by Misha Glenny
To combat these growing threats, governments and industry are now pouring hundreds of billions of dollars into cyber security, whether in law enforcement, the protection of intellectual copyright or the military domain. Almost all of these funds are invested in technology, the idea being that this will be sufficient to protect the Internet from all the bad code, malware and viruses that are prowling around cyberspace looking for unprotected computer networks to attack.
By contrast, there is virtually no investment in trying to ascertain who is hacking and why. Nobody differentiates between the hackers from WikiLeaks, from the American or Chinese military, from criminal syndicates and from the simply curious.
But hackers are a rare and very special breed. Their psychological and social profiles differ, on the whole, from those of traditional criminals, above all the ones who are key to unlocking the criminal business opportunities on the Web, but are not very interested in money – in other words, the geeks. Understanding their abilities and their motivation in engaging in specific activities, whether criminal or otherwise, would enormously benefit a security industry that is over-dependent on technical solutions. On those rare occasions when law enforcement or the private sector tracks down hackers, leading to their prosecution and conviction, little is done to engage with the wrongdoers. Instead, the criminal-justice systems of Europe and the United States seek to impose heavy jail sentences on them and thereafter to restrict their access to computers.
Given their peculiar psycho-sociological profile, this is a big error. First, one should take their age into consideration: most hackers engage at a very early age in activity that one might best describe as legally ambiguous. Like Detlef Hartmann, they can be seduced into illegal work on the Web before their moral compass has properly evolved and before they fully understand the implications of what they are doing.
In real life they are often psychologically vulnerable, which means that locking them away among real criminals can be very counter-productive, as was the case with Max Vision. While he has an unpredictable ego, all officials agree that Vision has a planet-sized brain with an unparalleled understanding of computer security. In a world where there is a dearth of computer security specialists and where the threats are proliferating, it seems unwise to incarcerate a phenomenal asset. This is not to argue that hackers who have engaged in criminal activity should escape punishment, but that the need for rehabilitation is not only a moral imperative for the state, but potentially of considerable practical value.
Raoul Chiesa, a former hacker, runs a small academic centre called the Hacker Profiling Unit based in Turin and funded by the United Nations. His research is grounded in his intimate knowledge of the hacking community and on hackers’ answers to the extensive questionnaires that he sends out to them. The early results from his work offer important clues as to the make-up of the hacker.
Most striking is the gender imbalance that pervades not just the illicit domains of cyber, but also the organisation and operation of the Internet as a whole. It is a subject only alluded to in the pages of this book, but deserves detailed study. While men still dominate politics and the economy the world over, this domination is extreme when it comes to new technology. There are, of course, many very dynamic women engaged in new technology and new media, but statistically they comprise a tiny percentage: according to Chiesa, just 5 per cent. Hackers are almost invariably men.
A second finding in Chiesa’s study is that the average hacker is either smart or very smart. Furthermore he has noted that there is a high incidence, close to 100 per cent, among hackers of advanced ability in science – physics, maths and chemisty. This is combined with a relatively low level of ability in the humanities.
Finally, there is the critical issue of hackers’ relationships. Most – but not all – hackers find it much easier to form relationships in the impersonal environment of the Internet than they do in real life. The interesting question is why.
Hackers usually enter the fray as adolescents, exactly at the time when a great majority find it difficult to establish relationships, especially with the opposite sex. So, at least in part, their difficulties in this area are entirely natural. But Chiesa has also identified that an abnormally high number of hackers have described problems in communicating with family, above all with their parents.
Reading Chiesa’s research and having spent a great deal of time interviewing different types of hackers put me in mind of the work of Simon Baron-Cohen, Professor of Developmental Psychopathology at Cambridge University. His pioneering work on autism has led to a deeper understanding of the spectrum of male/female behavioural patterns. In essence, typical males show an enhanced ability to ‘systematise’ the external world, whereas typical females show a greater skill at ‘empathising’. This is not to say that all women are poor map-readers and that all men are hopeless listeners, merely that there is a pronounced tendency in each gender towards either ‘systematising’ among men or ‘empathising’ among women.
Baron-Cohen’s subsequent research led to him uncovering a link between the extreme male mind, which in certain circumstances could be described as ‘autistic’, and high levels of testosterone to which a foetus may be exposed in the womb. His thesis is controversial, but in many respects convincing, and without question of value when considering hackers and their behavioural patterns. Hackers are not, of course, all autistic; in fact very few of them are (although some celebrated ones, such as Gary McKinnon, wanted in the United States for hacking into the Pentagon, have been diagnosed with Asperger’s syndrome). But they do appear to conform to many of the clinical observations recorded by Professor Baron-Cohen of personalities who sit quite far down the ‘male’ end of the spectrum.
With further research, this could mean that it will be possible to identify hacker personality types among children who are still at school. In this way, peers and mentors could encourage their skills while, at the same time, offering them ethical guidance so that their abilities can be channelled in positive directions. The word ‘hacker’ tends to carry pejorative overtones. But the capacity to hack is in fact an asset, both personal and societal. Computers and networks will never be safe if they are not protected by advanced hackers. Some such individuals are already working to that end. In my experience, 90 per cent of the hackers involved in criminal activities expressed a powerful desire to work within the licit security industry – and, even with a criminal conviction, they should surely be given the chance.
Adewale Taiwo, aka Freddybb
On 1st January 2009 Adewale Taiwo was sentenced to four years’ imprisonment by Hull Crown Court for conspiracy to defraud between June 2004 and February 2008. He had pleaded guilty the previous November to one count, having already admitted to defrauding just under £600,000 from bank accounts around the world. The judge recommended that, on completion of his sentence, he be deported to Nigeria.
With time discounted for good behaviour, Taiwo was due for release on 29th August 2010. Two weeks earlier he had appeared in court in Grimsby, across the Humber estuary from Hull. This was a hearing stipulated by Britain’s Proceeds of Crime Act, one of Tony Blair’s rare sensible amendments to the criminal-justice system, which enables the state to recover assets from criminals. It was a farcical end to a serious case. The prosecutor had mislaid a key file, triggering an unexpected reaction from the bearded Judge Graham Robinson, whose initial good humour quickly turned sour. He announced that he was not going to reschedule the hearing and so the two sides should therefore come to an agreement more or less immediately. This placed Adewale in a very strong position. The judge finally accepted a figure of just over £53,000, which had been whittled down from the initial assessment of £353,067. Taiwo announced that he would not be paying, which meant that he would have to serve an extra year in prison. In fact, on 7th April 2011 he was deported to Nigeria. One of the most intelligent characters to grace the carding boards, Taiwo almost succeeded in s
ustaining his dual life as a gifted chemical engineer and a cyber criminal.
Detective Sergeant Chris Dawson
DS Chris Dawson had worked on Freddybb’s case with exceptional diligence, putting in many of his own hours to ensure that the jumble of figures, dates and technological detail was comprehensible to any lay person when it reached court. In a break for consultations during Taiwo’s Proceeds of Crime hearing, Dawson thought he heard Taiwo say, ‘Fuck it, I’m not paying.’ When the judge left the courtroom, the detective stormed out in a fury caused by the incompetence of the English judicial system.
He continues to work as a senior homicide officer in Hull.
Dimitry Golubov
Following his arrest in Odessa, the hacker Dimitry Golubov spent five and a half months in prison, during which time he was interrogated by American law-enforcement officials, including Greg Crabb of the US Postal Inspection Service. However, on the intervention of two Ukrainian MPs, he was released and finally exonerated of any wrongdoing by a court in Kiev in 2009.
Six foot two, with a charismatic blue-eyed gaze, Golubov denies any relationship with Script although there are inconsistencies in his version of events, and the digital evidence in the hands of American law enforcement tells a very different story (this included data uncovered on Roman Vega’s computer that Script was Golubov).
Script faded away after his release from custody, but Golubov returned with a renewed commitment to social change and enterprise by forming The Internet Party of Ukraine. Still based in Odessa, Golubov has developed a political programme that aims at fighting corruption, pornography and drug-dealing on the Internet. He is confident that within a decade he will be elected either Prime Minister or President of the Ukraine, and although at the moment that looks like an outside bet, his drive and ambition should be taken seriously. The Internet Party has fielded dozens of candidates at local council elections in Odessa, and although, so far, it has only won a single seat, there is no question that the movement is growing throughout the country.
Strangely, though, despite his organisation’s fierce moral stands on some criminal issues, such as child pornography, Golubov has launched a campaign to secure the release of the notorious carder Maksik from his thirty-year jail sentence in Turkey.
Roman Vega
Roman Vega has been incarcerated since his arrest in Nicosia in February 2003. Transferred to California in June 2004 at the request of the United States, he has been in custody ever since, but has never been tried. At the time of writing he is a prisoner in the Metropolitan Detention Center, Brooklyn, a dour facility near Gowanus Bay. During this entire period Vega has had no visitors except for his legal representatives.
In August 2007 a hearing was scheduled in front of Judge Charles R. Breyer in the Northern District of California. Prosecution and defence were ready to sign off on a plea bargain, which would have seen Vega released, having already served the forty-six months’ sentence that the lawyers had agreed. On the afternoon before his release a prosecutor from the Eastern District of New York filed a whole new set of charges, requesting Vega’s transfer to Brooklyn. The charges were in substance identical to the Californian ones. The prosecuting counsel in New York, however, chose a different statute under which to file the charges, to avoid a double-jeopardy ruling.
The transcript of the court hearing makes it clear that Judge Breyer, a brother of the Supreme Court member Stephen Breyer, was embarrassed and angered by the tactics of New York’s Eastern District. The new indictment was based on information furnished by agents of the US Secret Service.
After Vega arrived in Brooklyn, the Secret Service offered him a deal: if he were to testify against Dimitry Golubov and other members of Ukraine’s establishment (not hackers, but senior political figures), then they would drop the charges. But if he refused, they would bring further charges against him filed in different states of the Union. They would continue until he agreed to cooperate.
Regardless of what Vega has or has not done, he has already spent three times longer in jail than those sentenced for their activity in Shadowcrew, with two unresolved cases still hanging over him and the threat of more in the wings. Vega has been suffering from advanced dental decay for several years and is in constant pain, often unable to eat properly. He has been refused medical assistance by the Bureau of Prisons and the US Marshall Service.
There is no prospect of Vega being released in the foreseeable future.
Maksym Kovalchuk, aka Blade
Kovalchuk was arrested in May 2003 in Thailand and extradited to the United States, where he served four years in jail. The FBI consented to a negotiated plea agreement and he was released in late 2007, after which he returned to anonymity in the Ukraine. The FBI’s decision to release him contrasts starkly with the Secret Service’s tactic of holding onto Roman Vega.
Renukanth Subramaniam, aka JiLsi
On 26th February 2010 Subramaniam pleaded guilty to one charge of credit-card fraud and four charges of mortgage fraud, for which the judge at Blackfriars Crown Court sentenced him to four years’ imprisonment. At the time of writing he is an inmate at West London’s Wormwood Scrubs prison, whose alumni include the composer Sir Michael Tippett and the Rolling Stones guitarist, Keith Richards.
With time off for good behaviour, Subramaniam is expected to be released in late July 2012. The bulk of his case relates not to DarkMarket but to mortgage fraud. The prosecution included five such instances (although three of these applications were turned down by the financial institutions). While mortgage fraud is a crime in its own right, the prosecution suggested a link between Subramaniam’s earnings from DarkMarket and his ability to pay the mortgages. In fact, Subramaniam argues that he was not responsible for the mortgage payments, as he applied for the loans on behalf of friends who were not eligible to do so themselves. Additionally, Subramaniam is awaiting the outcome of his Proceeds of Crime hearing to see whether he is liable to further forfeiture of funds. Under the terms of his Prevention of Crime Order, he will have no unsupervised access to computers for five years following his release from prison.
Detlef Hartmann, aka Matrix001
On 9th October 2007 the Regional Court in Stuttgart ruled that Hartmann should stand trial on thirteen counts of credit-card fraud. However, the same court announced that the motion to prosecute him on a charge of Forming a Criminal Conspiracy was rejected. With the more serious charge dropped, Hartmann was released from Stammheim prison, where he had spent the previous four months. The key decision preventing his prosecution on the charge of conspiracy lay in the court’s interpretation of Germany’s Basic Law, its constitution, which states that a member of a conspiracy must feel part of a ‘unified group’ in which there is presumed ‘the subordination of the individual to the will of the collective’. The judge argued that the fluid nature of the Internet and the membership structures of DarkMarket did not meet these criteria – a ruling that, of course, has important implications for the development of laws relating to crime on the Internet in Germany.
In July 2008 Hartmann received a suspended sentence of twenty-one months for the fraud charges. He has since taken up his studies in graphic design again and has completely broken any links with the underground.
RedBrigade
He has largely gone straight and is currently in Europe.
Max Vision, aka Max Butler, aka Iceman
On 12th February 2010 Max Vision was sentenced by a court in Pittsburgh to thirteen years behind bars, the longest jail term ever handed down by an American court for hacking. The prosecution calculated that his hacking resulted in credit-card losses of more than $85 million. He is now an inmate at the low-security Federal Correctional Institution Lompoc in southern California, where he is allowed no access to computers of any sort.
Vision’s hacking ability is unparalleled – he is unquestionably one of the smartest men serving time in the U
nited States. At a closed conference in the autumn of 2010 I discussed his case with one of the most senior officials from the Department of Homeland Security to deal with cyber threats. He agreed with me that having a computer user of Vision’s ability languishing in jail was probably a misuse of the US’s human assets, but pointed out that Vision’s ego – almost as large as his intellect – had also played a major part in the affair.
Nicholas Joehle, aka Dron
Joehle has been released from prison, having served his sentence for credit-card fraud and the illegal manufacture of skimming machines.
Hakim B, aka Lord Kaisersose
Lord Kaisersose is in Marseilles still awaiting trial, but on bail. France is another country where the wheels of justice could use a spot of grease.
Cha0
Cha0 is either running his businesses in Slovenia or in jail, depending on whether the real Cha0 is Şahin or Çağatay Evyapan. The latter is on remand at one of Turkey’s highest-security facilities in Tekirdağ. His trial is due to begin this year, but the prosecutor has dropped the more serious charges relating to organised crime.
Mert Ortaç, aka SLayraCkEr