kingpin by kevin poulson txt

By: a guest on Aug 18th, 2011  |  syntax: None  |  size: 484.00 KB  |  views: 2,384  |  expires: Never
Copyright © 2011 by Kevin Poulsen
All rights reserved.
Published in the United States by Crown Publishers, an imprint of the Crown Publishing Group, a division of Random House, Inc., New York.
www.crownpublishing.com
CROWN and the Crown colophon are registered trademarks of Random House, Inc.
Library of Congress Cataloging-in-Publication Data
Poulsen, Kevin, 1965–
Kingpin / Kevin Poulsen.—1st ed.
p. cm.
1. Butler, Max. 2. Computer crimes—United States—Case studies. 3. Computer hackers—United States—Case studies. 4. Commercial criminals—United States—Case studies. I. Title.
HV6773.2.P68 2010
364.16′8092—dc22 2010027952
eISBN: 978-0-307-58870-8
Jacket design by Chris Sergio
Jacket photographs © Jonathan Kitchen/Photographer’s Choice
v3.1
For Lauren,
my unindicted coconspirator in life

CONTENTS
Cover
Title Page
Copyright
Dedication
COPS AND CARDERS
PROLOGUE
1. The Key
2. Deadly Weapons
3. The Hungry Programmers
4. The White Hat
5. Cyberwar!
6. I Miss Crime
7. Max Vision
8. Welcome to America
9. Opportunities
10. Chris Aragon
11. Script’s Twenty-Dollar Dumps
12. Free Amex!
13. Villa Siena
14. The Raid
15. UBuyWeRush
16. Operation Firewall
17. Pizza and Plastic
18. The Briefing
19. Carders Market
20. The Starlight Room
21. Master Splyntr
22. Enemies
23. Anglerphish
24. Exposure
25. Hostile Takeover
26. What’s in Your Wallet?
27. Web War One
28. Carder Court
29. One Plat and Six Classics
30. Maksik
31. The Trial
32. The Mall
33. Exit Strategy
34. DarkMarket
35. Sentencing
36. Aftermath
EPILOGUE
NOTES
ACKNOWLEDGMENTS
About the Author

COPS AND CARDERS

Max Vision, born Max Butler. Ran Carders Market under the handle Iceman. Also known as Ghost23, Generous, Digits, Aphex, and the Whiz.

Christopher Aragon, aka Easylivin’, Karma, and the Dude. Max’s partner on Carders Market, who ran a lucrative credit card counterfeiting ring fueled by Max’s stolen data.

Script. A Ukrainian seller of stolen credit card data and founder of CarderPlanet, the first carder forum.

King Arthur. The Eastern European phisher and ATM cashout king who took over CarderPlanet from Script.

Maksik. The Ukrainian carder Maksym Yastremski, who replaced Script as the underground’s top vendor of stolen credit card data.

Albert Gonzalez, aka Cumbajohnny and SoupNazi. An administrator on Shadowcrew, the largest crime site on the Web until the Secret Service took it down.

David Thomas, aka El Mariachi. A veteran scammer who ran a carding forum called the Grifters as an intelligence-gathering operation for the FBI.

John Giannone, aka Zebra, Enhance, MarkRich, and the Kid. A young carder from Long Island who worked with Max online and with Chris Aragon in real life.

J. Keith Mularski, aka Master Splyntr, Pavel Kaminski. The Pittsburgh-based FBI agent who took over DarkMarket in a high-stakes undercover operation.

Greg Crabb. A U.S. postal inspector, and Keith Mularski’s mentor, who spent years tracking the underground’s elusive international leaders.

Brett Johnson, aka Gollumfun. A Shadowcrew founder who went on to serve as an administrator on Carders Market.

Tea, aka Alenka. Tsengeltsetseg Tsetsendelger, a Mongolian immigrant who helped run Carders Market from a safe house in Orange County.

JiLsi. Renukanth Subramaniam, the Sri Lankan–born British citizen who founded DarkMarket.

Matrix001. Markus Kellerer, a German DarkMarket administrator.

Silo. Lloyd Liske, a Canadian hacker who became an informant for the Vancouver police.

Th3C0rrupted0ne. A former drug dealer and recreational hacker who served as an administrator on Carders Market.

PROLOGUE

The taxi idled in front of a convenience store in downtown San Francisco while Max Vision paid the driver and unfolded his six-foot-five frame from the back of the car, his thick brown hair pulled into a sleek ponytail. He stepped into the store and waited for the cab to disappear down the street before emerging for the two-block walk to his safe house.

Around him, tiny shops and newsstands awakened under the overcast sky, and suited workers filed into the office towers looming above. Max was going to work too, but his job wouldn’t have him home after nine hours for a good night’s sleep. He’d be cloistered for days this time. Once he put his plan into motion, there’d be no going home. No slipping out for a bite of dinner. No date night at the multiplex. Nothing until he was done.

This was the day he was declaring war.

His long gait took him to the Post Street Towers, from the street a five-by-fourteen grid of identical bay windows, trim painted the color of the Golden Gate Bridge. He’d been coming to this apartment complex for months, doing his best to blend in with the exchange students drawn by short leases and reasonable rents. Nobody knew his name—not his real one anyway. And nobody knew his past.

Here, he wasn’t Max Butler, the small-town troublemaker driven by obsession to a moment of life-changing violence, and he wasn’t Max Vision, the self-named computer security expert paid one hundred dollars an hour to harden the networks of Silicon Valley companies. As he rode up the apartment building elevator, Max became someone else: “Iceman”—a rising leader in a criminal economy responsible for billions of dollars in thefts from American companies and consumers.

And Iceman was fed up.

For months, he’d been popping merchants around the country, prying out piles of credit card numbers that should have been worth hundreds of thousands on the black market. But the market was broken. Two years earlier Secret Service agents had driven a virtual bulldozer through the computer underworld’s largest gathering spot, arresting the ringleaders at gunpoint and sending the rest scurrying into chat rooms and small-time Web forums—all riddled with security holes and crawling with feds and snitches. It was a mess.

Whether they knew it or not, the underworld needed a strong leader to unify them. To bring order.

Off the elevator, Max idled in the hallway to check for a tail, then walked to his apartment door and entered the oppressive warmth of the rented studio. Heat was the biggest problem with the safe house. The servers and laptops crammed into the space produced a swelter that pulsed through the room. He’d brought in fans over the summer, but they provided scant relief and lofted the electric bill so high that the apartment manager suspected him of running a hydroponic dope farm. But it was just the machines, entwined in a web of cables, the most important snaking to a giant parabolic antenna aimed out the window like a sniper rifle.

Shrugging off his discomfort, Max sat at his keyboard and trained a bead on the Web forums where computer criminals gathered—virtual cantinas with names like DarkMarket and TalkCash. For two days, he hacked, his fingers flying at preternatural speed as he breached the sites’ defenses, stealing their content, log-ins, passwords, and e-mail addresses. When he tired, he crashed out on the apartment’s foldaway bed for an hour or two, then returned bleary-eyed to his work.

He finished with a few keystrokes that wiped out the sites’ databases with the ease of an arsonist flicking a match. On August 16, 2006, he dispatched an unapologetic mass e-mail to the denizens of the sites he’d destroyed: They were all now members of Iceman’s own Cardersmarket.com, suddenly the largest criminal marketplace in the world, six thousand users strong and the only game in town.

With one stroke, Max had undermined years of careful law enforcement work and revitalized a billion-dollar criminal underworld.

In Russia and Ukraine, Turkey and Great Britain, and in apartments, offices, and houses across America, criminals would awaken to the announcement of the underground’s first hostile takeover. Some of them kept guns in their nightstands to protect their millions in stolen loot, but they couldn’t protect themselves from this. FBI and Secret Service agents who’d spent months or years infiltrating the now-destroyed underground forums would read the message with equal dismay, and for a moment, all of them—hacking masterminds, thuggish Russian mobsters, masters of fake identities, and the cops sworn to catch them—would be unified by a single thought.

Who is Iceman?

1
The Key

As soon as the pickup truck rolled up to the curb, the teenage computer geeks squatting on the sidewalk knew there’d be trouble. “Fucking wavers!” one of the cowboys called out the window. A beer bottle flew from the truck and crashed on the pavement. The geeks, who’d left the club to talk away from the din of music, had seen it all before. In Boise in 1988, being caught in public without a wide belt buckle and a cowboy hat was a bottlin’ offense.

Then one of the geeks did something the cowboys weren’t expecting: He stood up. Tall and broad shouldered, Max Butler cut a quietly imposing figure that was enhanced by his haircut, a spiky punk-rock brush that added three inches to his height. “Waver?” Max asked calmly, feigning ignorance of the Boise slang for New Wave music fans and other freaks. “What’s that?” The two cowboys blustered and swore, then finally drove away with a screech of tires and the waving of mud flaps.

Since they met one another in junior high, Max had become the unofficial bodyguard in the klatch of fellow computer nerds in Meridian, Idaho, a bedroom community then separated from Boise by eight miles of patchy farmland. The town fathers had named Meridian a century earlier for its placement directly on the Boise Meridian, one of the thirty-seven invisible north-south lines that form the Y-axes in America’s land survey system. But that was probably the only thing geeky about the town, where the high school rodeo team got all the girls.

Max’s parents had married young, and they’d moved to Idaho from Phoenix when he was an infant. In some ways, Max combined their best qualities: Robert Butler was a Vietnam veteran and enthusiastic technology buff who ran a computer store in Boise. Natalie Skorupsky was the daughter of Ukrainian immigrants—a humanist and a peacenik, she liked to relax in front of the Weather Channel and nature documentaries. Max inherited his mother’s clean-living values, eschewing red meat, cigarettes, and alcohol and drugs, except for an ill-fated experiment with chewing tobacco. From his father, Max acquired a deep passion for computers. He grew up surrounded by exotic machines, from giant business computers that could double as an office desk to the first suitcase-sized “portable” IBM compatibles. Max was allowed to play with them freely. He started programming in BASIC at the age of eight.

But Max’s equilibrium disappeared when his parents divorced in his fourteenth year. His father wound up in Boise, while Max lived in Meridian with his mother and his younger sister, Lisa. The divorce devastated the teenager and seemed to reduce him to two modes of operation: relaxed, and full-bore insane. When his manic side flared, the world was too slow to keep up; his brain moved at light speed and focused like a laser on whatever task was before him. After he got his driver’s license, he drove his silver Nissan like the accelerator was a toggle switch, speeding from stop sign to stop sign, wearing lab goggles like a mad scientist conducting an experiment in Newtonian physics.

As Max protected his friends, they tried to protect Max from himself. His best buddy, a genial kid named Tim Spencer, found Max’s world exciting but was constantly reining in his friend’s impetuousness. One day he emerged from his home to find Max standing over an elaborate geometric pattern burning in the lawn. Max had found a canister of gasoline nearby. “Max, this is our house!” Tim shouted. Max sputtered apologies as the pair stamped out the blaze.

• • •

It was Max’s impulsive side that made his friends resolve not to tell him about the key.

The Meridian geeks had found the key ring in an unlocked desk at the back of the chemistry lab. For a time, they just watched it, sliding open the desk drawer when the lab instructor wasn’t around and checking to see if it was still there. Finally, they swiped it, smuggled it from the lab, and discreetly began testing its keys against various locks on the Meridian High campus. That was how they discovered that one of the keys was a master key to the school; it opened the front door and every door behind it.

Four copies were made, one for each of them: Tim, Seth, Luke, and John. The key ring was returned to the darkness of the chem lab desk after being carefully wiped down for fingerprints. They all agreed that Max must not know. A master key to the high school is a very special talisman that must be wielded with great care—not squandered on foolishness. So the juniors vowed to save the key for an epic senior-year prank. They would sneak into the school and hijack the PA system, blaring music into every classroom. Until that day, the four keys would stay in hiding, a burden borne in silence by the four of them.

Nobody liked keeping secrets from Max, but they could see that he was already on a collision course with the school’s administrators. Max scoffed at the curriculum, and while instructors droned on about history or sketched equations on the blackboard, Max would sit at his desk thumbing through computer printouts from dial-up bulletin board systems and the pre-Web Internet. His favorite read was an online hacker newsletter called Phrack, a product of the late-1980s hacking scene. In its plain, unadorned text, Max could follow the exploits of editors Taran King and Knight Lightning, and contributors like Phone Phanatic, Crimson Death, and Sir Hackalot.

The first generation to come of age in the home computing era was tasting the power at its fingertips, and Phrack was a jolt of subversive, electric information from a world far beyond Meridian’s sleepy borders. A typical issue was packed with tutorials on packet-switched networks like Telenet and Tymnet, guides to telephone-company computers like COSMOS, and inside looks at large-scale operating systems powering mainframe and minicomputers in air-conditioned equipment rooms around the globe.

Phrack also diligently tracked news reports from the frontier battleground between hackers and their opponents in state and federal law enforcement, who were just beginning to meet the challenges posed by recreational hackers. In July 1989, a Cornell graduate student named Robert T. Morris Jr. was charged under a brand-new federal computer crime law after he launched the first Internet worm—a virus that spread to six thousand computers, clogging network bandwidth and dragging systems to a halt. The same year, in California, a young Kevin Mitnick picked up his second hacking arrest and received one year in prison—a startlingly harsh sentence at the time.

Max became “Lord Max” on the Boise bulletin board systems and delved into phone phreaking—a hacking tradition dating to the 1970s. When he used his Commodore 64 modem to scan for free long-distance codes, he had his first run-in with the federal government: A Secret Service agent from the Boise field office visited Max at school and confronted him with the evidence of his phreaking. Because he was a juvenile, he wasn’t charged. But the agent warned Max to change course before he got in real trouble.

Max promised he’d learned his lesson.

Then the unthinkable happened. Max noticed an odd shape on John’s key ring and asked what it was. John confessed the truth.

Max and John entered the school that very night and went berserk. One or both of them scrawled messages on the walls, sprayed fire extinguishers in the hallways, and plundered the locked closet in the chemistry lab. Max carted off an assortment of chemicals and piled them into the backseat of his car.

Seth’s phone rang early the next morning. It was Max; he’d left Seth a gift in his front yard. Seth walked out to find the bottles of chemicals sitting in a pile on his lawn. Panicked, he scooped them up and took them into the back, where he grabbed a shovel and started digging a hole.

His mother stepped out back and caught Seth in the act of burying the evidence.

“You know I have to tell the school now, right?” she said.

Seth was brought into the principal’s office and interrogated, but he refused to name Max. One by one, the other Meridian High geeks were dragged in by the school’s uniformed security officer for questioning, some in handcuffs. When it was John’s turn, he spilled the beans. The school called the police, who found a telltale yellow iodine stain in the back of Max’s Nissan.

The chemical theft was taken very seriously in Meridian. Max was expelled from school and prosecuted as a juvenile. He pleaded guilty to malicious injury to property, first-degree burglary, and grand theft, and spent two weeks at an in-care facility under psychiatric evaluation, where the staff diagnosed him as bipolar. His final sentence was probation. His mother sent him to Boise to live with his father and attend Bishop Kelly, the only Catholic high school in the state.

Max’s first criminal conviction was a minor one. But the impulsiveness and mischievousness that spawned it ran deep in Max’s personality. And he was destined to hold a lot more master keys.

  391. 2
  392. Deadly Weapons
  393. HIS is the Rec Room!!!!
  394. This large, darkened room has no obvious exits. A
  395. crowd relaxes on pillows in front of a giant screen TV, and
  396. there is a fully stocked fridge and a bar.
  397. Those words welcomed visitors to TinyMUD, an online
  398. virtual world contained in a beige computer the size of a
  399. minifridge squatting on the floor of a Pittsburgh graduate
  400. student’s office. In 1990, hundreds of people from around
  401. the globe projected into the world over the Internet. Max,
  402. now a freshman at Boise State University, was one of them.
  403. The Internet was seven years old then, and about three
  404. million people had access through a measly three hundred
  405. thousand host computers at defense contractors, military
  406. sites, and, increasingly, colleges and universities. In
  407. academia, the Net was once seen as too important to
  408. expose directly to undergraduates, but that was changing,
  409. and now any decent U.S. college allowed students online.
  410. MUDs—“multi-user dungeons”—became a favorite
  411. hangout.
  412. Like most everything else on the pre-Web Internet, a
  413. MUD was a purely textual experience—a universe defined
  414. entirely by prose and navigated by simple commands like
  415. “north” and “south.” TinyMUD was distinct as the first online
  416. world to shrug off the Dungeons and Dragons–inspired
  417. rules that had shackled earlier MUDs. Instead of limiting the
  418. power of creation to select administrators and “wizards,” for
  419. example, TinyMUD granted all its inhabitants the ability to
  420. alter the world around them. Anyone could create a space
  421. of his own, define its attributes, mark its borders, and
  422. receive visitors. Inhabitants quickly anointed the usercreated
  423. recreation room the world’s social hub, building off
  424. it until its exits and entrances connected directly to
  425. TinyMUD spaces like Ghondahrl’s Flat, Majik’s Perversion
  426. Palace, and two hundred other locales.
  427. Also gone from TinyMUD was the D & D–style reward
  428. system that emphasized collecting wealth, finishing quests,
  429. and slaying monsters. Now, instead of doing battle with
  430. orcs and building up their characters’ experience points,
  431. users talked, flirted, fought, and had virtual sex. It turned out
  432. that freeing the game from the constraints of Tolkienesque
  433. roleplay made it more like real life and added to its
  434. addictive power. A common joke had it that MUD really
  435. stood for “multi-undergraduate destroyer.” For Max, that
  436. would prove more than just a joke.
  437. At Max’s urging, his girlfriend Amy had joined him in one
  438. of the TinyMUDs.* The original at Carnegie Mellon
  439. University had closed in April, but by then the same free
  440. software was powering several successor MUDs scattered
  441. around the Net. Max became Lord Max, and Amy took the
  442. name Cymoril, after a tragic heroine in Michael Moorcock’s
  443. Elric of Melniboné series of books and short stories—
  444. some of Max’s favorites.
  445. In the stories, Cymoril is the beloved of Elric, a weak
  446. albino transformed into a fearsome wizard emperor by dint
  447. of a magic sword called Stormbringer. To Max, the fictional
  448. sword was a metaphor for the power of a computer—
  449. properly wielded, it might turn an ordinary man into a king.
  450. But for Elric, Stormbringer was also a curse: He was bound
  451. to the sword, fought to tame it, and was ultimately mastered
  452. by it instead.
  453. Elric’s epic, doomed romance with Cymoril was very
  454. much of a piece with the fraught, uncompromising vision of
  455. romantic love Max had formed after his parents’ divorce:
  456. Cymoril meets her fate during a battle between Elric and
  457. his hated cousin Yyrkoon. Cymoril pleads with Elric to
  458. sheath Stormbringer and stop the fight, but Elric,
  459. sheath Stormbringer and stop the fight, but Elric,
  460. possessed by rage, presses on, striking Yyrkoon with a
  461. mortal blow. With his last breath, Yyrkoon exacts a
  462. heartbreaking revenge, pushing Cymoril onto the tip of
  463. Stormbringer.
  464. Then the dark truth dawned on his clearing brain
  465. and he moaned in grief, like an animal. He had slain
  466. the girl he loved. The runesword fell from his grasp,
  467. stained by Cymoril’s lifeblood, and clattered
  468. unheeded down the stairs. Sobbing now, Elric
  469. dropped beside the dead girl and lifted her in his
  470. arms.
  471. “Cymoril,” he moaned, his whole body throbbing.
  472. “Cymoril—I have slain you.”
  473. When she first met Max, Amy thought he was cool,
  474. rebellious, and kind of punky—different from the usual
  475. Boise crowd. But as they spent every free moment
  476. together, she began to see a darker, obsessive side to his
  477. personality, particularly after he introduced her to the
  478. Internet and TinyMUD.
  479. At first Max was thrilled that his girlfriend shared his
  480. passion for the online world. But as Amy started making
  481. friends of her own in the MUD, including guys, he became
  482. jealous and combative. To Max it made no difference if
  483. Amy was cheating on him in the virtual world or the real
  484. one: It was cheating either way. He tried to get her to stop
  485. logging on, but she refused, and the couple began arguing
  486. online and off.
  487. Eventually, Amy’d had enough; they were arguing about a
  488. stupid computer game? On a Wednesday night in early
  489. October 1990, the couple were in another user’s room in
  490. TinyMUD when Cymoril finally told Lord Max that she wasn’t
  491. sure they really belonged together after all.
  492. It was Max’s first serious relationship, and his reaction
  493. was powerful. They had sworn to spend their lives united.
  494. Now they should both die, rather than be parted, he wrote in
  495. the MUD. Then he got explicit, telling her how he’d kill her.
  496. Other users watched with growing concern as his raging
  497. took on the tone of a serious threat. What should they do?
  498. One of the in-world wizards got Max’s Internet IP address
  499. from the server—a unique identifier that was easily traced
  500. to Boise State University. The MUDers looked up the
  501. phone number for the Ada County Sheriff’s Department in
  502. Boise and called in a warning that a potential murdersuicide
  503. was unfolding.
  504. The year had begun hopefully for Max. He excelled at the
  505. part-time job his dad gave him at his computer store,
  506. HiTech Systems, performing clerical work, making
  507. deliveries in the company van, and assembling PCcompatible
  508. computers in the shop. And he managed to
  509. stay clean of probation violations—though he’d stopped
  510. taking his bipolar medication; his father didn’t want him
  511. drugged, and, anyway, Max didn’t agree with the diagnosis.
  512. He began dating Amy in February of 1990, four months
  513. after meeting her at the Zoo, a dance club in Boise that
  514. catered to an underage crowd. A year younger than Max,
  515. she was blond, blue-eyed, and, when he first saw her, on
  516. the arm of Max’s friend Luke Sheneman, one of the former
  517. Meridian key bearers. As Max finished up his last year in
  518. high school, they began getting serious.
  519. Max did nothing in half measures, and his devotion to
  520. Amy was absolute. She planned on attending Boise State
  521. University, so Max applied there, postponing his dream of
  522. attending CMU or MIT. He brought her home to meet his
  523. computer, and the couple played Tetris together. Their
  524. relationship was everything his parents’ hadn’t been. They
  525. both thought it would never end.
  526. His old friends barely saw him over summer break. Then
  527. the fall term began at Boise State. Max declared a major in
  528. computer science and enrolled in a battery of courses:
  529. calculus, chemistry, and a computer class on data
  530. structures. Like all students, he was given an account on
  531. the school’s shared UNIX system. Like a few of them, he
  532. started hacking the computer right away. Max’s path was
  533. eased by another student, David, who’d already worried his
  534. way into a bunch of the faculty accounts. They spent hours
  535. in the BSU terminal room, staring at the luminous green text
  536. of the terminals and banging on the clacky keyboards.
  537. They’d skim through faculty e-mail boxes while holding long,
  538. silent conversations, shooting messages back and forth
  539. across the room through the computer. David struggled to
  540. keep up with Max’s overclocked mind and typing speed,
  541. and Max would often get impatient. “What are you waiting
  542. for?” Max would type when David fell behind in the
  543. conversation. “Respond.”
  544. A little local hacking was generally tolerated by
  545. administrators. But then Max started poking at the
  546. defenses of other Internet systems, earning him a brief ban
  547. from the BSU computer. When his access was restored, he
  548. was back on TinyMUD, fighting with Amy.
  549. The sheriff called BSU’s network administrator at two in the
  550. morning to tell him about the murder-suicide threat. The
  551. police wanted a copy of Max’s computer files to examine
  552. for evidence—a request that raised difficult privacy issues
  553. for the college. After some discussion with the university’s
  554. lawyer, administrators decided not to voluntarily hand over
  555. anything. Instead, they’d preserve Max’s files on a
  556. computer tape and lock Max out of the computer at once.
  557. Amy worried about what Max might do next, even as she
  558. pressed through the slow process of breaking up with him.
  559. She still cared about Max, she’d later testify, and was afraid
  560. he’d really hurt himself.
  561. Max continued to call her after the TinyMUD incident, and
  562. the conversations followed a predictable pattern. Max
  563. would start off nice—showing the friendly, caring side that
  564. his friends and family knew well. Then he’d escalate into
  565. self-pity and threats before hanging up in anger.
  566. On October 30, Max told Amy he wanted to talk to her in
  567. person. Still hoping to end the relationship amicably—she
  568. was bound to see Max on campus, and she didn’t want him
  569. hating her—Amy agreed to come over.
  570. Max had just moved back to his mother’s home in
  571. Meridian, a ranchstyle house on a quiet street a block from
  572. his old high school. He met Amy at the door, and after
  573. reassuring her that he wouldn’t do anything crazy, she
  574. followed him to his bedroom at the back of his house. His
  575. mother was out, and his fourteen-year-old sister was
  576. watching TV.
  577. His bed was still disassembled, so they sat together on
  578. the mattress on the floor and began discussing their
  579. feelings. Amy admitted that she’d met another boy in
  580. TinyMUD. His name was Chad, and he lived in North
  581. Carolina. The relationship had moved beyond the
  582. keyboard; they’d sent each other photos in the mail, and
  583. she’d been calling him on the phone.
  584. Max struggled to control his feelings, holding back tears.
  585. He felt betrayed, he said. At the same time, he couldn’t
  586. quite believe what he was hearing. He asked her for
  587. Chad’s phone number, produced a calling card, and dialed
  588. his online rival.
  589. A strained three-way conversation followed; Max
  590. introduced himself to Chad and then let Amy take over. She
  591. told Chad how she felt. Then Chad asked Amy for her
  592. phone number. She gave it to him, and the conversation
  593. drifted into an idle banter that only added to Max’s
  594. agitation. He grabbed at the phone and hung it up.
  595. Amy watched Max carefully as his breathing intensified
  596. and his eyes darted around the room.
  597. “I’m going to kill you,” he finally said. “I’m going to—you’re
  598. going to die now.”
  599. She told Max that she didn’t feel like she’d betrayed him,
  600. and she wouldn’t apologize. Max began trembling. Then his
  602. hands were around her throat and he was pushing her
  603. down onto the mattress.
  604. “Fine,” she said. “Why don’t you just kill me then?”
  605. Once Max regained his self-control, he wanted Amy out
  606. of his sight. He pulled her from the mattress, pushed her out
  607. of his bedroom, and shuffled her through the house and out
  608. the front door.
  609. “Go, now,” he said. “Just get out, because I don’t want to
  610. kill you. But I might change my mind.” Amy jumped into her
  611. car and took off fast.
  612. As she headed back to Boise, she replayed the events in
  613. her mind. Lost in thought, she didn’t see the other car until
  614. she was slamming into it with a jolt and the crunch of metal
  615. against metal.
  616. Both cars were totaled, but no one was seriously hurt.
  617. When Amy’s parents learned about the confrontation at
  618. Max’s house, though, they began to fear for her life. A week
  619. after the accident, Amy went to the police, and Max was
  620. arrested.
  621. Max told his friends that Amy was exaggerating the
  622. incident. In Amy’s version of events, Max had kept her
  623. prisoner in his bedroom for an hour, his hands returning to
  624. her throat repeatedly, at one point briefly cutting off her
  625. breathing. In Max’s version, he’d put his fingers loosely on
  626. her throat for one minute, but he hadn’t choked her, and she
  627. was always free to leave. Amy said Max continued to
  628. phone her obsessively after the incident, issuing more
  629. threats; Max said he left her alone after pushing her out of
  630. his house. As far as Max was concerned, Amy was
  631. sacrificing him to get out of trouble for her car accident.
  632. The county prosecutor offered Max a misdemeanor deal.
633. But a month before he was scheduled to receive a forty-five-
634. day slap on the wrist from the judge, Max—free on his
  635. own recognizance—spotted Amy walking hand in hand with
  636. a new boyfriend down University Avenue.
  637. Once again, Max’s emotions overrode his common
  638. sense. On impulse he pulled his father’s repair-shop van
  639. onto a lawn and caught up with the couple on foot. His body
  640. was tight with tension as he circled the pair.
  641. “Hi,” he said.
  642. “You’re not supposed to be around me,” Amy said in
  643. protest.
  644. “Don’t you remember what we used to have?”
  645. Amy’s escort spoke up, and Max gave him a warning:
  646. “Better watch yourself, friend.” Then he stalked off. A
  647. moment later, the roar of an engine. Max was back in the
  648. van, zooming across the center line toward the couple on
  649. the sidewalk. He passed close enough for Amy to feel the
  650. wind from the van as it tore off.
  651. The deal was canceled. The district attorney stretched
  652. the law to slam Max with a felony charge of assault with a
  653. deadly weapon—his hands. It was a questionable charge:
  654. Max’s hands were no deadlier a weapon than anyone
  655. else’s.
  656. The prosecution offered him a new deal: nine months in
  657. jail, if Max would admit to choking Amy. He refused. After a
  658. three-day trial, and just an hour and a half of deliberation,
  659. the jury found him guilty. On May 13, 1991, Tim Spencer
  660. and some of the other Meridian High geeks sat in the
  661. courtroom and watched as Judge Deborah Bail sentenced
  662. their friend to five years in prison.
  663. * Amy is not her real name.
  664.  
  665. 3
  666. The Hungry Programmers
667. Max found Tim Spencer’s house perched at a summit
  668. in the hills separating the suburban sprawl of the San
  669. Francisco Peninsula from the quiet, undeveloped towns
  670. clinging to the Pacific coast. But “house” was too small a
  671. word. It was a villa, six thousand square feet sprawling
  672. across a fifty-acre plot overlooking the sleepy coastal town
  673. of Half Moon Bay. Max passed through the entranceway
  674. columns to the double front doors and entered the
  675. cavernous living room, where a curved wall of windows
  676. stretched from floor to ceiling.
  677. It was a year after his parole, and Max had come to San
  678. Francisco to start over. Tim and some of his friends from
  679. Idaho had been renting the house they called “Hungry
  680. Manor,” the name a reference to their first enterprise when
  681. they’d migrated to the Bay Area a year earlier. They’d
  682. planned to bootstrap into the Silicon Valley economy by
  683. forming a computer consulting business called the Hungry
  684. Programmers—will code for food. Instead, the valley
  685. quickly metabolized the geeks into full-time employment,
  686. and the Hungry Programmers morphed into an unofficial
  687. club for Tim’s friends from Meridian High and the University
  688. of Idaho, two dozen in all. Hungry Manor was the group’s
  689. party house and home to five of them. Max would be the
  690. sixth.
  691. Max walked into Hungry Manor with few belongings but
  692. lots of baggage, not least a deep bitterness over his
  693. treatment by the justice system. In 1993, while Max was on
  694. his second year in prison, Idaho’s Supreme Court ruled in a
  695. similar case that hands “or other body parts or
  696. appendages” couldn’t be considered deadly weapons.
  697. That meant Max should never have been convicted of
  698. aggravated assault. Despite the ruling, Max’s own appeal
  699. was denied on procedural grounds: The judge conceded
  700. that Max was technically not guilty of the felony for which he
  701. was serving time, but his old lawyer had failed to raise the
  702. issue in an earlier appeal, and it was too late now.
  703. When Max was finally paroled on April 26, 1995, he left
  704. knowing that he’d served more than four years in the Idaho
  705. State Penitentiary for what, by law, should have been a
  706. misdemeanor worth sixty days in the county jail. He’d
  707. served hard time on an unjust sentence, while beyond the
  708. prison fence his friends had gone off to college, earned
  709. four-year degrees, then left Idaho to start promising
  710. careers.
  711. He’d moved in with his dad near Seattle, and Tim, Seth,
  712. and Luke drove up from San Francisco for a reunion party
  713. of the old Meridian High geeks. They marveled at Max’s
  714. prison-enhanced physique and his seemingly boundless
  715. optimism, despite having no degree and a serious felony
  716. conviction on his record. Max knew it was a time of
  717. opportunity: A British computer scientist had created the
  718. World Wide Web three months after Max’s sentencing.
  719. Now there were nearly nineteen thousand websites,
  720. including one for the White House. Dial-up Internet service
  721. providers were surfacing in every major city, and America
  722. Online and CompuServe were adding Web access to their
  723. offerings.
  724. Everyone was going online; Max was no longer the
  725. weirdo, addicted to a network nobody had heard of. Now, it
  726. turned out, he’d been at the head of a pack that was
  727. growing to include millions of people. Yet, thanks to his
  728. record, Max struggled to win computer employment in
  729. Seattle, working odd tech-support jobs through a temp
  730. agency.
  731. Online, Max was hanging out in some rough
  732. neighborhoods. Looking for the technical challenges his
  734. day jobs denied him, Max returned to a network of chat
  735. rooms called IRC, Internet relay chat, a surviving vestige of
  736. the old Internet of his teenage years. When he’d gone to
  737. prison, IRC had been a social hotspot. But with the
  738. gentrification of the Net, most inhabitants moved uptown to
  739. easy-to-use instant messaging clients and Web-based chat
  740. systems. Those who remained on IRC tended to be either
  741. hard-core geeks or disreputable sorts—hackers and
  742. pirates scheming in the forgotten tunnels and alleyways
  743. below the whitewashed, commercialized Internet growing
  744. above them.
  745. Max fancied himself an invisible, spectral presence in
  746. cyberspace. He chose “Ghost23” as his IRC identity—23
  747. was his lucky number, and among other meanings it was
  748. the I Ching hexagram representing chaos. He floated into
  749. the IRC “warez” scene, where scofflaws build their
  750. reputations by pirating music, commercial software, and
  751. games. There, Max’s computer skills found an appreciative
  752. audience. Max found an unprotected FTP file server at an
  753. ISP in Littleton, Colorado, and turned it into a cache for
  754. stolen software for himself and his new friends, stocked
  755. with bootlegged copies of programs like NetXray, Laplink,
  756. and Symantec’s pcAnywhere.
  757. It was a mistake. The ISP noticed the drain on its
  758. bandwidth and traced Max’s uploads to the corporate
  759. offices of CompuServe in Bellevue, where Max had just
  760. started working a new temp job. Max was fired. Barely a
  761. year after his release from prison, his name was mud.
  762. That was when Max decided to start over again in Silicon
  763. Valley, where the dot-com economy was swelling to
  764. ripeness and a talented computer genius could pick up
  765. work without a lot of questions about his past.
  766. He’d need a new name, unstained by his past folly. Max
  767. had been known by a nickname in the joint, one
  768. abbreviated from a cyberpunk-themed ’zine he’d published
  769. from the prison typewriter: Maximum Vision. It was a clean,
  770. optimistic name that exemplified everything he wanted to
  771. be and crystallized his clarity and hopefulness.
  772. As he left Seattle in the rearview mirror, he said goodbye
  773. to Max Butler. From now on, he would be Max Ray
  774. Vision.
  775. • • •
  776. Max Vision found that life in Hungry Manor was good.
  777. Surrounded by rolling meadows on all sides, the house
  778. boasted two wings, four bedrooms, a maid’s quarters, a full
  779. dining room, a livestock pen, and a brick pizza oven and
  780. indoor barbecue in a vented room adjoining the vast, sunlit
  781. kitchen. The Hungries had turned the library into a computer
  782. lab and server room, packing in a slew of custom-built
  783. gaming PCs for recreation. They ran networking cable into
  784. every room and energized it with a high-speed Internet link
  785. that necessitated the partial shutdown of the 92 freeway as
  786. the phone company trenched a new cable run alongside the
  787. road. A vintage phone system linked the west wing to the
  788. east. As a finishing touch, one of the Hungry Programmers
  789. had brought in a hot tub and set it up on the grounds, under
  790. the stars.
  791. Max couldn’t have asked for a better launchpad for his
  792. new life. One of the resident Hungries got him a job as a
  793. system administrator at MPath Interactive, a computer
  794. gaming start-up in Silicon Valley that was flush with venture
  795. capital. He threw himself into the job. Defying the
  796. stereotype of a computer nerd, he drew his greatest
  797. satisfaction from his support duties. He liked helping
  798. people.
  799. But it wasn’t long before Max’s antics in Seattle caught
  800. up with him. One morning, a process server showed up at
  801. his cubicle to hand him a $300,000 lawsuit filed by the
  802. Software Publishers Association—an industry group that
  803. had decided to use his piracy bust to send a message.
  804. “This action is a warning to Internet users who believe they
  805. can infringe software copyrights without fear of exposure or
  806. penalty,” the association proclaimed in a press release.
  807. As the first lawsuit of its kind, the case earned Max Butler
  808. a brief write-up in Wired magazine and a mention in a
  809. congressional hearing on Internet piracy. Max Vision,
  810. though, emerged largely unscathed—few in his new life
  811. made the connection to the man named in the high-profile
  812. lawsuit.
  813. When the press attention faded, the SPA was willing to
  814. quietly settle the case for $3,500 and some free computer
  815. consulting. The whole affair even had a silver lining. It
  816. introduced Max to the FBI.
  817. Chris Beeson, a young agent with the bureau’s San
  818. Francisco computer crime squad, gave Max his pitch. The
  819. FBI could use Max’s assistance navigating the computer
  820. underground. Recreational hackers were no longer a target
  821. for the bureau, he said. There was a new, more dangerous
  822. breed of computer criminal emerging: “real” criminals. They
  823. were cyberthieves, pedophiles, even terrorists. The FBI
  824. was no longer chasing people like Max and his ilk. “We’re
  825. not the enemy,” said Beeson.
  826. Max wanted to help, and in March 1997 he was formally
  827. inducted into the FBI’s Criminal Informant program. His first
  828. written report for the bureau was an introductory course on
  829. the virus-writing, warez, and computer-hacking scenes. His
830. follow-up report ten days later ran down compromised file-transfer
  831. sites—like the one he’d exploited in Seattle—and
  832. a music piracy gang called Rabid Neurosis that had
  833. debuted the previous October with a bootlegged release of
  834. Metallica’s Ride the Lightning.
  835. When Max got his hands on a pirated version of
  836. AutoCAD that was being circulated by a crew called
  837. SWAT, the FBI rewarded him with a $200 payment.
  838. Beeson had Max sign the receipt with the bureau’s code
  839. name for its new asset: Equalizer.
  840. Max liked the FBI agent, and the feeling seemed to be
  841. mutual. Neither of them knew that Chris Beeson would one
  842. day put his Equalizer back behind bars and begin Max’s
  843. transformation into one of the “real” criminals Beeson had
  844. hoped to catch.
  845.  
  846. 4
  847. The White Hat
848. Max was building his new life at a time of profound
  849. change in the hacking world.
  850. The first people to identify themselves as hackers were
  851. software and electronics students at MIT in the 1960s. They
  852. were smart kids who took an irreverent, antiauthoritarian
  853. approach to the technology they would wind up pioneering
  854. —a scruffy counterweight to the joyless suit and lab-jacket
  855. culture then epitomized by the likes of IBM. Pranks were a
  856. part of the hacker culture, and so was phone phreaking—
  857. the usually illegal exploration of the forbidden back roads of
  858. the telephone network. But hacking was above all a
  859. creative effort, one that would lead to countless watershed
  860. moments in computer history.
  861. The word “hacker” took on darker connotations in the
  862. early 1980s, when the first home computers—the
  863. Commodore 64s, the TRS-80s, the Apples—came to
  864. teenagers’ bedrooms in suburbs and cities around the
  865. United States. The machines themselves were a product of
  866. hacker culture; the Apple II, and with it the entire home
  867. computer concept, was born of two Berkeley phone
  868. phreaks named Steve Wozniak and Steve Jobs. But not all
  869. teenagers were content with the machines, and in the
  870. impatience of youth, they weren’t inclined to wait for grad
  871. school to dip into real processing power or to explore the
  872. global networks that could be reached with a phone call
  873. and the squeal of a modem. So they began illicit forays into
  874. corporate, government, and academic systems and took
  875. their first tentative steps into the ARPANET, the Internet’s
  876. forerunner.
  877. When those first young intruders began getting busted in
  878. 1983, the national press cast about for a word to describe
  879. them and settled on the one the kids had given themselves:
  880. “hackers.” Like the previous generation of hackers, they
  881. were pushing the limits of technology, outwitting the
  882. establishment, and doing things that were supposed to be
  883. impossible. But for them, that involved breaching corporate
  884. computers, taking over telephone switches, and slipping
  885. into government systems, universities, and defense
  886. contractor networks. The older generation winced at the
  887. comparison, but from that point on, the word “hacker” would
  888. have two meanings: a talented programmer who pulled
  889. himself up by his own bootstraps, and a recreational
  890. computer intruder. Adding to the confusion, many hackers
  891. were both.
  892. Now, in the mid-1990s, the hacking community was
  893. dividing again. The FBI and the Secret Service had staged
  894. arrests of high-profile intruders like Kevin Mitnick and Mark
  895. “Phiber Optik” Abene, a New York phone phreak, and the
  896. prospect of prison stigmatized recreational intrusion while
  897. raising the risk far beyond the rewards of ego and
  898. adventure. The impetus for cracking computers was fading
  899. as well: The Internet was open to anyone now, and personal
  900. computers had grown powerful enough to run the same
  901. operating systems and programming languages that fueled
  902. the big machines denied to amateurs. Most of all, there
  903. was real money to be made defending computers and
  904. none attacking them.
  905. Cracking systems was becoming uncool. Those
  906. possessed of a hacker’s mind-set were increasingly
  907. rejecting intrusion and going right into legitimate security
  908. work. And the intruders started hanging up their black hats
  909. to join them. They became the “white-hat hackers”—
  910. referencing the square-jawed heroes in old cowboy films—
  911. applying their computer skills on the side of truth and
  912. justice.
  913. Max thought of himself as one of the white hats. Watching
  915. for new types of attacks and emerging vulnerabilities was
  916. now in his job description, and as Max Vision, he was
  917. beginning to contribute to some of the computer-security
  918. mailing lists where the latest developments were
  919. discussed. But he couldn’t completely exorcise Ghost23
  920. from his personality. It was an open secret among Max’s
  921. friends that he was still cracking systems. When he saw
  922. something novel or interesting, he saw no harm in trying it
  923. out for himself.
  924. Tim was at work one day when he got a call from a
  925. flummoxed system administrator at another company who’d
  926. traced an intrusion back to Hungry.com—the online home
  927. of the Hungry Programmers, where they hosted their
  928. projects, hung their résumés, and maintained e-mail
  929. addresses that would remain steady through job changes
  930. and other upheavals. There were dozens of geeks on the
  931. shared system, but Tim knew at once who was responsible.
  932. He put the sysadmin on hold and phoned up Max.
  933. “Stop. Hacking. Now,” he said.
  934. Max stammered out an apology—it was the burning lawn
  935. all over again. Tim switched back to the other line, where
  936. the system administrator happily reported that the attack
  937. had stopped in its tracks.
  938. The complaint surprised and confused Max—if his
  939. targets knew what a good guy he was, they wouldn’t take
  940. issue with some harmless intrusions. “Max, you gotta get
  941. permission,” Tim explained. He offered some life advice.
  942. “Look, just sort of imagine that everyone’s looking at you.
  943. That’s a good way to ensure that what you’re doing is
  944. correct. If I was standing there, or your dad was standing
  945. there, would you still feel the same about doing it? What
  946. would we say?”
  947. If there was one thing Max was missing in his new life, it
  948. was a partner to share it with. He met twenty-year-old Kimi
  949. Winters at a rave called Warmth, held on an empty
  950. warehouse floor in the city—Max had become a fixture in
  951. the rave scene, dancing with a surprising, fluid grace,
  952. whirling his arms like a Brazilian flame dancer. Kimi was a
  953. community college student and part-time barista. A foot
  954. shorter than Max, she sported an androgynous appearance
  955. in the shapeless black hoodie she liked to wear when she
  956. went out. But on a second look, she was decidedly cute,
  957. with apple cheeks and her Korean mother’s copper-tinted
  958. skin. Max invited Kimi to a party at his place.
  959. The parties at Hungry Manor were legendary, and when
  960. Kimi arrived the living room was already packed with
  961. dozens of party guests from Silicon Valley’s keyboard class
  962. —programmers, system administrators, and Web
  963. designers—mingling under the glass chandelier. Max lit up
  964. when he spotted her. He led her on a tour of the house,
  965. pointing out the geeky accoutrements the Hungry
  966. Programmers had added.
  967. The tour ended in Max’s bedroom in Hungry Manor’s
  968. east wing. For all of the grandeur of the house, Max’s room
  969. had the charm of a monk’s cell—no furniture but a futon on
  970. the floor, no comforts except a computer. For the party, Max
  971. had trained blue and red spotlights on a bottle of
  972. peppermint schnapps—his only vice. Kimi returned for
  973. dinner the next night, and there was a single item on his
  974. vegetarian menu: raw cookie dough. Max shaved the
  975. sugary sludge off in slices and served it to his date with the
  976. schnapps. Why, after all, would anyone not eat raw cookie
  977. dough for dinner, given the option?
  978. Kimi was intrigued. Max needed so little to be happy. He
  979. was like a child. When his birthday came soon after the
  980. party, she sent a decorated box of balloons to his office at
  981. MPath, and Max was moved nearly to tears by the gesture.
  982. She was his “dream girl,” he told her later. They began to
  983. talk about committing to a life together.
  984. In September, Hungry Manor’s landlord, unhappy with the
  985. programmers’ upkeep of the estate, reclaimed the house,
  986. and after a final bash to bid farewell to their communal
  987. mansion, the Hungries scattered to rentals throughout the
  988. Bay Area. Max and Kimi landed in their own place in
  989. Mountain View, a cramped studio in a barracks-like
  990. apartment complex alongside the 101 freeway, Silicon
  991. Valley’s congested main artery.
  992. Max resumed his work for the FBI, and his haunting of
  993. IRC led him to a new opportunity—his chance to break out
  994. as a white-hat hacker. He’d made a friend in the chat
  995. rooms who was starting a real consulting business in San
  996. Francisco and was interested in bringing Max on board.
  997. Max went up to the city to visit Matt Harrigan, aka, “Digital
  998. Jesus.”
  999. Harrigan, just twenty-two, was one of four white hats who’d
  1000. been profiled in a Forbes cover story the previous year,
  1001. and he’d cannily used his fifteen minutes of fame to win
  1002. some seed money for a business: a professional hacking
  1003. shop in San Francisco’s financial district.
  1004. The idea was simple: Corporations would pay his
  1005. company, Microcosm Computer Resources, to put their
  1006. networks through a real hack attack, culminating in a
  1007. detailed report on the client’s security strengths and
  1008. weaknesses. The business of “penetration testing”—as it
  1009. was called—had been dominated by the Big Five
  1010. accounting firms, but Harrigan was already signing up
  1011. clients by admitting something that no accounting firm
1012. would ever announce: that his experience came from real-life
  1013. hacking, and he was freely hiring other ex-hackers.
  1014. MCR would be billing out between $300 and $400 an
  1015. hour, Harrigan explained. Max would work as a
  1016. subcontractor, making $100 to $150. All for doing two of
  1017. the things he liked most in the world: hacking into shit and
  1018. writing reports.
1019. Max had found his niche. It turned out his single-mindedness
  1020. made him a natural at penetration testing: He
  1021. was immune to frustration, hammering at a client’s network
  1022. for hours, moving from one attack vector to another until he
  1023. found a way in.
  1024. With Max making real money at MCR, Kimi quit her job
  1025. as a barista and found more rewarding work teaching
  1026. autistic students. The couple moved from the cramped
  1027. apartment in Mountain View to a duplex in San Jose. In
  1028. March, they got married in a church on a college campus in
  1029. Lakewood, Washington, where Kimi’s family lived.
  1030. Tim Spencer and most of the Hungry Programmers went
  1031. up to Washington to see their problem child married off.
  1032. Max’s parents, his sister, Kimi’s family, and scores of
  1033. friends and extended family showed up for the ceremony.
  1034. Max wore a tuxedo and a broad grin, and Kimi glowed in
  1035. her white wedding dress and veil. Surrounded by family and
  1036. beloved friends, they were a picture-perfect young couple
  1037. beginning a life together.
  1038. They posed outside: Kimi’s father, a military man, stood
  1039. proudly in his dress uniform, her mother in a traditional
  1040. Korean hanbok. Flanked by his own parents, Max beamed
  1041. at the camera, while storm clouds gathered overhead in the
  1042. Pacific Northwest sky.
  1043. It was three years almost to the day since Max walked
  1044. out of prison, and he had everything now—a devoted wife,
  1045. a promising career as a white-hat hacker, a nice home. In
  1046. just a few weeks, he’d throw it all away.
  1047.  
  1048. 5
  1049. Cyberwar!
1050. Back home in San Francisco, a temptation was waiting
  1051. for Max, written in computer code.
  1052. bcopy (fname, anbuf, alen = (char *)*cpp - fname);
  1053. It was one line of nine thousand comprising the Berkeley
  1054. Internet Name Domain, an ancient girder in the Internet’s
  1055. infrastructure, as important as any router or fiber-optic
  1056. cable. Developed in the early 1980s with a grant from the
  1057. Pentagon’s Defense Advanced Research Projects Agency
  1058. (DARPA), BIND implemented the scalable Domain Name
  1059. System, a kind of distributed telephone directory that
  1060. translates strings like Yahoo.com, which humans
  1061. understand, into the numeric addresses the network
  1062. comprehends. Without BIND, or one of the competing
  1063. programs that followed, we’d be getting our online news
  1064. from 157.166.226.25 instead of CNN.com and visiting
  1065. 74.125.67.100 to perform a Google search.
  1066. BIND was one of the innovations that made the explosive
  1067. growth of the Internet possible—it replaced a crude
  1068. mechanism that couldn’t have expanded with the Net. But in
  1069. the 1990s, it was also one of the legacy programs that
  1070. were shaping up as the modern Internet’s biggest security
  1071. problem. The code was a product of a simpler time, when
  1072. the network was cloistered and threats were few. Now
  1073. hackers were plumbing its depths and coming back with a
  1074. seemingly endless supply of security holes.
  1075. A high priesthood of network experts called the Internet
  1076. Software Consortium appointed themselves keepers of the
  1077. code and had begun furiously rewriting it. But in the
  1078. meantime, the most modern, sophisticated networks in the
  1079. world, with sparkling new servers and workstations, were
  1080. running a buggy computer program from another age.
  1081. In 1998, security experts discovered the latest flaw in the
  1082. code. It boiled down to that single line. It accepted an
  1083. inquiry from the Internet, as it should, and copied it byte for
  1084. byte into the temporary buffer “anbuf” in the server’s
  1085. memory. But it didn’t properly check the size of the
  1086. incoming data. Consequently, a hacker could transmit a
  1087. deliberately overlong query to a BIND server, overflow the
  1088. buffer, and spill data into the rest of the computer’s memory
  1089. like oil from the Exxon Valdez.
  1090. Performed haphazardly, such an attack would cause the
  1091. program to crash. But a careful hacker could do much
  1092. worse. He could load the buffer with his own small snippet
  1093. of executable computer code, then he could keep going,
  1094. tripping cautiously all the way to the top of the program’s
  1095. memory space, where a special short-term storage area
  1096. called the “stack” resides.
  1097. The stack is where the computer’s processor keeps
  1098. track of what it’s doing—every time a program diverts the
  1099. computer off to a subroutine, the processor pushes its
  1100. current memory address onto the stack, like a bookmark,
  1101. so it knows where to return to when it’s done.
  1102. Once a hacker is in the stack, he can overwrite the last
  1103. return address with the location of his own malicious
  1104. payload. When the computer is done with the current
  1105. subroutine, it returns not to where it began, but to the
1106. hacker’s instruction—and because BIND runs under the all-powerful
  1107. administrative “root” account, the attacker’s code
  1108. does as well. The computer is now under the hacker’s
  1109. control.
  1110. Two weeks after Max and Kimi’s wedding, the
  1111. government-funded Computer Emergency Response Team
  1112. at Carnegie Mellon University—which runs a kind of
  1113. Emergency Broadcast System for security holes—issued
  1114. an alert about the BIND flaw, along with a link to the simple
  1115. fix: two additional lines of computer code that rejected
  1116. overlong queries. But CERT packaged its alert with two
  1117. other BIND vulnerabilities that were of little consequence
  1118. and understated the importance of the hole. Consequently,
  1119. not everyone appreciated the gravity of the situation.
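The mechanism the last few paragraphs describe, and the shape of the fix CERT pointed to, as an added C example that is not from the book and not BIND's own code. The buffer size, the marker values, the `struct frame` stand-in (a fixed buffer placed just below a saved return address, the layout a real stack frame has) and the function names are all assumptions made for the illustration; the "query" is constructed inline. The unchecked copy takes its length from the input, as the quoted bcopy line did, and the constructed overlong query lands its chosen value on the return-address slot; the checked copy refuses the same query before writing anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the illustration; the real BIND buffer was larger. */
#define ANBUF_SIZE 64

/* Made-up marker values: what the return-address slot held before the copy,
 * and what the constructed query tries to put there. */
#define SENTINEL_RETURN ((uintptr_t)0x11111111u)
#define ATTACKER_RETURN ((uintptr_t)0x41414141u)

/* Stand-in for a stack frame: the fixed buffer sits directly below the
 * saved return address, so a copy that runs past the end of anbuf lands
 * on saved_return. That adjacency is what the attack in the text relies on. */
struct frame {
    char      anbuf[ANBUF_SIZE];
    uintptr_t saved_return;
};

/* Vulnerable pattern (the shape of the quoted bcopy line): the length comes
 * straight from the packet and is never compared with the buffer size. */
void copy_unchecked(struct frame *f, const unsigned char *query, size_t alen)
{
    /* anbuf is at offset 0, so writing alen bytes at the frame's address is
     * exactly "copy alen bytes into anbuf"; nothing stops it at the end. */
    memcpy((unsigned char *)f, query, alen);
}

/* Hardened pattern (the shape of the fix): reject the query before copying
 * if it would not fit. Returns 0 on success, -1 if the query was dropped. */
int copy_checked(struct frame *f, const unsigned char *query, size_t alen)
{
    if (alen > sizeof f->anbuf) {
        return -1;   /* overlong query: drop it, nothing is written */
    }
    memcpy(f->anbuf, query, alen);
    return 0;
}

/* Build the overlong query the text describes: enough filler to fill anbuf,
 * then a chosen address placed exactly where saved_return lives.
 * Returns the query length, or 0 if cap is too small. Constructed input. */
size_t build_overlong_query(unsigned char *out, size_t cap)
{
    size_t    off  = offsetof(struct frame, saved_return);
    uintptr_t addr = ATTACKER_RETURN;

    if (cap < off + sizeof addr) {
        return 0;
    }
    memset(out, 'A', off);                 /* filler standing in for the payload */
    memcpy(out + off, &addr, sizeof addr); /* bytes that overwrite the return slot */
    return off + sizeof addr;
}

/* Run the constructed query through the unchecked copy and report what is
 * now sitting in the saved return address slot. */
uintptr_t unchecked_copy_return_slot(void)
{
    struct frame  f;
    unsigned char query[sizeof(struct frame)];
    size_t        alen;

    memset(&f, 0, sizeof f);
    f.saved_return = SENTINEL_RETURN;
    alen = build_overlong_query(query, sizeof query);
    copy_unchecked(&f, query, alen);
    return f.saved_return;
}

/* Same query through the checked copy. Returns 1 if the query was rejected
 * and the return address slot is untouched, 0 otherwise. */
int checked_copy_rejects_and_preserves(void)
{
    struct frame  f;
    unsigned char query[sizeof(struct frame)];
    size_t        alen;
    int           rc;

    memset(&f, 0, sizeof f);
    f.saved_return = SENTINEL_RETURN;
    alen = build_overlong_query(query, sizeof query);
    rc = copy_checked(&f, query, alen);
    return rc == -1 && f.saved_return == SENTINEL_RETURN;
}

/* A legitimate, in-bounds query still goes through the checked copy intact. */
int checked_copy_accepts_short(void)
{
    struct frame        f;
    const unsigned char query[] = "www.example.com";   /* constructed sample */

    memset(&f, 0, sizeof f);
    return copy_checked(&f, query, sizeof query) == 0
        && memcmp(f.anbuf, query, sizeof query) == 0;
}

int main(void)
{
    printf("unchecked copy: return slot now 0x%lx (attacker value 0x%lx)\n",
           (unsigned long)unchecked_copy_return_slot(),
           (unsigned long)ATTACKER_RETURN);
    printf("checked copy rejects overlong query, slot preserved: %d\n",
           checked_copy_rejects_and_preserves());
    printf("checked copy accepts short query: %d\n",
           checked_copy_accepts_short());
    return 0;
}
```

The simulated frame keeps the overwrite inside an object the program owns, so the demonstration is deterministic and does not crash; against a real frame the same bytes would be popped into the instruction pointer on return, which is the step the text describes. The check in `copy_checked` is the whole of the defence: compare the attacker-supplied length against the buffer before any byte is copied, and reject rather than truncate.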
  1120. Max understood perfectly.
  1121. He read the CERT advisory with amazement. BIND
  1122. came installed standard with Linux, and it ran on servers on
  1123. corporate, ISP, nonprofit, educational, and military
  1124. networks. It was everywhere. And so was the defective line
  1125. of code. The only thing holding back a feeding frenzy of
  1126. attacks was that nobody had written a program to exploit
  1127. the security hole. But that was just a matter of time.
  1128. Sure enough, on May 18, an exploit program showed up
  1129. on Rootshell.com, a computer security news site run by
  1130. hobbyists. Max picked up the phone and called his FBI
  1131. contact, Chris Beeson, at home. The situation was serious,
  1132. he explained. Anybody who hadn’t installed the BIND patch
  1133. could now be hacked by any script kiddy capable of
  1134. downloading a program and typing a command.
If history was a guide, government computers would be particularly vulnerable. Just a month earlier, a less serious bug in the Sun Solaris operating system had led to a hacker cracking computers at a dozen U.S. military bases, in what a deputy defense secretary called “the most organized and systematic attack to date” on American defense systems. Those attacks had set off a full-blown cyberwarfare false alarm: The Pentagon gave the intrusions the code name “Solar Sunrise” and considered Saddam Hussein the prime suspect until investigators traced the attacks to a young Israeli hacker who was just playing around.

Max called Beeson again the next day, when a hacker group named ADM released a weaponized version of the BIND exploit designed to scan the Internet at random looking for unpatched servers, then break in, install itself, and use the newly compromised computer as a platform for still more scans and break-ins. It was a certainty now that someone was going to own the entire Internet. It was just a question of who.

He hung up and pondered. Someone was going to do it. He shared his plans with his new wife in boyish, excited tones. Max would author his own BIND attack. His version would close the hole everywhere it found it, like releasing sterile fruit flies to tamp down an infestation. He would limit his attack to the targets most in need of an emergency security upgrade: U.S. military and civilian government sites.

“Don’t get caught,” said Kimi, who’d learned not to argue with Max when he was like this, his mind hostage to an idea.

Max was struggling with the binary nature of his personality: the professional married man with a stake in the world around him, and the impulsive child tempted by every call to mischief. The child won. He sat at his keyboard and plunged into furious programming.
His code would operate in three rapid-fire stages. It would begin by flinging a virtual grappling hook through the BIND hole, executing commands that forced the machine to reach out over the Internet and import a 230-byte script. That script, in turn, would connect it to a different host infiltrated by Max, where it would download a hefty package of evil called a “rootkit.”

A rootkit is a bundle of standard system programs that have been corrupted to secretly serve the hacker: A new login program operates just like the real thing but now includes a back door through which the intruder can reenter the machine. The “passwd” program still lets users change their passwords but also quietly records and stores the new password where it can be retrieved later. The new list program lists the contents of a directory, as it should, but takes care to conceal any files that are part of the rootkit.

Once the rootkit was in place, Max’s code would accomplish what the government failed to do: It would upgrade the hacked computer to the latest version of BIND, closing the security hole through which it had entered. The computer would now be safe from any future attacks, but Max, the benevolent meddler, would still be able to reenter the system at will. Max was at once fixing the problem and exploiting it; he was a black hat and a white hat at the same time.

The whole attack would take just a couple of minutes each time. One moment, the computer would be controlled by the system administrators; then, grappling hook, download script, rootkit, and it was in Max’s pocket.

Max was still programming when the FBI got back to him and asked for a full report on the BIND hole. But the feds had had their chance; Max’s code would speak for him now. He took a moment to crack a couple of college machines to use as a staging ground, then, on May 21, a Tuesday, he dialed the Internet through a stolen Verio account … and launched.
The results were instant and highly satisfying. Max’s grappling-hook code was designed to signal its success to his computer over the Verio dial-up, so he could watch the attack spread. Hacked machines around the country reported back to him, an Xterm window popping up on his screen for each one. Brooks Air Force Base—now property of Max Vision. McChord, Tinker, Offutt, Scott, Maxwell, Kirtland, Keesler, Robins. His code wormed into Air Force servers, Army computers, a machine in the office of a cabinet secretary. Each machine now had a back door that Max could use any time he wanted.

Max was notching up military conquests like points in a video game. When his code swept into the Navy’s Internet space, it found so many unpatched BIND servers that the stream of pop-ups turned into a torrent. His own computer struggled under the strain, then crashed.

After some fine-tuning, he relaunched. For five days he was absorbed in his growing dominion over cyberspace. He ignored e-mail from the FBI, who still wanted that report. “Where’s the stuff?” Agent Beeson wrote. “Please call.”

There had to be more he could do with the power to crack almost any network he wanted. Max trained his BIND exploit on the servers of Id Software in Mesquite, Texas, a gaming company developing a third installment of the enormously popular first-person shooter Quake. Max loved first-person shooters. He was on the network in a flash, and after some exploring, he emerged with his trophy. He announced to Kimi that he’d just obtained the source code—the virtual blueprints—for Quake III, the most anticipated game of the year.

Kimi was unmoved. “Can you put it back?”

Max soon realized that his attacks were getting some attention. At Lawrence Berkeley National Laboratory, a researcher named Vern Paxson spotted Max’s scanning using a new system he’d developed called BRO, for Big Brother. BRO was an experiment in a relatively new kind of security countermeasure called an intrusion detection system—a cyber burglar alarm with the sole function of sitting quietly on a network and sifting through all the traffic for suspicious activity, alerting administrators when it spots something that doesn’t look right.

Paxson wrote a full report on the attack for CERT. Max intercepted it and was impressed. The researcher had not only detected his attack, he’d compiled a list of servers that Max’s code was attacking through Lawrence Berkeley’s network—Max was using the network as one of his secondary launch points. He sent Paxson an anonymous note from the lab’s root account.
Vern,

I’m sorry to have caused you any inconvenience, but I single-handed fixed a MAJOR GAPING SECURITY HOLE in many of your systems. I admit there were new holes but these were all passworded, and I would never cause damage to someone’s computer system. If I didn’t hit these, someone else would have, and they would have been dirty. These kids leave warez and IRC BS laying everywhere, and /bin/rm systems when they are unhappy. Lame.

You might not appreciate what I was doing, but it was for the greater good. I am abandoning all hosts on that list that you captured.… I am not touching those systems since I know you turned them over to CERT. CERT should hire people with my skill. Of course, if paid I would never leave rootkits or such.

Pretty clever though? Heh. It was a blast. Owning hundreds, nay thousands of systems, and knowing that you were FIXING them on the way …

Uhm, I’m not ever doing this sort of shit again. You have my tools now. That pisses me off …

Hrm. Anyway I just don’t want this to happen again, so I’m going to let it lie …

“The Cracker”
With that, Max shut down his five-day attack on the government, with more cracked systems behind him than he could count. He was satisfied that he’d made the Internet safer than it was before; thousands of computers that had been vulnerable to every hacker in the world were now vulnerable to only one: Max Vision.

Max immediately jumped into a new, more socially acceptable project: He would write a Web application that would let anyone on the Internet request an automatic real-time scan of their network to assess whether or not they were open to the BIND attack. He also conceived a benign variant of the siege he’d just concluded. Like before, he would scan government and military networks. But instead of cracking the vulnerable computers, he’d automatically send an e-mail warning to the administrators. There’d be no need to hide behind a hacked dial-up account this time. Both services would live on his brand-new public website: Whitehats.com.

After two days and nights of work, he was knee-deep in his new, legal hacking project when Beeson e-mailed again. “What happened? Thought you’d send me e-mail.”

Max could hardly explain to his FBI friend that he’d been busy staging one of the largest government computer breaches in history. So he emphasized his new project instead. “I am almost finished creating a public service vulnerability scanner and patch site—but there are some parts that aren’t ready for release,” he wrote back.

“Oh, and here is the ADM worm program,” he added. “I don’t think it will spread very far.”

6
I Miss Crime

On the afternoon of June 2, Max opened the door of his San Jose duplex to greet Chris Beeson and registered instantly that he was in trouble: There were three other suits with the FBI agent, including Beeson’s surly boss, Pete Trahon, head of the computer crime squad.

The month after the BIND attack had been a busy time for Max. He launched Whitehats.com, and it was an instant success in the security world. In addition to housing his scanning tool, the site collected the latest CERT advisories and links to BIND software patches, as well as a paper Max had written dissecting the ADM worm with the clarity and the discerning eye of a connoisseur. Nobody in the community suspected that Max Vision, the rising star behind Whitehats.com, had personally provided the brightest example of the seriousness of the BIND security hole.

He was also continuing to file reports to the FBI. After his last one, Beeson began e-mailing to arrange a casual meeting, supposedly to go over Max’s latest findings. “How ’bout if we just meet at your place?” Beeson wrote. “I know I have the address somewhere around here.”

Now that he was on Max’s doorstep, Beeson explained why they were really there. He knew all about Max’s attack on the Pentagon. One of the men with him, a young Washington, DC–based Air Force investigator named Eric Smith, had traced the BIND intrusions to Max’s house. Beeson had a search warrant.

Max let them in, already apologizing. He only meant to help, he explained.

They chatted amicably. Max, happy for an audience, grew expansive, describing the twists and turns of his attack and listening with interest as Smith described how he’d tracked Max through the pop-up messages Max had used to alert himself when a system was subverted: The messages went to a Verio dial-up, and a subpoena to the ISP produced Max’s phone number. It hadn’t been difficult. Max had convinced himself he was doing something positive for the Internet, so he hadn’t done much to cover his tracks.
The feds asked if anyone had known what Max was up to, and he said his boss was involved. Matt Harrigan—Digital Jesus—had not completely given up hacking himself, Max said, adding that Harrigan’s company was about to get a contract with the National Security Agency.*

At the agents’ behest, Max wrote out a confession. “My motives were purely for research and ‘to see if it could be done,’ ” Max wrote. “I know this is no excuse, and believe me, I am sorry for it, but it’s the truth.”

Kimi came home from school to find the feds still tossing the house. Like grazing deer, they looked up in unison as she entered, dismissed her as unthreatening, and turned wordlessly back to their work. When they left, they hauled Max’s computer equipment with them.

The door closed, leaving the newlyweds alone in what was left of their home. An apology formed on Max’s lips. Kimi cut him off angrily.

“I told you not to get caught!”

The FBI agents saw an opportunity in Max’s crime. Trahon and Beeson returned to Max’s home and gave their former ally the score. If Max hoped for leniency, he’d have to work for them—and writing reports wasn’t going to cut it anymore.

Eager to make amends and determined to salvage his life and career, Max didn’t ask for anything in writing. He took it on faith that if he helped the FBI agents, they would help him.

Two weeks later, Max got his first assignment. A gang of phone phreaks had just hijacked the phone system at the networking company 3Com and were using it as their own private teleconferencing facility. Beeson and Trahon could dial into the illicit chat line, but they doubted their ability to blend in with the hackers and gain any useful intelligence. Max studied up on the latest phone phreaking methods, then dialed into the system from the FBI’s field office while the bureau recorded the call.

Dropping the names of hackers he knew and drawing on his own expertise, Max easily persuaded the phone phreaks that he was one of them. They opened up and revealed that they were an international gang of about thirty-five phone hackers called DarkCYDE, living mostly in Britain and Ireland. DarkCYDE aspired to “unite Phreakers and Hackers all over the world into one big digital army,” according to the group’s blustery manifesto. But at root they were just kids playing with the phone, just as Max had done in high school. After the call, Beeson asked Max to stay close to the gang. Max chatted them up on IRC and turned over the logs to his handlers.

Pleased with Max’s work, the agents summoned him to the federal building in San Francisco a week later to brief him on a new assignment. This time, he’d be going to Vegas.
Max’s eyes moved over the nest of linen-clad card tables in the gaudy exhibit hall of the Plaza Hotel and Casino. Dozens of young men in T-shirts and shorts or jeans—the hacker’s uniform—were at the tables hunkered over a bank of computer workstations or standing on the sidelines, occasionally pointing at something on a screen.

To the untrained eye, it was a strange way to spend a weekend in Sin City—banging on keyboards like some anonymous cubicle drone, far from the pool, the slots, and the shows. But the hackers were in pitched competition, working in teams to penetrate a clutch of computers hanging off a hastily erected network. The first team to leave their virtual marker in one of the targets would claim a $250 prize and valuable bragging rights—with points also awarded for hacking other competitors. New attacks and ruses were flowing from the hackers’ fingers, and secret, stockpiled exploits were being pulled from virtual armories to be used in public for the first time.

At Def Con, the world’s largest hacking convention, the Capture the Flag competition was Fischer vs. Spassky every year.

Kimi wasn’t impressed, but Max was in heaven. Across the floor, more tables were cluttered with vintage computer gear, odd electronics, lock-picking tools, T-shirts, books, and copies of 2600: The Hacker Quarterly. Max spotted Elias Levy, a famous white-hat hacker, and pointed him out to Kimi. Levy, aka Aleph One, was the moderator of the Bugtraq mailing list—the New York Times of computer security—and the author of a seminal tutorial on buffer overflows called “Smashing the Stack for Fun and Profit” that had appeared in Phrack. Max didn’t dare approach the luminary. What would he say?

Max wasn’t the only law enforcement mole at Def Con, of course. From its humble beginnings in 1992 as a one-off conference pulled together by a former phone phreak, Def Con had grown into a legendary gathering that drew nearly two thousand hackers, computer security professionals, and hangers-on from around the world. They came to party in person with comrades they’d befriended online, present and attend technical talks, buy and sell merchandise, and get very, very drunk in all-night bashes in the hotel rooms.

Def Con was such an obviously target-rich environment for the government that the organizer, Jeff “the Dark Tangent” Moss, had invented a new convention game called Spot the Fed. A hacker who thought he’d identified a G-man in the crowd could point him out, make a case, and, if the audience concurred, take home a coveted I SPOTTED THE FED AT DEF CON T-shirt. Often the suspected fed would just give up and good-naturedly whip out a badge, giving the hacker an easy win.
Max’s mission was broad. Trahon and Beeson wanted him to chum up to his fellow hackers and try to get their real names, then lure them into exchanging public PGP encryption keys, which security-minded geeks use like sealing wax to encrypt and sign their e-mail. Max’s heart just wasn’t in it. Writing reports for the bureau was one thing, and he’d had no qualms about getting the goods on the DarkCYDE phreaks, who were too young to get in real trouble. But this assignment smelled like snitching. Personal loyalty was written deep into Max’s firmware, and one look at the Def Con crowd told him these were his people.

Many of the hackers were reluctantly giving up childish things, migrating into legitimate dot-com jobs or starting security companies. They were becoming white hats, like Max. A popular T-shirt at the conference summed up the mood: I MISS CRIME.

Max shrugged off the FBI’s edict and began attending the parties and the talks. On the roster this year was a much-anticipated software release by the Cult of the Dead Cow. The cDc were the rock stars of the hacker world—literally: They recorded and performed music and infused their conference presentations with over-the-top theatrics that made them media darlings. At this Def Con the group was unleashing Back Orifice, a sophisticated remote-control program for Windows machines. If you could trick someone into running Back Orifice, you could access their files, see what was on their screen, and even look through their webcam. It was designed to embarrass Microsoft for the shoddy security in Windows 98.

The crowd at the Back Orifice presentation was ecstatic, and Max found the energy infectious. But of more pragmatic interest to Max was a talk on the legalities of computer hacking by a San Francisco criminal defense attorney named Jennifer Granick. Granick opened her presentation by describing the recent landmark prosecution of a Bay Area hacker named Carlos Salgado Jr., a thirty-six-year-old computer repairman who, more than any other hacker, represented the future of computer crime.

From his room in his parents’ house in Daly City, a few miles south of San Francisco, Salgado had cracked a major technology company and stolen a database of eighty thousand credit card numbers, with names, ZIP codes, and expiration dates. Credit card numbers had been hacked before, but what Salgado did next assured him a place in the cybercrime history books. Using the handle “Smak,” he jumped into the #carding chat room on IRC and put the entire list up for sale.
It was like offering a 747 for sale at a flea market. At the time, the online credit card fraud underground was a depressing bog of kids and small timers who’d barely advanced beyond the previous generation of fraudsters fishing receipt carbons from the Dumpsters behind the mall. Their typical deals were in the single digits, and their advice to one another was tainted by myth and idiocy. Much of the conversation unfolded in an open channel where anyone in law enforcement could log in and watch—the carders’ only security was the fact that nobody would bother.

Remarkably, Salgado found a prospective buyer in #carding—a San Diego computer science student who’d been putting himself through college by counterfeiting credit cards, getting the account numbers from billing statements pilfered from the U.S. mail. The student had mob contacts who, he believed, would buy Smak’s entire stolen database for six figures.

The deal went south when Salgado, looking to perform a little due diligence, hacked his customer’s ISP and poked through his files. When the student found out, he got mad and secretly began working with the FBI. On the morning of May 21, 1997, Salgado showed up at a meeting with his buyer at the smoking lounge at San Francisco International Airport, where he expected to trade a CD-ROM containing the database for a suitcase packed with $260,000 in cash. Instead, he was arrested by the San Francisco computer crime squad.

The foiled plot was an eye-opener for the FBI: Salgado represented the first of a new breed of profit-oriented hacker, and he posed a threat to the future of e-commerce. Surveys showed that Web users were anxious about sending credit card numbers into the electronic ether—it was the number one thing holding them back from Internet purchasing. Now, after years of struggling to gain consumers’ trust and reward the faith of investors, e-commerce companies were starting to win over Wall Street. Less than two weeks before Salgado’s arrest, Amazon.com had launched its long-awaited initial public offering and ended the day $54 million richer.

Salgado’s IPO was higher: The credit card companies determined the total spending limits on his eighty thousand cards amounted to over a billion dollars—$931,568,535 if you subtracted the legitimate owners’ outstanding balances. The only thing he’d been missing was a NASDAQ to trade on. Once the underground figured out that part of the equation, it would be an industry of its own.

As soon as Salgado was arrested, he’d confessed everything to the FBI. That, Granick told the Def Con hackers in her presentation, was his big mistake. Despite his cooperation, Salgado had been sentenced to thirty months in prison earlier that year.
“Now, the FBI wanted me to tell you that it was good for Mr. Salgado that he talked.” Granick paused. “That’s bullshit.

“Just say no!” she said, and cheers and whistles swelled from the audience. “There’s never any good reason to talk to a cop.… If you’re going to cooperate, you’re going to cooperate after consulting with a lawyer and cutting a deal. There’s never any reason to give them information for free.”

In the back of the room, Kimi prodded Max in the ribs with her elbow. Everything Granick was advising computer intruders not to do, Max had done. Everything.

Max was having second thoughts about his arrangement with the feds.

• • •

“We need to make some changes in the way we do business.”
Max could feel the frustration radiating from his screen as he read the latest note from Chris Beeson. Max had returned from Def Con empty-handed and then blown off a meeting at the federal building at which he was supposed to get a new assignment, pissing off Beeson’s supervisor, Pete Trahon. Continuing his e-mail, Beeson warned Max of dark consequences for continued flakiness. “In the future, missed appointments without exceptional reasons will be considered uncooperative on your part. If you are not willing to cooperate then we HAVE to take the appropriate actions. Pete is meeting with the prosecutor on YOUR case Monday. He wants to meet with you promptly in our office at 10:00am sharp, MONDAY 8/17/98. I am not available next week (that is why I wanted to meet with you this week) so you’re going to have to deal directly with Pete.”

This time, Max showed up. Trahon explained that he’d become interested in Max’s boss at MCR, Matt Harrigan. The agent was alarmed at the idea of a hacker running a cybersecurity shop staffed with other hackers, like Max, and vying for a contract with the NSA. If Max wanted to make the FBI happy, he had to get Harrigan to admit he was still hacking and had played a role in Max’s BIND attack.

The agent gave Max a new form to sign. It was Max’s written consent to wire him for sound. Trahon handed him a bureau-issued recording device disguised as a pager.

On the way home, Max pondered the situation. Harrigan was a friend and fellow hacker. Now the FBI was asking Max to perform the ultimate betrayal—to become Digital Jesus’s real-life Judas.

The next day, Max met Harrigan at a Denny’s diner in San Jose, without the FBI wire. His eyes scanned over the other diners and looked out the window into the parking lot. There could be feds anywhere.

He pulled out a piece of paper and slipped it across the booth. “Here’s what’s going on.…”

Max phoned Jennifer Granick after the meeting—he’d gotten her card at the conclusion of her Def Con talk—and she agreed to represent him.

When they learned Max had lawyered up, Beeson and Trahon wasted no time in officially dropping him as an informant. Granick began phoning the FBI and the prosecutor’s office to find out what the government had planned for her new client. Three months later she finally got an answer from the government’s top cybercrime prosecutor in Silicon Valley. The United States was no longer interested in Max’s cooperation. He could look forward to going back to prison.

* Harrigan’s involvement is in dispute. Max says he planned the BIND attack with Harrigan at the MCR office and that Harrigan wrote the program that built the target list of government computers. Harrigan says he was not involved but was aware of what Max was up to.

7
Max Vision

With his government service at an end, Max went to work building his reputation as a white-hat hacker, even as he lived under the sword of Damocles of a pending federal indictment.

The BIND vulnerability and the resultant success of Whitehats.com had given him a running start. Now Max hung up his own shingle as a computer security consultant, erecting a new website touting his services as a hacker for hire at one hundred dollars an hour—or free to nonprofit groups. His chief selling point: a 100 percent success rate in penetration tests. He had never once confronted a network he couldn’t crack.

It was an exciting time to be a white hat. The rebellious spirit that drove the open-source software movement was planting itself in the computer security world, and a new crop of college graduates, dropouts, and former and current black hats was upending the conservative assumptions that had dominated security thinking for decades.

First to be dustbinned was the tenet that security holes and attack methods should be kept quiet, held privately among a cadre of trusted responsible adults. The white hats called this notion “security through obscurity.” The new generation preferred “full disclosure.” Discussing security problems widely not only helped get them fixed, but it also advanced the science of security, and hacking, as a whole. Keeping bugs private only benefited two groups: the bad guys who were exploiting them, and vendors like Microsoft that preferred to fix security holes without confessing the details of their screwups.

The full-disclosure movement spawned the Bugtraq mailing list, where hackers of any hat color were encouraged to send in detailed reports of security flaws they’d found in software. If they could provide an “exploit”—code that demonstrated the flaw—so much the better. The preferred path to full disclosure was to first notify the software maker and give that company time to issue a patch before releasing the flaw or exploit on Bugtraq. But Bugtraq didn’t censor, and it was common for a bug finder to drop a previously unknown exploit onto the list, releasing it simultaneously to thousands of security researchers and hackers in the span of minutes. The maneuver was all but guaranteed to kick a software company into rapid response.

Bugtraq provided hackers with a way to show off their expertise without breaking the law. The ones who were still cracking systems had an invigorated white-hat community to deal with, armed with a growing arsenal of defensive tools.
  1674. In late 1998, a former NSA cybersecurity contractor
  1675. named Marty Roesch developed one of the best. Roesch
  1676. thought it would be fun to see what random attacks were
  1677. crossing his home cable modem connection while he was
  1678. at work. As a weekend project, he cranked out a packet
  1679. sniffer called Snort and released it as an open-source
  1680. project.
  1681. At first, Snort was nothing special—a packet sniffer is a
  1682. common security tool that eavesdrops on the traffic
  1683. crossing a network and dumps it to a file for analysis. But a
  1684. month later, Roesch turned his program into a full-blown
  1685. intrusion detection system (IDS), which would alert the
  1686. operator whenever it spotted network traffic that matched
  1687. the signature of a known attack. There were a number of
  1688. proprietary IDSs on the market, but Snort’s versatility and
  1689. open-source licensing instantly appealed to the white hats,
  1690. who loved nothing more than tinkering with a new security
  1692. tool. Volunteer programmers jumped in to add functionality
  1693. to the program.
  1694. Max was excited by Snort. The software was similar to
  1695. BRO, the Lawrence Berkeley lab project that had helped
  1696. sniff out Max’s BIND attack, and Max knew it could be a
  1697. game changer for online security. Now white hats could
  1698. watch in real time for anyone trying to exploit the
  1699. vulnerabilities discussed on Bugtraq and elsewhere. Snort
  1700. was like an early-warning system for a network—the
  1701. computer equivalent of the NORAD radar mesh that
  1702. monitors America’s airspace. All it was lacking was a
  1703. comprehensive and up-to-date list of attack signatures, so
  1704. the software would know what to look for.
  1705. In the first few months after Snort’s release, a
  1706. disorganized trickle of user-created signatures put the total
  1707. number at about 200. In a single sleepless night, Max more
  1708. than doubled the count, whipping up 490 signatures. Some
  1709. were original, others were improved versions of the existing
  1710. rules or ports from Dragon IDS, a popular proprietary
  1711. system. Writing a rule meant identifying unique
  1712. characteristics in the network traffic produced by a
  1713. particular attack, like the port number or a string of bytes.
  1714. For instance, the incantation alert udp any any -> $INTERNAL
  1715. 31337 (msg:"BackOrifice1-scan"; content:"|ce63 d1d2 16e7 13cf 38a5
  1716. a586|";) detected black hats trying to use the Cult of the
  1717. Dead Cow’s Back Orifice malware that had so transfixed
  1718. the crowd at Def Con 6.0. It told Snort that an incoming
  1719. connection to port 31337, with a particular string of twelve
  1720. bytes in the network traffic, was someone trying to exploit
  1721. the back door.
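The rule quoted above works in two stages: the header (protocol, source and destination addresses and ports) decides whether a packet is even a candidate, and the content option then requires a specific byte string inside the payload. The following matcher is an added illustration, not Snort's code and not from arachNIDS; it handles only the rule shape shown in the text (msg and content options), resolves the $INTERNAL variable to a constructed 10.0.0.0/24 network, and runs the rule over four constructed packets that each differ in one field.

```python
"""Minimal Snort-style rule matcher, written as an added illustration.

Not Snort's code and not from arachNIDS; it only covers the rule shape
quoted in the text: header (action proto src sport -> dst dport) plus
msg and content options.  $INTERNAL is resolved to a constructed network.
"""
import ipaddress
import re
from dataclasses import dataclass

# Rule as quoted in the text (Snort syntax, straight quotes).
BO_RULE = ('alert udp any any -> $INTERNAL 31337 '
           '(msg:"BackOrifice1-scan"; content:"|ce63 d1d2 16e7 13cf 38a5 a586|";)')

# Constructed value for the $INTERNAL variable (assumption: the home network).
VARIABLES = {"$INTERNAL": ipaddress.ip_network("10.0.0.0/24")}


@dataclass
class Rule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    msg: str
    content: bytes


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def parse_content(raw: str) -> bytes:
    """Decode a Snort content string: text outside |...| is literal,
    text inside |...| is hex bytes (whitespace between pairs allowed)."""
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def parse_rule(text: str) -> Rule:
    """Split 'header (options)' into a Rule; only '->' rules are handled."""
    header, _, options = text.partition("(")
    action, proto, src_ip, src_port, arrow, dst_ip, dst_port = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional rules are handled here")
    opts = dict(re.findall(r'(\w+):"([^"]*)"', options))
    return Rule(action, proto, src_ip, src_port, dst_ip, dst_port,
                opts.get("msg", ""), parse_content(opts.get("content", "")))


def addr_matches(pattern: str, ip: str) -> bool:
    if pattern == "any":
        return True
    if pattern in VARIABLES:
        return ipaddress.ip_address(ip) in VARIABLES[pattern]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def port_matches(pattern: str, port: int) -> bool:
    return pattern == "any" or int(pattern) == port


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header fields first, then the payload byte string."""
    return (rule.proto == pkt.proto
            and addr_matches(rule.src_ip, pkt.src_ip)
            and port_matches(rule.src_port, pkt.src_port)
            and addr_matches(rule.dst_ip, pkt.dst_ip)
            and port_matches(rule.dst_port, pkt.dst_port)
            and rule.content in pkt.payload)


def scan(rules, packets):
    """Return one alert line per (rule, packet) pair that matches."""
    return [f"[{r.action}] {r.msg} {p.src_ip}:{p.src_port} -> {p.dst_ip}:{p.dst_port}"
            for p in packets for r in rules if matches(r, p)]


BO_MAGIC = bytes.fromhex("ce63d1d216e713cf38a5a586")  # the 12 bytes from the rule

# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = [
    # Back Orifice probe against an internal host: the only one that should fire.
    Packet("udp", "192.0.2.10", 1042, "10.0.0.5", 31337, BO_MAGIC + b"\x00" * 6),
    # Same port, different payload: the port alone is not evidence.
    Packet("udp", "192.0.2.10", 1043, "10.0.0.5", 31337, b"hello world"),
    # Right payload, wrong direction: destination is not in $INTERNAL.
    Packet("udp", "10.0.0.5", 31337, "192.0.2.10", 1042, BO_MAGIC),
    # Right payload and port, but TCP: the rule is UDP-only.
    Packet("tcp", "192.0.2.10", 1044, "10.0.0.5", 31337, BO_MAGIC),
]

if __name__ == "__main__":
    for line in scan([parse_rule(BO_RULE)], SAMPLE_PACKETS):
        print(line)
```

Only the first packet produces an alert. Two caveats worth keeping in mind: the rule is written for UDP, so what the text calls an incoming "connection" is a single datagram, and the port number by itself would fire on any traffic to 31337, which is why the twelve-byte content check carries the real detection weight. Real Snort rules carry many more options than msg and content, and this matcher ignores them.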
  1722. Max put the signatures online as a single file on
  1723. Whitehats.com, crediting a handful of other security geeks
  1724. for their contributions, including Ghost23—a nod to his alter
  1725. ego. Later, he converted the file to a full-fledged database
  1726. and invited other experts to contribute their own rules. He
  1727. gave the project the catchy name arachNIDS, for Advanced
  1728. Reference Archive of Current Heuristics for Network
  1729. Intrusion Detection Systems.
  1730. ArachNIDS was a hit and helped Snort surge to new
  1731. levels of popularity in the security community, with Max
  1732. Vision riding the swell to security stardom. As more white
  1733. hats contributed to the project, it became the computer-security
  1734. equivalent of the FBI’s fingerprint database,
  1735. capable of identifying virtually every known attack technique
  1736. and variant. Max built on his success by writing papers
  1737. dissecting Internet worms with the same clear eye he’d
  1738. applied to the ADM worm. The technology press started
  1739. seeking him out for comment on the latest attacks.
  1740. In 1999, Max injected himself into another promising
  1741. venture aimed directly at tricking black-hat hackers. The
  1742. Honeynet Project, as it would later be called, was the work
  1743. of a former Army officer who applied his interest in military
  1744. tactics to erect network “honeypots”—decoy computers that
  1745. served no purpose but to be hacked. The Honeynet Project
  1746. would secretly wire a packet sniffer to the system and place
  1747. it unprotected on the Internet, like an undercover vice cop
  1748. decked out in pumps and a short skirt on a street corner.
  1749. When a hacker targeted a honeypot, his every move
  1750. would be recorded and then analyzed by security experts,
  1751. with the results released to the world in the spirit of full
  1752. disclosure. Max delved into the forensic work,
  1753. reconstructing crimes from raw packet data and producing
  1754. cogent analyses that blew the lid off some of the
  1755. underground’s concealed techniques.
  1756. But Max knew his rising recognition as a white hat
  1757. wouldn’t save him from the federal grand jury. In quiet
  1758. moments, he fantasized with Kimi about escaping his fate.
  1759. They could run off together, to Italy or some remote island.
  1760. They’d start over. He’d find a benefactor, someone with
  1761. money who recognized Max’s talent and would pay him to
  1762. hack.
  1763. The couple’s relationship was suffering under the weight
  1764. of the government’s silent looming presence in their life.
  1765. Before the raid, they hadn’t much planned for the future.
  1766. Now they couldn’t. The future had been taken out of their
  1767. control, and the uncertainty was toxic. They fought in private
  1768. and snipped at each other in public. “The reason I signed
  1769. the confession is because we’d just gotten married, and I
  1770. didn’t want to hurt you,” Max said. He blamed himself, he
  1771. added. By getting married, he’d given his enemies a
  1772. weapon to use against him, a fatal flaw.
  1773. Kimi transferred from De Anza, a community college, to
  1774. UC Berkeley, and the couple moved across the bay to live
  1775. just off campus. The move proved fortuitous for Max. In the
  1776. spring of 2000, a Berkeley company named Hiverworld
  1777. offered him a long-awaited shot at the dot-com success
  1778. that had already graced other Hungry Programmers. The
  1779. company’s plan was to create a new antihacking system
  1780. that would detect intrusions, like Snort, but also actively
  1781. scan the user’s network for vulnerabilities, allowing it to
  1782. ignore malicious volleys that had no chance of success.
  1783. Snort author Marty Roesch was employee number 11. Now
  1784. the company wanted Max Vision as number 21.
  1785. Max’s first day was set for March 21. It was an early
  1786. position at a promising technology start-up. The American
  1787. dream, circa 2000.
  1788. On the morning of March 21, 2000, the FBI knocked on
  1789. Max’s door.
  1790. At first he thought it was a Hiverworld hazing, a practical
  1791. joke. It wasn’t. “Just don’t answer it!” he said to Kimi. He
  1792. grabbed a phone and found a hiding place, in case the
  1793. agents peered through the windows. He dialed Granick and
  1794. told her what was happening. The indictment must have
  1795. finally come down. The FBI was there to take him to jail.
  1796. What should he do?
  1797. The agents left—their arrest warrant didn’t authorize
  1798. them to crash into Max’s home, so he’d temporarily
  1799. thwarted them by the simple act of not answering the door.
  1800. On her end, Granick called the prosecutor to try to arrange
  1801. for a civilized self-surrender at the FBI field office in
  1802. Oakland. Max contacted Hiverworld’s CTO, his new boss,
  1803. to report that he wouldn’t be showing up for his first day at
  1804. work. He’d be in touch in a day or two to explain everything,
  1805. he said.
  1806. The evening news beat him to the punch: Alleged
  1807. computer hacker Max Butler had just turned himself in on a
  1808. fifteen-count indictment charging illegal interception of
  1809. communications, computer intrusion, and possession of
  1810. stolen passwords.
  1811. After two nights in jail, Max was brought in front of a
  1812. federal magistrate in San Jose for arraignment. Kimi, Tim
  1813. Spencer, and a dozen Hungry Programmers filled the
  1814. gallery. Max was released on a $100,000 bond—Tim
  1815. signed for half, and a fellow Hungry who’d struck it rich at a
  1816. dot-com put down the remainder in cash.
  1817. The arrest sent shock waves through the computer
  1818. security world. Hiverworld canceled its job offer on the spot
  1819. —no security start-up could hire a man facing current
  1820. computer intrusion charges. The community fretted over
  1821. what would happen to the arachNIDS database without
  1822. Max’s curatorship. “It’s his stuff,” Roesch ruled in a post on
  1823. a security mailing list. “So barring him explicitly ceding it to
  1824. someone, it’s still his to maintain.”
  1825. Max responded personally in a long message sweeping
  1826. through his early love of computers and the future direction
  1827. of intrusion detection. Whitehats.com and arachNIDS would
  1828. continue no matter what, he predicted. “My family and
  1829. friends have been incredibly supportive and there are offers
  1830. to maintain the sites to a certain degree should tragedy
  1831. occur.”
  1832. Casting himself as a victim, he railed against the “frenzy
  1833. of the hacker witch-hunt” and slammed Hiverworld for
  1834. disloyalty. “After the smoke cleared and I was in the press,
  1835. Hiverworld decided not to continue our relationship,” he
  1836. wrote. “The corporation expressed cowardice that is
  1838. deplorable. I can’t tell you how disappointed I was to feel
  1839. the complete lack of support from the Hive.
  1840. “I am innocent until proven guilty,” he wrote. “And would
  1841. appreciate the recognition of this by our community.”
  1842. Six months later, Max pleaded guilty. The news was
  1843. nearly lost amid a flurry of federal hacker prosecutions. The
  1844. same month, Patrick “MostHateD” Gregory, the leader of a
  1845. hacker gang called globalHell, was sentenced to twenty-six
  1846. months in prison and ordered to pay $154,529.86 in
  1847. restitution for a string of website defacements. At the same
  1848. time, prosecutors charged twenty-year-old Jason “Shadow
  1849. Knight” Diekman of California with cracking NASA and
  1850. university systems for fun, and sixteen-year-old Jonathan
  1851. James, known as “C0mrade,” received a six-month
  1852. sentence for his recreational intrusions into Pentagon and
  1853. NASA computers—the first term of confinement ever
  1854. handed down in a juvenile hacking case.
  1855. To all appearances, federal law enforcement now had
  1856. firm control of the computer intrusions that had for so long
  1857. struck fear into corporate America and government
  1858. officials. In truth, all these victories were battles in
  1859. yesterday’s cyberwar against bedroom hackers, a dying
  1860. breed. Even as Max copped his plea in a San Jose
  1861. courtroom, the FBI was discovering a twenty-first-century
  1862. threat gathering five thousand miles away—one intimately
  1863. entwined with Max Vision’s future.
  1864.  
  1865. 8
  1866. Welcome to America
  1867. The two Russians made themselves at home in the
  1868. small office in Seattle. Alexey Ivanov, twenty, typed on a
  1869. computer keyboard while his associate, nineteen-year-old
  1870. Vasiliy Gorshkov, stood by and watched. They were
  1871. straight off a flight from Russia and already knee-deep into
  1872. the biggest job interview of their lives—negotiating for a
  1873. lucrative international partnership with the U.S. computer-security
  1874. start-up Invita.
  1875. Office workers milled around them, and tinny pop music
  1876. spilled from the computer’s speaker. After a few minutes,
  1877. Gorshkov drifted off to another computer across the room,
  1878. and Michael Patterson, Invita’s CEO, struck up a
  1879. conversation.
  1880. It had been Patterson who’d invited the Russians to
  1881. Seattle. Invita, he’d told them in an e-mail, was a young
  1882. company, but it was gaining customers through contacts
  1883. the founders had made while working at Microsoft and Sun.
  1884. Now the company wanted help expanding into Eastern
  1885. Europe. Ivanov, who claimed to have as many as twenty
  1886. talented programmers working with him, seemed perfect
  1887. for the job; Gorshkov was a tag-along, invited by Ivanov to
  1888. act as the duo’s spokesman. He had a fiancée waiting
  1889. back home, pregnant with his first child.
  1890. Patterson began casually asking Gorshkov about a
  1891. recent rash of computer intrusions into U.S. companies,
  1892. some of whom paid money to the attackers to make them
  1893. stop. “Just so I know you guys are as good as I think you
  1894. are,” Patterson said, “could any of that have been you
  1895. guys?”
  1896. Gorshkov—bundled in the heavy jacket he wore back
  1897. home in Chelyabinsk, a bleak, polluted industrial city in the
  1898. Ural Mountains—hedged for a minute and finally answered.
  1899. “A few months ago we tried, but we found it’s not so
  1900. profitable.”
  1901. The Russian was being modest. For nearly a year, small
  1902. to midsized Internet companies around the United States
  1903. had been plagued by extortionate cyberattacks from a
  1904. group calling itself the Expert Group of Protection Against
  1905. Hackers—a name that probably sounds better in Russian.
  1906. The crimes always unfolded the same way: Attackers from
  1907. Russia or Ukraine breached the victim’s network, stole
  1908. credit card numbers or other data, then sent an e-mail or a
  1909. fax to the company demanding payment to keep quiet
  1910. about the intrusion and to fix the security holes the hackers
  1911. exploited. If the company didn’t pay up, the Expert Group
  1912. would threaten to destroy the victim’s systems.
  1913. The gang had lifted tens of thousands of credit card
  1914. numbers from the Online Information Bureau, a financial
  1915. transaction clearinghouse in Vernon, Connecticut. The
  1916. Seattle ISP Speakeasy had been hit. Sterling
  1917. Microsystems in Anaheim, California, had been hacked,
  1918. along with a Cincinnati ISP, a Korean bank in Los Angeles,
  1919. a financial services company in New Jersey, the electronic
  1920. payment company E-Money in New York, and even the
  1921. venerable Western Union, which had lost nearly sixteen
  1922. thousand customer credit card numbers in an attack that
  1923. came with a $50,000 extortion threat. When music-seller
  1924. CD Universe didn’t give in to a $100,000 ransom demand,
  1925. thousands of its customers’ credit card numbers showed
  1926. up on a public website.
  1927. Several companies wound up paying the Expert Group
  1928. small amounts to go away, while the FBI did its best to
  1929. track the intrusions. They finally zeroed in on one of the
  1930. ringleaders, “subbsta,” whose real name was Alexey
  1931. Ivanov. It wasn’t that hard—the hacker, convinced he was
  1932. out of reach of American justice, had given his résumé to
  1934. Speakeasy during the extortion negotiations there.
  1935. Russian police had ignored a diplomatic request to
  1936. detain and question Ivanov, and that was when the feds
  1937. created Invita, a full-blown undercover business designed
  1938. to lure the hacker into a trap. Now Ivanov and Gorshkov
  1939. were surrounded by undercover FBI agents posing as
  1940. company employees, along with a white-hat hacker from
  1941. the nearby University of Washington who was playing the
  1942. role of a computer geek named Ray. Hidden cameras and
  1943. microphones recorded everything in the office, and FBI-installed
  1944. spyware captured every keystroke typed on the
  1945. computers. In the parking lot outside, around twenty FBI
  1946. agents were standing by to help with the arrest.
  1947. The agent playing CEO Patterson tried to draw Gorshkov
  1948. out some more. “What about credit cards? Credit card
  1949. numbers? Anything like that?”
  1950. “When we’re here, we’ll never say that we got access to
  1951. credit card numbers,” the hacker replied.
  1952. The FBI agent and Gorshkov laughed conspiratorially. “I
  1953. understand. I hear ya, I hear ya,” said Patterson.
  1954. When the two-hour meeting concluded, Patterson
  1955. ushered the men into a car, ostensibly to take them to the
  1956. temporary housing arranged for their visit. After a short
  1957. drive, the car stopped. Agents threw open the doors and
  1958. arrested the Russians.
  1959. Back at the office, an FBI agent realized the keystroke
  1960. logger installed on the bureau computers at Invita
  1961. presented him with a rare opportunity. What he did next
  1962. would make him the first FBI agent to be accused by the
  1963. Russian federal police of committing a computer crime. He
  1964. went into the keystroke logs and retrieved the password the
  1965. pair had used to access their computer in Chelyabinsk.
  1966. Then, after checking with his supervisor and a federal
  1967. prosecutor, he logged in to the hackers’ Russian server
  1968. over the Internet and started scrounging through the
  1969. directory names, looking for the files belonging to Ivanov
  1970. and Gorshkov.
  1971. When he found them, he downloaded 2.3 gigabytes of
  1972. compressed data and burned it onto CD-ROMs, only later
  1973. obtaining a warrant from a federal judge to search through
  1974. the information he’d grabbed. It was the first international
  1975. evidence seizure through hacking.
  1976. When the feds dug into the data, the breathtaking scope
  1977. of Ivanov’s activity became clear. In addition to the extortion
  1978. plots, Ivanov had developed a frighteningly effective method
  1979. for cashing out the cards he stole, using custom software to
  1980. automatically open PayPal and eBay accounts and bid on
  1981. auctioned goods with one of the half-million stolen credit
  1982. cards in his collection. When the program won an auction, it
  1983. had the goods shipped to Eastern Europe, where an
  1984. associate of Ivanov picked them up. Then the software did
  1985. it all again and again. PayPal checked the stolen credit
  1986. card list against its internal databases and found it had
  1987. absorbed a stunning $800,000 in fraudulent charges.
  1988. It was the first tremor in a tectonic shift that would
  1989. fundamentally change the Internet for the next decade.
  1990. Maybe forever. With top-flight technical colleges but few
  1991. legitimate opportunities for their graduates, Russia and the
  1992. former Soviet satellite states were incubating a new breed
  1993. of hacker.
  1994. Some, like Ivanov, were amassing personal fortunes by
  1995. looting consumers and companies, protected by corrupt or
  1996. lazy law enforcement in their home countries and poor
  1997. international cooperation. Others, like Gorshkov, were
  1998. driven into crime by tough economic circumstances. The
  1999. hacker graduated from Chelyabinsk State Technical
  2000. University with a degree in mechanical engineering and
  2001. sank a small inheritance from his father into a computer-hosting
  2002. and Web-design business. Despite his swaggering
  2003. hacker machismo at Invita, Gorshkov had been a late
  2004. addition to Ivanov’s gang, and he’d paid his own way to
  2005. America in the hope of improving his fortunes. In a way, he
  2006. did: After his arrest in Seattle, he was earning more in
  2008. prison doing janitorial and kitchen work at eleven cents an
  2009. hour than his fiancée was drawing on public assistance
  2010. back home.
  2011. After his arrest, Ivanov began cooperating with the FBI,
  2012. rattling off a list of friends and accomplices still hacking
  2013. back home. The bureau realized there were dozens of
  2014. profit-oriented intruders and fraud artists from Eastern
  2015. Europe already reaching their tentacles into Western
  2016. computers.
  2017. In the years to come, the number would grow to
  2018. thousands. Ivanov and Gorshkov were Magellan and
  2019. Columbus: Their arrival in America instantly redrew the
  2020. global cybercrime map for the FBI and placed Eastern
  2021. Europe indisputably at its center.
  2022.  
  2023. 9
  2024. Opportunities
  2025. Max wore a blazer and rumpled cargo pants to his
  2026. sentencing hearing and watched silently as the lawyers
  2027. sparred over his fate.
  2028. Jennifer Granick, the defense attorney, told Judge James
  2029. Ware that Max deserved a lowered sentence for his service
  2030. as the Equalizer. The prosecutor took the opposite
  2031. position. Max, he argued, had pretended to be an FBI
  2032. informant while secretly committing crimes against the U.S.
  2033. government. It was worse than if he had never cooperated
  2034. at all.
  2035. It was a strange sentencing hearing for a computer
  2036. criminal. A dozen of Max’s colleagues in the security world
  2037. —people devoted to thwarting hackers—had written to
  2038. Judge Ware on Max’s behalf. Dragos Ruiu, a prominent
  2039. security evangelist in Canada, called Max “a brilliant
  2040. innovator in this field.” French programmer Renaud
  2041. Deraison credited Max’s early support with making
  2042. possible Nessus, Deraison’s vulnerability scanner and one
  2043. of the most important free security tools then available.
  2044. “Given Max’s potential and his clear vision of Internet
  2045. security … it would be more useful for society as a whole
  2046. that he stays among us as a computer security
  2047. specialist … rather than spend time in a cell and see his
  2048. computing talent go through a slow but sure decay.”
  2049. From a technology worker in New Zealand: “Without the
  2050. work that Max has done … it would be so much harder for
  2051. my company and countless others to protect themselves
  2052. from hackers.” From a fan in Silicon Valley: “Taking Max
  2053. out of the security community would greatly hurt our ability to
  2054. protect ourselves.” A former Defense Department worker
  2055. wrote, “To imprison this individual would be a travesty.”
  2056. Several of the Hungries wrote letters as well, as did
  2057. Max’s mother and sister. In her note, Kimi pleaded
  2058. eloquently for Max’s freedom. “He saved my life by helping
  2059. me out of an abusive relationship and teaching me the
  2060. meaning of self-respect,” she wrote. “He gave me shelter
  2061. when I had no place to live. He took very good care of me
  2062. when I was seriously ill, saving my life again by taking me to
  2063. the emergency room when I protested that I was ‘fine’ even
  2064. as I was dying.”
  2065. When the lawyers finished their arguments, Max spoke
  2066. for himself, with the earnest politeness he always exhibited
  2067. away from his computer. His attack, he explained, had
  2068. been born of good intentions. He’d just wanted to close the
  2069. BIND hole and had lost his head.
  2070. “I got swept up,” he said softly. “It’s hard to explain the
  2071. feelings of someone who’s gotten caught up in the
  2072. computer security field.… I felt at the time that I was in a
  2073. race. That if I went in and closed the holes quickly, I could
  2074. do it before people with more malicious intentions could
  2075. use them.
  2076. “What I did was reprehensible,” Max continued. “I’ve hurt
  2077. my reputation in the computer security field. I’ve hurt my
  2078. family and friends.”
  2079. Judge Ware listened attentively but had already made up
  2080. his mind. Letting Max off without a prison term would send
  2081. the wrong message to other hackers. “There’s a need for
  2082. those who would follow your footsteps to know that this can
  2083. result in incarceration,” the judge said.
  2084. The sentence: eighteen months in prison, followed by
  2085. three years of supervised release in which Max wouldn’t be
  2086. allowed on the Internet without the permission of his
  2087. probation officer.
  2088. The prosecutor asked the judge to order Max
  2089. immediately taken into custody, but Ware denied the
  2090. request and gave the hacker a month to put his affairs in
  2092. order and turn himself in to the U.S. marshals.
  2093. • • •
  2094. Max and Kimi had moved to Vancouver, near her family,
  2095. after his guilty plea. When they returned home, Max wasted
  2096. no time arranging for Whitehats.com and arachNIDS to
  2097. survive his incarceration. He set up automatic bill payments
  2098. for his bandwidth and wrote out a list of items for Kimi to
  2099. take care of in his absence. She was in charge of
  2100. arachNIDS now, he said, indicating the server squatting on
  2101. the floor of their apartment.
  2102. The couple adopted two kittens to keep Kimi company
  2103. while he was gone, named for the swords from Elric of
  2104. Melniboné. The orange boy-cat was Mournblade; the gray
  2105. female was Stormbringer.
  2106. Max spent his last weekend of freedom in front of his
  2107. keyboard, getting arachNIDS ready for Kimi’s stewardship.
  2108. When Monday came he turned himself in on schedule. On
  2109. June 25, 2001, he was locked in the county jail pending his
  2110. shipment to his new home, Taft Federal Prison, a
  2111. corporate-run facility owned by Wackenhut, positioned near
  2112. a small town in central California.
  2113. As far as Max was concerned, it was another injustice,
  2114. just like back in Idaho. He’d been sent back to prison not
  2115. for his hacking but for refusing to set up Matt Harrigan. He
  2116. was being punished for his loyalty, once again a victim of a
  2117. capricious justice system. He doubted Judge Ware had
  2118. even looked at the details of his case.
  2119. Kimi was adrift, alone for the first time since she’d met
  2120. Max. For all his talk about staying with her forever, he’d
  2121. chosen a course of action that guaranteed their separation.
  2122. Two months later, Kimi was talking to him on the phone
  2123. from prison when she heard a pop! and the smell of acrid
  2124. smoke filled her nostrils. The motherboard on Max’s server
  2125. had burst into flames. Max tried to calm her—all she had to
  2126. do was replace the motherboard. He could do it in his
  2127. sleep. Max talked her through the process, but Kimi was
  2128. realizing she wasn’t cut out for life as the prison wife of a
  2129. hacker.
  2130. In August, she went to the Burning Man festival in Nevada
  2131. to forget her troubles. When she got home, she broke some
  2132. bad news to Max over the phone. She’d met someone else.
  2133. It was another betrayal. Max took the news with eerie
  2134. calm, interrogating her about every detail: What drugs was
  2135. she on when she cheated on him? What sexual positions
  2136. did they use? He wanted to hear her ask for his forgiveness
  2137. —he’d have given it to her in a heartbeat. But that wasn’t
  2138. what she was asking for. She wanted a divorce. “I don’t
  2139. know if you even think about the future anymore,” she said.
  2140. In search of closure, Kimi caught a flight to California and
  2141. drove to Taft, where she sat nervously in the waiting room,
  2142. her eyes playing over a wall of posters depicting
  2143. Wackenhut’s network of hivelike prisons around the
  2144. country. When Max was brought in, he took his place
  2145. across the stainless steel picnic table in the visiting room
  2146. and launched into an appeal. He did think of the future, he
  2147. told her, and he’d been making plans in the joint.
  2148. “I’ve been talking to some people,” he said, lowering his
  2149. voice to a hush. “People I think I could work with.”
  2150. Jeffrey James Norminton was at the tail end of a twenty-seven-
  2151. month stretch when Max met him in Taft. At thirty-four,
  2152. Norminton had the stolid physical presence of a
  2153. brawler, thick necked with an oversized forehead and a
  2154. Kirk Douglas cleft in his chin. An alcoholic and an
  2155. accomplished con man, he was a financial wizard who did
  2156. his best work half-sober. He’d start chain-chugging Coors
  2157. Lights as soon as he rolled out of bed, and by the end of
  2158. the day he’d be useless, but in that sweet spot between the
  2159. morning’s sobriety and the blurriness of midafternoon,
  2160. Norminton was a master of the high-stakes con—a criminal
  2161. rainmaker who could produce seven-figure sums from thin
  2162. air. Norminton’s latest caper had required little more than a
  2163. telephone and a fax machine. The target had been the
  2164. Entrust Group, a Pennsylvania investment brokerage
  2165. house. On a summer day in 1997, Norminton picked up the
  2166. phone and called a vice president at Entrust, adopting the
  2167. persona of an investment manager at Highland Federal
  2168. Bank, a real bank in Santa Monica, California.
  2169. Oozing confidence and charm, the swindler persuaded
  2170. Entrust to buy into the bank’s high-yield certificates of
  2171. deposit, promising the VP a healthy 6.20 percent return on
  2172. a one-year investment. When Entrust eagerly wired
  2173. $297,000 to Highland, the cash wound up in the account of
  2174. a dummy corporation Norminton’s accomplice had set up
  2175. under Entrust’s name. To the bank, the transaction looked
  2176. like an investment house moving money from one branch to
  2177. another.
  2178. The grifters promptly withdrew all but $10,000 of the cash
  2179. and then ran the scam again, this time with Norminton’s
  2180. partner making the phone call to the same VP and
  2181. pretending to be from a different bank, City National,
  2182. offering an even higher return. Entrust promptly sent two
  2183. more transfers totaling $800,000.
  2184. Norminton was undone by his ambition. He sent his
  2185. accomplice into City National to pull out $700,000 in a
  2186. single cashier’s check. An investigator at the bank got
  2187. suspicious and backtracked the incoming wire transfers to
  2188. the real Entrust. At the next withdrawal, FBI agents were
  2189. waiting. The financial mastermind was now cooling his
  2190. heels in Taft. The only silver lining to his incarceration was
  2191. that he’d met a talented hacker looking to get back at the
  2192. system.
  2193. Norminton made it clear that he saw real potential in
  2194. Max, and the pair took to walking the yard every day,
  2195. swapping war stories and fantasizing about how they might
  2196. work together when they hit the streets. With Norminton’s
  2197. guidance, Max could easily learn to crack brokerage
  2199. houses, where they’d tap into overstuffed trading accounts
  2200. and drain them into offshore banks. One big haul and they’d
  2201. have enough cash for the rest of their lives.
  2202. After five months, Norminton and his schemes were sent
  2203. home to sunny Orange County, California, while Max
  2204. remained at Taft with another year left on his sentence—
  2205. long, tedious days of bad food, standing for count, and the
  2206. sound of chains and keys.
  2207. In August 2002, Max was granted early release to a sixty-one-
  2208. bed halfway house in Oakland, where he shared a
  2209. room with five other ex-cons. Kimi met with Max to present
  2210. him with divorce papers. She was getting serious with the
  2211. guy she’d met at Burning Man; it was time, she said, for
  2212. Max to let her go. Max refused to sign.
  2213. Max’s relative freedom at the halfway house was tenuous
  2214. —the facility demanded that he obtain gainful employment
  2215. or go back to prison, and telecommuting wasn’t allowed.
  2216. He reached out to his old contacts in Silicon Valley and
  2217. found his employability had been shattered by his high-profile
  2218. hacking conviction and over a year in prison.
  2219. Desperate, he borrowed a laptop from one of the Hungry
  2220. Programmers and banged out a message to an
  2221. employment list watched by the computer security experts
  2222. who had once admired him. “I have been showing up at
  2223. places that farm out manual labor, 5:30 am, and still haven’t
  2224. found any work,” he wrote. “My situation is just ridiculous.”
  2225. He offered his services at fire-sale prices. “I am willing to
  2226. work for minimum wage for the next few months. Surely
  2227. there is some open position at a security company in the
  2228. area.… The last half dozen employers I have had paid me
  2229. at least $100/hr for my time, now I am only asking for
  2230. $6.75.”
  2231. A consultant answered the plea, agreeing to let Max work
  2232. out of his home office in Fremont, a short BART ride from
  2233. the halfway house. He’d pay ten dollars an hour for Max to
  2234. help build servers, a throwback to Max’s first job for his
  2235. father as a teen. Tim Spencer loaned Max a bike to pedal
  2236. to the train station every day. Max was freed from the
  2237. halfway house after two months, and the Hungry
  2238. Programmers once again stepped up to provide him with
  2239. shelter. He moved into an apartment in San Francisco
  2240. shared by Chris Toshok, Seth Alves—a veteran of the
  2241. Meridian master-key adventure—and Toshok’s ex-girlfriend
  2242. Charity Majors.
  2243. Despite the jailhouse fantasies he and Norminton had
  2244. hatched, Max was determined to go straight. He resumed
  2245. his search for work. But the job offers failed to pour in for
  2246. the ex-con. Even the Honeynet Project, to which he’d
  2247. donated his expertise just a couple of years earlier,
  2248. shunned him.
  2249. His lot began improving in other ways: He started dating
  2250. his housemate Charity Majors, a fellow Idaho refugee who
  2251. designed herself like an avatar from a virtual world, painting
  2252. her fingernails like Skittles—each a different color—and
  2253. wearing contact lenses that tinted her eyes an impossible
  2254. emerald. Money was tight for both of them: Charity worked
  2255. as a system administrator for a porn website in Nevada,
  2256. earning Silver State wages that were stretched thin in San
  2257. Francisco. Max was nearly broke.
  2258. One of Max’s former clients in Silicon Valley tried to help
  2259. by giving Max a $5,000 contract to perform a penetration
  2260. test on the company’s network. The company liked Max
  2261. and didn’t really care if he produced a report, but the
  2262. hacker took the gig seriously. He bashed at the company’s
  2263. firewalls for months, expecting one of the easy victories to
  2264. which he’d grown accustomed as a white hat. But he was in
  2265. for a surprise. The state of corporate security had improved
  2266. while he was in the joint. He couldn’t make a dent in the
  2267. network of his only client. His 100 percent success record
  2268. was cracking.
  2269. “I’ve never failed to get into a system before,” Max told
  2270. Charity in disbelief.
  2271. “Sweetie, you haven’t touched a computer for years,” she
  2273. said. “It’ll take you a little while. Don’t feel like you have to
  2274. get in today.”
  2275. Max pushed harder, only becoming more frustrated over
  2276. his powerlessness. Finally, he tried something new. Instead
  2277. of looking for vulnerabilities in the company’s hardened
  2278. servers, he targeted some of the employees individually.
  2279. These “client side” attacks are what most people
  2280. experience of hackers—a spam e-mail arrives in your inbox,
  2281. with a link to what purports to be an electronic greeting
  2282. card or a funny picture. The download is actually an
  2283. executable program, and if you ignore the warning
  2284. message on your Windows machine and install the
  2285. software, your computer is no longer your own.
  2286. In 2003 the dirty secret of these attacks was that even
  2287. savvy users who knew better than to install foreign software
  2288. could be broadsided. “Browser bloat” was largely to blame.
  2289. In the nineties a fierce battle with Netscape for control of the
  2290. browser market had driven Microsoft to stuff Internet
  2291. Explorer with unnecessary features and functionality. Every
  2292. added capability expanded the attack surface of the
  2293. browser. More code meant more bugs.
  2294. Now Internet Explorer holes were constantly surfacing.
  2295. They were usually discovered by one of the good guys first:
  2296. Microsoft’s own programmers or a white hat who often, but
  2297. not always, warned the company before detailing the hole
  2298. on Bugtraq.
  2299. But once a hole was public, the race was on. Black hats
  2300. worked to exploit the bug by setting up Web pages serving
  2301. the attack code and then tricking victims into visiting them.
  2302. Just looking at the Web page would yield control of the
  2303. victim’s computer, without any outward sign of infection.
  2304. Even if the bugs were not made public, the bad guys could
  2305. figure them out by reverse-engineering the vulnerability
  2306. from Microsoft’s patches. Security experts had been
  2307. watching with dismay as the time between a vulnerability’s
  2308. announcement and its exploitation by black hats shrank
  2309. from months to days. In the worst-case scenario, the black
  2310. hats found a bug first: a “zero day” vulnerability that left the
  2311. good guys playing catch-up.
  2312. With new Microsoft patches coming out nearly every
  2313. week, even vigilant corporations tended to lag in installing
  2314. them, and average users often didn’t patch at all. A global
  2315. survey of one hundred thousand Internet Explorer users
  2316. conducted around the time of Max’s effort found that 45
  2317. percent suffered from unpatched remote access
  2318. vulnerabilities; narrowing the field to American users
  2319. cooled the number only slightly, to 36 percent.
  2320. Max’s attack was effective. After securing access to an
  2321. employee’s Windows machine, he hopped on the
  2322. company’s network from the inside, grabbed some
  2323. trophies, and popped out like the chest-bursting monster in
  2324. Alien.
  2325. “It was then that I decided to scrap my old model of
  2326. penetration testing and include client-centric attack as a
  2327. mandatory part of the exercise,” he later wrote a white-hat
  2328. colleague. “I’ve been confident about the 100 percent rate
  2329. ever since.”
  2330. But instead of gratitude, Max’s final report was greeted
  2331. with outrage. Using a client-side attack in a penetration test
  2332. was almost unseemly; if you were hired to test physical
  2333. security at a company’s corporate headquarters, you
  2334. wouldn’t necessarily feel free to burglarize an employee’s
  2335. home to steal the keys. The client gave him a tongue-lashing;
  2336. they’d paid Max to attack their servers, not their
  2337. employees.
  2338. Max began to wonder if he had a future in computer
  2339. security at all. His former friends in the community had all
  2340. moved on. Hiverworld, where Max had nearly been
  2341. employee 21, revamped its executive team and won $11
  2342. million in venture capital, changing its name to nCircle
  2343. Network Security. Marty Roesch left the company to build
  2344. on the success of Snort—to which Max had contributed—
  2345. starting a firm of his own called Sourcefire in Maryland.
  2346. Both companies were on a path to success, nCircle kicking
  2347. off an expansion that would take it to 160 employees in the
  2348. years to come and Sourcefire heading to an IPO on the
  2349. NASDAQ.
  2350. In some alternate universe in which Max had never
  2351. hacked the Pentagon, or never used that Verio dialup, or
  2352. had simply kept his mouth shut and worn a wire on Matt
  2353. Harrigan, the hacker would have been riding one of those
  2354. companies to financial success and rewarding, challenging
  2355. work. Instead, he could only watch from the sidelines.
  2356. He was itinerant, grasping for cash, and flailing for
  2357. something to do with his freedom. That was when he
  2358. checked his Whitehats.com e-mail in-box and found an
  2359. anonymous note from “an old friend from Shaft.” It was the
  2360. code phrase Max had worked out with Jeff Norminton.
  2361. Max met Jeff Norminton in a room at the St. Francis Hotel,
  2362. and they caught up. Norminton hadn’t taken well to
  2363. supervised release: His sentencing judge required him to
  2364. submit monthly urine samples, so his probation officer
  2365. could make sure he hadn’t started drinking again. That was
  2366. a problem, since he was drinking again. After he’d refused
  2367. two piss tests, the court had ordered him to check into
  2368. Impact House, a drug and alcohol rehab center in
  2369. Pasadena. He walked away after three weeks and was
  2370. now looking to scam enough zeroes to flee to Mexico.
  2371. It was time to act on the plans they’d made in prison,
  2372. Norminton said. He was ready to bankroll Max in his new
  2373. career as a professional hacker.
  2374. Max was ready. He’d struggled long enough trying to
  2375. make an honest living, and he was tired of being punished.
  2376. He knew he was wearing out his welcome at the Hungry
  2377. Programmers’ house, even if they’d never complain. His
  2378. diet was down to noodles and vegetables. He had no
  2379. health insurance and dental problems that would cost
  2380. thousands to fix.
  2381. Room service interrupted the conversation to deliver a
  2382. hospitality basket. Norminton made a show of carrying the
  2383. delivery into the bathroom, turning on the shower, and
  2384. closing the door—in case the basket was bugged, he said.
  2385. When they were done laughing, Max gave Norminton a
  2386. short shopping list of gear he’d need to get started, a high-performance
  2387. Alienware laptop, for one. And an antenna. A
  2388. big one.
  2389. There was just one little hitch. Norminton was broke.
  2390. They’d need to bring in someone else for seed money.
  2391. Fortunately, Jeff knew just the guy.
  2392.  
  2393. 10
  2394. Chris Aragon
  2395. Max met his future friend and criminal partner Chris
  2396. Aragon in North Beach, San Francisco’s little Italy, where
  2397. seedy strip clubs and fortune tellers coexist with a row of
  2398. pleasantly gaudy restaurants serving warm bread and hot
  2399. pasta to sidewalk diners. The meeting was set for a coffee
  2400. shop near the City Lights bookstore, cradle of the Beat
  2401. Generation in the 1950s, and kitty-corner from Vesuvio
  2402. Café, a saloon announced by colorful wall murals with wine
  2403. bottles and a peace sign. Down the hill the Transamerica
  2404. Pyramid stood sentry over the financial district, stabbing
  2405. the sky.
  2406. Norminton introduced Chris to Max over the muted clatter
  2407. of coffee cups and dishes. The two hit it off immediately.
  2408. The forty-one-year-old Chris was a student of eastern
  2409. spirituality, a vegetarian who practiced meditation to center
  2410. his mind. Max, with his hippie values, seemed a kindred
  2411. spirit on the road of life. They’d even read some of the
  2412. same books.
  2413. And like Max, Chris had been arrested more than once.
  2414. It had all started in Colorado, when Chris was twenty-one
  2415. years old. He was working as a masseuse at a hot springs
  2416. resort, earning enough to cover his rent and support a
  2417. modest cocaine habit, when he hooked up with a troubled
  2418. veteran named Albert See whom he’d met in the joint while
  2419. serving a juvenile sentence. See had just escaped from a
  2420. minimum-security prison camp and needed money to get
  2421. out of the country.
  2422. Chris came from a privileged background—his mother,
  2423. Marlene Aragon, worked in Hollywood as voice talent, and
  2424. she’d recently enjoyed a run on ABC’s Saturday morning
  2425. cartoon Challenge of the Superfriends, voicing Wonder
  2426. Woman’s feline nemesis the Cheetah. But he also had
  2427. romantic notions of crime and criminals; on the wall of his
  2428. condo hung a poster of the cover art from the Waylon
  2429. Jennings album Ladies Love Outlaws. He took Albert in,
  2430. and the two embarked on a series of bold, and mostly
  2431. botched, bank robberies in the resort towns dotting
  2432. Colorado.
  2433. The first robbery, at the Aspen Savings and Loan, started
  2434. off well enough: Chris, wearing a blue and white bandana
  2435. over his mouth to conceal his braces, pulled an Army-issue
  2436. .45 automatic on the bank manager as he unlocked the
  2437. door in the morning. He and Albert forced the manager
  2438. inside, where they found a cleaning woman hiding under
  2439. one of the desks, phoning the police. They left in a hurry.
  2440. The second robbery, at the Pitkin County Bank and Trust,
  2441. was over before it even began. Chris’s partner hid in a
  2442. Dumpster by the back door, planning to jump out with his
  2443. shotgun when the first employees came into work in the
  2444. morning. The plan was aborted when Chris, watching from
  2445. across the street, saw a garbage truck pull into the alley to
  2446. empty the Dumpster.
  2447. The third robbery was better planned. On July 22, 1981,
  2448. Chris and Albert visited Voit Chevrolet in Rifle and
  2449. declared they wanted to test-drive a new Camaro. The
  2450. luckless salesman insisted on going with them, and when
  2451. they cleared the town limit, Chris steered to the side of the
  2452. road, and Albert pulled the salesman from the car at
  2453. gunpoint. They tied him up with rope, gagged him, and left
  2454. him in a field before peeling away in the silver sports car.
  2455. The next day at 4:50 p.m., Chris drove the stolen Camaro
  2456. up to the Valley Bank and Trust in Glenwood Springs,
  2457. where the town locals parked the cash they earned from a
  2458. flourishing tourist industry. Chris himself was a customer
  2459. there. He waited outside behind the wheel of the car while
  2460. Albert walked in wearing tinted sunglasses and toting a
  2461. leather briefcase. Albert ran out minutes later with $10,000
  2462. in cash and jumped into the Camaro, and Chris sped away.
  2463. Chris drove them south out of town on an unpaved road
  2464. that snaked through the rocky red hills surrounding
  2465. Glenwood Springs, then transferred to a jeep trail where his
  2466. girlfriend was waiting with the switch car. Jubilant and
  2467. excited, Chris drove past her and spun the Camaro into a
  2468. triumphant fishtail, sending a plume of dust twenty feet into
  2469. the air.
  2470. He was jumping up and down and shouting, “We did it!”
  2471. when a police cruiser, drawn by the dust cloud, rolled up on
  2472. the robbers. Chris and Albert made a mad dash on foot
  2473. over the craggy, tree-dotted terrain. Chris tumbled down a
  2474. ridge and landed on a cactus, and the two cops caught up
  2475. with them. Chris dropped his shotgun and surrendered.
  2476. Chris learned a valuable lesson from his experience: not
  2477. that crime didn’t pay, but that guns and getaway cars were
  2478. a stupid way to rob a bank. When he made parole in 1986,
  2479. after five years in federal prison, he delved into credit card
  2480. fraud and enjoyed some modest success. Then he hooked
  2481. up with a Mexican drug smuggler he’d met in the joint. Chris
  2482. helped with the delivery of two thousand pounds of
  2483. marijuana to a twenty-acre ranch near Riverside, California,
  2484. only to be busted in a nationwide DEA undercover
  2485. operation. He went back to prison in September of 1991.
  2486. When he got out in 1996, he was thirty-five years old and
  2487. had spent more than half his adult life, and a portion of his
  2488. childhood, behind bars. He vowed to go straight. With his
  2489. mother’s help, he founded a legitimate business called
  2490. Mission Pacific Capital, a leasing firm providing computer
  2491. and business equipment to start-up companies hustling to
  2492. claim their place in the dot-com race.
  2493. Clean-cut and handsome with an empathetic gaze, Chris
  2494. fit easily into the role of a Southern California entrepreneur.
  2495. After a lifetime of crime and uncertainty, the charms of a
  2496. normal, middle-class existence had an exotic and satisfying
  2498. appeal. He loved traveling to conventions, interviewing and
  2499. hiring employees, schmoozing with colleagues. At a
  2500. marketing convention in New Orleans, he met Clara Shao
  2501. Yen Lee, a stylish woman of Chinese descent who’d
  2502. emigrated from Brazil. Taken by Clara’s beauty and
  2503. intelligence, he promptly married her.
  2504. Under Chris’s leadership, Mission Pacific built a
  2505. reputation as an innovative leasing broker, one of the first
  2506. to offer instant contracts through the Web, which helped the
  2507. firm gain tens of thousands of clients around the country.
  2508. The former bank robber and drug smuggler had two
  2509. prominent Orange County businessmen as partners and
  2510. twenty-one employees working in a spacious office a block
  2511. from the Pacific Coast Highway. Clara dropped in
  2512. periodically to help out with the look and feel of the
  2513. company’s website and marketing material. By 2000, the
  2514. couple had an upscale condo in Newport Beach, a son,
  2515. and had staked a claim in a business that seemed as
  2516. limitless in its potential as the Internet itself.
  2517. That spring, the dream died; the dot-com bubble burst,
  2518. and the torrent of new companies that had been Mission
  2519. Pacific’s lifeblood started to dry up. Then larger companies
  2520. like American Express entered the leasing arena,
  2521. squeezing out smaller firms. Chris’s company was one of
  2522. dozens of leasing brokers to crash and burn. He began
  2523. shedding employees and finally had to tell the stragglers
  2524. that Mission Pacific wouldn’t be able to cut their next payroll
  2525. checks.
  2526. Chris went to work for another leasing company but was
  2527. cut in a round of layoffs when a large bank acquired the
  2528. firm. Meanwhile, his wife gave birth to a second boy. So
  2529. when Jeff Norminton showed up talking about the
  2530. superhacker he’d met in Taft, Chris was ready to listen.
  2531. By the time he and Max met in that North Beach
  2532. restaurant, Chris had already been funding Norminton’s
  2533. scheme, providing some of the specialized equipment
  2534. Norminton said his hacker needed. Now that Chris had met
  2535. Max in person, he was eager for a demonstration. After
  2536. talking for hours, the three of them left the coffee shop to
  2537. find someplace to hack from.
  2538. They wound up at the twenty-seven-story Holiday Inn in
  2539. Chinatown, a few blocks away. At Max’s direction, they
  2540. asked for a room high above the street. Max positioned
  2541. himself at the window, booted his laptop, plugged in the
  2542. antenna, and began scanning for Wi-Fi networks.
  2543. In 2003, the world was going wireless in a big way and
  2544. bringing a massive security hole with it. The revolution had
  2545. begun with Apple’s AirPort wireless access point and then
  2546. was joined by hardware makers like Linksys and Netgear.
  2547. As hardware prices dropped, more and more companies
  2548. and home users began breaking free of the tethers of their
  2549. blue Ethernet cables.
  2550. But the wireless gear being ushered into homes and
  2551. offices around the country was a hacker’s dream. It
  2552. overwhelmingly employed a wireless standard called
  2553. 802.11b, which included an encryption scheme that, in
  2554. theory, would make it difficult to jump onto someone’s
  2555. wireless network without authorization or to passively
  2556. eavesdrop on computer traffic. But in 2001, researchers at
  2557. the University of California at Berkeley revealed a number
  2558. of severe weaknesses in the encryption scheme that made
  2559. it crackable with ordinary off-the-shelf equipment and the
  2560. right software. And as a practical matter that technical
  2561. black magic was usually not even needed. To speed
  2562. adoption, manufacturers were shipping wireless access
  2563. points with encryption turned off by default. Businesses
  2564. small and large simply plugged in the boxes and forgot
  2565. about them—sometimes assuming falsely that their office
  2566. walls would keep their networks from seeping out onto the
  2567. street.
  2568. A few months before Max went to jail, a white-hat hacker
  2569. had invented a sport called “war driving” to highlight the
  2570. prevalence of leaky networks in San Francisco. After
  2572. slapping a magnetically mounted antenna to the roof of his
  2573. Saturn, the white hat cruised the city’s downtown streets
  2574. while his laptop scanned for beaconing Wi-Fi access
  2575. points. After one hour in the financial district, his setup
  2576. would find close to eighty networks. A year and a half had
  2577. passed since then, and San Francisco, like other large
  2578. cities, was now blanketed in an invisible sea of network
  2579. traffic, available to anyone who cared to dip in.
  2580. Hacking from home was for idiots and teenagers—Max
  2581. had learned that lesson the hard way. Thanks to Wi-Fi, he
  2582. could now work from almost anywhere with complete
  2583. anonymity. This time, if the police traced back one of Max’s
  2584. hack attacks, they’d wind up on the doorstep of whatever
  2585. poor sap Max had used for connectivity.
  2586. The antenna Max used was a monster, a two-foot-wide
  2587. wire-grid parabolic that quickly teased out dozens of
  2588. networks from the ether surrounding the Holiday Inn. He
  2589. jumped on one and showed Chris how it all worked.
  2590. Wielding a vulnerability scanner—the same kind of tool
  2591. he’d used in his pen tests—he could quickly scan huge
  2592. chunks of Internet address space for known vulnerabilities,
  2593. like sending a drift net into the Web. Security holes were
  2594. everywhere. He was confident he’d be in financial
  2595. institutions and e-commerce sites in no time. It was up to
  2596. Norminton and Chris to decide what kind of data they
  2597. needed and how they’d exploit it.
  2598. Chris was blown away. This six-foot-five, semivegetarian
  2599. hacker knew his stuff, even if he was rusty from
  2600. the joint.
  2601. Chris introduced Max to one of his prison contacts, a real
  2602. estate fraudster named Werner Janer whom Chris had met
  2603. in Terminal Island in ’92. Janer offered to pay Max $5,000
  2604. to penetrate the computer of a personal enemy. He wrote
  2605. the check out to Charity so Max wouldn’t have to explain the
  2606. income to his probation officer.
  2607. The money gave Max some breathing room. He began
  2608. flying to Orange County, misspelling his name on the ticket
  2609. so there’d be no record of his violating his supervised
  2610. release by leaving the Bay Area. He and Norminton began
  2611. crashing at Chris’s place for a week at a stretch, hacking
  2612. from Chris’s garage.
  2613. He downloaded a list of small-sized financial institutions
  2614. from the FDIC’s website, figuring they’d be most
  2615. vulnerable, and launched a script to scan each bank for
  2616. known security holes. An electronic chime rang out through
  2617. the garage whenever it scored a hit. He wormed into the
  2618. banks and pulled out customer names, financial data, and
  2619. checking account numbers.
  2620. The scattershot approach meant Max would be spared
  2621. the frustration he’d felt in his last legitimate penetration test.
  2622. Hacking any one particular target can be difficult;
  2623. depending on the target, maybe even impossible. But scan
  2624. hundreds or thousands of systems, and you’re guaranteed
  2625. to find some that are soft. It was a numbers game, like
  2626. trying car doors as you walk through a parking lot.
  2627. Charity had only the broadest notion of what Max was up
  2628. to, and she didn’t like it. In an effort to win her over, Chris
  2629. and Norminton invited the couple down to Orange County
  2630. for a short vacation, paying their way for a weekend at
  2631. Disneyland. Charity could see that Max and Chris were
  2632. clicking, but something about Chris didn’t smell right. He
  2633. was too slick, too polished.
  2634. Max’s hacking moved to small e-commerce sites, where
  2635. he grabbed transaction histories, some with credit card
  2636. numbers. But his efforts were unfocused, and neither Chris
  2637. nor Norminton was sure what to do with all the data he was
  2638. stealing.
  2639. Fortunately, Chris had some money coming in. Werner
  2640. Janer owed him $50,000 and was ready to wire-transfer
  2641. the money to a bank account of Chris’s choosing.
  2642. Determined to get his hands on cold, hard, unreported
  2643. cash, Chris asked Norminton to do what he did best;
  2644. Norminton agreed to have one of his friends receive the
  2646. transfer and pull it out over the course of a few days.
  2647. The first round of withdrawals went as planned, and
  2648. Norminton and his friend showed up at Chris’s and handed
  2649. over $30,000 in $100 bills. The following day, though,
  2650. Norminton reported that his friend had taken ill and would
  2651. have to take the day off.
  2652. In truth, Norminton had discovered the source of the
  2653. windfall: It was Chris’s cut from a real estate scam he’d
  2654. helped Janer pull off. The money was dirty, and Norminton
  2655. was now implicated in the scheme. The next morning, Chris
  2656. found the Honda he’d loaned Norminton parked outside his
  2657. office, one tire flat and a fresh dent in the fender. There was
  2658. a note from Norminton inside: The FBI is after me. I’m
  2659. skipping town.
  2660. Chris phoned Norminton’s cash mule, already knowing
  2661. what the score would be: Norminton’s associate was in
  2662. perfect health and had withdrawn the other $20,000 the day
  2663. before, as planned. He’d given it to Norminton. Didn’t Chris
  2664. get it?
  2665. Chris tracked down Max through Charity and demanded
  2666. answers: What did Max know about Norminton’s
  2667. whereabouts? Where was Chris’s money? Max was as
  2668. surprised as Chris at Norminton’s disappearance, and
  2669. eventually the two agreed to continue their partnership
  2670. without Norminton.
  2671. Max and Chris fell into a routine. Once a month, Chris flew
  2672. or drove north and met Max in downtown San Francisco,
  2673. where they checked into a hotel. They’d carry Max’s
  2674. massive antenna up the fire stairs to their room and mount
  2675. it on a tripod near the window. Then Max would putter for a
  2676. while to locate a high-speed Wi-Fi with a strong signal.
  2677. They learned that altitude wasn’t as important in Wi-Fi
  2678. hacking as the sprawl of buildings visible out the window. If
  2679. they came up dry, Chris would run down to the front desk to
  2680. ask for a different room, explaining earnestly that he
  2681. couldn’t get a cell phone signal or was too afraid of heights
  2682. to remain on the twentieth floor.
  2683. Max treated it like a job, saying good-bye to Charity and
  2684. then vanishing for up to a week into one of the city’s finest
  2685. hotels, the Hilton, Westin, W, or Hyatt. While the clang of
  2686. cable car bells rose from the streets below, Max cast his
  2687. net over cyberspace, scooping up whatever data he could
  2688. find—not really sure what he was looking for.
  2689. On a whim, he cracked Kimi’s computer and that of her
  2690. boyfriend, with whom she’d moved in. Max contemplated
  2691. plundering her address book and sending out a mass e-mail
  2692. in her name, detailing how she betrayed him. He
  2693. thought everyone should know that Kimi’s new life was built
  2694. on a foundation of infidelity.
  2695. He didn’t go through with it. He had Charity now. Kimi
  2696. had moved on, and nothing would be gained by trying to
  2697. shame her, he realized. Shortly thereafter, he signed the
  2698. divorce papers.
  2699. Returning to his work, he began performing Google
  2700. searches for guidance in his targeting: What were other
  2701. fraudsters doing? How were they monetizing stolen data?
  2702. That was when he discovered where the real criminal
  2703. action was online: two websites called CarderPlanet and
  2704. Shadowcrew.
  2705.  
  2706. 11
  2707. Script’s Twenty-Dollar Dumps
  2708. In the spring of 2001, some 150 Russian-speaking
  2709. computer criminals convened a summit at a restaurant in
  2710. the Ukraine port city of Odessa to brainstorm the launch of
  2711. a revolutionary website. Present were Roman Vega, a
  2712. thirty-seven-year-old man who sold counterfeit credit cards
  2713. to the underground through his online storefront BOA
  2714. Factory; a cybercrook known as “King Arthur”; and the man
  2715. who would emerge as their leader, a Ukrainian credit card
  2716. seller known by the handle “Script.”
  2717. The discussion was sparked by the success of a UK-hosted
  2718. website erected in 2000 called Counterfeit Library,
  2719. which solved one of the fundamental weaknesses of
  2720. conducting criminal business in IRC chat rooms, where the
  2721. wisdom and experience of years of crime vanished into the
  2722. air as soon as the chat was over. Founded by a handful of
  2723. Western cybercrooks, Counterfeit Library collected
  2724. underground tutorials onto a single website and attached
  2725. an online discussion forum where identity thieves could
  2726. gather to swap tips and buy and sell “novelty” identification
  2727. cards—a euphemism distilled from the same spirit in which
  2728. hookers go on “dates.”
  2729. Counterfeit Library had more in common with the
  2730. electronic bulletin board systems of the pre-Web days than
  2731. with IRC. Members could post in permanent discussion
  2732. threads and build personal reputations and brands. As
  2733. criminals around the globe discovered this patch of dry land
  2734. in the murky ephemeral sea of underground commerce, the
  2735. site collected hundreds, then thousands, of members from
  2736. across North America and Europe. They were identity
  2737. thieves, hackers, phishers, spammers, currency
  2738. counterfeiters, credit card forgers, all of whom had been
  2739. slaving away in their apartments and warehouses, blind,
  2740. until now, to the vastness of their secret brotherhood.
  2741. The carders of Eastern Europe had watched Counterfeit
  2742. Library with envy. Now they wanted to apply the same
  2743. alchemy to their own underground.
  2744. In June 2001, the result of the Odessa summit was
  2745. unveiled: the International Carders Alliance, or simply
  2746. Carderplanet.com, a tightly organized reinvention of
  2747. Counterfeit Library catering to the underworld of the former
  2748. Soviet empire. While Counterfeit Library was a
  2749. freewheeling discussion board and BOA Factory a
  2750. straightforward storefront operation, CarderPlanet was a
  2751. disciplined online bazaar, charged with the excitement of a
  2752. commodities exchange.
  2753. Unabashed in its purpose, the site adopted the
  2754. nomenclature of the Italian Mafia for its rigid hierarchy. A
  2755. registered user was a “sgarrista”—a soldier, without
  2756. special privileges. One step up was a “giovane d’honore,”
  2757. who helped moderate the discussions under the
  2758. supervision of a “capo.” At the top of the food chain was
  2759. CarderPlanet’s don, Script.
  2760. Russian-speaking vendors flocked to the new site to
  2761. offer an array of products and services. Credit card
  2762. numbers were a staple, naturally, but only the beginning.
  2763. Some sellers specialized in the more valuable “full infos”—
  2764. a credit card number accompanied by the owner’s name,
  2765. address, Social Security number, and mother’s maiden
  2766. name, all for around $30. Hacked eBay accounts were
  2767. worth $20. Ambitious buyers could spend $100 for a
  2768. “change of billing,” or COB, a stolen credit card account
  2769. where the billing address could be changed to a mail drop
  2770. under the buyer’s control. Other vendors sold counterfeit
  2771. checks or money orders, or rented drop addresses in the
  2772. United States where merchandise ordered on American
  2773. credit cards could be delivered without raising alarms and
  2774. credit cards could be delivered without raising alarms and
  2775. then reshipped to the scammer.
  2776. Physical products like blank plastic “magstripe”
  2777. (magnetic stripe) cards were in the offering, as well as
  2778. “novelty” IDs, complete with holograms, which sold for
  2779. anywhere from $75 to $150, depending on the quality. One
  2780. could purchase a package of ten identification cards with
  2781. the same photo but different names for $500.
  2782. CarderPlanet’s registration was open to anyone, but to
  2783. sell on the site, vendors first had to submit their products or
  2784. services to an approved reviewer for inspection. New
  2785. vendors would sometimes be required to escrow their
  2786. transactions through Script or to post a bond with the site’s
  2787. emergency fund, used to pay out buyers in case an
  2788. approved vendor went out of business with unfilled orders
  2789. in his queue. Vendors were expected to keep the board
  2790. apprised of any vacation plans, safeguard buyers’
  2791. information from hacker attacks, and respond promptly to
  2792. customer complaints. “Rippers,” vendors who failed to
  2793. deliver on a sale, were subject to banishment, as was any
  2794. vendor who accumulated five customer complaints.
  2795. CarderPlanet was soon imitated by a second site, this
  2796. one aimed at the English-speaking world: Shadowcrew. In
  2797. September 2002, after witnessing the stunning success of
  2798. CarderPlanet’s regimented hierarchy, a carder named
  2799. “Kidd” brought over the heaviest hitters from Counterfeit
  2800. Library to do business the Russian way. News of the site
  2801. spread through IRC chat rooms and prison yards alike, and
  2802. by April 2003, Shadowcrew had four thousand registered
  2803. users.
  2804. With the motto “For Those Who Like to Play in the
  2805. Shadows,” Shadowcrew was at once a study-at-home
  2806. college and an online supermarket for nearly anything
  2807. illegal. Its tutorials offered lessons on how to use a stolen
  2808. credit card number, forge a driver’s license, defeat a
  2809. burglar alarm, or silence a gun. It boasted a wiki that
  2810. tracked which state driver’s licenses were forgeable. And
  2811. its approved vendors around the world could provide a
  2812. dizzying array of illicit products and services: credit reports,
  2813. hacked online bank accounts, and names, birth dates, and
  2814. Social Security numbers of potential identity theft targets.
  2815. As on CarderPlanet, each product had its own
  2816. specialists, and every vendor had to be reviewed by a
  2817. trusted site member before they were allowed to sell.
  2818. Disputes were handled judiciously, with administrators and
  2819. moderators working overtime to expose and ban rippers
  2820. selling bunk products.
  2821. The trading wandered beyond data into tangible items
  2822. like ATM skimmers, prescription drugs, and cocaine, and
  2823. into services like distributed denial-of-service (DDoS)
  2824. attacks—take down any website for $200—and malware
  2825. customization to evade antivirus products. One wellreviewed
  2826. vendor offered a test-taking service that
  2827. promised to get customers technical certifications within
  2828. days. A vendor called UBuyWeRush sprang up to flood the
  2829. underground with magnetic stripe writers, as well as musthaves
  2830. like safety paper and magnetic ink cartridges for
  2831. counterfeiting checks.
  2832. Child porn was forbidden, and one vendor who asked to
  2833. be reviewed for exotic animal sales was laughed off the
  2834. board. But nearly anything else was fair game on
  2835. Shadowcrew.
  2836. By this time, CarderPlanet had launched subforums for
  2837. criminals from Asia, Europe, and the States, but it was
  2838. Shadowcrew that forged a true international marketplace: a
  2839. cross between the Chicago Mercantile Exchange and Star
  2840. Wars’s Mos Eisley cantina, where criminals of varying
  2841. disciplines could meet up and collaborate on heists. An
  2842. identity thief in Denver could buy credit card numbers from
  2843. a hacker in Moscow, send them to Shanghai to be turned
  2844. into counterfeit cards, then pick up a fake driver’s license
  2845. from a forger in Ukraine before hitting the mall.
  2846. Max shared his discovery with Chris, who was fascinated.
  2847. Chris logged on to the forums and studied the content like a
  2848. textbook. A lot of things hadn’t changed since he’d dealt in
  2849. credit card fraud in the 1980s. Other things had changed a
  2850. lot.
  2851. There was a time when crooks could literally pull credit
  2852. card numbers from the trash by Dumpster-diving for
  2853. receipts or the carbon-paper slips left over from retailers’
  2854. sliding imprint machines. Now mechanical imprinting was
  2855. dead, and Visa and MasterCard insisted that receipts not
  2856. include full credit card account numbers. Even if you got the
  2857. numbers, that was no longer enough to make counterfeit
  2858. cards. The credit card companies now added a special
  2859. code to every magnetic stripe—like a PIN, but unknown
  2860. even to the cardholder.
  2861. Called a Card Verification Value, or CVV, the code is a
  2862. number distilled from other data on the stripe—primarily the
  2863. account number and expiration date—and then encrypted
  2864. with a secret key known only to the issuing bank. When the
  2865. magstripe is swiped at the point-of-sale terminal the CVV
  2866. is sent along with the account number and other data to the
  2867. issuing bank for verification; if it doesn’t match, the
  2868. transaction is declined.
  2869. When it was introduced by Visa in 1992, the CVV began
  2870. driving down fraud costs immediately, from nearly .18
  2871. percent of Visa transactions that year to around .15 percent
  2872. a year later. In the 2000s, the innovation proved a strong
  2873. bulwark against phishing attacks, in which a spammer
  2874. spews thousands of falsified e-mails aimed at luring
  2875. consumers into entering their credit card numbers into a
  2876. fake bank website. Without the CVV on the magnetic stripe
  2877. —which consumers didn’t know, and thus couldn’t reveal—
  2878. those stolen numbers were useless at real-world cash
  2879. registers. Nobody could walk into a Vegas casino, slap
  2880. down a card derived from a phishing attack, and get a pile
  2881. of black chips to carry to the roulette table.
  2882. MasterCard followed Visa’s lead with its own Card
  2883. MasterCard followed Visa’s lead with its own Card
  2884. Security Code, or CSC. Then in 1998, Visa introduced the
  2885. CVV2, a different secret code printed on the backs of
  2886. cards for consumers to use exclusively over the phone or
  2887. the Web. That further reduced crime losses and completed
  2888. the Chinese wall between fraud on the Internet and in real
  2889. life: Accounts stolen from e-commerce sites or in phishing
  2890. attacks could only be used online or over the phone, while
  2891. magstripe data could be used in-store but not on the Web,
  2892. because it didn’t include the printed CVV2.
  2893. By 2002, the security measure had turned raw magstripe
  2894. data into one of the underground’s most valuable
  2895. commodities and pushed the point of compromise closer
  2896. to the consumer.
  2897. Hackers began breaching transaction-processing
  2898. systems for the data, but the most straightforward way for
  2899. ordinary crooks to steal the information was to recruit a
  2900. cash-hungry restaurant employee and equip him with a
  2901. pocket-sized “skimmer,” a magstripe reader with built-in
  2902. memory. As small as a cigarette lighter and readily
  2903. concealed in the apron pocket of a fast-food worker or the
  2904. suit jacket of an upscale maître d’, a skimmer can hold
  2905. hundreds of cards in its memory for later retrieval through a
  2906. USB port. A server needs only a second of privacy to swipe
  2907. a customer’s card through the device.
  2908. In the late 1990s, thieves began fanning out in big cities
  2909. across the United States, eyeing waiters, waitresses, and
  2910. drive-through attendants who might be interested in a little
  2911. extra cash, typically $10 a swipe. Though it was riskier, gas
  2912. station managers and retail workers could get in on the
  2913. action as well by installing tiny skimming circuit boards in
  2914. pay-at-the-pump readers and point-of-sale terminals. Some
  2915. of the data would be exploited locally, but much of it was
  2916. sent to Eastern Europe, where the swipes were sold over
  2917. the Internet ten, twenty, a hundred, or even thousands at a
  2918. time.
  2919. The carders call these “dumps”; each contained just two
  2920. lines of text, one for each track on a credit card’s threeinch-
  2921. long magstripe.
  2922. Track 1: B4267841463924615^SMITH/
  2923. JEFFREY^04101012735200521000000
  2924. Track 2: 4267841463924615=041010127352521
  2925. A dump was worth about $20 for a standard card, $50
  2926. for a gold card, and $80 to $100 for a high-limit corporate
  2927. card.
  2928. Chris decided to try some carding himself. He
  2929. determined that Script, the godfather of CarderPlanet, was
  2930. the most reliable source of dumps in the world. He paid the
  2931. Ukrainian $800 for a set of twenty Visa Classic numbers
  2932. and elsewhere parted with around $500 for an MSR206,
  2933. the underground’s favorite magnetic stripe encoder.
  2934. Once the shoebox-sized MSR206 was plugged into his
  2935. computer and the right software installed, he could take an
  2936. anonymous Visa gift card, or one of his own credit cards,
  2937. and encode it in two quick swipes with one of Script’s
  2938. dumps.
  2939. With the reprogrammed card burning a hole in his
  2940. pocket, Chris browsed his local Blockbuster and some
  2941. retailers to scope out the opportunities. Simple magstripe
  2942. fraud might be cheap and easy, but it had severe
  2943. limitations. Through observation, Chris quickly determined
  2944. that shopping for consumer electronics or expensive
  2945. clothes would be tough: To guard against what Chris was
  2946. contemplating, many high-end stores require the checkout
  2947. clerk to physically type the last four digits from the face of
  2948. the credit card; the point-of-sale terminal rejects the card,
  2949. or worse, if the digits don’t match what’s on the stripe. A
  2950. reprogrammed card was only good at spots where
  2951. employees never get to lay their hands on the plastic, like
  2952. gas stations or drugstores.
  2953. Chris made his move at a local supermarket. He loaded
  2954. his cart indiscriminately and checked out, sliding his plastic
  2955. through the point-of-sale terminal. After a moment, the word
  2956. “Approved” flickered across the display, and somewhere in
  2957. America a random consumer was charged for $400 in
  2958. groceries.
  2959. Chris delivered his ill-gotten groceries to an Orange
  2960. County couple in worse financial shape than himself and
  2961. then took the husband—a contractor who’d recently had his
  2962. tools stolen—to a local Walmart to purchase new
  2963. construction gear. Word spread that Chris had credit cards,
  2964. and he began doling out his reprogrammed plastic to a few
  2965. friends, who were always thoughtful enough to make small
  2966. purchases for Chris as a thank-you.
  2967. He could see the outlines of a business plan in his
  2968. circulating plastic. Drop everything else, he told Max. The
  2969. real money is in dumps.

12
Free Amex!

Max broached his plan obliquely with Charity over the rare indulgence of a sushi dinner. “Which institutions would you say deserve to be punished the most?” he asked.

He had the answer ready: the moneylenders. The greedy banks and credit card companies who saddle consumers with $400 billion in debt each year while charging usurious interest and hooking kids on plastic before they’ve graduated college. And because consumers were never held directly liable for fraudulent charges—by law they could only be billed for the first $50, and most banks waived even that—credit card fraud was a victimless crime, costing only these soulless institutions money.

Credit wasn’t real, Max reasoned, just an abstract concept; he would be stealing numbers in a system, not dollars in someone’s pocket. The financial institutions would be left holding the bag, and they deserved it.

Charity had learned to accept the bitterness Max brought back from prison: Living with him meant never again watching a crime drama on TV, because any depiction of the police as good guys set Max fuming. She wasn’t entirely sure what Max had in mind now, and she didn’t want to know. But one thing was clear. Max had decided he was going to be Robin Hood.

• • •

Max knew exactly where to get the magstripe data Chris wanted. There were thousands of potential sources sitting in plain sight, right on CarderPlanet and Shadowcrew. The carders themselves would be his prey.

Most of them weren’t hackers, they were just crooks; they knew a bit about fraud but little about computer security. They certainly wouldn’t be much harder to hack than the Pentagon. It was also a morally palatable proposition: He would be stealing credit card numbers that had already been stolen—a criminal was going to use them, so it might as well be Chris Aragon, his criminal.

He started by choosing his weapon, picking out the slick Bifrost Trojan horse program already circulating online and customizing it to evade antivirus detection. To test the results, he used the computer emulation software VMware to run a dozen different virtual Windows boxes on his computer at once, each loaded with a different flavor of security software.

When the malware went undetected on all, he moved to the next step: harvesting a list of carders’ ICQ numbers and e-mail addresses from public forum posts, collecting thousands of them into a database. Then, posing as a well-known dumps vendor named Hummer911, he fired off a message to the entire list. The note announced that Hummer911 had acquired more American Express dumps than he could use or sell, so he was giving some away. Click here, Max wrote, to get your free Amex.

When a carder clicked on the link, he found himself looking at a list of fake Amex dumps Max had generated, while invisible code on the Web page exploited a new Internet Explorer vulnerability.

The exploit took advantage of the fact that Internet Explorer can process more than just Web pages. In 1999, Microsoft added support for a new type of file called an HTML Application—a file written in the same markup and scripting languages used by websites but permitted to do things on a user’s computer that a website would never be allowed to do, like creating or deleting files at will and executing arbitrary commands. The idea was to let developers already accustomed to programming for the Web use the same skills to craft fully functional desktop applications.

Internet Explorer recognizes that HTML Applications can be deadly and won’t execute them from the Web, only from the user’s hard drive. In theory.

In practice, Microsoft had left a hole in the way the browser screened content embedded on a Web page. Many Web pages contain OBJECT tags, which are simple instructions that tell the browser to grab something from another Web address—typically a movie or music file—and include it as part of the page. But it turned out you could also load an HTML Application through the OBJECT tag and get it to execute. You just had to disguise it a little.

While Max’s victims salivated over the bogus American Express dumps, an unseen OBJECT tag instructed their browsers to pull in a malicious HTML Application that Max had coded for the occasion. Crucially, Max had given the file a name ending in “.txt”—a superficial indication that it was an ordinary text file. Internet Explorer saw that file name and decided it was safe to run.

Once the browser started downloading the file, however, Max’s server transmitted a content type indicator of “application/hta”—identifying it now as an HTML Application. Essentially, Max’s server changed its story, presenting the file as a harmless document for the browser’s security check, then correctly identifying it as an HTML Application when it came time for the browser to decide how to interpret the file.

Having judged the file safe based on the name, Internet Explorer didn’t reevaluate that conclusion once it learned the truth. It just ran Max’s code as an HTML Application instead of a Web page.
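A toy model of the two-stage decision just described, as an added Python example (not code from the book, from Max, or from Microsoft): the name-based screening that is never revisited, beside a hardened rule that decides on the content type actually served, plus a detector run over constructed proxy log lines. The hostnames, the log format and the extension and type lists are assumptions made for the example.

```python
"""Model of a trust decision taken on a file name and never re-evaluated once the
served content type arrives, next to the rule that decides on the served type.
All hostnames, the log layout and the lists below are constructed for this example."""
import posixpath
from urllib.parse import urlsplit

# Content types the browser would hand to a privileged handler; the text names HTML Applications.
EXECUTABLE_TYPES = {"application/hta"}
# Extensions a name-based screen treats as harmless documents (constructed list).
DOCUMENT_EXTENSIONS = {".txt", ".htm", ".html", ".jpg", ".gif", ".mp3", ".avi"}


def extension_of(url: str) -> str:
    """Lower-cased extension of the URL path, e.g. '.txt'."""
    return posixpath.splitext(urlsplit(url).path)[1].lower()


def base_type(served_type: str) -> str:
    """Media type without parameters, e.g. 'text/html; charset=utf-8' -> 'text/html'."""
    return served_type.split(";")[0].strip().lower()


def vulnerable_decision(url: str, served_type: str) -> str:
    """The flawed two-stage logic: stage one screens the embedded reference by name alone;
    stage two picks a handler from the served type and never re-asks stage one's question."""
    if extension_of(url) not in DOCUMENT_EXTENSIONS:
        return "blocked"  # a name ending in .hta is refused here, as intended
    if base_type(served_type) in EXECUTABLE_TYPES:
        return "executed as HTA"  # the name passed, so the executable type is honoured
    return "rendered as document"


def hardened_decision(url: str, served_type: str) -> str:
    """The security decision is taken on the type that will actually be interpreted, so an
    executable type fetched from the Web is blocked no matter what the name suggests."""
    if base_type(served_type) in EXECUTABLE_TYPES:
        return "blocked"
    return "rendered as document"


def flag_mismatches(log_lines):
    """Detection over proxy log lines of the constructed form
    '<client> <method> <url> <status> <content-type>': return the URLs whose
    document-looking name came back with an executable content type."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip rather than guess
        url, served_type = parts[2], parts[4]
        if extension_of(url) in DOCUMENT_EXTENSIONS and base_type(served_type) in EXECUTABLE_TYPES:
            hits.append(url)
    return hits


# Constructed sample log; example.invalid hostnames never resolve.
SAMPLE_LOG = [
    "10.0.0.5 GET http://dumps.example.invalid/free-amex.txt 200 application/hta",
    "10.0.0.5 GET http://dumps.example.invalid/free-amex.html 200 text/html",
    "10.0.0.7 GET http://cdn.example.invalid/clip.avi 200 video/x-msvideo",
    "10.0.0.9 GET http://tools.example.invalid/setup.hta 200 application/hta",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        _, _, url, _, ctype = line.split()[:5]
        print(f"{url:48} vulnerable={vulnerable_decision(url, ctype):22} hardened={hardened_decision(url, ctype)}")
    print("flagged:", flag_mismatches(SAMPLE_LOG))
```

Only the first log line is flagged: the `.hta` name on the last line is refused by both rules, and the `.html` name served as `text/html` is a consistent, harmless document.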
Max’s HTML Application was a tight Visual Basic script that wrote out and executed a small grappling-hook program on the user’s machine. Max named the grappling hook “hope.exe.” Hope was Charity’s middle name.

The grappling hook, in turn, downloaded and installed his modified Bifrost Trojan horse. And just like that, Max was in control.

• • •

The carders converged like hungry piranhas on his poisoned page: Hundreds of their machines reported back to Max for duty. Excited, he began poking around the criminals’ hard drives at random. He was surprised by how small-time it all looked. Most of his victims were buying small batches of dumps, ten or twenty at a time—even less. But there were lots of carders, and there was nothing to keep him from returning to their machines over and over again. In the end, the Free Amex attack would score him about ten thousand dumps.

He siphoned the dumps to Chris as he found them and vacuumed other useful data from his victims: details on their scams, stolen identity information, passwords, mailing lists used in phishing schemes, some real names, photos, and e-mail and ICQ addresses of their friends—useful for future attacks on the underground.

With a single well-constructed ruse, he was now invisibly embedded in the carders’ ecosystem. This was the start of something big. He’d be a stick-up man among the carders, living off whatever he could skim from their illegal economy. His victims couldn’t call the cops, and with his anonymous Internet connection and other precautions, he’d be immune to reprisal.

It wasn’t long, though, before Max discovered that not all of the carders were what they seemed to be.

The victim was in Santa Ana. When Max strolled into the computer through his back door and began poking around, he saw at once that something was very wrong.

The computer was running a program called Camtasia that keeps a video record of everything crossing the computer’s screen—not the kind of information a criminal normally wants to archive. Max foraged through the hard drive, and his suspicions were confirmed: The disk was packed with FBI reports.

Chris was shaken by the discovery of an FBI cybercrime agent in his own backyard, but Max was intrigued—the agent’s hard drive offered potentially useful insight into the bureau’s methods. They talked about what to do next. Some of the files indicated the agent had an informant who was providing information on Script, the CarderPlanet leader who sold Chris his first dumps. Should they warn Script that there was an informant in his circle?

They decided to do nothing; if he were ever busted, Max figured, he might be able to play this as a trump card. If it got out that he’d accidentally hacked an FBI agent, it could embarrass the bureau, maybe even cost them some convictions.

He returned to his work hacking the carders. But he knew now that he wasn’t the only outsider worming into the crime forums.

13
Villa Siena

Palm trees rose at the entrance of Villa Siena, a sprawling gated community in Irvine, half a mile from John Wayne Airport. Beyond the front gate, European-inspired fountains bubbled in the manicured courtyards, and four swimming pools sparkled blue beneath the sunny Southern California sky. Residents were enjoying the clubhouse, relaxing in the spas, getting in a workout at one of the three fitness rooms, or perhaps visiting the full-time concierge to make plans for the evening.

In one of the spacious apartments, Chris Aragon was running his factory. The drapes were drawn over the giant picture window to hide the riot of machinery crowding the Ikea tables and granite countertops. He flipped on his card printer, and it awakened with a whining rumble, wheels spinning up to speed, motors pulling the ribbons taut as a hospital bedsheet.

Max was snagging dumps regularly now, and when he got a new haul, there was no time to waste—the swipes were stolen property twice over, and Chris had to burn through them before the crooks who’d purchased or hacked the numbers maxed them out first or blundered and got them flagged by the credit card companies. Chris had tapped the last of his reserves to invest in about $15,000 worth of credit card printing gear and the apartment to house it. Now the investment was paying dividends.

Chris loaded blank PVC cards into the hopper of an unwieldy oblong machine called a Fargo HDP600 card printer, a $5,000 device used to print corporate ID cards. With a click on his laptop, the machine drew a card into its maw and hummed once, twice, a third, and a fourth time, each sound marking another color as it moved to a clear transfer ribbon and was rapidly vaporized by heating elements and fused to the surface of the card. A final low grinding from the Fargo meant a clear laminate coat was settling over the plastic.

It was forty-four seconds from start to finish, and then the machine spat out the card—a glossy, brightly colored consumer objet d’art. A bald eagle staring purposefully at a Capital One logo, or the grim American Express centurion, or the simple smudge of sky blue across the white face of a Sony-branded MasterCard. For the high-limit cards, the process was the same, except sometimes Chris would start with gold- or platinum-colored PVC stock, purchased, like the white cards, in boxes of hundreds.

Once he had a pile of freshly printed plastic in hand, Chris moved to a second stop in the assembly line: a monochrome printer for the fine print on the back of the card. Then if the design called for a hologram, he’d pluck a sheet of Chinese-produced counterfeits from a stack, align it carefully in a die punch, and pull the lever to cut out an oval or rounded rectangle the size of a postage stamp. A $2,000 Kwikprint Model 55 heat stamper, resembling a drill press crossed with a medieval torture instrument, fused the metal foil to the surface of the PVC.

The embosser was next: a giant motorized carousel wheel of letters and numbers that sounded like an IBM Selectric as it banged the name, account number, and expiration date one character at a time into the plastic, tipping each with silver or gold foil. From a Chinese supplier, Chris had obtained the special security keys for Visa’s “flying V” and MasterCard’s joined “MC”—two distinctive raised characters found only on credit cards, real and fake.

Credit card verification systems don’t check the customer’s name, which meant Chris had the luxury of choosing whatever moniker he liked for the front of his plastic; he preferred “Chris Anderson” for the cards he used himself. On his computer, Chris edited Max’s dumps to make the name on the magstripe match the alias—conveniently, the name was the one piece of magstripe data not used in calculating the CVV security code, so it could be altered at will.
  3204. Finally, it was two swipes through the trusty MSR206 to
  3205. program Max’s dump onto the magstripe, and Chris had a
  3206. counterfeit credit card that duplicated in nearly every way
  3207. the plastic nestled in a consumer’s wallet or purse
  3208. somewhere in America.
  3209. He wasn’t done yet.
  3210. Driver’s licenses were a must for high-end purchases,
  3211. and there, too, Chris’s assembly line and Shadowcrew’s
  3212. tutorials got the job done. For licenses, he’d switch from
  3213. PVC to Teslin, a thinner, more flexible material sold in 8½ ×
  3214. 11 inch sheets. It was one sheet for the front, another for the
  3215. back, ten licenses to a sheet.
  3216. California licenses include two security features that took
  3217. some extra hacking. One is a translucent image of the
  3218. California state seal, set in a repeating pattern in the clear
  3219. laminate over the face of the license. To simulate it, Chris
  3220. used Pearl Ex, a fine colored powder sold at arts-andcrafts
  3221. stores for less than three dollars a jar. The trick was
  3222. to dust a sheet of laminate with a mix of gold and silver
  3223. Pearl Ex, feed it into a printer loaded with a clear ink
  3224. cartridge, and print a mirror image of the California pattern
  3225. with the transparent ink. It didn’t matter that the ink was
  3226. invisible—it was the heat from the print head he was after.
  3227. When the sheet came out, the printer had heat-fused the
  3228. pattern onto the surface, and the extra Pearl Ex was easily
  3229. washed away in a cold rinse.
  3230. The ultraviolet printing on the face of the license was no
  3231. more difficult. An ordinary ink-jet printer would do the trick,
  3232. as long as one drained the ink from the cartridge reservoirs
  3233. and replaced it with multicolored UV ink bought in tubes.
  3234. After all the dusting, printing, and washing, Chris was left
  3235. with four sheets of material. He would sandwich the two
  3236. sheets of printed Teslin between the laminate and run it
  3237. through a pressure laminator. After die-cutting, the result
  3238. was impressive: Run your fingers over the license and feel
  3239. the flawless silken surface; hold it at an angle and witness
  3240. the ghostly state seal; put it under a UV bulb, and the state
  3241. flag glowed eerily, the words “California Republic” in red,
  3242. above them a brown bear walking on four legs across a
  3243. yellow hilltop.
  3244. With cards and licenses complete, Chris got on the
  3245. phone and summoned his girls. He’d figured out that
  3246. attractive college-aged women made the best cashers.
  3247. There was Nancy, a five-foot-three-inch Latina with “love”
  3248. tattooed on one wrist; Lindsey, a pale girl with brown hair
  3249. and hazel eyes; Adrian, a young Italian woman; and Jamie,
  3250. who’d worked as a waitress at the Hooters in Newport
  3251. Beach.
  3252. He’d met the twin brunettes Liz and Michelle Esquere at
  3253. Villa Siena, where they lived. Michelle was just hanging
  3254. around with the group, but Liz was invaluable: She had
  3255. worked in the mortgage industry and was whip-smart, well
  3256. educated, and responsible enough to take over some of
  3257. the administrative work, like maintaining the spreadsheet of
  3258. payouts, in addition to making in-store purchases.
  3259. Chris had a talent for recruitment. He might meet a new
  3260. prospect at a restaurant and invite her to go partying with
  3261. his friends. She’d join them at the clubs and expensive
  3262. dinners, ride in the back of the rented limousine when one
  3263. of them had a birthday to celebrate. She’d see money
  3264. everywhere. Then, when the time was right, maybe months
  3265. later, maybe when the girl confessed she had bills to pay or
  3266. was behind on her rent, he would casually mention that he
  3267. knew a way she could earn quick and easy money. He’d tell
  3268. her how it worked. It was a victimless crime, he’d explain.
  3269. They’d be “sticking it to the man.”
  3270. None of the girls knew where Chris got his credit card
  3271. None of the girls knew where Chris got his credit card
  3272. data. When he referred to Max, it was as “the Whiz,” an
  3273. unnamable superhacker whom they’d never have the
  3274. privilege of meeting. Chris’s code name was “the Dude.”
  3275. Now that his operation was purring, the Dude was paying
  3276. the Whiz around $10,000 a month for the dumps—
  3277. transferring the payments through a prepaid debit card
  3278. called Green Dot.
  3279. Marketed to students and consumers with poor credit, a
  3280. Green Dot Visa or MasterCard is a credit card without the
  3281. credit: The consumer funds the card in advance with direct
  3282. payroll deposits, transfers from a bank account, or cash.
  3283. The last option made it an ideal money pipeline between
  3284. Chris in Orange County and Max in San Francisco: Chris
  3285. would drop in at a neighborhood 7-Eleven or Walgreens
  3286. and purchase a Green Dot recharge number, called a
  3287. MoneyPak, for any amount up to $500. He’d then IM or email
  3288. the number to Max, who’d apply it to one of his Green
  3289. Dot cards at the company’s website. He could then use the
  3290. card for everyday purchases or make withdrawals from San
  3291. Francisco ATMs.
  3292. Once his crew arrived, ready for work, Chris passed out
  3293. their cards, separated into low-limit classic cards and high-limit
  3294. gold and platinum. They should stick to small
  3295. purchases for the classics, he’d remind them—$500 or so.
  3296. With the high-limit plastic they should go for the big bucks,
  3297. purchases from $1,000 to $10,000. The girls were
  3298. all young, but affecting the privileged bearing of stylish
  3299. Orange County youth they could walk into a Nordstrom’s
  3300. and snatch up a couple of $500 Coach bags without raising
  3301. eyebrows, then cross to the other side of the mall and do
  3302. the same thing at Bloomingdale’s.
  3303. New cashers were always nervous at first, but once the
  3304. first fake card was approved at the register, they were
  3305. hooked. In no time they’d be sending Chris excited text
  3306. messages from their shopping excursions: “Can we use
  3307. amex at new bloomingdales?” or “I did over 7k on a mc!
  3308. yeah!”
  3309. At the end of the day, they met Chris in a parking lot and
  3310. transferred the purses trunk-to-trunk. He paid them on the
  3311. spot, 30 percent of the retail value, and carefully recorded
  3312. the transaction on a payout sheet like a real businessman.
  3313. The handbags—elegant cloth and suede and gleaming
  3314. buckles—would go in boxes until Chris’s wife, Clara, could
  3315. sell them on eBay.
  3316. As night fell over Villa Siena, the lights went on above the
  3317. tennis courts and the outdoor fireplaces ignited. Miles away
  3318. Chris and his crew were at a restaurant, ordering a
  3319. celebratory dinner and a bottle of wine. As always, it was
  3320. Chris’s treat.
  3321.  
  3322. 14
  3323. The Raid
  3324. “Nice TV!” said Tim, admiring the sixty-one-inch
  3325. Sony plasma hanging on the wall. Charity, a compulsive
  3326. reader, hated the new flat-screen, the way it dominated the
  3327. living room in their new apartment, but Max loved his
  3328. gadgets, and this one was more than a high-def toy. It was
  3329. a symbol of the couple’s newfound financial security.
  3330. Max’s friends knew that he was into something, and not
  3331. just because he was no longer struggling to make ends
  3332. meet. Max had begun slipping Tim CD-ROMs burned with
  3333. the latest exploits from the underground, giving the system
  3334. administrator an edge in protecting his work machines.
  3335. Then there were the odd comments at the monthly Hungry
  3336. Programmers’ dinner at Jing Jing in Palo Alto. When
  3337. everyone was done describing their latest projects, Max
  3338. would only offer a cryptic note of envy. “Wow, I wish I was
  3339. doing something positive.”
  3340. But nobody was pressing Max for the details of his new
  3341. gig; they could only hope it was something quasilegitimate.
  3342. The hacker scrupulously avoided burdening his friends with
  3343. the knowledge of his double life, even as he slipped farther
  3344. to the edge of their circle. Until the day one of his hacks
  3345. followed him home.
  3346. • • •
  3347. It was 6:30 a.m. and still dark out when Chris Toshok
  3348. awoke to the sound of his doorbell buzzing, the long
  3349. continuous drone of someone holding their thumb on the
  3350. button. Figuring it for a neighborhood drunk, he rolled over
  3351. and tried to get back to sleep. Then the buzz broke into an
  3352. insistent rhythm, bzzz, bzzz, bzzz, like a busy signal. He
  3353. reluctantly crawled out of bed, grabbed his pants and a
  3354. sweatshirt, and moved groggily down the stairs.
  3355. When he opened the door he found himself squinting into
  3356. the glare of a flashlight.
  3357. “Are you Chris Toshok?” said a woman’s voice.
  3358. “Uh, yes.”
  3359. “Mr. Toshok, we’re with the FBI. We have a warrant to
  3360. search the premises.”
  3361. The agent—a long-haired blonde—showed Toshok her
  3362. badge and pressed a thin sheaf of papers into his hands.
  3363. Another agent put a firm hand on his arm and guided him
  3364. outside to the porch, clearing the doorway to admit a flood
  3365. of suits into the house. They roused Toshok’s roommate,
  3366. then began tossing Chris’s bedroom, riffling through his
  3367. bookshelves and pawing through his underwear drawer.
  3368. The blonde, joined by a Secret Service agent, sat down
  3369. with Toshok to explain why they were there. Four months
  3370. earlier the source code for the unreleased first-person
  3371. shooter Half-Life 2 had been stolen from the computers of
  3372. Valve Software in Bellevue, Washington. It was swapped in
  3373. IRC for a while and then showed up on file-sharing
  3374. networks.
  3375. Half-Life 2 was perhaps the most anticipated game of all
  3376. time, and the emergence of the secret source code had
  3377. electrified the gaming world. Valve announced it would
  3378. have to delay the launch of the game, and the company
  3379. CEO issued a public call for Half-Life fans to help track
  3380. down the thief. Based on sales of the original game, Valve
  3381. valued the software at a quarter of a billion dollars.
  3382. The FBI had traced some of the hacking activity to
  3383. Toshok’s Internet IP address at his old house, the agent
  3384. explained. The judge would go easier on Toshok if he told
  3385. them where he’d stashed the source code.
  3386. Toshok protested his innocence, though he
  3387. acknowledged that he knew about the breach. His old
  3388. friend Max Vision was staying with him at the time of the
  3389. intrusion, and he got very excited when the source code
  3390. popped up online.
  3391. Hearing Max Vision’s name sent the agents into double
  3392. time—they nearly tripped over themselves to finish the
  3393. search and get back to the office to prepare a warrant
  3394. application for Max’s new apartment. Chris watched
  3395. gloomily as they gathered his nine computers, some music
  3396. CDs, and his Xbox. The blonde agent registered the look
  3397. on his face. “Yeah,” she said, “this is going to be hard for
  3398. you.”
  3399. When Max heard about the raid, he knew he didn’t have
  3400. much time. He ran around his apartment stashing his gear.
  3401. He hid an external hard drive in a stack of sweaters in the
  3402. closet, another in a cereal box. One of his laptops fit under
  3403. the sofa cushions; he hung a second one out the bathroom
  3404. window in a garbage bag. Everything sensitive on his
  3405. computers was encrypted, so even if they found his
  3406. hardware, the agents wouldn’t get any evidence of his
  3407. hacking. But under the terms of his supervised release, he
  3408. wasn’t supposed to be using encryption at all. Moreover, it
  3409. would be incredibly inconvenient to let the FBI take all of his
  3410. computers.
  3411. The feds arrived in force, as many as twenty agents
  3412. swarming like ants through the apartment. They found only
  3413. the routine trappings of a San Francisco computer geek
  3414. with hippie leanings: a bookshelf with Orwell’s 1984,
  3415. Huxley’s Brave New World, Orson Scott Card’s sci-fi
  3416. classic Ender’s Game, and a smattering of Asimov and
  3417. Carl Sagan. There was a bicycle, and stuffed penguins
  3418. were strewn everywhere. Max loved penguins.
  3419. They discovered not one of Max’s slapdash hiding spots,
  3420. and this time, the hacker had nothing to say. The agents left
  3421. without any evidence linking Max to the Valve intrusion,
  3422. much less any hints of the crimes he was committing with
  3423. Chris. Just a stack of CDs, a broken hard drive, and a
  3424. vanilla Windows machine he’d left out as diversions.
  3425. But Charity had just learned what it meant to be in Max
  3426. Vision’s world. Max insisted he was innocent of the source
  3427. code theft. It was probably the truth. There’d been several
  3428. first-person shooter fans crawling around Valve’s Swiss
  3429. cheese network in anticipation of Half-Life 2. Max
  3430. happened to be one of them.
  3431. The FBI later settled on a different Valve hacker: a
  3432. twenty-year-old German hacker named Axel “Ago” Gembe,
  3433. who admitted to his intrusions in e-mails to Valve’s CEO,
  3434. though he too denied stealing the code.
  3435. Gembe was already notorious for creating Agobot, a
  3436. pioneering computer worm that did more than just spread
  3437. from one Windows machine to another. When Agobot took
  3438. over a machine, the user might not notice anything but a
  3439. sudden sluggishness in performance. But deep in the PC’s
  3440. subconscious, it was joining a hacker’s private army. The
  3441. malware was programmed to automatically log in to a
  3442. preselected IRC room, announce itself, and then linger to
  3443. accept commands broadcast by its master in the chat
  3444. channel.
  3445. Thousands of computers would report at once, forming a
  3446. kind of hive mind called a botnet. With one line of text, a
  3447. hacker could activate keystroke loggers on all the
  3448. machines to capture passwords and credit card numbers.
  3449. He could instruct the computers to open secret e-mail
  3450. proxies to launder spam. Worst of all, he could direct all
  3451. those PCs to simultaneously flood a targeted website with
  3452. traffic—a distributed denial-of-service attack that could
  3453. take down a top site for hours while network administrators
  3454. blocked each IP address one at a time.
  3455. DDoS attacks started as a way for quarreling hackers to
  3456. knock each other out of IRC. Then one day in February
  3457. 2000, a fifteen-year-old Canadian named Michael
  3458. “MafiaBoy” Calce experimentally programmed his botnet to
  3459. hose down the highest-traffic websites he could find. CNN,
  3461. Yahoo!, Amazon, eBay, Dell, and E-Trade all buckled under
  3462. the deluge, leading to national headlines and an
  3463. emergency meeting of security experts at the White House.
  3464. Since then, DDoS attacks had grown to become one of the
  3465. Internet’s most monstrous problems.
  3466. Bots like Ago’s marked the decade’s major innovation in
  3467. malware, inaugurating an era where any pissed-off script
  3468. kiddie can take down part of the Web at will. Gembe’s
  3469. confession in the Valve hack provided the FBI with a
  3470. golden opportunity to snare one of the innovators most
  3471. responsible. The FBI tried to lure Gembe to America with
  3472. an Invita-style job offer from Valve. After months of
  3473. negotiations and telephone interviews with Valve
  3474. executives, the hacker seemed ready to hop a flight to the
  3475. States.
  3476. Then the German police intervened, arrested the hacker,
  3477. and charged him locally as a youthful offender. Gembe was
  3478. sentenced to one year of probation.
  3479. The raid on Max’s house shook him, filling his head with
  3480. unpleasant memories of the FBI’s search warrant over the
  3481. BIND attacks. Max decided he needed a safe house in the
  3482. city, a place where he could ply his trade and store his data
  3483. free from the threat of search warrants—something like
  3484. Chris’s Villa Siena plant.
  3485. Under an alias, Chris rented a second apartment for
  3486. Max, a spacious penthouse in the Fillmore District, with a
  3487. balcony and a fireplace—Max liked working by an open
  3488. fire, and he’d joked that he could burn the evidence in an
  3489. emergency.
  3490. Max tried to get home to Charity daily, but with a
  3491. comfortable hacker safe house to retreat to, he began
  3492. disappearing for days at a stretch, sometimes only
  3493. emerging when his girlfriend interrupted his work with a
  3494. prodding phone call.
  3495. “Dude, time to come home. I miss you.”
  3496. As money started to flow into Max and Chris’s joint
  3497. operation, so did the mistrust. Some of the cashers in
  3498. Chris’s crew liked to party, and the constant presence of
  3499. cocaine, ecstasy, and pot called to Chris like a forgotten
  3500. melody. In February, he was pulled over near his home and
  3501. arrested for driving under the influence. He began routinely
  3502. vanishing with his comely employees for weekend-long
  3503. bacchanals in Vegas: The day was for shopping; at night,
  3504. Chris would snort some coke and take the girls out to the
  3505. Hard Rock to party or snag a VIP table at the sleek
  3506. Ghostbar atop the Palms, where he’d blow $1,000 on
  3507. dinner and another grand on wine. Back in Orange County,
  3508. he took a mistress—an eighteen-year-old woman he met
  3509. through one of his cashers.
  3510. Max found both drugs and marital infidelity distasteful.
  3511. But what really irked him was the financial arrangement.
  3512. Chris was paying Max haphazardly—in whatever amount
  3513. he felt like turning over at any given moment. Max wanted a
  3514. straight 50 percent of Chris’s profits. He was certain that
  3515. Chris was making serious bank from their joint operation.
  3516. Chris tried to set him straight, and he e-mailed Max a
  3517. detailed spreadsheet showing where the profits were
  3518. going. Out of a hundred cards, maybe fifty worked, and only
  3519. half of those could buy anything worth selling—the others
  3520. were seeds and stems, cards with $500 security limits that
  3521. were good only for trifles like gas and meals. Chris had
  3522. expenses, too—spreading his hustle meant flying his crew
  3523. to far-flung cities, and airline seats weren’t getting any
  3524. cheaper. Meanwhile, he was paying rent at Villa Siena for
  3525. his credit card factory.
  3526. Max was unconvinced. “Call me back when you’re not
  3527. stoned.”
  3528. The last straw came when Chris, three months after the
  3529. Half-Life raid, suffered a close call himself. He’d driven up
  3530. to San Francisco to meet with Max and make some
  3531. carding runs at Peninsula malls. He and his crew were
  3532. checked into adjacent rooms at the W, a posh hotel in the
  3534. Soma district, when Chris got a call from the front desk. His
  3535. credit card had been declined.
  3536. Hungover and fuzzy-headed from the flu, Chris took the
  3537. elevator to the marbled lobby and pulled a new fake card
  3538. from his swollen wallet. He watched as the clerk swiped it. It
  3539. was declined. He produced another one, and it failed too.
  3540. The third one worked, but by then the clerk was suspicious,
  3541. and as the elevator was carrying Chris back to the twenty-seventh
  3542. floor, she was picking up the phone and calling the
  3543. credit card company.
  3544. The next knock on Chris’s door was the San Francisco
  3545. Police Department. They cuffed him and searched his
  3546. rooms and car, seizing his Sony laptop, an MSR206, and
  3547. his SUV, which had a fake VIN tag—Chris had
  3548. experimented with renting cars using his plastic in Las
  3549. Vegas, then sending them to Mexico to be fitted with clean
  3550. VINs.
  3551. Chris was thrown in the county jail. His disappearance
  3552. worried Max, but Chris bailed out quickly and confessed his
  3553. blunder to his partner. Fortunately for him the police
  3554. investigation went no further. Chris was sentenced a month
  3555. later to three years of probation and ordered not to return to
  3556. the W. He boasted afterward that he’d been a beneficiary
  3557. of San Francisco’s liberal justice system.
  3558. It was the kind of bullshit local bust that happened to
  3559. Chris’s girls all the time; that was why Chris kept a bail
  3560. bondsman on retainer and even let him crash at his Villa
  3561. Siena factory. But Max was furious. It was unforgivably
  3562. sloppy for someone at Chris’s level to be arrested carding
  3563. a hotel room.
  3564. Max decided he could no longer rely exclusively on his
  3565. partner. He needed a Plan B.
  3566.  
  3567. 15
  3568. UBuyWeRush
  3569. The run-down strip mall was plunked down in that vast,
  3570. flat interior of Los Angeles County that doesn’t make it onto
  3571. postcards, far from the ocean and so distant from the hills
  3572. that the squat stucco buildings could be a Hollywood set,
  3573. the featureless sky behind them a blue screen to be filled in
  3574. with mountains or trees in post-production.
  3575. Chris pulled his car into the trash-strewn parking lot. A
  3576. marquee at the entrance gave top billing to the Cowboy
  3577. Country Saloon, and below that it was the usual south Los
  3578. Angeles mix: a liquor store, a pawnshop, a nail salon. And
  3579. one more that was less usual: UBuyWeRush—the only
  3580. retail sign in Los Angeles that was also a handle on
  3581. CarderPlanet and Shadowcrew.
  3582. He walked into the front office, where an empty reception
  3583. window suggested the sixty-cent-per-square-foot space
  3584. had once been a medical clinic. On the wall a Mercator
  3585. projection map of the world bristled with pushpins. Then
  3586. Chris was greeted warmly by UBuy himself, Cesar
  3587. Carrenza.
  3588. Cesar had come to the underground by a circuitous
  3589. course. He graduated from the DeVry Institute in 2001 with
  3590. a degree in computer programming, hoping to get an
  3591. Internet job. When he couldn’t find one, he decided to try his
  3592. hand as an independent businessman on the Web.
  3593. From an ad in the Daily Commerce, he learned about an
  3594. upcoming auction at a public storage facility in Long
  3595. Beach, where the owners were selling off the contents of
  3596. abandoned lockers. When he showed up he found the
  3597. auction observed a very specific ritual. The manager,
  3598. wielding an imposing bolt cutter, would snip off the
  3599. defaulting renter’s lock while the bidders watched, and then
  3600. open the door. The bidders, about twenty of them, were
  3601. expected to evaluate the contents from where they stood
  3602. several feet away. The winner would then secure the unit
  3603. with his own padlock and clear out the contents within
  3604. twenty-four hours.
  3605. The experienced bidders were easy to spot: Padlocks
  3606. hung from their belts, and they held flashlights to peer into
  3607. the dark lockers. Cesar was less prepared but no less
  3608. eager. He was the only bidder on the first lot, claiming a
  3609. locker full of old clothes for $1.
  3610. He sold the clothes at a yard sale and on eBay for about
  3611. $60. Figuring he’d found a nice little niche, Cesar started
  3612. going to more auctions at storage facilities and business
  3613. liquidations, breaking down large lots and moving them on
  3614. eBay for a tidy profit. He put the money back into the
  3615. business and opened his storefront in the Long Beach strip
  3616. mall to accept consignments from neighbors with office
  3617. furniture, lawn chairs, and unbranded jeans to sell online.
  3618. It was good, honest work—not like his last independent
  3619. business. For most of the 1990s Cesar had been into
  3620. credit card fraud. He was happier selling on eBay, but
  3621. thinking about the past made him wonder if there was a
  3622. market for the kind of gear he’d used as a crook. He
  3623. ordered some MSR206s from the manufacturer and
  3624. offered them for sale through the UBuyWeRush eBay store.
  3625. He was impressed by how fast they were snapped up.
  3626. Then one of his new customers told him about a website
  3627. where he could really sell. He introduced Cesar to Script,
  3628. who approved UBuyWeRush as a CarderPlanet vendor.
  3629. Cesar posted his introduction on August 8, 2003. “I
  3630. decided to supply all you guys making the real big bucks,”
  3631. he wrote. “So if you need me I sell card printers, card
  3632. embossers, tippers, encoders, small readers and more. I
  3633. know it sounds like advertising, but it’s for you, a SAFE
  3634. place to shop.”
  3636. Business exploded overnight. Cesar built his own
  3637. website, began vending on Shadowcrew, got an 800
  3638. number, and started accepting e-gold, an anonymous
  3639. online currency favored by carders. He developed a
  3640. reputation for excellent customer service. With customers in
  3641. every time zone, he was scrupulous about answering the
  3642. phone whenever it rang, day or night. It was always money
  3643. on the other end of the line.
  3644. A canny businessman, he guaranteed same-day
  3645. shipping and forged relationships with his rivals, so if he
  3646. was caught short on an item, he could buy stock from a
  3647. competitor to fill his orders and keep his customers happy.
  3648. Strategic moves like that soon turned UBuyWeRush into
  3649. the top supplier of hardware to a worldwide community of
  3650. hackers and identity thieves. “Really good person, great to
  3651. deal with,” wrote a carder named Fear, advising a
  3652. Shadowcrew newbie. “Don’t scam UBuyWeRush cause
  3653. he’s a cool guy, and he’ll keep your info on the downlow.”
  3654. Cesar soon expanded his offerings to include hundreds
  3655. of different products: skimmers, passport cameras, foil
  3656. stampers, blank plastic, barcode printers, embossers,
  3657. check paper, magnetic ink cartridges, even cable TV
  3658. descramblers. Selling equipment wasn’t in and of itself
  3659. illegal, as long as he wasn’t conspiring in its criminal
  3660. applications. He even had some law-abiding customers
  3661. who bought his gear to make corporate ID cards and
  3662. school lunch vouchers.
  3663. Inundated with orders, Cesar ran a help-wanted ad in the
  3664. classifieds and began hiring workers to inventory, pack,
  3665. and ship his gear. As adjoining offices opened up, he
  3666. annexed them for the extra storage space, doubling and
  3667. then tripling his square footage. Fascinated by the global
  3668. reach of his low-rent strip-mall operation, he bought a wall
  3669. map, and every time he shipped to a new city he’d sink a
  3670. pin into the location. After six months, the map was
  3671. porcupined with pins throughout the United States,
  3672. Canada, Europe, Africa, and Asia. An impenetrable forest
  3673. of metal grew southwest of Russia on the Black Sea.
  3674. Ukraine.
  3675. Chris had become friends with Cesar. He’d even had
  3676. him over for dinner, along with Mrs. UBuyWeRush, Clara,
  3677. and Chris’s two boys—well-mannered kids who stayed at
  3678. the dinner table all the way through dessert. Chris
  3679. particularly liked hanging out at Cesar’s office. You never
  3680. knew who would show up at UBuyWeRush. Carders too
  3681. paranoid to have counterfeiting gear shipped even to a
  3682. drop would make a pilgrimage to Los Angeles to pick up
  3683. their items in person, opening the front door through their
  3684. shirtsleeve to leave no prints and paying in cash. Foreign
  3685. carders vacationing in California would stop by just to see
  3686. the legendary warehouse with their own eyes and shake
  3687. Cesar’s hand.
  3688. On this day, the man walking in to pick up an MSR206
  3689. was the last person Chris expected to see in Cesar’s shop,
  3690. a six-foot-five hacker with a long ponytail.
  3691. Chris was stunned; Max rarely left San Francisco these
  3692. days, and he hadn’t said anything about coming to town.
  3693. Max was equally surprised to see Chris. They exchanged
  3694. pleasantries awkwardly.
  3695. There was only one reason Max would sneak into Los
  3696. Angeles to buy his own magstripe encoder, Chris knew.
  3697. Max had decided to stop sharing his most valuable data.
  3698. Max had become privy to one of the biggest security
  3699. blunders in banking history, one that most consumers would
  3700. never hear about, even as it enriched carders to the tune of
  3701. millions of dollars.
  3702. The midsized Commerce Bank in Kansas City, Missouri,
  3703. may have been the first to figure out what was going on. In
  3704. 2003, the bank’s security manager was alarmed to find that
  3705. customer accounts were being sacked for $10,000 to
  3706. $20,000 a day from cash machines in Italy—he would
  3707. come in on a Monday and find his bank had lost $70,000
  3708. over the weekend. When he investigated, he learned that
  3709. the victim customers had all fallen for a phishing attack
  3710. aimed specifically at their debit card numbers and PINs.
  3711. But something didn’t make sense: CVVs were supposed
  3712. to prevent exactly this kind of scam. Without the CVV
  3713. security code programmed onto the magnetic stripe of the
  3714. real cards, the phished information shouldn’t have worked
  3715. at any ATM in the world.
  3716. He dug some more and discovered the truth: His bank
  3717. simply wasn’t checking the CVV codes on ATM
  3718. withdrawals, nor on debit card purchases, where the
  3719. consumer enters the PIN at the register. In fact, the bank
  3720. couldn’t perform such a check consistently if it wanted to;
  3721. the third-party processing network used by the bank didn’t
  3722. even forward the secret code. The Italian phishers could
  3723. program any random garbage into the CVV field, and the
  3724. card would be accepted as the real thing.
  3725. The manager moved the bank to another processing
  3726. network and reprogrammed his servers to verify the CVV.
  3727. The mysterious withdrawals from Italy halted overnight.
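The failure described in the Commerce Bank passage is easy to see in code. The value on the magnetic stripe is the CVV1 (Visa) or CVC1 (Mastercard), an issuer-computed check digit string that is distinct from the printed CVV2 used for card-not-present purchases; a phisher who collects a PAN, expiry and PIN never learns it, so an issuer that recomputes it from the track data will reject a counterfeit stripe. The block below is an added example, not code from the book or from any bank: it models a track-2 read, the "cashable bank" authorizer that ignores the field, the corrected authorizer that verifies it, and the case where the processor strips the field before the request reaches the issuer. The CVV1 derivation is an HMAC stand-in for the DES-based card verification algorithm issuers actually run in an HSM, and the discretionary-data layout, account record, request format and sample PAN are assumptions constructed for the demonstration.

```python
"""
Issuer-side authorization with and without the CVV1 check.

Added example, not code from Kingpin or from any bank. The CVV1 derivation
is an HMAC stand-in for the DES-based card verification algorithm real
issuers run in an HSM; the track-2 discretionary-data layout, the account
records and the request format are assumptions made for this demonstration.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Assumed card verification key; real issuers hold CVK A/B as DES keys in an HSM.
CVK = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def derive_cvv1(pan: str, expiry_yymm: str, service_code: str, key: bytes = CVK) -> str:
    """3-digit CVV1 for the data on the stripe (stand-in: keyed hash, then decimalised)."""
    msg = f"{pan}|{expiry_yymm}|{service_code}".encode()
    hexdigest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # Decimalise the way issuers do: decimal digits first, then A-F mapped to 0-5.
    digits = [c for c in hexdigest if c.isdigit()]
    digits += [str(int(c, 16) - 10) for c in hexdigest if c.isalpha()]
    return "".join(digits[:3])


def encode_track2(pan: str, expiry_yymm: str, service_code: str, cvv1: str) -> str:
    """Assumed layout: ;PAN=YYMM SSS 0000 CVV?  (four filler digits, then CVV1)."""
    return f";{pan}={expiry_yymm}{service_code}0000{cvv1}?"


def parse_track2(track: str) -> dict:
    """Split a track-2 string into the fields the issuer needs."""
    if not (track.startswith(";") and track.endswith("?")) or "=" not in track:
        raise ValueError("malformed track 2")
    pan, rest = track[1:-1].split("=", 1)
    if not pan.isdigit() or not 12 <= len(pan) <= 19 or len(rest) < 14:
        raise ValueError("malformed track 2")
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7], "cvv1": rest[11:14]}


@dataclass
class Account:
    expiry: str
    service_code: str
    pin: str
    balance: int


# Constructed sample cardholder; the PAN is a well-known test number, not a real account.
ACCOUNTS = {"4111111111111111": Account("0712", "101", "4932", 5000)}


def build_auth_request(track: str, pin: str, amount: int, processor_forwards_cvv: bool = True) -> dict:
    """What the issuer sees after the ATM and processor hop. A processor that
    drops the discretionary data (as in the book) leaves cvv1 as None."""
    t = parse_track2(track)
    cvv1 = t["cvv1"] if processor_forwards_cvv else None
    return {"pan": t["pan"], "pin": pin, "amount": amount, "cvv1": cvv1}


def authorize(req: dict, verify_cvv: bool) -> str:
    """Issuer decision. verify_cvv=False is the 'cashable bank' behaviour."""
    acct = ACCOUNTS.get(req["pan"])
    if acct is None:
        return "DECLINE:unknown-pan"
    if not hmac.compare_digest(req["pin"], acct.pin):
        return "DECLINE:bad-pin"
    if verify_cvv:
        if req["cvv1"] is None:
            return "DECLINE:cvv-missing"  # fail closed when the processor strips the field
        expected = derive_cvv1(req["pan"], acct.expiry, acct.service_code)
        if not hmac.compare_digest(req["cvv1"], expected):
            return "DECLINE:cvv-mismatch"
    if req["amount"] > acct.balance:
        return "DECLINE:insufficient-funds"
    return "APPROVE"


def run_scenario() -> dict:
    """Genuine stripe vs. a stripe forged from phished PAN/expiry/PIN."""
    pan, pin = "4111111111111111", "4932"
    acct = ACCOUNTS[pan]
    real_cvv = derive_cvv1(pan, acct.expiry, acct.service_code)
    genuine = encode_track2(pan, acct.expiry, acct.service_code, real_cvv)
    # The phisher has PAN, expiry and PIN but not the CVV1, so he encodes garbage;
    # a fixed value (guaranteed to differ) keeps the demonstration deterministic.
    garbage = "000" if real_cvv != "000" else "999"
    forged = encode_track2(pan, acct.expiry, acct.service_code, garbage)
    return {
        "genuine_weak": authorize(build_auth_request(genuine, pin, 300), verify_cvv=False),
        "genuine_strict": authorize(build_auth_request(genuine, pin, 300), verify_cvv=True),
        "forged_weak": authorize(build_auth_request(forged, pin, 300), verify_cvv=False),
        "forged_strict": authorize(build_auth_request(forged, pin, 300), verify_cvv=True),
        "stripped_strict": authorize(
            build_auth_request(genuine, pin, 300, processor_forwards_cvv=False), verify_cvv=True
        ),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:16} {outcome}")
```

The weak authorizer approves the forged stripe because PAN and PIN alone are enough for it; the strict one declines on the CVV mismatch. The last case is the one the Commerce Bank manager ran into: if the processing network never forwards the field, the issuer cannot verify it at all, and the safe behaviour is to decline (or at least flag) rather than treat an absent check as a passed one, which is why he had to change networks before the check meant anything.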
  3728. But Commerce Bank was just the beginning. In 2004,
  3729. nearly half America’s banks, S&Ls, and credit unions still
  3730. weren’t bothering to verify the CVV on ATM and debit
  3731. transactions, which is why America’s in-boxes were being
  3732. flooded with phishing e-mails targeting PIN codes for what
  3733. the carders called “cashable” banks.
  3734. Citibank, the nation’s largest consumer bank by holdings,
  3735. was the most high-profile victim. “This e-mail was sent by
  3736. the Citibank server to verify your e-mail address,” read a
  3737. message spammed from Russia in a September 2003
  3738. campaign. “You must complete this process by clicking on
  3739. the link below and entering in the small window your
  3740. Citibank ATM/Debit Card number and PIN that you use on
  3741. ATM.”
  3742. A more artful message in 2004 capitalized on
  3743. consumers’ well-founded fears of cybercrime. “Recently
  3745. there have been a large number of identity theft attempts
  3746. targeting Citibank customers,” read the spam, emblazoned
  3747. with Citi’s iconography. “In order to safeguard your account,
  3748. we require that you update your Citibank ATM/Debit card
  3749. PIN.” Clicking on the link took customers to a perfect
  3750. simulacrum of a Citibank site, hosted in China, where the
  3751. victim would be prompted for the data.
  3752. Good for direct cash, PINs were the holy grail of carding.
  3753. And it was CarderPlanet’s King Arthur who was most
  3754. successful in the quest. King, as he was known to his
  3755. friends, ran an international ring that specialized in hitting
  3756. Citibank customers, and he was a legend in the carding
  3757. world. One of King Arthur’s lieutenants, an American expat
  3758. in England, once let it slip to a colleague that King was
  3759. making $1 million a week from the global operation. And he
  3760. was just one of many Eastern Europeans running cash-outs
  3761. in America.
  3762. Max plugged himself into the Citibank cash-outs in his
  3763. own way: He Trojaned an American mule named Tux, and
  3764. started intercepting the PINs and account numbers the
  3765. carder was getting from his supplier. After a while, he
  3766. contacted the source—an anonymous Eastern European
  3767. whom Max suspected of being King Arthur himself—and
  3768. told him candidly what he’d done: Tux, he said, had been
  3769. guilty of the crime of slipshod security. For good measure,
  3770. Max claimed falsely that the mule had been ripping off the
  3771. supplier.
  3772. The supplier cut off Tux on the spot and began providing
  3773. Max with his PINs directly, anointing the hacker as his
  3774. newest cash-out mule.
  3775. When the PINs first started rolling in, Max had passed
  3776. them all to Chris, who tore into them with a vengeance.
  3777. Chris would pull $2,000 in cash—the daily ATM withdrawal
  3778. limit—and then send his girls out to make in-store debit
  3779. purchases with the PINs until the account was drained dry.
  3780. He was raping the cards. Max didn’t like it. The whole point
  3781. of a cash-out was to get cash, not merchandise that sold
  3782. for a fraction of its worth. With a little finesse, the PINs could
  3783. be producing a lot more liquid.
  3784. Then it occurred to him he didn’t need his partner at all
  3785. for this particular operation.
  3786. When he returned from UBuyWeRush with his very own
  3787. MSR206, Max went into business for himself. He
  3788. programmed a stack of Visa gift cards with the account
  3789. data and wrote each card’s PIN on a sticky note affixed to
  3790. the plastic. Then he’d get on his bicycle or take a long
  3791. meandering walk through the city, visiting small, customer-owned
  3792. cash machines at locations free of surveillance
  3793. cameras.
  3794. He’d enter the PIN, then the withdrawal amount, and
  3795. chump, chump, chump, chump, the ATM spat out cash
  3796. like a slot machine. Max would pocket the money, write the
  3797. new, lower account balance on the Post-it, then look around
  3798. discreetly to make sure he hadn’t drawn any attention
  3799. before drawing the next card from his deck. To keep his
  3800. prints off the machines, he’d press the buttons through a
  3801. piece of paper or with his fingernails, or coat the pads of
  3802. his fingers with hydroxyquinoline—a clear, tacky antiseptic
  3803. sold in drugstores as the liquid bandage New-Skin.
  3804. Max dutifully sent a fixed percentage of his take to
  3805. Russia via Western Union MoneyGram, per his agreement
  3806. with the supplier. He was an honest criminal now, doing
  3807. straightforward business in the underground. And even
  3808. after getting his own magstripe writer, Max continued to
  3809. give some of his PINs to Chris, who continued tapping his
  3810. crew to burn through the cards aggressively.
  3811. On the surface, Max’s ATM visits weren’t much of a
  3812. Robin Hood operation, but Max took moral solace in the
  3813. fact that the cash-outs always ended with the cards being
  3814. canceled. That meant the fraudulent withdrawals were
  3815. being discovered, and Citibank would be forced to
  3816. reimburse its customers for the thefts.
  3817. After some months, Max built a nice nest egg from
  3818. Citibank’s losses: He moved with Charity to a $6,000-a-month
  3819. house rental in San Francisco’s Cole Valley and
  3820. installed a safe for his profits: $250,000 in cash.
  3821. His earnings were just a tiny piece of the losses from the
  3822. CVV gaffe. In May 2005, a Gartner analyst organized a
  3823. survey of five thousand online consumers and, extrapolating
  3824. the results, estimated that it had cost U.S. financial
  3825. institutions $2.75 billion. In just one year.

16
Operation Firewall

There was something fishy going on with Shadowcrew. Max kept his presence on the Internet’s top crime site low-key; to him, Shadowcrew was just a hunting ground conveniently stocked with hackable carders. But in May 2004, a Shadowcrew administrator made an offer on the board that got Max’s attention. The admin, Cumbajohnny, was announcing a new VPN service just for Shadowcrew members.

A VPN—virtual private network—is typically used to provide telecommuters with access to their employer’s network from home. But a trustworthy underground VPN appealed to carders for another reason. It meant every byte of traffic from their computers could be encrypted—immune to sniffing by a nosy ISP or a law enforcement agency with a surveillance warrant. And any attempt to trace their activities would get no farther than Cumbajohnny’s own data center.

Cumbajohnny was a recent addition to Shadowcrew’s leadership—a former moderator who was growing in power and influence and changing the mood on the board. Some other admins were complaining about a new mean-spiritedness on the forum. Banner ads appeared at the top of the site: “Stop talking. Do Business. Advertise here. Contact Cumbajohnny.” Shadowcrew was taking on the feel of the Las Vegas strip, with flashy ads promising a lifestyle of partying, beautiful women, and piles and piles of cash.

Gollumfun, an influential founder, had already publicly retired from the site when another founder named BlackOps announced he was leaving as well. “Shadowcrew has been reduced from its once lustrous form to a degrading environment of children who lack knowledge, the skills or desire to interact with other members in a positive way,” he wrote. “Gone are the well thought out tutorials; gone are the well-respected members; and gone is the civility. No longer do we help the newbies find their way, we simply flame them to death until they leave and then complain that there aren’t any new members.”

“BlackOps, you will be missed, thank you for your services,” Cumbajohnny wrote tactfully. “SC is changing, and for the best.”

Max paid little attention to the politics of the carding scene. But the VPN announcement made him uneasy. It turned out Cumbajohnny had been privately selling his VPN service to Shadowcrew’s leaders for three months. Now, Cumbajohnny wrote, any Shadowcrew member in good standing could buy the same peace of mind for $30 to $50 a month.

But VPNs have one well-known weakness: everything transpiring over the network has to be funneled through a central point, unencrypted and vulnerable to eavesdropping. “If the FBI, or whoever, really wanted to they could get into the datacenter and change some of the configs on the VPN box and start logging, and then you would be kinda screwed,” one member noted. “But that is just straight paranoia,” he conceded.

Cumbajohnny reassured him. “No one can touch the VPN without me knowing about it.”

Max wasn’t convinced. In his white-hat days, he’d written a program for the Honeynet Project called Privmsg—a PERL script that took the data from a packet sniffer and used it to reconstruct IRC chats. When an intruder was lured into cracking one of the project’s honeypots, the attacker would often use the system to hold online conversations with his fellow hackers. With Privmsg, the white hats could see the whole thing. It had been a strong innovation in hacker tracking, turning passive honeypots into digital wiretaps and opening a window into the underground’s culture and motives.

Max could see the same wiretap tactic at play now in Cumbajohnny’s VPN offer. There was other evidence, too; while hacking random carders, he saw a message to a Shadowcrew administrative account that read like a federal agent giving orders to an informant. Max couldn’t shake the feeling that someone was turning Shadowcrew into the ultimate honeypot.

After talking it over with Chris, Max posted several messages to Shadowcrew summarizing his doubts. The posts disappeared at once.

Max’s suspicions were right on the money.

The NYPD had nabbed Albert “Cumbajohnny” Gonzalez nine months earlier pulling cash out of a Chase ATM on New York’s Upper West Side. Originally from Miami, Gonzalez was twenty-one years old and the son of two Cuban immigrants. He was also a longtime hacker who’d been dedicated enough to trek to Vegas for the 2001 Def Con.

The Secret Service interviewed Gonzalez in custody and quickly ascertained his worth. The hacker was living in a $700-a-month garden apartment in Kearny, New Jersey, had $12,000 in credit card debt, and was officially unemployed. But as “Cumbajohnny,” he was a trusted confidant and colleague of carders around the world and, most importantly, a moderator at Shadowcrew.

He was in the belly of the beast, and properly handled, he might strike a deathblow against the forum.

The Secret Service took over the case and sprang Gonzalez to use him as an informant. The VPN was the agency’s masterstroke. The equipment was bought and paid for by the feds, and they’d obtained wiretap warrants for all the users. Cumbajohnny’s carder-only VPN service was an invitation to an Internet panopticon.

Shadowcrew’s biggest players were drawn inexorably into the Secret Service’s surveillance net. The tapped VPN laid bare all the wheeling and dealing the carders kept off the public website—the hard negotiating that unfolded mostly in e-mail and over IM.

There were deals every day and every night, with a weekly surge in trading Sunday evenings. The transactions ranged from the petty to the gargantuan. On May 19, agents watched Scarface transfer 115,695 credit card numbers to another member; in July, APK moved a counterfeit UK passport; in August, Mintfloss sold a fake New York driver’s license, an Empire Blue Cross health insurance card, and a City University of New York student ID card to a member in need of a full identification portfolio. A few days later, another sale by Scarface, just two cards this time; then MALpadre bought nine. In September, Deck sold off eighteen million hacked e-mail accounts with user names, passwords, and dates of birth.

The Secret Service had fifteen full-time agents combing through the activity—every purchase would be another “underlying offense” in a grand jury indictment. And the best part was, many of Shadowcrew’s denizens were unwittingly paying the Secret Service for the privilege of being monitored.

But running a game against hackers was never cut-and-dried, as the agency learned on July 28, 2004. That was when Gonzalez informed his handlers that a carder named Myth, one of King Arthur’s cashers, had somehow obtained one of the agency’s confidential documents about Operation Firewall. Myth had been boasting about it in an IRC chat room.

The feds told Gonzalez to find the source of the leak, and fast. As Cumbajohnny, Gonzalez made contact with Myth and learned that the documents represented just a few droplets in a full-blown Secret Service data spill. Myth knew about subpoenas issued in the Shadowcrew probe and had even discovered that the agency was monitoring his own ICQ account. Fortunately, the documents didn’t mention an informant.

Myth refused to tell Gonzalez who his source was but agreed to arrange an introduction. The next day, Gonzalez, Myth, and a mystery hacker using the temporary handle “Anonyman” met on IRC. Gonzalez worked to gain Anonyman’s trust, and the hacker finally revealed himself as Ethics, a vendor whom Cumba already knew on Shadowcrew.

The leak was starting to make sense. In March, the Secret Service had noticed Ethics was selling access to the database of a major wireless carrier, T-Mobile. “I am offering reverse lookup of information for a T-Mobile cell phone, by phone number,” he wrote in a post. “At the very least, you get name, SSN, and DOB. At the upper end of the information returned, you get Web username/password, voicemail password, secret question/answer.”

T-Mobile had failed to patch a critical security hole in a commercial server application it had purchased from the San Jose, California, company BEA Systems. The hole, discovered by outside researchers, was painfully simple to exploit: An undocumented function allowed anyone to remotely read or replace any file on a system by feeding it a specially crafted Web request. BEA produced a patch for the bug in March 2003 and issued a public advisory rating it a high-severity vulnerability. In July of that year, the researchers who discovered the hole gave it more attention by presenting it at the Black Hat Briefings convention in Las Vegas, an annual pre–Def Con gathering attended by 1,700 security professionals and corporate executives.

Ethics learned of the BEA hole from the advisory, crafted his own twenty-line exploit in Visual Basic, then began scanning the Internet for potential targets who had failed to patch. By October 2003, he hit pay dirt at T-Mobile. He wrote his own front end to the customer database to which he could return at his convenience.

At first, he used his access to raid the files of Hollywood stars, circulating grainy candid photos of Paris Hilton, Demi Moore, Ashton Kutcher, and Nicole Richie stolen from their Sidekick PDAs. It was evident now that he’d gotten into a Secret Service agent’s Sidekick as well.

A simple Google search on Ethics’s ICQ number turned up his real name on a 2001 résumé seeking computer security work. He was Nicholas Jacobsen, a twenty-one-year-old Oregonian who’d recently relocated to Irvine, California, to take a job as a network administrator. All that was left was to confirm which Secret Service agent was violating policy by accessing sensitive material on his PDA.

That’s where Gonzalez proved his worth again. Now that he was buddies with Cumbajohnny, Ethics hit up the Shadowcrew leader for an account on his much-touted VPN, figuring it would be a safer way to access T-Mobile.

Gonzalez happily obliged, and his Secret Service handlers got to watch as Ethics surfed to T-Mobile’s customer service website and logged in with the user name and password of New York agent Peter Cavicchia III, a veteran cybercrime officer who’d distinguished himself by busting a former AOL employee for stealing ninety-two million customer e-mail addresses to sell to spammers.

The leak had been found. Cavicchia would quietly retire a few months later, and Ethics was added to the list of Operation Firewall targets.

There was just one more threat to the investigation, and, bizarrely, it was coming from one of the FBI’s underground assets.

David Thomas was a lifelong scammer who’d discovered the crime forums in the Counterfeit Library days and soon became addicted to the high-speed deal making and criminal camaraderie. Now forty-four years old, El Mariachi, as he styled himself, was one of the most respected members in the carding community, assuming the role of mentor to younger scammers and dispensing advice on everything from identity theft to basic life lessons gleaned from decades on the fringe.

His experience, though, didn’t immunize him from the hazards of his profession. In October 2002, Thomas showed up in an office park in Issaquah, Washington, where he and his partner had rented a drop for one of CarderPlanet’s founders. They were hoping to claim $30,000 in Outpost.com merchandise ordered by the Ukrainian. Instead, they found local police waiting for them.

The police arrested Thomas, and a detective read him his Miranda rights and gave him a form to sign acknowledging he understood them. Thomas scoffed at the idea of a local cop trying to question him. “You don’t know who you have here,” he said. He urged the detective to call in the feds; the Secret Service would know who El Mariachi was, and he could give them a case involving Russians and “millions of dollars.”

A Secret Service agent visited him in the county jail but wasn’t impressed by Thomas’s $30,000-drop business. Then an FBI agent from the Seattle field office showed up. On the second meeting, the agent brought along an assistant U.S. attorney and an offer: The feds couldn’t help Thomas with his local case, but when he got out he could go to work for the Northwest Cyber Crime Task Force in Seattle.

It would be an intelligence-gathering mission, an official designation for an FBI operation with no predetermined targets. The bureau would get Thomas a new computer, put him up in a nice apartment, pay all of his expenses, and give him $1,000 a month in spending money. In return, Thomas would gather information on the underground and report it back to the task force.

Thomas hated snitches, but he liked the idea of being paid to observe and comment on the underground with which he’d become obsessed. Intelligence gathering wasn’t the same as snitching, he reasoned, and he could use the material he collected to write a book about the carding scene, something he’d been thinking a lot about lately.

He also knew exactly how to gather the information the task force was after.

Thomas was released from jail five months after his arrest. And in April, the FBI gained a new asset in the war on cybercrime: El Mariachi and his brand-new government-funded crime forum, the Grifters.

From his bureau-rented corporate apartment in Seattle, El Mariachi was soon gathering information on his fellow carders, particularly the Eastern Europeans. But though Thomas was working for the FBI, he didn’t exactly feel kinship with other government assets, and the VPN announcement convinced him—correctly—that Cumbajohnny was a federal informant.

Thomas became fixated on exposing his rival. Ignoring admonishments from his FBI handler, he continuously called out Gonzalez on the forums. Gonzalez, too, seemed to have it in for El Mariachi—he dug up a copy of the police report from Thomas’s Seattle arrest and circulated it among the Eastern European carders, drawing their attention to the part where Thomas offered to help catch Russians. A full-blown proxy war had broken out between the FBI and Secret Service, by way of two informants.

It was a bad time to be distracting the Eastern Europeans with American carder drama. In May 2004, one of CarderPlanet’s Ukrainian founders was extradited to the United States, after being arrested on vacation in Thailand. The next month, the British national police moved in on the site’s only native English-speaking administrator in Leeds. Script, getting heat from the Orange County FBI and the U.S. Postal Inspection Service, had already retired from the site, leaving King Arthur in charge. On July 28, 2004, King made an announcement.

“It is time to tell you the bad news—the forum should be closed,” he wrote. “Yes, it really means closed and there are a lot of reasons for that.”

In broken English he explained that CarderPlanet had become a magnet for law enforcement agencies around the world. When carders were busted, police interrogators badgered them with questions about the forum and its leaders. Under the relentless pressure, he implied, even he might slip up. “All of us are just people and all of us can make mistakes.”

By closing CarderPlanet, he would be depriving his enemies of their greatest asset. “Our forum held them well informed and up to date, and on our forum they and the bank employees just have been raising their level of proficiency and knowledge,” he wrote.

“Now all of thing will be the same but they will not know where the wind blows from and what to do.”

With that farewell note, King Arthur, almost certainly a millionaire ten times over, became a carder legend. He would be remembered as the one who gently folded the great CarderPlanet before anyone else could enjoy the pleasure of taking it down.

Shadowcrew’s leaders wouldn’t be so lucky. In September, the FBI pulled the plug on Thomas’s operation and gave him a month to move out of his apartment—ending his war with Cumbajohnny. The next month, on October 26, sixteen Secret Service agents gathered in a Washington command center to drop the hammer on Operation Firewall. Their targets were marked on a map of the United States filling a wall of computer displays. Every one of them would be at home, the agents knew; at the Secret Service’s behest, Gonzalez had called an online meeting for that evening, and nobody said no to Cumbajohnny.

At nine p.m., agents armed with MP5 semiautomatic assault rifles burst into Shadowcrew members’ homes around the country, grabbing three founders, T-Mobile hacker Ethics, and seventeen other buyers and sellers. It was the biggest crackdown on identity thieves in American history. Two days later, a federal grand jury handed down a sixty-two-count conspiracy indictment and the Justice Department went public with Operation Firewall.

“This indictment strikes at the heart of an organization that is alleged to have served as a one-stop marketplace for identity theft,” Attorney General John Ashcroft boasted in a press release. “The Department of Justice is committed to taking on those who deal in identity theft or fraud, whether they act online or off.”

With Gonzalez’s help, the Secret Service locked Shadowcrew’s remaining four thousand users out of the site and swapped in a new front page featuring a Secret Service banner and an image of a prison cell. The new page struck the Shadowcrew tagline, “For Those Who Like to Play in the Shadows,” and substituted a new motto: “You Are No Longer Anonymous!!”

Panicked carders around the world soaked up the news reports and watched the television coverage, worrying for themselves and their fallen compatriots. They collected on a small forum called Stealth Division to assess the damage and take a head count of survivors. “I am scared to death for my family right now—for my children,” wrote one cyberthief. “I just learned that my every move has been recorded.”

Slowly, they realized that Cumbajohnny wasn’t on the list of defendants. That’s when he logged in to make a final appearance.

“I want everyone to know I’m on the run and I had no fucking idea the USSS had the capabilities of doing what they did,” Gonzalez wrote. “From the news articles I can tell they’ve wiretapped my VPN and wiretapped the Shadowcrew server. This is my last post, good luck everyone.”

Nick Jacobsen, Ethics, was kept out of the press release and quietly indicted separately in Los Angeles—his intrusion into the Secret Service’s e-mail wouldn’t emerge until well after the agency had collected its accolades for Operation Firewall. Even then, the dragnet was a clear victory for the government. CarderPlanet was shuttered, and now Shadowcrew was closed for good, and its leaders—save Gonzalez—were in jail.

The carders were confused, paranoid, and, for the moment, homeless. “It will take years and years for any message board like Shadowcrew to build up,” wrote one. “And when or if it does, law enforcement will bust it again.

“And knowing what can be done, I doubt anyone will take the risk of putting another one up.”

17
Pizza and Plastic

On the top floor of the Post Street Towers, Max’s computers sat on the wood-veneer floor, silent and cool. Outside the bay window, shops and apartments were ready to unwittingly feed him bandwidth through his oversized antenna.

Max had gone dormant for a few months after accumulating a pile of cash from the Citibank operation; he’d abandoned his penthouse apartment and put his hacking on the back burner. But he couldn’t stay away long. He’d asked Chris to rent him a new safe house, one with more neighborhood Wi-Fi options than the last. “I just need a closet, I don’t need any space,” he’d said.

Chris had delivered. There was ample Wi-Fi swimming around the Post Street Towers, and the apartment was indeed a closet: a three-hundred-square-foot studio that seemed scarcely larger than a prison cell. Decked out in blond wood, with a Formica counter, a full-sized fridge, and a bed that unfolded from the wall, it was a clean and functional McApartment, bare of all distractions and able to provide the necessities for Max’s all-night hacking sprees. The high turnover in the building made him anonymous. Chris just had to flash a fake ID at the rental office, pay a $500 deposit, and sign the six-month lease.

Once his computers were plugged in and his antenna was latched on to some patsy’s network, Max wasted little time in getting back on the job. As ever, he targeted fraudsters, and he developed some novel ways to steal from them. He monitored the alerts put out by an organization called the Anti-Phishing Working Group, staying on top of the latest phishing attacks. The alerts included the Web addresses of the phishing sites linked to the forged e-mails, allowing Max to hack the phishers’ servers, resteal the stolen data, and erase the original copy, frustrating the phishers and grabbing valuable information at the same time.

Other attacks were less focused. Max was still plugged into the white-hat scene, and he was on the private mailing lists where security holes often appeared for the first time. He had machines scanning the Internet day and night for servers running vulnerable software, just to see what he’d turn up. He was scanning for a Windows server-side buffer overflow when he made the discovery that would lead to his public entry into the carding scene.

His scanning put him inside a Windows machine that, on closer inspection, was in the back office of a Pizza Schmizza restaurant in Vancouver, Washington; he knew the place, it was near his mother’s house. As he looked around the computer, he realized the PC was acting as the back-end system for the point-of-sale terminals at the restaurant—it collected the day’s credit card transactions and sent them in a single batch every night to the credit card processor. Max found that day’s batch stored as a plain text file, with the full magstripe of every customer card recorded inside.

Even better, the system was still storing all the previous batch files, dating back to when the pizza parlor had installed the system about three years earlier. It was some fifty thousand transactions, just sitting there, waiting for him. Max copied the files, then deleted them—they weren’t needed by Pizza Schmizza; in fact, just storing them in the first place was a violation of Visa’s security standards. After sorting and filtering out the duplicate and expired cards, he was left with about two thousand dumps.

For the first time, Max had a primary source, and they were virgin cards, almost guaranteed to be good.

Chris had been complaining about the staleness of some of Max’s dumps. That would end now. A customer could walk into the Pizza Schmizza and order a twelve-inch pie for his family, and his credit card could be on Max’s hard drive while the leftovers were still cooling in the garbage. Once he was done organizing his numbers, Max gave Chris a taste. “These are extremely fresh,” he said. “They’re from two days ago.”

There was no way that Chris and his crew could metabolize the fifty dumps a day coming from the Pizza Schmizza. So Max decided to make his first forays into vending in the carding scene.

Chris offered to handle the sales in exchange for half the profits. Chris’s recklessness still concerned Max—Chris had nearly been arrested buying gold in, of all places, India, fleeing the country one step ahead of the police. But Chris knew too much about Max for the hacker to just cut him loose, so he agreed to let Chris act as his representative to the underground. Chris soon claimed success in marketing Max’s dumps, until Max—who had a back door on Chris’s computer—figured out that Chris was actually using the magstripe data himself, getting a 50 percent price break by claiming to have resold them. Economically, it was all the same. But Max couldn’t help feeling cheated yet again.

  4292. Max turned to someone who might be easier to control: a
  4293. teenage carder from Long Island named John Giannone
  4294. who had become Chris’s sidekick.
  4295. Giannone was a smart middle-class kid with a coke habit
  4296. and burning desire to be a ruthless, badass cyberpunk. His
  4297. early ops failed to impress: He boasted to another carder
  4298. that he’d once pushed all the buttons on an elevator before
  4299. getting off, so the next passenger would have to stop at
  4300. every floor. On another occasion, he claimed, he walked
  4301. into a bank and wrote a note on the back of a deposit slip:
  4302. “This is a robbery. I have a bomb. Give me money or I’ll
  4303. blow the bank.” Then he put the slip back on the pile as a
  4304. surprise for the next customer.
  4305. When he was seventeen, Giannone joined Shadowcrew
  4306. and CarderPlanet under the handle MarkRich, and started
  4307. participating in small operations. His reputation went south
  4308. when he was busted carding plane tickets and a rumor
  4309. spread that he’d snitched on a forum regular while in
  4310. juvenile hall.
  4311. Undaunted, Giannone paid a more established carder
  4312. for the exclusive right to take over his handle and
  4313. reputation. As “Enhance,” the teen became more bold but
  4314. not more successful. In May 2003, copying an extortion
  4315. tactic perfected by the Russians, he borrowed a hacker’s
  4316. botnet and launched a DDoS attack against JetBlue, taking
  4317. down the airline’s website for some twenty-five minutes
  4318. before sending an e-mail demanding $500,000 in
  4319. protection money. But JetBlue paid him neither cash nor
  4320. the respect a cybergangster deserved. “We will forward this
to the appropriate law enforcement agencies,” the company wrote. “Yesterday’s outage was due to a system upgrade.”

When Max found Giannone with his Free Amex hack, the teen was running his operations from the computer in his mother’s bedroom. But Max and Chris had looked over Giannone’s files and decided he could be partner material. Chris in particular may have seen something of himself in the young, coke-snorting gangster wannabe. Giannone was already a regular visitor to Orange County—he liked vacationing in the sun—and the two began partying together. Chris called his apprentice “the Kid.”

Max knew everything about Giannone, while Giannone knew virtually nothing about him. For Max, it was an ideal arrangement for a partnership. Giannone made some sales of Max’s dumps and then introduced Max to other carders interested in making buys over ICQ. Max set up a new online identity for his vending: “Generous.”

Dealing with strangers was a big step for Max, and he took elaborate precautions to stay safe. When using carder forums or instant-messaging services, he’d bounce his connection through his private network of hacked PCs around the world—ensuring nobody could easily trace him even as far as his hacked WiFi. He disguised his writing style online for fear that some ill-considered turn of phrase or choice of punctuation might be matched to one of Max Vision’s security white papers or Bugtraq posts—the FBI had once remarked on the copious ellipses in his anonymous note to Lawrence Berkeley Laboratory during the BIND attacks.

To collect revenue, he accepted payment through an anonymous e-gold account linked to an ATM card. Giannone helped him with a second remittance system. The teenager established a business account at Bank of America for a car repair shop called A&W Auto Clinic, then sent Max the magstripe data and PIN code for his ATM card, allowing Max to clone the card with his MSR206. Dumps buyers in the United States could make a cash deposit for A&W at their nearest Bank of America branch, which Max could then withdraw at his leisure with his cloned ATM card.

Max didn’t need the money the way he used to. He’d squandered most of his nest egg from the Citibank cashouts, frittering it away on everything from handouts for the homeless to a $1,500 Sony AIBO robotic dog. But he wasn’t broke yet, and Charity had just started a well-paying job as a system administrator at Linden Lab, the brick-and-mortar home of Second Life—a fully realized three-dimensional online universe growing by thousands of inhabitants a month.

There was just one reason he was upping the ante now. He’d become addicted to life as a professional hacker. He loved the cat-and-mouse games, the freedom, the secret power. Cloaked in the anonymity of his safe house, he could indulge any impulse, explore every forbidden corridor of the Net, satisfy every fleeting interest—all without fear of consequence, fettered only by the limits of his conscience. At bottom, the master criminal was still the kid who couldn’t resist slipping into his high school in the middle of the night and leaving his mark.

18
The Briefing

In a briefing room near Washington, two dozen male faces filled a computer monitor on the wall, some scowling for a mugshot, others smiling for a passport photo. A couple of them looked like teenagers barely out of puberty; others were older, unkempt and vaguely dangerous in appearance.

Around the table a handful of FBI agents in suits and ties stared back at the faces of the international computer underground. For one of the agents, a lot of things were suddenly making sense.

At thirty-five years old, J. Keith Mularski had been an FBI agent for seven years. But he’d been on the computer crime beat for just four months, and he had a lot to learn. Enthusiastically friendly and quick to laugh, Mularski had wanted to be an FBI agent since his freshman year at Pennsylvania’s Westminster College, when a bureau recruiter came in to speak to one of his classes. He’d held on to the list of qualifications even as he walked a more pedestrian career path, starting as a furniture salesman in Pittsburgh, then working his way up to a position as operations manager for a national furniture chain with fifty employees reporting to him at four stores.

In 1997, after eight years of waiting, he finally decided he was ready for the FBI. After a yearlong application process and sixteen weeks of training at the FBI academy in Quantico, he was sworn in as an agent in July 1998.

As part of the bureau’s graduation ritual, the newly minted agent was instructed to rank all the FBI field offices in order of assignment preference. He rated his hometown of Pittsburgh as number one—it was where Mularski had grown up, gone to school, and met his wife. His chances of transferring there evaporated the next month, when Islamic terrorists bombed U.S. embassy buildings in Kenya and Tanzania. Veteran FBI agents were dispatched from the Washington, DC, field office to investigate the attacks, and Mularski was one of fifteen fresh recruits sent to fill the vacancies in DC—the city marked thirty-second on his list.

Almost overnight Mularski went from managing furniture stores to working on some of the FBI’s most important, and highly classified, investigations. When, in 1999, a listening device was found in an office on the top floor of the State Department’s headquarters, he was part of the team that identified a Russian diplomat monitoring the transmitter from outside. In 2001, he helped bring down Robert Hanssen, a fellow counterespionage agent who’d been secretly spying for the KGB and its successor agency for twenty years.

It was heady work, but the secrecy chafed Mularski: He held a top-secret clearance and couldn’t talk about his job with outsiders—even his wife. So when headquarters announced openings for two experienced agents to kick-start an ambitious cybercrime initiative in Pittsburgh, he saw a chance to go home and step out of the shadows at the same time.

His new job wouldn’t be in an FBI office. He was assigned to the civilian office of an industry nonprofit group in Pittsburgh called the National Cyber Forensics and Training Alliance. The NCFTA had been formed by banks and Internet companies a couple of years earlier to track and analyze the latest scams targeting consumers online—mostly phishing attacks. Mularski’s job wouldn’t consist of chasing individual scams—in isolation, each round of phishing was too small to meet the FBI’s minimum loss threshold of $100,000. Rather, he would be looking for trends that pointed to a common culprit—a group or a single hacker—responsible for a large number of cyberthefts. Then he’d shop the results to the various FBI field offices and, hopefully, hand off the investigation.

It was passive intelligence gathering, meticulous but unexciting. Mularski wasn’t in charge of the cases, and he never got the satisfaction of putting handcuffs on a bad guy. But for the first time in seven years, he could talk about his work with his wife over dinner.

Now he was back in the DC area for his first briefing on the carding scene. At the head of the room was Postal Inspector Greg Crabb, a solidly built man with world-weary eyes who worked in the post office’s international fraud unit. Crabb had stumbled upon the carding underground in 2002 while tracking a software counterfeiter with a sideline in credit card fraud. Since then, he’d been on the ground in twenty-five countries, working with local police to make busts and building a massive database of raw intelligence on the growing community: nicknames, IP addresses, instant messages, and e-mails of more than two thousand people. He’d become the government’s top expert on the scene, but the enormity of his crusade now threatened to overwhelm him. So he’d come to the FBI for help.

The briefing for about half a dozen FBI agents was held at a nondescript Calverton, Baltimore, office where the bureau ran its Innocent Images anti–child porn operation. Speaking slowly in a rumbling, midwestern twang, the postal inspector weighed each word like a parcel as he ran through the history of the scene: CardersLibrary spawning CarderPlanet, the legend of King Arthur, the influence of the Russians and Ukrainians, and the rise and fall of Shadowcrew. He threw up a screenshot of CarderPlanet to show the underground’s structure: A site operator was the don. Admins were capos. It was a metaphor to which the FBI was institutionally attuned; hackers were the new mafia.

Operation Firewall, Crabb explained, had left the carders scattered, paranoid, and disorganized. But they were rebuilding. And unlike before, with Shadowcrew, there was no singular target to go after. Instead, a slew of new, smaller forums was popping up. Crabb didn’t say it, but the Secret Service had treated the carders with half a dose of penicillin; the survivors were immune and plentiful.

Mularski hung on every word. In his brief time at the NCFTA, the agent had seen patterns in the raw intelligence bubbling up from the underground: references to nicknames, coded messages, and forums. It made sense now. It was the carders organizing themselves again.

When Crabb wrapped up his talk and the other agents began to file out, Mularski approached the postal inspector at the head of the table and extended his hand enthusiastically. “This stuff is fascinating,” he said. “I’d love to work with you. I’d love to partner up with you.”

Crabb was surprised by the suggestion; in his experience, a more typical proposal from an FBI agent might take the form “Give me all your information. Thanks, bye.” He met with Mularski and his boss privately and gave the agents a more thorough rundown on the carder scene.

Mularski returned to Pittsburgh, his head swimming. He’d thought he’d left behind the world of Russian spies, double agents, and secret identities. He’d been wrong. And the safe, satisfying routine of his new job was about to be shattered.

19
Carders Market

Try as he might, Max couldn’t get situated on any of the new forums sprouting in Shadowcrew’s ruins. They were all corrupt, run by dumps vendors hostile to outside competition. In a way, it was a blessing. He could never really trust any of the sites; he knew all too well that the scene was rank with cops and informants.

He finally made up his mind that if he was going to vend, the only sensible venue would be a site he personally controlled. Still thinking of himself as Robin Hood, he came up with the perfect name for his own forum: Sherwood Forest.

Chris approved of the plan—he liked the idea of vending his counterfeit credit cards and driver’s licenses in a safe environment—but hated the name. As an exercise in branding, “Sherwood Forest” wasn’t going to cut it for a criminal marketplace. The partners went back to the drawing board, and in June 2005 Max used a fake name and bogus address in Anaheim to register Cardersmarket.com.

It was a critical time for Max: He was near the end of his federal supervised release, and if he could make it until midnight, October 10, 2005, he would be a free agent, no longer obliged to play the role of an underemployed computer consultant for the benefit of his probation officer.

It should have been easy enough to survive a few more months. Besides Chris, there were only two people who knew about Max’s double life, both Chris’s friends: Jeff Norminton and Werner Janer, the real estate fraudster who wrote Charity a $5,000 check that helped bootstrap Max’s hacking operation.

Then, in September 2005, Werner Janer got busted.

Since hooking up with Max, Chris had been dropping Janer a few cards here and there—maybe eighty over three years—in exchange for 10 percent of whatever Janer netted from his in-store purchases. That month Janer asked for another batch of two dozen cards—a money shortage had forced him to sell the family home in Los Angeles, and he’d moved to Westport, Connecticut, to make a new start of it. Soon after his arrival he was robbed by a criminal associate of nearly all the proceeds of the house sale, and he needed an income boost to support himself and his wife and three children.

When Chris’s FedEx arrived, Janer, an avid watch collector, headed straight to Richard’s of Greenwich, a men’s clothing and accessory store that kept an inventory of high-end timepieces. Janer had quality plastic and a matching driver’s license in his pocket, all bearing the name Stephen Leahy. What he didn’t have was a knack for carding. He selected not one, not two, but four Anonimo watches, each worth between $1,000 and $3,000, and asked the store owner to ring each of them up separately on four different Visa cards, which he conspicuously pulled from a deck of a dozen. Two of the hefty transactions were declined, so Janer left with two watches worth a total of $5,777, charged to two Bank of America cards.

A patrol car pulled over Janer about two miles away. While the cops looked over Janer’s genuine driver’s license and asked him if he’d been watch shopping recently, a second cruiser drove by with the store owner in the passenger seat. He eyed Janer and confirmed that they had the right guy.

The cops arrested Janer and searched his car, pulling out the watches, twenty-eight credit cards, and six California driver’s licenses, each with a different name. When detectives served a search warrant on his house they found more watches and a .22-caliber Walther P22 handgun.

The gun was bad news. Instead of a larceny charge and a probation violation Janer was now facing a federal beef for being a felon in possession of a firearm. Janer wasted no time in offering to lead the feds to the source of the counterfeit cards. In the standard arrangement for snitches, the government agreed to let Janer “proffer” his information under a limited grant of immunity: Nothing he said would be used directly against him. If they found it useful—if it led to arrests—they’d consider recommending a reduced sentence on his gun-possession charge.

In two proffer sessions totaling nearly eight hours, Janer spilled his guts to a local Secret Service agent and a federal prosecutor. He told them about Chris Aragon, his ring of cashers, and “Max the Hacker,” a six-foot-five computer genius who’d been cracking banks from San Francisco hotel rooms.

He didn’t know Max’s last name, he said, but he’d once written a check to the hacker’s girlfriend for $5,000. Her name was Charity Majors.

The Secret Service wrote up the interviews and entered the data into the agency’s computer, but the agency never followed up on the information, and prosecutors declined to grant Janer any special consideration. He was sentenced to twenty-seven months in prison.

Max Vision had dodged a bullet. Janer’s statements sank into a giant government computer—they might as well have been stashed in the cavernous warehouse in the final scene of Raiders of the Lost Ark. As long as nobody had occasion to dig them up, Max was safe.

Meanwhile, Max began the process of getting Carders Market up and running. He had plenty of experience setting up legitimate websites, but starting a crime site would take special preparations. For one thing, he couldn’t just put the Carders Market server on the floor of his safe house—that would make him a sitting duck.

He hacked into a Florida data center run by Affinity Internet and installed a VMware virtual machine on one of its servers—secreting an entire simulated computer on one of its systems. His hidden server grabbed an unused Internet address from Affinity’s pool of addresses. The site would be a ghost ship, not officially owned or operated by anyone.

Max played with different Internet forum software and finally settled on the flexible package vBulletin. He spent months customizing the layout and designing his own templates for the look and feel of the site, styling it in shades of gray and muted gold. The work felt satisfying. For the first time in years, he was creating something instead of stealing. It was just like setting up Whitehats.com, except in those ways in which it was the opposite.

Finally, on the one-year anniversary of the Operation Firewall raids, he conjured a new name in his ever-changing lineup of noms de guerre: Iceman. He chose the handle in part for its commonality: There were lots of Icemen in the underground—there’d even been one on Shadowcrew. If law enforcement tried to track him down, they’d find several mirages on their radar.

Max, as Iceman, launched Cardersmarket.com in late 2005 with little fanfare. Chris joined as the first coadministrator, inventing the handle EasyLivin’ for the site. From their careful observation of Shadowcrew and the splinter forums that followed, Max and Chris knew that the key to gaining acceptance was to appoint big names who could help run the board and attract still more heavy hitters from their circle of friends. The partners soon managed to draw two household names from the Shadowcrew diaspora.

Bradley Anderson, a forty-one-year-old Cincinnati bachelor, was their first pick. Anderson was a legend as “ncXVI,” a fake-ID expert and author of the self-published book Shedding Skin, the bible of identity reinvention. Their second recruit was Brett Shannon Johnson, thirty-five, a Charleston, South Carolina, identity thief famous online as “Gollumfun,” a founder of both Counterfeit Library and Shadowcrew who’d retired from the latter site before the Secret Service swept in.

After vanishing from the scene for over a year, Johnson was crawling out of retirement—Chris’s sidekick John Giannone had spotted him online that spring and struck up a conversation on ICQ, bringing him up to date on the latest busts and gossip.

Giannone wound up selling Johnson twenty-nine of Max’s dumps for an easy six hundred bucks, then introduced him to Max, who sold him another five hundred cards. “I can see that you and I are going to be doing some good business in the future,” Johnson had told Max.

Johnson accepted Max’s and Chris’s invitation to become an admin on Carders Market, lending the site the experience and contacts of the only Shadowcrew administrator to survive Operation Firewall.

Giannone joined Carders Market as “Zebra,” and Max created a second, secret identity for himself, “Digits.” The alternate handle was a keystone in Max’s new business strategy. Shadowcrew had fallen because prosecutors proved that the founders were themselves buying, selling, and using stolen data—running an informational website wasn’t, in and of itself, illegal, Max reasoned. So Iceman would be the public face of Carders Market but would never buy or sell stolen data. Digits, his alter ego, would handle that, vending the dumps Max was siphoning from the Vancouver pizza joint to anyone who could afford them.

To complete his vision for the site, Max needed one more admin with a particular qualification: a command of the Russian language. He wanted to repair the rift that Operation Firewall had torn between Eastern European carders and their Western counterparts. Two Russian Shadowcrew members had fallen into Cumbajohnny’s VPN trap, and the whole affair had left the Russians deeply suspicious of English-speaking forums.

Max resolved that Carders Market would distinguish itself by having an Eastern European section moderated by a native Russian speaker. He just needed to find one.

Chris offered to help out, and Max accepted. If there was one thing that Chris had proven to his partner, it was that he knew how to recruit new talent.

20
The Starlight Room

Nine chandeliers hung over the lush velvet booths at Harry Denton’s Starlight Room, the light scattering off a two-hundred-pound mirror ball suspended over the dance floor. Heavy crimson drapes parted from the picture windows like a stage, revealing the glimmering San Francisco skyline beyond.

Positioned on the twenty-first floor of the Sir Francis Drake Hotel, the Starlight Room was an opulent fixture in the city’s teeming nightlife—a flashback to 1930s style, strewn with deep red and gold damask and hand-rubbed silk. More garish than hip, the club kept people coming by hosting regular theme nights. This was Russian Wednesday, and tuxedoed servers were pouring vodka shots at the crowded bar while music from the motherland spilled over the crowd.

In the ladies’ room, Tsengeltsetseg Tsetsendelger was being kissed. Tipsy from a night out, the young Mongolian immigrant wasn’t sure how it happened, or why, but a pretty five-foot-four girl with tumbling brown hair had decided to kiss her. Then Tsengeltsetseg blinked. There was another, identical woman beside her.

Michelle and Liz introduced themselves, and a wide, unaffected pumpkin smile crept onto Tsengeltsetseg’s face. She told the Esquere twins that they could call her “Tea.”

Tea was a regular at Russian Night and fluent in both Russian and English. Born in northern Mongolia at a time when the country was still under Soviet influence, she’d learned Russian in school—until the Soviet empire collapsed and Mongolia’s prime minister declared English the landlocked nation’s official second language.

Looking for adventure and the proverbial better way of life, she won a student visa and emigrated to the United States in 2001. Her first thought upon landing at Los Angeles International Airport that summer was that Americans were awfully fat, but when she got out into the city she was more impressed; she enjoyed beautiful people, and L.A. was filled with them.

After one semester at a community college in Torrance, she moved to the Bay Area and got her green card. Now she was attending classes at Peralta College in Oakland, paying her rent and tuition by dishing ice cream at Fenton’s Creamery.

Liz seemed strangely delighted to learn that Tea spoke Russian. The twins bought her a drink and then suggested they continue the party with some friends at their hotel four blocks away. It was after midnight when they got to Chris Aragon’s suite at the luxe Clift Hotel near Union Square. Chris was relaxing there; Tea was struck at once by how handsome he was. He seemed interested in her as well, particularly after the twins mentioned that Tea knew Russian. Joined by two of Chris’s female employees, they opened some booze and hung out until the small hours of the morning, when the girls all left to go to their own rooms and Tea crashed in Chris’s for the night.

She was still shaking off sleep the next morning when the room became a hive of activity. Liz and a handful of other attractive young women—all alert and cleanly scrubbed after their night of partying—began popping in and out, receiving envelopes and cryptic instructions from Chris.* They came and went all day, picking up more envelopes, dropping off department store shopping bags, sometimes lingering for a time before departing again. The party atmosphere hung in the air, but there was a nervous, excited edge to it now that made Tea curious—but not so curious as to pry.

When the sun had set and the gang had gathered back at the suite, Tea said her good-byes; she had to go home to the East Bay, to be at work at the ice-cream parlor in the morning.

Chris had a better idea. He was starting a website with a business partner—“Sam”—and they happened to be in need of a full-time Russian translator. It would pay better than spooning out Coffee Cookie Dream to yuppies all day.

“Don’t go,” said Liz. “You’ll make more money with us.”

Tea looked over her pretty new friends. They reminded her of the New Russians who had emerged following the collapse of the Soviet regime, flush with suspiciously acquired wealth, consuming with more hunger than taste. She liked Chris, though—he seemed different. And an Internet translating job would grant her the freedom and flexibility to focus on her college studies. She said yes.

The next day, Chris packed up his team for the next leg in their travels, a road trip to Vegas. Tea, he said, should meet them there for more fun. He told her to get a Yahoo! e-mail account, and he’d send her flight information once they’d arrived.

Back in her apartment, the whole adventure felt like a strange dream. But the next day, Tea had a confirmation number for her prepaid flight to Las Vegas in her Yahoo! inbox. She packed a bag and headed to the airport.

Chris relocated Tea to his own neighborhood and paid for her to rent an apartment in her real name in Dana Point, a coastal town in southern Orange County. At the end of a quiet, winding cul-de-sac, painted an Umbrian orange with Spanish tiles combing the roof, the “Tea House,” as he dubbed it, was a world away from the Mongolian city where Tea grew up.

They made love on her new bed, and afterward, Chris left $40 on the nightstand so she could get her nails done. Tea’s feelings were hurt. She wasn’t a hooker. She was falling in love.

Chris and his team moved his card-printing gear from Villa Siena into the Dana Point apartment’s attached garage—the Tea House would be his new plant and party house, as well as the base of operations for Tea’s twenty-four-hour-a-day job on Carders Market. Her task would be to haunt the Eastern European carder forums, like Mazafaka and Cardingworld, and summarize what was happening there for the Russian section of Carders Market.

She’d need a “nick,” Chris explained, a handle or nickname for her online alter-ego. She decided on “Alenka,” the name of a Russian candy.

Alenka went to work at once, glued to the monitor at the Tea House day and night, doing her best to lure the high-powered Russians onto the site run by Chris and “Sam,” the Whiz.

* Liz was one of Chris Aragon’s cashers, but there’s no evidence that her sister Michelle was involved.

21
Master Splyntr

Taking up one floor of a lime-green office building on the bank of the Monongahela River, the National Cyber Forensics and Training Alliance was far removed from the cloistered secrecy of Washington’s intelligence community, where Mularski had cut his teeth. Here, dozens of security experts from banks and technology companies worked alongside students from nearby Carnegie Mellon University in a cluster of neat cubicles, surrounded by a ring of offices that followed the smoked-glass walls around the building. With Aeron chairs and dry-erase boards, the office had the feel of one of the technology companies that provided the NCFTA with the bulk of its funds. The FBI had made a few changes before moving in, transforming one office into an electronic communications room, packed with government-approved computer and crypto gear to securely communicate with Washington.

In his office, Mularski looked over a “linkchart” Crabb, the postal inspector, had e-mailed him—a massive organization schematic showing the disparate connections among 125 hard targets in the underground. Mularski realized he’d been going about it all wrong by waiting for a crime, then working to track it back to the culprit. The criminals weren’t hiding at all. They were advertising their services on the forums. That made them vulnerable, in the same way the New York and Chicago Mafia’s rituals and strict hierarchy had given the FBI a roadmap to crack down on the mob decades before.

All he had to do now was join the carders.

He selected a forum from a list provided by Crabb and clicked on the account registration link. Under Justice Department regulations, Mularski could infiltrate the forums without approval from Washington, provided he observed strict limits on his activities. To maintain his cover, he could post messages to the forum bulletin boards, but he couldn’t engage anyone directly; he would be permitted no more than three “substantive contacts” with any other forum member. Participating in crimes, or making controlled buys from a vendor, was out of the question. It could be an intelligence-gathering operation only; he would be a sponge, soaking up information about his adversaries.

As soon as he connected, he was confronted with his first important strategic decision: What would his hacker handle be? Mularski went with his gut. Inspired by the Saturday morning cartoon Teenage Mutant Ninja Turtles, the agent settled on the moniker of the sewer-dwelling karate champs’ rodent sensei, a biped rat called Master Splinter. For uniqueness, and a hackerish timbre, he spelled his surname without major vowels.

So in July 2005, Master Splyntr signed up for his first crime forum, CarderPortal, laughing to himself over the poetry in assuming the name of an underground rat.

Mularski was soon playing the carder forums like a chessboard, drawing on the NCFTA’s stream of scam data for his opening moves.

The center was plugged directly into the antifraud efforts at banks and e-commerce sites, so when a new criminal innovation showed up, Mularski knew about it. He posted about the schemes on CarderPortal, portraying them as his own inventions. The experienced crooks marveled at the newcomer who’d independently reinvented their newest tricks. And when the scams eventually became public in the press, the newbies remembered they’d heard it first from Master Splyntr.

In the meantime, the FBI agent was soaking up the history of the forums while honing his prose to affect the cynical, profanity-laced style of the underground.

After a few months, Mularski faced the first challenge to his intelligence-gathering operation. The initial crop of forums that grew from the detritus of Shadowcrew had been wide open to new members—spooked by Operation Firewall, many scammers had adopted new handles, and without reputations to trade on there’d been no way for carders to vet one another. Now that was changing. A new breed of “vouched” forums was emerging. The only way to get on them was to win the sponsorship of two existing members. Constrained by the Justice Department’s guidelines, Mularski had deliberately avoided forming direct relationships in the underground. Who would vouch for him?

Borrowing a page from a Robert Ludlum novel, Mularski decided Master Splyntr needed a background legend that could propel him into the new crime boards. His thoughts turned to a Europe-based antispam organization called Spamhaus that he’d worked with as part of previous FBI initiatives.

Founded in 1998 by a former musician, Spamhaus charts the ever-changing lineup of Internet addresses spewing garbage into consumers’ in-boxes; its database of spam sources is used by two-thirds of the world’s ISPs as a blacklist. Of more interest to Mularski was the organization’s public most-wanted list of notorious spammers. Peopled by the likes of Alan “Spam King” Ralsky and the Russian Leo “BadCow” Kuvayev, the Registry of Known Spam Operations, or ROKSO, is second only to a federal grand jury indictment on the list of places an Internet scammer doesn’t want to see his name.

Mularski phoned up founder Steve Linford in Monaco to explain his scheme: He wanted to be on ROKSO—or, at least, he wanted Master Splyntr there. Linford agreed, and Mularski went to work crafting his background story. The best lies hew to the truth, so Mularski decided to make
  4926. Splyntr a Polish spammer. Mularski was descended on his
  4927. father’s side from Polish immigrants—his bureau-issue
  4928. button-down concealed a tattoo on his left arm of the Orzel
  4929. Bialy, the white eagle with golden beak and talons that
  4930. adorns Poland’s coat of arms. Mularski would locate
  4931. Master Splyntr in Warsaw; he’d visited Poland’s capital and
  4932. could roughly describe its landmarks if pressed.
  4933. In August, the ROKSO listing went live, for the first time
  4934. stapling a “real” name to Mularski’s cartoon-inspired alter
  4935. ego.
  4936. Pavel Kaminski aka “Master Splyntr” runs a loosely
  4937. organized spam and scam crew from Eastern Europe.
  4938. Possibly a BadCow affiliate. He is linked to: proxy
  4939. spam; phishing; pump’n’dump; javascript exploits;
  4940. carder forums; botnets.
  4941. The profile included samples of scammy spam
  4942. messages supposedly sent out by “Pavel Kaminski,”
  4943. handcrafted by Spamhaus, and an analysis of his hosting
  4944. arrangements.
  4945. Now the carders who Googled Master Splyntr could see
  4946. for themselves that he was the real deal, a bona fide
  4947. Eastern European cybercrook with sticky fingers in a lot of
  4948. pies. When Mularski logged on to CarderPortal, he found
  4949. business proposals waiting in his in-box from crooks
  4950. hoping to partner with him. Still not allowed to engage any
  4951. suspects, he blew them off sneeringly.
  4952. You’re not much of a player, he’d write back. I don’t want
  4953. to deal with you because I’m a professional and you’re
  4954. obviously a newbie at this. To rebuff upper-echelon
  4955. scammers, he challenged their pocketbooks: You don’t
  4956. have enough money to invest in what I’m doing.
  4957. Like an unattainable girl on prom night, Master Splytnr’s
  4958. aloofness only made him more attractive. When a new site
  4959. called the International Association for the Advancement of
  4960. Criminal Activity launched as a closed forum, he posted a
  4961. simple note—Hey, I need a vouch—and two existing
  4962. members spoke up for him solely on the strength of his
  4963. reputation.
  4964. He was vouched on Theft Services next, then
  4965. CardersArmy. In November 2005, he was one of the first
  4966. members invited to a brand-new forum called
  4967. Darkmarket.ws.
  4968. A few months later, another, competing site got big
  4969. enough to cross his radar, and Master Splyntr joined
  4970. Cardersmarket.com.

22
Enemies

Jonathan Giannone was learning that loss of privacy was the cost of doing business with Iceman.

He’d been working with the mystery hacker for over a year—mostly acquiring servers that Iceman used in his vulnerability scanning—and he was still constantly under Iceman’s electronic scrutiny. One day, the hacker sent Giannone a link purporting to be a CNN article about computer problems at JetBlue, the airline that had rebuffed Giannone’s long-ago extortion attempt. Giannone clicked on the link without thinking, and, just like that, Iceman was on his computer again. Client-side attacks for the win.

Giannone began routinely checking his computer for malware but couldn’t keep up with Iceman’s intrusions. Max got ahold of Giannone’s United Airlines Mileage Plus password and began tracking his movements around the world—Giannone was a serious air travel aficionado who’d sometimes fly just to accumulate miles. When he’d land at San Francisco International, he’d find a text message from Iceman waiting for him on his cell. “Why are you in San Francisco?”

It might have been amusing if it weren’t for Iceman’s frightening mood swings. He could turn on you in a minute—one day you’d be his best friend, his “number one guy”; the next he’d be convinced you were a snitch, a ripper, or worse. He wrote Giannone long, unprompted e-mail diatribes, laundry lists of grievances against Chris or various members of the carding community.

It was jealousy, Giannone figured. While he and Chris were partying in Vegas and the OC, Iceman was locked in his apartment, working like a dog. Indeed, the hacker’s outbursts often coincided with one of Giannone’s California sojourns. In June 2005, Iceman picked a fight as Giannone boarded an early morning flight to Orange County—Iceman was taking him to task for some oversight in one of their joint operations. The first message hit Giannone’s BlackBerry at six a.m.—three in the morning San Francisco time—and the texts continued nonstop for 2,500 miles before Iceman finally fell silent as the plane landed. When Giannone checked his e-mail later, he found dozens of apologetic letters from the hacker. “Sorry, I apologize. I was bugging out.”

On an earlier occasion, in September 2004, Giannone told Iceman he was about to fly out to visit Chris, and Max remarked cryptically that he could prevent the trip if he wanted to. Giannone laughed. But an hour and a half into his flight, the plane suddenly turned around and headed for Chicago. As the airliner set down at O’Hare, the captain explained that the Los Angeles air traffic control center had gone dark, necessitating the change in itinerary.

It turned out a computer error was responsible. There was a known bug in the Windows-based radio control system at the Los Angeles Air Route Traffic Control Center in Palmdale, which required technicians to reboot the machine every 49.7 days. They’d missed a reboot, and a backup system had failed at the same time. The outage resulted in hundreds of flights being grounded and five incidents of airplanes drifting closer to each other than safety regulations permit. No foul play was discovered, but years later, when the full range of Max Vision’s powers became clear, Giannone would find himself wondering if Iceman hadn’t cracked the FAA’s computers and crippled Los Angeles, just to stop him from going clubbing with Chris.

Giannone finally took radical measures to try to keep Iceman out of his stuff: He bought an Apple. Iceman could penetrate just about anything. But Giannone was pretty sure he couldn’t hack Macs.

While Max kept up surveillance of his crime partners, Carders Market began slowly generating buzz, intensified by the mysterious swagger of its founders. As Iceman and Easylivin’, Max and Chris were unknown quantities among their fellow crooks, but experienced carders could practically smell the confidence and street smarts in their posts.

In Seattle, word of the new site reached Dave “El Mariachi” Thomas, the former FBI asset who, like Max, had tried to blow the whistle on Operation Firewall. Thomas had been feeling adrift since the feds pulled the plug on his intelligence-gathering operation, and he was looking for a new online home.

Wary at first, Thomas registered under a fake handle. But when Iceman invited a public discussion of Carders Market’s philosophy and charter, Thomas dove in, opining in detail on the course the site should follow to nurture successful ops while avoiding Shadowcrew’s fate.

At first, Chris and Max thought Thomas might be a valuable contributor. But they soon detected that he had a beef with one of their handpicked admins, Brett “Gollumfun” Johnson.

Rumors had been swirling about Johnson since his return to the scene—you don’t just disappear for two years and then come back onto the carder forums as though nothing has happened. In August, a hacker called “Manus Dei”—the Hand of God—added fuel to the fire when he cracked Johnson’s e-mail account and posted a blistering profile of the carder on a Google Group called FEDwatch. The writeup gave Johnson’s real name, his current address in Ohio, and a slew of personal details stolen from his in-box. Among the revelations: Johnson had been corresponding with a New York Times reporter about the carding scene and had registered a mysterious domain name, Anglerphish.com—perhaps in preparation for starting his own site.

There was nothing to suggest that Johnson was snitching, though, and neither Max nor Chris had been particularly alarmed by the info dump. Thomas, on the other hand, was now convinced the Shadowcrew founder was an informant. After all, Johnson had announced his retirement before Operation Firewall and then reappeared afterward with no real explanation.

The last thing Chris and Max needed on their emerging site was a shootout between two old-school carders with a Shadowcrew-era grudge. Still possessed by an entrepreneurial pride, Chris wanted the site to be the best crime forum possible. So he reached out to Thomas by ICQ to try to head off trouble.

“I’m not going to entertain any drama about Gollumfun, or others, who is a rat who isn’t a rat,” Chris wrote. “I just want a clean nice board so we can have a safe place to play.”

Chris promised he’d give Johnson the same message: Play nice. It was Conflict Resolution 101. He followed the paternalistic lecture by asking Thomas’s advice on running a successful forum—showing the elder carder respect for his years of experience. But to make sure his admonition was taken seriously, Chris added a warning. “We are not kids dude,” he wrote. “We are very old school. And we are very good at what we do.”

Thomas promised to behave, adding that he’d do his best to help make Carders Market the drama-free forum everyone wanted. But secretly, a hard pit of suspicion was forming in his gut. Why would anybody defend Brett Johnson, who was so obviously a snitch?

He noticed that Easylivin’ was using an old version of ICQ that leaked an Internet IP address. Thomas tried to trace the address and wound up in Boston, a known hotbed of federal informants. Carders Market’s hosting was based in Ft. Lauderdale, Florida, another perfect place to run an undercover operation. And the phone number on the domain name listing went to a police department in California, albeit in a different area code. That was probably a coincidence, but who knows?

When he was done adding up the evidence, he felt sick to his stomach. Carders Market was a federal sting. It was obvious now. He vowed to himself that he’d do everything he could to destroy the new site and bring down the old-school assholes Easylivin’ and Iceman.

23
Anglerphish

Max was developing suspicions of his own about Brett Johnson. He began keeping a close eye on the admin on Carders Market, checking his access logs and scouring his private messages. For good measure, he hacked into Johnson’s account on the International Association for the Advancement of Criminal Activity, IAACA, and reviewed his activity there. He found no smoking gun.

Could he really have brought an informant into the inner circle of his new crime site?

The problem was that there was no reliable test to determine if Johnson, or anyone else, was working for the government. Max wanted one badly—a jurisprudence security hole, like the buffer overflow in BIND, that he could use over and over again on anyone he suspected. If (is_snitch(Gollumfun)) ban(Gollumfun);. He confided in David Thomas, not realizing that Thomas had already put Iceman on his mile-long enemies list.

At one point in checking him out, he sent us some PayPal fulls that were valid, which I pegged as illegal. It made me think, okay, this guy isn’t a fed or fed lackey. This is very important for me to find out, because it is how I have been making trust decisions. We have it in mind to have a lawyer give us the definitive answer, my partner said he was on that and would find out. I am skeptical that we’ll ever get a straight answer though, because lawyers seem to enjoy taking your money and providing you heuristic guesses rather than concrete facts. Maybe I’ve just had bad lawyers.

I would really like to know a specific way that I can find something a cop or CI can’t do. Something that if they do it, their cases are all thrown out 100%. What a holy grail. So far I have been living as though “doing a criminal act” disqualifies them. Like people who smoke a joint with someone to make sure that person isn’t a cop. Or a hooker who asks her john, “Are you a cop? You know you have to tell me if you are.”

Brett Johnson was indeed dirty. But contrary to suspicions, his return to crime in the post-Firewall era hadn’t started as a snitching expedition. It had all begun with a girl.

Johnson’s crime and cocaine habits had driven away his wife of nine years—she threw out his MSR206 on her way out the door—and he’d been seeing a psychologist to cope with the loss. Then he met Elizabeth in a North Carolina bar. She was a twenty-four-year-old exotic dancer at a local strip club, and for Johnson it was love at first sight. He burned through his savings to buy her gifts, a $1,500 purse here, a $600 pair of shoes there, and she moved in with him after five months. But when they had sex for the first time, she wouldn’t let him kiss her.

Johnson’s darkest suspicions were confirmed when he located Elizabeth on a website on which men post reviews of strippers and prostitutes. There it was, line after line of disgusting detail about the services his girlfriend had been providing in exchange for cocaine and cash. He confronted her with the evidence, and she tearfully promised to quit the drugs and the prostitution.

Hoping to wrench her from the patterns of her old life, Johnson showered Elizabeth with more gifts and expensive dinners out. It was that, and not any hidden agenda, that impelled his return from retirement. He needed the money, plain and simple.

The luck that had seen him through Operation Firewall failed him on February 8, 2005, when Charleston, North Carolina, police busted him for using counterfeit Bank of America cashier’s checks to pay for Krugerrands and watches he won on eBay and had shipped COD to his drops. After a week of stewing in the Charleston County Detention Center, pining for Elizabeth, the Secret Service paid him a visit. Once he convinced them he was Gollumfun—the admin who got away when they dropped the hammer on Shadowcrew—they agreed to help him with his state case if he’d work for them.

The Secret Service had Johnson’s bail lowered to $10,000. When he bonded out, the agents moved him from Charleston to Columbia, South Carolina, where they rented him a corporate apartment and paid him a $50 per diem. Now he was a daily visitor to the Columbia field office, checking in at four p.m. and working until nine, taking the Secret Service deep into Carders Market and the other boards. Everything that crossed his computer was recorded and displayed simultaneously on a forty-two-inch plasma screen hanging on the wall of the office.

They called it Operation Anglerphish, and Johnson thought it would make a great book one day. That’s why he’d registered the domain name Anglerphish.com and opened up talks with a New York Times reporter. When Manus Dei cracked his e-mail and revealed those activities online, Johnson’s Secret Service handlers were irate. They promptly banned him from using computers away from the office and told him to cut off contact with the reporter. Elizabeth left him—her name and occupation had been exposed in the breach.

Then Iceman stripped Johnson of his privileged position in Carders Market, and crooks he’d known since the Counterfeit Library days started refusing to do business with him. Johnson was running out of credibility, and the Secret Service was running out of patience.

In late March 2006, the agents decided to act on one of Anglerphish’s only catches, a California identity thief who’d stolen at least $200,000 by e-filing bogus tax returns through H&R Block, then collecting the refunds himself. Johnson, an expert in that particular scam, had been talking with the crook online, and the Secret Service had traced the chats to the C&C Internet Café in Hollywood. A Los Angeles agent visited the coffee shop and sat two tables away while the man filed his fake returns.

But when local police and Secret Service agents raided the target’s Hollywood apartment, they found it had been cleaned out: no computers and not a shred of documentary evidence. The suspect had done everything but deep-clean the carpet and paint the walls.

Johnson’s handlers in Columbia already suspected their asset of leaking his informant status after the drama on Carders Market. Now they had reason to believe he’d tipped off the target of an impending raid. They brought in a polygraph examiner and strapped Johnson to the box.

The needles were steady as Johnson answered the first two questions: Did he contact the target? Did he have anyone else contact the target? No and no. The final question was broader: Did Johnson have any unauthorized contact with anyone? “No,” he said again, his galvanic skin response skittering up the chart.

Despite the agents’ admonishments, Johnson had secretly continued his talks with the New York Times reporter, he admitted, and he was very serious about getting a book deal. The feds interrogated him until two in the morning, then had him sign a form consenting to a search of his agency-funded apartment.

Tossing the apartment was like an Easter egg hunt. The agents found a stored value card in a shoe in the bedroom closet. A memo book containing account numbers, PINs, and identity information was in a toiletry kit in the bathroom. A sock stuffed in a pair of men’s pants in the closet contained sixty-three ATM cards. A Rubbermaid bowl at the bottom of the laundry bin was keeping fresh nearly two thousand dollars in cash. Finally, there were loaded Kinko’s payment cards; Johnson had been buying computer time at the local copy shop.

He’d been leading a triple life almost from the start of his service to the agency, posing as a crook at the Columbia field office and pulling his own very real capers in his off hours.

Johnson’s specialty was the same scam the Los Angeles target had been carrying out. He’d mine victims’ Social Security numbers from online databases, including California’s Death Index of recently departed Golden State residents, then file bogus tax returns on their behalf, directing the refunds into prepaid debit cards that could be used for ATM withdrawals. He’d pulled in more than $130,000 in tax refunds under forty-one names, all under the nose of the Secret Service.

The agents phoned up Johnson’s bail bondsman and persuaded him to revoke the $10,000 bond that had set the fraudster free. Then they put Johnson back in the county jail.

After three days, Johnson’s handler showed up with a senior agent, who was not happy with the informant. “Before we begin, Brett, I just want to say that you are either going to tell us everything that you have done the past six years, or I’m going to make it my mission in life to fuck over you and your family,” the supervisor growled. “And I’m not just talking about these current charges. Once you get out, I will hound you for the rest of your life.”

Johnson refused to cooperate, and the agents stormed out. The U.S. Attorney’s Office started working on a federal indictment. But the swindler had one more trick up his sleeve. Two weeks later he managed to get his bond reinstated, bailed from the detention center, and promptly vanished.

Anglerphish was a debacle. After 1,500 hours of work, the government was left with a fugitive informant and tens of thousands of dollars in new fraud. There was only one silver lining: that first batch of twenty-nine platinum dumps Johnson had bought in May for $600.

The Secret Service had tracked some of the cards to a pizza parlor in Vancouver—a dead end. But the corporate Bank of America account the seller used to accept his payment belonged to one John Giannone, a twenty-one-year-old living in Rockville Centre on Long Island.
  5304.  
  5305. 24
  5306. Exposure
  5307. ea, these girls are white trash. Don’t be friends
  5308. with them,” said Chris. “Their minds are different.”
  5309. They were at Naan and Curry, a twenty-four-hour Indian
  5310. and Pakistani restaurant in San Francisco’s theater district.
  5311. It had been three months since Tea hooked up with Chris,
  5312. and she was with him for one of his monthly trips to the Bay
  5313. Area, where’d he’d meet his mysterious hacker friend
  5314. “Sam” just before dawn. They were only four blocks from
  5315. Max’s safe house now, but Tea wouldn’t be introduced to
  5316. the hacker on this trip or any other. Nobody met Sam in
  5317. person.
  5318. She was fascinated by how it all worked: the cashless
  5319. nature of the crime, the way Chris organized his crew. He’d
  5320. told her everything, once he thought she was ready, but
  5321. never asked her to hit the stores with the others. She was
  5322. special. He didn’t even like her hanging out with his cashing
  5323. crew, for fear that they’d somehow taint her personality.
  5324. Tea was also the only employee not being paid. After
  5325. she’d protested the $40 Chris left on the nightstand, Chris
  5326. concluded that Tea didn’t want any money from him at all,
  5327. despite the long hours she was spending on Carders
  5328. Market and the Russian crime boards. Chris was taking
  5329. care of the rent on the Tea House, buying her clothes, and
  5330. paying for her travel—but she found it a strange existence,
  5331. living online, traveling on confirmation numbers instead of
  5332. plane tickets. She’d become a ghost, her body in Orange
  5333. County, her mind more often projecting into Ukraine and
  5334. Russia, befriending organized cybercrime chieftains in her
  5335. role as Iceman’s emissary from the carding world of the
  5336. West.
  5337. Iceman, she’d decided, was pretty cool. He was always
  5338. respectful and friendly. When Chris and his partner got into
  5339. one of their fights, each man would whine and gossip about
  5340. the other to Tea over ICQ, like children. At one point,
  5341. Iceman sent her a bunch of dumps and suggested she go
  5342. into business for herself, a move that sent Chris into a
  5343. petulant rage.
  5344. As Chris and Tea chatted over Indian food, a tall man
  5345. with a ponytail walked in from the street and headed for the
  5346. cash register in back, his eyes flickering over them, just for
  5347. a moment, before he picked up a bag of takeout and left.
  5348. Chris smiled. “That was Sam.”
  5349. Back in Orange County, Chris’s counterfeiting operation
  5350. was earning enough for him to send his kids to private
  5351. schools, cover Tea’s apartment, and, in July, start
  5352. searching for a bigger and better home for himself and his
  5353. family. He went house-hunting with Giannone and found a
  5354. spacious rental—a two-story house in the coastal town of
  5355. Capistrano Beach at the end of a quiet cul-de-sac on a bluff
  5356. rising above the sandy beach. It was a family-friendly
  5357. neighborhood, basketball hoops hanging above garages
  5358. and a boat parked in a neighbor’s driveway. His move-in
  5359. date was July 15.
  5360. Giannone flew back out for the July 4 weekend—Chris’s
  5361. last holiday at his old condo—but wound up back at the Tea
  5362. House while Chris spent time with his family. It happened all
  5363. the time; Giannone would fly into John Wayne Airport,
  5364. expecting a weekend of clubbing with Chris, and instead
  5365. would end up holed up with one of the crew or be tasked
  5366. with babysitting Chris’s boys at his house. Tea was
  5367. tolerable, different from the cheap party girls cashing out
  5368. Chris’s cards, but time at the Dana Point apartment
  5369. dragged.
  5370. He phoned Chris and complained that he was bored.
  5371. “Come to the house,” Chris said. They were at the pool.
  5372. “The wife’s here with the kids.”
  5373. Giannone invited Tea, who’d never seen Chris’s condo
  5374. complex just four miles away. When they arrived, Chris,
  5375. Clara, and the two boys were splashing around in the pool,
  5376. enjoying the sun. Giannone and Tea said hello and made
  5377. themselves at home on some deck chairs.
  5378. Chris looked stunned. “I see you brought your friend,” he
  5379. said to Giannone testily.
  5380. Clara knew Giannone, the babysitter, but had never met
  5381. Tea. She looked at the stranger, then at Giannone, then
  5382. back at the Mongolian, awareness and anger creeping
  5383. over her face.
  5384. Giannone realized he’d made a blunder. The two women
  5385. looked uncannily alike. Tea was a younger version of
  5386. Chris’s wife, and at a glance, Clara knew her husband was
  5387. sleeping with this woman.
  5388. Chris pulled himself out of the pool and walked around to
  5389. where they were sitting, his face neutral. He squatted down
  5390. in front of Giannone, his hair dripping water onto the
  5391. concrete. “What are you doing?” he said in a low voice.
  5392. “Get out of here.”
  5393. They left. And for the first time since she joined up with
  5394. Chris Aragon and his gang, Tea felt dirty.
  5395. Chris wasn’t angry—he got a guilty, alpha-male pleasure
  5396. out of seeing Tea and Clara in the same place. But Tea’s
  5397. crush was becoming a problem. He had genuine affection
  5398. for her and her quirky ways, but she was becoming an
  5399. unwanted complication.
  5400. There was an ideal solution at his disposal. He bought
  5401. her a plane ticket to visit her home country for an extended
  5402. vacation, literally banishing his overardent paramour to
  5403. Outer Mongolia.
  5404. With Chris distracted by his tangled love life, Carders
  5405. Market was consuming more of Max’s time, and he still had
  5406. his business as “Digits” to run. He was working in the food
  5407. service industry now, and it was paying off big.
  5408. It had started in June 2006, when a serious security hole
  5409. emerged in the software RealVNC, for “virtual network
  5410. console”—a remote-control program used to administer
  5411. Windows machines over the Internet.
  5412. The bug was in the brief handshake sequence that opens
  5413. every new session between a VNC client and the RealVNC
  5414. server. A crucial part of the handshake comes when the
  5415. server and client negotiate the type of security to apply to
  5416. the session. It’s a two-step process: First, the RealVNC
  5417. server sends the client a shorthand list of the security
  5418. protocols the server is configured to support. The list is just
  5419. an array of numbers: [2,5], for example, means the server
  5420. supports VNC’s type 2 security, a relatively simple
  5421. password authentication scheme, and type 5, a fully
  5422. encrypted connection.
  5423. In the second step, the client tells the server which of the
  5424. offered security protocols it wants to use by sending back
  5425. its corresponding number, like ordering Chinese food off a
  5426. menu.
  5427. The problem was, RealVNC didn’t check the response
  5428. from the client to see if it was on the menu in the first place.
  5429. The client could send back any security type, even one the
  5430. server hadn’t offered, and the server unquestioningly
  5431. accepted it. That included type 1, which is almost never
  5432. offered, because type 1 is no security at all—it allows you
  5433. to log in to RealVNC with no password.
  5434. It was a simple matter to modify a VNC client to always
  5435. send back type 1, turning it into a skeleton key. An intruder
  5436. like Max could point his hacked software at any box running
  5437. the buggy RealVNC software and instantly enjoy unfettered
  5438. access to the machine.
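To make the negotiation flaw concrete from the defender's side, here is a small model of the RFB 3.7-style security handshake the text describes. This is an added example, not RealVNC's own code: the server's offer is one count byte followed by one byte per supported type, the client answers with a single byte, and the only difference between the broken and the fixed server is whether that byte is checked against the list the server actually sent. Type numbers 1 (None) and 2 (VNC Authentication) are the real RFB values; type 5 is used only as the "encrypted" option the text mentions.

```python
# Added example modelling the RFB 3.7-style security handshake described
# in the text; this is not RealVNC's own code. Types 1 and 2 are the real
# RFB values; type 5 is used only as the "encrypted" option the text names.
from typing import Iterable, List

SEC_NONE = 1          # no authentication at all (type 1 in the text)
SEC_VNC_AUTH = 2      # challenge/response password check (type 2)
SEC_ENCRYPTED = 5     # label for the encrypted option the text calls type 5


def build_security_offer(offered: Iterable[int]) -> bytes:
    """Server -> client: one byte giving the count, then one byte per type."""
    types = list(offered)
    if not 1 <= len(types) <= 255:
        raise ValueError("offer must list between 1 and 255 security types")
    return bytes([len(types)]) + bytes(types)


def parse_security_offer(msg: bytes) -> List[int]:
    """Client side: decode the server's offer back into a list of types."""
    if len(msg) < 1 or len(msg) != 1 + msg[0]:
        raise ValueError("malformed security-type list")
    return list(msg[1:])


def negotiate_server_side(offered: Iterable[int], client_reply: bytes,
                          validate: bool = True) -> int:
    """Server side: read the client's one-byte choice.

    validate=False reproduces the flaw the text describes: whatever type
    the client names is accepted, including type 1 (no password), even
    though the server never offered it.
    validate=True is the fix: the choice must be one of the types the
    server actually put on the menu, otherwise the handshake is refused.
    """
    if len(client_reply) != 1:
        raise ValueError("client must answer with exactly one byte")
    chosen = client_reply[0]
    if validate and chosen not in set(offered):
        raise PermissionError(f"security type {chosen} was not offered")
    return chosen


def is_accepted(offered: Iterable[int], chosen: int,
                validate: bool = True) -> bool:
    """Convenience wrapper: does the server let this choice through?"""
    try:
        negotiate_server_side(offered, bytes([chosen]), validate)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    offer = build_security_offer([SEC_VNC_AUTH, SEC_ENCRYPTED])
    print("server offers", parse_security_offer(offer))
    # Unpatched behaviour: an unoffered type 1 is accepted.
    print("unchecked server accepts type 1:",
          is_accepted([SEC_VNC_AUTH, SEC_ENCRYPTED], SEC_NONE, validate=False))
    # Fixed behaviour: the server refuses anything not on its own list.
    print("checked server accepts type 1:",
          is_accepted([SEC_VNC_AUTH, SEC_ENCRYPTED], SEC_NONE))
```

The point for anyone reviewing a protocol implementation: a menu the server sends is only a menu if the server re-reads it when the order comes back. The fix is a one-line membership check on the server, and it is the same check a fuzzer or a code review would look for in any negotiate-then-choose handshake.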
  5439. Max started scanning for vulnerable RealVNC
  5440. installations as soon as he learned of this gaping hole. He
  5441. watched, stunned, as the results scrolled down his screen,
  5442. thousands of them: computers at homes and college
  5444. dorms; machines in Western Union offices, banks, and
  5445. hotel lobbies. He logged in to some at random; in one, he
  5446. found himself looking at the feeds from closed-circuit video
  5447. surveillance cameras in an office-building lobby. Another
  5448. was a computer at a Midwest police department, where he
  5449. could listen in on 911 calls. A third put him in a home
  5450. owner’s climate control system; he raised the temperature
  5451. ten degrees and moved on.
  5452. A tiny fraction of the systems were more interesting and
  5453. also familiar from his ongoing intrusion into the Pizza
  5454. Schmizza: They were restaurant point-of-sale systems.
  5455. They were money.
  5456. Unlike the simple dumb terminals sitting on the counters
  5457. of liquor stores and neighborhood grocers, restaurant
  5458. systems had become sophisticated all-in-one solutions that
  5459. handled everything from order taking to seating
  5460. arrangements, and they were all based on Microsoft
  5461. Windows. To support the machines remotely, service
  5462. vendors were installing them with commercial back doors,
  5463. including VNC. With his VNC skeleton key, Max could open
  5464. many of them at will.
  5465. So Max, who’d once scanned the entire U.S. military for
  5466. vulnerable servers, now had his computers trolling the
  5467. Internet day and night, finding and cracking pizza joints,
  5468. Italian ristorantes, French bistros, and American-style grills;
  5469. he harvested magstripe data everywhere he found it.
  5470. Under Visa-issued security standards, that shouldn’t
  5471. have been possible. In 2004 the company outlawed the use
  5472. of any point-of-sale system that stores magstripe data after
  5473. a transaction is complete. In an effort to comply with the
  5474. standards, all the major vendors produced patches that
  5475. would stop their systems from retaining the swipes. But
  5476. restaurants weren’t racing to install the upgrade, which in
  5477. some cases was a paid extra.
  5478. Max’s scanning machinery had several moving parts.
  5479. The first was aimed at finding VNC installations by
  5480. performing a high-speed “port sweep”—a standard
  5481. reconnaissance technique that relies on the Internet’s
  5482. openness and standardization.
  5483. From the start, the network’s protocols were designed to
  5484. let computers juggle a variety of different types of
  5485. connections simultaneously—today that can include e-mail,
  5486. Web traffic, file transfers, and hundreds of other more
  5487. esoteric services. To keep it all separate, a computer
  5488. initiates new connections with two pieces of information:
  5489. the IP address of the destination machine, and a virtual
  5490. “port” on that machine—a number from 0 to 65,535—that
  5491. identifies the type of service the connection is seeking. The
  5492. IP address is like a phone number, and a port is akin to a
  5493. telephone extension you read off to the switchboard
  5494. operator so he can send your call to the right desk.
  5495. Port numbers are standardized and published online. E-mail
  5496. software knows to connect to port 25 to send a
  5497. message; Web browsers connect to port 80 to retrieve a
  5498. website. If a connection on the specified port is refused, it’s
  5499. like an unanswered extension; the service you’re looking for
  5500. isn’t available at that IP address.
  5501. Max was interested in port 5900—the standard port for a
  5502. VNC server. He set his machines sweeping through broad
  5503. swaths of Internet address space, sending to each a single
  5504. sixty-four-byte synchronization packet that would test
  5505. whether port 5900 was open for service.
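The sweep just described leaves a distinctive footprint: one source sending a bare SYN (the "synchronization packet" of the text) to port 5900 on many different hosts within seconds. The following detection logic is an added example for the defender's side, not code from the book; it runs over constructed flow-log lines in an assumed format of "epoch src dst dport flags" and flags any source whose SYNs to the VNC port reached a threshold of distinct destinations inside one time window.

```python
# Added example: detection logic for the port sweep the text describes,
# run over constructed firewall/flow-log lines. Not code from the book.
# Assumed (constructed) log format: "<epoch> <src_ip> <dst_ip> <dport> <flags>".
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    flags: str


def parse_line(line: str) -> Optional[Flow]:
    """Parse one log line; malformed lines are skipped rather than fatal."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, flags = parts
    try:
        return Flow(int(ts), src, dst, int(dport), flags)
    except ValueError:
        return None


def detect_port_sweeps(lines: Iterable[str], port: int = 5900,
                       threshold: int = 20, window: int = 60) -> Dict[str, int]:
    """Return {src: distinct_destinations} for every source whose bare SYNs
    to `port` reached at least `threshold` distinct hosts inside one
    `window`-second bucket. Only pure SYN ("S") packets count: a completed
    handshake from an administrator is not a sweep."""
    buckets = defaultdict(set)  # (src, window index) -> set of destinations
    for line in lines:
        f = parse_line(line)
        if f is None or f.dport != port or f.flags != "S":
            continue
        buckets[(f.src, f.ts // window)].add(f.dst)
    hits: Dict[str, int] = {}
    for (src, _), dsts in buckets.items():
        if len(dsts) >= threshold:
            hits[src] = max(hits.get(src, 0), len(dsts))
    return hits


def build_sample_log() -> List[str]:
    """Constructed sample: one scanner touching 25 hosts on 5900 within two
    seconds, one administrator connecting to a single VNC server, and some
    unrelated web traffic. All addresses are documentation ranges."""
    lines = []
    for i in range(25):
        lines.append(f"{1150000000 + i // 16} 203.0.113.7 198.51.100.{i + 1} 5900 S")
    lines.append("1150000003 192.0.2.10 198.51.100.40 5900 S")  # legitimate admin
    lines.append("1150000003 192.0.2.10 198.51.100.40 5900 A")  # ...completing handshake
    lines += [f"1150000004 192.0.2.{k} 198.51.100.80 80 S" for k in range(1, 6)]
    return lines


if __name__ == "__main__":
    for src, count in detect_port_sweeps(build_sample_log()).items():
        print(f"possible VNC sweep from {src}: {count} distinct hosts")
```

The threshold and window are tuning knobs: a real deployment would set them from a baseline of normal VNC usage, and would typically run the same logic for any port that exposes a remote-control service, not only 5900.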
  5506. The addresses that answered his sweep streamed into a
  5507. PERL script Max wrote that connected to each machine
  5508. and tried to log in through the RealVNC bug. If the exploit
  5509. didn’t work, the script would try some common passwords:
  5510. “1234,” “vnc,” or an empty string.
  5511. If it got in, the program grabbed some preliminary
  5512. information about the computer: the name of the machine
  5513. and the resolution and color depth of the monitor. Max
  5514. snubbed computers with low-quality displays, on the
  5515. assumption that they were home PCs and not businesses.
  5516. It was a high-speed operation: Max was running on five or
  5518. six servers at once, each capable of zipping through a
  5519. Class B network, over sixty-five thousand addresses, in a
  5520. couple of seconds. His list of vulnerable VNC installations
  5521. grew by about ten thousand every day.
  5522. The point-of-sale systems were needles in a massive
  5523. haystack. He could spot some just from the name: “Aloha”
  5524. meant the machine was likely an Aloha POS made by
  5525. Atlanta-based Radiant Systems, his favorite target.
  5526. “Maitre’D” was a competing product from Posera Software
  5527. in Seattle. The rest of them took some guesswork. Any
  5528. machine with a name like “Server,” “Admin,” or “Manager”
  5529. needed a second look.
  5530. Slipping in over his VNC client, Max could see what was
  5531. on the computer’s screen as though standing right in front
  5532. of it. Since he worked at night, the display on the dormant
  5533. PC was usually dark, so he’d nudge his mouse to clear the
  5534. screen saver. If there was anyone in the room, it might have
  5535. been a little spooky: Remember that time your computer
  5536. monitor flipped on for no reason, and the cursor twitched? It
  5537. might have been Max Vision taking a quick look at your
  5538. screen.
  5539. That manual examination was the slow part. Max
  5540. recruited Tea to help out—he gave her a VNC client and
  5541. started feeding her lists of vulnerable machines, along with
  5542. instructions on what to look for. Soon, Max was wired into
  5543. eateries throughout America. A Burger King in Texas. A
  5544. sports bar in Montana. A trendy nightclub in Florida. A
  5545. California grill. He moved up to Canada and found still
  5546. more.
  5547. Max had gotten his start vending by stealing the dumps
  5548. from a single restaurant. Now he had as many as a hundred
  5549. feeding him credit card data in nearly real time. Digits
  5550. would be doing a lot more business.
  5551. With so much work to be done, Dave “El Mariachi” Thomas
  5552. had chosen a bad time to become a real pain in Iceman’s
  5553. ass. In June, Thomas did something nearly unheard of in
  5554. the insular computer underground: He took their dispute off
  5555. the forums and into public, civilian cyberspace, attacking
  5556. Carders Market in the comments section of a widely read
  5557. computer security blog, where he accused Iceman of being
  5558. “LE”—law enforcement.
  5559. “Here is a site hosted in Ft Lauderdale Florida,” Thomas
  5560. wrote. “Matter of fact, it’s hosted right out of a guy’s house.
  5561. Yet, LE refuses to shutter them. Instead, this site promotes
  5562. vending of PINs and numbers and PayPals and eBays and
  5563. so forth, all the while LE looks on at all the players.
  5564. “LE claims they can’t do anything to a site hosted on U.S.
  5565. soil. Yet, truth be told, it’s LE running the site just like they
  5566. ran Shadowcrew.”
  5567. By highlighting Carders Market’s hosting arrangements,
  5568. Thomas was targeting Iceman’s Achilles’ heel. The site had
  5569. been purring along unmolested because Affinity didn’t
  5570. notice the illicit server among its tens of thousands of
  5571. legitimate hosted sites. El was working to change that,
  5572. lodging complaints with the company over and over again.
  5573. The tactic was lacking in logic: If Carders Market really was
  5574. under government control, the complaints would fall on deaf
  5575. ears; only if it was a real crime site would Affinity kick it off.
  5576. If Iceman drowns, then he’s not a witch.
  5577. A week after Thomas’s post, Affinity abruptly cut off
  5578. Carders Market. The shutdown angered Max; he’d had a
  5579. good thing going at ValueWeb. He searched overseas for
  5580. new, legitimate hosting that would stand up to El Mariachi,
  5581. approaching companies in China, Russia, India, and
  5582. Singapore. It always turned out the same way—they’d
  5583. demand some upfront money as the price of admission
  5584. and then roll a spool of red tape in front of the door, asking
  5585. for a passport and a business license or corporate papers.
  5586. “Couldn’t be because you have some STUPID FUCKING
  5587. NAME called CARDERS this or CARDERS MARKET that,
  5588. now could it?” Thomas wrote, taunting Iceman. “Maybe if
  5589. you didn’t scream ‘CARDERS WORK HERE,’ you could
  5591. get a small site going, and possibly grow to be the beast
  5592. you so desperately need to be.”
  5593. It was personal now: Thomas hated Iceman, whether he
  5594. was a fed or not, and the feeling had become mutual.
  5595. Max finally set up at Staminus, a California firm
  5596. specializing in high-bandwidth hosting resistant to DDoS
  5597. attacks. By then, Thomas was tearing into him in the
  5598. comments section of a random blog called “Life on the
  5599. Road.” The blogger had quoted Thomas’s comments about
  5600. Carders Market in a brief entry about the forums, unwittingly
  5601. volunteering his blog as the new battlefield in the El
  5602. Mariachi-versus-Iceman war.
  5603. Iceman picked up the gauntlet and posted a lengthy
  5604. public rebuttal to Thomas’s indictment, accusing his foe of
  5605. “hypocrisy and slander.”
  5606. CM is NOT a “crime board” or an “empire” or any
  5607. of this bullshit accusation. We are simply a forum that
  5608. chooses to allow discussion of financial crime. We
  5609. also lend authority in judging which members are real
  5610. and which are the fakes, but those are just our
  5611. opinions, we make no money from this service. We
  5612. are just a CARRIER for the information, a FORUM
  5613. through which this communication can occur without
  5614. oppression. CM is not involved in any crime
  5615. whatsoever. It is not illegal to operate a forum and
  5616. allow discussion.
  5617. Craigslist.com has people posting about
  5618. prostitution, drug hookups, and other obvious crime,
  5619. yet people don’t call craigslist a “hookers and blow
  5620. one stop shop” or a crime empire. It is recognized as a
  5621. CARRIER which is not responsible for the content of
  5622. posts therein. This is the state of Carders Market.
  5623. The spirited defense completely ignored the detailed
  5624. crime tutorials and review system on Carders Market, not
  5625. to mention the secret impetus for the site: to give Max a
  5626. place to sell stolen data.
  5627. Knowing his California hosting wouldn’t satisfy the
  5628. underground, Max resumed his search for an arrangement
  5629. overseas. The next month, he hacked himself a new server,
  5630. this time in a country as far from U.S. influence as any on
  5631. the Net—a nation unlikely to respond to complaints from
  5632. Dave Thomas or even the American government.
  5633. “Carders Market is now hosted in IRAN,” he announced
  5634. on August 11. “Registration is reopened.”
  5635.  
  5636. 25
  5637. Hostile Takeover
  5638. “Rapidity is the essence of war. Take advantage of
  5639. the enemy’s unreadiness, make your way by unexpected
  5640. routes, and attack unguarded spots.”
  5641. Max had been reading Sun Tzu’s The Art of War, using
  5642. the 2,600-year-old tome as his hacking manual. He
  5643. sketched out his plans on a pair of whiteboards in his safe
  5644. house; after some attrition and new entrants, there were
  5645. five English-language carding sites that mattered in the
  5646. underground, and that was four too many. He’d spent
  5647. weeks infiltrating his competitors: ScandinavianCarding,
  5648. the Vouched, TalkCash, and his chief rival, DarkMarket, the
  5649. UK-run site that emerged a month before Carders Market
  5650. and was building a powerful reputation as a ripper-free
  5651. zone.
  5652. In a way, Max’s plan to muscle in on the other forums was
  5653. coming from the white-hat side of his personality. The
  5654. status quo was working fine for Max the criminal—he
  5655. wasn’t greedy, and he was doing brisk business on
  5656. Carders Market. But the post-Shadowcrew carding scene
  5657. was broken, and when Max the white hat saw something
  5658. broken, he couldn’t resist fixing it—just as he’d done for the
  5659. Pentagon a few years earlier.
  5660. Ego played a role too. The whole carding world seemed
  5661. to think Iceman was just another forum administrator,
  5662. bankrupt of any skill except the ability to set up forum
  5663. software. Max saw a golden opportunity to show the
  5664. carders how wrong they were.
  5665. DarkMarket turned out to be an unguarded spot. A
  5666. British carder called JiLsi ran the site, and he’d made the
  5667. mistake of choosing the same password—“MSR206”—
  5668. everywhere, including Carders Market, where Max knew
  5669. everyone’s passwords. Max could just walk in and take
  5670. over. The Vouched, on the other hand, was a fortress—you
  5671. couldn’t even connect to the website without a privately
  5672. issued digital certificate installed in your browser.
  5673. Fortunately, JiLsi was also a member of that site, and he
  5674. had moderator privileges there. Max found a copy of the
  5675. certificate in one of JiLsi’s webmail accounts, protected by
  5676. the carder’s usual password. From there, it was just a
  5677. matter of logging in as JiLsi and leveraging his access to
  5678. get at the database.
  5679. On TalkCash and ScandinavianCarding, Max
  5680. determined that the forum software’s search function was
  5681. vulnerable to an “SQL injection” attack. It wasn’t a
  5682. surprising discovery. SQL injection vulnerabilities are the
  5683. Web’s most persistent weakness.
  5684. SQL injection has to do with the behind-the-scenes
  5685. architecture of most sophisticated websites. When you visit
  5686. a website with dynamic content—news articles, blog posts,
  5687. stock quotes, virtual shopping carts—the site’s software is
  5688. pulling the content in raw form from a back-end database,
  5689. usually running on a completely different computer than the
  5690. host to which you’ve connected. The website is a facade—
  5691. the database server is the important part, and it’s locked
  5692. down. Ideally, it won’t even be accessible from the Internet.
  5693. The website’s software speaks to the database server in
  5694. a standard syntax called Structured Query Language, or
  5695. SQL (pronounced “sequel”). The SQL command SELECT,
  5696. for example, asks the database server for all the
  5697. information that fits a specified criterion. INSERT puts new
  5698. information in the database. The rarely used DROP
  5699. instruction will mass-delete data.
  5700. It’s a potentially perilous arrangement, because there are
  5701. any number of situations where the software has to send a
  5702. visitor’s input as part of an SQL command—in a search
  5703. query, for example. If a visitor to a music site enters
  5705. “Sinatra” in the search box, the website’s software will ask
  5706. the database to look for matches.
  5707. SELECT titles FROM music_catalog
  5708. WHERE artist = 'Sinatra';
  5709. An SQL injection vulnerability occurs when the software
  5710. doesn’t properly sanitize the user’s input before including it
  5711. in a database command. Punctuation is the real killer. If a
  5712. user in the above scenario searches on “Sinatra’; DROP
  5713. music_catalog;” it’s tremendously important that the
  5714. apostrophe and semicolons not make it through.
  5715. Otherwise, the database server sees this.
  5716. SELECT * FROM music_catalog
  5717. WHERE artist = 'Sinatra'; DROP music_catalog;';
  5718. As far as the database is concerned, that’s two
  5719. commands in succession, separated by a semicolon. The
  5720. first command finds Frank Sinatra albums, the second one
  5721. “drops” the music catalog, destroying it.
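The Sinatra example above, carried through in working code as an added example (it is not code from the book): the query is first built the vulnerable way, by pasting the visitor's text into the statement, and then with a bound parameter, which is the fix. The page's payload is used with the full `DROP TABLE` form so that it is valid SQL for SQLite; `executescript` stands in for a database that accepts stacked statements, since SQLite's normal `execute` refuses to run two at once.

```python
# Added example, not code from the book: the vulnerable search from the text
# beside its parameterized fix, run against a constructed in-memory catalog.
import sqlite3
from typing import List

# The page's input, written with the full DROP TABLE form so SQLite parses it.
PAYLOAD = "Sinatra'; DROP TABLE music_catalog;"


def make_catalog() -> sqlite3.Connection:
    """Constructed sample catalog with a few rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE music_catalog (title TEXT, artist TEXT)")
    conn.executemany("INSERT INTO music_catalog VALUES (?, ?)", [
        ("My Way", "Sinatra"),
        ("Come Fly with Me", "Sinatra"),
        ("Kind of Blue", "Davis"),
    ])
    conn.commit()
    return conn


def build_query_unsafe(term: str) -> str:
    """The vulnerable pattern: the visitor's text is concatenated into the
    statement, so its apostrophe and semicolons reach the SQL parser."""
    return f"SELECT title FROM music_catalog WHERE artist = '{term}';"


def run_unsafe(conn: sqlite3.Connection, term: str) -> None:
    """Execute the concatenated string. executescript runs every statement
    in it, standing in for a DBMS that accepts stacked queries. With PAYLOAD
    the string is  SELECT ...; DROP TABLE music_catalog; ';  and the final
    dangling quote is a syntax error, but the DROP has already run by then."""
    try:
        conn.executescript(build_query_unsafe(term))
    except sqlite3.OperationalError:
        pass  # the trailing fragment fails to parse; the damage is done


def search_safe(conn: sqlite3.Connection, term: str) -> List[str]:
    """The fix: a bound parameter. The driver hands the term to the database
    as data, never as SQL text, so the payload is merely an artist name
    that matches nothing and the catalog is untouched."""
    rows = conn.execute(
        "SELECT title FROM music_catalog WHERE artist = ? ORDER BY rowid",
        (term,),
    ).fetchall()
    return [r[0] for r in rows]


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'music_catalog'"
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_catalog()
    print("safe search:", search_safe(conn, "Sinatra"))
    print("safe search with payload:", search_safe(conn, PAYLOAD),
          "table intact:", table_exists(conn))
    run_unsafe(conn, PAYLOAD)
    print("after unsafe search, table intact:", table_exists(conn))
```

Note that "sanitizing" the input, as the text puts it, is the weaker of the two remedies: escaping punctuation has to be done correctly for every database dialect, whereas a bound parameter never lets the input be parsed as SQL in the first place.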
  5722. SQL injection is a standard weapon in every hacker’s
  5723. arsenal—the holes, even today, plague websites of all
  5724. stripes, including e-commerce and banking sites. And in
  5725. 2005, the forum software used by TalkCash and
  5726. ScandinavianCarding was a soft target.
  5727. To exploit the bug on TalkCash, Max registered for a new
  5728. account and posted a seemingly innocuous message on
  5729. one of the discussion threads. His SQL attack was hidden
  5730. in the body of the message, the font color set to match the
  5731. background so nobody would see it.
  5732. He ran a search query designed to find the post, and the
  5733. buggy forum software passed his command to the
  5734. database system, which executed it, INSERTing a new
  5735. administrator account just for Max. A similar attack worked
  5736. at ScandinavianCarding.
  5737. On August 14, Max was ready to show the carding world
  5738. what he was capable of. He slid into the sites through the
  5739. holes he’d secretly blasted in their ramparts, using his illicit
  5740. admin access to copy their databases. The plan would
  5741. have made Sun Tzu proud: Attacking and absorbing rival
  5742. forums was an unexpected route indeed. Most carders
  5743. wanted to avoid attention, not thrust themselves into
  5744. prominence. A hostile takeover was unprecedented.
  5745. When he was done with the English-speaking sites, Max
  5746. went to Eastern Europe. He’d strived to unite the Eastern
  5747. European carders with the West, but Tea’s efforts had
  5748. been largely fruitless—the Russians liked her but didn’t
  5749. trust an American board. Diplomacy had failed; it was time
  5750. for action. He found Cardingworld.cc and Mazafaka.cc no
  5751. more secure than the western boards and was soon
  5752. downloading their databases of private messages and
  5753. forum posts. Megabytes of Cyrillic flowed onto his
  5754. computer, a secret history of scams and hacks against the
  5755. West stretching back months, now permanently
  5756. warehoused on Max’s hard drive in San Francisco’s
  5757. Tenderloin.
  5758. When he was done, he executed the DROP command
  5759. on all the sites’ databases, wiping them out.
  5760. ScandinavianCarding, the Vouched, TalkCash,
  5761. DarkMarket, Cardingworld—the bustling, twenty-four-hour-a-
  5762. day marketplaces supporting a billion-dollar global
  5763. underground economy all winked out of existence. Ten
  5764. thousand criminals around the world, men with six-figure
  5765. deals in the works; wives, children, and mistresses to
  5766. support; cops to buy off; mortgages to pay; debts to satisfy;
  5767. and orders to fill, were, in an instant, blind. Adrift. Losing
  5768. money.
  5769. They would all know the name “Iceman.”
  5770. Max then went to work on the stolen membership data,
  5771. ignoring, for now, the Eastern European carders. After
  5772. culling the duplicates and undesirables from the four
  5773. English-language sites, there were 4,500 new members for
  5774. Carders Market. He rolled them all into his site’s database,
  5776. so the carders could use their old nicknames and
  5777. passwords to log in to their new home. Carders Market had
  5778. six thousand members now. It was larger than Shadowcrew
  5779. had ever been.
  5780. He announced the forced merger in a mass e-mail to his
  5781. new members. As the morning dawned in San Francisco,
  5782. he watched them gather, confused and angry, on his
  5783. consolidated crime forum. Matrix001, a German
  5784. DarkMarket administrator, demanded an explanation for
  5785. Iceman’s actions. A previously taciturn spam king named
  5786. Master Splyntr spoke up to criticize the organization of the
  5787. material Iceman had stolen from the other boards. The
  5788. entire contents of the competing sites now lived in a new
  5789. section of Carders Market called “Historical posts from
  5790. merged forums.” They were unsorted and difficult to
  5791. navigate; Max had found the sites’ content worthy of
  5792. preserving but not of organizing.
  5793. Max watched the grumbling for a while, then stepped in
  5794. and let everyone know who was in charge.
  5795. @Master Splyntr: unless you have something
  5796. constructive or specific to say, your comment is
  5797. unwelcome. If you are unhappy with the layout, then go
  5798. away and come back later, because it is not yet sorted
  5799. out! @matrix001: The old forums were negligent in their
  5800. security, using shared hosting, failing to use encryption
  5801. of the data, logging IP addresses, using “1234” as the
  5802. administrative passwords (yes really people this is
  5803. true!), and general administrative Nazism. Some, such
  5804. as TheVouched, were even giving a false sense of
  5805. security, which as you know is far worse than none at
  5806. all.
  5807. You ask, what is the meaning of “all this”? If you
  5808. mean, why would we merge five carding forums
  5809. together, the short answer is because I didn’t have
  5810. time nor interest to merge in the other four for a total of
  5811. nine!
  5812. Basically, this was overdue. Why have five different
  5813. forums each with the same content, splitting users and
  5814. vendors, and a mish-mash of poor security and
  5815. sometimes poor administration and poor moderation. I
  5816. am not saying that is the case in all, but it was for most.
  5817. With the right moderation, CM will return to its
  5818. previous “tight” reign, with zero tolerance policy
  5819. against ripping, and almost anarchist policy of not
  5820. locking threads and promoting discussion. In the
  5821. meantime, there is extra “fluff” from the previous
  5822. forums, but that will be cleaned up.
  5823. What is the point? Security. Convenience. Increase
  5824. quality and decrease the noise. Bringing order to a
  5825. mess …
  5826. A Canadian hacker called Silo countered that Iceman
  5827. had dissolved the social glue that held the carder
  5828. community together. He’d violated their trust.
  5829. You breached our community’s security. Stole the
  5830. databases of other forums. Couldn’t your merger have
  5831. taken place with the admins of all the boards
  5832. consenting to it? What’s the difference between me
  5833. hacking your e-mails and reading up on your business
  5834. and posting your communications on my board?
  5835. Either way you look at it, you’ve breached what little
  5836. trust exists in the community. My suggestion is that you
  5837. delete the databases you have that aren’t yours to
  5838. display. The proper thing to do is ASK the admins of
  5839. the boards if one true unified board is in the best
  5840. interests of our community, and wait and see if they
  5841. would be interested in such a board.
  5842. That is my two cents.
  5843. There are people out here with a lot of skills Iceman.
  5844. How they use them is what determines our community.
  5845. The Vouched came back online, but not for long—it was
  5846. supposed to be a private, secure forum open only to a
  5847. select few. When Max had broken its security, he’d
  5848. shattered its credibility, and nobody bothered to return.
  5849. TalkCash and ScandinavianCarding were doomed—they
  5850. had no backups of the databases Max had destroyed.
  5851. Their members mostly stayed on at Carders Market.
  5852. Aside from the Russian forums, which Max was having
  5853. trouble assimilating because of the language barrier, there
  5854. was just one black mark on Max’s triumph: DarkMarket. His
  5855. chief competitor had backups and managed to crawl back
  5856. to life within days. It was a slap in the face to everything
  5857. Max was trying to achieve for himself and the community.
  5858. The war had begun.
  5859. In Orange County, Chris was consolidating his end of the
  5860. business too. He decided it would be convenient to have
  5861. his full-time workers all living in the same place, and the
  5862. Archstone chain of apartment complexes offered an
  5863. Internet-based move-in process perfectly suited to his
  5864. plans. Prospective tenants could fill out a lease on the
  5865. company’s website and pay the easy $99 deposit and the
  5866. first month’s rent with a credit card. Chris could handle
  5867. everything online, and his people wouldn’t have to put in an
  5868. appearance until move-in day, when they’d stop by the
  5869. rental office to flash their fake ID and pick up the door key.
  5870. He moved two of his cashers, and Marcos, his pot
  5871. connection, into the Archstone Mission Viejo, a labyrinth of
  5872. McMansion-style apartments painted the colors of a sunset
  5873. and clinging to a hill dotted with palm trees and high-tension
  5874. lines alongside Interstate 5, ten minutes from his
  5875. house. He was also looking to expand his crew. One girl
  5876. had dropped out and moved to Toledo after her second in-store
  5877. bust, and two others had quit in disgust when Chris
  5878. impregnated his teenage girlfriend—he was now paying for
  5879. an apartment for the young woman and their son, whose
  5880. existence he kept secret even from his mother.
  5881. At the NCFTA office in Pittsburgh, Keith Mularski, in his
  5882. Master Splyntr guise, got a private message from Iceman
  5883. himself two days after the hostile takeover. The hacker
  5884. wanted to apologize for some of his hasty words on his
  5885. forum.
  5886. Anticipating the next stage in the DarkMarket–Carders
  5887. Market conflict, Iceman had boasted that he would easily
  5888. defuse any DDoS attacks leveled against his site. But
  5889. afterward, he Googled Master Splyntr and learned he was
  5890. a world-class spammer with a botnet army. Iceman
  5891. seemed loath to turn a mere critic into a full-blown enemy.
  5892. Don’t take offense to my smartass comments. It is
  5893. true that if someone attacks me I will just track the
  5894. botnet and try to jack it or shut it down, but it’s not
  5895. something I want to taunt people with. No one needs to
  5896. waste their time with such activity, really DDoS is no
  5897. fun and so don’t get the wrong idea plz. :-)
  5898. Mularski was beginning to see an opportunity in the
  5899. upheaval gripping the underground. Nobody knew who to
  5900. trust anymore; everyone was angry at everyone else. If he
  5901. were to play both sides, he might make inroads against the
  5902. forum administrators as they grappled for allies in the
  5903. brewing battle.
  5904. He was allowed three substantive contacts. He decided
  5905. to use one of them to respond to Iceman.
  5906. No worries brotha, we’re kewl. I’m a smartass
  5907. myself. I got no interest in attacking. Shit, my bots
  5908. aren’t even configured to attack. Mailing makes me far
  5909. more money! I really got no interest in doing anything
  5910. that doesn’t make me money, unless I have a vendetta,
  5911. which I don’t. And if you do get attacked, I’m also pretty
  5912. good in tracking and hijacking, so hit me on ICQ
  5913. 340572667 if ya need help.… :-) MS
  5914. Mularski watched his screen, waiting. A few minutes
  5915. later, a response.
  5916. Excellent thank you :-) BTW, do you have any
  5917. suggestions for running things here, aside from the
  5918. obvious organizational mess? Also, I will change it so
  5919. you are a vendor and have user selectable title. (Done)
  5920. I don’t know if you vend mailing services with your net,
  5921. but that is a cool thing to have around and I’m sure
  5922. we’re better off having you available for hire. Also, if
  5923. you were a vendor before (or other?) then please
  5924. accept my apologies for the title loss. I preserved
  5925. some of the status like DM vendors, but messed up on
  5926. the other forums and those didn’t get preserved. Just
  5927. FYI. Thanks bro :-) Also added you to VIP group.
  5928. It was a promising response. Mularski talked things over
  5929. with his supervisor, then applied to headquarters for Group
  5930. II authority, the lesser of two tiers of undercover
  5931. engagement available to the FBI but still a step up from his
  5932. previous “passive observation only” mandate. The new
  5933. latitude wouldn’t let him participate in crimes, but he would
  5934. finally be permitted to actively engage with the
  5935. underground. He named Carders Market, and everyone
  5936. associated with running the site, as the investigation’s
  5937. targets.
  5938. The approval came quickly. But despite his encouraging
  5939. words, Iceman proved a slippery target; he kept Mularski at
  5940. arm’s length, not confiding in him and only chatting through
  5941. Carders Market’s internal messaging system. The FBI
  5942. agent had better luck on the other side of the battlefield.
  5943. He’d been an early member of DarkMarket, and now that
  5944. he was interactive, the site’s founder, JiLsi, quickly
  5945. identified Master Splyntr as management material. In early
  5946. September, Splyntr was appointed as a moderator on the
  5947. site.
  5948. The war was heating up. Despite the lessons of the
  5949. August incursion, JiLsi couldn’t manage to completely lock
  5950. down DarkMarket. Iceman began sneaking in regularly and
  5951. deleting accounts at random, just to mess with JiLsi’s head.
  5952. When DarkMarket retaliated with a fierce DDoS attack
  5953. against Carders Market’s Iranian host, Iceman fired back
  5954. with a DDoS of his own against DarkMarket. Both sites
  5955. groaned under the weight of the junk packets. Iceman
  5956. quietly set up service at a U.S. hosting company with the
  5957. bandwidth to absorb the DDoS packets, cleaning the traffic
  5958. before channeling it back to his real server over an
  5959. encrypted VPN.
  5960. JiLsi was tearing his hair out, voicing his frustrations to
  5961. Master Splyntr. Mularski shifted his focus away from
  5962. Iceman and toward the British cybercrime boss who was
  5963. starting to treat him like a friend. Tentatively, he suggested
  5964. that JiLsi consider turning over DarkMarket to someone
  5965. seasoned in setting up bulletproof hosting. Someone
  5966. accustomed to running sites that everyone hates. A
  5967. spammer.
  5968. Hey, you know my background, he wrote in a chat. I’m
  5969. real good at setting up servers. I secure servers all the time.
  5970. I could set this up for you.
  5971. Mularski was toying with an extraordinary plan. In the
  5972. past, the Secret Service and FBI had both run admins as
  5973. informants: Albert Gonzalez on Shadowcrew and Dave
  5974. Thomas on the Grifters. But actually running a crime forum
  5975. directly would provide access to everything from the
  5976. carders’ IP addresses to their private communications,
  5977. while giving Master Splyntr, as the site’s runner, more
  5978. credibility in the underground than any agent could dream
  5979. of.
  5980. JiLsi expressed interest in Master Splyntr’s offer, and
  5981. Mularski braced himself for another trip to Washington, DC.
  5982.  
  5983. 26
  5984. What’s in Your Wallet?
  5985. Selling USA 100% APPROVED DUMPS
  5986. *NEW* Discounted Prices for approved dumps:
  5987. $11 MasterCard
  5988. $8 Visa Classic
  5989. $13 Visa Gold/Premium
  5990. $19 Visa Platinum
  5991. $24 Visa Signature
  5992. $24 Visa Business
  5993. $19 Visa Corporate
  5994. $24 Visa Purchasing
  5995. $19 American Express = new price drop (was 24)
  5996. $24 Discover = new price drop (was 29)
  5997. Minimum order 10 pieces.
  5998. Dumps sold by type of card. No bin list.
  5999. Max’s hostile takeover was about fixing the community,
  6000. not personal profit. But his business in stolen magstripe
  6001. data was stronger than ever after the merger—he was
  6002. earning a thousand dollars a day now selling dumps to
  6003. carders around the world, in addition to the five to ten
  6004. thousand a month he was still pulling in through his
  6005. partnership with Chris.
  6006. Publicly, at FTC meetings and elsewhere, the credit card
  6007. industry was doing its best to conceal the impact of the
  6008. rampant magstripe theft happening worldwide. Credit
  6009. leader Visa held up an industry-funded report by Javelin
  6010. Strategy and Research that claimed consumers, not
  6011. companies, were the source of the vast majority of identity
  6012. theft and credit card fraud cases: Some 63 percent of
  6013. cases originated with consumers, primarily victims of lost
  6014. or stolen wallets, followed by theft by trusted associates,
  6015. stolen mail, and Dumpster diving.
  6016. The report was grossly misleading, only tallying cases in
  6017. which the victim knew how his information had been stolen.
  6018. Visa’s private numbers told the real story. Stolen wallets
  6019. hadn’t been the primary source of fraud since mid-2001,
  6020. when credit card theft from e-commerce sites sent
  6021. fraudulent “card not present” transactions—online and
  6022. telephone purchases—rocketing up the chart, while every
  6023. other category held steady.
  6024. In 2004, when stolen magstripe data became a massive
  6025. underground commodity, losses to counterfeit cards
  6026. followed the same stratospheric climb. In the first quarter of
  6027. 2006, Chris Aragon–style counterfeiting edged out card-not-present
  6028. fraud for the first time, topping $125 million in
  6029. quarterly losses to Visa’s member banks alone.
  6030. Nearly all those losses began with a price list like Max’s.
  6031. As Digits, Max accumulated page after page of positive
  6032. reviews on Carders Market and a reputation for square
  6033. dealing. It was a point of pride with Max—and a sign of the
  6034. moral compartmentalization he’d practiced since
  6035. childhood. Max would happily hack a carder and copy his
  6036. entire hard drive, but if a customer paid him for information,
  6037. Max wouldn’t even consider shortchanging him.
  6038. His generosity, too, was well known. If Max had dumps
  6039. that were about to expire, he’d give them away for free
  6040. rather than let them go to waste. Together, his exemplary
  6041. business practices and the quality of his product made Max
  6042. one of the top five dumps vendors in the world, in a market
  6043. traditionally dominated by Eastern European sellers.
  6044. Max was cautious with his vending. By refusing to sell
  6045. dumps by BIN—bank identification number—he made it
  6046. tough for the feds to identify his breaches: The government
  6047. couldn’t just buy twenty dumps sourced to a single financial
  6048. institution and ask that bank to look for a common purchase
  6049. point in its transaction records. Instead, a batch of twenty
  6050. cards could belong to twenty different banks. They’d all
  6052. have to cooperate with one another to nail down the source.
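The analysis Max's no-BIN policy was designed to frustrate is common point of purchase (CPP) analysis: an issuer takes a batch of cards it knows to be compromised and looks for the one merchant every card's history has in common. The following is an added example, not code from the book or from any bank, run over constructed transaction records; the bank names, BINs, card numbers and merchants are all made up. It shows the single-BIN case, where one issuer can pin the breach alone, and the mixed-BIN case, where each issuer sees only one of its own cards and gets an inconclusive answer until the banks pool their records.

```python
"""Common point of purchase (CPP) analysis: given a batch of cards known to be
compromised, find the merchant every one of them has in common. Added example
with constructed data; not code from the book or from any bank."""
from collections import defaultdict

# Constructed issuing banks keyed by BIN, the first six digits of the card number.
BIN_TABLE = {"411111": "BankA", "522222": "BankB", "633333": "BankC"}

# Constructed transaction records: (card_number, issuing_bank, merchant).
# Every card below was skimmed at PIZZA-SHOP-4471; the other merchants are noise.
TRANSACTIONS = [
    ("4111110001", "BankA", "PIZZA-SHOP-4471"),
    ("4111110001", "BankA", "MEGAMART-01"),
    ("4111110002", "BankA", "PIZZA-SHOP-4471"),
    ("4111110002", "BankA", "MEGAMART-01"),
    ("4111110002", "BankA", "GAS-STATION-9"),
    ("4111110003", "BankA", "PIZZA-SHOP-4471"),
    ("4111110003", "BankA", "COFFEE-17"),
    ("5222220001", "BankB", "PIZZA-SHOP-4471"),
    ("5222220001", "BankB", "MEGAMART-02"),
    ("6333330001", "BankC", "PIZZA-SHOP-4471"),
    ("6333330001", "BankC", "MEGAMART-03"),
]


def bin_of(card: str) -> str:
    return card[:6]


def bank_view(bank: str, transactions):
    """An issuer only holds transaction records for its own cards."""
    return [t for t in transactions if t[1] == bank]


def merchants_by_card(transactions):
    history = defaultdict(set)
    for card, _bank, merchant in transactions:
        history[card].add(merchant)
    return history


def common_point_of_purchase(compromised, transactions):
    """Merchants present in the history of every compromised card the caller
    can actually see. One candidate pins the breach; several are inconclusive.
    Cards with no visible history are ignored rather than treated as matches."""
    history = merchants_by_card(transactions)
    visible = [card for card in compromised if card in history]
    if not visible:
        return set()
    return set.intersection(*(history[card] for card in visible))


def attribute(compromised, transactions, bin_table):
    """Run CPP from each issuer's private view, then from the pooled view the
    issuers would only get by sharing records with one another."""
    banks = {bin_table[bin_of(card)] for card in compromised}
    per_bank = {
        bank: common_point_of_purchase(compromised, bank_view(bank, transactions))
        for bank in sorted(banks)
    }
    return {
        "banks_involved": sorted(banks),
        "per_bank": per_bank,
        "pooled": common_point_of_purchase(compromised, transactions),
    }


if __name__ == "__main__":
    same_bin = ["4111110001", "4111110002", "4111110003"]
    mixed_bins = ["4111110001", "5222220001", "6333330001"]
    print("single BIN :", attribute(same_bin, TRANSACTIONS, BIN_TABLE))
    print("mixed BINs :", attribute(mixed_bins, TRANSACTIONS, BIN_TABLE))
```

With three BankA cards the issuer's own records narrow the candidates to the pizza shop. With one card from each of three banks, every issuer is left with two candidates (the pizza shop and its own customer's grocery store), and only the pooled intersection resolves it, which is exactly the cross-bank cooperation the text says Max's mixed batches forced.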
  6053. Additionally, only a few trusted associates knew that
  6054. Digits and Iceman were one and the same: mostly admins,
  6055. like Chris, a Canadian carder named NightFox, and a new
  6056. recruit called Th3C0rrupted0ne.
  6057. Of everyone he’d met in the scene, it was
  6058. Th3C0rrupted0ne with whom Max seemed to share the
  6059. most hacking history. As a teenager, C0rrupted had
  6060. discovered the warez scene on dial-up bulletin board
  6061. systems, then moved into recreational hacking under the
  6062. handles Acid Angel, -null-, and others. He defaced
  6063. websites for fun and joined a hacking gang called Ethical
  6064. Hackers Against Pedophiles—vigilante gray hats working
  6065. against Internet child pornography.
  6066. Like Max, he’d once thought of himself as one of the
  6067. good guys, before he became Th3C0rrupted0ne.
  6068. In other ways, they were very different. A product of a
  6069. hardscrabble childhood in a big-city housing project,
  6070. C0rrupted became a drug dealer at an early age and
  6071. picked up his first arrest—a gun charge—in 1996 when he
  6072. was eighteen years old. In college he began making fake
  6073. IDs for his friends, and his online research took him to
  6074. Fakeid.net, a Web bulletin board where experts like ncXVI
  6075. got their start. He graduated to small check and credit card
  6076. scams around the time Shadowcrew went down and then
  6077. found his way to the successor sites.
  6078. Diplomatic and even-tempered, C0rrupted was
  6079. universally liked in the scene and enjoyed moderator or
  6080. admin privileges on most of the forums. Max promoted him
  6081. to admin on Carders Market in the summer of 2005 and
  6082. made him unofficial site spokesman after the hostile
  6083. takeover. Max let C0rrupted in on his double identity about
  6084. a week after his power play.
  6085. So obviously I am Digits also. Might as well say it
  6086. straight since I blew cover in ICQ (talking about “our
  6087. forum,” etc.)
  6088. It is a pain in the ass trying to keep that separate
  6089. from people I know and trust and like such as yourself.
  6090. So there you go …
  6091. Anyway, reasoning is, Iceman is legal. Digits is
  6092. breaking the law. I assumed if I could keep it separate
  6093. there would be no legal leg to stand on for coming after
  6094. “me” as the forum admin.
  6095. Chris remained the greatest threat to Max’s security.
  6096. Every time they fought now, Max was reminded of how
  6097. vulnerable he was to the only carder privy to his real-life
  6098. identity. “I can’t believe how much you know about me,”
  6099. he’d spit out, angry at himself.
  6100. Meanwhile, Chris had been trying to drive Max into
  6101. pulling one big score, something that would catapult them
  6102. both out of the crime business for good and maybe fund a
  6103. new legitimate start-up for Chris in Orange County. He’d
  6104. crafted a flowchart and a step-by-step plan for each of them
  6105. to follow; he called it the “Whiz List.”
  6106. Max was supposed to infiltrate banking networks and
  6107. gain the power to direct millions of dollars to accounts
  6108. specified by Chris. He’d delivered on his end—from the
  6109. very start of their partnership, back when he was working
  6110. from Chris’s garage, he’d been breaching small banks and
  6111. savings and loans. He was in hundreds of them now and
  6112. could transfer money out of customers’ accounts at will. But
  6113. the scheme was hung up on Chris’s end. Chris had to find a
  6114. safe harbor for the money Max would steal—an offshore
  6115. repository where they could park the cash without it being
  6116. recalled by the victim bank. So far, he’d failed.
  6117. So when, in September, Max got his hands on a deadly
  6118. new Internet Explorer zero day, he shared the news not with
  6119. Chris but with a different partner, one who had more
  6120. knowledge of international finance, the Carders Market
  6121. admin called NightFox.
  6122. The security hole was a monster: another buffer overflow,
  6123. this time in the Internet Explorer code designed to let
  6124. websites draw vector graphics on a visitor’s screen. Sadly
  6125. for Max, Eastern European hackers had found the bug first,
  6126. and they’d been using it. A computer security company had
  6127. already found the Russian exploit code infecting visitors to
  6128. an Internet porn site and sent it to Microsoft. The
  6129. Department of Homeland Security had issued a blunt
  6130. warning to Internet Explorer users: “Do not follow
  6131. unsolicited links.”
  6132. The word was out, but there was no patch. Every Internet
  6133. Explorer user was vulnerable. Max got his copy of the
  6134. Russian exploit in the early morning hours of September 26
  6135. and informed NightFox enthusiastically.
  6136. “Assume we get a free pass today to own whatever
  6137. company we want,” Max wrote over Carders Market’s
  6138. messaging system. “There you go. No limits. Visa.com.
  6139. Mastercard.com. egold.com. Whatever you can get the
  6140. employee e-mails for. Google. Microsoft. Doesn’t matter.
  6141. It’s all equally ownable right now.”
  6142. Microsoft pushed out a patch later that day, but Max
  6143. knew that even the most secure company would take days
  6144. or weeks to test and install the update. The Russian exploit
  6145. was already detected by antivirus software, so he modified
  6146. it to change its signature, running it through his antivirus lab
  6147. to verify that it was now undetectable.
  6148. The only thing left was the social engineering: Max had to
  6149. trick his targets into visiting a website loaded with the
  6150. exploit code. Max decided on the domain name
  6151. Financialedgenews.com, and set up hosting at ValueWeb.
  6152. NightFox came back with the target list: CitiMortgage,
  6153. GMAC, Experian’s Lowermybills.com, Bank of America,
  6154. Western Union MoneyGram, Lending Tree, and Capital
  6155. One Financial, one of the largest credit card issuers in the
  6156. country. NightFox had vast databases of internal corporate
  6157. e-mail addresses he’d acquired from a “competitive
  6158. intelligence” firm, and he sent Max thousands of them,
  6159. spread across all the targets.
  6160. On September 29, Max fired up his spamming software
  6161. and flung a personalized e-mail at his victims. The
  6162. message was from “Gordon Reily,” with the return address
  6163. g.reily@lendingnewsgroup.com.
  6164. I am a reporter for Lending News doing a follow up
  6165. story on the recent leak of customer records from
  6166. Capital One. I saw the name Mary Rheingold in the
  6167. article from Financial Edge and would like to interview
  6168. you for a follow up piece.
  6169. http://financialedgenews.com/news/09/29/Disclosure_Capital0ne
  6170. If you have time I would greatly appreciate an
  6171. opportunity to further discuss the details of the above
  6172. article.
  6173. Each copy of the message was customized, so every
  6174. employee would think he or she was mentioned by name in
  6175. the notional Financial Edge article. At Capital One, 500
  6176. employees got the message, from executives to PR
  6177. spokespeople and IT workers. About 125 of them clicked
  6178. on the poisoned link and were sent to a page loaded with
  6179. generic finance industry news. While they puzzled over the
  6180. page, a hidden payload zipped through the corporate
  6181. firewall and onto their machines.
  6182. The software opened a back door that would allow Max
  6183. to slip in at his leisure and scour the victims’ hard drives for
  6184. sensitive data, sniff the banks’ internal networks, steal
  6185. passwords. It wasn’t much different from what he’d done to
  6186. thousands of Defense Department computers a lifetime
  6187. ago. Back when it was all just fun and games.
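The lure above has the shape that mail triage still looks for: a sender claiming to be from one publication, a link pointing at a different and equally unknown domain, and a digit standing in for a letter in the URL. The following is an added example, not code from the book or from anyone in it, that reconstructs the message from the text (the recipient address and subject line are made up) and runs the checks an analyst or gateway would apply. The registrable-domain helper is a deliberate two-label approximation; real tooling consults the public suffix list.

```python
"""Triage for a lure like the 'Gordon Reily' message: does the link point where
the sender claims to be from, and is anyone playing with look-alike characters?
Added example over a constructed message; not code from the book or anyone in it."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed message. Only the sender address, the link and the body text are
# taken from the lure quoted in the text; recipient and subject are made up.
RAW_MESSAGE = """\
From: Gordon Reily <g.reily@lendingnewsgroup.com>
To: mary.rheingold@example-bank.test
Subject: Follow up on the Capital One disclosure

I am a reporter for Lending News doing a follow up story on the
recent leak of customer records from Capital One. I saw the name
Mary Rheingold in the article from Financial Edge and would like
to interview you for a follow up piece.

http://financialedgenews.com/news/09/29/Disclosure_Capital0ne
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# A letter-digit-letter run such as "Capital0ne": a zero or one standing in
# for an o or an l inside an otherwise alphabetic word.
DIGIT_SWAP_RE = re.compile(r"[A-Za-z]+[01][A-Za-z]+")


def registrable_domain(host: str) -> str:
    """Last two DNS labels. Adequate for .com/.net; real tooling consults the
    public suffix list so that names like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_domain(msg) -> str:
    _display, addr = email.utils.parseaddr(msg["From"])
    return registrable_domain(addr.rpartition("@")[2])


def link_domains(body: str) -> set:
    return {registrable_domain(urlparse(u).hostname or "") for u in URL_RE.findall(body)}


def digit_substitutions(text: str) -> list:
    return DIGIT_SWAP_RE.findall(text)


def assess(raw: str, trusted_domains) -> dict:
    """Flags a mail gateway or an analyst would raise on this message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    sender = sender_domain(msg)
    links = link_domains(body)
    report = {
        "sender_domain": sender,
        "link_domains": sorted(links),
        # The claimed publication's domain is not one the recipient knows.
        "sender_unknown": sender not in trusted_domains,
        # The link leads somewhere other than the sender's own domain.
        "offdomain_links": sorted(d for d in links if d != sender and d not in trusted_domains),
        "digit_substitutions": digit_substitutions(body),
    }
    report["suspicious"] = (report["sender_unknown"]
                            or bool(report["offdomain_links"])
                            or bool(report["digit_substitutions"]))
    return report


if __name__ == "__main__":
    # Assumption: only the recipient's own domain is trusted out of the box.
    for key, value in assess(RAW_MESSAGE, {"example-bank.test"}).items():
        print(f"{key}: {value}")
```

None of the three flags is conclusive on its own, and a real newsroom mail could trip the first two; the point is that a message tripping all three, addressed by name and asking for a click, is the profile the text describes, and that the domain mismatch is visible before anyone follows the link.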
  6188.  
  6189. 27
  6190. Web War One
  6191. Keith Mularski stood at the podium, his PowerPoint
  6192. presentation filling an LCD big-screen at his back. In front
  6193. of him were fifteen senior FBI officials and Justice
  6194. Department lawyers, sitting around the conference room
  6195. table at Justice headquarters. They were riveted. Mularski
  6196. was proposing something that had never been done
  6197. before.
  6198. Group I “sensitive circumstances” authorizations were a
  6199. rare thing in the bureau. Mularski first wrote out a twenty-page
  6200. proposal, addressing every aspect of the plan and
  6201. gathering legal opinions from FBI lawyers for each. The
  6202. FBI’s general counsel was excited about the possibilities; if
  6203. it were approved, the operation could set a precedent for
  6204. future online undercover work.
  6205. The biggest obstacle for the Justice Department’s
  6206. Undercover Review Committee was the third-party liability
  6207. issue of letting crimes unfold over a website owned and
  6208. operated by the U.S. government. How would Mularski
  6209. mitigate the damage so innocent people and institutions
  6210. wouldn’t suffer? Mularski had an answer at the ready. The
  6211. criminal activity on DarkMarket was going to take place
  6212. whether the FBI ran the forum or not. But with the bureau
  6213. controlling the server, and Master Splyntr leading the site,
  6214. the FBI could potentially intercept large amounts of stolen
  6215. data that would otherwise flow freely through the black
  6216. market. His proposal stipulated that any financial data
  6217. would be sent immediately to the affected banks. Stolen
  6218. credit cards could be canceled before they were used.
  6219. The meeting lasted twenty minutes. When he returned to
  6220. Pittsburgh on October 7, Mularski had written approval to
  6221. acquire DarkMarket. Iceman was still listed as a subject of
  6222. the undercover operation, but now JiLsi and DarkMarket’s
  6223. other leaders were the primary targets.
  6224. Once his wife went to bed, Mularski settled in front of his
  6225. couch, turned on Saturday Night Live, and looked for JiLsi
  6226. on ICQ. After some pleasantries, he got down to business.
  6227. DarkMarket was under yet another DDoS attack, and
  6228. Mularski, as Master Splyntr, was ready to take the site onto
  6229. a secure server—JiLsi need only say the word, and his
  6230. problems with Iceman would be history.
  6231. JiLsi had some reservations. DarkMarket was his baby,
  6232. and he didn’t want to be perceived by the community as
  6233. ceding control. That wouldn’t be a problem, Mularski
  6234. explained. Master Splyntr would be a stealth administrator.
  6235. Nobody but he and JiLsi would know he was running the
  6236. site. To everyone else, he’d still just be a moderator.
  6237. “Bro,” JiLsi typed back. “Get your server ready. We
  6238. moving.”
  6239. Mularski went to work at once. He rented a server from a
  6240. Texas-based hosting company called the Planet and went
  6241. to the underground to shore it up, buying $500-a-month
  6242. DDoS protection services from a Russian named
  6243. Quazatron and paying for it in e-gold. Quazatron configured
  6244. the site so its public face was at Staminus, a DDoS-resistant
  6245. high-bandwidth hosting company. The company’s
  6246. pipes could withstand a deluge, and Quazatron’s software
  6247. would channel only the legitimate traffic to DarkMarket’s
  6248. real server behind the scenes.
  6249. Everything would be done the way an Eastern European
  6250. cybercrook would do it. When Mularski wanted to log in to
  6251. the site’s back end, he’d go through KIRE, a Virginia
  6252. company offering Linux “shell accounts”—a service that lets
  6253. IRC users connect to chat rooms without being traced to
  6254. their home IP addresses. Nobody would see that the Polish
  6255. spam king was logging in from Pittsburgh.
  6256. Once the move was complete, Mularski went to court and
  6257. won a sealed search warrant against his own server,
  6258. allowing him to riffle through DarkMarket’s user database,
  6259. access logs, and private messages.
  6260. There was one more thing to do. Post-Shadowcrew, it
  6261. was de rigueur for carder forums to make users click on a
  6262. terms-of-service agreement prohibiting illegal content and
  6263. stipulating that the site’s operators weren’t responsible for
  6264. anything on the board. Forum runners believed the
  6265. legalistic language might shield them from prosecution.
  6266. DarkMarket had a particularly long and detailed user
  6267. agreement, so nobody noticed when Master Splyntr added
  6268. a line.
  6269. “By your use of this forum you agree that the
  6270. administrators may review any communication sent using
  6271. this forum to ensure compliance with this policy,” he wrote,
  6272. “or for any other purpose.”
  6273. “I think it’s important to note that Iceman is a foolish
  6274. wannabe hacker who goes around and hacks sites for fun
  6275. and pleasure.”
  6276. El Mariachi knew how to push Iceman’s buttons. After the
  6277. hostile takeover, Dave Thomas returned to the Life on the
  6278. Road blog to browbeat his foe relentlessly, calling him
  6279. “Iceboy,” “Officer Ice,” and “a fucking piece of shit on my
  6280. shoes.” He challenged Iceman to meet him in person, so
  6281. they could resolve their dispute like men. And he implied he
  6282. could hire a hit man to track down the carding kingpin and
  6283. end his life.
  6284. Max responded with growing fury. He hadn’t forgotten the
  6285. hassle and expense of finding a new host after Thomas
  6286. shut him down in Florida. The aggressiveness he’d kept
  6287. buried since Boise boiled from his gut and into his
  6288. fingertips. “You small dick limp sack of shit. I could fucking
  6289. tear you apart with my bare hands but a COWARD snitch
  6290. like yourself would call the cops and scramble for a weapon
  6291. at the first sight of me,” he wrote. “You better pray to your
  6292. god that I am never outed, because not only will you look
  6293. like even more of a jackass than you already do, but then I
  6294. will have no inhibition about coming over and wringing your
  6295. snitch punk neck.”
  6296. When he calmed down, he sent Thomas a private e-mail.
  6297. He’d been thinking about taking down Carders Market and
  6298. retiring his Iceman identity. It wouldn’t be a surrender;
  6299. rather, it was the most serious threat imaginable to
  6300. Thomas’s campaign.
  6301. You haven’t read the Art of War, have you, cunt?
  6302. You know NOTHING about me. I know EVERYTHING
  6303. about you.
  6304. I kill CM, I kill Iceman, then what do you have you
  6305. punk bitch? Shadowboxing?? You are FUCKED. An
  6306. enemy who will fuck you over constantly for years, that
  6307. you have NO DEFENSE and NO TARGET for
  6308. retribution.
  6309. I am your worst nightmare you little bitch, and you
  6310. and your family will be feeling the effects of the money
  6311. you cost me for a long, long time.
  6312. Two days later, Max proved he was serious. He hacked
  6313. into El Mariachi’s website, the Grifters, which Thomas had
  6314. turned into a semi-legitimate security site dedicated to
  6315. watching the carding forums. Max wiped the hard drive. The
  6316. site never came back.
  6317. Iceman announced his triumph in a final public message
  6318. to the blog. “I have nothing to prove, and now having beat
  6319. down David Renshaw Thomas, federal snitch, I make my
  6320. exit,” he wrote. “Unlike you people, I pay attention to my own
  6321. business. Learn a lesson. Move on and leave me the fuck
  6322. alone.”
  6323. But Max wasn’t going to be able to slip back into the
  6324. shadows. Two reporters from USA Today had taken notice
  6325. of the public carder war and confirmed the details of the
  6326. hostile takeover with security firms watching the forums.
  6327. The morning after Max declared victory over El Mariachi,
  6328. delivery drivers around the country plunked down
  6329. Thursday’s edition of the paper on more than two million
  6330. doorsteps from coast to coast. There, on the front page of
  6331. the business section, was the whole sordid tale of Iceman’s
  6332. annexation of the carding sites.
  6333. By letting his ego lead him into a public battle with David
  6334. Thomas, Max had gotten Iceman into the largest-circulation
  6335. daily in America.
  6336. “The Secret Service and FBI declined to comment on
  6337. Iceman or the takeovers,” the article read. “Even so, the
  6338. activities of this mystery figure illustrate the rising threat that
  6339. cybercrime’s relentless expansion—enabled in large part
  6340. by the existence of forums—poses for us all.”
  6341. The story wasn’t a surprise; the reporters had
  6342. approached Iceman for comment, and Max had e-mailed a
  6343. long one, lobbing his Craigslist defense. His views didn’t
  6344. make it into the article, and the story only made Max more
  6345. defiant. He added a quote from the piece to the top of the
  6346. Carders Market login page: “It’s like he created the Wal-
  6347. Mart of the underground.”
  6348. Max showed the article to Charity. “I seem to have
  6349. created quite a stir.”
  6350. Chris was apoplectic when he learned that Max had
  6351. corresponded with the journalists. He’d watched as Max
  6352. burned hours squabbling with Thomas. Now his partner
  6353. was giving press interviews?
  6354. “You’ve lost your fucking mind,” he said.
  6355. Max was swamped. Vouch requests were pouring into
  6356. Carders Market in a torrent. The USA Today article
  6357. seemed to bring out every street-level hood hoping to
  6358. break into computer fraud. The site picked up over three
  6359. hundred new members overnight. Two weeks later, they
  6360. were still coming in.
  6361. He offloaded as much of the work as he could to his
  6362. admins. Max had other things to worry about now. His
  6363. spear-phishing attack against the financial institutions had
  6364. been wildly successful, but getting past the banks’ firewalls
  6365. had turned out to be the easy part. Bank of America and
  6366. Capital One, in particular, were huge institutions, and Max
  6367. was lost in their vast networks. He could easily spend years
  6368. on either one, just looking for the data and the access he
  6369. needed to make a big score. Max was having trouble
  6370. staying motivated for the mind-numbing follow-through to
  6371. his intrusions; cracking the networks had been the fun part,
  6372. and now that was over.
  6373. Instead, Max put the banks on the back burner to focus
  6374. on the carding war. Max’s new hosting provider was getting
  6375. complaints about the rampant criminality on Carders
  6376. Market. Max saw one of the e-mails, sent from an
  6377. anonymous webmail account. On a hunch, Max tried
  6378. logging in to the account with JiLsi’s password. It worked.
  6379. JiLsi was trying to get him shut down.
  6380. Max retaliated by hacking into JiLsi’s account on the
  6381. Russian forum Mazafaka and posting an avalanche of
  6382. messages reading, simply, “I’m a fed.” Then he went public
  6383. with the evidence of JiLsi’s malfeasance; snitching to
  6384. Carders Market’s hosting company was a scummy tactic.
  6385. DarkMarket just didn’t have the decency to die. Max
  6386. could have dropped the database again, but it would do no
  6387. good—the site had come back before. His DDoS attacks
  6388. had become ineffective, too. Overnight, DarkMarket had
  6389. come into expensive high-bandwidth hosting and erected
  6390. dedicated e-mail and database servers. It was suddenly a
  6391. hard target.
  6392. Then Max heard an intriguing rumor about DarkMarket.
  6393. The story involved Silo, a Canadian hacker known for an
  6394. uncanny ability to juggle dozens of false handles in the
  6395. community, effortlessly switching writing styles and
  6396. personalities for each one. Silo’s second claim to fame
  6397. was his compulsive back-dooring of other carders. He was
  6399. constantly posting software with hidden code that would let
  6400. him spy on his peers.
  6401. Both traits were at play when Silo registered an account
  6402. at DarkMarket under a new handle and submitted a piece
  6403. of hacking software for vendor review. True to form, Silo
  6404. had secreted a hidden function in the software that would
  6405. smuggle a user’s files out to one of Silo’s servers.
  6406. When Silo looked at the results, he found a small cache
  6407. of blank Microsoft Word templates, including a “malware
  6408. report” form. The templates carried the logo for an
  6409. organization called the National Cyber Forensics and
  6410. Training Alliance in Pittsburgh. Max looked them up; it was
  6411. a fed shop. Someone connected with DarkMarket was
  6412. working for the government.
  6413. Determined to investigate, Max breached DarkMarket
  6414. again through his back door. This time, it was a
  6415. reconnaissance mission. He dropped into a root shell and
  6416. entered a command to bring up the recent login history and
  6417. then started down the list in another window, checking the
  6418. public registration records for each of the Internet IP
  6419. addresses used by the administrators. When he got to
  6420. Master Splyntr, he stopped. The supposedly Polish
  6421. spammer had connected from an IP address belonging to
  6422. a private corporation in the United States called
  6423. Pembrooke Associates.
  6424. He pulled up the Whois.net registration records for the
  6425. company’s website, Pembetal.com. The mailing address
  6426. listed was a PO box in Warrendale, Pennsylvania, twenty
  6427. miles north of Pittsburgh. There was also a phone number.
  6428. Another click of his mouse, another browser window—
  6429. the reverse white pages at Anywho.com. He entered the
  6430. phone number and this time got a real street address: 2000
  6431. Technology Drive, Pittsburgh, Pennsylvania.
  6432. It was the address he’d already found for the National
  6433. Cyber Forensics and Training Alliance. Master Splyntr was
  6434. a fed.
  6435.  
  6436. 28
  6437. Carder Court
  6438. Keith Mularski was screwed.
  6439. He got the word first from an agent at the Secret Service
  6440. field office across town. “I think you may be in some
  6441. trouble.” One of their myriad informants heard that Iceman
  6442. had uncovered incontrovertible proof that Master Splyntr
  6443. was either a snitch, a corporate security spy, or a federal
  6444. agent. Iceman had forged a temporary alliance with his
  6445. sometime enemy Silo and was preparing a comprehensive
  6446. presentation for the leadership of Carders Market and
  6447. DarkMarket. Iceman and Silo were going to put Master
  6448. Splyntr on trial.
  6449. It had begun with Silo’s code. Master Splyntr’s reputation
  6450. as a spammer and programmer made him DarkMarket’s
  6451. go-to guy for malware reviews. It was one of the perks of
  6452. his undercover operation: Mularski got the first look at the
  6453. underground’s latest attack code and could pass it to
  6454. CERT, who would in turn give it to all the antivirus
  6455. companies. The malicious code would be detectable even
  6456. before it went on the black market.
  6457. This time, Mularski had assigned the code as a training
  6458. exercise to one of the CMU students interning at NCFTA.
  6459. As standard procedure, the student ran the program
  6460. isolated in a virtual machine—a kind of software petri dish
  6461. that could be scrubbed afterward. But he forgot that he had
  6462. a thumb drive in the USB port. The drive was loaded with
  6463. blank malware report forms containing the NCFTA logo
  6464. and mission statement. Before the intern realized what was
  6465. happening, the documents were in Silo’s hands.
  6466. Six DarkMarket admins and moderators had gotten a
  6467. copy of Silo’s code. Now the Canadian knew that one of
  6468. them was a fed.
  6469. Silo was a wild card. In real life, he was Lloyd Liske, a
  6470. Vancouver auto shop manager and credit card forger
  6471. who’d been busted a few months after Operation Firewall.
  6472. When he was sentenced to eighteen months of house
  6473. arrest, Liske changed his surname from Buckell and his
  6474. handle from Canucka, and reemerged in the carding
  6475. scene.
  6476. Now the Canadian was untouchable. It was widely known
  6477. in law enforcement circles that Silo was an informant for the
  6478. Vancouver Police Department. That’s why he was always
  6479. back-dooring other hackers: The Trojan horse that
  6480. infiltrated NCFTA wouldn’t have been intended to expose a
  6481. law enforcement operation; it was just Silo trying to gather
  6482. intelligence on DarkMarket members for the police.
  6483. Silo had no allegiance to the FBI, but he probably
  6484. wouldn’t have gone out of his way to expose a bureau
  6485. undercover operation. Unfortunately, Iceman had learned
  6486. about the discovery and staged his reconnaissance raid on
  6487. DarkMarket. That’s where Mularski’s own personal
  6488. screwup came into play. He normally logged in to
  6489. DarkMarket through his KIRE shell, hiding his location. But
  6490. JiLsi was a demanding boss, constantly hitting Master
  6491. Splyntr with maintenance tasks—like swapping in a new
  6492. banner ad—that simply had to be performed at once.
  6493. Sometimes KIRE was down when Mularski got one of
  6494. these requests, and he’d take a shortcut and log in directly.
  6495. Iceman had caught him.
  6496. Even then, he should have been relatively safe. The office
  6497. broadband service was set up under the name of a dummy
  6498. corporation, with a phone number that rang to an
  6499. unanswered VoIP line in the communications room. The
  6500. phone line was supposed to be unlisted. Somehow, though,
  6501. it wasn’t, and Iceman had gotten the address and
  6502. recognized it as the NCFTA’s.
  6503. Mularski walked hurriedly to the communications room,
  6505. swiped his access card, keyed in the door code, and
  6506. locked himself inside. He picked up the secure line to
  6507. Washington. The FBI agent didn’t sugarcoat his report to
  6508. the brass. After all his work winning undercover authority to
  6509. take over DarkMarket, getting a buy-in from senior Justice
  6510. Department and bureau officials, Iceman was going to blow
  6511. them out of the water just three weeks into the operation.
  6512. Max struggled with how to handle the exposé—after his
  6513. attacks on DarkMarket, he knew his findings would be
  6514. viewed as partisan mudslinging. He considered shuttering
  6515. Carders Market before exposing Master Splyntr, to avoid
  6516. the perception that the whole thing was just another volley in
  6517. the carding wars. Instead, he decided to send his new
  6518. lieutenant, Th3C0rrupted0ne, to represent his site.
  6519. The trial was held over Silo’s “Carder IM”—a free,
  6520. supposedly encrypted instant messaging program the
  6521. Canadian hacker offered as an alternative to AIM and ICQ,
  6522. supported by display ads for dumps vendors. Matrix001
  6523. showed up from the DarkMarket side—JiLsi was busy with
  6524. the fallout from Max’s attack on Mazafaka. Silo and two
  6525. other Canadian carders were also present. Silo opened the
  6526. meeting by handing out a compressed RAR file containing
  6527. the evidence gathered by him and Iceman.
  6528. When some of the carders opened the file, their antivirus
  6529. software went wild. Silo had back-doored the evidence; not
  6530. a promising start to a summit meeting.
  6531. C0rrupted and Silo walked them through the case: Silo’s
  6532. document templates showed that someone at NCFTA held
  6533. a privileged position on DarkMarket, and the access logs
  6534. Iceman had stolen proved that Master Splyntr was the mole.
  6535. “One hundred percent undeniable proof,” wrote
  6536. C0rrupted. “We worked hard to try and make peace, and if
  6537. we go public LE [law enforcement] is going to come after
  6538. us HARD. But if we don’t say anything, we are responsible
  6539. for all those who get fucked over.”
  6540. “This is for real dude,” said Silo.
  6541. Matrix was unconvinced. He ran his own Whois on the
  6542. Pembrooke Associates domain name and got back an
  6543. anonymous listing through Domains by Proxy: no street
  6544. address, no phone number. “Blah,” Matrix typed. “You did
  6545. not even verify the whois info and the company, did you?
  6546. Who passed you that stuff?”
  6547. “That’s not my stuff,” wrote Silo. “That’s Iceman.”
  6548. “So you believe every shit which is pasted to you?
  6549. Without even verifying it?”
  6550. Silo’s evidence was no more convincing to Matrix: The
  6551. NCFTA templates contained spelling and formatting errors
  6552. —would the FBI, or a nonprofit security group, really do
  6553. such shoddy work? Moreover, Iceman’s contempt for
  6554. DarkMarket was well-known, and Silo was a constant
  6555. annoyance on the board.
  6556. The conversation grew heated. C0rrupted dropped out,
  6557. and the others fell silent while Silo and Matrix began
  6558. exchanging insults. “What in the whole world should make
  6559. me trust you?” asked Matrix.
  6560. “Don’t,” Silo finally said. “Don’t trust me. Get the fuck off
  6561. my IM … Go get busted.”
  6562. Mularski was excluded from the meeting, but when it
  6563. concluded, Matrix sent Master Spyntr a transcript. The
  6564. agent was pleased to see his last-minute cleanup had
  6565. worked: As soon as he’d learned about Iceman’s plans to
  6566. expose him, he’d contacted the domain registrar and got
  6567. the company to scrub the Pembrooke Associates name
  6568. and phone number from the records. Then he asked
  6569. Anywho to take out its listing for the undercover phone line.
  6570. The cover-up was sure to convince Iceman all the more that
  6571. Master Splyntr was a fed, but nobody else was able to
  6572. independently verify his findings.
  6573. Now Mularski went into spin control over ICQ. He told
  6574. Matrix and anyone else who’d listen that he was innocent.
  6575. He directed the carders’ attention to the logs, highlighting
  6576. all the occasions he’d logged in from KIRE’s IP address.
  6577. all the occasions he’d logged in from KIRE’s IP address.
  6578. Those are my logins, he wrote. I don’t know who those other
  6579. logins are.
  6580. Then he spun and attacked. The doubt Iceman had sown
  6581. about JiLsi worked to his advantage. Things were going
  6582. crazy, he wrote. JiLsi had been acting suspiciously. For
  6583. one thing, he’d instructed Master Splyntr not to tell anyone
  6584. that he was running the server. And while JiLsi cultivated
  6585. the impression that DarkMarket was hosted in a country out
  6586. of reach of western law enforcement, he was actually
  6587. hosting it in Tampa, Florida, where the feds could just waltz
  6588. in any time and serve a search warrant. It was odd behavior
  6589. indeed.
  6590. JiLsi protested his innocence, but it was looking bad for
  6591. him. Master Splyntr publicly thanked Iceman for bringing the
  6592. matter to his attention and said he’d move DarkMarket out
  6593. of the United States at once.
  6594. Mularski reached out to law enforcement contacts in
  6595. Ukraine, and they helped him quickly get hosting there. In
  6596. the blink of an eye, DarkMarket was in Eastern Europe.
  6597. Most of the carders had to agree that no fed would move a
  6598. sting site to a former Soviet state.
  6599. There was no formal verdict, but a consensus formed that
  6600. Master Splyntr was innocent. They weren’t too sure about
  6601. JiLsi.
  6602. When the controversy subsided, Mularski returned to the
  6603. routine business of running his undercover operation. He
  6604. was at his desk filling out reports a couple of weeks later
  6605. when he got a call from another agent.
  6606. Special Agent Michael Schuler was a legend among the
  6607. bureau’s cybercrime agents. It was he who’d hacked into
  6608. the Russians’ computers in the Invita sting. Now stationed
  6609. in the Richmond, Virginia, field office, Schuler was calling
  6610. about a breach at nearby Capital One. The bank’s security
  6611. officials had detected an attack using an Internet Explorer
  6612. exploit. They’d sent Schuler a copy of the code, and he
  6613. wanted Mularski to get one of the NCFTA’s geeks to take a
  6614. look at it.
  6615. Mularski listened as Schuler described his investigation
  6616. to date. He’d focused on the fake news website,
  6617. Financialedgenews.com, used to deliver the malware. The
  6618. domain was registered to a false identity in Georgia. But
  6619. when the registrar, Go Daddy, checked its records, it found
  6620. the same user had once registered another address
  6621. through the company.
  6622. Cardersmarket.com.
  6623. Mularski recognized the significance at once. Iceman
  6624. positioned himself as the innocent operator of a website
  6625. that happened to discuss illegal activity. Now Schuler had
  6626. evidence that he was also a profit-oriented hacker, one
  6627. who’d broken into the network of the fifth-largest credit card
  6628. issuer in America. “Dude, you got the case!” Mularski
  6629. laughed. “You got the case right now on the guy we were
  6630. just trying to target on our Group II. We’ve got to work
  6631. together on this.”
  6632. Across town, Secret Service agents at the Pittsburgh
  6633. field office had made a discovery of their own about
  6634. Iceman: An informant tipped them off that Carders Market’s
  6635. kingpin had a second identity as the dumps vendor Digits.
  6636. Four days after the USA Today article, the agents
  6637. exploited that knowledge by having a second snitch make a
  6638. controlled buy from Digits: twenty-three dumps for $480 in
  6639. e-gold.
  6640. It was more than they needed for a felony charge.
  6641.  
29
One Plat and Six Classics

Keith Mularski hadn’t known what he was in for when he took over DarkMarket.

His days were crazy now. He’d start at eight in the morning, logging in to his undercover computer at the office and checking for overnight ICQ messages—any urgent business for Master Splyntr. Then he’d hit DarkMarket and make sure it was up and running. It was always hit-or-miss with Iceman on the loose.

Next came the drudgery of backing up the SQL database. Iceman had somehow dropped the tables twice since his failed attempt to expose Mularski, so now the backups were a part of Mularski’s morning routine. They served an investigative function as well: While the database was being copied, a simple script authored by an NCFTA coder scanned every line for sixteen-digit numbers beginning with the numerals 3 through 6. The stolen credit card numbers would be automatically sorted by BIN and sent to the proper banks for immediate cancellation.
Next, Mularski had to review all the private messages, pick out the interesting chats, and check them into the FBI’s central ELSUR electronic surveillance database. An hour or two of report writing followed. As Master Splyntr, Mularski had begun his own modest cash-out operation. Some banks had agreed to issue him disposable dumps as bait, with fake names but real lines of credit that the FBI would cover out of its investigative budget. Mularski handed them out with PINs to carders around the country, while the financial institutions reported back daily on where and when each withdrawal took place. Mularski had to pass the information to the local agents in whatever city his cashers were operating from, which meant writing up a detailed memo each time.

At three, when the carders came online in force, Mularski’s second life shifted into high gear. Everyone wanted something from Master Splyntr. There were disputes to settle, like a dumps vendor complaining that his ad wasn’t displayed as prominently as a competitor’s, or a vendor facing accusations of ripping off a customer. Beggars approached him asking for free dumps or spamming services.

Mularski went home at the end of the day, only to log on again. Keeping his credibility as Master Splyntr meant he had to work the same hours as a real carder, so every night saw Mularski on the sofa at home, the television turned to whatever was on, his laptop open and online. He was on DarkMarket, and AIM, and ICQ, answering questions, assigning reviewers, approving vendors, and banning rippers. He stayed online and in character until two in the morning, nearly every day, dealing with the underground.

To ingratiate himself to his primary targets, he’d give them gifts or sell them discounted merchandise, supposedly purchased with stolen credit cards but actually paid for by the bureau. Cha0, a Turkish crime boss and DarkMarket admin, coveted an $800 lightweight PC sold in the States, so Mularski shipped two of them off to Cha0’s drop address in Turkey. Playing Santa Claus was in his job description now: He had to appear to be running ops and making money, and he sure as hell wasn’t going to spam anyone.

Being a cybercrime boss, he was discovering, was hard work.

When he traveled or vacationed, he had to let the forum know in advance—even a brief unexplained absence would invite suspicion that he’d been busted and turned. In January 2007, he let the board know that he’d be on a plane for a while. He didn’t say where or why. He was going to Germany to talk with prosecutors about DarkMarket’s cofounder Matrix001.

Among other things, Matrix001 was DarkMarket’s resident artist par excellence. He created and sold Photoshop templates used by forgers to produce credit cards or fake ID. He had them all: Visa, MasterCard, American Express, Discover, the U.S. Social Security card, notary seals, and driver’s licenses for several states. His template for an American passport sold for $45. A Bank One Visa was $125.

Matrix001 and Master Splyntr had grown tight since the attempted exposé three months earlier: Mularski and the German both liked video games, and they chatted about the latest titles well into the night. They talked business, too, and Matrix001 had confided that he received wire transfers for some of his sales in the town of Eislingen in southern Germany. That was the first clue to tracking him down.

From there, it was a matter of following the money. Like virtually all carders, Matrix preferred to be paid by e-gold, an electronic payment system created by a former Florida oncologist named Douglas Jackson in 1996. A competitor to PayPal, e-gold was the first virtual currency backed by deposits of actual gold and silver bullion held in bank vaults in London and Dubai.

It had been Jackson’s dream to forge a true international monetary system independent of any government. Criminals loved it. Unlike a real bank, e-gold took no measures to verify the identity of its users—account holders included “Mickey Mouse” and “No Name.” To get money in or out of e-gold, users availed themselves of any of hundreds of independent e-gold exchangers around the world, businesses that would accept bank transfers, anonymous money orders, or even cash in hand and convert it to e-gold for a cut. Exchangers took another slice when a user wanted to convert in the other direction, changing the virtual money into the local currency or receiving it by Western Union, PayPal, or wire transfer. One company even offered a preloaded ATM card—the “GCard”—that would let account holders withdraw their e-gold from any cash machine.

By all evidence, criminals were e-gold’s bread and butter. By December 2005, the company’s internal investigations had identified more than three thousand accounts involved in carding, another three thousand used for buying and selling child porn, and thirteen thousand accounts linked to various investment scams. They were easy enough to spot: the “memo” field in child porn transactions would read, for example, “Lolita”; in Ponzi schemes, “HYIP,” for “high-yield investment program.” Carders included shorthand descriptions of what they were buying: “For 3 IDs”; “for dumps”; “10 classics”; “Fame’s dumps”; “10 M/C”; “one plat and six classics”; “20 vclassics”; “18 ssns”; “10 AZIDs”; “4 v classics”; “four cvv2s”; “for 150 classics.”

For a long time, e-gold largely turned a blind eye to the criminal trade; employees locked down some accounts used by child porn sellers but didn’t stop them from transferring out their money. But the company’s attitude changed dramatically in December 2005, when FBI and Secret Service agents executed a search warrant at e-gold’s Melbourne, Florida, offices and accused Jackson of running an unlicensed money transfer service.

Jackson began voluntarily searching his database for signs of criminality and sending tips to the only agency that wasn’t trying to put him in jail, the U.S. Postal Inspection Service. His newfound commitment to law and order was a boon to Mularski. Through Greg Crabb and his team at the post office, Mularski asked Jackson for information about Matrix001’s e-gold account, which was under the alias “Ling Ching.” When Jackson looked in his database, he found that the account had originally been set up under another name: Markus Kellerer, with a street address in Eislingen. In November, Mularski sent a formal request for assistance to the German national police through the U.S. consulate in Frankfurt. The police confirmed that Kellerer was a real person and not just another alias, and Mularski booked his flight to Stuttgart.

Matrix001 would be the first arrest from the DarkMarket sting. Mularski would have to find someone else to chat with about video games.

• • •

Once he was back in Pittsburgh, Mularski began working a new, farfetched theory about Iceman. He’d been running down every “Iceman” he could find—there’d been an Iceman on Shadowcrew and others on IRC. They always turned out to be red herrings. Now Mularski was toying with the idea that his Iceman didn’t really exist.

It was Iceman’s supposed collaboration with the Canadian informant Lloyd “Silo” Liske that intrigued him. Silo had worked with Iceman to try to expose Mularski. That, in itself, didn’t mean much—informants often call out suspected cops and snitches to deflect suspicion from themselves. But Silo had told his handler at the Vancouver Police Department that he’d hacked Iceman’s computer, yet when push came to shove, he couldn’t produce Iceman’s real name or even a good Internet IP address. And it turned out that Silo had dozens of e-gold accounts—one of them under the name “Keyser Söze.”

If Liske was a fan of The Usual Suspects, it might occur to him to create a phantom criminal mastermind and then feed law enforcement false information about the supposed kingpin in his role as an informant.

Mularski flew to Washington and presented his theory to the Secret Service at their headquarters. It was shot down at once. They were working closely with Silo’s handler at the Vancouver Police Department, and they knew Silo as one of the good guys.

The Secret Service had run down some false leads themselves. In a lab in the Pittsburgh field office, the agents had a whiteboard scrawled with handles and names connected by squiggles and lines. Many of the names were crossed out. It was their ever-changing road map to Iceman and his world.

Mularski returned to Pittsburgh, and both agencies resumed their search for the real Keyser Söze of the cyberworld—the elusive hacking kingpin Iceman.

30
Maksik

Max could see what was coming. With an FBI agent at the helm, DarkMarket was going to put a lot of carders in prison. But like Cassandra from Greek mythology, he was cursed to know the future and have nobody believe him.

Between the USA Today article and his failed attempt to expose Master Splyntr, Max could feel the heat coming at him. In November, he declared Iceman’s retirement and made a show of handing control of the site to Th3C0rrupted0ne. He secluded himself while things cooled down and three weeks later took back the board under another handle. Iceman was dead; long live “Aphex.”

Max was getting tired of the tight quarters at the Post Street Towers, so Chris brought Nancy, one of his cashers, up to San Francisco to rent Max a one-bedroom at Archstone’s towering Fox Plaza corporate apartment complex in the financial district. She posed as a sales representative at Capital Solutions, a corporate front Aragon used to launder some of his income. Tea, back from her trip to Mongolia, was conscripted to sit in the apartment and accept delivery of a bed, paid for with her legitimate American Express card. Chris reimbursed her afterward.

By January 2007, Max was back in business at his new safe house, with a stew of Wi-Fi brewing outside. Fox Plaza was a giant step up in luxury from the Post Street Towers, but Max could afford it—he could pay a month’s rent with a couple of good days of dumps vending. As Digits, Max was now regarded by some carders as the second-most-successful magstripe vendor in the world.

The number one spot was firmly occupied by a Ukrainian known as Maksik. Maksik operated outside the carding forums, running his own Web-based dispensary for his stolen cards at Maksik.cc. Buyers would begin by sending Maksik upfront money by e-gold, WebMoney, wire transfer, or Western Union. That would buy them access to his website, where they could select the dumps they wanted by BIN and type of card and place an order. On his end, Maksik would press a button to approve the transaction, and the buyer would get an e-mail with the dumps he’d ordered, straight from Maksik’s massive database of stolen cards.

Maksik’s wares were phenomenal, with a high success rate at the register and a mammoth selection of BINs. Like Max’s, Maksik’s cards came from swipes at point-of-sale terminals. But instead of targeting scores of small stores and restaurants, Maksik got his cards from a smaller number of giant targets: Polo Ralph Lauren in 2004; Office Max in 2005. In three months, Discount Shoe Warehouse lost 1.4 million cards taken from 108 stores in 25 states—straight into Maksik’s database. In July 2005, a record-breaking 45.6 million dumps were stolen from the TJX-owned retail chains T. J. Maxx, Marshalls, and HomeGoods.

There was a time when such breaches might have remained a secret between the hackers, the companies, and federal law enforcement—with the victim consumers kept in the dark. To encourage companies to report breaches, some FBI agents had an unofficial policy of keeping company names out of indictments and press releases, protecting corporations from bad publicity over their shoddy security. In the 1997 Carlos Salgado Jr. case—the first large-scale online credit card heist—the government persuaded the sentencing judge to permanently seal the court transcripts, for fear the targeted company would suffer “loss of business due to the perception by others that computer systems may be vulnerable.” Consequently, the eighty thousand victims were never notified that their names, addresses, and credit card numbers had been offered for sale on IRC.

In 2003, the state of California effectively ended such cover-ups when the legislature enacted SB1386, the nation’s first compulsory breach-disclosure law. The law requires hacked organizations doing business in the Golden State to promptly warn potential identity theft victims of a breach. In the years that followed, forty-five other states passed similar legislation. Now no significant breach of consumer data remains a secret for long, once detected by the company and the banks.

The headlines over the giant retail breaches only added luster to Maksik’s product—he didn’t try to hide the fact that he was vending the dumps from the retail chains. When the TJX attack made news in January 2007, the details that emerged also confirmed what many carders already suspected: the Ukrainian had a stateside hacker supplying him with dumps. Maksik was a middleman for a mystery hacker in the States.

In mid-2006, the hacker was apparently in Miami, where he parked at two TJX-owned Marshalls outlets and cracked the stores’ Wi-Fi encryption. From there, he hopped on the local network and swam upstream to the corporate headquarters, where he launched a packet sniffer to capture credit card transactions live from the Marshalls, T. J. Maxx, and HomeGoods stores around the country. The sniffer, an investigation would later find, ran undetected for seven months.

Max had a rival in America, and a damn good one.

Thanks in large part to Maksik’s hacker and Max Vision, the popular consumer impression that Web transactions were less secure than real-life purchases was now completely false. In 2007, the majority of compromised cards were stolen from brick-and-mortar retailers and restaurants. The large retail intrusions were compromising millions of cards at a time, but breaches at smaller merchants were far more common—Visa’s analysis found 83 percent of credit card breaches were at merchants processing one million Visa transactions or less annually, with the majority of thefts taking place at restaurants.

Max tried to keep the sources of his dumps a secret, falsely claiming in his forum posts that the data came from credit card processing centers to throw investigators off track. But Visa knew that restaurant point-of-sale terminals were being hit hard. In November 2006, the company issued a bulletin to the food service industry warning about hack attacks unfolding through VNC and other remote-access software. Max, though, continued to find a steady stream of vulnerable eateries.

But for Max, it wasn’t enough. He hadn’t gone into the data-theft business to be second-best. Maksik was costing him money. Even Chris was now buying from both Maksik and Max, going with whichever vendor offered him a good deal on the best dumps.

At Max’s direction, Tea befriended the Ukrainian over the course of months and urged him to start vending on Carders Market. Maksik declined graciously and suggested she visit him sometime in Ukraine. Rebuffed, Max took the gloves off and got Tea to send Maksik a Trojan horse program, hoping to get control of the Ukrainian’s database of dumps. Maksik laughed off the hacking attempt.

If he’d known, Max might have taken comfort in the fact that he wasn’t the only one frustrated by Maksik’s tight security.

Federal law enforcement had been tracking Maksik since his rise to infamy in the wake of Operation Firewall. An undercover Secret Service agent had been buying dumps from him. Postal Inspector Greg Crabb had worked with law enforcement in Europe to bust carders who’d done business with Maksik, and he shared the resulting information with the Ukrainian national police. In early 2006, the Ukrainians finally identified Maksik as one Maksym Yastremski, from Kharkov. But they didn’t have enough evidence to make an arrest.

The United States refocused on identifying Maksik’s hacking source. E-gold once again provided the entry point. The Secret Service analyzed Maksik’s accounts in the e-gold database and found that between February and May 2006, Maksik had transferred $410,750 out of his account to “Segvec,” a Mazafaka dumps vendor generally thought to be in Eastern Europe. An outward transfer implied Segvec wasn’t one of Maksik’s customers but a supplier getting his cut.

The feds got a chance at more direct information in June 2006, when Maksik was vacationing in Dubai. Secret Service agents from San Diego worked with local police to execute a “sneak-and-peek” in his room, where they secretly copied his hard drive for analysis. But it was a dead end. The sensitive material on the drive was all encrypted with a program called Pretty Good Privacy. It was good enough to stop the Secret Service in its tracks.

Carders like Maksik and Max were at the fore in embracing one of the unheralded gifts of the computer revolution: cryptography software so strong that, in theory, even the NSA couldn’t crack it.

In the 1990s the Justice Department and Louis Freeh’s FBI had tried hard to make such encryption illegal in the United States, fearing that it would be embraced by organized crime, pedophiles, terrorists, and hackers. It was a doomed effort. American mathematicians had decades before developed and published high-security encryption algorithms that rivaled the government’s own classified systems; the genie was out of the bottle. In 1991, a U.S. programmer and activist named Phil Zimmermann had released the free software Pretty Good Privacy, which was available on the Web.

But that didn’t stop law enforcement and intelligence officials from trying. In 1993, the Clinton administration began producing the so-called Clipper Chip, an NSA-developed encryption chip intended for use in computers and telephones and designed with a “key recovery” feature that would allow the government to crack the crypto on demand, with the proper legal authority. The chip was a dismal failure in the marketplace, and the project was dead by 1996.

Then lawmakers began swinging the opposite direction, talking about repealing Cold War–era export regulations that classified strong encryption as a “munition” generally prohibited from export. The regulations were forcing technology companies to keep strong crypto out of key Internet software, weakening online security; meanwhile, overseas companies weren’t bound by the laws and were in position to overtake America in the encryption market.

The feds responded with a draconian counterproposal that would have made it a five-year felony to sell any encryption software in America that lacked a back door for law enforcement and government spies. In testimony to a House subcommittee in 1997, a Justice Department lawyer warned that hackers would be a prime customer of legal encryption and used the Carlos Salgado bust to illustrate his point. Salgado had encrypted the CD-ROM containing the eighty thousand stolen credit card numbers. The FBI had only been able to access it because the hacker gave his supposed buyer the key.

“We were lucky in this case, because Salgado’s purchaser was cooperating with the FBI,” the official testified. “But if we had discovered this case another way, law enforcement could not have penetrated the information on Salgado’s CD-ROM. Crimes like this one have serious implications for law enforcement’s ability to protect commercial data as well as personal privacy.”

But the feds lost the crypto wars, and by 2005 unbreakable crypto was widely available to anyone who wanted it. The predictions of doom had largely failed to materialize; most criminals weren’t tech-savvy enough to adopt encryption.

Max, though, was. If all his tradecraft failed and the feds crashed through his safe house door, they’d find everything he accumulated in his crimes, from credit card numbers to hacking code, scrambled with an Israeli-made encryption program called DriveCrypt—1,344-bit military-grade crypto he’d purchased for about $60.

The government would arrest him anyway, he expected, and demand his passphrase. He would claim to have forgotten it. A federal judge somewhere would order him to disclose the secret key, and he’d refuse. He’d be held on contempt charges for maybe a year and then be released. Without his files, the government wouldn’t have any evidence of his real crimes.

Nothing had been left to chance—Max was certain. He was untouchable.

  7064. 31
  7065. The Trial
  7066. Jonathan Giannone, the Long Island carder Max and
  7067. Chris had discovered as a teenager, was keeping a secret
  7068. from everyone.
  7069. The same day Max had absorbed his competitors,
  7070. Secret Service agents had arrested Giannone at his
  7071. parents’ house for selling some of Max’s dumps to Brett
  7072. Johnson, the Secret Service informant known as Gollumfun.
  7073. Giannone was released on bail, but he told nobody about
  7074. the bust. To him, it was just a bump in the road—how much
  7075. trouble could he really get in for selling twenty-nine dumps?
  7076. The impression that he was facing a slap on the wrist
  7077. was bolstered when the judge in South Carolina lifted his
  7078. travel restrictions a month after his arrest. Giannone
  7079. promptly flew into Oakland Airport on a carding run, and
  7080. Tea picked him up and showed him around. They drove up
  7081. and down the Pacific Coast Highway, and she bought him
  7082. a pizza at Fat Slice on Berkeley’s Telegraph Avenue.
  7083. She’d always found Giannone amusing—a boastful, curly-haired
  7084. white kid with hip-hop sensibilities who’d once
  7085. bragged that he’d beat up a member of the New York Jets
  7086. at a local bar. Now, though, they had something in common:
  7087. Chris had stopped talking to Giannone around the time of
  7088. his arrest, while Tea, for her part, had been ordered to
  7089. return to the Bay Area so she couldn’t make any more
  7090. trouble with Chris’s relationships. Chris had exiled them
  7091. both.
  7092. Chris called Tea while they were hanging out and was
  7093. surprised to hear that Giannone was in town. He had her
  7094. put Giannone on the phone. “So, you take my girls out to
  7095. party now?” he demanded, angry that Giannone was
  7096. forging a relationship with one of his people—perhaps
  7097. courting her for a cashing crew of his own.
  7098. “No, I just happen to be here and I looked her up,”
  7099. Giannone said a little defensively.
  7100. It would be Chris’s and Giannone’s last phone
  7101. conversation. Giannone flew home. He kept in touch with
  7102. Tea, and a few months later, he warned her that he might
  7103. not be a good person to be associating with. He was pretty
  7104. sure he’d been followed on his trip to the Bay Area.
  7105. “I got some heat on me right now,” Giannone said.
  7106. “What kind of heat?” Tea asked. Giannone liked to affect
  7107. an air of danger.
  7108. “I go to trial next week.”
  7109. Federal criminal trials are rare. Faced with the long prison
  7110. terms recommended by rigid sentencing guidelines, most
  7111. defendants opt to take a plea deal in exchange for a slightly
  7112. shortened sentence or limit their exposure by becoming an
  7113. informant. Some 87 percent of prosecutions were resolved
  7114. in this manner in 2006, the year of Giannone’s trial. In
  7115. another 9 percent of the cases, charges were dismissed
  7116. before reaching a trial, the government preferring to drop a
  7117. marginal case rather than risk a loss. Once a jury is seated,
  7118. a defendant’s chances for acquittal are about one in ten.
  7119. But Giannone liked his odds. Most cases don’t hinge on
  7120. the undercover work performed by an active computer
  7121. criminal. Soon after he’d snitched on Giannone, Brett
  7122. “Gollumfun” Johnson had gone on a four-month cross-country
  7123. crime spree, pulling his IRS scam in Texas,
  7124. Arizona, New Mexico, Las Vegas, California, and Florida,
  7125. where he was finally nabbed in Orlando with nearly
  7126. $200,000 stuffed in backpacks in his bedroom. He wouldn’t
  7127. make a very good witness for the prosecution.
  7128. The bailiff passed out pads and pencils to the twelve
  7129. jurors, and the prosecutor began his opening statement,
  7130. adopting a down-home, country tone.
  7131. “I love the Internet,” he said. “The Internet is a fascinating
  7132. thing. It’s a place where we can entertain ourselves; we can
  7133. get information; we can watch videos; we can play games;
  7134. we can buy things. eBay is a great place, you can bid on
  7135. things. If you can think about it, you can buy it on eBay.
  7136. “But, ladies and gentlemen, there’s a side of the Internet
  7137. that we don’t like to think about. There’s kind of a dark
  7138. underbelly to the Internet, one where not trinkets or bobbles
  7139. are bought, sold, and traded. There’s a part of the Internet
  7140. where people’s lives are bought, sold, and traded.…
  7141. “You are going to see that side of the Internet. And I
  7142. suspect that you are never going to look at the Internet
  7143. exactly the same way again.”
  7144. The trial lasted three days. The prosecutor disposed of
  7145. Brett Johnson right out of the gate, acknowledging that
  7146. Gollumfun was a liar and a thief who’d betrayed the trust of
  7147. his Secret Service handlers. That was why the government
  7148. wasn’t calling him to testify. The prosecution’s “star
  7149. witness” would be the computer logs of Giannone’s chats
  7150. with the informant. The record would speak for itself.
  7151. Giannone’s lawyer did his best to attack the logs.
  7152. “Machines make mistakes.” He argued that because the
  7153. stolen credit cards were never fraudulently used, there were
  7154. no victims. He reminded the jurors that nobody died or
  7155. suffered physical harm.
  7156. After one day of deliberation, the verdict came in: guilty.
  7157. The first federal trial of the carding underground was over.
  7158. The judge ordered Giannone taken into custody.
  7159. A week later, Giannone was summoned from his cell at
  7160. the Lexington County Jail. He instantly recognized the
  7161. Secret Service agents waiting by the sally port, two steel
  7162. doors away from freedom; the two men had been
  7163. Johnson’s handlers, and they’d testified at Giannone’s trial.
  7164. “We want to know who this guy Iceman is,” one of them
  7165. said.
  7166. “Who’s Iceman?” Giannone answered innocently.
  7167. The situation was serious, the agents said; they’d
  7168. learned that Iceman had threatened to kill the president.
  7169. Giannone asked for his lawyer, and the agents phoned him
  7170. on the spot. The attorney consented to an interview in the
  7171. hope of winning leniency for his client at sentencing.
  7172. In a series of meetings over the next three weeks, the
  7173. agents pulled Giannone out of jail again and again, shuttling
  7174. him to the same field office where Gollumfun had
  7175. orchestrated his downfall. Unlike most carders, Giannone
  7176. had held his mud at his arrest and taken a chance on a trial
  7177. instead of cutting a snitch deal. But now he was looking
  7178. down the barrel of a five-year sentence. He was only
  7179. twenty-one years old.
  7180. Giannone told them everything he knew: Iceman lived in
  7181. San Francisco, did a brisk business in dumps, sometimes
  7182. used the aliases Digits and Generous to sell his goods. He
  7183. used hacked Wi-Fi to cover his tracks. A Mongolian
  7184. woman called Tea was his Russian translator.
  7185. Most crucially, he had a partner named Christopher
  7186. Aragon in Orange County, California. You want Iceman?
  7187. Get Chris Aragon.
  7188. The revelations electrified the agents tracking Iceman.
  7189. When Keith Mularski typed Chris Aragon’s name into the
  7190. FBI’s case management system, he found Werner Janer’s
  7191. 2006 proffer sessions, in which he’d named Chris’s dumps
  7192. supplier as a tall, ponytailed man he knew as “Max the
  7193. Hacker.” It got better. Way back in December 2005, Jeff
  7194. Norminton had been arrested for receiving Janer’s wire
  7195. transfer on behalf of Aragon. He’d told the FBI about
  7196. introducing Aragon to the superhacker Max Butler after his
  7197. release from Taft. The interviewing agent was only
  7198. interested in real estate fraud and hadn’t pursued the lead.
  7199. Now Mularski and his Secret Service counterparts had a
  7200. name. Giannone’s statements confirmed it. Iceman had told
  7201. Giannone that he was once raided as a suspect in the Half-
  7202. Life 2 source-code theft. Mularski ran another search and
  7203. saw there were only two U.S. search warrants executed in
  7204. that investigation: one against Chris Toshok, and one
  7205. against Max Ray Butler.
  7206. Iceman’s identity had been hidden in the government’s
  7207. computers all along. Giannone had given them the
  7208. password to unlock it.
  7209. Knowing Iceman’s identity wasn’t the same as proving it,
  7210. though. The feds had enough for a search warrant, but they
  7211. didn’t have the location of Max’s safe house. Worse,
  7212. Giannone had tipped them that Iceman used DriveCrypt.
  7213. That meant that even if they tracked down Max’s address,
  7214. they couldn’t count on finding evidence on his hard drive.
  7215. They could bust down Max’s door, then watch him walk out
  7216. of a courtroom twenty-four hours later on bail or a signature
  7217. bond. With an international network of fake ID vendors and
  7218. identity thieves at his beck and call, Max might vanish,
  7219. never to be seen again.
  7220. They needed to sew up the case before making a move.
  7221. Mularski decided Chris Aragon was the key. Thanks to
  7222. Norminton, they knew all about the wire transfer and real
  7223. estate fraud scheme he’d profited from almost five years
  7224. earlier. If they could nail Aragon for that, they could press
  7225. him to cooperate against Max.
  7226. Unaware of the net tightening around him, Max continued
  7227. his round-the-clock management of Carders Market as
  7228. “Aphex.” Not that his new identity was really fooling anyone.
  7229. He couldn’t resist carrying Iceman’s campaign against
  7230. DarkMarket’s leaders into his new persona, calling them
  7231. “idiots and incompetents” and circulating the evidence he’d
  7232. gathered against Master Splyntr. He was astonished that
  7233. so many people didn’t believe him. “DarkMarket is founded
  7234. and run by NCFTA/FBI for Christ sake!”
  7235. Th3C0rrupted0ne believed Max and gave up his status
  7236. on DarkMarket to work as a full-time admin on Max’s board
  7237. —he was devoting fourteen hours a day to the site now. But
  7238. Max didn’t trust him either. It was well-known that C0rrupted
  7239. lived in Pittsburgh, the home of the NCFTA.
  7240. Max had developed a new test function for possible
  7241. informants, and in March he’d tried it out on the carder,
  7242. announcing out of the blue that he was working with a
  7243. terrorist cell “and we should have a shot at killing President
  7244. Bush this coming weekend.” If C0rrupted was a fed, he’d
  7245. be obliged to discourage the notional assassination plot,
  7246. Max figured, or he’d ask for more details.
  7247. C0rrupted’s response briefly assuaged Max’s doubts.
  7248. “Good luck with the president thing. Make sure you get the
  7249. vice president as well. He is no better.”
  7250. There was a lot of work to do on the board. Carders
  7251. Market was hopping, with over a dozen specialized
  7252. vendors: DataCorporation, Bolor, Tsar Boris, Perl, and
  7253. RevenantShadow sold credit card numbers with CVV2s,
  7254. stolen variously from the United States, UK, and Canada;
  7255. Yevin vended California driver’s licenses; Notepad would
  7256. check the validity of dumps for a small fee; Snake Solid
  7257. moved U.S. and Canadian dumps; Voroshilov offered
  7258. identity thieves a service that could obtain a victim’s Social
  7259. Security number and date of birth; DelusionNFX vended
  7260. hacked online banking logins; Illusionist was Carders
  7261. Market’s answer to JiLsi, selling novelty templates and
  7262. credit card images; Imagine competed with EasyLivin’ in
  7263. the plastics trade.
  7264. Max tried to run a tight ship—a “military base,” one
  7265. carder critic groused. As in his white-hat days, he prized
  7266. intellectual honesty, refusing to grant special favor to even
  7267. his closest allies.
  7268. In April, C0rrupted prepared a review of Chris’s latest
  7269. generation of “novelty” IDs and plastics. He found them
  7270. wanting—for one thing, the signature strips were printed
  7271. right on the cards; you had to sign them with a felt-tip. He
  7273. thought the products were worth five stars out of ten, but he
  7274. asked Max if he should fluff his findings a little. “I know you
  7275. and Easylivin’ are close, so I wanted to know if I should post
  7276. a true opinion review about these things that I felt, or if I
  7277. should not be so harsh?”
  7278. “I think definitely post the truth, and if possible back it up
  7279. with pics etc.,” Max wrote back. “I am tight with Easylivin’,
  7280. but I think the truth is more important. Besides, if he is
  7281. covered for, and continues to ship poor quality (damn … it’s
  7282. really that bad?) then it will reflect badly on you and Carders
  7283. Market.”
  7284. A bad review would cost Chris money. But Max didn’t
  7285. hesitate when it came to the integrity of his crime site.
  7286.  
  7287. 32
  7288. The Mall
  7289. Chris pulled his Tahoe into the garage at Fashion Island
  7290. Mall in Newport Beach, parked, and got out with his new
  7291. partner, twenty-three-year-old Guy Shitrit. They walked
  7292. toward the Bloomingdale’s, fake American Express cards
  7293. in their wallets.
  7294. Originally from Israel, Shitrit was a handsome guitar
  7295. player and ladies’ man whom Chris had met on Carders
  7296. Market. Shitrit had been running a skimming operation in
  7297. Miami, recruiting professional strippers at work and
  7298. equipping them with exceedingly small skimming devices
  7299. to steal patrons’ magstripe data. When the strip-club
  7300. managers found out, Shitrit had to get out of town in a hurry.
  7301. He’d landed in Orange County, where Chris hooked him up
  7302. with a fake ID, a rental car, and an apartment at the
  7303. Archstone. Then they hit the stores.
  7304. Chris was close now, so close, to getting out. His wife,
  7305. Clara, had brought in $780,000 on eBay in a little over
  7306. three years: 2,609 Coach bags, iPods, Michele watches,
  7307. and Juicy Couture clothes. She had an employee working
  7308. twenty hours a week just shipping the ill-gotten
  7309. merchandise. Chris added to the take with his sales of
  7310. plastics and novelties on Carders Market, an enterprise
  7311. that wasn’t helped by Th3C0rrupted0ne’s nitpicking review.
  7312. Max, he felt, was ignoring the Whiz List, their blueprint for
  7313. building one big score and getting out. Chris had finally
  7314. figured it out: Max didn’t want to quit. He liked hacking; it
  7315. was all he wanted to do. So screw him. Chris had his own
  7316. exit strategy in place. He’d poured his profits into an
  7317. enterprise for Clara, a denim fashion company called
  7318. Trendsetter USA that already employed several full-time
  7319. workers at a bright, pleasant office in Aliso Viejo.
  7320. Eventually, he was certain, it would be profitable. And 100
  7321. percent legit.
  7322. Until then, he’d be busy.
  7323. Shitrit was a clotheshorse, and they’d already
  7324. squandered some of their stolen credit on men’s clothing
  7325. for him. On this visit, they’d stay focused. They walked into
  7326. the air-conditioned coolness of the Bloomingdale’s and
  7327. made a beeline for Ladies’ Handbags. The Coach purses
  7328. rested on small shelves along one wall, individually spotlit
  7329. like museum exhibits. Chris and Guy each picked some out
  7330. and went to the register. After some swipes at the point-of-sale
  7331. terminal, they were headed for the door with $13,000
  7332. worth of Coach in their hands.
  7333. Chris was breaking his own rules by going in-store
  7334. himself, but his crew was suddenly thinning. Nancy, who’d
  7335. helped set up Max’s new safe house, had since moved to
  7336. Atlanta and was doing only a little cashing there. Liz was
  7337. becoming paranoid—she was constantly accusing Chris of
  7338. ripping her off, conveying her displeasure in meticulous,
  7339. hand-drawn spreadsheets summing up how much Chris
  7340. owed her for each in-store appearance: $1,918 from a trip
  7341. to Vegas; $674 for iPods and GPS systems; $525 for four
  7342. Coach purses worth $1,750. The “amount paid to me”
  7343. column was zeroes all the way down. In the meantime, his
  7344. newest recruit, Sarah, was balking at big-ticket items,
  7345. though she was still useful for running errands. On
  7346. Valentine’s Day she bought Chris’s presents for his wife
  7347. and his girlfriend.
  7348. With the demands of vending, starting a legitimate
  7349. business, and trying to resuscitate his crew, Chris now
  7350. found it more efficient to pay someone else to make his
  7351. plastic. He’d met Federico Vigo at UBuyWeRush. Vigo
  7352. was looking for a way to pay down a $100,000 debt to the
  7353. Mexican Mafia, after accepting that amount in front money
  7354. to import a pallet of ephedra from China, only to have the
  7356. product intercepted at the border. Chris put him to work.
  7357. The counterfeiting gear was moved from the Tea House to
  7358. Vigo’s office in Northridge, and one of Chris’s gophers was
  7359. running out to the Valley a couple of times a week to collect
  7360. the latest batch of credit cards hot off the presses, paying
  7361. Vigo $10 for each card.
  7362. Chris and Guy left the Bloomingdale’s and kept their
  7363. unhurried pace back to the SUV. Chris popped the back
  7364. and found a place for the new purchases amid a dozen
  7365. plain brown department store bags already jostling for
  7366. space, each filled with purses, watches, and a smattering
  7367. of men’s clothing. He closed up; they got into the car and
  7368. started planning their next stop.
  7369. They were still planning when a white police cruiser
  7370. zoomed into the garage. It stopped near them and
  7371. disgorged two uniformed Newport Beach Police
  7372. Department officers.
  7373. Chris’s heart sank. Another bust.
  7374. The police booked Chris at the Newport Beach Police
  7375. Station just down the road from the mall, then searched his
  7376. car, turning up seventy credit cards and small amounts of
  7377. Ecstasy and Xanax. Once he was fingerprinted, Chris was
  7378. ushered into an interrogation room, where Detective Bob
  7379. Watts handed him a Miranda waiver.
  7380. Chris signed and launched into the same basic story that
  7381. had gotten him out of serious trouble in San Francisco a
  7382. few years earlier. He promptly admitted his real name and
  7383. confessed with evident shame to using counterfeit credit
  7384. cards at Bloomingdale’s and elsewhere. It was the
  7385. economy, he said. He’d worked in the mortgage industry
  7386. and was hit hard when the real estate market collapsed.
  7387. That’s when the head of an Orange County carding ring
  7388. recruited him to card merchandise for a small percentage
  7389. of the profits. He was just a mule.
  7390. It was a familiar tale to Watts, who’d busted low-level
  7391. cashers before. It even explained Aragon’s amateurish
  7392. Bloomingdale’s run—gobbling up thousands of dollars’
  7393. worth of Coach bags at once. Bloomingdale’s security
  7394. people didn’t like to upset the store’s customers, so when
  7395. they had a suspicious one, they normally called Watts or his
  7396. partner, who’d arrange for a discreet traffic stop on a
  7397. “vehicle code violation” to check out the suspect away from
  7398. the store. If the shopper was innocent, they’d never know
  7399. that Bloomingdale’s had called the cops on them. Chris’s
  7400. and Shitrit’s behavior, though, was so blatant that the store
  7401. had no worries that they might be innocent. The security
  7402. team called the police dispatch desk directly to make sure
  7403. the men didn’t get out of the parking lot.
  7404. But Watts wasn’t buying Chris Aragon’s hard-luck story.
  7405. He’d been a detective for only eight months but a cop for
  7406. seven years; the first thing he’d done when Aragon came in
  7407. was run him through NCIC. He’d seen that Chris’s criminal
  7408. record stretched back to the seventies, and technically, he
  7409. was still on probation from his most recent bust in San
  7410. Francisco—for credit card fraud.
  7411. He figured he had a ringleader in his holding cell. He got
  7412. a search warrant in a hurry and converged with a team of
  7413. detectives and uniformed cops at the only address he could
  7414. find for Chris: Trendsetter USA. One look at the baffled
  7415. faces of the employees as the cops stormed the door told
  7416. Watts they were innocent. After some questioning, one of
  7417. the workers mentioned that their boss, Clara, ran an eBay
  7418. business in the back office.
  7419. Watts opened the storage cabinets in back and took
  7420. inventory: thirty-one Coach bags, twelve new Canon
  7421. PowerShot digital cameras, several TomTom GPS
  7422. navigators, Chanel sunglasses, Palm organizers, and
  7423. iPods, all new in the box.
  7424. Clara walked into the office in the middle of the search
  7425. and was promptly arrested. In her purse, Watts found
  7426. several utility bills for an address in Capistrano Beach, all in
  7427. different names. Clara reluctantly admitted she lived there;
  7429. her face fell when Watts told her it was his next stop.
  7430. With Clara’s house keys and a new search warrant in
  7431. hand, the detectives arrived at the Aragon home and began
  7432. their search. In Chris’s home office, they found an unlocked
  7433. safe in the closet. Inside were two plastic index-card cases
  7434. crammed with counterfeit cards. There were more cards in
  7435. the bedroom, bundled in rubber bands and stashed in the
  7436. night table. An MSR206 rested on a shelf in the family
  7437. room, and in the connecting garage, a box of purses sat on
  7438. the floor next to the fitness machine.
  7439. Aside from the dining room and bathrooms, the only
  7440. space in the house clean of evidence was the boys’
  7441. comfortable bedroom. Just two twin beds, side by side,
  7442. some stuffed animals and toys.
  7443. For all his talk about credit card fraud as a victimless
  7444. crime, Chris had overlooked the two most vulnerable
  7445. victims of his conduct. They were four and seven, and their
  7446. dad wasn’t coming home.
  7447.  
  7448. 33
  7449. Exit Strategy
  7450. “That’s a fed,” Max said, indicating a sedan passing
  7451. them on the street. Charity glanced skeptically at the Ford.
  7452. American-made cars were just one of the many things that
  7453. alarmed Max these days.
  7454. Weeks had passed since Chris’s arrest, and reading the
  7455. press coverage from Orange County, Max couldn’t get over
  7456. how much evidence the police had found in Aragon’s
  7457. home. Using Chris’s payout sheets as a road map, the
  7458. cops had rounded up his entire cashing crew; even Marcus,
  7459. Chris’s pot grower and errand boy, was busted with a
  7460. hydroponic dope farm growing in his Archstone apartment.
  7461. After two weeks of hunting, the police converged on Chris’s
  7462. credit card factory at Federico Vigo’s office in the Valley,
  7463. arrested Vigo, and seized the counterfeiting gear. Chris
  7464. was being held on a million dollars’ bail.
  7465. The entire operation had been dismantled piece by
  7466. piece. They were calling it perhaps the largest identity-theft
  7467. ring in Orange County’s history.
  7468. “Shit, I wonder what kind of records he kept on all that,”
  7469. Max later wrote Th3C0rrupted0ne. “I mean, if he was
  7470. sloppy enough to have equipment at his house.”
  7471. Max had already ditched his prepaid cell phone and
  7472. instituted a “security ban” on his former partner’s Carders
  7473. Market account. They were routine precautions—he was
  7474. largely unconcerned about the bust at first; it was, after all,
  7475. just a state case. Chris had been caught red-handed at the
  7476. W, too, and that time he walked away with probation.
  7477. But as the weeks passed with Chris still in jail, Max
  7478. started to worry. He was noticing strange cars parked on
  7479. his street—an animal control van aroused his suspicion so
  7480. much he got out a flashlight to peer in the windows. Then a
  7481. San Francisco FBI agent called him out of the blue to
  7482. inquire about Max’s long-dead arachNIDS database. Max
  7483. decided to invest in a rope ladder; he kept it by the back
  7484. window of the apartment he shared with Charity, in case he
  7485. had to get out fast.
  7486. He’d pause every now and then to reflect on his freedom
  7487. —here he was, enjoying life, hacking, while at that very
  7488. moment Chris was in a jail cell in Orange County.
  7489. Max picked a random San Francisco criminal defense
  7490. attorney from the yellow pages, walked into his office, and
  7491. handed over a pile of cash; he wanted the lawyer to travel
  7492. to Southern California to check on Chris and see if there
  7493. was anything he could do. The attorney said he’d look into
  7494. it, but Max never heard back from him.
  7495. It was then that Max finally learned about Giannone’s bust
  7496. from a news article about Brett Johnson’s life as an
  7497. informant. Max had lost track of Giannone, and for all his
  7498. hacking, Max had never thought to run the names of his
  7499. associates through the public federal court website. The
  7500. news that Giannone had lost a criminal trial worried him.
  7501. “Of all the rat snitch piece of shit motherfuckers out there,
  7502. Giannone is the closest to being able to finger me for the
  7503. feds,” he confided in a post to the private administrators’
  7504. forum on Carders Market. “The little dipshit might actually
  7505. be able to get the feds close to me.”
  7506. Max uprooted from Fox Plaza, hiding his equipment at
  7507. home until he was set up with a new sanctuary. On June 7,
  7508. he picked up the keys at the Oakwood Geary, another
  7509. corporate apartment building carved out of gleaming
  7510. marble in the Tenderloin. He was “Daniel Chance” now, just
  7511. another displaced software drone relocating to the Bay
  7512. Area. The real Chance was fifty years old and bearded,
  7513. while Max was clean shaven with long hair—but the fake
  7514. driver’s license and genuine money order were enough to
  7515. get him in.
  7517. The next evening, Max checked out a red Mustang from
  7518. his neighborhood Zipcar and packed it with his computer
  7519. gear. For all his paranoia, he didn’t notice the Secret
  7520. Service agents tailing him on the drive to the Oakwood and
  7521. watching from the street as he moved into his new safe
  7522. house.
  7523. A month later, Max jolted awake, shot upright in bed, and
  7524. blinked into the darkness of the flat. It was just Charity; she
  7525. had crawled into bed next to him, trying in vain not to wake
  7526. him. He was growing jumpier every day.
  7527. “Sweetie, you can’t keep doing this,” Charity murmured.
  7528. “You may not realize it, but I realize it. I can see it. You’re
  7529. getting too sucked into it mentally. You’re losing focus of
  7530. who you are and what you’re doing.”
  7531. “You’re right,” he said. “I’m done.”
  7532. A lot of time had passed since his last prison term, he
  7533. thought. Maybe he could find honest work again. NightFox
  7534. had already offered him a legitimate job in Canada, but
  7535. he’d turned it down. He couldn’t bring himself to leave
  7536. Charity. He’d been contemplating marriage, playing with
  7537. the idea of luring her to Las Vegas on a vacation and
  7538. popping the question there. She was fiercely independent,
  7539. but she couldn’t argue that he hadn’t given her space.
  7540. It was time, he decided, for Max Vision, white hat, to
  7541. return. It would be official. He visited the San Francisco
  7542. courthouse and filled out the necessary paperwork. On
  7543. August 14, a judge approved his legal name change from
  7544. Max Butler to Max Ray Vision.
  7545. He already had an idea for a new website that could
  7546. catapult him back into the white-hat scene: a system for
  7547. disclosing and managing zero-day vulnerabilities. He could
  7548. seed it with the security holes he was privy to in the
  7549. underground, bringing the exploits into the white-hat world
  7550. like a defector crossing Checkpoint Charlie with a suitcase
  7551. full of state secrets.
  7552. But after all his work making Carders Market the top
  7553. crime forum in the English-speaking world, he couldn’t
  7554. bring himself to just abandon it.
  7555. Max returned to his safe house. It was August, and the
  7556. heat was back—the temperature topped 90 degrees
  7557. outside, and higher in his studio. His CPU was threatening
  7558. to burn itself alive. He turned on his fans, sat at his
  7559. keyboard, and began the work of phasing out his Digits
  7560. and Aphex identities.
  7561. He logged on to Carders Market and, as Digits, posted a
  7562. note that he was shunting his dumps vending to
  7563. Unauthorized, one of his admins. Then, as Aphex, he
  7564. announced that he was retiring from carding and was
  7565. selling Carders Market. He let the announcement sit for a
  7566. few minutes and then took down the site. When he brought
  7567. it back up, Achilous, one of his administrators in Canada,
  7568. was in charge. Max created a new, generic handle for
  7569. himself, “Admin,” to help Carders Market’s new kingpin
  7570. during the transition.
  7571. He was still working on his exit strategy when an instant
  7572. message popped up on his screen. It was from Silo, the
  7573. Canadian carder who was always trying, and failing, to
  7574. hack him. Max had tracked him down and identified him as
  7575. Lloyd Liske in British Columbia. He suspected Liske was
  7576. an informant.
  7577. The note was odd, a long sentence about newbies
  7578. making dumb mistakes. But Silo had hidden a second
  7579. message within it by strategically capitalizing nine of the
  7580. letters.
  7581. They spelled out “MAX VISION.”
  7582. A guess, Max thought. Silo couldn’t possibly know
  7583. anything.
  7584. It was just a guess.
  7585. • • •
  7586. The day after Max announced his retirement, Secret
  7587. Service agent Melissa McKenzie and a federal prosecutor
  7588. from Pittsburgh flew to California to tie up some loose
  7589. ends.
  7590. The investigation was nearly complete. The Secret
  7591. Service had gotten ahold of Digits’s e-mail from a contact
  7592. at the Vancouver Police Department—Silo’s handler. Max
  7593. had been using a Canadian-based webmail provider called
  7594. Hushmail that provides high-security encryption, using a
  7595. Java applet that decrypts a customer’s messages right on
  7596. his own PC instead of the company’s server. In theory, the
  7597. arrangement ensures that even Hushmail can’t get at a
  7598. customer’s secret key or incoming e-mail messages. The
  7599. company openly marketed the service as a way to
  7600. circumvent FBI surveillance.
  7601. But, like e-gold, Hushmail was another formerly crime-friendly
  7602. service now being mined by law enforcement. U.S.
  7603. and Canadian agencies had been winning special orders
  7604. from the Supreme Court of British Columbia that forced
  7605. Hushmail officials to sabotage their own system and
  7606. compromise specific surveillance targets’ decryption keys.
  7607. Now the feds had Max’s e-mail.
  7608. At the same time, the agency had located Tea living in
  7609. Berkeley serving a probation sentence—it turned out she’d
  7610. been caught using Aragon-produced gift cards at the
  7611. Emeryville Apple Store months earlier. It was supposed to
  7612. be a training run for one of Chris’s new recruits, but Tea
  7613. had never cashed before, and when she impulsively added
  7614. a PowerBook to her iPod purchase, she was arrested
  7615. along with the trainee. Eager to avoid more trouble, she’d
  7616. told the Secret Service everything she knew.
  7617. Meanwhile, the Secret Service had begun sporadic
  7618. physical surveillance of Max. From Werner Janer’s proffers,
  7619. Mularski had learned that Max had a girlfriend named
  7620. Charity Majors. Public records provided her address, and a
  7621. subpoena of her bank records showed she had a joint
  7622. account with Max. The Secret Service staked out the house
  7623. and eventually trailed Max to the Oakwood Geary.
  7624. Electronic surveillance confirmed that Max was operating
  7625. from the Oakwood. The FBI had won a secret court order
  7626. letting them electronically monitor the IP addresses
  7627. connecting to Carders Market’s false front at a U.S. hosting
  7628. company—the modern equivalent of taking down the
  7629. license plates outside a mob hangout. Several traced back
  7630. to broadband subscribers living within a block of the
  7631. corporate apartment complex and running Wi-Fi.
  7632. Two weeks earlier, a female Secret Service agent
  7633. disguised as a maid had ridden up the elevator with Max
  7634. and watched him unlock apartment 409. The apartment
  7635. number was the last piece of data they’d needed.
  7636. There was just one more stop before they’d move in: the
  7637. Orange County Central Men’s Jail, a grim lockup in the flat,
  7638. sun-baked center of Santa Ana, California. McKenzie and
  7639. federal prosecutor Luke Dembosky were shown to an
  7640. interview room to meet Chris Aragon.
  7641. Chris was the last holdout in the Orange County crew.
  7642. Clara and six members of his crew were headed to plea
  7643. deals that would ultimately net them from six months to
  7644. seven years in prison. Clara would get two years and eight
  7645. months. Chris’s mother was looking after the two boys.
  7646. Once the introductions were made, McKenzie and
  7647. Dembosky got down to business. They couldn’t do anything
  7648. about Chris’s state case, but if he cooperated, he’d have a
  7649. nice letter in his file from the U.S. government attesting that
  7650. he’d helped in a major federal prosecution. That could sway
  7651. the judge at sentencing time. It was all they could do.
  7652. McKenzie produced a photo lineup and asked Chris if
  7653. anyone looked familiar.
  7654. Chris’s situation was grim. With his bank robberies and
  7655. drug-smuggling convictions, he was eligible for California’s
  7656. tough three-strikes law. That meant a mandatory twentyfive-
  7657. to-life.
  7658. Chris picked out Max’s mugshot from the photos. And
  7659. then he told the feds the story of Max Vision’s drift to the
  7660. dark side.
  7661. • • •
  7662. On Wednesday, September 5, 2007, Max dropped Charity
  7663. at the post office on an errand and directed his cab driver
  7664. downtown to the CompUSA store on Market Street. He
  7665. picked up a new fan for his CPU, walked to his apartment,
  7666. stripped down, and crashed out on his bed amid a tangle of
  7667. unfolded laundry. He settled into a deep slumber.
  7668. Max had stopped hacking, but he was still disentwining
  7669. himself from his double life—after five years, he had a lot of
  7670. relationships and ventures that he couldn’t just sever
  7671. overnight.
  7672. He slept right through the knock at his door at about two
  7673. p.m. Then the door flew open, and a half-dozen agents
  7674. rushed into the room, guns drawn, shouting orders. Max
  7675. bolted upright and screamed.
  7676. “Put your hands where I can see them!” an agent yelled.
  7677. “Lay down!” The agent was positioned between Max and
  7678. his computers. Max had often thought that, in a raid, he
  7679. might be able to pull the plug on his server, making his
  7680. already formidable cyberdefenses completely bulletproof.
  7681. Now that it was really happening, he realized that diving for
  7682. his machines wasn’t an option, unless he wanted to be
  7683. shot.
  7684. Max recovered his composure. Unplugged or not, his
  7685. machines were locked down, and his encryption was rock
  7686. solid. He managed to relax a little as the agents let him get
  7687. dressed, then walked him down the hall in handcuffs.
  7688. On the way, they passed a three-man team who’d been
  7689. waiting for the Secret Service to secure the safe house.
  7690. They weren’t feds; they were from Carnegie Mellon
  7691. University’s Computer Emergency Response Team, and
  7692. they were there to bust Max’s crypto.
  7693. It was the first time CERT had been invited to a raid—but
  7694. the circumstances were special. Chris Aragon had
  7695. employed the same DriveCrypt whole-disk-encryption
  7696. software that Max used, and neither the Secret Service nor
  7697. CERT had been able to recover anything from the drive.
  7698. Full-disk encryption keeps the entire hard drive encrypted
  7699. at all times: all the files, the file names, the operating
  7700. system, the software, the directory structure—any clue to
  7701. what the user has been doing. Without the decryption key,
  7702. the disk might as well have been a Frisbee.
  7703. The key to cracking a full-disk encryption program is to
  7704. get at it while it’s still running on the computer. At that point,
  7705. the disk is still fully encrypted, but the decryption key is
  7706. stored in RAM, to allow the software to decrypt and encrypt
  7707. the data from the hard drive on the fly.
  7708. The knock on Max’s door had been intended to draw
  7709. Max away from his machines; if he’d shut them down
  7710. before the Secret Service got the cuffs on, there wouldn’t
  7711. have been much CERT could do—the contents of the RAM
  7712. would have evaporated. But Max had been caught napping,
  7713. and his servers were still running.
  7714. CERT had spent the last two weeks gaming out different
  7715. scenarios for what they might encounter in Max’s safe
  7716. house. Now the team leader looked over the setup: Max’s
  7717. server was wired to half a dozen hard drives. Two had lost
  7718. power when an agent tripped over an electrical cable
  7719. snaking across the floor, but the server itself was still
  7720. running, and that was what mattered.
  7721. While Secret Service flashbulbs bounced off the walls of
  7722. Max’s cluttered apartment, the forensics experts moved to
  7723. the machines and began their work, using memoryacquisition
  7724. software they’d brought with them to suck down
  7725. the live data from the RAM onto an external storage device.
  7726. Down the hall, Max cooled his heels in the feds’
  7727. apartment.
  7728. Two agents watched over him. Max would be questioned
  7729. later—for now, the agents were just babysitting, chatting
  7730. with one another. The Secret Service agent was from the
  7731. local San Francisco field office; he asked his FBI
  7732. local San Francisco field office; he asked his FBI
  7733. counterpart where he worked.
  7734. “I’m from Pittsburgh,” Keith Mularski answered.
  7735. Max’s head snapped to look at Master Splyntr. There
  7736. was no doubt who had won the carder war.
  7737. The Secret Service agents exulted over the bust. “I’ve
  7738. been dreaming about you,” agent Melissa McKenzie said
  7739. as she drove Max to the field office. On seeing his raised
  7740. eyebrow, she added, “I mean about Iceman. Not you
  7741. personally.”
  7742. Two of the local agents were dispatched to Charity’s
  7743. house. They told her what happened and took her
  7744. downtown to say good-bye to Max.
  7745. “I’m sorry,” he told her when she walked in. “You were
  7746. right.”
  7747. Max talked to the agents at the field office for a while,
  7748. trying to feel them out for what they knew and gauge how
  7749. much trouble he was in. Some of them seemed surprised
  7750. at his politeness—his sheer likability. Max wasn’t what they
  7751. expected from the cold, calculating kingpin they’d been
  7752. tracking for a year.
  7753. On the drive to jail, McKenzie finally voiced her
  7754. puzzlement. You seem like a nice guy, she said, and that’s
  7755. going to help you. “But I have this one question for you.…
  7756. “Why do you hate us?”
  7757. Max was speechless. He never hated the Secret
  7758. Service, or the FBI, or even the informants on Carders
  7759. Market. Iceman did. But Iceman was never real; he was a
  7760. guise, a personality Max slipped on like a suit when he was
  7761. in cyberspace.
  7762. Max Vision never hated anyone in his life.
  7763. The Hungry Programmers were the first to hear the news
  7764. that Max had been arrested again. Tim Spencer offered to
  7765. sign for Max’s bail bond. For collateral, he had twenty acres
  7766. of land in Idaho that he’d bought as his dream retirement
  7767. property. When Tim heard the details of the charges
  7768. against his old friend, he hesitated. What if he didn’t really
  7769. know Max at all?
  7770. The moment of doubt passed, and he signed the form.
  7771. Max’s mother offered to post the equity in her house as well
  7772. to secure her son’s release. Ultimately, though, it didn’t
  7773. matter. When Max came up for arraignment in San Jose, a
  7774. federal magistrate ordered the hacker held without bail
  7775. pending his transport to Pittsburgh.
  7776. The government announced Iceman’s arrest on
  7777. September 11, 2007. The news hit Carders Market,
  7778. sparking a flurry of activity. Achilous immediately deleted
  7779. the entire database of posts and private messages, not
  7780. knowing the feds already had it. “I think the SQL database
  7781. almost had a heart attack when I did it, but it’s done now. I
  7782. think this is what Aphex would have wanted,” he wrote.
  7783. “This forum is open for posting, so people can chat and
  7784. figure out where to go from here. Just be very careful,
  7785. specifically about following links. Try to keep the conspiracy
  7786. theories to a minimum everyone, please.
  7787. “Good luck, be safe.”
  7788. Silo jumped in under an alias to wrongly label his former
  7789. rival a snitch, based on news reports that misunderstood
  7790. Max’s work for the FBI during his white-hat days. “It’s sad to
  7791. see a brilliant guy go,” he wrote. “He brought a lot to this
  7792. board and the scene as a vendor and an administrator. A
  7793. lot of guys made a lot of money from him.”
  7794. But “once a rat always a rat,” he wrote, with no trace of
  7795. irony. “This whole board is spawned out of the fact that
  7796. years ago the FBI and Aphex had a disagreement on
  7797. whom he was snitching out.… Bottom line, he is the biggest
  7798. hypocrite to ever grace the scene.”
  7799. Back at his desk in Pittsburgh, Mularski put on Master
  7800. Splyntr’s black hat to join the postgame analysis. The FBI
  7801. agent knew full well that Iceman hadn’t been an informant,
  7802. but his alter ego would be expected to seize on the news
  7803. that Max had once worked with the feds. “Oh just where do I
  7804. even begin?” He gloated on DarkMarket, enjoying the
  7805. even begin?” He gloated on DarkMarket, enjoying the
  7806. moment. “Let’s see … let’s see … How about with this
  7807. headline from SFGate.com? And I quote, ‘Ex-FBI snitch in
  7808. S.F. indicted in hacking of financial institutions.’
  7809. “Did anyone else notice anything about that headline?
  7810. Ahh yeah, FBI Snitch. This is turning out to be just like
  7811. Gollumfun and El. No wonder why Iceman always had a
  7812. hard-on for them, because he was just like them and was
  7813. competing for his handlers’ praises.”
  7814. When Max arrived in Pittsburgh, his new public defender
  7815. tried again to get him released on bail, but the judge
  7816. refused after prosecutors speculated that Max was sitting
  7817. on vast stores of hidden cash and could easily use his
  7818. contacts to disappear with a new name. To prove that he’d
  7819. tried to evade the feds, they played their trump card: private
  7820. messages written by Max himself describing his use of
  7821. false IDs while traveling and his “evasive move” to his final
  7822. safe house. Max had sent the messages to a Pittsburgh
  7823. Secret Service informant who’d been an admin on Carders
  7824. Market for a full year.
  7825. Max wasn’t at all surprised to see that it was
  7826. Th3C0rrupted0ne.
  7827.  
34
DarkMarket

The man is sitting rigid on a polished wooden chair and staring balefully into the camera. Paint peels from a cracked plaster wall behind him. He’s been stripped down to his underwear, and he’s holding a handwritten sign over his exposed paunch. I AM KIER, it reads, in large block letters. MY REAL NAME IS MERT ORTAC.… I AM RAT. I AM PIG. I AM FUCKED BY CHA0.

The appearance of the photo on DarkMarket in May 2008 sent Mularski hurrying back into the NCFTA communications room. Headquarters would want to know that one of Master Splyntr’s admins had just kidnapped and tortured an informant.

Cha0 was an engineer in Istanbul who sold high-quality ATM skimmers and PIN pads to fraudsters around the world. Covertly affixed to a cash machine, the skimmer would record the magstripe data on every debit or credit card fed into the ATM, while the PIN-pad overlay stored the user’s secret code.

Cha0 cut a jaunty presence in the underground. His Flash-animated banner ad on DarkMarket was a classic, opening with a cartoon man wading through a house full of cash. “Is that you?” the text asks. “Yes. If you bought a skimmer and PIN pad from Cha0.” A similarly styled video tutorial for new customers was narrated by a smiling caricature of Cha0 himself. “Hi, my name is Cha0. I’m a developer of skimming devices. I work for you twenty-four hours a day and make the best devices for skimming. You’ll be able to make money in this business with me and my group. We make these devices for newbies—it’s that easy to use!” The animated Cha0 goes on to offer practical advice: Don’t install your skimmer in the morning, because passersby are more vigilant at that time. Don’t choose a location where 250 people or more pass a day. Avoid cities with a population less than 15,000—residents know too well what the ATM is supposed to look like and might notice Cha0’s product.

Notwithstanding his whimsical marketing, Cha0 had always made it clear to his friend Master Splyntr that he was a serious criminal, not afraid to get physical to protect his multimillion-dollar business. Now he’d proven it. Mert “Kier” Ortac had been part of Cha0’s organization, the Crime Enforcers, until he went running to a Turkish TV station to blab about Cha0’s activities. After a couple of interviews, he vanished. When he resurfaced a short time later, he told a harrowing story about being abducted and beaten by Cha0 and his henchmen.

Now Cha0 had confirmed the tale by posting the kidnap photo to DarkMarket as a warning to others.

The image put proof to the FBI’s long-held suspicions that the computer underground was getting violent. With hundreds of millions of dollars pouring into the scene every year, it had seemed inevitable that the carders would take on the brutal methods of traditional organized crime to enlarge or protect their illegal income.

With Max safely locked up in an Ohio detention center, DarkMarket had been free to grow, and Mularski was closing in on its heaviest hitters—Cha0 among them. A Turkish cybercrime detective had spent three months at the NCFTA on a fellowship and was working with Mularski to run down the skimmer maker.

Mularski had sent Cha0 two lightweight PCs as a gift the previous year, opening the first door in the investigation. Cha0 had directed the shipment to flunkies in his organization, who were promptly put under surveillance by the Turkish National Police. That led to Cagatay Evyapan, an electrical engineer with a prior criminal record—details that jibed with the biography Cha0 had shared privately with Mularski.

The police approached several international shipping companies and briefed them about Cha0’s operations. One of them identified some of the skimmer shipments from Istanbul to Europe, fingering a known member of Cha0’s organization as the shipper.

That gave the police the evidence they needed. On September 5, five police in bulletproof vests raided Cha0’s apartment on the outskirts of Istanbul. They rushed into his house and pushed Cha0 and an associate to the ground at gunpoint.

Inside his apartment was a complete electrical lab and assembly line, with components neatly organized in trays and bins. Nearly a dozen computers were running on the desks. Cha0 had all the same card-counterfeiting equipment that had graced Chris Aragon’s factory, as well as giant cardboard boxes holding some one thousand skimmers and two thousand PIN pads, all awaiting international shipment. Cha0’s records showed that four of them had already gotten into the United States.

The cops brought Evyapan out in handcuffs, a tall, beefy man with close-cropped hair and a black T-shirt emblazoned with the Grim Reaper. The face of organized crime in the Internet age.

Cha0 was the last listed target in Mularski’s undercover authorization; the other key DarkMarket players had already been taken down. Markus Kellerer, Matrix001, was arrested in Germany in May 2007 and spent four months in a high-security prison. Renukanth “JiLsi” Subramaniam, a Sri Lankan–born British citizen, was raided in London in June 2007 after detectives with the Serious Organised Crime Agency in Britain staked out the Internet café he used as an office, matching his appearances at the Java Bean with JiLsi’s posts on DarkMarket and his chats with Master Splyntr. JiLsi’s associate, sixty-seven-year-old John “Devilman” McHugh, was picked up at the same time; police found a credit card counterfeiting factory in the senior citizen’s home.

In Turkey, six members of Cha0’s organization were charged along with Cha0. With Mularski’s help, the police also swooped in on Erkan “Seagate” Findikoglu, a DarkMarket member who ran a massive King Arthur–style cash-out operation responsible for at least two million dollars in thefts from U.S. banks and credit unions—they recovered one million of it in cash at his arrest. Twenty-seven members of Seagate’s organization were charged in Turkey, and the FBI rounded up six of his cashers in the United States.

With Cha0 and Seagate in jail, Mularski’s work was done—his two years running DarkMarket had now resulted in fifty-six arrests in four countries. On Tuesday, September 16, 2008, he drafted a post formally announcing the closure of the site. As an homage to the carding world’s history and culture, the FBI agent borrowed from King Arthur’s legendary message closing Carder Planet years before.

“Good day, respected and dear forum members,” he began.

It is time to tell you the bad news—the forum should be closed. Yes, I really mean closed.

Over the last year we have lost a lot of the admins of the forums: Iceman on Carders Market; JiLsi and Matrix001 disappeared, and now, Cha0 on DM. It is apparent that this forum, which has been around almost three years, is attracting too much attention from a lot of the world services.…

I myself would rather go out like King Arthur than Iceman. Whereas Iceman decided that all he would do was change his nick to Aphex, and continue to run CM, King Arthur closed CarderPlanet and faded into the night. History has shown that Iceman made a fatal mistake. I will not make the same.

Mularski planned to keep his Master Splyntr identity dormant but alive: He’d have a well-established underground legend that he could pull from his pocket whenever he needed it in future investigations. But it was not to be. About a week after DarkMarket went dark, a reporter for Südwestrundfunk, Southwest Germany public radio, got his hands on court documents filed in Matrix’s case that laid bare Mularski’s double life. The U.S. press picked up the story. Now 2,500 members of DarkMarket knew they’d been doing business on a sting site and that Iceman had been right all along.

Three days after the story broke in the United States, Mularski found an ICQ message to Master Splyntr waiting on his computer. It was from TheUnknown, a UK target who’d gone on the run after he was raided by the British police. “U fucking piece of shit. Motherfucker. Thought you can catch me. Hahaha. Fucking newb. U are nowhere near me.”

“If you want to make arrangements to turn yourself in, let me know,” Mularski wrote back. “It will be easier than looking over your shoulder the rest of your life.”

TheUnknown turned himself in a week later.

Mularski was almost relieved to have his secret identity revealed; for two years, his laptop had been his constant companion—even on vacation, he’d been online talking to carders. He’d enjoyed some of it—building online friendships with some of his targets, teasing and taunting others. Master Splyntr could say things to criminals that a respectable FBI agent never could.

Eager as Mularski was to have his life back, it would take time. Nearly a month after DarkMarket’s closing, he was still fighting a vague restlessness. Mularski had one more challenge to master. He’d have to learn how to not be Master Splyntr.

  8004. 35
  8005. Sentencing
  8006. ax towered over the marshals as they brought him
  8007. into the Pittsburgh courtroom to face sentencing. He wore
  8008. an ill-fitting orange jail uniform, his hair trimmed short and
  8009. neat.
  8010. His escorts uncuffed his hands, and he took a seat next
  8011. to his public defender at the defense table. A half-dozen
  8012. reporters talked among themselves on one side of the
  8013. gallery, an equal number of feds on the other. Behind them,
  8014. the long wooden pews were mostly empty: no friends, no
  8015. family, no Charity; she’d already told Max she wasn’t going
  8016. to wait for him.
  8017. It was February 12, 2010, two and a half years after his
  8018. arrest at the safe house. Max had spent the first month
  8019. locked up at the Santa Clara county jail, speaking daily with
  8020. Charity in long phone calls more intimate than any
  8021. conversations they’d had while he was immersed in his
  8022. crimes. The marshals finally put him on a plane and
  8023. checked him into a detention facility in Ohio, where Max
  8024. made peace with his confinement, largely drained now of
  8025. the self-righteous anger that carried him through his
  8026. previous imprisonments. He made new friends in the joint:
  8027. geeks like him. They started a Dungeons and Dragons
  8028. campaign.
  8029. By year’s end, Max had no more secrets. It had taken the
  8030. CERT investigators only two weeks to find the encryption
  8031. key in the image of his computer’s RAM. At one of his court
  8032. appearances, prosecutor Luke Dembosky handed Max’s
  8033. lawyer a slip of paper with his passphrase written on it:
  8034. “!!One man can make a difference!”
  8035. For years, Max had used his encrypted hard drive as an
  8036. extension of his brain, storing everything he found and
  8037. everything he did. That the feds had it was disastrous for
  8038. his legal future, but more than that, it felt like an intimate
  8039. violation. The government was in his head, reading his
  8040. mind and memories. When he returned to his cell after the
  8041. hearing, he wept into his pillow.
  8042. They had everything: five terabytes of hacking tools,
  8043. phishing e-mails, dossiers he’d compiled on his online
  8044. friends and enemies, notes on his interests and activities,
  8045. and l.8 million credit cards accounts from over a thousand
  8046. banks. The government broke it down: Max had stolen 1.1
  8047. million of the cards from point-of-sale systems. The
  8048. remainder mostly came from the carders Max had hacked.
  8049. It was eight miles of magstripe data, and the feds were
  8050. prepared to charge him for every inch. The government had
  8051. secretly flown Chris to Pittsburgh for weeks of debriefing
  8052. while the credit card companies tallied the fraudulent
  8053. charges on Max’s cards, arriving at a staggering $86.4
  8054. million in losses.
  8055. Max’s profits were far less: Max told the government he
  8056. earned under $l million from his capers and had pissed
  8057. most of it away on rent, meals, cab fare, and gadgets. The
  8058. government found about $80,000 in Max’s WebMoney
  8059. account. But federal sentencing guidelines in theft cases
  8060. are based on victim harm, not the offender’s profits, so Max
  8061. could be held responsible for the charges rung up by Chris,
  8062. the carders who bought dumps from Digits and Generous,
  8063. and potentially the fraud performed by the carders Max
  8064. hacked. Rolled up with Max’s rap sheet, the $86 million
  8065. translated to a sentence of thirty years to life, with no
  8066. parole.
  8067. Faced with decades in prison, Max began cooperating
  8068. with the investigation. Mularski took him out for long
  8069. debriefing sessions about the hacker’s crimes. At one of
  8070. them, after the DarkMarket sting broke in the press, Max
  8071. apologized to Mularski for his attempts to expose Master
  8072. apologized to Mularski for his attempts to expose Master
  8073. Splyntr. Mularski heard sincerity in his old foe’s voice and
  8074. accepted his apology.
  8075. After a year of negotiation, Max’s lawyer and the
  8076. government settled on their number—a joint
  8077. recommendation to the judge of thirteen years. In July 2009,
  8078. Max had pleaded guilty.
  8079. The deal wasn’t binding on the court; in theory, Max could
  8080. be released on the spot, sentenced to life, or anything in
  8081. between. The day before the sentencing, Max typed out a
  8082. four-page letter to his judge, Maurice Cohill Jr., a seventyyear-
  8083. old Ford appointee who’d been a jurist since before
  8084. Max was born.
  8085. “I don’t believe further prison time in my case will help
  8086. anyone,” Max wrote. “I don’t think it is necessary because
  8087. all I want to do is help. I disagree with the blanket
  8088. assessment of the sentencing guidelines. Unfortunately, I
  8089. am facing such a horrible sentence that even 13 years
  8090. seems ‘good’ in comparison. But I assure you it is overkill
  8091. as I am the proverbial dead horse. That said, I plan to make
  8092. the most of the time I have left on this earth be it in prison or
  8093. otherwise.”
  8094. He continued. “I have a lot of regrets, but I think my
  8095. essential failing was that I lost touch with the accountability
  8096. and responsibility that comes with being a member of
  8097. society. A friend of mine once told me to behave as though
  8098. everyone could see what I was doing all the time. A sure
  8099. way to avoid engaging in illegal conduct, but I guess I
  8100. wasn’t a believer because when I was invisible, I forgot all
  8101. about this advice. I know now that we can’t be invisible, and
  8102. that it’s dangerous thinking.”
  8103. Max watched with studied calmness as his lawyer stood
  8104. to confer with the prosecution over last-minute details and
  8105. the courthouse staff went through their prehearing checklist,
  8106. testing the microphones and shuffling papers. At ten thirty
  8107. a.m. the door to chambers opened. “All rise!”
  8108. Judge Cohill took the bench. A wizened man with a
  8109. close-cropped snow-white beard, he peered at the
  8110. courtroom through round glasses and announced the
  8111. sentencing of Max Butler, the name under which Max had
  8112. been charged. He read Max’s sentencing guidelines for the
  8113. record, thirty years to life, then listened as prosecutor
  8114. Dembosky laid out his case for leniency. Max had provided
  8115. significant help to the government, he said, and was
  8116. deserving of a sentence below the guidelines.
  8117. What followed could have been an awards presentation
  8118. instead of a sentencing hearing, with Max’s lawyer,
  8119. prosecutor, and judge taking turns praising Max’s computer
  8120. skills and apparent remorse. “He’s an extremely bright, selftaught
  8121. computer expert,” said federal public defender
  8122. Michael Novara, albeit one who orchestrated “computer
  8123. security breaches on a grand scale.”
  8124. Dembosky, a computer-crime specialist and seven-year
  8125. veteran of the U.S. Attorney’s Office, called Max “extremely
  8126. bright and articulate and talented.” He’d been at some of
  8127. Max’s debriefings, and like virtually everyone who knew
  8128. Max in real life, he’d grown to like the hacker. “He’s almost
  8129. wide-eyed and optimistic in his view of the world,” he said.
  8130. Max’s cooperation, he added, was why they were asking
  8131. for only thirteen years instead of an “astronomical”
  8132. sentence. “I believe that he is very sorry.”
  8133. Max had little to add. “I’ve changed,” he said. Hacking no
  8134. longer held any appeal for him. He invited Judge Cohill to
  8135. ask him any questions. Cohill didn’t need to. The judge said
  8136. he was impressed by Max’s letter and by letters written by
  8137. Charity, Tim Spencer, and Max’s mother, father, and sister.
  8138. He was satisfied that Max was remorseful. “I don’t think I
  8139. have to give you a lecture on the problems you’ve caused
  8140. for your victims.”
  8141. Cohill had already written the sentencing order. He read
  8142. from it aloud. Thirteen years in prison. Max would also be
  8143. responsible for $27.5 million in restitution, based on the
  8144. cost to the banks of reissuing the 1.1 million cards Max
  8145. stole from point-of-sale systems. Upon his release, he’d
  8147. serve five years of court supervision, during which he’d be
  8148. allowed to use the Internet only for employment or
  8149. education.
  8150. “Good luck,” he said to Max.
  8151. Max stood up—his face neutral—and let a marshal
  8152. handcuff him behind his back, then lead him through the
  8153. door in the back of the courtroom connecting to the holding
  8154. cells. With credit for time served and good behavior, he’d
  8155. be out just before Christmas 2018.
  8156. Almost nine years in prison were still ahead of him. At the
  8157. time it was the longest U.S. sentence ever handed out to a
  8158. hacker.
  8159.  
  8160. 36
  8161. Aftermath
  8162. By the time Max was sentenced, the Secret Service had
  8163. identified the mystery American hacker who’d made
  8164. Maksik into the world’s top carder, and he was poised to
  8165. get a sentence that would make Max’s look like a traffic
  8166. fine.
  8167. The big break in the case came from Turkey. In July
  8168. 2007, the Turkish National Police learned from the Secret
  8169. Service that Maksik, twenty-five-year-old Maksym
  8170. Yastremski, was vacationing in their country. An undercover
  8171. Secret Service operative lured him to a nightclub in Kemer,
  8172. where police arrested Yastremski and seized his laptop.
  8173. The police found the laptop hard drive impenetrably
  8174. encrypted, just as when the Secret Service performed its
  8175. sneak-and-peek in Dubai a year earlier. But after a few
  8176. days in a Turkish jail, Maksik coughed up the seventeen-character
  8177. passphrase. The police gave the passphrase
  8178. and a copy of the disk to the Secret Service, which began
  8179. poring over its contents, taking particular interest in the logs
  8180. Maksik kept of his ICQ chats.
  8181. One chat partner stood out: ICQ user 201679996 could
  8182. be seen helping the Ukrainian with a hack attack against
  8183. the restaurant chain Dave & Buster’s and discussing some
  8184. of the earlier high-profile intrusions that had put Maksik on
  8185. the map. The agents checked out the ICQ number and
  8186. obtained the e-mail address used to first register the
  8187. account: soupnazi@efnet.ru.
  8188. SoupNazi was a name the agency had heard before—in
  8189. 2003, when they arrested Albert Gonzalez.
  8190. Gonzalez was the informant who’d lured Shadowcrew
  8191. carders into a wiretapped VPN, leading to the twenty-one
  8192. arrests in Operation Firewall—the Secret Service’s
  8193. legendary crackdown on the carding scene. But years
  8194. before he was known as Cumbajohnny on Shadowcrew,
  8195. Gonzalez had used the Seinfeld-inspired handle SoupNazi
  8196. in IRC.
  8197. The carder turncoat who’d made Operation Firewall
  8198. possible had gone on to stage the largest identity thefts in
  8199. U.S. history.
  8200. One month after Firewall, Gonzalez had gotten
  8201. permission to move from New Jersey back to his home,
  8202. Miami, where he’d launched the second act of his hacking
  8203. career. He took on the name Segvec and passed himself
  8204. off as a Ukrainian, hanging his hat on the Eastern
  8205. European forum Mazafaka. Under the rubric Operation Get
  8206. Rich or Die Tryin’—the title of a 50 Cent album and
  8207. Maksik’s Shadowcrew motto—he went on to create a
  8208. multimillion-dollar cybertheft ring that touched tens of
  8209. millions of Americans.
  8210. On May 8, 2008, the feds swooped in on Gonzalez and
  8211. his U.S. associates. Hoping for leniency at sentencing,
  8212. Gonzalez cooperated again, providing agents with the
  8213. encryption key for his hard drive and giving them
  8214. information on his entire gang. He admitted to the breaches
  8215. at TJX, OfficeMax, DSW, Forever 21, and Dave & Buster’s,
  8216. and to helping Eastern European hackers penetrate the
  8217. grocery chain Hannaford Bros., 7-Eleven’s ATM network,
  8218. Boston Market, and the credit card processing company
  8219. Heartland Payment Systems, which alone leaked nearly
  8220. 130 million cards. It was a lucrative business for the hacker.
  8221. Gonzalez drew the Secret Service a map to over $1 million
  8222. in cash he’d buried in his parents’ backyard; the
  8223. government sought forfeiture of the money, his 2006 BMW,
  8224. and a Glock 27 firearm with ammunition.
  8225. Gonzalez had built his crew from an untapped reservoir
  8226. of hacker talent—onetime bedroom hackers who had
  8227. trouble finding a place in the white-hat world. Among them
  8228. was Jonathan “C0mrade” James, who’d hacked NASA as
  8229. a teenager and received a landmark six-month juvenile
  8230. sentence the same week Max Vision pleaded guilty to his
  8231. Pentagon hacks in 2000. After a brief flurry of fame—
  8232. including an interview on PBS’s Frontline—James slipped
  8233. into obscurity, living quietly in a house he inherited from his
  8234. mother in Miami.
  8235. Then in 2004 he allegedly began working with Gonzalez
  8236. and an associate named Christopher Scott. The
  8237. government believes James and Scott were responsible
  8238. for one of the earliest magstripe hauls to make their way
  8239. into Maksik’s vaults, cracking OfficeMax’s Wi-Fi from a
  8240. store parking lot in Miami and stealing thousands of swipes
  8241. and encrypted PINs. The two allegedly provided the data to
  8242. Gonzalez, who arranged with another hacker to decrypt the
  8243. PIN codes. Credit card companies later reissued some two
  8244. hundred thousand cards in response to the attack.
  8245. Of all the hackers, it was Jonathan James who would pay
  8246. the highest price in the post-Shadowcrew carder
  8247. crackdown. In the days after his May 2008 raid, James
  8248. became convinced the Secret Service would try to pin all of
  8249. Gonzalez’s breaches on him to wring public relations juice
  8250. out of his notorious past and protect their informant,
  8251. Gonzalez. On May 18, the twenty-four-year-old stepped into
  8252. the shower with a handgun and shot himself dead.
  8253. “I have no faith in the ‘justice’ system,” read his five-page
  8254. suicide note. “Perhaps my actions today, and this letter, will
  8255. send a stronger message to the public. Either way, I have
  8256. lost control over this situation, and this is my only way to
  8257. regain control.”
  8258. In March 2010, Gonzalez was sentenced to twenty years
  8259. in prison. His U.S. coconspirators drew sentences ranging
  8260. from two to seven years. In Turkey, Maksik was convicted
  8261. of hacking Turkish banks and sentenced to thirty years.
  8262. Since Max’s arrest, new scams have emerged in the
  8263. underground, the worst of them involving specialized Trojan
  8264. horse software designed to steal a target’s online banking
  8265. passwords and initiate money transfers from the victim’s
  8266. account right through his own computer. The thieves have
  8267. devised an ingenious solution to the problem that had
  8268. bedeviled Chris Aragon: how to get at the money. They
  8269. recruit ordinary consumers as unwitting money launderers,
  8270. dangling bogus work-at-home opportunities, in which the
  8271. “work” consists of accepting money transfers and payroll
  8272. deposits, then sending the bulk of the cash to Eastern
  8273. Europe by Western Union. In 2009, the scheme’s first year
  8274. of widespread operation, banks and their customers lost an
  8275. estimated $120 million to the attack, with small businesses
  8276. the most common target.
  8277. Meanwhile, the sale of dumps continues, dominated now
  8278. by a new crop of vendors, same as the old crop—Mr. BIN;
  8279. Prada; Vitrium; The Thief.
  8280. Law enforcement, though, has claimed some lasting
  8281. victories. So far, no prominent English-speaking board has
  8282. risen to replace Carders Market and DarkMarket, and the
  8283. Eastern Europeans have become more cloistered and
  8284. protective. The big players have retreated to invitation-only
  8285. encrypted chat servers. The marketplace exists, but the
  8286. carders’ sense of invulnerability is shattered, and their
  8287. commerce is tariffed by paranoia and mistrust, thanks
  8288. primarily to the FBI, the Secret Service, their international
  8289. partners, and the unheralded work of the post office.
  8290. The veil of secrecy that once protected hackers and
  8291. corporations alike has mostly evaporated, with law
  8292. enforcement no longer going out of its way to shield
  8293. companies from responsibility for their poor security. More
  8294. than one of Gonzalez’s hacking targets were made public
  8295. for the first time in his federal indictment.
  8296. Finally, Mularski’s DarkMarket sting proved the feds
  8297. don’t have to get in bed with the bad guys to make busts.
  8298. All the lowest moments in the war on the computer
  8300. underground came about through the antics of informants.
  8301. Brett “Gollumfun” Johnson, the snitch who briefly worked as
  8302. a Carders Market administrator, turned the Secret
  8303. Service’s Operation Anglerphish into a circus by staging a
  8304. tax refund scam on the side. Albert Gonzalez provided the
  8305. clearest example. After Operation Firewall, the Secret
  8306. Service had been paying Gonzalez an annual salary of
  8307. $75,000 a year, even as he staged some of the largest
  8308. credit card hacks in history.
  8309. The post-Shadowcrew magstripe breaches led to a
  8310. reckoning in the civil courts. TJX paid $10 million to settle a
  8311. lawsuit filed by the attorneys general of 41 states and
  8312. another $40 million to Visa-issuing banks whose cards
  8313. were compromised. Banks and credit unions filed lawsuits
  8314. against Heartland Payment Systems for the massive
  8315. breach at the transaction-processing firm. Gonzalez’s
  8316. attacks also tore a hole in the credit card industry’s primary
  8317. bulwark against breaches: the so-called Payment Card
  8318. Industry—or PCI—Data Security Standard, which dictates
  8319. the steps merchants and processors must take to protect
  8320. systems handling credit card data. Heartland had been
  8321. certified PCI compliant before it was breached, and
  8322. Hannaford Brothers won the security certification even as
  8323. hackers were in its systems, stealing credit card swipes.
  8324. When the dust began to settle from Gonzalez’s large-scale
  8325. hacks, the smaller but far more numerous attacks
  8326. against restaurant point-of-sale systems began to come
  8327. out. Seven restaurants in Mississippi and Louisiana who’d
  8328. suffered intrusions figured out they were all using the same
  8329. point-of-sale system, the Aloha POS that was once Max’s
  8330. favorite target. The restaurants filed a class-action lawsuit
  8331. against the manufacturer and the company that sold them
  8332. the terminals, Louisiana-based Computer World, which
  8333. allegedly installed the remote-access software pcAnywhere
  8334. on all the machines and set the passwords on all of them to
  8335. “computer.”
  8336. Underlying all these breaches is a single systemic
  8337. security flaw, exactly 3.375 inches long. Credit card
  8338. magstripes are a technological anachronism, a throwback
  8339. to the age of the eight-track tape, and today the United
  8340. States is virtually alone in nurturing this security hole. More
  8341. than a hundred other countries around the globe, in Europe,
  8342. Asia, and even Canada and Mexico, have implemented or
  8343. begun phasing in a far more secure system called EMV or
  8344. “chip-and-PIN.”
  8345. Instead of relying on a magstripe’s passive storage,
  8346. chip-and-PIN cards have a microchip embedded in the
  8347. plastic that uses a cryptographic handshake to authenticate
  8348. itself to the point-of-sale terminal and then to the
  8349. transaction-processing server. The system leaves nothing
  8350. for a hacker to steal—an intruder sitting on the wire could
  8351. eavesdrop on the entire transaction and still be unable to
  8352. clone a card, because the handshake sequence changes
  8353. every time.
  8354. White hats have devised attacks against chip-and-PIN,
  8355. but nothing that would lend itself to the mass market in
  8356. dumps that still exists today. So far, the biggest flaw in the
  8357. system is that it supports magstripe transactions as a
  8358. fallback for Americans traveling abroad or tourists visiting
  8359. the United States.
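The handshake the two paragraphs above describe, and why the magstripe fallback undoes it, shown as an added example that is not from the book. It is a deliberately simplified model: HMAC-SHA256 stands in for EMV's real 3DES/AES session-key cryptogram, the issuer master key, PAN and track data are constructed values, and the issuer-side checks (counter must advance, MAC must match) are the minimum an issuer host would perform.

```python
import hmac
import hashlib
import secrets

# Added illustration, not code from the book. Every key and card value here is
# constructed; HMAC-SHA256 is a stand-in for EMV's session-key cryptogram.
ISSUER_MASTER_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")  # hypothetical
PAN = "4111111111111111"  # standard test PAN, not a real account


def derive_card_key(master_key: bytes, pan: str) -> bytes:
    """Per-card key the issuer personalises into the chip (simplified derivation)."""
    return hmac.new(master_key, pan.encode(), hashlib.sha256).digest()


def derive_session_key(card_key: bytes, atc: int) -> bytes:
    """Per-transaction key bound to the Application Transaction Counter (ATC)."""
    return hmac.new(card_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def cryptogram(session_key: bytes, amount_cents: int, unpredictable_number: bytes, atc: int) -> bytes:
    """MAC over the data both terminal and card commit to; truncated to 8 bytes like an ARQC."""
    data = amount_cents.to_bytes(6, "big") + unpredictable_number + atc.to_bytes(2, "big")
    return hmac.new(session_key, data, hashlib.sha256).digest()[:8]


class ChipCard:
    """Card side: holds the card key, never reveals it, only emits fresh cryptograms."""

    def __init__(self, card_key: bytes):
        self._card_key = card_key
        self.atc = 0

    def generate_arqc(self, amount_cents: int, unpredictable_number: bytes):
        self.atc += 1  # counter advances on every transaction, so no two are alike
        session_key = derive_session_key(self._card_key, self.atc)
        return self.atc, cryptogram(session_key, amount_cents, unpredictable_number, self.atc)


class Issuer:
    """Issuer host: recomputes the cryptogram from the master key and rejects reuse."""

    def __init__(self, master_key: bytes):
        self._master_key = master_key
        self._seen_atc = {}  # pan -> highest ATC accepted so far

    def authorise(self, pan: str, amount_cents: int, unpredictable_number: bytes, atc: int, arqc: bytes) -> bool:
        if atc <= self._seen_atc.get(pan, 0):
            return False  # counter replayed or rolled back
        session_key = derive_session_key(derive_card_key(self._master_key, pan), atc)
        expected = cryptogram(session_key, amount_cents, unpredictable_number, atc)
        if not hmac.compare_digest(expected, arqc):
            return False  # wrong key, tampered amount, or stale unpredictable number
        self._seen_atc[pan] = atc
        return True


def magstripe_authorise(known_track2: str, presented_track2: str) -> bool:
    """Magstripe 'authentication': the static track data is the whole secret."""
    return presented_track2 == known_track2


def demonstrate() -> dict:
    results = {}
    # 1. Magstripe: whoever sniffed the track once can present it forever.
    track2 = f"{PAN}=2512101"  # constructed track-2 style data: PAN=YYMM + service code
    sniffed_copy = track2
    results["magstripe_clone_accepted"] = magstripe_authorise(track2, sniffed_copy)

    # 2. Chip: a genuine transaction with a terminal-chosen unpredictable number.
    issuer = Issuer(ISSUER_MASTER_KEY)
    card = ChipCard(derive_card_key(ISSUER_MASTER_KEY, PAN))
    amount = 4250
    un = secrets.token_bytes(4)
    atc, arqc = card.generate_arqc(amount, un)
    results["chip_genuine_accepted"] = issuer.authorise(PAN, amount, un, atc, arqc)

    # 3. An intruder on the wire captured (amount, un, atc, arqc) and replays it verbatim.
    results["chip_replay_same_atc_accepted"] = issuer.authorise(PAN, amount, un, atc, arqc)

    # 4. The same captured cryptogram offered at a new terminal: fresh UN, next counter value.
    un2 = secrets.token_bytes(4)
    results["chip_replay_new_terminal_accepted"] = issuer.authorise(PAN, amount, un2, atc + 1, arqc)

    # 5. The real card keeps working because it holds the key and can make a new cryptogram.
    atc2, arqc2 = card.generate_arqc(amount, un2)
    results["chip_next_genuine_accepted"] = issuer.authorise(PAN, amount, un2, atc2, arqc2)
    return results


if __name__ == "__main__":
    for check, outcome in demonstrate().items():
        print(f"{check}: {outcome}")
```

Running demonstrate() shows the asymmetry the text describes: the magstripe path accepts any copy of the static track data, while the chip path rejects both a verbatim replay (the counter has already been consumed) and the captured cryptogram presented at a fresh terminal (unpredictable number and counter no longer match the MAC). A terminal that falls back to magstripe when the chip read fails simply puts the first path back in play, which is why the fallback, not the handshake, is the weak point.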
  8360. American banks and credit card companies have
  8361. rejected chip-and-PIN because of the enormous cost of
  8362. replacing hundreds of thousands of point-of-sale terminals
  8363. with new gear. In the end, the financial institutions have
  8364. decided their fraud losses are acceptable, even with the
  8365. likes of Iceman prowling their networks.
  8366.  
  8367. EPILOGUE
  8368. In the Orange County men’s jail, Chris Aragon is lonely,
  8369. feeling abandoned by his friends and torn with grief that his
  8370. children are growing up without him. In October 2009, Clara
  8371. filed for divorce, seeking custody of their two children. His
  8372. girlfriend filed for child support.
  8373. Chris is studying the Bhagavad Gita and has a full-time
  8374. job as an inmate representative, helping several hundred
  8375. prisoners with legal matters, medical complaints, and
  8376. issues with the jail staff. His lawyer is playing a waiting
  8377. game, winning endless continuances for the criminal trial
  8378. that, if he loses, still carries a twenty-five-to-life term. After
  8379. Chris’s story was featured in a Wired magazine article on
  8380. Max, Chris was contacted by a Hollywood screenwriter and
  8381. a producer, but he didn’t respond. His mother suggested
  8382. he get an agent.
  8383. Max was assigned to FCI Lompoc, a low-security prison
  8384. an hour north of Santa Barbara, California. He hopes to use
  8385. his time to get a degree in physics or math—finally
  8386. completing the college education that was interrupted a
  8387. decade earlier in Boise.
  8388. He’s taken a mental inventory and is dismayed to find
  8389. that, despite everything, he still has the same impulses that
  8390. guided him into a life of hacking. “I’m not sure how to really
  8391. mitigate that, except ignore it,” he said in an interview from
  8392. jail. “I really believe that I’m reformed. But I don’t know
  8393. what’s going to happen later.”
  8394. It might seem a curious confession—admitting that the
  8395. elements of his personality that landed him in prison still
  8396. remain buried deep inside. But Max’s new self-awareness
  8397. shows hope for real change. If one is born a hacker, no
  8398. amount of prison can drive it out. No therapy, or court
  8399. supervision, or prison workshop can offer reform. Max has
  8400. to reform himself—learn to own his actions and channel the
  8401. useful parts of his nature into something productive.
  8402. To that end, Max has volunteered to help the government
  8403. during his confinement, defending U.S. networks or
  8404. perhaps counterattacking foreign adversaries online. He
  8405. wrote out a menu of the services he could offer in a memo
  8406. headed “Why the USA Needs Max.” “I could penetrate
  8407. China’s military networks and military contractors,” he
  8408. suggested. “I can hack al Qaida.” He’s hopeful he might do
  8409. enough for the government that he could apply for a
  8410. lowered sentence from his judge.
  8411. It’s a long shot, and so far, the feds haven’t taken him up
  8412. on his offer. But a month after his sentencing, Max took a
  8413. baby step in that direction. Keith Mularski arranged for Max
  8414. to speak at the NCFTA for an eager audience of law
  8415. enforcement officials, students, financial and corporate
  8416. security experts, and academics from Carnegie Mellon.
  8417. Mularski checked him out of jail for the appearance. And
  8418. for an hour or two, Max Vision was a white hat again.
  8419.  
  8420. NOTES
  8421.  
  8422. Prologue
  8423. 1 The taxi idled: Interviews with Max Vision.
  8424.  
  8425. Chapter 1: The Key
  8426. 1 As soon as the pickup truck rolled up to the curb:
  8427. Interviews with Max’s friend Tim Spencer. The
  8428. confrontation was also described in less detail by
  8429. Kimi Mack, Max’s ex-wife. Though Max could
  8430. intimidate bullies, he was never forced into a
  8431. physical confrontation with them.
  8432. 2 Max’s parents had married young: State of Idaho
  8433. v. Max Butler, 1991. District Court of the Fourth
  8434. Judicial District, Ada County, Case No. 17519.
  8435. 3 Robert Butler was a Vietnam veteran: State of
  8436. Idaho v. Max Butler and interviews with Max.
  8437. 4 Weather Channel and nature documentaries:
  8438. Interviews with Kimi Winters and Max, respectively.
  8439. Max’s parents declined to be interviewed.
  8440. 5 relaxed, and full-bore insane: Interviews with Tim
  8441. Spencer and with “Amy,” Max’s ex-girlfriend. Max’s
  8442. emotional problems at this time are also reflected in
  8443. court records in State of Idaho v. Max Butler. Max
  8444. acknowledges that his parents’ divorce had a deep
  8445. effect on him.
  8446. 6 One day he emerged from his home: Interview with
  8447. Tim Spencer. Max confirms the incident but says he
  8448. lit the fire in a field adjacent to Spencer’s house.
  8449. 7 The Meridian geeks had found the key ring: The
  8450. account of the master-key incident comes from
  8451. interviews with Tim Spencer. Court records confirm
  8452. Max’s juvenile conviction. Max admits the trespass
  8453. and chemical theft but declined to detail what
  8454. occurred inside the school. John, his uncharged
  8455. accomplice in the burglary, declined comment.
  8456. 8 Max became “Lord Max”: Max described his run-in
  8457. with the Secret Service in an interview. Also
  8458. referenced in a letter Max wrote that was filed in
  8459. State of Idaho v. Max Butler.
  8460.  
  8461. Chapter 2: Deadly Weapons
  8462. 1 THIS is the Rec Room!!!!: From MUDs to Virtual
  8463. Worlds, Don Mitchell, Microsoft social computing
  8464. group (March 23, 1995).
  8465. 2 three hundred thousand host computers:
  8466. Numerous sources, including “Illuminating the net’s
  8467. Dark Ages,” Colin Barras, BBC News, August 23,
  8468. 2007.
  8469. 3 At Max’s urging: The events surrounding Max’s
  8470. assault conviction are based on transcripts and
  8471. other documents in State of Idaho v. Max Butler, as
  8472. well as interviews with Max and “Amy.” Where there
  8473. are significant factual disputes, they are noted
  8474. herein.
  8475. 4 Then the dark truth: “The Dreaming City,” Michael
  8476. Moorcock, Science Fantasy 47 (June 1961).
  8477. 5 Like a few of them, he started hacking the
  8478. computer right away: The hacking at BSU was
  8479. described by Max and David in interviews. David
  8480. described Max’s speed and impatience. BSU
  8481. professor Alexander Feldman discussed Max’s
  8482. computer ban in an interview and said Max had
  8483. probed other computers.
  8484. 6 The sheriff called BSU’s network administrator at
  8485. two in the morning: Interview with Greg Jahn, a
  8486. former BSU system administrator responsible for
  8487. locking down Max’s account and preserving his files.
  8488.  
  8489. Chapter 3: The Hungry Programmers
  8490. 1 Idaho’s Supreme Court ruled: State v. Townsend,
  8491. 124 Idaho 881, 865 P.2d 972 (1993).
  8492. 2 Max found an unprotected FTP file server: Cinco
  8493. Network, Inc. v. Max Butler, 2:96-cv-1146, U.S.
  8494. District Court, Western District of Washington. Max
  8495. confirms this account but says he was primarily
  8496. interested in distributing music files, not pirated
  8497. software.
  8498. 3 Chris Beeson, a young agent: The details of Max’s
  8499. assistance to the FBI come from court filings by the
  8500. defense attorney in his subsequent criminal case,
  8501. USA v. Max Ray Butler, 5:00-cr-20096, U.S.
  8502. District Court, Northern District of California. Details
  8503. of his recruitment and his relationship with the
  8504. agents come from interviews with Max and Max’s
  8505. Internet writings immediately following his guilty plea.
  8506. See
  8507. http://www.securityfocus.com/comments/articles/203/5729/threaded
  8508. (May 24, 2001). Max says he did not consider
  8509. himself an informant and only provided technical
  8510. information.
  8511.  
  8512. Chapter 4: The White Hat
  8513. 1 The first people to identify themselves as hackers:
  8514. The seminal work on the early hackers is Steven
  8515. Levy, Hackers: Heroes of the Computer Revolution
  8516. (New York: Anchor Press/Doubleday, 1984). Also
  8517. see Steve Wozniak and Gina Smith, iWoz: From
  8518. Computer Geek to Cult Icon: How I Invented the
  8519. Personal Computer, Co-Founded Apple, and Had
  8520. Fun Doing It (New York: W. W. Norton and
  8521. Company, 2006).
  8522. 2 Tim was at work one day: This anecdote was
  8523. recalled by Tim Spencer. Max later recalled
  8524. Spencer’s advice in a letter to his sentencing judge
  8525. in Pittsburgh.
  8526. 3 If there was one thing Max: Details of Max’s
  8527. relationship with Kimi come primarily from
  8528. interviews with Kimi.
  8529. 4 Max went up to the city to visit Matt Harrigan:
  8530. Harrigan’s business and his work with Max were
  8531. described primarily by Harrigan, with some details
  8532. confirmed by Max.
  8533.  
  8534. Chapter 5: Cyberwar!
  8535. 1 In 1998, security experts discovered the latest flaw
  8536. in the code: This account of Max’s BIND attack
  8537. draws primarily from court records, including Max’s
  8538. written confession, interviews with Kimi, and
  8539. interviews with former air force investigator Eric
  8540. Smith. E-mail snippets between Max and the FBI
  8541. are from court records. Technical details come
  8542. primarily from a contemporaneous analysis of Max’s
  8543. code that can be found at http://www.mail-archive.com/redhat-list@redhat.com/msg01857.html.
  8546. 2 issued an alert: “Inverse Query Buffer Overrun in
  8547. BIND 4.9 and BIND 8 Releases,” CERT Advisory
  8548. CA-98.05.
  8549. 3 He sent Paxson an anonymous note: The note
  8550. was provided to the author by Vern Paxson. Max
  8551. confirmed that he sent it.
  8552.  
  8553. Chapter 6: I Miss Crime
  8554. 1 Kimi came home from school: Kimi described this
  8555. portion of the FBI search and its aftermath.
  8556. 2 The FBI agents saw an opportunity in Max’s crime:
  8557. The details come from court filings by the defense
  8558. attorney in USA v. Max Ray Butler, 5:00-cr-20096,
  8559. U.S. District Court, Northern District of California.
  8560. 3 Max was in heaven: Interviews with Max and Kimi.
  8561. 4 Carlos Salgado Jr., a thirty-six-year-old computer
  8562. repairman: Details of the Salgado caper come from
  8563. interviews with Salgado, Salgado’s intended buyer,
  8564. the former system administrator of the ISP he
  8565. hacked, and court records in USA v. Carlos Felipe
  8566. Salgado, Jr., 3:97-cr-00197, U.S. District Court,
  8567. Northern District of California. The FBI declined to
  8568. comment on the case or to identify the victim of the
  8569. credit card breach.
  8570. 5 The next day, Max met Harrigan at a Denny’s:
  8571. Interviews with Matt Harrigan and Max.
  8572.  
  8573. Chapter 7: Max Vision
  8574. 1 In late 1998, a former NSA cybersecurity: Interview
  8575. with Marty Roesch.
  8576. 2 The reason I signed the confession: Interviews with
  8577. Kimi. In interviews with the author, Max expressed
  8578. the sentiment that his attachment to Kimi worsened
  8579. his legal situation.
  8580. 3 “It’s his stuff”: Snort IDS mailing list, April 3, 2000.
  8581. (http://archives.neohapsis.com/archives/snort/2000-04/0021.html).
  8583. 4 Patrick “MostHateD” Gregory: “Computer Hacker
  8584. Sentenced,” U.S. Department of Justice press
  8585. release, September 6, 2000
  8586. (http://www.justice.gov/criminal/cybercrime/gregorysen.htm).
  8587. 5 Jason “Shadow Knight” Diekman: “Orange County
  8588. Man in Federal Custody for Hacking into
  8589. Government Computers,” U.S. Department of
  8590. Justice press release, September 21, 2000
  8591. (http://www.justice.gov/criminal/cybercrime/diekman.htm).
  8592. 6 Sixteen-year-old Jonathan James: “Juvenile
  8593. Computer Hacker Sentenced to Six Months in
  8594. Detention Facility,” U.S. Department of Justice
  8595. press release, September 21, 2000
  8596. (http://www.justice.gov/criminal/cybercrime/comrade.htm).
  8597.  
  8598. Chapter 8: Welcome to America
  8599. 1 The two Russians: The details of the Invita sting
  8600. and the background of the Russian defendants
  8601. come primarily from court records, particularly USA
  8602. v. Vassily Gorshkov, 2:00:mj:00561, U.S. District
  8603. Court, Western District of Washington, as well as an
  8604. interview with a former FBI agent who worked on the
  8605. operation. The description of the Russians’ attire
  8606. and the reference to “the Expert Group” comes from
  8607. the excellent Washington Post story “A Tempting
  8608. Offer for Russian Pair” by Ariana Eunjung Cha, May
  8609. 19, 2003. Quotes from within the Invita office come
  8610. from a transcript of the surveillance tape, with minor
  8611. grammatical changes for readability.
  8612.  
  8613. Chapter 9: Opportunities
  8614. 1 Max wore a blazer and rumpled cargo pants: The
  8615. author was present at Max’s sentencing hearing:
  8616. see “As the Worm Turns,” SecurityFocus,
  8617. Businessweek online, May 21, 2001
  8618. (http://www.businessweek.com/technology/content/jul2001/tc20010726_443.htm). The letters
  8620. written on Max’s behalf are filed in USA v. Max Ray
  8621. Butler, 5:00-cr-20096, U.S. District Court, Northern
  8622. District of California.
  8623. 2 Kimi was talking to him on the phone: Interview
  8624. with Kimi.
  8625. 3 Max took the news with eerie calm: Interview with
  8626. Max.
  8627. 4 “I’ve been talking to some people”: Interview with
  8628. Kimi.
  8629. 5 Jeffrey James Norminton: Three of Norminton’s
  8630. close associates, Chris Aragon, Werner Janer, and
  8631. an anonymous source, described Norminton’s
  8632. alcoholism, and Aragon discussed its effect on
  8633. Norminton’s criminal productivity. Federal court
  8634. records show Norminton’s assignment to a drug and
  8635. alcohol rehabilitation center, and local court records
  8636. reflect two DUI arrests in 1990 (Orange County
  8637. Superior Court cases SM90577 and SM99355).
  8638. 6 Norminton’s latest caper: USA v. Jeffrey James
  8639. Norminton, 2:98-cr-01260, U.S. District Court,
  8640. Central District of California.
  8641. 7 Norminton made it clear that he saw real potential
  8642. in Max: Interviews with Max, Chris Aragon, Werner
  8643. Janer, and another source familiar with Max’s and
  8644. Norminton’s jailhouse planning.
  8645. 8 Max refused to sign: Kimi and Max agree on this.
  8646. Max says he refused to sign because Kimi
  8647. appeared to be wavering in her commitment to
  8648. divorce him.
  8649. 9 I have been showing up at places: Max’s plea to
  8650. the security community is archived at
  8651. http://seclists.org/fulldisclosure/2002/Aug/257.
  8652. 10 Even the Honeynet Project: Max says the project
  8653. shunned him. Founder Lance Spitzner did not
  8654. answer an inquiry from the author.
  8655. 11 A global survey: Conducted by the Belgian
  8656. computer security company Scanit by way of a free
  8657. online vulnerability assessment tool, July 9, 2003.
  8658.  
  8659. Chapter 10: Chris Aragon
  8660. 1 Max met his future friend and criminal partner
  8661. Chris Aragon: Chris Aragon provided this account
  8662. of his first meeting with Max. Max doesn’t remember
  8663. where they first met.
  8664. 2 The first robbery: The first attempted bank robbery
  8665. and the final successful one are described in court
  8666. records for USA v. Christopher John Aragon and
  8667. Albert Dwayne See, 81-cr-133, U.S. District Court
  8668. for the District of Colorado. Additional details,
  8669. including the Dumpster incident and Aragon’s
  8670. lifestyle at the time, come from the author’s
  8671. interviews with Albert See, Aragon’s former crime
  8672. partner. In interviews, Aragon generally
  8673. acknowledged his bank robbery conviction and his
  8674. use of cocaine in this period.
  8675. 3 he delved into credit card fraud: Per Aragon, and
  8676. confirmed by his former associate Werner Janer
  8677. and Max.
  8678. 4 busted in a nationwide DEA undercover operation:
  8679. Kathryn Sosbe, “13 arrested in marijuana
  8680. bust/Colombian cartel used Springs as distribution
  8681. point,” Colorado Springs Gazette-Telegraph,
  8682. September 13, 1991. The Federal Bureau of
  8683. Prisons confirmed Aragon’s conviction and
  8684. sentencing on a charge of travel in interstate
  8685. commerce in aid of a business enterprise involving
  8686. the distribution of marijuana.
  8687. 5 They wound up at the twenty-seven-story Holiday
  8688. Inn: The descriptions of Max and Aragon’s work
  8689. together here and throughout this book come
  8690. primarily from interviews with Max and Aragon, as
  8691. well as their associates Werner Janer, Jonathan
  8692. Giannone, Tsengeltsetseg Tsetsendelger, and
  8693. another source involved in their crimes. Statements
  8694. provided by Jeffrey Norminton to the FBI,
  8695. summarized in court documents, also confirm many
  8696. of the details.
  8697. 6 a white-hat hacker had invented a sport called “war
  8698. driving”: “Evil” Pete Shipley. See the author’s “War
  8699. Driving by the Bay,” Securityfocus.com, April 12,
  8700. 2001 (http://www.securityfocus.com/news/192).
  8701. 7 Janer offered to pay Max $5,000 to penetrate the
  8702. computer of a personal enemy: According to
  8703. Aragon, Max, and other sources. Janer says the
  8704. money was a loan. Charity confirms she received
  8705. the check on Max’s behalf.
  8706. 8 Charity had only the broadest notion of what Max
  8707. was up to: Interviews with Charity Majors.
  8708. 9 On a whim, he cracked Kimi’s computer: Interview
  8709. with Max.
  8710.  
  8711. Chapter 11: Script’s Twenty-Dollar
  8712. Dumps
  8713. 1 In the spring of 2001, some 150 Russian-speaking
  8714. computer criminals: Greg Crabb, U.S.
  8715. Postal Inspection Service. Roman Vega, currently in
  8716. U.S. custody, declined comment, as did the
  8717. Ukrainian widely suspected to be Script.
  8718. 2 The discussion was sparked by: This history of the
  8719. carding forums comes from interviews with several
  8720. veteran carders, court records, interviews with law
  8721. enforcement officials, and a detailed examination of
  8722. the archives of Counterfeit Library, CarderPlanet,
  8723. and Shadowcrew.
  8724. 3 the CVV began driving down fraud costs
  8725. immediately: Fraud figures come from a
  8726. presentation by Steven Johnson, director, Visa USA
  8727. Public Sector Sales, at the ninth annual GSA
  8728. SmartPay Conference in Philadelphia, August 23,
  8729. 2007.
  8730. 4 Chris decided to try some carding himself: Aragon
  8731. described his dealings with Script and his first
  8732. fraudulent purchases.
  8733.  
  8734. Chapter 12: Free Amex!
  8735. 1 Max broached his plan obliquely with Charity:
  8736. Interview with Charity Majors.
  8737. 2 Internet Explorer can process more than just Web
  8738. pages: Drew Copley and eEye Digital Security,
  8739. “Internet Explorer Object Data Remote Execution
  8740. Vulnerability,” August 20, 2003. See CERT
  8741. Vulnerability Note VU#865940. The author located
  8742. Max’s attack code in a 2003 post to a hacker Web
  8743. forum, and computer security researcher Marc
  8744. Maiffret, an executive at eEye, confirmed that it
  8745. exploited this bug. Max remembers having the
  8746. vulnerability before it was public but isn’t sure how
  8747. he obtained it. He says eEye and its researchers
  8748. never leaked bugs in advance.
  8749. 3 The disk was packed with FBI reports: Aragon,
  8750. Max, and Werner Janer all related the story of Max’s
  8751. intrusion into the FBI agent’s computer. Max, Janer,
  8752. and another source confirmed the agent’s name.
  8753. The agent, E. J. Hilbert, insists he was never hacked
  8754. and that Max likely penetrated an FBI honeypot filled
  8755. with fake information.
  8756.  
  8757. Chapter 13: Villa Siena
  8758. 1 Chris loaded blank PVC cards: Aragon admits his
  8759. credit card counterfeiting operation and provided
  8760. some details in interviews. The author examined
  8761. Aragon’s counterfeiting gear, and dozens of his
  8762. finished cards, at the Newport Beach Police
  8763. Department. The blow-by-blow on how the
  8764. equipment operates comes from interviews with
  8765. another experienced card counterfeiter who used
  8766. the same gear.
  8767. 2 summoned his girls: Nancy Diaz Silva and
  8768. Elizabeth Ann Esquere have pleaded guilty for their
  8769. roles in Aragon’s operation. The other cashers were
  8770. described variously by Aragon’s former associates
  8771. Werner Janer, Jonathan Giannone, and
  8772. Tsengeltsetseg Tsetsendelger.
  8773. 3 They’d be “sticking it to the man”: The Newport
  8774. Beach Police Department interviewed one of
  8775. Aragon’s later cashers, Sarah Jean Gunderson, in
  8776. 2007. According to the police report: “Aragon stated
  8777. that it was ‘The man that we are sticking it to.’
  8778. Gunderson said she knew it was wrong, however all
  8779. of her bills were getting paid.” Gunderson has
  8780. pleaded guilty.
  8781.  
  8782. Chapter 14: The Raid
  8783. 1 Chris Toshok awoke to the sound of his doorbell
  8784. buzzing: The details of the raid come primarily from
  8785. Toshok’s blog post “The whole surreal story,” I am
  8786. Pleased Precariously on January 15, 2004.
  8787. 2 The FBI tried to lure Gembe to America: Cassell
  8788. Bryan-Low, “Hacker Hitmen,” Wall Street Journal,
  8789. October 6, 2003. Also see the author’s “Valve Tried
  8790. to Trick Half-Life 2 Hacker into Fake Job Interview,”
  8791. Wired.com, November 12, 2008.
  8792. (http://www.wired.com/threatlevel/2008/11/valvetricked-
  8793. h/).
  8794. 3 “Call me back when you’re not stoned”: Aragon
  8795. and Max both agree they fought over money. This
  8796. quote was recalled by Aragon.
  8797. 4 sending them to Mexico to be fitted with clean
  8798. VINs: Interviews with Werner Janer and Jonathan
  8799. Giannone. Court records from Aragon’s San
  8800. Francisco arrest show his car was found to have
  8801. fake VIN tags, and as part of the case settlement
  8802. Aragon agreed to forfeit the vehicle. Aragon
  8803. declined to elaborate on that aspect of his activities
  8804. in interviews.
  8805.  
  8806. Chapter 15: UBuyWeRush
  8807. 1 Cesar had come to the underground by a
  8808. circuitous course: Interview with Carranza.
  8809. 2 Selling equipment wasn’t in and of itself illegal:
  8810. Carranza pleaded guilty to money laundering in
  8811. December 2009 for running an e-gold exchange
  8812. service for carders under the UBuyWeRush brand.
  8813. U.S. v. Cesar Carranza, 1:08-cr-0026 U.S. District
  8814. Court for the Eastern District of New York. On
  8815. September 16, 2010, he was sentenced to six years
  8816. in prison.
  8817. 3 The midsized Commerce Bank in Kansas City,
  8818. Missouri, may have been the first: Interview with
  8819. Mark J. Tomasic, former vice president of bank card
  8820. security with Commerce Bank. Also see “Hey,
  8821. banks, earn your stripes and fight ATM fraud
  8822. scams,” Kansas City Star, June 1, 2008.
  8823. 4 Citibank, the nation’s largest consumer bank by
  8824. holdings, was the most high-profile victim: The
  8825. CVV attacks were widely known as the “Citibank
  8826. cash-outs” in carding circles. One of King Arthur’s
  8827. cashers, Kenneth Flury, was prosecuted in the
  8828. United States after admitting to stealing $384,000 in
  8829. Citibank ATM withdrawals in ten days in the spring
  8830. of 2004: U.S. v. Kenneth J. Flury, 1:05-cr-00515,
  8831. U.S. District Court for the Northern District of Ohio.
  8832. Citibank declined comment. To discourage
  8833. competitors, masterminds of the cash-outs often
  8834. claimed to have secret algorithms at their disposal
  8835. to generate workable magstripes. Max and other
  8836. carders confirmed this was a myth, as did FBI agent
  8837. J. Keith Mularski. Any data would work.
  8838. 5 once let it slip to a colleague that King was making
  8839. $1 million a week: Joseph Menn, “Fatal System
  8840. Error,” Public Affairs, January 2010.
  8841. 6 Max had passed them all to Chris, who tore into
  8842. them with a vengeance: Interview with Max. Werner
  8843. Janer confirmed that Chris worked on the Citibank
  8844. cash-outs with Max, but Janer did not know the
  8845. details. Aragon declined to comment on the cashouts.
  8846. 7 In just one year: Avitan Litan, “Criminals Exploit
  8847. Consumer Bank Account and ATM System
  8848. Weaknesses,” Gartner report G00129989, July 28,
  8849. 2005. The loss estimate includes two types of
  8850. magstripe “discretionary” data that was not being
  8851. properly verified: the CVV and an optional PIN offset
  8852. used by some banks.
  8853.  
  8854. Chapter 16: Operation Firewall
  8855. 1 Banner ads appeared at the top of the site: This
  8856. and other reporting on Shadowcrew’s contents
  8857. comes from a mirror of the public portion of the site
  8858. captured in October 2004, immediately before it
  8859. was shuttered.
  8860. 2 The posts disappeared at once: Interviews with
  8861. Max. Aragon independently stated that he and Max
  8862. tried to warn Shadowcrew members in advance of
  8863. the Operation Firewall raids.
  8864. 3 The transactions ranged from the petty to the
  8865. gargantuan: Transaction details come from the
  8866. Operation Firewall indictment, U.S. v. Mantovani et
  8867. al., 2:04-cr-00786, U.S. District Court for the District
  8868. of New Jersey.
  8869. 4 the Secret Service had noticed Ethics was selling:
  8870. Ethics’s hacking of the Secret Service agent was
  8871. first reported by the author: “Hacker penetrates TMobile
  8872. systems,” Securityfocus.com, January 11,
  8873. 2005. His use of the BEA Systems exploit came
  8874. from sources close to the case and was first
  8875. reported by the author: “Known Hole Aided T-Mobile
  8876. B r e a c h , ” Wired.com, February 28, 2005
  8877. (http://www.wired.com/politics/security/news/2005/02/66735).
  8878. Also see U.S. v. Nicolas Lee Jacobsen, 2:04-mj-
  8879. 02550, U.S. District Court for the Central District of
  8880. California.
  8881. 5 David Thomas was a lifelong scammer who’d
  8882. discovered the crime forums: For Thomas’s history
  8883. with the forums and the details of his work for the
  8884. FBI, see Kim Zetter, “I Was a Cybercrook for the
  8885. F B I, ” Wired.com, January 20, 2007. A U.S.
  8886. government source confirmed to the author that
  8887. Thomas had worked for the bureau while running his
  8888. forum, the Grifters.
  8889. 6 “You don’t know who you have here”: From the
  8890. police report of Thomas’s arrest. “The problem with
  8891. the Bureau and the Secret Service is they look at the
  8892. largest biggest deals they can get in on,” Thomas
  8893. said in a 2005 interview with the author. “They want
  8894. the big enchilada.”
  8895. 7 Their targets were marked on a map of the United
  8896. States: Brian Grow, “Hacker Hunters,”
  8897. Businessweek, May 30, 2005
  8898. (http://www.businessweek.com/magazine
  8899. /content/05_22/b3935001_mz001.htm). The
  8900. identification of the Secret Service agents’ guns
  8901. also comes from this story.
  8902. 8 Attorney General John Ashcroft boasted in a press
  8903. release: “Nineteen Individuals Indicted in Internet
  8904. ‘Carding’ Conspiracy,” October 28, 2004
  8905. (http://www.justice.gov/usao/nj/press/files/pdffiles/fire1028rel.pdf).
  8906.  
  8907. Chapter 17: Pizza and Plastic
  8908. 1 His scanning put him inside a Windows machine:
  8909. Max, Jonathan Giannone, and Brett Johnson each
  8910. independently identified the Pizza Schmizza in
  8911. Vancouver, Washington, as the source of Max’s
  8912. dumps in this period. The store manager said the
  8913. restaurant has since changed ownership, and she
  8914. had no knowledge of a breach.
  8915. 2 Max couldn’t help feeling cheated yet again:
  8916. Interviews with Max.
  8917. 3 Giannone was a smart middle-class kid with a
  8918. coke habit: Giannone confirmed the cocaine use
  8919. and all the details of his relationship with Max and
  8920. Aragon. He discussed the elevator button pressing
  8921. and the “bank robbery” prank in a chat with another
  8922. carder, a log of which was provided to the author.
  8923. Giannone confirmed in an interview that he
  8924. discussed the bank robbery hoax but said it was an
  8925. idle boast, and he didn’t actually pull it off. He said
  8926. he did not recall the elevator matter.
  8927. 4 Giannone joined Shadowcrew and CarderPlanet
  8928. under the handle MarkRich: Giannone’s transition
  8929. through various handles was confirmed by Giannone
  8930. in an interview. Posts on the forums reviewed by the
  8931. author confirm he gave up his original handle after
  8932. being suspected of informing on an associate while
  8933. a juvenile.
  8934. 5 launched a DDoS attack against JetBlue:
  8935. Giannone also discussed this attack in the
  8936. abovementioned chat logs. He confirmed it in
  8937. interviews with the author.
  8938. 6 the teen was running his operations from the
  8939. computer in his mother’s bedroom: Interviews with
  8940. Max.
  8941.  
  8942. Chapter 18: The Briefing
  8943. 1 Mularski had wanted to be an FBI agent since his
  8944. freshman year: Mularski’s biographical details and
  8945. his early work at NCFTA come from interviews with
  8946. Mularski.
  8947. 2 The briefing for about half a dozen FBI agents:
  8948. Interviews with J. Keith Mularski and Postal
  8949. Inspector Greg Crabb.
  8950.  
  8951. Chapter 19: Carders Market
  8952. 1 “Sherwood Forest” wasn’t going to cut it for a
  8953. criminal marketplace: Aragon’s rejection of the
  8954. name comes from interviews with Max and a letter
  8955. Max later wrote his sentencing judge.
  8956. 2 Janer, an avid watch collector, headed straight to
  8957. Richard’s: Janer explained his motives in the failed
  8958. watch caper in interviews, and Aragon confirmed he
  8959. provided Janer with cards as a favor. The criminal
  8960. case file describes how he was busted and his
  8961. subsequent cooperation, which Janer confirmed.
  8962. U.S. v. Werner William Janer, 3:06-cr-00003, U.S.
  8963. District Court for the District of Connecticut.
  8964. 3 He hacked into a Florida data center run by
  8965. Affinity Internet: Court records confirm Carders
  8966. Market was hosted at Affinity at this time and that
  8967. Affinity later provided the FBI with a copy of the file
  8968. system. Max detailed the hack in interviews and in
  8969. contemporaneous postings to an Internet message
  8970. board as “Iceman.”
  8971. 4 “I’m looking to make a good pile of money”: Chat
  8972. logs admitted as evidence in U.S. v. Jonathan
  8973. Giannone, 3:06-cr-01011, U.S. District Court for the
  8974. District of South Carolina. Online chats and
  8975. message board posts in this book are verbatim
  8976. when they appear within quotes, except for some
  8977. minor changes of grammar, punctuation, or spelling
  8978. for readability.
  8979.  
  8980. Chapter 20: The Starlight Room
  8981. 1 Tsengeltsetseg Tsetsendelger was being kissed:
  8982. Aragon, Max, and other sources confirm that
  8983. Tsetsendelger was recruited at the Starlight Room
  8984. and brought back to Aragon’s hotel. The details
  8985. come from interviews with Tsetsendelger. Liz and
  8986. Michelle Esquere declined comment.
  8987.  
  8988. Chapter 22: Enemies
  8989. 1 required technicians to reboot the machine every
  8990. 49.7 days: Sources include Linda Geppert, “Lost
  8991. Radio Contact Leaves Pilots on Their Own,” IEEE
  8992. Spectrum, November 2004
  8993. (http://spectrum.ieee.org/aerospace/aviation/lostradio-
  8994. contact-leaves-pilots-on-their-own).
  8995. 2 Giannone was pretty sure he couldn’t hack Macs:
  8996. Interview with Giannone. Max acknowledges that he
  8997. hacked Giannone frequently and tracked his
  8998. movements, and was also prone to sending long
  8999. messages to Giannone, and others, reflecting his
  9000. thoughts. He also clarified that he had no problem
  9001. hacking Macs.
  9002. 3 So he reached out to Thomas by ICQ to try to
  9003. head off trouble: Max and Aragon discussed their
  9004. ongoing conflict with Thomas, who also detailed his
  9005. suspicions about Carders Market and Johnson on
  9006. his own website, the Grifters. Additionally, the author
  9007. obtained a log of the chat between Aragon and
  9008. Thomas quoted herein.
  9009.  
  9010. Chapter 23: Anglerphish
  9011. 1 He needed the money, plain and simple:
  9012. Johnson’s personal story comes from a sworn
  9013. affidavit he filed in his criminal case on April 13,
  9014. 2007, and a letter he wrote his sentencing judge on
  9015. March 1, 2007. See U.S. v. Brett Shannon
  9016. Johnson, 3:06-cr-01129, U.S. District Court for the
  9017. District of South Carolina.
  9018. 2 displayed simultaneously on a forty-two-inch
  9019. plasma screen hanging on the wall of the office:
  9020. Trial transcript in U.S. v. Jonathan Giannone, 3:06-
  9021. cr-01011, U.S. District Court for the District of South
  9022. Carolina.
  9023. 3 The suspect had done everything but deep-clean
  9024. the carpet and paint the walls: Interview with Justin
  9025. Feffer, senior investigator, High Technology Crime
  9026. Division, Los Angeles County District Attorney’s
  9027. Office. Also see The People of the State of
  9028. California v. Shawn Mimbs, BA300469, Superior
  9029. Court of California, County of Los Angeles. Mimbs
  9030. declined comment.
  9031. 4 The needles were steady as Johnson answered
  9032. the first two questions: According to Johnson. The
  9033. Secret Service declined to discuss Operation
  9034. Anglerphish.
  9035. 5 “I will hound you for the rest of your life”: From
  9036. Johnson’s letter to his sentencing judge.
  9037.  
  9038. Chapter 24: Exposure
  9039. 1 “Tea, these girls are white trash”: Interview with
  9040. Tsengeltsetseg Tsetsendelger. Aragon mentioned
  9041. his fondness for Tsetsendelger in interviews and a
  9042. letter to the author.
  9043. 2 Iceman, she’d decided, was pretty cool: Interview
  9044. with Tsetsendelger. Max says he was respectful in
  9045. chats with her but privately disliked her.
  9046. 3 “Get out of here”: The incident at the pool comes
  9047. from interviews with Tsetsendelger and Giannone.
  9048. 4 The bug was in the brief handshake sequence:
  9049. See CERT Vulnerability Note VU#117929. The bug
  9050. was discovered accidentally by Steve Wiseman of
  9051. Intelliadmin.com while he was writing and testing a
  9052. VNC client. Technical details come from an analysis
  9053. by James Evans; see http://marc.info/?
  9054. l=bugtraq&m=114771408013890&w=2.
  9055. 5 a widely read computer security blog: “Schneier on
  9056. Security” by Bruce Schneier.
  9057. http://www.schneier.com/blog/archives/2006/06/interview_with_1.html.
  9058. 6 a random blog called “Life on the Road”: See
  9059. http://afterlife.wordpress.com/2006/06/19/cardersmarketshadowcrew-
  9060. and-credit-card-theft/ and
  9061. http://afterlife.wordpress.com/2006/07/12/cardingweb-
  9062. sites/.
  9063.  
  9064. Chapter 25: Hostile Takeover
  9065. 1 Carders Market had six thousand members now:
  9066. Max, his former administrator Th3C0rrupted0ne,
  9067. and other carders say the site had in excess of six
  9068. thousand users after the hostile takeover. The
  9069. Justice Department, though, has put the number at
  9070. forty-five hundred.
  9071. 2 secret even from his mother: According to his
  9072. mother, Marlene Aragon.
  9073.  
  9074. Chapter 26: What’s in Your Wallet?
  9075. 1 industry-funded report by Javelin Research:
  9076. Javelin Strategy and Research, “2007 Identity Fraud
  9077. Survey Report,” February 2007. The report was
  9078. sponsored by Visa USA, Wells Fargo, and
  9079. CheckFree, and then prominently cited by Visa USA
  9080. in a PowerPoint presentation at a Federal Trade
  9081. Commission workshop: “50% of known thieves
  9082. —were known by the victim!” (emphasis original).
  9083. Also see the author’s “Stolen Wallets, Not Hacks,
  9084. Cause the Most ID Theft? Debunked,” Wired.com,
  9085. February 12, 2009
  9086. (http://www.wired.com/threatlevel/2009/02/stolenwallets/).
  9087. 2 Visa’s private numbers told the real story:
  9088. Presentation by Steven Johnson, director, Visa
  9089. U.S.A. Public Sector Sales, at the ninth annual GSA
  9090. SmartPay Conference in Philadelphia, August 23,
  9091. 2007. The presentation slides are marked “Visa
  9092. Confidential.”
  9093. 3 C0rrupted had discovered the warez scene on
  9094. dial-up bulletin board systems: Biographical
  9095. information comes from telephone and online
  9096. interviews with Th3C0rrupted0ne, who spoke on
  9097. condition that his real name not be reported.
  9098. 4 “I can’t believe how much you know about me”:
  9099. Interview with Aragon.
  9100. 5 “Do not follow unsolicited links”: US-CERT
  9101. Technical Cyber Security Alert TA06-262A
  9102. (http://www.kb.cert.org/vuls/id/416092).
  9103. 6 Each copy of the message was customized: The
  9104. text of the spear phishing e-mail comes from an FBI
  9105. affidavit filed in U.S. v. Max Ray Butler, 3:07-mj-
  9106. 00438, U.S. District Court for the Eastern District of
  9107. Virginia. “Mary Rheingold” is not a real name and
  9108. was added by the author in place of “[First Name
  9109. and Last Name of Recipient]” in the original court
  9110. document.
  9111.  
  9112. Chapter 27: Web War One
  9113. 1 “The Secret Service and FBI declined to comment
  9114. on Iceman or the takeovers”: Byron Acohido and
  9115. Jon Swartz, “Cybercrime flourishes in online hacker
  9116. forums,” USA Today, October 11, 2006.
  9117. 2 “You’ve lost your fucking mind”: Interview with
  9118. Chris Aragon.
  9119. 3 Bank of America and Capital One, in particular,
  9120. were huge institutions: Of his spear-phishing
  9121. attacks, Max was charged only with the Capital One
  9122. intrusion. The other victims were identified by Max.
  9123.  
  9124. Chapter 28: Carder Court
  9125. 1 it was just Silo trying to gather intelligence on
  9126. DarkMarket members for the police: Max, Mularski,
  9127. and Th3C0rrupted0ne identified Liske as Silo. In
  9128. extensive interviews, Liske was evasive about his
  9129. activities on the forums but spoke obliquely of his
  9130. work as an informant and his relationship with Max.
  9131. “Max was a good case. You know, he was a
  9132. challenge.” On the NCFTA Trojan, he said: “Isn’t it
  9133. reasonable to assume that whoever was dishing out
  9134. Trojans was actually dishing out Trojans to everyone
  9135. in the scene?” Later, “If it were malicious I could
  9136. have—someone could have caused real damage.”
  9137. Detective Mark Fenton of the Vancouver Police
  9138. Department said Canadian law prohibits him from
  9139. identifying or confirming an informant’s identity. On
  9140. the subject of whether he received hacked evidence
  9141. from informants, he said: “I know down in the States,
  9142. if an individual received any information that is
  9143. suspect, it’s not admissible. Up here, if someone
  9144. tells me something, I say, ‘Where did you hear that
  9145. from?’ He says, ‘I heard it from some guy.’ ” He
  9146. likened the arrangement to the Crime Stoppers tip
  9147. program. “Should Crime Stoppers be scrapped
  9148. because we have criminals phoning in tips about
  9149. other criminals?” One unanswered question is to
  9150. what degree, if any, the Secret Service leaned on
  9151. hacked information provided by the VPD to build
  9152. cases in the United States. The Secret Service
  9153. declined to make agents available to the author:
  9154. “Although we have chosen not [to] participate with
  9155. this particular project, feel free to approach us with
  9156. other ideas in the future.”
  9157. 2 the same user had once registered another
  9158. address through the company: Max says Night Fox
  9159. was responsible for registering the Financial Edge
  9160. News website and made this blunder.
  9161.  
  9162. Chapter 29: One Plat and Six Classics
  9163. 1 “for 150 classics”: Affidavit of Secret Service
  9164. Special Agent Roy Dotson, July 24, 2007, filed in
  9165. USA v. E-Gold, LTD , 1:07-cr-0019, U.S. District
  9166. Court for the District of Columbia. For the complete
  9167. history of e-gold, see Kim Zetter, “Bullion and
  9168. Bandits: The Improbable Rise and Fall of E-Gold,”
  9169. Wired.com, June 9, 2007.
  9170. 2 They were working closely with Silo’s handler at
  9171. the Vancouver Police Department: Word of the
  9172. meeting got back to Liske. “There was an
  9173. accusation that I was Iceman,” he said in an
  9174. interview. “And there was a big presentation made
  9175. that this guy was Iceman. And the people this was
  9176. presented to knew full well that I wasn’t.”
  9177.  
  9178. Chapter 30: Maksik
  9179. 1 straight from Maksik’s massive database of stolen
  9180. cards: U.S. v. Maksym Yastremski , 3:06-cr-01989,
  9181. U.S. District Court for the Southern District of
  9182. California.
  9183. 2 In early 2006, the Ukranians finally identified
  9184. Maksik as one Maksym Yastremski: Interview with
  9185. Greg Crabb.
  9186. 3 they secretly copied his hard drive for analysis:
  9187. Government filing dated July 24, 2009, in U.S. v.
  9188. Albert Gonzalez, 2:08-cr-00160, U.S. District Court
  9189. for the Eastern District of New York.
  9190. 4 “We were lucky in this case, because Salgado’s
  9191. purchaser was cooperating with the FBI”: Written
  9192. testimony of Robert S. Litt, deputy attorney general,
  9193. before the Subcommittee on Telecommunications,
  9194. Trade and Consumer Protection, House Commerce
  9195. Committee, September 4, 1997
  9196. (http://www.justice.gov/criminal/cybercrime/daag9_97.htm).
  9197. 5 But the feds lost the crypto wars: For a detailed
  9198. history, see Steven Levy, Crypto: How the Code
  9199. Rebels Beat the Government—Saving Privacy in
  9200. the Digital Age (New York: Penguin Books, 2002).
  9201.  
  9202. Chapter 31: The Trial
  9203. 1 “So, you take my girls out to party now?”: Interview
  9204. with Giannone.
  9205. 2 Once a jury is seated, a defendant’s chances for
  9206. acquittal are about one in ten: Fiscal year 2006.
  9207. Calculated from “Federal Justice Statistics, 2006—
  9208. Statistical Tables,” U.S. Department of Justice,
  9209. Bureau of Justice Statistics, May 1, 2009
  9210. (http://bjs.ojp.usdoj.gov/index.cfm?
  9211. ty=pbdetail&iid=980).
  9212. 3 “I suspect that you are never going to look at the
  9213. Internet exactly the same way again”: Trial
  9214. transcript in U.S. v. Jonathan Giannone, 3:06-cr-
  9215. 01011, U.S. District Court for the District of South
  9216. Carolina. Some grammatical changes were made
  9217. for readability.
  9218. 4 “Who’s Iceman?”: Interview with Giannone.
  9219.  
  9220. Chapter 32: The Mall
  9221. 1 his new partner, twenty-three-year-old Guy Shitrit:
  9222. Information about Shitrit’s trouble in Miami comes
  9223. from Aragon. Detective Robert Watts of the Newport
  9224. Beach Police Department confirmed he’d heard the
  9225. same account. Shitrit, now in custody, did not
  9226. respond to a letter from the author.
  9227. 2 His wife, Clara, had brought in $780,000 on eBay
  9228. in a little over three years: Based on sales figures
  9229. from Clara Aragon’s eBay account obtained by the
  9230. Newport Beach Police Department. Aragon
  9231. declined to discuss his profits.
  9232. 3 Max, he felt, was ignoring the Whiz List, their
  9233. blueprint for building one big score and getting out:
  9234. Interview with Aragon. When police searched
  9235. Aragon’s cell phone, they found this entry on his
  9236. electronic to-do list: “tackle whiz list.”
  9237. 4 in meticulous, hand-drawn spreadsheets
  9238. summing up how much Chris owed her for each instore
  9239. appearance: One such spreadsheet was
  9240. seized by the Newport Beach Police Department
  9241. and seen by the author.
  9242. 5 Vigo was looking for a way to pay down a $100,000
  9243. debt to the Mexican Mafia: This according to Vigo’s
  9244. statements to the police following his arrest. The
  9245. Newport Beach Police Department found a copy of
  9246. the shipping manifest in Vigo’s office.
  9247. 6 Bloomingdale’s security people didn’t like to upset
  9248. the store’s customers: Interview with Detective
  9249. Robert Watts.
  9250. 7 thirty-one Coach bags, twelve new Canon
  9251. PowerShot digital cameras: Per the search warrant
  9252. seizure records.
  9253.  
  9254. Chapter 33: Exit Strategy
  9255. 1 Max decided to invest in a rope ladder: Interview
  9256. with Max.
  9257. 2 Max finally learned about Giannone’s bust from a
  9258. news article: Kim Zetter, “Secret Service Operative
  9259. Moonlights as Identity Thief,” Wired.com. June 6,
  9260. 2007
  9261. (http://www.wired.com/politics/law/news/2007/06/secret_service).
  9262. 3 He was growing jumpier every day: Based on an
  9263. interview with Charity Majors. Max says he was alert
  9264. but not jumpy.
  9265. 4 a judge approved his legal name change from
  9266. Max Butler to Max Ray Vision: In Re: Max Ray
  9267. Butler, CNC-07-543988, County of San Francisco,
  9268. Superior Court of California.
  9269. 5 Silo had hidden a second message: Interview with
  9270. Max. Lloyd Liske would neither confirm nor deny this
  9271. account.
  9272. 6 The company openly marketed the service as a
  9273. way to circumvent FBI surveillance: “In some
  9274. countries, government sponsored projects have
  9275. been set up to collect massive amounts of data from
  9276. the Internet, including emails, and store them away
  9277. for future analysis. […] One example of such a
  9278. program was the FBI’s Carnivore project. By using
  9279. Hushmail, you can be assured that your data will be
  9280. protected from that kind of broad government
  9281. surveillance.”
  9282. http://www.hushmail.com/about/technology/security/.
  9283. 7 forced Hushmail officials to sabotage their own
  9284. system and compromise specific surveillance
  9285. targets’ decryption keys: Ryan Singel, “Encrypted EMail
  9286. Company Hushmail Spills to Feds,” Wired.com.
  9287. November 7, 2007. Detective Mark Fenton of the
  9288. Vancouver Police Department said he provided
  9289. Max’s Hushmail e-mail to the Secret Service.
  9290. 8 It was supposed to be a training run for one of
  9291. Chris’s new recruits: Interviews with Tsengeltsetseg
  9292. Tsetsendelger and Chris Aragon.
  9293. 9 a female Secret Service agent disguised as a
  9294. maid: The Secret Service’s surveillance, including
  9295. the ride up the elevator with Max, was described in
  9296. an affidavit in U. S. v. Max Ray Butler, 2:07-cr-
  9297. 00332, U.S. District Court for the Western District of
  9298. Pennsylvania. Max said in an interview that the
  9299. agent was dressed as a maid. FBI agent Mularski
  9300. says the surveillance was on and off for months.
  9301. 10 Chris picked out Max’s mugshot from the photos:
  9302. U.S. v. Max Ray Butler, 2:07-cr-00332, U.S. District
  9303. Court for the Western District of Pennsylvania.
  9304. Aragon says the government tricked him by telling
  9305. him Max had already been arrested, but he also
  9306. gave them information on Max’s security measures,
  9307. which undermines that claim. Court records for
  9308. Aragon’s criminal case in Orange County indicate a
  9309. sealed letter from Dembosky is on file. The People
  9310. of the State of California vs. Christopher John
  9311. Aragon, et al., 07HF0992, Superior Court of
  9312. California, County of Orange.
  9313. 11 Two had lost power when an agent tripped over an
  9314. electrical cable: According to Max.
  9315. 12 Max’s head snapped to look at Master Splyntr:
  9316. Interview with Mularski.
  9317. 13 “You were right”: Interview with Charity Majors.
  9318. 14 “Why do you hate us?”: Interview with Max.
  9319.  
  9320. Chapter 34: DarkMarket
  9321. 1 he told a harrowing story: “Son bilgiyi verecekken
  9322. yok oldu!” Haber 71, August 12, 2008
  9323. (http://www.haber7.com/haber/20080812/Sonbilgiyi-
verecekken-yok-oldu.php).

2 fingering a known member of Cha0’s organization as the shipper: Mularski described the genesis of the investigation. The role played by the shipping companies was detailed by Uri Rivner of RSA in a blog post (http://www.rsa.com/blog/blog_entry.aspx?id=1451). The Turkish National Police referred inquiries to their embassy in Washington, DC, which declined to make detectives available for interviews.

3 a tall, beefy man with close-cropped hair and a black T-shirt emblazoned with the Grim Reaper: Per police video of the arrest and search. Also see “Enselenen Chao sanal semayi anlatti,” Haber 7, September 12, 2008 (http://www.haber7.com/haber/20080912/Enselenen-Chao-sanal-semayi-anlatti.php).

4 matching his appearances at the Java Bean with JiLsi’s posts: Interview with Mularski. Also see Caroline Davies, “Welcome to DarkMarket—global one-stop shop for cybercrime and banking fraud,” Guardian, January 4, 2010 (http://www.guardian.co.uk/technology/2010/jan/14/darkmarketonline-fraud-trial-wembley).

5 JiLsi’s associate, sixty-seven-year-old John “Devilman” McHugh: Ibid.

6 Erkan “Seagate” Findikoglu: Interview with Mularski. Also see Fusun S. Nebil, “FBI Siber Suçlarla, ABD Içinde ve Disinda Isbirlikleri ile Mücadele,” Turk.internet.com, June 15, 2010 (http://www.turk.internet.com/portal/yazigoster.php?yaziid=28171).

7 Twenty-seven members of Seagate’s organization were charged in Turkey: Interview with Mularski.

8 a reporter for Südwestrundfunk, Southwest Germany public radio: The reporter was Kai Laufen. See http://www.swr.de/swr2/programm/sendungen/wissen/-/id=660374/nid=660374/did=3904422/p6601i/index.html.

9 The U.S. press picked up the story: The author was the first to identify J. Keith Mularski by name as the FBI agent posing as Master Splyntr, in “Cybercrime Supersite ‘DarkMarket’ Was FBI Sting, Documents Confirm,” Wired.com, October 13, 2008 (http://www.wired.com/threatlevel/2008/10/darkmarketpost/).

Chapter 35: Sentencing

1 It had taken the CERT investigators only two weeks to find the encryption key: Max well knew that the key was vulnerable while in RAM, but he believed the software security on his server would prevent anyone from gaining access to its memory. CERT’s Matt Geiger, who led the forensics team, declined to comment on how he bypassed that security, but he said he was able to run memory-acquisition software on Max’s computer.

2 Max had stolen 1.1 million of the cards from point-of-sale systems: Max didn’t challenge this amount for sentencing, but in interviews he expressed disbelief that the number could be that high.

Chapter 36: Aftermath

1 An undercover Secret Service operative lured him to a nightclub: “2010 Data Breach Investigations Report,” Verizon RISK Team in cooperation with the United States Secret Service, July 28, 2010.

2 ICQ user 201679996: Affidavit In Support of Arrest Warrant, May 8, 2007, U.S. v. Albert Gonzalez, 2:08-mj-00444, U.S. District Court for the Eastern District of New York.

3 it was Jonathan James who would pay the highest price: See the author’s “Former Teen Hacker’s Suicide Linked to TJX Probe,” Wired.com, July 9, 2009 (http://www.wired.com/threatlevel/2009/07/hacker/).

4 They recruit ordinary consumers as unwitting money launderers: For more detail on these so-called “money mule” scams, see the blog of former Washingtonpost.com reporter Brian Krebs, who has covered the crime extensively: http://krebsonsecurity.com/.

5 the Secret Service had been paying Gonzalez an annual salary of $75,000 a year: First reported in Kim Zetter, “Secret Service Paid TJX Hacker $75,000 a Year,” Wired.com, March 22, 2010.

6 filed by the attorneys general of 41 states: Sources include Dan Kaplan, “TJX settles over breach with 41 states for $9.75 million,” SC Magazine, June 23, 2009 (http://www.scmagazineus.com/tjx-settlesover-breach-with-41-states-for-975-million/article/138930/).

7 another $40 million to Visa-issuing banks: Mark Jewell, “TJX to pay up to $40.9 million in settlement with Visa over data breach,” Associated Press, November 30, 2007.

8 Heartland had been certified PCI compliant: Sources include Ellen Messmer, “Heartland breach raises questions about PCI standard’s effectiveness,” Network World, January 22, 2009 (http://www.networkworld.com/news/2009/012209-heartland-breach.html).

9 Hannaford Brothers won the security certification even as hackers were in its systems: Sources include Andrew Conry-Murray, “Supermarket Breach Calls PCI Compliance into Question,” InformationWeek, March 22, 2008.

10 The restaurants filed a class-action lawsuit: http://www.prlog.org/10425165-secret-serviceinvestigation-lawsuit-cast-shadow-over-radiantsystems-and-distributo.html. Also, “Radiant Systems and Computer World responsible for breach affecting restaurants—lawsuit,” Databreaches.net, November 24, 2010 (http://www.databreaches.net/?p=8408) and Kim Zetter, “Restaurants Sue Vendor for Unsecured Card Processor,” Wired.com, November 30, 2009 (http://www.wired.com/threatlevel/2009/11/pos).

11 White hats have devised attacks against chip-and-PIN: See Steven J. Murdoch, Saar Drimer, Ross Anderson, and Mike Bond, “Chip and PIN Is Broken,” University of Cambridge Computer Laboratory, Cambridge, UK. Presented at the 2010 IEEE Symposium on Security and Privacy, May 2010 (http://www.cl.cam.ac.uk/research/security/banking/nopin/). The response by the UK Card Association is at http://www.theukcardsassociation.org.uk/view_point_and_publications/what_we_think/-/page/906/.

12 hundreds of thousands of point-of-sale terminals with new gear: The cards themselves are more expensive as well. For a more thorough discussion of the issues holding back chip-and-PIN’s adoption in the United States, see Clases Bell, “Are chip and PIN credit cards coming?” Bankrate.com, February 18, 2010 (http://www.foxbusiness.com/story/personalfinance/financial-planning/chip-pin-creditcardscoming/). See also Allie Johnson, “U.S. credit cards becoming outdated, less usable abroad,” Creditcards.com (http://www.creditcards.com/creditcard-news/outdated-smart-card-chip-pin-1273.php).

Epilogue

1 His mother suggested he get an agent: A letter to the author from Aragon.

ACKNOWLEDGMENTS

I first encountered Max Vision some ten years ago, when I was a newbie reporter for the computer security site SecurityFocus.com. Max was then facing charges over his scripted attack on thousands of Pentagon systems, and I was fascinated by the story playing out in the Silicon Valley courtroom, where the federal justice system was bearing down on a once-respected computer security expert who’d upended his life with a single, quixotic hack.

Years later, after I’d reported on hundreds of computer crimes, vulnerabilities, and software glitches, Max was arrested again, and a new federal indictment exposed the secret life he’d led after his fall from grace. As I investigated, I grew certain that Max, more than anyone else, embodied the sea change I’d witnessed in the world of hacking, and would be the perfect lens through which to explore the modern computer underground.

Fortunately, others agreed. I owe a debt of thanks to my agent, David Fugate, who guided me through the process of developing my idea into a book proposal, and my editor at Crown, Julian Pavia, who worked tirelessly to keep me on course and only slightly behind schedule throughout a year of reporting, writing, and rewriting.

Also crucial was the enormous support from my boss, Evan Hansen, editor in chief at Wired.com. And I’m grateful to my colleagues at Wired.com’s Threat Level blog, Kim Zetter, Ryan Singel, and David Kravets, who collectively shouldered the burden of my absence for two months while I finished the book and then braved the burden of my irritable, bleary-eyed return afterward.

My thanks also to Joel Deane and Todd Lapin, who showed me the ropes when I became a journalist in 1998, and Al Huger and Dean Turner of SecurityFocus.com.
Jason Tanz at Wired magazine did an amazing job with my feature article on Max, “Catch Me If You Can,” in the January 2009 issue.

Among my guides in this book were the cops, feds, hackers, and carders who spoke with me at length, with no benefit to themselves. FBI Supervisory Special Agent J. Keith Mularski was particularly generous with his time, and Max Vision spent many hours on the prison phone and writing long e-mails and letters to share his story with me.

My thanks to U.S. Postal Inspector Greg Crabb, Detective Bob Watts of the Newport Beach Police Department, former FBI agent E. J. Hilbert, and Assistant U.S. Attorney Luke Dembosky, the latter of whom wouldn’t tell me much, but was always nice about it. And I’m grateful to Lord Cyric, Lloyd Liske, Th3C0rrupted0ne, Chris Aragon, Jonathan Giannone, Tsengeltsetseg Tsetsendelger, Werner Janer, Cesar Carranza, and other veterans of the carder scene who asked to remain unnamed.

The story of Max Vision would have listed heavily to his criminal side were it not for Tim Spencer and Marty Roesch, who shared their experience of Max as white-hat hacker, and Kimi Mack, who spoke candidly about her marriage to Max. My thanks also to security wunderkind Marc Maiffret, who helped isolate some of Max’s exploits.

The underworld that Kingpin delves into has been illuminated by a number of first-rate journalists, including Bob Sullivan, Brian Krebs, Joseph Menn, Byron Acohido, Jon Swartz, and my Wired colleague Kim Zetter.

Finally, my thanks to my wife, Lauren Gelman, without whose loving support and sacrifice this book would not have been possible, and to Sadelle and Asher, who will find their computer use closely supervised until they’re eighteen.

ABOUT THE AUTHOR

KEVIN POULSEN is a senior editor at Wired.com and a contributor to Wired magazine. He oversees cybercrime, privacy, and political coverage for Wired.com and edits the award-winning Threat Level blog (wired.com/threatlevel), which he founded in 2005. He’s broken numerous national stories, including the FBI’s use of spyware in criminal and national security investigations; a hacker’s penetration of a Secret Service agent’s confidential files; and the secret arrest of an Army intelligence officer accused of leaking documents to whistle-blowing website WikiLeaks. In 2009 he was inducted into MIN’s Digital Hall of Fame for online journalism and in 2010 was voted one of the “Top Cyber Security Journalists” by his peers.