by Misha Glenny
The third circle was home to highly professional criminals who were virtually invisible – unknown except by myth and reputation to the police and their fellow carders. These were people even beyond major wholesalers of credit cards and malware – such as the Ukrainian Maksik, arrested by Turkey’s cybercrime team in Antalya in 2007. The most famous one (who, it is believed, supplied Maksik with much of his material) is the Russian known simply as Sim, who, police assume, is actually another very efficient syndicate. These are people who never emerge from the shadows.
Cha0 was fascinating and important because this was the first time that an outfit resembling traditional organised crime had involved itself in large-scale cybercrime and sought to influence the workings of a website like DarkMarket. This was the first real proof that cybercrime was no longer the domain of second-class citizens alone – it was beginning to attract some bigger figures.
Organised crime has traditionally played a huge role in Turkey. For example, in combination with Kurdish and some other Balkan groups, Turkish gangs dominate the wholesale heroin trade throughout Western Europe.
In late 1996 an armoured Mercedes was involved in a spectacular road accident in the small town of Susurluk. Among the dead were the Chief of the Police Academy and the leader of the right-wing terror group, the Grey Wolves, who also happened to be on Interpol’s most-wanted list as one of Europe’s major heroin-traffickers and a recognised assassin. The one person who survived was an MP for the then-ruling party.
This event enabled journalists and opposition politicians to start untangling the web of violent deceit that implicated Turkey’s Deep State with the most influential members of organised criminal groups. For years they had been enjoying one another’s friendship, hospitality and protection. Not only did the stories shock ordinary Turks, but they gave an important fillip to emerging forces in Turkish politics – like the organisation that would eventually become the AK Party, which made the fight against crime and corruption a central part of its political platform.
Turkey has moved on somewhat since then. But when the roots of corruption and organised crime extend as deeply as they did in Turkey during the 1980s and 1990s, it takes several decades before they can be eradicated from the body politic. This explains Bilal Şen’s fears when he was first told that Cha0 might live under the protective wing of powerful establishment figures. It is also credible, as some of Bilal’s law-enforcement collaborators outside Turkey believe, that the Cha0 who inhabited DarkMarket was part of a much larger organisation. Crime groups in Turkey straddle various sectors – along with heroin-trafficking, Turkey is a major centre for people-trafficking (again because of the proximity of the European Union). And in the last two decades a huge money-laundering trade has grown up there as well.
So Çağatay Evyapan, their theory goes, was actually just a lieutenant for the real CEO of Cha0 Criminal Holdings. Çağatay would be the Vice President for the cybercrime division and he was content to return to jail because he is, speaking metaphorically, ‘taking a bullet for the boss’. Perhaps Şahin is the CEO of the whole company. Were that the case, Mert’s ‘Şahin’ might exist, but Inspector Şen would still have arrested the correct man.
DarkMarket was closed down in October 2008, but nobody – whether from law enforcement or among the criminals themselves – has a grasp on what its real history was and its real significance is. Three years on and only a tiny proportion of the nearly 100 arrests carried out around the world have made it to trial.
Legal systems are finding it extremely hard to come to terms with the highly technical nature of evidence in cybercrime, but the pattern that sees most crimes committed in third countries also creates tremendous barriers to the detection and prosecution of the offences. Ambiguity, doubt, illusion and dissemblance have always played an important role in fathoming the ways and means of organised crime. And the Internet magnifies their power severalfold.
40
MIDDAY EXPRESS
Tekirdağ Prison, Western Turkey, March 2011
A vaguely handsome man in an elegant black suit and black tie scrutinised me carefully as he entered the small, oblong room. His black eyes under a slightly receding hairline accentuated the hypnotic stare and, momentarily, I was tongue-tied. Here was the man I had been reading about, talking about, thinking about for nearly two years. Now, when I finally met him, I was suddenly unable to think of anything appropriate to say.
He may have been wasting in prison for two and a half years, but he had lost neither his poise nor his careful self-control. Throughout our three hours of discussion I was keenly aware that he was interviewing me just as much as I was interviewing him.
My first brief stay in Tekirdağ occurred in 1976, just before publication of the book Midnight Express, which was later made into a successful film by Alan Parker. It tells the story of Billy Hayes, a young American who was caught smuggling drugs out of Turkey. The hideous ordeal he suffered at the hands of a sadistic prison officer shocked audiences throughout Europe and the United States. Turkey had a reputation as a brutal and unforgiving country at the time; indeed, while I was there I had been attacked, while sleeping in a tent, by a group of hoodlums, to the accompaniment of demands for foreigners to go home.
Thirty-five years later I approached Tekirdağ prison. Like the one where Hayes had been kept, it was a top-security facility. Lying a mile or so up a moderate incline, it was surrounded by barren fields as far as the eye could see. Behind a thick curtain of heavy snow I spotted the prison’s high, faded cream walls and watchtowers manned by silhouetted machine-gunners. My first impression suggested that nothing had changed since Parker’s movie.
Inside, however, I was relieved to learn that in this part of the country at least prison conditions had improved beyond recognition. All inmates had a television, shower and toilet in their cell. The food was a touch spartan, but undoubtedly nutritious and reasonably tasty, while the guards acted with courtesy, not just towards me, but towards the prisoners as well. In several respects conditions here were preferable to those found in many British prisons.
There were some notorious convicts in Tekirdağ, including the instigator of the murder of Hrant Dink, the ethnic Armenian writer assassinated by extremists for, well, being an ethnic Armenian writer. It was also no surprise that the prison contained some of Turkey’s most notorious drug lords.
And among the terrorists and mafia dons there was a representative of the most state-of-the-art form of malfeasance – cybercrime. It had taken me more than a year to get an audience with Çağatay Evyapan: I had needed to convince both the Turkish authorities and Evyapan himself. For months, this seemed completely impossible. My astonishment was boundless when I received a message one Monday in early March 2011 from the Prison Directorate in Ankara informing me that, if Çağatay was willing, I would be permitted to see him that very Wednesday. After that, I was told, Çağatay would be moved and my window of opportunity would be slammed shut.
What the Turkish authorities did not know, nor would they have cared, was that my passport was deep in the bowels of the consular section of the Chinese Embassy in London, having a visa processed. My attempts to extract the passport in order to fly to Istanbul on Tuesday were dismissed robotically by the Chinese officials. Instead, I contacted Tekirdağ prison directly and begged them to allow me to postpone the interview for one day. I was informed that if they received the order to move Cha0 before Thursday, then regardless of whether or not I travelled there, I would not be permitted to see him. The hunt would be over.
So I was extremely agitated as I battled my way through the snowstorm from Istanbul to Tekirdağ on Thursday morning, a day late. It was quite possible that I would arrive only to be told that I had lost the chance to meet Cha0 in person. After a long wait I was taken through three thick revolving steel gates whose mechanism had a biometric print of my hand, and was introduced to the Director of the prison. Far from the ogre one might have expected, he was charming and affable. He said that they had not received any directive from Ankara and that after lunch in the canteen I would be able to talk to Mr Evyapan.
Eventually I was led through to the small, oblong room. Çağatay Evyapan is cautious but self-confident. Just as Bilal Şen had told me, his instincts would detect immediately if I was trying to ferret out some snippet of information in a devious way. He reminded me of Julian Assange, the mastermind behind WikiLeaks – super-smart, but with an iron conviction in his own intellectual superiority, which at times might be taken for extreme narcissism.
When I suggested to him that Lord Cyric was Tony – the tubby, bespectacled businessman named by Mert Ortaç – he emitted a snort of the deepest contempt. ‘You’ve been talking to Turkish intelligence, haven’t you?’ he said sharply. In a manner of speaking Cha0 was correct: if Mert was lying (let’s face it, a real possibility), then the bespectacled man must have been planted in his story by MIT, Turkish intelligence.
But as we talked Çağatay confirmed some very important aspects of Mert’s story, including the location of the apartment where Mert was kidnapped and the existence of exchanges between Mert and the local American Embassy worker, Lucy Hoover. He also conceded that once again his own arrest had been prompted by a real-world error.
For all his self-possessed intelligence, Cha0 indicated he had one great fear – ironically the same unspoken worry that stalked his nemesis from the Turkish police. He claimed that during his questioning one of his interrogators offered him the opportunity to go into witness protection. In exchange, he would be asked to testify in the Ergenekon investigation. They demanded that he admit to having established a secret cyber network for the Deep State conspiracy among the military, intelligence services and media. The police flatly deny that any such offer was made.
Cha0 refused – the last thing he would want, like Inspector Şen, is to come under the wheels of a struggle between the Deep State and the government. They do things differently in cyberspace.
Throughout our chat Çağatay suggested that he and a narrow group of hackers possessed a far greater grasp of what was happening on the darkside of the Web than anybody from the authorities. He implied that his aim was merely to demonstrate the hopelessness of the attempts by the forces of law and order to police the Internet – he contended that there will always be people like him who are ahead of the game.
Remarkably, he seemed unperturbed by his incarceration and the fact that he may have to serve the remaining twenty-two years on his earlier conviction from 2000, not to mention any additional charges that may be preferred against him as a consequence of his activity on DarkMarket.
When we broached the subject of the FBI and Keith Mularski, a withering look spread slowly across his face. ‘The FBI have nothing on me. If they did, why did not Master Splyntr send information which the Turkish police could use to charge me?’ he asked. ‘Instead all they can do is use this small-time nobody, Ortaç, to try and trap me.’ Çağatay then claimed that he had hacked into Mularski’s database and extracted the information gathered by the FBI on all the DarkMarket members, including the material on himself.
Being in prison, Çağatay was of course unable to document his claims. He said he knew that Splyntr was FBI from the beginning (although Çağatay joined DarkMarket at JiLsi’s invitation in February 2006 when Master Splyntr was quite well established on the board) and that his strategy was ‘to keep my friends close and my enemies even closer’ – hence his willingness to work with Splyntr as an administrator.
It was an appropriate topic on which to end. At its heart, the story of DarkMarket was about two men – Çağatay Evyapan and Keith Mularski, both supported by impressive teams and contacts. Cha0 was no ordinary criminal. While making money was the primary purpose of the enterprise, Çağatay seemed to regard the struggle between himself and law enforcement as having a deeper significance, almost as though he was seeking to demonstrate his superior ability and, by implication, the futility of law enforcement’s attempts to police cyberspace. In this lay a strong element of the original anarchism of geek culture – behavioural patterns and moral codes undergo a shift as we move from the real to the virtual. The rules of the game are different and new.
The FBI agent ran out the winner, but it was a narrow victory and by no means complete. Three years after DarkMarket closed down, the echoes of this extraordinary criminal venture can be heard in prisons and courts in several parts of the world. And, of course, many DarkMarketeers are still stalking cyberspace.
The Internet is a transcendental invention that has seeped into every part of our lives and into every room in our homes. But beware – Lord Cyric might be hiding in a virtual cupboard somewhere.
EPILOGUE
At first glance the demise of DarkMarket appeared to deal a major blow to crime on the Internet. But it didn’t. It did, however, temporarily place a spanner in the works of some major carding networks, including Cha0’s operation in Turkey, Maksik’s in Ukraine and Freddybb’s in England. But the primary message that other serious cyber criminals took from the whole affair was simple: engagement in carding forums like Shadowcrew and DarkMarket, especially those English-language sites with large memberships, now entailed an unacceptable level of risk.
There was already some evidence that members whose main aim was to make money rather than enhance their reputation were far less present on DarkMarket than they had been on Shadowcrew. The number of posts made by people like Freddybb declined dramatically from one to the other. On Shadowcrew he posted fifty public messages and 200 private. On DarkMarket this stood at fifteen and twelve respectively. The US Secret Service’s takedown of Shadowcrew clearly demonstrated the vulnerability of these sites and Freddybb had learned the lesson: lower your visibility.
Alongside the dangers of being busted, the carding forums had in any event outlived their use. It was via these websites that criminals had, over almost a decade of activity, established global networks of people they could trust. Whether as buyers or sellers of illegally procured data and documents, they had found their markets.
But the exposure of Keith Mularski as Master Splyntr, and the revelation that DarkMarket was in part a law-enforcement sting operation, undoubtedly hastened the demise of the carding forums. This wrecked the long-term strategy of the FBI and its partner agencies in Western Europe. The plan had been for Master Splyntr to re-emerge as the one honest carder who had foiled the FBI’s attempts at capture, who was hence deserving of even greater levels of trust within the carding fraternity.
Instead, in response to the DarkMarket affair, hackers, crackers and cyber criminals are burrowing deeper into the digital underground. There is also increasing specialisation in the business. Hackers and malware coders are developing designer programs that target specific systems or seek out particular information. They then sell this to a group that actually supervises the penetration of a financial institution or its customers. Once they have access to the money, they will contact a ‘mule herder’, a person or group who employs ‘money mules’ across the world. There are countless advertisements on websites offering work to people using their computers at home. A number of these are placed by mule herders. The herder asks potential mules to place their bank accounts at the herder’s disposal in exchange for a percentage of the sums flowing through them.
The breaking down of criminal activity into these distinct entities makes it more difficult for law enforcement to identify what is actually going on and who is cooperating with whom. The proliferation of mobile devices and apps also offers huge opportunities to cyber criminals.
The rapid expansion of Internet users presents another major problem. Police in Western Europe have noted that the size of the Chinese criminal hacking community is growing apace. Until recently, the 419 or Advanced Fraud Fee scam was the preserve of West African criminal groups, especially Nigerians, the proud creators of those bizarre emails urgently entreating the recipient to assist in the movement of millions of dollars of a deceased dictator.
419, named after the relevant paragraph in Nigeria’s penal code, is a very old trick – it forms the heart of The Alchemist, a comedy by the Elizabethan playwright Ben Jonson. In essence, the fraudster persuades the victim to advance a small sum of money on the promise that this will lead to the victim receiving a much greater amount later on. He then either milks his victim for more money or simply disappears with the first tranche. While possible in Elizabethan times, it was a laborious business. The Internet has made it extremely lucrative because, using spam emails, the criminal can reach an audience of tens of millions. The chances of finding a sucker are very greatly enhanced.
The 419 scam comes in many shapes and sizes. It sometimes arrives as an appeal to rich Westerners to come to the aid of an impoverished African child. Letters, faxes and emails beseeching Americans in particular for funds to erect a new church or bolster a congregation are frequent – in these cases, the motivation of the victims is well intentioned and charitable. Another lucrative prey of the 419 scammers are the lovelorn, in particular middle-aged widows and divorcees who develop virtual relationships with West African toy boys, who slowly leech them of their savings as an advance on sexual dalliance that never comes to pass.
419s are now being dispatched from China in both Chinese and English. This complements a second Chinese hacking speciality, which is the theft of items from MMORPG, an awkward acronym for the awkwardly named Massively Multiple Online Role-Playing Games, such as World of Warcraft, or the ‘real life’ games, Second Life or Habbo Hotel. These all have digital currencies that can be exchanged for genuine money. This in turn invests value in the virtual goods and services, which players can purchase to add to the pleasure of their gaming experience. Although they are not alone, Chinese hackers have learned to ‘steal’ these digital items or monies, which they can convert to actual real-world cash. China’s monumental computing potential remains largely untapped at the moment, yet it is already regarded in most sectors relating to computer security in civilian and military life as second in the global pecking order after the United States. As China begins to realise that potential, the nature of the Internet will change.