Read Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground Online
Authors: Kevin Poulsen
Tags: #Technology & Engineering, #Computer hackers, #Commercial criminals - United States, #Commercial criminals, #Social Science, #True Crime, #Computers, #General, #United States, #Criminals & Outlaws, #Computer crimes, #Butler; Max, #Case studies, #Computer crimes - United States, #Biography & Autobiography, #Computer hackers - United States, #Security, #Engineering (General), #Criminology
Then he spun and attacked. The doubt Iceman had sown about JiLsi worked to his advantage. Things were going crazy, he wrote. JiLsi had been acting suspiciously. For one thing, he’d instructed Master Splyntr not to tell anyone that he was running the server. And while JiLsi cultivated the impression that DarkMarket was hosted in a country out of reach of western law enforcement, he was actually hosting it in Tampa, Florida, where the feds could just waltz in any time and serve a search warrant. It was odd behavior indeed.
JiLsi protested his innocence, but it was looking bad for him. Master Splyntr publicly thanked Iceman for bringing the matter to his attention and said he’d move DarkMarket out of the United States at once.
Mularski reached out to law enforcement contacts in Ukraine, and they helped him quickly get hosting there. In the blink of an eye, DarkMarket was in Eastern Europe. Most of the carders had to agree that no fed would move a sting site to a former Soviet state.
There was no formal verdict, but a consensus formed that Master Splyntr was innocent. They weren’t too sure about JiLsi.
When the controversy subsided, Mularski returned to the routine business of running his undercover operation. He was at his desk filling out reports a couple of weeks later when he got a call from another agent.
Special Agent Michael Schuler was a legend among the bureau’s cybercrime agents. It was he who’d hacked into the Russians’ computers in the Invita sting. Now stationed in the Richmond, Virginia, field office, Schuler was calling about a breach at nearby Capital One. The bank’s security officials had detected an attack using an Internet Explorer exploit. They’d sent Schuler a copy of the code, and he wanted Mularski to get one of the NCFTA’s geeks to take a look at it.
Mularski listened as Schuler described his investigation to date. He’d focused on the fake news website, Financialedgenews.com, used to deliver the malware. The domain was registered to a false identity in Georgia. But when the registrar, Go Daddy, checked its records, it found the same user had once registered another address through the company.
Cardersmarket.com.
Mularski recognized the significance at once. Iceman positioned himself as the innocent operator of a website that happened to discuss illegal activity. Now Schuler had evidence that he was also a profit-oriented hacker, one who’d broken into the network of the fifth-largest credit card issuer in America. “Dude, you got the case!” Mularski laughed. “You got the case right now on the guy we were just trying to target on our Group II. We’ve got to work together on this.”
Across town, Secret Service agents at the Pittsburgh field office had made a discovery of their own about Iceman: An informant tipped them off that Carders Market’s kingpin had a second identity as the dumps vendor Digits. Four days after the USA Today article, the agents exploited that knowledge by having a second snitch make a controlled buy from Digits: twenty-three dumps for $480 in e-gold.
It was more than they needed for a felony charge.
Keith Mularski hadn’t known what he was in for when he took over DarkMarket.
His days were crazy now. He’d start at eight in the morning, logging in to his undercover computer at the office and checking for overnight ICQ messages—any urgent business for Master Splyntr. Then he’d hit DarkMarket and make sure it was up and running. It was always hit-or-miss with Iceman on the loose.
Next came the drudgery of backing up the SQL database. Iceman had somehow dropped the tables twice since his failed attempt to expose Mularski, so now the backups were a part of Mularski’s morning routine. They served an investigative function as well: While the database was being copied, a simple script authored by an NCFTA coder scanned every line for sixteen-digit numbers beginning with the numerals 3 through 6. The stolen credit card numbers would be automatically sorted by BIN and sent to the proper banks for immediate cancellation.
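The scan described above is simple enough to reconstruct. What follows is an added example written for this page, not the NCFTA coder's script: it walks lines of a SQL dump, pulls out contiguous sixteen-digit numbers whose first digit is 3 through 6, and groups the hits by BIN (the first six digits) so each bank's batch can be handed off. One thing the book does not mention that a practitioner would add is a Luhn check, which drops most false positives (timestamps, ICQ numbers, order IDs) before anything reaches a bank. The dump lines and card numbers are constructed test values, and the table, column and handle names in them are invented.

```python
import re
from collections import defaultdict

# Constructed sample of SQL dump lines; the table names, handles and
# messages are invented, and the card numbers are well-known test PANs.
SAMPLE_DUMP_LINES = [
    "INSERT INTO `pm` VALUES (101,'vendor_a','buyer1','20 vclassics 4111111111111111 sent, 5500000000000004 pending');",
    "INSERT INTO `pm` VALUES (102,'vendor_b','buyer2','paid 601100 0000000004 ok, also 6011000000000004');",
    "INSERT INTO `pm` VALUES (103,'joe','bob','my icq is 7000000000000001, card 4111111111111112 bad?');",
    "INSERT INTO `users` VALUES (7,'ling','2006-11-02 14:22:01','3530111333300000');",
]

# Sixteen contiguous digits, first digit 3-6, not embedded in a longer run
# of digits (so a 17-digit order ID is not mistaken for a card number).
CARD_RE = re.compile(r"(?<!\d)[3-6]\d{15}(?!\d)")


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Every second digit from the right is doubled; doubled values above 9
    have 9 subtracted. The number is valid when the sum is a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_dump(lines):
    """Find candidate card numbers in dump lines and bucket them by BIN.

    Returns a dict mapping the six-digit BIN to a sorted list of distinct
    PANs that matched the pattern and passed the Luhn check.
    """
    by_bin = defaultdict(set)
    for line in lines:
        for match in CARD_RE.finditer(line):
            pan = match.group(0)
            if luhn_ok(pan):
                by_bin[pan[:6]].add(pan)
    return {bin_: sorted(pans) for bin_, pans in by_bin.items()}


def mask(pan: str) -> str:
    """Keep BIN and last four for logging; never log the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    # On a real run you would iterate over the dump file instead:
    #   with open("darkmarket.sql", encoding="utf-8", errors="replace") as f:
    #       hits = scan_dump(f)
    hits = scan_dump(SAMPLE_DUMP_LINES)
    for bin_, pans in sorted(hits.items()):
        print(bin_, [mask(p) for p in pans])
```

Note that the pattern only finds contiguous digits, so the split "601100 0000000004" on the second line is deliberately not matched, and 4111111111111112 is dropped by the Luhn check even though it fits the pattern. A production version would also want to handle dumps where the PAN is split across track data or stored with separators.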
Next, Mularski had to review all the private messages, pick out the interesting chats, and check them into the FBI’s central ELSUR electronic surveillance database. An hour or two of report writing followed. As Master Splyntr, Mularski had begun his own modest cash-out operation. Some banks had agreed to issue him disposable dumps as bait, with fake names but real lines of credit that the FBI would cover out of its investigative budget. Mularski handed them out with PINs to carders around the country, while the financial institutions reported back daily on where and when each withdrawal took place. Mularski had to pass the information to the local agents in whatever city his cashers were operating from, which meant writing up a detailed memo each time.
At three, when the carders came online in force, Mularski’s second life shifted into high gear. Everyone wanted something from Master Splyntr. There were disputes to settle, like a dumps vendor complaining that his ad wasn’t displayed as prominently as a competitor’s, or a vendor facing accusations of ripping off a customer. Beggars approached him asking for free dumps or spamming services.
Mularski went home at the end of the day, only to log on again. Keeping his credibility as Master Splyntr meant he had to work the same hours as a real carder, so every night saw Mularski on the sofa at home, the television turned to whatever was on, his laptop open and online. He was on DarkMarket, and AIM, and ICQ, answering questions, assigning reviewers, approving vendors, and banning rippers. He stayed online and in character until two in the morning, nearly every day, dealing with the underground.
To ingratiate himself to his primary targets, he’d give them gifts or sell them discounted merchandise, supposedly purchased with stolen credit cards but actually paid for by the bureau. Cha0, a Turkish crime boss and DarkMarket admin, coveted an $800 lightweight PC sold in the States, so Mularski shipped two of them off to Cha0’s drop address in Turkey. Playing Santa Claus was in his job description now: He had to appear to be running ops and making money, and he sure as hell wasn’t going to spam anyone.
Being a cybercrime boss, he was discovering, was hard work.
When he traveled or vacationed, he had to let the forum know in advance—even a brief unexplained absence would invite suspicion that he’d been busted and turned. In January 2007, he let the board know that he’d be on a plane for a while. He didn’t say where or why. He was going to Germany to talk with prosecutors about DarkMarket’s cofounder Matrix001.
Among other things, Matrix001 was DarkMarket’s resident artist par excellence. He created and sold Photoshop templates used by forgers to produce credit cards or fake ID. He had them all: Visa, MasterCard, American Express, Discover, the U.S. Social Security card, notary seals, and driver’s licenses for several states. His template for an American passport sold for $45. A Bank One Visa was $125.
Matrix001 and Master Splyntr had grown tight since the attempted exposé three months earlier: Mularski and the German both liked video games, and they chatted about the latest titles well into the night. They talked business, too, and Matrix001 had confided that he received wire transfers for some of his sales in the town of Eislingen in southern Germany. That was the first clue to tracking him down.
From there, it was a matter of following the money. Like virtually all carders, Matrix preferred to be paid by e-gold, an electronic payment system created by a former Florida oncologist named Douglas Jackson in 1996. A competitor to PayPal, e-gold was the first virtual currency backed by deposits of actual gold and silver bullion held in bank vaults in London and Dubai.
It had been Jackson’s dream to forge a true international monetary system independent of any government. Criminals loved it. Unlike a real bank, e-gold took no measures to verify the identity of its users—account holders included “Mickey Mouse” and “No Name.” To get money in or out of e-gold, users availed themselves of any of hundreds of independent e-gold exchangers around the world, businesses that would accept bank transfers, anonymous money orders, or even cash in hand and convert it to e-gold for a cut. Exchangers took another slice when a user wanted to convert in the other direction, changing the virtual money into the local currency or receiving it by Western Union, PayPal, or wire transfer. One company even offered a preloaded ATM card—the “G-Card”—that would let account holders withdraw their e-gold from any cash machine.
By all evidence, criminals were e-gold’s bread and butter. By December 2005, the company’s internal investigations had identified more than three thousand accounts involved in carding, another three thousand used for buying and selling child porn, and thirteen thousand accounts linked to various investment scams. They were easy enough to spot: the “memo” field in child porn transactions would read, for example, “Lolita”; in Ponzi schemes, “HYIP,” for “high-yield investment program.” Carders included shorthand descriptions of what they were buying: “For 3 IDs”; “for dumps”; “10 classics”; “Fame’s dumps”; “10 M/C”; “one plat and six classics”; “20 vclassics”; “18 ssns”; “10 AZIDs”; “4 v classics”; “four cvv2s”; “for 150 classics.”
For a long time, e-gold largely turned a blind eye to the criminal trade; employees locked down some accounts used by child porn sellers but didn’t stop them from transferring out their money. But the company’s attitude changed dramatically in December 2005, when FBI and Secret Service agents executed a search warrant at e-gold’s Melbourne, Florida, offices and accused Jackson of running an unlicensed money transfer service.
Jackson began voluntarily searching his database for signs of criminality and sending tips to the only agency that wasn’t trying to put him in jail, the U.S. Postal Inspection Service. His newfound commitment to law and order was a boon to Mularski. Through Greg Crabb and his team at the post office, Mularski asked Jackson for information about Matrix001’s e-gold account, which was under the alias “Ling Ching.” When Jackson looked in his database, he found that the account had originally been set up under another name: Markus Kellerer, with a street address in Eislingen. In November, Mularski sent a formal request for assistance to the German national police through the U.S. consulate in Frankfurt. The police confirmed that Kellerer was a real person and not just another alias, and Mularski booked his flight to Stuttgart.
Matrix001 would be the first arrest from the DarkMarket sting. Mularski would have to find someone else to chat with about video games.
• • •
Once he was back in Pittsburgh, Mularski began working a new, farfetched theory about Iceman. He’d been running down every “Iceman” he could find—there’d been an Iceman on Shadowcrew and others on IRC. They always turned out to be red herrings. Now Mularski was toying with the idea that his Iceman didn’t really exist.
It was Iceman’s supposed collaboration with the Canadian informant Lloyd “Silo” Liske that intrigued him. Silo had worked with Iceman to try to expose Mularski. That, in itself, didn’t mean much—informants often call out suspected cops and snitches to deflect suspicion from themselves. But Silo had told his handler at the Vancouver Police Department that he’d hacked Iceman’s computer, yet when push came to shove, he couldn’t produce Iceman’s real name or even a good Internet IP address. And it turned out that Silo had dozens of e-gold accounts—one of them under the name “Keyser Söze.”
If Liske was a fan of The Usual Suspects, it might occur to him to create a phantom criminal mastermind and then feed law enforcement false information about the supposed kingpin in his role as an informant.
Mularski flew to Washington and presented his theory to the Secret Service at their headquarters. It was shot down at once.
They were working closely with Silo’s handler at the Vancouver Police Department, and they knew Silo as one of the good guys.
The Secret Service had run down some false leads themselves. In a lab in the Pittsburgh field office, the agents had a whiteboard scrawled with handles and names connected by squiggles and lines. Many of the names were crossed out. It was their ever-changing road map to Iceman and his world.
Mularski returned to Pittsburgh, and both agencies resumed their search for the real Keyser Söze of the cyberworld—the elusive hacking kingpin Iceman.
Max could see what was coming. With an FBI agent at the helm, DarkMarket was going to put a lot of carders in prison. But like Cassandra from Greek mythology, he was cursed to know the future and have nobody believe him.