When the Internet first started becoming popular, many talked of it in magical and even terms. Many imagined that human nature would evolve with more sharing and empathy. People could explore their own identities and actualize themselves in higher ways.
Now, about a dozen years in, Misha Glenny’s “DarkMarket: Cyberthieves, Cybercops and You” offers a different side of the Internet, built on a physical substructure of phone lines and computers around the world. Its inhabitants are eminently trackable and identifiable; there’s no anonymity or facelessness here. Any vulnerabilities in this space are quickly exploited.
The world’s rush to go online for convenience and economic growth have exposed many parts of the critical national infrastructures to high risks of compromise and take-down. Cyberspace has been reified as a fifth military domain (along with land, sea, air, and space).
Glenny’s story follows the global nature of “carders” who hack financial systems around the world, abscond with people’s personal financial data, and sell that data to individuals around the world who clone credit cards, order goods from various manufacturers, and withdraw massive amounts of ill-gotten cash.
These carders set up innocuous-sounding message boards, vet members through a trust system, set up their own escrow system to increase protections against rippers (cyber criminals who “rip off” other cyber criminals), and are on the constant look-out for possible infiltration by law enforcement agents who trawl such sites. Others sell card “skimmers” that fit over the tops of ATM machines or that may be hidden by a cash register to swipe card holder data.
The international legal regime has been slow to catch up to the threat. The US is a leader in passing laws against cybercrimes, training law enforcement officers in identifying and capturing online criminals, and then prosecuting aggressively. “Unlike its Chinese, Russian or Middle Eastern counterparts, the American government does not need to hack Google to explore its secrets. It can get a court order instead,” observes Glenny.
Further, US law enforcement may use a broader range of tools to learn about criminal networks online. They may turn hackers into confidential informants. They may place law enforcement agents into certain networks, or they may create “sting” sites directly (and let the criminals come to them). They may legally hack systems. For the past ten years, according to Glenny, they have been busy mapping the skill sets and social networks of hackers and storing this information on a database.
Many cybersecurity experts who work for the top firms in Silicon Valley hail from the FBI, US Secret Service, the CIA, the DEA, and the US Postal Inspection Service, which are known to have some of the world’s best cyber investigators. The relationships between private and public sectors mean that critical learning about criminal methodologies may be shared with more efficiencies.
Some hackers profiled in this book prefer going after European and Canadian cards instead. Other hackers hailing from Russia and some Eastern European countries know better than to go after Russian financial systems. “If Russian-speaking cyber criminals had turned on Russian banks or businesses, the entire project would have been shut down within five minutes,” writes Glenny.
The tools used by hackers are generally known ones. They create anonymity by using virtual private networks (VPNs) in which users may hide behind one IP address but log in from anywhere in the world, and others use proxy servers which do not broadcast the original IP of the administrator. The idea is to separate a real person’s identity from what he or she is doing under an anonymous handle (like JiLsi, Master Splynter, Shtirlitz, Lord Cyric, Cha0, Freddybb, Recka, Lord Kaisersose, Theeeel, Dron, and Iceman).
Another approach is to encrypt documents although there are suspicions that most publicly available encryption methods are breakable by brute-force methods available to the US’s National Security Agency (NSA). (High-level encryption software has been labeled a munition by the US in the 1990s and cannot be exported.)
Glenny hopscotches through over a dozen countries in pursuit of the story of DarkMarket. He meets with “thieves, cops, double agents, lawyers, hackers, crackers and more prosaic criminals.” He peruses court documents. He forages online for chunks of the DarkMarket website. The technological complexity means that some of the data he engages is plain wrong. With so much fronting and dishonesty on the Internet, he finds that the evidence is “partial, tendentious and scattered both in the virtual and the real world.” To tell his story, he focuses on some of the main players-the criminals and law enforcement-ultimately matching their online personas and reputations with their real selves.
He visits Google headquarters in Mountain View, California, with its enormous database of information about people, to chat with their Trust and Safety Manager. Google maintains one of the world’s largest depositories of data (the other being Facebook), information which may be used in a variety of ways.
He writes: “The jolly pastel mix of primary and secondary colours, familiar from Google’s logo, is replicated throughout the ‘campus.’ Often they use soft, rounded edges to define the large objects scattered around the place with precision higgledy-pigglediness. The sculptures are designed for sitting on, looking at or playing with, so that the entire complex resembles either a vast kindergarten or, depending on your anxiety and paranoia levels, the bizarre toytown village from the 1960s TV show The Prisoner, whither national-security risks were sent and whence there was no escape. Is it my imagination or does everyone I see on the campus, from cleaners to senior management, sport a trance-like smile? This both strengthens the paranoid interpretation of Google’s essence and gives the impression that they are all working a little too hard on not being evil.”
The profiled individuals in DarkMarket are engaging. There’s a low-key IT systems administrator at a global energy firm in Britain notices anomalies in his network, which leads to one of their star chemical engineers who works as a carder on the side. There’s a white-hat hacker who informs the government of a security vulnerability in a network serving the government but who writes himself a backdoor into that system and serves time in a federal pen-where he turns to the dark side.
Others find their way into crime in a more prosaic way. Online ads by criminal hackers invite people to enter into business partnerships. One scam involved the selling of pirated copies of CAD-software which market for $3,000 to $7,000 through official channels but with stolen copies selling for $200. (Such endeavors were often part of state-sponsored industrial-scale counterfeiting, with crime syndicates working in Bulgaria, Ukraine, Russia, and Romania.) In the case of the Autodesk software, some 15 US citizens served as “mules” to money-launder the proceeds.
“Money-laundering and scams depend on these (largely) unwitting characters, who respond to advertisements offering good returns on work carried out from your home computer. Successful candidates are then required to place their bank accounts at the disposal of their new employer. In the Autodesk case, the mules would receive $200 and then forward $180, holding back $20 as their commission,” Glenny writes.
Digital rights management systems tend to not last more than a few days “before being cracked by one of the tens of thousands of hackers and crackers around the world.”
Financial institutions have not always worked with law enforcement to pursue those who’ve compromised their networks because they do not want to spook customers with revelations in public court documents. Further, most banks are insured and just pass on their costs to customers.
Misha Glenny describes well the “bare-knuckled gangster capitalism” that evolved after the fall of communism in the Eastern bloc countries in the 1990s. “Hyperinflation and nationalism destroyed the value of the ruble, the Karbovanets, the hryvnia or whatever else the government claimed at any time was ‘real’ money. Only the Yankee dollar provided any real stability,” he observes. (The greenback has long been the target of all sorts of counterfeiting schemes.) He describes the First Worldwide Carters’ Conference in Odessa, Ukraine.
The build-up to the dot-com bubble happened with the mass rush to monetize the WWW and Internet in a time when “human greed and fantasy collide,” but no real value was being created. The inspiration for the carders was that the Western love affair with credit could be exploited along with the weak security regimens of financial institutions. The logic went like this: “If you had websites for all other manner of commerce, why not develop one for the inchoate trade in stolen credit-card numbers, bank accounts and other valuable data?”
Thus began the CarderPlanet site which brought together some of the top hackers working in criminal endeavors to share varying skill sets (including the counterfeiting of travel documents and driver’s licenses). Later on, the administrators of CarderPlanet started franchising their site to other locations around the world to make more money for less work and less direct risk. This site lasted for four years and was a prototype for subsequent similar sites (and criminal networks) like Shadowcrew,
The online lives of the cyberthieves were not without drama, with one or another accusing others of colluding with law enforcement, hacking each other’s accounts, or maneuvering fellow thieves out of a certain market. In the background, law enforcement is putting together a fuller picture of these individuals behind the hacking. They are mining hard drives. They are turning individuals. They are taking on criminal identities. They are also waiting for political regimes to change-so that they can encourage the law enforcement in other countries to arrest known hackers.
Glenny describes some young hacker arrivistes linked to the DarkMarket site who crash Monaco’s casinos with American Express Centurion (Black Amex) cards and flaunt their wealth.
The potential for highly intrusive government actions is high. In the 1990s, the FSB (successor to the KGB) recognized the importance of cyberspace. They set up the System for Operative-Investigative Activities: “SORM-2 is truly frightening. Should you request information over the Web from your computer in Vladivostock or Krasnodar, then when it reaches your Internet Service Provider, a duplicate package dutifully trots off to FSB central in Moscow, to be read, mulled over, laughed at and (who knows?) used in evidence against you, at the FSB’s pleasure. At the very least, it will be stored.” Encryption is illegal in the Russian federation.
Glenny suggests that the military, private sector, police, and intelligence agencies are free-riding the ingenuity of hackers in cyberspace. The Stuxnet worm could not have been made without the “computer code and techniques from the many tens of thousands of blackhat or greyhat hackers out in cyberspace,” he writes. Hackers tend to be science-minded and bright, the author notes, and many would gladly work for the licit computer security industry and more socially constructive enterprises.
Glenny worked for the BBC as a journalist. He is the author of McMafia; The Rebirth of History; The Fall of Yugoslavia, and The Balkans: Nationalism, War and the Great Powers. He lives in London.
Shalin Hai-Jew works for Kansas State University. She lives in Manhattan.