Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground (24 page)

Additionally, only a few trusted associates knew that Digits and Iceman were one and the same: mostly admins, like Chris, a Canadian carder named NightFox, and a new recruit called Th3C0rrupted0ne.

Of everyone he’d met in the scene, it was Th3C0rrupted0ne with whom Max seemed to share the most hacking history. As a teenager,
C0rrupted had discovered the warez scene on dial-up bulletin board systems, then moved into recreational hacking under the handles Acid Angel, -null-, and others. He defaced websites for fun and joined a hacking gang called Ethical Hackers Against Pedophiles—vigilante gray hats working against Internet child pornography.

Like Max, he’d once thought of himself as one of the good guys, before he became Th3C0rrupted0ne.

In other ways, they were very different. A product of a hardscrabble childhood in a big-city housing project, C0rrupted became a drug dealer at an early age and picked up his first arrest—a gun charge—in 1996 when he was eighteen years old. In college he began making fake IDs for his friends, and his online research took him to Fakeid.net, a Web bulletin board where experts like ncXVI got their start. He graduated to small check and credit card scams around the time Shadowcrew went down and then found his way to the successor sites.

Diplomatic and even-tempered, C0rrupted was universally liked in the scene and enjoyed moderator or admin privileges on most of the forums. Max promoted him to admin on Carders Market in the summer
of 2005 and made him unofficial site spokesman after the hostile takeover. Max let C0rrupted in on his double identity about a week after his power play.

Chris remained the greatest threat to Max’s security. Every time they fought now, Max was reminded of how vulnerable he was to the only carder privy to his real-life identity. “
I can’t believe how much you know about me,” he’d spit out, angry at himself.

Meanwhile, Chris had been trying to drive Max into pulling one big score, something that would catapult them both out of the crime business for good and maybe fund a new legitimate start-up for Chris in Orange County. He’d crafted a flowchart and a step-by-step plan for each of them to follow; he called it the “Whiz List.”

Max was supposed to infiltrate banking networks and gain the power to direct millions of dollars to accounts specified by Chris. He’d delivered on his end—from the very start of their partnership, back when he was working from Chris’s garage, he’d been breaching small banks and savings and loans. He was in hundreds of them now and could transfer money out of customers’ accounts at will. But the scheme was hung up on Chris’s end. Chris had to find a safe harbor for the money Max would steal—an
offshore repository where they could park the cash without it being recalled by the victim bank. So far, he’d failed.

So when, in September, Max got his hands on a deadly new Internet Explorer zero day, he shared the news not with Chris but with a different partner, one who had more knowledge of international finance, the Carders Market admin called NightFox.

The security hole was a monster: another buffer overflow, this time in the Internet Explorer code designed to let websites draw vector graphics on a visitor’s screen. Sadly for Max, Eastern European hackers had found the bug first, and they’d been using it. A computer security company had already found the Russian exploit code infecting visitors to an Internet porn site and sent it to Microsoft. The Department of Homeland Security had issued a blunt warning to Internet Explorer users: “
Do not follow unsolicited links.”

The word was out, but there was no patch. Every Internet Explorer user was vulnerable. Max got his copy of the Russian exploit in the early morning hours of September 26 and informed NightFox enthusiastically.

“Assume we get a free pass today to own whatever company we want,” Max wrote over Carders Market’s messaging system. “There you go. No limits. Visa.com. Mastercard.com. egold.com. Whatever you can get the employee e-mails for. Google. Microsoft. Doesn’t matter. It’s all equally ownable right now.”

Microsoft pushed out a patch later that day, but Max knew that even the most secure company would take days or weeks to test and install the update. The Russian exploit was already detected by antivirus software, so he modified it to change its signature, running it through his antivirus lab to verify that it was now undetectable.

The only thing left was the social engineering: Max had to trick his targets into visiting a website loaded with the exploit code. Max decided on the domain name Financialedgenews.com, and set up hosting at ValueWeb.

NightFox came back with the target list: CitiMortage, GMAC, Experian’s Lowermybills.com, Bank of America, Western Union MoneyGram,
Lending Tree, and Capital One Financial, one of the largest credit card issuers in the country. NightFox had vast databases of internal corporate e-mail addresses he’d acquired from a “competitive intelligence” firm, and he sent Max thousands of them, spread across all the targets.

On September 29, Max fired up his spamming software and flung a personalized e-mail at his victims. The message was from “Gordon Reily,” with the return address [email protected].

Each copy of the message was customized, so every employee would think he or she was mentioned by name in the notional Financial Edge article. At Capital One, 500 employees got the message, from executives to PR spokespeople and IT workers. About 125 of them clicked on the poisoned link and were sent to a page loaded with generic finance industry news. While they puzzled over the page, a hidden payload zipped through the corporate firewall and onto their machines.

The software opened a back door that would allow Max to slip in at his leisure and scour the victims’ hard drives for sensitive data, sniff the banks’ internal networks, steal passwords. It wasn’t much different from what he’d done to thousands of Defense Department computers a lifetime ago. Back when it was all just fun and games.

eith Mularski stood at the podium, his PowerPoint presentation filling an LCD big-screen at his back. In front of him were fifteen senior FBI officials and Justice Department lawyers, sitting around the conference room table at Justice headquarters. They were riveted. Mularski was proposing something that had never been done before.

Group I “sensitive circumstances” authorizations were a rare thing in the bureau. Mularski first wrote out a twenty-page proposal, addressing every aspect of the plan and gathering legal opinions from FBI lawyers for each. The FBI’s general counsel was excited about the possibilities; if it were approved, the operation could set a precedent for future online undercover work.

The biggest obstacle for the Justice Department’s Undercover Review Committee was the third-party liability issue of letting crimes unfold over a website owned and operated by the U.S. government. How would Mularski mitigate the damage so innocent people and institutions wouldn’t suffer? Mularski had an answer at the ready. The criminal activity on DarkMarket was going to take place whether the FBI ran the forum or not. But with the bureau controlling the server, and Master Splyntr leading the site, the FBI could potentially intercept large amounts of stolen data that would otherwise flow freely through the black market. His proposal stipulated that any financial data would be sent immediately
to the affected banks. Stolen credit cards could be canceled before they were used.

The meeting lasted twenty minutes. When he returned to Pittsburgh on October 7, Mularski had written approval to acquire DarkMarket. Iceman was still listed as a subject of the undercover operation, but now JiLsi and DarkMarket’s other leaders were the primary targets.

Once his wife went to bed, Mularski settled in front of his couch, turned on
Saturday Night Live
, and looked for JiLsi on ICQ. After some pleasantries, he got down to business. DarkMarket was under yet another DDoS attack, and Mularski, as Master Splyntr, was ready to take the site onto a secure server—JiLsi need only say the word, and his problems with Iceman would be history.

JiLsi had some reservations. DarkMarket was his baby, and he didn’t want to be perceived by the community as ceding control. That wouldn’t be a problem, Mularski explained. Master Splyntr would be a stealth administrator. Nobody but he and JiLsi would know he was running the site. To everyone else, he’d still just be a moderator.

“Bro,” JiLsi typed back. “Get your server ready. We moving.”

Mularski went to work at once. He rented a server from a Texas-based hosting company called the Planet and went to the underground to shore it up, buying $500-a-month DDoS protection services from a Russian named Quazatron and paying for it in e-gold. Quazatron configured the site so its public face was at Staminus, a DDoS-resistant high-bandwidth hosting company. The company’s pipes could withstand a deluge, and Quazatron’s software would channel only the legitimate traffic to DarkMarket’s real server behind the scenes.

Everything would be done the way an Eastern European cybercrook would do it. When Mularski wanted to log in to the site’s back end, he’d go through KIRE, a Virginia company offering Linux “shell accounts”—a service that lets IRC users connect to chat rooms without being traced to their home IP addresses. Nobody would see that the Polish spam king was logging in from Pittsburgh.

Once the move was complete, Mularski went to court and won a sealed search warrant against his own server, allowing him to riffle through DarkMarket’s user database, access logs, and private messages.

There was one more thing to do. Post-Shadowcrew, it was de rigueur for carder forums to make users click on a terms-of-service agreement prohibiting illegal content and stipulating that the site’s operators weren’t responsible for anything on the board. Forum runners believed the legalistic language might shield them from prosecution. DarkMarket had a particularly long and detailed user agreement, so nobody noticed when Master Splyntr added a line.

“By your use of this forum you agree that the administrators may review any communication sent using this forum to ensure compliance with this policy,” he wrote, “or for any other purpose.”

“I think it’s important to note that Iceman is a foolish wannabe hacker who goes around and hacks sites for fun and pleasure.”

El Mariachi knew how to push Iceman’s buttons. After the hostile takeover, Dave Thomas returned to the Life on the Road blog to browbeat his foe relentlessly, calling him “Iceboy,” “Officer Ice,” and “a fucking piece of shit on my shoes.” He challenged Iceman to meet him in person, so they could resolve their dispute like men. And he implied he could hire a hit man to track down the carding kingpin and end his life.

Max responded with growing fury. He hadn’t forgotten the hassle and expense of finding a new host after Thomas shut him down in Florida. The aggressiveness he’d kept buried since Boise boiled from his gut and into his fingertips. “You small dick limp sack of shit. I could fucking tear you apart with my bare hands but a COWARD snitch like yourself would call the cops and scramble for a weapon at the first sight of me,” he wrote. “You better pray to your god that I am never outed, because not only will you look like even more of a jackass than you already do, but then I will have no inhibition about coming over and wringing your snitch punk neck.”

When he calmed down, he sent Thomas a private e-mail. He’d been thinking about taking down Carders Market and retiring his Iceman identity. It wouldn’t be a surrender; rather, it was the most serious threat imaginable to Thomas’s campaign.