Aleksei Burkov, a cybercriminal who long operated two of Russia’s most exclusive underground hacking forums, was arrested in 2015 by Israeli authorities. The Russian government fought Burkov’s extradition to the U.S. for four years — even arresting and jailing an Israeli woman to force a prisoner swap. That effort failed: Burkov was sent to America, pleaded guilty, and was sentenced to nine years in prison. But a little more than a year later, he was quietly released and deported back to Russia. Now some Republican lawmakers are asking why a Russian hacker once described as “an asset of supreme importance” was allowed to shorten his stay.
A native of St. Petersburg, Russia, Burkov admitted to running CardPlanet, a site that sold more than 150,000 stolen credit card accounts, and to being a founder of DirectConnection — a closely guarded online community that attracted some of the world’s most-wanted Russian hackers.
But Burkov’s cybercriminal activities spanned far beyond mere credit card fraud. A 2019 deep dive into Burkov’s hacker alias “K0pa” revealed he also was co-administrator of the secretive Russian cybercrime forum “Mazafaka.” Like DirectConnection, Mazafaka’s member roster was a veritable “Who’s Who?” of the Russian hacker underground, and K0pa played a key role in vetting new members and settling disputes for both communities.
K0pa’s elevated status in the Russian cybercrime community made him one of the most connected malicious hackers ever apprehended by U.S. authorities. As I wrote at the time of Burkov’s extradition, the Kremlin was probably concerned that he simply knew too much about Russia’s propensity to outsource certain activities to its criminal hacker community.
“To my knowledge, no one has accused Burkov of being some kind of cybercrime fixer or virtual badguy Rolodex for the Russian government,” KrebsOnSecurity wrote in 2019. “On the other hand, from his onetime lofty perch atop some of the most exclusive Russian cybercrime forums, K0pa certainly would have fit that role nicely.”
Burkov was arrested in December 2015 on an international warrant while visiting Israel, and over the ensuing four years the Russian government aggressively sought to keep him from being extradited to the United States.
When Israeli authorities turned down requests to send him back to Russia — supposedly to face separate hacking charges there — the Russians imprisoned Israeli citizen Naama Issachar on trumped-up drug charges in a bid to trade prisoners. Nevertheless, Burkov was extradited to the United States in November 2019.
And if there were any doubts Issachar was jailed for use as a political pawn, Russian President Vladimir Putin erased those by pardoning her in January 2020, just hours after Burkov pleaded guilty in the United States.
In June 2020, Burkov was sentenced to nine years in prison. But a little more than a year later — Aug. 25, 2021 — Burkov was released and deported back to Russia. According to a letter (PDF) sent Monday by four Republican House lawmakers to White House National Security Advisor Jake Sullivan, U.S. Immigration and Customs Enforcement (ICE) officials escorted Burkov onto a plane destined for Moscow shortly after his release.
“An ICE spokesperson stated that Burkov is wanted by Russian authorities, and a DOJ spokesperson denied that a prisoner exchange took place,” the letter reads. “The decision to prematurely release Burkov is curious given the lengths to which the U.S. government went to secure Burkov’s arrest.”
The letter, signed by the ranking members of the House Judiciary, Homeland Security, Intelligence and Foreign Affairs committees, demanded to know why Burkov was released prematurely, and whether the U.S. received anything in return. The lawmakers also asked for a list of all Russian nationals convicted of crimes in the U.S. who were released early since President Biden took office.
Records show Burkov was in the custody of either Israeli or U.S. authorities for almost five years prior to his sentencing in 2020. At the time of his release, Burkov had already been incarcerated for nearly six years. So where did the other years of his sentence go?
That remains unclear, but it is possible he cut some sort of deal to lessen his sentence. On June 16, 2021, a “sealed pleading” was added to Burkov’s court record, followed by a sealed document entered on Aug. 18 — a week before Burkov’s deportation.
The motion to seal these and other documents related to the pleading was made by U.S. federal prosecutors, and those documents remain hidden from public viewing.
Perhaps international arrests have secondary effects down the road: leverage and bargaining.
Or who got released on their side in the game of quid pro quo…
Just like the “I did that” stickers on gas pumps… Wonder who did it?
I suppose the swap could be Brittney Griner. Needless to say I would not be pleased. Time will tell.
She was arrested well after this dude was released.
Verification.
Wow. Way to be tough on Russia, Biden…. No wonder the world doesn’t take him seriously.
Nothing more absurd than claiming Naama Issachar is ‘innocent’.
Squatting on land that belongs to Palestinians is a crime.
Then get your f’ing ass out of the US. You’re squatting on Native American land.
You too.
So are you. But your mother and wife are squatting somewhere else 🙂
k0pa hasn’t done any actual hacking since CyberLords over 15 years ago.
He was not actually arrested for or charged with computer intrusion. He was just the fence for stolen goods.
It was his extensive network of connections that was valuable to us. Not “keeping a dangerous hacker off the streets”. Whatever that means. His position was replaced back in 2015. It’s not like website admins are irreplaceable.
I suspect the DOJ got some valuable information from him in exchange for 30% off his sentence. But this seems like Jim Jordan doing his fake outrage, like they did with Benghazi. They are just in desperate need of a scandal right now.
Yes. I agree, this is really not that shocking. Early release is still common, even in cyber crime cases.
This is BEFORE Russia invaded Ukraine, so at the time it was not surprising that there might be some cooperation between Russia and US law enforcement.
Wasn’t this around the same time that Russia was mysteriously arresting cyber crime groups and shutting down big cyber crime sites? I wonder if this was part of that deal.
We probably were willing to make that deal, give up a prisoner in exchange for some relief against all the big ransomware attacks like Colonial Pipeline.
I think the timing of this letter from the 4 GOP congressmen is deliberate. They want to conflate a pre-Ukraine war deal, with today’s sentiment about Russia. In 2022, this action would be unconscionable. But in 2021, we were still working with Russia on a lot of things.
Just smiling at the fact you were cited in the letter.
Brian, how common is it for a cyber criminal of any nationality to only serve 6 years of a 9 year sentence in the US justice system? I would think it’s very common for domestic criminals but I guess for someone we got extradited into the US they should serve the full term.
I hope we got something for that early release
https://www.justice.gov/usao-ma/pr/russian-national-extradited-role-hacking-and-illegal-trading-scheme
Looks like he was traded for Vladislav Klyushin. A much worse criminal. An actual hacker extradited a few months later to the US for crimes much worse than running a carding website. Seems like a good trade since Burkov was going to be released in a few years anyway.
Mr. NoSecret. Do you know the significance of a co-founder of DirectConnect or Mazafaka admin being in US custody? These are the most elusive, closely guarded cyber criminal forums out there. This is why Moscow tried to get a prisoner exchange with Israel under false charges. K0pa has the keys to the kingdom when it comes to Russian Organized Cybercrime. You can’t get better access.
Trading him for even 5 people like “Vladislav Klyushin” is a mistake. Hundreds of such individuals are the bread and butter of the forums Aleksei Burkov had access to. Can you explain why enabling dozens of people to successfully commit crimes like Vladislav (and much worse) makes sense?
DirectConnect or Mazafaka is nothing compared to Klyushin’s GRU buddies.
Just because Russia is willing to play dirty with a false arrest of an Israeli, doesn’t mean much. They dropped the charges after extradition… so that means any secrets Burkov may have had are no longer of value.
Putin pardoned Issachar immediately after Burkov’s extradition because she was no longer useful in a prisoner swap for Burkov.
So Russia let Burkov sit in an Israeli jail for 4 years. Then, only when he was going to be sent to the US, did they pull that stunt?
So it seems the intent was to keep him out of the US, but they didn’t care so much that he was in custody.
If Burkov had the “keys to the kingdom” or even “knew too much”, then they would have been trying to get him out years earlier.
Firehouse, Mf and Dc are the top tier cybercrime forums out there, it is very likely the GRU and FSB operate on Dc. This particular individual (k0pa) was a suspected fixer for the Russian government with exceptional access.
Russia doesn’t care if he rots for 20 years in an Israeli jail as long as it is in Israel. The second he is on the way to the USA they have a problem.
Why would they not care about Israel? They have significant cyber law enforcement resources and would share intel with the US.
“To my knowledge, no one has accused Burkov of being some kind of cybercrime fixer or virtual badguy Rolodex for the Russian government,” KrebsOnSecurity wrote in 2019. “On the other hand, from his onetime lofty perch atop some of the most exclusive Russian cybercrime forums, K0pa certainly would have fit that role nicely.”
So according to Krebs, he was not suspected of being a fixer. Just that it may make sense if he were.
I don’t argue that the forum itself doesn’t matter, it obviously is important as any mob hangout. Just that being an “admin” of the forum doesn’t mean he has power and knowledge of everything going on. The admin role is way overblown.
If you’re the admin of a large, highly secretive cybercrime forum and you *don’t* know everything and everyone that goes on with your forum, you will soon lose control over that community. I went into this in great detail in my book Spam Nation, but basically the admins at a minimum know quite a bit about each member (usually a lot more than what is public on the forums), and they probably also vetted each member. When that is not the case, what you tend to see are a lot more “blacklist” complaints of forum members ripping people off, which over time can really hurt a forum’s reputation among members you actually DO want.
These “blacklist” complaints require two (or more) parties to a dispute to submit to the admins reams of evidence supporting their side of argument. This almost always includes at least detailed chat records between the seller and buyer, as well as other information members would never consider publishing on the forum.
So all of the above is true for any cybercrime forum. But for the most exclusive ones like DirectConnection and Maza (which required multiple vouches, deposits and special browser encryption certs), there would be a fair amount of communication between the admins and Russian law enforcement (known or otherwise in the form of FSB posing as cybercriminals). There are lots of reasons this is the case; one is that the Russians actually do follow up and at least identify persons of interest in investigations where a foreign government formally requests assistance from the RU govt. Russia traditionally has done little in reply to such requests (at least for the past decade and until quite recently) other than get help ID’ing talented hackers who can be co-opted by the RU state for activities the government would rather not own.
Do you still believe the admin role in this case was overblown? I can probably give you ten more reasons to think otherwise.
I guess I need to read Spam Nation. Thanks for the deep dive and insight.
Firehouse, yes you do.
If you missed it, let me quote Brian for you, “But for the most exclusive ones like DirectConnection and Maza (which required multiple vouches, deposits and special browser encryption certs), …”
Both of these forums are active today. It is generally accepted in the security industry Russian Intelligence and Russian Law Enforcement are actively working with members of these forums (cooperatively).
Mf and Dc are the most closely guarded forums out there (and for good reason).
P.S. A+ explanation Brian.
Brian’s comment was educational, yours was not so much. His was also not confrontational or trying to insult.
I have purchased the book and will read shortly.
One meets the most interesting people in federal custody!
Correct, and Klyushin is said to have information about the 2016 DNC hack.
How much you want to bet the DNC marches him out and tries to tie him to Trump via publicity (but no actual charges) prior to the 2024 elections?
Firehouse. I don’t think you’ve been around long enough to understand the significance of these two forums. Given the recent documents that are sealed on the record, it is a guarantee K0pa had useful information still – otherwise they wouldn’t be sealed. Assuming because the charges were dropped K0pa didn’t have useful intel is incorrect. As Brian points out, the charges were dropped because he was extradited. The intent of the fake charges was to stop the extradition because Russia knows he has intel.
Unless he hand delivered Mazafaka or DirectConnect on a silver platter to the US DOJ… I cannot comprehend what would give the Biden administration cause to send the co-founder/admin of the two top forums directly back to Moscow on a comfy jet. Come on now… imagine if US DOJ was on Mf or Dc right now, they’d have a ton of intel on precisely what is available on the Russian cyber market — but they’re not. A+ job by US DOJ on this one (sarcasm).
Those sites have long been gone and maybe they were on there gathering intelligence. 99% likely in my opinion.
My friend, they have not long been gone. These are invite only Russian speaking forums that require multiple vouches by existing members to apply. At one point you even had to have a guarantor, for new members by an existing member if the new member defaulted on a payment or deal. They do not mess around. The teams responsible for the biggest hacks over the last few years were on these forums.
As it’s been pointed out by another user, forums like these are Brian’s territory. He is well known for gaining access to highly coveted forums and reporting on them. If you’ve been around you would know that.
Forums? Who gives a flying crap about forum admins? These are middlemen and brokers. There’s always a bigger fish.
Ransomware groups inside Russia were likely taken down at Biden’s direction that same year. I don’t worry about carding forums, I worry about GRU, SVR and APTs like Cozy Bear.
This is a cyber crime site, and Krebs investigates such things regularly. So yes, we care. That said, this does reek of manufacturing a scandal now that Russia is persona non-grata numero uno.
CyberPost & Firehouse.
Mf/Dc are still around, and will continue to be around for a long time. It is more than likely the GRU/FSB work with members of Dc if they are not on the forum itself. These are the Top Tier forums for Cybercrime. The forums support multi-million dollar operations. You can safely assume the teams responsible for hacks of significance over the past years were on these forums (or wanted to be). Cozy Bear included.
As JamminJ pointed out, this is relevant. Brian is known for getting access to highly coveted forums and reporting on them. If you’ve been around, you would know that. You would also know the significance of these two forums in particular (but you don’t).
Did either Mf or Dc get abandoned in 2015 when Burkov was arrested? No. Did any of the cyber crime even slow down when he got arrested in 2015? No. Then obviously he wasn’t some kingpin.
Burkov works the door at the club where the top mob bosses hang out and discuss plans and trade stuff. But he’s still just the guy shaking hands and rubbing elbows, not an actual mob boss.
Vladislav Klyushin is a waaaaaaayyy bigger fish.
Firehouse, it is normal for a seasoned forum to continue operation even after excessive takedown efforts that include apprehended administrators (mind the plural). Business continues. They aren’t going to shutter an operation making millions a month because one person was caught… especially if they know that person won’t talk. If they are located in Russia, like many users of these particular forums are, they probably don’t even care. They know they are safe unless they upset the Kremlin. That’s how it works.
Firehouse, let me re-iterate. If you knew about these particular forums, you would know my descriptions of them are an understatement. The fact of the matter is, if you are anyone in cyber crime you know of them and you either 1. Want to be on them or 2. Already are. As Brian explained, your assumptions about rubbing elbows are exceptionally incorrect in this case. I’ll divert from re-iterating what he already explained to you this time.
Firehouse, I get the idea you like to talk, but don’t really know what you are talking about. I’d recommend educating yourself before making statements about these topics. You are making a fool of yourself.
You’re incorrect. DC closed many years ago.
If he’s such a badass hacker, why did Trump’s DOJ only give him 9 years sentence anyway?? With most as “time-served”?
This guy is a thug, but he’s no Pablo Escobar.
Maxwell, let me help you out.
It would be better to compare him to a “Russian” Pablo Escobar, who was good enough that he was never charged with the majority of his crimes. Then being so well connected, our Russian Escobar got himself exchanged for a lieutenant from his own operation. I’ll advise you to check the verbose reply from the author of the blog. TLDR; it is known a person in either one of k0pa’s positions on Dc or Mf would be actively working with Russian Law Enforcement/Intelligence (cooperatively to further the cybercrime operations not to stop them).
P.S. The 9 years is tied to the only thing the US DOJ could prove beyond a doubt – running CarderPlanet, not Mazafaka or DirectConnection.
Easy to call this one.
Yea my guess would be he cooperated or even more so it seems likely he was used as a political bargaining chip. Perhaps to release some of our own but it’s quite coincidental that Israeli jailed as a bargaining chip to fight his extradition is released by Putin the day after this kid’s sentenced? It’s like Putin knew and had made a deal with Biden to release her on him cutting years off the Russian hacker’s bid. Got to love politics, meanwhile some poor kid who made one bad mistake will get the full sentence and time served.
You have to wonder if he was sprung to help lead the Russia hacking attack on Ukraine?
He isn’t a hacker though. He’s a forum admin.
He just knows a bunch of people but he hasn’t actually done any hacking. He was jailed for running a website that traded in stolen goods and hacker loot.
KoSReader600000, I’ll refer you to Brian’s comment to Firehouse (the author). Please educate yourself. You couldn’t be more wrong in this case.
“If you’re the admin of a large, highly secretive cybercrime forum and you *don’t* know everything and everyone that goes on with your forum, you will soon lose control over that community. I went into this in great detail in my book Spam Nation, but basically the admins at a minimum know quite a bit about each member (usually a lot more than what is public on the forums), and they probably also vetted each member…
… But for the most exclusive ones like DirectConnection and Maza (which required multiple vouches, deposits and special browser encryption certs), there would be a fair amount of communication between the admins and Russian law enforcement (known or otherwise in the form of FSB posing as cybercriminals). There are lots of reasons this is the case…
Do you still believe the admin role in this case was overblown? I can probably give you ten more reasons to think otherwise.”
This is very well said and I can assert, with confidence, the “ten more reasons to think otherwise” is an accurate statement. If you don’t trust me, trust the author and owner of this blog my friend.
We released him because he provided us (the US) concrete and verifiable intelligence regarding all sorts of juicy civilian and government activities, capabilities and names…Basically, he dimed out his friends, colleagues and Government. I bet he now fears for his life in Russia.
Brian, some of your concerns may be misplaced.
If he was in custody for four years prior to being extradited to the States in 2019 and you add in the two years in fed custody while his case worked thru, he has spent close to six years in custody. He’s sentenced to nine years minus the six in custody in Israel and the States leaving three years to serve.
If you minus the 15% sentence deduction he has a total sentence of about 8 years, he’s already done six, so he’s being deported a year or two early, which is completely different than the picture you painted of someone being released a year into a nine year sentence. He has been in custody for over seven years.
“Unless he hand delivered Mazafaka or DirectConnect on a silver platter to the US DOJ… I cannot comprehend what would give the Biden administration cause to send the co-founder/admin of the two top forums directly back to Moscow on a comfy jet.”
How about “he’s now an asset?” (or was, until ‘sternly worded letter’ from congress?) Or, promised to be that, with no intention to follow through. Examples abound.
A calculated move by the Biden administration? I suspect the fact that he was released supposedly early allows authorities in the US to taint him in such a way that he can never be trusted again in Russia; the suspicion that he made a deal with either the US and/or the Israelis will for ever hang over him, no matter how much he protests otherwise.
An excellent piece of investigative journalism, Brian, as always.
He gave something up and it was useful. Russia may still use him.
@Margana Seidolem Great point!
It appears to be a smart move by the Biden administration. To neutralize him by releasing with a halo hanging over his head of having made some deal for early release.
Chances are Putin has had him executed by now, or he’s suffering in a dungeon somewhere.
Such sharp thinking is way above the IQ of the Republican House members who are throwing everything at Biden, praying for something to stick.
Good Conduct Time in BOP custody on a 9 year sentence would have earned him almost 1.5 years off his sentence. It’s theoretically possible he informed on the case and had his time cut for that as well via a Rule 35(b) motion… which are mostly always under seal. A 15 month sentence reduction makes sense… not a big chunk of time off.
Great reporting that raises a lot of questions that don’t seem to have clear answers. Keep up the good work.