Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground Online
Author: Kevin Poulsen
Chris was blown away. This six-foot-five, semi-vegetarian hacker knew his stuff, even if he was rusty from the joint.
Chris introduced Max to one of his prison contacts, a real estate fraudster named Werner Janer whom Chris had met in Terminal Island in ’92.
Janer offered to pay Max $5,000 to penetrate the computer of a personal enemy. He wrote the check out to Charity so Max wouldn’t have to explain the income to his probation officer.
The money gave Max some breathing room. He began flying to Orange County, misspelling his name on the ticket so there’d be no record of his violating his supervised release by leaving the Bay Area. He and Norminton began crashing at Chris’s place for a week at a stretch, hacking from Chris’s garage.
He downloaded a list of small-sized financial institutions from the FDIC’s website, figuring they’d be most vulnerable, and launched a script to scan each bank for known security holes. An electronic chime rang out through the garage whenever it scored a hit. He wormed into the banks and pulled out customer names, financial data, and checking account numbers.
The scattershot approach meant Max would be spared the frustration he’d felt in his last legitimate penetration test. Hacking any one particular target can be difficult; depending on the target, maybe even impossible. But scan hundreds or thousands of systems, and you’re guaranteed to find some that are soft. It was a numbers game, like trying car doors as you walk through a parking lot.
Charity had only the broadest notion of what Max was up to, and she didn’t like it. In an effort to win her over, Chris and Norminton invited the couple down to Orange County for a short vacation, paying their way for a weekend at Disneyland. Charity could see that Max and Chris were clicking, but something about Chris didn’t smell right. He was too slick, too polished.
Max’s hacking moved to small e-commerce sites, where he grabbed transaction histories, some with credit card numbers. But his efforts were unfocused, and neither Chris nor Norminton was sure what to do with all the data he was stealing.
Fortunately, Chris had some money coming in. Werner Janer owed him $50,000 and was ready to wire-transfer the money to a bank account of Chris’s choosing. Determined to get his hands on cold, hard, unreported cash, Chris asked Norminton to do what he did best; Norminton agreed to have one of his friends receive the transfer and pull it out over the course of a few days.
The first round of withdrawals went as planned, and Norminton and his friend showed up at Chris’s and handed over $30,000 in $100 bills. The following day, though, Norminton reported that his friend had taken ill and would have to take the day off.
In truth, Norminton had discovered the source of the windfall: It was Chris’s cut from a real estate scam he’d helped Janer pull off. The money was dirty, and Norminton was now implicated in the scheme. The next morning, Chris found the Honda he’d loaned Norminton parked outside his office, one tire flat and a fresh dent in the fender. There was a note from Norminton inside: The FBI is after me. I’m skipping town.
Chris phoned Norminton’s cash mule, already knowing what the score would be: Norminton’s associate was in perfect health and had withdrawn the other $20,000 the day before, as planned. He’d given it to Norminton. Didn’t Chris get it?
Chris tracked down Max through Charity and demanded answers: What did Max know about Norminton’s whereabouts? Where was Chris’s money? Max was as surprised as Chris at Norminton’s disappearance, and eventually the two agreed to continue their partnership without Norminton.
Max and Chris fell into a routine. Once a month, Chris flew or drove north and met Max in downtown San Francisco, where they checked into a hotel. They’d carry Max’s massive antenna up the fire stairs to their room and mount it on a tripod near the window. Then Max would putter for a while to locate a high-speed Wi-Fi with a strong signal.
They learned that altitude wasn’t as important in Wi-Fi hacking as the sprawl of buildings visible out the window. If they came up dry, Chris would run down to the front desk to ask for a different room, explaining earnestly that he couldn’t get a cell phone signal or was too afraid of heights to remain on the twentieth floor.
Max treated it like a job, saying good-bye to Charity and then vanishing for up to a week into one of the city’s finest hotels, the Hilton, Westin, W, or Hyatt. While the clang of cable car bells rose from the streets below, Max cast his net over cyberspace, scooping up whatever data he could find—not really sure what he was looking for.
On a whim, he cracked Kimi’s computer and that of her boyfriend, with whom she’d moved in. Max contemplated plundering her address book and sending out a mass e-mail in her name, detailing how she betrayed him. He thought everyone should know that Kimi’s new life was built on a foundation of infidelity.
He didn’t go through with it. He had Charity now. Kimi had moved on, and nothing would be gained by trying to shame her, he realized. Shortly thereafter, he signed the divorce papers.
Returning to his work, he began performing Google searches for guidance in his targeting: What were other fraudsters doing? How were they monetizing stolen data? That was when he discovered where the real criminal action was online: two websites called CarderPlanet and Shadowcrew.
In the spring of 2001, some 150 Russian-speaking computer criminals convened a summit at a restaurant in the Ukrainian port city of Odessa to brainstorm the launch of a revolutionary website. Present were Roman Vega, a thirty-seven-year-old man who sold counterfeit credit cards to the underground through his online storefront BOA Factory; a cybercrook known as “King Arthur”; and the man who would emerge as their leader, a Ukrainian credit card seller known by the handle “Script.”
The discussion was sparked by the success of a UK-hosted website erected in 2000 called Counterfeit Library, which solved one of the fundamental weaknesses of conducting criminal business in IRC chat rooms, where the wisdom and experience of years of crime vanished into the air as soon as the chat was over. Founded by a handful of Western cybercrooks, Counterfeit Library collected underground tutorials onto a single website and attached an online discussion forum where identity thieves could gather to swap tips and buy and sell “novelty” identification cards—a euphemism distilled from the same spirit in which hookers go on “dates.”
Counterfeit Library had more in common with the electronic bulletin board systems of the pre-Web days than with IRC. Members could post in permanent discussion threads and build personal reputations and brands. As criminals around the globe discovered this patch of dry land in the murky ephemeral sea of underground commerce, the site collected hundreds, then thousands, of members from across North America and Europe. They were identity thieves, hackers, phishers, spammers, currency counterfeiters, credit card forgers, all of whom had been slaving away in their apartments and warehouses, blind, until now, to the vastness of their secret brotherhood.
The carders of Eastern Europe had watched Counterfeit Library with envy. Now they wanted to apply the same alchemy to their own underground.
In June 2001, the result of the Odessa summit was unveiled: the International Carders Alliance, or simply Carderplanet.com, a tightly organized reinvention of Counterfeit Library catering to the underworld of the former Soviet empire. While Counterfeit Library was a freewheeling discussion board and BOA Factory a straightforward storefront operation, CarderPlanet was a disciplined online bazaar, charged with the excitement of a commodities exchange.
Unabashed in its purpose, the site adopted the nomenclature of the Italian Mafia for its rigid hierarchy. A registered user was a “sgarrista”—a soldier, without special privileges. One step up was a “giovane d’honore,” who helped moderate the discussions under the supervision of a “capo.” At the top of the food chain was CarderPlanet’s don, Script.
Russian-speaking vendors flocked to the new site to offer an array of products and services. Credit card numbers were a staple, naturally, but only the beginning. Some sellers specialized in the more valuable “full infos”—a credit card number accompanied by the owner’s name, address, Social Security number, and mother’s maiden name, all for around $30. Hacked eBay accounts were worth $20. Ambitious buyers could spend $100 for a “change of billing,” or COB, a stolen credit card account where the billing address could be changed to a mail drop under the buyer’s control. Other vendors sold counterfeit checks or money orders, or rented drop addresses in the United States where merchandise ordered on American credit cards could be delivered without raising alarms and then reshipped to the scammer.
Physical products like blank plastic “magstripe” (magnetic stripe) cards were in the offering, as well as “novelty” IDs, complete with holograms, which sold for anywhere from $75 to $150, depending on the quality. One could purchase a package of ten identification cards with the same photo but different names for $500.
CarderPlanet’s registration was open to anyone, but to sell on the site, vendors first had to submit their products or services to an approved reviewer for inspection. New vendors would sometimes be required to escrow their transactions through Script or to post a bond with the site’s emergency fund, used to pay out buyers in case an approved vendor went out of business with unfilled orders in his queue. Vendors were expected to keep the board apprised of any vacation plans, safeguard buyers’ information from hacker attacks, and respond promptly to customer complaints. “Rippers,” vendors who failed to deliver on a sale, were subject to banishment, as was any vendor who accumulated five customer complaints.
CarderPlanet was soon imitated by a second site, this one aimed at the English-speaking world: Shadowcrew. In September 2002, after witnessing the stunning success of CarderPlanet’s regimented hierarchy, a carder named “Kidd” brought over the heaviest hitters from Counterfeit Library to do business the Russian way. News of the site spread through IRC chat rooms and prison yards alike, and by April 2003, Shadowcrew had four thousand registered users.
With the motto “For Those Who Like to Play in the Shadows,” Shadowcrew was at once a study-at-home college and an online supermarket for nearly anything illegal. Its tutorials offered lessons on how to use a stolen credit card number, forge a driver’s license, defeat a burglar alarm, or silence a gun. It boasted a wiki that tracked which state driver’s licenses were forgeable. And its approved vendors around the world could provide a dizzying array of illicit products and services: credit reports, hacked online bank accounts, and names, birth dates, and Social Security numbers of potential identity theft targets.
As on CarderPlanet, each product had its own specialists, and every vendor had to be reviewed by a trusted site member before they were allowed to sell. Disputes were handled judiciously, with administrators and moderators working overtime to expose and ban rippers selling bunk products.
The trading wandered beyond data into tangible items like ATM skimmers, prescription drugs, and cocaine, and into services like distributed denial-of-service (DDoS) attacks—take down any website for $200—and malware customization to evade antivirus products. One well-reviewed vendor offered a test-taking service that promised to get customers technical certifications within days. A vendor called UBuyWeRush sprang up to flood the underground with magnetic stripe writers, as well as must-haves like safety paper and magnetic ink cartridges for counterfeiting checks.
Child porn was forbidden, and one vendor who asked to be reviewed for exotic animal sales was laughed off the board. But nearly anything else was fair game on Shadowcrew.
By this time, CarderPlanet had launched subforums for criminals from Asia, Europe, and the States, but it was Shadowcrew that forged a true international marketplace: a cross between the Chicago Mercantile Exchange and Star Wars’s Mos Eisley cantina, where criminals of varying disciplines could meet up and collaborate on heists. An identity thief in Denver could buy credit card numbers from a hacker in Moscow, send them to Shanghai to be turned into counterfeit cards, then pick up a fake driver’s license from a forger in Ukraine before hitting the mall.
Max shared his discovery with Chris, who was fascinated. Chris logged on to the forums and studied the content like a textbook. A lot of things hadn’t changed since he’d dealt in credit card fraud in the 1980s. Other things had changed a lot.
There was a time when crooks could literally pull credit card numbers from the trash by Dumpster-diving for receipts or the carbon-paper slips left over from retailers’ sliding imprint machines. Now mechanical imprinting was dead, and Visa and MasterCard insisted that receipts not include full credit card account numbers. Even if you got the numbers, that was no longer enough to make counterfeit cards. The credit card companies now added a special code to every magnetic stripe—like a PIN, but unknown even to the cardholder.
Called a Card Verification Value, or CVV, the code is a number distilled from other data on the stripe—primarily the account number and expiration date—and then encrypted with a secret key known only to the issuing bank. When the magstripe is swiped at the point-of-sale terminal the CVV is sent along with the account number and other data to the issuing bank for verification; if it doesn’t match, the transaction is declined.
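The issuer-side check described above, as an added illustration that is not part of the book: the real CVV algorithm is DES-based with issuer-held keys, so HMAC-SHA256 stands in for the keyed step here, and the key, account number and expiry date are all constructed values. It shows why a stripe rebuilt from a receipt's account number alone is declined at authorization.

```python
"""Simplified issuer-side CVV derivation and verification (constructed example)."""
import hmac
import hashlib

# Hypothetical issuer key; in practice it never leaves the issuer's HSM.
ISSUER_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")


def derive_cvv(pan: str, expiry_yymm: str, service_code: str,
               key: bytes = ISSUER_KEY) -> str:
    """Distil a 3-digit CVV from the stripe fields under the issuer's secret key.

    HMAC-SHA256 replaces the real DES-based step; the structure is the same:
    the code is a keyed function of data already on the stripe.
    """
    message = f"{pan}|{expiry_yymm}|{service_code}".encode()
    tag = hmac.new(key, message, hashlib.sha256).digest()
    # Reduce the first four bytes of the tag to three decimal digits.
    return f"{int.from_bytes(tag[:4], 'big') % 1000:03d}"


def authorize(track: dict, key: bytes = ISSUER_KEY) -> str:
    """Recompute the CVV from the swiped fields and compare in constant time."""
    expected = derive_cvv(track["pan"], track["expiry"], track["service_code"], key)
    return "APPROVED" if hmac.compare_digest(expected, track["cvv"]) else "DECLINED"


# Constructed card as encoded by the issuer at personalisation time.
genuine = {"pan": "4000123412341234", "expiry": "2712", "service_code": "101"}
genuine["cvv"] = derive_cvv(genuine["pan"], genuine["expiry"], genuine["service_code"])

# The same account number and expiry copied from a receipt: without the issuer
# key the CVV field cannot be reproduced, so any value written there is wrong.
receipt_copy = dict(genuine, cvv="000" if genuine["cvv"] != "000" else "001")

if __name__ == "__main__":
    print("genuine stripe:", authorize(genuine))        # APPROVED
    print("receipt copy:  ", authorize(receipt_copy))   # DECLINED
```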