by Misha Glenny
Further out from the centre, in the housing estates, drugs became the currency of choice. Penniless youngsters took to shooting up boltushka, a home-made amphetamine mix, leaving them scarred, mentally damaged or dead.
Gunmen and clans from as far away as Chechnya and Moscow battled with local Robin Hoods for control of the city – because although Odessa was theoretically part of a new independent Ukraine, it was entirely Russian-speaking and, even more important, was the only warm-water port able to handle Russia’s gas and oil exports.
Hyperinflation and nationalism destroyed the value of the ruble, the karbovanets, the hryvnia or whatever else the government claimed at any time was ‘real’ money. Only the Yankee dollar provided any real stability.
For most ordinary people, Odessa in the 1990s was about two things: survival and dollars. Nobody cared or disapproved of how you managed the first or acquired the second. In fact, they admired those that achieved either, although sudden wealth was no guarantee of a long life.
In this atmosphere, who could blame thirteen-year-old Dimitry Golubov for selling vehicle registration documents and driver’s licences with the forged signature of the head of the Municipal Transportation Bureau? If businessmen were prepared to pay for this, surely the trade must have a real value?
So far, so Odessa. But young Dimitry had something that placed him in a different world from the traditional city gangland of protection rackets, brothels, oil and caviar. Instead of packing a knife, he could drop down from the streets into smoky dark cellars where computer games like Street Fighter, Pacman and that Russian classic, Tetris, were busily turning teenage brains into mush. In this subterranean culture the only light emanated from soft-coloured neon shapes and flickering PC screens. Cigarettes and Coca-Cola were so ubiquitous it was as though they were the only kosher nutrition tolerated by some ancient Lore of the Geek.
Dimitry liked games as much as anyone, though his preference was for exploring the world from the comfort of Odessa’s Internet cafés. But young Golubov did not only enjoy surfing the sites of distant lands, he wanted to penetrate them and explore their innards.
By the time he was sixteen in 1999, Visa and MasterCard had blocked the use of their cards on the websites registered in the former Soviet Union. When Russian Internet companies submitted invoices to the two credit giants, they were ignored. But Golubov and his fellow pioneers soon worked out that if you could somehow extract the information held on a credit card and reproduce it, then you could use the data to take cash out of ATMs or to buy goods on the Internet and then send them to a third party somewhere else in the world. One option was to copy that information from the physical credit card itself, although at first that involved the laborious and hence wholly unsatisfactory act of conventional robbery. Much better by far, you could simply sniff out the information stored in the gold mines that were company databanks!
And even if some American websites would not deliver to the former Soviet Union, they were happy to send goods to places like the United Arab Emirates or Cyprus, two countries that had rapidly become favoured destinations of the new Russian moneyed elite. This was one of the first truly globalised crimes. Money was stolen by a Russian in Ukraine from an American company and paid out in Dubai – and the whole transaction need last no longer than ten minutes!
The other great breakthrough that moulded the new profession of ‘carding’ was the skimming device. ‘Skimmers’ are machines that read and store the magnetic strip on a credit card. They come in several shapes and sizes. Some are small rectangles that can be affixed to ATMs so that when a customer’s card is read by the bank’s machine, it is also read by the ‘skimmer’. Others are identical to the point-of-sale devices through which a waiter or petrol-station cashier will swipe a card for payment. At both the ATM or the rogue point-of-sale device there may well be a tiny camera hidden somewhere that is secretly recording the customer inputting their PIN (note to self: always cover the keypad when tapping in your PIN).
The machines are only referred to as ‘skimmers’ if they are being used for nefarious purposes, otherwise they are identical in function to those commercially available. Some ‘skimmers’ are commercially produced and then acquired by criminals, others are home-made. The ‘skimmer’ was the carding equivalent of James Watt’s steam engine at the outset of the Industrial Revolution. Over the next decade the great majority of credit-card and PIN numbers (‘dumps’ and ‘wholes’, as they are known) used fraudulently were ‘skimmed’ from ATMs and businesses around the world.
As a talented hacker, Dimitry also quickly noticed that the security systems developed by the nascent e-commerce community in the United States were primitive and easily cracked. How successful he was initially is entirely unclear. Dima liked to put it about that he had attained the gold standard of dollar millionaire before celebrating his seventeenth birthday. But never forget: lies are the most common currency of the Internet, and some of his cyber pals tell a different story.
‘He was greedy, deceitful and always drawn to the criminal milieu,’ blogged another Odessa hacker. ‘But the image of a successful millionaire was a far cry from reality.’
At this point, Dimitry disappeared, along with some of his more outrageous money-making schemes. Some months later he emerged from a chrysalis conferring anonymity as Script, a gloriously adept creature that flitted excitedly between two new websites, carder.org and carder.ru. These were little more than discussion forums where Russian hackers chewed the digital cud about how it might be possible to access the gazillions of dollars, pounds, yen and euros locked away behind credit cards. One of the original members of these sites remembered them as ‘desultory, unstable’ and ultimately ‘unrewarding’.
Script, however, thought long and hard. If you had websites for all other manner of commerce, why not develop one for the inchoate trade in stolen credit-card numbers, bank accounts and other valuable data? He had a compelling motive for wanting to establish such a presence on the Web. For Script himself had begun to accumulate large amounts of these data, which he had neither the time nor the resources to exploit. He wanted to turn all his numbers into cash. He wanted to sell.
The timing was perfect. In the preceding five years, the Internet had hosted a furious growth in commercial activity. Nobody had fully anticipated this, because its originators had envisaged the Web as a tool to improve and accelerate communication, an arena where ideas and gossip could be exchanged.
Amazon, eBay, lastminute.com and other first movers of the cyber enterprise world came out of left field. But their success did not go unnoticed. Thousands upon thousands of people tried their hand at setting up websites. This being one of those historical moments that emerge once in a generation, and where human greed and fantasy coincide, it was not long before banks and venture capitalists convinced themselves that e-commerce was a guarantee of quick riches. They began pouring money into these companies, the great majority of which were intrinsically worthless entities despite having been capitalised to the tune of millions, if not tens of millions, of dollars. The first major bubble of the globalised age had begun, and how fitting that the bubble was in high-tech stocks.
But while most dot.com companies were indeed commercial Potemkin villages, firms already well established in the real world found that there were distinct advantages to conducting part of their business on the Web.
Banks were swift out of the traps in this regard because, as already noted, it dawned on them that if they could persuade their clients to make payments and manage their accounts online, then they would not have to pay employees to do so. Those customers who felt comfortable with the Web were almost certain to prefer the close control over their finances that Internet banking enabled.
At this time the Masters of the Universe, the new class of financial capitalist, were casting off the fetters that had in the past restricted their speculative activity on derivative markets. Essentially, politicians in Washington and London had issued them with a licence to gamble
(the dot.com boom was a fine example) and, as the price of assets that were worth very little rose to great heights, money was lent on the supposed value of those assets. For a decade the Western world was bathed in cheap credit. The Ages of Empire and Capital morphed into the Age of Plastic.
Personal credit-card debt in the four biggest users of plastic – the US, the UK, Japan and Canada – started rising manically in the mid-1990s. In the space of ten years from 1997, the number of cards in circulation worldwide rose from just under 1.5 billion to 3 billion, and average individual debt among the most addicted users, the Americans, doubled from $5,000 to $10,000. Banks adored our new-found affection for credit cards because at a time of virtually 0 per cent interest rates, they were still gaily charging anywhere between 5 and 30 per cent. In Britain the head of Barclaycard confessed to a parliamentary Select Committee that he did not ‘borrow on credit cards because it is too expensive.’
Other parts of the globe were less inclined to be moulded by plastic. Western Europe had traditionally eschewed the buccaneer economics that had so bewitched America and Britain. As a consequence, credit-card ownership was much lower, along with the level of personal debt. In Eastern Europe there was neither sufficient capital spread across the population nor a secure banking industry to administer credit cards. Plastic was a rarity in the former communist world, an executive toy for the New Russians – that tiny proportion of the population who had made breathtaking fortunes by ripping off their countries and compatriots during the transition from communism to capitalism.
But in the Anglo-Saxon casino economics of the 1990s and 2000s, plastic was the closest invention to printing money ever devised by financial institutions and they were not slow to excavate this rich lode of capital. Tons of leaflets were sent daily to addresses in the Western world exhorting people to sign up for credit cards or to exchange an existing debt for a new account that would not charge interest for six months. For three or four years more diligent consumers were able to secure interest-free credit as they transferred their outstanding balance from one card to the next, while the banks became ever more frantic in their attempts to secure new customers.
So many cards. So much money with which to play. Since large electronic wads of the stuff were sloshing around on the Web, it was perhaps no surprise that it began to attract the attention of cyber men from the East who were short on cash, but brimming with technical ingenuity. One of them was Script, eighteen-year-old Dimitry Golubov from Odessa.
And so it was that CarderPlanet was born.
5
CARDERPLANET
A question fades up in flickering Star Wars script:
LOOKING FOR A PROFESSIONAL SOLUTION?
The shot zooms in on a rapidly spinning Earth that explodes into a metallic psychedelic pattern, accompanied by an aggressive electro-dance number, followed by a series of messages:
DISCOVER THE POWER OF TECHNOLOGY
FEEL TIRED OF EVERYDAY ROUTINE?
WANT TO CHANGE YOUR LIFESTYLE?
BECOME ONE OF US!
DUMPS — CREDIT CARDS
CAN MAKE YOU RICH!
The screen fades to black, before three more messages appear underscored by a militaristic bass drum:
THE TEAM YOU CAN RELY ON
Boom!
EVERYTHING YOU NEED FOR BUSINESS
Boom!
CARDERPLANET IS INEVITABLE
Boom!
A year after CarderPlanet was founded in 2001, Script invited his hacker friends to the First Worldwide Carders’ Conference in Odessa – the world’s first ever cybercrime convention – to celebrate the trailblazing website. This group could boast the same incredible cyber ability as the members of the Hacker Republic, the secret group to which heroine Lisbeth Salander belonged under her nickname, Wasp, in Stieg Larsson’s best-selling The Girl with the Dragon Tattoo.
But there was nothing fictional about Script and his friends. CarderPlanet was for real.
6
A FAMILY AFFAIR
The First Worldwide Carders’ Conference celebrated CarderPlanet’s first birthday. It was unique and remarkable. By 2002 Odessa had calmed down: there were even signs of normality. Its iconic boulevard, Deribasovskaya, was brimming with street vendors, shops and fancy restaurants. Surrounded by the four-leaved clover and Gaelic inscriptions of Mick O’Neill’s, one of post-communist Ukraine’s first fake Oirish pubs, an inner core of Ukraine’s top hackers, known as The Family, discussed the goals of the conference. Among them were top figures such as Auditor, Rayden and Bigbuyer, along with the moving spirits of the event: Boa, a communications and security boffin with a distinctive white beard, and the energetic if slightly juvenile Script.
Over the next three days in several different locations around the city they drank and sang, but above all they discussed the short- and long-term development of their nascent website, CarderPlanet, which was already changing the nature of cybercrime around the world.
General discussions were held in The Odessa Hotel, the most expensive in the city at the time. A fine example of ugly post-communist chic, the tall building did at least stand on a pier right opposite the Potemkin Steps, made famous in Eisenstein’s masterpiece of early Soviet film, Battleship Potemkin. Those topics in which all delegates took part at The Odessa included the need to understand the technical details of the lesser credit cards, such as JCB and Diners, which, it was felt, had been neglected in favour of the more lucrative Visa and MasterCard franchises. It was also agreed to develop or strengthen new networks of people who could ‘cash out’ stolen credit cards in regions such as South America, Oceania and Africa. After all, somebody had to undertake the actual criminal transaction of taking money from ATMs – outsourcing this riskiest part of the chain was a no-brainer.
The more secretive discussions, where only about fifteen leading ‘carders’ were present, took place in a small, dingy restaurant down by the sea. The aim of this group was to persuade delegates to establish their own regional networks of CarderPlanet franchises so that its owners could continue to make money, but for less work.
As the meeting started, one of the lesser-known delegates sent an inconspicuous signal to Boa. The man had performed an electronic sweep of the restaurant and detected that hidden video cameras and digital recording devices were active inside the room. In all probability, the SBU, Ukraine’s secret police, were carrying out the surveillance. And if the SBU were monitoring the event, so was Russia’s KGB, who at the time were able freely to exercise the intelligence equivalent of droit de seigneur over the SBU – the right to trawl over pristine data before the collector had even examined it.
The Family, CarderPlanet’s Politburo or Cupola, did not especially fear American and European intelligence and policing operations. But the KGB was another matter, and it was no coincidence that the most important resolution of the conference warned against hostile activities inside Russia and Ukraine. ‘One more time, we stressed the absolute inadmissibility of any action in relations to our billing systems, banks or financial institutions,’ it thundered. If Russian-speaking cyber criminals had turned on Russian banks or businesses, the entire project would have been shut down within five minutes.
Instead, CarderPlanet proved more durable. The website existed for nearly four years. It is no exaggeration to say that its creators were responsible for the emergence and consolidation of an entirely new method of engaging in major criminal activity: fraud that could be perpetrated on a huge scale with minimal resources and minimal risk.
CarderPlanet’s primary role (later adopted by its many successors) was to act as a bazaar for stolen data – credit-card numbers and PINs, bank accounts and their passwords – along with other goodies such as viruses and fake documents. Until this point, the exchange of such information generally took place in laborious one-to-one transactions over icq and IRC (the two messaging systems favoured by hackers).
Cybercrime’s perpetrators – so-called carders, spammers, skimmers and virus-makers –
already looked like a breed apart from criminals attached to traditional mafia structures. Script called them ‘lone wolves’ in an interview with Hacker (Xakep.ru), the great chronicler of Russia’s cyber underworld. ‘They don’t huddle together in groups or form their own distinctive networks; everyone works by himself, for himself.’
The Russians were not the only hackers developing the techniques of cybercrime, but CarderPlanet gave them a structure, hitherto elusive, enabling those lone wolves to form opportunistic packs in order to commit crime (or mere mischief) before evaporating back into a desolate cyber wilderness, brilliantly camouflaged in the clicking and whirring environment of the Web, resisting all attempts to identify who on earth they might be.
Very quickly, its members came to adore CarderPlanet. ‘You must understand,’ said a former consigliere from the website’s inner circle, ‘CarderPlanet was not just a source of information. People lived on CarderPlanet – we referred to it simply as The Planet as though it were our home.’
While theft, spamming and other forms of electronic malfeasance played a very important role, these were by no means the only activities attracting Russian speakers to land on the Planet and make their home there. The average user was gifted with a fascination for electronics, computing, games, network systems and hacking as sport.
These were not mere criminals who identified CarderPlanet as a vehicle through which they might ply their trade. Instead, they created a community of men largely in their teens and early twenties who were struggling to get by in a chaotic, ruthless historical moment and who possessed unique abilities. In Odessa, everybody was compelled to behave in a certain criminal fashion as a matter of course. But most were naturally confined by their location. The Planeteers armed themselves with the survivor’s logic, from an Odessa in political and economic turmoil, and replicated these behavioural patterns in cyberspace. They were not natural-born killers, but natural-born survivors.
