Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground (17 page)


Authors: Kevin Poulsen



Chris had delivered. There was ample Wi-Fi swimming around the Post Street Towers, and the apartment was indeed a closet: a three-hundred-square-foot studio that seemed scarcely larger than a prison cell. Decked out in blond wood, with a Formica counter, a full-sized fridge, and a bed that unfolded from the wall, it was a clean and functional McApartment, bare of all distractions and able to provide the necessities for Max’s all-night hacking sprees. The high turnover in the building made him anonymous. Chris just had to flash a fake ID at the rental office, pay a $500 deposit, and sign the six-month lease.

Once his computers were plugged in and his antenna was latched on to some patsy’s network, Max wasted little time in getting back on the job. As ever, he targeted fraudsters, and he developed some novel ways to steal from them. He monitored the alerts put out by an organization called the Anti-Phishing Working Group, staying on top of the latest phishing attacks. The alerts included the Web addresses of the phishing sites linked to the forged e-mails, allowing Max to hack the phishers’ servers, resteal the stolen data, and erase the original copy, frustrating the phishers and grabbing valuable information at the same time.

Other attacks were less focused. Max was still plugged into the white-hat scene, and he was on the private mailing lists where security holes often appeared for the first time. He had machines scanning the Internet day and night for servers running vulnerable software, just to see what he’d turn up. He was scanning for a Windows server-side buffer overflow when he made the discovery that would lead to his public entry into the carding scene.

His scanning put him inside a Windows machine that, on closer inspection, was in the back office of a Pizza Schmizza restaurant in Vancouver, Washington; he knew the place, it was near his mother’s house. As he looked around the computer, he realized the PC was acting as the back-end system for the point-of-sale terminals at the restaurant—it collected the day’s credit card transactions and sent them in a single batch every night to the credit card processor. Max found that day’s batch stored as a plain text file, with the full magstripe of every customer card recorded inside.

Even better, the system was still storing all the previous batch files, dating back to when the pizza parlor had installed the system about three years earlier. It was some fifty thousand transactions, just sitting there, waiting for him.

Max copied the files, then deleted them—they weren’t needed by Pizza Schmizza; in fact, just storing them in the first place was a violation of Visa’s security standards. After sorting and filtering out the duplicate and expired cards, he was left with about two thousand dumps.

For the first time, Max had a primary source, and they were virgin cards, almost guaranteed to be good.

Chris had been complaining about the staleness of some of Max’s dumps. That would end now. A customer could walk into the Pizza Schmizza and order a twelve-inch pie for his family, and his credit card could be on Max’s hard drive while the leftovers were still cooling in the garbage. Once he was done organizing his numbers, Max gave Chris a taste. “These are extremely fresh,” he said. “They’re from two days ago.”

There was no way that Chris and his crew could metabolize the fifty dumps a day coming from the Pizza Schmizza. So Max decided to make his first forays into vending in the carding scene.

Chris offered to handle the sales in exchange for half the profits. Chris’s recklessness still concerned Max—Chris had nearly been arrested buying gold in, of all places, India, fleeing the country one step ahead of the police. But Chris knew too much about Max for the hacker to just cut him loose, so he agreed to let Chris act as his representative to the underground. Chris soon claimed success in marketing Max’s dumps, until Max—who had a back door on Chris’s computer—figured out that Chris was actually using the magstripe data himself, getting a 50 percent price break by claiming to have resold them. Economically, it was all the same. But Max couldn’t help feeling cheated yet again.

Max turned to someone who might be easier to control: a teenage carder from Long Island named John Giannone who had become Chris’s sidekick.

Giannone was a smart middle-class kid with a coke habit and burning desire to be a ruthless, badass cyberpunk. His early ops failed to impress: He boasted to another carder that he’d once pushed all the buttons on an elevator before getting off, so the next passenger would have to stop at every floor. On another occasion, he claimed, he walked into a bank and wrote a note on the back of a deposit slip: “This is a robbery. I have a bomb. Give me money or I’ll blow the bank.” Then he put the slip back on the pile as a surprise for the next customer.

When he was seventeen, Giannone joined Shadowcrew and CarderPlanet under the handle MarkRich, and started participating in small operations. His reputation went south when he was busted carding plane tickets and a rumor spread that he’d snitched on a forum regular while in juvenile hall.

Undaunted, Giannone paid a more established carder for the exclusive right to take over his handle and reputation. As “Enhance,” the teen became more bold but not more successful. In May 2003, copying an extortion tactic perfected by the Russians, he borrowed a hacker’s botnet and launched a DDoS attack against JetBlue, taking down the airline’s website for some twenty-five minutes before sending an e-mail demanding $500,000 in protection money. But JetBlue paid him neither cash nor the respect a cybergangster deserved. “We will forward this to the appropriate law enforcement agencies,” the company wrote. “Yesterday’s outage was due to a system upgrade.”

When Max found Giannone with his Free Amex hack, the teen was running his operations from the computer in his mother’s bedroom. But Max and Chris had looked over Giannone’s files and decided he could be partner material. Chris in particular may have seen something of himself in the young, coke-snorting gangster wannabe. Giannone was already a regular visitor to Orange County—he liked vacationing in the sun—and the two began partying together. Chris called his apprentice “the Kid.”

Max knew everything about Giannone, while Giannone knew virtually nothing about him. For Max, it was an ideal arrangement for a partnership. Giannone made some sales of Max’s dumps and then introduced Max to other carders interested in making buys over ICQ. Max set up a new online identity for his vending: “Generous.”

Dealing with strangers was a big step for Max, and he took elaborate precautions to stay safe. When using carder forums or instant-messaging services, he’d bounce his connection through his private network of hacked PCs around the world—ensuring nobody could easily trace him even as far as his hacked WiFi. He disguised his writing style online for fear that some ill-considered turn of phrase or choice of punctuation might be matched to one of Max Vision’s security white papers or Bugtraq posts—the FBI had once remarked on the copious ellipses in his anonymous note to Lawrence Berkeley Laboratory during the BIND attacks.

To collect revenue, he accepted payment through an anonymous e-gold account linked to an ATM card. Giannone helped him with a second remittance system. The teenager established a business account at Bank of America for a car repair shop called A&W Auto Clinic, then sent Max the magstripe data and PIN code for his ATM card, allowing Max to clone the card with his MSR206. Dumps buyers in the United States could make a cash deposit for A&W at their nearest Bank of America branch, which Max could then withdraw at his leisure with his cloned ATM card.

Max didn’t need the money the way he used to. He’d squandered most of his nest egg from the Citibank cash-outs, frittering it away on everything from handouts for the homeless to a $1,500 Sony AIBO robotic dog. But he wasn’t broke yet, and Charity had just started a well-paying job as a system administrator at Linden Lab, the brick-and-mortar home of Second Life—a fully realized three-dimensional online universe growing by thousands of inhabitants a month.

There was just one reason he was upping the ante now. He’d become addicted to life as a professional hacker. He loved the cat-and-mouse games, the freedom, the secret power. Cloaked in the anonymity of his safe house, he could indulge any impulse, explore every forbidden corridor of the Net, satisfy every fleeting interest—all without fear of consequence, fettered only by the limits of his conscience. At bottom, the master criminal was still the kid who couldn’t resist slipping into his high school in the middle of the night and leaving his mark.

The Briefing
 

In a briefing room near Washington, two dozen male faces filled a computer monitor on the wall, some scowling for a mugshot, others smiling for a passport photo. A couple of them looked like teenagers barely out of puberty; others were older, unkempt and vaguely dangerous in appearance.

Around the table a handful of FBI agents in suits and ties stared back at the faces of the international computer underground. For one of the agents, a lot of things were suddenly making sense.

At thirty-five years old, J. Keith Mularski had been an FBI agent for seven years. But he’d been on the computer crime beat for just four months, and he had a lot to learn. Enthusiastically friendly and quick to laugh, Mularski had wanted to be an FBI agent since his freshman year at Pennsylvania’s Westminster College, when a bureau recruiter came in to speak to one of his classes. He’d held on to the list of qualifications even as he walked a more pedestrian career path, starting as a furniture salesman in Pittsburgh, then working his way up to a position as operations manager for a national furniture chain with fifty employees reporting to him at four stores.

In 1997, after eight years of waiting, he finally decided he was ready for the FBI. After a yearlong application process and sixteen weeks of training at the FBI academy in Quantico, he was sworn in as an agent in July 1998.

As part of the bureau’s graduation ritual, the newly minted agent was instructed to rank all the FBI field offices in order of assignment preference. He rated his hometown of Pittsburgh as number one—it was where Mularski had grown up, gone to school, and met his wife. His chances of transferring there evaporated the next month, when Islamic terrorists bombed U.S. embassy buildings in Kenya and Tanzania. Veteran FBI agents were dispatched from the Washington, DC, field office to investigate the attacks, and Mularski was one of fifteen fresh recruits sent to fill the vacancies in DC—the city marked thirty-second on his list.

Almost overnight Mularski went from managing furniture stores to working on some of the FBI’s most important, and highly classified, investigations. When, in 1999, a listening device was found in an office on the top floor of the State Department’s headquarters, he was part of the team that identified a Russian diplomat monitoring the transmitter from outside. In 2001, he helped bring down Robert Hanssen, a fellow counterespionage agent who’d been secretly spying for the KGB and its successor agency for twenty years.

It was heady work, but the secrecy chafed Mularski: He held a top-secret clearance and couldn’t talk about his job with outsiders—even his wife. So when headquarters announced openings for two experienced agents to kick-start an ambitious cybercrime initiative in Pittsburgh, he saw a chance to go home and step out of the shadows at the same time.

His new job wouldn’t be in an FBI office. He was assigned to the civilian office of an industry nonprofit group in Pittsburgh called the National Cyber Forensics and Training Alliance. The NCFTA had been formed by banks and Internet companies a couple of years earlier to track and analyze the latest scams targeting consumers online—mostly phishing attacks. Mularski’s job wouldn’t consist of chasing individual scams—in isolation, each round of phishing was too small to meet the FBI’s minimum loss threshold of $100,000. Rather, he would be looking for trends that pointed to a common culprit—a group or a single hacker—responsible for a large number of cyberthefts. Then he’d shop the results to the various FBI field offices and, hopefully, hand off the investigation.

It was passive intelligence gathering, meticulous but unexciting. Mularski wasn’t in charge of the cases, and he never got the satisfaction of putting handcuffs on a bad guy. But for the first time in seven years, he could talk about his work with his wife over dinner.

Now he was back in the DC area for his first briefing on the carding scene. At the head of the room was Postal Inspector Greg Crabb, a solidly built man with world-weary eyes who worked in the post office’s international fraud unit. Crabb had stumbled upon the carding underground in 2002 while tracking a software counterfeiter with a sideline in credit card fraud. Since then, he’d been on the ground in twenty-five countries, working with local police to make busts and building a massive database of raw intelligence on the growing community: nicknames, IP addresses, instant messages, and e-mails of more than two thousand people. He’d become the government’s top expert on the scene, but the enormity of his crusade now threatened to overwhelm him. So he’d come to the FBI for help.
