Rogue Agent
The Story of the Greatest Hack in History
Outline
- Who I Am
- Hacking for Profit
- Running the Source
- HQ and Threats
- Confessions and Surrender
- Blackballed
- Cyber Jihad
- Disillusioned
- Axe To Grind
- New FBI
“Three o’clock, where had the day gone?” There I was, standing in line at the Target in suit and jacket, trying to hide my gun as I paid for my lunch: a Pizza Hut pepperoni pizza and a fountain Coke.
I had popped into Target to grab some diapers and household supplies as I was returning from an interview. It was only after I had made the purchases that I realized I had forgotten lunch. Not that missing lunch was unheard of, but it was New Year’s Eve 2004 and I was on call until the wee hours of the morning. I needed to eat.
I grabbed my lunch, placing it in the child seat section of the shopping cart, and headed out the door to the parking lot and my 1999 gold Chrysler Cirrus with hideous multi-colored interior and a large dent on the right rear corner panel where a safe had hit the car. Yes, a safe.
As I got to the car, I fumbled with the remote and keys: the remote to unlock the doors and pop the trunk, and the keys to unlock the master lock attached to two sections of heavy gauge chain used to secure the trunk lid to the car frame from the inside. The trunk chain and lock were an extra precaution to protect the radio, shotgun and MP5 machine gun I stored in the trunk along with my ballistic vest, spare rounds and other tools of the trade.
I finally got the trunk opened and began loading the diapers and other Target purchases into the trunk when my cell phone began to vibrate on my left hip. Understand, the midsection of my body looked something like a Batman utility belt. Going from right to left I had my Glock 22, a spare magazine, handcuffs, a retractable asp (which I was only carrying because I had just been on an interview), two more magazines, a can of pepper spray (again, only because of the interview), my cell phone and of course my badge. In my pocket I also carried one more trade tool, a thumb drive with some cool software I used in special circumstances.
But back to the phone…
As I glanced at the caller ID, I noted it was coming from an international exchange. Very few people had this number and even fewer lived or worked outside the US.
When I recognized the prefix as being from Eastern Europe, the caller’s identity was limited to either a select group of associates within the Ministries of the Interior (MVD) of Russia, Belorussia or the Ukraine, or one of my sources who provided information about criminal activities.
“Hello, this is EJ.”
“E.J.? E.J.! We got a big problem. You’ve been hacked. They have my name, they have everyone’s name and it’s up for sale. They could come after me. If you don’t stop this, I’m dead.”
For the next twenty minutes, I tried to calm my source and get the details I needed to address the issue.
Based on the documents being shared and the names contained within the documents, the email systems of DOJ.gov, USSS.gov and/or FBI.gov had been compromised by hackers. Worse, the breach appeared to grant complete access to all communications about cases, suspects, sources and techniques on all email addresses in the systems, meaning the hacker would have access to the logons and passwords for almost every federal law enforcement official, including the Director of the FBI, the Director of the Secret Service and the Attorney General of the United States.
And it was now my job to find out who had cracked the systems, what they were doing with the information and try to put them in jail.
The best way to make that happen is to re-enter the cyber underworld and get access to the stolen data. But sometimes there are items, stolen items, that are too “hot” for anyone to touch no matter who they are, including FBI agents.
For my part, this hack would turn my world upside down. It would make me question everything and everyone I worked with, and eventually it would murder a dream.
For the world, this hack will seemingly never have occurred. Only one three-paragraph article was ever written about the hack.
Publicly the hack never occurred, but its impact was felt around the world.
Why?
Because if the information made available by the access obtained had been made public, it would have rattled the foundation of federal law enforcement for the whole of the United States.
My name is E.J. Hilbert and I was a Special Agent with the Federal Bureau of Investigation.
I joined the FBI in August 1999, 5 days before my 30th birthday. As long as I can remember, I wanted to be an FBI agent. I graduated from college in 1992 with a degree in History and a California teaching credential. I did not enter college thinking I was going to be a teacher; I wanted to join the FBI and, like many, I thought I would need law enforcement or military experience. I fully intended to join the Marines like my father, a career Marine and veteran of both the Korean and Vietnam wars, but I promised I would not join the military until I graduated college. As such, throughout college I changed majors several times, from business, to biology, to communication, to pre-law and then pre-med. How I ended up in History I don’t know, and how I then ended up in education is yet another mystery.
When I graduated, the FBI had a hiring freeze; no new agent classes were being accepted. The military was still an option, but as I had a teaching credential I thought I would give it a try. I was hired to teach high school history to 9-12th graders three weeks before my 23rd birthday.
After 6 years of teaching, I had decided I needed a change. Originally, I thought the change would simply be a new school, but one day while I was teaching a publications class (I’m pretty good with computers, but I’ll explain more later) I was showing my class the difference between computer-aided layouts versus manual page layouts. I had brought in my high school yearbooks as examples. Well, as in any yearbook, my friends had made comments, and a couple of my students zeroed in on the numerous references to me wanting to be in the FBI. “Good luck making it into the FBI.” or “Hope your goal of being in the FBI comes true.”
And my students called me out.
“What’s this about wanting to be in the FBI?” they asked.
I replied, “Oh, it’s just what I wanted to do when I was your age.”
“Well then you are a hypocrite,” they said. “You force us to follow our dreams and try for the things we want, yet you never did.”
And they were right. So a month later, scared to death, I went to the FBI office in San Diego, CA and picked up an application to become an FBI agent.
One year after my initial testing I was sitting in a classroom in Quantico, VA at the FBI Academy, suffering through week one of a 22-week training program.
In the year between application and new agent appointment, my life had changed for the better: not only was I in great shape, I had met the love of my life and gotten engaged.
One of the hardest parts about the FBI Academy is not the course work or physical training or practical testing but rather the lack of knowing where you are going to be stationed. The FBI has field offices in 56 different cities and each of those has satellite offices known as Resident Agencies. An example is the FBI Field Office in Honolulu, Hawaii with a Resident Agency on the island of Guam, 3820 miles away. The FBI also has agents in over 40 different countries around the world serving as legal attachés as well as other roles.
Now, a new agent would never be sent overseas; he or she was at the mercy of the FBI to determine where they would be sent. Some speculate that the way new agents are assigned to offices relies solely on the shoulders of a monkey throwing darts with agents’ names on them at a map of the United States.
During your first couple of weeks in Quantico, new agents are asked to rank the 56 field offices in order of preference. Then in the 7th week, provided you have survived, you will be notified which of your picks you received. Some would receive their first pick and others their 56th.
For me, being newly engaged, and my future bride having been accepted to law school in southern California, really turned my plans topsy-turvy. I had planned on packing up and moving to the east coast, but now I had a reason to come back home.
As such, I ranked San Diego #1, Los Angeles #2, then Atlanta, New York, Boston and then randomly selected the others.
Since LA and New York were large field offices, I was sure to get one of the two, and I did.
I was assigned to the Los Angeles Field Office (LAFO). But what type of crime I was going to be working was still unknown.
Understand that as much as a new agent could request an assignment and the type of crime they would be working, again you were placed based on the needs of the Bureau. This could mean you were working drugs in the headquarters city or assigned to one of the field office’s satellite offices known as Resident Agencies.
One of the greatest things about working out of an RA was that, because it was not a field office, manpower was often limited. So, though an agent was assigned to work one crime, he or she would often be called upon to help out on all the other crimes, to include search warrants, arrests, surveillances, buy busts, the works.
My weekly calls from Quantico to LAFO to try to determine my investigative fate became something of a nuisance to the Assistant Special Agent in Charge’s (ASAC) secretary. As a result, she finally told me that if I stopped calling I would be sent to wherever I wanted. I requested the Santa Ana RA in Orange County, CA and stopped calling. My fiancée was attending law school in Orange County and we planned to live in the area after we were married.
Upon graduation from Quantico, and true to the ASAC secretary’s word, I was assigned to Santa Ana Resident Agency Squad 3 (SARA-3) to work white collar crime. WCC included public corruption, bank fraud, wire fraud, environmental cases and several others. Also included in this category was cyber crime, namely using a computer to commit a crime such as hacking, but also identity theft, stalking and fraud schemes.
I was extremely happy with my assignment. Not that I knew a lot about fraud schemes, but in my youth I was something of a hacker. I have no formal computer training, meaning I never took programming classes, but my brain just comprehends computers, and though my parents did not have much money, I got my first computer at 12 yrs old, a Commodore 64. When I was 16, I used every dime I had saved to buy an Apple IIe. And in 1992, when America Online started their service, I jumped online.
To this day, I have not had formal classroom computer instruction, but I still understand the systems, obtained my Certified Information Systems Security Professional credential after 5 days of review and understand the schemes behind computer fraud and intrusions better than most.
Let me interject something of significance at this point. In 1999, when I entered the FBI, cyber crime was the dream of Hollywood script writers. Sure, some big time hackers had done their thing, and when they damaged systems or stole data they crossed into the realm of criminals, but cyber crime and identity theft were not prevalent. In fact, the FBI really was not prepared, from an investigative methodology and procedure perspective, to handle what was about to occur. As more people, companies and commerce moved online, so did the criminals.
When I entered the FBI, cyber crime, hacking for profit, began to take off out of control and law enforcement simply was not ready.
Prior to 2000, cyber crime was something committed by anti-social “kids” working from their parents’ basements. The use of modems to enter other systems and manipulate data or cause damage was more an act of defiance and aggression than a money-making opportunity.
The expansion of the world wide web and the dotcom explosion changed the online world dramatically, and with it the denizens therein.
The profile of a hacker being a male under the age of 30, extremely introverted and anti-social was blown away, despite the opinion of many of the legal “old guard” and those charged with crafting and passing laws. Hackers were and are now male and female, 13-60, introverts and extroverts, rich and poor, college educated and high school drop outs. A hacker does not have a profile except for the reason he/she hacks.
After 2000, the reason a hacker hacks can be broken down into 5 categories, with each being an escalation of the prior.
- Just Because: Many hackers hack out of pure curiosity. “What will happen if I do this?” Liken it to working on your car and seeing how it runs, or taking apart a piece of electronics to see what makes it tick. Hacking for this reason has no malicious intent; rather it is idle curiosity.
- E-rep: Once hackers figured out they could take systems apart they began to get a reputation. The best hackers are “l33t” or elite and those with no skill are “lamerz/noob” or lame. If you used the scripts and codes that others wrote you were a “script kiddie.” Though elite hackers have been around since computers existed, their reputation was limited to word of mouth on the online underground, but as the Internet grew and everyone could talk with anyone, these elite hackers’ reputation began to circulate, and to maintain and prove their status they were constantly upping their hacking game, breaking into harder and bigger systems to show off their skill and give shout-outs to their friends and naysayers.
- Theft of Data: Once hackers started hitting bigger targets they also began looking at what they had access to once they were inside systems. Personal data, credit card information, medical records, corporate intellectual property, etc. were now at their fingertips, literally. And the original reason they hacked popped back into their minds. “If I take this data and use it on this site to buy that product, what would happen?” What happened was the data was accepted and a product purchased via fraud. And thus the birth of online identity theft and hacking for profit.
- Theft of Services: As hackers began to steal data, law enforcement began to track them. Hackers needed a way to hide their tracks. By breaking into unsuspecting systems, not touching anything on those systems but rather using those systems to attack other systems, hackers were able to hide their tracks by giving law enforcement a false trail. The most common statement when I confronted a hacker about a hack I knew they committed was “it wasn’t me, my system must have been hacked.”
- It’s Their Job: Hackers who moved past the curiosity phase and feared being caught realized their skills were worth high salaries in the corporate world. Despite all their moaning and bitching about companies and products, as the elite aged, they took on jobs finding holes before other hackers or defending systems against the “new elites” around the world.
It was also in 2000 that the FBI realized they needed to address the growing threat of cyber crime. A Cyber Crime Division was set up and staffed by senior agents who had an interest in cyber crime but little experience. In fact, the FBI had very few agents with the technical know-how to address the issues of computer hacking and the subsequent fraud. Even the Department of Justice had to scramble to set up a special section to address the cyber crime issue called CCIPS, Computer Crime and Intellectual Property Section. (In all honesty, the FBI had agents focused on cyber crime throughout the 90s, but most of the focus was on child predators and Economic/International Espionage. Internet fraud was not a crime the FBI was accustomed to.)
The FBI has two “manuals” that every agent is made familiar with during their months of training in Quantico. They are the Manual of Investigative and Operations Guidelines, the MIOG, and the Manual of Administrative and Operational Procedures, the MAOP. These tomes contain the basis for how investigations are to be conducted for all aspects of crimes. Unfortunately, they did not explain how to investigate cyber crime, how to adequately deal with its international aspects or how to adapt to the changing attacks.
Back to the FBI and eventually the “hack.”
Each new FBI agent is assigned a Training Agent upon his/her entrance into the field. That training agent is responsible for your first 2 years on the job, during which you are a “Probationary Agent,” a newbie, an FNG (Fuckin New Guy.)
As such, you don’t really have your own cases for the first few months, and your days are taken up with helping out on other cases or more menial tasks like washing senior agents’ cars or ferrying documents back and forth to the United States Attorney’s Office.
One of the most hated jobs for an FBI agent is called complaint duty.
The duty agent is an agent who is assigned to sit at the front desk of the FBI office with the office switchboard operator and handle incoming calls from individuals reporting crimes. One of the other perks of being the duty agent, and this statement is laced with sarcasm, is you get to handle any “walk-ins.” “Walk-ins” are people off the street who feel the need to come to an FBI office and report what they feel are crimes. The emphasis on THEY. 99 out of every 100 walk-ins is, for lack of a better word, a nut job. These are the individuals who believe the government is listening to their thoughts via the fillings in their head, or see black helicopters at night, or take pictures of their neighbors showering as proof the neighbor is a druggy. It’s a little known fact that everyone who is deemed a “walk-in” fills out a contact form. This form is used to run a check for wants and warrants but is also used to check their name against the “nut-box.” If you see a guy walking the street with a tinfoil hat and a chain of paper clips dragging from his pant leg, don’t be surprised if he recently visited the local FBI office and was told that is the only way to ensure the CIA, Secret Service or Martians won’t be able to read his mind.
Oddly, my first real case in the FBI came from complaint duty. Between the various nut jobs on the phone and walking into the office, I received a call from a company that handled credit card processing. This was January 2000 and all the various rules regarding privacy and security were not in place as of yet. Also, the stigma of admitting your business was hacked could be a business killer.
The victim company, we will call the SM, had been notified via email, fax and phone that their system had been hacked and 15,000 credit cards had been stolen. The hackers wanted $1000 and they would help the company plug the hole the hackers had utilized.
As the duty agent, I filled out the FD-71 complaint form with all the information the victim could provide and sent it up to the supervisor’s desk for determination if a case could be opened. Every case assigned to an FBI agent has to be approved by their supervisor to ensure the facts warranted spending the manpower.
Understand here that the FBI has about 11,000 agents in the field, of which about 9,000 work cases (the others are management or operations). Compare this number to the 35,000 cops in New York City and you can see FBI manpower is limited. The FBI also has five years from the last illegal act to finish an investigation and present it to the United States Attorney’s Office, who then decide if a case should be prosecuted. In a city like New York or Los Angeles, fraud cases where the loss is under $250,000 may not be looked at simply because it is not cost effective.
The FD-71 for the SM hacking case ended up on my supervisor’s desk, and though he thought little could be done with it, at my request the case was assigned to me.
My first FBI case is a computer intrusion via the Internet. There are no detailed rules or procedures laid out by the FBI on how to truly handle these types of cases, so where do I start?
Well, the obvious trail was to get online and see if I could track back where the email extortion had come from. The problem was the SARA did not have Internet access.
In 2000, the only access I had to the Internet was via an AOL dial-up account accessible in the mail room of the office. In fact, the computer I did my case work on, or used to review the FBI’s internal database, known as ACS (Automated Case System), was a PC running Windows 3.1 on a “lazy Susan” shared between my training agent and myself. In order to do my research online, I had to utilize my home DSL broadband connection.
As my first case began to take shape, it became apparent that SM was not the only victim of these hackers. I was able to link similar hacks and extortions to victims in Seattle, Sacramento, Newark and Hartford. It appeared the SM hackers were involved in 35 different hacks and extortions of U.S. based companies. Each of these offices had agents assigned to work the cases and eventually we all began to connect the dots and work together. At this time FBI HQ became involved and began to support the investigations, support in the form of equipment and eventually funding for an amazing undercover operation.
Within the RA, my bosses took notice of the significance of the case. Other major intrusions were being reported across the country. A 15 yr old boy from Canada whose father was connected to the Mafia had launched a distributed denial of service attack (similar to 10,000 crank calls a minute to a particular website) against all the major ecommerce sites of the day. Cyber crime was on the rise and my bosses knew steps had to be taken.
About two months into the investigation, mysteriously a DSL with five unique IP addresses was installed in the RA. My supervisor told me the cost of the line was hidden in the RA’s monthly phone bill and to use the new access to solve these cases.
And that’s just what I did.
I was able to track the extortionist hacker of SM back to his home in Chelyabinsk, Russia and to figure out that other hacking groups in Eastern Europe not only existed but were attacking US companies in the same way.
In June 2000, as a result of the investigation, I was sent with a team of senior agents to Moscow, Russia for the first working group on international crime. I had been an agent for 6 months and was being sent to the place I had been taught was the greatest enemy of the United States, and I was to cooperate with them as equals and friends. Needless to say, I was scared.
In the end the meeting was a success. Though officially the Russian investigators of the MVD (Ministry of the Interior) had few details and the representatives from the FSB, formerly known as the KGB, offered no answers, it’s amazing how much you have in common when the neckties are off and your place setting has a bottle of vodka and a bottle of brandy.
Also, a word to the wise: if you go to Russia, or any former enemy country for that matter, as a representative of the US government, your room will be bugged, your phone will be bugged, your luggage will be gone through and you will be watched all the time. Those watching you will be looking for any opportunity to compromise you and thus control you. Despite sharing this information with my wife, when we got in a phone argument, which I later found out she planned, not 10 minutes after I got off the hotel phone did I have prostitutes at my hotel door asking if I wanted company. Not taking no for an answer, each night of my visit to Moscow was met with a different set of prostitutes looking to entice me. I did not cave.
Though the stories of my trips overseas in support of the various cases I worked could fill thousands of pages, they will have to wait for another time.
The first FBI/MVD working group turned into a second working group meeting in Washington DC and forged a working relationship and friendship between FBI agents and MVD officers. That relationship would then extend to the MVD officers’ colleagues in Belarus and the Ukraine. And though I did not know it at the time, that first trip to Moscow would result in another 15 trips overseas during the next seven years.
After returning from the first trip, and armed with new information about how systems overseas worked, my methodology on how to address internationally based hackers changed.
Though the US was in the throes of a new criminal enterprise, the threat had not spread to other portions of the world and thus was not a priority. Simply put, the Russians could not or would not help on stopping these hackers.
After tracking back the emails through an internet service provider in San Diego, I was able to put a name to the extortionist hacker, Alexey Ivanov. I then found Ivanov’s resume online. An operation was devised to utilize this information. Unfortunately, as a junior agent, I was not allowed to run the operation and my training agent was not interested in assisting. Luckily, some fellow agents out of Seattle were willing to step out of the FBI norm and had an Assistant United States Attorney who was willing to back them. The operation, code named Flyhook, was the first ever international hacker lure. The FBI set up a fake business entitled Invita (I believe the name was suggested by SA Grey or SA Stone out of the New Haven Office). Once the business was established, we invited the hackers to the US for job interviews. The targets were Alexey Ivanov and Vasilli Gorshkov, two Russian twenty-somethings who had turned hacking US companies and ecommerce fraud into a budding business.
During their “job interview”, Ivanov logged on to his computers located in Chelyabinsk, Russia and downloaded a series of tools he would need to showcase his hacking skills. Luckily for our operation, Ivanov was unable to see that we were recording every keystroke and command he sent via the Internet or on the Invita company computers.
The Ivanov/Invita case eventually earned the case agents from Seattle the FBI’s case of the year award. For my part, I was not allowed to go undercover as I was a junior agent, but I did handle the arrest and interview of Ivanov outside of his hotel.
The story of Ivanov and Gorshkov has been laid out in the media and the book “The Lure” by former federal prosecutor Steve Schroeder. I have also heard of several other books being written about the case, but for this story the Invita case was the precursor that forced me into the role of subject matter expert on international cyber crime and hacking groups.
As I stated above, working the case against Ivanov introduced me to the fledgling cyber underground and the realization that many hackers other than Ivanov were using the same methodology and extortionate claims. One of the primary sites in this underground was Carderplanet.com. I joined Carderplanet when it first went live online and though most discussions were in Russian, I was able to understand most and thus extract intelligence about the international hacking world. (Carderplanet plays a bigger role in this story and will be covered in depth later.)
After the arrest and interview of Ivanov and Gorshkov it became clear that the original number of intrusion and extortion victims, set at 35, was actually more like 700, and that though Ivanov and Gorshkov were involved in a number of them, the intrusions were actually the work of multiple hackers and hacking groups. In fact, my fellow special agents had another such hacker in custody on the East Coast.
So as not to put this person or their family in danger of grievous bodily harm, I will not lay out how an international hacker came to be in the US, but it is important to understand that he was part of a group of international hackers who had met online and developed a way to convert stolen data into profit via identity theft. This person, we will call him Denis, was sentenced to 5 years in prison for his part in the hacks.
However, after one year in jail, Denis wanted to deal. He wanted to help the FBI to go after the international hacking groups, or at least that was his claim. It is more likely he wanted to get out of jail, but either way the FBI needed a source like Denis.
For approximately 18 months, I had been infiltrating hacker forums, chat channels and international hacker groups. But I lacked one key requirement to being truly accepted into these groups: I did not speak the language.
The hackers I was chasing used a mix of hacker speak, English and their native language, which for many of them was Russian.
When I heard that Denis, a Russian speaker, wanted to deal, I approached my bosses and the US Attorney’s Office with a plan. Though I knew that cases could still be made against Denis for hacks the FBI knew he committed but had not yet been charged, we could do what law enforcement does on a daily basis. We could make this guy a deal to go after the bigger fish in the sea.
Chapter 3
In order to truly understand the significance and some say “revolutionary” aspects of my plan, you have to understand how the FBI works.
In 2007 there were approximately 35,000 gun carrying sworn police officers in New York City. In comparison, the FBI had 22,000 employees. Of that number approximately half are “support” employees and the other half, 11,000, are sworn gun carrying agents. Of those about 2000 are in management roles. This means there are 9000 FBI agents responsible for investigating federal crime in 56 different field offices across the US and over 50 different countries.
Despite what Hollywood and the media like to put forward in novels and movies, the 9000 agents who hold the title of Special Agent are the only ones who work cases.
If an individual graduates from the Special Agent program at the FBI academy in Quantico, VA they are given the title “Special Agent” and are assigned to the field to work cases. Each agent, depending on the nature of the crime they are working, will have a case load of 5-20 cases at any given time. The reason for this is that something does not happen on a case every day and most cases require court orders, review of information, interviews, etc.
Also, FBI agents work alone. Each agent has his or her own cases, and as such if they need the help of another agent for interviews or surveillances, they have to schedule time with others to help.
As such, when the media covers an FBI raid on a building or a gang takedown or major arrest, the agents involved in that takedown are agents from multiple squads who work multiple different crimes, who have all been briefed on the case and come together to safely and securely execute the tasks at hand.
One other key point is FBI agents have 5
years from the last overt act, the last criminal act, to bring charges. This fact is key, because when a major
criminal event occurs, such as a kidnapping or god-forbid a terrorist attack
like that which occurred on September 11, 2001, all work on other cases can be
halted and all resources can then focus on the event.
However, such an event is a case and thus
it is assigned to an agent and he/she is responsible for guiding how the
investigation will go, who needs to be interviewed, what files need to be
retrieved and from whom and so on.
Another fact about the FBI is that in no
other organization do so many work so hard, to stay at the bottom. And the bottom of the FBI is a Special Agent.
Squads are managed by SSA’s, Supervisory
Special Agents. These are agents who
have chosen to seek promotion and thus manage other agents rather than manage
and investigate cases.
There was a time that an agent could not be
considered for promotion until they had five years under their belt as a
special agent and thus had worked a number of crimes. Those days are long gone and agents can be
promoted after 2 years in the Bureau meaning, right after they get off
probation.
Now most agents are not “blue flamers”
meaning they do not try to jump into management, in large part because they
realize they do not have the street experience to effectively manage a group of
people with such diverse and complicated cases, but there are always those
whose egos make them blind.
Each FBI SA is assigned to a squad. Each squad is managed by an SSA. SSAs are
managed by the Assistant Special Agent in Charge, aka ASAC, and each ASAC is
managed by the Special Agent in Charge, aka SAC. Usually the SAC is the highest
position in the field. They run the office sort of like a lord over his
fiefdom.
In the largest FBI field offices, such as New York and Los Angeles, the SAC is
managed by an Assistant Director in Charge, aka the ADIC. His/her role is the
same as the SAC’s for the smaller offices.
The successes of the agents assigned to a field office are touted as the
success of the management. As such, the Federal Bureau of Investigation is one
of the world’s most risk-averse groups.
Agents are willing to have guns pulled on them, chase down killers,
operate undercover but only after they have approvals in triplicate and even
then they will rethink going forward.
The reason for this is that many of those in management only got there because
they rode the coattails of agents willing to take risks. Sadly, these same
coattail riders operate with a CYA (“cover your ass”) attitude and are the
first to throw their meal-ticket agents under the bus.
The FBI is part of the United States
government meaning that those who rise in the ranks play the politics game and
are willing to “eat their own” in order to raise one step higher.
I personally find this sad and maddening, as each and every agent takes an oath
to defend the U.S. and its citizens against all enemies, foreign or domestic,
with disregard to personal advancement. Many seem to have forgotten that oath.
But I digress.
Each of the field offices and their management is in turn managed by FBI
Headquarters. FBI Headquarters is located in Washington DC in the J. Edgar
Hoover building. FBI Headquarters does not work cases. Rather, all FBI special
agents who work in FBIHQ are SSA or above. FBIHQ is likened to a corporate
headquarters. You can’t go to Mattel Toys’ HQ in El Segundo, CA and see toys
being built and you can’t go to FBI HQ and see cases being solved.
In my 8 years in the FBI I spent an inordinate amount of time talking to and
lecturing in FBI HQ. In all my visits to FBIHQ rarely did I see an SSA wearing
his/her gun on their hip, a standard requirement for all FBI special agents. And
the agents I did see wearing their weapons, and that I knew did so because they
worked in the field, had earned their supervisory role. They were there on
merit and not on coattails.
FBI HQ’s SSAs are managed by Unit Chiefs who are in turn managed by Section
Chiefs who are in turn managed by Assistant Directors. These are program
management positions. They handle the full administration of the FBI from
personnel placement to congressional inquiries to White House briefings.
I know that my explanation of the FBI management seems negative, as if they
are a bunch of stuffed shirts, but understand, that is the belief of many field
agents. It is said the first thing that happens when you get your 14, a
reference to your pay scale on the Government Service pay schedule, is that you
receive your free lobotomy. It is often said, when an SSA from FBIHQ sends a
request to the field or asks for a lead to be run down or tries to order a
field agent to do something, “What does he know, he is just an HQ suit. I bet
he hasn’t investigated a case in 10 years.”
Agents who join the FBI to solve cases stay
as agents. Those who join because they
think they can make the FBI better or different may seek a supervisory
role.
The FBI is the best law enforcement organization in the world because of the
diversity and high level of people that are accepted into its ranks. FBI agents
are not just drawn from the ranks of the military, police or lawyers. A large
number of agents are selected from those applicants who have over 4 years of
work experience in a field that fosters skills important to the daily work of
an agent, such as communication, research, and interpersonal skills. Only the
FBI has responsibility to enforce the laws covering over 400 different federal
crimes, including crimes that are the focus of other federal agencies such as
the DEA, ATF or Secret Service.
How to conduct investigations into each of these crimes is contained in the
FBI’s guidelines for operations and investigations. The Manual of
Investigations and Operations Guidelines (MIOG) and the Manual of
Administrative and Operational Procedures (MAOP) lay out acceptable FBI
investigative procedures. Each new agent is required to become familiar with
these guidelines and procedures while at the FBI Academy. Also, each FBI agent
must go through yearly legal training to address changes in laws, rules and
acceptable investigative methodologies.
A couple of other interesting facts about the FBI:
- The average age of new FBI agents is 30
- FBI agents have a mandatory retirement age of 57
- Between 60,000-80,000 applicants apply to the FBI each year
- Less than 1000 new agents enter the FBI each year
- FBI agents make a maximum of $150K a year, but only after being in the FBI more than 15 years
- FBI agents do not get paid overtime
- The FBI work week is a minimum of 50 hours per week
- FBI agents are on call 24/7 and are to carry their credentials and weapons at all times, including when travelling on airplanes within the U.S.
With all this shared about the FBI, the
most important aspect of working for the FBI is not included.
The Federal Bureau of Investigation is part
of the United States Department of Justice.
The purview of the FBI is to investigate federal crimes by or against
Americans and/or American entities.
The FBI does not prosecute criminals.
This fact is an extremely important aspect
of everything the FBI and Special Agents of the FBI do.
The title Special Agent is often called into question by defense attorneys
during trials. “Special Agent Hilbert, why are you called a ‘special’ agent?”
The simple answer to that question is because that is the title of the
position, but that leads to the question of “what is so special about the
position?” The true answer to that question is that Special Agents in the FBI
are held to different standards than others, including law enforcement
personnel, by both the general public and the internal department they answer
to.
Everything an FBI agent does both in their
personal life and on the job is fair game in a trial. Everything is subject to Monday morning
quarterbacking by not only their supervisors but also the Assistant United
States Attorney who will ultimately make the decision if the investigation and
case are sound enough to go to trial.
Each case is presented to an AUSA who is assigned to prosecute the
particular criminal activity. This
individual is required to go through all of the details of the case, ask
questions and suggest additional evidence that would be needed from a legal perspective.
The United States Attorney’s Office is the prosecuting arm of the DOJ. The
United States Attorney in each district of the U.S., such as the Central
District of California, is a political appointee under each new Attorney
General. The individuals who fill these roles are selected because they agree
with the Attorney General on legal issues and what crimes should be focused
on.
The Assistant United States Attorneys, AUSAs, answer to the US Attorney in
their district. Again this is similar to the FBI in that each U.S. Attorney
runs his/her district as a fiefdom while relying on DOJ HQ for guidance on
programs and priorities.
When a crime is committed and an investigation ensues, an AUSA is needed in
order for an agent, any federal agent, to get warrants, record an interview,
obtain subpoenas or any other court-ordered process. Each agent has a favored
AUSA they bring cases to. A trust develops between the agent and the AUSA:
both know the rules will be followed, both know that the other will be
straight with them about what happened or did not happen. In essence, the AUSA
becomes an agent’s partner for that case.
As an agent I worked with eight different AUSAs that I trusted. I knew for
each case what they would need or want in order to seek a prosecution. Some
were idealists, willing to take a case to trial with little concern for their
win/lose record. Others were very focused on whether or not they could win the
case and that factor guided their willingness to prosecute.
Early on in my FBI career, a senior and somewhat jaded fellow agent warned me
against sharing too much with the AUSA. He said you only need share the fact
that a source exists or that a wire was placed on the source rather than the
exact type of wire. His reasoning was that AUSAs have an on-the-job life span
of 5 years. After 5 years as a criminal AUSA, many leave and go to the dark
side, defending criminals against the FBI’s cases. If the AUSA knows all our
tricks they will find a way to attack them in court. A former Federal
Prosecutor can demand a huge paycheck by going into private practice.
Being an idealist myself and thinking that
the AUSAs I worked with were as committed to the fight as I was and that their
position was not just a stepping stone, I chose not to heed his advice.
But just like there are those in the FBI
that are “blue flamers” seeking to get to the top for their own personal gain,
the same is true of attorneys in the DOJ.
So despite what Hollywood and the media like to put forward, every case the
FBI undertakes is not solely guided by the agent; rather there is an enormous
amount of oversight and approvers for each action. In fact, as of 2001, if an
agent wanted to conduct an interview of a primary subject in a terrorism case,
the interview had to be approved by the agent’s supervisor, the AUSA, the
Assistant Special Agent in Charge and in many cases people from both FBI and
DOJ headquarters.
This level of bureaucracy is expected in the government but often glossed over
by outsiders. It is this bureaucracy that is a safeguard to civil liberties,
but it can also cause serious issues.
Chapter 4
The international hacker, Denis Pinhaus, is sitting in a US prison for hacking
American companies. He is there in part because of me and others who believed
he was responsible for far more crimes than he was convicted of and because we
forced him to take a polygraph, which he failed.
Denis now wanted a deal. He claimed he would come clean about all crimes that
he had committed and/or been a part of. But what could he offer, given he had
been in jail for a year, had no access to computers or the Internet, and all of
his “hacker” friends were overseas?
Though the crimes Pinhaus was involved in spread across the whole of the US,
somehow dealing with him was delegated to me.
If we could be sure Denis would be honest,
the USAO could offer Denis a reduced sentence for the intrusions he had yet to
be convicted of. In exchange, Denis had
to work with me.
AUSA Arif Alikhan of the Central District
of California and I travelled to the jurisdiction where Pinhaus was being
incarcerated and conducted a series of interviews to determine the validity of
Pinhaus’ claim of wanting to work with the FBI.
As the interviews occurred and AUSA Alikhan
and Pinhaus’ lawyers negotiated a possible cooperation agreement, it was left
to me to devise how exactly to use Pinhaus.
Understanding that Pinhaus was to remain in jail and that his cyber underworld
colleagues were located literally around the world, how exactly was he going to
cooperate?
In most cases a source would be used to
conduct monitored phone calls or face to face meetings after he or she
ingratiated themselves to the criminal element but in the world of cyber crime
phones and face to face meetings were rare.
Nonetheless, I had a plan.
As much as the Invita undercover operation, which called for an international
job offer, a one-way traffic sniffer and the subjects to showcase their hacking
skills before being arrested, was “unheard of” in the FBI prior to it being
pulled off, my plan was downright impossible.
And that is what I was told by any number
of individuals within FBI management.
In order to run an undercover operation you
have to get specialized oversight and approval from FBIHQ.
That approval was never granted, and not for lack of trying. Rather, as there
would be no face-to-face communication nor was any FBI agent truly taking on an
undercover role that required a full and verifiable back story, the FBI
powers-that-be denied my plan, stating it was not a formal undercover operation
and thus did not need their approval.
When I heard this I thought the plan was sunk, but in truth the Undercover
Oversight Board was saying you don’t need approval to do what you want to do,
as this is a “cooperating witness” or an “informant” operation that only
required AUSA approval to consensually record communication between the source
and the bad guys.
AUSA Alikhan approved the recording of conversations/online chats, and thus one
key element of the plan was in place.
The next key element required Pinhaus being transferred to California and
doing something that had never been done before.
Pinhaus’ claims of being willing to help were determined to be genuine and
AUSA Alikhan began the process of getting Pinhaus transferred. As he was in the
custody of the Bureau of Prisons, Pinhaus would have to be moved to a Federal
facility or a local facility with a federal inmate housing contract. Luckily
for me, Santa Ana, California had such a contract and I was able to make
certain arrangements between the Bureau of Prisons, the US Marshals and the
administration of the Santa Ana Jail.
Now the truly hard part began.
A team of agents would be needed to
transport Pinhaus from the holding facility to the off site location where the
real work would begin.
We would also need agents to serve as
guards to protect against escape and at least one full time translator to read
and translate any messages received by or sent to Pinhaus once we let him back
online.
See, the plan was for Pinhaus to take on a new identity online. He would
reenter the cyber underground, build a reputation and develop a list of
targets. His reputation would be bolstered by several other online personas
managed by myself and a team of agents assigned to the case.
We would work Monday through Friday for a
minimum of six months ingratiating ourselves to the hacker community.
Pinhaus was transferred in the summer of 2002 but his cooperation was stalled.
In July of 2002, Hesham Mohamed Hadayet, a 41-year-old Egyptian national living
in Irvine, California, walked into the Los Angeles International Airport and
opened fire on the patrons at the El Al Airline ticket counter before turning
the weapon on himself. I was called into the case to handle the search
warrants for the websites and email addresses for Hadayet and help determine
if the attack was an act of terrorism.
Three weeks later five year old Samantha Runnion
was kidnapped and murdered by Alejandro Avila.
I served as the FBI liaison to the Runnion family during those three
horrible days.
For the latter case, Pinhaus actually contacted me from his jail cell to let me
know that all I needed to do was book Avila into the Santa Ana Jail and the
inmates would take care of him. Not exactly a comment to convey that Pinhaus
would stay on the straight and narrow, but he knew my role in the case and
either he was trying to ingratiate himself to his new “boss” or he truly hated
child predators as much as I do.
In August of 2002, my workload had settled enough and most of the logistics
were worked out to reintroduce Pinhaus to the cyber underground.
Pinhaus was getting antsy to start working. While waiting in prison he signed
up for a word processing and Photoshop class. You have to love a legal system
that allows a convicted computer criminal access to unmonitored computers
inside of prison. While sitting in class one day, Pinhaus tried to print some
of his work, as was allowed by the instructor. When it was determined that the
printer was not working, Pinhaus utilized the workstation he was assigned to
scan the network and find a different printer and sent his work there. Of
course, this action was seen as “hacking” the jail’s network and Pinhaus was
banned from taking computer classes.
Given occurrences like that, it was clear it was time to put Pinhaus to work.
And so we began…
Four to five days a week for the next nine months, myself and three other
agents, two in each car, would drive to the location in which Pinhaus was
housed. Pinhaus was handcuffed and leg-shackled and then walked to the car and
seated in the back seat along with one of my fellow agents. We would then
drive to our offsite location, all the while being tailed by two agents in a
follow car.
Once we arrived at the off-site, Pinhaus was walked inside. His leg shackles
were removed and replaced with a leg cuff connected to a 10-foot chain that
was bolted into the wall. Only then were his handcuffs removed and Pinhaus was
granted access to a computer workstation connected to the Internet.
But this was not just any workstation. Every keystroke typed into the computer
was captured and recorded on a different system secured away from Pinhaus.
An FBI translator sat side by side with Pinhaus and myself to ensure that when
Pinhaus wrote in a language I could not read, the translator would read it as
he typed.
Screenshots of every page viewed on the monitor were taken at a rate of 5 per
second.
We also deployed a series of traffic sniffers and event logs to monitor all
programs running, traffic sent from or received by the system and every piece
of data touched.
These sniffers would come in handy later in
the operation when a number of hackers tried to crack our system from around
the world to include Max Butler, the hacker profiled in Kevin Poulsen’s book
“Kingpin.”
Everything done on Pinhaus’ computer was recorded and copied four times from
the original each night. One copy for the case file, one copy for AUSA Alikhan,
one copy for the defense and one copy for work. The original data was stored
as permanent evidence, complete with a chain of custody, and locked in a vault
for use if and when any of the investigations went to trial.
The plan was scary in its simplicity. Pinhaus would go online, re-connect with
or join the cyber underworld and identify international hackers. In some cases
I would be introduced as his partner in the US or as a fellow hacker/carder so
that we could vouch for each other. Seems easy enough, right?
Except, you can’t just walk into a group of criminals in cyberspace and get
them to accept you. Where do they hang out? Do they talk in code? How are you
going to get them to trust you? These are just some of the questions that had
to be ferreted out, starting with a basic physical concern. Yes, there are
physical concerns when dealing in the cyber world, because eventually every
crime comes down to physical human contact.
Understand that hackers do
reconnaissance. They track details. And
they talk.
Going after hackers is also dangerous. Just as when Ivanov hacked Sterling
Microsystems and tried to extort them for $1000 or he would go public about
the data stolen, the same could happen, and did happen, to the hacker hunters.
Hackers will turn the skills they use to attack a network and steal data to
hacking a person’s life, stealing personal data and sharing it with the world.
They can also attack your credit, your social standing and your identity.
Putting personal safety aside for the moment, the first physical concern was
the geo-location of the Internet Protocol (IP) address being used by Denis to
make contact.
This simple question could undo the
operation before it got started.
But this is the FBI; surely they have tools to route traffic around the world
and make it appear like it is coming from anywhere.
This is true, but using that level of sophistication would immediately throw up
red flags to the hackers we were targeting.
When running an undercover operation, your
identity needs to be backstopped.
Meaning everything has to fit, but not fit too well. And backstopping is not only for the person,
it includes everything from the cars you drive to the clothes you wear.
Now, given that this was the first time the FBI had sanctioned an operation
such as this and the fact that all of it was going to be conducted online, save
for any arrests, no one really knew how to backstop this operation.
When I busted my first hacker and sat down for a lengthy interview, he shared
a number of unique insights. One such insight was that all hackers know the
FBI uses AT&T for its internet provider, so if you see an AT&T IP address ping
your site or in the headers of an email, you have to assume it’s the Feds.
So in order to avoid such a simple slip-up, I arranged for a non-AT&T Internet
Service Provider. This fact also guided where our off-site office would be. It
consisted of two rooms on the first floor of an office building. We had a
separate entrance around the back of the building hidden behind 6-8 feet tall
shrubbery and easy access to a parking garage. It also had to be in an area
where AT&T was not the contracted ISP.
Sadly the office picked as an off-site did not have a working air conditioner,
something I should have checked before agreeing to the space. It’s amazing how
hot a 15x15 room gets in September when the room is filled with 6 computers
and four people. And please note, this was not a Hollywood-stylized FBI office
with fancy touch screen projection boards or multiple flat panel monitors on
roof mounts. The equipment was the remnants of a Warez (pirated software)
seizure where the equipment had been forfeited to the FBI. The office walls
were covered with white butcher paper so that we could write out link
analysis, nicknames, aliases and other personal data for quick reference
glances. In other words our office sucked, but we were there to work, not to
impress. But I digress.
Once we had a non-AT&T IP address we then would access the internet via a
series of free proxies in other countries. Of course, if one of those proxies
failed, our true IP address would be exposed. That is when the cover story
kicked in: the IP belonged to some person in the US which we had hacked and we
routed all of our traffic through the hacked IP in case the FBI or USSS came
looking. Our tracks would lead to some unsuspecting person in the states.
The next big issue was the computers
themselves.
Once Pinhaus and I became players in the cyber underground, it was a
guaranteed fact that our system would be hacked.
And when “they” got in “they” would look at
the system. Our computers had to look
like a standard everyday computer that would be used by hackers. The software had to be tweaked and have odd
licenses. They could not be top of the
line or have the latest and greatest hardware.
So, the first order of business for Pinhaus, myself and the rest of the team
was to ensure our systems weren’t too good and that they were properly laden
with the junky data that would indicate a long-time elite (“l33t”) hacker.
Amongst the things we needed to add were language packs (Pinhaus would be
speaking/typing in Russian and English), dummy documents, an eclectic Internet
browsing history and, of course, we needed to back-date everything. We also
needed to install the Russian language set and a Russian keyboard layout. We
did the same with several other languages including Greek, Spanish and Arabic.
I’m not going to say we got everything right but we did pretty well.
As we prepared our systems and did the
physical leg work of dirtying up our computers, we came across an online game
entitled Ant-City. In the game, you
played as a giant kid with a magnifying glass which you would move to focus the
sun’s beam on the various aspects of a standard city. Your beam would heat up tanker trucks and
cause them to explode or you could set fire to trees, etc. You could even focus on the little
inhabitants of the city and cause them to melt.
After playing that game, the team agreed, though
the FBI official name for the operation was Major Case 144 Cardkeeper, the code
name we would use for our little cyber intel gathering mission would be
Operation AntCity. Our focus was to find
and shine a bright beam of light on the cyber underground and as
non-politically correct as it may sound burn some of the inhabitants.
AntCity
With everything in place, to the best of our abilities, it was time to go
active. We, Dennis, myself and the team, split up the workload into four
categories:
- Target acquisition: Trolling the web for forums, IRC channels, chat rooms, etc. where hackers congregated and talked about their hacks, exploits and plans.
- Ingratiation: Once a target site was located, members of the team would create covert accounts and online personas. This required email addresses and demographic information to make each persona appear as a different person: young, male or female, skilled or noob, etc. The accounts would be set up to lurk and occasionally comment in the rooms and grab relevant data. Sometimes the accounts were used to promote another account and sometimes they were used to troll. Trolling is when you pick fights online just to pick a fight.
- The Approach: Once a persona was known in a group and was receiving inquiries from other members, the team would take on the persona and engage other players. Engagement could include the discussion of how to hack and attack, but very quickly AntCity engagement turned to the role of money man.
- The Investigation: When people or victims were identified, the data was run against information in the FBI systems to try to obtain a true identity and, in the case of victims, notify them of the intrusion. If a victim was ID’d, an FBI case would be opened and AntCity intel would be used as evidence in the prosecution of the hackers responsible.
Dennis had a role in all but the investigations. Dennis had no access to the
FBI systems or databases. In fact, that access was not located in the same
room or building as Dennis.
A word about “sources” like Dennis: though they are considered part of the
team, they are not. They are a pawn in a game and are never truly trusted. As I
said before, sources do what they do in order to get a better deal for
themselves once they have been caught. Their motives are not altruistic.
When working with sources you tell them
what they need to hear and what you think they want to hear in order to get
them to do what needs to be done. This
does not mean they are unlikable or that they should be disrespected. But sources are manipulated by their handlers
just as the sources are trying to manipulate the system.
In short, every law enforcement person who actually “runs” a successful
confidential source, informant, snitch, asset, whatever the term used, knows
the source will one day break bad. And when they do break “bad,” those who will
judge the situation and the performance of the handler will be people who have
never run a successful source.
Sources are the lifeblood of law enforcement. They are the man on the inside
and one thing that is evaluated during every inspection: how many sources does
the agent have and how successful are those sources?
With that said, Dennis was a con man at
heart. As his handler, it was my job to
direct his con-man skills away from trying to manipulate me and the rest of the
team and rather to focus on the hackers, scammers, and fraudsters we found in
the cyber underworld.
And it worked.
Within 7 days of going “live” on the web and engaging “hackers,” AntCity had
two subjects under investigation and had purchased 1000 stolen credit cards
for $200.
We paid the hackers via Western Union and tracked exactly where the money was
picked up and by whom.
This pace would continue for the next 9 months. Day after day, sometimes
including weekends, we lived the life of the online denizens. Since most of
those living in the cyber underground work at night, our work schedule adapted,
but as our focus became more defined on the international hacking crews of
Eastern Europe, we were able to switch back.
8 am Pacific Standard Time corresponded very nicely with the “hacking” hours
of Eastern Europe.
It was not uncommon for the team to be
running multiple instant messenger sessions with subjects while reading various
forums and chatting in IRC (Internet Relay Chat) channels dedicated to the
theft, selling, buying and trading of hacked data.
Playing the various roles related to our undercover or covert employee
personas seemed to require a certain amount of schizophrenia on the part of all
players. One minute you are a hacker, another a buyer, sometimes you’re an
internet troll looking to cause a fight and other times you are just lurking,
gleaning information. Also, all of the agents on this case were between 30 and
40 years of age but we were playing 20-somethings. Imagine playing a
20-something female who is chatting up a 20-something hacker who is looking
for an online romance while on another screen you are a hard-ass data buyer
who is ticked because the data, accounts, etc. would not work.
The cool thing about online chat is if you are on multiple chats, the other guy
is on multiple chats, and if you can get him flustered you can sometimes get
them to make mistakes by saying, sending or revealing the wrong thing. Though
we were never face to face with someone, we could still get inside their head
and mess with them because we were so many different people targeting
different information.
AntCity was not concerned with the small
fish, those who resold data stolen by others.
We focused on those responsible for the intrusions, the guys running the
crews.
We would build huge handwritten link
analysis charts to showcase how each hacker was connected to a website, forum,
IRC channel or other hacker. We would do
the same on the victim side because sometimes, hacking one company opened a
door into another. A hack of Amazon,
because it is housed in the same data center as twenty other companies may
indicate those companies were also victims.
When, through our social engineering of the
hackers, we were able to identify a victim, we would then contact that victim
as the FBI and explain that they had been breached and that their customer data
was being sold on the Internet.
Many companies were justifiably concerned and would take action to address the
breach, but I distinctly remember one company in New York that was hacked 2 or
3 separate times. When I notified the owner of the company of the breach, he
simply said, “So what, it’s not my credit card.”
Another company was losing $2-3 million a day in stolen cards, data and
product, but to fix the issue would require a company shutdown of several days
costing them tens of millions of dollars with no proof it would work. The
company chose to lose the $2-3 million rather than shut down.
Of course the most common data being sold was full dumps of credit cards, or
“dumpz.” Dumps included all the data on the magnetic stripe on the back of a
credit card, including the card number, the card holder’s name and other data.
AntCity became the go to operation for
anything cyber related across the FBI.
FBIHQ received weekly updates of who was being targeted or what was
being discussed. The AUSA was versed on
all tactics and concurred. Many in
management offered up AntCity as proof of their good management skills when
seeking higher positions (in the FBI individuals submit their achievements when
seeking promotions rather than being identified and approached by management
for advancement).
As the “Go-To” operation we were in nearly daily contact with all interested
parties: the U.S. Attorney’s Office, FBI HQ, and other case agents who needed
our help.
This meant near daily reports on the progress and issues we encountered.
One major rule in the FBI: document everything, because if it is not documented
it did not happen.
At one point a large credit card processing firm in the central part of the
US was hacked into and 10 million credit cards were believed stolen. This
intrusion would later serve as the straw that broke the camel’s back, resulting
in Congress demanding the payment card industry do something about the ease
of access to credit cards by hackers and the subsequent fraud schemes.
Either way, news of the breach and theft
made it to the airwaves and the FBI was called in. As the local agents worked with the victim company,
DataP (Im not providing their real name because there is no need to sully their
reputation) to figure out how the hackers got into the system, AntCity was
contacted to see if we could find and procure any of the stolen cards from the
web.
This brought up a logistics question. How do we compare the various cards we were
buying against the 10 million stolen cards and how did we know the cards were
stolen from the victim DataP and not some other company.
As luck would have it, the media coverage of the hack helped us out.
The hackers, actually a team of hackers, saw the news coverage as well and knew that once the breach was announced the cards would soon be shut down and thus would hold no value. Also, they understood they had made a big mistake. By taking all of the cards rather than one or two at a time as throw-away cards, they had tipped off the company to the intrusion and thus sealed their fate. There was very limited time to use, sell or trade the stolen data.
Dennis was able to locate a contact who knew a guy who knew a guy who claimed to be the hacker behind the breach. The guy, we’ll call him Ivan, was willing to sell the cards to us. But Dennis and AntCity would not pay up front for the cards until we could verify they were still active. We wanted to make sure the cards were good. We also wanted to compare the numbers against the list of 10 million stolen cards as well as the lists of stolen cards from other sites we had already acquired.
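The comparison problem raised above (which victim a purchased batch came from, and whether the numbers are even well-formed before anyone pays for them), as an added Python example that is not part of this account or of any FBI tooling. It assumes each victim's breach list is handed over as keyed hashes rather than plaintext so the comparison never requires holding a victim's full card list in the clear; the key, the victim names and the card numbers (publicly known test numbers) are all constructed for the demo.

```python
"""Attribute purchased card numbers to breached victims by keyed-hash comparison.

Added example, not from the original account. All inputs below are constructed:
the victim names, the comparison key, and the card numbers (public test numbers).
"""
import hashlib
import hmac
import re

# Constructed demo key. In practice this lives in an HSM or key vault and is shared
# only with the parties that produce the hashed victim lists.
COMPARISON_KEY = b"constructed-demo-key-not-for-real-use"


def normalize_pan(raw: str) -> str:
    """Keep only the digits: sellers paste numbers with spaces, dashes, etc."""
    return re.sub(r"\D", "", raw)


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; rejects mistyped or fabricated numbers cheaply."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pan_token(pan: str) -> str:
    """Keyed hash so lists can be compared without holding plaintext PANs."""
    return hmac.new(COMPARISON_KEY, pan.encode(), hashlib.sha256).hexdigest()


def mask_pan(pan: str) -> str:
    """Display form for reports: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def build_victim_index(victim_lists: dict[str, list[str]]) -> dict[str, set[str]]:
    """victim name -> set of tokens, built once from each victim's breach file."""
    return {name: {pan_token(normalize_pan(p)) for p in pans}
            for name, pans in victim_lists.items()}


def attribute_purchases(purchased: list[str], index: dict[str, set[str]]) -> dict:
    """Return which victims each valid card matches, plus invalid/unmatched ones.

    A card can match more than one victim (the same card can be in several
    breaches), so every match is reported rather than the first one found.
    """
    result = {"attributed": {}, "invalid": [], "unmatched": []}
    for raw in purchased:
        pan = normalize_pan(raw)
        if not luhn_valid(pan):
            result["invalid"].append(raw)
            continue
        token = pan_token(pan)
        victims = sorted(v for v, toks in index.items() if token in toks)
        if victims:
            result["attributed"][mask_pan(pan)] = victims
        else:
            result["unmatched"].append(mask_pan(pan))
    return result


# Constructed sample data using publicly known test card numbers.
VICTIM_LISTS = {
    "DataP (constructed)": ["4111111111111111", "5555555555554444", "378282246310005"],
    "OtherCo (constructed)": ["4012888888881881", "5555555555554444"],
}
PURCHASED = [
    "4111 1111 1111 1111",   # DataP only
    "4012-8888-8888-1881",   # OtherCo only
    "5555555555554444",      # present in both breach lists
    "6011111111111117",      # valid number, matches no known breach
    "4111111111111112",      # fails the Luhn check: junk or mistyped
]

if __name__ == "__main__":
    report = attribute_purchases(PURCHASED, build_victim_index(VICTIM_LISTS))
    for masked, victims in report["attributed"].items():
        print(f"{masked}: {', '.join(victims)}")
    print("unmatched:", report["unmatched"])
    print("invalid:", report["invalid"])
```

The keyed hash matters more than it looks: a plain SHA-256 of a 16-digit number can be brute-forced from the six-digit issuer prefix and the Luhn rule, so an unkeyed hashed list is nearly as sensitive as the plaintext one.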
Ivan balked at providing us free cards, so we said no thanks and we discontinued talking with him. By doing this we were taking a calculated risk. Dennis continued to hit up the contacts we had made, but we also continued to go about business as usual. The AntCity team had become known in the cyber underworld as the guys to go to if you wanted to sell your stolen product. We were hard to deal with, but we were fair and we always paid. We had a reputation as being money men.
Ivan found out about this reputation, and after several hours of us not responding to his IMs, when we finally did, he was ready to deal.
Not only was Ivan willing to provide us with sample cards before we sent him cash, but he had a sweeter deal. He was willing to sell us access to the DataP servers for a period of several hours for $3000. The access would include a current username and password with full admin rights. Also, he would give us access immediately as proof; we could pay him the following day.
Now, because the account had a time limit, it meant that Ivan had more than one account with administrator-level access into DataP. It also meant that if he wanted to, Ivan could monitor all the cards we downloaded, and if we did not pay him, he could simply report them as stolen or post them on the web for anyone to take and destroy their value.
Ivan had one other card up his sleeve in making this offer. Assuming the FBI had not tracked him down at this point in time, which they had not since he was sitting in Latvia, when Dennis and the AntCity team logged in to test the account, a new trail for the FBI to follow would be created. In essence, the FBI would think that this recent intrusion and download was the original hackers coming back and follow that lead rather than focus on Ivan.
Needless to say, I instructed Dennis to take the deal.
Ivan provided us with the account as promised, as well as the name and location to Western Union the money to.
Upon receiving the account, I arranged a call with DataP’s management and the local FBI office. During the call I informed the CEO of DataP and all on the call that their system was still wide open and that we had just arranged to buy full access into their credit card database. Now this was a bold statement on my part, because that same day DataP had publicly announced that they had locked down their system and they were sure the hackers had been booted.
When I shared that we had received a username and password for access to the account, and prior to sharing it with the CEO, the CEO piped in with “I’ll bet a year’s salary that our system is locked down.” Now I’m a betting man and I like to gamble, but being an FBI agent and this being a victim, I was not able to take the bet. I suggested that the CEO not be so confident and asked for permission to try to use the account and password.
My request was based on two very specific reasons. One, it would have been illegal for me to use the account and password without permission because it would have been “unauthorized access to a protected computer.” Second, I was certain Ivan was monitoring the account: when it was used and the IP address associated with the use. If it was shown to be used internally by DataP, AntCity, or at least the persona Dennis used when speaking with Ivan, would have been burned.
The CEO of DataP granted permission, and three seconds later Dennis, myself and the rest of the AntCity team were looking at millions of credit card records.
A few minutes after we logged in, the collected group at DataP logged in with the same results. The phone line went silent, and after a long pause the CEO stated, “We’ll have to get back to you.”
As for Ivan, he was watching our login and also the subsequent login and account shutdown. After a period of flaming chats back and forth, it was agreed that his backdoors were not as secure as he thought and that the FBI was watching. That is why the account was quickly found and disabled by DataP.
Dennis’ persona was intact, and we would later work with and buy stolen data from Ivan from a different victim and collect enough evidence to build a case against him for our colleagues overseas.
Simply stated, the trick to catching and identifying the hackers was following the money. No matter how many technological roadblocks the hackers, fraudsters and scammers put in front of themselves, eventually they had to enter the real world to collect their “winnings.” We always wired the money on our terms, in part because we knew what we could track and what we could not. Electronic money changers like E-gold and Webmoney made profiting from hacking very easy for the hackers and very hard for those chasing them. So if you did business with any of the AntCity personas, you had to agree to Western Union or MoneyGram. But we did have one unique situation…
Dennis had been contacted by a hacker in the Ukraine wanting to sell a couple thousand cards he had acquired. As this was an approach out of the blue, we thought that the seller, we’ll call him Misha, was either another law enforcement sting operation trying to identify us or someone scraping cards off the IRC channels that offer them up for free and then trying to resell them.
If it was another law enforcement agency, it meant that our cover was very secure and the bad guys were trying to dime us out. This would surely lead to deconfliction issues later.
If he was a scraper and reseller, we were not interested. We were just as capable of scraping, but AntCity’s focus was on the hackers who actually cracked systems.
But for some reason, I gave Dennis permission to engage Misha and see what was really going on. The situation opened our eyes.
Misha shared a story that gave a new perspective on the Eastern European hackers.
For Misha’s part, he was a hacker, and apparently a fairly good one. He had successfully hacked a number of companies and made a lot of money. Now this is a relative concept. Many of the hackers who target companies would ask for $1000-$15000 or they would let the world know the company was hacked. This is seemingly a small amount of money given what they were stealing, but when you consider that many of the hackers were making less than $100 a week doing regular jobs in their homelands, making $1000 was huge money. And they were untouchable, because the victims were in the US and they weren’t.
The problem was all the money they were making.
When a hacker made extra money he would spend it on nice cars or clothes or fancy dinners. Well, when you do that in Kiev or Minsk or even Moscow, you get noticed. Not necessarily by the cops, but definitely by the local mobsters.
In Misha’s case he was taking advantage of his newfound wealth when one night, just as he was going out, he had some visitors at his door. In short they said, we don’t know how you are making money and we don’t care, but you are now working for us and we are taking our cut. Ukrainian organized crime was now involved with hacking.
Misha went on to tell us that one individual decided he did not like having to share his hacker profits, so he began running schemes on the side. The hacker’s online handle was ||_VAN_||. Several months after running his side gigs, ||_VAN_|| was found dead, or more accurately ||_VAN_||’s hands and head were found in a ditch. Misha was not sure about where his body was.
For me, I take that as a sign not to undercut the mob, but for Misha, he believed ||_VAN_|| only got caught because he continued to receive cash for his side hacking.
Misha had a way around that: he wanted to sell us his stolen data, but we could not pay him in cash or Western Union or by wire. Instead Misha wanted us to buy him shoes and clothes and stuff for his girlfriend and send it to him as payment for the cards.
Now I was intrigued.
I had Dennis send Misha to Nordstrom.com and VictoriasSecret.com and make a list of what he wanted us to buy. The deal was we would buy the items and ship them to him as payment. He would provide half the cards up front and the other half after receiving shipment.
I thought the idea was a good one because we would have a shipping address that was either Misha’s real location or connected to him in some way. The intention was to mark the items we bought in a nondescript yet specific place, so that when the package was delivered to its final destination and a person was eventually arrested, maybe they would be wearing or have in possession the “purchased” items bearing the special mark.
Well, trying to explain that one to my supervisors and the AUSA, as any purchase had to be approved because all funds had to be accounted for, was not an easy task.
In the end we did not make the purchase. And upon the declination, a female member of AntCity told the team we should be relieved. Why? Because where exactly were we going to mark the thong underwear and lingerie Misha had requested from VictoriasSecret, and how were we going to search for those marks when a subject was arrested? A mark inside a shoe is easy to find; inside underwear, not so much.
It is important to remember that when AntCity was occurring, cyber crime and identity theft were new to the world.
Most of those stealing the cards came from cash-based societies, and the theft of credit card data and its use was not an attack on an individual; rather, it was an attack on the system and thus a victimless and harmless crime.
As such, finding the hackers, carders and fraudsters online was easier than expected, in large part because of prior cases the team had worked before engaging Dennis.
The paranoia we feared would govern the hacking community seemed to be tempered by the promise of cash, the international nature of the crime, the lack of prosecution and little to no fear of being caught.
Each team member had their favored location for flushing out the bad guys. Usually it was a forum or chat group we had come across in prior investigations, but due to varying factors like language or time or the statement “you can’t do that” by the suits in the front office.
Everyone likened what we were doing to somehow wiretapping the Internet, when in fact everything we did was available to the public if the public knew where to look.
For me the most favored site to find the bad guys was Carderplanet.com.
Carderplanet was an online forum originally created by a group of 5 or 6 hackers, carders and scammers. The site originally split the world into spheres of influence for its primary members, being sure not to attack any country within the Commonwealth of Independent States, aka the former Soviet Union. The original members were Script, BoA (Bank of America), DeveloperCC, Bigbuyer, Klykva and a couple of others. The site was primarily in Russian and most of those on the site were Russian speakers.
But the site grew in popularity as the online bazaar for all stolen goods. Members took on roles related to status, with Script as the Godfather, others as Dons, Consiglieri and so on down the chain. If you wanted to openly sell or buy products or services on Carderplanet you had to be verified by senior members. Verification included offering free services to those members, and in turn they would write a review of how you performed.
Carderplanet grew from a Russian-only site to include English, Arabic and other languages.
Carderplanet saw the site as an online gang, where you would meet up with other hackers on an ad hoc basis to take on a hack, split the profits and then go your separate ways. This ad hoc hacking crew is common even today. If you were a member of Carderplanet, you defended Carderplanet. So when other sites offering the same structure and services began to pop up online, some Carderplanet members would go on the offensive by sending emails to everyone, including the FBI and USSS, diming out the rival group as selling child porn or Stinger missiles or other things sure to cause an uproar.
The flame wars primarily existed between Carderplanet and the US-based carder forum Shadowcrew, with a little smattering toward DarkProfits.
Of course, with Dennis’ language skills, Carderplanet became a target of AntCity, and more specifically we were targeting Script.
At one point we were making so many cash buys that the hierarchy, Script included, questioned our cash flow. They wanted to see cash or they would stop selling to us. Well, the FBI does not have hundreds of thousands of dollars in cash lying around for use, and the process to get the cash and then return it takes weeks and mounds of paperwork. Instead, I contacted the agents assigned to bank robberies and asked for a favor.
Two days later, the team followed our normal routine of getting Denis out of jail, but this time we had him change into street clothes as if he were going to a court appearance. Once outside of the jail’s gated sally port, rather than head to the offsite, a caravan of three FBI cars and 6 agents drove to a local bank. Once there we were ushered into a back room where the telecom equipment and computer network systems were stored. The bank manager and three employees then joined us with $200,000 in $20, $50 and $100 bills. Denis was uncuffed and a video was made of him thumbing through the cash while a sign in Russian was on the table that read, “Is this enough cash for you?” Only Denis’ hands and lower torso were visible in the video.
Once the video was shot, all of the money was recounted and the caravan of FBI cars left the bank and headed back to the offsite.
The “cash” video became a big hit in the carder forums, and offers to sell stolen databases of information started to flow in.
As we worked the case and targeted the hackers, carders and fraudsters around the world, the intel we gathered was disseminated to various offices and agencies to support ongoing investigations as well as to educate law enforcement personnel about how “carding” worked.
During the operation of AntCity, Dennis was successful in ingratiating himself with Script, the Godfather of Carderplanet, and we even bought stolen credit cards from him. We also bought cards from a guy going by the name cumbajohnny, aka soupnazi, who was a member of both Carderplanet and Shadowcrew.
We toyed with the idea of becoming administrators on the site, which would have given us full access to the whole site and the members therein. We were aware that this had been tried by others and that the USSS had an ongoing case working to do that exact thing on the ShadowCrew side. The biggest blockade was a question of legality. Namely, could we let a criminal organization continue to prosper and victimize people once we had been given “admin” control, or were we required to take it down as soon as control was obtained?
Given that AntCity was already using never-before-tried investigative techniques, we decided instead to use our level of access and reputation as a backstop to other operations.
Our investigation into Script revealed his real name to be Dmitry Golubov of the Ukraine. Golubov will later be arrested by the Ukrainian MVD with the help of US Postal Inspector Greg Crabb, based in part on evidence from the AntCity investigation.
Golubov will re-enter this story later, but for now it is important to note that Script was the target of FBI, Secret Service and US Postal investigations.
The same is true of cumbajohnny, whose real name is Albert Gonzalez. Gonzalez will eventually be arrested by the local PD in New Jersey and be turned over to the Secret Service. He will become a source for the Secret Service in their investigations of Shadowcrew and Carderplanet. That relationship will break bad and he will return to a life of hacking, only to be caught again and sentenced to 20 years in prison for hacking and stealing 40 million credit cards from the processor Heartland Payment Systems.
As a point of clarification, the US Secret Service, originally part of the Department of the Treasury, is not only responsible for the protection of the President of the US and other dignitaries; they are also responsible for investigating counterfeiting of legal tender. This role will eventually be expanded to include the counterfeiting of credit cards, and thus the USSS’s entrance into the world of cyber crime.
For the US Postal Inspection Service, their inclusion in the cyber world is a result of the shipping of packages that are illegally purchased with stolen credit cards. Again, all the stolen data in the world is no good unless it can be used, and in this case it was used to buy goods and then have them shipped via the US postal service to locations around the world, which is mail fraud.
So each of the agencies has a stake in the cyber underground economy, seemingly for the same reason, but in truth money and power come into play as well. The cyber crime-fighting bucket of money is only so deep, and when each agency wants its piece, battles begin to rage. These battles other agencies and players will use to their advantage later on.
Within the FBI, we had an effective information sharing platform, and as such we were able to limit the number of toes we stepped on, but when it came to other agencies, very little information sharing occurred, and as such deconfliction of cases became a role for the Department of Justice and the Assistant US Attorneys assigned to the cases. Since they each had cases from different agencies, they also got to choose whose investigation was better suited for prosecution. Also, all rules regarding investigations, evidence, source management, disclosure of witness identities, etc., are governed by the United States Attorney General. Who better to know all the rules and the correct way to handle issues than the lawyers charged with prosecuting the bad guys and watching over the agents to ensure everything is done properly?
Over the next nine months, the AntCity crew worked at a blistering pace. We took part in over 2500 consensually recorded online chats, bought more than 400,000 stolen credit cards, identified and notified over 700 companies who were the victims of hacks and fully identified more than 100 hackers, scammers and/or fraudsters.
With pressure from FBI management to show “stats,” namely indictments or convictions, it was time to wrap up the operation and send some people to jail.
Denis had been in the custody of the US government for almost two years. During that time he had waived his right to a speedy trial, but now it was time for him to have his day in court and the charges against him addressed.
Denis’s court-appointed defense attorney was a former AUSA and well versed in FBI procedures, including undercover operations. He was made aware of all the assistance Denis had provided to the FBI, with the result being that Denis’ defense attorney and AUSA Alikhan arranged for Denis to plead guilty to the charges against him and in turn he would get a 5K motion, meaning his sentence on the charges would be reduced to time served.
During his appearance in court, Judge Carter was made aware of Denis’ work as the reason for the AUSA’s “time served” recommendation. This was then followed by Denis’ defense attorney stating for the record his gratitude for the way my fellow agent and I treated his client. Then the strangest thing happened: Judge Carter came down off the bench and walked to the court gallery where members of the AntCity crew were seated. Judge Carter then shook each of our hands and commended us on an “amazing” job.
Given that Denis was an illegal alien in the United States (a fact that was not shared with the Judge), upon his release from prison he would be turned over to the custody of the Immigration and Naturalization Service and deported to his home country. Denis was going to be going home.
This fact was great for Denis but a huge negative in terms of the possible prosecution of those identified during the AntCity Operation. The FBI still needed Denis, and as such a deal was reached between AUSA Alikhan, Denis’ defense attorney and Denis.
Denis would stay in the United States and he would continue to work with the FBI. Denis’ housing would be taken care of and he would receive $1000 per month in spending cash from the FBI. And if, in a couple of months, he decided to, he would be sent home on the FBI’s dime. If and when he was needed to testify, he would return to the U.S. as a witness.
FBI management agreed to this arrangement, in part because of the success of AntCity.
Denis’ deal with the AUSA required Denis to be placed on probation. He would be assigned a probation officer and would be required to check in accordingly. This arrangement had several huge hitches. The first of which was that if Denis was given probation, his real name and information would be searchable in the online court records accessible through PACER.gov. Again, hackers do research, and Denis was a known hacker before he was incarcerated. If, after he was sentenced, he was released and remained in the US, then everyone would assume he was cooperating with the FBI, and thus his family and friends would be in danger.
The hackers we had been hunting, and seemingly would continue to hunt, were making millions and we were taking away their livelihood. Families were fair game.
With the fear on the table, it was necessary that all documents related to Denis’ cooperation, charges, sentencing and probation not only be sealed by the court but also not be placed into PACER. No small logistical feat, but it was arranged.
When Denis finally had his day in court, he stood before Federal Judge David Carter and pleaded guilty. The recommendation for sentencing was made by AUSA Alikhan and accepted by Judge Carter. Then something strange happened: Denis’ defense attorney made a statement on the record commending the FBI agents in the room and all those that had worked with his client, thanking us for our professionalism and dedication. This was then followed by Judge Carter stepping off the bench, coming to the courtroom gallery and walking to each of the agents present, myself included, to shake our hands and thank us for our work.
I did not know at the time, but later found out, that Judge Carter was well aware of the work and the type of cases Denis had been working on, and that he was aware that Denis would be staying in the US and continuing his work with the FBI.
It makes sense that the Judge in the case would know about the arrangement made between the defense attorney and the AUSA, because Denis was illegally in the U.S., and by giving him probation the court had allowed him to remain in the U.S. illegally.
As I said earlier, the arrangement had hitches.
Denis needed a place to live and money, but his illegal status meant he had no valid identification to provide as proof of identity.
Per the terms of his probation, which were sealed by the court, Denis’ probation officer was not allowed to speak with me about his case. Denis was also forbidden from having any contact with law enforcement, which meant that working with the FBI was strictly prohibited.
Also per the terms, Denis was to get a job. Well, if you have no Social Security number and no identification papers, you can’t get a job or a bank account or a driver’s license.
In short, Denis was told to lie and commit additional crimes in order to stay in the US.
All of these issues were brought to the attention of the AUSA but were seemingly not a concern.
AntCity moved into phase two. Daily, Denis would come to the offsite on his own: no more picking him up from the jail, no more handcuffs or leg irons or chain shackling him to the table. He could come and go as he chose, but if he did not work he did not get paid.
On one occasion right after Denis’ release, as Denis was being moved into his new apartment, he asked for a ride to the grocery store to pick up supplies. One thing in particular he wanted was mustard.
As we entered a Ralph’s grocery store and began to look around, it became apparent that Denis had no idea what life in the US was like. The mustard aisle alone had over 40 different types of mustard in various shapes, sizes and flavors. Denis was in awe and stated he was going to like it here.
Work on AntCity continued to progress very well. Phase II was focused on solidifying evidence on 20 different subjects that had been identified as crew leaders who had sold us credit cards but had also indicated they were the hackers behind several major breaches. They had names like Ganjabaz and Hiroksuson and, of course, Script and the major players at Carderplanet.
The team was successful in filing 10 federal complaints against those carders we had fully identified around the world. Others would be charged by either other agencies or in relation to other cases, and the evidence AntCity collected would be used without detailing how it was collected.
One of the major accomplishments was the takedown of Carderplanet. As Carderplanet was a forum or online bazaar of numerous cyber criminals offering up their wares, albeit ill-gotten wares, going after the players would not truly disrupt the operation. We needed to take the site offline.
The USSS was planning a major sweep on Shadowcrew and had some luck in getting the Russians to help on Carderplanet server shutdowns in Russia, but Carderplanet stayed active. The heads of the forum even went so far as to change the forum’s banner to read something to the effect of “The FBI can’t find Us.” They were taunting us, which was not a good move.
If the goal is to shut down a site, then attacking or targeting the people on the site only has limited success. Through link analysis we determined key players on the site that, if removed, would have the greatest impact, and in the end the analysis showed the people were not the objective; we needed to focus on the servers behind the site. And we found them in our own backyard.
Carderplanet was being hosted and run out of a set of servers in the basement of Paul Ashley’s home outside Columbus, Ohio. Ashley was the owner and operator of Foonet, an independent Internet Service Provider. Foonet was built to withstand outside attacks and to rotate IP addresses to continually hide where sites were actually hosted. Foonet was also being used as a DDoS-for-hire shop.
A DDoS is a distributed denial of service, which is likened to a series of crank calls. “Hello, is your refrigerator running?” “It is?” “Shouldn’t you stop it before it gets out the front door?” One crank call an hour is bad; 50,000 a second will shut down the phone switches or, in the case of sites attacked by Foonet, it will shut down Internet access to and from the site. But again, Foonet was designed to defeat DDoS attacks, so when Ashley and friends wanted to convince a site to host on their servers, they would DDoS the current host until the site realized they should change hosts.
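The rate picture behind the crank-call analogy (one call an hour is nothing, thousands a second is an outage), as an added Python example that is not code from this account or from Foonet. It reads constructed web-server access-log lines in Common Log Format, counts requests per source per second, flags any source whose peak exceeds an assumed per-source threshold, and raises an aggregate alert for the distributed case where many sources each stay under that limit but their sum does not. The IP addresses, timestamps and both thresholds are constructed for the demo; real thresholds come from a site's own baseline traffic.

```python
"""Per-source and aggregate request-rate detection over access-log lines.

Added example, not part of the original account. The log lines are constructed
(documentation IP ranges) and the thresholds are demo assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format prefix: client ident user [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (ip, epoch_second) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), int(when.timestamp())


def analyze(log_text: str, per_source_threshold: int = 10,
            aggregate_threshold: int = 15) -> dict:
    """Bucket requests per source per second and compare peaks to thresholds.

    Two views are needed: one chatty source (caught per source) and a spread
    of sources each below the per-source limit whose sum still saturates the
    site (caught by the aggregate peak). Unparsable lines are counted, not
    dropped silently, because a sudden rise in them is itself a signal.
    """
    per_source = defaultdict(lambda: defaultdict(int))  # ip -> second -> count
    per_second = defaultdict(int)                       # second -> total count
    unparsed = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1
            continue
        ip, sec = parsed
        per_source[ip][sec] += 1
        per_second[sec] += 1

    flagged = {ip: max(buckets.values())
               for ip, buckets in per_source.items()
               if max(buckets.values()) > per_source_threshold}
    aggregate_peak = max(per_second.values(), default=0)
    return {
        "flagged": flagged,
        "aggregate_peak": aggregate_peak,
        "aggregate_alert": aggregate_peak > aggregate_threshold,
        "unparsed": unparsed,
    }


# Constructed sample: one source hammering "/" twice a second for two seconds,
# two normal clients, and one line that is not a log record at all.
FLOOD_IP = "203.0.113.7"
SAMPLE_LOG = "\n".join(
    [f'{FLOOD_IP} - - [31/Dec/2004:15:00:00 -0800] "GET / HTTP/1.0" 200 1234'] * 12
    + ['198.51.100.4 - - [31/Dec/2004:15:00:00 -0800] "GET /index.html HTTP/1.0" 200 5120']
    + [f'{FLOOD_IP} - - [31/Dec/2004:15:00:01 -0800] "GET / HTTP/1.0" 200 1234'] * 9
    + ['198.51.100.9 - - [31/Dec/2004:15:00:01 -0800] "GET /style.css HTTP/1.0" 200 800',
       'not a log line at all']
)

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, peak in report["flagged"].items():
        print(f"flood suspect {ip}: peak {peak} req/s")
    print("aggregate peak:", report["aggregate_peak"],
          "alert" if report["aggregate_alert"] else "ok")
    print("unparsed lines:", report["unparsed"])
```

The per-source check alone is what a host that rotates source addresses, or a botnet, is built to slip past; that is why the aggregate peak is reported separately and should feed its own alert.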
During Phase II of AntCity, the takedown of Carderplanet was accomplished. All the hard work was paying off and all were happy, or so it seemed.
Denis was not happy. He missed home, he had no friends in the US, he had no transportation and very little money, at least in his eyes. $1000 a month was great except when he saw how much those 40 different types of mustard cost. And since he could not get a legal job and his probation officer was hounding him about how he was making money, things were coming to a head.
Denis decided it was time to go home.
It was clear to me that once Denis left the US he had no intention of returning. He was done working for the FBI, and he missed his home and his family.
(to be continued)