The Moscow Four: What story hides behind the arrest of Russia’s top cybercrime investigators?

“We get orders from government structures and from private individuals. But we say we are an independent team. It’s just that often it’s impossible to tell who the client is. Sometimes we get information for intermediaries, without knowing who the end client is.”

Russian Hacker “Lewis” – 2015 Interview


A series of spectacular arrests of some of Russia’s top cybersecurity figures — two of them high-ranking FSB cybersecurity officers — is raising serious questions. Charged with treason, the “Lefortovo Four” are being held in a Moscow prison. Could these individuals be US spies? And could their cases have anything to do with Russia’s involvement in the hacks targeting the 2016 US election?

The identities of four of the individuals arrested are known. They are Sergei Mikhailov, Ruslan Stoyanov and Dmitry Dokuchaev (Forb). The fourth treason suspect is Vladimir Anikeev (Lewis). Here is what is known about these four individuals.

(Six have been arrested so far (31/01/2017) and ten others — from intermediaries to senior officials — are being investigated. Many of the suspects have fled to the Baltic States and Thailand.)

They are charged under Article 272 of the Criminal Code (Illegal Access to Computer Information).

Because they are accused of treason, their case is classified. It is not known exactly what crimes they are suspected of having committed.

However, many Russian media outlets now report that the men are suspected of leaking information to Western investigators about investigations, and of funneling personal and often embarrassing data on Russia’s political elite to a popular blog called Humpty Dumpty (Шалтай-Болтай).

The individuals deny committing treason, but did not deny transferring information to third parties. [Crime Russia]

WARNING. There are no official FSB press releases about these men. So the information below must be considered with a pinch of salt. It is perhaps better than GOSINT [Gossip Intelligence], or even RUMINT [Rumor Intelligence]. But it is NOT hard vetted INTEL. So, this being said, I will not write in every sentence “allegedly”, “reportedly”, etc…

In the beginning…

The FBI — perhaps acting upon a ‘tip’ — identified a Russian IT company, “King Servers”, as mounting a cyber-attack on the computer voting systems of Arizona and Illinois during the months ahead of the 2016 US election.


The ‘King Servers’ company was identified in September 2016 as an ‘information nexus’ that was used by hackers suspected of working for Russian state security in cyber-attacks.

According to the independent newspaper Novaya Gazeta, the FSB launched an investigation to find out if FSB officials may have tipped off US officials about Vladimir Fomenko and his server rental company ‘King Servers’.

The FSB found no such evidence, but they discovered a very dark plot. And the story is far from over.

The FSB discovered that a group of Russian individuals collaborating with a blog named “Shaltai-Boltai” had hacked the personal accounts of the highest officials of the Russian government, the presidential administration, and the ministry of defense.

Vladimir Anikeev (aka “Lewis”)

Vladimir Anikeev is a journalist and the founder of the site Shaltay-Boltay (Humpty Dumpty).

Shaltay-Boltay is suspected of disseminating information from the mail of Presidential Aide Vladislav Surkov (Ukrainian hacker group Kiberhunta).

The blog has published the correspondence of Deputy Prime Minister Arkady Dvorkovich and Kremlin Chef Evgeny Prigozhin.

Individuals close to this blog have hacked the Twitter account of Prime Minister Dmitry Medvedev and auctioned the correspondence with his press secretary Natalia Timakova.

It is rumored that 30 well-known Russian public figures have been hit. But the true number may be much higher as many civil servants have preferred to pay the ransom.


In October 2016, FSB operatives lured Vladimir Anikeev (aka “Lewis”) from Kiev, where he had lived in recent years.

When “Lewis” arrived in St. Petersburg, he was arrested and transferred to Moscow. His testimony led to the arrest of Deputy Head of the FSB ISC Sergey Mikhailov and his colleague Dmitry Dokuchaev.

Colonel Sergei Mikhailov

Mikhailov was Deputy Director of the FSB’s Information Security Center (CDC OC), which is Russia’s top anti-cybercrime unit.

According to Anikeev’s testimony, Mikhailov oversaw Shaltay-Boltay. The FSB senior officer supplied hackers with information regarding government dignitaries or officials.

The hackers would then demand a ransom from these individuals. In case of refusal, they would sell this information for bitcoins through Ukraine and publish it on the web.


Mikhailov was detained at a board meeting — escorted out of the room with a bag thrown over his head — in December 2016. He is accused of leaking information to the U.S. intelligence community.

Ruslan Stoyanov

Ruslan Stoyanov was arrested in December 2016. At the time, he was working as a senior employee at Kaspersky Lab, Russia’s biggest cybersecurity firm.



As head of its computer incidents investigations unit, Stoyanov was in charge of investigating hacking attacks.

Stoyanov’s previous jobs, according to LinkedIn, include a position at the Cyber Crime Unit at the Russian interior ministry in the early 2000s. (Management of special technical activities of the Moscow police — Department K). His subordinates at Kaspersky Lab also come from this administration.

Then, Stoyanov served as deputy director at a cybercrime investigation firm called “Indrik”, before joining Kaspersky.

Maria Shirokova, a spokeswoman for Kaspersky, said in a statement that Stoyanov’s arrest had ‘nothing to do with Kaspersky Lab and its operations’.

She said the company has no details of the charges faced by Stoyanov, adding that the investigation pre-dates his time with Kaspersky.

Ruslan Stoyanov had headed the cybercrime department at Kaspersky Lab since 2013. He joined the company in 2012.

It is believed that around that time, his department began to cooperate with the FSB and the Interior Ministry.

Major Dmitry Dokuchaev

Regarded as a master hacker, Dokuchaev also worked at the FSB’s Information Security Center (CDC OC), in the 2nd department of operative management.


Dmitry Dokuchaev was thus a colleague of Mikhailov’s at the FSB.

Dokuchaev worked as a hacker under the alias “Forb” until Russia’s Federal Security Service (FSB) threatened to jail him.

The FSB had traced Dokuchaev to the card thefts, and threatened to prosecute the hacker unless he agreed to work for the agency.

According to Gazeta, his name first surfaced in 2012, during an investigation concerning the criminal case of Paul Wroblewski, the founder and CEO of the processing company “Chronopay”.

Gazeta learned that Dokuchaev, then a lieutenant of the FSB, had been writing for the magazine “Hacker” since 2005, hiding under the pseudonym “Forb”.

Dokuchaev is a native of Yekaterinburg, where he graduated from one of the technical colleges in 2005.

In the IT community, he gained fame after breaking into several major sites, including in the US. These events attracted the attention of the CDC FSB.

Connecting the dots?

Question 1. Could their case have anything to do with Russia’s involvement in the hacks targeting the 2016 US election?

I agree with Leonid Bershidsky who concluded that: “The recent arrests of Russian cybersecurity officials in Moscow likely had little to do with last year’s U.S. election.”

The allegations of the FBI regarding the “King Servers” company prompted an investigation that exposed the collaboration between FSB officials and criminals/hackers. At this point, there is no reason to believe that there is more to it.

Question 2. Could these individuals be “US spies”?

This one is not so easy to answer. Of course, these individuals deny the charge and they may actually believe in their own “innocence” regarding this specific charge.

However, the story sheds some light on the murky relationship between these FSB officials and the hackers. Obviously, there is nothing surprising about the FSB recruiting hackers. But when the same FSB officials ally themselves with hackers to blackmail and ransom high-ranking government officials, no one can predict the consequences.

This is perhaps a good time to remember two rather cryptic comments. Following the alleged DNC hack, Obama promised that there would be sanctions against Russia. “Some will be overt while some will be covert”… Last summer, former CIA Director Mike Morell introduced the rather bizarre concept of “unwitting agent”…

As “Lewis” acknowledged in 2015, he does not know who pays the bill. At this point, one should not dismiss the possibility that the “Humpty Dumpty” boys have been working for the CIA without knowing it. And that thought must give a serious headache to some folks in the Kremlin.

UPDATE (Tuesday, 31 January 2017 — 18:30 GMT)

The Moscow Times just published the following information:

The Russian Federal Security Service (FSB) agents arrested for treason and illegal hacking reportedly passed confidential information to the U.S. Central Intelligence Agency, sources close to the investigation told the news agency Interfax.

Sergei Mikhailov, a top cybersecurity specialist in the FSB, and his deputy Dmitry Dokuchaev are being accused of “breaking their oath and working with the CIA,” Interfax reported, citing an anonymous source that did not specify if Mikhailov and Dokuchaev worked directly with the CIA or through intermediaries.

“Four people have been arrested in this case, and eight individuals in total have been identified as accomplices. Only four suspects have been charged, and the others could get off as witnesses,” the source told Interfax.

Stay tuned!


Working in Heart of Russian Cybersecurity — The Moscow Times, January 26 2017

There’s Something Very Weird Happening Inside Russia’s Cybersecurity World — BuzzFeedNews

Putin Claims The CIA Hacked The Kremlin — But Did It? — Forbes 28 January 2017

Майор Forb и есть «Шалтай-Болтай»? — Irek Murtazin, “Novaya Gazeta”

Second FSB Agent Arrested for Treason Revealed as Notorious Hacker — The Moscow Times, January 27 2017

Victims of Shaltay-Boltay: more than 30 dignitaries and officials — Crime RUSSIA 30/01/2017

How Russian Hackers Became a Kremlin Headache — Bloomberg
