http://www.wired.com/news/technology/0,72515-0.html
By Kim Zetter
Jan, 30, 2007
By the time David Thomas eased his Cadillac into the parking lot of an
office complex in Issaquah, Washington, he already suspected the police
were on to him.
An empty Crown Victoria in one of the parking spaces confirmed it.
"That's heat right there," he told his two passengers -- 29-year-old
girlfriend Bridget Trevino, and his crime partner Kim Marvin Taylor, a
balding, middle-aged master of fake identities he'd met on the internet.
It was November 2002, and Thomas, then a 44-year-old Texan, was in
Washington to collect more than $30,000 in merchandise that a Ukrainian
known as "Big Buyer" ordered from Outpost.com with stolen credit card
numbers. His job was to collect the goods from a mail drop, fence them
on eBay and wire the money to Russia, pocketing 40 percent of the take
before moving to another city to repeat the scam.
But things didn't go as planned.
Ignoring Thomas' suspicions, Taylor walked into the Meadow Creek
Professional Center to collect the Outpost shipment, and found the cops
waiting for him. Thomas and his girlfriend tried to escape in the
Cadillac but were caught half a mile away.
An ID badge that Taylor wore when he was arrested indicated that he
worked for Microsoft. But that was no more accurate than the two-dozen
other employee badges he possessed for E-Trade and AT&T Broadband, or
the 15 driver's licenses from various states that featured his congenial
face and a dozen aliases. Nor did Thomas's California driver's license
help authorities identify him. Although it had his picture, the name and
address on the ID belonged to a producer for the A&E channel.
With so many fake IDs in play it was unclear to police exactly who they
had in custody. Then as they read Thomas his rights, he told them: "Get
me some federal agents and I'll give you a case involving the Russians
and millions of dollars."
Thus was the beginning of Thomas' turn to the other side. For 18 months
beginning in April 2003, Thomas worked as a "paid asset" for the FBI
running a website for identity and credit card thieves from a
government-supplied apartment in the tony Queen Anne neighborhood of
Seattle.
From bedrise to bedrest, seven days a week, he rode the boards and
forums of his and other carding sites using the online nickname El
Mariachi. He recorded private messages and IRC chats for the FBI as
"carders" schemed to, among other things, sell stolen credit and debit
card numbers, defraud the George Bush and John Kerry campaign sites,
drain hundreds of thousands of dollars from bank and investment
accounts, sell access to Paris Hilton's T-Mobile account and run
phishing scams against U.S. Bank and the FDIC. He did it all while
battling denial-of-service attacks against his site and dodging attempts
by his old partner Taylor and other carders to track his whereabouts and
out him as a fed.
Just as his enemies were closing in on him in September 2004, the FBI
pulled the plug on his work and cut him loose. But not before Thomas had
given authorities a valuable look at the internet's underworld, even
though the strain of leading a double life nearly broke him.
Now Thomas is telling the story of his work during this period. It's a
tale that provides a rare glimpse of the thriving international computer
underground of high and low-tech thieves and swindlers whose crimes cost
millions each year. It also illuminates the rarely seen world of federal
law enforcement's war against these organized criminals, and the moral
and ethical tradeoffs sworn agents make in pursuing their mission --
providing crooks with an electronic marketplace where they can
congregate and conduct their ignominious business anonymously. Even
allowing some crimes to go unpunished.
The full scope of the problem is hard to judge, but nonetheless
staggering. U.S. banks lost $546 million to debit card fraud in 2004,
according to banking research firm Dove Consulting, and credit card
fraud losses were estimated to be about $3.8 billion globally in 2003
according to The Nilson Report. The Federal Trade Commission estimates
that 10 million Americans are victims of identity theft each year. The
financial impact of identity theft remains untold.
Thomas says he is telling his story now because he's tired of the life
he's lived on the boards over the last five years and resentful of the
control the FBI maintained over him for so long. He also wants to warn
the public about the risks they face from the carding community and
deter kids from being seduced into a life of crime.
The FBI's Seattle office wouldn't discuss Thomas, and neither confirmed
nor denied that he worked for them. But over the last year Wired News
verified other key aspects of Thomas' account in dozens of interviews
with members of the underground, victims of online crimes he observed,
as well as attorneys and other people connected with Thomas -- his
former apartment manager, for example, confirmed that the FBI paid
Thomas' rent.
Additionally, Thomas provided hundreds of chat logs and forum posts from
his former website, The Grifters [1] -- a criminal marketplace that
played a key role in a parade of diverse frauds, ranging from bank theft
to telephone records hacking, all unfolding in a sprawling international
tableau spanning from the former Soviet empire to the tropics of
Colombia.
It was July 2004 and Brian Campbell had been on Isla Mujeres off the
coast of Cancun for three days for a relative's wedding when he
discovered he'd been scammed.
An American MBA student studying in Australia at the time, Campbell (not
his real name [2]) was accustomed to checking his investment portfolio
daily over the internet. But the wedding distracted him a couple of
days, and when he finally got online, he found he was locked out of his
Schwab trading account.
He called Schwab and discovered that his user name and password had been
changed. What's more, $106,000 had recently been wired from his account
to a Fortis bank account in Belgium. Campbell hadn't requested the
transfer.
Unknown to Campbell, a cyber thief who went by the nick "desertmack" had
gained access to his e-mail account and had been watching him for weeks.
The Mexico wedding was the break desertmack needed. He'd been hoping a
little tequila and sunshine would distract Campbell from obsessively
checking his brokerage account long enough to steal the money and send
it to Brussels, where an accomplice would withdraw it.
But while desertmack was watching Campbell, the FBI was watching him. Or
at least David Thomas was. Sitting in a 500-square-foot Seattle
apartment, window shades drawn and cramped with three computers that
emitted an oppressive heat, Thomas recorded every conversation that
desertmack and his accomplice, who used the nick jonjacob, exchanged in
a private area of TheGrifters.net.
TheGrifters was a members-only "carding" site that Thomas launched in
December 2003, eight months after beginning his work for the FBI. The
goal of the site was to attract identity and bank thieves. It was the
kind of site authorities called a "build it and they will come" site.
And they did.
By mid-2004 the site was crawling with thieves trafficking in fake IDs,
stolen credit card numbers, card-embossing equipment and ATM skimmers
that capture data on a debit card's magnetic stripe so criminals can
encode it on blank cards and drain an account. TheGrifters was a
successful crime hub in a crowded field, competing with other sites like
Shadowcrew, CarderPlanet and DarkProfits to attract the biggest
criminals.
None of the carders knew that Thomas was working for law enforcement,
although there were many who accused him of it. Indeed, if a carder was
arrested and returned to the boards, as Thomas had done, often he was
working for "LE," in carder lingo. But the boards were always thick with
a fog of police paranoia, and no one took the accusations seriously
enough to stay away from Thomas.
Thomas began following desertmack closely after he saw the crook
purchase a credit report for Campbell from a Florida woman who used the
nick Decepgal. Decep ran a carding site called Muzzfuzz and, according
to bankruptcy filings in her real name, worked as a transcriber of
psychiatrists' notes. She also ran a side business selling credit
reports to identity thieves -- $40 for a standard report or $75 for
full-info reports that included a victim's property holdings, bankruptcy
filings and lists of possible relatives [3]
The report, coupled with e-mail account statements, gave desertmack all
he needed to access Campbell's Schwab account and initiate the money
transfer. Jonjacob and another associate in Brussels then opened a
Fortis business account -- chosen because of the bank's $40,000-a-day
withdrawal limit on such accounts. As the day for the transfer neared,
the thieves could hardly contain their excitement: "Hehe, fingers firmly
crossed, along with my legs, testicles and anything else I can think
of," one associate wrote desertmack.
Then, on the day of the theft: "well ... I expect our friends are off
enjoying their holiday. And with a bit of luck, you're busy raping that
juicy account of theirs."
The night before the attack, desertmack changed the contact number on
Campbell's account so Schwab would call him for verification instead of
Campbell if it suspected the wire request was fraudulent. The ruse
worked. Within 24 hours the money was on its way to Brussels. But that
was the last desertmack heard of it. Once the funds were overseas, his
accomplice jonjacob disappeared.
If desertmack suspected a double-cross, he was wrong. Campbell, who
confirmed the details of the theft for Wired News, learned from Schwab
that a suspect was arrested in Brussels while trying to withdraw money
from Fortis. [4])
Shortly after that, it appears that desertmack was arrested too, though
not for the Schwab crime. Oregon sheriffs arrested a 47-year-old man on
unrelated identity theft charges in September 2004, after his wife was
involved in a car accident and deputies discovered outstanding warrants
on both of them for an old eBay fraud caper.
Police searching the couple's apartment found equipment for making
credit cards and fake IDs, as well as 432 stolen credit card numbers,
176 bank account and routing numbers and boxes of credit reports in
other people's names. E-mail found in the suspect's computer inbox was
addressed to desertmack@private
"He was very organized," Oregon deputy sheriff David Thompson told Wired
News. He had 510 dossiers on victims that consisted of "each person's
credit cards and IDs that he had created, bundled up with a rubber band
so that he could just grab a bundle and have that identity for a day to
go out and go shopping." The suspect claimed it was all research for a
book he was writing about fraud prevention.
Oregon FBI spokeswoman Beth Ann Steele said the man was suspected of
initiating the Schwab wire transfer, but said the bureau didn't pursue
charges because local authorities had a stronger identity theft case
against him.
The Schwab case illustrates a running theme in Thomas' dealings with the
FBI. Although Thomas says he provided his handlers at the Seattle FBI
with logs depicting desertmack's scheme, the bureau apparently never
acted on that information -- the Oregon FBI only learned of the theft
because Campbell, the victim, reported it himself after it occurred. "If
we had left it up to Schwab, they might never have gotten the FBI
involved at all," Campbell says [5],
Schwab, too, was less than responsive. Campbell got his money back from
the company only after several calls to the firm pointing out the
obvious security flaws in a system that failed to flag a wire request
made on an account a day after contact information on the account was
changed. "Schwab was pretty bad with customer service," Campbell says.
"For a long time they wouldn't tell me they were going to take
responsibility for it and return (the money)." (Schwab had no comment).
As for Thomas, he was unaware of desertmack's fate until Wired News
tracked down the suspect. As with all of the information Thomas provided
the FBI, he was kept in the dark and never knew what, if anything, the
agency did with the intelligence he gave his handler.
Thomas began his work for the FBI five months after his Issaquah arrest
and after serving three months in jail. His partner, Kim Marvin Taylor,
known by the nick "Macgyver," left Washington before he could be
charged, and landed quickly back on Shadowcrew, where he was a top
administrator of the site.
After Thomas' arrest, federal agents came to see him in jail, as he'd
requested. He told Secret Service agent Michael Levin what he'd done for
the Russians, but Levin wasn't impressed. According to Thomas, the agent
replied that he had multi-million-dollar cases on his desk and wasn't
going to waste time on a lousy $50,000 internet scam.
Seattle FBI Agent Steve Butler also came to see him and seemed just as
unresponsive at first. The jailhouse chat through a glass partition
lasted less than 10 minutes with no mention of a job. But when Thomas
was transferred to Nebraska to face an outstanding warrant for check
fraud, Butler showed up for a repeat visit, an assistant U.S. attorney
in tow.
The agent laid out his plan: Thomas would work for the Northwest Cyber
Crimes Task Force in Seattle to gather intelligence and teach Butler how
the carding sites operated; in return, the FBI would pay his rent and
all of his expenses. It would be an intelligence gathering mission, not
aimed at making arrests, but rather at learning how the international
carding scene operated.
"They made a big show down there," Thomas says. "They told me that
they'd take care of me, and I'd have a legit job with them." [6].
He didn't have to think twice. No one had ever sought him out for work
before, and in an age of background checks they likely wouldn't. But
that wasn't the only reason he took the offer. He wanted to write a book
about the carding world, and figured this was the perfect chance to
gather material. "(The FBI) wanted to see just what they could get out
of it, and I wanted to see what was really going on and to write about
it," Thomas says. "It was a win-win situation." [7].
His lawyer got the Nebraska charges reduced to a misdemeanor and fine,
and by April 2003 Thomas was back in Seattle, where girlfriend Trevino
joined him, and on the boards, using computers the FBI supplied him.
But almost immediately the words he'd spoken in Issaquah came back to
bite him. On CarderPlanet, someone posted a copy of his police report
containing the statement he made to police about the Russians and
federal agents. Taylor, still a fugitive, took to the boards and accused
Thomas of selling him out to the feds. A war of words broke out between
Thomas' supporters on CarderPlanet and Taylor's supporters at
Shadowcrew.
"All of a sudden, whatever I was hired to do (for the FBI) looked like I
wasn't going to be able to do it," Thomas says. "In my mind I was toast.
Because that report was too damning."
Thomas denied the claims to little avail. Then, two months later Taylor
was jailed in Colorado on new charges unrelated to the Issaquah bust. He
served eleven months before being released in May 2004.
But his absence did little to foster calm. Over the next year, the board
war would escalate from verbal scuffling to all-out Joe Jobs and DDoS
attacks. And every 45 days or so when things would quiet down, someone
would repost Thomas' police report to stir them up again.
Between battling other carders and gathering information for the feds,
Thomas's workdays were long and full of non-stop activity.
He became obsessed with knowing everything that was happening on the
boards. He'd often sleep during the day, then work all night when the
boards were most active. Each day when he awoke, he'd hop on the boards
to see what had happened while he'd slept. Were any carding sites down?
Had anyone been arrested? Then he'd run through a checklist of scams
unfolding that day. He spent 18 to 20 hours a day online with 15 to 20
chat windows open on his screen at a time. When he wasn't chatting
online, he was talking on the phone.
"People would talk to me -- I've got this deal, I've got that deal. What
do you think of this, what do you think of that?" he says. "El had a
huge following."
His job was to log every message he received and sent as well as every
note that members posted to the boards. At the end of each day he sent
Butler a report. Sometimes there were more than 300 messages in a single
discussion thread. Every morning Butler debriefed him by phone, and once
a week they met in person. Everything he recorded for the FBI, he
recorded for himself as well.
His task for the FBI was to track who was doing what, which wasn't
always easy since members changed their nicks often and used anonymous
e-mail, proxy servers and pre-paid cell phones to mask their identities
and whereabouts. Occasionally, however, they'd let their guard down.
Thomas never pressed for details. But like a good psychiatrist, he did
the cyber equivalent of nodding with interest, and people were happy to
talk.
Ironically, even though the carders constantly accused each other of
working for the feds, they often acted as if a cloak of invisibility
shielded them. Larry Johnson, special agent for the Secret Service's
investigative division who headed an undercover operation for his agency
on the boards, says agents were often dumbfounded by the carders' lack
of discretion. "If I were going undercover they would accuse me, accuse
me and accuse me (of being a fed) and then buy something from me
(anyway)," he says. "Figure that out."
Thomas says the carders believed they operated in a protected world. "It
was all some fantasy criminal paradise," he says. "Nobody believed law
enforcement was out there in force."
In truth, law enforcement agents were (and still are) some of the fraud
sites' most determined users, and it wasn't just undercover U.S. feds
scouring the boards. There were also agents from Russia, the U.K.,
Australia, Israel and Brazil. Fraud investigators from Visa, Bank of
America, eBay and others also lurked on the sites, determined to gather
intelligence about threats to their customers.
The presence of so many watchers meant that authorities sometimes
targeted the wrong person for investigation. Although U.S. agencies held
deconfliction meetings to apprise each other of who was doing what, word
didn't always get around. When Thomas once asked Butler who was the
biggest target the feds were tracking, Butler laughed and replied,
"You're the biggest target. Everyone is after you."
Although the Seattle neighborhood where Thomas lived was upscale, his
apartment was strictly low-rent. Except for a small couch and TV, the
only living room furniture was an Ikea table that groaned from the
weight of two desktop computers -- one for watching the boards and
chatting with carders, the other later used for hosting TheGrifters --
and a laptop for compiling reports to Butler. Trevino occasionally
helped out with research but for the most part avoided Thomas's work and
spent her time chatting with friends online and playing digital games.
"I didn't want to be there doing what he was doing," Trevino says. "I
didn't want to be a part of it. Because I had done my time (in the
carding community) and I didn't want to do any more."
To conduct his work, Thomas was allowed to facilitate and commit crimes,
but only after clearing them with Butler. Butler said undercover agents
from other agencies who didn't know what Thomas was up to would try to
set him up, and Butler would need to run interference when he saw it
happening. He was also told that if he committed any crimes without
clearing them first, Butler would make sure that he went to prison, and
that other inmates would know he'd worked for the FBI. [8].
The boards had a strict hierarchy that Thomas had little trouble
infiltrating. At the top were administrators, like Taylor, who handled
day-to-day operations and served as gatekeepers to private areas of the
board where the best deals were made. Admins also meted out punishment
to carders they didn't like or to "rippers" who cheated fellow carders.
An admin could ban someone from the board or, worse, post his photo
online and expose his identity. The pictures came from fake-ID vendors
who often held on to the photos of customers just to use them when
someone got out of line.
Beneath the admins were moderators who oversaw forums dedicated to
various topics, such as bank fraud and identity theft. Then came vendors
and reviewers. Before a vendor could sell his merchandise on the boards,
a reviewer evaluated the quality of his offerings based on such criteria
as the quality of a hologram on a fake ID, or whether the stolen credit
card numbers a vendor was hawking were still live and valid. Most
reviews consisted of a couple of lines: "Cards good. Premium numbers
with high balances."
The organized chain of command allowed a rich economy to flourish -- and
the range of products and services at offer was staggering. While credit
card fraud was a staple of the cyber underground, a wide variety of
other crimes also unfolded -- and still unfold -- on the boards. Some
underground denizens offered spamming and "bullet-proof" hosting
services from servers placed in locations unreachable by law
enforcement. Extortionists used botnets to deliver DDoS attacks against
websites that didn't pay protection money. And hackers designed and sold
rootkits, spyware and spam mailers, alongside peddlers of stolen source
code from companies like Microsoft. Pretty much anything went in the
underground if it could produce a profit.
Of course, the quickest way to make money was to, literally, make money.
And when a Colombian counterfeiter named Dexer showed up on the boards
peddling top-quality fake dollars and euros, Thomas was interested.
After consulting with Butler, Thomas asked Dexer to send him some sample
bills to review their quality. Two weeks later they arrived at an FBI
mail drop in Seattle, secreted in a hollowed-out book cover.
Although Thomas never saw the bills, Butler told him the counterfeiters
had bleached $1 and $5 bills then printed $50 and $100 denominations
onto the paper to produce near-perfect fakes. Thomas gave Dexer a
glowing review on CarderPlanet, and orders began pouring in -- that is,
until members started complaining that bills they ordered never arrived.
Dexer said U.S. customs was holding them up. He discussed plans to get
around the blockade, but shortly thereafter his nick disappeared from
the boards, leading others to wonder whether he'd been arrested or
simply skipped out to avoid the anger of dissatisfied customers who
never received their bills.
Did the FBI move in on Dexer? As usual, Butler kept Thomas in the dark.
The uneven power relationship between Thomas and his handler, and the
increasing claustrophobic nature of Thomas's life, took their toll over
time. The strain wasn't helped by the differences in Thomas' and
Butler's personalities.
As Trevino describes him, Butler was the polar opposite of Thomas --
tall and confident with tightly cropped blond hair and the physique and
jaw of a college jock. According to Thomas, Butler's background was in
drug investigations not cyber crime, and the two of them frequently
butted heads over how to run the operation, often resulting in shouting
matches in Butler's car as they drove around the neighborhood for their
debriefing sessions.
"He was very intelligent," Thomas says. "But ... we just never hit it
off."
The conflict came to a head one day after Butler rebuffed Thomas's
requests for some time off to get some rest. When Butler next phoned for
their routine debriefing session, Thomas, exhausted, refused. "I'm on
vacation."
Another shouting match ensued, culminating in Butler coming to the
apartment and carting off the computer Thomas used to host TheGrifters
website. As Butler left with the PC, he told Thomas he was fired and
gave him a week to leave the apartment. Dumbfounded, Thomas sat there
for days struggling to figure out where he'd go with no money when
Butler, his point finally made, called back. "Okay. Are you ready to get
back to work now?"
When TheGrifters went back online Thomas had to cover for his downtime
by telling board members he'd been taken out by a DDoS attack.
The troubles with Butler were only compounded by the continuing attacks
that Thomas faced from enemy carders trying to expose him and take out
his site. To deal with the stress of maintaining his double identity and
battling Butler, he'd often retreat to the bathroom where he'd turn on
the shower and lie on the floor, letting the water run for hours to
clear the chatter from his head.
The shower ran so long one month that the FBI got a bill for 18,000
gallons of water. Thomas says federal investigators appeared at his door
to see if he was growing marijuana or making homebrew. "They opened a
federal investigation to find out where the water went," Thomas says
laughing. "And the water went down the drain. Because it was my only way
to relax."
Tomorrow: Enter the Russians.
-==-
[1] ... posts from his former website, The Grifters. The logs appear to
be legitimate but Wired News was unable to verify that they were
recorded on behalf of the FBI or that they were unaltered by Thomas.
[2] Campbell asked Wired News not to publish his real name for fear that
other thieves would target him.
[3] ... and lists of possible relatives. According to Thomas, Decep had
previously worked for a Florida prosecutor and had access to a
Lexis-Nexis database used by law enforcement agents and businesses.
[4] ... trying to withdraw money from Fortis. I was unable to confirm
the arrest in Brussels with either Schwab or the FBI.
[5] "If we had left it up to Schwab, they might never have gotten the
FBI involved at all." Even then, it was the Oregon sheriff's
department that nailed the suspect on unrelated charges. And the
Oregon prosecutor handling the identity theft cast against the
suspect says no one told him about the Schwab crime and
investigation. The victim, Campbell, said he was told that
authorities were able to connect the suspect to the theft of his
Schwab money because the suspect had changed the contact phone
number on his account to the suspect's real cell phone number. I was
unable to confirm this.
[6] "They told me that they'd take care of me, and I'd have a legit job
with them." One of Thomas's former public defenders in Seattle,
Thomas Hillier, was reluctant to speak with me but confirmed the
jailhouse visit with Butler. He said his memory of the four-year-old
case was foggy and that he didn't recall a federal job offer for
Thomas, although his file notes do contain a cryptic reference to a
job offer next to the name of former assistant U.S. Attorney Hugh
Berry. According to Thomas, Berry was the U.S. attorney who visited
him in Nebraska with FBI agent Steve Butler.
The Nebraska prosecutor, Andrea Belgau, who Thomas says was present
at the Nebraska meeting with Butler and Berry, was also very
reluctant to discuss the meeting. "I can't speak very completely
about it other than he did offer assistance to the federal
authorities," she said. She wouldn't discuss the details, but said
she wouldn't dispute what Thomas told me either. "I don't think it's
appropriate for me to delve into it," she said. "The defendant may
be free to speak about it, but those of us employed by government
agencies have more restrictions."
[7] "It was a win-win situation." Thomas says the FBI paid him no
salary, but covered his rent and expenses. The former apartment
manager at the complex where Thomas lived confirmed that the FBI
paid rent on the apartment and that FBI Agent Steve Butler and
another agent whom the manager identified as an FBI district
supervisor accompanied Thomas the day he and Trevino moved in. The
manager, who asked not be identified by name because he spoke
without permission from his former employer, said Butler gave him
his cell phone number and told him to call if Thomas caused any
problems while living there.
Candace Hamel, who worked in the property management head office at
the time, said she couldn't confirm that the FBI paid for the
apartment, but then added after a pause and without prompting, "I'm
not denying it either." When asked if the management company had an
ongoing deal with the FBI to supply the agency with apartments, as
Thomas contends, Hamel again said she couldn't confirm or deny then
added, "That's confidential information."
FBI Agent Steve Butler was polite and friendly but declined to
comment on whether Thomas worked for the FBI. "We would never
confirm or deny something like this," he said, saying that such
comments would make other people reluctant to work in such capacity
with the FBI. I should note here that there is a David A. Thomas who
works for the FBI as chief of the agency's Cyber Division Criminal
Computer Intrusion Unit. He's often quoted in articles about cyber
crime and should not be confused with David R. Thomas, who is the
source for this story.
[8] Butler would make sure that he went to prison, and that other
inmates would know he'd worked for the FBI Thomas says he was cowed
by Butler's threat and never considered committing crimes behind his
back because he assumed the feds were watching his every move. But
recent court records involving another carder in South Carolina show
how easily a criminal working for the feds can commit crimes under
the nose of agents who are supposed to be watching him. According to
an affidavit in the case, while working a few hours each day out of
a government-supplied apartment, this other carder allegedly
continued to card secretly on the side.
_____________________________
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn
This archive was generated by hypermail 2.1.3 : Tue Jan 30 2007 - 23:24:41 PST