Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground (20 page)

He’d been working with the mystery hacker for over a year—mostly acquiring servers that Iceman used in his vulnerability scanning—and he was still constantly under Iceman’s electronic scrutiny. One day, the hacker sent Giannone a link purporting to be a CNN article about computer problems at JetBlue, the airline that had rebuffed Giannone’s long-ago extortion attempt. Giannone clicked on the link without thinking, and, just like that, Iceman was on his computer again. Client-side attacks for the win.

Giannone began routinely checking his computer for malware but couldn’t keep up with Iceman’s intrusions. Max got ahold of Giannone’s United Airlines Mileage Plus password and began tracking his movements around the world—Giannone was a serious air travel aficionado who’d sometimes fly just to accumulate miles. When he’d land at San Francisco International, he’d find a text message from Iceman waiting for him on his cell. “Why are you in San Francisco?”

It might have been amusing if it weren’t for Iceman’s frightening mood swings. He could turn on you in a minute—one day you’d be his best friend, his “number one guy”; the next he’d be convinced you were a snitch, a ripper, or worse. He wrote Giannone long, unprompted e-mail
diatribes, laundry lists of grievances against Chris or various members of the carding community.

It was jealousy, Giannone figured. While he and Chris were partying in Vegas and the OC, Iceman was locked in his apartment, working like a dog. Indeed, the hacker’s outbursts often coincided with one of Giannone’s California sojourns. In June 2005, Iceman picked a fight as Giannone boarded an early morning flight to Orange County—Iceman was taking him to task for some oversight in one of their joint operations. The first message hit Giannone’s BlackBerry at six a.m.—three in the morning San Francisco time—and the texts continued nonstop for 2,500 miles before Iceman finally fell silent as the plane landed. When Giannone checked his e-mail later, he found dozens of apologetic letters from the hacker. “Sorry, I apologize. I was bugging out.”

On an earlier occasion, in September 2004, Giannone told Iceman he was about to fly out to visit Chris, and Max remarked cryptically that he could prevent the trip if he wanted to. Giannone laughed. But an hour and a half into his flight, the plane suddenly turned around and headed for Chicago. As the airliner set down at O’Hare, the captain explained that the Los Angeles air traffic control center had gone dark, necessitating the change in itinerary.

It turned out a computer error was responsible. There was a known bug in the Windows-based radio control system at the Los Angeles Air Route Traffic Control Center in Palmdale, which
required technicians to reboot the machine every 49.7 days. They’d missed a reboot, and a backup system had failed at the same time. The outage resulted in hundreds of flights being grounded and five incidents of airplanes drifting closer to each other than safety regulations permit. No foul play was discovered, but years later, when the full range of Max Vision’s powers became clear, Giannone would find himself wondering if Iceman hadn’t cracked the FAA’s computers and crippled Los Angeles, just to stop him from going clubbing with Chris.

Giannone finally took radical measures to try to keep Iceman out of his stuff: He bought an Apple. Iceman could penetrate just about anything. But
Giannone was pretty sure he couldn’t hack Macs.

While Max kept up surveillance of his crime partners, Carders Market began slowly generating buzz, intensified by the mysterious swagger of its founders. As Iceman and Easylivin’, Max and Chris were unknown quantities among their fellow crooks, but experienced carders could practically smell the confidence and street smarts in their posts.

In Seattle, word of the new site reached Dave “El Mariachi” Thomas, the former FBI asset who, like Max, had tried to blow the whistle on Operation Firewall. Thomas had been feeling adrift since the feds pulled the plug on his intelligence-gathering operation, and he was looking for a new online home.

Wary at first, Thomas registered under a fake handle. But when Iceman invited a public discussion of Carders Market’s philosophy and charter, Thomas dove in, opining in detail on the course the site should follow to nurture successful ops while avoiding Shadowcrew’s fate.

At first, Chris and Max thought Thomas might be a valuable contributor. But they soon detected that he had a beef with one of their handpicked admins, Brett “Gollumfun” Johnson.

Rumors had been swirling about Johnson since his return to the scene—you don’t just disappear for two years and then come back onto the carder forums as though nothing has happened. In August, a hacker called “Manus Dei”—the Hand of God—added fuel to the fire when he cracked Johnson’s e-mail account and posted a blistering profile of the carder on a Google Group called FEDwatch. The write-up gave Johnson’s real name, his current address in Ohio, and a slew of personal details stolen from his in-box. Among the revelations: Johnson had been corresponding with a
New York Times
reporter about the carding scene and had registered
a mysterious domain name, Anglerphish.com—perhaps in preparation for starting his own site.

There was nothing to suggest that Johnson was snitching, though, and neither Max nor Chris had been particularly alarmed by the info dump. Thomas, on the other hand, was now convinced the Shadowcrew founder was an informant. After all, Johnson had announced his retirement before Operation Firewall and then reappeared afterward with no real explanation.

The last thing Chris and Max needed on their emerging site was a shootout between two old-school carders with a Shadowcrew-era grudge. Still possessed by an entrepreneurial pride, Chris wanted the site to be the best crime forum possible.
So he reached out to Thomas by ICQ to try to head off trouble.

“I’m not going to entertain any drama about Gollumfun, or others, who is a rat who isn’t a rat,” Chris wrote. “I just want a clean nice board so we can have a safe place to play.”

Chris promised he’d give Johnson the same message: Play nice. It was Conflict Resolution 101. He followed the paternalistic lecture by asking Thomas’s advice on running a successful forum—showing the elder carder respect for his years of experience. But to make sure his admonition was taken seriously, Chris added a warning. “We are not kids dude,” he wrote. “We are very old school. And we are very good at what we do.”

Thomas promised to behave, adding that he’d do his best to help make Carders Market the drama-free forum everyone wanted. But secretly, a hard pit of suspicion was forming in his gut. Why would anybody defend Brett Johnson, who was so obviously a snitch?

He noticed that Easylivin’ was using an old version of ICQ that leaked an Internet IP address. Thomas tried to trace the address and wound up in Boston, a known hotbed of federal informants. Carders Market’s hosting was based in Ft. Lauderdale, Florida, another perfect place to run an undercover operation. And the phone number on the domain name listing
went to a police department in California, albeit in a different area code. That was probably a coincidence, but who knows?

When he was done adding up the evidence, he felt sick to his stomach. Carders Market was a federal sting. It was obvious now. He vowed to himself that he’d do everything he could to destroy the new site and bring down the old-school assholes Easylivin’ and Iceman.

ax was developing suspicions of his own about Brett Johnson. He began keeping a close eye on the admin on Carders Market, checking his access logs and scouring his private messages. For good measure, he hacked into Johnson’s account on the International Association for the Advancement of Criminal Activity, IAACA, and reviewed his activity there. He found no smoking gun.

Could he really have brought an informant into the inner circle of his new crime site?

The problem was that there was no reliable test to determine if Johnson, or anyone else, was working for the government. Max wanted one badly—a jurisprudence security hole, like the buffer overflow in BIND, that he could use over and over again on anyone he suspected.
If (is_snitch(Gollumfun)) ban(Gollumfun);
. He confided in David Thomas, not realizing that Thomas had already put Iceman on his mile-long enemies list.

Brett Johnson was indeed dirty. But contrary to suspicions, his return to crime in the post-Firewall era hadn’t started as a snitching expedition. It had all begun with a girl.

Johnson’s crime and cocaine habits had driven away his wife of nine years—she threw out his MSR206 on her way out the door—and he’d been seeing a psychologist to cope with the loss. Then he met Elizabeth in a North Carolina bar. She was a twenty-four-year-old exotic dancer at a local strip club, and for Johnson it was love at first sight. He burned through his savings to buy her gifts, a $1,500 purse here, a $600 pair of shoes there, and she moved in with him after five months. But when they had sex for the first time, she wouldn’t let him kiss her.

Johnson’s darkest suspicions were confirmed when he located Elizabeth on a website on which men post reviews of strippers and prostitutes. There it was, line after line of disgusting detail about the services his girlfriend had been providing in exchange for cocaine and cash. He confronted her with the evidence, and she tearfully promised to quit the drugs and the prostitution.

Hoping to wrench her from the patterns of her old life, Johnson showered Elizabeth with more gifts and expensive dinners out. It was that, and not any hidden agenda, that impelled his return from retirement.
He needed the money, plain and simple.

The luck that had seen him through Operation Firewall failed him on February 8, 2005, when Charleston, North Carolina, police busted him for using counterfeit Bank of America cashier’s checks to pay for Krugerrands and watches he won on eBay and had shipped COD to his drops. After a week of stewing in the Charleston County Detention Center, pining for Elizabeth, the Secret Service paid him a visit. Once he convinced them he was Gollumfun—the admin who got away when they dropped the hammer on Shadowcrew—they agreed to help him with his state case if he’d work for them.

The Secret Service had Johnson’s bail lowered to $10,000. When he bonded out, the agents moved him from Charleston to Columbia, South Carolina, where they rented him a corporate apartment and paid him a $50 per diem. Now he was a daily visitor to the Columbia field office, checking in at four p.m. and working until nine, taking the Secret Service deep into Carders Market and the other boards. Everything that crossed his computer was recorded and
displayed simultaneously on a forty-two-inch plasma screen hanging on the wall of the office.

They called it Operation Anglerphish, and Johnson thought it would make a great book one day. That’s why he’d registered the domain name Anglerphish.com and opened up talks with a
New York Times
reporter. When Manus Dei cracked his e-mail and revealed those activities online, Johnson’s Secret Service handlers were irate. They promptly banned him
from using computers away from the office and told him to cut off contact with the reporter. Elizabeth left him—her name and occupation had been exposed in the breach.

Then Iceman stripped Johnson of his privileged position in Carders Market, and crooks he’d known since the Counterfeit Library days started refusing to do business with him. Johnson was running out of credibility, and the Secret Service was running out of patience.

In late March 2006, the agents decided to act on one of Anglerphish’s only catches, a California identity thief who’d stolen at least $200,000 by e-filing bogus tax returns through H&R Block, then collecting the refunds himself. Johnson, an expert in that particular scam, had been talking with the crook online, and the Secret Service had traced the chats to the C&C Internet Café in Hollywood. A Los Angeles agent visited the coffee shop and sat two tables away while the man filed his fake returns.

But when local police and Secret Service agents raided the target’s Hollywood apartment, they found it had been cleaned out: no computers and not a shred of documentary evidence.
The suspect had done everything but deep-clean the carpet and paint the walls.