WASHINGTON — When a suspected Russian cybercriminal named Dmitry Ukrainsky was arrested in a Thai resort town last summer, the U.S. authorities hoped they could whisk him back to New York for trial and put at least a temporary dent in Russia's arsenal of computer hackers.
But the Russian authorities moved quickly to persuade Thailand not to extradite him, saying that he should be prosecuted at home. U.S. officials knew what that meant. If Ukrainsky got on a plane to Moscow, they concluded, he would soon be back at work in front of a computer.
"The American authorities continue the unacceptable practice of 'hunting' for Russians all over the world, ignoring the norms of international laws and twisting other states' arms," the Russian Foreign Ministry said.
The dispute over Ukrainsky, whose case remains in limbo, highlights the difficulties — and at times impossibilities — that the United States faces in combating Russian hackers, including those behind the recent attacks on the Democratic National Committee. That hack influenced the course, if not the outcome, of a presidential campaign and was the culmination of years of increasingly brazen digital assaults on U.S. infrastructure.
The United States has few options for responding to such hacks. Russia does not extradite its citizens and has shown that it will not easily be deterred through public shaming. At times, the U.S. authorities have enlisted local police officials to arrest suspects when they leave Russia — for vacation in the Maldives, for example. But more often than not, the FBI and Justice Department investigate and compile accusations and evidence against people who will almost certainly never stand trial.
"You can indict 400 people. They don't care," said Robert E. Anderson Jr., who until last year served as the FBI's most senior executive overseeing computer investigations.
[Trump falsely says US claim of Russian hacking came after election]
The U.S. government divides the cybersecurity world into two categories: attacks directed or sponsored by governments, and those conducted by criminals. But Russian hacking defies easy categorization, U.S. officials say, because the Russian government tacitly supports many private hackers and occasionally taps them for freelance government work. That has complicated investigations and upended the normal diplomatic order.
In May 2009, for instance, Secret Service agents met in Moscow with their counterparts in the Russian Federal Security Service, known as the FSB. The Americans said they were investigating a hacker who had installed malicious code in the software that some American businesses used to process credit card transactions. The hacker was stealing millions of credit card numbers and selling them in an underground digital marketplace.
The agents provided a name — Roman Seleznev — and the aliases he used online. His father was a member of the Russian Parliament. The Secret Service had followed his digital trail to Vladivostok, Russia, and they asked for help catching him.
Within weeks, all evidence of Seleznev's online identity vanished from the internet. Rather than advancing the case, the Russian government had set it back, the U.S. authorities believed. Prosecutors described their blunt conclusion in court documents: "Further coordination with the Russian government would jeopardize efforts to prosecute this case." The U.S. authorities were left to pursue Seleznev by themselves.
In another computer crime case, in 2014, the Justice Department shut down two worldwide computer networks that had been used to steal millions of dollars from unsuspecting victims. Called Operation Tovar, it was among the department's most complicated computer investigations and involved intelligence agencies around the world. The target was a 30-year-old Russian named Evgeniy M. Bogachev. Safely in Russia, he watched as the FBI made him a most-wanted fugitive and offered a $3 million reward for his capture.
In that case the FBI was actually able to identify the person sitting at the keyboard. More often, the authorities identify aliases or internet addresses but cannot prove who is behind them unless the hackers get sloppy.
In the Seleznev case, for example, the authorities searched a Yahoo email account that was used to register some of the servers in the credit-card scam. Agents found, among other things, receipts for flowers that Seleznev had sent to his wife.
In the DNC case and other election-year hacks, the authorities have concluded that people affiliated with the Russian government are to blame. But even if intelligence officials can identify who is behind those attacks, naming the actual perpetrators is even harder. One senior federal law enforcement official said this week that investigators still had many unanswered questions.
If it can be done, naming and prosecuting the hackers would follow a path set in 2014, when the Justice Department indicted five members of the Chinese People's Liberation Army on charges of hacking into American networks.The indictment links the men to specific email addresses and aliases, but does not reveal how the authorities made those connections.
"The chance of us ever getting those Chinese guys is about zero," Anderson said. "But it does show them that there's a change afoot. At least the way we're looking at it policywise."
Criminal charges have more practical implications, too. "It's about denying them the ability to travel freely and preventing them from spending their ill-gotten gains anywhere but Russia," said Leo Taddeo, the chief security officer at Cryptzone and the former top agent in the FBI's New York computer operations division. "You're confining them to a prison that spans 11 time zones that can be a pretty unpleasant place."
[Putin supervised Russia cyberattacks in US election, officials say]
In short, even hackers take vacations. In July 2013, the authorities captured a notorious Russian hacker named Alexander Andreevich Panin while he was in the Dominican Republic. Panin was sentenced to more than nine years of prison for selling malware that resulted in the theft of nearly $1 billion.
"Cybercriminals be forewarned: you cannot hide in the shadows of the internet," said Sally Q. Yates, who was the U.S. attorney in Georgia at the time and is now the deputy attorney general. "We will find you and bring you to justice,"
It was certainly true for Seleznev. After finding the flower receipt and making other connections, the U.S. authorities made secret plans to capture him while he vacationed in the Maldives. Agents arrested him at the airport there in 2014 and hurried him onto a plane to the U.S. territory of Guam. After a trial in Seattle, he was convicted in August of 38 counts related to hacking in a scheme that prosecutors said cost businesses more than $169 million.
The Russian government declared Seleznev's arrest to be an unlawful "kidnapping." It has denied involvement in the DNC hack and criticized the U.S. government's efforts to arrest Russian citizens traveling abroad.
That is playing out now in Thailand with Ukrainsky, and in the Czech Republic with Yevgeniy Aleksandrovich Nikulin, 29, accused of hacking into LinkedIn and Dropbox. He was captured in October in a raid at a hotel in Prague, where he was vacationing with his girlfriend, the police said.
The Russian response was swift. "We insist that the detained Russian citizen should be transferred to Russia," it said. He remains in the Czech Republic.