The news is littered with reports of data breaches that have been experienced by companies and even governments. Many media reports detail how hackers have been able to obtain tens of thousands of confidential records, or in some instances, tens of millions or more. However, it is rare that a hacker is apprehended and brought to justice for the crimes committed.
Recently, a hacking group based in Russia was reported to have stolen a massive 1 billion passwords. If that was not surprising enough, the authorities know the individuals are based in central Russia. They are also in their early 20s. If they have been identified, why have they not been brought to justice?
In this instance, there are issues because it is the United States that wishes to take action. The crimes were carried out against Americans but some countries are unwilling to turn over their own citizens to other countries. On this occasion, should the hackers criminals be tried in Russia or in the United States? Where should justice be applied, where the crimes were committed or in the country most affected by the crimes? Should hackers be extradited to the US?
If there is no treaty agreed between two countries, hackers will be tried and sentenced (or not) in their own countries. The United States has attempted to get five Chinese hackers extradited and brought to the United States to stand trial. They were employed by+ the Chinese military. China is unlikely to take any action, and certainly will not make them available them to the United States. The individuals are thought to be behind attacks on Alcoa, U.S. Steel and Westinghouse, as well as on other U.S. firms. The hackers were indicted, but that is as far as the U.S. got. They are very likely at work on new hacking campaigns against U.S. companies.
The FBI has previously fooled hackers into coming over to the United States voluntarily. By doing so the tricky problem of extradition has been bypassed. The FBI set up a job interview for two hackers using a fake Seattle company. The duo, Alexey Ivanov and Vasily Gorshkov, arrived for the interview and were promptly apprehended. The latter was given a sentence of 3 years, the former got 48 months.
If you are a hacker and you have begun attacks on Americans, it is a wise move never to visit the country. However, the temptation can be too great. When visiting a car show in Las Vegas in 2010, Russian super-spammer, Oleg Nikolaenko, was arrested and charged for his crimes. He had deployed a botnet to send the spam emails. That botnet included a massive half a million computers. Even more staggering was the volume of emails he shared. An approximate 10 billion per day. He is still awaiting trial.
Hackers are very good at masking their real identities and consequently can be difficult to find. It can be even more difficult to bring them to justice.
It should come as no shock to hear that many successful hackers are located in countries that offer protection against extradition to the United States. Unless there are international laws signed, and more cooperation between countries to tackle the global issue of cybercrime, they are unlikely to face trial and sentenced for their offenses.
