Three years undercover with the identity thieves
- 21 January, 2009 08:22
Salesmen and parents know the technique well. It's called the takeaway, and as far as Keith Mularski is concerned, it's the reason he kept his job as administrator of online fraud site DarkMarket.
DarkMarket was what's known as a "carder" site. Like an eBay for criminals, it was where identity thieves could buy and sell stolen credit card numbers, online identities and the tools to make fake credit cards. In late 2006, Mularski, who had risen through the ranks using the name Master Splynter, had just been made administrator of the site. Mularski not only had control over the technical data available there, but he had the power to make or break up-and-coming identity thieves by granting them access to the site. And not everybody was happy with the arrangement.
A hacker named Iceman -- authorities say he was actually San Francisco resident Max Butler -- who ran a competing Web site, was saying that Mularski wasn't the Polish spammer he claimed to be. According to Iceman, Master Splynter was really an agent for the U.S. Federal Bureau of Investigation.
Iceman had some evidence to back up his claim but couldn't prove anything conclusively. At the time, every other administrator on the site was being accused of being a federal agent, and Iceman had credibility problems of his own. He had just hacked DarkMarket and three other carder forums in an aggressive play at seizing control of the entire black market for stolen credit card information.
That's when Mularski went for the takeaway. Salesmen have long used this tactic to seal difficult deals: You simply take the deal off the table in the hope it will spur the customer to come to you. Badgered by questions about his credibility, he threatened to quit altogether. "I decided to risk it all and just said, 'Hey, if you think you can do a better job running the site and if you think I'm a fed, then by all means take the stuff. I don't want anything to do with it," he recalled recently in an interview. "What law enforcement agency would, after they were monitoring the site, want to give it back to the bad guys?"
Mularski's gambit paid off, and the other DarkMarket administrators let him stay on for another two years.
In the end they would regret that decision. Iceman was right: Supervisory Special Agent J. Keith Mularski had gone deeper into the world of online computer fraud than any FBI agent before. Working with police agencies in Germany, the U.K., Turkey and other countries, he spearheaded a remarkable investigation that netted 59 arrests and prevented an estimated US$70 million in bank fraud before the FBI pulled the plug on Operation DarkMarket on Oct. 4, 2008.
Mularski works for a little-known FBI division called the Cyber Initiative and Resource Fusion Unit, run out of the National Cyber-Forensics & Training Alliance in Pittsburgh, Pennsylvania. The unit is different from a typical FBI field office. It works hand in hand with industry and takes the time to do the deep research required to penetrate the world of online criminals.
"They have a direct personal relationship with industry people in all areas, but specifically a great relationship with the financial institutions," said Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham. The group also works closely with international law enforcement, laying the groundwork to prosecute Internet criminals who launch attacks across national borders. "Those relationships allow them to take on cases that nobody else would take on," Warner said.
Mularski's life as an undercover spammer began around July of 2005, when he created his handle Master Splynter in a tribute to the cartoon rat who plays sensei to the Teenage Mutant Ninja Turtles. His unit ran a project called Slam-Spam, and Mularski, a self-confessed computer nerd, said he had picked up a lot of spamming tricks before he started the operation. "I could talk shop," he said.
He didn't send out spam himself, but he knew what questions to ask and -- more importantly -- what not to ask. He kept to his character as a spammer. If someone approached him with a new "zero day" attack, he wouldn't ask for details. And he avoided going after personal information, never asking forum members obvious cop giveaways such as where they lived. "The thing is with these guys, you can't necessarily target them and just approach them out of the blue," he said. "So by being out there and not really caring about things -- I played a lot of things off nonchalant -- I was able to gain their trust."
The hours were long; scammers don't work 9 to 5. "Sometimes I spent as much as 18 hours in a day online," Mularski said. "I was online every day from August 2006 until the operation came down."
His most active discussion time was between 10 o'clock at night and one or two in the morning. "Every night I'd be watching TV with my wife next to me and I'd have the computer on, just in case somebody needed to get a hold of me," he recalled.
After 10 years of marriage to an FBI agent, Mularski's wife knew that operations could cut into personal time. It couldn't have been easy, though. "She was the real saint in this whole thing," he said.
Master Splynter didn't take vacations either, even if Mularski did. "Usually, if you're not going to be online, you've got to give notice because they wonder what you're doing, whether you got busted or not. So if I was travelling somewhere and I couldn't be online, I'd always give these guys advance notice."
By September 2006, Mularski had become a moderator on DarkMarket. Not as powerful as an administrator, he was still a trusted manager, one step above the reviewers who assessed the quality of products being sold on the site.
That's when he got his big break. And it came from an unlikely source: Iceman himself. According to authorities, Iceman was making a play to control the market for fake credit cards by hacking into four carder sites, including DarkMarket, knocking them offline and moving their membership to his own site, CardersMarket.
Even when the site was back up and running, Iceman continued to hit DarkMarket with distributed denial of service (DDoS) attacks, which would overwhelm it with wave after wave of useless Internet traffic.
Mularski wasn't sure how things would play out, but in September 2006 he saw his chance. He started talking with Iceman about joining CardersMarket as a moderator, but soon realized that he had a better shot with another administrator at DarkMarket, Renu Subramaniam, aka JiLsi. "I basically told him, 'Hey, I can secure your servers for you,'" Mularski said. JiLsi made him a moderator, but held off granting him administrative access.
Then one Saturday night a month later, DarkMarket started getting hammered with another DDoS attack. "I was talking with JiLsi and I said, 'Hey I can secure the site? The servers are all set.'"
JiLsi's reply: "Let's move it."
Mularski was now a made man. As administrator to the site he could track people who logged in and, most importantly, read everything the cyberthieves were saying to each other. Working with his international law enforcement contacts, Mularski compiled evidence and, one by one, his team tracked down the crooks who ran DarkMarket.
The first big one to go was Markus Kellerer, a.k.a. Matrix001. German authorities picked him up with five other scammers in May 2007. A few months later Mularski's patron, JiLsi, was arrested in the U.K., one of the first targets of a newly created U.K. organization called the Serious Organized Crime Agency.
By September last year the operation had pretty much run its course. FBI approval for Operation DarkMarket was set to expire on Oct. 5, and Turkish authorities had finally rounded up Cha0 (real name Cagatay Evyapan), considered one of the FBI's top targets. An electrical engineer who manufactured ATM and point-of-sale skimming devices that could be hooked up to legitimate machines to steal information, Evyapan considered himself a "very traditional, organized criminal," not just a computer hacker, Mularski said.
He showed his nasty side when an associate named Kier (news reports have named him as Mert Ortac) spoke with Turkish media in early 2008, angering Evyapan. "He kidnapped him and tortured him and posted a picture of Kier in his underwear that's now famous," Mularski said.
The sign read, among other things, "I am rat. I am pig. I am reporter. I am ****ed by Cha0."
With Evyapan gone, "We had taken out all the administrators of DarkMarket, and that pretty much left me at the top," Mularski said.
Still, he remained in character for a few weeks longer. In September he posted a note saying he was closing the site, in part because of police infiltration. "It obvious [sic] that the Special Services and Security f***s are still here lurking in our ranks. They continue to gather evidence on us. They read our posts, they talk with our vendors, they look to see who are the active members of the forum," he wrote, according to a posting published on Wired.com.
But Mularski always knew that with all the international arrests being made there was a chance, through error or differences in judicial processes, that his name would be made public. And that's ultimately what happened. A German reporter, Kai Laufen, working on a story about cybercrime, discovered Mularski's name in court documents relating to the Kellerer case. On Oct. 13 Wired reported the story and everybody knew.
Still, some of Mularski's carder buddies refused to believe the reports. "These guys trusted me so much that even after the Wired article came out exposing me, for two days afterwards people were reaching out to me on ICQ thinking that it was a hoax and making sure I was alright."
Most were silent, however, after Mularski wrote them back saying that he was indeed an FBI agent.
One hacker who called himself Theunknown swore at Mularski, "You piece of crap fed... you're never going to catch me."
"Why don't you turn yourself in. It beats living the rest of your life on the run," Mularski wrote back. A week later, Theunknown followed his advice.