Developers Club geek daily blog

The underground market of carders. Translation of the book "Kingpin". Chapter 16: "Operation Firewall"

Kevin Poulsen, an editor at WIRED magazine and, in his black-hat youth, the hacker Dark Dante, wrote a book about "one acquaintance".

The book traces the path from a teenage geek (but a rollerblader at the same time) to an experienced cyber-kingpin, and also shows some of the methods intelligence agencies use to catch hackers and carders.

The quest to translate the book began in the summer at an IT camp for high-school students ("Kingpin: schoolchildren translate a book about hackers"); then Habr users and even a few publications joined the translation.

The "book translation quest" got a second wind thanks to the Edison company: when I let them read a draft, they shared their experience of building a VPN network for anonymous clients.

Somebody contacted them via an anonymous ICQ account, writing awkwardly, as if through a translator. He handed over a technical spec in English and paid in WebMoney. He said that even if it were traced, he had taken care of everything. Two programmers worked on the task for a month, delivered on time, and there were no complaints. (There are a few details I could tell in a separate article, if anyone is interested.)

Chapter 16. Operation Firewall

(thanks to Habr user Find_The_Truth for the translation)

Something strange was happening to ShadowCrew.

Max tried to keep a low profile on one of the most criminal websites on the whole Internet. To him ShadowCrew was only a place where he could hack a couple of carders. But in May 2004 the site's administrator made an announcement that caught Max's attention: the administrator Cumbajohnny was offering a new VPN service exclusively for members of the site.

A VPN, a virtual private network, is used to provide remote access to one network over another, for example giving an employee at home access to the company's office network. But the main reason VPN services appeared was the ability to encrypt the data sent through them. For the underground it was the ideal way to shield transactions from curious ISPs and law enforcement, since any attempt to monitor the criminal activity would get no further than where it started.

Cumbajohnny was the newest addition to the leadership: the former moderator had quickly risen through the site's hierarchy and begun to shape the mood of the forum. The other administrators even noticed an increase in user activity on the forum. Banners hung across the top of the site: "Stop talking, make money. Place your advertising here. Contact Cumbajohnny." ShadowCrew came to resemble a Las Vegas sign: flashing banners promising an endless party, women and lots of money.

Gollumfun, the site's well-known founder, publicly announced he was leaving ShadowCrew's affairs just as another founder, BlackOps, was also about to leave. He wrote: "Once a beautiful platform, ShadowCrew has fallen shamefully into a crowd of children who do not value knowledge, skills or positive communication with the other members of the site. The well-thought-out tutorials are gone, the respected users are gone, civility is gone. We will no longer help newcomers find their calling; from now on we will shame them until they leave the site, never understanding that there are no new users and never will be. BlackOps, you will be missed. Thanks for your contribution." Cumbajohnny's reply was very brief: "ShadowCrew is changing. It is for the best."

Max was not especially interested in changes in the site's political arena, but the appearance of the VPN puzzled him greatly. It turned out that Cumbajohnny had been selling his personal VPN service to ShadowCrew's top members for three months. Now Cumba wrote that any ShadowCrew member without penalties could buy a piece of peace of mind for 30 to 50 dollars a month.

But it is well known that VPNs have one weak point: everything sent over the network passes through a central point in unencrypted, vulnerable form. As one forum member observed: "If the FBI, or anyone who badly needs the data, gets into the data center and changes some settings on the VPN server, the users of that server are in for a hard time." "But that is just paranoia," he conceded.

Cumbajohnny hurried to reassure him: "Nobody will be able to get into the VPN without my permission."

These posts did not convince Max. As a white hat, he had once written a program for the Honeynet Project called Privmsg. It was a Perl script that took data from a packet sniffer and reconstructed an IRC chat from it. When an attacker set about breaking into one of the honeypot traps, he would try to stay in touch with other hackers. With Max's Privmsg program, specialists could see that entire correspondence. It was a major breakthrough in the fight against hackers, turning passive honeypots into powerful traps that shed light on the motives and culture of the underground.
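The kind of reconstruction Privmsg performed, as an added example: this is not Max's Perl script or Honeynet Project code, but a Python sketch of the same idea. It takes IRC protocol lines recovered from a sniffer, attributes the unprefixed lines that the monitored client sends itself (the server never echoes a client's own PRIVMSG, so those lines exist only in the client-to-server direction), follows the client's nick changes, unwraps CTCP ACTION and emits a readable transcript. The capture lines, nicks and addresses are constructed for the example.

```python
"""Rebuild an IRC chat from sniffed protocol lines (added example).

Not Max's Privmsg script (that was Perl) and not Honeynet Project code.
Assumes the TCP stream between the monitored host and the IRC server has
already been reassembled into one IRC line per entry, with both directions
interleaved in the order they were captured.
"""
import re

# Server-originated lines carry ":nick!user@host " (or ":server.name ") in
# front of the command; lines the monitored client sends itself have no
# prefix, so their sender has to be inferred from the client's NICK command.
PREFIX_RE = re.compile(r"^:(?P<nick>[^!\s]+)(?:!\S+)?\s+(?P<rest>.*)$")


def split_params(rest):
    """Split 'CMD a b :trailing text' into ('CMD', ['a', 'b'], 'trailing text').

    The trailing parameter starts at the first ' :' and may itself contain
    spaces and colons; it is None when the line has no trailing part.
    """
    if " :" in rest:
        head, trailing = rest.split(" :", 1)
    else:
        head, trailing = rest, None
    parts = head.split()
    cmd = parts[0].upper() if parts else ""
    return cmd, parts[1:], trailing


def reconstruct(lines):
    """Return the chat as '[target] <nick> text' / '[target] * nick action' lines."""
    client_nick = "<unknown>"  # until the client's own NICK command is seen
    transcript = []
    for raw in lines:
        raw = raw.rstrip("\r\n")
        if not raw:
            continue
        m = PREFIX_RE.match(raw)
        if m:
            sender, rest, from_client = m.group("nick"), m.group("rest"), False
        else:
            sender, rest, from_client = client_nick, raw, True
        cmd, params, trailing = split_params(rest)

        if cmd == "NICK":
            # Client-sent NICK, or the server echoing the client's own change
            # (the only form present if just the server->client side was captured).
            new_nick = params[0] if params else trailing
            if new_nick and (from_client or sender == client_nick):
                client_nick = new_nick
            continue
        if cmd not in ("PRIVMSG", "NOTICE") or not params or trailing is None:
            continue  # numerics, PING/PONG, JOIN, MODE etc. carry no chat text
        target, text = params[0], trailing
        # CTCP ACTION ("/me ...") is wrapped in \x01 ... \x01
        if text.startswith("\x01ACTION ") and text.endswith("\x01"):
            transcript.append(f"[{target}] * {sender} {text[8:-1]}")
        else:
            transcript.append(f"[{target}] <{sender}> {text}")
    return transcript


SAMPLE_CAPTURE = [  # constructed sample capture, not real traffic
    "NICK h4x0r",
    "USER h4x0r 0 * :h4x0r",
    ":irc.example.test 001 h4x0r :Welcome to the network",
    "JOIN #ops",
    ":h4x0r!~h4x0r@203.0.113.5 JOIN :#ops",
    ":bob!bob@198.51.100.7 PRIVMSG #ops :box is up, who wants in",
    "PRIVMSG #ops :me, send details",
    ":bob!bob@198.51.100.7 PRIVMSG #ops :\x01ACTION goes to get coffee\x01",
    "PING :irc.example.test",
    "PONG :irc.example.test",
    ":bob!bob@198.51.100.7 NICK :bob2",
    ":bob2!bob@198.51.100.7 PRIVMSG h4x0r :pm me later",
    "NICK l33t",
    ":h4x0r!~h4x0r@203.0.113.5 NICK :l33t",
    "PRIVMSG bob2 :ok",
]

if __name__ == "__main__":
    for line in reconstruct(SAMPLE_CAPTURE):
        print(line)
```

The point of carrying the client's nick through the loop is exactly the detail the passage turns on: a sniffer on the honeypot side sees both directions, but only the server-originated lines name their sender, so without the client's own NICK command half of the conversation would be unattributed. Real captures would first need TCP reassembly (and would miss everything once the attacker switches to TLS), which the sniffer front end, not this parser, has to supply.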

Now Max saw the same picture of data interception in Cumba's offer. There were other reasons to suspect Cumba as well. While hacking random carders, Max had once seen a message sent to the ShadowCrew administrator that read like instructions for a federal informant. Something told Max that the changes at ShadowCrew were turning the site into a new honeypot. After discussing his guesses with Chris, Max posted several messages on the forum laying out his suspicions. The posts disappeared at once. Max's suspicions were confirmed.

The New York police had caught Albert "Cumbajohnny" Gonzalez nine months earlier as he withdrew money from an ATM on the Upper West Side. A Miami native, Gonzalez was the 21-year-old son of two Cuban immigrants. He had been hacking for a long time and had once gone to Def Con in Vegas in 2001. Talking with Gonzalez in custody, the Secret Service quickly realized how useful Cumba could be. Albert lived in a garden apartment in Kearny for 700 dollars a month, was 12,000 dollars in debt and was officially registered as unemployed. But as Cumbajohnny he was a trusted figure and colleague to carders all over the world and, most importantly, a moderator on ShadowCrew. He was inside the beast's lair, and with proper preparation he could strike a crushing blow against the forum.

The Secret Service released Gonzalez on his own recognizance and began using him as an informant. The VPN was the agency's master stroke. The equipment was bought and paid for by the feds, and they obtained warrants to intercept the data of all the site's users. Cumbajohnny merely invited the carders into this wax museum.

ShadowCrew's big players immediately came under Secret Service surveillance. The leaky VPN laid bare the whole carding process that had previously stayed in the shadows: the hard negotiations conducted by email and instant messenger.

Transactions were carried out every day and every night, with a surge of trade on Sunday evenings. They ranged from the petty to the gargantuan. On May 19 agents watched Scarface transfer 115,695 credit cards to another member of the site; in July APK transferred a counterfeit British passport; in August Mintfloss sold a counterfeit New York driver's license, a health insurance card and a City University of New York student ID to someone who had requested a complete set of documents. A few days later came another Scarface transaction, this time only two credit cards; then Malpadre bought nine at once. In September Deck sold the fruits of his work in the form of a database of 18 million hacked email accounts containing users' names, passwords and dates of birth.

Fifty Secret Service agents worked tracing every transaction on the site and building the case for prosecution. Worst of all, most of ShadowCrew's residents were paying for the privilege of being surveilled by Secret Service agents.

Soon the agents learned that their apparently well-planned operation against the hackers had gaps. On July 28, 2004 Gonzalez reported to his handlers that a carder nicknamed Myth, one of King Arthur's cashers, had somehow obtained one of the agency's classified documents describing Operation Firewall. Myth immediately bragged about the news in an IRC room.

The feds ordered Gonzalez to find the source of the leak as fast as possible. Gonzalez contacted Myth under his nickname and learned that the documents Myth had read were only a drop in the ocean of leaked Secret Service data. Myth also said that a criminal case was being prepared against ShadowCrew, and even that the agency had an ICQ account.

Fortunately for Gonzalez, the documents did not mention the informant. Myth refused to give Gonzalez his source but agreed to arrange a meeting. The next day Gonzalez, Myth and a mysterious hacker using the temporary nickname "Anonyman" met on IRC. Gonzalez worked hard to win Anonyman's trust before the hacker revealed his identity.

It was Ethics, a vendor Cumba already knew from ShadowCrew. The leak was taking shape. In March the Secret Service had noticed Ethics selling access to the database of the large cellular operator T-Mobile. He had written on the forum: "I offer access to the customer information for any T-Mobile number. At minimum you get the customer's name, social security number and date of birth. At maximum you get the login and password for the Internet connection, the voicemail password and the security question and answer."

T-Mobile had failed to fix a critical security hole in application server software bought from BEA Systems of San Jose. The hole, found by third-party researchers, was dismayingly simple to exploit: an undocumented function allowed files on the system to be deleted or changed by submitting a specially crafted web request. BEA had released a patch for the bug in March 2003 and rated it high severity. In July of the same year the researchers who found the hole presented it at the Black Hat conference in Vegas. That pre-Def Con corporate gathering of 1,700 information security specialists and executives gave the gap in T-Mobile's defenses a fresh round of publicity.

Ethics learned of the BEA hole, wrote 21 exploits in Visual Basic and began scanning the Internet for potential victims who had not been able to, or had forgotten to, patch their applications. By October 2003 he had dragged T-Mobile through the mud. Ethics wrote an application through which he could query the customer database at any time.

To start, he used the access to get data on Hollywood stars. He managed to obtain candid photos of Paris Hilton, Demi Moore, Ashton Kutcher and Nicole Richie stolen from their handsets. Now it was obvious that the Secret Service would soon be next.

A simple Google search for Ethics's ICQ number turned up his real name, entered in a 2001 resume for a job search in computer security. He was Nicholas Jacobsen, a 21-year-old Oregonian who had moved to Irvine, California to work as a system administrator. All the Secret Service needed to bring charges against Jacobsen was important information from his machine.

Here Gonzalez again showed himself in all his glory. Now on friendly terms with Cumbajohnny, Ethics became interested in the ShadowCrew leader's VPN service, explaining that through the virtual private network he would be able to use the T-Mobile database more safely. Gonzalez gladly agreed to help, and his Secret Service handlers rubbed their hands as they watched Ethics wander around the T-Mobile database using the login and password of agent Peter Cavicchia III, a veteran cybercrime fighter who had become famous for arresting an AOL employee who stole 92 million customer email addresses to sell to spammers.

The leak was found. Cavicchia quietly retired three months later, and Ethics was added to the target list of Operation Firewall. There was one more threat to the investigation and, strangely enough, it came from one of the FBI's own assets.

David Thomas, a lifelong con man, discovered the crime forums on Counterfeit Library and soon became one of the scammers in the criminal community. Now 44, El Mariachi, as he called himself, was one of the most respected members of the carder community, having taken on the role of mentor to young scammers, dispensing advice on everything from identity theft to the life lessons he had picked up living on the outskirts.

But his experience did not save him from the dangers of his profession. In October 2002 Thomas showed up in a park near an office in Issaquah, Washington, where he and a workmate had rented a drop for one of the CardPlanet founders. They hoped to receive 30,000 dollars' worth of goods from Outpost.com ordered by the Ukrainian. Instead, local police were waiting for them.

After arresting Thomas, the detective read him his rights and gave him a form to sign confirming that he understood them. The mere thought that a local cop was going to interrogate him made Thomas burst out laughing. "You do not know who you have here." Thomas asked the detective to call the feds. The Secret Service needed to know who El Mariachi was, a man who could hand them the case of the Russians and "millions of dollars".

The Secret Service visited him in the county jail but was not impressed by his 30,000-dollar case. Then came an agent from the FBI's Seattle field office. At the second meeting the agent brought along an assistant U.S. attorney and an offer: the feds could not help Thomas with his local arrest, but when Thomas got out of jail he could work for the Northwest cybercrime task force.

It would be an intelligence-gathering mission, the official name for an FBI operation without predetermined targets. The bureau would buy Thomas a new computer, put him up in a luxurious apartment, pay all his expenses and give him 1,000 dollars a month in pocket money. In exchange Thomas had to gather information on the underground and report everything to the task force.

Thomas hated informants, but he liked the idea of being paid to watch and comment on the underground he was obsessed with. Gathering information was not informing, he reasoned. He could use the material he collected to write a book about carding, something he had been thinking about a lot lately.

And he certainly knew how to gather information on the task force itself, too.

Thomas got out of jail five months after his arrest. And in April the FBI acquired a new asset in its war on cybercrime: El Mariachi and his brand-new, state-funded forum called Grifters. (Article in WIRED)

Living in the bureau-paid apartment in Seattle, Thomas soon gathered plenty of information on his fellow carders, particularly those from Eastern Europe. Though Thomas worked for the FBI, he felt no kinship with other government agencies, and the news of the VPN service gave him the right idea: Cumbajohnny was a federal informant.

Thomas became fixated on exposing his rival. Ignoring his FBI handler's instructions, he constantly shouted Gonzalez's name on the forums. Gonzalez returned the favor: he found a copy of the police report on Thomas's arrest and sent it to Eastern European carders, drawing attention to the lines where Thomas offered to help catch the Russians. The war between the two informants grew into a full-scale war between the FBI and the Secret Service.

It was an inopportune time for the Western Europeans' dissatisfaction with the American carder drama. In May 2004 one of the Ukrainian founders of CardPlanet was extradited to the USA after being arrested on vacation in Thailand. The next month the British national police moved in on Leeds, going after the site's English-speaking administrators.

Script, whom the FBI, Orange County investigators and the U.S. Postal Inspection Service had been hunting, was washed off the site, leaving King Arthur at the helm. On July 28, 2004 King made an announcement.

He wrote: "The time has come to tell you bad news: the forum has to be closed." "Yes, it really means closing, and there are many reasons for it."

In broken English he explained that CardPlanet had become a magnet for law enforcement agencies from all over the world. When carders were caught, the police beat facts about the forum and its leaders out of them. Under constant pressure he could make a mistake. "We are all just people and each of us can make mistakes."

By closing CardPlanet he would deprive his enemies of their biggest prize.

"Our forum prepared them well, constantly keeping them in shape and reporting all the innovations in the underground world. Now everything will be different. They will not know which way the wind is blowing or what to do about it," Arthur said.

With that farewell speech King Arthur, a ten-times-over millionaire, became a carder legend. He would be remembered as the man who carefully carried the great CardPlanet to the end, before anyone else could take pleasure in destroying it.

ShadowCrew's leaders were less lucky. In September the FBI gave up on its operation with Thomas and gave him a month to move out of the apartment and wrap up his war with Cumbajohnny. The next month, on October 26, sixteen Secret Service agents gathered in a Washington command center, ready to launch Operation Firewall. Their targets were marked on a map of the United States filling the computer screens. The agents knew that each of their targets would be at home: on the Secret Service's orders, Gonzalez had arranged an online meeting for that evening, and nobody said no to Cumba.

At nine in the evening agents armed with semi-automatic MP5s broke into the homes of ShadowCrew members, seizing three founders, the hacker Ethics and sixteen other buyers and sellers. It was the biggest roundup of thieves in American history. Two days later a federal grand jury returned a sixty-two-count indictment, and the Justice Department went public with Operation Firewall.

"This indictment strikes at the heart of an organization that positioned itself as a one-stop marketplace for identity thieves," boasted Attorney General John Ashcroft. "The Justice Department aims to catch those who engage in identity theft or fraud, whether they are on the Internet or not."

With Gonzalez's help the Secret Service locked out the remaining 4,000 users of the site and replaced the home page with a Secret Service banner in the form of a grid. The new page carried a new slogan: "You are no longer anonymous!!"

Panicked carders around the world began reading the news and watching TV for information, worried about their own future and that of their compatriots. They gathered on a small forum called Stealth Division to assess the damage and take stock of what remained. "I am scared to death for my family, for my children," one cybercriminal wrote. "I just realized that my every step was being tracked."

Gradually the remaining members of the site realized that Cumbajohnny was not on the list of defendants. That was when he appeared online to make his final statement.

"I want everyone to know that I am in hiding and I have no idea how the U.S. Secret Service was able to do what they did. I learned from the news that they got access to the VPN and to ShadowCrew. This is my last post, good luck."

Nick Jacobsen, Ethics, was left out of the press release and held in Los Angeles. After the agency had collected all its awards for Operation Firewall, Ethics was charged with hacking the Secret Service's email. All the same, it was a flawless victory for the government. CardPlanet was closed, ShadowCrew shut down forever, and their leaders, except Gonzalez, in prison.

Carders were stunned, exhausted and, for the moment, deprived of shelter. "It will be decades before there is anything like ShadowCrew on the Internet again. And even if something appears, the forces of justice will beat it again. And knowing what price this crime carries, I doubt anyone will risk starting a new business."

Notes
Chapter 16: Operation Firewall

1 Banner ads appeared at the top of the site: This and other reporting on
Shadowcrew’s contents comes from a mirror of the public portion of the site captured
in October 2004, immediately before it was shuttered.

2 The posts disappeared at once: Interviews with Max. Aragon independently stated
that he and Max tried to warn Shadowcrew members in advance of the Operation
Firewall raids.

3 The transactions ranged from the petty to the gargantuan: Transaction details come
from the Operation Firewall indictment, U.S. v. Mantovani et al., 2:04-cr-00786, U.S.
District Court for the District of New Jersey.

4 Secret Service had noticed Ethics was selling: Ethics’s hacking of the Secret
Service agent was first reported by the author: "Hacker penetrates T-Mobile
systems," Securityfocus.com, January 11, 2005. His use of the BEA Systems exploit
came from sources close to the case and was first reported by the author: "Known
Hole Aided T-Mobile Breach," Wired.com, February 28, 2005
(http://www.wired.com/politics/security/news/2005/02/66735). Also see U.S. v. Nicolas
Lee Jacobsen, 2:04-mj-02550, U.S. District Court for the Central District of California.

5 David Thomas was a lifelong scammer who’d discovered the crime forums: For
Thomas’s history with the forums and the details of his work for the FBI, see Kim
Zetter, "I Was a Cybercrook for the FBI," Wired.com, January 20, 2007. A U.S.
government source confirmed to the author that Thomas had worked for the bureau
while running his forum, Grifters.

6 "You do not know who you have here": From the police report of Thomas’s arrest.
"The problem with the Bureau and the Secret Service is they look at the largest
biggest deals they can get in on," Thomas said in a 2005 interview with the author.
"They want the big enchilada."

7 Their targets were marked on a map of the United States: Brian Grow, "Hacker
Hunters," Businessweek, May 30, 2005
(http://www.businessweek.com/magazine/content/05_22/b3935001_mz001.htm). The
identification of the Secret Service agents’ guns also comes from this story.

8 Attorney General John Ashcroft boasted in a press release: "Nineteen Individuals
Indicted in Internet ‘Carding’ Conspiracy," October 28, 2004
(http://www.justice.gov/usao/nj/press/files/pdffiles/fire1028rel.pdf).

To be continued

Published translations and the publication plan (status as of November 16)
PROLOGUE (school students of GoTo camp)
1. The Key (Grisha, Sasha, Katya, Alyona, Sonya)
2. Deadly Weapons (Young Programmers of the FSB of the Russian Federation, 23 Aug)
3. The Hungry Programmers (Young Programmers of the FSB of the Russian Federation)
4. The White Hat (Sasha K, ShiawasenaHoshi)
5. Cyberwar! (ShiawasenaHoshi)
6. I Miss Crime (Valentin)
7. Max Vision (Valentin, 14 Aug)
8. Welcome to America (Alexander Ivanov, 16 Aug)
9. Opportunities (jellyprol)
10. Chris Aragon (Timur Usmanov)
11. Script’s Twenty-Dollar Dumps (Georges)
12. Free Amex! (Greenhouse of Social Technologies)
13. Villa Siena (Lorian_Grace)
14. The Raid (Georges)
15. UBuyWeRush (Ungswar)
16. Operation Firewall (Georges)
17. Pizza and Plastic (ready)
18. The Briefing (Georges)
19. Carders Market (Ungswar)
20. The Starlight Room (Ungswar)
21. Master Splyntr (Ungswar)
22. Enemies (Alexander Ivanov)
23. Anglerphish (Georges)
24. Exposure
25. Hostile Takeover
26. What’s in Your Wallet?
27. Web War One (Lorian_Grace)
28. Carder Court
29. One Plat and Six Classics
30. Maksik
31. The Trial
32. The Mall (Shuflin)
33. Exit Strategy
34. DarkMarket (Valera aka Dima)
35. Sentencing
36. Aftermath
EPILOGUE

This article is a translation of the original post at habrahabr.ru/post/270831/