[ISN] One Hacker's Audacious Plan to Rule the Black Market in Stolen Credit Cards

From: InfoSec News <alerts_at_private>
Date: Tue, 23 Dec 2008 03:09:10 -0600 (CST)

By Kevin Poulsen
Wired Magazine 17.01

The heat in Max Butler's safe house was nearly unbearable. It was the 
equipment's fault. Butler had crammed several servers and laptops into 
the studio apartment high above San Francisco's Tenderloin neighborhood, 
and the mass of processors and displays produced a swelter that pulsed 
through the room. Butler brought in some fans, but they didn't provide 
much relief. The electric bill was so high that the apartment manager 
suspected Butler of operating a hydroponic dope farm.

But if Butler was going to control the online underworld, he was going 
to have to take the heat. For nearly two decades, he had honed his 
skills as a hacker. He had swiped free calls from local telephone 
companies and sneaked onto the machines of the US Air Force. Now, in 
August 2006, he was about to pull off his most audacious gambit yet, 
taking over the online black markets where cybercriminals bought and 
sold everything from stolen identities to counterfeiting equipment. 
Together, these sites accounted for millions of dollars in commerce 
every year, and Butler had a plan to take control of it all.

Settling into his chair and resting his fingers on his keyboard like a 
concert pianist, Butler began his attack. Most illegal online loot was 
fenced through four so-called carder sites—marketplaces for online 
criminals to buy and sell credit card numbers, Social Security numbers, 
and other purloined data. One by one, Butler took them down. (This 
story, like the rest of this article, has been reconstructed using court 
documents and conversations with friends and associates; Butler declined 
to be interviewed.) First, he breached their defenses, tricking their 
SQL database servers into running his own commands or simply slipping in 
with a hacked password. Once inside, he sucked out their content, 
including the logins, passwords, and email addresses of everyone who 
bought and sold through the sites. And then he decimated them, wiping 
out the databases with the ease of an arsonist flicking a match. He 
worked for two straight days; when he tired, he crashed out on the 
apartment's foldaway bed for an hour or two, then got up and went back 
at it. Butler sent an email under the handle Iceman to all the thieves 
whose accounts he had usurped. Whether they liked it or not, he wrote, 
they were now members of his own site, CardersMarket.com. In one bold 
stroke, Butler had erected one of the largest criminal marketplaces the 
Internet had ever seen, 6,000 users strong.

The takeover was all business. The stolen-data market had become 
fractured across too many sites, and they were pocked with snitches and 
security holes. By taking control of the entire underworld, Butler had 
created a marketplace he could trust. Even more important, it satisfied 
his competitive urge. Offline, Butler was a gentle giant with a generous 
nature and hippie sensibilities. But in the privacy of his hidden 
redoubt, Iceman pursued his online enterprise with ruthless zeal. He 
wasn't after money, not really. He just wanted to prove that he was 
smarter, bolder, and tougher than everyone else.


Help InfoSecNews.org with a donation!
Received on Tue Dec 23 2008 - 01:09:10 PST

This archive was generated by hypermail 2.2.0 : Tue Dec 23 2008 - 01:21:52 PST