Kingpin: How One Hacker Took Over the Billion Dollar Cyber Crime Underground (8 page)

The evening news beat him to the punch: Alleged computer hacker Max Butler had just turned himself in on a fifteen-count indictment charging illegal interception of communications, computer intrusion, and possession of stolen passwords.

After two nights in jail, Max was brought in front of a federal magistrate in San Jose for arraignment. Kimi, Tim Spencer, and a dozen Hungry Programmers filled the gallery. Max was released on a $100,000 bond—Tim signed for half, and a fellow Hungry who’d struck it rich at a dot-com put down the remainder in cash.

The arrest sent shock waves through the computer security world. Hiverworld canceled its job offer on the spot—no security start-up could hire a man facing current computer intrusion charges. The community fretted over what would happen to the arachNIDS database without Max’s curatorship. “
It’s his stuff,” Roesch ruled in a post on a security mailing list. “So barring him explicitly ceding it to someone, it’s still his to maintain.”

Max responded personally in a long message sweeping through his early love of computers and the future direction of intrusion detection. Whitehats.com and arachNIDS would continue no matter what, he predicted. “My family and friends have been incredibly supportive and there are offers to maintain the sites to a certain degree should tragedy occur.”

Casting himself as a victim, he railed against the “frenzy of the hacker witch-hunt” and slammed Hiverworld for disloyalty. “After the smoke cleared and I was in the press, Hiverworld decided not to continue our relationship,” he wrote. “The corporation expressed cowardice that is deplorable. I can’t tell you how disappointed I was to feel the complete lack of support from the Hive.

“I am innocent until proven guilty,” he wrote. “And would appreciate the recognition of this by our community.”

Six months later, Max pleaded guilty. The news was nearly lost amid a flurry of federal hacker prosecutions. The same month,
Patrick “MostHateD” Gregory, the leader of a hacker gang called globalHell, was sentenced to twenty-six months in prison and ordered to pay $154,529.86 in restitution for a string of website defacements. At the same time, prosecutors charged twenty-year-old
Jason “Shadow Knight” Diekman of California with cracking NASA and university systems for fun, and
sixteen-year-old Jonathan James, known as “C0mrade,” received a six-month sentence for
his recreational intrusions into Pentagon and NASA computers—the first term of confinement ever handed down in a juvenile hacking case.

To all appearances, federal law enforcement now had firm control of the computer intrusions that had for so long struck fear into corporate America and government officials. In truth, all these victories were battles in yesterday’s cyberwar against bedroom hackers, a dying breed. Even as Max copped his plea in a San Jose courtroom, the FBI was discovering a twenty-first-century threat gathering five thousand miles away—one intimately entwined with Max Vision’s future.

he two Russians made themselves at home in the small office in Seattle. Alexey Ivanov, twenty, typed on a computer keyboard while his associate, nineteen-year-old Vasiliy Gorshkov, stood by and watched. They were straight off a flight from Russia and already knee-deep into the biggest job interview of their lives—negotiating for a lucrative international partnership with the U.S. computer-security start-up Invita.

Office workers milled around them, and tinny pop music spilled from the computer’s speaker. After a few minutes, Gorshkov drifted off to another computer across the room, and Michael Patterson, Invita’s CEO, struck up a conversation.

It had been Patterson who’d invited the Russians to Seattle. Invita, he’d told them in an e-mail, was a young company, but it was gaining customers through contacts the founders had made while working at Microsoft and Sun. Now the company wanted help expanding into Eastern Europe. Ivanov, who claimed to have as many as twenty talented programmers working with him, seemed perfect for the job; Gorshkov was a tag-along, invited by Ivanov to act as the duo’s spokesman. He had a fiancée waiting back home, pregnant with his first child.

Patterson began casually asking Gorshkov about a recent rash of computer intrusions into U.S. companies, some of whom paid money to the
attackers to make them stop. “Just so I know you guys are as good as I think you are,” Patterson said, “could any of that have been you guys?”

Gorshkov—bundled in the heavy jacket he wore back home in Chelyabinsk, a bleak, polluted industrial city in the Ural Mountains—hedged for a minute and finally answered. “A few months ago we tried, but we found it’s not so profitable.”

The Russian was being modest. For nearly a year, small to midsized Internet companies around the United States had been plagued by extortionate cyberattacks from a group calling itself the Expert Group of Protection Against Hackers—a name that probably sounds better in Russian. The crimes always unfolded the same way: Attackers from Russia or Ukraine breached the victim’s network, stole credit card numbers or other data, then sent an e-mail or a fax to the company demanding payment to keep quiet about the intrusion and to fix the security holes the hackers exploited. If the company didn’t pay up, the Expert Group would threaten to destroy the victim’s systems.

The gang had lifted tens of thousands of credit card numbers from the Online Information Bureau, a financial transaction clearinghouse in Vernon, Connecticut. The Seattle ISP Speakeasy had been hit. Sterling Microsystems in Anaheim, California, had been hacked, along with a Cincinnati ISP, a Korean bank in Los Angeles, a financial services company in New Jersey, the electronic payment company E-Money in New York, and even the venerable Western Union, which had lost nearly sixteen thousand customer credit card numbers in an attack that came with a $50,000 extortion threat. When music-seller CD Universe didn’t give in to a $100,000 ransom demand, thousands of its customers’ credit card numbers showed up on a public website.

Several companies wound up paying the Expert Group small amounts to go away, while the FBI did its best to track the intrusions. They finally zeroed in on one of the ringleaders, “subbsta,” whose real name was Alexey Ivanov. It wasn’t that hard—the hacker, convinced he was out of
reach of American justice, had given his résumé to Speakeasy during the extortion negotiations there.

Russian police had ignored a diplomatic request to detain and question Ivanov, and that was when the feds created Invita, a full-blown undercover business designed to lure the hacker into a trap. Now Ivanov and Gorshkov were surrounded by undercover FBI agents posing as company employees, along with a white-hat hacker from the nearby University of Washington who was playing the role of a computer geek named Ray. Hidden cameras and microphones recorded everything in the office, and FBI-installed spyware captured every keystroke typed on the computers. In the parking lot outside, around twenty FBI agents were standing by to help with the arrest.

The agent playing CEO Patterson tried to draw Gorshkov out some more. “What about credit cards? Credit card numbers? Anything like that?”

“When we’re here, we’ll never say that we got access to credit card numbers,” the hacker replied.

The FBI agent and Gorshkov laughed conspiratorially. “I understand. I hear ya, I hear ya,” said Patterson.

When the two-hour meeting concluded, Patterson ushered the men into a car, ostensibly to take them to the temporary housing arranged for their visit. After a short drive, the car stopped. Agents threw open the doors and arrested the Russians.

Back at the office, an FBI agent realized the keystroke logger installed on the bureau computers at Invita presented him with a rare opportunity. What he did next would make him the first FBI agent to be accused by the Russian federal police of committing a computer crime. He went into the keystroke logs and retrieved the password the pair had used to access their computer in Chelyabinsk. Then, after checking with his supervisor and a federal prosecutor, he logged in to the hackers’ Russian server over the Internet and started scrounging through the directory names, looking for the files belonging to Ivanov and Gorshkov.

When he found them, he downloaded 2.3 gigabytes of compressed data and burned it onto CD-ROMs, only later obtaining a warrant from a federal judge to search through the information he’d grabbed. It was the first international evidence seizure through hacking.

When the feds dug into the data, the breathtaking scope of Ivanov’s activity became clear. In addition to the extortion plots, Ivanov had developed a frighteningly effective method for cashing out the cards he stole, using custom software to automatically open PayPal and eBay accounts and bid on auctioned goods with one of the half-million stolen credit cards in his collection. When the program won an auction, it had the goods shipped to Eastern Europe, where an associate of Ivanov picked them up. Then the software did it all again and again. PayPal checked the stolen credit card list against its internal databases and found it had absorbed a stunning $800,000 in fraudulent charges.

It was the first tremor in a tectonic shift that would fundamentally change the Internet for the next decade. Maybe forever. With top-flight technical colleges but few legitimate opportunities for their graduates, Russia and the former Soviet satellite states were incubating a new breed of hacker.

Some, like Ivanov, were amassing personal fortunes by looting consumers and companies, protected by corrupt or lazy law enforcement in their home countries and poor international cooperation. Others, like Gorshkov, were driven into crime by tough economic circumstances. The hacker graduated from Chelyabinsk State Technical University with a degree in mechanical engineering and sank a small inheritance from his father into a computer-hosting and Web-design business. Despite his swaggering hacker machismo at Invita, Gorshkov had been a late addition to Ivanov’s gang, and he’d paid his own way to America in the hope of improving his fortunes. In a way, he did: After his arrest in Seattle, he was earning more in prison doing janitorial and kitchen work at eleven cents an hour than his fiancée was drawing on public assistance back home.

After his arrest, Ivanov began cooperating with the FBI, rattling off a
list of friends and accomplices still hacking back home. The bureau realized there were dozens of profit-oriented intruders and fraud artists from Eastern Europe already reaching their tentacles into Western computers.

In the years to come, the number would grow to thousands. Ivanov and Gorshkov were Magellan and Columbus: Their arrival in America instantly redrew the global cybercrime map for the FBI and placed Eastern Europe indisputably at its center.

ax wore a blazer and rumpled cargo pants to his sentencing hearing and watched silently as the lawyers sparred over his fate.

Jennifer Granick, the defense attorney, told Judge James Ware that Max deserved a lowered sentence for his service as the Equalizer. The prosecutor took the opposite position. Max, he argued, had
pretended
to be an FBI informant while secretly committing crimes against the U.S. government. It was worse than if he had never cooperated at all.

It was a strange sentencing hearing for a computer criminal. A dozen of Max’s colleagues in the security world—people devoted to thwarting hackers—had written to Judge Ware on Max’s behalf. Dragos Ruiu, a prominent security evangelist in Canada, called Max “a brilliant innovator in this field.” French programmer Renaud Deraison credited Max’s early support with making possible Nessus, Deraison’s vulnerability scanner and one of the most important free security tools then available. “Given Max’s potential and his clear vision of Internet security … it would be more useful for society as a whole that he stays among us as a computer security specialist … rather than spend time in a cell and see his computing talent go through a slow but sure decay.”

From a technology worker in New Zealand: “Without the work that Max has done … it would be so much harder for my company and countless others to protect themselves from hackers.” From a fan in Silicon Valley:
“Taking Max out of the security community would greatly hurt our ability to protect ourselves.” A former Defense Department worker wrote, “To imprison this individual would be a travesty.”