In September 2008 police began arresting alleged members of DarkMarket, an underground Internet forum for buying and selling credit card data used for identity fraud. The sting wouldn't have been possible without the work of FBI agent J. Keith Mularski, who spent two years infiltrating the group.
Mularski became hacker "Master Splynter," a play on the name of the Teenage Mutant Ninja Turtles character "Master Splinter," a rat who lives in New York City's sewers. He was so successful in his online disguise that he ended up running the server that hosted the DarkMarket forum from his offices at the National Cyber Forensics Training Alliance in Pittsburgh.
Mularski, a supervisory special agent with the FBI's Cyber Initiative & Resource Fusion Unit, spoke about the DarkMarket sting during a session at the RSA security conference last month. ZDNet Asia's sister site CNET News.com caught up with him this week on the telephone to find out what it was like hanging out with cybercriminals.
Q: You were central to the DarkMarket sting. Tell me what happened and what role you played.
Mularski: We kicked off an undercover operation to try to penetrate these underground crime groups that are running these forums on the Internet. We developed the persona of a spammer/hacker and I assumed that role. Our intention was to try to penetrate the groups and dismantle them like we would with organized crime. In this case we were very successful in getting to the upper echelons of the DarkMarket group and we were actually able to run the server and host all the communications that were going on there to make our cases against the criminals. Worldwide we had 60 arrests. It was a two-year operation and we had arrests in the United Kingdom, Germany, Turkey, and here in the United States.
What measures did you take to try to prove you were legitimate?
I acquired the reputation of one of the world's top 5 spammers. The Spamhaus Project, which tracks spammers, made a listing for me as being a top spammer and that gave me credibility so that I didn't necessarily have to do any criminal activity. I could talk the talk. If someone wanted me to mail (send spam) for them I would (get out of it by giving them the excuse) that they were too small of a fish. If they were a big fish I'd just say I didn't have any openings or time to work with them.
What sorts of crimes were they doing on DarkMarket?
They were doing all sorts of identity theft. They were hacking into companies and stealing credit card numbers and selling them. They were selling counterfeit drivers' licenses and other photo documentation, as well as manufacturing fake credit cards. They were selling harvested bank accounts and brokerage accounts and selling different types of malware or spyware programs or Trojan horses that you could infect people's computers with. The whole gamut of the cyber underground was available there. If you needed it you could get it there on the site.
How did being undercover interfere with your life? What extremes did you have to go to to keep up the facade?
I would have to be online all the time, basically, in case someone needed to get a hold of me. If I was at home I would always have a computer on, even while watching TV. If I went on vacation I took the computer with me to make sure I was able to log in. I would tell the (DarkMarket) guys I was traveling to go surfing or something like that and I would tell them I'll be online at these times if you need to get me. I had a cell phone connected to a Gmail account and I would tell them if they had to get a hold of me to send an e-mail and it would ping me. It was like that for two solid years almost every day. My wife wasn't too happy about it (chuckling).
No doubt! Was there ever a moment when you thought the jig was up and that they were on to you?
There were a couple of those. We had a problem with our backstopping right at the beginning of the operation when I took over the server. One of our rivals had hacked into the DarkMarket server and was looking at who was logging in. He traced the IP address doing a "whois" (lookup) and the phone number connected to our covert IP address, which was supposed to be unlisted, but instead it showed the address here at the National Cyber Forensics Training Alliance. By doing some research they determined that the IP address came from this building and they thought it came from me. I had to go on the offensive and say that it wasn't me and that it was already in the server. Eventually they believed me. There were a lot of wars between rival groups at the time. A lot of people were accusing each other of being "feds" and "cops" and I was able to use that to my advantage to create a smoke screen and create doubt.
How were you able to become administrator of the DarkMarket server?
I had good relations with the administrator, whose alias was "Jilsi". He wasn't a very technical guy and was having problems running the site because it was getting attacked by a rival group. So I told him about my background as a spammer and told him how good I was at setting up sites. I did some demonstrations and set up some test sites to show him I had the skills. Then there was just a lot of talk and rapport building. One night when DarkMarket was getting attacked by a rival group I said I was ready and that I could secure the server for him, and he said "let's move". That gave me full access to everyone using it and what they were doing.
Any anecdotes to tell about your dealings with these people?
It was like a soap opera. There was constant drama going on. A lot of people were accusing one another of being cops. It was funny being part of the discussion as people were talking about whether so-and-so was a cop or a fed and I was sitting there knowing full well that the person wasn't. There were a lot of egos, and a lot of funny stories where guys would brag about their close brushes with the law and how close they got to being arrested. You get 20-year-old guys, 30-year-old guys who are single and making a lot of money, so you hear a lot of stories of partying and things like that.
Did you get a sense of what these carders are like as people; what their characters are like?
There are a lot of guys whose curiosity, I think, just got the best of them and led them down a dark path. One of the guys, Max Butler, who ran our rival site called Carders Market and used the hacker name Ice Man, was arrested in San Francisco. He was very intelligent. He could have been an excellent security expert. He could have given talks at RSA about vulnerabilities. A lot of these guys are just misguided. They get into a hotel and see that they have credit cards and one thing leads to another. I think that's how it all starts off, and then they find they can make a lot of money and it becomes a business, a job. If you met them in person they were actually nice guys. I enjoyed a lot of my chat sessions when we were talking about other things, like traveling the world and things like that.
How old are they?
The average guy is in his mid-20s or so. We've seen guys in their 40s. Ages range from 17 to 40-something, typically. A lot of the guys who we arrested were in their mid-30s.
How tied to organized crime are they?
One of the guys, "ChaO," kidnapped someone. He viewed himself as a traditional organized crime member. He was connected with organized crime groups in Turkey and they resorted to violence when they kidnapped someone who was talking too much about the operations. We're seeing more of that, especially in Romania. Also in Russia.
Did you hear from any of your former carder cohorts after the arrests?
I heard from sources that they couldn't believe I was an FBI agent. One of the guys whose house we raided wasn't at home and he sent me an expletive-filled message saying "you're never going to catch me". I told him he should give himself up rather than spend his life on the run, and a week later he turned himself in.
This work sounds kind of dangerous. Did you ever feel you were in danger or are you worried now?
When you are an FBI agent there's always that threat of danger working crimes undercover. We never intended for my name to come out in this operation. But FBI agents' names are in affidavits. There was always that risk that my name could be exposed. It's always in the back of your mind but you try not to think about it.
What impact did the sting have?
It showed that we can get you no matter where you live. We were able to make international relationships and work cases jointly with law enforcement in other countries. In the future there will be other joint cases in Europe and around the world. You don't necessarily have to be in the United States for us to bring you to justice. That is one of the most significant impacts it had. Another one is that it showed these guys that, yes, we do have a presence out there (on the Internet) and the United States is serious about targeting cybercrime. We are going to throw our resources at this problem.
How have things changed since you started the DarkMarket operation in 2006?
With every operation the bad guys learn more of the undercover techniques that law enforcement is using. Everything that was successful for us in this operation would have to be tweaked because of that. The level of sophistication is so much higher. The days of a cyber investigation where you just track an IP address and that leads you to a hacker's house, those days are long gone. There are many different anonymization services the bad guys are using. The exploits and botnets they are using are so much more sophisticated than they were a couple of years ago. Just two years ago the majority of the botnets were IRC botnets, which are fairly simple. Now we're seeing botnets like the Storm worm that are very sophisticated and running peer-to-peer networks, and that makes it harder for us to track down the command and control servers.
Have you been involved in any of the efforts to track down the people behind the Conficker worm?
I can't comment on that.
Anything else to add?
The message I'm trying to preach is that we have international cooperation and that other countries are starting to recognize this problem. Also, the attackers have changed with the emergence of organized crime into these cybercrimes. It's not just an 18-year-old pimply-faced kid in his room committing these crimes. These are organized crime groups doing it. It's all about the money now and not just about how elite my hacking skills are to get into this Web site. Profit is driving these groups.
The stakes are higher now for everyone?
Definitely.
This article was first published as a blog post on CNET News.