Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground (27 page)

Between the
USA Today
article and his failed attempt to expose Master Splyntr, Max could feel the heat coming at him. In November, he declared Iceman’s retirement and made a show of handing control of the site to Th3C0rrupted0ne. He secluded himself while things cooled down and three weeks later took back the board under another handle. Iceman was dead; long live “Aphex.”

Max was getting tired of the tight quarters at the Post Street Towers, so Chris brought Nancy, one of his cashers, up to San Francisco to rent Max a one-bedroom at Archstone’s towering Fox Plaza corporate apartment complex in the financial district. She posed as a sales representative at Capital Solutions, a corporate front Aragon used to launder some of his income. Tea, back from her trip to Mongolia, was conscripted to sit in the apartment and accept delivery of a bed, paid for with her legitimate American Express card. Chris reimbursed her afterward.

By January 2007, Max was back in business at his new safe house, with a stew of Wi-Fi brewing outside. Fox Plaza was a giant step up in luxury
from the Post Street Towers, but Max could afford it—he could pay a month’s rent with a couple of good days of dumps vending. As Digits, Max was now regarded by some carders as the second-most-successful magstripe vendor in the world.

The number one spot was firmly occupied by a Ukrainian known as Maksik. Maksik operated outside the carding forums, running his own Web-based dispensary for his stolen cards at Maksik.cc. Buyers would begin by sending Maksik upfront money by e-gold, WebMoney, wire transfer, or Western Union. That would buy them access to his website, where they could select the dumps they wanted by BIN and type of card and place an order. On his end, Maksik would press a button to approve the transaction, and the buyer would get an e-mail with the dumps he’d ordered,
straight from Maksik’s massive database of stolen cards.

Maksik’s wares were phenomenal, with a high success rate at the register and a mammoth selection of BINs. Like Max’s, Maksik’s cards came from swipes at point-of-sale terminals. But instead of targeting scores of small stores and restaurants, Maksik got his cards from a smaller number of giant targets: Polo Ralph Lauren in 2004; Office Max in 2005. In three months, Discount Shoe Warehouse lost 1.4 million cards taken from 108 stores in 25 states—straight into Maksik’s database. In July 2005, a record-breaking 45.6 million dumps were stolen from the TJX-owned retail chains T. J. Maxx, Marshalls, and HomeGoods.

There was a time when such breaches might have remained a secret between the hackers, the companies, and federal law enforcement—with the victim consumers kept in the dark. To encourage companies to report breaches, some FBI agents had an unofficial policy of keeping company names out of indictments and press releases, protecting corporations from bad publicity over their shoddy security. In the 1997 Carlos Salgado Jr. case—the first large-scale online credit card heist—the government persuaded the sentencing judge to permanently seal the court transcripts, for fear the targeted company would suffer “loss of business due to the
perception by others that computer systems may be vulnerable.” Consequently, the eighty thousand victims were never notified that their names, addresses, and credit card numbers had been offered for sale on IRC.

In 2003, the state of California effectively ended such cover-ups when the legislature enacted SB1386, the nation’s first compulsory breach-disclosure law. The law requires hacked organizations doing business in the Golden State to promptly warn potential identity theft victims of a breach. In the years that followed, forty-five other states passed similar legislation. Now no significant breach of consumer data remains a secret for long, once detected by the company and the banks.

The headlines over the giant retail breaches only added luster to Maksik’s product—he didn’t try to hide the fact that he was vending the dumps from the retail chains. When the TJX attack made news in January 2007, the details that emerged also confirmed what many carders already suspected: the Ukrainian had a stateside hacker supplying him with dumps. Maksik was a middleman for a mystery hacker in the States.

In mid-2006, the hacker was apparently in Miami, where he parked at two TJX-owned Marshalls outlets and cracked the stores’ Wi-Fi encryption. From there, he hopped on the local network and swam upstream to the corporate headquarters, where he launched a packet sniffer to capture credit card transactions live from the Marshalls, T. J. Maxx, and HomeGoods stores around the country. The sniffer, an investigation would later find, ran undetected for seven months.

Max had a rival in America, and a damn good one.

Thanks in large part to Maksik’s hacker and Max Vision, the popular consumer impression that Web transactions were less secure than real-life purchases was now completely false. In 2007, the majority of compromised cards were stolen from brick-and-mortar retailers and restaurants. The large retail intrusions were compromising millions of cards at a time, but breaches at smaller merchants were far more common—Visa’s analysis found 83 percent of credit card breaches were at merchants processing one
million Visa transactions or less annually, with the majority of thefts taking place at restaurants.

Max tried to keep the sources of his dumps a secret, falsely claiming in his forum posts that the data came from credit card processing centers to throw investigators off track. But Visa knew that restaurant point-of-sale terminals were being hit hard. In November 2006, the company issued a bulletin to the food service industry warning about hack attacks unfolding through VNC and other remote-access software. Max, though, continued to find a steady stream of vulnerable eateries.

But for Max, it wasn’t enough. He hadn’t gone into the data-theft business to be second-best. Maksik was costing him money. Even Chris was now buying from both Maksik and Max, going with whichever vendor offered him a good deal on the best dumps.

At Max’s direction, Tea befriended the Ukrainian over the course of months and urged him to start vending on Carders Market. Maksik declined graciously and suggested she visit him sometime in Ukraine. Rebuffed, Max took the gloves off and got Tea to send Maksik a Trojan horse program, hoping to get control of the Ukranian’s database of dumps. Maksik laughed off the hacking attempt.

If he’d known, Max might have taken comfort in the fact that he wasn’t the only one frustrated by Maksik’s tight security.

Federal law enforcement had been tracking Maksik since his rise to infamy in the wake of Operation Firewall. An undercover Secret Service agent had been buying dumps from him. Postal Inspector Greg Crabb had worked with law enforcement in Europe to bust carders who’d done business with Maksik, and he shared the resulting information with the Ukrainian national police.
In early 2006, the Ukranians finally identified Maksik as one Maksym Yastremski, from Kharkov. But they didn’t have enough evidence to make an arrest.

The United States refocused on identifying Maksik’s hacking source. E-gold once again provided the entry point. The Secret Service analyzed
Maksik’s accounts in the e-gold database and found that between February and May 2006, Maksik had transferred $410,750 out of his account to “Segvec,” a Mazafaka dumps vendor generally thought to be in Eastern Europe. An outward transfer implied Segvec wasn’t one of Maksik’s customers but a supplier getting his cut.

The feds got a chance at more direct information in June 2006, when Maksik was vacationing in Dubai. Secret Service agents from San Diego worked with local police to execute a “sneak-and-peek” in his room, where
they secretly copied his hard drive for analysis. But it was a dead end. The sensitive material on the drive was all encrypted with a program called Pretty Good Privacy. It was good enough to stop the Secret Service in its tracks.

Carders like Maksik and Max were at the fore in embracing one of the unheralded gifts of the computer revolution: cryptography software so strong that, in theory, even the NSA couldn’t crack it.

In the 1990s the Justice Department and Louis Freeh’s FBI had tried hard to make such encryption illegal in the United States, fearing that it would be embraced by organized crime, pedophiles, terrorists, and hackers. It was a doomed effort. American mathematicians had decades before developed and published high-security encryption algorithms that rivaled the government’s own classified systems; the genie was out of the bottle. In 1991, a U.S. programmer and activist named Phil Zimmerman had released the free software Pretty Good Privacy, which was available on the Web.

But that didn’t stop law enforcement and intelligence officials from trying. In 1993, the Clinton administration began producing the so-called Clipper Chip, an NSA-developed encryption chip intended for use in computers and telephones and designed with a “key recovery” feature that would allow the government to crack the crypto on demand, with the proper legal authority. The chip was a dismal failure in the marketplace, and the project was dead by 1996.

Then lawmakers began swinging the opposite direction, talking about repealing Cold War–era export regulations that classified strong encryption as a “munition” generally prohibited from export. The regulations were forcing technology companies to keep strong crypto out of key Internet software, weakening online security; meanwhile, overseas companies weren’t bound by the laws and were in position to overtake America in the encryption market.

The feds responded with a draconian counterproposal that would have made it a five-year felony to sell any encryption software in America that lacked a back door for law enforcement and government spies. In testimony to a House subcommittee in 1997, a Justice Department lawyer warned that hackers would be a prime customer of legal encryption and used the Carlos Salgado bust to illustrate his point. Salgado had encrypted the CD-ROM containing the eighty thousand stolen credit card numbers. The FBI had only been able to access it because the hacker gave his supposed buyer the key.

“
We were lucky in this case, because Salgado’s purchaser was cooperating with the FBI,” the official testified. “But if we had discovered this case another way, law enforcement could not have penetrated the information on Salgado’s CD-ROM. Crimes like this one have serious implications for law enforcement’s ability to protect commercial data as well as personal privacy.”

But the feds lost the crypto wars, and by 2005 unbreakable crypto was widely available to anyone who wanted it. The predictions of doom had largely failed to materialize; most criminals weren’t tech-savvy enough to adopt encryption.

Max, though, was. If all his tradecraft failed and the feds crashed through his safe house door, they’d find everything he accumulated in his crimes, from credit card numbers to hacking code, scrambled with an Israeli-made encryption program called DriveCrypt—1,344-bit military-grade crypto he’d purchased for about $60.

The government would arrest him anyway, he expected, and demand
his passphrase. He would claim to have forgotten it. A federal judge somewhere would order him to disclose the secret key, and he’d refuse. He’d be held on contempt charges for maybe a year and then be released. Without his files, the government wouldn’t have any evidence of his real crimes.

Nothing had been left to chance—Max was certain. He was untouchable.

onathan Giannone, the Long Island carder Max and Chris had discovered as a teenager, was keeping a secret from everyone.

The same day Max had absorbed his competitors, Secret Service agents had arrested Giannone at his parents’ house for selling some of Max’s dumps to Brett Johnson, the Secret Service informant known as Gollumfun. Giannone was released on bail, but he told nobody about the bust. To him, it was just a bump in the road—how much trouble could he really get in for selling twenty-nine dumps?

The impression that he was facing a slap on the wrist was bolstered when the judge in South Carolina lifted his travel restrictions a month after his arrest. Giannone promptly flew into Oakland Airport on a carding run, and Tea picked him up and showed him around. They drove up and down the Pacific Coast Highway, and she bought him a pizza at Fat Slice on Berkeley’s Telegraph Avenue. She’d always found Giannone amusing—a boastful, curly-haired white kid with hip-hop sensibilities who’d once bragged that he’d beat up a member of the New York Jets at a local bar. Now, though, they had something in common: Chris had stopped talking to Giannone around the time of his arrest, while Tea, for her part, had been ordered to return to the Bay Area so she couldn’t make any more trouble with Chris’s relationships. Chris had exiled them both.

Chris called Tea while they were hanging out and was surprised to
hear that Giannone was in town. He had her put Giannone on the phone. “
So, you take my girls out to party now?” he demanded, angry that Giannone was forging a relationship with one of his people—perhaps courting her for a cashing crew of his own.

“No, I just happen to be here and I looked her up,” Giannone said a little defensively.

It would be Chris’s and Giannone’s last phone conversation. Giannone flew home. He kept in touch with Tea, and a few months later, he warned her that he might not be a good person to be associating with. He was pretty sure he’d been followed on his trip to the Bay Area.