by Misha Glenny
As the trial of Matrix approached in the late spring, the atmosphere in the Stuttgart police headquarters was gloomy and riven with discord. Unable to press charges of conspiracy against Matrix, the prosecution knew that they were unlikely to get a custodial sentence. Furthermore, they were back to square one in trying to ascertain who the source of the leak was.
Although Lingel was resentful at what had happened to him, his reassignment to Department I turned out to be perfectly palatable and his new colleagues’ behaviour towards him was exemplary. It was a relief and a welcome change after months of being viewed with suspicion.
Then, in May 2008, Lingel was placed under arrest again. But this time he was not accused of having written the emails to Matrix. Lingel was charged with having jeopardised the undercover identity of the FBI Agent, Keith J. Mularski.
37
ZORRO UNMASKED
Just as Matrix was standing trial in June 2008, a radio reporter, Kai Laufen, was flicking through a copy of the MIT’s[3] Technology Review when he spotted an article on cybercrime. Until this moment the investigative journalist from Karlsruhe in south-west Germany had no idea that it was becoming such a problem. He was intrigued and decided to discover the extent to which cybercrime was affecting Germany.
Cautious but thorough, Laufen began by researching the clauses in Germany’s penal code relating to computer crime. Once he had found them, he dispatched emails to about fifty district and municipal courts around the country asking whether they were dealing with any such cases.
He received only a couple of replies, but conveniently one of them referred to a case of credit-card fraud at a local court in Göppingen, a small backwater in Baden-Württemberg, just a short drive from where Laufen lived. A young man, Detlef Hartmann, was awaiting sentencing on thirteen charges of having used cloned credit cards.
The story didn’t sound particularly interesting, but Laufen decided nonetheless to contact the provincial police in Stuttgart, and before long the basics of cybercrime were being explained to him by Inspector Frank Eissmann. In passing he said that the FBI had assisted his Department IV in the investigation of Hartmann.
The day after Detlef received a nineteen-month suspended sentence on 2nd July, Kai wrote to him requesting an interview, sent quaintly by post rather than email. Detlef and his parents resisted the journalist’s first few attempts to talk to him, but after three months they relented, so in early October Kai found himself sitting opposite the young man over a cup of coffee.
Kai Laufen was no novice. Born in northern Germany, he was brought up partly in Brazil and spoke fluent Portuguese, Spanish and English. He had worked throughout South America and knew a thing or two about organised crime and gangsters. But now he could scarcely believe his ears as Detlef regaled him with the tale of Matrix001 and his adventures in a virtual world where everyone boasted peculiar names and communicated in a hybrid English – part gangster, part anarchist and part Tolkien – as they bought and sold stolen financial details.
Kai readily grasped the implications of this new style of wrongdoing. With the aid of the Internet, the perpetrators could commit crimes thousands of miles away, on a multitude of unknown victims who might or might not discover that their privacy had been violated and their money or identity stolen.
Yet if it was so foolproof, Kai wondered, how did Detlef manage to get himself arrested? ‘Simple,’ he replied, ‘one of my fellow administrators, who I worked with over many months, was an FBI agent. He was tracking me and he alerted the German police.’ The journalist thought the young man was perhaps exaggerating his own importance, so he asked him whether he had any documentary evidence to support that. ‘Yes,’ said Detlef, ‘I’ll send it to you.’
A few days later Detlef sent Laufen the prosecutor’s statement outlining the state’s case against the young man, written in the German language’s inimitable legalese:
As evidenced by the investigation dossier, this administrator who in the final analysis had complete control over all arrangements at least from June 2006 onwards was the FBI Agent, Keith Mularski, who had offered to host the server in order to gather more accurate information about the buyers and sellers. I refer here to the Case Document 148, File 1, in which Mr Keith Mularski informs the investigating officer of the Regional Police, Frank Eismann [sic], as follows: Master Splynter [sic] is me. That the user Master Splynter [sic] ran the server is proven by Case Document 190, Email from Keith Mularski dated 09.03.2007: He paid me for the Server.
Kai was startled. He read the key sentence again. Master Splynter is me. Not only was Detlef Hartmann correct that the FBI had been on his cyber tail, but the prosecutor’s office had named the agent and his alias. The game was up and he, Kai Laufen, had uncovered the truth about one of the world’s most prominent cybercops. Three months earlier he had barely heard of cybercrime.
When Kai called the National Cyber Forensics Training Alliance in Pittsburgh, he was put straight through to Keith Mularski, whose manner was, as always, most accommodating. But as the journalist read the sentence from the email – Master Splynter is me – there was total silence on the other end of the line. Keith knew he had been nailed. On the bright side, he had been nailed by a radio journalist in south-western Germany and there was an outside chance, even in the age of the Internet, that the news might not get much further than the borders of Baden-Württemberg. In his heart, however, he knew that it really was an outside chance.
Was this the famous leak again?
Kai Laufen was unaware that Stuttgart’s police Commissioner had for a second time sanctioned the suspension of Dietmar Lingel from the force. On this occasion, however, they suspected the officer of having intentionally fed Mularski’s name and alias to the prosecutor for inclusion in his outline of the case. Lingel’s aim, it was alleged, was to bring Mularski’s identity into the public domain as a way of discrediting the FBI. The motivation, the Commissioner claimed, lay in Lingel’s dissatisfaction with some of the policing methods involved in the Hartmann investigation.
The allegations against Lingel served to highlight fundamental differences in the philosophy of law enforcement in Europe and the United States. Europeans tend to shun sting operations as risky, as well as morally and legally questionable. The Americans by contrast use them frequently. There is an intense debate in America as to where a sting ends and entrapment begins. In Europe some police officers regarded the DarkMarket operation as verging on entrapment, especially as the Secret Service, in particular, seemed to encourage members to engage in criminal activity (in the case of Dron) during their investigation. The FBI and Keith Mularski vigorously defended their actions, emphasising that the presence of Mularski and his team on DarkMarket enabled intelligence-gathering – notably about the intended expansion of Cha0’s US operation – which prevented, so Mularski claimed, $70 million in potential losses.
Just as he was putting the finishing touches to his radio feature on this peculiar, yet important story, Kai Laufen suffered a slipped disc. Almost completely unable to move, the journalist was forced to brood in bed for two weeks. He arrived at the conclusion that nobody in Germany would care about the fact that the FBI had busted a German carder and that he, Kai, had uncovered the agent’s identity. On the other hand, the DarkMarket story had attracted considerable attention in the US tech media. Led by the San Francisco-based Wired magazine, a fair amount had already been published on the subject, especially after the dramatic kidnapping of Mert Ortaç in April that year and then the arrest of Cha0 in September.
Kai felt strongly that he should disseminate the proof that DarkMarket was in part an FBI sting operation. But just as the Atlantic divides the culture of policing, so it does the ethical standards of German journalists and their Anglo-American counterparts. (Britain’s police are more European than American, but their newshounds have even fewer scruples than America’s do.)
In Germany it is considered bad form to publish the full names of alleged criminals while they are still on trial, and in many cases the German media desist from doing so even if the criminals are subsequently found guilty. The same goes for undercover police agents. For anybody familiar with the Anglo-American media, the notion is, of course, as foreign as can possibly be.
So when Kai Laufen spoke by phone to Kevin Poulsen, Wired magazine’s Security Editor, in early October 2008, he said that he would provide Mr Poulsen with documentary evidence which proved that law enforcement had penetrated DarkMarket. He would include Keith Mularski’s email admission of his role as Master Splyntr, but only on the strict condition that Poulsen did not publish Mularski’s name. Reiterating the point, Laufen ended his email, which included the document scans, with the exhortation: ‘Burn after reading!’
Poulsen remembers it differently: he only agreed to keep Matrix’s name out of the paper. Over the years he and his team had done an impressive job in tracking most cybercrime stories, including DarkMarket. Indeed, he brought the same ruthless zeal to the job that he did to his previous occupation as a hacker – a career that ended in a criminal conviction. And so Poulsen did not burn after reading. On Monday 13th October he published. Master Splyntr was dead.
For his part, Keith Mularski was furious when Wired published his name – the trust that he had built up with so many carders was instantly lost. He had closed the DarkMarket board a couple of weeks earlier because JiLsi’s registration of the domain name was about to expire. Had Master Splyntr attempted to re-register it, a curious hacker might have used the opportunity to uncover his identity.
The DarkMarket operation was the opening phase in a long-term plan by law enforcement to infiltrate the world of cyber criminality. In fifteen months, prior to the publication of Mularski’s name in Wired magazine, the FBI, SOCA and the other police agencies involved had been careful to pick off individuals here and there. They had deliberately decided not to go for a large-scale sweep of DarkMarket members, in contrast to the tactics used by the Secret Service in 2004 with Shadowcrew. Master Splyntr fully intended to return with his reputation enhanced, armed with his large database of carders and their activities. That plan was now blown out of the water.
Not that Mularski’s efforts had been in vain – in a remarkable example of cross-border cooperation among disparate police forces, they had caught one of the biggest fish in the carding world, Cha0, and had arrested dozens of others, some of whom were already convicted, most of whom were awaiting trial.
But neither Agent Mularski nor anybody else was in a position to blame Dietmar Lingel. He had not allowed the identity of Master Splyntr to slip into the court papers for the Matrix case, as the officer from Dezernat 3.5 had alleged.
That distinction belonged to Detective Frank Eissmann, Lingel’s boss, who later confessed that he had ‘made a big mistake’ in submitting the document to the State Prosecutor as part of the police evidence against Matrix. It was Eissmann’s error that led to Kai Laufen identifying Mularski, which in turn triggered the collapse of the long-term operation against the carders.
Dietmar Lingel, however, remained suspended and heard nothing from his employers until Dezernat 3.5 informed him in September 2010 that he was to stand trial. The prosecutor had dropped the unsubstantiated claim that Lingel had intentionally leaked Mularski’s name. Instead, the original charge was resurrected: he was accused of having informed a suspect that he was under surveillance.
Lingel opted to contest the charges and later that month the longest trial anywhere related to the DarkMarket case began in Stuttgart. Ironically, it did not involve any actual cyber criminals (except that Matrix001 and Fake testified as witnesses), but pitted the Baden-Württemberg police against one of its own. It was a fascinating event played out in front of a handful of people in a clean, small, anonymous court in Bad Cannstatt, Stuttgart’s spa district. The testimony of almost a dozen actors in the drama was startling, revealing many of the errors and misfortunes that plagued the policing operation in both Europe and the United States.
* * *
[3] Massachusetts Institute of Technology, not to be confused with the acronym of Turkey’s National Intelligence Agency.
38
WHO ARE YOU?
Istanbul, October 2008
Çağatay Evyapan appeared relaxed in jail. Now and then a member of the Istanbul force would whisper something about a supercop flying in from Ankara to conduct the main interrogation of Çağatay. In Turkey the longest you can hold someone suspected of involvement in organised criminal activity is four days. The prisoner was intrigued to see if this Mr Big from the capital would turn up.
Finally, Inspector Şen arrived. He needed to know only one thing.
‘Who is the little bird? Who are you talking to inside? This is all I want to know from you.’
The prisoner hesitated and then looked desperate.
‘There is nobody.’
39
ON THE ROAD TO NOWHERE
Inspector Şen’s work was done. After the arrest, the case was handed over to the prosecution service, as required by Turkish law. But if Çağatay Evyapan was Cha0, then who was this character Şahin, who Mert Ortaç insisted was the real Cha0? Was Şahin a mere figment of Mert’s imagination? After all, Mert did have a history as a fantasist and embellisher.
Fond though he was of spinning a yarn, the fundamental aspects of Mert’s story were true. He did work for various official organisations, including the Intelligence Agency; he was a highly gifted programmer with a particular skill for decrypting smart cards; he did make huge sums of money from selling fake Digiturk cards, for which he was later investigated; he did lavish money and entertainment on people he wanted to impress; he did tread the DarkMarket boards using Sadun’s nicknames, Cryptos and PilotM; he did holiday with his girlfriend at the Adam & Eve Hotel in Antalya; and he was most definitely kidnapped and humiliated by Çağatay Evyapan.
However, he was unable to offer any proof for his central claim that Cha0’s real identity was the mysterious Şahin. Mert demonstrated such a detailed knowledge of the inner workings of DarkMarket that, if he was lying, somebody or some organisation must have furnished him with some or all of these details. The question is – and it remains stubbornly unanswered – why? And who were they trying to frame or discredit by throwing the extraordinary Mr Ortaç into the mix? Certainly not Çağatay Evyapan as he emerges from Mert’s story as a lesser criminal? The police? Or was it perhaps the man who Mert claims was Lord Cyric, a prominent member of the Turkish and global internet scene?
Even so, Mert’s truth remains no less plausible than Inspector Şen’s truth. The key lies not in the identity of Şahin or Çağatay. It is hidden within the character of Cha0. There is no doubt that the man who masterminded the skimming factory and acted as administrator on DarkMarket was Çağatay Evyapan. The issue is whether Evyapan controlled the entire operation or whether he was working on behalf of a bigger criminal syndicate.
All in all, Turkish police arrested some two dozen people who, the evidence suggests, were connected to Cha0’s operation either as an inner core or as satellites. The virtual criminal was just that – he was not a real character, but an amalgam of individuals with different skills working as a unit. In the same way the Ukrainian founder of CarderPlanet, Script, had recognised that the generic term ‘carder’ in fact hid a multitude of different skills: some were real hackers; some were graphic designers; some were electronic engineers building skimmers; some skimmed ATMs; some cashed out; some provided security; some gathered intelligence, sometimes on behalf of the criminals and sometimes on behalf of the police.
Thus both men, Cha0 and Script, anticipated the world of cybercrime post-DarkMarket – a move away from a loosely bound community of individuals engaged in opportunistic criminal activity towards a much more systematic criminal organisation in which its members fulfilled specialist tasks: spamming, virus-writing, money-laundering, operating botnets and other essential criminal activities of the virtual world.
So maybe ‘Cha0’ was just such an operation – the whole caboodle rolled into one. Cha0 was a collective name that sought in the first instance to gain at least a partial monopoly in the new industry of credit-card fraud through skimming. It was an audacious plan, which came very close to succeeding, had it not been for the combined efforts of Keith Mularski and Bilal Şen, as well as the backup provided by other police agencies and by certain other individuals.
The degree to which Cha0, the entity, was organised hints strongly at something else. Traditional criminal fraternities have until recently ‘tended to regard cyber criminals as second-class citizens’, as one of SOCA’s leading cybercops described them. But during the existence of DarkMarket police forces across the world started observing how traditional organised-crime groups were making unexpected appearances during investigations into cybercrime.
Within DarkMarket itself there were three quite well-defined circles involved in the project. The first were the administrators, moderators and others holding senior ‘bureaucratic’ positions on the site. These tended to be men with advanced hacking skills and certainly fluent computer skills. Furthermore, with the exception of Cha0, they were either not making large sums of money or were working directly as police agents or as confidential informants.
Beyond this, the second circle mostly comprised skilful experienced criminals who worked largely on their own – like Freddybb and RedBrigade. They demonstrated varying degrees of computing ability and, if they themselves were unable to solve a technical problem, they always knew people who could. These individuals were less conspicuous on boards like DarkMarket than the administrators and their crew. Their aim was to make as much money as possible without drawing attention to themselves, although they, too, would occasionally engage in banter and chat about the carding community as a whole.