The Hunt for Lord Cyric: An eShort Follow-Up to DarkMarket


by Misha Glenny


  That still doesn’t answer the question as to why people were prepared to speak openly with me. There is no single easy answer to that. But there is one thing always worth remembering: at some level, most people have a congenital urge to tell their story. The basic truth observed by Aristotle that man is a social or civic animal means that we are hard-wired to talk to one another and tell stories—about ourselves, about what we might have seen or what we think we might have seen – and then to express an opinion as to what these observations mean or what we should do about them.

  Of course, that in itself does not explain people’s willingness to talk—in each case, there are specific reasons. Some feel as though they have been misunderstood or misrepresented—I have observed that this is often the case for people who have been subjected to the spotlight of daily news. The print media’s habitual presentation of DarkMarket’s chief administrator, Renukanth Subramaniam, aka JiLsi, as a master criminal who seemingly controlled large parts of the cyber underworld was very far from the truth. He was keen to set the record straight—not to deny that he was engaged in criminal activity but merely to explain that he was not nearly as powerful or indeed malevolent as the papers had made out. Although police gathered evidence that he was habitually involved in credit card fraud, he was not a big money maker.

  This points to a significant problem as the new age of cybercrime dawns. There are very few journalists, especially working for mainstream news outlets, who grasp anything more than the basics when it comes to criminality on the Internet. I don’t believe that there is much blame to be apportioned here—it simply means that one should approach the reporting of cybercrimes with some trepidation.

  Others felt it important to balance the police’s version of events. The identity of the FBI’s Undercover Agent Keith Mularski, who had infiltrated DarkMarket to such an extent that he had become one of its administrators, was exposed towards the end of the DarkMarket operation. In response, the FBI considered it sensible to allow him to publicise the case and its success in bringing down the website. He has told his story widely and he has told it well. It is gripping, illuminating and, to my mind, places the work of the FBI in a good light. But it is, of course, only one perspective and, as I researched the DarkMarket story, it became obvious that there were other aspects to its history that even Mularski as an administrator was not in a position to explain or even know. Above all that included the perspectives of hackers, carders and criminals who were active on DarkMarket. I believe it to be essential for our understanding of crimes like those committed through DarkMarket that their voice be heard, too. And I found them very receptive to this argument when telling their story.

  I took Corey Louie’s advice and got in touch with Keith Mularski in Pittsburgh at the National Computer Forensic Training Alliance (NCFTA), a non-profit organisation that brings together law enforcement, business and academic researchers all engaged with operational cyber-security issues. Keith was very friendly and invited me to go and talk to him there. I had only ever driven through Pittsburgh once before but during my several visits there, I got to like the place.

  THE VISION of Pittsburgh’s triangular downtown hit with unexpected drama as I emerged from the Fort Pitt tunnel. With sunlight bouncing off three rivers onto myriad green- and yellow-tinted windows, the buildings look springy and fresh. Although intangible, there is something profoundly optimistic about Pittsburgh.

  This is almost certainly rooted in the sense that this city overcame the profound crisis that devastated its self-confidence from the late 1970s onwards. This mecca for steel had played such an important role in the rise of America to economic primacy in the twentieth century. But a series of tectonic shifts in global trade eviscerated the city and throughout the 1980s its population, productive output and very identity collapsed.

  Its reinvention in the 1990s into one of the most pleasant urban environments in America has been remarkable. Painted in bright and warm colours, the body parts of this once great leviathan of metallurgy form a pleasing backdrop to the urban reimagining. The once oppressive polluter is now a gentle series of sculptures.

  Downtown, however, still hobbles like a slightly threatening gnome. During the day, it is home to some modest life as government, banking, insurance, universities and business still have a significant presence here. But at night the skyscraper shadows close in on empty streets that echo with coughs, shouts, and the occasional squeal of tyres. It almost acts as a reminder of Pittsburgh’s decay of three decades ago.

  If you cross the Monongahela River from downtown, you reach the bottom of Mount Washington. This is the South Side where skyscrapers give way to two- or three-storied nineteenth- and early twentieth-century buildings that flank East Carson, the main drag. Beloved of university students and Bohemians, this is where the highest concentration of cultural and religious centres of the many Slav communities lies. They migrated here to forge the steel. Old enemies like the Serbs and Croats, the Russians and the Poles, sit together contentedly side by side. Pretty though this is, when the students leave it, too, becomes a touch desolate.

  If you continue heading east on Carlton, the quirky stores and restaurants soon yield to the deadening architecture of the shopping mall and food halls, which themselves give way to a rather barren road. Before long on your left there is a non-descript building in white stone that is surrounded by high black railings. It’s almost on the last block before you leave town. This is the local headquarters of the FBI.

  There was nothing disingenuous about Keith Mularski. He sat there with a tight-lipped minder from the press department and was open about his work as an undercover agent on DarkMarket. Of course, he had been outed a few months earlier as I have described in DarkMarket but nonetheless for somebody in such a sensitive policing position, he was extremely constructive and was clearly willing to answer my questions as honestly as he could.

  I knew the broad outline of Mularski’s role in DarkMarket because various publications, most notably the Wall Street Journal and Wired magazine, had written extensively on the subject. Furthermore, Mularski had already given a number of interviews. So I did not imagine that I was going to pick up an exclusive that day.

  What interested me more were his peripheral observations—in particular, I found fascinating the relationship between Russian-language cyber criminals and those working predominantly in English. Soon after the Millennium, Russian and Ukrainian ‘carders’ had encouraged English-speakers to become involved in their activities. But a few years later, the Russians broke with English speakers, attempting to distance themselves wherever possible from those who a few years earlier they had tried to draw into their world.

  For me these were little nuggets of information that gave me an indication how the world of cybercrime had its own history, its own culture and its own politics. Keith’s intimation that cooperation between US law enforcement and its Russian equivalents was often extremely difficult suggested to me a much broader political problem when it came to malfeasance on the web. Further research soon made it clear that as long as Russian carders targeted Western consumers and banks, then Russian police would turn a blind eye to their activities. Later on, I would uncover that this had important implications not just for cybercrime but the related areas of cyber espionage and cyber warfare.

  Agent Mularski gave me an introduction to the lead personalities in DarkMarket. Interestingly, none of them were American (although later on arrests of American citizens were made). No—the main characters were European: of his fellow administrators, Mularski explained to me that JiLsi was a British citizen, Matrix001 was from Germany and Cha0 was Turkish.

  Mularski looked genuinely baffled when I enquired about Lord Cyric. He told me that the only thing he knew about the notorious man was that his IP address resolved to Montreal. He continued that he had been in touch with the Royal Canadian Mounted Police but that they had been unable to help any further. On the one hand, I was slightly surprised that the FBI had drawn a blank with the RCMP as the two organisations have a long record of close cooperation. On the other, Mularski did not seem to be dissembling. I got the impression that he really wanted to know who Lord Cyric was and what his aims were but that he had simply failed to run him down.

  The other curious aspect to Lord Cyric’s activity on the board was that nobody could recall him actually engaging in any criminal business. There was no recollection of him buying or selling credit cards; no hint that he had advertised for sale ‘skimmers’ (the machines that read and store credit card information from ATM machines); and no record of him trading in malware. But he was a very active contributor, or ‘poster’.

  So what was his game? People, mostly, just shrugged when asked. His chief supporter and sometime mentor El Mariachi, whose real name is David Thomas, was the most persistent and verbose poster but he could always rely on Cyric, Salacious Crumb-style, chipping in with snide and snarky remarks. (For David Thomas’s story, read Kim Zetter’s piece in Wired magazine, wired.com/politics/onlinerights/news/2007/01/72515.) His close relationship on earlier boards with El Mariachi meant that a lot of people believed Cyric was working with law enforcement. One of the reasons why El Mariachi’s reputation among carders was so poor was because it was common knowledge that he had worked with US law enforcement at one point.

  But one influential administrator dismissed all these slurs and aspersions cast on Cyric’s character. This was Cha0. By common consent, Cha0 had been one of the great masterminds of DarkMarket. He had a security system that was second to none and he was clearly working as part of a bigger, organised operation. Before he joined DarkMarket, he had established his own website – crimeenforcers.com – through which he offered custom assistance for individuals wishing to embark on cyber-criminal activity or to improve their skills.

  If there was one character I was even keener to speak to than Lord Cyric it was Cha0 or, the man who was arrested as being behind Cha0, Cağatay Evyapan. As a member of DarkMarket, Cha0 was as influential as it came, and his import certainly eclipsed that of Lord Cyric. But it was the interview with Mert Ortaç, mentioned above, that made me think the two of them lay at the heart of the story.

  Mert’s story was almost unbelievable but mesmerising nonetheless. Unfortunately for me, however, his interview raised as many questions as it answered. And if I was going to begin to verify his bizarre tale, I knew that I would either have to speak to Cağatay or to track down whoever the man behind Lord Cyric really was. It was daunting, especially given that Cağatay was in a jail in western Turkey.

  I had already pulled off a major coup by persuading the Turkish Interior Ministry to allow me to interview Bilal Sen, the detective who had masterminded the investigation into not only Cağatay but also into other major cyber criminals, most notably the notorious Ukrainian cyber criminal Maksym Jastremsky, aka Maksyk. No Turkish journalist had ever been given permission to speak to Inspector Sen and so initially I was fairly pessimistic about my prospects. Given the centrality of the inspector’s work to the entire DarkMarket operation, however, I knew that I dare not accept ‘no’ for an answer. Eventually, after months of considerable cajoling, persuading, string-pulling and some astonishingly good work from Sebnem Arsu, my ‘fixer’ in Turkey, we were told that we could travel to Ankara to see Inspector Sen at the headquarters of Turkey’s fabled Anti-Organised Crime Unit.

  Bilal was an extremely thoughtful and decent man. As I say in DarkMarket, he was about as far away from the stereotypic image of a hard-nosed Turkish cop as you could get. Intellect and thoroughness were the two principal tools he used in an investigation. Among the many things I gleaned from Bilal was the detailed description of Cha0 as a much more organised and efficient operator than the other two DarkMarket administrators, Matrix001 and JiLsi, who I had already got to know by then.

  Although hugely influential as administrators, compared to Cha0 these two, in south Germany and London respectively, were playing at being criminals. Matrix, for example, had in a three-year period only made about €60,000 and he had gambled away most of that. For an online criminal, a €20k a year average is barely respectable.

  Cha0, however, was arrested in his luxury villa in the south of the Asian side of Istanbul. Here police found a factory devoted to skimming and carding. This was an industrial-strength money-making operation that justified the widely held belief among the DarkMarketeers that Cha0 was a big-time operator. And that squared with the investigation into his activities. Again, in contrast to his counterparts like Matrix and JiLsi, it had been much harder for the police to identify and eventually arrest Cha0. The chief reason for this lay in the impregnability of his computer security network. Cağatay Evyapan had been arrested in 2000 for his part in a raid on an ATM machine in the port of Izmir but he had absconded from jail in 2005 and appeared determined that he wouldn’t return there.

  Try as they might, neither the Turkish police nor the FBI had succeeded in identifying Cha0 during over two years that he spent on DarkMarket. They only knew that he was Turkish and that he was probably in the Istanbul area. Even this was, in principle, supposition. Because he ran one of the world’s biggest ‘skimming’ operations, selling the machines which covertly read and store credit card information from ATM machines, the police assumed he would require the logistical capacity that only a major city like Istanbul could offer. But he might have been in Ankara or some of the other major industrial centres in Turkey.

  Soon after I had spoken to Inspector Sen, I received a long, occasionally incoherent, reply to a letter I had sent to Mert Ortaç who at this time was still in jail on remand, accused of a computer crime unrelated to DarkMarket. Mert’s letter hinted at his extraordinary story—it was one of the most tantalising messages I had ever received. He warned me that Cha0 was one of the most dangerous criminals in the world and that I should avoid approaching him.

  I felt I was getting closer to a deeper DarkMarket truth. Mert insisted that Cağatay was not the real Cha0 but that he was nonetheless in cahoots with the real Cha0, the mysterious Sahin, and with the equally elusive, Lord Cyric. But both Mert and Cağatay were out of reach in Turkish prisons.

  Then I got an unexpected break. One or two of these never go amiss during a complex investigation. Sometimes you create the break yourself but this one just fell into my lap. Mert was released from jail on a technicality. And he was eager to talk.

  As Mert described it, Lord Cyric was almost as important on DarkMarket as Cha0. Not only that, he described his identity in detail, claiming that Cyric was a Turkish businessman—let us call him KS—who had long been resident in Canada and who was renowned as one of the early pioneers of the Internet in Turkey. Mert then showed me evidence from the early 1990s during the time of the so-called Bulletin Board Systems (a forerunner of the Internet) in which Cha0 and Lord Cyric exchanged messages of friendship with each other.

  The information was baffling but in one respect it chimed with what I had already learned from the FBI’s Keith Mularski. At his offices in Pittsburgh, he had told me that all the evidence suggested that Lord Cyric’s IP Address resolved to Montreal, Canada. I then contacted another board member of DarkMarket, who must remain anonymous. He was also very keen to uncover Lord Cyric’s identity and he had succeeded in establishing that while Cyric’s IP Address could usually be traced back to Montreal, on occasions it suddenly reverted to Toronto.

  As I explained, Mularski had told me that he had contacted the Royal Canadian Mounted Police (RCMP) in Montreal for help in trying to identify Lord Cyric but the RCMP had never got back to him. The RCMP did not have anything approaching the cyber capacity of the FBI and it is credible that they felt unable to pursue Cyric. Nonetheless, it struck me as strange. Interestingly, Canadian law enforcement did not play an active role in the DarkMarket operation, which is slightly curious as there were a number of connections between the forum and Canada.

  However, when I asked Mularski about Cyric a second time some months later, he said that there was also information that Cyric’s real identity was one Stephen Zack, a resident of Montreal. But again, it seemed, the Canadians weren’t interested in him. More than this Mularski could not say.

  Toronto was where KS had built up his hi-tech start-up several years earlier. Initially, it had proved hugely successful as it was one of the companies that created the software enabling people to read their email on the web, not just through programmes like Microsoft’s Outlook.

  One of the items I was scouring for on my quest was DarkMarket’s very own Holy Grail—a full or substantial archive of the Internet forum. This would have helped my research immeasurably. I knew that at least one copy existed. Almost certainly among the largest archives of DarkMarket it was in the possession of the FBI.

  Mularski had been able to use his status as the DarkMarket administrator Master Splyntr to copy almost everything going down on the forum. As a rule, he was extremely accommodating and helped me where he could with my research. But for operational reasons, I knew that he would never let me trawl that archive. The FBI was using this material as a database to create profiles of hundreds of suspects and the last thing they wanted was a journalist blabbing any details. Occasionally, Mularski took pity on me and showed me chats and exchanges on the forum involving people who had already been arrested and convicted. But this was limited in scope.

  I had been assured by others, however, and was fairly convinced myself that there must be other copies of DarkMarket somewhere out in cyber space. After all, its two most notorious predecessors, CarderPlanet and ShadowCrew, were easily accessible in the cloud for all and sundry to download. How many evenings did I waste, eyes sinking gradually into their sockets, following tenuous link after tenuous link, reading endless posts on various forums in the hope that someone might mention a link to the elusive DarkMarket archives! Even so I was pessimistic (rightly as it turned out) of ever finding the archive. And I was sure I would never hit the real goldmine: the private administrator messages in which the digital politburo communicated among themselves away from the hurly-burly of the main forum.

 
