In January 2022, on the eve of Russia’s full-scale invasion of Ukraine, hackers broke into the computer networks of Ukrainian state institutions and critical infrastructure.
They deleted computer systems, leaked Ukrainian citizens’ stolen personal data and published a threatening message on Ukrainian websites.
According to the U.S. Justice Department, their goal was to cause chaos and make Ukrainians fear for the security of their data.
Among cybersecurity specialists, their destructive malware came to be known as WhisperGate.
On June 25, 2024, a Maryland grand jury indicted one of the alleged hackers: 21-year-old Russian citizen Amin Stigal. According to prosecutors, he acted in conspiracy with the Main Intelligence Directorate, commonly known as the GRU, the foreign intelligence agency of Russia’s Ministry of Defense.
The alleged crime was so serious that the U.S. government offered $10 million for information on his whereabouts.
But that wasn’t the first time the United States had charged a Stigal with a cybercrime. Five months earlier, in January, prosecutors unsealed an indictment laying out wire fraud charges against his father, Tim Stigal.
In comments to Voice of America, both the father and son denied that they had committed the alleged crimes. The younger Stigal called the charges “complete nonsense and lies.”
Now, in a new investigation based upon open-source data, VOA has painted the clearest picture yet of the young, alleged hacker and his father.
At the time of his alleged actions, Amin Stigal was a 19-year-old gamer in provincial Russia. His father is a previously noteworthy blogger and activist with the pro-Kremlin youth movement “Nashi” in Dagestan, a Muslim-majority region in Russia’s North Caucasus.
U.S. law enforcement’s move to identify and indict Amin Stigal contributes to a precedent of identifying the real people behind the hackers’ online personas and pressing charges against them, according to Alexander Leslie, a threat intelligence analyst at cybersecurity company Recorded Future.
Both the DOJ and the FBI declined to comment on the charges against the Stigals.
Allegations
According to prosecutors, in January 2022, Stigal and his accomplices conducted an attack on protected computer networks of two dozen Ukrainian government entities, including several ministries, government agencies, and Diia, the Ukrainian digital portal for government services.
The WhisperGate malware placed a message on these computers stating government agencies could buy back stolen data for a payment of $10,000 in the cryptocurrency Bitcoin. In reality, the malware had already destroyed the data.
The hackers also published a message on the Diia mobile application: “Ukrainian ... All information about you has become public. Be afraid and expect the worst. This is for your past, present and future.”
Then, the hackers went on forums on the dark web — an overlay network on the internet that can only be accessed with the Tor browser — and offered to sell the data on 13.5 million Ukrainians for $80,000.
(Diia previously told VOA’s Ukrainian service that the figure of 13.5 million people is “a compilation of various databases that were leaked much earlier from private companies,” and that the government services portal only had 1.5 million users at the time of the hack. Researchers who study the dark web have also cast doubt on claims that all the data advertised online was actually stolen in the January 2022 attack.)
According to U.S. prosecutors, between August 2021 and February 2022, the same group of hackers attempted to break into the computers and servers of an unnamed U.S. government agency in Maryland. In October 2022, they also hacked a computer network connected to the transportation sector of an unnamed central European country that has actively supported Ukraine during the war.
For these alleged crimes, Stigal could receive up to five years in prison.
“Amin Timovich Stigal attempted to leverage malware to aid the Russian military in the invasion of Ukraine,” FBI Deputy Director Paul Abbate said in a press release. “Today’s indictment demonstrates the FBI’s unwavering commitment to combat malicious cyber activities by our adversaries, and we will continue to work with our international partners to thwart attempts to undermine and harm our allies.”
According to cybersecurity expert Leslie, Stigal is likely not the leader or a central participant in the hack.
“We know that historically the GRU leverages non-GRU Russian nationals … to engage in influence operations and provides them with tools, access, and infrastructure,” he said.
Working with non-agents like cybercriminals and hackers gives GRU officers a degree of “plausible deniability” and allows them to absolve themselves of responsibility for the hacks and operations, Leslie added.
There are fewer available details about the allegations against Stigal’s father.
According to the indictment, in 2014-2016 Tim Stigal participated in four conspiracies to traffic in payment card data stolen from the customers of three unnamed American companies. In one case, he allegedly threatened to release the customer data unless one of the companies paid a ransom.
If found guilty, Stigal could face more than 20 years behind bars.
Asked whether the Stigals had tried to prove their innocence to the U.S. authorities, both father and son said that they could face legal repercussions in Russia if they contacted the FBI.
Hacker or gamer?
There is very little publicly available official information about Amin Stigal. He has a number of social media pages, but none appears to feature his photograph or much personal information. The one available image of him — a passport photo published by the U.S. authorities — depicts a young man with dark hair and a longish beard.
The U.S. government states that Stigal was born in Grozny, the capital of Chechnya, a Muslim-majority region in the North Caucasus.
VOA found that, in the months before the Ukrainian infrastructure hack, Stigal lived with his older sister and two younger brothers separately from their parents in the central Russian city of Saratov.
Citing unnamed sources, the independent Russian news site The Insider reported that, during his school years, Stigal began spending time in online chats for hackers and “carders,” people who traffic in stolen credit cards.
There is evidence online that Stigal, at a minimum, was interested in hacking during his teenage years. In 2017, he published two questions on the Russian social network Moi Mir (“My World”): “Help with a hack,” and, “Is it possible to turn off the Internet through the admin panel for people who are connected to WiFi?”
In June 2021, Stigal’s sister, writing in her channel on the Telegram messenger app, described her brother as a first-year student at Saratov State Technical University.
In a message to VOA, Stigal said that he only briefly studied at the university.
According to him, he performed poorly on his college entrance exam in 2020 after contracting COVID, and thus was only able to enroll in the local agricultural university. After his first year there, his friends from high school encouraged him to transfer to the information security department of the technical university, he said. But after a few weeks, he decided cybersecurity wasn’t for him.
“I abandoned my studies and was expelled for poor academic performance,” Stigal told VOA. “I have been playing online games for many years, DotA and CounterStrike [...] and in general I am only interested in e-sports.”
Stigal denies the allegations against him.
“I didn’t hack anything, I didn’t pay for anything, and I have no connection to this hack or to hackers in general,” he wrote.
Tim Stigal also says that his son is not a hacker, doesn’t work, and only plays video games.
But according to Recorded Future’s Leslie, these activities are actually connected.
Teenagers — particularly those with few economic or educational opportunities — are commonly found among Russian hackers engaged in high-level cyber activities, including work for intelligence agencies. Hacker forums often provide a sense of community to these young men, and gaming is part of that culture.
“E-sports is really popular among the Russian cybercriminal underground, not only as a [separate] hobby, but also as a pastime with regards to hacking — sharing game cracks, game exploits,” the analyst said. “So, it’s kind of the gateway drug into the hacker subculture.”
Blogger, activist, trader
When social media users discovered that Amin Stigal’s father, Tim, was also accused of cybercrimes, they couldn’t refrain from cracking jokes.
“Families that commit state-sponsored-cyber-espionage stay together,” VX Underground, an account that actively comments on malware, wrote on X.
In fact, Tim Stigal is not accused of working at the Russian authorities’ behest, although his biography features more than its fair share of politics.
According to open-source information and media reports, Tim Stigal was born in the Chechen village of Kurchaloy, but lived for a long time in Dagestan and other parts of Russia.
His birth name was Timur Magomadov, but in the mid-2000s he chose the pseudonym “Tim Stigal,” he told VOA. Since 2006, he has officially been “Tim Vakhaevich Stigal.”
By profession, Stigal is a financial markets trader. His social media and LiveJournal pages pay significant attention to subjects like Forex and cryptocurrency.
At the same time, he says he has never dealt in stolen card data.
“I have never traded in anything so forbidden,” he told VOA in a message.
Stigal has a wide range of interests. He is the author of the book The Grail of Iman, which analyzes financial and stock markets on the basis of the Quran and Sunnah, the Islamic text outlining the customs and practices of the Prophet Muhammad. He has also published a monograph online called “The Chechen Trace in Ancient Mythology,” which claims that the words “athlete” and “atlas” are derived from the Chechen language, and has put forth a concept for a “mountain” political party to unite the mountainous North Caucasus region.
Before Stigal was charged in the U.S., he attracted attention for his involvement in local politics and in Nashi, a controversial pro-Putin youth movement.
In November 2011, Stigal was listed as the Dagestani leader of “Pharmacies Without Narcotics,” a national program by Nashi that aimed to counter the abuse of medications. Stigal also appeared in a photo of a rally in Moscow where Nashi activists celebrated the ruling United Russia’s party’s victory in Russia’s 2011 parliamentary elections.
At some point, the Stigal family left Dagestan. His daughter wrote on Telegram that before the COVID pandemic, her parents lived in two cities — Moscow and Saratov.
After the pandemic began, they remained in Saratov, but lived separately from their children. Tim Stigal now lives in Khasavyurt, Dagestan.
The Insider reported that leaked Russian interior ministry databases indicate that Stigal is suspected of involvement in extremism or terrorism. However, this information does not fit with the broader picture of his activities — and Stigal told VOA he is not sure where it came from.
Since at least 2011, Stigal has attempted to cooperate with authorities. Over time, his views appear to have only become more pro-Kremlin. On X and Telegram, he regularly publishes posts aggressively criticizing the United States and Ukraine.
Open questions
Recorded Future’s Leslie emphasizes that the charges against the Stigals are quite different.
Although the indictment against Tim Stigal was unsealed in January, it dates back to 2020. His alleged transactions with stolen payment card data represent an older variety of cybercrime characteristic of the 1990s and 2000s. And there are no indications that these alleged crimes are related to intelligence agencies, Leslie said.
The case of Amin Stigal is more complicated. The DOJ openly accuses him of collaborating with the GRU.
But it’s almost impossible to determine the extent of this alleged collaboration because there is so little publicly available information and many different ways such a collaboration could have taken place. Leslie says he cannot even rule out the possibility that Stigal carried out work for the GRU without realizing it.
“It’s not uncommon for the GRU to take non-GRU criminals and hackers and effectively get them to do things on behalf of the GRU,” he said. “And then they cut ties for the purpose of plausible deniability.”