Barrett would take on a new customer and see if the digital dam he had set up would still hold. If not, he would rearrange his system to keep it functioning until he could get new equipment shipped to PureGig in Phoenix. Once the gear arrived, he would fly to Arizona and spend however long it took to install it, making more than a dozen trips in a few months.
Barrett was winning. But in his heart, mounting a successful defense didn’t feel like enough. The bad guys would just move on to weaker targets, raking in more cash and perhaps reinvesting it by rounding up new captive computers or better programmers. Thinking back to what he had done after helping Don Best, Barrett wondered if he could track the hackers at least partway to their lairs. He told Rachelle he wanted to look deeper, then turn over whatever he learned to the authorities. “Why can’t you be happy with saving your customers?” she asked. Barrett reflected for a moment. Trying to do some good in the world was part of it, but that sounded ridiculous. So he told her with equal honesty: “It’s an ego thing now. I want to beat these guys.”
Barrett wasn’t expecting any help from law enforcement. In 2004 very few U.S. hackers had been arrested, and the ones who had been caught were usually dumb teens who had broken into websites and then bragged about it on Internet Relay Chat channels, where officials could secretly track them by the nicknames they used to log on.
He had never heard of police arresting anyone for online extortion, and the bad guys most likely weren’t in the U.S., making any prosecution orders of magnitude more difficult. Moreover, if they were hurting anyone in the country, it was mainly people breaking the law to gamble. Barrett called the FBI anyway. When he got an agent on the phone, he explained that at least some of the zombies used in the attacks on BetCRIS and his other customers were American. Beyond that, it was likely that the same machines would be used at some point to go after U.S. companies. The agent listened, asked a couple of pro forma questions, and thanked him for his time. This looked like it was going to be a solo job.
On those nights when he made it back home to Sacramento, Barrett would go back to thinking like a hacker. He studied infected machines and saw that the program that had infected them instructed each machine to check back in with the attacker through the instant-messaging system ICQ, shorthand for “I seek you.” Barrett lifted the ICQ address and messaged the hacker himself but got no response.
Then Barrett tried doing what he had done after the smaller assault on Don Best. He told Dayton Turner to check for zombies that were running Simple Network Management Protocol in the open. Once he found one, he could see where that machine had been connecting. Sure enough, Dayton found an IRC server that was commanding the army of robots. As in the previous attack, it was in Kazakhstan. Other robots, or “bots” for short, were reporting to IRC servers on the ironically named fbi.pp.ru and on mazafaka.ru, an address notorious for the hackers using it. Both names had the .ru endings designated for sites in Russia. Barrett pronounced the second address aloud. At least these guys have a sense of humor, he thought. From another infected machine, Barrett picked up a password that would allow him and Dayton to get into the Kazakhstan chat channel. They joined and watched as hackers in the channel monitored attacks in progress against BetCRIS and other sites, including Microsoft.com. Barrett was tempted to call Microsoft and warn them, but he told himself he would do the software giant a bigger favor by staying focused and taking out its enemies.
Barrett and Dayton decided to see if they could learn about the assailant by going undercover. They crafted a character that they thought would have the most plausible reason for showing up, uninvited, on a private chat channel on the other side of the world. They logged on as “hardcore,” an imaginary hacker from Dayton’s Vancouver hometown who had been out of the scene for a while. They made hardcore smart but not too smart. Hardcore would have a modest supply of bots under his own control, 250 or so, and be a decent virus writer interested in joining forces.
It helped that most hackers, especially those living abroad, had a well-deserved sense of impunity. Many governments didn’t care if their citizens attacked foreigners, and even committed local authorities were ill equipped to handle technology-intensive investigations. Police in the West also lacked expertise, and they ran into all sorts of bureaucratic hurdles when they wanted to work undercover. As a private citizen, Barrett had no such issues.
Just to be on the safe side, he checked in again with the FBI. This time he got a visit from an agent in the Sacramento field office, Matthew Perry. Barrett showed the fortyish agent the chat channel and explained how the attackers used it to compare notes and to issue commands to the zombie computers. It was different from anything Perry had seen before, and he was enthusiastic about something so unusual for the Sacramento office. Looking over Barrett’s shoulder, Perry asked what else he could learn. Barrett said he might be able to find out how big the ring was, how many zombies they controlled, and who else they were attacking. He would just have to lie in order to get into their world, and he would have to run traces and other programs the feds needed warrants for.
Perry said he couldn’t sponsor anything illegal, but if it were for the greater good he wouldn’t ask how Barrett got his information. Perry coached him on what he should try to get out of the hackers, and he gave Barrett an agency code name—Plato.
Some hacking groups overlapped, with freelancers working a job for one group and then another, so it wasn’t unheard of to run across the trail of a fellow electronic criminal. When hardcore first logged on to the IRC channel, Barrett and Dayton saw that one member of the gang directing the robots used the online handle “eXe.” That rang a bell: one piece of the code installed on an infected machine had included the title eXe. “hi,” Dayton wrote to him in the channel. “yes, im here.”
“are you from quakenet?” eXe responded, referring to another hacking group. Dayton paused, wondering if a false yes would expose him. So he hedged: “originally, ya.” eXe started quizzing him in rough English, asking “what you doing here?” and “do you have your a bot?”
“I just came to see if this was still around ... looks like the scripts have changed a little.”
Other chatters were suspicious and hostile. “part plz our server,” wrote a hacker using the handle “uhdfed.” When hardcore didn’t go, uhdfed launched a miniature denial-of-service that forced Dayton off the network. But Barrett and Dayton kept coming back. Depending on which of the hackers were logged on, they would chat for as long as several hours. They developed the best rapport with eXe. They offered to lend their own zombie computers to the crew’s DDoS efforts and to improve the attack programs. “I could rewrite it,” Barrett told eXe at one point. “I did it last semester in school for a test—just to see how fast I could scan large groups of machines.”
Soon afterward, as he grew more comfortable with hardcore, eXe began making mistakes. He logged on from his home Internet service provider. A private file transfer gave away his true Internet address. The late-night conversations turned social—eXe asked for Britney Spears videos—and he let slip his real first name, Ivan, and that he was a twenty-one-year-old college student in Russia.
When Barrett told Perry what he was finding out, the agent didn’t seem as excited as Barrett had hoped. All the same, Perry told Barrett he had to be sworn in, over the phone. “Sworn in for what?” Barrett asked. “To become an agent of the FBI,” Perry told him. Not an FBI agent, mind you, but an agent of the agency. Someone else got on the line, and the officials recited the terms of their agreement. The point of it all was that Barrett was now clear to break the law, as long as he didn’t get caught. Oh, and if it ever came up, the FBI would deny that it had any such deal. Overall, Barrett’s experience with the FBI mirrored that of more established private security experts and, for that matter, the agency’s allies in law enforcement: the communication went only in one direction, and there would be little to show for it.
IT WAS A DIFFERENT STORY with the authorities in Britain. They were interested enough in what Barrett was doing that they tracked him down before he’d even heard of them.
After testing the waters with the bookies in Latin America, the Russian gang had attacked similar companies based in England and Australia, where gambling firms are legal. Soon they or their rivals had hit almost every significant U.K. betting firm at least once, and the matter grew to be a top priority for the London-based National Hi-Tech Crime Unit.
While the U.S. was still floundering for an answer to technology crime, Prime Minister Tony Blair had made it a major emphasis. According to NHTCU Deputy Chief Mickey Deats, the Queen herself had realized the essential role that electronic commerce would play in the growth of the world economy. In the late 1990s she told Blair that she wanted England safe for online business, and that meant trying to get a modicum of control of the Internet. Even if the inherently risky architecture of the Net presented a monumental technological challenge, Blair saw no reason to give up on law enforcement.
In September 1999, as the dot-com boom was in full swing, Blair’s office issued a report declaring that the government would strive to make the United Kingdom “the best environment in the world for e-commerce.” It recommended that the country establish an Internet crime unit to fight fraud and hacking. The NHTCU came into being in April 2001 as an offshoot of the National Crime Squad, which took the top-rated 5 percent of local police detectives for seven-year assignments.
In October 2003 the elite unit fielded a call from Canbet Ltd., an Australian-owned betting company in the southern English city of Portsmouth that was experiencing a DDoS attack. While working the Canbet case, the agents discovered what Barrett had done to protect companies from similar assaults. One emailed Barrett out of the blue, asking if they could send someone across the Atlantic to “chat.”
Three NHTCU agents flew to Los Angeles to meet Barrett. They included Bob Lewis, a former Royal Air Force noncommissioned officer; Andy Robbins, a computer forensics man; and Mat Proud, a white man with brown dreadlocks and serious technical expertise. Proud looked even less like a cop than Barrett did, and Barrett guessed he was on loan from British intelligence.
Two FBI agents hosted the get-together. They explained that the bureaucratic framework for international cooperation required Barrett to give his information to U.S. officials, who could pass it along. When the FBI agents made it clear that they were only there to facilitate, Barrett was again disappointed by their lack of enthusiasm.
Lewis immediately surprised Barrett by saying that the NHTCU had a different sense of mission. Yes, they wanted to punish the bad guys. But whether they succeeded or failed in that attempt, they also had a “duty of care” to protect U.K. citizens and businesses—a goal they could pursue through advocating policy changes or education campaigns. Their first job in any case was to learn as much as they could about what was happening. “We’re here,” Lewis continued, “because we want to make sure that England is the technology center of Europe. The Queen has decided that the U.K. will be one of the top players in information technology, and any threat to that is a direct threat to England.” Barrett saw one of the FBI men rolling his eyes, but he felt instantly in tune with the Brits. They reciprocated by insisting he remain in town overnight, paying the fees to change his airline ticket and treating him to a hotel room.
Barrett outlined what he had learned about the technical aspects of the extortion ring and what he was getting from his first chats with eXe. He kept the NHTCU agents updated by email afterward as his team tracked attacks to new servers and as the types of assaults morphed. The British agents urged Barrett and Dayton to get the nicknames of as many people in the chat channel as possible, along with any clues to their physical location. At the end of February 2004, Barrett turned in more than thirty pages of analysis and IRC transcripts. He gave the paper a title designed to get law enforcement to pay attention: “DDoS Terrorism Report.”
Like the FBI, the U.K. agents couldn’t make free use of common hacking tools, such as the scanners that look for openings into computers, and they were careful not to advise Barrett to use them. Instead, the British said they would gladly accept any information and wouldn’t press too hard to learn how it had come to them. In one email telling Barrett that his captured code had led them to a new chat server, Proud added: “The powers that be ask me to remind you that we can only use stuff that’s legally obtained in our investigation ;-),” closing with a winking smiley face. Proud said nothing about what Barrett could use in his own probe.