DarkMarket: Cyberthieves, Cybercops and You


by Misha Glenny


  The deeper he involved himself in the carding world, the more tangled he wove his moral web. As Iceman, he never bought and sold credit cards. But Vision created other online personas who did trade in them. The ability to section off parts of the personality was a common trait among hackers. At times Vision even appeared to believe that his virtual characters were autonomous in thought and deed, and therefore morally distinct entities.

  As Iceman, he sought to defeat both his criminal competitors and the police in order to emerge as the unchallenged master of the carding world. This required a dual-pronged strategy. First, he must identify and expose all snitches (Confidential Informants or CIs) and cops who were stalking the carding boards. Second, he must vanquish the competition – all the other carding boards vying for criminal traffic.

  Long before the US Secret Service successfully engineered the closure of Shadowcrew, Iceman had identified that several of its key members were either informants for American and Canadian law enforcement or, perhaps, full-blown police officers. Those like Iceman who practised deception knew they must be equally skilled in perceiving the art in others. Experienced cyber thieves and cybercops alike knew that nothing encouraged disguise and dissemblance like the Internet. Iceman reasoned that spotting snitches was an essential part of the job.

  When Iceman did uncover informants, he wrote famously vitriolic rants about them on the boards. Some members concluded that Iceman did protest too much. Was it possible that the master brain of CardersMarket was himself an informant? It certainly looked that way as he launched his master plan for annihilating the competition – a series of attacks on rival carding forums, aimed both at taking them out and absorbing their voluminous member databases into his own CardersMarket. Vision was quite open about his intentions: with his hallmark arrogance, he said he didn’t believe that other criminal websites like scandinaviacarding.com or TalkCash ‘had any right to exist’.

  To underline his superiority, he first created a false digital trail, which made it appear as though the CardersMarket server was located in Iran, way out of reach of both law enforcement and other carders. In fact, the server was in California, but so great was Iceman’s capacity for subterfuge that he did indeed convince everybody that the site was based in Iran. Naturally this added to the rumour mill: was Iceman an agent of Iranian intelligence, charged with sowing confusion among US law enforcement and raising funds for its covert operations?

  Whoever he was, it was clear that he meant business. One after another, he successfully hacked the rival carding sites, hoovering up their databases, which included all the email addresses and passwords of the members, along with a record of all postings ever made. He then integrated all this information into CardersMarket before deleting the records on the original site.

  His attacks were relentless – even the Russians were not spared his wrath. He had the temerity to hack mazafaka.ru, the iconic site that had replaced CarderPlanet in the affections of Russian hackers. But although his ego sometimes clouded his judgement, he knew perfectly well that destroying the Russian sites in the way he had the English ones would have been most unwise. The Russians included some of the most brilliant hackers in the world, and Iceman had no wish to provoke them. Furthermore, following the Shadowcrew takedown, the Russians had promptly left the carding party. That is to say, they departed – more or less en masse – from the English-speaking boards. The Babylonian exchange of criminals, informers, spies and police officers on the anglophone websites was becoming irritating and oppressive: it was getting in the way of business. The risk they ran was negligible, provided they kept away from countries where American law enforcement could act.

  And so Russian hackers established a series of boards that were exclusively or predominantly Russian-speaking, including mazafaka.ru. US law enforcement found these much harder to infiltrate, while cooperation with the Russian police or the more influential KGB proved extremely difficult. The first line of defence of criminal hackers in Russia or Ukraine is always the ever-changing local slang. While some Western police officers could hold a conversation in Russian, it was much harder to keep up with the dynamic shifts in the language attached to a popular culture with which few in Washington or London could keep pace.

  While the Russian sites rumbled along happily, by the summer of 2006 Iceman had killed off almost all English-language opponents. And when he noticed any of them attempting to resurrect themselves, he would launch a devastating Distributed Denial of Service (DDoS) attack.

  DDoS attacks had emerged as the most common weapon in cyberspace. They were the work of so-called botnets, the cyber equivalent of the 1950s Hollywood classic, Invasion of the Body Snatchers. A virus ‘captures’ a computer, which then falls under the influence of a so-called Command and Control Server. The virus would infect thousands of computers in this way, which were referred to thereafter as zombies, enjoying the status of drones that carry out the bidding of the mighty C-and-C Server. To most intents and purposes, they continued to function as normal computers. An ordinary user would be unaware that his or her machine was now a soldier in a vast Army of the Digital Dead. If an especially active zombie, the innocent victim might have noticed his or her computer running a little slowly, usually because it was being overworked to assist unseen in the distribution of billions of spam emails, either advertising penis enlargements and Vicodin or containing a new copy of the virus that could infect still more computers.

  But often botnets are instructed instead to mount DDoS attacks whereby the zombies are all ordered to access a specific website at the same time. If a website or a server is subject to a DDoS, it simply collapses under the strain of having to accommodate so much computer traffic. The page freezes. If the attack is powerful enough, whole systems freeze.

  His relentless use of DDoS attacks ensured that Iceman was widely loathed among the criminal hacking community for his arrogance. But his tactics also aroused the suspicion that he was working for the Feds, because so many of his victims were hackers and criminals.

  However, nobody could argue with his figures and turnover, as CardersMarket now had several thousand members, all of them still active, buying and selling credit cards, bank accounts, viruses, identities and more. By August 2006 he was cock of the cyber walk.

  There was only one thorn in his flesh. One criminal website wouldn’t die. Every time he hit it, whether by clearing out its database and wiping all its files or by ordering his army of zombies to take it down from the Web, it just kept coming back like a weeble, those funny dolls that always spring back up when you knock them down.

  The battle with DarkMarket had begun.

  16

  DARKMARKET

  Cyberspace, 2005–8

  As the souped-up car rolled down the western edge of the Alps, the sun bounced off the crisp Mediterranean, reinforcing the sense that this was going to be a stupendous weekend. The group of twenty-something Scandinavian lads led by Recka, the king of Sweden’s carders, turned off the A8 and onto the Grande Corniche highway before snaking down through the mountains to Monaco.

  One of the smallest and most densely populated countries in the world, the principality had been drowning in its own glamour for most of the last century. In 1956 it set a gold standard for post-war global celebrity hysteria when one of Hollywood’s most alluring princesses, Grace Kelly, joined a real royal family by marrying Crown Prince Rainier, heir to the Monégasque throne.

  Now, exactly fifty years after Monaco’s marriage of the century, a group of DarkMarketeers armed with a trove of rare plastic booty were preparing a brief raid on this temple of decadence. Soon after passing the border from France to Monaco, the first casinos hove into sight. These cash factories have been underwriting the principality’s budget since the 1860s. The locals call them ‘Monaco’s wallet’ and they are the reason why the Monégasques pay no taxes. Why would they need to? A single room at the Monte Carlo Bay Hotel, for example, costs $800 a night, and if the guests can afford that, they can obviously throw silly money into the casino vaults. The result – a surfeit of lucre all round.

  The indigenous population thus bathes gently in the huge pools of money which the super-rich fritter away on the blackjack and roulette tables. Guest residents often feel able to dispense with this cash so lightly because it’s money that, under other circumstances, they would be paying in tax to those national exchequers where they or their businesses spend most of their time. As Monaco is a haven for tax evasion – and, according to the venerable Organisation for Economic Cooperation and Development, money laundering too – the authorities on this rocky outpost of fiscal freedom are used to not asking questions of visitors to their tiny land or the origins of their funds.

  A perfect place, then, for a group of DarkMarketeers armed with twelve American Express Centurions, the fabled Black Amex cards, Olympian deities in the Age of Plastic who grant audiences by special invitation only to squillionaires from the West, Japan, Hong Kong and the Middle East. In America, the Centurion user has to pay a $5,000 joining fee and then subsequent annual fees of $2,500. But in exchange, Centurion Man receives free plane tickets, dedicated concierge services, personal shoppers and membership of elite clubs dotted discreetly around a world of which we inhabitants of Planet Drudgery have no notion.

  And did we talk cash? Present your Centurion and swaddle yourself in the bucks, euros, sterling, Swiss francs or yen that the bank cashier will hand over with a hint of a smile that is reserved for someone of your value and status. A single Centurion could almost pay the ransom for a hostage captured by Somali pirates.

  There is nothing unusual in a group of youngsters with too much money for their own good pitching up in Monte Carlo to spend, spend, spend with their Centurions – in this environment spoilt brats are the norm. They were determined to exploit their twelve magic tokens to the full. First a luxury hotel, then cocktails and a sumptuous meal before they hit the Casino. ‘It was a crazy party,’ one of them remembered dreamily, ‘2006 was the time when DarkMarket began to soar in the sky.’ By the time they left two days later the young carders had taken out €400,000 on those Black Amex. Even they admit to being shocked at how easy it was. ‘They didn’t bat an eyelid. Nobody challenged us once, and you got the feeling that people did this sort of thing all the time.’

  The Scandinavians were not alone in hitting the jackpot. Maksik, a notorious Ukrainian carder, was earning hundreds of thousands of dollars by reselling ‘dumps and fulls’, credit-card numbers with their PINs and the three digits on the back of the card. Cha0 in Turkey created a veritable factory of criminal activity, cashing out cloned credit cards, selling ‘skimmers’ around the world to other thieves so that they could steal card data on their own.

  Darkmarket.com was founded in May 2005, but in the first few months of its existence it was a fairly lifeless affair. In the autumn of that year, however, it attracted some significant figures from other carding boards. The most energetic of all was JiLsi, the hacker from Sri Lanka, who had already founded one site, The Vouched, and had achieved moderator status on mazafaka’s small but influential English-language section.

  Before long, JiLsi had been appointed global moderator on DarkMarket, one rung below the kingpin status of administrator. He took it upon himself to elevate DarkMarket’s profile. His aim was the same as Iceman’s with CardersMarket – JiLsi wanted it to be recognised as the top criminal website in the English-speaking world. Working tirelessly from the Java Bean Internet café in north London, he succeeded in attracting hundreds of new members by May 2006. They were mainly English-speakers, although a number of Russians floated in and out as well.

  Just as the site was becoming popular among carders the world over, its original founders decided to bring an end to DarkMarket because they feared its penetration by the security services. One of them even worried that it was becoming too successful. JiLsi and his friends wished to build on its growing reputation and simply reregistered the site as darkmarket.ws (the country domain for Western Samoa).

  Now they could really get to work. Along with JiLsi, DarkMarket boasted the sponsorship of a renowned Russian hacker who went under the name of Shtirlitz, a veteran from CarderPlanet, who acted as a bridge between the Russian carding sites and DM.

  There were others. Matrix001 had a look around DM. His reputation as a specialist in graphic design had been growing since he became a member of the International Association for the Advancement of Criminal Activity. He was unimpressed by what he saw – the message board was clunky and its security poor. He sent the administrator JiLsi a blunt message, pointing out that enemies like Iceman were hacking the website on a daily basis due to the inadequate software. Matrix offered to install a better system, which JiLsi welcomed, and Matrix began his ascent up the hierarchy.

  More help was on the way. JiLsi was quick to promote a certain Master Splyntr to accept the post of moderator on the forum. Master Splyntr was the nickname of a notorious Polish spammer called Pavel Kaminski. In a typically adolescent reference, his nickname referred to the rat who trained the Teenage Mutant Ninja Turtles in the art of martial combat in the popular children’s cartoon. In deference to his hero and his skills, Master Splyntr was also known among the spamming and hacking community as ‘sensei’.

  Master Splyntr’s true identity had been revealed by the secretive British anti-spam organisation, spamhaus.org. The businessmen, techies, former spooks and God-knows-who-else comprising this team run an effective crusade to blacklist high-rollers of the spam, carding and child-pornography worlds. It scours the digital world for ‘rogue’ ISPs, those Internet Service Providers that turn a blind eye to the criminal activities of their customers. Kaminski, Spamhaus reported on its website, was one of the world’s top five spammers, responsible for vast amounts of unwanted ads for penis enlargements, Vicodin and the rest.

  Spamhaus’s interest in Master Splyntr meant that he was a marked man, and five police forces from around the world launched investigations into his activities when he moved from spamming into the realm of carders. Kaminski was also linked to the wholesale distribution of malware, viruses and trojans. He was an established bad dude, and JiLsi was quietly thrilled at having enticed such a big fish into the waters of DarkMarket. He cultivated both Splyntr and Matrix001 assiduously. This was developing into quite a team and when Cha0, the Turkish criminal mastermind, joined the party, DarkMarket developed an undoubted aura of success.

  To look at, there was nothing remarkable about DarkMarket. It functioned just like message boards that discuss the perils of parenting or the thrills of bee-keeping. It was harder to access because members had to be nominated and vetted, but this rarely proved a problem for those acquainted with the carding scene and with a determination to join. Actual business – buying and selling – was hardly ever conducted over the forum, for security reasons. Rather it was a place for vendors and buyers to meet; it was where manufacturers of skimming machines could find a market; it was an opportunity for holders of credit-card databases to recruit a team doing ‘cash out’ work (the critical job of going from ATM to ATM extracting cash from accounts). But the details of any deal were almost always hammered out in private messages held on encrypted ICQ networks. Once a deal was struck, it was back to the website to put in a request for the escrow service where administrators would ensure fair play.

  The forum attracted ever more members, and business boomed. Key individuals acted as a bridge between Russian criminals and Western carders, but at the same time JiLsi noticed the geographical circle widening. Turkey was becoming an important cybercrime zone. The communities in Spain and Germany were growing very fast, while even those in France – whose carders felt, like most French people, more comfortable in a French-speaking environment even on the Web – brushed up on their English to enter the fray.

  The Golden Age of DarkMarket was under way.

  17

  THE OFFICE

  Renu Subramaniam’s office was a terminal at the Java Bean Internet café. For much of the previous eighteen months Renu had been working on the Web against a background of grinding and screeching, as the modest Java Bean lay in the shadow of Wembley Stadium – and the stadium was undergoing a monumental reconstruction, which, by the middle of 2006, was already overdue and over budget.

  In most respects, the café was like thousands of others dotted around the world. Its surroundings were not salubrious. Nestled between the Bowling Nail Bar and a rather dingy-looking chartered accountant’s office, it housed several decrepit, bulky screens and sticky keyboards that were attached to unreliable computers inscribed with faux brand names, marking them as cheap knockoffs from East Asia. Heaven only knows what activities have gone on behind the rickety wooden partitions dividing the grimy consoles.

  Bent over the screens, adolescents played online games for hours, often with unparalleled levels of concentration; backpackers composed amusing emails brimming with their impressions of newly discovered lands; curious teenagers and frustrated middle-aged men surfed weird porn sites; idealistic youths planned political protests, imagining that by dropping into these anonymous venues they had dodged Big Brother; drug dealers arranged drop-off points and methods of laundering money; and cyber criminals logged on to see the value of the latest haul.

  Apart from its location in the shadow of the inchoate Wembley Stadium, there was one other peculiarity about the Java Bean. Usually the computers in Internet cafés are equipped with only limited protection from external attack. Viruses, trojans and other digital bacteria lie around these places, rather as their organic equivalents infest hospitals with lax cleaning regimes.

  But Renu took his security seriously and persuaded the Java Bean’s manager to install a special program on the café’s systems called Deep Freeze. This restored the hard disks to an earlier configuration, which ensured that the network was no longer able to ‘see’ any malware it might have downloaded during the day, thus rendering the bad stuff ineffective and enhancing Renu’s protection.

 
