Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground (36 page)

Authors: Kevin Poulsen

Chapter 33: Exit Strategy

1. Max decided to invest in a rope ladder: Interview with Max.

2. Max finally learned about Giannone’s bust from a news article: Kim Zetter, “Secret Service Operative Moonlights as Identity Thief,” Wired.com. June 6, 2007 (http://www.wired.com/politics/law/news/2007/06/secret_service).

3. He was growing jumpier every day: Based on an interview with Charity Majors. Max says he was alert but not jumpy.

4. a judge approved his legal name change from Max Butler to Max Ray Vision: In Re: Max Ray Butler, CNC-07-543988, County of San Francisco, Superior Court of California.

5. Silo had hidden a second message: Interview with Max. Lloyd Liske would neither confirm nor deny this account.

6. The company openly marketed the service as a way to circumvent FBI surveillance: “In some countries, government sponsored projects have been set up to collect massive amounts of data from the Internet, including emails, and store them away for future analysis. […] One example of such a program was the FBI’s Carnivore project. By using Hushmail, you can be assured that your data will be protected from that kind of broad government surveillance.” http://www.hushmail.com/about/technology/security/.

7. forced Hushmail officials to sabotage their own system and compromise specific surveillance targets’ decryption keys: Ryan Singel, “Encrypted E-Mail Company Hushmail Spills to Feds,” Wired.com. November 7, 2007. Detective Mark Fenton of the Vancouver Police Department said he provided Max’s Hushmail e-mail to the Secret Service.

8. It was supposed to be a training run for one of Chris’s new recruits: Interviews with Tsengeltsetseg Tsetsendelger and Chris Aragon.

9. a female Secret Service agent disguised as a maid: The Secret Service’s surveillance, including the ride up the elevator with Max, was described in an affidavit in U.S. v. Max Ray Butler, 2:07-cr-00332, U.S. District Court for the Western District of Pennsylvania. Max said in an interview that the agent was dressed as a maid. FBI agent Mularski says the surveillance was on and off for months.

10. Chris picked out Max’s mugshot from the photos: U.S. v. Max Ray Butler, 2:07-cr-00332, U.S. District Court for the Western District of Pennsylvania. Aragon says the government tricked him by telling him Max had already been arrested, but he also gave them information on Max’s security measures, which undermines that claim. Court records for Aragon’s criminal case in Orange County indicate a sealed letter from Dembosky is on file. The People of the State of California vs. Christopher John Aragon, et al., 07HF0992, Superior Court of California, County of Orange.

11. Two had lost power when an agent tripped over an electrical cable: According to Max.

12. Max’s head snapped to look at Master Splyntr: Interview with Mularski.

13. “You were right”: Interview with Charity Majors.

14. “Why do you hate us?”: Interview with Max.

Chapter 34: DarkMarket

1. he told a harrowing story: “Son bilgiyi verecekken yok oldu!” Haber 7, August 12, 2008 (http://www.haber7.com/haber/20080812/Son-bilgiyi-verecekken-yok-oldu.php).

2. fingering a known member of Cha0’s organization as the shipper: Mularski described the genesis of the investigation. The role played by the shipping companies was detailed by Uri Rivner of RSA in a blog post (http://www.rsa.com/blog/blog_entry.aspx?id=1451). The Turkish National Police referred inquiries to their embassy in Washington, DC, which declined to make detectives available for interviews.

3. a tall, beefy man with close-cropped hair and a black T-shirt emblazoned with the Grim Reaper: Per police video of the arrest and search. Also see “Enselenen Chao sanal semayi anlatti,” Haber 7, September 12, 2008 (http://www.haber7.com/haber/20080912/Enselenen-Chao-sanal-semayi-anlatti.php).

4. matching his appearances at the Java Bean with JiLsi’s posts: Interview with Mularski. Also see Caroline Davies, “Welcome to DarkMarket—global one-stop shop for cybercrime and banking fraud,” Guardian, January 4, 2010 (http://www.guardian.co.uk/technology/2010/jan/14/darkmarket-online-fraud-trial-wembley).

5. JiLsi’s associate, sixty-seven-year-old John “Devilman” McHugh: Ibid.

6. Erkan “Seagate” Findikoglu: Interview with Mularski. Also see Fusun S. Nebil, “FBI Siber Suçlarla, ABD Içinde ve Disinda Isbirlikleri ile Mücadele,” Turk.internet.com, June 15, 2010 (http://www.turk.internet.com/portal/yazigoster.php?yaziid=28171).

7. Twenty-seven members of Seagate’s organization were charged in Turkey: Interview with Mularski.

8. a reporter for Südwestrundfunk, Southwest Germany public radio: The reporter was Kai Laufen. See http://www.swr.de/swr2/programm/sendungen/wissen/-/id=660374/nid=660374/did=3904422/p6601i/index.html.

9. The U.S. press picked up the story: The author was the first to identify J. Keith Mularski by name as the FBI agent posing as Master Splyntr, in “Cybercrime Supersite ‘DarkMarket’ Was FBI Sting, Documents Confirm,” Wired.com, October 13, 2008 (http://www.wired.com/threatlevel/2008/10/darkmarket-post/).

Chapter 35: Sentencing

1. It had taken the CERT investigators only two weeks to find the encryption key: Max well knew that the key was vulnerable while in RAM, but he believed the software security on his server would prevent anyone from gaining access to its memory. CERT’s Matt Geiger, who led the forensics team, declined to comment on how he bypassed that security, but he said he was able to run memory-acquisition software on Max’s computer.

2. Max had stolen 1.1 million of the cards from point-of-sale systems: Max didn’t challenge this amount for sentencing, but in interviews he expressed disbelief that the number could be that high.

Chapter 36: Aftermath

1. An undercover Secret Service operative lured him to a nightclub: “2010 Data Breach Investigations Report,” Verizon RISK Team in cooperation with the United States Secret Service, July 28, 2010.

2. ICQ user 201679996: Affidavit In Support of Arrest Warrant, May 8, 2007, U.S. v. Albert Gonzalez, 2:08-mj-00444, U.S. District Court for the Eastern District of New York.

3. it was Jonathan James who would pay the highest price: See the author’s “Former Teen Hacker’s Suicide Linked to TJX Probe,” Wired.com, July 9, 2009 (http://www.wired.com/threatlevel/2009/07/hacker/).

4. They recruit ordinary consumers as unwitting money launderers: For more detail on these so-called “money mule” scams, see the blog of former Washingtonpost.com reporter Brian Krebs, who has covered the crime extensively: http://krebsonsecurity.com/.

5. the Secret Service had been paying Gonzalez an annual salary of $75,000 a year: First reported in Kim Zetter, “Secret Service Paid TJX Hacker $75,000 a Year,” Wired.com, March 22, 2010.

6. filed by the attorneys general of 41 states: Sources include Dan Kaplan, “TJX settles over breach with 41 states for $9.75 million,” SC Magazine, June 23, 2009 (http://www.scmagazineus.com/tjx-settles-over-breach-with-41-states-for-975-million/article/138930/).

7. another $40 million to Visa-issuing banks: Mark Jewell, “TJX to pay up to $40.9 million in settlement with Visa over data breach,” Associated Press, November 30, 2007.

8. Heartland had been certified PCI compliant: Sources include Ellen Messmer, “Heartland breach raises questions about PCI standard’s effectiveness,” Network World, January 22, 2009 (http://www.networkworld.com/news/2009/012209-heartland-breach.html).

9. Hannaford Brothers won the security certification even as hackers were in its systems: Sources include Andrew Conry-Murray, “Supermarket Breach Calls PCI Compliance into Question,” InformationWeek, March 22, 2008.

10. The restaurants filed a class-action lawsuit: http://www.prlog.org/10425165-secret-service-investigation-lawsuit-cast-shadow-over-radiant-systems-and-distributo.html. Also, “Radiant Systems and Computer World responsible for breach affecting restaurants—lawsuit,” Databreaches.net, November 24, 2010 (http://www.databreaches.net/?p=8408) and Kim Zetter, “Restaurants Sue Vendor for Unsecured Card Processor,” Wired.com, November 30, 2009 (http://www.wired.com/threatlevel/2009/11/pos).

11. White hats have devised attacks against chip-and-PIN: See Steven J. Murdoch, Saar Drimer, Ross Anderson, and Mike Bond, “Chip and PIN Is Broken,” University of Cambridge Computer Laboratory, Cambridge, UK. Presented at the 2010 IEEE Symposium on Security and Privacy, May 2010 (http://www.cl.cam.ac.uk/research/security/banking/nopin/). The response by the UK Card Association is at http://www.theukcardsassociation.org.uk/view_point_and_publications/what_we_think/-/page/906/.

12. hundreds of thousands of point-of-sale terminals with new gear: The cards themselves are more expensive as well. For a more thorough discussion of the issues holding back chip-and-PIN’s adoption in the United States, see Claes Bell, “Are chip and PIN credit cards coming?” Bankrate.com, February 18, 2010 (http://www.foxbusiness.com/story/personal-finance/financial-planning/chip-pin-creditcards-coming/). See also Allie Johnson, “U.S. credit cards becoming outdated, less usable abroad,” Creditcards.com (http://www.creditcards.com/credit-card-news/outdated-smart-card-chip-pin-1273.php).

Epilogue

1. His mother suggested he get an agent: A letter to the author from Aragon.

ACKNOWLEDGMENTS
 

I first encountered Max Vision some ten years ago, when I was a newbie reporter for the computer security site SecurityFocus.com. Max was then facing charges over his scripted attack on thousands of Pentagon systems, and I was fascinated by the story playing out in the Silicon Valley courtroom, where the federal justice system was bearing down on a once-respected computer security expert who’d upended his life with a single, quixotic hack.

Years later, after I’d reported on hundreds of computer crimes, vulnerabilities, and software glitches, Max was arrested again, and a new federal indictment exposed the secret life he’d led after his fall from grace. As I investigated, I grew certain that Max, more than anyone else, embodied the sea change I’d witnessed in the world of hacking, and would be the perfect lens through which to explore the modern computer underground.

Fortunately, others agreed. I owe a debt of thanks to my agent, David Fugate, who guided me through the process of developing my idea into a book proposal, and my editor at Crown, Julian Pavia, who worked tirelessly to keep me on course and only slightly behind schedule throughout a year of reporting, writing, and rewriting.

Also crucial was the enormous support from my boss, Evan Hansen, editor in chief at Wired.com. And I’m grateful to my colleagues at Wired.com’s Threat Level blog, Kim Zetter, Ryan Singel, and David Kravets, who collectively shouldered the burden of my absence for two months while I finished the book and then braved the burden of my irritable, bleary-eyed return afterward.

My thanks also to Joel Deane and Todd Lapin, who showed me the ropes when I became a journalist in 1998, and Al Huger and Dean Turner of SecurityFocus.com. Jason Tanz at Wired magazine did an amazing job with my feature article on Max, “Catch Me If You Can,” in the January 2009 issue.

Among my guides in this book were the cops, feds, hackers, and carders who spoke with me at length, with no benefit to themselves. FBI Supervisory Special Agent J. Keith Mularski was particularly generous with his time, and Max Vision spent many hours on the prison phone and writing long e-mails and letters to share his story with me.

My thanks to U.S. Postal Inspector Greg Crabb, Detective Bob Watts of the Newport Beach Police Department, former FBI agent E. J. Hilbert, and Assistant U.S. Attorney Luke Dembosky, the latter of whom wouldn’t tell me much, but was always nice about it. And I’m grateful to Lord Cyric, Lloyd Liske, Th3C0rrupted0ne, Chris Aragon, Jonathan Giannone, Tsengeltsetseg Tsetsendelger, Werner Janer, Cesar Carranza, and other veterans of the carder scene who asked to remain unnamed.
