It’s rare for Russian criminal hackers to land in U.S. prisons and even rarer for them to get out early. But two of the eight Russians released in Thursday’s prisoner swap with the U.S. are seasoned cybercriminals.
The decision to release the Russians highlights the steep price the U.S. was willing to pay to free political prisoners held by the Kremlin, like Wall Street Journal reporter Evan Gershkovich. It is believed to be the first time the U.S. has released international hackers in a prisoner exchange, according to cybercrime experts and a review conducted by NBC News.
The two convicted Russian hackers, Vladislav Klyushin and Roman Seleznev, are in their early 40s. Klyushin, arrested in 2021, was one of five Russian men accused of an elaborate scheme to hack U.S. companies to learn about earnings reports to beat the stock market. Seleznev was one of history’s most notorious carders — criminals who hack, trade and use stolen credit cards — before his arrest in 2014.
International cybercrime cases are notoriously difficult to prosecute, even among friendly countries. Pinning a person to certain actions at a keyboard can be hard to prove in court, laws often aren’t updated to fully capture what a malicious hacker can accomplish, and geopolitics can make it an enormous challenge for one country to persuade another to hand a suspect over.
Todd Carroll, the chief information security officer at the French company CybelAngel and a retired veteran FBI special agent, said cybercrime cases required an enormous amount of effort to result in arrests.
“It’s not only international cooperation, but it’s the extradition, it’s the legalities, the filings, etc., etc., etc. And then to get your hands actually on somebody and bring them into the United States or bring them to justice in another country? It’s incredibly complex,” Carroll said.
“Cyber has been even more difficult because of the lack of unified laws across the world,” he said.
“I don’t want to undercut getting two U.S. citizens back that were wrongly held over there,” Carroll said. “I’m just not happy about the extremes we have to go to for this to be done.”
Russia, which hosts one of the most thriving cybercrime ecosystems in the world, is particularly tough. The country’s constitution prohibits extraditing its citizens, which has complicated Western law enforcement’s efforts to stop cybercriminals like the ransomware hackers who routinely shut down American hospitals for extortion money.
The U.S. routinely publicly indicts and sanctions Russian hackers, but it can arrest them only if they travel to countries that are willing to work with the U.S. or allied law enforcement.
That was true for the men released Thursday. Both were arrested on vacation in countries that cooperate with the U.S. Klyushin was arrested in Sion, Switzerland — four people alleged to be co-conspirators remain at large — and Seleznev in Maldives.
Philip Reiner, the CEO of the Institute for Security and Technology, a think tank that addresses the geopolitics of technology, said Russia’s economy benefits from how much its cybercriminals bring into the country while the Kremlin can claim it isn’t directly hacking Americans.
“The amount that these actors are able to make goes back into an ecosystem where folks get paid and get paid off,” he said. “It’s not lost on anybody that when Russia may not necessarily want to engage in certain types of activities themselves, they’ve got this syndicate of actors who will do it.”
Both men have connections that may have made them higher priorities for the Kremlin than other criminals: Klyushin was a wealthy oligarch and before his arrest had worked for Vladimir Putin’s office, and Seleznev is the son of a seasoned Russian legislator.