The underground market of carders. Translation of Kingpin. Chapter 16. “Operation Firewall”

    Kevin Poulsen, an editor at WIRED magazine who was the blackhat hacker Dark Dante as a child, wrote a book about “one of his acquaintances.”

    The book traces the path from a teenage geek (and a bodybuilder at the same time) to a seasoned cyber kingpin, and describes some of the methods the security services use to catch hackers and carders.

    The quest to translate the book began in the summer at an IT camp for high school students (“Shkvoren: schoolchildren translate a book about hackers”); later, Habr users and even a few editors joined in the translation.

    The “book translation quest” got its second wind thanks to Edison: I gave them a draft, and they shared their experience of building a VPN network for anonymous clients.

    Someone contacted them through an anonymous ICQ account and wrote in a distorted way, as if through a translator. He gave the technical specification in English and paid in WebMoney. He said that even if they kept track of him, he would take care of everything. Two programmers worked on the task for a month and delivered on time; there were no complaints. (There are a few details that could be described in a separate article, if anyone is interested.)

    Chapter 16. Operation Firewall

    (Thanks to Habr user Find_The_Truth for the translation.)

    Something strange happened with ShadowCrew.

    Max tried to keep a low profile on one of the most criminal sites on the entire Internet. For him, ShadowCrew was just a platform where he could hack a couple of carders. However, in May 2004, a site administrator made an announcement that caught Max's attention. The admin, Cumbajohnny, had introduced a new VPN service for site members only.

    A VPN, or virtual private network, provides remote access to one network over another: for example, an employee reaching the company's office network from home. The main selling point of a VPN service, however, was that it encrypted the data passing over those networks. For the underground, it was an ideal way to shield transactions from curious providers or law enforcement agencies, since any attempt to trace criminal activity would end where it began.

    Cumbajohnny was the latest addition to the leadership: the former moderator had risen quickly through the site's hierarchy and had begun to influence the mood of the forum. Other admins even noted an increase in user activity. Banners hung at the top of the site: “Stop talking, make money. Advertise here. Contact Cumbajohnny.” ShadowCrew looked like a sign in Las Vegas: flashing banners promising an eternal party, women and tons of money.

    Gollumfun, a well-known founder, publicly announced his retirement from ShadowCrew just as another founder, BlackOps, was also about to leave. He wrote: “Being a wonderful site, ShadowCrew fell humiliatingly surrounded by children who do not value knowledge, skills and communication with other members of the site in a positive way. Those thoughtful tutorials have disappeared, respected users have disappeared, civilization has disappeared. We will no longer help newcomers to search for their calling, from now on we will dishonor them until they leave the site, until we understand that there are no new users and there will not be any. BlackOps, you will be missed. Thank you for your contribution.” Cumbajohnny answered very briefly: “ShadowCrew is changing. It's for the best.”

    Max was not particularly interested in the site's shifting politics, but the appearance of the VPN puzzled him. It turned out that Cumbajohnny had been selling access to his personal VPN to ShadowCrew's top members for three months. Now, Cumbajohnny wrote, any ShadowCrew member in good standing could buy peace of mind for $30-50 a month.

    However, VPNs have one well-known weak point: everything sent through the network passes through a central point, where it is unencrypted and vulnerable. As one of the forum participants noted: “If the FBI or someone who really needs to get the data gets into the data center and changes some settings of the VPN server, then the users of this server will have a hard time.” “But it's just paranoia,” he admitted.

    Cumbajohnny hastened to reassure him: “No one can poke around a VPN without my knowledge.”

    Max was not convinced by these messages. As a white hat, he had once written a program for the Honeynet Project called Privmsg. It was a Perl script that took the output of a packet sniffer and reconstructed IRC chats from it. When an attacker broke into one of the honeypots, he would try to keep in touch with other hackers. With Max's Privmsg program, specialists could read all of that correspondence. This was a major breakthrough in the fight against hackers: it turned passive honeypots into powerful traps and shed light on the motives and culture of the underground.

    Now Max saw the same potential for interception in Cumbajohnny's offer. There were other reasons to suspect Cumbajohnny. While hacking into random carders, Max had once seen a message sent to the ShadowCrew administrator that looked like instructions to an informant from a federal agency. Something told Max that the changes at ShadowCrew had turned the site into a new honeypot. After discussing his guesses with Chris, Max posted several messages on the forum expressing his suspicions. The messages disappeared immediately. Max's suspicions were confirmed.

    The NYPD had caught Albert “Cumbajohnny” Gonzalez nine months earlier, while he was withdrawing money from an ATM on the Upper West Side. Originally from Miami, Gonzalez was the 21-year-old son of two Cuban immigrants. He had long been involved in hacking and had attended Def Con in Vegas in 2001. Talking to Gonzalez in custody, the Secret Service quickly realized how useful Cumbajohnny could be. Albert lived in a garden apartment in Kearny for $700 a month, had $12,000 in debt, and was officially unemployed. But as Cumbajohnny, he was a confidant and colleague of carders around the world and, most importantly, a moderator at ShadowCrew. He was in the belly of the beast and, properly prepared, could deliver a crushing blow to the forum.

    On its own responsibility, the Secret Service released Gonzalez and began to use him as an informant. The VPN was the agency's master stroke. The equipment was bought and paid for by the feds, who also obtained warrants to intercept the data of all users of the site. Cumbajohnny simply invited the carders into this panopticon.

    ShadowCrew's major players immediately came under Secret Service surveillance. The leaky VPN exposed the entire carding process, which until then had remained in the shadows: the tough negotiations conducted over e-mail and instant messengers.

    Deals were made every day and every night, with a surge in trading on Sunday evenings. Transactions ranged from small to gigantic. On May 19, agents watched Scarface transfer 115,695 credit cards to another member of the site; in July, APK transferred a fake British passport; in August, Mintfloss sold a fake New York driver's license, a health insurance card, and a New York City University student ID to a person who had requested a full set of documents. A few days later there was another Scarface transaction, this time for only two credit cards; then MALpadre bought nine at once. In September, Dack sold a database of 18 million hacked e-mail addresses, complete with users' names, passwords and birthdays.

    The Secret Service had fifty agents monitoring every transaction on the site and building the basis for an indictment. The worst part, however, was that the majority of ShadowCrew's residents were paying to be tracked by Secret Service agents.

    Soon the agents learned that their seemingly well-planned operation against the hackers had gaps. On July 28, 2004, Gonzalez told his handlers that a carder nicknamed Myth, one of King Arthur's cashers, had somehow obtained one of the agency's secret documents describing Operation Firewall. Myth immediately boasted about it in an IRC room.

    The feds ordered Gonzalez to find the source of the leak as soon as possible. Gonzalez contacted Myth under his nickname and found out that the documents in question were only a drop in the ocean of leaked Secret Service data. Myth also said that a criminal case was underway against ShadowCrew, and even that the agency had its own ICQ account.

    Fortunately for Gonzalez, the documents did not mention the informant. Myth refused to reveal his source to Gonzalez but agreed to arrange a meeting. The next day, Gonzalez, Myth, and a mysterious hacker using the temporary nickname Anonyman met on IRC. Gonzalez did his best to earn Anonyman's trust before the hacker revealed his identity.

    It was Ethics, a vendor whom Cumbajohnny already knew from his work for ShadowCrew. The leak began to take shape. In March, the Secret Service had noticed that Ethics was selling access to the database of a major mobile operator, T-Mobile. He wrote on the forum: “I offer access to customer information by T-Mobile operator number. At a minimum, you will receive the name, social security number, and customer's date of birth. As a maximum, you will receive a login and password to access the Internet, a voice mail password and a secret question / answer.”

    T-Mobile had failed to fix a critical security vulnerability in a server application that it had purchased from BEA Systems of San Jose. The hole, discovered by third-party researchers, was embarrassingly simple to exploit: an undocumented function made it possible to delete or modify files on the system by submitting a special web request. BEA released a patch for the bug in March 2003 and assigned it a high risk rating. In July of the same year, the researchers who had discovered the hole gave a presentation about it at the Black Hat conference in Vegas. The event, held just before Def Con, brought together 1,700 information security professionals and corporate executives and provided a new round of information about T-Mobile's security flaws.

    Ethics learned about the BEA hole, wrote 21 exploits in Visual Basic, and began scanning the Internet for potential victims who had been unable or had forgotten to patch the application. By October 2003, he had compromised T-Mobile. Ethics wrote an application that let him access the customer database at any time.

    To begin with, he used his access to obtain Hollywood stars' data. He managed to steal candid photos of Paris Hilton, Demi Moore, Ashton Kutcher and Nicole Richie from their communicators. Now it was obvious that soon he would become an assistant to the Secret Service.

    A simple Google search on Ethics's ICQ number turned up his real name, listed on a 2001 résumé from when he was looking for work in computer security. He was Nicholas Jacobsen, a 21-year-old Oregonian who had moved to Irvine, California, to work as a system administrator. All the Secret Service needed to indict Jacobsen was the important information on his communicator.

    Here Gonzalez once again showed himself in all his glory. Now on friendly terms with Cumbajohnny, Ethics took an interest in the ShadowCrew leader's VPN service, explaining that a virtual network would let him use the T-Mobile database more securely. Gonzalez happily agreed to help, and his Secret Service bosses watched, rubbing their hands, as Ethics roamed the T-Mobile database using the username and password of agent Peter Cavicchia III, a veteran of the fight against cybercrime who had become famous for arresting an AOL employee who had taken 92 million customer e-mail addresses to sell to spammers.

    The leak had been found. Cavicchia quietly resigned three months later, and Ethics was added to the list of targets for Operation Firewall. There was another threat to the investigation and, oddly enough, it came from one of the FBI's assets.

    David Thomas, a lifelong scammer, discovered the crime forums at the Counterfeit Library and soon became one of the crooks of the criminal community. Now 44, El Mariachi, as he called himself, was one of the most respected members of the carder community, acting as a mentor to young fraudsters and giving advice on everything from identity theft to the life lessons he had learned living on the margins.

    However, his experience did not save him from the hazards of his profession. In October 2002, Thomas turned up at an office park in Issaquah, Washington, where he and his partner had rented a drop for one of the founders of CarderPlanet. They hoped to collect $30,000 worth of goods from Outpost.com that the Ukrainian had ordered. Instead, the local police were waiting for them.

    Arresting Thomas, the detective read him his rights and gave him a form to sign confirming that he understood them. At the mere thought that a local cop was trying to interrogate him, Thomas laughed. “You don't know who you took.” Thomas asked the detective to call the feds. The Secret Service ought to know who El Mariachi was: someone who could give them a case about Russians and “millions of dollars.”

    The Secret Service visited him in the county jail but was not impressed by his $30,000 scheme. Then came an agent from the FBI's local office in Seattle. At the second meeting, the agent brought an assistant US Attorney and a proposal: the feds could not help Thomas with his local arrest, but once he was out of jail he could work for the Northwest cybercrime investigation task force.

    It would be an intelligence-gathering assignment, the official name for an FBI operation without predefined targets. The bureau would give Thomas a new computer, put him up in a luxurious apartment, pay all his expenses and give him $1,000 a month in pocket money. In return, Thomas was to collect information about the underground and report everything to the task force.

    Thomas hated informers, but he liked the idea of being paid to observe and comment on the underground he was obsessed with. Besides, as he saw it, gathering information was not the same as informing. He could use the material he collected to write a book about carding, something he had been thinking about a lot lately.

    He also knew for certain how to collect information about the task force itself.

    Thomas was released from jail five months after his arrest. In April, the FBI gained a new asset in the war on cybercrime: El Mariachi and his brand-new, state-sponsored forum, the Grifters. (WIRED article)

    Living in a bureau-paid apartment in Seattle, Thomas soon gathered a great deal of information about his fellow carders, especially those from Eastern Europe. Although Thomas worked for the FBI, he felt no kinship with other government agencies, and the news of the VPN service led him to the right conclusion: Cumbajohnny was a federal informant.

    Thomas became fixated on exposing his rival. Ignoring the instructions of his FBI handler, he kept calling out Gonzalez by name on the forums. Gonzalez hit back: he found a copy of the police report on Thomas's arrest and sent it to carders in Eastern Europe, drawing attention to the lines where Thomas offered to help catch Russians. The war between the two informants set off a larger war between the FBI and the Secret Service.

    This was an inappropriate time for Western Europeans to complain about the American drama of carders. In May 2004, one of the Ukrainian founders of CarderPlanet was extradited to the United States after being arrested on vacation in Thailand. The following month, the British National Police moved to Leeds, a site for English-speaking administrators.

    Script, who was being handled by the FBI from Orange County and the US Postal Inspection Service, disappeared from the site, leaving King Arthur in charge. On July 28, 2004, the King made a statement.

    He wrote: “It's time to tell you the bad news - the forum should be closed.” “Yes, it really means closing and there are many reasons for this.”

    In broken English, he explained that CarderPlanet had become a magnet for law enforcement from around the world. When carders were caught, the police squeezed them for facts about the forum and its leaders. Under constant pressure, he might slip up. “We are all just human beings and each of us can make mistakes.”

    By closing CarderPlanet, he would deprive his enemies of their fattest prize.

    “Our forum prepared them well, constantly keeping in shape and reporting on all the latest in the underground world. Now everything will be the same. They will not know where the wind is coming from and what to do with it,” said Arthur.

    With this farewell speech, King Arthur, a millionaire ten times over, became a legend among carders. He would be remembered as the man who neatly shut down the great CarderPlanet before anyone else could enjoy destroying it.

    ShadowCrew's leaders were less fortunate. In September, the FBI gave up on its operation with Thomas and gave him a month to leave his apartment and end his war with Cumbajohnny. The following month, on October 26, sixteen Secret Service agents gathered at the Washington command center, ready to launch Operation Firewall. Their targets were marked on a map of the United States that filled the computer screens. The agents knew that each target would be at home: on the Secret Service's orders, Gonzalez had scheduled an online meeting for that evening, and no one said no to Cumbajohnny.

    At nine in the evening, agents armed with semi-automatic MP5s broke into the homes of ShadowCrew members, grabbing the three founders, the hacker Ethics, and sixteen other buyers and sellers. It was the largest raid on thieves in American history. Two days later, a federal jury passed sixty-two convictions, and the Department of Justice went public with information about Operation Firewall.

    “This sentence hit the very heart of the organization, which positioned itself as a universal market for identity thieves,” Attorney General John Ashcroft boasted. “The Department of Justice seeks to catch those who engage in data theft or fraud, whether they are online or not.”

    With Gonzalez's help, the Secret Service locked out the site's remaining 4,000 users and replaced the home page with a Secret Service banner depicting prison bars. The new page carried a new slogan: “You are no longer anonymous!!”

    In a panic, carders around the world turned to the news and to TV for information, worried about their own future and that of their comrades. They gathered on a small forum called the Stealth Division to assess the damage and take in those who remained. “I am scared to death for my family, for my children,” one of the cyber criminals wrote. “I just realized that my every move was tracked.”

    Gradually, the remaining members of the site realized that Cumbajohnny was not on the list of defendants. It was then that he appeared online to make a final statement.

    “I want everyone to know that I'm on the run and I have no idea where the US Secret Service had the opportunity to do what they did. From the news I learned that they got access to the VPN and to ShadowCrew. This is my last post, good luck.”

    Nick Jacobsen, Ethics, was left out of the press release and was held in Los Angeles. After the agency had collected all the accolades for Operation Firewall, Ethics was charged with breaking into Secret Service e-mail. And still it was a clear victory for the government. CarderPlanet was closed, ShadowCrew was closed for good, and their leaders, except Gonzalez, were in prison.

    Carders were stunned, exhausted, and, for now, without a home. “It will take decades for something like ShadowCrew to appear on the Internet. And even if it does, the power of justice will defeat it again. And knowing what kind of retribution will follow this crime, I doubt that anyone will risk starting a new business.”

    Notes
    Chapter 16: Operation Firewall

    1 Banner ads appeared at the top of the site: This and other reporting on
    Shadowcrew's contents comes from a mirror of the public portion of the site captured
    in October 2004, immediately before it was shuttered.

    2 The posts disappeared at once: Interviews with Max. Aragon independently stated
    that he and Max tried to warn Shadowcrew members in advance of the Operation
    Firewall raids.

    3 The transactions ranged from the petty to the gargantuan: Transaction details come
    from the Operation Firewall indictment, US v. Mantovani et al., 2:04-cr-00786, US
    District Court for the District of New Jersey.

    4 the Secret Service had noticed Ethics was selling: Ethics's hacking of the Secret
    Service agent was first reported by the author: “Hacker penetrates T-Mobile
    systems,” Securityfocus.com, January 11, 2005. His use of the BEA Systems exploit
    came from sources close to the case and was first reported by the author: “Known
    Hole Aided T-Mobile Breach,” Wired.com, February 28, 2005
    (http://www.wired.com/politics/security/news/2005/02/66735). Also see US v. Nicolas
    Lee Jacobsen, 2:04-mj-02550, US District Court for the Central District of California.

    5 David Thomas was a lifelong scammer who'd discovered the crime forums: For
    Thomas's history with the forums and the details of his work for the FBI, see Kim
    Zetter, “I Was a Cybercrook for the FBI,” Wired.com, January 20, 2007. A US
    government source confirmed to the author that Thomas had worked for the bureau
    while running his forum, the Grifters.

    6 “You don't know who you have here”: From the police report of Thomas's arrest.
    “The problem with the Bureau and the Secret Service is they look at the largest
    biggest deals they can get in on,” Thomas said in a 2005 interview with the author.
    “They want the big enchilada.”

    7 Their targets were marked on a map of the United States: Brian Grow, “Hacker
    Hunters,” Businessweek, May 30, 2005
    (http://www.businessweek.com/magazine/content/05_22/b3935001_mz001.htm). The
    identification of the Secret Service agents' guns also comes from this story.

    8 Attorney General John Ashcroft boasted in a press release: “Nineteen Individuals
    Indicted in Internet 'Carding' Conspiracy,” October 28, 2004
    (http://www.justice.gov/usao/nj/press/files/pdffiles/fire1028rel.pdf).

    To be continued

    Published translations and publication plan (as of November 16)
    PROLOGUE (GoTo camp students)
    1. The Key (Grisha, Sasha, Katya, Alena, Sonya)
    2. Deadly Weapons (Young programmers of the FSB RF, Aug 23)
    3. The Hungry Programmers (Young programmers of the FSB RF)
    4. The White Hat (Sasha K, ShiawasenaHoshi)
    5. Cyberwar! (ShiawasenaHoshi)
    6. I Miss Crime (Valentine)
    7. Max Vision (Valentine, Aug 14)
    8. Welcome to America (Alexander Ivanov, Aug 16)
    9. Opportunities (jellyprol)
    10. Chris Aragon (Timur Usmanov)
    11. Script's Twenty-Dollar Dumps (George)
    12. Free Amex! (Social Technology Greenhouse)
    13. Villa Siena (Lorian_Grace)
    14. The Raid (George)
    15. UBuyWeRush (Ungswar)
    16. Operation Firewall (George)
    17. Pizza and Plastic (done)
    18. The Briefing (George)
    19. Carders Market (Ungswar)
    20. The Starlight Room (Ungswar)
    21. Master Splyntr (Ungswar)
    22. Enemies (Alexander Ivanov)
    23. Anglerphish (Georges)
    24. Exposure
    25. Hostile Takeover
    26. What's in Your Wallet?
    27. Web War One (Lorian_Grace)
    28. Carder Court
    29. One Plat and Six Classics
    30. Maksik
    31. The Trial
    32. The Mall (Shuflin)
    33. Exit Strategy
    34. DarkMarket (Valera aka Dima)
    35. Sentencing
    36. Aftermath
    EPILOGUE
