Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground (32 page)

The big break in the case came from Turkey. In July 2007, the Turkish National Police learned from the Secret Service that Maksik, twenty-five-year-old Maksym Yastremski, was vacationing in their country.
An undercover Secret Service operative lured him to a nightclub in Kemer, where police arrested Yastremski and seized his laptop.

The police found the laptop hard drive impenetrably encrypted, just as when the Secret Service performed its sneak-and-peek in Dubai a year earlier. But after a few days in a Turkish jail, Maksik coughed up the seventeen-character passphrase. The police gave the passphrase and a copy of the disk to the Secret Service, which began poring over its contents, taking particular interest in the logs Maksik kept of his ICQ chats.

One chat partner stood out:
ICQ user 201679996 could be seen helping the Ukrainian with a hack attack against the restaurant chain Dave & Buster’s and discussing some of the earlier high-profile intrusions that had put Maksik on the map. The agents checked out the ICQ number and obtained the e-mail address used to first register the account: [email protected].

SoupNazi was a name the agency had heard before—in 2003, when they arrested Albert Gonzalez.

Gonzalez was the informant who’d lured Shadowcrew carders into a wiretapped VPN, leading to the twenty-one arrests in Operation Firewall—the Secret Service’s legendary crackdown on the carding scene. But years before he was known as Cumbajohnny on Shadowcrew, Gonzalez had used the
Seinfeld-
inspired handle SoupNazi in IRC.

The carder turncoat who’d made Operation Firewall possible had gone on to stage the largest identity thefts in U.S. history.

One month after Firewall, Gonzalez had gotten permission to move from New Jersey back to his home, Miami, where he’d launched the second act of his hacking career. He took on the name Segvec and passed himself off as a Ukrainian, hanging his hat on the Eastern European forum Mazafaka. Under the rubric Operation Get Rich or Die Tryin’—the title of a 50 Cent album and Maksik’s Shadowcrew motto—he went on to create a multimillion-dollar cybertheft ring that touched tens of millions of Americans.

On May 8, 2008, the feds swooped in on Gonzalez and his U.S. associates. Hoping for leniency at sentencing, Gonzalez cooperated again, providing agents with the encryption key for his hard drive and giving them information on his entire gang. He admitted to the breaches at TJX, OfficeMax, DSW, Forever 21, and Dave & Buster’s, and to helping Eastern European hackers penetrate the grocery chain Hannaford Bros., 7-Eleven’s ATM network, Boston Market, and the credit card processing company Heartland Payment Systems, which alone leaked nearly 130 million cards. It was a lucrative business for the hacker. Gonzalez drew the Secret Service a map to over $1 million in cash he’d buried in his parents’ backyard; the government sought forfeiture of the money, his 2006 BMW, and a Glock 27 firearm with ammunition.

Gonzalez had built his crew from an untapped reservoir of hacker talent—onetime bedroom hackers who had trouble finding a place in the white-hat world. Among them was Jonathan “C0mrade” James, who’d
hacked NASA as a teenager and received a landmark six-month juvenile sentence the same week Max Vision pleaded guilty to his Pentagon hacks in 2000. After a brief flurry of fame—including an interview on PBS’s
Frontline
—James slipped into obscurity, living quietly in a house he inherited from his mother in Miami.

Then in 2004 he allegedly began working with Gonzalez and an associate named Christopher Scott. The government believes James and Scott were responsible for one of the earliest magstripe hauls to make their way into Maksik’s vaults, cracking OfficeMax’s Wi-Fi from a store parking lot in Miami and stealing thousands of swipes and encrypted PINs. The two allegedly provided the data to Gonzalez, who arranged with another hacker to decrypt the PIN codes. Credit card companies later reissued some two hundred thousand cards in response to the attack.

Of all the hackers,
it was Jonathan James who would pay the highest price in the post-Shadowcrew carder crackdown. In the days after his May 2008 raid, James became convinced the Secret Service would try to pin all of Gonzalez’s breaches on him to wring public relations juice out of his notorious past and protect their informant, Gonzalez. On May 18, the twenty-four-year-old stepped into the shower with a handgun and shot himself dead.

“I have no faith in the ‘justice’ system,” read his five-page suicide note. “Perhaps my actions today, and this letter, will send a stronger message to the public. Either way, I have lost control over this situation, and this is my only way to regain control.”

In March 2010, Gonzalez was sentenced to twenty years in prison. His U.S. coconspirators drew sentences ranging from two to seven years. In Turkey, Maksik was convicted of hacking Turkish banks and sentenced to thirty years.

Since Max’s arrest, new scams have emerged in the underground, the worst of them involving specialized Trojan horse software designed to
steal a target’s online banking passwords and initiate money transfers from the victim’s account right through his own computer. The thieves have devised an ingenious solution to the problem that had bedeviled Chris Aragon: how to get at the money.
They recruit ordinary consumers as unwitting money launderers, dangling bogus work-at-home opportunities, in which the “work” consists of accepting money transfers and payroll deposits, then sending the bulk of the cash to Eastern Europe by Western Union. In 2009, the scheme’s first year of widespread operation, banks and their customers lost an estimated $120 million to the attack, with small businesses the most common target.

Meanwhile, the sale of dumps continues, dominated now by a new crop of vendors, same as the old crop—Mr. BIN; Prada; Vitrium; The Thief.

Law enforcement, though, has claimed some lasting victories. So far, no prominent English-speaking board has risen to replace Carders Market and DarkMarket, and the Eastern Europeans have become more cloistered and protective. The big players have retreated to invitation-only encrypted chat servers. The marketplace exists, but the carders’ sense of invulnerability is shattered, and their commerce is tariffed by paranoia and mistrust, thanks primarily to the FBI, the Secret Service, their international partners, and the unheralded work of the post office.

The veil of secrecy that once protected hackers and corporations alike has mostly evaporated, with law enforcement no longer going out of its way to shield companies from responsibility for their poor security. More than one of Gonzalez’s hacking targets were made public for the first time in his federal indictment.

Finally, Mularski’s DarkMarket sting proved the feds don’t have to get in bed with the bad guys to make busts.

All the lowest moments in the war on the computer underground came about through the antics of informants. Brett “Gollumfun” Johnson, the snitch who briefly worked as a Carders Market administrator, turned the Secret Service’s Operation Anglerphish into a circus by staging a tax
refund scam on the side. Albert Gonzalez provided the clearest example. After Operation Firewall,
the Secret Service had been paying Gonzalez an annual salary of $75,000 a year, even as he staged some of the largest credit card hacks in history.

The post-Shadowcrew magstripe breaches led to a reckoning in the civil courts. TJX paid $10 million to settle a lawsuit
filed by the attorneys general of 41 states and
another $40 million to Visa-issuing banks whose cards were compromised. Banks and credit unions filed lawsuits against Heartland Payment Systems for the massive breach at the transaction-processing firm. Gonzalez’s attacks also tore a hole in the credit card industry’s primary bulwark against breaches: the so-called Payment Card Industry—or PCI—Data Security Standard, which dictates the steps merchants and processors must take to protect systems handling credit card data.
Heartland had been certified PCI compliant before it was breached, and
Hannaford Brothers won the security certification even as hackers were in its systems, stealing credit card swipes.

When the dust began to settle from Gonzalez’s large-scale hacks, the smaller but far more numerous attacks against restaurant point-of-sale systems began to come out. Seven restaurants in Mississippi and Louisiana who’d suffered intrusions figured out they were all using the same point-of-sale system, the Aloha POS that was once Max’s favorite target.
The restaurants filed a class-action lawsuit against the manufacturer and the company that sold them the terminals, Louisiana-based Computer World, which allegedly installed the remote-access software pcAnywhere on all the machines and set the passwords on all of them to “computer.”

Underlying all these breaches is a single systemic security flaw, exactly 3.375 inches long. Credit card magstripes are a technological anachronism, a throwback to the age of the eight-track tape, and today the United States is virtually alone in nurturing this security hole. More than a hundred
other countries around the globe, in Europe, Asia, and even Canada and Mexico, have implemented or begun phasing in a far more secure system called EMV or “chip-and-PIN.”

Instead of relying on a magstripe’s passive storage, chip-and-PIN cards have a microchip embedded in the plastic that uses a cryptographic handshake to authenticate itself to the point-of-sale terminal and then to the transaction-processing server. The system leaves nothing for a hacker to steal—an intruder sitting on the wire could eavesdrop on the entire transaction and still be unable to clone a card, because the handshake sequence changes every time.

White hats have devised attacks against chip-and-PIN, but nothing that would lend itself to the mass market in dumps that still exists today. So far, the biggest flaw in the system is that it supports magstripe transactions as a fallback for Americans traveling abroad or tourists visiting the United States.

American banks and credit card companies have rejected chip-and-PIN because of the enormous cost of replacing
hundreds of thousands of point-of-sale terminals with new gear. In the end, the financial institutions have decided their fraud losses are acceptable, even with the likes of Iceman prowling their networks.

n the Orange County men’s jail, Chris Aragon is lonely, feeling abandoned by his friends and torn with grief that his children are growing up without him. In October 2009, Clara filed for divorce, seeking custody of their two children. His girlfriend filed for child support.

Chris is studying the
Bhagavad Gita
and has a full-time job as an inmate representative, helping several hundred prisoners with legal matters, medical complaints, and issues with the jail staff. His lawyer is playing a waiting game, winning endless continuances for the criminal trial that, if he loses, still carries a twenty-five-to-life term. After Chris’s story was featured in a
Wired
magazine article on Max, Chris was contacted by a Hollywood screenwriter and a producer, but he didn’t respond.
His mother suggested he get an agent.

Max was assigned to FCI Lompoc, a low-security prison an hour north of Santa Barbara, California. He hopes to use his time to get a degree in physics or math—finally completing the college education that was interrupted a decade earlier in Boise.

He’s taken a mental inventory and is dismayed to find that, despite everything, he still has the same impulses that guided him into a life of hacking. “I’m not sure how to really mitigate that, except ignore it,” he said in an interview from jail. “I really believe that I’m reformed. But I don’t know what’s going to happen later.”

It might seem a curious confession—admitting that the elements of his personality that landed him in prison still remain buried deep inside. But Max’s new self-awareness shows hope for real change. If one is born a hacker, no amount of prison can drive it out. No therapy, or court supervision, or prison workshop can offer reform. Max has to reform himself—learn to own his actions and channel the useful parts of his nature into something productive.

To that end, Max has volunteered to help the government during his confinement, defending U.S. networks or perhaps counterattacking foreign adversaries online. He wrote out a menu of the services he could offer in a memo headed “Why the USA Needs Max.” “I could penetrate China’s military networks and military contractors,” he suggested. “I can hack al Qaida.” He’s hopeful he might do enough for the government that he could apply for a lowered sentence from his judge.

It’s a long shot, and so far, the feds haven’t taken him up on his offer. But a month after his sentencing, Max took a baby step in that direction. Keith Mularski arranged for Max to speak at the NCFTA for an eager audience of law enforcement officials, students, financial and corporate security experts, and academics from Carnegie Mellon.

Mularski checked him out of jail for the appearance. And for an hour or two, Max Vision was a white hat again.