DarkMarket: Cyberthieves, Cybercops and You
40
MIDDAY EXPRESS
Tekirdağ Prison, Western Turkey, March 2011
A vaguely handsome man in an elegant black suit and black tie scrutinised me carefully as he entered the small, oblong room. His black eyes under a slightly receding hairline accentuated the hypnotic stare and, momentarily, I was tongue-tied. Here was the man I had been reading about, talking about, thinking about for nearly two years. Now, when I finally met him, I was suddenly unable to think of anything appropriate to say.
He may have been wasting in prison for two and a half years, but he had lost neither his poise nor his careful self-control. Throughout our three hours of discussion I was keenly aware that he was interviewing me just as much as I was interviewing him.
My first brief stay in Tekirdağ occurred in 1976, just before publication of the book Midnight Express, which was later made into a successful film by Alan Parker. It tells the story of Billy Hayes, a young American who was caught smuggling drugs out of Turkey. The hideous ordeal he suffered at the hands of a sadistic prison officer shocked audiences throughout Europe and the United States. Turkey had a reputation as a brutal and unforgiving country at the time; indeed, while I was there I had been attacked, while sleeping in a tent, by a group of hoodlums, to the accompaniment of demands for foreigners to go home.
Thirty-five years later I approached Tekirdağ prison. Like the one where Hayes had been kept, it was a top-security facility. Lying a mile or so up a moderate incline, it was surrounded by barren fields as far as the eye could see. Behind a thick curtain of heavy snow I spotted the prison’s high, faded cream walls and watchtowers manned by silhouetted machine-gunners. My first impression suggested that nothing had changed since Parker’s movie.
Inside, however, I was relieved to learn that in this part of the country at least prison conditions had improved beyond recognition. All inmates had a television, shower and toilet in their cell. The food was a touch spartan, but undoubtedly nutritious and reasonably tasty, while the guards acted with courtesy, not just towards me, but towards the prisoners as well. In several respects conditions here were preferable to those found in many British prisons.
There were some notorious convicts in Tekirdağ, including the instigator of the murder of Hrant Dink, the ethnic Armenian writer assassinated by extremists for, well, being an ethnic Armenian writer. It was also no surprise that the prison contained some of Turkey’s most notorious drug lords.
And among the terrorists and mafia dons there was a representative of the most state-of-the-art form of malfeasance – cybercrime. It had taken me more than a year to get an audience with Çağatay Evyapan: I had needed to convince both the Turkish authorities and Evyapan himself. For months, this seemed completely impossible. My astonishment was boundless when I received a message one Monday in early March 2011 from the Prison Directorate in Ankara informing me that, if Çağatay was willing, I would be permitted to see him that very Wednesday. After that, I was told, Çağatay would be moved and my window of opportunity would be slammed shut.
What the Turkish authorities did not know, nor would they have cared, was that my passport was deep in the bowels of the consular section of the Chinese Embassy in London, having a visa processed. My attempts to extract the passport in order to fly to Istanbul on Tuesday were dismissed robotically by the Chinese officials. Instead, I contacted Tekirdağ prison directly and begged them to allow me to postpone the interview for one day. I was informed that if they received the order to move Cha0 before Thursday, then regardless of whether or not I travelled there, I would not be permitted to see him. The hunt would be over.
So I was extremely agitated as I battled my way through the snowstorm from Istanbul to Tekirdağ on Thursday morning, a day late. It was quite possible that I would arrive only to be told that I had lost the chance to meet Cha0 in person. After a long wait I was taken through three thick revolving steel gates whose mechanism had a biometric print of my hand, and was introduced to the Director of the prison. Far from the ogre one might have expected, he was charming and affable. He said that they had not received any directive from Ankara and that after lunch in the canteen I would be able to talk to Mr Evyapan.
Eventually I was led through to the small, oblong room. Çağatay Evyapan is cautious but self-confident. Just as Bilal Şen had told me, his instincts would detect immediately if I was trying to ferret out some snippet of information in a devious way. He reminded me of Julian Assange, the mastermind behind WikiLeaks – super-smart, but with an iron conviction in his own intellectual superiority, which at times might be taken for extreme narcissism.
When I suggested to him that Lord Cyric was Tony – the tubby, bespectacled businessman named by Mert Ortaç – he emitted a snort of the deepest contempt. ‘You’ve been talking to Turkish intelligence, haven’t you?’ he said sharply. In a manner of speaking Cha0 was correct: if Mert was lying (let’s face it, a real possibility), then the bespectacled man must have been planted in his story by MIT, Turkish intelligence.
But as we talked Çağatay confirmed some very important aspects of Mert’s story, including the location of the apartment where Mert was kidnapped and the existence of exchanges between Mert and the local American Embassy worker, Lucy Hoover. He also conceded that once again his own arrest had been prompted by a real-world error.
For all his self-possessed intelligence, Cha0 indicated he had one great fear – ironically the same unspoken worry that stalked his nemesis from the Turkish police. He claimed that during his questioning one of his interrogators offered him the opportunity to go into witness protection. In exchange, he would be asked to testify in the Ergenekon investigation. They demanded that he admit to having established a secret cyber network for the Deep State conspiracy among the military, intelligence services and media. The police flatly deny that any such offer was made.
Cha0 refused – the last thing he would want, like Inspector Şen, is to come under the wheels of a struggle between the Deep State and the government. They do things differently in cyberspace.
Throughout our chat Çağatay suggested that he and a narrow group of hackers possessed a far greater grasp of what was happening on the darkside of the Web than anybody from the authorities. He implied that his aim was merely to demonstrate the hopelessness of the attempts by the forces of law and order to police the Internet – he contended that there will always be people like him who are ahead of the game.
Remarkably, he seemed unperturbed by his incarceration and the fact that he may have to serve the remaining twenty-two years on his earlier conviction from 2000, not to mention any additional charges that may be preferred against him as a consequence of his activity on DarkMarket.
When we broached the subject of the FBI and Keith Mularski, a withering look spread slowly across his face. ‘The FBI have nothing on me. If they did, why did not Master Splyntr send information which the Turkish police could use to charge me?’ he asked. ‘Instead all they can do is use this small-time nobody, Ortaç, to try and trap me.’ Çağatay then claimed that he had hacked into Mularski’s database and extracted the information gathered by the FBI on all the DarkMarket members, including the material on himself.
Being in prison, Çağatay was of course unable to document his claims. He said he knew that Splyntr was FBI from the beginning (although Çağatay joined DarkMarket at JiLsi’s invitation in February 2006 when Master Splyntr was quite well established on the board) and that his strategy was ‘to keep my friends close and my enemies even closer’ – hence his willingness to work with Splyntr as an administrator.
It was an appropriate topic on which to end. At its heart, the story of DarkMarket was about two men – Çağatay Evyapan and Keith Mularski, both supported by impressive teams and contacts. Cha0 was no ordinary criminal. While making money was the primary purpose of the enterprise, Çağatay seemed to regard the struggle between himself and law enforcement as having a deeper significance, almost as though he was seeking to demonstrate his superior ability and, by implication, the futility of law enforcement’s attempts to police cyberspace. In this lay a strong element of the original anarchism of geek culture – behavioural patterns and moral codes undergo a shift as we move from the real to the virtual. The rules of the game are different and new.
The FBI agent ran out the winner, but it was a narrow victory and by no means complete. Three years after DarkMarket closed down, the echoes of this extraordinary criminal venture can be heard in prisons and courts in several parts of the world. And, of course, many DarkMarketeers are still stalking cyberspace.
The Internet is a transcendental invention that has seeped into every part of our lives and into every room in our homes. But beware – Lord Cyric might be hiding in a virtual cupboard somewhere.
EPILOGUE
At first glance the demise of DarkMarket appeared to deal a major blow to crime on the Internet. But it didn’t. It did, however, temporarily place a spanner in the works of some major carding networks, including Cha0’s operation in Turkey, Maksik’s in Ukraine and Freddybb’s in England. But the primary message that other serious cyber criminals took from the whole affair was simple: engagement in carding forums like Shadowcrew and DarkMarket, especially those English-language sites with large memberships, now entailed an unacceptable level of risk.
There was already some evidence that members whose main aim was to make money rather than enhance their reputation were far less present on DarkMarket than they had been on Shadowcrew. The number of posts made by people like Freddybb declined dramatically from one to the other. On Shadowcrew he posted fifty public messages and 200 private. On DarkMarket this stood at fifteen and twelve respectively. The US Secret Service’s takedown of Shadowcrew clearly demonstrated the vulnerability of these sites and Freddybb had learned the lesson: lower your visibility.
Alongside the dangers of being busted, the carding forums had in any event outlived their use. It was via these websites that criminals had, over almost a decade of activity, established global networks of people they could trust. Whether as buyers or sellers of illegally procured data and documents, they had found their markets.
But the exposure of Keith Mularski as Master Splyntr, and the revelation that DarkMarket was in part a law-enforcement sting operation, undoubtedly hastened the demise of the carding forums. This wrecked the long-term strategy of the FBI and its partner agencies in Western Europe. The plan had been for Master Splyntr to re-emerge as the one honest carder who had foiled the FBI’s attempts at capture, who was hence deserving of even greater levels of trust within the carding fraternity.
Instead, in response to the DarkMarket affair, hackers, crackers and cyber criminals are burrowing deeper into the digital underground. There is also increasing specialisation in the business. Hackers and malware coders are developing designer programs that target specific systems or seek out particular information. They then sell this to a group that actually supervises the penetration of a financial institution or its customers. Once they have access to the money, they will contact a ‘mule herder’, a person or group who employs ‘money mules’ across the world. There are countless advertisements on websites offering work to people using their computers at home. A number of these are placed by mule herders. The herder asks potential mules to place their bank accounts at the herder’s disposal in exchange for a percentage of the sums flowing through them.
The breaking down of criminal activity into these distinct entities makes it more difficult for law enforcement to identify what is actually going on and who is cooperating with whom. The proliferation of mobile devices and apps also offers huge opportunities to cyber criminals.
The rapid expansion of Internet users presents another major problem. Police in Western Europe have noted that the size of the Chinese criminal hacking community is growing apace. Until recently, the 419 or Advanced Fraud Fee scam was the preserve of West African criminal groups, especially Nigerians, the proud creators of those bizarre emails urgently entreating the recipient to assist in the movement of millions of dollars of a deceased dictator.
419, named after the relevant paragraph in Nigeria’s penal code, is a very old trick – it forms the heart of The Alchemist, a comedy by the Elizabethan playwright Ben Jonson. In essence, the fraudster persuades the victim to advance a small sum of money on the promise that this will lead to the victim receiving a much greater amount later on. He then either milks his victim for more money or simply disappears with the first tranche. While possible in Elizabethan times, it was a laborious business. The Internet has made it extremely lucrative because, using spam emails, the criminal can reach an audience of tens of millions. The chances of finding a sucker are very greatly enhanced.
The 419 scam comes in many shapes and sizes. It sometimes arrives as an appeal to rich Westerners to come to the aid of an impoverished African child. Letters, faxes and emails beseeching Americans in particular for funds to erect a new church or bolster a congregation are frequent – in these cases, the motivation of the victims is well intentioned and charitable. Another lucrative prey of the 419 scammers are the lovelorn, in particular middle-aged widows and divorcees who develop virtual relationships with West African toy boys, who slowly leech them of their savings as an advance on sexual dalliance that never comes to pass.
419s are now being dispatched from China in both Chinese and English. This complements a second Chinese hacking speciality, which is the theft of items from MMORPG, an awkward acronym for the awkwardly named Massively Multiple Online Role-Playing Games, such as World of Warcraft, or the ‘real life’ games, Second Life or Habbo Hotel. These all have digital currencies that can be exchanged for genuine money. This in turn invests value in the virtual goods and services, which players can purchase to add to the pleasure of their gaming experience. Although they are not alone, Chinese hackers have learned to ‘steal’ these digital items or monies, which they can convert to actual real-world cash. China’s monumental computing potential remains largely untapped at the moment, yet it is already regarded in most sectors relating to computer security in civilian and military life as second in the global pecking order after the United States. As China begins to realise that potential, the nature of the Internet will change.
To combat these growing threats, governments and industry are now pouring hundreds of billions of dollars into cyber security, whether in law enforcement, the protection of intellectual copyright or the military domain. Almost all of these funds are invested in technology, the idea being that this will be sufficient to protect the Internet from all the bad code, malware and viruses that are prowling around cyberspace looking for unprotected computer networks to attack.
By contrast, there is virtually no investment in trying to ascertain who is hacking and why. Nobody differentiates between the hackers from WikiLeaks, from the American or Chinese military, from criminal syndicates and from the simply curious.
But hackers are a rare and very special breed. Their psychological and social profiles differ, on the whole, from those of traditional criminals, above all the ones who are key to unlocking the criminal business opportunities on the Web, but are not very interested in money – in other words, the geeks. Understanding their abilities and their motivation in engaging in specific activities, whether criminal or otherwise, would enormously benefit a security industry that is over-dependent on technical solutions. On those rare occasions when law enforcement or the private sector tracks down hackers, leading to their prosecution and conviction, little is done to engage with the wrongdoers. Instead, the criminal-justice systems of Europe and the United States seek to impose heavy jail sentences on them and thereafter to restrict their access to computers.
Given their peculiar psycho-sociological profile, this is a big error. First, one should take their age into consideration: most hackers engage at a very early age in activity that one might best describe as legally ambiguous. Like Detlef Hartmann, they can be seduced into illegal work on the Web before their moral compass has properly evolved and before they fully understand the implications of what they are doing.
In real life they are often psychologically vulnerable, which means that locking them away among real criminals can be very counter-productive, as was the case with Max Vision. While he has an unpredictable ego, all officials agree that Vision has a planet-sized brain with an unparalleled understanding of computer security. In a world where there is a dearth of computer security specialists and where the threats are proliferating, it seems unwise to incarcerate a phenomenal asset. This is not to argue that hackers who have engaged in criminal activity should escape punishment, but that the need for rehabilitation is not only a moral imperative for the state, but potentially of considerable practical value.
Raoul Chiesa, a former hacker, runs a small academic centre called the Hacker Profiling Unit based in Turin and funded by the United Nations. His research is grounded in his intimate knowledge of the hacking community and on hackers’ answers to the extensive questionnaires that he sends out to them. The early results from his work offer important clues as to the make-up of the hacker.
Most striking is the gender imbalance that pervades not just the illicit domains of cyber, but also the organisation and operation of the Internet as a whole. It is a subject only alluded to in the pages of this book, but deserves detailed study. While men still dominate politics and the economy the world over, this domination is extreme when it comes to new technology. There are, of course, many very dynamic women engaged in new technology and new media, but statistically they comprise a tiny percentage: according to Chiesa, just 5 per cent. Hackers are almost invariably men.
A second finding in Chiesa’s study is that the average hacker is either smart or very smart. Furthermore he has noted that there is a high incidence, close to 100 per cent, among hackers of advanced ability in science – physics, maths and chemistry. This is combined with a relatively low level of ability in the humanities.