Script ruled as the godfather, at the very top. King Arthur and a man named Boa, who operated the site Boafactory.com, manufacturing new credit cards with the coded information provided by hackers, ranked near him. Beginning as a Russian-language site, CarderPlanet soon added sections in English, Chinese, Japanese, and Korean. By late 2003, more than 9,000 people had registered. Andy and his allies in law enforcement spent hours on the site, trying to learn as much as they could. They drafted crude portraits of the villains, ascribing specialties and business partners where they could. But with King Arthur and others, there were no pictures or true names to go with the organization charts. Instead, the investigators had to make do with the occasional capture of a lower-level operative in the West to round out their understanding of how the dark economy worked.
One of the more successful native English speakers was a young man from Texas named Douglas Havard. The child of a business executive, Havard went to a private high school and then Southern Methodist University. A smooth manipulator, Havard found that being captain of his high school football team wasn’t enough. He made extra money by buying cheap electronics, switching their UPC bar-codes, and returning them for a bigger refund. By seventeen, he was selling as much as $6,000 worth of Ecstasy in a month. Then one of his suppliers sold him some fake pills. Havard and two other young men barged into the man’s apartment with guns drawn. As they demanded their money back, the upstream dealer’s brother hid in a closet, dialing 911 on his cell phone. Police charged Havard with aggravated robbery in 2001. Out on bond, he entered college, set his dormmates to work turning out fake driver’s licenses, and preyed on a girl with the date-rape drug GHB. An undercover cop finally bought gallons of the drug from Havard and arrested him in mid-sale.
Havard skipped bail and traipsed through several countries before settling in England. There he answered an ad on CarderPlanet and went to work as a casher for King Arthur and others running the site. Havard also coordinated groups in America who were doing the same thing. They all re-encoded Citibank ATM cards with a special program and jotted down the numeric passcodes King Arthur had cracked. Havard was in awe of King Arthur, writing to a sidekick named On-The-Fringe: “He can transfer money between cards and see how much we take out. At one point he was making $1 million a week lol.”
The Americans hit multiple banks daily, splitting their 40 percent with Havard and sending 60 percent to the Russian. In online chats with his accomplices, Havard estimated that he had made millionaires of several Eastern Europeans, including Script, who were sharing the wealth among themselves. No wonder, he said, that he was getting promoted to “Capo di Capi,” or Boss of Bosses, one step below the ruling clique. Then twenty-four, Havard kept enough for himself—as much as $100,000 a month—to enjoy a champagne lifestyle in the nightclubs. “Mercedes don’t buy themselves,” he wrote to one associate. “I can’t rap and my jump shot sucks, so I really can’t think of another way to make this kind of money.”
U.S. agents caught one of Havard’s U.S. accomplices trying to board a plane in Austin, Texas, with $32,000 in cash. After he talked, the FBI called the NHTCU, which assigned Trevor Dickey to arrest Havard in Leeds in June 2004. Dickey surprised Havard in his room, finding him with guns, forged passports, and fake drivers’ licenses. Havard’s computer still contained chats with Script and with his U.S. team. In 2005 an English judge sent Havard to prison for six years.
SINCE CARDERPLANET OPERATED so openly and attracted so many, it quickly became a top target for the FBI and other law enforcement agencies. The U.S. Postal Service, like the Secret Service, proved more nimble than the larger force. It had long tracked credit cards that were stolen from the mail and the use of false addresses to receive plundered goods. A team of postal inspectors stuck with the mission as the criminals moved online, and they allied with FBI agents working out of Los Angeles. The FBI recruited a Russian-speaking informant who joined CarderPlanet in 2002. That fall the informant chatted with Script over ICQ and bought two collections of 110 stolen credit card numbers for $400 per batch, sending the money through Western Union to mules in Estonia and Ukraine. In his instant messages, Script said he had created CarderPlanet and lived in Odessa. Script worried so little about exposure that he granted interviews. Explaining his embrace of the underground market, he told a Ukrainian website: “There are no universal carders. Sooner or later, this carder will need services of another person.”
He emailed the website that his real name was Dmitry Golubov, providing his passport, phone numbers, and date of birth for good measure. Golubov obviously enjoyed special protection, investigators said. “There was always information that said there were cops involved,” said then FBI agent E. J. Hilbert, who helped lead the probe. Indeed, investigators at the Ukrainian MVD would conclude that Golubov’s co-conspirators included Andrey Gerashenko, identified as a police captain by a researcher for antivirus firm McAfee.
A break in the CarderPlanet case came with the February 2003 arrest in Cyprus of Boa, whose real name was Roman Stepanenko and was also known as Roman Vega. Following an alert from a payment processor, police in the island country showed up at a Nicosia store that was submitting a suspiciously large number of credit card transactions. The local police officer found Stepanenko swiping through card after card. The authorities charged Stepanenko with fraud, won a conviction, and sent him off for a stint in jail. Near the end of his term, U.S. authorities who had heard about Boa’s remanufactured cards got Stepanenko extradited. They also got a better look at the largely encrypted Sony Vaio computer from his hotel room. It contained logs of his ICQ chats, which included negotiations to sell credit card data to Script, among others. The Justice Department announced Stepanenko’s transfer to the United States along with a slew of unrelated cybercrime busts, not realizing how big a fish it had. Prosecutors in San Francisco charged Stepanenko with making the bogus credit cards and defrauding some forty merchants. After he struck a secret deal to cooperate, he pleaded guilty to twenty counts and received a sentence of just a few years. But the cooperation was far short of what agents should have been able to wrest if they had known who they had, according to someone who worked the case. They could have gotten Stepanenko to help them break into the inner circle ruling CarderPlanet.
That’s because Stepanenko’s logs indicated that he did far more than try to sell thousands of credit card numbers and the supporting data, as the Justice Department had announced. In fact, they showed him bragging that his “guys” had pulled off one of the worst identity hacks of all time—albeit one that had gotten no press attention, because back then no laws required notification of those who lost sensitive financial information. The target was Data Processors International, later bought by another firm. The company handled millions of transactions for credit card issuers, and after some banks complained of mass fraud, it admitted that hackers had obtained 8 million card numbers in early 2003. Stepanenko told another hacker that the correct number was 14 million. No officials ever announced Stepanenko’s role, or that of any other hacker, in the DPI break-in. It was buried in a second indictment against him in New York, filed in 2007. Those charges suggested that prosecutors had initially missed how bad Stepanenko was, that he had fallen short of the promised help, and that agents hadn’t been eager to advertise either fact. “We thought he hadn’t cooperated,” a federal agent acknowledged.
Stepanenko’s chat logs as Boa did get U.S. officials closer to Script. They showed the founder of CarderPlanet identifying himself as Dmitry Golubov. A picture on Boa’s hard drive labeled “Scriptek” showed Golubov too. Postal Inspector Greg Crabb and FBI Agent Hilbert flew to Ukraine repeatedly to lobby the government there to help them. They got nowhere. “First they said ‘No, no, no, he’s clean,’” Hilbert recalled. “Then it became: ‘We know he’s bad, but we’ve been told we can’t go after him.’” Until fall 2003, hacking outside of the country’s borders wasn’t a crime. When the law changed, the ban carried a penalty of five years in jail or a mere $1,000 fine—the sort of money a carder could earn in a day.
Like Andy Crocker, Hilbert tried to ingratiate himself with his host country. Once he gave a cybercrime training class at the Ukraine national police academy. Over three and a half hours, he felt that he connected with the earnest but unskilled group. He got them on the Internet, showed them Internet Relay Chat, and covered the basic lingo. Then the staff brought in a young technical expert to modify the computer settings and enable an instant-messaging session. Hilbert looked down and saw that the expert was using the same handle as a carder he had been monitoring, Dracul. “Good to meet you,” Hilbert told the youth. Then Hilbert asked whether he had been involved in a particular scam. The kid said he had. When Hilbert reported this fact to his audience, they saw no problem at all.
It had been the same story with Russia. Numerous cases there fizzled, increasing the distrust on both sides. There were legitimate concerns about corruption among Russian officers. But the FBI took those concerns too far. With its insular culture, the FBI didn’t even care to share details about its cases with law enforcement peers in the U.S. and England, let alone rival powers. Besides, the agency gained clout in parallel with the rise of Red-obsessed leader J. Edgar Hoover. Working with the Russians, which necessitated sharing data with them, went against something very deep in the FBI’s fabric. “There was reluctance to send information on suspects to Russia,” Hilbert said. “There was concern they [the authorities] would go out and hire them for hacking.”
That attitude backfired. The Russians were offended and thought the FBI arrogant. In 2000, FBI Agent Michael Schuler posed as a private company executive to induce two Russian hackers to fly to Seattle, where they were arrested. After Schuler used Bureau machines to search the suspects’ computers back home, angry Russian police began investigating Schuler. Andy was lucky to be working for an agency that believed deeply in international cooperation, and he was lucky to be working in a country with less historical antipathy to Russia.
In 2004, the divided Ukraine populace elected a Western-oriented leader in what was dubbed the Orange Revolution. In mid-2005, the new authorities changed direction and arrested Golubov. Hilbert interviewed the young man in jail. Golubov barely managed to keep a straight face as he denied that he was Script. Hilbert left the country convinced that one of the most dangerous and effective cybercriminals on the planet had been put away. Ukraine declined to extradite Golubov, saying it would try him in local court. He spent six months in jail.
Then two members of the Ukraine parliament vouched for Golubov, and the judge released him to howls from the Postal Service and FBI. “When you can call in some favors and get some politician in the Ukraine [to] vouch for your upstandedness, there’s not much the U.S. can do after that,” Postal Inspector Crabb told Wired.com.
In an online chat, Script told Doug Havard that legal pressure spurred his retirement. But he had an unorthodox way of showing any new circumspection. Golubov formed a political party, the Internet Party of Ukraine, which said it would push for greater national investment in technology. Security experts called the party a gag that didn’t exist beyond its website. Few in U.S. law enforcement thought it funny.
After Golubov’s arrest, control of CarderPlanet, its Web address, and its physical location shifted among King Arthur and others before the leadership shut it down in the summer of 2004, shortly after Havard’s arrest and not long before Andy’s first moves in Russia. By then CarderPlanet had facilitated fraud worth tens of millions of dollars or more, trained a generation of scammers, and established a model for black Internet commerce. Many more sites sprang up to succeed it, most with tighter internal security.