DarkMarket: Cyberthieves, Cybercops and You
As evidenced by the investigation dossier, this administrator who in the final analysis had complete control over all arrangements at least from June 2006 onwards was the FBI Agent, Keith Mularski, who had offered to host the server in order to gather more accurate information about the buyers and sellers. I refer here to the Case Document 148, File 1, in which Mr Keith Mularski informs the investigating officer of the Regional Police, Frank Eismann [sic], as follows: Master Splynter [sic] is me. That the user Master Splynter [sic] ran the server is proven by Case Document 190, Email from Keith Mularski dated 09.03.2007: He paid me for the Server.
Kai was startled. He read the key sentence again. Master Splynter is me. Not only was Detlef Hartmann correct that the FBI had been on his cyber tail, but the prosecutor’s office had named the agent and his alias. The game was up and he, Kai Laufen, had uncovered the truth about one of the world’s most prominent cybercops. Three months earlier he had barely heard of cybercrime.
When Kai called the National Cyber Forensics Training Alliance in Pittsburgh, he was put straight through to Keith Mularski, whose manner was, as always, most accommodating. But as the journalist read the sentence from the email – Master Splynter is me – there was total silence on the other end of the line. Keith knew he had been nailed. On the bright side, he had been nailed by a radio journalist in south-western Germany and there was an outside chance, even in the age of the Internet, that the news might not get much further than the borders of Baden-Württemberg. In his heart, however, he knew that it really was an outside chance.
Was this the famous leak again?
Kai Laufen was unaware that Stuttgart’s police Commissioner had for a second time sanctioned the suspension of Dietmar Lingel from the force. On this occasion, however, they suspected the officer of having intentionally fed Mularski’s name and alias to the prosecutor for inclusion in his outline of the case. Lingel’s aim, it was alleged, was to bring Mularski’s identity into the public domain as a way of discrediting the FBI. The motivation, the Commissioner claimed, lay in Lingel’s dissatisfaction with some of the policing methods involved in the Hartmann investigation.
The allegations against Lingel served to highlight fundamental differences in the philosophy of law enforcement in Europe and the United States. Europeans tend to shun sting operations as risky, as well as morally and legally questionable. The Americans by contrast use them frequently. There is an intense debate in America as to where a sting ends and entrapment begins. In Europe some police officers regarded the DarkMarket operation as verging on entrapment, especially as the Secret Service, in particular, seemed to encourage members to engage in criminal activity (in the case of Dron) during their investigation. The FBI and Keith Mularski vigorously defended their actions, emphasising that the presence of Mularski and his team on DarkMarket enabled intelligence-gathering – notably about the intended expansion of Cha0’s US operation – which prevented, so Mularski claimed, $70 million in potential losses.
Just as he was putting the finishing touches to his radio feature on this peculiar, yet important story, Kai Laufen suffered a slipped disc. Almost completely unable to move, the journalist was forced to brood in bed for two weeks. He arrived at the conclusion that nobody in Germany would care about the fact that the FBI had busted a German carder and that he, Kai, had uncovered the agent’s identity. On the other hand, the DarkMarket story had attracted considerable attention in the US tech media. Led by the San Francisco-based Wired magazine, a fair amount had already been published on the subject, especially after the dramatic kidnapping of Mert Ortaç in April that year and then the arrest of Cha0 in September.
Kai felt strongly that he should disseminate the proof that DarkMarket was in part an FBI sting operation. But just as the Atlantic divides the culture of policing, so it does the ethical standards of German journalists and their Anglo-American counterparts. (Britain’s police are more European than American, but their newshounds have even fewer scruples than America’s do.)
In Germany it is considered bad form to publish the full names of alleged criminals while they are still on trial, and in many cases the German media desist from doing so even if the criminals are subsequently found guilty. The same goes for undercover police agents. For anybody familiar with the Anglo-American media, the notion is, of course, as foreign as can possibly be.
So when Kai Laufen spoke by phone to Kevin Poulsen, Wired magazine’s Security Editor, in early October 2008, he said that he would provide Mr Poulsen with documentary evidence which proved that law enforcement had penetrated DarkMarket. He would include Keith Mularski’s email admission of his role as Master Splyntr, but only on the strict condition that Poulsen did not publish Mularski’s name. Reiterating the point, Laufen ended his email, which included the document scans, with the exhortation: ‘Burn after reading!’
Poulsen remembers it differently: he only agreed to keep Matrix’s name out of the paper. Over the years he and his team had done an impressive job in tracking most cybercrime stories, including DarkMarket. Indeed, he brought the same ruthless zeal to the job that he did to his previous occupation as a hacker – a career that ended in a criminal conviction. And so Poulsen did not burn after reading. On Monday 13th October he published. Master Splyntr was dead.
For his part, Keith Mularski was furious when Wired published his name – the trust that he had built up with so many carders was instantly lost. He had closed the DarkMarket board a couple of weeks earlier because JiLsi’s registration of the domain name was about to expire. Had Master Splyntr attempted to re-register it, a curious hacker might have used the opportunity to uncover his identity.
The DarkMarket operation was the opening phase in a long-term plan by law enforcement to infiltrate the world of cyber criminality. In fifteen months, prior to the publication of Mularski’s name in Wired magazine, the FBI, SOCA and the other police agencies involved had been careful to pick off individuals here and there. They had deliberately decided not to go for a large-scale sweep of DarkMarket members, in contrast to the tactics used by the Secret Service in 2004 with Shadowcrew. Master Splyntr fully intended to return with his reputation enhanced, armed with his large database of carders and their activities. That plan was now blown out of the water.
Not that Mularski’s efforts had been in vain – in a remarkable example of cross-border cooperation among disparate police forces, they had caught one of the biggest fish in the carding world, Cha0, and had arrested dozens of others, some of whom were already convicted, most of whom were awaiting trial.
But neither Agent Mularski nor anybody else was in a position to blame Dietmar Lingel. He had not allowed the identity of Master Splyntr to slip into the court papers for the Matrix case, as the officer from Dezernat 3.5 had alleged.
That distinction belonged to Detective Frank Eissmann, Lingel’s boss, who later confessed that he had ‘made a big mistake’ in submitting the document to the State Prosecutor as part of the police evidence against Matrix. It was Eissmann’s error that led to Kai Laufen identifying Mularski, which in turn triggered the collapse of the long-term operation against the carders.
Dietmar Lingel, however, remained suspended and heard nothing from his employers until Dezernat 3.5 informed him in September 2010 that he was to stand trial. The prosecutor had dropped the unsubstantiated claim that Lingel had intentionally leaked Mularski’s name. Instead, the original charge was resurrected: he was accused of having informed a suspect that he was under surveillance.
Lingel opted to contest the charges and later that month the longest trial anywhere related to the DarkMarket case began in Stuttgart. Ironically, it did not involve any actual cyber criminals (except that Matrix001 and Fake testified as witnesses), but pitted the Baden-Württemberg police against one of its own. It was a fascinating event played out in front of a handful of people in a clean, small, anonymous court in Bad Cannstatt, Stuttgart’s spa district. The testimony of almost a dozen actors in the drama was startling, revealing many of the errors and misfortunes that plagued the policing operation in both Europe and the United States.
* * *
3 Massachusetts Institute of Technology, not to be confused with the acronym of Turkey’s National Intelligence Agency.
38
WHO ARE YOU?
Istanbul, October 2008
Çağatay Evyapan appeared relaxed in jail. Now and then a member of the Istanbul force would whisper something about a supercop flying in from Ankara to conduct the main interrogation of Çağatay. In Turkey the longest you can hold someone suspected of involvement in organised criminal activity is four days. The prisoner was intrigued to see if this Mr Big from the capital would turn up.
Finally, Inspector Şen arrived. He needed to know only one thing.
‘Who is the little bird? Who are you talking to inside? This is all I want to know from you.’
The prisoner hesitated and then looked desperate.
‘There is nobody.’
39
ON THE ROAD TO NOWHERE
Inspector Şen’s work was done. After the arrest, the case was handed over to the prosecution service, as required by Turkish law. But if Çağatay Evyapan was Cha0, then who was this character Şahin, whom Mert Ortaç insisted was the real Cha0? Was Şahin a mere figment of Mert’s imagination? After all, Mert did have a history as a fantasist and embellisher.
Fond though he was of spinning a yarn, the fundamental aspects of Mert’s story were true. He did work for various official organisations, including the Intelligence Agency; he was a highly gifted programmer with a particular skill for decrypting smart cards; he did make huge sums of money from selling fake Digiturk cards, for which he was later investigated; he did lavish money and entertainment on people he wanted to impress; he did tread the DarkMarket boards using Sadun’s nicknames, Cryptos and PilotM; he did holiday with his girlfriend at the Adam & Eve Hotel in Antalya; and he was most definitely kidnapped and humiliated by Çağatay Evyapan.
However, he was unable to offer any proof for his central claim that Cha0’s real identity was the mysterious Şahin. Mert demonstrated such a detailed knowledge of the inner workings of DarkMarket that, if he was lying, somebody or some organisation must have furnished him with some or all of these details. The question is – and it remains stubbornly unanswered – why? And who were they trying to frame or discredit by throwing the extraordinary Mr Ortaç into the mix? Certainly not Çağatay Evyapan as he emerges from Mert’s story as a lesser criminal? The police? Or was it perhaps the man who Mert claims was Lord Cyric, a prominent member of the Turkish and global internet scene?
Even so, Mert’s truth remains no less plausible than Inspector Şen’s truth. The key lies not in the identity of Şahin or Çağatay. It is hidden within the character of Cha0. There is no doubt that the man who masterminded the skimming factory and acted as administrator on DarkMarket was Çağatay Evyapan. The issue is whether Evyapan controlled the entire operation or whether he was working on behalf of a bigger criminal syndicate.
All in all, Turkish police arrested some two dozen people who, the evidence suggests, were connected to Cha0’s operation either as an inner core or as satellites. The virtual criminal was just that – he was not a real character, but an amalgam of individuals with different skills working as a unit. In the same way the Ukrainian founder of CarderPlanet, Script, had recognised that the generic term ‘carder’ in fact hid a multitude of different skills: some were real hackers; some were graphic designers; some were electronic engineers building skimmers; some skimmed ATMs; some cashed out; some provided security; some gathered intelligence, sometimes on behalf of the criminals and sometimes on behalf of the police.
Thus both men, Cha0 and Script, anticipated the world of cybercrime post-DarkMarket – a move away from a loosely bound community of individuals engaged in opportunistic criminal activity towards a much more systematic criminal organisation in which its members fulfilled specialist tasks: spamming, virus-writing, money-laundering, operating botnets and other essential criminal activities of the virtual world.
So maybe ‘Cha0’ was just such an operation – the whole caboodle rolled into one. Cha0 was a collective name that sought in the first instance to gain at least a partial monopoly in the new industry of credit-card fraud through skimming. It was an audacious plan, which came very close to succeeding, had it not been for the combined efforts of Keith Mularski and Bilal Şen, as well as the backup provided by other police agencies and by certain other individuals.
The degree to which Cha0, the entity, was organised hints strongly at something else. Traditional criminal fraternities have until recently ‘tended to regard cyber criminals as second-class citizens’, as one of SOCA’s leading cybercops described them. But during the existence of DarkMarket police forces across the world started observing how traditional organised-crime groups were making unexpected appearances during investigations into cybercrime.
Within DarkMarket itself there were three quite well-defined circles involved in the project. The first were the administrators, moderators and others holding senior ‘bureaucratic’ positions on the site. These tended to be men with advanced hacking skills and certainly fluent computer skills. Furthermore, with the exception of Cha0, they were either not making large sums of money or were working directly as police agents or as confidential informants.
Beyond this, the second circle mostly comprised skilful experienced criminals who worked largely on their own – like Freddybb and RedBrigade. They demonstrated varying degrees of computing ability and, if they themselves were unable to solve a technical problem, they always knew people who could. These individuals were less conspicuous on boards like DarkMarket than the administrators and their crew. Their aim was to make as much money as possible without drawing attention to themselves, although they, too, would occasionally engage in banter and chat about the carding community as a whole.
The third circle was home to highly professional criminals who were virtually invisible – unknown except by myth and reputation to the police and their fellow carders. These were people even beyond major wholesalers of credit cards and malware – such as the Ukrainian Maksik, arrested by Turkey’s cybercrime team in Antalya in 2007. The most famous one (who, it is believed, supplied Maksik with much of his material) is the Russian known simply as Sim, who, police assume, is actually another very efficient syndicate. These are people who never emerge from the shadows.
Cha0 was fascinating and important because this was the first time that an outfit resembling traditional organised crime had involved itself in large-scale cybercrime and sought to influence the workings of a website like DarkMarket. This was the first real proof that cybercrime was no longer the domain of second-class citizens alone – it was beginning to attract some bigger figures.
Organised crime has traditionally played a huge role in Turkey. For example, in combination with Kurdish and some other Balkan groups, Turkish gangs dominate the wholesale heroin trade throughout Western Europe.
In late 1996 an armoured Mercedes was involved in a spectacular road accident in the small town of Susurluk. Among the dead were the Chief of the Police Academy and the leader of the right-wing terror group, the Grey Wolves, who also happened to be on Interpol’s most-wanted list as one of Europe’s major heroin-traffickers and a recognised assassin. The one person who survived was an MP for the then-ruling party.
This event enabled journalists and opposition politicians to start untangling the web of violent deceit that implicated Turkey’s Deep State with the most influential members of organised criminal groups. For years they had been enjoying one another’s friendship, hospitality and protection. Not only did the stories shock ordinary Turks, but they gave an important fillip to emerging forces in Turkish politics – like the organisation that would eventually become the AK Party, which made the fight against crime and corruption a central part of its political platform.
Turkey has moved on somewhat since then. But when the roots of corruption and organised crime extend as deeply as they did in Turkey during the 1980s and 1990s, it takes several decades before they can be eradicated from the body politic. This explains Bilal Şen’s fears when he was first told that Cha0 might live under the protective wing of powerful establishment figures. It is also credible, as some of Bilal’s law-enforcement collaborators outside Turkey believe, that the Cha0 who inhabited DarkMarket was part of a much larger organisation. Crime groups in Turkey straddle various sectors – along with heroin-trafficking, Turkey is a major centre for people-trafficking (again because of the proximity of the European Union). And in the last two decades a huge money-laundering trade has grown up there as well.
So Çağatay Evyapan, their theory goes, was actually just a lieutenant for the real CEO of Cha0 Criminal Holdings. Çağatay would be the Vice President for the cybercrime division and he was content to return to jail because he is, speaking metaphorically, ‘taking a bullet for the boss’. Perhaps Şahin is the CEO of the whole company. Were that the case, Mert’s ‘Şahin’ might exist, but Inspector Şen would still have arrested the correct man.
DarkMarket was closed down in October 2008, but nobody – whether from law enforcement or among the criminals themselves – has a grasp on what its real history was and its real significance is. Three years on and only a tiny proportion of the nearly 100 arrests carried out around the world have made it to trial.
Legal systems are finding it extremely hard to come to terms with the highly technical nature of evidence in cybercrime, but the pattern that sees most crimes committed in third countries also creates tremendous barriers to the detection and prosecution of the offences. Ambiguity, doubt, illusion and dissemblance have always played an important role in fathoming the ways and means of organised crime. And the Internet magnifies their power severalfold.