Inside the FBI, Russia, and Ukraine’s failed cybercrime investigation

He thought back to reports from just a few hours earlier, when the Ukrainian surveillance team said they were tracking Tank and had intelligence that the suspect had been at home recently. None of it seemed believable. 

Five individuals were detained in Ukraine on that night, but when it came to Tank, who police alleged was in charge of the operation, they left empty-handed. And none of the five people arrested in Ukraine stayed in custody for long.

Somehow, the operation in Ukraine—a two-year international effort to catch the biggest cybercriminals on the FBI’s radar—had gone sideways. Tank had slipped away while under SBU surveillance, while the other major players deftly avoided serious consequences for their crimes. Craig and his team were livid.

But if the situation in Ukraine was frustrating, things were even worse in Russia, where the FBI had no one on the ground. Trust between the Americans and Russians had never been very strong. Early in the investigation, the Russians had waved the FBI off Slavik’s identity.

“They try to push you off target,” Craig says. “But we play those games knowing what’s going to happen. We’re very loose with what we send them anyway, and even if you know something, you try to push it to them to see if they’ll cooperate. And when they don’t—oh, no surprise.”

Even so, while the raids happened in Donetsk, the Americans hoped they would get a call from Russia about an FSB raid on the residence of Aqua, the money launderer Maksim Yakubets. Instead, there was silence.

The operation had its successes—dozens of lower-level operators were arrested across Ukraine, the United States, and the United Kingdom, including some of Tank’s personal friends who helped move stolen money out of England. But a maddening mixture of corruption, rivalry, and stonewalling had left Operation Trident Breach without its top targets.

“It came down to D-Day, and we got ghosted,” Craig says. “The SBU tried to communicate with [the Russians]. The FBI was making phone calls to the embassy in Moscow. It was complete silence. We ended up doing the operation anyway, without the FSB. It was months of silence. Nothing.”

Well-connected criminals

Not everyone in the SBU drives a BMW.

After the raids, some Ukrainian officials, who were unhappy with the corruption and leaks happening within the country’s security services, concluded that the 2010 Donetsk raid against Tank and the Jabber Zeus crew failed because of a tip from a corrupt SBU officer named Alexander Khodakovsky.

At the time, Khodakovsky was the chief of an SBU SWAT unit in Donetsk known as Alpha team. It was the same group that led the raids for Trident Breach. He also helped coordinate law enforcement across the region, which allowed him to tell suspects in advance to prepare for searches or destroy evidence, according to the former SBU officer who spoke to MIT Technology Review anonymously.

When Russia and Ukraine went to war in 2014, Khodakovsky defected. He became a leader in the self-proclaimed Donetsk People’s Republic, which NATO says receives financial and military aid from Moscow.

The problem wasn’t just one corrupt officer, though. The Ukrainian investigation into—and legal proceedings against—Tank and his crew continued after the raids. But they were carefully handled to make sure he stayed free, the former SBU officer explains.

“Through his corrupt links among SBU management, Tank arranged that all further legal proceedings against him were conducted by the SBU Donetsk field office instead of SBU HQ in Kyiv, and eventually managed to have the case discontinued there,” the former officer says. The SBU, FBI, and FSB did not respond to requests for comment.

Tank, it emerged, was deeply entangled with Ukrainian officials linked to Russia’s government—including Ukraine’s former president Viktor Yanukovych, who was ousted in 2014.

Yanukovych’s youngest son, Viktor Jr., was the godfather to Tank’s daughter. Yanukovych Jr. died in 2015 when his Volkswagen minivan fell through the ice on a lake in Russia, and his father remains in exile there after being convicted of treason by a Ukrainian court.

When Yanukovych fled east, Tank moved west to Kyiv, where he is believed to represent some of the former president’s interests, along with his own business ventures. 

“Through this association with the president’s family, Tank managed to develop corrupt links into the top tiers of Ukrainian government, including law enforcement,” the SBU officer explains.

Ever since Yanukovych was deposed, Ukraine’s new leadership has turned more decisively toward the West. 

“The reality is corruption is a major challenge to stopping cybercrime, and it can go up pretty high,” Passwaters says. “But after more than 10 years working with Ukrainians to combat cybercrime, I can say there are plenty of really good people in the trenches silently working on the right side of this fight. They are key.”

Warmer relations with Washington were a major catalyst for the ongoing war in eastern Ukraine. Now, as Kyiv tries to join NATO, one of the conditions of membership is eliminating corruption. The country has lately cooperated with Americans on cybercrime investigations to a degree that would have been unimaginable in 2010. But corruption is still widespread.

“Ukraine overall is more active in combating cybercrime in recent years,” says the former SBU officer. “But only when we see criminals really getting punished would I say that the situation has changed at its root. Now, very often we see public relations stunts that do not result in cybercriminals’ ceasing their activities. Announcing some takedowns, conducting some searches, but then releasing everyone involved and letting them continue operating is not a proper way of tackling cybercrime.”

And Tank’s links to power have not gone away. Enmeshed with the powerful Yanukovych family, which is itself closely aligned with Russia, he remains free.

A looming threat

On June 23, FSB chief Alexander Bortnikov was quoted as saying his agency would work with the Americans to track down criminal hackers. It didn’t take long for two particular Russian names to come up. 

Even after the 2010 raids took down a big chunk of his business, Bogachev continued to be a prominent cybercrime entrepreneur. He put together a new crime ring called the Business Club; it soon grew into a behemoth, stealing more than $100 million that was divided among its members. The group moved from hacking bank accounts to deploying some of the first modern ransomware, with a tool called CryptoLocker, by 2013. Once again, Bogachev was at the center of the evolution of a new kind of cybercrime.

Around the same time, researchers from the Dutch cybersecurity firm Fox-IT who were looking closely at Bogachev’s malware saw that it was not just attacking targets at random. The malware was also quietly looking for information on military services, intelligence agencies, and police in countries including Georgia, Turkey, Syria, and Ukraine—close neighbors and geopolitical rivals to Russia. It became clear that he wasn’t just working from inside Russia, but his malware actually hunted for intelligence on Moscow’s behalf.