by Misha Glenny
The new site was divided into categories, each devoted to a specific aspect of Internet crime or hacking. The first time one of Odessa’s young hackers logged onto CarderPlanet, he was overwhelmed. ‘I swear it was the same feeling that Ali Baba must have experienced when he first opened the cave and saw it stuffed full of treasure. Each section had heaps of information, which you could use to make yourself stinking rich without ever getting up from your computer!’
In the first year, hundreds upon hundreds of Russian-speaking hackers began exploring the site, attracted by its entertaining graphics and efficient organisation. The visual logo for CarderPlanet was a cigar-smoking gent with a twinkle in his eye – a dead ringer for Flash Harry, the cheeky spiv played by George Cole in Britain’s post-war comedy classic, The Belles of St Trinian’s.
‘For innocent lads from the provinces like me who could at best expect to earn one hundred dollars a month,’ the young Odessa hacker continued, ‘the financial promise of this unknown language – including words like Dumps, Drops, Wires, COBs – was mesmerising.’
The website was not open to all-comers. To access its walled-off areas one had to become a member, and that meant being vetted by the administrators. Along with Script, four others assumed this privileged role in the first year of CP’s activity, including Script’s most influential collaborator, Boa.
Among other tasks, the administrators’ job was to decide who should be granted membership and who not. In the first instance, these security measures were designed to ward off the interest of law-enforcement and intelligence agencies from around the globe. The US Secret Service and Britain’s MI6 were well acquainted with CP’s predecessors, carder.org and carder.ru. Script was determined to keep them at bay this time round. He was confident that the local Ukrainian police would present no great threat to the website. ‘They’re equipped with nothing, neither personnel nor resources,’ he argued. ‘No one in the Ukrainian agencies has fluent English and they hardly understand anything in any case. So even if they do get information from the “enemy”, i.e. from us, they’re not going to read it (and they don’t get funds for it), so, essentially, they have nothing to read at all.’
More assiduous than the Ukrainian police were their Russian counterparts in Department R of the Interior Ministry, which was later reorganised, eventually re-emerging as Department K, dealing with all high-tech crime. CarderPlanet was penetrated and compromised by the Russian Secret Police almost as soon as it was set up. But as the Belorussian carder, Police Dog, has pointed out, ‘If we didn’t make a mess on our own doorstep then our local cops and intelligence services didn’t have a problem with us.’ Why would the KGB waste resources on investigating networks that are ripping off American and European credit cards? A complete waste of time. So for the moment Moscow was content to observe and store information. They knew exactly who was who in the Odessa carding community.
Ironically, given that CarderPlanet and cyber criminals boasted a very different social, cultural and psychological profile from traditional crime syndicates, Script and his collaborators nonetheless chose to designate their membership structure by borrowing the terminology of the Sicilian mafia. Later, carders reflected that it was unwise to use such an obvious criminal metaphor, although in these early days the language also hinted at Script’s specific psychological profile and his future ambition to lead a powerful social movement.
The most senior members (never more than six) belonged, then, to ‘The Family’, whose highest representatives or administrators were each entitled to the honorific ‘Godfather’. Once these Family chiefs granted somebody admission into CarderPlanet, the member could explore the website’s various sections. In one part, for example, he could browse through a whole raft of viruses on sale, which he could later use to launch a specific type of attack against other computer users. Virus writers also offered to write a piece of customised malware, for payment, that could infiltrate specific systems or programs.
Most activity took place on the Carders’ Forum. In this department you could buy and sell stolen credit-card and bank-account data. ‘In the course of his work,’ Script explained, ‘a carder can specialise in one or more areas of carding. But there’s nobody who does everything. Sooner or later that carder will need someone else’s services. That’s why there’s a place for the networks and groups – people exchange numbers and information. That could be bank accounts, complete information on card owners, sometimes even including passport details. Carders can also be part-time hackers, since sometimes you can’t come up with the necessary information (without paying for it) unless you break into a server.’
In another department you could purchase a Western passport or, say, an American driver’s licence. In most instances, the counterfeit documents were of the highest quality. But, as purchaser, how could you be certain of the quality of these fakes? And furthermore how could you be confident that the seller was not going to rip you off? After all, you already knew that the person you were buying from was a criminal! ‘Rippers’ – criminals who rip off criminals – were already an established presence on the Internet.
This was CarderPlanet’s trump card. The Family members were monitoring all the comings and goings. After introducing the vetting system, they further strengthened security by making this a pay site to keep out mischief-makers. There was initially ‘a big influx of amateurs who just cluttered up the forum’, whom Script wanted rid of, but even more damaging was the presence of the rippers, ‘who offer low-quality services or fail to deliver services in exchange for the money they take’.
But CarderPlanet was not just a department store for cyber thieves, for the vetting system enabled administrators to act as guarantors for the business conducted via their website. In exchange, they received adulation, cash and a much bigger and more efficient market for their own products, all in one go.
While a genuine hacker, Script was unusual inasmuch as he was driven primarily by a desire to make money. Although young, he well appreciated the oceans of cash in which the Western world and particularly America was floating. Profit is indubitably a powerful force, but the creative genius behind CarderPlanet was not Script, but his senior collaborator, Boa, for whom money was a secondary consideration.
Boa was a very different character from the rest of the Planet’s inhabitants. In his late thirties when Script first created the Planet, he was a good two decades older than most of his colleagues and vastly more experienced in the ways of the world.
In the 1980s when the Soviet Union still existed, Boa had proved himself a gifted student of electronics, completing two university degrees. He developed a particular interest in the world of amateur short-wave radio. In those days that was a sensitive hobby to pursue, as Soviet intelligence (and, in the case of short-wave radio, military intelligence) was intent on maintaining control of all communication flowing in and out of the country.
Boa was hugely popular, with an easy manner that could mutate into charisma at a moment’s notice. Even though some friends assumed he was working with the signals section of military intelligence, he nonetheless became a poster-boy for the ham-radio fraternity around the world, which, as one might imagine, includes a high percentage of rather shy, geeky characters.
Boa attained a worldwide reputation for becoming the first amateur radio operator to broadcast from the military-restricted area of the Vietnamese Spratly Islands, following this up with an even more astonishing achievement: sending the first ever amateur signals from North Korea. He was fêted from America across Europe to Australia for this ham-radio first, drawing large crowds of fans when he appeared at their conventions in the 1990s. Good-looking and exceptionally articulate, he was instinctively liked by people, and everyone wanted to be his friend.
Boa came across CarderPlanet while surfing the Web in the autumn of 1999 and was immediately impressed by its entrepreneurial, if chaotic spirit. Living on Malta, he already had a successful global business that sold high-end surveillance, counter-surveillance and anti-terrorist technology to politicians and businessmen in more than sixty countries around the world.
Aware of Boa’s professional experience and organisational ability, Script invited him to join ‘The Family’ after a few months. Struck by Script’s drive and energy after he first spotted the website in early 2002, Boa agreed to join CarderPlanet. ‘When Boa came on board, he completely reanimated the Planet,’ remembered one of the youngsters who had moved to the Planet. ‘He was responsible for the slick design and introduced a number of new sections. He became a local celebrity.’
At the same time, Boa agreed with Script that he would set up a second website, Boa Factory, whose activities would complement the work of CarderPlanet while emphasising different sectors of the trade – Boa Factory was known, amongst other things, as a specialist producer of counterfeit passports and ID cards, as well as developing a larger wholesale trade in cloned credit cards and dumps. Whereas Boa was exclusively a business site, CarderPlanet emphasised the social aspect of the underground where individual carders could meet, chat, buy and sell on the Web.
Boa Factory developed a revolutionary tool, subsequently adopted by CarderPlanet, that enabled the growth of cybercrime on an industrial scale. The greatest challenge facing cyber thieves lay in the knowledge that the person they were doing business with was also a criminal and, ipso facto, untrustworthy. Boa devised the escrow system, known initially as the Warrant Service, to solve the problem. A vendor would provide the escrow officer with a sample of his wares (a dozen or so credit card numbers and PINs) while the potential buyer would send the money to him at the same time. The escrow officer would then test the wares and, if they delivered the cash as promised, he would release the money to the vendor and the dumps and PINs to the buyer. This simple device proved to be a touch of genius. From now on, the trade was protected and it boomed accordingly.
It was Boa’s idea to bring the Family together to the First Worldwide Carders’ Conference in the summer of 2002. So when his invitation to visit Odessa dropped on electronic doormats across the former Soviet Union, the recipients were only too willing to pay the airfare south (though naturally enough they were almost certainly charging it to someone else’s credit card). Would a Catholic turn down the chance to visit Lourdes? Or a Muslim an opportunity to see Mecca? Well, no self-respecting criminal would pass up the offer of a week in Odessa.
The Planet was on top of the world. Its users raved about its money-making properties while hundreds of hackers, crackers and spammers waited nervously to see if the Cupola would grant them the precious privilege of membership.
Script prefaced the gathering by giving the first ever public interview by a major carder. Xakep.ru (Hacker magazine), which still publishes today, is the bible of the Russian underground, but even its readers were shocked to see Script reveal the secrets of the Planet in March 2002. ‘What motivates someone to become a carder?’ the magazine asked Script, pointing out that Russia’s notorious Department R was created to hunt down carders and their ilk.
Script: They’re motivated by what their hearts and minds tell them. Science has shown that people who take risks experience a rush of the so-called happiness hormone. That hormone, multiplied by whatever quantity of rustling dollar bills, plays the fundamental, decisive part in motivating someone to keep working in this not entirely honest industry.
Hacker: Guilt-free?
Script: Guilt-free. Not only because anyone can cancel any payment even after a long period of time has elapsed just by sending the bank a statement to that effect, but also because carding isn’t as heinous an occupation as it might seem. It’s a lot less shameful than robbery. We don’t cause card owners any problems; they’ll get back everything from the banks, right down to the last penny if they ask for it. Instead, our government should feel guilty about the fact that teenagers are becoming embezzlers at such a young age.
Golubov was rationalising the trade as most carders do: the banks will always pick up the tab, and so ordinary people remain unaffected. Such sentimental, populist twaddle conveniently overlooks how banks pass on the costs of fraud to their customers, and so the carders are having a direct and negative effect on the ordinary people for whom Script showed apparent concern.
Nonetheless, his point regarding the government not giving a damn about how large numbers of teenagers were turning to crime is near the mark. Ukraine was little more than a mafia state and its leading politicians and businessmen were setting an appalling example, one that Script proved adept at following.
Set against this backdrop, Script believed that CarderPlanet would be able to furnish him with sufficient funds to enter into the bigger league of Ukrainian business. He was nothing if not ambitious.
What could possibly go wrong?
7
BOA CONSTRICTED
Around the time that Script was launching CarderPlanet in Odessa, researchers at the software giant Autodesk in San Rafael, California, decided it was time to contact the FBI. The largest global manufacturer of 2D and 3D modelling software, Autodesk sells its products across the world to architects, designers, town planners, model-makers, mortgage brokers, vehicle manufacturers – well, they are even the chosen suppliers of software to Scunthorpe’s firm of chemical engineers, Grimley Smith Associates.
Specialist software like this does not come cheap. Single licences for Autodesk’s professional CAD programs range between $3,000 and $7,000, reflecting the huge amounts invested in the research and development of the product.
In 2002 the company’s Piracy Protection Unit noticed that a seller in the Ukraine was offering brand-new versions of one of Autodesk’s design programs on eBay for a bargain $200, when in the shops exactly the same product was retailing at $3,500. ‘Hmm,’ they thought, ‘something’s not right here!’
Silicon Valley suffers from the same problem as the Hollywood studios. The making of motion pictures often involves resources comparable to those required in the development of complex software programs. As production costs rise, the emergence of a global network of counterfeit DVD manufacturers, frequently linked to organised-crime syndicates, has reduced revenues from movies. This is especially true in a recession – if you have a choice between spending $15 to watch a film in a theatre or seeing it on a perfect DVD copy for $1, two months before it is even released to cinemas, the latter course is hard to resist.
Likewise, you might run a company in a competitive field where you must have access to, say, an Autodesk product. To buy the requisite software and licences for your needs from the company might weigh in at almost $20,000, but if you bought them from this Ukrainian chap on eBay, your total outlay would be $800. Let us be frank: it may be illegal, but it’s tempting!
Since the 1970s, when software started to become commercially available for the first time, manufacturers have tried in vain to develop technology that can prevent it from being copied (as they have also attempted with CDs and DVDs). No such technology has ever lasted more than a few days before being cracked by one of the tens of thousands of hackers and crackers around the world. It has proved to be one of the most quixotic branches of the high-tech industry over the past three decades.
The hackers of Eastern Europe played a particularly important role in cracking security devices placed on software. In the 1980s, before the fall of communism, the Soviet Union had tasked various allies in its trading bloc, COMECON, to develop a personal computer and a software industry – notably Bulgaria and East Germany. The defining characteristics of communist computers were common to all Eastern Bloc consumer products: they were ugly and constantly breaking down. The challenges posed to the region’s nascent computer engineers were so considerable that they developed an exceptional ingenuity in overcoming glitches and bugs.
Furthermore, the software factories that the East Europeans built in the 1980s could not compete with Silicon Valley during the 1990s after the fall of the Berlin Wall – there was no money to invest in research or equipment. But the powerful new organised-crime syndicates that exerted such a huge influence over the economies of the former communist countries saw the factories as a genuine opportunity. First, they acquired these facilities (usually by foul means rather than fair), then they employed those talented engineers to produce counterfeit software on an industrial scale. Bulgaria, Ukraine and Russia set the pace, with the Romanians not far behind.
So when Autodesk spotted that a single seller on eBay was shifting significant numbers of a counterfeited version of their product from Ukraine to buyers in the United States, they naturally felt obliged to do something about it. After some deliberation they called the FBI, who in turn alerted the US Attorney’s Office in San Jose, California. And because the fraud involved eBay, the Attorney’s Office called up one particular investigator: Greg Crabb of the US Postal Inspection Service (USPIS), who at the time was based in San Francisco.
There are three main American law-enforcement agencies that claim authority in cases of cybercrime: the FBI (because its job is to stop crime); the Secret Service (because its brief includes protection of the US currency and credit-card fraud); and the USPIS (because its job is to monitor any illegal activity related to the federal mail service). The last-named became involved in the cyber game primarily because scams perpetrated through eBay and similar services often involve sending goods by post (whether illegally purchased or as part of a money-laundering scam).
Over the past fifteen years the USPIS has built up a dedicated team that investigates high-tech crime, and Greg Crabb was so successful that he eventually moved from San Francisco to head up its Global Cyber Investigations unit, out of a large anonymous building in Washington DC’s large anonymous complex called the Federal Center (remember to strike it off your ‘must do’ list when visiting the US capital).
Crabb’s Teutonic looks and slightly gravelly drawl are simultaneously attractive and intimidating. He qualified as a chartered accountant and it is hard to dispel the feeling that if he were to have a look at your finances, it would not take him long to turn up evidence of major wrongdoing, even if you are squeaky clean. This quality confers a real professional advantage on Crabb, as the ability to study long lists of numbers, short messages and seemingly incomprehensible data is a sine qua non for a good cybercop. The job may sound exciting, but like so much to do with computing, most of the work is grindingly tedious.