Terrorists who did not commit terrorism with a clear intention, a shortage of people for аn OPG (organized crime group), six months in custody for securing an employee's laptop, filing (and returning) a poorly written indictment and one of the most impressive failures of the media justice genre imposed by the prosecution and Ivan Geshev. This is how the "NAPleeks" case looks in brief, after the tax agency was breached and the data of more than 6 million Bulgarian citizens leaked from it in 2019. For the state, it was a failure - technical and organizational, on a massive scale, with the fallout continuing to this day.
The hacking of the NRA and the subsequent media justice against Kristiyan Boykov, Ivan Todorov and Georgi Yankov from the company TAD Group was one of the cases that turned Ivan Geshev into a media star, and then into a chief prosecutor. At the same time, it typifies everything wrong with the work of the prosecution in recent years: a powerful media campaign against the accused marked by selective releases of evidence, much of which is subsequently missing from the indictment. Prosecutors had sown the impression that they had indeed caught the perpetrators and could prove their guilt beyond any doubt. Such a statement proved to be far from reality.
When a nation's data was leaked
The public story began on July 15, 2019, when three Bulgarian media outlets received an anonymous email registered on the Russian Yandex platform. It contained a link to a locked archive, a descriptive explanation of the password, and the following message: "Your government is slow. Your cybersecurity posture is parodic," written in English. The archive turned out to be 11 gigabytes of data taken from the NRA. The folders in the archive were diverse - in some there were only three names and social security numbers, in others - data from tax declarations, in third - also IP addresses. The NRA quickly confirmed that the leaked data covering a total of more than 5 million people, some of whom had already died, was authentic.
Just two days later, in the early hours of July 17, Sofia City Prosecutor's Office (SGP) indicted Kristiyan Boykov, at the time a 20-year-old cybersecurity specialist who worked for the TAD Group company. Boykov's face quickly circulated all over the media, but he had actually appeared on it before. In 2017, when he was still a student, he hacked the Ministry of Education and Science's system. Instead of taking advantage of it, however, he alerted the authorities to the problems and then talked about them on live TV. Boykov denied the accusations in an interview with bTV on July 22, but just two days later, the prosecutor's office also arrested one of his employers - the commercial director of TAD Group, Georgi Yankov. A few days later, the owner of the company, Ivan Todorov, was also detained.
And because the law prescribes relatively light punishments for computer crimes, the prosecutor's office decided to accuse them of terrorism and, of course, being an organized criminal group (OCG). The case went to the Specialized Prosecutor's Office, which leaves Todorov in custody for seven months. The specialized prosecutor's office was closed in 2022 before an indictment was filed in the case.
Terrorism, organized gangs, racketeering and... silence
From there, the NAPleeks case turned into complete chaos. Boykov, Yankov and Todorov were practically accused of everything possible - from the racketeering of companies to the hacking of insurance companies.
In response to the mockery on the Internet, the prosecution moved to media justice. It broadcasted a conversation between Boykov and Yankov from the company's office, where Yankov says that "in a western country, the government would have to leave with everyone". After a few more days, witness statements were also published, according to which TAD Group had extorted massive amounts of money from companies.
After several tumultuous weeks in 2019, silence ensued. The case was forgotten, with attention turning to the coronavirus, lockdown, and the protests of 2020. Bulgarian media raised the question of what was happening and why there was no indictment several times but received no answer. During this time, the case fell apart bit by bit. In March 2022, the prosecutor's office dropped the charges against Georgi Yankov, so there was no longer talk of an organized crime group, which by definition must involve at least three people. Yankov himself, who in the days after his release on bail gave several interviews, subsequently fell silent.
Krisss: How the prosecution got to Kristiyan Boykov
According to the indictment, Kristiyan Boykov was identified by a director in the state "Information Service", who, upon checking the archive, found that it was made by a user named Krisss. In the forum of an online game, they linked the name of Kristiyan Boykov registered with the same pseudonym. A day later, Boykov was arrested.
A GDBOP official claims that "when reviewing the contents of the archive contained in the above link, with .csv files in the digital folder, the presence of a file named with the following content: "DESKTOP-Krisss", which is an indicator that a user "Krisss" logged in Windows operating system on a computer program named on May 11, 2019 at 11:49 am was responsible for viewing the file."
The mishmash becomes even more complicated when the testimonies of former colleagues of Boykov are added. According to one of them, Boykov wrote in a general chat that "the NRA is getting busted tonight" back in April; another employee had boasted that on July 10 he had "hacked something big". Another former employee says that Boykov asked him for help hacking the NRA, "specifying that he wanted us to hack the nap.bg and nra.bg domains." However, none of them witnessed any hacking.
The smoking muzzle (or not)
In practice, the prosecution has relied on one direct piece of evidence: nothing else was found on Boykov's work computer to incriminate him, except for a file in the computer's unallocated space created on May 11, 2019. The unallocated space is a place on the computer where data from deleted files is kept. According to the prosecutor's office, this file was provided to the GDBOP, and when a comparative analysis was carried out, it was undisputedly established that it was obviously Kristian Boykov who had received an inquiry from the media regarding the publication of the information and he sent the return email on 16.07.
The problem in the evidence is technical: "The seized computer on which the prosecution claims the crime was committed ran a Linux operating system. Most cyber security professionals prefer to work on Linux. And the lockfile in question was created under the Windows operating system. Anyone with good computer knowledge can add a lockfile additionally with any username they want, especially if they aim to incriminate another person in a crime," says lawyer Asen Asenov, who represents Kristiyan Boykov.
In this case, there are two possible explanations. The first possible explanation is that the file was not created on Boykov's computer. The second is that a computer can also have two operating systems, mostly to test software on it. However, the indictment lacks such an explanation. If the lockfile in question was created later, this brings two problems. The first is that the prosecution's entire narrative fails. The second is that then another question arises: could it be a planted piece of evidence, put into the computer after it has been seized as evidence and which therefore only a small number of government officials have access to? And if so, how much of the prosecution's evidence is reliable?
A sad and inconclusive tale
An hour after the indictment came to court on April 5, 2023, nearly four years after the leak, it was returned for two main reasons: "serious procedural errors" and lack of clarity regarding the exact accusations against Boykov and Todorov.
One of the prosecutor's major omissions is that in one case Todorov helped with "possible intent" and in the other - with "objective intent." Thus Ivan Todorov turns out to be the first person in history to commit terrorism by mistake. The way in which, according to the prosecution, Todorov helped Boykov is also telling: he helped carry out the terrorist act "by providing him with a Lenovo laptop, providing him with a room and an Internet connection." This is contrary to the initial theses of the state prosecution, which presented Todorov as a dangerous criminal and the head of a company that is actively engaged in racketeering. The prosecution did not provide evidence that the laptop, the premises and the internet connection were provided for the specific purpose of committing a crime, although it claims so in plain text. For this act, Ivan Todorov was in custody for seven months. At that time TAD Group ceased operations. At the same time, Todorov also stopped holding the franchise in Bulgaria for the Subway sandwich restaurant chain. After the end of TAD Group, according to information from Capital, many of the specialists turned out to be unemployed, although there is a hunger for such personnel in Bulgaria. The reason: they are seen as potential terrorists.
At the moment, the prosecutor's office is protesting the return of the indictment, maintaining that everything in it is in order. The question remains open as to why the indictment was filed only four years later. The state bears no responsibility for the case. In August 2019, the CPLD fined the NRA BGN 5 million, but since both are state institutions, this is a transfer of money from one pocket to the other - or, as Vladislav Goranov puts it, "a net operation that will not affect anything. What has been, so will be, there is stability."