Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground (16 page)


Authors: Kevin Poulsen


The Secret Service had fifteen full-time agents combing through the activity—every purchase would be another “underlying offense” in a grand jury indictment. And the best part was, many of Shadowcrew’s denizens were unwittingly paying the Secret Service for the privilege of being monitored.

But running a game against hackers was never cut-and-dried, as the agency learned on July 28, 2004. That was when Gonzalez informed his handlers that a carder named Myth, one of King Arthur’s cashers, had somehow obtained one of the agency’s confidential documents about Operation Firewall. Myth had been boasting about it in an IRC chat room.

The feds told Gonzalez to find the source of the leak, and fast. As Cumbajohnny, Gonzalez made contact with Myth and learned that the documents represented just a few droplets in a full-blown Secret Service data spill. Myth knew about subpoenas issued in the Shadowcrew probe and had even discovered that the agency was monitoring his own ICQ account. Fortunately, the documents didn’t mention an informant.

Myth refused to tell Gonzalez who his source was but agreed to arrange an introduction. The next day, Gonzalez, Myth, and a mystery hacker using the temporary handle “Anonyman” met on IRC. Gonzalez worked to gain Anonyman’s trust, and the hacker finally revealed himself as Ethics, a vendor whom Cumba already knew on Shadowcrew.

The leak was starting to make sense. In March, the Secret Service had noticed Ethics was selling access to the database of a major wireless carrier, T-Mobile. “I am offering reverse lookup of information for a T-Mobile cell phone, by phone number,” he wrote in a post. “At the very least, you get name, SSN, and DOB. At the upper end of the information returned, you get Web username/password, voicemail password, secret question/answer.”

T-Mobile had failed to patch a critical security hole in a commercial server application it had purchased from the San Jose, California, company BEA Systems. The hole, discovered by outside researchers, was painfully simple to exploit: An undocumented function allowed anyone to remotely read or replace any file on a system by feeding it a specially crafted Web request. BEA produced a patch for the bug in March 2003 and issued a public advisory rating it a high-severity vulnerability. In July of that year, the researchers who discovered the hole gave it more attention by presenting it at the Black Hat Briefings convention in Las Vegas, an annual pre–Def Con gathering attended by 1,700 security professionals and corporate executives.

Ethics learned of the BEA hole from the advisory, crafted his own twenty-line exploit in Visual Basic, then began scanning the Internet for potential targets who had failed to patch. By October 2003, he hit pay dirt at T-Mobile. He wrote his own front end to the customer database to which he could return at his convenience.

At first, he used his access to raid the files of Hollywood stars, circulating grainy candid photos of Paris Hilton, Demi Moore, Ashton Kutcher, and Nicole Richie stolen from their Sidekick PDAs. It was evident now that he’d gotten into a Secret Service agent’s Sidekick as well.

A simple Google search on Ethics’s ICQ number turned up his real name on a 2001 résumé seeking computer security work. He was Nicholas Jacobsen, a twenty-one-year-old Oregonian who’d recently relocated to Irvine, California, to take a job as a network administrator. All that was left was to confirm which Secret Service agent was violating policy by accessing sensitive material on his PDA.

That’s where Gonzalez proved his worth again. Now that he was buddies with Cumbajohnny, Ethics hit up the Shadowcrew leader for an account on his much-touted VPN, figuring it would be a safer way to access T-Mobile.

Gonzalez happily obliged, and his Secret Service handlers got to watch as Ethics surfed to T-Mobile’s customer service website and logged in with the user name and password of New York agent Peter Cavicchia III, a veteran cybercrime officer who’d distinguished himself by busting a former AOL employee for stealing ninety-two million customer e-mail addresses to sell to spammers.

The leak had been found. Cavicchia would quietly retire a few months later, and Ethics was added to the list of Operation Firewall targets.

There was just one more threat to the investigation, and, bizarrely, it was coming from one of the FBI’s underground assets.

David Thomas was a lifelong scammer who’d discovered the crime forums in the Counterfeit Library days and soon became addicted to the high-speed deal making and criminal camaraderie. Now forty-four years old, El Mariachi, as he styled himself, was one of the most respected members in the carding community, assuming the role of mentor to younger scammers and dispensing advice on everything from identity theft to basic life lessons gleaned from decades on the fringe.

His experience, though, didn’t immunize him from the hazards of his profession. In October 2002, Thomas showed up in an office park in Issaquah, Washington, where he and his partner had rented a drop for one of CarderPlanet’s founders. They were hoping to claim $30,000 in Outpost.com merchandise ordered by the Ukrainian. Instead, they found local police waiting for them.

The police arrested Thomas, and a detective read him his Miranda rights and gave him a form to sign acknowledging he understood them. Thomas scoffed at the idea of a local cop trying to question him. “You don’t know who you have here,” he said. He urged the detective to call in the feds; the Secret Service would know who El Mariachi was, and he could give them a case involving Russians and “millions of dollars.”

A Secret Service agent visited him in the county jail but wasn’t impressed by Thomas’s $30,000-drop business. Then an FBI agent from the Seattle field office showed up. On the second meeting, the agent brought along an assistant U.S. attorney and an offer: The feds couldn’t help Thomas with his local case, but when he got out he could go to work for the Northwest Cyber Crime Task Force in Seattle.

It would be an intelligence-gathering mission, an official designation for an FBI operation with no predetermined targets. The bureau would get Thomas a new computer, put him up in a nice apartment, pay all of his expenses, and give him $1,000 a month in spending money. In return, Thomas would gather information on the underground and report it back to the task force.

Thomas hated snitches, but he liked the idea of being paid to observe and comment on the underground with which he’d become obsessed. Intelligence gathering wasn’t the same as snitching, he reasoned, and he could use the material he collected to write a book about the carding scene, something he’d been thinking a lot about lately.

He also knew exactly how to gather the information the task force was after.

Thomas was released from jail five months after his arrest. And in April, the FBI gained a new asset in the war on cybercrime: El Mariachi and his brand-new government-funded crime forum, the Grifters.

From his bureau-rented corporate apartment in Seattle, El Mariachi was soon gathering information on his fellow carders, particularly the Eastern Europeans. But though Thomas was working for the FBI, he didn’t exactly feel kinship with other government assets, and the VPN announcement convinced him—correctly—that Cumbajohnny was a federal informant.

Thomas became fixated on exposing his rival. Ignoring admonishments from his FBI handler, he continuously called out Gonzalez on the forums. Gonzalez, too, seemed to have it in for El Mariachi—he dug up a copy of the police report from Thomas’s Seattle arrest and circulated it among the Eastern European carders, drawing their attention to the part where Thomas offered to help catch Russians. A full-blown proxy war had broken out between the FBI and Secret Service, by way of two informants.

It was a bad time to be distracting the Eastern Europeans with American carder drama. In May 2004, one of CarderPlanet’s Ukrainian founders was extradited to the United States, after being arrested on vacation in Thailand. The next month, the British national police moved in on the site’s only native English-speaking administrator in Leeds.

Script, getting heat from the Orange County FBI and the U.S. Postal Inspection Service, had already retired from the site, leaving King Arthur in charge. On July 28, 2004, King made an announcement.

“It is time to tell you the bad news—the forum should be closed,” he wrote. “Yes, it really means closed and there are a lot of reasons for that.”

In broken English he explained that CarderPlanet had become a magnet for law enforcement agencies around the world. When carders were busted, police interrogators badgered them with questions about the forum and its leaders. Under the relentless pressure, he implied, even he might slip up. “All of us are just people and all of us can make mistakes.”

By closing CarderPlanet, he would be depriving his enemies of their greatest asset. “Our forum held them well informed and up to date, and on our forum they and the bank employees just have been raising their level of proficiency and knowledge,” he wrote.

“Now all of thing will be the same but they will not know where the wind blows from and what to do.”

With that farewell note, King Arthur, almost certainly a millionaire ten times over, became a carder legend. He would be remembered as the one who gently folded the great CarderPlanet before anyone else could enjoy the pleasure of taking it down.

Shadowcrew’s leaders wouldn’t be so lucky. In September, the FBI pulled the plug on Thomas’s operation and gave him a month to move out of his apartment—ending his war with Cumbajohnny. The next month, on October 26, sixteen Secret Service agents gathered in a Washington command center to drop the hammer on Operation Firewall. Their targets were marked on a map of the United States filling a wall of computer displays. Every one of them would be at home, the agents knew; at the Secret Service’s behest, Gonzalez had called an online meeting for that evening, and nobody said no to Cumbajohnny.

At nine p.m., agents armed with MP5 semiautomatic assault rifles burst into Shadowcrew members’ homes around the country, grabbing three founders, T-Mobile hacker Ethics, and seventeen other buyers and sellers. It was the biggest crackdown on identity thieves in American history. Two days later, a federal grand jury handed down a sixty-two-count conspiracy indictment and the Justice Department went public with Operation Firewall.

“This indictment strikes at the heart of an organization that is alleged to have served as a one-stop marketplace for identity theft,” Attorney General John Ashcroft boasted in a press release. “The Department of Justice is committed to taking on those who deal in identity theft or fraud, whether they act online or off.”

With Gonzalez’s help, the Secret Service locked Shadowcrew’s remaining four thousand users out of the site and swapped in a new front page featuring a Secret Service banner and an image of a prison cell. The new page struck the Shadowcrew tagline, “For Those Who Like to Play in the Shadows,” and substituted a new motto: “You Are No Longer Anonymous!!”

Panicked carders around the world soaked up the news reports and watched the television coverage, worrying for themselves and their fallen compatriots. They collected on a small forum called Stealth Division to assess the damage and take a head count of survivors. “I am scared to death for my family right now—for my children,” wrote one cyberthief. “I just learned that my every move has been recorded.”

Slowly, they realized that Cumbajohnny wasn’t on the list of defendants. That’s when he logged in to make a final appearance.

“I want everyone to know I’m on the run and I had no fucking idea the USSS had the capabilities of doing what they did,” Gonzalez wrote. “From the news articles I can tell they’ve wiretapped my VPN and wiretapped the Shadowcrew server. This is my last post, good luck everyone.”

Nick Jacobsen, Ethics, was kept out of the press release and quietly indicted separately in Los Angeles—his intrusion into the Secret Service’s e-mail wouldn’t emerge until well after the agency had collected its accolades for Operation Firewall. Even then, the dragnet was a clear victory for the government. CarderPlanet was shuttered, and now Shadowcrew was closed for good, and its leaders—save Gonzalez—were in jail.

The carders were confused, paranoid, and, for the moment, homeless. “It will take years and years for any message board like Shadowcrew to build up,” wrote one. “And when or if it does, law enforcement will bust it again.

“And knowing what can be done, I doubt anyone will take the risk of putting another one up.”

Pizza and Plastic
 

On the top floor of the Post Street Towers, Max’s computers sat on the wood-veneer floor, silent and cool. Outside the bay window, shops and apartments were ready to unwittingly feed him bandwidth through his oversized antenna.

Max had gone dormant for a few months after accumulating a pile of cash from the Citibank operation; he’d abandoned his penthouse apartment and put his hacking on the back burner. But he couldn’t stay away long. He’d asked Chris to rent him a new safe house, one with more neighborhood Wi-Fi options than the last. “I just need a closet, I don’t need any space,” he’d said.
