The couple was tense when we met in a nondescript hotel room somewhere in the United States. We were asked not to reveal the exact location of the rare interview and only learned it ourselves at the last minute.
Yuliya Stepanova, an 800-meter runner, and husband Vitaly, a former doping officer in Russia, have been living in hiding, first in Germany and now in America, for the past two years. But a few days ago Stepanova’s accounts were hacked and the couple’s location was revealed.
Hackers had just tracked them down.
“If something happens to us,” Stepanova said, “it is not an accident. It is not accidental.”
Asked if she specifically means she is worried the couple could be murdered, she said yes: “This is exactly what we have in mind.”
Stepanova and her husband have been branded traitors in their home country, Russia, and have been living like fugitives ever since they decided to expose the widespread use of performance-enhancing drugs among Russian athletes.
A spokesman for President Vladamir Putin once called Stepanova a “Judas.”
Although the Stepanovs tell few people whom they meet who they really are, and fewer still where they live, it isn’t easy to hide in the digital age.
About two weeks ago, the couple and their 3-year-old son were forced to move once again after Stepanova fell victim of a cyber attack.
The hack
Stepanova still trains as an elite runner, and like other athletes, she maintains an account with the World Anti-Doping Agency, WADA. The WADA system keeps track of the locations of its registered athletes so they can be given random drug tests. Stepanova’s WADA account was breached.
“When they told us the account was hacked,” Stepanova said, “the first thing I thought was that they are coming after us and want to know where we were.”
Asked if she knew exactly how she was hacked, Stepanova broke down in tears. “I only want this to be over,” she said.
The Stepanovs may have good reason to worry about what the hack might mean for them. Russia has repeatedly tried to silence, at times violently, those it considers to be turncoats.
Related: Experts: Same Russians Hacked Olympic Whistleblower, Democrats
Two years ago, Yuliya and Vitaly blew the whistle on doping in Russian sports in a documentary by German broadcaster ARD. It was a revelation from an insider: Stepanova herself, once banned for doping while on the Russian team, she said she felt manipulated by what she calls a corrupt system, and wanted to expose it.
With a hidden camera, Stepanova shot banned substance dealings and provided the footage to German investigative journalist Hajo Seppelt, who helped secure the Stepanovs’ interview with NBC.
“We wanted to tell the truth to help our country,” Stepanova said.
“We are trying to do the right thing,” Stepanov added, “for sports for clean athletes.”
“If you want to expose doping there is nowhere to go to,” he said.
Who are the hackers?
Stepanova’s account at WADA was password protected. It appears whoever got in had the password. Her personal email was also hacked at the same time.
WADA confirmed to NBC News that Stepanova’s account was accessed by an unknown actor from a remote location. Cyber experts contacted by NBC News say they’ve don’t have enough evidence to know who accessed her accounts, but they do have suspicions.
At the same time Stepanova’s WADA account was hacked, athletes from around the world started receiving emails, which appeared to come from WADA.
The emails linked to a fake WADA page, where the athletes were called to put in their credentials to the WADA system for the hackers to exploit. Experts call it a “phishing” attack and traced it back to a well-known group of Russian-backed hackers.
“We see a tremendous amount of activity of Russian actors across the board,” said John Hultquist, manager of cyber espionage intelligence at the U.S.-based security firm FireEye.
Related: Olympics Cold War: Anti-Doping Fever Grips Rio
According to Hultquist, FireEye linked the phishing attack on WADA athletes to the Russian hacking group APT28 — Advanced Persistent Threat 28 — also nicknamed Fancy Bear. They did so while looking into the movements of this specific hacking group that they’ve been tracking for years.
Experts also point out, APT28 is the same group that was responsible for hacking the U.S. Democratic National Committee, the DNC, earlier this year.
“The Russian actor APT 28 that we suspect is behind the DNC incident has certain infrastructure that we have seen used in this recent attack,” Hultquist said.
Another cyber security group that looked into the breach, Threatconnect, came up with the…