Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground (25 page)

Read Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground Online

Authors: Kevin Poulsen

Tags: #Technology & Engineering, #Computer hackers, #Commercial criminals - United States, #Commercial criminals, #Social Science, #True Crime, #Computers, #General, #United States, #Criminals & Outlaws, #Computer crimes, #Butler; Max, #Case studies, #Computer crimes - United States, #Biography & Autobiography, #Computer hackers - United States, #Security, #Engineering (General), #Criminology

BOOK: Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground
11.66Mb size Format: txt, pdf, ePub
 

Two days later, Max proved he was serious. He hacked into El Mariachi’s website, the Grifters, which Thomas had turned into a semi-legitimate security site dedicated to watching the carding forums. Max wiped the hard drive. The site never came back.

Iceman announced his triumph in a final public message to the blog. “I have nothing to prove, and now having beat down David Renshaw Thomas, federal snitch, I make my exit,” he wrote. “Unlike you people, I pay attention to my own business. Learn a lesson. Move on and leave me the fuck alone.”

But Max wasn’t going to be able to slip back into the shadows. Two reporters from
USA Today
had taken notice of the public carder war and confirmed the details of the hostile takeover with security firms watching the forums. The morning after Max declared victory over El Mariachi, delivery drivers around the country plunked down Thursday’s edition of
the paper on more than two million doorsteps from coast to coast. There, on the front page of the business section, was the whole sordid tale of Iceman’s annexation of the carding sites.

By letting his ego lead him into a public battle with David Thomas, Max had gotten Iceman into the largest-circulation daily in America.


The Secret Service and FBI declined to comment on Iceman or the takeovers,” the article read. “Even so, the activities of this mystery figure illustrate the rising threat that cybercrime’s relentless expansion—enabled in large part by the existence of forums—poses for us all.”

The story wasn’t a surprise; the reporters had approached Iceman for comment, and Max had e-mailed a long one, lobbing his Craigslist defense. His views didn’t make it into the article, and the story only made Max more defiant. He added a quote from the piece to the top of the Carders Market login page: “It’s like he created the Wal-Mart of the underground.”

Max showed the article to Charity. “I seem to have created quite a stir.”

Chris was apoplectic when he learned that Max had corresponded with the journalists. He’d watched as Max burned hours squabbling with Thomas. Now his partner was giving press interviews?


You’ve lost your fucking mind,” he said.

Max was swamped. Vouch requests were pouring into Carders Market in a torrent. The
USA Today
article seemed to bring out every street-level hood hoping to break into computer fraud. The site picked up over three hundred new members overnight. Two weeks later, they were still coming in.

He offloaded as much of the work as he could to his admins. Max had other things to worry about now. His spear-phishing attack against the financial institutions had been wildly successful, but getting past the banks’ firewalls had turned out to be the easy part.
Bank of America and Capital One, in particular, were huge institutions, and Max was lost in their vast
networks. He could easily spend years on either one, just looking for the data and the access he needed to make a big score. Max was having trouble staying motivated for the mind-numbing follow-through to his intrusions; cracking the networks had been the fun part, and now that was over.

Instead, Max put the banks on the back burner to focus on the carding war. Max’s new hosting provider was getting complaints about the rampant criminality on Carders Market. Max saw one of the e-mails, sent from an anonymous webmail account. On a hunch, Max tried logging in to the account with JiLsi’s password. It worked. JiLsi was trying to get him shut down.

Max retaliated by hacking into JiLsi’s account on the Russian forum Mazafaka and posting an avalanche of messages reading, simply, “I’m a fed.” Then he went public with the evidence of JiLsi’s malfeasance; snitching to Carders Market’s hosting company was a scummy tactic.

DarkMarket just didn’t have the decency to die. Max could have dropped the database again, but it would do no good—the site had come back before. His DDoS attacks had become ineffective, too. Overnight, DarkMarket had come into expensive high-bandwidth hosting and erected dedicated e-mail and database servers. It was suddenly a hard target.

Then Max heard an intriguing rumor about DarkMarket.

The story involved Silo, a Canadian hacker known for an uncanny ability to juggle dozens of false handles in the community, effortlessly switching writing styles and personalities for each one. Silo’s second claim to fame was his compulsive back-dooring of other carders. He was constantly posting software with hidden code that would let him spy on his peers.

Both traits were at play when Silo registered an account at DarkMarket under a new handle and submitted a piece of hacking software for vendor review. True to form, Silo had secreted a hidden function in the software that would smuggle a user’s files out to one of Silo’s servers.

When Silo looked at the results, he found a small cache of blank Microsoft Word templates, including a “malware report” form. The templates
carried the logo for an organization called the National Cyber Forensics and Training Alliance in Pittsburgh. Max looked them up; it was a fed shop. Someone connected with DarkMarket was working for the government.

Determined to investigate, Max breached DarkMarket again through his back door. This time, it was a reconnaissance mission. He dropped into a root shell and entered a command to bring up the recent login history and then started down the list in another window, checking the public registration records for each of the Internet IP addresses used by the administrators. When he got to Master Splyntr, he stopped. The supposedly Polish spammer had connected from an IP address belonging to a private corporation in the United States called Pembrooke Associates.

He pulled up the Whois.net registration records for the company’s website, Pembetal.com. The mailing address listed was a PO box in Warrendale, Pennsylvania, twenty miles north of Pittsburgh. There was also a phone number.

Another click of his mouse, another browser window—the reverse white pages at Anywho.com. He entered the phone number and this time got a real street address: 2000 Technology Drive, Pittsburgh, Pennsylvania.

It was the address he’d already found for the National Cyber Forensics and Training Alliance. Master Splyntr was a fed.

Carder Court
 

eith Mularski was screwed.

He got the word first from an agent at the Secret Service field office across town. “I think you may be in some trouble.” One of their myriad informants heard that Iceman had uncovered incontrovertible proof that Master Splyntr was either a snitch, a corporate security spy, or a federal agent. Iceman had forged a temporary alliance with his sometime enemy Silo and was preparing a comprehensive presentation for the leadership of Carders Market and DarkMarket. Iceman and Silo were going to put Master Splyntr on trial.

It had begun with Silo’s code. Master Splyntr’s reputation as a spammer and programmer made him DarkMarket’s go-to guy for malware reviews. It was one of the perks of his undercover operation: Mularski got the first look at the underground’s latest attack code and could pass it to CERT, who would in turn give it to all the antivirus companies. The malicious code would be detectable even before it went on the black market.

This time, Mularski had assigned the code as a training exercise to one of the CMU students interning at NCFTA. As standard procedure, the student ran the program isolated in a virtual machine—a kind of software petri dish that could be scrubbed afterward. But he forgot that he had a thumb drive in the USB port. The drive was loaded with blank malware report forms containing the NCFTA logo and mission statement.
Before the intern realized what was happening, the documents were in Silo’s hands.

Six DarkMarket admins and moderators had gotten a copy of Silo’s code. Now the Canadian knew that one of them was a fed.

Silo was a wild card. In real life, he was Lloyd Liske, a Vancouver auto shop manager and credit card forger who’d been busted a few months after Operation Firewall. When he was sentenced to eighteen months of house arrest, Liske changed his surname from Buckell and his handle from Canucka, and reemerged in the carding scene.

Now the Canadian was untouchable. It was widely known in law enforcement circles that Silo was an informant for the Vancouver Police Department. That’s why he was always back-dooring other hackers: The Trojan horse that infiltrated NCFTA wouldn’t have been intended to expose a law enforcement operation;
it was just Silo trying to gather intelligence on DarkMarket members for the police.

Silo had no allegiance to the FBI, but he probably wouldn’t have gone out of his way to expose a bureau undercover operation. Unfortunately, Iceman had learned about the discovery and staged his reconnaissance raid on DarkMarket. That’s where Mularski’s own personal screwup came into play. He normally logged in to DarkMarket through his KIRE shell, hiding his location. But JiLsi was a demanding boss, constantly hitting Master Splyntr with maintenance tasks—like swapping in a new banner ad—that simply had to be performed at once. Sometimes KIRE was down when Mularski got one of these requests, and he’d take a shortcut and log in directly. Iceman had caught him.

Even then, he should have been relatively safe. The office broadband service was set up under the name of a dummy corporation, with a phone number that rang to an unanswered VoIP line in the communications room. The phone line was supposed to be unlisted. Somehow, though, it wasn’t, and Iceman had gotten the address and recognized it as the NCFTA’s.

Mularski walked hurriedly to the communications room, swiped his
access card, keyed in the door code, and locked himself inside. He picked up the secure line to Washington. The FBI agent didn’t sugarcoat his report to the brass. After all his work winning undercover authority to take over DarkMarket, getting a buy-in from senior Justice Department and bureau officials, Iceman was going to blow them out of the water just three weeks into the operation.

Max struggled with how to handle the exposé—after his attacks on DarkMarket, he knew his findings would be viewed as partisan mudslinging. He considered shuttering Carders Market before exposing Master Splyntr, to avoid the perception that the whole thing was just another volley in the carding wars. Instead, he decided to send his new lieutenant, Th3C0rrupted0ne, to represent his site.

The trial was held over Silo’s “Carder IM”—a free, supposedly encrypted instant messaging program the Canadian hacker offered as an alternative to AIM and ICQ, supported by display ads for dumps vendors. Matrix001 showed up from the DarkMarket side—JiLsi was busy with the fallout from Max’s attack on Mazafaka. Silo and two other Canadian carders were also present. Silo opened the meeting by handing out a compressed RAR file containing the evidence gathered by him and Iceman.

When some of the carders opened the file, their antivirus software went wild. Silo had back-doored the evidence; not a promising start to a summit meeting.

C0rrupted and Silo walked them through the case: Silo’s document templates showed that someone at NCFTA held a privileged position on DarkMarket, and the access logs Iceman had stolen proved that Master Splyntr was the mole.

“One hundred percent undeniable proof,” wrote C0rrupted. “We worked hard to try and make peace, and if we go public LE [law enforcement] is going to come after us HARD. But if we don’t say anything, we are responsible for all those who get fucked over.”

“This is for real dude,” said Silo.

Matrix was unconvinced. He ran his own Whois on the Pembrooke Associates domain name and got back an anonymous listing through Domains by Proxy: no street address, no phone number. “Blah,” Matrix typed. “You did not even verify the whois info and the company, did you? Who passed you that stuff?”

“That’s not my stuff,” wrote Silo. “That’s Iceman.”

“So you believe every shit which is pasted to you? Without even verifying it?”

Silo’s evidence was no more convincing to Matrix: The NCFTA templates contained spelling and formatting errors—would the FBI, or a nonprofit security group, really do such shoddy work? Moreover, Iceman’s contempt for DarkMarket was well-known, and Silo was a constant annoyance on the board.

The conversation grew heated. C0rrupted dropped out, and the others fell silent while Silo and Matrix began exchanging insults. “What in the whole world should make me trust you?” asked Matrix.

“Don’t,” Silo finally said. “Don’t trust me. Get the fuck off my IM … Go get busted.”

Mularski was excluded from the meeting, but when it concluded, Matrix sent Master Spyntr a transcript. The agent was pleased to see his last-minute cleanup had worked: As soon as he’d learned about Iceman’s plans to expose him, he’d contacted the domain registrar and got the company to scrub the Pembrooke Associates name and phone number from the records. Then he asked Anywho to take out its listing for the undercover phone line. The cover-up was sure to convince Iceman all the more that Master Splyntr was a fed, but nobody else was able to independently verify his findings.

Now Mularski went into spin control over ICQ. He told Matrix and anyone else who’d listen that he was innocent. He directed the carders’ attention to the logs, highlighting all the occasions he’d logged in from
KIRE’s IP address. Those are my logins, he wrote. I don’t know who those other logins are.

Other books

Doctored Evidence by Donna Leon
Niko: Love me Harder by Serena Simpson
Counselor Undone by Lisa Rayne
Three Wishes by Alexander, Juli
Trust in Me by Cassia Leo
Lined With Silver by Roseanne Evans Wilkins
Deathscape by Dana Marton
No Place for a Lady by Maggie Brendan