Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground (36 page)

  
1
Max decided to invest in a rope ladder:
Interview with Max.

  
2
Max finally learned about Giannone’s bust from a news article:
Kim Zetter, “Secret Service Operative Moonlights as Identity Thief,”
Wired.com
. June 6, 2007 (
http://www.wired.com/politics/law/news/2007/06/secret_service
).

  
3
He was growing jumpier every day:
Based on an interview with Charity Majors. Max says he was alert but not jumpy.

  
4
a judge approved his legal name change from Max Butler to Max Ray Vision:
In
Re: Max Ray Butler
, CNC-07-543988, County of San Francisco, Superior Court of California.

  
5
Silo had hidden a second message:
Interview with Max. Lloyd Liske would neither confirm nor deny this account.

  
6
The company openly marketed the service as a way to circumvent FBI surveillance:
“In some countries, government sponsored projects have been set up to collect massive amounts of data from the Internet, including emails, and store them away for future analysis. […] One example of such a program was the FBI’s Carnivore project. By using Hushmail, you can be assured that your data will be protected from that kind of broad government surveillance.”
http://www.hushmail.com/about/technology/security/
.

  
7
forced Hushmail officials to sabotage their own system and compromise specific surveillance targets’ decryption keys:
Ryan Singel, “Encrypted E-Mail Company Hushmail Spills to Feds,”
Wired.com
. November 7, 2007. Detective Mark Fenton of the Vancouver Police Department said he provided Max’s Hushmail e-mail to the Secret Service.

  
8
It was supposed to be a training run for one of Chris’s new recruits:
Interviews with Tsengeltsetseg Tsetsendelger and Chris Aragon.

  
9
a female Secret Service agent disguised as a maid:
The Secret Service’s surveillance,
including the ride up the elevator with Max, was described in an affidavit in
U. S. v. Max Ray Butler
, 2:07-cr-00332, U.S. District Court for the Western District of Pennsylvania. Max said in an interview that the agent was dressed as a maid. FBI agent Mularski says the surveillance was on and off for months.

10
Chris picked out Max’s mugshot from the photos: U.S. v. Max Ray Butler
, 2:07-cr-00332, U.S. District Court for the Western District of Pennsylvania. Aragon says the government tricked him by telling him Max had already been arrested, but he also gave them information on Max’s security measures, which undermines that claim. Court records for Aragon’s criminal case in Orange County indicate a sealed letter from Dembosky is on file.
The People of the State of California vs. Christopher John Aragon, et al.
, 07HF0992, Superior Court of California, County of Orange.

11
Two had lost power when an agent tripped over an electrical cable:
According to Max.

12
Max’s head snapped to look at Master Splyntr:
Interview with Mularski.

13
“You were right”:
Interview with Charity Majors.

14
“Why do you hate us?”:
Interview with Max.

  
1
he told a harrowing story:
“Son bilgiyi verecekken yok oldu!” Haber 71, August 12, 2008 (
http://www.haber7.com/haber/20080812/Son-bilgiyi-verecekken-yok-oldu.php
).

  
2
fingering a known member of Cha0’s organization as the shipper:
Mularski described the genesis of the investigation. The role played by the shipping companies was detailed by Uri Rivner of RSA in a blog post (
http://www.rsa.com/blog/blog_entry.aspx?id=1451
). The Turkish National Police referred inquiries to their embassy in Washington, DC, which declined to make detectives available for interviews.

  
3
a tall, beefy man with close-cropped hair and a black T-shirt emblazoned with the Grim Reaper:
Per police video of the arrest and search. Also see “Enselenen Chao sanal semayi anlatti,” Haber 7, September 12, 2008 (
http://www.haber7.com/haber/20080912/Enselenen-Chao-sanal-semayi-anlatti.php
).

  
4
matching his appearances at the Java Bean with JiLsi’s posts:
Interview with Mularski. Also see Caroline Davies, “Welcome to DarkMarket—global one-stop shop for cybercrime and banking fraud,”
Guardian
, January 4, 2010 (
http://www.guardian.co.uk/technology/2010/jan/14/darkmarket-online-fraud-trial-wembley
).

  
5
JiLsi’s associate, sixty-seven-year-old John “Devilman” McHugh
, Ibid.

  
6
Erkan “Seagate” Findikoglu:
Interview with Mularski. Also see Fusun S. Nebil, “FBI Siber Suçlarla, ABD Içinde ve Disinda Isbirlikleri ile Mücadele,”
Turk.internet.com
, June 15, 2010 (
http://www.turk.internet.com/portal/yazigoster.php?yaziid=28171
).

  
7
Twenty-seven members of Seagate’s organization were charged in Turkey:
Interview with Mularski.

  
8
a reporter for Südwestrundfunk, Southwest Germany public radio:
The reporter was Kai Laufen. See
http://www.swr.de/swr2/programm/sendungen
/wissen/-/id=660374/nid=660374/did=3904422/p6601i/index.html
.

  
9
The U.S. press picked up the story:
The author was the first to identify J. Keith Mularski by name as the FBI agent posing as Master Splyntr, in “Cybercrime Supersite ‘DarkMarket’ Was FBI Sting, Documents Confirm,”
Wired.com
, October 13, 2008 (
http://www.wired.com/threatlevel/2008/10/darkmarket-post/
).

  
1
It had taken the CERT investigators only two weeks to find the encryption key:
Max well knew that the key was vulnerable while in RAM, but he believed the software security on his server would prevent anyone from gaining access to its memory. CERT’s Matt Geiger, who led the forensics team, declined to comment on how he bypassed that security but he said he was able to run memory-acquisition software on Max’s computer.

  
2
Max had stolen 1.1 million of the cards from point-of-sale systems:
Max didn’t challenge this amount for sentencing, but in interviews he expressed disbelief that the number could be that high.

  
1
An undercover Secret Service operative lured him to a nightclub: “2010 Data Breach Investigations Report,”
Verizon RISK Team in cooperation with the United States Secret Service, July 28, 2010.

  
2
ICQ user 201679996:
Affidavit In Support of Arrest Warrant, May 8, 2007,
U.S. v. Albert Gonzalez
, 2:08-mj-00444, U.S. District Court for the Eastern District of New York.

  
3
it was Jonathan James who would pay the highest price:
See the author’s “Former Teen Hacker’s Suicide Linked to TJX Probe,”
Wired.com
, July 9, 2009 (
http://www.wired.com/threatlevel/2009/07/hacker/
).

  
4
They recruit ordinary consumers as unwitting money launderers:
For more detail on these so-called “money mule” scams, see the blog of former
Washingtonpost.com
reporter Brian Krebs, who has covered the crime extensively:
http://krebsonsecurity.com/
.

  
5
the Secret Service had been paying Gonzalez an annual salary of $75,000 a year:
First reported in Kim Zetter, “Secret Service Paid TJX Hacker $75,000 a Year,”
Wired.com
, March 22, 2010.

  
6
filed by the attorneys general of 41 states:
Sources include Dan Kaplan, “TJX settles over breach with 41 states for $9.75 million,”
SC Magazine
, June 23, 2009 (
http://www.scmagazineus.com/tjx-settles-over-breach-with-41-states-for-975-million/article/138930/
).

  
7
another $40 million to Visa-issuing banks:
Mark Jewell, “TJX to pay up to $40.9 million in settlement with Visa over data breach,” Associated Press, November 30, 2007.

  
8
Heartland had been certified PCI compliant:
Sources include Ellen Messmer, “Heartland breach raises questions about PCI standard’s effectiveness,”
Network World
, January 22, 2009 (
http://www.networkworld.com/news/2009/012209-heartland-breach.html
).

  
9
Hannaford Brothers won the security certification even as hackers were in its systems:
Sources include Andrew Conry-Murray, “Supermarket Breach Calls PCI Compliance into Question,”
InformationWeek
, March 22, 2008.

10
The restaurants filed a class-action lawsuit:
http://www.prlog.org/10425165-secret-service-investigation-lawsuit-cast-shadow-over-radiant-systems-and-distributo.html
. Also, “Radiant Systems and Computer World responsible for breach affecting restaurants—lawsuit,” Databreaches.net, November 24, 2010 (
http://www.databreaches.net/?p=8408
) and Kim Zetter, “Restaurants Sue Vendor for Unsecured Card Processor,”
Wired.com
, November 30, 2009 (
http://www.wired.com/threatlevel/2009/11/pos
).

11
White hats have devised attacks against chip-and-PIN:
See Steven J. Murdoch, Saar Drimer, Ross Anderson, and Mike Bond, “Chip and PIN Is Broken,” University of Cambridge Computer Laboratory, Cambridge, UK. Presented at the 2010 IEEE Symposium on Security and Privacy, May 2010 (
http://www.cl.cam.ac.uk/research/security/banking/nopin/
). The response by the UK Card Association is at
http://www.theukcardsassociation.org.uk/
view_point_and_publications/what_we_think/-/page/906/
.

12
hundreds of thousands of point-of-sale terminals with new gear:
The cards themselves are more expensive as well. For a more thorough discussion of the issues holding back chip-and-PIN’s adoption in the United States, see Clases Bell, “Are chip and PIN credit cards coming?”
Bankrate.com
, February 18, 2010 (
http://www.foxbusiness.com/story/personal-finance/financial-planning/chip-pin-creditcards-coming/
). See also Allie Johnson, “U.S. credit cards becoming outdated, less usable abroad,”
Creditcards.com
(
http://www.creditcards.com/credit-card-news/outdated-smart-card-chip-pin-1273.php
).

  
1
His mother suggested he get an agent:
A letter to the author from Aragon.