
Local 'bad actor' faces almost 4 years in prison, must pay back $860K

Mikhail Vasiliev set to be extradited to New Jersey in LockBit ransomware case after judge says cybercrime is a 'serious crime'

Local hacker, Mikhail Vasiliev, 34, is finding cybercrime doesn’t pay, after his role in the LockBit ransomware attacks on multiple organizations in Canada and abroad in 2021 and 2022.

The Russian-born man with dual Canadian citizenship — who was living in Bradford at the time of his arrest — was sentenced to three years and eight months in prison and ordered to forfeit $860,882 in criminal proceeds by Justice Michelle Fuerst during an Ontario Superior Court of Justice trial in Newmarket earlier this week.

In making the decision, Fuerst said sentencing must send a message that “there is no place in digitally dependent society” for cybercrime, and “bad actors” must understand ransomware attacks are “serious crimes” that will come with “significant jail sentences, even for first offenders.”

That sentencing followed Vasiliev’s previous decision to plead guilty to three counts of extortion under Sec. 346(1.1)(b) of the Criminal Code, three counts of use of a computer to commit mischief under Sec. 342.1 contrary to Sec. 430, and two counts of loaded prohibited firearm under Sec. 95.1.

Each of those eight counts also comes with a DNA order and the last two counts for firearms offences also include orders banning Vasiliev for life from possessing firearms, crossbows, restricted weapons, ammunition or explosive substances.

Vasiliev had previously been charged with violating his bail conditions but that was later withdrawn.

Fuerst also determined Vasiliev is eligible for extradition to New Jersey, where he is facing similar charges as of November 2022.

Vasiliev’s lawyer, Louis Strezos, requested that his client's sentence begin immediately following the trial and Fuerst agreed he will receive credit for his Canadian sentence based on any time served while awaiting trial or while serving any potential sentence in the U.S.

While Strezos couldn’t comment on American proceedings, he said the Minister of Justice is expected to issue the surrender order authorizing Vasiliev’s transfer to the American authorities sometime within the next 30 to 60 days.

LockBit Ransomware

The court heard LockBit is a global ransomware scheme estimated to have extorted tens of millions of dollars from victims, and as one of its users, Vasiliev operated under the moniker “Ghost Rider” and used exploits in the networks of various organizations to encrypt or remove data, which was then held ransom in exchange for cryptocurrency.

Tuesday’s proceedings focused on Vasiliev’s criminal activity in Canada, including cyberattacks on three companies: Crestline Coach Limited in Saskatoon, Sask., on May 7, 2021; Carol Lake Metal Works in Labrador City, N.L., on Jan. 6, 2022; and Transat Telecom based out of Quebec on May 12, 2022.

In all cases, Vasiliev locked down the companies’ systems and left notes demanding payment in cryptocurrencies ranging from $500,000 to $1 million and asking companies to log into the Tor browser to discuss payment via the dark web.

While Crestline and Transat both negotiated with Vasiliev and eventually paid him C$279,203 and US$500,000 respectively, Carol Lake chose to pay no ransom and instead rebuilt their system “from scratch,” after the attack.

The number of employees impacted varied from less than 100 to more than 200, remediation time varied from 10 days to more than two weeks, and remediation costs (including payments to Vasiliev, cybersecurity experts, lawyers and credit monitoring agencies) varied from C$113,000 to US$600,000.

In an impact statement, Carol Lake’s president wrote the company suffered “significant financial loss,” and “overwhelming emotional distress” due to the breach, which “eroded trust” with customers and damaged their reputation.

Luckily, Fuerst acknowledged Vasiliev had not spent the proceeds of his crimes “lavishly,” and as a result about $860,882 was recovered by authorities from Vasiliev’s cryptocurrency accounts, which Fuerst ordered to be paid out in restitution to the companies in the following amounts:

  • Crestline: $642,391
  • Transat: $105,000
  • Carol Lake: $113,491

Sentencing

While Crown S. Horgan sought a sentence totalling five years, Strezos sought a sentence of 4.5 years, less one full year for time served.

Horgan had submitted that “denunciation and deterrence” must be the primary objective of sentencing in the case, and that in addition to “significant financial implications” cyberattacks have a “psychological impact,” as well as broader societal impacts as organizations must spend resources to defend against cyberattacks.

On the other hand, Strezos stressed that Vasiliev is a first offender and has “shown remorse” and “accepted responsibility,” by pleading guilty and waiving the preliminary hearing as well as consenting to extradition to New Jersey. Strezos also noted some “harshness” in Vasiliev’s pre-sentencing custody as he was locked down 50 per cent of the time.

Before providing her decision, Fuerst noted that the sentence must be “proportionate to gravity of the offence,” and is not a “purely mathematical” decision, but rather specific to the details of each case and its context.

She also explained that while none of the offences have mandatory minimum sentences, extortion is punishable by a maximum of life in prison.

She called cybercrime against businesses “extremely serious,” not just for individual victims who suffer “significant financial loss,” but for the “community as a whole,” since commercial activity is “essential to a healthy functioning economy.”

As such, Fuerst said the sentence must be “sufficiently severe” to deter criminal activity, and noted that only one other case provides a “guide post,” being R. v. Vachon-Desjardins, from 2022, in which Sebastien Vachon-Desjardins received a “lengthy penitentiary sentence” of almost seven years.

In reviewing the aggravating factors, Fuerst noted that Vasiliev’s offences were “far from victimless crimes,” and his conduct was not “spur of the moment” but rather “planned, deliberate and wholly calculated,” as he “specifically targeted” his Canadian victims for their revenues and ability to be exploited.

That not only led the victims and their employees to suffer “significant psychological damage,” but extended to customers whose data was potentially exposed, and Fuerst added Vasiliev’s two “fully loaded” pistols were an “obvious risk to others.”

However, in considering the mitigating factors, Fuerst acknowledged Vasiliev’s guilty plea and steps to advance his case which saved “weeks if not months” of court time. She also acknowledged he was a first offender and that “substantial” restitution will be made to the victims.

In light of Vasiliev’s experience in pre-sentencing detention at a Greater Toronto Area prison, Fuerst reduced what would have been a global jail term of four years and six months, based on 137 days spent in custody.

Police investigation

With the help of the American Federal Bureau of Investigation (FBI), the Ontario Provincial Police (OPP) arrested Vasiliev while executing a search warrant at a home in Bradford on Oct. 26, 2022, where he was found at a table in the garage using a laptop.

Analysis of the laptop revealed Vasiliev had already partially completed verification to log into a LockBit domain on the dark web and was connected remotely to a server run by Hostkey USA Inc. in New York, but within two days of the search, the server was wiped.

The court heard Vasiliev was in custody at the time and had no knowledge of the wipe, but police seized 41 electronic devices including laptops, computers and cellphones, with analysis ongoing.

So far, police have determined six key devices held confidential data related to ransom of organizations in Canada and elsewhere including summaries of their finances and potential exploits.

Police also found a Glock 19 semi-automatic pistol with two magazines and a Ruger semi-automatic pistol with two magazines.

That search and arrest followed an operation on Aug. 31, 2022, when OPP covertly entered and searched Vasiliev’s home and photographed phones, computers and storage devices — all of which followed from background information the OPP received from the FBI between September 2022 and July 2021, which led them to launch their own investigation, obtaining search warrants and analyzing activity on two criminal online forums.

As part of the investigation, the OPP’s cybercrime team obtained production orders for IP addresses, phone numbers, tracking data as well as warrants to enter Vasiliev’s home and access his computers and online accounts.

The court heard Vasiliev was born in Moscow, Russia and came to Canada in April 2002 with his parents and sister, before attending high school in York Region.

He had no criminal record and lived in Bradford in 2022 with his “young” son and his pregnant wife, who plans to move to Russia.



Michael Owen

About the Author: Michael Owen

Michael Owen has worked in news since 2009 and most recently joined Village Media in 2023 as a general assignment reporter for BradfordToday