Countless Dens of Uncatchable Thieves

By TOM ZELLER Jr.
YOU'VE probably never met Sergey Kozerev, a former student at the State University of Technology and Design in St. Petersburg, Russia, but it's possible that he's mugged you.

In the online world, he operates under the pseudonym Zo0mer, according to American investigators, and he smugly hawks all manner of stolen consumer information alongside dozens of other peddlers at a Web site he helps manage.

"My prices are lowers then most of other vendors have and I will deliver them in real time," reads a typically fractured Zo0mer post.

At the same forum, another user, "tabbot," offers "any U.S. bank accounts" for sale.

"Balance from 3K and above: $40," he writes. "Regular brokerage accounts from 3K and above: $70."

Tabbot also offers full access to hacked accounts from credit unions. One, with a $31,000 balance, is being sold for $400. "I can try search specific info such as signature, ssn, dob, email access," tabbot writes. "Account with an extra info will be more expensive."

The online trade in stolen financial data is thriving. So the news last week that the United States Secret Service has been Hoovering up identity thieves, document forgers and other members of online "carding" sites — Web forums that have become outposts for peddling hacked account numbers, bank passwords and PIN numbers, as well as the viruses, scripts and phishing scams designed to steal them — seemed a coup.

But however deserving those caught in this most recent sweep might be (20 have been arrested across the United States and one in Britain over the last three months, the agency said), the fact remains that in the transnational, Internet-driven market for stolen financial and consumer data, some thieves are simply easier to nab than others.

And while Russians and Eastern Europeans like Zo0mer have become the top bananas in the stolen data trade, the English-speaking — particularly American — players are really the lowest-hanging fruit.

"I deal with them only from an intelligence perspective," said Gregory Crabb, an investigator with the United States Postal Inspection Service and the economic crimes division of Interpol, referring to English-speaking carders. "And only to know if the big players in Eastern Europe and Russia are recruiting. They are a dime a dozen, and relatively easy to track down and pop."

Not surprisingly, despite ruling like dark knights behind their own cryptic pseudonyms, American traders are often exposed under harsh light as middling rubes or barely post-adolescent power-trippers who were easily duped by undercover agents working the same boards.

Even Operation Firewall, the Secret Service sledgehammer that managed to infiltrate and shatter the largest English-language crime board in October 2004, has done little, two years later, to slow the global data trade.

"The Secret Service says the defendants are part of a 'highly organized international criminal enterprise,' " blogged Brian McWilliams, the author of "Spam Kings" and a keen follower of cybercrime, at the time of the Shadowcrew arrests. "But I have a hard time believing that we're talking about a real sophisticated group of criminals here. One of the defendants, 20-year-old Paul A. Mendel Jr., aka Mintfloss, lives with his grandparents in Albany, N.Y."

To be fair, prosecutors estimated that Shadowcrew had done damages in excess of $4 million over its two-year history. That's not pocket change, and the true tally is surely much higher. And those arrests have led to others, which no one can argue is a bad thing.

But consider that just one young American, 22-year-old Douglas Cade Havard, using real contacts with the Russian underworld, managed to steal, along with a Scottish accomplice, more than $11 million in two years, according to investigators.

In one scheme, the pair, now in British prisons, encoded stolen account numbers onto blank cards and withdrew over $1.3 million from various Western banks in just 10 months. Of course, they were receiving the stolen account data from — and were kicking most of the proceeds back to — Russian hackers, who are presumably still at large.

There are other recent American arrests. Seventeen-year-old Hunter Moore of Manchester, N.H., was nabbed in a Secret Service sting and pled guilty in August to identity fraud and making counterfeit credit cards while living with his grandmother.

And a Virginia Tech student, Benjamin W. Pinkston, was among seven people arrested in last week's return of Operation Rolling Stone. According to The Roanoke Times, he was released to the custody of his parents on Tuesday and told to stay off the Internet. A judge eased that restriction, when it was suggested it would make it hard for the young man to do his homework.

Meanwhile, American law enforcement can often only watch the real kingpins like Zo0mer (which he spells with a signature zero) from afar.

"It's a big job to navigate the treaties and the rights to privacy in disclosing information to foreign law enforcement," Mr. Crabb said.

And that's just the beginning. Even when banks and credit card companies are willing to share the details of a breach (and many would prefer to keep mum rather than risk publicity), it is equally daunting to try to win the attention and cooperation of foreign investigators, Mr. Crabb said.

This is particularly true in parts of the former Eastern Bloc, where law enforcement is often facing down more immediate local problems — organized crime, tax schemes, corruption — and might understandably place the plight of American banks and consumers a bit lower on their priority list.

Indeed, in some countries, Mr. Crabb suggested, law enforcement officers responsible for combating online data thieves may have never owned a credit card themselves.

"That is actually one of the first things I tell financial institutions when I'm educating them about this," Mr. Crabb said. "Take that credit card out of the equation. Those law enforcement officials don't have one. They don't understand the power of one. It's a hurdle that we have to overcome."

And even when a big fish is caught, as happened last summer with the arrest in Ukraine of Dmitro Ivanovich Golubov, aka "Script," according to authorities, there is little that can be done when he is released.

Mr. Golubov's capture was described in The Wall Street Journal by Larry Johnson of the Secret Service, as "one of the most significant apprehensions of a high-level Eastern European responsible for criminal activity on the Internet."

Still, to the dismay of American law enforcement officials (and some of their Ukrainian counterparts), Mr. Golubov was quietly released from prison in December while awaiting trial.