DarkMarket: Cyberthieves, Cybercops and You
The suspect led them to a luxury villa complete with outdoor swimming pool. After days of observation, the surveillance team had ascertained that several men were living in the villa. But it did not take Bilal long to establish who was giving orders to the team. Going through criminal records, he soon identified him as one Çağatay Evyapan.
At college a gifted student of electrical engineering, Çağatay now had real form. He had first been arrested on fraud charges in 1998. Two years later came his biggest miscalculation when he and his collaborators were caught red-handed using cloned white plastic credit cards to extract cash from ATMs in the port of Izmir. After having served five years of a twenty-seven-year sentence, the prospect of further incarceration was too much for him. And so one day in May 2005 Çağatay went over the top of his prison walls and off the radar. He was less a fugitive and more a ghost.
He blamed his arrest in 2000 on the men with whom he was working – something he was determined not to allow again. If you want something done properly, ran Çağatay’s basic philosophy, do it yourself.
Naturally he understood that during his five years in prison the cyber world had undergone significant changes. He knew all about Moore’s Law, which predicts that the number of transistors that may be placed inexpensively onto an integrated circuit will continue to double every two years until roughly 2015. Translated into real life, that law means that every year gadgets get funkier, computer programs more complex, hacking tools more devious and the rewards correspondingly more juicy. And so he set about adapting to the new circumstances.
First, he needed a new cyber identity. Çağatay disappeared for almost four years, his name being replaced on his passport with the name of one of his subordinates, the bodyguard Hakan Öztan, and in the ether by Cha0 (pronounced like the Italian greeting). He had been using the first syllable of his name and the figure zero since he first graced the BBS boards in the early 1990s. At that time, Cha0’s exceptional security system had ensured that nobody could identify him. In public forums like CrimeEnforcers and DarkMarket, Cha0 sold skimmers. In private, he sold impenetrable security systems for computer users who really did not want their identity revealed.
But now Bilal had stumbled upon him. However, it was one thing spotting Cha0’s location. It was quite another gathering the requisite evidence to build a case against him. Turkey’s judges and prosecutors are even less acquainted with the Internet than their equivalents in Western Europe or America, and already the city had spawned several high-profile, expensive defence lawyers who were quickly learning how to exploit that ignorance for the benefit of their clients and their own bank balances.
Çağatay was enjoying his summer – he was a convivial chap who liked to step out with his friends. He often escorted beautiful women, including, it was rumoured, one daring member of the Saudi royal family. He liked expensive drinks, fine dining and attending parties on yachts, and over the years had put on some weight. Money appeared to be no object in the pursuit of his fancy lifestyle.
Bilal put tails on Çağatay’s various co-workers – the evidence was mounting that Cha0 was not just Çağatay Evyapan, but a well-oiled criminal syndicate. This was organised crime, not some script-kiddy hacking servers for the first time. As such, it was evidence of a growing trend around the world. For a long time traditional organised-crime syndicates regarded fraud on the Web as crime-lite and scarcely worthy of their attention. That was now beginning to change. Cybercrime was becoming more systematic, more efficient and more security-conscious as it moved out of its original incubator, where mischievous geeks giggle and play, and into the more adult realm of real mafia structures. By implication, Bilal’s quarry would have correspondingly greater resources and so building the case required close care and attention, if the Inspector were to avoid being tripped up in court.
The cops duly gathered evidence, and of course Keith Mularski and Cha0 were still fellow administrators on DarkMarket. The operation lasted a full five months, as Bilal stored tiny scraps of evidence day by day. He ascertained that Çağatay’s group of intimates was relatively small and that his security was military in its precision. But along with those scraps, which might link Çağatay with any crime, Bilal had a second agenda: he was still trying to establish whether Çağatay had someone on the inside – while praying that he didn’t.
In late August Çağatay disappeared. Panic spread throughout the team that had been tracking him. Nonetheless, the journalist with Haber 7 continued to receive messages, not from Cha0, but from a certain Yarris, who seemed to have an intimate knowledge of Cha0’s activities. Mercifully for Bilal, Cha0 turned up in Istanbul as unexpectedly as he had departed. Nonetheless it was a warning as to how precarious the situation was, and Bilal made the decision to move on him in early September.
Back at the villa in Tuzla, surveillance had identified that one of the residents would go out every few days or so to fetch provisions. On 8th September out he came. Bilal Şen was back in Ankara, biting his nails as the SWAT team surrounding the building relayed to him all the events minute by minute over the phone. Then, as the shopper returned, they swooped – crashing into the villa and pinning down four other men on the floor. Around them were countless computers and dozens upon dozens of skimmers, moulds, PIN pads, POS devices and lots of cash. The raid was a triumph – nobody was hurt and all the suspects were arrested.
Strangely Cha0’s arrest had been anticipated a few days earlier on the message boards of Wired magazine after one of the journal’s writers had posted a story about DarkMarket on Wired’s website. One of the comments placed at the bottom came from somebody purporting to be Lord Cyric, the DM administrator. He claimed to be in direct touch with Cha0. And he added cryptically that some of Cha0’s subordinates might see the inside of a jail, but Cha0 never would.
Farewell, Cha0?
35
THE DEATH OF DARKMARKET
Whoever Cha0 really was, the unexpected arrest of Çağatay Evyapan appeared to sow panic among his fellow administrators on DarkMarket. On 16th September 2008, less than a week after the bust in Istanbul, Master Splyntr announced on the DM website that the police successes were fraying his and his fellow administrators’ nerves. It was a burden they no longer felt able to shoulder:
It is apparent that this forum . . . is attracting too much attention from a lot of the world services (agents of FBI, SS, and Interpol). I guess it was only time before this would happen. It is very unfortunate that we have come to this situation, because . . . we have established DM as the premier English speaking forum for conducting business. Such is life. When you are on top, people try to bring you down.
In the space of a week the premier criminal website of the English-speaking world was dead. Its followers were distraught. ‘DarkMarket was our bridge to business, and if that bridge is broken . . .’ lamented a member named Iceburg, posting on Wired magazine’s website. ‘Long live cashing and carding. Short live all the RATS and FBI and all stupid secret agencies who are not just ruining our lives and families, but are destroying everything we left behind.’
It seemed as though the cybercops had won. This being DarkMarket, though, the story wasn’t quite so simple.
Part IV
36
DOUBLE JEOPARDY
Stuttgart, September 2007
Officer Dietmar Lingel was pleased with his work. A week earlier his boss had given him the logs from the Canadian webmail provider, hushmail. This email system was supposedly watertight – nobody could read your correspondence if you were using hushmail. This was largely true, but by 2007 the company had caved in to pressure from the Canadian police and afforded the cops access to log records. These revealed to an investigator which IP address had been logging on to a particular email account. And the RCMP had passed the logs for two accounts, auto432221@hushmail.com and auto496064@hushmail.com, to Agent Mularski of the FBI.
Back in May 2007 Matrix001 had sent Keith Mularski a redacted version of the anonymous email he had received warning him that he was under surveillance by the German police. Mularski’s initial reaction was to assume that his colleagues at the US Secret Service were responsible for the leak. At the time, the Feds and the Secret Service were running competing operations into DarkMarket, multiplying the possibility of a security breach out of either incompetence or malice. But at least three overseas police forces knew about Matrix: the British, the French and, of course, the Germans.
Nobody from the police underestimated the importance of the emails. Along with the possible existence of a mole was the equally disturbing idea that someone had hacked into the computers belonging to one of the investigating units. Operation DarkMarket had begun in earnest, but the busts of Matrix001 and JiLsi were just the start – the plan was to expand it over several years. The emails jeopardised the whole strategy built up over two years of painstaking work. The leak had to be stopped. The need to find the source became the topmost priority for the international investigation.
The arrival of the hushmail logs on Lingel’s desk meant that a detailed examination of the evidence could begin. As the technical specialist on the team who had investigated Matrix001, it was Lingel’s job to establish who had attempted to access those accounts at around the time that Matrix was sent them.
Lingel identified that one IP address trying to access the anonymous hushmail accounts came from the Stuttgart area. He discounted that one immediately – it was his own. After Keith Mularski had first alerted Stuttgart to the existence of the emails, Lingel had attempted to log onto the hushmail account using some standard passwords (such as admin or password) and others belonging to prominent DarkMarketeers that were already known to law enforcement. The other login attempts came from IP addresses in Berlin and elsewhere in Germany. On the morning of 12th September during a discussion with his head of department Gert Wolf, Lingel explained that they did not have a suspect yet, but they had succeeded in narrowing down the possibilities.
After lunch Wolf put his head round Lingel’s door and said they had to go and see their divisional chief. Lingel walked into the room to find a panel of senior policemen awaiting him, including an officer from the sinister-sounding Dezernat 3.5, the Stuttgart department for internal police investigations. Lingel was baffled and rather nervous. The officer suddenly announced, ‘Mr Lingel, we are placing you under investigation on suspicion of having informed a suspect that he was under surveillance.’
Lingel was speechless. Gradually shock gave way to anger. ‘There I was,’ he thought, ‘working all week with my boss to resolve this mess, and then he pops his head round the door after lunch one day and sinks a knife straight into my back.’
‘Look, Mr Lingel,’ the officer continued, ‘you’ve got two choices. Either you cooperate with us in this investigation or we are going to place you right now in investigative custody.’
Lingel agreed to cooperate. His chief explained that he must now take all his remaining leave, after which he would be suspended until further notice.
In his mid-forties, Lingel had an unconventional history. He was born in Windhoek, the capital of Namibia, which, as South-West Africa, had been one of the few outposts of imperial Germany during the colonial period. As a five-year-old he then moved with his parents to Cape Town, so he grew up speaking fluent English as well as German. He returned to his parents’ homeland to study, and after graduating joined the police. Here he progressed well through the ranks of the motorway force, while never finding the work particularly challenging.
As an amateur geek, he leaped at the chance to apply for a post in the Baden-Württemberg police in 2001. The Stuttgart headquarters needed somebody with experience of the open-source operating system Linux, to provide network security. Five years later he was permitted to migrate with his computer skills to the criminal-investigations department, where he was assigned to work under Frank Eissmann.
Matrix001 was not the only German identified by Keith Mularski as an active member of DarkMarket. The other two were Soulfly, real name Michael Artamonow, and Fake, real name Bilge Ülusoy. Initially, the State Prosecutor sought to indict Matrix001 on charges of forming a criminal conspiracy, but this required proof that he was working in cahoots with the other two.
For some reason, however, no investigation was ever launched into Fake and Soulfly, and this was partly responsible for a judge in October 2007 forcing the State Prosecutor to drop the accusation of conspiracy in favour of the lesser charges of credit-card fraud. Why they dropped the investigation into the presumed co-conspirators was just the first of several unanswered questions, which were to undermine confidence in the ability of the Provincial and Federal Police in Germany to investigate the case.
And the Baden-Württemberg police in Stuttgart had a lot riding on the investigation into Matrix001. Usually all communication in international cases like this would be filtered through Wiesbaden, but the chief investigator, Frank Eissmann, had persuaded his superiors that he should be allowed to talk directly to Keith Mularski, the FBI’s key man.
There were thus jitters aplenty when Mularski heard from Matrix001 that the German hacker had received a message from an anonymous hushmail account warning him that he was about to be busted. And police in London, Pittsburgh and Stuttgart were all praying that the source was not too close to their own home.
After Lingel’s arrest, relief spread among the investigators – it seemed as though they had their man. But in December 2007 Dezernat 3.5 sent Lingel a letter saying that there was no further evidence linking him with the email breach and that he could return to work the following month, at the beginning of 2008. However, he did not return to Department IV, which was handling the Matrix001 investigation. Lingel felt extremely bitter towards his immediate boss, Frank Eissmann, who had, it seemed, been partially responsible for pointing the finger at his subordinate.
As the trial of Matrix approached in the late spring, the atmosphere in the Stuttgart police headquarters was gloomy and riven with discord. Unable to press charges of conspiracy against Matrix, the prosecution knew that they were unlikely to get a custodial sentence. Furthermore, they were back to square one in trying to ascertain who the source of the leak was.
Although Lingel was resentful at what had happened to him, his reassignment to Department I turned out to be perfectly palatable and his new colleagues’ behaviour towards him was exemplary. It was a relief and a welcome change after months of being viewed with suspicion.
Then, in May 2008, Lingel was placed under arrest again. But this time he was not accused of having written the emails to Matrix. Lingel was charged with having jeopardised the undercover identity of the FBI Agent, Keith J. Mularski.
37
ZORRO UNMASKED
Just as Matrix was standing trial in June 2008, a radio reporter, Kai Laufen, was flicking through a copy of the MIT’s Technology Review when he spotted an article on cybercrime. Until this moment the investigative journalist from Karlsruhe in south-west Germany had no idea that it was becoming such a problem. He was intrigued and decided to discover the extent to which cybercrime was affecting Germany.
Cautious but thorough, Laufen began by researching the clauses in Germany’s penal code relating to computer crime. Once he had found them, he dispatched emails to about fifty district and municipal courts around the country asking whether they were dealing with any such cases.
He received only a couple of replies, but conveniently one of them referred to a case of credit-card fraud at a local court in Göppingen, a small backwater in Baden-Württemberg, just a short drive from where Laufen lived. A young man, Detlef Hartmann, was awaiting sentencing on thirteen charges of having used cloned credit cards.
The story didn’t sound particularly interesting, but Laufen decided nonetheless to contact the provincial police in Stuttgart, and before long the basics of cybercrime were being explained to him by Inspector Frank Eissmann. In passing he said that the FBI had assisted his Department IV in the investigation of Hartmann.
The day after Detlef received a nineteen-month suspended sentence on 2nd July, Kai wrote to him requesting an interview, sent quaintly by post rather than email. Detlef and his parents resisted the journalist’s first few attempts to talk to him, but after three months they relented, so in early October Kai found himself sitting opposite the young man over a cup of coffee.
Kai Laufen was no novice. Born in northern Germany, he was brought up partly in Brazil and spoke fluent Portuguese, Spanish and English. He had worked throughout South America and knew a thing or two about organised crime and gangsters. But now he could scarcely believe his ears as Detlef regaled him with the tale of Matrix001 and his adventures in a virtual world where everyone boasted peculiar names and communicated in a hybrid English – part gangster, part anarchist and part Tolkien – as they bought and sold stolen financial details.
Kai readily grasped the implications of this new style of wrongdoing. With the aid of the Internet, the perpetrators could commit crimes thousands of miles away, on a multitude of unknown victims who might or might not discover that their privacy had been violated and their money or identity stolen.
Yet if it was so foolproof, Kai wondered, how did Detlef manage to get himself arrested? ‘Simple,’ he replied, ‘one of my fellow administrators, who I worked with over many months, was an FBI agent. He was tracking me and he alerted the German police.’ The journalist thought the young man was perhaps exaggerating his own importance, so he asked him whether he had any documentary evidence to support that. ‘Yes,’ said Detlef, ‘I’ll send it to you.’
A few days later Detlef sent Laufen the prosecutor’s statement outlining the state’s case against the young man, written in the German language’s inimitable legalese: