By ADAM GOLDMAN and MATT APUZZO
WASHINGTON — When a suspected Russian cybercriminal named Dmitry Ukrainsky was arrested in a Thai resort town last summer, the American authorities hoped they could whisk him back to New York for trial and put at least a temporary dent in Russia’s arsenal of computer hackers.
But the Russian authorities moved quickly to persuade Thailand not to extradite him, saying that he should be prosecuted at home. American officials knew what that meant. If Mr. Ukrainsky got on a plane to Moscow, they concluded, he would soon be back at work in front of a computer.
“The American authorities continue the unacceptable practice of ‘hunting’ for Russians all over the world, ignoring the norms of international laws and twisting other states’ arms,” the Russian Foreign Ministry said.
The dispute over Mr. Ukrainsky, whose case remains in limbo, highlights the difficulties — and at times impossibilities — that the United States faces in combating Russian hackers, including those behind the recent attacks on the Democratic National Committee. That hack influenced the course, if not the outcome, of a presidential campaign and was the culmination of years of increasingly brazen digital assaults on American infrastructure.
The United States has few options for responding to such hacks. Russia does not extradite its citizens and has shown that it will not easily be deterred through public shaming. At times, the American authorities have enlisted local police officials to arrest suspects when they leave Russia — for vacation in the Maldives, for example. But more often than not, the F.B.I.and Justice Department investigate and compile accusations and evidence against people who will almost certainly never stand trial.
“You can indict 400 people. They don’t care,” said Robert E. Anderson Jr., who until last year served as the F.B.I.’s most senior executive overseeing computer investigations.
The American government divides the cybersecurity world into two categories: attacks directed or sponsored by governments, and those conducted by criminals. But Russian hacking defies easy categorization, American officials say, because the Russian government tacitly supports many private hackers and occasionally taps them for freelance government work. That has complicated investigations and upended the normal diplomatic order.
In May 2009, for instance, Secret Service agents met in Moscow with their counterparts in the Russian Federal Security Service, known as the F.S.B. The Americans said they were investigating a hacker who had installed malicious code in the software that some American businesses used to process credit card transactions. The hacker was stealing millions of credit card numbers and selling them in an underground digital marketplace.
The agents provided a name — Roman Seleznev — and the aliases he used online. His father was a member of the Russian Parliament. The Secret Service had followed his digital trail to Vladivostok, and they asked for help catching him.
Within weeks, all evidence of Mr. Seleznev’s online identity vanished from the internet. Rather than advancing the case, the Russian government had set it back, the American authorities believed. Prosecutors described their blunt conclusion in court documents: “Further coordination with the Russian government would jeopardize efforts to prosecute this case.” The American authorities were left to pursue Mr. Seleznev by themselves.
The Russians are not always uncooperative. This week they deported Joshua Samuel Aaron, 32, who was wanted by the F.B.I. on charges of stealing hundreds of millions of dollars from Wall Street banks. But Mr. Aaron, who was arrested Wednesday at John F. Kennedy International Airport after arriving on a flight from Moscow, is an American, not a Russian.
In another computer crime case, in 2014, the Justice Department shut down two global computer networks that had been used to steal millions of dollars. Called Operation Tovar, it involved intelligence agencies around the world. The target was 30-year-old Evgeniy M. Bogachev. Safely in Russia, he watched as the F.B.I. made him a most-wanted fugitive and offered a $3 million reward for his capture.
In that case the F.B.I. was actually able to identify the person sitting at the keyboard. More often, the authorities identify aliases or internet addresses but cannot prove who is behind them unless the hackers get sloppy.
In the Seleznev case, for example, the authorities searched a Yahoo email account that was used to register some of the servers in the credit-card scam. Agents found, among other things, receipts for flowers that Mr. Seleznev had sent to his wife.
In the D.N.C. case and other election-year hacks, the authorities have concluded that people affiliated with the Russian government are to blame. But even if intelligence officials can identify who is behind those attacks, naming the actual perpetrators is even harder. One senior federal law enforcement official said this week that investigators still had many unanswered questions.
If it can be done, naming and prosecuting the hackers would follow a path set in 2014, when the Justice Department indicted five members of the Chinese People’s Liberation Army on charges of hacking into American networks. The indictment links the men to specific email addresses and aliases, but does not reveal how the authorities made those connections.
“The chance of us ever getting those Chinese guys is about zero,” said Mr. Anderson. “But it does show them that there’s a change afoot. At least the way we’re looking at it policy-wise.”
Criminal charges have more practical implications, too. “It’s about denying them the ability to travel freely and preventing them from spending their ill-gotten gains anywhere but Russia,” said Leo Taddeo, the chief security officer at Cryptzone and the former top agent in the F.B.I.’s New York computer operations division. “You’re confining them to a prison that spans 11 time zones that can be a pretty unpleasant place.”
In short, even hackers take vacations. In July 2013, the authorities captured a notorious Russian hacker named Aleksandr Andreevich Panin while he was in the Dominican Republic. Mr. Panin was sentenced to more than nine years of prison for selling malware that resulted in the theft of nearly $1 billion.
“Cybercriminals be forewarned: you cannot hide in the shadows of the internet,” said Sally Q. Yates, who was the United States attorney in Georgia at the time and is now the deputy attorney general. “We will find you and bring you to justice.”
It was certainly true for Mr. Seleznev. After finding the flower receipt and making other connections, the American authorities made secret plans to capture him while he vacationed in the Maldives. Agents arrested him at the airport there in 2014 and hurried him onto a plane to the United States territory of Guam.
After a trial in Seattle, he was convicted in August of 38 counts related to hacking in a scheme that prosecutors said cost businesses more than $169 million.
The Russian government declared Mr. Seleznev’s arrest to be an unlawful “kidnapping.” It has denied involvement in the D.N.C. hack and criticized the American government’s efforts to arrest Russian citizens traveling abroad.
That is playing out now in Thailand with Mr. Ukrainsky, and in the Czech Republic with Yevgeniy Aleksandrovich Nikulin, 29, accused of hacking into LinkedIn and Dropbox. He was captured in October in a raid at a hotel in Prague, where he was vacationing with his girlfriend, the police said.
The Russian response was swift: “We insist that the detained Russian citizen should be transferred to Russia.” He remains in the Czech Republic.
Aleksandr Andreevich Panin, Chinese People’s Liberation Army, Cryptzone, cybercriminal, Czech Republic, Democratic National Committee, Dmitry Ukrainsky, Dropbox, Evgeny M. Borgachev, FBI, hacking, Joshua Samuel Aaron, Justice Department, Leo Tadeo, LinkedIn, Operation Tovar, Robert E. Anderson Jr., Roman Seleznev, Russian government, Russian Parliament, Thailand, Vladivostok, Yevgeniy Aleksandrovich Nikulin