[ISN] Crime Boards Come Crashing Down

From: InfoSec News (alerts@private)
Date: Thu Feb 01 2007 - 22:14:16 PST


http://www.wired.com/news/technology/0,72585-0.html

By Kim Zetter
Feb, 01, 2007

It was mid-March 2004, and David Thomas was chatting online with a young 
hacker who went by the nickname "Ethics," when the latter suddenly asked 
him: "btw, you know anyone who would pay to get celebs private cell 
phone numbers? or any other number's from t-mobile's database?"

Thomas replied, "hehehehehe oh man that would be so fuking cool."

Ethics, aka Nicolas Jacobsen, did little on the boards but talk, Thomas 
says. He once discussed building a miniature submarine with carder 
middleman "Myth" to run cocaine from Colombia. But mostly he 
procrastinated and disappeared when it came time to do any jobs. So when 
Ethics told Thomas he'd hacked a T-Mobile server and had access to 
billing information and passwords for the company's 14 million 
customers, Thomas was skeptical. That is, until Jacobsen sent him Paris 
Hilton's Social Security number and password [1], as well as the 
security question and answer to her T-Mobile account and photos from her 
camera phone.

Thomas didn't know it, but Ethics also had the password for the T-Mobile 
account of a Secret Service special agent named Peter Cavicchia who 
worked in the agency's cybercrime division. Sifting through the agent's 
e-mail, Ethics found documents related to a Secret Service sting 
operation, including, incredibly enough, evidence that the Secret 
Service was monitoring Ethics' own ICQ chats.

Ethics had stumbled into the most organized and ambitious operation 
against online scammers in U.S. history. While Thomas had been working 
on the West Coast for the FBI, the Secret Service's New Jersey office 
had infiltrated Shadowcrew separately, with the help of a confidential 
informant, and begun gathering evidence against carders on that site. 
The sting known as "Operation Firewall" began when police arrested a top 
administrator of the Shadowcrew site in the summer of 2003 and called in 
the Secret Service.

Secret Service agent Larry Johnson says his agency didn't initially 
realize the value of their catch. Once they did, they quickly flipped 
the suspect and sent him back to Shadowcrew to avoid suspicion that he'd 
been arrested.

With the informant's help, they set up a private, encrypted computer 
network where Shadowcrew members could, ostensibly, communicate in 
secret. In reality, the network was run from the Secret Service's office 
in New Jersey, where communications were recorded and IP addresses 
tracked.

The Secret Service won't discuss the identity of its informant, but 
today Thomas and other carders believe it was a scammer known as 
"Cumbajohnny," or "CJ", who appeared on Shadowcrew in the summer of 
2003. When Shadowcrew's Kim "Macgyver" Taylor was jailed in Colorado 
around that time, CJ assumed control of the site.

Though Thomas wasn't privy to the Secret Service operation, he suspected 
early that CJ had flipped. It was CJ, he says, who, in February 2004, 
invited Shadowcrew members to join the VPN that turned out to be under 
surveillance. Thomas says CJ also tried to sell members $150 AT&T 
calling cards that would allow them to make $1,000 to $7,000 in calls. 
Thomas thinks the cards were set up to allow authorities to trace the 
callers.

Thomas became more suspicious of CJ when, in March 2004, Dmitry Golubov, 
aka "Script," disappeared from CarderPlanet, and CJ assumed a role on 
that board, too. It was CJ who had sent "King Arthur" Thomas' arrest 
report discussing federal agents and the Russians in an attempt to 
sabotage his dealings with King. Thomas sent CJ a note taunting him with 
his own accusations. "hey cumbacop ... so you're running (CarderPlanet) 
now eh ... did you bust script? ... so I guess your shiny badge is real 
shiny now1."

It was 1 a.m. and the message was barely gone before Thomas' handler, 
Seattle FBI Agent Steve Butler, called him. "What are you doing? Who 
were you just talking to?" Butler demanded to know. When Thomas 
mentioned Cumbajohnny, the FBI agent grew angry. "These guys over there 
can shut you down in an instant," Butler said. "Don't you ever talk to 
him again."

"I knew right then that Cumbajohnny wasn't kosher," Thomas says.

The ongoing turf battles between TheGrifters and Shadowcrew 
administrators highlight a problem inherent in law enforcement agencies 
employing criminals in their operations. Such operatives come to the 
task bearing grudges and ego issues that can easily derail an 
investigation if not carefully managed. If Cumbajohnny was the Secret 
Service's informant, it meant that agents for the FBI and Secret Service 
were essentially battling to blow each other's covers.

Regardless of Butler's warning to stay away from CJ, Thomas continued to 
taunt the carder and other members online. His enemies stepped up their 
attacks against him as well, tracing him to Seattle and attempting to 
locate his apartment to post pictures of it on the board. For the first 
time, Thomas began to fear for his safety.

Then things started to change.

Butler had been warning Thomas to stay away from CarderPlanet -- 
implying that events were about to converge on the Russian carding site.

In July, Douglas Havard was arrested in the United Kingdom; shortly 
afterward, CarderPlanet suddenly shut down. King Arthur had taken 
control of the board by then, and, according to authorities, he and 
other senior members of the site decided it was time to take their 
operation deeper underground to make it harder for police to track them.

In a note explaining the decision, King wrote: "This forum made them 
(LE) smarter and kept them in the loop of happening.... Now, everything 
will be the same, but (they) will not know where the wind is blowing 
from or what to do."

In September, Butler announced he was leaving the cybercrimes task force 
for a new assignment with the Joint Terrorism Task Force and abruptly 
pulled the plug on TheGrifters [2]. Thomas says he was caught off-guard. 
"I thought it was going to be a long-term job that would last for five 
to 10 years," he says.

The other shoe dropped at 9 p.m. EST Oct. 26, 2004, when police and 
federal agents swooped in on more than a dozen Shadowcrew members in 
several states and Canada in a coordinated bust. The Shadowcrew admins 
had told the members to convene online at the appointed hour for a 
mandatory discussion, ensuring they'd all be caught at their computers 
at the same time.

Authorities nabbed 19 people in the bust, among them Kim Taylor, Thomas' 
former partner, who'd been released from jail a few months earlier. 
Ethics was nabbed separately. Cumbajohnny was the only major Shadowcrew 
admin whose nick did not appear on the indictment.

Taylor pleaded guilty to one count of access-device fraud (another 
charge was dropped) and was sentenced to 30 months in jail and three 
years' probation. He's scheduled to be released from federal prison at 
the end of March.

His lawyer, Bruce Rosen, says, "He did something, and he deserved to go 
to jail," but that the charges against his client were exaggerated. 
Taylor maintains he was only a forum moderator on Shadowcrew, not an 
administrator as authorities made him out to be, and that the title was 
in name only -- he never engaged in an active role as a moderator.

The Shadowcrew bust was touted as a major success by law enforcement. 
Since the initial action, subsequent arrests in Operation Firewall have 
brought the total number of carders nabbed to 38 globally. Authorities 
say the suspects trafficked in more than 1.5 million stolen credit card 
numbers, resulting in losses estimated to be at least $4 million. The 
sting also netted more than 8.5 terabytes of forensic evidence -- the 
equivalent of 2.2 billion pieces of paper -- and involved more than a 
dozen criminal task forces in the United States and elsewhere.

But the long-term effects of the operation on curbing criminal activity 
have proven to be almost nil. It wasn't long after Shadowcrew went down 
before new carding sites, such as CardersMarket and the International 
Association for the Advancement of Criminal Activity, or IAACA, popped 
up to take its place. And the bust opened the way for new problems as 
well.

Amir Orad, executive vice president of security company Cyota (now owned 
by RSA Security), which has a command center in Israel from where 
researchers monitor the carding boards, says Operation Firewall made it 
more difficult for law enforcement to track carders. Once Shadowcrew 
went down, the community morphed from a small number of large carding 
sites to a larger number of small sites that have become harder to trace 
and infiltrate. And many of the most serious criminals have disappeared 
from the boards altogether, taking their activities further underground.

"What we see clearly is that taking down ... one group doesn't solve the 
problem, it creates multiple small problems," Orad says. "(We) haven't 
seen a major impact of those arrests besides maybe the publicity and the 
awareness that this whole crime costs."

Others have also disputed law enforcement's characterization of the 
significance of Shadowcrew's role in cybercrime, saying the website was 
more a sandbox for kiddie criminals than a virtual Cosa Nostra, and that 
those who were arrested were mostly low-hanging fruit.

Attorney Rosen said in a statement to the New Jersey court that although 
his client Taylor acknowledged that many of the activities on Shadowcrew 
were illegal or nefarious, the site was really just "a highly 
unorganized, inefficient message board frequented by immature geeks and 
social misfits."

It's two years since Thomas says the FBI ended his work with them, and 
he and I are walking on a Midwest college campus where he now lives in 
student housing. After the FBI dropped him, he enrolled in the college's 
journalism program to keep from returning to a life of crime and to 
write his life story. As we stroll the campus pathways, clear-eyed 
students pass by, their futures still in front of them.

"I want their lives," Thomas says with the envy of someone who's halfway 
through his life and knows that his options are running out.

The campus is surrounded by snow-capped mountains, but the fresh air and 
scenery are lost on a digital animal like Thomas, who rarely leaves his 
apartment. Though he no longer works for the FBI, he still wakes early 
before classes to jump on the boards and see what's happening and stays 
online after school until late in the evening. The draw of the boards, 
when he has little to take their place, is too strong.

He's more than a little bitter about the way the FBI dropped him. After 
Butler pulled the plug on TheGrifters, Thomas says they discussed 
building a similar site to attract terrorists for the Joint Terrorism 
Task Force. But after Thomas developed a site, Butler failed to get 
approval for the project and cut Thomas loose.

For a time, Thomas kept TheGrifters online and turned it into an 
"anti-carding site" with a few associates, including "John Dillinger." 
They spent hours building dossiers on carders and tracking arrests, and 
amassed a large database of information, including part of the 
Shadowcrew database that someone copied after the bust. Thomas hoped to 
turn it into a resource for law enforcement and use it as a platform to 
warn kids away from crime, but it hasn't worked out that way.

"Crime is often harder work than a regular job," he says. "Every time 
I've done something -- it doesn't matter what it is, counterfeiting or 
whatever -- it's always been more work than a regular job would have 
been. And I would have much rather had a real job than be involved in a 
criminal act because it's less ... stress."

Of his associates from TheGrifters, only Dillinger knows about his work 
for the FBI. Thomas wanted to tell the others, he says, but some of them 
defended him when his enemies accused him of working for the feds, and 
it's hard for him to explain to them why he did what he did. He realizes 
that this article will likely make him a pariah in the community.

"The people on the fringes of society are the only ones who ever 
accepted me," he says. "Now I feel I've destroyed that for what I did 
for the government." Thomas' job with the government also cost him his 
relationship with Bridget Trevino, who left him about four months before 
the work ended because of his obsession with the boards.

"I became so unhappy because I never got to spend any time with him 
anymore," she says. "Even though we were in the same room together, I 
was alone."

Thomas says the FBI has threatened him with imprisonment in Texas, where 
he has an outstanding warrant for check fraud, if he talks to the press 
about what he did for them. "They don't want me discussing what the 
government was allowing to happen. They don't like the fact that people 
were authorized to do major crimes like that," he says [3].

There's a touch of self-destruction to his decision to talk now. He 
wants to leave the boards behind but lacks the willpower to do so. He 
knows that once this story is public, he'll have to close the chapter on 
"El Mariachi" and just be David Thomas again. "And maybe that's what I 
want," he says. "I want to get on with my life."

For years he's had no offline friends and now is having to get used to 
being around other people again. Last spring, when the winter thaw was 
gone and people at his college were starting to emerge outdoors again, 
he walked the campus green looking at students and teachers lounging on 
the grass in the sun and thought to himself, "God, this is just so 
beautiful."

"I feel like I've been locked up for years and years and years and I've 
just gotten parole," he says.

But that's only during the day. At night, he's back in a dark room, 
surfing the boards.
 

-==-
 

[1] http://www.wired.com/news/technology/0,72585-0.html?tw=wn_technology_5#
[2] http://www.wired.com/news/technology/0,72585-1.html?tw=wn_story_page_next1#fdesc2
[3] http://www.wired.com/news/technology/0,72585-2.html?tw=wn_story_page_next2#fdesc2

