http://www.wired.com/news/technology/0,72585-0.html

By Kim Zetter
Feb, 01, 2007

It was mid-March 2004, and David Thomas was chatting online with a young hacker who went by the nickname "Ethics," when the latter suddenly asked him: "btw, you know anyone who would pay to get celebs private cell phone numbers? or any other number's from t-mobile's database?"

Thomas replied, "hehehehehe oh man that would be so fuking cool."

Ethics, aka Nicolas Jacobsen, did little on the boards but talk, Thomas says. He once discussed building a miniature submarine with carder middleman "Myth" to run cocaine from Colombia. But mostly he procrastinated and disappeared when it came time to do any jobs.

So when Ethics told Thomas he'd hacked a T-Mobile server and had access to billing information and passwords for the company's 14 million customers, Thomas was skeptical. That is, until Jacobsen sent him Paris Hilton's Social Security number and password [1], as well as the security question and answer to her T-Mobile account and photos from her camera phone.

Thomas didn't know it, but Ethics also had the password for the T-Mobile account of a Secret Service special agent named Peter Cavicchia who worked in the agency's cybercrime division. Sifting through the agent's e-mail, Ethics found documents related to a Secret Service sting operation, including, incredibly enough, evidence that the Secret Service was monitoring Ethics' own ICQ chats.

Ethics had stumbled into the most organized and ambitious operation against online scammers in U.S. history. While Thomas had been working on the West Coast for the FBI, the Secret Service's New Jersey office had infiltrated Shadowcrew separately, with the help of a confidential informant, and begun gathering evidence against carders on that site.

The sting known as "Operation Firewall" began when police arrested a top administrator of the Shadowcrew site in the summer of 2003 and called in the Secret Service.
Secret Service agent Larry Johnson says his agency didn't initially realize the value of their catch. Once they did, they quickly flipped the suspect and sent him back to Shadowcrew to avoid suspicion that he'd been arrested.

With the informant's help, they set up a private, encrypted computer network where Shadowcrew members could, ostensibly, communicate in secret. In reality, the network was run from the Secret Service's office in New Jersey, where communications were recorded and IP addresses tracked.

The Secret Service won't discuss the identity of its informant, but today Thomas and other carders believe it was a scammer known as "Cumbajohnny," or "CJ", who appeared on Shadowcrew in the summer of 2003. When Shadowcrew's Kim "Macgyver" Taylor was jailed in Colorado around that time, CJ assumed control of the site.

Though Thomas wasn't privy to the Secret Service operation, he suspected early that CJ had flipped. It was CJ, he says, who, in February 2004, invited Shadowcrew members to join the VPN that turned out to be under surveillance. Thomas says CJ also tried to sell members $150 AT&T calling cards that would allow them to make $1,000 to $7,000 in calls. Thomas thinks the cards were set up to allow authorities to trace the callers.

Thomas became more suspicious of CJ when, in March 2004, Dmitry Golubov, aka "Script," disappeared from CarderPlanet, and CJ assumed a role on that board, too. It was CJ who had sent "King Arthur" Thomas' arrest report discussing federal agents and the Russians in an attempt to sabotage his dealings with King.

Thomas sent CJ a note taunting him with his own accusations. "hey cumbacop ... so you're running (CarderPlanet) now eh ... did you bust script? ... so I guess your shiny badge is real shiny now1."

It was 1 a.m. and the message was barely gone before Thomas' handler, Seattle FBI Agent Steve Butler, called him.

"What are you doing? Who were you just talking to?" Butler demanded to know.
When Thomas mentioned Cumbajohnny, the FBI agent grew angry. "These guys over there can shut you down in an instant," Butler said. "Don't you ever talk to him again."

"I knew right then that Cumbajohnny wasn't kosher," Thomas says.

The ongoing turf battles between TheGrifters and Shadowcrew administrators highlight a problem inherent in law enforcement agencies employing criminals in their operations. Such operatives come to the task bearing grudges and ego issues that can easily derail an investigation if not carefully managed. If Cumbajohnny was the Secret Service's informant, it meant that agents for the FBI and Secret Service were essentially battling to blow each other's covers.

Regardless of Butler's warning to stay away from CJ, Thomas continued to taunt the carder and other members online. His enemies stepped up their attacks against him as well, tracing him to Seattle and attempting to locate his apartment to post pictures of it on the board. For the first time, Thomas began to fear for his safety.

Then things started to change. Butler had been warning Thomas to stay away from CarderPlanet -- implying that events were about to converge on the Russian carding site. In July, Douglas Havard was arrested in the United Kingdom; shortly afterward, CarderPlanet suddenly shut down.

King Arthur had taken control of the board by then, and, according to authorities, he and other senior members of the site decided it was time to take their operation deeper underground to make it harder for police to track them. In a note explaining the decision, King wrote: "This forum made them (LE) smarter and kept them in the loop of happening.... Now, everything will be the same, but (they) will not know where the wind is blowing from or what to do."

In September, Butler announced he was leaving the cybercrimes task force for a new assignment with the Joint Terrorism Task Force and abruptly pulled the plug on TheGrifters [2]. Thomas says he was caught off-guard.
"I thought it was going to be a long-term job that would last for five to 10 years," he says.

The other shoe dropped at 9 p.m. EST Oct. 26, 2004, when police and federal agents swooped in on more than a dozen Shadowcrew members in several states and Canada in a coordinated bust. The Shadowcrew admins had told the members to convene online at the appointed hour for a mandatory discussion, ensuring they'd all be caught at their computers at the same time.

Authorities nabbed 19 people in the bust, among them Kim Taylor, Thomas' former partner, who'd been released from jail a few months earlier. Ethics was nabbed separately. Cumbajohnny was the only major Shadowcrew admin whose nick did not appear on the indictment.

Taylor pleaded guilty to one count of access-device fraud (another charge was dropped) and was sentenced to 30 months in jail and three years' probation. He's scheduled to be released from federal prison at the end of March. His lawyer, Bruce Rosen, says, "He did something, and he deserved to go to jail," but that the charges against his client were exaggerated. Taylor maintains he was only a forum moderator on Shadowcrew, not an administrator as authorities made him out to be, and that the title was in name only -- he never engaged in an active role as a moderator.

The Shadowcrew bust was touted as a major success by law enforcement. Since the initial action, subsequent arrests in Operation Firewall have brought the total number of carders nabbed to 38 globally. Authorities say the suspects trafficked in more than 1.5 million stolen credit card numbers, resulting in losses estimated to be at least $4 million. The sting also netted more than 8.5 terabytes of forensic evidence -- the equivalent of 2.2 billion pieces of paper -- and involved more than a dozen criminal task forces in the United States and elsewhere.

But the long-term effects of the operation on curbing criminal activity have proven to be almost nil.
It wasn't long after Shadowcrew went down before new carding sites, such as CardersMarket and the International Association for the Advancement of Criminal Activity, or IAACA, popped up to take its place. And the bust opened the way for new problems as well.

Amir Orad, executive vice president of security company Cyota (now owned by RSA Security), which has a command center in Israel from where researchers monitor the carding boards, says Operation Firewall made it more difficult for law enforcement to track carders. Once Shadowcrew went down, the community morphed from a small number of large carding sites to a larger number of small sites that have become harder to trace and infiltrate. And many of the most serious criminals have disappeared from the boards altogether, taking their activities further underground.

"What we see clearly is that taking down ... one group doesn't solve the problem, it creates multiple small problems," Orad says. "(We) haven't seen a major impact of those arrests besides maybe the publicity and the awareness that this whole crime costs."

Others have also disputed law enforcement's characterization of the significance of Shadowcrew's role in cybercrime, saying the website was more a sandbox for kiddie criminals than a virtual Cosa Nostra, and that those who were arrested were mostly low-hanging fruit.

Attorney Rosen said in a statement to the New Jersey court that although his client Taylor acknowledged that many of the activities on Shadowcrew were illegal or nefarious, the site was really just "a highly unorganized, inefficient message board frequented by immature geeks and social misfits."

It's two years since Thomas says the FBI ended his work with them, and he and I are walking on a Midwest college campus where he now lives in student housing. After the FBI dropped him, he enrolled in the college's journalism program to keep from returning to a life of crime and to write his life story.
As we stroll the campus pathways, clear-eyed students pass by, their futures still in front of them. "I want their lives," Thomas says with the envy of someone who's halfway through his life and knows that his options are running out.

The campus is surrounded by snow-capped mountains, but the fresh air and scenery are lost on a digital animal like Thomas, who rarely leaves his apartment. Though he no longer works for the FBI he still wakes early before classes to jump on the boards and see what's happening and stays online after school until late in the evening. The draw of the boards, when he has little to take their place, is too strong.

He's more than a little bitter about the way the FBI dropped him. After Butler pulled the plug on TheGrifters, Thomas says they discussed building a similar site to attract terrorists for the Joint Terrorism Task Force. But after Thomas developed a site, Butler failed to get approval for the project and cut Thomas loose.

For a time, Thomas kept TheGrifters online and turned it into an "anti-carding site" with a few associates, including "John Dillinger." They spent hours building dossiers on carders and tracking arrests, and amassed a large database of information, including part of the Shadowcrew database that someone copied after the bust. Thomas hoped to turn it into a resource for law enforcement and use it as a platform to warn kids away from crime, but it hasn't worked out that way.

"Crime is often harder work than a regular job," he says. "Every time I've done something -- it doesn't matter what it is, counterfeiting or whatever -- it's always been more work than a regular job would have been. And I would have much rather had a real job than be involved in a criminal act because it's less ... stress."

Of his associates from TheGrifters, only Dillinger knows about his work for the FBI.
Thomas wanted to tell the others, he says, but some of them defended him when his enemies accused him of working for the feds, and it's hard for him to explain to them why he did what he did. He realizes that this article will likely make him a pariah in the community.

"The people on the fringes of society are the only ones who ever accepted me," he says. "Now I feel I've destroyed that for what I did for the government."

Thomas' job with the government also cost him his relationship with Bridget Trevino, who left him about four months before the work ended because of his obsession with the boards.

"I became so unhappy because I never got to spend any time with him anymore," she says. "Even though we were in the same room together, I was alone."

Thomas says the FBI has threatened him with imprisonment in Texas, where he has an outstanding warrant for check fraud, if he talks to the press about what he did for them.

"They don't want me discussing what the government was allowing to happen. They don't like the fact that people were authorized to do major crimes like that," he says [3].

There's a touch of self-destruction to his decision to talk now. He wants to leave the boards behind but lacks the willpower to do so. He knows that once this story is public, he'll have to close the chapter on "El Mariachi" and just be David Thomas again.

"And maybe that's what I want," he says. "I want to get on with my life."

For years he's had no offline friends and now is having to get used to being around other people again. Last spring, when the winter thaw was gone and people at his college were starting to emerge outdoors again, he walked the campus green looking at students and teachers lounging on the grass in the sun and thought to himself, "God, this is just so beautiful."

"I feel like I've been locked up for years and years and years and I've just gotten parole," he says.

But that's only during the day. At night, he's back in a dark room, surfing the boards.
-==-

[1] http://www.wired.com/news/technology/0,72585-0.html?tw=wn_technology_5#
[2] http://www.wired.com/news/technology/0,72585-1.html?tw=wn_story_page_next1#fdesc2
[3] http://www.wired.com/news/technology/0,72585-2.html?tw=wn_story_page_next2#fdesc2