DarkMarket
Page 24
The thugs finally went to sleep, except that one was always awake to ensure that whenever Mert nodded off, they could rouse him with a shower of kicks and punches.
At midday on Monday, Şahin called, and Çağatay placed him on speaker phone. By this time Mert’s will had been broken. He assumed he was going to be killed. He was not surprised when Şahin told him to repeat everything he had already said. It was all filmed. At the end, Şahin spoke. ‘Okay, now is the time for your punishment,’ he said without irony, ‘I want you to do everything that Çağatay tells you to do and I will judge the outcome.’
Çağatay told Mert to stand up and strip. Fearing that he was about to be gang-raped, Mert finally snapped. ‘Oh, for God’s sake, just put a bullet through my head,’ he pleaded. ‘What the hell do you think you are doing with me?’
‘Shut up,’ Çağatay retorted. ‘You’ve got nothing to worry about. We’re not a bunch of shirt-lifters. Keep your boxers on and accept your punishment!’ On the phone to Şahin, Çağatay now scrawled the infamous piece of paper that branded Kier or Mert Ortaç a traitor and a snitch. This is how the myth of Kier was established. The journalist from Haber 7 had found Mert’s name on a website alongside the nickname ‘Kier’. In fact, Mert had never, and would never, use this name – his real nick was SLayraCkEr. But after Çağatay took the photograph, journalists, police and carders around the world would refer to Mert Ortaç as Kier, even though he had never been called that in his life.
After the photo session, Mert was thrown down onto the floor again and the blanket was tossed over him. ‘Stay here for half an hour and then you can leave,’ Çağatay said. ‘We are leaving you your clothes and we won’t touch your money. You can also have one ID. From now on – for the rest of your life – don’t even think of writing the name Cha0, because if you do, I’ll have my hands round your neck before you take another breath.’ Finally Çağatay could not resist adding a personal note, ‘If it had been up to me, I would have killed you here and now. But the man likes you. Be grateful and keep your mouth shut.’ (Çağatay himself considered any idea that he might want to murder someone like Mert – a little squit in his eyes – laughable.)
Half an hour later the battered Mert Ortaç, with just fifty dollars in his pocket, stumbled out of the apartment and headed for the national bus station, from where he caught a ride to the town of Izmir. Here he would lick his wounds and wonder what on earth he should do next. It was obvious: he would go underground. Mert disappeared for the last time – until he was arrested many months later while applying for a passport under a different name in November 2008.
Further strange tales inhabit Mert’s dream world – neither reality nor fantasy – but, for our purposes, this is where it ends.
34
TURKEY SHOOT
Before Mert was finally arrested, Inspector Bilal Şen had no idea whether the hacker was on the run, still a prisoner or simply dead. He did know, however, that time was not on his side. The only option open to the officer was to continue to track down Cha0 as efficiently and patiently as possible. At least he now had a photograph and a number for the man sending the skimmer, and he was convinced that this would eventually lead him to Cha0. Because the henchman who had delivered the skimmer was using one of the phone numbers that he had registered with the shipping company, the police were able to ‘triangulate’ the suspect – in other words, they could spot which cellphone masts the device was accessing. They soon had an accurate idea both of where he was and of the pattern of his movements.
Before long they had a second sighting and were able to put a tail on him. Sure enough, within a matter of days the man had led them to a villa in Tuzla, a distant suburb of Istanbul that lay about fifteen miles down the Asian coast. Home to one of Turkey’s largest naval bases, this area, once famous for its fishing, was one of only a handful in the city that had not been completely dominated by new buildings. With its spacious houses with their colourful exteriors, it was a highly sought-after neighbourhood, peopled largely by wealthy families.
The suspect led them to a luxury villa complete with outdoor swimming pool. After days of observation, the surveillance team had ascertained that several men were living in the villa. But it did not take Bilal long to establish who was giving orders to the team. Going through criminal records, he soon identified him as one Çağatay Evyapan.
At college a gifted student of electrical engineering, Çağatay now had real form. He had first been arrested on fraud charges in 1998. Two years later came his biggest miscalculation when he and his collaborators were caught red-handed using cloned white plastic credit cards to extract cash from ATMs in the port of Izmir. After having served five years of a twenty-seven-year sentence, the prospect of further incarceration was too much for him. And so one day in May 2005 Çağatay went over the top of his prison walls and off the radar. He was less a fugitive and more a ghost.
He blamed his arrest in 2000 on the men with whom he was working – something he was determined not to allow again. If you want something done properly, ran Çağatay’s basic philosophy, do it yourself.
Naturally he understood that during his five years in prison the cyber world had undergone significant changes. He knew all about Moore’s Law, which predicts that the number of transistors that may be placed inexpensively onto an integrated circuit will continue to double every two years until roughly 2015. Translated into real life, that law means that every year gadgets get funkier, computer programs more complex, hacking tools more devious and the rewards correspondingly more juicy. And so he set about adapting to the new circumstances.
First, he needed a new cyber identity. Çağatay disappeared for almost four years, his name being replaced on his passport with the name of one his subordinates, the bodyguard Hakan Öztan, and in the ether by Cha0 (pronounced like the Italian greeting). He had been using the first syllable of his name and the figure zero since he first graced the BBS boards in the early 1990s. At that time, Cha0’s exceptional security system had ensured that nobody could identify him. In public forums like CrimeEnforcers and DarkMarket, Cha0 sold skimmers. In private, he sold impenetrable security systems for computer users who really did not want their identity revealed.
But now Bilal had stumbled upon him. However, it was one thing spotting Cha0’s location. It was quite another gathering the requisite evidence to build a case against him. Turkey’s judges and prosecutors are even less acquainted with the Internet than their equivalents in Western Europe or America, and already the city had spawned several high-profile, expensive defence lawyers who were quickly learning how to exploit that ignorance for the benefit of their clients and their own bank balances.
Çağatay was enjoying his summer – he was a convivial chap who liked to step out with his friends. He often escorted beautiful women, including, it was rumoured, one daring member of the Saudi royal family. He liked expensive drinks, fine dining and attending parties on yachts, and over the years had put on some weight. Money appeared to be no object in the pursuit of his fancy lifestyle.
Bilal put tails on Çağatay’s various co-workers – the evidence was mounting that Cha0 was not just Çağatay Evyapan, but a well-oiled criminal syndicate. This was organised crime, not some script-kiddy hacking servers for the first time. As such, it was evidence of a growing trend around the world. For a long time traditional organised-crime syndicates regarded fraud on the Web as crime-lite and scarcely worthy of their attention. That was now beginning to change. Cybercrime was becoming more systematic, more efficient and more security-conscious as it moved out of its original incubator, where mischievous geeks giggle and play, and into the more adult realm of real mafia structures. By implication, Bilal’s quarry would have correspondingly greater resources and so building the case required close care and attention, if the Inspector were to avoid being tripped up in court.
The cops duly gathered evidence, and of course Keith Mularski and C
ha0 were still fellow administrators on DarkMarket. The operation lasted a full five months, as Bilal stored tiny scraps of evidence day by day. He ascertained that Çağatay’s group of intimates was relatively small and that his security was military in its precision. But along with those scraps, which might link Çağatay with any crime, Bilal had a second agenda: he was still trying to establish whether Çağatay had someone on the inside – while praying that he didn’t.
In late August Çağatay disappeared. Panic spread throughout the team that had been tracking him. Nonetheless, the journalist with Haber 7 continued to receive messages, not from Cha0, but from a certain Yarris, who seemed to have an intimate knowledge of Cha0’s activities. Mercifully for Bilal, Cha0 turned up in Istanbul as unexpectedly as he had departed. Nonetheless it was a warning as to how precarious the situation was, and Bilal made the decision to move on him in early September.
Back at the villa in Tuzla, surveillance had identified that one of the residents would go out every few days or so to fetch provisions. On 8th September out he came. Bilal Şen was back in Ankara, biting his nails as the SWAT team surrounding the building relayed to him all the events minute by minute over the phone. Then, as the shopper returned, they swooped – crashing into the villa and pinning down four other men on the floor. Around them were countless computers and dozens upon dozens of skimmers, moulds, PIN pads, POS devices and lots of cash. The raid was a triumph – nobody was hurt and all the suspects were arrested.
Strangely Cha0’s arrest had been anticipated a few days earlier on the message boards of Wired magazine after one of the journal’s writers had posted a story about DarkMarket on Wired’s website. One of the comments placed at the bottom came from somebody purporting to be Lord Cyric, the DM administrator. He claimed to be in direct touch with Cha0. And he added cryptically that some of Cha0’s subordinates might see the inside of a jail, but Cha0 never would.
Farewell, Cha0?
35
THE DEATH OF DARKMARKET
Whoever Cha0 really was, the unexpected arrest of Çağatay Evyapan appeared to sow panic among his fellow administrators on DarkMarket. On 16th September 2008, less than a week after the bust in Istanbul, Master Splyntr announced on the DM website that the police successes were fraying his and his fellow administrators’ nerves. It was a burden they no longer felt able to shoulder:
It is apparent that this forum . . . is attracting too much attention from a lot of the world services (agents of FBI, SS, and Interpol). I guess it was only time before this would happen. It is very unfortunate that we have come to this situation, because . . . we have established DM as the premier English speaking forum for conducting business. Such is life. When you are on top, people try to bring you down.
In the space of a week the premier criminal website of the English-speaking world was dead. Its followers were distraught. ‘DarkMarket was our bridge to business, and if that bridge is broken . . .’ lamented a member named Iceburg, posting on Wired magazine’s website. ‘Long live cashing and carding. Short live all the RATS and FBI and all stupid secret agencies who are not just ruining our lives and families, but are destroying everything we left behind.’
It seemed as though the cybercops had won. This being DarkMarket, though, the story wasn’t quite so simple.
Part IV
36
DOUBLE JEOPARDY
Stuttgart, September 2007
Officer Dietmar Lingel was pleased with his work. A week earlier his boss had given him the logs from the Canadian webmail provider, hushmail. This email system was supposedly watertight – nobody could read your correspondence if you were using hushmail. This was largely true, but by 2007 the company had caved in to pressure from the Canadian police and afforded the cops access to log records. These revealed to an investigator which IP address had been logging on to a particular email account. And the RCMP had passed the logs for two accounts, auto432221@hushmail.com and auto496064@hushmail.com, to Agent Mularski of the FBI.
Back in May 2007 Matrix001 had sent Keith Mularski a redacted version of the anonymous email he had received warning him that he was under surveillance by the German police. Mularski’s initial reaction was to assume that his colleagues at the US Secret Service were responsible for the leak. At the time, the Feds and the Secret Service were running competing operations into DarkMarket, multiplying the possibility of a security breach out of either incompetence or malice. But at least three overseas police forces knew about Matrix: the British, the French and, of course, the Germans.
Nobody from the police underestimated the importance of the emails. Along with the possible existence of a mole was the equally disturbing idea that someone had hacked into the computers belonging to one of the investigating units. Operation DarkMarket had begun in earnest, but the busts of Matrix001 and JiLsi were just the start – the plan was to expand it over several years. The emails jeopardised the whole strategy built up over two years of painstaking work. The leak had to be stopped. The need to find the source became the topmost priority for the international investigation.
The arrival of the hushmail logs on Lingel’s desk meant that a detailed examination of the evidence could begin. As the technical specialist on the team who had investigated Matrix001, it was Lingel’s job to establish who had attempted to access those accounts at around the time that Matrix was sent them.
Lingel identified that one IP address trying to access the anonymous hushmail accounts came from the Stuttgart area. He discounted that one immediately – it was his own. After Keith Mularski had first alerted Stuttgart to the existence of the emails, Lingel had attempted to log onto the hushmail account using some standard passwords (such as admin or password) and others belonging to prominent DarkMarketeers that were already known to law enforcement. The other login attempts came from IP addresses in Berlin and elsewhere in Germany. On the morning of 12th September during a discussion with his head of department Gert Wolf, Lingel explained that they did not have a suspect yet, but they had succeeded in narrowing down the possibilities.
After lunch Wolf put his head round Lingel’s door and said they had to go and see their divisional chief. Lingel walked into the room to find a panel of senior policemen awaiting him, including an officer from the sinister-sounding Dezernat 3.5, the Stuttgart department for internal police investigations. Lingel was baffled and rather nervous. The officer suddenly announced, ‘Mr Lingel, we are placing you under investigation on suspicion of having informed a suspect that he was under surveillance.’
Lingel was speechless. Gradually shock gave way to anger. ‘There I was,’ he thought, ‘working all week with my boss to resolve this mess, and then he pops his head round the door after lunch one day and sinks a knife straight into my back.’
‘Look, Mr Lingel,’ the officer continued, ‘you’ve got two choices. Either you cooperate with us in this investigation or we are going to place you right now in investigative custody.’
Lingel agreed to cooperate. His chief explained that he must now take all his remaining leave, after which he would be suspended until further notice.
In his mid-forties, Lingel had an unconventional history. He was born in Windhoek, the capital of Namibia, which, as South-West Africa, had been one of the few outposts of imperial Germany during the colonial period. As a five-year-old he then moved with his parents to Cape Town, so he grew up speaking fluent English as well as German. He returned to his parents’ homeland to study, and after graduating joined the police. Here he progressed well through the ranks of the motorway force, while never finding the work particularly challenging.
As an amateur geek, he leaped at the chance to apply for a post in the Baden-Württemberg police in 2001. The Stuttgart headquarters needed somebody with experience of the open-source operating system Linux, to provide network security. Five years later he was permitted to migrate with his computer skills to the criminal-investigations departme
nt, where he was assigned to work under Frank Eissmann.
Matrix001 was not the only German identified by Keith Mularski as an active member of DarkMarket. The other two were Soulfly, real name Michael Artamonow, and Fake, real name Bilge Ülusoy. Initially, the State Prosecutor sought to indict Matrix001 on charges of forming a criminal conspiracy, but this required proof that he was working in cahoots with the other two.
For some reason, however, no investigation was ever launched into Fake and Soulfly, and this was partly responsible for a judge in October 2007 forcing the State Prosecutor to drop the accusation of conspiracy in favour of the lesser charges of credit-card fraud. Why they dropped the investigation into the presumed co-conspirators was just the first of several unanswered questions, which were to undermine confidence in the ability of the Provincial and Federal Police in Germany to investigate the case.
And the Baden-Württemberg police in Stuttgart had a lot riding on the investigation into Matrix001. Usually all communication in international cases like this would be filtered through Wiesbaden, but the chief investigator, Frank Eissmann, had persuaded his superiors that he should be allowed to talk directly to Keith Mularski, the FBI’s key man.
There were thus jitters aplenty when Mularski heard from Matrix001 that the German hacker had received a message from an anonymous hushmail account warning him that he was about to be busted. And police in London, Pittsburgh and Stuttgart were all praying that the source was not too close to their own home.
After Lingel’s arrest, relief spread among the investigators – it seemed as though they had their man. But in December 2007 Dezernat 3.5 sent Lingel a letter saying that there was no further evidence linking him with the email breach and that he could return to work the following month, at the beginning of 2008. However, he did not return to Department IV, which was handling the Matrix001 investigation. Lingel felt extremely bitter towards his immediate boss, Frank Eissmann, who had, it seemed, been partially responsible for pointing the finger at his subordinate.