by Misha Glenny
Cha0’s reputation as a scrupulously honest escrow broker was built on his success as a wholesaler of skimming machines. Everybody trusted him. He, by contrast, trusted no one. He never gave away his IP address; he never sent a message that might implicate him in wrongdoing without encrypting it; and nobody could locate him digitally.
Accepting that Cha0 had created a black hole in cyberspace where he was safe and invisible from the cops, Bilal Şen decided he would have to rely on more traditional policing methods to track down his suspect – the ‘plod’ factor has proved surprisingly important in the work of cybercops.
29
SOFTLY SOFTLY
Istanbul, Turkey, 2008
Still anxious that Cha0 might enjoy protection from above, Bilal Şen nonetheless persevered with his investigation. He promised to maintain close contact with Agent Mularski in Pittsburgh once he had returned to Istanbul. They had discussed the possibility of requesting the use of Cha0’s Escrow Service on DarkMarket to see if they could smoke him out that way, but quickly concluded that this was too laborious and unlikely to yield results.
The other thing they knew about him, of course, was that he traded in skimmers. Digitally he was impossible to track down. But if Cha0 was selling these skimmers, Bilal reasoned, there were two weak points to his operation – their manufacture and their dispatch.
Skimming ATMs was becoming such a popular sport in Turkey that ever more police officers were now schooled in how to spot them, once they had been put in place. Many of the devices were shoddily built and installed by amateurs. But flicking through the arrest and confiscation reports, the Inspector had observed that in some areas their design and style were not only improving, but it appeared that they were being manufactured in large numbers. Somewhere there must be a factory. Intelligence alerted Şen to the possible presence of skimmer factories in Romania and Bulgaria, so he sent out assistance requests to their respective police forces. The other possibility was that Cha0’s operation was masquerading as a legitimate business and ordering them from licensed manufacturers of card readers inside Turkey.
Once he had acquired the skimmers, Cha0 would somehow have to distribute them. Mularski and Şen had uncovered some evidence suggesting that his products were going as far abroad as the United States, New Zealand and South America, and that some were bulk purchases. In that event, he was unlikely to be using personal couriers. Given the numbers he was beginning to shift, this was probably prohibitively complicated. Bilal pondered the reasons for the increase in productivity, but drew a blank.
He was unaware that one year earlier, in the late spring of 2007, Cha0 had fallen out with Dron, the Canadian skimmer specialist whom the Secret Service and Detective Spencer Frizzell of the Calgary Police were preparing to arrest. Cha0 claimed that Dron was ‘a difficult character’ who irritated his customers and had therefore sullied the good reputation of DarkMarket. The many positive messages about Dron’s service suggested that Cha0’s motivation may have been different – certainly other carders on the board maintained that Cha0 had deliberately targeted Dron for his own reasons.
About a month before the young Canadian skimming expert and salesman was picked up by Detective Frizzell, Cha0, using his position as administrator, announced that Dron would be excluded from DarkMarket and would not be allowed back. Cha0 could now activate his plan to dominate the skimming market and move into action.
DarkMarket had provided a vital platform for Dron’s wares – a large number of his devices were sold to carders who had spotted his paid adverts on the board. DarkMarket was also used as the primary advertising vehicle for CrimeEnforcers.com, through which Cha0 was selling his own skimmers. Cha0 also offered packaged solutions to wannabe cyber criminals, including training, manuals and all the equipment needed for a start-up operation.
But once he had removed Dron from the equation, he changed his business model: interested parties were no longer at liberty to purchase his skimmers; they had to hire them instead. Cha0 would send them out, but with a little added modification.
After Dron’s expulsion, Cha0 was in a position to jack up the unit price of the skimmers – from now on they would cost $7,000 to hire, up from $5,000 to buy. For this, clients would receive a PIN pad along with the skimmer. They would install the skimmer on the mouth of an ATM and lay the PIN pad over the existing one. When bank customers inserted their cards and typed in their PINs, these were both recorded on the fake pad and the skimmer. The two fraudulent devices would then be detached and Cha0’s client would download the information onto a computer using a USB lead.
With Dron’s skimmers, the client would then be able to use that information to obtain funds fraudulently. But with Cha0’s skimmers, the data downloaded onto the computer was encrypted. The only person who possessed the key to decrypt this information was . . . Cha0. So the youthful criminal who had so painstakingly placed the skimmer and PIN pad onto the ATM could not simply go out and clone credit cards himself – he would have to send the information back to Istanbul. Cha0 would then organise the cash-out. Once he had the money, he would then send a cut to the client who had actually done the hard work. He was effectively renting out his skimmers – a much more profitable strategy than Dron’s outright selling.
This was a daring business model within the world of cyber criminality. If it succeeded, Cha0 stood to make untold sums, creaming off a huge percentage of illegal skimmer transactions around the world. All he had to do was maintain his supply of skimmers and ship them forward, without being detected. Not beyond the wit of man. Obviously there might come a time when a competitor might seek to undercut his strategy, or indeed return to the old-style simple sale of skimmers. But until then, by controlling the most influential board in the English-speaking world, Cha0 could enjoy the high life. And enjoy it he did.
By 2008 Istanbul was well on the way to becoming the city with the highest growth rate in the world. The population had been rising almost uncontrollably for fifteen years and it was now home to about fifteen million people, an estimated two million of whom were unregistered migrants, not just foreigners, but Turks and Kurds from Anatolia who were streaming into the city that straddled the mighty Bosphorus, the grand body of water separating Europe and Asia.
In contrast to many cities in East Asia, notably in China, Istanbul has not achieved this phenomenal and invigorating growth at the expense of its glittering legacy. History inhabits almost every building. Everywhere reveals the rich traditions of more than a millennium of Byzantine history and 600 years of Ottoman grandeur – two of the most magical, violent, successful and awe-inspiring imperial constructs of all time. Contrary to popular imagination, for much of its history the Ottoman Empire was renowned for the tolerance that its rulers displayed towards the three ‘Peoples of the Book ’, Jews, Christians and Muslims. Its reputation for violence originated in the bloody massacres of its distant past, only to re-emerge during its slow demise in the nineteenth and early twentieth centuries.
In the Turkish republic that arose from the ashes of Empire after the First World War, Istanbul had experienced some depressing times: first, when its status as the country’s capital was lost to Ankara, an Anatolian upstart to the east; and later, during the Cold War, when a merciless military sought to suppress the city’s independent spirit. Its infrastructure began to crumble and people actually started moving away, its population stagnating at about two million. But since the early 1990s Istanbul had been making swift strides towards regaining its place at the top table of the world’s most dynamic and intriguing cities.
Crowded, noisy and exuberant, with economic activity flying back and forth between its European and Asian sectors, Istanbul could sometimes feel suffocating, as tens of thousands of rickety cars and trucks plied their way across its two continental bridges. On the European side, the traffic shuffled at a snail’s pace around Taksim Square or along Dolmabahçe, the former imperial garden
s, which looked across at Asia. Even when the weather was cool, the dust kicked into the back of the throat. But in the last decade, the city has been brimming with possibilities – artistic, commercial and political – and there can be few greater pleasures in life, at the end of a hard day’s work, than taking a ferry from Europe while staring at the Bosphorus and heading for a scrumptious meal in Kadıköy on the Asian side.
For all the fears that the ruling AK Party might represent a fifth column of Islamic fundamentalism, since it came to power Istanbul’s youthful middle class has seized economic opportunity with both hands and begun to create successful manufacturing, design, high-tech and service companies that compete with the best from Europe, America and Asia.
Of course, policing the city is a complete nightmare, especially since few inhabitants have any trust in a force that for many decades was a key symbol of the repressive state apparatus.
New crimes engendered a new breed of cop, and Bilal was not associated with any of the old traditions of the Deep State, nor had he antagonised any especially powerful people, so he was welcomed in Istanbul when he arrived from Turkey’s capital, Ankara, aiming to discover the distribution network for Cha0’s skimming operation.
This being Istanbul, however, Inspector Şen was looking for a needle in a haystack. Legal, semi-legal and illegal export/import had for centuries been a trademark of the city’s economy – shifting goods out and bringing them in. Since the 1960s vast quantities of white goods had found their way to Istanbul through the Balkans from Germany, where some two million Turks had migrated since the 1960s as Gastarbeiter. But the volume of this trade had gone through the roof since the collapse of the Soviet Union: new markets had opened up in Russia, Ukraine, the Caucasus and in several Central Asian republics with their Turkic languages.
But Bilal had to start somewhere and so he chose the three biggest shipping firms in the city. First, he and his assistants spent half a day training the staff of the courier companies in the art of spotting a skimmer. They are most often registered as spare parts for vehicles or as machine tools. The staff were given skimmers to handle, to get used to their weight and shape.
Unproductive days went by and Inspector Şen decided he should return to headquarters in Ankara. Weeks passed and he began to experience a familiar despondency. But then, just over a month later, some good news came through from Istanbul – a man had entered one of the shipping companies with a package bound for Finland. It turned out to be a skimming device. The receptionist was calling from the back office with the news that the package had also included a PIN pad.
‘Bingo!’ thought Bilal, telling the receptionist to let the sender go: they had already captured his image on CCTV. After many months the Inspector had at last hit upon a lead. Unsurprisingly the man had used a fake ID, but then Bilal got a second break. The suspect had also given the courier company three phone numbers – and one of them was a real. They checked the name to identify the legal owner of the phone: it didn’t seem to belong to a criminal. But they monitored the mobile number, and the man with the package was using it – the phone was active.
‘This might be the guy who will lead us to Cha0,’ thought Bilal.
But he was faced with a dilemma. It was at about this time that the news organisation, Haber 7, published the photograph of the humiliated hacker, Mert Ortaç, and pressure was ramping up both on the Istanbul police, who were tasked with finding Ortaç, and on Bilal, whose primary target was Cha0. Bilal had to speed things up, but he knew he must not allow impatience to jeopardise the operation.
By abducting Ortaç, Cha0 had betrayed anxiety and vulnerability for the first time. But why had Ortaç’s revelations in Haber 7 so unsettled him?
Cha0 knew that Ortaç was Turkish. Cha0 also seemed to believe that Ortaç was a police informant. Furthermore, he had worked out that Ortaç was on the run and in a state of fear. If the police had picked him up before Cha0 did, there was a real risk he might start blabbing.
But who on earth was Mert Ortaç and how had he become involved in this extraordinary criminal affair? It had all begun the previous spring when, unbeknownst to Ortaç, Matrix and JiLsi were about to be arrested, marking the end of Phase I in Operation DarkMarket and the beginning of Phase II.
Part III
ORIENTATION
Within a year DarkMarket had taken me a long way from the headquarters of Google to a restaurant in Cihangir, the chic district just below Taksim Square in European Istanbul. Opposite me danced the effervescent smile of Mert Ortaç. After spending several hours in his company, I concluded that the adjective ‘mischievous’ had never fitted anything on this earth as snugly as it did Mert.
During one lazy dinner in Kadıköy, my friend, Şebnem, and I had our iPhones lying on the table. Suddenly, they alerted us to the simultaneous arrival of text messages. My message had been sent from Şebnem’s phone. Şebnem’s from mine. Both read, ‘Greetings from Mert!’ As we read the texts, Mert’s bubbling laughter burst from across the table, along with an explanation that he had successfully hacked the international roaming system. As a result, he continued, he was in a position to send a message from any mobile phone in the world to any other – in the wrong hands (like Mert’s), such a skill could turn life into an endless series of Shakespearean plots based on misunderstandings, both tragic and comic.
I had been corresponding with Mert while he was in jail, from where he had sent me snippets of a tale that outdid all other DarkMarket legends in its sheer invention. Whereas I was conscious, when talking to most other characters involved in DarkMarket, that they were holding things back, Mert was overflowing with information, anecdotes and mind-boggling stories.
It is critical that hackers, cyber criminals and cybercops maintain a full grip on their compartmentalised lives – they must know the boundaries between the real and virtual, and they must be able to disengage as they move from one life to the other. Mert had utterly failed to identify in his own mind when he was speaking the truth and when not.
Life would have been incomparably easier if Mert had been an unashamed fantasist who simply talked nonsense. Tracking down the hackers, members and cops associated with DarkMarket was among the most enervating experiences in my journalistic career. But nothing was quite so exasperating as the attempt to establish the veracity of Mert’s story. Actually, that is not quite accurate: much of his tale turned out to be true and verifiable in essence, but embellished at times with such frills and twirls that it was transformed into something quite different. Bizarrely, when Mert told straight untruths, they often related to the most mundane matters that were the easiest to check. He told me boldly, for example, that he was born on 10th April 1982. In fact, he was born on the same day four years later.
In the following chapters I tell Mert’s story largely as he told it to me. But there are two key moments when his narrative simply doesn’t add up, where I am unable to confirm his claims; indeed, in the first instance, one of the main characters flatly denies Mert’s version of events. When we arrive at those moments, I will alert the reader.
The ultimate test of Mert’s credibility lay in his answer to the question that has vexed many aficionados of the cyber underground since the inception of DarkMarket. Who was Lord Cyric?
30
THE DREAM WORLD OF MERT ORTAÇ
Istanbul, Turkey, May 2007
Mert Ortaç drew in his breath as he was shown into the drawing room of the opulent guesthouse. The room reminded him of the Sultan Suite at the Çirağan Palace, the late nineteenth-century masterpiece built at the behest of his imperial highness, Sultan Abdülaziz, and acquired more recently by the Kempiński hotel chain. Swirls of gold leaf adorned the sofas and chairs, while the wallpaper, with its Arabic patterns, glittered as it caught the sun.
In fact, the Çirağan Palace stood only 800 yards away from the guesthouse, which was itself sealed off in a heavily guarded compo
und. Agents stalked the environs and scowled at anybody with the temerity to try to park there. Set at the very edge of Beşiktaş district, the mansion stared imperiously from atop a hill in Europe, across the Bosphorus Straits to Asia. Most surprising was that the drawing room, into which they had shown Mert, boasted no portrait of Kemal Atatürk, modern Turkey’s revered founder. Portraits of Kemal are de rigueur throughout Turkey, and not just in private and public offices: they will often be found in every room of a building. Not in this room, though, despite this being the guesthouse at the Istanbul regional headquarters of the Milli ˙Istihbarat Teşkilati (M˙IT), Turkey’s National Intelligence Agency.
In most anxiety-inducing situations, Mert would react either by giggling gently behind his infectiously mischievous smile or he would cut and run. On this occasion, neither was appropriate. Mert was transfixed by the elegant waiters as they served tea and coffee. Above all, the image of their immaculate white gloves as they placed the refreshments on the table in front of him stayed in his mind. He felt a surreal sense of well-being and controlled excitement. But this did not last long.
Accompanying him was a colleague from the Senior Sciences Technology Institute, but Mert did not know the three others who greeted him. Once the waiters had silently withdrawn, these men turned their attention to Mert. ‘We wish to ask you a few questions,’ one of them began. Then they placed a digital recorder on the table in front of him.
