United States v. Ivanov

United States of America v. Aleksey Vladimirovich Ivanov
United States of America v. Aleksey Vladimirovich Ivanov
Court	United States District Court for the District of Connecticut
Decided	December 6, 2001
Case history
Prior action(s)	Ivanov was indicted for charges of conspiracy, computer fraud, extortion, and possession of illegal access devices. Ivanov motioned to dismiss, arguing the court lacked subject-matter jurisdiction.
Subsequent action(s)	Ivanov was sentenced to 48 months in prison in the United States.
Holding
	Ivanov's motion for dismissal was denied.
Court membership
Judge(s) sitting	Alvin W. Thompson
Keywords
	Subject-matter jurisdiction Legal aspects of computing Cybercrime

Last updated January 31, 2021

‹ The template Infobox court case is being considered for merging. ›

United States v. Ivanov was an American court case addressing subject-matter jurisdiction for computer crimes performed by Internet users outside of the United States against American businesses and infrastructure. In trial court, Aleksey Vladimirovich Ivanov of Chelyabinsk, Russia was indicted for conspiracy, computer fraud, extortion, and possession of illegal access devices; all crimes committed against the Online Information Bureau (OIB) whose business and infrastructure were based in Vernon, Connecticut.

Ivanov moved to dismiss the indictment, claiming that the court lacked subject-matter jurisdiction, arguing that "because he was physically located in Russia when the offenses were committed, he can not be charged with violations of United States law."^[1] The court denied Ivanov's motion, "first, because the intended and actual detrimental effects of Ivanov's actions in Russia occurred within the United States, and second, because each of the statutes under which Ivanov was charged with a substantive offense was intended by Congress to apply extraterritorially."^[1]

In a later ruling, Ivanov pleaded guilty to several crimes, including computer intrusion and computer fraud, and was sentenced to 48 months in prison followed by 3 months of supervised release.^[2]

Background

Unlawful access and FBI capture

Ivanov attracted FBI attention in the Fall of 1999, when internet service provider (ISP) Speakeasy discovered their network had been compromised and informed the Seattle branch of the FBI. In early 2000, OIB also detected an attack and notified the FBI in Connecticut. Between late 1999 and early 2000, other large Internet corporations including CD Universe, Yahoo, and eBay also experienced similar attacks to Speakeasy and OIB.^[3] Computer forensics determined the Internet traffic for all attacks originated from the same machine in Russia.^[3] After linking his online alias "subbsta" and his resume,^[4] the FBI determined Ivanov's identity and initiated a sting operation to lure him to the United States for arrest.

The FBI constructed a false computer security company, Invita, in Seattle, Washington and invited Ivanov to interview for a position on November 10, 2000.^[5] Ivanov's interview involved hacking an FBI controlled honeypot. While Ivanov was hacking the FBI honeypot, all keystrokes and network traffic were recorded as potential evidence.^[6] In addition, the FBI made video and audio recordings of the entire interview process. After Ivanov successfully gained access to the FBI honeypot, he was arrested.^[6] The FBI used the recorded keystrokes and network traffic log to access the intermediary computers Ivanov used in Russia.

When the FBI accessed Ivanov's machines, they found folders with data corresponding to the companies he had remotely attacked. Over 2.3 GB of data was recovered from Ivanov's machines, including the tools used to gain illegal access and scripts that referenced companies that had been attacked.^[7]

Attack on OIB

Ivanov obtained superuser (root) access to OIB machines. By gaining root access to OIB's machines, Ivanov was effectively able to "control the data, e.g. credit card numbers and merchant account numbers, stored in OIB computers."^[1] After gaining access to OIB's systems, Ivanov contacted OIB using his online handle "subbsta", offering security assistance in exchange for $10,000. OIB refused to pay Ivanov which resulted in a final email: "now imagine please Somebody hack you network (and not notify you about this), he downloaded Atomic software with more than 300 merchants, transfer money, and after this did 'rm –rf' and after this you company be ruined. I don't want this, and because this I notify you about possible hack in you network, if you want you can hire me and im always check security in you network. What you think about this."^[1]

Trials

Indictment

When brought to trial in Connecticut, Ivanov was indicted on eight counts, six of which Ivanov appealed:

Count one charged Ivanov with conspiracy to commit computer fraud in violation of 18 U.S.C. § 371.^[1]
Charges two, three and six all alleged that Ivanov's activity violated 18 U.S.C. § 1030, the Computer Fraud and Abuse Act. The government alleged that Ivanov knowingly accessed OIB's computers with intent to defraud and intentionally accessed OIB's machines with intent to collect information.^[1]
Count six alleged Ivanov "transmitted in interstate and foreign commerce communications containing a threat to cause damage to protected computers owned by OIB."^[1]
Count seven charged Ivanov with disrupting commerce by means of extortion in violation of 18 U.S.C. § 1051.^[1]
Count eight charged Ivanov with possession of "unauthorized accesses devices" in violation of 18 U.S.C. § 1029, which regulates fraud in connection with access devices.^[1]

Ivanov was subject to up to ninety years in prison if found guilty on all counts.^[6]

Ivanov's appeal

After his indictment, Ivanov filed for a motion to dismiss all charges because "he was physically located in Russia when the offenses were committed" and thus "he can not be charged with violations of United States law."^[1] The district court denied his appeal following two trains of logic: "first, because the intended and actual detrimental effects of Ivanov's actions in Russia occurred within the United States, and second, because each of the statutes under which Ivanov was charged with a substantive offense was intended by congress to apply extraterritorially."^[1]

The court argued that previous cases provided precedent for applying subject matter jurisdiction extraterritorially, so long as the "intended and detrimental effects" occurred within jurisdiction. The court cited United States v. Muench as stating, "the intent to cause effects within the United States... makes it reasonable to apply to persons outside United States territory a statute which is not expressly extraterritorial in scope."^[1] The court also cited United States v. Steinberg in claiming, "it has long been a commonplace of criminal liability that a person may be charged in the place where the evil results, even though he is beyond the jurisdiction where he starts the train of events of which the evil is the fruit."^[1]

The court then argued that the detrimental effects of Ivanov's attacks indeed took place in the United States, stating, "the fact the computers were accessed by means of a complex process initiated and controlled from a remote location does not alter the fact that the accessing of the computers, i.e, part of the detrimental effect prohibited by the statute, occurred at the place where the computers were physically located, namely OIB's place of business in Vernon, Connecticut."^[1]

In a second argument, the court stated that regardless of the previous logic, "to each of the statutes under which the defendant has been indicted for a substantive offense, there is clear evidence that the statute was intended to apply extraterritorially."^[1] The court then enumerated each of Ivanov's alleged offenses, the laws they referenced, and the specific language in the laws that implied extraterritorial application.

Following these arguments, the court denied Ivanov's motion to dismiss.

Subsequent rulings

Ivanov later pleaded guilty to several of the charges, including computer intrusion and computer fraud, and was sentenced to 48 months in prison followed by 3 months of supervised release.^[2]

Ivanov's crimes were not limited to Connecticut. He was also prosecuted and convicted in Washington,^[8] New Jersey,^[9] and California^[10] for similar crimes. In total, Ivanov was tried in five district courts, more than any other case listed on the United States Department of Justice listing of computer crimes.^[11]

Impact

Although the court ruled that the laws which Ivanov violated already extended extraterritorially, the USA PATRIOT Act increased the scope of the Computer Fraud and Abuse Act to expressly cover machines outside the United States.^[12]

Related Research Articles

A statute of limitations, known in civil law systems as a prescriptive period, is a law passed by a legislative body to set the maximum time after an event within which legal proceedings may be initiated.

The Computer Fraud and Abuse Act (CFAA) is a United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law, which had been included in the Comprehensive Crime Control Act of 1984. The law prohibits accessing a computer without authorization, or in excess of authorization. Prior to computer-specific criminal laws, computer crimes were prosecuted as mail and wire fraud, but the applying law was often insufficient.

Extraterritorial jurisdiction (ETJ) is the legal ability of a government to exercise authority beyond its normal boundaries.

Cybercrime, or computer-oriented crime, is a crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. Cybercrime may threaten a person, company or a nation's security and financial health.

Computer fraud is a cybercrime and the act of using a computer to take or alter electronic data, or to gain unlawful use of a computer or system. In the United States, computer fraud is specifically proscribed by the Computer Fraud and Abuse Act, which criminalizes computer-related acts under federal jurisdiction. Types of computer fraud include:

Making false statements is the common name for the United States federal process crime laid out in Section 1001 of Title 18 of the United States Code, which generally prohibits knowingly and willfully making false or fraudulent statements, or concealing information, in "any matter within the jurisdiction" of the federal government of the United States, even by merely denying guilt when asked by a federal agent. A number of notable people have been convicted under the section, including Martha Stewart, Rod Blagojevich, Michael T. Flynn, Rick Gates, Scooter Libby, Bernard Madoff, and Jeffrey Skilling.

The Convention on Cybercrime, also known as the Budapest Convention on Cybercrime or the Budapest Convention, is the first international treaty seeking to address Internet and computer crime (cybercrime) by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations. It was drawn up by the Council of Europe in Strasbourg, France, with the active participation of the Council of Europe's observer states Canada, Japan, Philippines, South Africa and the United States.

Protected computers is a term used in Title 18, Section 1030 of the United States Code, which prohibits a number of different kinds of conduct, generally involving unauthorized access to, or damage to the data stored on, "protected computers". The statute, as amended by the National Information Infrastructure Protection Act of 1996, defines "protected computers" as:

a computer—
(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.

The Double Jeopardy Clause of the Fifth Amendment to the United States Constitution provides: "[N]or shall any person be subject for the same offence to be twice put in jeopardy of life or limb..." The four essential protections included are prohibitions against, for the same offense:

In United States v. Riggs, the government of the United States prosecuted Robert Riggs and Craig Neidorf for obtaining unauthorized access to and subsequently disseminating a file held on BellSouth's computers. The file, referred to as the E911 file, gave information regarding BellSouth's products implementing 911 emergency telephone services. Riggs and Neidorf were both indicted in the District Court of the Northern District of Illinois on numerous charges relating to the dissemination of the E911 text file. As Riggs had previously been indicted in the Northern District of Georgia in relation to the same incident, his charges from Illinois were transferred to Georgia. Riggs ultimately pleaded guilty in Georgia and was sentenced to 21 months in prison and two years' supervised release. Neidorf pleaded not guilty in Illinois and the government dropped all charges against Neidorf four days after the trial began.

United States v. LaMacchia 871 F.Supp. 535 was a case decided by the United States District Court for the District of Massachusetts which ruled that, under the copyright and cybercrime laws effective at the time, committing copyright infringement for non-commercial motives could not be prosecuted under criminal copyright law.

United States v. Nosal, 676 F.3d 854 was a United States Court of Appeals for the Ninth Circuit decision dealing with the scope of criminal prosecutions of former employees under the Computer Fraud and Abuse Act (CFAA). The Ninth Circuit's first ruling established that employees have not "exceeded authorization" for the purposes of the CFAA if they access a computer in a manner that violates the company's computer use policies—if they are authorized to access the computer and do not circumvent any protection mechanisms.

The Cybercrime Prevention Act of 2012, officially recorded as Republic Act No. 10175, is a law in the Philippines that was approved on September 12, 2012. It aims to address legal issues concerning online interactions and the Internet in the Philippines. Among the cybercrime offenses included in the bill are cybersquatting, cybersex, child pornography, identity theft, illegal access to data and libel.

United States v. Vampire Nation, 451 F.3d 189, is a 2006 decision of the United States Court of Appeals for the Third Circuit regarding the Federal Sentencing Guidelines and asset forfeiture. A three-judge panel unanimously affirmed the conviction and sentence of Frederick Banks, a Pittsburgh man, on numerous felony charges resulting from fraudulent schemes carried out over the Internet. The case takes its title, which has been singled out as memorable and included among lists of amusingly titled cases, from one of Banks' aliases, an electronic music group of which he was the sole regular member. He had filed the appeal under that name while representing himself.

Tor Bernhard Ekeland is a New York City based computer, trial and appellate lawyer. He is the Managing Partner of Tor Ekeland Law, PLLC. He is best known for representing hackers prosecuted under the Computer Fraud and Abuse Act ("CFAA"), as well as white-collar defendants, in federal criminal court and on appeal across the United States.

Operation Shrouded Horizon was an 18-month international law enforcement investigation culminating in the July 2015 seizure of Darkode, an online cybercrime forum and black market, and the arrest of several of its members. The case involved law enforcement agencies from 20 countries, led by the United States Federal Bureau of Investigation (FBI) with the assistance of Europol, in what the FBI called "the largest-ever coordinated law enforcement effort directed at an online cyber criminal forum".

Carding (fraud) Crime involving the trafficking of credit card data

Carding is a term describing the trafficking of credit card, bank account and other personal information online. Activities also encompass procurement of details, and money laundering techniques. Modern carding sites have been described as full-service commercial entities. Since it is not a crime that is committed online, carding is not a form of crime and often intertwined with other types of e-fencing.

Vladislav Anatolievich Horohorin,, alias BadB, is a former hacker and international credit card trafficker who was convicted of wire fraud and served a seven-year prison sentence.

Maksim Viktorovich Yakubets is a Russian national and a computer expert. He is alleged to have been a member of the Jabber Zeus Crew, as well as the alleged leader of the Bugat malware conspiracy.

Van Buren v. United States is a pending United States Supreme Court case dealing with the Computer Fraud and Abuse Act (CFAA) and its definition of "exceeds authorized access" in relation to one intentionally accessing a computer system they have authorization to access. The CFAA's language has long created a circuit split in case law, and the Court's decision will significantly impact cybersecurity and computer crime enforcement.

References

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 United States v. Ivanov, 175 F. Supp. 2d 36 (US District Court for the District of Connecticut2001).
1 2 Newcomb, Penny. "Russian Man Sentenced for Hacking into Computers in the United States". U.S. Department of Justice. Retrieved February 6, 2012.
1 2 Traore, Issa. "Chapter 8: Computer Forensics" (PDF). University of Victoria. Retrieved February 6, 2012.
↑ "Cached copy of Ivanov's resume". mail-index.netbsd.org.
↑ "RUSSIAN NATIONAL ARRESTED AND INDICTED FOR PENETRATING U.S. CORPORATE COMPUTER NETWORKS, STEALING CREDIT CARD NUMBERS, AND EXTORTING THE COMPANIES BY THREATENING TO DAMAGE THEIR COMPUTERS". cybercrime.gov.
1 2 3 "A hacker story". crime-research.org. CIO Asia. Retrieved February 6, 2012.
↑ Attfield, Philip (2005). "United States v Gorshkov Detailed Forensics and Case Study; Expert Witness Perspective". First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE'05). Institute of Electrical and Electronics Engineers. pp. 3–26. doi:10.1109/SADFE.2005.28. ISBN 0-7695-2478-8. A warrant was granted to the FBI 10 days after the download
↑ "Russian Computer Hacker Convicted by Jury". justice.gov. Retrieved February 18, 2012.
↑ "United States v Alexey V.Ivanov". cybercrime.gov. Retrieved February 18, 2012.
↑ "RUSSIAN COMPUTER HACKER INDICTED IN CALIFORNIA FOR BREAKING INTO COMPUTER SYSTEMS AND EXTORTING VICTIM COMPANIES". cybercrime.gov. Archived from the original on June 25, 2001. Retrieved February 18, 2012.
↑ "Computer Crime and Intellectual Property Section". United States Department of Justice. Retrieved February 18, 2012.
↑ Lemley, Mark; Menell, Peter; Merges, Robert; Samuelson, Pamela; Carver, Brian (2011). Software and Internet Law (4th ed.). ISBN 978-0-7355-8915-5.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[usvivanov-1] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 United States v. Ivanov, 175 F. Supp. 2d 36 (US District Court for the District of Connecticut2001).

[sentencing-2] 1 2 Newcomb, Penny. "Russian Man Sentenced for Hacking into Computers in the United States". U.S. Department of Justice. Retrieved February 6, 2012.

[coursenotes-3] 1 2 Traore, Issa. "Chapter 8: Computer Forensics" (PDF). University of Victoria. Retrieved February 6, 2012.

[resume-4] "Cached copy of Ivanov's resume". mail-index.netbsd.org.

[indict-5] "RUSSIAN NATIONAL ARRESTED AND INDICTED FOR PENETRATING U.S. CORPORATE COMPUTER NETWORKS, STEALING CREDIT CARD NUMBERS, AND EXTORTING THE COMPANIES BY THREATENING TO DAMAGE THEIR COMPUTERS". cybercrime.gov.

[hackstory-6] 1 2 3 "A hacker story". crime-research.org. CIO Asia. Retrieved February 6, 2012.

[ieee-7] Attfield, Philip (2005). "United States v Gorshkov Detailed Forensics and Case Study; Expert Witness Perspective". First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE'05). Institute of Electrical and Electronics Engineers. pp. 3–26. doi:10.1109/SADFE.2005.28. ISBN 0-7695-2478-8. A warrant was granted to the FBI 10 days after the download

[washIndict-8] "Russian Computer Hacker Convicted by Jury". justice.gov. Retrieved February 18, 2012.

[njIndict-9] "United States v Alexey V.Ivanov". cybercrime.gov. Retrieved February 18, 2012.

[caIndict-10] "RUSSIAN COMPUTER HACKER INDICTED IN CALIFORNIA FOR BREAKING INTO COMPUTER SYSTEMS AND EXTORTING VICTIM COMPANIES". cybercrime.gov. Archived from the original on June 25, 2001. Retrieved February 18, 2012.

[dojWeb-11] "Computer Crime and Intellectual Property Section". United States Department of Justice. Retrieved February 18, 2012.

[swlwbook-12] Lemley, Mark; Menell, Peter; Merges, Robert; Samuelson, Pamela; Carver, Brian (2011). Software and Internet Law (4th ed.). ISBN 978-0-7355-8915-5.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]