Friday, March 21, 2014

Chapter 1 maybe....

Rogue Agent
The Story of the Greatest Hack in History

Outline

  1. Who I Am
  2. Hacking for Profit
  3. Running the Source
  4. HQ and Threats
  5. Confessions and Surrender
  6. Blackballed
  7. Cyber Jihad
  8. Disillusioned
  9. Axe To Grind
  10. New FBI

“Three o’clock, where had the day gone?”  There I was standing in line at the Target in suit and jacket, trying to hide my gun as I paid for my lunch, a Pizza Hut pepperoni pizza and fountain Coke.  I had popped into Target to grab some diapers and household supplies as I was returning from an interview.  It was only after I had the purchases that I realized I had forgotten lunch.  Not that missing lunch was unheard of, but it was New Year’s Eve 2004 and I was on call until the wee hours of the morning.  I needed to eat.

I grabbed my lunch, placing it in the child seat section of the shopping cart, and headed out the door to the parking lot and my 1999 gold Chrysler Cirrus with hideous multi-colored interior and a large dent on the right rear corner panel where a safe had hit the car.  Yes, a safe.

As I got to the car, I fumbled with the remote and keys.  The remote to unlock the doors and pop the trunk, and the keys to unlock the master lock attached to two sections of heavy gauge chain used to secure the trunk lid to the car frame from the inside.  The trunk chain and lock were an extra precaution to protect the radio, shotgun and MP5 machine gun I stored in the trunk along with my ballistic vest, spare rounds and other tools of the trade.

I finally got the trunk opened and began loading the diapers and other Target purchases into the trunk when my cell phone began to vibrate on my left hip.  Understand, the midsection of my body looked something like a Batman utility belt.  Going from right to left I had my Glock 22, a spare magazine, handcuffs, a retractable asp (which I was only carrying because I had just been on an interview), two more magazines, a can of pepper spray (again, only because of the interview), my cell phone and of course my badge.  In my pocket I also carried one more trade tool, a thumb drive with some cool software I used in special circumstances.

But back to the phone…

As I glanced at the caller ID I noted it was coming from an international exchange.  Very few people had this number and even fewer lived or worked outside the US.

When I recognized the prefix as being from Eastern Europe, the caller’s identity was limited to either a select group of associates within the Ministries of the Interior (MVD) of Russia, Belorussia or the Ukraine, or it was one of my sources who provided information about criminal activities.

“Hello, this is EJ.”

“E.J.? E.J.!  We got a big problem.  You’ve been hacked.  They have my name, they have everyone’s name and it’s up for sale.  They could come after me.  If you don’t stop this, I’m dead.”

For the next twenty minutes, I tried to calm my source and get the details I needed to address the issue. 

Based on the documents being shared and the names contained within the documents, the email systems of DOJ.gov, USSS.gov and/or FBI.gov had been compromised by hackers.  Worse, the breach appeared to grant complete access to all communications about cases, suspects, sources and techniques on all email addresses in the systems.  Meaning the hacker would have access to the logons and passwords for almost every federal law enforcement official, including the Director of the FBI, the Director of the Secret Service and the Attorney General of the United States.

And it was now my job to find out who had cracked the systems, what they were doing with the information and try to put them in jail.

The best way to make that happen is to re-enter the cyber underworld and get access to the stolen data.  But sometimes, there are items, stolen items, that are too “hot” for anyone to touch no matter who they are, including FBI agents.

For my part, this hack would turn my world upside down.  It would make me question everything and everyone I worked with and eventually it would murder a dream.

For the world, this hack will seemingly never have occurred.  Only one 3-paragraph article was ever written about the hack.

Publicly the hack never occurred, but its impact was felt around the world.

Why?  Because if the information made available by the access obtained had been made public, it would have rattled the foundation of federal law enforcement for the whole of the United States.

My name is E.J. Hilbert and I was a Special Agent with the Federal Bureau of Investigation.

I joined the FBI in August 1999, 5 days before my 30th birthday.  As long as I can remember I wanted to be an FBI agent.  I graduated from college in 1992 with a degree in History and a California teaching credential.  I did not enter college thinking I was going to be a teacher; I wanted to join the FBI and, like many, I thought I would need law enforcement or military experience.  I fully intended to join the Marines like my father, a career Marine and veteran of both the Korean and Vietnam wars, but I promised I would not join the military until I graduated college.  As such, throughout college I changed majors several times, from business, to biology, to communication, to pre-law and then pre-med.  How I ended up in History I don’t know, and how I ended up in education is yet another mystery.

When I graduated, the FBI had a hiring freeze; no new agent classes were being accepted.  The military was still an option, but as I had a teaching credential I thought I would give it a try.  I was hired to teach high school history to 9th-12th graders three weeks before my 23rd birthday.

After 6 years of teaching, I had decided I needed a change.  Originally, I thought the change would simply be a new school, but one day while I was teaching a publications class (I’m pretty good with computers, but I’ll explain more later) I was showing my class the difference between computer-aided layouts versus manual page layouts.  I had brought in my high school yearbooks as examples.  Well, as in any yearbook, my friends had made comments, and a couple of my students zeroed in on the numerous references to me wanting to be in the FBI.  “Good luck making it into the FBI.”  or “Hope your goal of being in the FBI comes true.”  And my students called me out.

“What’s this about wanting to be in the FBI?” they asked.
I replied, “Oh, it’s just what I wanted to do when I was your age.”
“Well then you are a hypocrite,” they said.  “You force us to follow our dreams and try for the things we want, yet you never did.”

And they were right.  So a month later, scared to death, I went to the FBI office in San Diego, CA and picked up an application to become an FBI agent.

One year after my initial testing I was sitting in a classroom in Quantico, VA at the FBI Academy suffering through week one of a 22-week training program.

In the year between application and new agent appointment, my life had changed for the better; not only was I in great shape, I had met the love of my life and gotten engaged.

One of the hardest parts about the FBI Academy is not the course work or physical training or practical testing but rather the lack of knowing where you are going to be stationed.  The FBI has field offices in 56 different cities and each of those has satellite offices known as Resident Agencies.  An example is the FBI Field Office in Honolulu, Hawaii with a Resident Agency on the island of Guam, 3820 miles away.  The FBI also has agents in over 40 different countries around the world serving as legal attaches as well as other roles.

Now a new agent would never be sent overseas; he or she was at the mercy of the FBI to determine where they would be sent.  Some speculate that the way new agents are assigned to offices relies solely on the shoulders of a monkey throwing darts with agents’ names on them at a map of the United States.

During your first couple of weeks in Quantico, new agents are asked to rank the 56 field offices in order of preference.  Then in the 7th week, provided you have survived, you are notified which of your picks you received.  Some would receive their first pick and others their 56th.

For me, being newly engaged, and my future bride having been accepted to law school in southern California, really turned my plans topsy-turvy.  I had planned on packing up and moving to the east coast, but now I had a reason to come back home.
As such, I ranked San Diego #1, Los Angeles #2, then Atlanta, New York, Boston, and then randomly selected the others.  Since LA and New York were large field offices, I was sure to get one of the two, and I did.

I was assigned to the Los Angeles Field Office (LAFO).  But what type of crime I was going to be working was still unknown.

Understand that as much as a new agent could request an assignment and the type of crime they would be working, again you were placed based on the needs of the Bureau.  This could mean you were working drugs in the headquarters city or were assigned to one of the field office’s satellite offices known as Resident Agencies.

One of the greatest things about working out of an RA was that, because it was not a field office, manpower was often limited.  So, though an agent was assigned to work one crime, he or she would often be called upon to help out on all the other crimes, to include search warrants, arrests, surveillances, buy-busts, the works.

My weekly calls from Quantico to LAFO to try to determine my investigative fate became something of a nuisance to the Assistant Special Agent in Charge’s (ASAC) secretary.  As a result, she finally told me that if I stopped calling I would be sent to wherever I wanted.  I requested the Santa Ana RA in Orange County, CA and stopped calling.  My fiancée was attending law school in Orange County and we planned to live in the area after we were married.

Upon graduation from Quantico, and true to the ASAC’s secretary’s word, I was assigned to Santa Ana Resident Agency Squad 3 (SARA-3) to work white collar crime.  WCC included public corruption, bank fraud, wire fraud, environmental cases and several others.  Also included in this category was cyber crime, namely using a computer to commit a crime such as hacking, but also identity theft, stalking and fraud schemes.

I was extremely happy with my assignment.  Not that I knew a lot about fraud schemes, but in my youth I was something of a hacker.  I have no formal computer training, meaning I never took programming classes, but my brain just comprehends computers, and though my parents did not have much money, I got my first computer at 12 yrs old, a Commodore 64.  When I was 16, I used every dime I had saved to buy an Apple IIe.  And in 1992, when America Online started their service, I jumped online.

To this day, I have not had formal classroom computer instruction, but I still understand the systems, obtained my Certified Information Systems Security Professional credential after 5 days of review, and understand the schemes behind computer fraud and intrusions better than most.

Let me interject something of significance at this point.  In 1999, when I entered the FBI, cyber crime was the dream of Hollywood script writers.  Sure, some big time hackers had done their thing, and when they damaged systems or stole data they crossed into the realm of criminals, but cyber crime and identity theft were not prevalent.  In fact, the FBI really was not prepared from an investigative methodology and procedure perspective to handle what was about to occur.  As more people, companies and commerce moved online, so did the criminals.

When I entered the FBI, cyber crime, hacking for profit, began to take off out of control, and law enforcement simply was not ready.

Prior to 2000, cyber crime was something committed by anti-social “kids” working from their parents’ basements.  The use of modems to enter other systems and manipulate data or cause damage was more an act of defiance and aggression than a money-making opportunity.

The expansion of the world wide web and the dotcom explosion changed the online world dramatically, and with it the denizens therein.

The profile of a hacker as a male under the age of 30, extremely introverted and anti-social, was blown away, despite the opinion of many of the legal “old guard” and those charged with crafting and passing laws.  Hackers were and are now male and female, 13-60, introverts and extroverts, rich and poor, college educated and high school dropouts.  A hacker does not have a profile except for the reason he/she hacks.

After 2000, the reason a hacker hacks can be broken down into 5 categories with each being an escalation of the prior.

  1. Just Because:  Many hackers hack out of pure curiosity.  “What will happen if I do this?”  Liken it to working on your car and seeing how it runs, or taking apart a piece of electronics to see what makes it tick.  Hacking for this reason has no malicious intent; rather it is idle curiosity.
  2. E-rep:  Once hackers figured out they could take systems apart they began to get a reputation.  The best hackers are “l33t” or elite, and those with no skill are “lamerz/noob” or lame.  If you used the scripts and code that others wrote you were a “script kiddie.”  Though elite hackers have been around since computers existed, their reputation was limited to word of mouth in the online underground, but as the Internet grew and everyone could talk with anyone, these elite hackers’ reputations began to circulate, and to maintain and prove their status they were constantly upping their hacking game.  Breaking into harder and bigger systems to show off their skill and give shout-outs to their friends and naysayers.
  3. Theft of Data:  Once hackers started hitting bigger targets they also began looking at what they had access to once they were inside systems.  Personal data, credit card information, medical records, corporate intellectual property, etc. were now at their fingertips, literally.  And the original reason they hacked popped back into their minds.  “If I take this data and use it on this site to buy that product, what would happen?”  What happened was the data was accepted and a product purchased via fraud.  And thus the birth of online identity theft and hacking for profit.
  4. Theft of Services:  As hackers began to steal data, law enforcement began to track them.  Hackers needed a way to hide their tracks.  By breaking into unsuspecting systems, not touching anything on those systems but rather using those systems to attack other systems, hackers were able to hide their tracks by giving law enforcement a false trail.  The most common statement when I confronted a hacker about a hack I knew they committed was “it wasn’t me, my system must have been hacked.”
  5. It’s Their Job:  Hackers who moved past the curiosity phase and feared being caught realized their skills were worth high salaries in the corporate world.  Despite all their moaning and bitching about companies and products, as the elite aged, they took on jobs finding holes before other hackers did or defending systems against the “new elites” around the world.

It is also in 2000 that the FBI realized they needed to address the growing threat of cyber crime.  A Cyber Crime Division was set up and staffed by senior agents who had an interest in cyber crime but little experience.  In fact, the FBI had very few agents with the technical know-how to address the issues of computer hacking and the subsequent fraud.  Even the Department of Justice had to scramble to set up a special section to address the cyber crime issue, called CCIPS, the Computer Crime and Intellectual Property Section.  (In all honesty, the FBI had agents focused on cyber crime throughout the 90’s, but most of the focus was on child predators and Economic/International Espionage.  Internet fraud was not a crime the FBI was accustomed to.)

The FBI has two “manuals” that every agent is made familiar with during their months of training in Quantico.  They are the Manual of Investigative and Operations Guidelines, the MIOG, and the Manual of Administrative and Operational Procedures, the MAOP.  These tomes contain the basis for how investigations are to be conducted for all aspects of crimes.  Unfortunately, they did not explain how to investigate cyber crime, how to adequately deal with its international aspects, or how to adapt to the changing attacks.

Back to the FBI and eventually the “hack.”

Each new FBI agent is assigned a Training Agent upon his/her entrance into the field.  That training agent is responsible for your first 2 years on the job, during which you are a “Probationary Agent,” a newbie, an FNG (Fuckin’ New Guy).

As such, you don’t really have your own cases for the first few months, and your days are taken up with helping out on other cases or more menial tasks like washing senior agents’ cars or ferrying documents back and forth to the United States Attorney’s Office.

One of the most hated jobs for an FBI agent is called complaint duty. 

The duty agent is an agent who is assigned to sit at the front desk of the FBI office with the office switchboard operator and handle incoming calls from individuals reporting crimes.  One of the other perks of being the duty agent, and this statement is laced with sarcasm, is you get to handle any “walk-ins.”  “Walk-ins” are people off the street who feel the need to come to an FBI office and report what they feel are crimes.  The emphasis on THEY.  99 out of every 100 walk-ins is, for lack of a better word, a nut job.  These are the individuals who believe the government is listening to their thoughts via the fillings in their head, or see black helicopters at night, or take pictures of their neighbors showering as proof the neighbor is a druggie.  It’s a little known fact that everyone who is deemed a “walk-in” fills out a contact form.  This form is used to run a check for wants and warrants, but is also used to check their name against the “nut-box.”  If you see a guy walking the street with a tinfoil hat and a chain of paper clips dragging from his pant leg, don’t be surprised if he recently visited the local FBI office and was told that is the only way to ensure the CIA, Secret Service or Martians won’t be able to read his mind.

Oddly, my first real case in the FBI came from complaint duty.  Between the various nut jobs on the phone and walking into the office, I received a call from a company that handled credit card processing.  This was January 2000 and all the various rules regarding privacy and security were not in place as of yet.  Also, the stigma of admitting your business was hacked could be a business killer.

The victim company, which we will call SM, had been notified via email, fax and phone that their system had been hacked and 15,000 credit cards had been stolen.  The hackers wanted $1000, and in return they would help the company plug the hole the hackers had utilized.

As the duty agent, I filled out the FD-71 complaint form with all the information the victim could provide and sent it up to the supervisor’s desk for a determination of whether a case could be opened.  Every case assigned to an FBI agent has to be approved by their supervisor to ensure the facts warrant spending the manpower.

Understand here that the FBI has about 11,000 agents in the field, of which about 9,000 work cases (the others are management or operations).  Compare this number to the 35,000 cops in New York City and you can see FBI manpower is limited.  The FBI also has five years from the last illegal act to finish an investigation and present it to the United States Attorney’s Office, who then decide if a case should be prosecuted.  In a city like New York or Los Angeles, fraud cases where the loss is under $250,000 may not be looked at simply because it is not cost effective.

The FD-71 for the SM hacking case ended up on my supervisor’s desk, and though he thought little could be done with it, at my request the case was assigned to me.

My first FBI case is a computer intrusion via the Internet.  There are no detailed rules or procedures laid out by the FBI on how to truly handle these types of cases, so where do I start?

Well, the obvious trail was to get online and see if I could track back where the email extortion had come from.  The problem was the SARA did not have Internet access.

In 2000, the only access I had to the Internet was via an AOL dial-up account accessible in the mail room of the office.  In fact, my case work and my reviews of the FBI’s internal database, known as ACS (Automated Case System), were done on a PC running Windows 3.1 on a “lazy Susan” shared between my training agent and myself.  In order to do my research online, I had to utilize my home DSL broadband connection.

As my first case began to take shape, it became apparent that SM was not the only victim of these hackers.  I was able to link similar hacks and extortions to victims in Seattle, Sacramento, Newark and Hartford.  It appeared the SM hackers were involved in 35 different hacks and extortions of U.S. based companies.  Each of these offices had agents assigned to work the cases, and eventually we all began to connect the dots and work together.  At this time FBI HQ became involved and began to support the investigations.  Support in the form of equipment and eventually funding for an amazing undercover operation.

Within the RA, my bosses took notice of the significance of the case.  Other major intrusions were being reported across the country.  A 15-year-old boy from Canada whose father was connected to the Mafia had launched a distributed denial of service attack (similar to 10,000 crank calls a minute to a particular website) against all the major ecommerce sites of the day.  Cyber crime was on the rise and my bosses knew steps had to be taken.

About two months into the investigation, mysteriously, a DSL line with five unique IP addresses was installed in the RA.  My supervisor told me the cost of the line was hidden in the RA’s monthly phone bill and to use the new access to solve these cases.

And that’s just what I did.

I was able to track the extortionist hacker of SM back to his home in Chelyabinsk, Russia and to figure out that other hacking groups in Eastern Europe not only existed but were attacking US companies in the same way. 

In June 2000, as a result of the investigation, I was sent with a team of senior agents to Moscow, Russia for the first working group on international crime.  I had been an agent for 6 months and was being sent to the place I had been taught was the greatest enemy of the United States, and I was to cooperate with them as equals and friends.  Needless to say, I was scared.

In the end the meeting was a success.  Though officially the Russian investigators of the MVD (Ministry of the Interior) had few details and the representatives from the FSB, formerly known as the KGB, offered no answers, it’s amazing how much you have in common when the neckties are off and your place setting has a bottle of vodka and a bottle of brandy.

Also, a word to the wise: if you go to Russia, or any former enemy country for that matter, as a representative of the US government, your room will be bugged, your phone will be bugged, your luggage will be gone through and you will be watched all the time.  Those watching you will be looking for any opportunity to compromise you and thus control you.  Despite sharing this information with my wife, when we got in a phone argument, which I later found out she planned, not 10 minutes after I got off the hotel phone did I have prostitutes at my hotel door asking if I wanted company.  Not taking no for an answer, each night of my visit to Moscow was met with a different set of prostitutes looking to entice me.  I did not cave.

Though the stories of my trips overseas in support of the various cases I worked could fill thousands of pages they will have to wait for another time. 

The first FBI/MVD working group turned into a second working group meeting in Washington DC and forged a working relationship and friendship between FBI agents and MVD officers.  That relationship would then extend to the MVD officers’ colleagues in Belarus and the Ukraine.  And though I did not know it at the time, that first trip to Moscow would result in another 15 trips overseas during the next seven years.

After returning from the first trip, and armed with new information about how systems overseas worked, my methodology on how to address internationally based hackers changed.

Though the US was in the throes of a new criminal enterprise, the threat had not spread to other portions of the world and thus it was not a priority there.  Simply put, the Russians could not or would not help in stopping these hackers.

After tracking back the emails through an internet service provider in San Diego, I was able to put a name to the extortionist hacker, Alexey Ivanov.  I then found Ivanov’s resume online.  An operation was devised to utilize this information.  Unfortunately, as a junior agent, I was not allowed to run the operation, and my training agent was not interested in assisting.  Luckily, some fellow agents out of Seattle were willing to step out of the FBI norm and had an Assistant United States Attorney who was willing to back them.  The operation, code named Flyhook, was the first ever international hacker lure.  The FBI set up a fake business entitled Invita (I believe the name was suggested by SA Grey or SA Stone out of the New Haven Office).  Once the business was established, we invited the hackers to the US for job interviews.  The targets were Alexey Ivanov and Vasilli Gorshkov, two Russian twenty-somethings who had turned hacking US companies and ecommerce fraud into a budding business.

During their “job interview”, Ivanov logged on to his computers located in Chelyabinsk, Russia and downloaded a series of tools he would need to showcase his hacking skills.  Luckily for our operation, Ivanov was unable to see that we were recording every keystroke and command he sent via the Internet or on the Invita company computers.

The Ivanov/Invita case eventually earned the case agents from Seattle the FBI’s case of the year award.  For my part, I was not allowed to go undercover as I was a junior agent, but I did handle the arrest and interview of Ivanov outside of his hotel.

The story of Ivanov and Gorschov has been laid out in the media and in the book “The Lure” by former federal prosecutor Steve Schroeder.  I have also heard of several other books being written about the case, but for this story the Invita case was the precursor that forced me into the role of subject matter expert on international cyber crime and hacking groups.

As I stated above, working the case against Ivanov introduced me to the fledgling cyber underground and the realization that many hackers other than Ivanov were using the same methodology and extortionate claims.  One of the primary sites in this underground was Carderplanet.com.  I joined Carderplanet when it first went live online, and though most discussions were in Russian, I was able to understand most and thus extract intelligence about the international hacking world.  (Carderplanet plays a bigger role in this story and will be covered in depth later.)

After the arrest and interview of Ivanov and Gorschov it became clear that the original number of intrusion and extortion victims, set at 35, was actually more like 700, and that though Ivanov and Gorschov were involved in a number of them, the intrusions were actually the work of multiple hackers and hacking groups.  In fact, my fellow special agents had another such hacker in custody on the East Coast.

So as not to put this person or their family in danger of grievous bodily harm, I will not lay out how an international hacker came to be in the US, but it is important to understand that he was part of a group of international hackers who had met online and developed a way to convert stolen data into profit via identity theft.  This person, we will call him Denis, was sentenced to 5 years in prison for his part in the hacks.

However, after one year in jail, Denis wanted to deal.  He wanted to help the FBI go after the international hacking groups, or at least that was his claim.  It is more likely he wanted to get out of jail, but either way the FBI needed a source like Denis.

For approximately 18 months, I had been infiltrating hacker forums, chat channels and international hacker groups.  But I lacked one key requirement to being truly accepted into these groups: I did not speak the language.

The hackers I was chasing used a mix of hacker speak, English and their native language, which for many was Russian.

When I heard that Denis, a Russian speaker, wanted to deal, I approached my bosses and the US Attorney’s Office with a plan.  Though I knew that cases could still be made against Denis for hacks the FBI knew he committed but had not yet charged, we could do what law enforcement does on a daily basis.  We could make this guy a deal to go after the bigger fish in the sea.


Chapter 3

In order to truly understand the significance and some say “revolutionary” aspects of my plan, you have to understand how the FBI works.

In 2007 there were approximately 35,000 gun carrying sworn police officers in New York City.  In comparison, the FBI had 22,000 employees.  Of that number approximately half are “support” employees and the other half 11,000 are sworn gun carrying agents.  Of those about 2000 are in management roles.  This means there are 9000 FBI agents responsible for investigating federal crime in 56 different field offices across the US and over 50 different countries.

Despite what Hollywood and the media like to put forward in novels and movies, the 9000 agents who hold the title of Special Agent are the only ones who work cases.

If an individual graduates from the Special Agent program at the FBI Academy in Quantico, VA, they are given the title “Special Agent” and are assigned to the field to work cases.  Each agent, depending on the nature of the crime they are working, will have a case load of 5-20 cases at any given time.  The reason for this is that something does not happen on a case every day, and most cases require court orders, review of information, interviews, etc.

Also, FBI agents work alone.  Each agent has his or her own cases, and as such if they need the help of another agent for interviews or surveillances, they have to schedule time with others to help.

As such, when the media covers an FBI raid on a building or a gang takedown or major arrest, the agents involved in that takedown are agents from multiple squads who work multiple different crimes, who have all been briefed on the case and come together to safely and securely execute the tasks at hand.

One other key point is FBI agents have 5 years from the last overt act, the last criminal act, to bring charges.  This fact is key, because when a major criminal event occurs, such as a kidnapping or, god forbid, a terrorist attack like that which occurred on September 11, 2001, all work on other cases can be halted and all resources can then focus on the event.

However, such an event is a case and thus it is assigned to an agent and he/she is responsible for guiding how the investigation will go, who needs to be interviewed, what files need to be retrieved and from whom and so on.

Another fact about the FBI is that in no other organization do so many work so hard, to stay at the bottom.  And the bottom of the FBI is a Special Agent.

Squads are managed by SSAs, Supervisory Special Agents.  These are agents who have chosen to seek promotion and thus manage other agents rather than manage and investigate cases.

There was a time that an agent could not be considered for promotion until they had five years under their belt as a special agent and thus had worked a number of crimes.  Those days are long gone, and agents can be promoted after 2 years in the Bureau, meaning right after they get off probation.

Now most agents are not “blue flamers” meaning they do not try to jump into management, in large part because they realize they do not have the street experience to effectively manage a group of people with such diverse and complicated cases, but there are always those whose egos make them blind.

Each FBI SA is assigned to a squad. Each squad is managed by an SSA. SSAs are managed by the Assistant Special Agent in Charge, aka ASAC, and each ASAC is managed by the Special Agent in Charge, aka SAC.  Usually the SAC is the highest position in the field.  They run the office sort of like a lord over his fiefdom.  In the largest FBI field offices, such as New York and Los Angeles, the SAC is managed by an Assistant Director in Charge, aka the ADIC.  His/her role is the same as the SAC for the smaller offices.

The successes of the agents assigned to a field office are touted as the success of the management.  As such, the Federal Bureau of Investigation is one of the world’s most risk-averse groups.  Agents are willing to have guns pulled on them, chase down killers, operate undercover, but only after they have approvals in triplicate, and even then they will rethink going forward.  The reason for this is that many of those in management only got there because they rode the coattails of agents willing to take risks.  Sadly, these same coattail riders operate with a CYA “cover your ass” attitude and are the first to throw their meal ticket agents under the bus.

The FBI is part of the United States government meaning that those who rise in the ranks play the politics game and are willing to “eat their own” in order to raise one step higher.

A fact I personally find sad and maddening, as each and every agent takes an oath to defend the U.S. and its citizens against all enemies, foreign or domestic, with disregard to personal advancement.  Many seem to have forgotten that oath.   But I digress.

Each of the field offices and their management is in turn managed by FBI Headquarters.    FBI Headquarters is located in Washington DC in the J. Edgar Hoover building.  FBI Headquarters does not work cases.  Rather, all FBI special agents who work in FBIHQ are SSA or above.  FBIHQ is akin to a corporate headquarters.  You can’t go to Mattel’s HQ in El Segundo, CA and see toys being built and you can’t go to FBI HQ and see cases being solved.

In my 8 years in the FBI I spent an inordinate amount of time talking to and lecturing in FBI HQ.  In all my visits to FBIHQ rarely did I see an SSA wearing his/her gun on their hip, a standard requirement for all FBI special agents.  And the agents I did see wearing their weapons, as I knew, did so because their work in the field had earned them a supervisory role.  They were there on merit and not on coattails.

FBI HQ’s SSAs are managed by Unit Chiefs, who are in turn managed by Section Chiefs, who are in turn managed by Assistant Directors.  These are program management positions.  They handle the full administration of the FBI, from personnel placement to congressional inquiries to White House briefings.

I know that my explanation of the FBI management seems negative, as if they are a bunch of stuffed shirts, but understand, that is the belief of many field agents.  It is said the first thing that happens when you get your 14, a reference to your pay scale on the Government Service pay schedule, is that you receive your free lobotomy.  It is often said, when an SSA from FBIHQ sends a request to the field or asks for a lead to be run down or tries to order a field agent to do something, “What does he know, he is just an HQ suit. I bet he hasn’t investigated a case in 10 years.”

Agents who join the FBI to solve cases stay as agents.  Those who join because they think they can make the FBI better or different may seek a supervisory role. 

The FBI is the best law enforcement organization in the world because of the diversity and high level of people that are accepted into its ranks.  FBI agents are not just drawn from the ranks of the military, police or lawyers.  A large number of agents are selected from those applicants who have over 4 years of work experience in a field that fosters skills important to the daily work of an agent, such as communication, research, and interpersonal skills. Only the FBI has responsibility to enforce the laws over 400 different federal crimes, to include crimes that are the focus of other federal agencies such as the DEA, ATF or Secret Service.

How to conduct investigations into each of these crimes is contained in the FBI’s guidelines for operations and investigations.  The Manual of Investigations and Operations Guidelines (MIOG) and the Manual of Administrative and Operational Procedures (MAOP) lay out acceptable FBI investigative procedures.  Each new agent is required to be familiar with these guidelines and procedures when they are at FBI Academy.  Also each FBI agent must go through yearly legal training to address changes in laws, rules and acceptable investigative methodologies.

A couple of other interesting facts about the FBI: 
The average age of new FBI agents is 30
FBI agents have a mandatory retirement age of 57
Between 60,000-80,000 applicants apply to the FBI each year
Less than 1000 new agents enter the FBI each year
FBI agents make a maximum of $150K a year, but only after being in the FBI more than 15 years.
FBI agents do not get paid overtime
The FBI work week is a minimum of 50 hours per week
FBI agents are on call 24/7 and are to carry their credentials and weapons at all times to include when travelling on airplanes within the U.S.

With all this shared about the FBI, the most important aspect of working for the FBI is not included.

The Federal Bureau of Investigation is part of the United States Department of Justice.  The purview of the FBI is to investigate federal crimes by or against Americans and/or American entities. 

The FBI does not prosecute criminals.

This fact is an extremely important aspect of everything the FBI and Special Agents of the FBI do. 

The title Special Agent is often called into question by defense attorneys during trials.  “Special Agent Hilbert, why are you called a ‘special’ agent?”   The simple answer to that question is because that is the title of the position, but that leads to the question of “what is so special about the position?”  The true answer to that question is that Special Agents in the FBI are held to different standards than others, including other law enforcement personnel, by both the general public and the internal department they answer to.

Everything an FBI agent does both in their personal life and on the job is fair game in a trial.  Everything is subject to Monday morning quarterbacking by not only their supervisors but also the Assistant United States Attorney who will ultimately make the decision if the investigation and case are sound enough to go to trial.  Each case is presented to an AUSA who is assigned to prosecute the particular criminal activity.  This individual is required to go through all of the details of the case, ask questions and suggest additional evidence that would be needed from a legal perspective.

The United States Attorney’s Office is the prosecutive arm of the DOJ.  The United States Attorney in each district of the U.S. such as the Central District of California is a political appointee under each new Attorney General.  The individuals who fill these roles are selected because they agree with the Attorney General on legal issues and what crimes should be focused on. 

The Assistant United States Attorneys, AUSAs, answer to the US Attorney in their district.  Again this is similar to the FBI in that each U.S. Attorney runs his/her district as a fiefdom while relying on DOJ HQ for guidance on programs and priorities.

When a crime is committed and an investigation ensues, an AUSA is needed in order for an agent, any federal agent, to get warrants, record an interview, obtain subpoenas or any other court ordered process.  Each agent has a favored AUSA they bring cases to.  A trust develops between the agent and the AUSA; both know the rules will be followed and both know that the other will be straight with them about what happened or did not happen.  In essence, the AUSA becomes an agent’s partner for that case.

As an agent I worked with eight different AUSAs that I trusted.  I knew for each case what they would need or want in order to seek a prosecution.  Some were idealists, willing to take a case to trial with little concern for their win/lose record.  Others were very focused on whether or not they could win the case, and that factor guided their willingness to prosecute. 

Early on in my FBI career, a senior and somewhat jaded fellow agent warned me against sharing too much with the AUSA.  He said you only need share the fact that a source exists or that a wire was placed on the source, rather than the exact type of wire.  His reasoning was that AUSAs have an on-the-job life span of 5 years.  After 5 years as a criminal AUSA, many leave and go to the dark side, defending criminals against the FBI’s cases.  If the AUSA knows all our tricks they will find a way to attack them in court.  A former Federal Prosecutor can demand a huge paycheck by going into private practice.

Being an idealist myself and thinking that the AUSAs I worked with were as committed to the fight as I was and that their position was not just a stepping stone, I chose not to heed his advice. 

But just like there are those in the FBI that are “blue flamers” seeking to get to the top for their own personal gain, the same is true of attorneys in the DOJ. 

So despite what Hollywood and the media like to put forward, every case the FBI undertakes is not solely guided by the agent; rather, there is an enormous amount of oversight and approvers for each action.  In fact, as of 2001, if an agent wanted to conduct an interview of a primary subject in a terrorism case, the interview had to be approved by the agent’s supervisor, the AUSA, the Assistant Special Agent in Charge and in many cases people from both FBI and DOJ headquarters.

This level of bureaucracy is expected in the government but often glossed over by outsiders.  It is this bureaucracy that is a safeguard to civil liberties but can also cause serious issues.

Chapter 4

The international hacker, Denis Pinhaus, is sitting in a US prison for hacking American companies.  He is there in part because of me and others who believed he was responsible for far more crimes than he was convicted of, and because we forced him to take a polygraph, which he failed.

Denis now wanted a deal.  He claimed he would come clean about all crimes that he had committed and/or been a part of.  But what could he offer, given he had been in jail for a year, had no access to computers or the Internet, and all of his “hacker” friends were overseas?

Though the crimes Pinhaus was involved in spread across the whole of the US, somehow dealing with him was delegated to me. 

If we could be sure Denis would be honest, the USAO could offer Denis a reduced sentence for the intrusions he had yet to be convicted of.  In exchange, Denis had to work with me.

AUSA Arif Alikhan of the Central District of California and I travelled to the jurisdiction where Pinhaus was being incarcerated and conducted a series of interviews to determine the validity of Pinhaus’ claim of wanting to work with the FBI.

As the interviews occurred and AUSA Alikhan and Pinhaus’ lawyers negotiated a possible cooperation agreement, it was left to me to devise how exactly to use Pinhaus. 

Understanding that Pinhaus was to remain in jail and that his cyber underworld colleagues were located literally around the world, how exactly was he going to cooperate? 

In most cases a source would be used to conduct monitored phone calls or face to face meetings after he or she ingratiated themselves to the criminal element but in the world of cyber crime phones and face to face meetings were rare. 

Nonetheless, I had a plan. 

As much as the Invita undercover operation, which called for an international job offer, a one way traffic sniffer and the subjects showcasing their hacking skills before being arrested, was “unheard of” in the FBI prior to it being pulled off, my plan was downright impossible. 

And that is what I was told by any number of individuals within FBI management. 

In order to run an undercover operation you have to get specialized oversight and approval from FBIHQ. 

That approval was never granted, and not for lack of trying.  Rather, as there would be no face-to-face communication, nor was any FBI agent truly taking on an undercover role that required a full and verifiable back story, the FBI powers-that-be denied my plan, stating it was not a formal undercover operation and thus did not need their approval.

When I heard this I thought the plan was sunk, but in truth the Undercover Oversight Board was saying you don’t need approval to do what you want to do, as this is a “cooperating witness” or an “informant” operation that only required AUSA approval to consensually record communication between the source and the bad guys.

AUSA Alikhan approved the recording of conversations/online chats and thus one key element of the plan.

The next key element required Pinhaus being transferred to California and doing something that had never been done before.

Pinhaus’ claims of being willing to help were determined to be genuine and AUSA Alikhan began the process of getting Pinhaus transferred.   As he was in the custody of the Bureau of Prisons, Pinhaus would have to be moved to a Federal facility or a local facility with a federal inmate housing contract.  Luckily for me, Santa Ana, California had such a contract and I was able to make certain arrangements between the Bureau of Prisons, the US Marshals and the administration of the Santa Ana Jail.

Now the truly hard part began. 

A team of agents would be needed to transport Pinhaus from the holding facility to the off site location where the real work would begin.

We would also need agents to serve as guards to protect against escape and at least one full time translator to read and translate any messages received by or sent to Pinhaus once we let him back online.

See, the plan was for Pinhaus to take on a new identity online.  He would reenter the cyber underground, build a reputation and develop a list of targets.  His reputation would be bolstered by several other online personas managed by myself and a team of agents assigned to the case. 

We would work Monday through Friday for a minimum of six months ingratiating ourselves to the hacker community.

Pinhaus was transferred in the summer of 2002 but his cooperation was stalled.  In July of 2002, Hesham Mohamed Hadayet, a 41-year-old Egyptian national living in Irvine California walked into the Los Angeles International airport and opened fire on the patrons at the El Al Airline ticket counter before turning the weapon on himself.  I was called into the case to handle the search warrants for the websites and email addresses for Hadayet and help determine if the attack was an act of terrorism.  Three weeks later five year old Samantha Runnion was kidnapped and murdered by Alejandro Avila.  I served as the FBI liaison to the Runnion family during those three horrible days. 

For the latter case, Pinhaus actually contacted me from his jail cell to let me know that all I needed to do was book Avila into the Santa Ana Jail and the inmates would take care of him.  Not exactly a comment to convey that Pinhaus would stay on the straight and narrow, but he knew my role in the case and either he was trying to ingratiate himself to his new “boss” or he truly hated child predators as much as I do.

In August of 2002, my work load had settled enough and most of the logistics were worked out to reintroduce Pinhaus to the cyber underground.

Pinhaus was getting antsy to start working.  While waiting in prison he signed up for a word processing and Photoshop class.   You have to love a legal system that allows a convicted computer criminal access to unmonitored computers inside of prison.  While sitting in class one day, Pinhaus tried to print some of his work, as was allowed by the instructor.  When it was determined that the printer was not working, Pinhaus utilized the workstation he was assigned to scan the network, find a different printer and send his work there.  Of course, this action was seen as “hacking” the jail’s network and Pinhaus was banned from taking computer classes.

Given occurrences like that, it was clear, it was time to put Pinhaus to work.

And so we began…

Four to five days a week for the next nine months, myself and three other agents, two in each car, would drive to the location in which Pinhaus was housed.  Pinhaus was handcuffed and leg shackled and then walked to the car and seated in the back seat along with one of my fellow agents.  We would then drive to our offsite location, all the while being tailed by two agents in a follow car. 

Once we arrived at the off-site, Pinhaus was walked inside.  His leg shackles were removed and replaced with a leg cuff, connected to a 10 foot chain that was bolted into the wall.  Only then were his handcuffs removed and Pinhaus was granted access to a computer workstation connected to the Internet.

But this was not just any work station.  Every keystroke typed into the computer was captured and recorded on a different system secured away from Pinhaus. 

An FBI translator sat side by side with Pinhaus and myself to ensure that when Pinhaus wrote in a language I could not read, the translator would read it as he typed.

Screenshots of every page viewed on the monitor were taken at a rate of 5 per second.

We also deployed a series of traffic sniffers and event logs to monitor all programs running, traffic sent from or received by the system and every piece of data touched. 

These sniffers would come in handy later in the operation when a number of hackers tried to crack our system from around the world to include Max Butler, the hacker profiled in Kevin Poulsen’s book “Kingpin.”

Everything done on Pinhaus’ computer was recorded and copied four times from the original each night. One copy for the case file, one copy for AUSA Alikhan, one copy for the defense and one copy for Work.  The original data was stored as permanent evidence, complete with a chain of custody, and locked in a vault for use if and when any of the investigations went to trial.

The plan was scary in its simplicity.  Pinhaus would go online, re-connect with or join the cyber underworld and identify international hackers.  In some cases I would be introduced as his partner in the US or as a fellow hacker/carder, so that we could vouch for each other. Seems easy enough, right? 

Except, you can’t just walk into a group of criminals in cyberspace and get them to accept you.  Where do they hang out? Do they talk in code? How are you going to get them to trust you?  These are just some of the questions that had to be ferreted out, starting with a basic physical concern.  Yes, there are physical concerns when dealing in the cyber world, because eventually every crime comes down to physical human contact.

Understand that hackers do reconnaissance.  They track details. And they talk.

Going after hackers is also dangerous.  Just as when Ivanov hacked Sterling Microsystems and tried to extort them for $1000 or he would go public about the data stolen, the same could happen, and did happen, to the hacker hunters.  Hackers will turn the skills they use to attack a network and steal data to hacking a person’s life, stealing personal data and sharing it with the world.  They can also attack your credit, your social standing and your identity. 

Putting personal safety aside for the moment, the first physical concern was the geo-location of the Internet Protocol (IP) address being used by Denis to make contact. 

This simple question could undo the operation before it got started. 

But this is the FBI; surely they have tools to route traffic around the world and make it appear like it is coming from anywhere. 

This is true but using that level of sophistication would immediately throw up red flags to the hackers we were targeting. 

When running an undercover operation, your identity needs to be backstopped.  Meaning everything has to fit, but not fit too well.  And backstopping is not only for the person, it includes everything from the cars you drive to the clothes you wear.

Now, given that this was the first time the FBI had sanctioned an operation such as this and the fact that all of it was going to be conducted online, save for any arrests, no one really knew how to backstop this operation.

When I busted my first hacker and sat down for a long and lengthy interview, he shared a number of unique insights.  One such insight was that all hackers know the FBI uses AT&T for its internet provider, so if you see an AT&T IP address ping your site or in the headers of an email, you have to assume it’s the Feds. 

So in order to avoid such a simple slip up, I arranged for a non-AT&T Internet Service Provider.  This fact also guided where our off-site office, which consisted of two rooms on the first floor of an office building, would be located.  We had a separate entrance around the back of the building hidden behind 6-8 feet tall shrubbery and easy access to a parking garage.  It also had to be in an area where AT&T was not the contracted ISP.

Sadly the office picked as an off-site did not have a working air conditioner, something I should have checked before agreeing to the space.  It’s amazing how hot a 15x15 room gets in September when the room is filled with 6 computers and four people.  And please note, this was not a Hollywood stylized FBI office with fancy touch screen projection boards or multiple flat panel monitors on roof mounts.  The equipment was the remnants of a Warez (pirated software) seizure where the equipment had been forfeited to the FBI.  The office walls were covered with white butcher paper so that we could write out link analysis, nicknames, aliases and other personal data for quick reference glances.  In other words our office sucked, but we were there to work, not to impress. But I digress.

Once we had a non-AT&T IP address we then would access the internet via a series of free proxies in other countries.  Of course, if one of those proxies failed, our true IP address would be broadcast.  That is when the cover story kicked in.  The IP belonged to some person in the US whom we had hacked and we routed all of our traffic through the hacked IP in case the FBI or USSS came looking. Our tracks would lead to some unsuspecting person in the states.

The next big issue was the computers themselves.

Once Pinhaus and I became players in the cyber underground, it was a guaranteed fact, our system would be hacked. 

And when “they” got in “they” would look at the system.  Our computers had to look like a standard everyday computer that would be used by hackers.   The software had to be tweaked and have odd licenses.  They could not be top of the line or have the latest and greatest hardware. 

So, the first order of business for Pinhaus, myself and the rest of the team was to ensure our systems weren’t too good and that they were properly laden with the junky data that would indicate a long time elite “l33t” hacker. 

Amongst the things we needed to add were language packs (Pinhaus would be speaking/typing in Russian and English), dummy documents, an eclectic Internet browsing history and, of course, we needed to back date everything.  We also needed to install the Russian language set and a Russian keyboard layout.  We did the same with several other languages including Greek, Spanish and Arabic.

I’m not going to say we got everything right but we did pretty well.

As we prepared our systems and did the physical leg work of dirtying up our computers, we came across an online game entitled Ant-City.  In the game, you played as a giant kid with a magnifying glass which you would move to focus the sun’s beam on the various aspects of a standard city.  Your beam would heat up tanker trucks and cause them to explode or you could set fire to trees, etc.  You could even focus on the little inhabitants of the city and cause them to melt.

After playing that game, the team agreed that, though the FBI official name for the operation was Major Case 144 Cardkeeper, the code name we would use for our little cyber intel gathering mission would be Operation AntCity.  Our focus was to find and shine a bright beam of light on the cyber underground and, as non-politically correct as it may sound, burn some of the inhabitants.


AntCity-

With everything in place, to the best of our abilities it was time to go active.  We, Dennis, myself and the team, split up the work load into four categories: 

Target acquisition-  Trolling the web for forums, IRC channels, chat rooms, etc. where hackers congregated and talked about their hacks, exploits and plans

Ingratiation-  Once a target site was located, members of the team would create covert accounts and online personas.  This required email addresses and demographic information to make each persona appear as a different person.  Young, male or female, skilled or noob, etc.  The accounts would be set up to lurk and occasionally comment in the rooms and grab relevant data.  Sometimes the accounts were used to promote another account and sometimes they were used to troll.  Trolling is when you pick fights online just to pick a fight.

The Approach-  Once a persona was known in a group and was receiving inquiries from other members, the team would take on the persona and engage other players.  Engagement could include the discussion of how to hack and attack, but very quickly AntCity engagement turned to the role of money man.

The Investigation-  When people or victims were identified, the data was run against information in the FBI systems to try to obtain a true identity and, in the case of victims, notify them of the intrusion.  If a victim was identified, an FBI case would be opened and AntCity intel would be used as evidence in the prosecution of the hackers responsible.

Dennis had a role in all but the investigations.  Dennis had no access to the FBI systems or databases.  In fact, such access was not located in the same room or building as Dennis.

A word about “sources” like Dennis: though they are considered part of the team, they are not.  They are a pawn in a game and are never truly trusted.  As I said before, sources do what they do in order to get a better deal for themselves once they have been caught.  Their motives are not altruistic. 

When working with sources you tell them what they need to hear and what you think they want to hear in order to get them to do what needs to be done.  This does not mean they are unlikable or that they should be disrespected.  But sources are manipulated by their handlers just as the sources are trying to manipulate the system.

In short, every law enforcement person who actually “runs” a successful confidential source, informant, snitch, asset, whatever the term used, knows the source will one day break bad.  And when they do break “bad,” those who will judge the situation and the performance of the handler will be people who have never run a successful source.

Sources are the life blood of law enforcement.  They are the man on the inside and one thing that is evaluated during every inspection.  How many sources does the agent have and how successful are those sources?

With that said, Dennis was a con man at heart.  As his handler, it was my job to direct his con-man skills away from trying to manipulate me and the rest of the team and rather to focus on the hackers, scammers, and fraudsters we found in the cyber underworld.

And it worked.

Within 7 days of going “live” on the web and engaging “hackers,” AntCity had two subjects under investigation and had purchased 1000 stolen credit cards for $200.

We paid the hackers via Western Union and tracked exactly where the money was picked up and by whom.

This pace would continue for the next 9 months.  Day after day, sometimes including weekends, we lived the life of the online denizens.  Since most of those living in the cyber underground work at night, our work schedule adapted, but as our focus became more defined on the international hacking crews of Eastern Europe, we were able to switch back.

8 am Pacific Standard time corresponded very nicely with the “hacking” hours of Eastern Europe.

It was not uncommon for the team to be running multiple instant messenger sessions with subjects while reading various forums and chatting in IRC (Internet Relay Chat) channels dedicated to the theft, selling, buying and trading of hacked data.

Playing the various roles related to our undercover or covert employee personas seemed to require a certain amount of schizophrenia on the part of all players.  One minute you are a hacker, another a buyer, sometimes you’re an internet troll looking to cause a fight and other times you are just lurking, gleaning information.  Also, all of the agents on this case were between 30 and 40 yrs of age but we were playing 20-somethings.  Imagine playing a 20-something female who is chatting up a 20-something hacker who is looking for an online romance while on another screen you are a hard ass data buyer who is ticked because the data, accounts, etc. would not work.

The cool thing about online chat is if you are on multiple chats, the other guy is on multiple chats too, and if you can get him flustered you can sometimes get him to make mistakes by saying, sending or revealing the wrong thing.  Though we were never face to face with someone, we could still get inside their head and mess with them because we were so many different people targeting different information.

AntCity was not concerned with the small fish, those who resold data stolen by others.  We focused on those responsible for the intrusions, the guys running the crews.

We would build huge handwritten link analysis charts to showcase how each hacker was connected to a website, forum, IRC channel or other hacker.  We would do the same on the victim side because sometimes hacking one company opened a door into another.  A hack of Amazon, because it is housed in the same data center as twenty other companies, may indicate those companies were also victims.

When, through our social engineering of the hackers, we were able to identify a victim, we would then contact that victim as the FBI and explain that they had been breached and that their customer data was being sold on the Internet.

Many companies were justifiably concerned and would take action to address the breach, but I distinctly remember one company in New York that was hacked 2 or 3 separate times.  When I notified the owner of the company of the breach, he simply said, “So what, it’s not my credit card.”   Another company was losing $2-3 million a day in stolen cards, data and product, but to fix the issue would require a company shutdown of several days costing them tens of millions of dollars with no proof it would work.  The company chose to lose the $2-3 million rather than shut down.

Of course the most common data being sold was full dumps of credit cards, or dumpz.  Dumps included all the data on the magnetic stripe on the back of a credit card, to include the card number, the cardholder’s name and other data. 

AntCity became the go to operation for anything cyber related across the FBI.  FBIHQ received weekly updates of who was being targeted or what was being discussed.  The AUSA was versed on all tactics and concurred.  Many in management offered up AntCity as proof of their good management skills when seeking higher positions (in the FBI individuals submit their achievements when seeking promotions rather than being identified and approached by management for advancement).

As the “Go-To” operation we were in nearly daily contact with all interested parties: the U.S. Attorney’s Office, FBI HQ, and other case agents who needed our help.

This meant near daily reports on the progress and issues we encountered. 

One major rule in the FBI: document everything, because if it is not documented, it did not happen.

At one point a large credit card processing firm in the central part of the US was hacked into and 10 million credit cards were believed stolen.  This intrusion would later serve as the straw that broke the camel's back, resulting in Congress demanding that the payment card industry do something about the ease of access to credit cards by hackers and the subsequent fraud schemes.

Either way, news of the breach and theft made it to the airwaves and the FBI was called in.  As the local agents worked with the victim company, DataP (I'm not providing their real name because there is no need to sully their reputation), to figure out how the hackers got into the system, AntCity was contacted to see if we could find and procure any of the stolen cards from the web.

This brought up a logistics question.  How do we compare the various cards we were buying against the 10 million stolen cards, and how did we know the cards were stolen from the victim DataP and not some other company?

As luck would have it, the media coverage of the hack helped us out.

The hackers, actually a team of hackers, saw the news coverage as well and knew that once the breach was announced the cards would soon be shut down and thus would hold no value.  Also they understood they had made a big mistake.   By taking all of the cards rather than one or two at a time as throw-away cards, they had tipped off the company to the intrusion and thus sealed their fate.

There was very limited time to use, sell or trade the stolen data. 

Dennis was able to locate a contact who knew a guy who knew a guy who claimed to be the hacker behind the breach.  The guy, we’ll call him Ivan, was willing to sell the cards to us.  But Dennis and AntCity would not pay up front for the cards until we could verify they were still active.  We wanted to make sure the cards were good.  We also wanted to compare the numbers against the list of 10 million stolen cards as well as the lists of stolen cards from other sites we had already acquired.

Ivan balked at providing us free cards, so we said no thanks and we discontinued talking with him.  By doing this we were taking a calculated risk.  Dennis continued to hit up the contacts we had made, but we also continued to go about business as usual.  The AntCity team had become known in the cyber underworld as the guys to go to if you wanted to sell your stolen product.  We were hard to deal with, but we were fair and we always paid.  We had a reputation as being money men.

Ivan found out about this reputation, and after several hours of us not responding to his IMs, when we finally did, he was ready to deal.

Not only was Ivan willing to provide us with sample cards before we sent him cash, but he had a sweeter deal.  He was willing to sell us access to the DataP servers for a period of several hours for $3000.  The access would include a current user name and password with full admin rights.  Also, he would give us access immediately as proof; we could pay him the following day.

Now because the account had a time limit, it meant that Ivan had more than one account with administrator level access into DataP.   It also meant that if he wanted to, Ivan could monitor all the cards we downloaded, and if we did not pay him, he could simply report them as stolen or post them on the web for anyone to take and destroy their value.

Ivan had one other card up his sleeve in making this offer.  Assuming the FBI had not tracked him down at this point in time, which they had not since he was sitting in Latvia, when Dennis and the AntCity team logged in to test the account, a new trail for the FBI to follow would be created.  In essence, the FBI would think that this recent intrusion and download was the original hackers coming back and follow that lead rather than focus on Ivan.

Needless to say, I instructed Dennis to take the deal.

Ivan provided us with the account as promised, as well as the name and location to Western Union the money to.

Upon receiving the account, I arranged a call with DataP's management and the local FBI office.  During the call I informed the CEO of DataP and all on the call that their system was still wide open and that we had just arranged to buy full access into their credit card database.  Now this was a bold statement on my part because that same day, DataP had publicly announced that they had locked down their system and they were sure the hackers had been booted.

When I shared that we had received a username and password for access to the account, and prior to sharing it with the CEO, the CEO piped in with “I'll bet a year's salary that our system is locked down.”  Now I’m a betting man and I like to gamble, but being an FBI agent and this being a victim, I was not able to take the bet.  I suggested that the CEO not be so confident and asked for permission to try to use the account and password.

My request was based on two very specific reasons.  One, it would have been illegal for me to use the account and password without permission because it would have been “unauthorized access to a protected computer.”  Second, I was certain Ivan was monitoring the account, when it was used and the IP address associated with the use.  If it was shown to be used internally by DataP, AntCity, or at least the persona Dennis used when speaking with Ivan, would have been burned.

The CEO of DataP granted permission and three seconds later, Dennis, myself and the rest of the AntCity team were looking at millions of credit card records. 

A few minutes after we logged in, the collected group at DataP logged in to the same results.  The phone line went silent and after a long pause the CEO stated, “We’ll have to get back to you.”

As for Ivan, he was watching our login and also the subsequent login and account shutdown.  After a period of flaming chats back and forth, it was agreed that his back doors were not as secure as he thought and that the FBI was watching.  That is why the account was quickly found and disabled by DataP.

Dennis’ persona was intact and we would later work with and buy stolen data from Ivan from a different victim and collect enough evidence to build a case against him for our colleagues overseas.

Simply stated, the trick to catching and identifying the hackers was following the money.  No matter how many technological road blocks the hackers, fraudsters and scammers put in front of themselves, eventually they had to enter the real world to collect their “winnings.”  We always wired the money on our terms, in part because we knew what we could track and what we could not.  Electronic money changers like E-gold and Webmoney made profiting from hacking very easy for the hackers and very hard for those chasing them.  So if you did business with any of the AntCity personas, you had to agree to Western Union or MoneyGram.  But we did have one unique situation…

Dennis had been contacted by a hacker in the Ukraine wanting to sell a couple thousand cards he had acquired. As this was an approach out of the blue, we thought that the seller, we’ll call him Misha, was either another law enforcement sting operation trying to identify us or someone scraping cards off the IRC channels that offer them up for free and then trying to resell them.

If it was another law enforcement agency, it meant that our cover was very secure and the bad guys were trying to dime us out.  This would surely lead to deconfliction issues later.

If he was a scraper and reseller we were not interested.  We were just as capable of scraping but AntCity’s focus was on the hackers who actually cracked systems.

But for some reason, I gave Dennis permission to engage Misha and see what was really going on.  The situation opened our eyes.

Misha shared a story that gave a new perspective on the Eastern European hackers.  For Misha’s part, he was a hacker, and apparently a fairly good one.  He had successfully hacked a number of companies and made a lot of money.  Now this is a relative concept.  Many of the hackers who target companies would ask for $1000-$15000 or they would let the world know the company was hacked.  This is seemingly a small amount of money given what they were stealing, but when you consider that many of the hackers were making less than $100 a week doing regular jobs in their homelands, making $1000 was huge money.  And they were untouchable because the victims were in the US and they weren’t.

The problem was all the money they were making. 

When a hacker made extra money he would spend it on nice cars or clothes or fancy dinners.  Well when you do that in Kiev or Minsk or even Moscow you get noticed.  Not necessarily by the cops but definitely by the local mobsters. 

In Misha’s case he was taking advantage of his newfound wealth when one night, just as he was going out, he had some visitors at his door.  In short they said, we don’t know how you are making money and we don’t care, but you are now working for us and we are taking our cut.  Ukrainian organized crime was now involved with hacking.

Misha went on to tell us that one individual decided he did not like having to share his hacker profits, so he began running schemes on the side.  The hacker’s online handle was ||_VAN_||.  Several months after running his side gigs, ||_VAN_|| was found dead, or more accurately, ||_VAN_||’s hands and head were found in a ditch.  Misha was not sure about where his body was.

For me, I take that as a sign not to undercut the mob, but for Misha, he believed ||_VAN_|| only got caught because he continued to receive cash for his side hacking.  Misha had a way around that: he wanted to sell us his stolen data, but we could not pay him in cash or Western Union or by wire.  Instead Misha wanted us to buy him shoes and clothes and stuff for his girlfriend and send it to him as payment for the cards.

Now I was intrigued. 

I had Dennis send Misha to Nordstrom.com and VictoriasSecret.com and make a list of what he wanted us to buy.  The deal was we would buy the items and ship them to him as payment.  He would provide half the cards up front and the other half after receiving shipment.

I thought the idea was a good one because we would have a shipping address that was either Misha’s real location or connected to him in some way.  The intention was to mark the items we bought in a non-descript yet specific place so that when the package was delivered to its final destination and a person was eventually arrested, maybe they would be wearing or have in their possession the “purchased” items bearing the special mark.

Well, trying to explain that one to my supervisors and the AUSA, as any purchase had to be approved because all funds had to be accounted for, was not an easy task.

In the end we did not make the purchase.  And upon the declination, a female member of AntCity told the team we should be relieved.  Why?  Because where exactly were we going to mark the thong underwear and lingerie Misha had requested from VictoriasSecret, and how were we going to search for those marks when a subject was arrested?  A mark inside a shoe is easy to find; inside underwear, not so much.

It is important to remember that when AntCity was occurring, cyber crime and identity theft were new to the world.

Most of those stealing the cards came from cash-based societies, and the theft of credit card data and its use was not an attack on an individual; rather, it was an attack on the system and thus a victimless and harmless crime.

As such, finding the hackers, carders and fraudsters online was easier than expected, in large part because of prior cases the team had worked before engaging Dennis.

The paranoia we feared would govern the hacking community seemed to be tempered by the promise of cash, the international nature of the crime, the lack of prosecution and little to no fear of being caught.

Each team member had their favored location for flushing out the bad guys.  Usually it was a forum or chat group we had come across in prior investigations, but due to varying factors like language or time or the statement “you can't do that” by the suits in the front office.

Everyone likened what we were doing to somehow wiretapping the Internet, when in fact everything we did was available to the public if the public knew where to look.

For me the most favored site to find the bad guys was Carderplanet.com. 

Carderplanet was an online forum originally created by a group of 5 or 6 hackers, carders and scammers.  The site originally split the world into spheres of influence for its primary members, being sure not to attack any country within the Commonwealth of Independent States, aka the former Soviet Union.  The original members were Script, BoA (Bank of America), DeveloperCC, Bigbuyer, Klykva and a couple of others.  The site was primarily in Russian and most of those on the site were Russian speakers.

But the site grew in popularity as the online bazaar for all stolen goods.  Members took on roles related to status, with Script as the Godfather, others as Dons, Consiglieres and so on down the chain.   If you wanted to openly sell or buy products or services on Carderplanet you had to be verified by senior members.  Verification included offering free services to those members, and in turn they would write a review of how you performed.

Carderplanet grew from a Russian only site to include English, Arabic and other languages. 

Carderplanet saw the site as an online gang, where you would meet up with other hackers on an ad hoc basis to take on a hack, split the profits and then go your separate ways.  This ad-hoc hacking crew is common even today.  If you were a member of Carderplanet, you defended Carderplanet.  So when other sites offering the same structure and services began to pop up online, some Carderplanet members would go on the offensive by sending emails to everyone, including the FBI and USSS, diming out the rival group as selling child porn or stinger missiles or other things sure to cause an uproar.

The flame wars primarily existed between Carderplanet and the US-based carder forum Shadowcrew with a little smattering toward DarkProfits. 

Of course with Dennis’ language skills, Carderplanet became a target of AntCity and more specifically we were targeting Script.

At one point we were making so many cash buys that the hierarchy, Script included, questioned our cash flow.  They wanted to see cash or they would stop selling to us.  Well, the FBI does not have hundreds of thousands of dollars in cash lying around for use, and the process to get the cash and then return it takes weeks and mounds of paperwork.  Instead, I contacted the agents assigned to bank robberies and asked for a favor.

Two days later, the team followed our normal routine of getting Denis out of jail, but this time we had him change into street clothes as if he were going to a court appearance.  Once outside of the jail’s gated sally port, rather than head to the offsite, a caravan of three FBI cars and 6 agents drove to a local bank.  Once there we were ushered into a back room where the telecom equipment and computer network systems were stored.  The bank manager and three employees then joined us with $200,000 in $20, $50 and $100 bills.  Denis was uncuffed and a video was made of him thumbing through the cash while a sign in Russian was on the table that read, “Is this enough cash for you?”  Only Denis’ hands and lower torso were visible in the video.

Once the video was shot all of the money was recounted and the caravan of FBI cars left the bank and headed back to the offsite.

The “cash” video became a big hit in the carder forums and offers to sell stolen databases of information started to flow in.

As we worked the case and targeted the hackers, carders and fraudsters around the world, the intel we gathered was disseminated to various offices and agencies to support ongoing investigations as well as to educate law enforcement personnel about how “carding” worked.

During the operation of AntCity, Dennis was successful in ingratiating himself with Script, the Godfather of Carderplanet, and we even bought stolen credit cards from him.  We also bought cards from a guy going by the name cumbajohnny aka soupnazi, who was a member of both Carderplanet and Shadowcrew.

We toyed with the idea of becoming administrators on the site, which would have given us full access to the whole site and the members therein.  We were aware that this had been tried by others and that the USSS had an ongoing case working to do that exact thing on the ShadowCrew side.  The biggest blockade was a question of legality.  Namely, could we let a criminal organization continue to prosper and victimize people once we had been given “admin” control, or were we required to take it down as soon as control was obtained?

Given that AntCity was already using never-before-tried investigative techniques, we decided instead to use our level of access and reputation as a backstop to other operations.

Our investigation into Script revealed his real name to be Dmitry Golubov of the Ukraine.  Golubov will later be arrested by the Ukrainian MVD with the help of US Postal Inspector Greg Crabb, based in part on evidence from the AntCity investigation.

Golubov will re-enter this story later, but for now it is important to note that Script was the target of FBI, Secret Service and US Postal investigations.

The same is true of cumbajohnny, whose real name is Albert Gonzalez.  Gonzalez will eventually be arrested by the local PD in New Jersey and be turned over to the Secret Service.  He will become a source for the Secret Service in their investigations of Shadow Crew and Carderplanet.  That relationship will break bad and he will return to a life of hacking, only to be caught again and sentenced to 20 years in prison for hacking and stealing 40 million credit cards from the processor Heartland Payment Systems.

As a point of clarification, the US Secret Service, originally part of the Department of the Treasury, is not only responsible for the protection of the President of the US and other dignitaries; they are also responsible for investigating counterfeiting of legal tender.  This role will eventually be expanded to include the counterfeiting of credit cards and thus the USSS entrance into the world of cyber crime.

For the US Postal Inspection Service, their inclusion in the cyber world is a result of the shipping of packages that are illegally purchased with stolen credit cards.  Again, all the stolen data in the world is no good unless it can be used, and in this case it was used to buy goods and then have them shipped via the US postal service to locations around the world, which is mail fraud.

So each of the agencies has a stake in the cyber underground economy, seemingly for the same reason, but in truth, money and power come into play as well.  The cyber crime fighting bucket of money is only so deep, and when each agency wants its piece, battles begin to rage.  These battles other agencies and players will use to their advantage later on.

Within the FBI, we had an effective information sharing platform, and as such we were able to limit the number of toes we stepped on, but when it came to other agencies, very little information sharing occurred.  As such, de-confliction of cases became a role for the Department of Justice and the Assistant US Attorneys assigned to the cases.  Since they each had cases from different agencies, they also got to choose whose investigation was better suited for prosecution.  Also, all rules regarding investigations, evidence, source management, disclosure of witness identities, etc. are governed by the United States Attorney General.  Who better to know all the rules and the correct way to handle issues than the lawyers charged with prosecuting the bad guys and watching over the agents to ensure everything is done properly?

Over the next nine months, the AntCity crew worked at a blistering pace. We took part in over 2500 consensually recorded online chats, bought more than 400,000 stolen credit cards, identified and notified over 700 companies who were the victim of hacks and fully identified more than 100 hackers, scammers and/or fraudsters.

With pressure from FBI management to show “stats” namely indictments or convictions, it was time to wrap up the operation and send some people to jail.

Denis had been in custody of the US government for almost two years.  During that time he had waived his right to a speedy trial, but now it was time for him to have his day in court and the charges against him addressed.

Denis’ court appointed defense attorney was a former AUSA and well versed in FBI procedures, including undercover operations. He was made aware of all the assistance Denis had provided to the FBI, with the result being that Denis’ defense attorney and AUSA Alikhan arranged for Denis to plead guilty to the charges against him, and in turn he would get a 5K motion, meaning his sentence on the charges would be reduced to time served.

During his appearance in court, Judge Carter was made aware of Denis’ work as the reason for the AUSA’s “time served” recommendation.  This was then followed by Denis’ defense attorney stating for the record his gratitude for the way my fellow agent and I treated his client.  Then the strangest thing happened: Judge Carter came down off the bench and walked to the court gallery where members of the AntCity crew were seated.  Judge Carter then shook each of our hands and commended us on an “amazing” job.

Given that Denis was an illegal alien in the United States (a fact that was not shared with the Judge), upon his release from prison, he would be turned over to the custody of the Immigration and Naturalization Service and deported to his home country. Denis was going to be going home.

This fact was great for Denis but a huge negative in terms of the possible prosecution of those identified during the AntCity Operation.  The FBI still needed Denis and as such a deal was reached between the AUSA Alikhan, Denis’ Defense Attorney and Denis. 

Denis would stay in the United States and he would continue to work with the FBI. Denis’ housing would be taken care of and he would receive $1000 per month in spending cash from the FBI.  And if, in a couple of months, he so decided, he would be sent home on the FBI’s dime.  If and when he was needed to testify, he would return to the U.S. as a witness.

FBI management agreed to this arrangement, in part because of the success of AntCity. 

Denis’ deal with the AUSA required Denis to be placed on probation.  He would be assigned a probation officer and would be required to check in accordingly.  This arrangement had several huge hitches. The first of which was that if Denis was given probation, his real name and information would be searchable in the online court records accessible through PACER.gov.  Again, hackers do research, and given that Denis was a known hacker before he was incarcerated, if after he is sentenced he is released and remains in the US, then everyone will assume he is cooperating with the FBI and thus his family and friends would be in danger.

The hackers we had been hunting, and seemingly would continue to hunt were making millions and we were taking away their livelihood.  Families were fair game.

With the fear on the table, it was necessary that all documents related to Denis’ cooperation, charges, sentencing and probation not only be sealed by the court but also not be placed into PACER.  No small logistical feat, but it was arranged.

When Denis finally had his day in court, he stood before Federal Judge David Carter and pleaded guilty.  The recommendation for sentencing was made by AUSA Alikhan and accepted by Judge Carter.  Then something strange happened: Denis’ defense attorney made a statement on the record commending the FBI agents in the room and all those that had worked with his client, thanking us for our professionalism and dedication.  This was then followed by Judge Carter stepping off the bench, coming to the courtroom gallery and walking to each of the agents present, myself included, to shake our hands and thank us for our work.

I did not know at the time but later found out that Judge Carter was well aware of the work and the type of cases Denis had been working on, and that he was aware that Denis would be staying in the US and continuing his work with the FBI.

It makes sense that the Judge in the case would know about the arrangement made between the defense attorney and the AUSA, because Denis was illegally in the U.S. and by giving him probation the court had allowed him to remain in the U.S. illegally.

As I said earlier, the arrangement had hitches. 

Denis needed a place to live and money but his illegal status meant he had no valid identification to provide as proof of identity.

Per the terms of his probation, which were sealed by the court, Denis’ probation officer was not allowed to speak with me about his case.  Denis was also forbidden from having any contact with law enforcement, which meant that working with the FBI was strictly prohibited.

Also per the terms, Denis was to get a job.  Well, if you have no social security number and no identification papers, you can’t get a job or a bank account or a driver’s license.

In short, Denis was told to lie and commit additional crimes in order to stay in the US.  All of these issues were brought to the attention of the AUSA but were seemingly not a concern.

AntCity moved into phase two.  Daily, Denis would come to the offsite on his own: no more picking him up from the jail, no more handcuffs or leg irons or chain shackling him to the table.  He could come and go as he chose, but if he did not work he did not get paid.

On one occasion right after Denis’ release as Denis was being moved into his new apartment, he asked for a ride to the grocery store to pick up supplies.  One thing in particular he wanted was mustard.  As we entered a Ralph’s grocery store and began to look around, it became apparent that Denis had no idea what life in the US was like.  The mustard aisle alone had over 40 different types of mustard in various shapes, sizes and flavors.  Denis was in awe and stated he was going to like it here.

Work on AntCity continued to progress very well.   Phase II was focused on solidifying evidence on 20 different subjects that had been identified as crew leaders who had sold us credit cards but had also indicated they were the hackers behind several major breaches.  They had names like Ganjabaz and Hiroksuson and of course Script and the major players at Carderplanet.

The team was successful in filing 10 federal complaints against those carders we had fully identified around the world.  Others would be charged by either other agencies or in relation to other cases and the evidence AntCity collected would be used without detailing how it was collected. 

One of the major accomplishments was the takedown of Carderplanet.  As Carderplanet was a forum or online bazaar of numerous cyber criminals offering up their wares, albeit ill-gotten wares, going after the players would not truly disrupt the operation.  We needed to take the site offline.

The USSS was planning a major sweep on Shadowcrew and had some luck in getting the Russians to help on Carderplanet server shutdowns in Russia, but Carderplanet stayed active.  The heads of the forum even went so far as to change the forum's banner to read something to the effect of “The FBI can't find us.”  They were taunting us, which was not a good move.

If the goal is to shut down a site, then attacking or targeting the people on the site only has limited success.  Through link analysis we determined key players on the site that, if removed, would have the greatest impact, and in the end the analysis showed the people were not the objective; we needed to focus on the servers behind the site.  And we found them in our own backyard.

Carderplanet was being hosted and run out of a set of servers in the basement of Paul Ashley’s home outside Columbus, Ohio.  Ashley was the owner and operator of Foonet, an independent Internet Service Provider.  Foonet was built to withstand outside attacks and to rotate IP addresses to continually hide where sites were actually hosted.  Foonet was also being used as a DDoS-for-hire shop.

A DDoS is a distributed denial of service, which is akin to a series of crank calls.  “Hello, is your refrigerator running?”  “It is?”  “Shouldn’t you stop it before it gets out the front door?”  One crank call an hour is bad; 50,000 a second will shut down the phone switches, or in the case of sites attacked by Foonet, it will shut down Internet access to and from the site.  But again, Foonet was designed to defeat DDoS attacks, so when Ashley and friends wanted to convince a site to host on their servers, they would DDoS the current host until the site realized they should change hosts.

During Phase II of AntCity, the takedown of Carderplanet was accomplished.  All the hard work was paying off and all were happy or so it seemed.

Denis was not happy.  He missed home, he had no friends in the US, he had no transportation and very little money, at least in his eyes.  $1000 a month was great, except when he saw how much those 40 different types of mustard cost.  And since he could not get a legal job and his probation officer was hounding him about how he was making money, things were coming to a head.

Denis decided it was time to go home.

It was clear to me that once Denis left the US he had no intention of returning.  He was done working for the FBI and he missed his home and his family. 

(to be continued)