WEBVTT

00:00:00.260 --> 00:00:04.340
JACK: For over two hundred years bank robberies have stayed relatively the same.

00:00:04.340 --> 00:00:09.350
You’d have to go into the bank itself, demand the cash, often with violence, grab what you

00:00:09.350 --> 00:00:11.130
can and get out of there.

00:00:11.130 --> 00:00:15.800
But as banks started coming online and being digitally connected to each other, a whole

00:00:15.800 --> 00:00:18.350
new way to rob a bank started happening.

00:00:18.350 --> 00:00:21.810
This is the story of the first online bank robbery.

00:00:21.810 --> 00:00:29.770
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:00:29.770 --> 00:00:35.219
I’m Jack Rhysider.

00:00:35.219 --> 00:00:39.519
This is Darknet Diaries.

00:00:39.519 --> 00:00:43.579
[INTRO MUSIC ENDS]

00:00:43.579 --> 00:00:54.440
JACK: In the early days of the internet there were a few different competing internets.

00:00:54.440 --> 00:00:58.539
There was ARPANET, Telenet, Tymnet, and some others.

00:00:58.539 --> 00:01:01.229
Each one of these networks spoke a completely different protocol.

00:01:01.229 --> 00:01:06.140
People, machines, and computers on Telenet could not talk to people, machines, and computers

00:01:06.140 --> 00:01:07.140
on the internet.

00:01:07.140 --> 00:01:08.770
They both kind of had their own ecosystem.

00:01:08.770 --> 00:01:12.820
There might be a few computers that could connect to both networks at once but those

00:01:12.820 --> 00:01:14.870
bridges and connections were rare.

00:01:14.870 --> 00:01:18.140
One of these early competing networks was Telenet.

00:01:18.140 --> 00:01:20.250
This is different than Telnet.

00:01:20.250 --> 00:01:24.560
Telenet was a full-blown network kind of like its own internet and it used a completely

00:01:24.560 --> 00:01:26.030
different protocol than the internet.

00:01:26.030 --> 00:01:30.900
It used what’s known as the X.25 protocol to communicate between two systems.

00:01:30.900 --> 00:01:35.180
The internet at first was only available to governments to connect to but Telenet was

00:01:35.180 --> 00:01:39.240
the first public available network so it began picking up in popularity.

00:01:39.240 --> 00:01:44.910
By 1980 Telenet was available in seven major cities and US phone companies had set up over

00:01:44.910 --> 00:01:48.540
1,000 network switches to route packets around the US.

00:01:48.540 --> 00:01:52.800
Another reason why this X.25 protocol became popular was because it was free to connect

00:01:52.800 --> 00:01:53.800
to this network.

00:01:53.800 --> 00:01:55.630
All you needed was a modem and a phone line.

00:01:55.630 --> 00:01:59.970
You didn’t have to pay any ISP fees; just dial into one of the switches and away you

00:01:59.970 --> 00:02:00.970
go.

00:02:00.970 --> 00:02:04.810
From there you can get to any system that’s also on the Telenet network.

00:02:04.810 --> 00:02:08.050
Large companies started connecting to this network to be able to communicate between

00:02:08.050 --> 00:02:10.030
branches.

00:02:10.030 --> 00:02:13.939
Companies such as Apple, Dun & Bradstreet, Westinghouse, Boeing, and Sprint were all

00:02:13.939 --> 00:02:15.159
connected to this network.

00:02:15.159 --> 00:02:20.379
In fact Sprint saw big future in Telenet and actually acquired it themselves, renaming

00:02:20.379 --> 00:02:25.920
the whole network from Telenet to Sprintnet and Sprintnet continued to grow in popularity,

00:02:25.920 --> 00:02:28.409
connecting a dozen more states by the 1990s.

00:02:28.409 --> 00:02:32.139
Getting around on Sprintnet was not as easy as just Googling and finding what you’re

00:02:32.139 --> 00:02:33.139
looking for.

00:02:33.139 --> 00:02:34.260
It was mostly bulletin boards.

00:02:34.260 --> 00:02:38.409
You would read about a certain bulletin board in a magazine or from a friend, dial into

00:02:38.409 --> 00:02:42.010
Sprintnet, set your parameters on your modem, and type in some numbers and commands, get

00:02:42.010 --> 00:02:43.010
the command prompt in.

00:02:43.010 --> 00:02:47.029
If you’re lucky you’d get to the bulletin board which is kind of like an online forum

00:02:47.029 --> 00:02:51.750
but was a simple and crude way to exchange information across the country.

00:02:51.750 --> 00:02:52.890
Sprintnet was not user-friendly.

00:02:52.890 --> 00:02:57.650
It took a lot of practice and patience to not only connect to it but then also find

00:02:57.650 --> 00:03:00.370
anything remotely interesting once there.

00:03:00.370 --> 00:03:04.430
The internet today has billions of users and millions of websites but Sprintnet in the

00:03:04.430 --> 00:03:06.770
90s only had a few thousand servers connected to it.

00:03:06.770 --> 00:03:12.719
It was kind of a ghost yard unless you had something specific you needed to do.

00:03:12.719 --> 00:03:15.730
Going around in that time was an online magazine called Phrack.

00:03:15.730 --> 00:03:21.639
By 1993 there were already 41 issues released and each issue outlined numerous new hacking

00:03:21.639 --> 00:03:24.620
techniques and helpful information for hackers.

00:03:24.620 --> 00:03:28.959
Phrack is the longest-running online hacker magazine and still is kind of releasing issues

00:03:28.959 --> 00:03:30.090
today.

00:03:30.090 --> 00:03:36.200
In March of 1993, issue 42 of Phrack was released and in this issue there was a massive listing

00:03:36.200 --> 00:03:38.709
of all known Sprintnet numbers.

00:03:38.709 --> 00:03:43.349
There were details on how to connect to all of them and what each system might be.

00:03:43.349 --> 00:03:48.019
It broke down into sections of states or companies connected to Sprintnet such as numbers to

00:03:48.019 --> 00:03:52.749
dial into Apple, Westinghouse, and a bunch of numbers to connect into Citibank.

00:03:52.749 --> 00:03:56.799
Citibank is a major bank in the US and headquartered in New York City.

00:03:56.799 --> 00:04:03.349
This issue of Phrack told you the online location of 363 different Citibank computers.

00:04:03.349 --> 00:04:07.680
Citibank used Sprintnet to communicate between their major offices and other banks that were

00:04:07.680 --> 00:04:08.870
connected to it.

00:04:08.870 --> 00:04:13.830
The Citibank offices were in Singapore, Manila, Tokyo, New York, Milan, Paris, and they were

00:04:13.830 --> 00:04:15.220
all connected over Sprintnet.

00:04:15.220 --> 00:04:21.060
These systems were UNIX systems, VAX computers, DEC servers, mail servers, and more.

00:04:21.060 --> 00:04:25.730
Phrack had just unveiled the addresses of all these systems at Citibank.

00:04:25.730 --> 00:04:28.930
It kind of looked like a phone book or a directory listing.

00:04:28.930 --> 00:04:33.400
It was the area code and then a one-to-four digit number which was the network address.

00:04:33.400 --> 00:04:37.210
This was just a map of what was out there and it didn’t actually tell you how to hack

00:04:37.210 --> 00:04:38.210
into any of it.

00:04:38.210 --> 00:04:44.070
A couple of hackers in St. Petersburg, Russia took notice of all these Citibank systems

00:04:44.070 --> 00:04:46.440
and began dialing into them.

00:04:46.440 --> 00:04:50.540
Their goal was simply to find if any of the Citibank computers were connected to the internet

00:04:50.540 --> 00:04:54.260
so they could go through Citibank to get onto the internet.

00:04:54.260 --> 00:04:58.000
Because at that time, it cost to connect to the internet but it was free to connect to

00:04:58.000 --> 00:05:01.910
Sprintnet so the hackers just wanted to find a free way to get on the internet.

00:05:01.910 --> 00:05:05.960
The two hackers spent a lot of time scouring the Citibank’s network, connecting to one

00:05:05.960 --> 00:05:10.670
number after another, learning what’s there and seeing what you can do once you get there.

00:05:10.670 --> 00:05:14.990
For over a year they kind of poked at it but didn’t really find anything interesting.

00:05:14.990 --> 00:05:19.310
Most connections simply wouldn’t let you do anything at all or were password protected.

00:05:19.310 --> 00:05:24.670
But these two Russian hackers kept at it, connecting to these nodes over and over trying

00:05:24.670 --> 00:05:26.690
to see if there’s anything new there.

00:05:26.690 --> 00:05:32.250
One day one of the systems that normally asked them for a password was wide open.

00:05:32.250 --> 00:05:37.010
[MUSIC] Someone had used that computer and forgot to log out.

00:05:37.010 --> 00:05:40.490
On these old systems you could sort of ride in on other people’s logins.

00:05:40.490 --> 00:05:44.220
The hacker quickly tried to see if their access would allow them to see the password.

00:05:44.220 --> 00:05:46.090
Sure enough, it did.

00:05:46.090 --> 00:05:49.870
Sitting there in the config file was the username and password in clear text.

00:05:49.870 --> 00:05:54.370
It wasn’t great security in 1994 so this was something you’d see sometimes.

00:05:54.370 --> 00:05:59.000
But once the hacker got one known password they were able to get more passwords.

00:05:59.000 --> 00:06:04.650
They scanned all 363 Citibank nodes to see which ones they could log in with these

00:06:04.650 --> 00:06:05.650
new passwords.

00:06:05.650 --> 00:06:10.250
Before long these two hackers had gained access to numerous Citibank devices and from there

00:06:10.250 --> 00:06:14.360
they were able to map out a large portion of the Citibank network and eventually the

00:06:14.360 --> 00:06:17.770
hacker found a device in Chile that was connected to the internet.

00:06:17.770 --> 00:06:21.930
They were now able to dial into that system and get to the internet for free without having

00:06:21.930 --> 00:06:25.510
to pay for America Online or CompuServe or whatever it was at the time.

00:06:25.510 --> 00:06:29.690
This satisfied one of these Russian hackers but the other dug deeper.

00:06:29.690 --> 00:06:31.200
His name was Buckazoid.

00:06:31.200 --> 00:06:35.280
Buckazoid was fascinated with all the access they gained to Citibank’s network and couldn’t

00:06:35.280 --> 00:06:36.280
let it go.

00:06:36.280 --> 00:06:40.420
He would connect to some and watch what people did on there and try to take a guess at what

00:06:40.420 --> 00:06:42.010
each of the computers was for.

00:06:42.010 --> 00:06:46.410
He eventually found his way onto a computer that looked like it was used to transfer money.

00:06:46.410 --> 00:06:51.390
Operators of this machine would log in, type in the bank, the bank account number, the

00:06:51.390 --> 00:06:54.540
amount to transfer, and away the money would go.

00:06:54.540 --> 00:06:55.860
This was amazing.

00:06:55.860 --> 00:07:00.580
Buckazoid had discovered the exact place and commands and logins needed to transfer money

00:07:00.580 --> 00:07:05.380
from one bank to another, but he also noticed this computer logged everything, every command,

00:07:05.380 --> 00:07:08.590
every connection, and every transfer that was done.

00:07:08.590 --> 00:07:12.180
He believed these logs would probably have been printed out every day and put on a shelf

00:07:12.180 --> 00:07:13.490
for long-term reference.

00:07:13.490 --> 00:07:18.600
At that time Citibank was processing half a trillion dollars a day through these systems.

00:07:18.600 --> 00:07:23.170
Even though there was a lot of logs, a rogue transfer might go undetected.

00:07:23.170 --> 00:07:26.320
Buckazoid and his hacker friend did not take that chance.

00:07:26.320 --> 00:07:31.000
Instead he told another computer guy in St. Petersburg named Vladimir Levin what he found.

00:07:31.000 --> 00:07:35.920
Vladimir was very interested in what Buckazoid found and gave him a hundred dollars for all

00:07:35.920 --> 00:07:40.900
the information; how to connect, usernames and passwords, which systems to connect to,

00:07:40.900 --> 00:07:42.700
and how to do the bank transfer.

00:07:42.700 --> 00:07:46.550
This kind of freaked out Buckazoid and his hacker friend so they disappeared from the

00:07:46.550 --> 00:07:50.820
Citibank network, thinking it was too risky to hang out there now that Vladimir knew their

00:07:50.820 --> 00:07:51.820
secret.

00:07:51.820 --> 00:07:55.180
The story of Buckazoid and his hacker friend in St. Petersburg may not be true.

00:07:55.180 --> 00:07:58.590
These hackers have never been found and the hackers like this don’t like telling their

00:07:58.590 --> 00:08:02.320
stories but there was one Russian blog post about this.

00:08:02.320 --> 00:08:06.620
That’s all I’m going by but this story makes a lot of sense to me because it matches

00:08:06.620 --> 00:08:08.840
a lot of other details that were going on at the time.

00:08:08.840 --> 00:08:12.440
Like, I confirmed the Citibank codes were actually published in the Phrack magazine

00:08:12.440 --> 00:08:14.590
at that time and a few other things.

00:08:14.590 --> 00:08:21.290
But what we do know for sure is that by that summer of 1994, Vladimir Levin in St. Petersburg,

00:08:21.290 --> 00:08:27.900
Russia had everything he needed to make a rogue money transfer out of Citibank.

00:08:27.900 --> 00:08:32.560
Vladimir was thirty years old, living in St. Petersburg, Russia and he was really into

00:08:32.560 --> 00:08:33.560
computers.

00:08:33.560 --> 00:08:37.120
PCs were just becoming a thing at this time and Vladimir would put computers together

00:08:37.120 --> 00:08:39.000
for people and deal with computer parts.

00:08:39.000 --> 00:08:42.590
He also had a day job where he’d work for a software company.

00:08:42.590 --> 00:08:44.770
But he had a bit of a dark side to him.

00:08:44.770 --> 00:08:48.960
Perhaps it was because of growing up and seeing the lawless side of Russia.

00:08:48.960 --> 00:08:52.900
Whatever it was, he wasn’t afraid of hanging out with some rough guys or stealing some

00:08:52.900 --> 00:08:54.270
stuff.

00:08:54.270 --> 00:08:57.279
Vladimir checked his access to the Citibank computer.

00:08:57.279 --> 00:08:59.220
He went to work where the good computers are.

00:08:59.220 --> 00:09:00.920
He dialed into Sprintnet.

00:09:00.920 --> 00:09:05.230
He logged into the Citibank cash management system and confirmed he could type commands

00:09:05.230 --> 00:09:06.410
in it.

00:09:06.410 --> 00:09:10.960
[BEEPING] All he would need to do is type a few keystrokes, hit Enter, and the money

00:09:10.960 --> 00:09:15.150
would be transferred to wherever he wanted.

00:09:15.150 --> 00:09:19.570
He knew this was a big deal and didn’t want to transfer the money to himself right there

00:09:19.570 --> 00:09:20.710
in St. Petersburg.

00:09:20.710 --> 00:09:24.420
He met up with a friend who agreed to go to Finland and they’d send the money there.

00:09:24.420 --> 00:09:26.921
The friend arrived in Finland and stood by waiting for Vladimir.

00:09:26.921 --> 00:09:31.670
[TYPING, DIALING] Vladimir went to work and fired up his computer, dialed into Sprintnet,

00:09:31.670 --> 00:09:35.830
logged into the Citibank computer, and typed in the commands to transfer some money to

00:09:35.830 --> 00:09:38.890
Finland and hit Enter.

00:09:38.890 --> 00:09:43.080
[POWER SURGE] The computer accepted the commands and the transfer was complete.

00:09:43.080 --> 00:09:46.070
Vladimir called his friend in Finland and told him to withdraw the money.

00:09:46.070 --> 00:09:51.580
The friend went to the bank and sure enough, there was a brand-new $400,000 in his account.

00:09:51.580 --> 00:09:56.040
He withdrew all $400,000 and got out of the country.

00:09:56.040 --> 00:10:01.250
[MUSIC] The excitement of stealing this much money gave Vladimir wild dreams.

00:10:01.250 --> 00:10:02.250
This was easy.

00:10:02.250 --> 00:10:03.530
This was way too easy.

00:10:03.530 --> 00:10:08.779
He wanted to do it again and again and started thinking of ways to conduct the next one.

00:10:08.779 --> 00:10:16.740
But on the other side of the globe in New York City, this transaction raised alarms.

00:10:16.740 --> 00:10:23.270
The Citibank IT staff noticed this but they were too slow to react to stop the transfer.

00:10:23.270 --> 00:10:27.770
The VAX computer that their cash management system was on logged every transaction and

00:10:27.770 --> 00:10:29.940
this one triggered an alert.

00:10:29.940 --> 00:10:33.420
This was a lot of money so Citibank quickly called the FBI.

00:10:33.420 --> 00:10:36.339
[PHONE RINGING] I called the FBI too.

00:10:36.339 --> 00:10:37.339
STEVE: Hello.

00:10:37.339 --> 00:10:40.190
JACK: So we can get the inside scoop to this story.

00:10:40.190 --> 00:10:41.839
STEVE: I’m Steve Garfinkel.

00:10:41.839 --> 00:10:42.990
I’m a retired FBI agent.

00:10:42.990 --> 00:10:50.250
I spent twenty-one years in the FBI and I was a case agent on the Vladimir Levin case.

00:10:50.250 --> 00:10:54.200
JACK: I was able to talk to Steve as he was driving back home from a summer trip.

00:10:54.200 --> 00:10:55.940
He had a long drive on his hands.

00:10:55.940 --> 00:10:56.940
STEVE: Five hours altogether, yep.

00:10:56.940 --> 00:10:59.540
JACK: He was willing to talk to me on this car ride.

00:10:59.540 --> 00:11:00.911
We talked about podcasts we listen to.

00:11:00.911 --> 00:11:01.911
STEVE: You should listen to that.

00:11:01.911 --> 00:11:04.140
It’s really a good story.

00:11:04.140 --> 00:11:05.380
JACK: And computer problems.

00:11:05.380 --> 00:11:07.950
STEVE: My freaking MacBook totally crashed.

00:11:07.950 --> 00:11:12.550
JACK: But of course, I was fascinated with the Vladimir Levin case.

00:11:12.550 --> 00:11:21.190
STEVE: Yeah, so the case started in summer of 1994 and I was working in the FBI New York

00:11:21.190 --> 00:11:29.279
office and contacted by the victim bank here which was Citibank.

00:11:29.279 --> 00:11:34.970
[MUSIC] When I started this the FBI definitely did not have a cyber-division.

00:11:34.970 --> 00:11:42.580
There were no computer squads so I was not a computer expert by any means.

00:11:42.580 --> 00:11:46.290
For me, it was a lot of on-the-job training.

00:11:46.290 --> 00:11:53.540
My role was not so much to figure out the bits and the bytes as to what happened but

00:11:53.540 --> 00:12:00.399
to – what every FBI agent does which is you gather evidence that’s going to be used

00:12:00.399 --> 00:12:01.620
in a prosecution.

00:12:01.620 --> 00:12:04.980
JACK: The technical parts to this were all handled by Citibank.

00:12:04.980 --> 00:12:09.680
They had an IT department with a great system in place for detecting fraudulent transactions

00:12:09.680 --> 00:12:12.540
and they would give this information to Steve at the FBI.

00:12:12.540 --> 00:12:18.510
STEVE: They were basically monitoring this system and they knew when a bad transfer was

00:12:18.510 --> 00:12:19.510
happening.

00:12:19.510 --> 00:12:22.440
JACK: Citibank’s ears were perked up, waiting for the next alert.

00:12:22.440 --> 00:12:27.160
They knew exactly how to detect a bad transfer and now they were ready to call the FBI the

00:12:27.160 --> 00:12:28.230
moment they detected it.

00:12:28.230 --> 00:12:35.250
STEVE: So what we started doing at that point was trying to identify who the bad bennies

00:12:35.250 --> 00:12:36.250
are.

00:12:36.250 --> 00:12:37.899
The bad guys are gonna want to take the money out.

00:12:37.899 --> 00:12:43.330
JACK: A bad benny or beneficiary is the receiving bank that the money is fraudulently sent to.

00:12:43.330 --> 00:12:46.490
The FBI was poised and ready for this to happen again.

00:12:46.490 --> 00:12:52.270
Back in St. Petersburg Vladimir had a friend who was a neurosurgeon but this guy found

00:12:52.270 --> 00:12:57.080
out he could make more money as a computer-distributor than a brain surgeon so he switched to doing

00:12:57.080 --> 00:12:58.080
that instead.

00:12:58.080 --> 00:13:02.339
Vladimir knew this neurosurgeon computer-distributor and told him about the money transfer that

00:13:02.339 --> 00:13:03.490
he knew how to do.

00:13:03.490 --> 00:13:08.140
The neurosurgeon was connected to some shady guys and knew just who could help.

00:13:08.140 --> 00:13:10.930
He introduced Vladimir to a few guys from the Tambov gang.

00:13:10.930 --> 00:13:15.970
This is a gang out of Tambov, Russia who are ex-wrestlers and they turned into regular

00:13:15.970 --> 00:13:17.780
street thugs.

00:13:17.780 --> 00:13:20.160
[MUSIC] The gang was rough.

00:13:20.160 --> 00:13:21.960
Picture your average mafia-style gang.

00:13:21.960 --> 00:13:25.640
They’d go into businesses and threaten the owner with violence unless they’d pay the

00:13:25.640 --> 00:13:26.920
gang a commission.

00:13:26.920 --> 00:13:30.210
In exchange the gang would watch over the businesses to make sure nobody else would

00:13:30.210 --> 00:13:31.210
rob the place.

00:13:31.210 --> 00:13:35.540
This was known as a protection racket and the gang was making a name for itself clashing

00:13:35.540 --> 00:13:40.000
with other gangs, taking over new territories, and leaving a trail of blood wherever it would

00:13:40.000 --> 00:13:41.000
go.

00:13:41.000 --> 00:13:45.170
Vladimir met up with this Tambov gang asking for help to go around the world and collect

00:13:45.170 --> 00:13:46.780
money from these bank transfers.

00:13:46.780 --> 00:13:51.310
The Tambov gang agreed to this plan and would finance the people to fly to foreign countries,

00:13:51.310 --> 00:13:55.620
set up bank accounts there, and collect the money and fly back.

00:13:55.620 --> 00:14:00.300
The plan was in place and the next chapter was about to begin.

00:14:00.300 --> 00:14:04.529
The Tambov gang sent someone to Argentina who opened a bank account there and gave Vladimir

00:14:04.529 --> 00:14:06.089
the bank account number.

00:14:06.089 --> 00:14:10.740
Vladimir went to work, turned on his computer, connected to Sprintnet, logged into the Citibank

00:14:10.740 --> 00:14:14.630
computer and typed in the commands to make the transfer.

00:14:14.630 --> 00:14:19.160
[POWER SURGE] The money was deposited in the bank account in Argentina.

00:14:19.160 --> 00:14:21.300
But Citibank caught this transaction immediately.

00:14:21.300 --> 00:14:23.730
STEVE: The bank was monitoring their systems.

00:14:23.730 --> 00:14:26.820
We knew that there was a bad transfer going to this bank.

00:14:26.820 --> 00:14:31.020
JACK: The FBI was able to notify the bank in time to freeze the account.

00:14:31.020 --> 00:14:35.110
When that member of the Tambov gang went to withdraw the funds, the account was frozen

00:14:35.110 --> 00:14:38.310
and he couldn’t get it out so he quickly left the bank.

00:14:38.310 --> 00:14:42.120
It all happened too fast for the Argentina police to catch them.

00:14:42.120 --> 00:14:46.220
This mission was a failure for Vladimir and a success for Citibank but this wouldn’t

00:14:46.220 --> 00:14:47.830
slow him down at all.

00:14:47.830 --> 00:14:52.160
Vladimir quickly set up another attempt with the Tambov gang, this time in Israel.

00:14:52.160 --> 00:14:53.910
Vladimir went to work.

00:14:53.910 --> 00:15:01.000
[BEEPING, POWER SURGE] He transferred a large amount of money to this accomplice in Israel.

00:15:01.000 --> 00:15:04.580
Citibank detected this bad transfer right away and notified the FBI.

00:15:04.580 --> 00:15:10.839
STEVE: The Israeli cops arrested a guy by the name of Aleksey Loshmanov.

00:15:10.839 --> 00:15:12.611
JACK: Another failed transfer for Vladimir.

00:15:12.611 --> 00:15:15.940
Vladimir wasn’t sure how these banks were detecting this.

00:15:15.940 --> 00:15:19.110
He thought he just caught a couple bad breaks.

00:15:19.110 --> 00:15:22.740
Vladimir worked with the gang to coordinate another attempt.

00:15:22.740 --> 00:15:26.930
This time a guy named Yevgeny Korolkov would travel with his wife to San Francisco and

00:15:26.930 --> 00:15:29.209
open up numerous bank accounts there.

00:15:29.209 --> 00:15:32.870
The plan was to do multiple bank transfers to see if any of them would go through.

00:15:32.870 --> 00:15:37.700
Yevgeny set up five bank accounts in San Francisco and was ready for the transfers.

00:15:37.700 --> 00:15:39.970
But for some reason he wasn’t able to wait around.

00:15:39.970 --> 00:15:46.029
He left the country and went back to Russia, but he left his young wife Katarina behind

00:15:46.029 --> 00:15:47.870
to withdraw the money.

00:15:47.870 --> 00:15:50.899
Vladimir got the bank account numbers and went to work.

00:15:50.899 --> 00:15:56.200
[BEEPING, POWER TRANSFER] The transfer was complete and they notified Katarina.

00:15:56.200 --> 00:15:59.050
She went to the bank to withdraw the money.

00:15:59.050 --> 00:16:02.790
STEVE: At that point the bank was monitoring their systems.

00:16:02.790 --> 00:16:07.390
We knew that there was a bad transfer going to this – one of the, I think it was Sumitomo

00:16:07.390 --> 00:16:11.160
Bank in San Francisco.

00:16:11.160 --> 00:16:16.180
She came in to make a withdrawal and they said oh, something’s not right here.

00:16:16.180 --> 00:16:21.940
You’ll have to come back tomorrow to pick up the money, to make the withdrawal.

00:16:21.940 --> 00:16:30.910
When she came back the following day FBI San Francisco office was waiting for her and arrested

00:16:30.910 --> 00:16:31.910
her.

00:16:31.910 --> 00:16:36.370
JACK: When the FBI agents searched her apartment in San Francisco her bags were already packed

00:16:36.370 --> 00:16:38.450
and there was a one-way plane ticket to Russia.

00:16:38.450 --> 00:16:43.370
But instead of going back to Russia she took a one-way trip to New York City where she

00:16:43.370 --> 00:16:46.740
would sit in a jail and await her trial.

00:16:46.740 --> 00:16:49.740
STEVE: She was gonna go to trial.

00:16:49.740 --> 00:16:54.769
Just before trial she agreed to cooperate.

00:16:54.769 --> 00:16:58.470
She calls her husband in Russia.

00:16:58.470 --> 00:17:02.700
JACK: She apparently was really mad at her husband for leaving her behind and getting

00:17:02.700 --> 00:17:04.170
her in jail.

00:17:04.170 --> 00:17:07.260
She demanded he come back to help get her out.

00:17:07.260 --> 00:17:10.959
One FBI agent said that she practically read him The Riot Act over the phone.

00:17:10.959 --> 00:17:17.770
STEVE: We convinced her husband to, over the phone, to cooperate with us.

00:17:17.770 --> 00:17:21.280
JACK: This was a stroke of luck for the FBI.

00:17:21.280 --> 00:17:26.030
The guy who got arrested in Israel got a nice private lawyer but Katarina had a public defendant

00:17:26.030 --> 00:17:29.520
so her husband got real mad about this and wanted to come out and help her.

00:17:29.520 --> 00:17:34.650
Once Yevgeny agreed to cooperate the FBI was able to convince him to call Vladimir Levin

00:17:34.650 --> 00:17:35.650
on the phone.

00:17:35.650 --> 00:17:36.990
STEVE: We convince him.

00:17:36.990 --> 00:17:43.660
This is all over the phone, New York to Russia to call Levin while we’re listening to the

00:17:43.660 --> 00:17:44.660
call.

00:17:44.660 --> 00:17:48.270
It’s a three-way call.

00:17:48.270 --> 00:17:49.410
Levin doesn’t know this.

00:17:49.410 --> 00:17:50.930
So Korolkov and Levin speak.

00:17:50.930 --> 00:17:55.290
We basically get Levin admitting to the whole scheme.

00:17:55.290 --> 00:18:00.799
JACK: Now the FBI has their proof of who was behind this case with a name and location.

00:18:00.799 --> 00:18:03.420
This would be enough evidence to begin going after Vladimir.

00:18:03.420 --> 00:18:12.490
STEVE: But we get an arrest warrant for Levin but we had no extradition agreement with the

00:18:12.490 --> 00:18:13.490
Russians.

00:18:13.490 --> 00:18:14.550
The Russians aren’t going to arrest Levin.

00:18:14.550 --> 00:18:19.559
JACK: Yevgeny Korolkov flies from Russia to New York to come help his wife and to turn

00:18:19.559 --> 00:18:20.720
himself in.

00:18:20.720 --> 00:18:24.080
Steve and the FBI team were waiting for him at the airport.

00:18:24.080 --> 00:18:28.760
As soon as he de-boards the plane the FBI move in to arrest him but he has something

00:18:28.760 --> 00:18:31.290
that totally surprises the FBI.

00:18:31.290 --> 00:18:33.880
He brought his six-year-old daughter.

00:18:33.880 --> 00:18:37.490
STEVE: He shows up at the airport with the girl.

00:18:37.490 --> 00:18:42.830
I’m like what the – nobody said anything about them having a daughter.

00:18:42.830 --> 00:18:45.299
JACK: The FBI is totally flabbergasted on what to do about this girl.

00:18:45.299 --> 00:18:48.120
STEVE: We can’t have them both in jail with their daughter here.

00:18:48.120 --> 00:18:50.130
That wasn’t gonna work.

00:18:50.130 --> 00:18:54.620
JACK: To top that off the immigration officer’s refusing to allow Korolkov and his daughter

00:18:54.620 --> 00:18:55.620
into the country.

00:18:55.620 --> 00:18:56.620
STEVE: He doesn’t have a visa.

00:18:56.620 --> 00:18:59.110
The whole thing was a mess.

00:18:59.110 --> 00:19:02.650
Immigration wasn’t gonna let him into the country and I’m standing there at Immigration.

00:19:02.650 --> 00:19:07.460
They couldn’t care less, me being an FBI agent and this is a witness.

00:19:07.460 --> 00:19:11.080
Then I look at the guy’s nametag, the Immigration guy.

00:19:11.080 --> 00:19:16.030
It’s a guy I went to summer camp with when I was a kid.

00:19:16.030 --> 00:19:18.790
He’s like oh, Steve, yeah, no problem.

00:19:18.790 --> 00:19:22.250
He’s like yeah, he can come in the country.

00:19:22.250 --> 00:19:23.530
Yeah [audible].

00:19:23.530 --> 00:19:28.720
JACK: So Yevgeny and Katarina both get locked up in jail.

00:19:28.720 --> 00:19:32.179
Steve took the six-year-old daughter around with him until he could figure out what to

00:19:32.179 --> 00:19:33.179
do with her.

00:19:33.179 --> 00:19:35.320
STEVE: We weren’t in the office really.

00:19:35.320 --> 00:19:39.230
She was in the office I think for a short amount of time.

00:19:39.230 --> 00:19:41.540
But we were just kind of driving.

00:19:41.540 --> 00:19:47.720
Then at some point the kid got carsick and she puked in the back of my Crown Vic.

00:19:47.720 --> 00:19:50.500
That’s another couple hours to talk about.

00:19:50.500 --> 00:19:55.000
JACK: Eventually Steve got the mother out on bail and got some informant funds to help

00:19:55.000 --> 00:19:56.000
them out.

00:19:56.000 --> 00:19:59.340
The mother couldn’t leave the country because she was needed to cooperate with the case

00:19:59.340 --> 00:20:02.770
but because of this kid Steve helped them out and…

00:20:02.770 --> 00:20:04.080
STEVE: Get them an apartment.

00:20:04.080 --> 00:20:11.330
Not only that, I get her an apartment, plus I got her registered in school and a vaccine.

00:20:11.330 --> 00:20:14.270
They won’t register the kid without their vaccine.

00:20:14.270 --> 00:20:18.870
I should have got an award for being a social worker that day.

00:20:18.870 --> 00:20:20.650
It was crazy.

00:20:20.650 --> 00:20:28.500
JACK: At this point Vladimir strikes again, this time transferring 1.5 million dollars

00:20:28.500 --> 00:20:30.790
to a bank in Rotterdam in the Netherlands.

00:20:30.790 --> 00:20:32.390
Quickly, Citibank called the FBI.

00:20:32.390 --> 00:20:37.010
STEVE: The first thing they did is call the bank and said hey, you got a million and a

00:20:37.010 --> 00:20:38.660
half dollars going there.

00:20:38.660 --> 00:20:40.290
It’s a bad transfer.

00:20:40.290 --> 00:20:46.860
They, at the same time, were calling the cops and getting everyone on board.

00:20:46.860 --> 00:20:53.570
The Dutch police arrested an Anatoly Lysenkov, the guy who was arrested in Holland picking

00:20:53.570 --> 00:20:54.570
up money.

00:20:54.570 --> 00:20:59.809
He thought he was gonna pick up one and a half million dollars in a bank in Holland.

00:20:59.809 --> 00:21:04.370
He got to the bank and the Dutch cops were waiting for him.

00:21:04.370 --> 00:21:07.770
They locked him up.

00:21:07.770 --> 00:21:10.000
I traveled to Holland.

00:21:10.000 --> 00:21:14.270
I interviewed him while I was there and he denied everything, made up some stories, he

00:21:14.270 --> 00:21:17.240
was picking up the money for somebody.

00:21:17.240 --> 00:21:20.200
He didn’t know it was stolen funds.

00:21:20.200 --> 00:21:24.820
Anyway, we end up – he waives the extradition, came to the US.

00:21:24.820 --> 00:21:31.570
Then when we went to interview him in the US he said well, first of all my name is not

00:21:31.570 --> 00:21:32.590
Anatoly Lysenkov.

00:21:32.590 --> 00:21:34.890
My name is Vladimir Voronin.

00:21:34.890 --> 00:21:37.700
Then he tells us the whole story.

00:21:37.700 --> 00:21:42.690
JACK: Back in St. Petersburg, Vladimir Levin continued to attempt to do money transfers.

00:21:42.690 --> 00:21:47.540
[POWER SURGES] In the course of the next six months he conducted dozens of transfer attempts

00:21:47.540 --> 00:21:50.020
totalling over ten million dollars.

00:21:50.020 --> 00:21:52.970
All attempts were foiled by Citibank and the FBI.

00:21:52.970 --> 00:21:57.170
The FBI was getting closer to finding Vladimir but because he was in Russia the police there

00:21:57.170 --> 00:22:00.180
wouldn’t cooperate entirely with the FBI to arrest him.

00:22:00.180 --> 00:22:03.030
But the FBI did tell the Russian police they’re looking for him.

00:22:03.030 --> 00:22:10.230
STEVE: Turns out when we did that phone call between Korolkov and Levin and we were listening

00:22:10.230 --> 00:22:12.510
in, the Russian cops were listening in too.

00:22:12.510 --> 00:22:19.070
JACK: The Russian police were tracking the Tambov gang which led them to Vladimir so

00:22:19.070 --> 00:22:22.820
they were listening in on the call looking for information on what the next crime might

00:22:22.820 --> 00:22:24.000
be committed in Russia.

00:22:24.000 --> 00:22:29.010
STEVE: [MUSIC] They tipped us off when Levin was leaving the country.

00:22:29.010 --> 00:22:33.650
Levin was flying from St. Petersburg to Holland.

00:22:33.650 --> 00:22:39.320
I’m not sure if it was where in Holland, Amsterdam, or Rotterdam probably.

00:22:39.320 --> 00:22:44.799
But he had to change planes in London.

00:22:44.799 --> 00:22:47.549
He was flying through Stansted Airport.

00:22:47.549 --> 00:22:52.700
JACK: When Steve and the FBI got this tip they immediately called the UK police who

00:22:52.700 --> 00:22:58.930
were able to quickly go to the airport and find Vladimir waiting in the lounge and arrested

00:22:58.930 --> 00:22:59.930
him.

00:22:59.930 --> 00:23:04.870
Vladimir was held in UK police custody and put in jail but Vladimir was denying the involvement

00:23:04.870 --> 00:23:08.490
in the whole thing, saying he had nothing to do with the hacking and claiming complete

00:23:08.490 --> 00:23:09.710
innocence.

00:23:09.710 --> 00:23:13.360
This made the FBI wonder a little if they had the right guy.

00:23:13.360 --> 00:23:17.660
The only evidence they had was a phone call between Korolkov and Vladimir where Vladimir

00:23:17.660 --> 00:23:18.660
was admitting to it.

00:23:18.660 --> 00:23:24.710
STEVE: The Russian cops arrested a bunch of people who were part of this Tambov gang and

00:23:24.710 --> 00:23:30.820
they seized a bunch of computers from Levin that were from that business.

00:23:30.820 --> 00:23:35.679
[MUSIC] I went to Russia and we did a search of those computers.

00:23:35.679 --> 00:23:40.179
I went over there with a guy who was an FBI agent who was a forensic examiner.

00:23:40.179 --> 00:23:45.299
We basically found the smoking gun stuff on that computer.

00:23:45.299 --> 00:23:51.270
We know that was the computer they were using to hack into the bank.

00:23:51.270 --> 00:24:00.350
Then when we found that smoking gun stuff on the computer, it was in the police

00:24:00.350 --> 00:24:06.960
headquarters in St. Petersburg and it was about 11:00 in the morning and that precipitated

00:24:06.960 --> 00:24:09.710
a big celebration.

00:24:09.710 --> 00:24:17.020
[MUSIC] I have to say at the end of that day, I don’t think before that day or after that

00:24:17.020 --> 00:24:20.700
day, I have never drank so much vodka.

00:24:20.700 --> 00:24:22.860
It was a huge celebration.

00:24:22.860 --> 00:24:26.960
We were drinking vodka, eating pickles.

00:24:26.960 --> 00:24:30.960
It was actually a very crazy day.

00:24:30.960 --> 00:24:35.360
We ended up going to a party somewhere that night.

00:24:35.360 --> 00:24:41.679
It was really – nobody answered the bell the following morning, put it that way.

00:24:41.679 --> 00:24:45.960
JACK: Now the FBI have felt confident they completely busted this crew up.

00:24:45.960 --> 00:24:50.320
They arrested the main hacker involved, seized the computers that were used to do this with,

00:24:50.320 --> 00:24:52.200
and arrested four members of this gang.

00:24:52.200 --> 00:24:55.460
Vladimir Levin was still being held in a jail in the UK.

00:24:55.460 --> 00:24:58.640
STEVE: At some point I actually – we went to England.

00:24:58.640 --> 00:25:00.480
I went to London.

00:25:00.480 --> 00:25:04.470
We had an extradition hearing.

00:25:04.470 --> 00:25:09.789
JACK: After being held for thirty months in UK jails, Vladimir Levin was extradited to

00:25:09.789 --> 00:25:10.789
the US.

00:25:10.789 --> 00:25:15.220
During his trial in the US, after he saw the amount of evidence they had against him, he

00:25:15.220 --> 00:25:19.510
pled guilty and explained and admitted to everything.

00:25:19.510 --> 00:25:24.760
Vladimir Levin attempted forty fraudulent money transfers totalling ten million dollars.

00:25:24.760 --> 00:25:32.309
He was able to successfully steal $400,000 and that was before the FBI got involved.

00:25:32.309 --> 00:25:35.770
Neither Citibank or the FBI could recover that $400,000.

00:25:35.770 --> 00:25:40.429
It’s believed that money was used to purchase guns and weapons.

00:25:40.429 --> 00:25:44.820
Vladimir was sentenced to three years in prison but the thirty months that he was being held

00:25:44.820 --> 00:25:49.679
in UK jails counted towards this, so he only had to serve less than a year in US prison.

00:25:49.679 --> 00:25:52.299
He was also sentenced to pay back $240,000 in restitution.

00:25:52.299 --> 00:25:54.720
STEVE: I have no idea what happened to him.

00:25:54.720 --> 00:26:02.850
I even heard at one point that he went to – he was in Eastern Europe, not in Russia.

00:26:02.850 --> 00:26:09.310
He was in Prague and I had heard he had been killed.

00:26:09.310 --> 00:26:10.310
I don’t know if any of that’s true.

00:26:10.310 --> 00:26:15.570
I’d be kind of curious as to whatever really happened to him.

00:26:15.570 --> 00:26:19.880
JACK: [MUSIC] I wasn’t able to track down what he’s up to, either.

00:26:19.880 --> 00:26:24.280
He probably changed his name after this because Vladimir Levin went down in the history books

00:26:24.280 --> 00:26:27.070
as one of the most notorious hackers of all time.

00:26:27.070 --> 00:26:30.450
That’s because he was the first-known online bank robber.

00:26:30.450 --> 00:26:34.050
Vladimir didn’t use a gun or a mask or even a note.

00:26:34.050 --> 00:26:36.380
He did the whole thing from across the world.

00:26:36.380 --> 00:26:41.880
In 1994 this was a really big deal and being the first in something like this will often

00:26:41.880 --> 00:26:43.429
make you famous.

00:26:43.429 --> 00:26:45.750
Since this incident, the world changed.

00:26:45.750 --> 00:26:47.630
More crimes started being conducted online.

00:26:47.630 --> 00:26:54.049
STEVE: [MUSIC] About a year, year and a half later, the FBI formed its first computer crime

00:26:54.049 --> 00:26:55.049
squad.

00:26:55.049 --> 00:27:02.022
There was one in San Francisco, there was one in DC, and we formed one in New York.

00:27:02.022 --> 00:27:05.039
I ended up on that squad.

00:27:05.039 --> 00:27:08.370
Every crime now digital forensics are involved.

00:27:08.370 --> 00:27:15.790
Even if you talk to any homicide investigator, those homicides now are key evidence found

00:27:15.790 --> 00:27:17.640
in a digital form.

00:27:17.640 --> 00:27:21.330
That’s really I think a huge change in law enforcement.

00:27:21.330 --> 00:27:26.030
You look at any kind of crime out there, any kind, and it involved digital forensics.

00:27:26.030 --> 00:27:30.530
JACK: It’s amazing to witness firsthand the digital transformation our world went

00:27:30.530 --> 00:27:32.580
through in the last thirty years.

00:27:32.580 --> 00:27:33.760
We were here for it.

00:27:33.760 --> 00:27:37.770
Generations from now we’ll look back on the 1980s and think it was so primitive and

00:27:37.770 --> 00:27:39.410
crude.

00:27:39.410 --> 00:27:43.309
Computers and the internet have changed every one of our lives in almost every way.

00:27:43.309 --> 00:27:47.309
How we meet friends, how we order food, and how we go to school.

00:27:47.309 --> 00:27:51.910
How we solve crimes, and even how some people rob banks.

00:27:51.910 --> 00:28:01.610
JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries.

00:28:01.610 --> 00:28:05.150
Please consider donating to help support this show by visiting darknetdiaries.com/donate.

00:28:05.150 --> 00:28:07.460
It really helps a lot.

00:28:07.460 --> 00:28:12.340
This show is made by me, the Karate Skid, Jack Rhysider and the theme music is made

00:28:12.340 --> 00:28:22.419
by the masked Breakmaster Cylinder.
