Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground
Authors: Kevin Poulsen
The police approached several international shipping companies and briefed them about Cha0’s operations. One of them identified some of the skimmer shipments from Istanbul to Europe, fingering a known member of Cha0’s organization as the shipper.
That gave the police the evidence they needed. On September 5, five police in bulletproof vests raided Cha0’s apartment on the outskirts of Istanbul. They rushed into his house and pushed Cha0 and an associate to the ground at gunpoint.
Inside his apartment was a complete electrical lab and assembly line, with components neatly organized in trays and bins. Nearly a dozen computers were running on the desks. Cha0 had all the same card-counterfeiting equipment that had graced Chris Aragon’s factory, as well as giant cardboard boxes holding some one thousand skimmers and two thousand PIN pads, all awaiting international shipment. Cha0’s records showed that four of them had already gotten into the United States.
The cops brought Evyapan out in handcuffs, a tall, beefy man with close-cropped hair and a black T-shirt emblazoned with the Grim Reaper. The face of organized crime in the Internet age.
Cha0 was the last listed target in Mularski’s undercover authorization; the other key DarkMarket players had already been taken down. Markus Kellerer, Matrix001, was arrested in Germany in May 2007 and spent four months in a high-security prison. Renukanth “JiLsi” Subramaniam, a Sri Lankan–born British citizen, was raided in London in June 2007 after detectives with the Serious Organised Crime Agency in Britain staked out the Internet café he used as an office, matching his appearances at the Java Bean with JiLsi’s posts on DarkMarket and his chats with Master Splyntr.
JiLsi’s associate, sixty-seven-year-old John “Devilman” McHugh, was picked up at the same time; police found a credit card counterfeiting factory in the senior citizen’s home.
In Turkey, six members of Cha0’s organization were charged along with Cha0. With Mularski’s help, the police also swooped in on Erkan “Seagate” Findikoglu, a DarkMarket member who ran a massive King Arthur–style cash-out operation responsible for at least two million dollars in thefts from U.S. banks and credit unions—they recovered one million of it in cash at his arrest.
Twenty-seven members of Seagate’s organization were charged in Turkey, and the FBI rounded up six of his cashers in the United States.
With Cha0 and Seagate in jail, Mularski’s work was done—his two years running DarkMarket had now resulted in fifty-six arrests in four countries. On Tuesday, September 16, 2008, he drafted a post formally announcing the closure of the site. As an homage to the carding world’s history and culture, the FBI agent borrowed from King Arthur’s legendary message closing Carder Planet years before. “Good day, respected and dear forum members,” he began.
It is time to tell you the bad news—the forum should be closed. Yes, I really mean closed.
Over the last year we have lost a lot of the admins of the forums: Iceman on Carders Market; JiLsi and Matrix001 disappeared, and now, Cha0 on DM. It is apparent that this forum, which has been around almost three years, is attracting too much attention from a lot of the world services.…
I myself would rather go out like King Arthur than Iceman. Whereas Iceman decided that all he would do was change his nick to Aphex, and continue to run CM, King Arthur closed CarderPlanet and faded into the night. History has shown that Iceman made a fatal mistake. I will not make the same.
Mularski planned to keep his Master Splyntr identity dormant but alive: He’d have a well-established underground legend that he could pull from his pocket whenever he needed it in future investigations. But it was not to be. About a week after DarkMarket went dark, a reporter for Südwestrundfunk, Southwest Germany public radio, got his hands on court documents filed in Matrix’s case that laid bare Mularski’s double life.
The U.S. press picked up the story. Now 2,500 members of DarkMarket knew they’d been doing business on a sting site and that Iceman had been right all along.
Three days after the story broke in the United States, Mularski found an ICQ message to Master Splyntr waiting on his computer. It was from TheUnknown, a UK target who’d gone on the run after he was raided by the British police. “U fucking piece of shit. Motherfucker. Thought you can catch me. Hahaha. Fucking newb. U are nowhere near me.”
“If you want to make arrangements to turn yourself in, let me know,” Mularski wrote back. “It will be easier than looking over your shoulder the rest of your life.”
TheUnknown turned himself in a week later.
Mularski was almost relieved to have his secret identity revealed; for two years, his laptop had been his constant companion—even on vacation, he’d been online talking to carders. He’d enjoyed some of it—building online friendships with some of his targets, teasing and taunting others. Master Splyntr could say things to criminals that a respectable FBI agent never could.
Eager as Mularski was to have his life back, it would take time. Nearly a month after DarkMarket’s closing, he was still fighting a vague restlessness. Mularski had one more challenge to master. He’d have to learn how to not be Master Splyntr.
Max towered over the marshals as they brought him into the Pittsburgh courtroom to face sentencing. He wore an ill-fitting orange jail uniform, his hair trimmed short and neat.
His escorts uncuffed his hands, and he took a seat next to his public defender at the defense table. A half-dozen reporters talked among themselves on one side of the gallery, an equal number of feds on the other. Behind them, the long wooden pews were mostly empty: no friends, no family, no Charity; she’d already told Max she wasn’t going to wait for him.
It was February 12, 2010, two and a half years after his arrest at the safe house. Max had spent the first month locked up at the Santa Clara county jail, speaking daily with Charity in long phone calls more intimate than any conversations they’d had while he was immersed in his crimes. The marshals finally put him on a plane and checked him into a detention facility in Ohio, where Max made peace with his confinement, largely drained now of the self-righteous anger that carried him through his previous imprisonments. He made new friends in the joint: geeks like him. They started a Dungeons and Dragons campaign.
By year’s end, Max had no more secrets.
It had taken the CERT investigators only two weeks to find the encryption key in the image of his computer’s RAM. At one of his court appearances, prosecutor Luke Dembosky handed Max’s lawyer a slip of paper with his passphrase written on it: “!!One man can make a difference!”
For years, Max had used his encrypted hard drive as an extension of his brain, storing everything he found and everything he did. That the feds had it was disastrous for his legal future, but more than that, it felt like an intimate violation. The government was in his head, reading his mind and memories. When he returned to his cell after the hearing, he wept into his pillow.
They had everything: five terabytes of hacking tools, phishing e-mails, dossiers he’d compiled on his online friends and enemies, notes on his interests and activities, and 1.8 million credit card accounts from over a thousand banks. The government broke it down: Max had stolen 1.1 million of the cards from point-of-sale systems. The remainder mostly came from the carders Max had hacked.
It was eight miles of magstripe data, and the feds were prepared to charge him for every inch. The government had secretly flown Chris to Pittsburgh for weeks of debriefing while the credit card companies tallied the fraudulent charges on Max’s cards, arriving at a staggering $86.4 million in losses.
Max’s profits were far less: Max told the government he earned under $1 million from his capers and had pissed most of it away on rent, meals, cab fare, and gadgets. The government found about $80,000 in Max’s WebMoney account. But federal sentencing guidelines in theft cases are based on victim harm, not the offender’s profits, so Max could be held responsible for the charges rung up by Chris, the carders who bought dumps from Digits and Generous, and potentially the fraud performed by the carders Max hacked. Rolled up with Max’s rap sheet, the $86 million translated to a sentence of thirty years to life, with no parole.
Faced with decades in prison, Max began cooperating with the investigation. Mularski took him out for long debriefing sessions about the hacker’s crimes. At one of them, after the DarkMarket sting broke in the press, Max apologized to Mularski for his attempts to expose Master Splyntr. Mularski heard sincerity in his old foe’s voice and accepted his apology.
After a year of negotiation, Max’s lawyer and the government settled on their number—a joint recommendation to the judge of thirteen years. In July 2009, Max had pleaded guilty.
The deal wasn’t binding on the court; in theory, Max could be released on the spot, sentenced to life, or anything in between. The day before the sentencing, Max typed out a four-page letter to his judge, Maurice Cohill Jr., a seventy-year-old Ford appointee who’d been a jurist since before Max was born.
“I don’t believe further prison time in my case will help anyone,” Max wrote. “I don’t think it is necessary because all I want to do is help. I disagree with the blanket assessment of the sentencing guidelines. Unfortunately, I am facing such a horrible sentence that even 13 years seems ‘good’ in comparison. But I assure you it is overkill as I am the proverbial dead horse. That said, I plan to make the most of the time I have left on this earth be it in prison or otherwise.”
He continued. “I have a lot of regrets, but I think my essential failing was that I lost touch with the accountability and responsibility that comes with being a member of society. A friend of mine once told me to behave as though everyone could see what I was doing all the time. A sure way to avoid engaging in illegal conduct, but I guess I wasn’t a believer because when I was invisible, I forgot all about this advice. I know now that we can’t be invisible, and that it’s dangerous thinking.”
Max watched with studied calmness as his lawyer stood to confer with the prosecution over last-minute details and the courthouse staff went through their prehearing checklist, testing the microphones and shuffling papers. At ten thirty a.m. the door to chambers opened. “All rise!”
Judge Cohill took the bench. A wizened man with a close-cropped snow-white beard, he peered at the courtroom through round glasses and announced the sentencing of Max Butler, the name under which Max had been charged. He read Max’s sentencing guidelines for the record, thirty years to life, then listened as prosecutor Dembosky laid out his case for leniency. Max had provided significant help to the government, he said, and was deserving of a sentence below the guidelines.
What followed could have been an awards presentation instead of a sentencing hearing, with Max’s lawyer, prosecutor, and judge taking turns praising Max’s computer skills and apparent remorse. “He’s an extremely bright, self-taught computer expert,” said federal public defender Michael Novara, albeit one who orchestrated “computer security breaches on a grand scale.”
Dembosky, a computer-crime specialist and seven-year veteran of the U.S. Attorney’s Office, called Max “extremely bright and articulate and talented.” He’d been at some of Max’s debriefings, and like virtually everyone who knew Max in real life, he’d grown to like the hacker. “He’s almost wide-eyed and optimistic in his view of the world,” he said. Max’s cooperation, he added, was why they were asking for only thirteen years instead of an “astronomical” sentence. “I believe that he is very sorry.”
Max had little to add. “I’ve changed,” he said. Hacking no longer held any appeal for him. He invited Judge Cohill to ask him any questions. Cohill didn’t need to. The judge said he was impressed by Max’s letter and by letters written by Charity, Tim Spencer, and Max’s mother, father, and sister. He was satisfied that Max was remorseful. “I don’t think I have to give you a lecture on the problems you’ve caused for your victims.”
Cohill had already written the sentencing order. He read from it aloud. Thirteen years in prison. Max would also be responsible for $27.5 million in restitution, based on the cost to the banks of reissuing the 1.1 million cards Max stole from point-of-sale systems. Upon his release, he’d serve five years of court supervision, during which he’d be allowed to use the Internet only for employment or education.
“Good luck,” he said to Max.
Max stood up—his face neutral—and let a marshal handcuff him behind his back, then lead him through the door in the back of the courtroom connecting to the holding cells. With credit for time served and good behavior, he’d be out just before Christmas 2018.
Almost nine years in prison were still ahead of him. At the time it was the longest U.S. sentence ever handed out to a hacker.
By the time Max was sentenced, the Secret Service had identified the mystery American hacker who’d made Maksik into the world’s top carder, and he was poised to get a sentence that would make Max’s look like a traffic fine.