Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground
Authors: Kevin Poulsen
Tags: #Technology & Engineering, #Computer hackers, #Commercial criminals - United States, #Commercial criminals, #Social Science, #True Crime, #Computers, #General, #United States, #Criminals & Outlaws, #Computer crimes, #Butler; Max, #Case studies, #Computer crimes - United States, #Biography & Autobiography, #Computer hackers - United States, #Security, #Engineering (General), #Criminology
In one of the spacious apartments, Chris Aragon was running his factory. The drapes were drawn over the giant picture window to hide the riot of machinery crowding the Ikea tables and granite countertops. He flipped on his card printer, and it awakened with a whining rumble, wheels spinning up to speed, motors pulling the ribbons taut as a hospital bedsheet.
Max was snagging dumps regularly now, and when he got a new haul, there was no time to waste—the swipes were stolen property twice over, and Chris had to burn through them before the crooks who’d purchased or hacked the numbers maxed them out first or blundered and got them flagged by the credit card companies. Chris had tapped the last of his reserves to invest in about $15,000 worth of credit card printing gear and the apartment to house it. Now the investment was paying dividends.
Chris loaded blank PVC cards into the hopper of an unwieldy oblong machine called a Fargo HDP600 card printer, a $5,000 device used to print corporate ID cards. With a click on his laptop, the machine drew a card into its maw and hummed once, twice, a third, and a fourth time, each sound marking another color as it moved to a clear transfer ribbon and was rapidly vaporized by heating elements and fused to the surface of the card. A final low grinding from the Fargo meant a clear laminate coat was settling over the plastic.
It was forty-four seconds from start to finish, and then the machine spat out the card—a glossy, brightly colored consumer objet d’art. A bald eagle staring purposefully at a Capital One logo, or the grim American Express centurion, or the simple smudge of sky blue across the white face of a Sony-branded MasterCard. For the high-limit cards, the process was the same, except sometimes Chris would start with gold- or platinum-colored PVC stock, purchased, like the white cards, in boxes of hundreds.
Once he had a pile of freshly printed plastic in hand, Chris moved to a second stop in the assembly line: a monochrome printer for the fine print on the back of the card. Then if the design called for a hologram, he’d pluck a sheet of Chinese-produced counterfeits from a stack, align it carefully in a die punch, and pull the lever to cut out an oval or rounded rectangle the size of a postage stamp. A $2,000 Kwikprint Model 55 heat stamper, resembling a drill press crossed with a medieval torture instrument, fused the metal foil to the surface of the PVC.
The embosser was next: a giant motorized carousel wheel of letters and numbers that sounded like an IBM Selectric as it banged the name, account number, and expiration date one character at a time into the plastic, tipping each with silver or gold foil. From a Chinese supplier, Chris had obtained the special security keys for Visa’s “flying V” and MasterCard’s joined “MC”—two distinctive raised characters found only on credit cards, real and fake.
Credit card verification systems don’t check the customer’s name, which meant Chris had the luxury of choosing whatever moniker he liked for the front of his plastic; he preferred “Chris Anderson” for the cards he used himself. On his computer, Chris edited Max’s dumps to make the name on the magstripe match the alias—conveniently, the name was the one piece of magstripe data not used in calculating the CVV security code, so it could be altered at will.
Finally, it was two swipes through the trusty MSR206 to program Max’s dump onto the magstripe, and Chris had a counterfeit credit card that duplicated in nearly every way the plastic nestled in a consumer’s wallet or purse somewhere in America.
He wasn’t done yet.
Driver’s licenses were a must for high-end purchases, and there, too, Chris’s assembly line and Shadowcrew’s tutorials got the job done. For licenses, he’d switch from PVC to Teslin, a thinner, more flexible material sold in 8½ × 11 inch sheets. It was one sheet for the front, another for the back, ten licenses to a sheet.
California licenses include two security features that took some extra hacking. One is a translucent image of the California state seal, set in a repeating pattern in the clear laminate over the face of the license. To simulate it, Chris used Pearl Ex, a fine colored powder sold at arts-and-crafts stores for less than three dollars a jar. The trick was to dust a sheet of laminate with a mix of gold and silver Pearl Ex, feed it into a printer loaded with a clear ink cartridge, and print a mirror image of the California pattern with the transparent ink. It didn’t matter that the ink was invisible—it was the heat from the print head he was after. When the sheet came out, the printer had heat-fused the pattern onto the surface, and the extra Pearl Ex was easily washed away in a cold rinse.
The ultraviolet printing on the face of the license was no more difficult. An ordinary ink-jet printer would do the trick, as long as one drained the ink from the cartridge reservoirs and replaced it with multicolored UV ink bought in tubes.
After all the dusting, printing, and washing, Chris was left with four sheets of material. He would sandwich the two sheets of printed Teslin between the laminate and run it through a pressure laminator. After die-cutting, the result was impressive: Run your fingers over the license and feel the flawless silken surface; hold it at an angle and witness the ghostly state seal; put it under a UV bulb, and the state flag glowed eerily, the words “California Republic” in red, above them a brown bear walking on four legs across a yellow hilltop.
With cards and licenses complete, Chris got on the phone and summoned his girls. He’d figured out that attractive college-aged women made the best cashers. There was Nancy, a five-foot-three-inch Latina with “love” tattooed on one wrist; Lindsey, a pale girl with brown hair and hazel eyes; Adrian, a young Italian woman; and Jamie, who’d worked as a waitress at the Hooters in Newport Beach.
He’d met the twin brunettes Liz and Michelle Esquere at Villa Siena, where they lived. Michelle was just hanging around with the group, but Liz was invaluable: She had worked in the mortgage industry and was whip-smart, well educated, and responsible enough to take over some of the administrative work, like maintaining the spreadsheet of payouts, in addition to making in-store purchases.
Chris had a talent for recruitment. He might meet a new prospect at a restaurant and invite her to go partying with his friends. She’d join them at the clubs and expensive dinners, ride in the back of the rented limousine when one of them had a birthday to celebrate. She’d see money everywhere. Then, when the time was right, maybe months later, maybe when the girl confessed she had bills to pay or was behind on her rent, he would casually mention that he knew a way she could earn quick and easy money. He’d tell her how it worked. It was a victimless crime, he’d explain. They’d be “sticking it to the man.”
None of the girls knew where Chris got his credit card data. When he referred to Max, it was as “the Whiz,” an unnamable superhacker whom they’d never have the privilege of meeting. Chris’s code name was “the Dude.” Now that his operation was purring, the Dude was paying the Whiz around $10,000 a month for the dumps—transferring the payments through a prepaid debit card called Green Dot.
Marketed to students and consumers with poor credit, a Green Dot Visa or MasterCard is a credit card without the credit: The consumer funds the card in advance with direct payroll deposits, transfers from a bank account, or cash. The last option made it an ideal money pipeline between Chris in Orange County and Max in San Francisco: Chris would drop in at a neighborhood 7-Eleven or Walgreens and purchase a Green Dot recharge number, called a MoneyPak, for any amount up to $500. He’d then IM or e-mail the number to Max, who’d apply it to one of his Green Dot cards at the company’s website. He could then use the card for everyday purchases or make withdrawals from San Francisco ATMs.
Once his crew arrived, ready for work, Chris passed out their cards, separated into low-limit classic cards and high-limit gold and platinum. They should stick to small purchases for the classics, he’d remind them—$500 or so. With the high-limit plastic they should go for the big bucks, purchases from $1,000 to $10,000 dollars. The girls were all young, but affecting the privileged bearing of stylish Orange County youth they could walk into a Nordstrom’s and snatch up a couple of $500 Coach bags without raising eyebrows, then cross to the other side of the mall and do the same thing at Bloomingdale’s.
New cashers were always nervous at first, but once the first fake card was approved at the register, they were hooked. In no time they’d be sending Chris excited text messages from their shopping excursions: “Can we use amex at new bloomingdales?” or “I did over 7k on a mc! yeah!”
At the end of the day, they met Chris in a parking lot and transferred the purses trunk-to-trunk. He paid them on the spot, 30 percent of the retail value, and carefully recorded the transaction on a payout sheet like a real businessman. The handbags—elegant cloth and suede and gleaming buckles—would go in boxes until Chris’s wife, Clara, could sell them on eBay.
As night fell over Villa Siena, the lights went on above the tennis courts and the outdoor fireplaces ignited. Miles away Chris and his crew were at a restaurant, ordering a celebratory dinner and a bottle of wine. As always, it was Chris’s treat.
“Nice TV!” said Tim, admiring the sixty-one-inch Sony plasma hanging on the wall. Charity, a compulsive reader, hated the new flat-screen, the way it dominated the living room in their new apartment, but Max loved his gadgets, and this one was more than a high-def toy. It was a symbol of the couple’s newfound financial security.
Max’s friends knew that he was into something, and not just because he was no longer struggling to make ends meet. Max had begun slipping Tim CD-ROMs burned with the latest exploits from the underground, giving the system administrator an edge in protecting his work machines. Then there were the odd comments at the monthly Hungry Programmers’ dinner at Jing Jing in Palo Alto. When everyone was done describing their latest projects, Max would only offer a cryptic note of envy. “Wow, I wish I was doing something positive.”
But nobody was pressing Max for the details of his new gig; they could only hope it was something quasilegitimate. The hacker scrupulously avoided burdening his friends with the knowledge of his double life, even as he slipped farther to the edge of their circle. Until the day one of his hacks followed him home.
• • •
It was 6:30 a.m. and still dark out when Chris Toshok awoke to the sound of his doorbell buzzing, the long continuous drone of someone holding their thumb on the button. Figuring it for a neighborhood drunk, he rolled over and tried to get back to sleep. Then the buzz broke into an insistent rhythm, bzzz, bzzz, bzzz, like a busy signal. He reluctantly crawled out of bed, grabbed his pants and a sweatshirt, and moved groggily down the stairs.
When he opened the door he found himself squinting into the glare of a flashlight.
“Are you Chris Toshok?” said a woman’s voice.
“Uh, yes.”
“Mr. Toshok, we’re with the FBI. We have a warrant to search the premises.”
The agent—a long-haired blonde—showed Toshok her badge and pressed a thin sheaf of papers into his hands. Another agent put a firm hand on his arm and guided him outside to the porch, clearing the doorway to admit a flood of suits into the house. They roused Toshok’s roommate, then began tossing Chris’s bedroom, riffling through his bookshelves and pawing through his underwear drawer.
The blonde, joined by a Secret Service agent, sat down with Toshok to explain why they were there. Four months earlier the source code for the unreleased first-person shooter Half-Life 2 had been stolen from the computers of Valve Software in Bellevue, Washington. It was swapped in IRC for a while and then showed up on file-sharing networks.
Half-Life 2 was perhaps the most anticipated game of all time, and the emergence of the secret source code had electrified the gaming world. Valve announced it would have to delay the launch of the game, and the company CEO issued a public call for Half-Life fans to help track down the thief. Based on sales of the original game, Valve valued the software at a quarter of a billion dollars.
The FBI had traced some of the hacking activity to Toshok’s Internet IP address at his old house, the agent explained. The judge would go easier on Toshok if he told them where he’d stashed the source code.
Toshok protested his innocence, though he acknowledged that he knew about the breach. His old friend Max Vision was staying with him at the time of the intrusion, and he got very excited when the source code popped up online.
Hearing Max Vision’s name sent the agents into double time—they nearly tripped over themselves to finish the search and get back to the office to prepare a warrant application for Max’s new apartment. Chris watched gloomily as they gathered his nine computers, some music CDs, and his Xbox. The blonde agent registered the look on his face. “Yeah,” she said, “this is going to be hard for you.”
When Max heard about the raid, he knew he didn’t have much time. He ran around his apartment stashing his gear. He hid an external hard drive in a stack of sweaters in the closet, another in a cereal box. One of his laptops fit under the sofa cushions; he hung a second one out the bathroom window in a garbage bag. Everything sensitive on his computers was encrypted, so even if they found his hardware, the agents wouldn’t get any evidence of his hacking. But under the terms of his supervised release, he wasn’t supposed to be using encryption at all. Moreover, it would be incredibly inconvenient to let the FBI take all of his computers.