Cybercrime Supersite 'DarkMarket' Was FBI Sting

Eugen Leitl eugen at leitl.org
Tue Oct 14 09:17:51 PDT 2008


http://blog.wired.com/27bstroke6/2008/10/darkmarket-post.html

Cybercrime Supersite 'DarkMarket' Was FBI Sting, Documents Confirm

By Kevin Poulsen | October 13, 2008 | 4:20:08 PM | Categories: Crime

While criminals thought it was based in Eastern Europe, the internet's top
English-speaking cybercrime forum was secretly run by the FBI from this
building on the banks of the Monongahela River in Pittsburgh.

Photo: John Monroe Butler/ Wired.com

DarkMarket.ws, an online watering hole for thousands of identity thieves,
hackers and credit card swindlers, has been secretly run by an FBI cybercrime
agent for the last two years, until its voluntary shutdown earlier this
month, according to documents unearthed by a German radio network.

Reports from the German national police obtained by the Südwestrundfunk,
Southwest Germany public radio, blow the lid off the long running sting by
revealing its role in nabbing a German credit card forger active on
DarkMarket. The FBI agent is identified in the documents as J. Keith
Mularski, a senior cybercrime agent based at the National Cyber Forensics
Training Alliance in Pittsburgh, who ran the site under the hacker handle
Master Splynter.

The NCFTA is a non-profit information sharing alliance funded by financial
firms, internet companies and the federal government. It's also home to a
seven-agent FBI headquarters unit called the Cyber Initiative and Resource
Fusion Unit, which evidently ran the DarkMarket sting.

The FBI didn't return a phone call Monday.

Like earlier crime sites, DarkMarket allowed buyers and sellers of stolen
identities and credit card data to meet and do business in an
entrepreneurial, peer-reviewed environment. Products for sale ran the gamut
from specialized hardware, to electronic banking logins collected from
phishing attacks, stolen personal data needed to assume a consumer's identity
("full infos") and credit card magstripe swipes ("dumps"), which are used to
produce counterfeit cards. Vendors were encouraged to submit their goods for
review before offering them for sale.

Inside the National Cyber Forensics Training Alliance, FBI agents work with
graduate students and industry representatives to track computer crime.

Photo: John Monroe Butler/ Wired.com

The unearthed documents, seen by Threat Level, show the FBI sting had begun
by November, 2006. An FBI memo sent to the German national police regarding a
forum member in that country boasts, "Currently, the FBI has been successful
in penetrating the inner 'family' of the carding forum, DarkMarket." A March
2007 e-mail from Mularski's FBI address to his German counterpart puts it
bluntly. "Master Splynter is me."

The documents indicate the FBI used DarkMarket to build "intelligence briefs"
on its members, complete with their internet IP addresses and details of
their activities on the site. In at least some cases, the bureau matched the
information with transaction records provided by the electronic currency
service E-Gold.

Last month, Master Splyntr -- now identified as Mularski -- announced he was
shuttering the site as of October 4th, citing unwanted attention garnered by
a fellow administrator, known as Cha0. From his home in Turkey, Cha0 had
aggressively marketed a high-quality ATM skimmer and PIN pad that fraudsters
could covertly affix to certain models of cash machines, capturing consumers'
account numbers and secret codes. But he began drawing heat this year after
reportedly kidnapping and torturing a police informant. He was arrested in
Turkey last month, where police identified him as one Cagatay Evyapan.

That's why it was time to close DarkMarket, Master Splynter explained, in a
message that now rings with irony.

"It is apparent that this forum ... is attracting too much attention from a lot
of the world services (agents of FBI, SS, and Interpol). I guess it was only
time before this would happen. It is very unfortunate that we have come to
this situation, because ... we have established DM as the premier English
speaking forum for conducting business. Such is life. When you are on top,
people try to bring you down."

The German report confirms rumors that have swirled around DarkMarket since
late 2006, when uber-hacker Max Ray Butler cracked the site's server and
announced to the underground that he'd caught Master Splynter logging in from
the NCFTA's office on the banks of the Monongahela River. Butler ran a site
of his own, and the warning was generally dismissed as inter-forum rivalry,
even when Butler was arrested in San Francisco last year on credit card fraud
charges, and shipped to Pittsburgh for prosecution.

Until this afternoon, SpamHaus listed Master Splynter as an Eastern European
spammer named Pavel Kaminski, who was active as recently as 2005. It's
possible the FBI took over the handle sometime thereafter. In 2004, the
Secret Service ran a similar scheme on the crime board ShadowCrew, but that
agency used an informant, who went on to commit more crimes -- a risk not
likely present with agent Mularski.

Lord Cyric, another former DarkMarket administrator, says Master Splynter was
invited onto DarkMarket as an admin about two years ago, and was still known
as a spammer. Based in Canada, Lord Cyric has sold fake IDs and checks in the
underground, but he's convinced he's out of reach of any sting operation.

"Worry? Me? Nah," he wrote in an IM interview. "It's a long, slow hard
process for them to interest Canadian [law enforcement] to go after someone
who doesn't touch drugs nor deals with skimmers. ... It's all about U.S.
busts, unless there's a big drug deal and DEA gets involved."

Threat Level admires Lord Cyric's bluster, but thinks his days in the
underground are numbered.  The FBI almost certainly closed DarkMarket in
preparation for a global wave of arrests that will unfold in the next month
or so. The site was likely shuttered to avoid an Agatha Christie scenario in
which a diminishing pool of cybercrooks are free to speculate about why
they're disappearing one-by-one like the hapless dinner guests in Ten Little
Indians.

Kudos to Südwestrundfunk reporter Kai Laufen, who discovered the operation.
I'm sending him the "I Spotted the Fed" tee-shirt I took home from DefCon 7.




