U.S. law enforcement’s pursuit of global cybercrime is hampered by reliance on politically charged treaties governing extradition of suspected hackers.
The U.S. lacks such treaties with Russia, China, and other nations from which such attacks have originated, preventing accountability for hackers harbored in their home countries. Even when suspected cybercriminals are arrested in countries where such treaties are in place, law enforcement still struggles to bring cybercriminals to justice in U.S. courts due to years-long delays and legal challenges.
“The barriers to extradite someone and hold them accountable through legal means are significant,” said Erica Lonergan, a senior director for the Cyberspace Solarium Commission, a U.S. government cybersecurity advisory panel. Aside from gathering evidence needed for an indictment, the U.S. must cooperate with law enforcement partners globally to track down suspected hackers, arrest them, and turn them over to face criminal charges in court.
“This can be a complex and challenging process and that’s why most of the time you don’t see extraditions of individuals who are indicted” for cybercrimes, Lonergan said.
Extradition efforts are part of a broader push by the White House to enlist other countries in cracking down on costly ransomware attacks. The U.S. has asked Poland to extradite Yaroslav Vasinskyi, a Ukrainian national arrested in October for his alleged role in the Russia-linked ransomware group known as REvil.
Whether Poland sends Vasinskyi to the U.S. “depends on a whole host of geopolitical issues,” Daron Hartvigsen, a former U.S. intelligence and law enforcement official, said.
Polish authorities are expected to cooperate, given their extradition relationship with the U.S. and their past cooperation on cyber cases. Ukraine is unlikely to challenge the U.S. request, though Russia could counter with its own extradition attempt, Hartvigsen said. Russia could also use Vasinskyi’s Ukrainian nationality to shift blame for REvil’s attacks away from Russia, he said.
Threatening those who orchestrate cyberattacks with potential prison time sends a message that the U.S. government is taking attacks seriously, Hartvigsen said.
Still, extradition struggles to serve as a measure for combating cybercrime unless it’s successful, Hartvigsen said.
“It’s more of a political tool than a useful deterrent,” said Hartvigsen, now a managing director with StoneTurn, a regulatory, compliance, and investigations advisory firm.
The U.S. government routinely issues indictments against alleged hackers, including cases involving Chinese cyber espionage and the theft of intellectual property from U.S. companies. The U.S. also indicted Chinese hackers accused of trying to steal Covid-19-related research.
“Whether we’re able to translate those indictments into meaningful prosecution and accountability is another story,” Lonergan said, adding that success stories are “more of the exception than the rule.”
Notable examples include Peter Levashov, a Russian hacker who eventually pleaded guilty in U.S. court to using a botnet to steal personal information online.
Levashov was apprehended in Spain in 2017 and extradited to the U.S. the following year. In July, Judge Robert Chatigny in the U.S. District Court for the District of Connecticut spared Levashov additional prison time after he spent more than four years in U.S. custody.
Last September, Judge William Alsup in the U.S. District Court for the Northern District of California ordered Yevgeniy Nikulin, a Russian who was found guilty of hacking into LinkedIn and Dropbox, to spend more than seven years in prison following his extradition from the Czech Republic.
Extradition is especially challenging when hackers work directly for a foreign government, Lonergan said. China hasn’t handed over its military officials who have been indicted in the U.S. for cybercrimes, she said.
Sometimes countries such as the Maldives agree to turn over an alleged cybercriminal despite lacking a formal extradition treaty with the U.S.
One example involves the case of Roman Seleznev, who in 2017 was sentenced to 27 years in prison in the U.S. for stealing consumer credit card numbers from hundreds of retail businesses worldwide and selling the data online. The U.S. Secret Service tracked Seleznev for more than a decade before he was arrested in 2014 while on holiday in the Maldives.
Hackers engaged in bank or payment card fraud and those who extort victims for ransom payments have come to recognize which countries are likely to cooperate with the U.S. on extradition, according to Arkady Bukh, a New York-based criminal defense attorney who has represented a number of hackers.
“The hackers are watching for that,” Bukh said. “They really want to know which countries will not cooperate with the U.S., so they can travel and enjoy their ill-gotten money.”
Even courts in allied countries, like the U.K., can push back on extraditions. The U.S. abandoned efforts to extradite Lauri Love, a British man accused of stealing confidential data from U.S. government agencies, after a U.K. judge ruled Love shouldn’t be tried abroad.
Countries often resist extraditing their own citizens, preferring to extradite only foreign nationals who travel to their country.
“A number of these criminals are harbored in their home country, making it virtually impossible for us to gain access to them or arrest them,” said Sujit Raman, a partner at Sidley Austin LLP who previously worked as a federal prosecutor on cyber issues at the Justice Department.
Russian President Vladimir Putin reportedly offered during a June summit with U.S. President Joe Biden to turn over cybercriminals if the U.S. agrees to do the same for Russia. When asked whether the U.S. government would prosecute cybercriminals domestically based on Russian information-sharing, deputy national security adviser Anne Neuberger said that U.S. law enforcement is committed to investigating such information from other countries.
The U.S. is unlikely to take part in such a hacker exchange due to a lack of trust in the fairness of Russia’s judicial system and differing definitions of what ought to count as cybercrime, Hartvigsen said.
The U.S. also hasn’t agreed to an extradition treaty with China because of human rights concerns. An earlier treaty with Hong Kong was suspended in 2020 after Beijing imposed a new national security law on the former British territory.
Some countries have pledged to surrender hackers to each other as part of the Budapest Convention on Cybercrime, which has been signed by the U.S. and many European nations.
Russia is pushing for a global treaty on cybercrime at the United Nations that could touch on extradition. Early drafts of the text haven’t included a common exception to extradition agreements meant to protect people accused of political offenses, according to Duncan Hollis, a former State Department treaty official who’s now a professor at Temple Law School.
“That may matter,” Hollis said, adding “the concern is that cybercrime could be a precursor” to prosecuting opposition leaders or religious minorities for their online speech.