by Misha Glenny
THE OFFICE
Renu Subramaniam’s office was a terminal at the Java Bean Internet café. For much of the previous eighteen months Renu had been working on the Web against a background of grinding and screeching, as the modest Java Bean lay in the shadow of Wembley Stadium – and the stadium was undergoing a monumental reconstruction, which, by the middle of 2006, was already overdue and over budget.
In most respects, the café was like thousands of others dotted around the world. Its surroundings were not salubrious. Nestled between the Bowling Nail Bar and a rather dingy-looking chartered accountant’s office, it housed several decrepit, bulky screens and sticky keyboards that were attached to unreliable computers inscribed with faux brand names, marking them as cheap knockoffs from East Asia. Heaven only knows what activities have gone on behind the rickety wooden partitions dividing the grimy consoles.
Bent over the screens, adolescents played online games for hours, often with unparalleled levels of concentration; backpackers composed amusing emails brimming with their impressions of newly discovered lands; curious teenagers and frustrated middle-aged men surfed weird porn sites; idealistic youths planned political protests, imagining that by dropping into these anonymous venues they had dodged Big Brother; drug dealers arranged drop-off points and methods of laundering money; and cyber criminals logged on to see the value of the latest haul.
Apart from its location in the shadow of the inchoate Wembley Stadium, there was one other peculiarity about the Java Bean. Usually the computers in Internet cafés are equipped with only limited protection from external attack. Viruses, trojans and other digital bacteria lie around these places, rather as their organic equivalents infest hospitals with lax cleaning regimes.
But Renu took his security seriously and persuaded the Java Bean’s manager to install a special program on the café’s systems called Deep Freeze. This restored the hard disks to an earlier configuration, which ensured that the network was no longer able to ‘see’ any malware it might have downloaded during the day, thus rendering the bad stuff ineffective and enhancing Renu’s protection.
If the Java Bean was Renu’s office space, then the filing cabinet that contained the secrets of DarkMarket consisted of a tiny memory stick. Renu usually kept this portable hard drive literally close to his heart. When he arrived at his office, he would plug the memory stick into one of the computer terminals and start working on DarkMarket.
Once logged in, Renu donned his pirate’s mask to become JiLsi, one of eight administrators that ran DarkMarket during the site’s three-year existence. Never more than four-strong at any one time, this team was one of the most influential units on the global carding scene. This most senior post did not bring them much in the way of extra revenue, but it was a privileged position that generated considerable respect among hackers and crackers. They also enjoyed access to great stores of information and held the key to virtual life or death – the power to exclude members for real or perceived transgressions.
There were two major drawbacks to attaining the exalted position of administrator. First, it was very hard work, regularly involving fifteen to seventeen hours of keyboard-hammering a day. There were no holidays for these people – they were expected to be on permanent call, every day of the year. Master Splyntr, for example, always carried a cellphone that alerted him when one of his fellow DarkMarketeers needed him and he would respond whenever it rang. JiLsi complained that he would log on at nine in the morning and would still be sat there at ten in the evening. Much of the work was drudgery: monitoring posts to check that the members were abiding by the forum’s rules and that they were posting messages in the right section. Much of the time it was mere bureaucracy, mostly trivial and mind-numbing.
Second, the admin team was forever accessing the inner workings of the criminal websites. The digital trail it left behind on the Web was potentially much more visible than that identifying ordinary members, making them the primary target for cybercops.
This was paradoxical as it was ‘ordinary’ members who routinely made the most money from DarkMarket: the administrators would often assume the greatest risk for the least financial reward. Over a three-year period JiLsi and Matrix made a paltry amount of money, while Master Splyntr only charged for the upkeep of the servers, focusing elsewhere on his spamming empire.
Then there was the intriguing character Shtirlitz, who was there almost from the beginning. The nickname referred to the fictional Max Otto von Stirlitz. In the novels of Julian Semyonov, Stirlitz was a senior Nazi officer spying for Moscow during the Second World War. Characterised as the Soviet James Bond, Stirlitz became entrenched in Russian consciousness thanks to a series of popular films based on the books in the 1970s. Quiet, but with devastating good looks, Stirlitz remains a powerful patriotic symbol in post-communist Russia for his immense courage, intelligence and unswerving commitment to the motherland.
So we know Stirlitz the Soviet spy, but who was Shtirlitz the carder (who transliterated his name into English from Russian, hence the extra ‘h’)? Was he an agent for the KGB too? Or perhaps a double agent, working for the Feds or the Secret Service? Or was he a master carder? One member of CarderPlanet who had met him described him as being ‘Aryan-looking and in his late twenties’. He regularly purchased counterfeit passports and at one point lived in Prague, the capital of the Czech Republic. On CarderPlanet he was described as ‘a good guy and reliable’, but later on other carders began to suspect that he may have emulated his fictional role model by morphing into one of America’s most experienced law enforcement officials.
Whatever his true goals as one of DarkMarket’s senior members, he was omnipresent but silent, logging relatively little activity. Likewise, a latecomer to the administration of the board, Lord Cyric appeared not to be involved in buying or selling at all. Each was too busy keeping everything afloat, while basking in their status as legends among the fraternity.
Equally, though, each harboured his own secrets, and some were not at all what they seemed.
Ironically, the one who took his personal security most seriously was in some respects the most transparent. This was Cha0. The Turkish criminal had come to the carding boards relatively late in the day. Unlike the rest, he was not a veteran of Shadowcrew or IAACA, but appeared out of nowhere in early 2006 as the owner of a board called crimeenforcers.com, an elegantly designed site that offered aspiring cyber criminals all manner of back-up services. It was especially notable for its animated tutorial lessons featuring a cartoon version of Cha0, walking the viewer through the finer points of carding.
Cha0 used DarkMarket to promote crimeenforcers (paid advertising was an important revenue stream for the boards) and his ubiquitous presence and relentless business transactions were soon translated into real influence. He joined DarkMarket in February 2006 and within seven months was appointed one of the bosses.
Unlike his colleagues, he was that rare breed, a geek with a brilliant criminal mind. His motivation for accepting the top role was simple – he could use it to advance his enterprise as a distributor of the accessories needed to perpetrate economic crime, such as ‘skimmers’ – machines that could read, store and transmit a victim’s credit-card data.
But, as with the other leading figures on DarkMarket, Cha0’s story eventually turned out to be more byzantine than that – appropriately enough, for a resident of Istanbul.
Leaving aside the anomaly of Cha0, the most successful thieves on DarkMarket did not help manage the site. They were men like Freddybb and Recka, the carders from Scunthorpe and Sweden, who just dropped in now and then to conduct business and then disappeared for days, weeks and even months. Law enforcement across the world has arrested a much higher proportion of geeks than it has hardened criminals in its cyber operations.
As they slaved away at their PCs, the four senior managers were collectively responsible for four main tasks. Protecting the website’s servers and general maintenance were the responsibility of Master Splyntr and Matrix001. The quotidian threats to the site came not from law enforcement, but from DarkMarket’s rivals and enemies elsewhere in criminal cyberspace, such as Iceman. Splyntr, Matrix and JiLsi would sigh whenever there was a dust-up between members. Splyntr became accustomed to a pattern, if a little weary of it. One carder would accuse another of some transgression, possibly baseless, possibly true. The accused would throw his toys out of the pram and before long the injured party had marshalled a botnet in order to launch a DDoS attack. Tens of thousands of computers under a single Command and Control machine would request access to DarkMarket and the site would go down. If it had been in the physical world, Splyntr muttered to himself, you’d just go beat the bastard up. But in cyberspace you have little choice except to close the site down, wait for the attacker to calm down or negotiate some sort of agreement.
As a consequence, the administrators had to monitor all the conflicts brewing between members and try to defuse them before they erupted. Your average cyber criminal has the manners of a chimpanzee and the tongue of a Sicilian fishwife. Anonymity breeds an intrinsic lack of trust across the Internet, and the criminal world is especially susceptible to this because of the potential threat from the police and from the perceived invulnerability conferred by the user’s anonymity. So the insults on forums like DarkMarket escalate swiftly into open verbal warfare. Herein, incidentally, lay one of the trump cards held by police investigating cybercrime – in a community riven by a variety of suspicions, a skilled reader can manipulate disputes to his own advantage.
The admin team naturally decided the fate of members’ status within the DM hierarchy. The four would go into a private conclave – a forum to which only they had access – to discuss whether, for example, a salesman of stolen credit cards had a sufficiently reliable record to be awarded the coveted title of Reviewed Vendor, which enabled him to sell cards without restriction through DarkMarket.
Naturally the administrators were also permanently scanning for the presence of cybercops, not to mention the ‘scumbags and rippers’ – those criminals who refused to adhere to the rules of the underworld.
Spotting ‘rippers’ was also a key part in the admin’s third and most vital job – operating the escrow service to ensure fair play in the realm of the unfair. As with the original carding site, CarderPlanet, the successful management of escrow was a critical factor in transforming DarkMarket into the pre-eminent criminal website of its day. JiLsi ran the escrow, but the most important arbiter of the service was Cha0.
Finally, the administrators had to keep a sharp eye out for anyone using the site to distribute child pornography or to sell and buy drugs and weapons. This was not born of moral indignation, but of the belief that the police would be less energetic in their pursuit of the site if they restricted themselves to carding and identity crimes.
The first half of 2006 had been a mixed time for Renu. The bad luck had started in February. He had walked out of the Java Bean café following a hard day’s work and headed for a night on the Martell and crack-pipe. The next morning he woke to find his invaluable memory stick was not in its usual place, nestling close to his chest. He had left the damn thing in the café!
He was seized by panic. When he walked into the Java Bean he went straight to the manager to enquire whether anyone had handed it in. The manager shook his head. ‘You’ve just lost me a quarter of a million pounds!’ screamed Renu, temporarily forgetting that he alone was responsible for the catastrophe. He was less worried about his own limited funds than about the money and data that he was holding in escrow.
Over the next few weeks JiLsi mounted a damage-control operation. He had to reassure DarkMarket members who had placed their trust in him that their security had not been compromised. Meanwhile, in the real world, Renu struggled to meet the payments on the mortgages he had taken out on dingy properties across north London. DarkMarket was prospering, but JiLsi was not enriching himself. On the contrary, he was sinking into debt and approached some ‘friends’ for a loan. Being a fugitive in cyberspace was no preparation for coping with this more traditional ‘underworld’.
Even after the loss of the memory stick, Renu continued to devote himself selflessly to DarkMarket and its progress. But the stress of running the site was overwhelming him. Above all, he realised that DarkMarket and CardersMarket were now engaged in a fight to the death. The website was vulnerable, but JiLsi was even more vulnerable still, and sometimes he felt extremely weary of the whole affair.
Iceman upped his attacks, raining down DDoS assaults and throwing at DarkMarket any other digital weapon that he could lay his hands on. Carders around the world lined up behind one or other of the sites, arguing that the opponent should give way and allow one megasite to dominate. This indeed was Iceman’s central argument: competition in this instance did not increase efficiency; it only led to acrimony.
By September 2006 the relentless attacks were driving Renu to despair. His dependency on crack cocaine was also becoming marked at this time, a dangerous development both for his own security – not to mention his health – and for the security of DarkMarket itself.
He decided to discuss the attacks on DarkMarket with Master Splyntr, who was at this time a moderator, two rungs below JiLsi, the key administrator. For a long time Master Splyntr had been arguing that JiLsi should allow him, Kaminski, to take over the servers. Kaminski argued that he had a much better security arrangement in place and, if he were to take over, it would relieve the pressure on JiLsi.
Master Splyntr was JiLsi’s reserve choice. He had asked Cha0 first but the Turk had dismissed the offer, doubtless not enthused by the thankless work involved in maintaining servers. Nobody else would commit and so JiLsi felt he had no choice but to invite Master Splyntr.
Kaminski received the call at about 11.30 in the evening in early October 2006. ‘My servers are ready, JiLsi,’ he said. JiLsi hesitated no longer, happy at last to relinquish responsibility for his vulnerable servers, ‘Okay. Let’s move!’
Perhaps anticipating their irritation, JiLsi didn’t consult his fellow administrators when handing over control of the server to Splyntr, although in the event none of them seemed to object. They were quickly convinced of its wisdom – Splyntr proved a more efficient manager of the service than JiLsi.
Kaminski was as good as his word: his servers were effective and secure. Not only that, but when anyone tried to discover where the DarkMarket servers were really located (whether fellow hackers, law-enforcement, military or intelligence services), they could not track them beyond an anonymous server in Singapore.
Master Splyntr was appointed administrator. Traffic through the site began to grow again. Every time Iceman hacked DarkMarket and destroyed its database, Master Splyntr would have it back up and running within twenty-four hours. And although Iceman was unquestionably the most gifted technician in the game, his arrogance had alienated hundreds of carders. DarkMarket grew ever stronger and nothing, it seemed, could stop its rise to the top. But Iceman still had one last throw of the dice.
18
SUSPICIOUS MINDS
Iceman’s outer calm belied his absolute fury. He had lost track of time. It might have been three in the morning; it might have been three in the afternoon. But when engaged in a major hack that can take hours and hours, it was easy to become disoriented. For the most obsessive hackers, time and place evaporate. When the fury descended on Iceman, there was no real world – only the bidding of Nemesis, the goddess of retribution, mattered.
She now appeared in several forms. The first was El Mariachi, an embittered carder whose website, The Grifters, Iceman had destroyed. El Mariachi was shouting from the digital hills that he had incontrovertible proof of Iceman’s real identity as an FBI collaborator. His accusation was echoed by Lord Cyric, El Mariachi’s lapdog, constantly yapping and growling across the carding boards. Like many others, Iceman detested Lord Cyric.
Vitriolic accusations were hurled from one carding site to the next. It was the equivalent of a war between several mafia clans except that nobody really knew who belonged to which family, who was an informer and who was a Fed. It was chaos.
But when Iceman discovered what he then believed to be the truth, he sat almost dumbfounded in his comfortable apartment in the centre of San Francisco, paid for by Jeffrey Normington and another partner, in exchange for a regular stream of stolen credit-card numbers. From here amidst the stale pizza crusts and Coke cans, Iceman would administer CardersMarket and obsessively hack other carding sites. In October he had succeeded in hacking the very heart of DarkMarket’s servers.
He started examining all the administrators’ traffic and then spotted some IP addresses that looked odd. Anyone can look up IP addresses and see where they are located – which company or individual is associated with them, and the name of their parent Internet Service Provider. One was registered to a company called Pembrooke Associates. Iceman looked high and low on the Web for information about the company, but there was nothing except on a website listing businesses. Here was the company name and a phone number. He then performed a reverse search on the phone number and found its associated address: 2000 Technology Drive, Pittsburgh, PA.
When he read the address, it was enough to make even Iceman shiver. He had come across it only a couple of weeks earlier, after one of his colleagues on CardersMarket had found a template document on a website, which included the acronym NCFTA and that same address in Pittsburgh. When Iceman looked up this organisation, he discovered it was the National Cyber Forensic Training Alliance, a quasi-governmental body that assists a variety of US law-enforcement agencies in their work on a broad range of cyber-security issues.
Deep in his virtual existence, Iceman suddenly felt the chill touch of the real world. He had always suspected that law enforcement was lurking around every corner, but this was unambiguous – he was convinced that it could not be a mistake. Having believed for many months that he was untouchable and the man controlling the carding community, Max Vision was suddenly worried.