Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground
Authors: Kevin Poulsen
In the ladies’ room, Tsengeltsetseg Tsetsendelger was being kissed. Tipsy from a night out, the young Mongolian immigrant wasn’t sure how it happened, or why, but a pretty five-foot-four girl with tumbling brown hair had decided to kiss her. Then Tsengeltsetseg blinked. There was another, identical woman beside her.
Michelle and Liz introduced themselves, and a wide, unaffected pumpkin smile crept onto Tsengeltsetseg’s face. She told the Esquere twins that they could call her “Tea.”
Tea was a regular at Russian Night and fluent in both Russian and English. Born in northern Mongolia at a time when the country was still under Soviet influence, she’d learned Russian in school—until the Soviet empire collapsed and Mongolia’s prime minister declared English the landlocked nation’s official second language.
Looking for adventure and the proverbial better way of life, she won a student visa and emigrated to the United States in 2001. Her first thought upon landing at Los Angeles International Airport that summer was that Americans were awfully fat, but when she got out into the city she was more impressed; she enjoyed beautiful people, and L.A. was filled with them.
After one semester at a community college in Torrance, she moved to the Bay Area and got her green card. Now she was attending classes at Peralta College in Oakland, paying her rent and tuition by dishing ice cream at Fenton’s Creamery.
Liz seemed strangely delighted to learn that Tea spoke Russian. The twins bought her a drink and then suggested they continue the party with some friends at their hotel four blocks away. It was after midnight when they got to Chris Aragon’s suite at the luxe Clift Hotel near Union Square. Chris was relaxing there; Tea was struck at once by how handsome he was. He seemed interested in her as well, particularly after the twins mentioned that Tea knew Russian. Joined by two of Chris’s female employees, they opened some booze and hung out until the small hours of the morning, when the girls all left to go to their own rooms and Tea crashed in Chris’s for the night.
She was still shaking off sleep the next morning when the room became a hive of activity. Liz and a handful of other attractive young women—all alert and cleanly scrubbed after their night of partying—began popping in and out, receiving envelopes and cryptic instructions from Chris.
*
They came and went all day, picking up more envelopes, dropping off department store shopping bags, sometimes lingering for a time before departing again. The party atmosphere hung in the air, but there was a nervous, excited edge to it now that made Tea curious—but not so curious as to pry.
When the sun had set and the gang had gathered back at the suite, Tea said her good-byes; she had to go home to the East Bay, to be at work at the ice-cream parlor in the morning.
Chris had a better idea. He was starting a website with a business partner—“Sam”—and they happened to be in need of a full-time Russian translator. It would pay better than spooning out Coffee Cookie Dream to yuppies all day.
“Don’t go,” said Liz. “You’ll make more money with us.”
Tea looked over her pretty new friends. They reminded her of the New Russians who had emerged following the collapse of the Soviet regime, flush with suspiciously acquired wealth, consuming with more hunger than taste.
She liked Chris, though—he seemed different. And an Internet translating job would grant her the freedom and flexibility to focus on her college studies. She said yes.
The next day, Chris packed up his team for the next leg in their travels, a road trip to Vegas. Tea, he said, should meet them there for more fun. He told her to get a Yahoo! e-mail account, and he’d send her flight information once they’d arrived.
Back in her apartment, the whole adventure felt like a strange dream. But the next day, Tea had a confirmation number for her prepaid flight to Las Vegas in her Yahoo! in-box. She packed a bag and headed to the airport.
Chris relocated Tea to his own neighborhood and paid for her to rent an apartment in her real name in Dana Point, a coastal town in southern Orange County. At the end of a quiet, winding cul-de-sac, painted an Umbrian orange with Spanish tiles combing the roof, the “Tea House,” as he dubbed it, was a world away from the Mongolian city where Tea grew up.
They made love on her new bed, and afterward, Chris left $40 on the nightstand so she could get her nails done. Tea’s feelings were hurt. She wasn’t a hooker. She was falling in love.
Chris and his team moved his card-printing gear from Villa Siena into the Dana Point apartment’s attached garage—the Tea House would be his new plant and party house, as well as the base of operations for Tea’s twenty-four-hour-a-day job on Carders Market. Her task would be to haunt the Eastern European carder forums, like Mazafaka and Cardingworld, and summarize what was happening there for the Russian section of Carders Market.
She’d need a “nick,” Chris explained, a handle or nickname for her online alter-ego. She decided on “Alenka,” the name of a Russian candy.
Alenka went to work at once, glued to the monitor at the Tea House day and night, doing her best to lure the high-powered Russians onto the site run by Chris and “Sam,” the Whiz.
* Liz was one of Chris Aragon’s cashers, but there’s no evidence that her sister Michelle was involved.
Taking up one floor of a lime-green office building on the bank of the Monongahela River, the National Cyber Forensics and Training Alliance was far removed from the cloistered secrecy of Washington’s intelligence community, where Mularski had cut his teeth. Here, dozens of security experts from banks and technology companies worked alongside students from nearby Carnegie Mellon University in a cluster of neat cubicles, surrounded by a ring of offices that followed the smoked-glass walls around the building. With Aeron chairs and dry-erase boards, the office had the feel of one of the technology companies that provided the NCFTA with the bulk of its funds. The FBI had made a few changes before moving in, transforming one office into an electronic communications room, packed with government-approved computer and crypto gear to securely communicate with Washington.
In his office, Mularski looked over a “linkchart” Crabb, the postal inspector, had e-mailed him—a massive organization schematic showing the disparate connections among 125 hard targets in the underground. Mularski realized he’d been going about it all wrong by waiting for a crime, then working to track it back to the culprit. The criminals weren’t hiding at all. They were advertising their services on the forums. That made them vulnerable, in the same way the New York and Chicago Mafia’s rituals and strict hierarchy had given the FBI a roadmap to crack down on the mob decades before.
All he had to do now was join the carders.
He selected a forum from a list provided by Crabb and clicked on the account registration link. Under Justice Department regulations, Mularski could infiltrate the forums without approval from Washington, provided he observed strict limits on his activities. To maintain his cover, he could post messages to the forum bulletin boards, but he couldn’t engage anyone directly; he would be permitted no more than three “substantive contacts” with any other forum member. Participating in crimes, or making controlled buys from a vendor, was out of the question. It could be an intelligence-gathering operation only; he would be a sponge, soaking up information about his adversaries.
As soon as he connected, he was confronted with his first important strategic decision: What would his hacker handle be? Mularski went with his gut. Inspired by the Saturday morning cartoon Teenage Mutant Ninja Turtles, the agent settled on the moniker of the sewer-dwelling karate champs’ rodent sensei, a biped rat called Master Splinter. For uniqueness, and a hackerish timbre, he spelled his surname without major vowels.
So in July 2005, Master Splyntr signed up for his first crime forum, CarderPortal, laughing to himself over the poetry in assuming the name of an underground rat.
Mularski was soon playing the carder forums like a chessboard, drawing on the NCFTA’s stream of scam data for his opening moves.
The center was plugged directly into the antifraud efforts at banks and e-commerce sites, so when a new criminal innovation showed up, Mularski knew about it. He posted about the schemes on CarderPortal, portraying them as his own inventions. The experienced crooks marveled at the newcomer who’d independently reinvented their newest tricks. And when the scams eventually became public in the press, the newbies remembered they’d heard it first from Master Splyntr.
In the meantime, the FBI agent was soaking up the history of the forums while honing his prose to affect the cynical, profanity-laced style of the underground.
After a few months, Mularski faced the first challenge to his intelligence-gathering operation. The initial crop of forums that grew from the detritus of Shadowcrew had been wide open to new members—spooked by Operation Firewall, many scammers had adopted new handles, and without reputations to trade on there’d been no way for carders to vet one another. Now that was changing. A new breed of “vouched” forums was emerging. The only way to get on them was to win the sponsorship of two existing members. Constrained by the Justice Department’s guidelines, Mularski had deliberately avoided forming direct relationships in the underground. Who would vouch for him?
Borrowing a page from a Robert Ludlum novel, Mularski decided Master Splyntr needed a background legend that could propel him into the new crime boards. His thoughts turned to a Europe-based antispam organization called Spamhaus that he’d worked with as part of previous FBI initiatives.
Founded in 1998 by a former musician, Spamhaus charts the ever-changing lineup of Internet addresses spewing garbage into consumers’ in-boxes; its database of spam sources is used by two-thirds of the world’s ISPs as a blacklist. Of more interest to Mularski was the organization’s public most-wanted list of notorious spammers. Peopled by the likes of Alan “Spam King” Ralsky and the Russian Leo “BadCow” Kuvayev, the Registry of Known Spam Operations, or ROKSO, is second only to a federal grand jury indictment on the list of places an Internet scammer doesn’t want to see his name.
Mularski phoned up founder Steve Linford in Monaco to explain his scheme: He wanted to be on ROKSO—or, at least, he wanted Master Splyntr there. Linford agreed, and Mularski went to work crafting his background story. The best lies hew to the truth, so Mularski decided to make Splyntr a Polish spammer. Mularski was descended on his father’s side from Polish immigrants—his bureau-issue button-down concealed a tattoo on his left arm of the Orzel Bialy, the white eagle with golden beak and talons that adorns Poland’s coat of arms. Mularski would locate Master Splyntr in Warsaw; he’d visited Poland’s capital and could roughly describe its landmarks if pressed.
In August, the ROKSO listing went live, for the first time stapling a “real” name to Mularski’s cartoon-inspired alter ego.
Pavel Kaminski aka “Master Splyntr” runs a loosely organized spam and scam crew from Eastern Europe. Possibly a BadCow affiliate. He is linked to: proxy spam; phishing; pump’n’dump; javascript exploits; carder forums; botnets.
The profile included samples of scammy spam messages supposedly sent out by “Pavel Kaminski,” handcrafted by Spamhaus, and an analysis of his hosting arrangements.
Now the carders who Googled Master Splyntr could see for themselves that he was the real deal, a bona fide Eastern European cybercrook with sticky fingers in a lot of pies. When Mularski logged on to CarderPortal, he found business proposals waiting in his in-box from crooks hoping to partner with him. Still not allowed to engage any suspects, he blew them off sneeringly.
You’re not much of a player, he’d write back. I don’t want to deal with you because I’m a professional and you’re obviously a newbie at this. To rebuff upper-echelon scammers, he challenged their pocketbooks: You don’t have enough money to invest in what I’m doing.
Like an unattainable girl on prom night, Master Splyntr’s aloofness only made him more attractive. When a new site called the International Association for the Advancement of Criminal Activity launched as a closed forum, he posted a simple note—Hey, I need a vouch—and two existing members spoke up for him solely on the strength of his reputation.
He was vouched on Theft Services next, then CardersArmy. In November 2005, he was one of the first members invited to a brand-new forum called Darkmarket.ws.
A few months later, another, competing site got big enough to cross his radar, and Master Splyntr joined Cardersmarket.com.
Jonathan Giannone was learning that loss of privacy was the cost of doing business with Iceman.