The commonly known story
According to the coverage, in 1994 Levin accessed the accounts of several large corporate customers of Citibank via their dial-up wire transfer service (Financial Institutions Citibank Cash Manager) and transferred funds to accounts set up by accomplices in Finland, the United States, the Netherlands, Germany and Israel.
Three of his accomplices were arrested attempting to withdraw funds in Tel Aviv, Rotterdam and San Francisco. Interrogation of his accomplices directed investigations to Levin, then working as a computer programmer for St. Petersburg based computer company AO Saturn. However, Russia's Constitution prohibits extradition of its citizens to foreign countries.
In March 1995 Levin was apprehended at London's Stansted Airport by Scotland Yard officers when making an interconnecting flight from Moscow. Levin's lawyers fought against extradition to the US, but their appeal was rejected by the House of Lords in June 1997.
Levin was delivered into U.S. custody in September 1997, and tried in the United States District Court for the Southern District of New York. In his plea agreement he admitted to only one count of conspiracy to defraud and to stealing US$3.7 million. In February 1998 he was convicted and sentenced to three years in jail, and ordered to make restitution of US$240,015. Citibank claimed that all but US$400,000 of the stolen US$10.7 million had been recovered.
After the compromise of their system, Citibank updated their systems to use Dynamic Encryption Card, a physical authentication token. However, it was not revealed how Levin had gained access to the relevant account access details. Following his arrest in 1995, anonymous members of hacking groups based in St. Petersburg claimed that Levin did not have the technical abilities to break into Citibank's systems, that they had cultivated access to systems deep within the bank's network, and that these access details had been sold to Levin for $100.
The revelation a decade later
In 2005 an alleged member of the former St. Petersburg hacker group, claiming to be one of the original Citibank penetrators, published under the name ArkanoiD a memorandum on popular Provider.net.ru website dedicated to telecom market. According to him, Levin was not actually a scientist (mathematician, biologist or the like) but a kind of ordinary system administrator who managed to get hands on the ready data about how to penetrate in Citibank machines and then exploit them.
ArkanoiD emphasized all the communications were carried over X.25 network and the Internet was not involved. ArkanoiD's group in 1994 found out Citibank systems were unprotected and it spent several weeks examining the structure of the bank's USA-based networks remotely. Members of the group played around with systems' tools (e.g. were installing and running games) and were unnoticed by the bank's staff. Penetrators did not plan to conduct a robbery for their personal safety and stopped their activities at some time. One of them later handed over the crucial access data to Levin (reportedly for the stated $100).
- (Russian) Levin's Case, the Missing Chain — Provider.net.ru, November 11, 2005
- 1997 Extradition judgment
- Net Crackers and the Truth about Levin's Case — the book 'Attack from Internet', 2002, I. Medvedkovsky, P. Semyanov, D. Leonov, A. Lukatsky ((Russian))