Read Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground Online
Authors: Kevin Poulsen
Tags: #Technology & Engineering, #Computer hackers, #Commercial criminals - United States, #Commercial criminals, #Social Science, #True Crime, #Computers, #General, #United States, #Criminals & Outlaws, #Computer crimes, #Butler; Max, #Case studies, #Computer crimes - United States, #Biography & Autobiography, #Computer hackers - United States, #Security, #Engineering (General), #Criminology
Two weeks earlier, a female Secret Service agent disguised as a maid had ridden up the elevator with Max and watched him unlock apartment 409. The apartment number was the last piece of data they’d needed.
There was just one more stop before they’d move in: the Orange County Central Men’s Jail, a grim lockup in the flat, sun-baked center of Santa Ana, California. McKenzie and federal prosecutor Luke Dembosky were shown to an interview room to meet Chris Aragon.
Chris was the last holdout in the Orange County crew. Clara and six members of his crew were headed to plea deals that would ultimately net them from six months to seven years in prison. Clara would get two years and eight months. Chris’s mother was looking after the two boys.
Once the introductions were made, McKenzie and Dembosky got down to business. They couldn’t do anything about Chris’s state case, but if he cooperated, he’d have a nice letter in his file from the U.S. government attesting that he’d helped in a major federal prosecution. That could sway the judge at sentencing time. It was all they could do.
McKenzie produced a photo lineup and asked Chris if anyone looked familiar.
Chris’s situation was grim. With his bank robberies and drug-smuggling convictions, he was eligible for California’s tough three-strikes law. That meant a mandatory twenty-five-to-life.
Chris picked out Max’s mugshot from the photos. And then he told the feds the story of Max Vision’s drift to the dark side.
• • •
On Wednesday, September 5, 2007, Max dropped Charity at the post office on an errand and directed his cab driver downtown to the CompUSA store on Market Street. He picked up a new fan for his CPU, walked to his apartment, stripped down, and crashed out on his bed amid a tangle of unfolded laundry. He settled into a deep slumber.
Max had stopped hacking, but he was still disentwining himself from his double life—after five years, he had a lot of relationships and ventures that he couldn’t just sever overnight.
He slept right through the knock at his door at about two p.m. Then the door flew open, and a half-dozen agents rushed into the room, guns drawn, shouting orders. Max bolted upright and screamed.
“Put your hands where I can see them!” an agent yelled. “Lay down!” The agent was positioned between Max and his computers. Max had often thought that, in a raid, he might be able to pull the plug on his server, making his already formidable cyberdefenses completely bulletproof. Now that it was really happening, he realized that diving for his machines wasn’t an option, unless he wanted to be shot.
Max recovered his composure. Unplugged or not, his machines were locked down, and his encryption was rock solid. He managed to relax a little as the agents let him get dressed, then walked him down the hall in handcuffs.
On the way, they passed a three-man team who’d been waiting for the Secret Service to secure the safe house. They weren’t feds; they were from Carnegie Mellon University’s Computer Emergency Response Team, and they were there to bust Max’s crypto.
It was the first time CERT had been invited to a raid—but the circumstances were special. Chris Aragon had employed the same DriveCrypt whole-disk-encryption software that Max used, and neither the Secret Service nor CERT had been able to recover anything from the drive.
Full-disk encryption keeps the entire hard drive encrypted at all times: all the files, the file names, the operating system, the software, the directory structure—any clue to what the user has been doing. Without the decryption key, the disk might as well have been a Frisbee.
The key to cracking a full-disk encryption program is to get at it while it’s still running on the computer. At that point, the disk is still fully encrypted, but the decryption key is stored in RAM, to allow the software to decrypt and encrypt the data from the hard drive on the fly.
The knock on Max’s door had been intended to draw Max away from his machines; if he’d shut them down before the Secret Service got the cuffs on, there wouldn’t have been much CERT could do—the contents of the RAM would have evaporated. But Max had been caught napping, and his servers were still running.
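The two paragraphs above describe the whole reason CERT wanted the machines still powered on: a whole-disk encryption driver has to keep its working key in RAM, and a key in RAM has a recognizable shape. The example below is an added illustration, not from the book and not whatever tooling CERT actually carried into the apartment (the page names neither the cipher DriveCrypt used nor CERT's software). It assumes AES-128 and implements the standard forensic idea of scanning a memory image for a 16-byte window that is immediately followed by its own expanded key schedule, which is what an AES implementation keeps in memory for speed. The "dump" is a constructed buffer with a key schedule planted in it, plus a decoy copy of the raw key without a schedule, so the scan has something to find and something to reject.

```python
import random

# --- AES building blocks (AES-128 key schedule per FIPS-197) ---

def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _build_sbox():
    """Derive the AES S-box (multiplicative inverse in GF(2^8), then the affine map)."""
    sbox = [0] * 256
    for x in range(256):
        inv = 0
        if x:
            inv = next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()

def _next_round_key(prev, rcon):
    """Compute round key r from round key r-1 (one four-word AES-128 expansion step)."""
    w = [list(prev[i:i + 4]) for i in range(0, 16, 4)]
    temp = [SBOX[b] for b in w[3][1:] + w[3][:1]]   # RotWord, then SubWord
    temp[0] ^= rcon
    out = []
    for j in range(4):
        temp = [w[j][k] ^ temp[k] for k in range(4)]
        out.extend(temp)
    return bytes(out)

def expand_key(key):
    """Full 176-byte AES-128 key schedule (the key followed by ten round keys)."""
    rk = bytes(key)
    schedule = rk
    rcon = 1
    for _ in range(10):
        rk = _next_round_key(rk, rcon)
        schedule += rk
        rcon = _gf_mul(rcon, 2)
    return schedule

# --- the forensic scan over a memory image ---

def find_aes128_keys(dump):
    """Return (offset, key) for every 16-byte window whose AES-128 key schedule
    immediately follows it. Random bytes never satisfy all ten rounds, so a hit
    is almost certainly a live key that an encryption driver left in RAM."""
    hits = []
    for off in range(len(dump) - 176 + 1):
        rk = dump[off:off + 16]
        rcon = 1
        for r in range(1, 11):
            rk = _next_round_key(rk, rcon)
            rcon = _gf_mul(rcon, 2)
            if dump[off + 16 * r: off + 16 * (r + 1)] != rk:
                break          # this round does not match: not a key schedule
        else:
            hits.append((off, bytes(dump[off:off + 16])))
    return hits

# --- constructed sample input (not a real capture) ---

SAMPLE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 sample key
KEY_OFFSET = 1000

def build_sample_dump():
    """Stand-in for a RAM capture: pseudo-random filler, the expanded key schedule
    planted at KEY_OFFSET, and a decoy copy of the bare key (no schedule) at 3000."""
    rng = random.Random(2024)
    buf = bytearray(rng.getrandbits(8) for _ in range(4096))
    buf[KEY_OFFSET:KEY_OFFSET + 176] = expand_key(SAMPLE_KEY)
    buf[3000:3016] = SAMPLE_KEY
    return bytes(buf)

SAMPLE_DUMP = build_sample_dump()

if __name__ == "__main__":
    for off, key in find_aes128_keys(SAMPLE_DUMP):
        print(f"AES-128 key schedule at offset {off}: key = {key.hex()}")
```

The scan bails out on the first round key that fails to match, so on a real image almost every offset costs one round computation; the decoy at offset 3000 is rejected for exactly that reason. The defensive lesson is the one the book draws: the protection of full-disk encryption is only as good as the machine's power state, so a system that must stay running should evict keys on lock or hibernate, and a seized or stolen machine that is powered down gives an examiner nothing to scan.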
CERT had spent the last two weeks gaming out different scenarios for what they might encounter in Max’s safe house. Now the team leader looked over the setup: Max’s server was wired to half a dozen hard drives. Two had lost power when an agent tripped over an electrical cable snaking across the floor, but the server itself was still running, and that was what mattered.
While Secret Service flashbulbs bounced off the walls of Max’s cluttered apartment, the forensics experts moved to the machines and began their work, using memory-acquisition software they’d brought with them to suck down the live data from the RAM onto an external storage device.
Down the hall, Max cooled his heels in the feds’ apartment. Two agents watched over him. Max would be questioned later—for now, the agents were just babysitting, chatting with one another. The Secret Service agent was from the local San Francisco field office; he asked his FBI counterpart where he worked.
“I’m from Pittsburgh,” Keith Mularski answered.
Max’s head snapped to look at Master Splyntr. There was no doubt who had won the carder war.
The Secret Service agents exulted over the bust. “I’ve been dreaming about you,” agent Melissa McKenzie said as she drove Max to the field office. On seeing his raised eyebrow, she added, “I mean about Iceman. Not you personally.”
Two of the local agents were dispatched to Charity’s house. They told her what happened and took her downtown to say good-bye to Max.
“I’m sorry,” he told her when she walked in. “You were right.”
Max talked to the agents at the field office for a while, trying to feel them out for what they knew and gauge how much trouble he was in. Some of them seemed surprised at his politeness—his sheer likability. Max wasn’t what they expected from the cold, calculating kingpin they’d been tracking for a year.
On the drive to jail, McKenzie finally voiced her puzzlement. You seem like a nice guy, she said, and that’s going to help you. “But I have this one question for you.… Why do you hate us?”
Max was speechless. He never hated the Secret Service, or the FBI, or even the informants on Carders Market. Iceman did. But Iceman was never real; he was a guise, a personality Max slipped on like a suit when he was in cyberspace.
Max Vision never hated anyone in his life.
The Hungry Programmers were the first to hear the news that Max had been arrested again. Tim Spencer offered to sign for Max’s bail bond. For collateral, he had twenty acres of land in Idaho that he’d bought as his dream retirement property. When Tim heard the details of the charges against his old friend, he hesitated. What if he didn’t really know Max at all?
The moment of doubt passed, and he signed the form. Max’s mother offered to post the equity in her house as well to secure her son’s release. Ultimately, though, it didn’t matter. When Max came up for arraignment in San Jose, a federal magistrate ordered the hacker held without bail pending his transport to Pittsburgh.
The government announced Iceman’s arrest on September 11, 2007. The news hit Carders Market, sparking a flurry of activity. Achilous immediately deleted the entire database of posts and private messages, not knowing the feds already had it. “I think the SQL database almost had a heart attack when I did it, but it’s done now. I think this is what Aphex would have wanted,” he wrote. “This forum is open for posting, so people can chat and figure out where to go from here. Just be very careful, specifically about following links. Try to keep the conspiracy theories to a minimum everyone, please.
“Good luck, be safe.”
Silo jumped in under an alias to wrongly label his former rival a snitch, based on news reports that misunderstood Max’s work for the FBI during his white-hat days. “It’s sad to see a brilliant guy go,” he wrote. “He brought a lot to this board and the scene as a vendor and an administrator. A lot of guys made a lot of money from him.”
But “once a rat always a rat,” he wrote, with no trace of irony. “This whole board is spawned out of the fact that years ago the FBI and Aphex had a disagreement on whom he was snitching out.… Bottom line, he is the biggest hypocrite to ever grace the scene.”
Back at his desk in Pittsburgh, Mularski put on Master Splyntr’s black hat to join the postgame analysis. The FBI agent knew full well that Iceman hadn’t been an informant, but his alter ego would be expected to seize on the news that Max had once worked with the feds. “Oh just where do I even begin?” He gloated on DarkMarket, enjoying the moment. “Let’s see … let’s see … How about with this headline from SFGate.com? And I quote, ‘Ex-FBI snitch in S.F. indicted in hacking of financial institutions.’
“Did anyone else notice anything about that headline? Ahh yeah, FBI Snitch. This is turning out to be just like Gollumfun and El. No wonder why Iceman always had a hard-on for them, because he was just like them and was competing for his handlers’ praises.”
When Max arrived in Pittsburgh, his new public defender tried again to get him released on bail, but the judge refused after prosecutors speculated that Max was sitting on vast stores of hidden cash and could easily use his contacts to disappear with a new name. To prove that he’d tried to evade the feds, they played their trump card: private messages written by Max himself describing his use of false IDs while traveling and his “evasive move” to his final safe house. Max had sent the messages to a Pittsburgh Secret Service informant who’d been an admin on Carders Market for a full year.
Max wasn’t at all surprised to see that it was Th3C0rrupted0ne.
The man is sitting rigid on a polished wooden chair and staring balefully into the camera. Paint peels from a cracked plaster wall behind him. He’s been stripped down to his underwear, and he’s holding a handwritten sign over his exposed paunch. I AM KIER, it reads, in large block letters. MY REAL NAME IS MERT ORTAC.… I AM RAT. I AM PIG. I AM FUCKED BY CHA0.
The appearance of the photo on DarkMarket in May 2008 sent Mularski hurrying back into the NCFTA communications room. Headquarters would want to know that one of Master Splyntr’s admins had just kidnapped and tortured an informant.
Cha0 was an engineer in Istanbul who sold high-quality ATM skimmers and PIN pads to fraudsters around the world. Covertly affixed to a cash machine, the skimmer would record the magstripe data on every debit or credit card fed into the ATM, while the PIN-pad overlay stored the user’s secret code.
Cha0 cut a jaunty presence in the underground. His Flash-animated banner ad on DarkMarket was a classic, opening with a cartoon man wading through a house full of cash. “Is that you?” the text asks. “Yes. If you bought a skimmer and PIN pad from Cha0.” A similarly styled video tutorial for new customers was narrated by a smiling caricature of Cha0 himself. “Hi, my name is Cha0. I’m a developer of skimming devices. I work for you twenty-four hours a day and make the best devices for skimming. You’ll be able to make money in this business with me and my group. We make these devices for newbies—it’s that easy to use!” The animated Cha0 goes on to offer practical advice: Don’t install your skimmer in the morning, because passersby are more vigilant at that time. Don’t choose a location where 250 people or more pass a day. Avoid cities with a population less than 15,000—residents know too well what the ATM is supposed to look like and might notice Cha0’s product.
Notwithstanding his whimsical marketing, Cha0 had always made it clear to his friend Master Splyntr that he was a serious criminal, not afraid to get physical to protect his multimillion-dollar business. Now he’d proven it. Mert “Kier” Ortac had been part of Cha0’s organization, the Crime Enforcers, until he went running to a Turkish TV station to blab about Cha0’s activities. After a couple of interviews, he vanished. When he resurfaced a short time later, he told a harrowing story about being abducted and beaten by Cha0 and his henchmen.
Now Cha0 had confirmed the tale by posting the kidnap photo to DarkMarket as a warning to others.
The image put proof to the FBI’s long-held suspicions that the computer underground was getting violent. With hundreds of millions of dollars pouring into the scene every year, it had seemed inevitable that the carders would take on the brutal methods of traditional organized crime to enlarge or protect their illegal income.
With Max safely locked up in an Ohio detention center, DarkMarket had been free to grow, and Mularski was closing in on its heaviest hitters—Cha0 among them. A Turkish cybercrime detective had spent three months at the NCFTA on a fellowship and was working with Mularski to run down the skimmer maker.
Mularski had sent Cha0 two lightweight PCs as a gift the previous year, opening the first door in the investigation. Cha0 had directed the shipment to flunkies in his organization, who were promptly put under surveillance by the Turkish National Police. That led to Cagatay Evyapan, an electrical engineer with a prior criminal record—details that jibed with the biography Cha0 had shared privately with Mularski.