DarkMarket: Cyberthieves, Cybercops and You
The trustees, so read the certificate, ‘have granted this diploma as evidence thereof given in the city of London in the Cambridge at the twenty-second day of june two thousand four’.
Perhaps they conferred the diploma in the Cambridge Arms in the City of London? Wherever the fictitious ceremony had taken place, the certificate was so crude that it hardly merited the epithet ‘counterfeit’.
One of his colleagues at Toshiba’s IT department was struck by how often Mert boasted about his relationship with National Intelligence. He, too, had offered occasional assistance to the spooks, especially in the late 1990s when the Agency had yet to develop its own effective cyber division. But one did not brag about such matters. Mert’s constant mutterings about his close relationship with intelligence really did jar. However, Toshiba kept him for six months because whenever his bosses there asked him to come up with a solution to a problem, he invariably delivered the goods. He struck them as smart, but something told them to keep a close eye on him.
Of an evening, Mert would be called in by his control at the Intelligence Agency and asked to give a forensic assessment of various hard disks and computers, which they had conjured up seemingly from nowhere. He was supposed to gut the files, crack passwords where possible and deliver any incriminating materials. The Agency’s primary responsibility was for Turkey’s domestic security and it was tasked with monitoring the wide range of organisations that the government deemed were engaged in terrorism.
Towards the end of 2006 Toshiba sacked Mert – his attitude was not right, he boasted a little too much about his dubious exploits with credit cards, and yet he was also constantly asking his colleagues for loans or bonus payments.
Mert claimed that he left Toshiba on the instructions of his handlers at National Intelligence. They were working on finding him another cover job, he said.
Just before he began work at his new post, his handler brought him a hard disk that formed part of a highly sensitive investigation. Control wanted to know everything about each file on the disk, whether visible or hidden, accessible or encrypted. The disk belonged to a senior member of a left-wing underground organisation known by its acronym, the DHKP/C.
During the 1990s and early 2000s the DHKP/C had been one of the most violent and effective left-wing organisations committed to armed struggle in Turkey. The Revolutionary People’s Liberation Party/Front (the Party was the political wing and the Front, in theory, the military wing) was a splinter group from Dev Yol, the larger revolutionary movement, which bore the brunt of military repression during the 1970s and 1980s.
This group was no tinpot outfit – it took its politics and its terrorism seriously, concentrating primarily on attacking the collaboration between what it denounced as NATO imperialism and the Turkish military establishment. It carried out successful assassinations against Turkish, American and British citizens who were either influential businessmen or linked to the military. In contrast to most leftist armed outfits, it boasted a sophisticated counter-intelligence capacity and, as such, was one of National Intelligence’s trickiest surveillance targets.
On one raid agents had picked up a laptop, and it was handed to Mert in the guesthouse where he was first interviewed and where he now always worked. His handler explained that the user had been accessing a website called DarkMarket. The handler was also a geek and told Mert that he had followed DarkMarket’s connections as far as a server in Singapore, which looked to him like a proxy. After that, he said, he lost the digital trail. He knew nothing about who was behind this site, although the evidence strongly suggested to him that the DHKP/C was involved in carding as a way of maximising its revenue and perhaps also investigating the use of botnets and whether this might assist the DHKP/C in achieving its goals.
Suddenly DarkMarket was no longer just a criminal website: it was helping to fund a designated terrorist organisation.
Did Mert, the handler asked, know anything about this site?
Mert did not. He, too, tracked DarkMarket’s server back to Singapore, but try as he might he could not trace it any further. This was in fact thanks to Grendel’s sterling efforts. Nonetheless, Mert told his handler he knew somebody who might be better acquainted with DarkMarket.
Mert was tired. National Intelligence invariably expected him to complete these assignments overnight. His new job was working for the Turkish concession of Fox TV. Fox Turkey was not wholly owned by Rupert Murdoch’s News International because, according to Turkish law, a local citizen had to control 51 per cent of the stock. This majority shareholder was a former diplomat who was known to have links to the police and secret service. At Fox, Mert’s colleagues noticed that he was frequently, if not always, distracted. And that he would find it difficult to finish even simple jobs – not because he couldn’t do them, but because he was up to something else at the same time.
One of Mert’s contacts had asked the young man to keep an eye out for a certain Sadun Özkaya, a middle-class teenager whose parents were worried that he was straying. He had just been extracted from jail, where he was under investigation for fraud. The contact asked Mert to keep Sadun on the straight and narrow – which was like engaging a wolf to preach the benefits of veganism to another wolf, as the two of them lick their chops over the remains of a juicy young lamb.
Mert knew about cryptography and programming; Sadun knew about credit cards. Before long the two were pooling their skills. And, to Mert’s astonishment, Sadun told him that he was a member of DarkMarket, which he visited using two nicknames, Cryptos and PilotM. Within hours Mert Ortaç was logging in as the latter.
O, wonder! thought Mert as he espied the innards of DarkMarket for the first time:
How many goodly creatures are there here!
How beauteous mankind is! O brave new world,
That has such people in’t!
Mert was transfixed. He explored every nook and cranny of the website, looking into its forums, learning to imitate its argot and then trying to uncover its secrets through slightly more devious means. Until now, Mert’s criminal aspirations had been focused on the area of smart-card decryption and selling cloned cards once he had cracked their coding system. Let loose on DarkMarket, he was quickly picking up new tips about credit-card fraud. The combination of these skills would lead him and Sadun into some very murky, if financially nutritious, waters.
Before that, however, he started to map everything about DarkMarket as if it were an underground maze with hidden traps and treasures. His bosses at National Intelligence of course wanted to uncover anything that related to DHKP/C, the terrorist organisation they were investigating. But Mert was more interested in everything else that was going on across the boards.
He very quickly understood that Cha0, Master Splyntr, Shtirlitz and Lord Cyric were key members of the site. By the time Mert started playing on DarkMarket, JiLsi and Matrix001 had already been taken down.
It took him only seconds to figure out that Cha0 was Turkish, although this was entirely by accident and had nothing to do with his hacking skills. He was browsing the advertisements for Cha0’s skimming machines when he spotted a Turkish sign for a doner kebab in the background. On another photo a skimmer for sale was standing next to some Turkish washing powder.
He relayed the news about the heavy Turkish influence on the website to his supervisor at the Intelligence Agency, who became even more interested in DarkMarket: not only were there left-wing terrorists active on the site, but it was actually run by Turks! This could be something major, so it required further investigation. Mert was given the authority to make contact with Cha0 and any other Turks that he found loitering around the DarkMarket board. It was not long before he thought he had identified another – Lord Cyric.
Mert started searching the archives of the early 1990s, when many geeks were using something called the BBS, or Bulletin Board Service, a bridge between an electronic messaging system and the Internet. As he was looking through the logs, his jaw dropped when he came across two familiar nicknames, sitting side by side: Cha0 and Lord Cyric! It would appear, he deduced, that these two masterminds of DarkMarket had known each other for a very long time.
31
A SERVANT OF TWO MASTERS
The fictional Lord Cyric had become popular among gamers and geeks in the 1980s and early 1990s. He was a self-appointed deity who haunted The Forgotten Realms, a godforsaken fantasy world where warriors roamed to seek out treasure and dark secrets while vanquishing creatures with magical powers and destructive urges. The Realms became a favourite territory for gamers to explore once they had assumed a fantasy role in a team of adventurers playing Dungeons and Dragons. Subsequently, these Badlands of a sub-Tolkienian world appeared in a variety of computer games, including the hugely popular Baldur’s Gate.
They were also described in many novels that were inspired in equal measure by Dungeons and Dragons and the Lord of the Rings. The figure of Lord Cyric had a crucial part to play in the mythology of the Forgotten Realms – in addition to being a god, he was thoroughly evil. More importantly for the world of carding and DarkMarket, Cyric was known inter alia as the Prince of Lies, whose satanic powers included a mastery of deception and illusion as well as the ability to promote strife and intrigue.
Whoever lay behind the avatar in CardersMarket, DarkMarket and elsewhere, he or she wanted to project the concept of what Dungeons and Dragons gamers refer to as ‘chaotic evil’, implying that the character scatters the seeds of mayhem and despair arbitrarily wherever he or she may roam. That certainly fitted DarkMarket’s Lord Cyric as snugly as his penchant for deception, illusion, strife and intrigue. Few carders generated as much hostility in the community as this character did. His speciality was to spread accusations through rumour and innuendo.
For reasons never understood, Cyric would pick a target, like RedBrigade, who had exploited Shadowcrew to such lucrative effect in New York. Then he would set out to destroy his reputation among fellow carders with a thousand cuts. A little hint here or a little insinuation there that RedBrigade was not all he appeared, or coded drop-ins to suggest that RedBrigade was in fact working for law and order. His language was snarky and childish, yet carefully designed to cause maximum distress to the target of his attacks.
Yet Cyric had his champions, too – none more stalwart than Cha0. With an oversized brain and a superiority complex to match, Cha0 only ever recognised two computer users as his equal. His contempt for the FBI’s cyber division was boundless, but he warmly acknowledged the hacking skills of Max Vision, aka Iceman, even though the two had often found themselves at loggerheads due to Iceman’s attacks on DarkMarket. And when talking of Lord Cyric, Cha0 almost went so far as to recognise his old friend as being even more elevated in the hackers’ pantheon than he himself was.
In a short space of time, Lord Cyric had succeeded in positioning himself as a key moderator and administrator on boards like The Grifters, CardersMarket and finally DarkMarket. Nobody understood what his game was or what he was trying to achieve, although those whom he targeted immediately assumed that he was working for law enforcement either as an officer or as a confidential informant.
In Pittsburgh, FBI Agent Keith Mularski had no idea. Like many others, he believed that the person behind Lord Cyric lived in Montreal, Canada, but his enquiries of the Royal Canadian Mounted Police cyber division brought him no joy. In fact, although Cyric’s IP addresses could be traced to Montreal, they would occasionally show up as being located in Toronto, which is where some sleuths suspected he really lived.
Several carders picked up and ran with the rumour that Lord Cyric was in reality Brian Krebs, a journalist writing on cyber security who at the time worked for The Washington Post. There was no evidence for this – indeed, quite the contrary, for Krebs is far too serious a writer to risk ruining his reputation by becoming involved with the people he is actually investigating. There followed a slew of rumours, but nobody ever got to the bottom of who Lord Cyric really was or what he was doing.
While exhorting others to indulge in all manner of dubious activities, Lord Cyric never engaged in criminal transactions himself, which reinforced the thesis that he was working for law enforcement or an intelligence agency.
Everybody believed, however, that Lord Cyric had a voluminous knowledge of the carding community and how it worked. And that is why he was much sought after. Carders wanted him to put them in touch with peers whom he could vouch for, or because they wanted to know what he had on them. And the police in the US and Western Europe were still searching for him in the hope of recruiting him as part of their crusade against cybercrime.
Cyric was the quintessential figure of the cyber underground – he appeared as if from nowhere; he displayed boundless, if unappealing arrogance; but above all his motivation for spending endless hours posting messages, engaging in often-futile debate and agitating his peers was obscure.
Until Mert Ortaç revealed that two of the most prominent posters on Turkey’s embryonic Internet, the Bulletin Board Service, were nicknamed Cha0 and Lord Cyric, nobody had even begun to pull the threads together.
Using his trademark mixture of charm and duplicity, Mert – posting as PilotM in the late spring of 2007 – introduced himself to Lord Cyric as a third person, a mutual acquaintance of them both. ‘Hey, old boy!’ he messaged him, ‘what are you doing on a board like this?’ Cyric was keen to ask the man masquerading as his old friend exactly the same question! Soon, however, they were chatting happily, especially about encryption issues. Mert noticed that Lord Cyric was an extremely gifted computer engineer, confirming his suspicions about the character’s real identity. After some days or weeks of exchanging ideas and information, Cyric agreed to facilitate a virtual meeting between Cha0 and Mert (still pretending to be somebody else). Using encrypted icq exchanges, Mert started chatting to Cha0 (in Turkish of course).
‘Look,’ Cha0 told Mert, ‘I don’t spend much time in Turkey. I prefer to be abroad.’ He went on that he didn’t much like his compatriots and avoided dealing with them whenever possible. ‘My name,’ he said, ‘is Şahin and I will only speak Turkish if I absolutely have to.’ He was prepared to talk Turkish with Mert because they were introduced by Lord Cyric. ‘He and I are very old friends,’ Cha0 said.
In April 2007 Cha0 had expelled Dron from DarkMarket, and with him went Dron’s ability to fix the microprocessors on his skimming machines. He asked Mert if he would be able to do this and Mert agreed. He was now becoming seriously involved with Cha0’s criminal business, which meant that he was garnering a most precious commodity – trust.
Only Mert has claimed an intimacy between himself, Cha0 and Cyric. Of course, the latter two cannot say with any certainty whether they exchanged messages with Mert because he was masquerading as somebody else. Cha0 explicitly denied ever having met or communicated with him until the fateful day when he abducted him and placed his photograph, via Haber 7, on the Internet.
More importantly, nobody else in Turkey or elsewhere has ever acknowledged the existence of the mysterious Şahin. Beyond Mert’s word, there is no evidence that Şahin exists, including when the two eventually met. But Mert did prove correct in one important fact: the friendship between Lord Cyric and Cha0 went back a very long way.
Mert, of course, was also still working for Turkey’s Intelligence Agency. And so most evenings after he had spent much of the day pretending to work at Fox Turkey, playing around on DarkMarket or fashioning microprocessors for Cha0’s illegal skimming industry, Mert would report back to his handlers on his day’s findings. He told them about a Polish spammer called Master Splyntr, about the security genius Grendel, about Lord Cyric and Cha0, about the backup servers that the DarkMarket administrators managed in different European countries, and about the activities of the DHKP/C.
What else was he up to? His boss at Fox Turkey began to grow very suspicious of him. He noted that Mert now almost never completed the tasks that were given to him, providing instead a litany of excuses as to why he was absent from his work station. He claimed he had a serious medical condition and repeatedly tried to borrow money from his colleagues. If he was so successful, his boss wondered, how come he was always short of cash?
One day the boss discovered that Mert had asked for all his co-workers’ passwords. He allegedly needed them to install a major upgrade of the system. Just in time, the boss put a stop to this plan as he suspected that Mert wanted the passwords for less honourable reasons.
On another day, while quietly keeping an eye on Mert, he spotted a stack of credit cards on his table. Later he came across two ID cards for Mert, neither of which had his correct name, date or place of birth on them. Finally, he noticed Mert surfing a website with detailed instructions on how to crack open an ATM machine. The longer Mert stayed, the greater his need for money – and large sums of money at that.
Mert had met Sanem – a dream woman with whom he was besotted. Sanem is the one person in the world who can confirm whether or not Mert’s extraordinary story is true. And Sanem isn’t talking.
32
TURKISH DELIGHT
The Sükrü Saracoğlu Stadium in the bustling Asian district of Kadıköy was packed to the rafters for Fenerbahçe’s final home game of the season. Fenerbahçe had already won the Süper Lig title and so this game on a gorgeous Sunday in late May was a noisy celebration for some of the most fanatical football supporters in the world.
And into it stepped Mert Ortaç. Perhaps for real; perhaps just in his own mind.
Up in the executive boxes there was an expectant and convivial atmosphere. Şahin and his trusted lieutenant, Çağatay Evyapan, were awaiting the kick off at 5 p.m. The football fans of Istanbul were regarded as among the most fanatical in Europe and they were divided into three camps. Two were on the European side of the city, Galatasaray and Beşiktaş, while the yellow and navy-blue shirts of Fenerbahçe lay across the straits in Asia. Şahin and Çağatay were both committed Fenerbahçe supporters and the former’s visits to his home city usually coincided with a game – indeed, he had an executive box at the stadium.