by Misha Glenny
It is almost a relief when I meet Corey Louie, Google’s Trust and Safety Manager, because people involved in security have a no-nonsense air and a penchant for secrecy, regardless of who they are working for. His demeanour is a welcome contrast to Google’s vibe of Buddhist oneness. A smart Asian American in his thirties, with a brisk but warm manner, Louie cut his cyber teeth not among the lotus eaters in Silicon Valley, but in the much more abrasive and masculine world of the United States Secret Service. He had been recruited to Google two and a half years before my visit, in late 2006. And by the time he left law enforcement Corey Louie was in charge of the Secret Service’s E-Crimes Unit. There was little he did not know about attacks on networks (so-called intrusion or penetration), credit-card fraud, the pervasive Distributed Denial of Service or DDoS attacks (capable of disabling websites and networks) and the malware that soon after the millennium began multiplying like rats in a sewer. And he knew a great deal about carding, the daily bread of cybercrime. This is the practice of buying or selling stolen or hacked credit-card details, hundreds of thousands of which are exchanged around the world before being used to buy goods or withdraw cash from ATMs.
How could Google resist a strategic asset like Corey Louie? Well, they couldn’t. And how could Louie resist a strategic career move to Google – the balmy weather of the United States’ southern Pacific rim versus DC’s humidity, the winter freeze and just one week of cherry blossom; the West Coast’s casual dress code or the stiff collars of the Beltway; the money and the sense that you were involved in a dynamic project or US government service? Hardly a fair fight, really.
As you drive down Freeway 101 from San Francisco, Google is not the only cyber icon that you pass – Sun Microsystems, Yahoo! and McAfee are among the many famous names whose headquarters drift past the window as you head south. The more companies you visit to discuss security, the more ex-government agents you meet from the FBI, the US SS, the CIA, the Drug Enforcement Administration (DEA) and the US Postal Inspection Service. An entire phalanx of erstwhile spooks and undercover cops have migrated from the clinical surroundings of DC to live the good life in Silicon Valley, attracted by the same gorgeous conditions that lured the movies to Hollywood.
This flow from state agencies into the private sector results in a distinct disadvantage for the government. The Treasury ploughs money into educating cyber investigators who, with a few years’ experience under their belt, then leave for more pleasant climes. Yet the investment is not entirely dead because this has led to the consolidation of powerful links between the public and private sectors. Google is not just a private corporation; it is a strategic national asset, in the eyes of the White House. The message from DC is quite clear – attack Google and you are attacking the US. Within that context, the ability of somebody like Corey Louie to pick up the phone and chat to his old pals at the Secret Service, alerting them, say, to a major attack on gmail, makes the critical cooperation between public and private sector in Internet security a lot easier.
I don’t know, but I’ll wager Corey’s standard of living has improved since he headed out west, but then he has to work extremely hard for it. Google is among the two largest depositories of data in the world – the other being Facebook. This is what makes them lucrative businesses (advertisers are happy to pay for the secrets about personal habits that this data reveals) and it is what makes them the holy grail for hackers working on behalf of themselves, of the underground, of industry and of rival states.
Towards the end of my conversation with Corey, he told me about a friend, a cop, who had invested much time in developing friendships with hackers. He had been so successful that he had taken over the administration of a vast criminal website. ‘He’ll probably be happy to talk to you,’ he said. ‘He ran a site called DarkMarket.’ It was the first time I had ever heard either of the website or the name of the FBI Special Agent Keith J. Mularski. It was the beginning of a strange journey.
I set out to meet and interview as many of the central characters in DarkMarket’s history as I could, spread out in a dozen countries: thieves, cops, double agents, lawyers, hackers, crackers and more prosaic criminals. I also consulted a large volume of court documents relating to DarkMarket and those involved in it. Former and current cyber criminals and police officers supplied me with additional documents and information. I was never able to access a full archive of the website itself, but managed to forage for significant chunks of it. Agent Mularski, with an almost full archive of DarkMarket, is the only person involved that I met who had complete documentary oversight.
Beyond the elusive archive, some of the documentary evidence – while helpful – was inaccurate; this especially relates to material that prosecutors presented at many of the trials. In my assessment, these inaccuracies were not the result of carelessness or vindictiveness, nor were they intentional. Rather they reflected the highly technical and often confusing nature of the evidence in cyber-related trials. Judges and attorneys were struggling to come to terms with this peculiar culture as anyone else does, when confronted with malfeasance on the Web for the first time.
So the core of the story lies in the personalities involved and their actions. This testimony is of course largely based on their personal memories stretching back over a decade. Beneath the well-established fallibility of recall, all players involved were pursuing their own agendas, seeking to highlight some parts of their DarkMarket activity and conceal others. In this they were assisted by the duplicitous nature of communication over the Internet, by a culture in which there are few sanctions against lying and dissembling.
My attempts to assess when an interviewee was lying, embellishing or fantasising and when an interviewee was earnestly telling the truth were only partially successful. Everybody I interviewed was brimming with intelligence, even if some lacked the firm hand on the moral rudder necessary to negotiate the troubled waters of cyber criminality. But as I delved deeper and deeper into DarkMarket’s weird world, I realised that the different versions of the same stories at the heart of the website’s history were contradictory and unreconcilable. It has been impossible to establish fully what was really going on between the players, and with whom they were ultimately working.
The Internet has generated unfathomable stores of data and information, a large percentage of which is valueless, a large percentage of which remains uninterpreted, and a small percentage of which is dangerous in its falsity. Our growing dependence on networked systems and the interconnectedness that sees highly specialised groups like hackers and intelligence agents migrate between crime, industrial espionage and cyber warfare means that documenting and trying to understand the history of phenomena like DarkMarket has become a vital intellectual and social exercise, even if the evidence is partial, tendentious and scattered both in the virtual and the real world.
BOOK ONE
Part I
1
AN INSPECTOR CALLS
Yorkshire, England, March 2008
The Reverend Andrew Arun John was in a minor state of shock one morning in early March 2008. Hard to blame him. Not only had he just survived the long journey from Delhi in cattle class, but it was two weeks before the opening of Heathrow’s new Terminal 5, and the world’s busiest international airport was exploring new standards in passenger misery. His flight had left India around three o’clock in the morning and, after negotiating passport control and the baggage mayhem, he still had to face a four-hour drive north to Yorkshire.
Switching on his mobile phone, Reverend John saw he had an inordinate number of missed calls from his wife. And before he’d had time to call back to ask her what the fuss was about, she was ringing again. She told him that the police had telephoned several times and were desperate to get in touch with him.
Taken aback and confused, the Reverend replied sharply to his wife, saying that she was talking nonsense – though he regretted his tone almost immediately.
His wife, happily, chose to ignore his grumpiness. Clearly
and calmly, she explained that the police had wanted to alert him to the fact that somebody had broken into his bank account, that this was a matter of urgency and that he should ring the number she had for the officer in charge as soon as possible.
His wife’s call unsettled the Reverend still further and his weary brain went into overdrive. ‘Who has broken into my account?’ he wondered. ‘What account? My Barclays here?’ he speculated. ‘My Standard Bank account in South Africa? Or my ICICI one in India? Or maybe all three?’ Even more puzzling: what did she actually mean? ‘How have they broken into my account?’
Coming so soon after his exhausting flight, the whole affair made the Reverend anxious and edgy. ‘I’ll deal with this later when I get to Bradford and after I’ve rested,’ he muttered to himself.
Bradford is 200 miles north of Heathrow Airport. Sixty miles due east of the city lies Scunthorpe, where Detective Sergeant Chris Dawson’s small team was nervously awaiting the Reverend John’s phone call. The officer began to feel he was sinking in the quicksand of a case that he suspected was very big, and which presented him with one seemingly insuperable problem – he couldn’t get his head round it. The evidence gathered so far included hundreds of thousands of computer files, some of which were large enough to hold the complete works of Shakespeare 350 times over. Inside these documents lay a planetary library of numbers and messages in a language that was effectively indecipherable to all but a tiny elite around the world who are trained in the arcane terminology of cybercrime.
DS Dawson may have known nothing about that novel and particularly rarefied branch of criminal investigation, but he was a first-class homicide officer with many years of service behind him. He could detect among the endless lists and number strings an agglomeration of sensitive data, which should not be in the possession of a single individual.
Yet as police officers in many parts of the world were discovering in the first decade of the twenty-first century, it was one thing to stumble across an information trove like this. It was quite another attempting to link it to a specific crime.
If DS Dawson were to persuade a magistrate in the sleepy town of Scunthorpe on the Humber estuary to place his suspect on remand, then he needed to show crystal-clear evidence of a specific crime. Furthermore, there was always a fair chance that he would be presenting said evidence to a doddery old circuit judge who might have difficulty using a TV remote, let alone accessing email. Convincing wasn’t sufficient – the case had to be watertight and simple enough for anyone to understand.
Time was dribbling away. The suspect could only be held for three days and two of those had already passed. Among the files, figures, weblogs, chatlogs and who-knows-what-else, Dawson had only one tiny scrap of evidence.
He stared at the fifty words on a sheet of A4. These included an account number, 75377983; the date the account was opened, 24/02/2006, along with the account balance, £4,022.81. But there was also a name on it: Mr A A John; an email address: [email protected]; a physical address: 63 St Paul’s Road, Manningham, Bradford; a corporate sign-on ID and, crucially, a corporate sign-on password: 252931.
If he could just confirm the account holder’s identity, and if that man were to state that he had never knowingly divulged his password, then Dawson would probably be able to persuade the judge to send the accused for trial and refuse bail. And that might just buy enough time for the Detective Sergeant to comprehend exactly what he was dealing with.
When Dawson had tried to contact Mr A.A. John he had learned that he was a minister of the Church of England who was taking a group of underprivileged children on holiday around India. He was also told that he would not be contactable until his return from Delhi. The Reverend was scheduled to arrive a few hours before the suspect had to be released. If he failed to come through, then the quicksand of this case would swallow up the ocean of data upon which Dawson had stumbled. Along with the data, the suspect would doubtless fade back into the anonymity of his virtual alter ego.
It was Dawson’s misfortune that the Reverend John was sufficiently unsettled by the telephone conversation with his wife that he resolved to deal with the matter only once he had arrived in his parish, Manningham. Indeed, he had turned off his mobile phone and concentrated instead on his long drive from the airport.
So why was he so upset?
Short and compact, the Reverend John was by temperament a jovial man. Born on the edge of the Thar Desert in Rajasthan, his slightly hexagonal face was usually all sunshine, radiating from behind his professorial glasses. He was born into the minority-faith community of India’s Christians and joined the priesthood to work for the Anglican Church of India in Delhi for fifteen years.
But in 1996 he was approached by the Church of the Province of South Africa to take charge of a parish in the Indian township of Lenasia, three miles south of Soweto, during the transition from apartheid to multi-party rule.
It was a challenging move for anybody, as these were testing times for his new home. The joy that greeted the end of the racist regime was tempered by the knowledge of how deep the resentments ran that had accumulated over the previous 200 years. Outsiders like the Reverend John required sophisticated political and social skills to understand the meaning of those tensions and how he might help to reduce them.
His successful work in South Africa was noticed further up the Anglican Church’s hierarchy and, after eight years, the Bishop of Bradford in the English county of West Yorkshire urged him to consider an equally challenging post in Manningham, a residential district on the edge of Bradford city centre. The Reverend John was reluctant – England had always struck him as a rather gloomy place, with its miserable weather and urban sprawl.
Equally, he knew that Manningham was no bed of roses. Many Britons regarded Bradford, and Manningham in particular, as a symbol of their country’s failing attempts to integrate its many ethnic and confessional groups. More malignant types saw in Manningham an opportunity to ratchet up the mistrust between those communities.
In July 2001 this district exploded into brief but violent riots that reflected a deepening division between the city’s large Asian constituency and its white population. Even earlier, Manningham had experienced the phenomenon of white flight and, by the time the Reverend John arrived, three years after the riots, 75 per cent of the population were Muslims whose origins lay largely in the rural districts of north-eastern Pakistan. ‘The remaining twenty-five per cent are Christians, although only about five per cent of those are church-going. The white community here looks and feels like the minority it is,’ said the Reverend John. Although its climate, architecture and culture bore no resemblance to the townships of Jo’burg, in other ways Manningham felt uncannily like South Africa.
This was a hardship posting. When the clouds gathered or the snow fell, there was little that appealed in streets lined by sombre neo-Gothic buildings. Yet a little more than a century ago Manningham had been a most desirable area in which to live. This was during the period, now forgotten to the outside world, when Bradford was hailed as ‘the wool capital of the world’, acting as a mighty engine of Britain’s Industrial Revolution.
By the beginning of the twenty-first century, however, Manningham had been in a state of decay for many years. Employment and prosperity, once flourishing, had moved away long before. Drug abuse, domestic violence, property crime and prostitution had taken their place. The Reverend John cared for more people in his drop-in centre, all trying to escape the traps of poverty and criminality, than attended his church on Sundays.
With the ever-present threat that latent violence could break through the surface, the Reverend John’s work was on the front line of Britain’s class, cultural and social wars. Not easily scared, he maintained a readiness to chuckle in most circumstances. Given the challenges of his daily work, he wondered why the news of his compromised bank account unsettled him to such a degree. Above all, he wanted to talk to his sons, who understood about computer things. And then he decided that
he needed to talk to the police quickly, to find out exactly what was going on. ‘Above all,’ he resolved, ‘I want this thing to be sorted out and put to bed as soon as possible.’
The Reverend’s nervous reaction is not uncommon. The psychological response on learning that one has become a victim of cybercrime is similar to that experienced on being burgled. Even though the act is confined to cyberspace, a world of accumulated tiny electronic impulses, it still feels like a physical violation. For if one’s bank account has been hacked into, what else might the thieves have discovered in the privacy of your computer?
Have they, perhaps, stolen your passport details, which some criminal or intelligence agent is now using as a fake travel document? Could they even, as you read this, be examining your emails, with confidential information about a colleague or employee? Might they have stumbled across some dangerously flirtatious emails or other indiscretion that you wrote or received? Is there any part of your life they could not explore, with access to your computer?
Now quite determined, the Reverend John called the police officer in the neighbouring county of Lincolnshire as soon as he arrived at the pleasant little cottage next to the imposing spire of his church in Manningham.
That this case should fall into the lap of Chris Dawson, a Scunthorpe-based policeman in early middle age, was especially unusual. Most cases of cybercrime in Britain are picked up by specialist units allied to three forces – the Metropolitan Police, the City of London Police and the Serious Organised Crime Agency (SOCA), also based in the capital. Untrained officers would mostly miss such cases because of their esoteric nature. But Dawson was unusual: he was an instinctive copper with a sharp eye. He also possessed a quiet charm, but was frank in a typical northern English fashion that contributed to his methodical and precise approach to policing. This attention to detail would serve him well in the coming months.