Read Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground Online
Authors: Kevin Poulsen
The feds arrived in force, as many as twenty agents swarming like ants through the apartment. They found only the routine trappings of a San Francisco computer geek with hippie leanings: a bookshelf with Orwell’s 1984, Huxley’s Brave New World, Orson Scott Card’s sci-fi classic Ender’s Game, and a smattering of Asimov and Carl Sagan. There was a bicycle, and stuffed penguins were strewn everywhere. Max loved penguins.
They discovered not one of Max’s slapdash hiding spots, and this time, the hacker had nothing to say. The agents left without any evidence linking Max to the Valve intrusion, much less any hints of the crimes he was committing with Chris. Just a stack of CDs, a broken hard drive, and a vanilla Windows machine he’d left out as diversions.
But Charity had just learned what it meant to be in Max Vision’s world. Max insisted he was innocent of the source code theft. It was probably the truth. There’d been several first-person shooter fans crawling around Valve’s Swiss cheese network in anticipation of Half-Life 2. Max happened to be one of them.
The FBI later settled on a different Valve hacker: a twenty-year-old German hacker named Axel “Ago” Gembe, who admitted to his intrusions in e-mails to Valve’s CEO, though he too denied stealing the code.
Gembe was already notorious for creating Agobot, a pioneering computer worm that did more than just spread from one Windows machine to another. When Agobot took over a machine, the user might not notice anything but a sudden sluggishness in performance. But deep in the PC’s subconscious, it was joining a hacker’s private army. The malware was programmed to automatically log in to a preselected IRC room, announce itself, and then linger to accept commands broadcast by its master in the chat channel.
Thousands of computers would report at once, forming a kind of hive mind called a botnet. With one line of text, a hacker could activate keystroke loggers on all the machines to capture passwords and credit card numbers. He could instruct the computers to open secret e-mail proxies to launder spam. Worst of all, he could direct all those PCs to simultaneously flood a targeted website with traffic—a distributed denial-of-service attack that could take down a top site for hours while network administrators blocked each IP address one at a time.
DDoS attacks started as a way for quarreling hackers to knock each other out of IRC. Then one day in February 2000, a fifteen-year-old Canadian named Michael “MafiaBoy” Calce experimentally programmed his botnet to hose down the highest-traffic websites he could find. CNN, Yahoo!, Amazon, eBay, Dell, and E-Trade all buckled under the deluge, leading to national headlines and an emergency meeting of security experts at the White House. Since then, DDoS attacks had grown to become one of the Internet’s most monstrous problems.
Bots like Ago’s marked the decade’s major innovation in malware, inaugurating an era where any pissed-off script kiddie can take down part of the Web at will. Gembe’s confession in the Valve hack provided the FBI with a golden opportunity to snare one of the innovators most responsible.
The FBI tried to lure Gembe to America with an Invita-style job offer from Valve. After months of negotiations and telephone interviews with Valve executives, the hacker seemed ready to hop a flight to the States.
Then the German police intervened, arrested the hacker, and charged him locally as a youthful offender. Gembe was sentenced to one year of probation.
The raid on Max’s house shook him, filling his head with unpleasant memories of the FBI’s search warrant over the BIND attacks. Max decided he needed a safe house in the city, a place where he could ply his trade and store his data free from the threat of search warrants—something like Chris’s Villa Siena plant.
Under an alias, Chris rented a second apartment for Max, a spacious penthouse in the Fillmore District, with a balcony and a fireplace—Max liked working by an open fire, and he’d joked that he could burn the evidence in an emergency.
Max tried to get home to Charity daily, but with a comfortable hacker safe house to retreat to, he began disappearing for days at a stretch, sometimes only emerging when his girlfriend interrupted his work with a prodding phone call.
“Dude, time to come home. I miss you.”
As money started to flow into Max and Chris’s joint operation, so did the mistrust. Some of the cashers in Chris’s crew liked to party, and the constant presence of cocaine, ecstasy, and pot called to Chris like a forgotten melody. In February, he was pulled over near his home and arrested for driving under the influence. He began routinely vanishing with his comely employees for weekend-long bacchanals in Vegas: The day was for shopping; at night, Chris would snort some coke and take the girls out to the Hard Rock to party or snag a VIP table at the sleek Ghostbar atop the Palms, where he’d blow $1,000 on dinner and another grand on wine. Back in Orange County, he took a mistress—an eighteen-year-old woman he met through one of his cashers.
Max found both drugs and marital infidelity distasteful. But what really irked him was the financial arrangement. Chris was paying Max haphazardly—in whatever amount he felt like turning over at any given moment. Max wanted a straight 50 percent of Chris’s profits. He was certain that Chris was making serious bank from their joint operation.
Chris tried to set him straight, and he e-mailed Max a detailed spreadsheet showing where the profits were going. Out of a hundred cards, maybe fifty worked, and only half of those could buy anything worth selling—the others were seeds and stems, cards with $500 security limits that were good only for trifles like gas and meals. Chris had expenses, too—spreading his hustle meant flying his crew to far-flung cities, and airline seats weren’t getting any cheaper. Meanwhile, he was paying rent at Villa Siena for his credit card factory.
Max was unconvinced. “Call me back when you’re not stoned.”
The last straw came when Chris, three months after the Half-Life raid, suffered a close call himself. He’d driven up to San Francisco to meet with Max and make some carding runs at Peninsula malls. He and his crew were checked into adjacent rooms at the W, a posh hotel in the Soma district, when Chris got a call from the front desk. His credit card had been declined.
Hungover and fuzzy-headed from the flu, Chris took the elevator to the marbled lobby and pulled a new fake card from his swollen wallet. He watched as the clerk swiped it. It was declined. He produced another one, and it failed too. The third one worked, but by then the clerk was suspicious, and as the elevator was carrying Chris back to the twenty-seventh floor, she was picking up the phone and calling the credit card company.
The next knock on Chris’s door was the San Francisco Police Department. They cuffed him and searched his rooms and car, seizing his Sony laptop, an MSR206, and his SUV, which had a fake VIN tag—Chris had experimented with renting cars using his plastic in Las Vegas, then sending them to Mexico to be fitted with clean VINs.
Chris was thrown in the county jail. His disappearance worried Max, but Chris bailed out quickly and confessed his blunder to his partner. Fortunately for him the police investigation went no further. Chris was sentenced a month later to three years of probation and ordered not to return to the W. He boasted afterward that he’d been a beneficiary of San Francisco’s liberal justice system.
It was the kind of bullshit local bust that happened to Chris’s girls all the time; that was why Chris kept a bail bondsman on retainer and even let him crash at his Villa Siena factory. But Max was furious. It was unforgivably sloppy for someone at Chris’s level to be arrested carding a hotel room.
Max decided he could no longer rely exclusively on his partner. He needed a Plan B.
The run-down strip mall was plunked down in that vast, flat interior of Los Angeles County that doesn’t make it onto postcards, far from the ocean and so distant from the hills that the squat stucco buildings could be a Hollywood set, the featureless sky behind them a blue screen to be filled in with mountains or trees in post-production.
Chris pulled his car into the trash-strewn parking lot. A marquee at the entrance gave top billing to the Cowboy Country Saloon, and below that it was the usual south Los Angeles mix: a liquor store, a pawnshop, a nail salon. And one more that was less usual: UBuyWeRush—the only retail sign in Los Angeles that was also a handle on CarderPlanet and Shadowcrew.
He walked into the front office, where an empty reception window suggested the sixty-cent-per-square-foot space had once been a medical clinic. On the wall a Mercator projection map of the world bristled with pushpins. Then Chris was greeted warmly by UBuy himself, Cesar Carrenza.
Cesar had come to the underground by a circuitous course. He graduated from the DeVry Institute in 2001 with a degree in computer programming, hoping to get an Internet job. When he couldn’t find one, he decided to try his hand as an independent businessman on the Web.
From an ad in the Daily Commerce, he learned about an upcoming auction at a public storage facility in Long Beach, where the owners were selling off the contents of abandoned lockers. When he showed up he found the auction observed a very specific ritual. The manager, wielding an imposing bolt cutter, would snip off the defaulting renter’s lock while the bidders watched, and then open the door. The bidders, about twenty of them, were expected to evaluate the contents from where they stood several feet away. The winner would then secure the unit with his own padlock and clear out the contents within twenty-four hours.
The experienced bidders were easy to spot: Padlocks hung from their belts, and they held flashlights to peer into the dark lockers. Cesar was less prepared but no less eager. He was the only bidder on the first lot, claiming a locker full of old clothes for $1.
He sold the clothes at a yard sale and on eBay for about $60. Figuring he’d found a nice little niche, Cesar started going to more auctions at storage facilities and business liquidations, breaking down large lots and moving them on eBay for a tidy profit. He put the money back into the business and opened his storefront in the Long Beach strip mall to accept consignments from neighbors with office furniture, lawn chairs, and unbranded jeans to sell online.
It was good, honest work—not like his last independent business. For most of the 1990s Cesar had been into credit card fraud. He was happier selling on eBay, but thinking about the past made him wonder if there was a market for the kind of gear he’d used as a crook. He ordered some MSR206s from the manufacturer and offered them for sale through the UBuyWeRush eBay store. He was impressed by how fast they were snapped up.
Then one of his new customers told him about a website where he could really sell. He introduced Cesar to Script, who approved UBuyWeRush as a CarderPlanet vendor. Cesar posted his introduction on August 8, 2003. “I decided to supply all you guys making the real big bucks,” he wrote.
“So if you need me I sell card printers, card embossers, tippers, encoders, small readers and more. I know it sounds like advertising, but it’s for you, a SAFE place to shop.”
Business exploded overnight. Cesar built his own website, began vending on Shadowcrew, got an 800 number, and started accepting e-gold, an anonymous online currency favored by carders. He developed a reputation for excellent customer service. With customers in every time zone, he was scrupulous about answering the phone whenever it rang, day or night. It was always money on the other end of the line.
A canny businessman, he guaranteed same-day shipping and forged relationships with his rivals, so if he was caught short on an item, he could buy stock from a competitor to fill his orders and keep his customers happy. Strategic moves like that soon turned UBuyWeRush into the top supplier of hardware to a worldwide community of hackers and identity thieves. “Really good person, great to deal with,” wrote a carder named Fear, advising a Shadowcrew newbie. “Don’t scam UBuyWeRush cause he’s a cool guy, and he’ll keep your info on the downlow.”
Cesar soon expanded his offerings to include hundreds of different products: skimmers, passport cameras, foil stampers, blank plastic, barcode printers, embossers, check paper, magnetic ink cartridges, even cable TV descramblers.
Selling equipment wasn’t in and of itself illegal, as long as he wasn’t conspiring in its criminal applications. He even had some law-abiding customers who bought his gear to make corporate ID cards and school lunch vouchers.
Inundated with orders, Cesar ran a help-wanted ad in the classifieds and began hiring workers to inventory, pack, and ship his gear. As adjoining offices opened up, he annexed them for the extra storage space, doubling and then tripling his square footage. Fascinated by the global reach of his low-rent strip-mall operation, he bought a wall map, and every time he shipped to a new city he’d sink a pin into the location. After six months, the map was porcupined with pins throughout the United States, Canada, Europe, Africa, and Asia. An impenetrable forest of metal grew southwest of Russia on the Black Sea. Ukraine.