Not Just the Money
- DarkMarket: How Hackers Became the New Mafia by Misha Glenny
Vintage, 432 pp, £8.95, July 2012, ISBN 978 0 09 954655 9
Message boards are online forums typically concerned with a single subject, whose users can post public messages in ‘threads’ to do with a particular aspect of that subject, or exchange private messages. Most message boards are small operations that barely manage to cover the cost of server space. Users are brought together by a shared (usually offline) interest and tend to number in the hundreds or thousands. While Facebook requires that users’ online avatars mirror their legal, offline identities, almost everyone on message boards uses a pseudonym. While exchanges are frequently untruthful, gossipy or abusive, they also allow their authors’ personalities to surface in a way that would not be possible face to face or in anything they published online under their real names.
Message boards tend to fall under the influence of the users who have the most time to spend on them, and it often takes only a few conversational iterations before users are speaking a jargon of their own making. Here is a post from twoplustwo.com, a popular message board devoted to poker: ‘This results in bum hunters grimming people that want action, and others being afraid to sit because the likelihood of getting grimmed makes it inherently -ev to ever sit.’ And here is another, from a board devoted to the cultivation of magic mushrooms:
they colonised very fast with really thick myc, (sometimes fast growth gives me weak myc with some strains), after birthing to a 12qt sweater box, I let sit for 3 days to seal up a bit, then cased with 50/50+lime soaked in some bullseye water for a bit to help buffer. I saw one early pin on day 5, then my first count of 10 or so on day 7, it’s day 8 today and they are looking thick and good.
Message boards help the weird find the weird and get weirder. In the case of DarkMarket, one of the rogue message boards that Misha Glenny writes about, the bad found the bad and got even worse. Glenny’s story takes the form of a police procedural, set in Eastern Europe and the former Soviet Union. His shifting band of hackers and unscrupulous entrepreneurs targeted the newly global network of credit and debit cards. Forged cards imprinted with the appropriate magnetic strip made it possible for them to withdraw cash from hundreds of thousands of ATM machines. The cybercriminals’ trail was gradually picked up by law enforcement agencies around the world as the authorities struggled to modernise laws and investigative techniques designed to deal with old-fashioned varieties of organised crime.
Glenny covered the Balkans during the collapse of the Soviet Union, and wrote three ambitious histories of the region. His fourth book, McMafia, examined how the underworld took advantage of globalisation in the 1990s, establishing partnerships and franchises in the manner of their corporate counterparts. In DarkMarket, Glenny traces a virtual landscape that maps onto familiar political geography, explaining, for instance, how the unreliable Soviet computers used in Ukraine and Bulgaria bred some of the world’s most adept technicians.
Glenny explains the attractions of ‘carding’: it has relatively low upfront costs and manageable legal risks. The possibility of violence and injury is part and parcel of physical robbery, but carding can seem almost victimless. Banks in many countries reimburse defrauded customers, although they then pass on their insurance premiums in the form of ATM surcharges and monthly fees. Inside the sanctuary of the message board communities, carders treat confidential account information like any other commodity. They break the fraud down into a series of separate operations, which allows them to increase profits and spread risk across continents and jurisdictions. If the victim is British and the perpetrator from Nigeria, while the illicit data are on a server in Israel and processed by Turks, then it’s easy to understand why the police might decide their time is better spent chasing terrorists, drug smugglers and other criminals who can be physically tracked. (In terms of scale, it might be added, carders are small fry. One FBI agent told Glenny that his carding investigation forestalled $70 million in losses. Even if we accept this figure at face value, it isn’t much of a bite considering that US consumers pay roughly $7 billion in ATM fees every year, on cash withdrawals approaching $700 billion.)
At the top of the carding food chain are those who harvest account numbers together with their PIN codes, each pair known as a ‘dump’ or a ‘whole’. These can be obtained in a variety of ways: hacking bank systems, compromising insiders or installing a ‘skimmer’ on a cash machine that can read the information on a card surreptitiously. MSR206 machines then encode these stolen data on a blank card and, finally, ‘mule herders’ organise the most vulnerable leg of the operation, the moment when someone goes up to a machine with a bogus card, walks away with the cash, and then transfers most of the proceeds back up the ladder.
DarkMarket, and other message boards such as CardersMarket and Shadowcrew, made it possible for carders and other cybercriminals to share their expertise, helping spread the practice across the world. The message boards allowed distant operators to collaborate without disclosing their real names. Boards were controlled by moderators, who received little or nothing for their labour other than premium gossip and a sense of their own superiority. They had the power to certify pseudonymous carders as worthy business partners. In the traditional crime world that Glenny examined in McMafia, this kind of trust was gained through links with a family, an ethnic group, or the word of a third party. The boards created a system where a reputation as an honest carder was worth more than the option of cheating a counterparty. There was, in other words, honour among thieves.
The carders’ style of loose co-operation has something in common with the battlefield as imagined in Swarming and the Future of Conflict (2000) by the RAND Corporation’s John Arquilla and David Ronfeldt. Technology, Arquilla and Ronfeldt argue, will soon make it possible for small clusters of loosely organised military units to conduct brief and co-ordinated strikes, then disperse. Message boards, similarly, allow lone hackers to share targets and information when it suits them, then scatter when there is any danger of legal repercussions, only to reassemble elsewhere.
Glenny’s criminal sources devised ingenious methods that made it possible for them to form lasting business relationships in this anarchic space without legally enforceable contracts. Some of the ringleaders had actually met – Glenny recounts one such meeting in Odessa, a longstanding hub of the global black market – but most of the boards’ administration happened online. Moderators vetted prospective members, published codes of behaviour, punished those who deviated from the code by deleting their contributions or exiling them, and kept an eye out for ‘rippers’, whose business model was to accept payment for goods that they never delivered. Some boards even developed an escrow service, usually run by a senior member, who would receive the seller’s data and hold the buyer’s money until the seller’s information checked out.
This trade in illicit data shows how the combination of capitalism and technology can transcend most barriers. The only real difficulty during carding’s first years was language: carders had to choose between Russophone boards whose slang offered an extra layer of protection from Western law enforcement, and boards conducted in pidgin English, where a typical contribution might be: ‘Dumps checking by ask, we always replace bad one. We will send order immidiately after payment.’ Or: ‘Don’t cry with me, u have been rip by ripper … I never give test free when u cry with me.’ Or: ‘With me I never give test free or demo … TRUST is IMPORTANT because I need more big buyer.’
Today carders still migrate from forum to forum, laying their goods out as if on a table at a bazaar:
PRICES FOR DUMPS WITH PIN:
US (Classic, Platinum, MC Standard)=200$
US (Gold, Purchasing, Signature)=250$
US (MC World, Business, Corporate)=300$
The English boards were so accessible and well maintained that they were soon teeming with informers and undercover police, who could fabricate counterfeit identities just as easily as the carders could pass themselves off as the legitimate holders of their victims’ accounts. The boards were eventually shut down when police in Turkey, Britain and the United States independently stumbled on frauds and followed them back to the carders’ online nests.
Glenny reports on both sides of the divide, on the police as well as the thieves, and discusses the split between his subjects’ online and offline personas. Many carders, he suggests, aren’t in it just for the money. The carder known as JiLsi turns out to be Renukanth Subramaniam, a lonely Sri Lankan immigrant in London. In his ‘real’ life he drank too much, was addicted to crack cocaine and spent most of the day in dingy internet cafés. But the long hours he devoted to moderating DarkMarket and his obsessive pursuit of other users’ respect soon put him among the site’s elite. It also put him on a level with far more worldly criminals like the Ukrainian Roman Vega, known as Boa, who had once sold surveillance equipment and made the first amateur radio broadcasts from North Korea (there was kudos attached to broadcasts from places to which it was hard to gain access). The pleasure of being part of a community was reinforced by the cognitive rush to be had from online communications – Glenny describes it as a ‘flood of dopamine around the brain’s frontal lobe’. A young hacker told Glenny that the first time he logged onto a carding site, he felt like Ali Baba ‘when he first opened the cave and saw it stuffed full of treasure’. The joy in money seeming to appear ex nihilo is reminiscent of the pleasure counterfeiters are said to feel when they see sheets of bills rolling off the presses.
Glenny interviewed Subramaniam and Vega in prison (Subramaniam in Wormwood Scrubs and Vega in the US), as well as talking to investigators and examining the legal record, to build up a convincing version of their stories. But in other cases it’s unclear whether Glenny’s characters deserve the trust he appears to have placed in them. A man whose name is given only as RedBrigade, for example, tells Glenny that in 2003 he used to withdraw as much as $70,000 a week from banks in New York. He flew first class, lived in fancy hotels and bought a new luxury car ‘every two or three months’. Glenny describes a day when RedBrigade woke up ‘at around eleven in the morning’, his head ‘still groggy from the previous night’s partying’, and hit a branch of the Washington Mutual Bank, withdrawing $10,000, delivered in the form of ‘two hundred fresh $50 bills’. Glenny appears to believe RedBrigade’s account of these exploits, though he does warn us that his ‘attempts to assess when an interviewee was lying, embellishing or fantasising … were only partially successful’. This caveat applies especially to ChaO, the dark lord of the carding scene, who locked his accomplices into a kind of serfdom by renting out card skimmers that automatically encrypted purloined data and relayed them back to his headquarters in Turkey. There is a digital image showing a young man who is said to have provoked ChaO’s displeasure, stripped to his underwear and sitting in a chair holding a handwritten sign saying: ‘I am rat. I am pig. I am reporter. I am fucked by ChaO.’
Who is ChaO? Some of Glenny’s sources suggest he was a front for another man. Others say that the name ChaO was an umbrella identity for a group of carders. Still others believe that he is Çagatay Evyapan, a Turkish man who went to prison for some of ChaO’s crimes. Glenny tracked down Mert Ortaç, the young man in the chair, whose story he treats with scepticism, describing his vividly detailed tale as ‘neither reality nor fantasy’. Ortaç claims to have met ChaO and to have investigated his cabal on behalf of contacts in Turkey’s intelligence service. When ChaO learned of Ortaç’s betrayal, through a virus covertly installed on Ortaç’s laptop, he ordered Ortaç’s online humiliation at the hands of Evyapan. (Glenny was unable to verify Ortaç’s claim that ChaO was a mysterious man named Sahin whom he once met in the executive box at a football game in Istanbul.) Glenny interviewed Evyapan in prison, but the deeper into the mystery he went, the more Cha0’s identity dissolved into rumour and contradiction.
Whether or not Ortaç’s stories hold water, he is the sort of character familiar to those who followed the case of Bradley Manning. Manning was promised journalistic and priestly confidentiality by the hacker Adrian Lamo, who then betrayed him to the US government and to his contacts at Wired magazine. What most hackers really want is deliverance from obscurity. Money is one means to this end; the media are another. Some, like Lamo, want this badly enough to ruin, to betray and to lie, though as Glenny notes, having been socialised by an online culture where manipulation is the norm, they don’t really see it as lying. Mark Zuckerberg’s reference to what he calls the ‘Hacker Way’ in Facebook’s public stock filing, and particularly his directive that employees should ‘move fast and break things,’ should give pause to the millions who have trusted his company with their data.