In Gonzalez Hacking Case, a High-Stakes Fight Over a Ukrainian's Laptop


When Turkish police arrested Maksym "Maksik" Yastremskiy -- a Ukrainian wholesaler of stolen identity data -- in July 2007, they didn't just collar one of the most-wanted cybercriminals in the world. They also got a trove of evidence about Yastremskiy's buyers and suppliers, all locked in an encrypted vault on his laptop computer.

Now federal prosecutors are hoping to introduce a copy of Yastremskiy's files in their case against accused hacker Albert "Segvec" Gonzalez. Chat logs and other information on the disk allegedly show that Gonzalez was Yastremskiy's major supplier of credit and debit card numbers.

But Gonzalez's attorney is fighting to keep the data, and similar information seized from a server in Latvia, far away from the New York courtroom where Gonzalez is scheduled to stand trial next month on the first of three federal indictments. The argument unfolding over the disks illustrates the challenges and controversies of using electronic evidence gathered in foreign jurisdictions, and sheds more light on the unusual methods used to investigate what authorities have called the largest identity theft case in U.S. history.

Gonzalez and his co-conspirators staged high-profile breaches at TJX, Heartland Payment Systems, Dave & Buster's and other retailers and payment processors.

One notable revelation in the government's own filings (.pdf) is that Yastremskiy's arrest did not mark the first time the Secret Service gained access to his computer files. On June 14, 2006 the Secret Service worked with local authorities to conduct a "sneak-and-peek" search of Yastremskiy's laptop while he was traveling through Dubai, in the United Arab Emirates. The agency secretly obtained a copy of the man's hard drive in the search.

The government says that stealth operation is irrelevant now, because it doesn't plan on introducing the data from the sneak-and-peek at trial -- only the data taken in Turkey at Yastremskiy's arrest. But defense attorney Rene Palomino, Jr., says the earlier search may have been unlawful, and could have legally tainted the case: The disk image may have been used by U.S. authorities to obtain a provisional arrest warrant for Yastremskiy in California, and it was that warrant that led Turkish authorities to arrest him and seize his laptop.

In a court filing this month, the lawyer is asking (.pdf) for an evidentiary hearing to, among other things, "determine the extent to which the arrests and seizures were causally motivated by the prior sneak-and-peek conducted by the USSS in Dubai."

Also at issue is the procedure used by Turkish authorities to recover data from the laptop. While U.S. forensics examiners routinely make a bit-for-bit copy of a seized hard drive and leave the original undisturbed, there's evidence that Turkish police tried to install software on the laptop in order to change the Windows password on the machine. Additionally, access times on some 3,000 files were disturbed. The hard drive broke while in Turkish custody, and was later deemed irreparable by the Secret Service.

Palomino raises similar concerns over a Latvian server allegedly used in some of the hack attacks.

Gonzalez and a co-conspirator allegedly maintained the server in Latvia. It was encrypted and protected with a lengthy and complex pass phrase, and was allegedly used as a staging platform to launch attacks against targeted networks. It also stored a modified version of the malicious software used in the Dave & Buster's attack, and millions of stolen credit card numbers siphoned from hacked networks.

The server was seized after the U.S. Secret Service arrested the co-conspirator in early May 2008 and turned him into an informant. The informant shared access to the Latvian server and provided authorities with the password key. Secret Service agents then asked the Latvian State Police (LVS) to obtain a computer image of the server from Cronos IT, which leased space to Gonzalez and his partner to host the server.

Cronos employee Ivars Tenters imaged the server and gave it to the LVS, who gave it to the Secret Service. About two weeks later, on June 6, U.S. authorities submitted a mutual legal assistance treaty request for the physical server itself, and Tenters disassembled it and passed it to Latvian prosecutors who gave it to U.S. authorities in September.

Palomino points out that the hash value of the Latvian server provided by prosecutors in the New York case is different from the hash value for the same server provided by authorities in the Massachusetts case against Gonzalez. He argues that Gonzalez has a right to cross-examine Tenters and the LVS officers about the chain-of-custody of the data and the server.
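The disturbed access times on the Turkish laptop and the mismatched hash values for the Latvian server come down to one forensic point: a bit-for-bit image hashes identically to its source, while touching even file metadata changes the image hash without changing any file's content hash. The following added example (not from the article or the case filings) models that with a constructed toy image format and SHA-256; the "image" layout, file names and timestamps are all made up for illustration.

```python
# Added example: why a forensic image hash changes when only metadata is
# touched, and why per-file content hashes still match. Toy image format
# (constructed for this example): records separated by 0x1e, each record
# being name \0 atime \0 content. Content must not contain 0x1e or \0.
import hashlib


def build_image(entries):
    """entries: list of (name, atime, content_bytes) -> bytes 'disk image'."""
    records = []
    for name, atime, content in entries:
        records.append(name.encode() + b"\0" + str(atime).encode() + b"\0" + content)
    return b"\x1e".join(records)


def parse_image(image):
    """Inverse of build_image: returns list of (name, atime, content_bytes)."""
    result = []
    for rec in image.split(b"\x1e"):
        name, atime, content = rec.split(b"\0", 2)
        result.append((name.decode(), int(atime), content))
    return result


def image_hash(image):
    """Hash of the whole image, as recorded in a chain-of-custody log."""
    return hashlib.sha256(image).hexdigest()


def content_hashes(image):
    """Per-file content hashes; unaffected by metadata such as access times."""
    return {name: hashlib.sha256(c).hexdigest() for name, _, c in parse_image(image)}


def simulate_atime_update(image, name, new_atime):
    """Model reading a file on a mounted drive without a write blocker:
    the filesystem rewrites that file's access time, nothing else."""
    entries = [(n, new_atime if n == name else a, c) for n, a, c in parse_image(image)]
    return build_image(entries)


def custody_check(recorded_hash, image):
    """True only if the image still matches the hash recorded at seizure."""
    return image_hash(image) == recorded_hash


# Constructed sample data (hypothetical names, timestamps and contents).
ORIGINAL = build_image([("chatlog.txt", 1180000000, b"constructed chat log"),
                        ("cards.db", 1180000100, b"constructed dump data")])
BIT_COPY = bytes(ORIGINAL)                        # forensic bit-for-bit copy
RECORDED = image_hash(ORIGINAL)                   # hash logged at seizure
TOUCHED = simulate_atime_update(ORIGINAL, "chatlog.txt", 1184000000)
```

Running the custody check on the touched image fails even though every file's content hash is unchanged, which is exactly the situation a defense expert probes at a chain-of-custody hearing.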

Palomino says the foreign police were acting as agents of the Secret Service, and thus there should be some Fourth Amendment protection for the searches in Latvia and Turkey, and that foreign authorities should be required to show that they adhered to local legal requirements for searches and seizures as well.

The feds counter (.pdf) that Gonzalez has no Fourth Amendment protection on the server in Latvia, because he's never acknowledged it belongs to him, and the informant gave them the password and permission to search it. Gonzalez also doesn't have protection for the laptop in Turkey, because it belongs to Yastremskiy, a non-U.S. person. The laptop was seized from a foreign citizen by foreign law enforcement officers in a foreign country and therefore has no U.S. constitutional protection, prosecutors say.

The government acknowledges that the United States worked closely with Turkish police. The day before Yastremskiy's arrest, Secret Service agents accompanied the police to a hotel where Yastremskiy was staying. While he was out of the room, the police seized his Lamborghini laptop, which had a Cyrillic/English keyboard, and brought it to Secret Service agents across the hall, who photographed the computer, including a logon screen that displayed the name "Mars."

Four days after the arrest, after the U.S. submitted a formal mutual legal assistance request, Turkish police gave U.S. agents a copy of the encrypted hard drive, which authorities refer to as "the Yaz Hard Drive."

Per prosecutors, U.S. Secret Service Special Agent Stuart Van Buren "had to undertake a lengthy and difficult process" to make data "readable and searchable," which was completed August 31. Once it was decrypted, authorities gave Gonzalez's attorneys a copy of the decrypted hard drive.

While U.S. authorities toiled to decrypt the drive, Turkish authorities, working their own case against Yastremskiy for hacking into Turkish banks, got him to cough up his password.

In the documents, Palomino alleges that Turkish authorities may have committed acts that "shocked the conscience" to force Yastremskiy to reveal his password. But his only evidence of this appears to be the lawyer's skepticism that Yastremskiy would have relinquished the password willingly.

Prosecutors counter this with the fact that their unnamed informant needed no undue influence to provide them with the password to the Latvian server after his arrest.

Palomino did not respond to requests for comment.

The government is urging the court to admit the evidence, saying jurors should be allowed to determine if it's authentic. They say they've asked Latvia and Turkey to send witnesses to testify, but can't compel them to come. If the witnesses don't appear in court, the defendant is free to point this out to the jury to cast doubt on the evidence.

The New York trial, which involves the Dave & Buster's hack, is currently set to begin on September 14. Next year, Gonzalez faces a trial in Massachusetts on the TJX hack and may eventually face trial in New Jersey on new charges levied against him this week for allegedly hacking into five other companies, including Heartland Payment Systems and 7-11, and stealing more than 130 million credit and debit card numbers -- the largest data breach prosecuted in the United States to date.

In the Dave & Buster's case, Yastremskiy is also charged, but hasn't been extradited from Turkey, where he's now serving a 30-year prison sentence. A third co-defendant, Aleksandr Suvorov, pleaded guilty in May and is awaiting sentencing. According to the indictment, Gonzalez provided the sniffing program that Suvorov installed on the Dave & Buster's network.
