Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground (23 page)

They would all know the name “Iceman.”

Max then went to work on the stolen membership data, ignoring, for now, the Eastern European carders. After culling the duplicates and undesirables from the four English-language sites, there were 4,500 new members for Carders Market. He rolled them all into his site’s database, so the carders could use their old nicknames and passwords to log in to their new home.
Carders Market had six thousand members now. It was larger than Shadowcrew had ever been.

He announced the forced merger in a mass e-mail to his new members. As the morning dawned in San Francisco, he watched them gather, confused and angry, on his consolidated crime forum. Matrix001, a German DarkMarket administrator, demanded an explanation for Iceman’s actions. A previously taciturn spam king named Master Splyntr spoke up to criticize the organization of the material Iceman had stolen from the other boards. The entire contents of the competing sites now lived in a new section of Carders Market called “Historical posts from merged forums.” They were unsorted and difficult to navigate; Max had found the sites’ content worthy of preserving but not of organizing.

Max watched the grumbling for a while, then stepped in and let everyone know who was in charge.

A Canadian hacker called Silo countered that Iceman had dissolved the social glue that held the carder community together. He’d violated their trust.

The Vouched came back online, but not for long—it was supposed to be a private, secure forum open only to a select few. When Max had broken its security, he’d shattered its credibility, and nobody bothered to return. TalkCash and ScandinavianCarding were doomed—they had no backups of the databases Max had destroyed. Their members mostly stayed on at Carders Market.

Aside from the Russian forums, which Max was having trouble assimilating because of the language barrier, there was just one black mark on Max’s triumph: DarkMarket. His chief competitor had backups and managed to crawl back to life within days. It was a slap in the face to everything Max was trying to achieve for himself and the community. The war had begun.

In Orange County, Chris was consolidating his end of the business too. He decided it would be convenient to have his full-time workers all living in the same place, and the Archstone chain of apartment complexes offered an Internet-based move-in process perfectly suited to his plans. Prospective tenants could fill out a lease on the company’s website and pay the easy $99 deposit and the first month’s rent with a credit card. Chris could handle everything online, and his people wouldn’t have to put in an appearance until move-in day, when they’d stop by the rental office to flash their fake ID and pick up the door key.

He moved two of his cashers, and Marcos, his pot connection, into the Archstone Mission Viejo, a labyrinth of McMansion-style apartments painted the colors of a sunset and clinging to a hill dotted with palm trees and high-tension lines alongside Interstate 5, ten minutes from his house. He was also looking to expand his crew. One girl had dropped out and moved to Toledo after her second in-store bust, and two others had quit in disgust when Chris impregnated his teenage girlfriend—he was now paying for an apartment for the young woman and their son, whose existence he kept
secret even from his mother.

At the NCFTA office in Pittsburgh, Keith Mularski, in his Master Splyntr guise, got a private message from Iceman himself two days after the hostile takeover. The hacker wanted to apologize for some of his hasty words on his forum.

Anticipating the next stage in the DarkMarket–Carders Market conflict, Iceman had boasted that he would easily defuse any DDoS attacks leveled against his site. But afterward, he Googled Master Splyntr and learned he was a world-class spammer with a botnet army. Iceman seemed loath to turn a mere critic into a full-blown enemy.

Mularski was beginning to see an opportunity in the upheaval gripping the underground. Nobody knew who to trust anymore; everyone was angry at everyone else. If he were to play both sides, he might make
inroads against the forum administrators as they grappled for allies in the brewing battle.

He was allowed three substantive contacts. He decided to use one of them to respond to Iceman.

Mularski watched his screen, waiting. A few minutes later, a response.

It was a promising response. Mularski talked things over with his supervisor, then applied to headquarters for Group II authority, the lesser of two tiers of undercover engagement available to the FBI but still a step up from his previous “passive observation only” mandate. The new latitude wouldn’t let him participate in crimes, but he would finally be permitted to actively engage with the underground. He named Carders Market, and everyone associated with running the site, as the investigation’s targets.

The approval came quickly. But despite his encouraging words, Iceman proved a slippery target; he kept Mularski at arm’s length, not confiding in him and only chatting through Carders Market’s internal messaging system. The FBI agent had better luck on the other side of the battlefield. He’d been an early member of DarkMarket, and now that he was interactive, the site’s founder, JiLsi, quickly identified Master Splyntr as management material. In early September, Splyntr was appointed as a moderator on the site.

The war was heating up. Despite the lessons of the August incursion, JiLsi couldn’t manage to completely lock down DarkMarket. Iceman began sneaking in regularly and deleting accounts at random, just to mess with JiLsi’s head. When DarkMarket retaliated with a fierce DDoS attack against Carders Market’s Iranian host, Iceman fired back with a DDoS of his own against DarkMarket. Both sites groaned under the weight of the junk packets. Iceman quietly set up service at a U.S. hosting company with the bandwidth to absorb the DDoS packets, cleaning the traffic before channeling it back to his real server over an encrypted VPN.

JiLsi was tearing his hair out, voicing his frustrations to Master Splyntr. Mularski shifted his focus away from Iceman and toward the British cybercrime boss who was starting to treat him like a friend. Tentatively, he suggested that JiLsi consider turning over DarkMarket to someone seasoned in setting up bulletproof hosting. Someone accustomed to running sites that everyone hates. A spammer.

Hey, you know my background, he wrote in a chat. I’m real good at setting up servers. I secure servers all the time. I could set this up for you.

Mularski was toying with an extraordinary plan. In the past, the Secret Service and FBI had both run admins as informants: Albert Gonzalez on Shadowcrew and Dave Thomas on the Grifters. But actually running a crime forum directly would provide access to everything from the carders’ IP addresses to their private communications, while giving Master Splyntr, as the site’s runner, more credibility in the underground than any agent could dream of.

JiLsi expressed interest in Master Splyntr’s offer, and Mularski braced himself for another trip to Washington, DC.

Max’s hostile takeover was about fixing the community, not personal profit. But his business in stolen magstripe data was stronger than ever
after the merger—he was earning a thousand dollars a day now selling dumps to carders around the world, in addition to the five to ten thousand a month he was still pulling in through his partnership with Chris.

Publicly, at FTC meetings and elsewhere, the credit card industry was doing its best to conceal the impact of the rampant magstripe theft happening worldwide. Credit leader Visa held up an
industry-funded report by Javelin Strategy and Research that claimed consumers, not companies, were the source of the vast majority of identity theft and credit card fraud cases: Some 63 percent of cases originated with consumers, primarily victims of lost or stolen wallets, followed by theft by trusted associates, stolen mail, and Dumpster diving.

The report was grossly misleading, only tallying cases in which the victim knew how his information had been stolen.
Visa’s private numbers told the real story. Stolen wallets hadn’t been the primary source of fraud since mid-2001, when credit card theft from e-commerce sites sent fraudulent “card not present” transactions—online and telephone purchases—rocketing up the chart, while every other category held steady.

In 2004, when stolen magstripe data became a massive underground commodity, losses to counterfeit cards followed the same stratospheric climb. In the first quarter of 2006, Chris Aragon–style counterfeiting edged out card-not-present fraud for the first time, topping $125 million in quarterly losses to Visa’s member banks alone.

Nearly all those losses began with a price list like Max’s. As Digits, Max accumulated page after page of positive reviews on Carders Market and a reputation for square dealing. It was a point of pride with Max—and a sign of the moral compartmentalization he’d practiced since childhood. Max would happily hack a carder and copy his entire hard drive, but if a customer paid him for information, Max wouldn’t even consider shortchanging him.

His generosity, too, was well known. If Max had dumps that were about to expire, he’d give them away for free rather than let them go to waste. Together, his exemplary business practices and the quality of his
product made Max one of the top five dumps vendors in the world, in a market traditionally dominated by Eastern European sellers.

Max was cautious with his vending. By refusing to sell dumps by BIN—bank identification number—he made it tough for the feds to identify his breaches: The government couldn’t just buy twenty dumps sourced to a single financial institution and ask that bank to look for a common purchase point in its transaction records. Instead, a batch of twenty cards could belong to twenty different banks. They’d all have to cooperate with one another to nail down the source.