Cybercrime flourishes in online hacker forums
By Byron Acohido and Jon Swartz, USA TODAY
SEATTLE -- Criminals covet your identity data like never before. What's
more, they've perfected more ways to access your bank accounts, grab
your Social Security number and manipulate your identity than you can
Want proof? Just visit any of a dozen or so thriving cybercrime
forums, websites that mirror the services of Amazon.com and the
efficiencies of eBay. Criminal buyers and sellers convene at these
virtual emporiums to wheel and deal in all things related to
cyberattacks -- and in the fruit of cyberintrusions: pilfered credit
and debit card numbers, hijacked bank accounts and stolen personal
The cybercrime forums gird a criminal economy that robs
U.S. businesses of $67.2 billion a year, according to an FBI
projection. Over the past two years, U.S. consumers lost more than $8
billion to viruses, spyware and online fraud schemes, Consumer Reports
In 2004, a crackdown by the FBI and U.S. Secret Service briefly
disrupted growth of the forums. But they soon regrouped, more robust
than ever. Today, they are maturing -- and consolidating -- just
like any other fast-rising business sector, security experts and law
enforcement officials say. In fact, this summer a prominent forum
leader who calls himself Iceman staged a hostile takeover of four
top-tier rivals, creating a megaforum.
Security firms CardCops, of Malibu, Calif., and RSA Security, a
division of Hopkinton, Mass.-based EMC, and volunteer watchdog group
Shadowserver observed the forced mergers, as well, and compiled dozens
of takeover-related screen shots. "It's like he created the Wal-Mart
of the underground," says Dan Clements, CEO of CardCops, an
identity-theft-prevention company. "Anything you need to commit your
crimes, you can get in his forum."
The Secret Service and FBI declined to comment on Iceman or the
takeovers. Even so, the activities of this mystery figure illustrate the
rising threat that cybercrime's relentless expansion -- enabled in large
part by the existence of forums -- poses for us all.
In the spy vs. spy world of cybercrime, where trust is ephemeral and
credibility hard won, CardersMarket's expansion represents the latest
advance of a criminal business segment that began to take shape with the
formation of the pioneering Shadowcrew forum.
Shadowcrew, which peaked at about 4,000 members in 2004, arose in
2002. It established the standard for cybercrime forums -- set up
on well-designed, interactive Web pages and run much like a
well-organized co-op. Communication took place methodically, via the
exchange of messages posted in topic areas. Members could also
exchange private messages.
Shadowcrew gave hackers and online scammers a place to congregate,
collaborate and build their reputations, says Scott Christie, a former
assistant U.S. Attorney in New Jersey who helped prosecute some of its
In the October 2004 dragnet, called Operation Firewall, federal agents
arrested 22 forum members in several states, including co-founder Andrew
Mantovani, 24, aka ThnkYouPleaseDie. At the time, Mantovani was a
community college student in Scottsdale, Ariz. In August, he began
serving a 32-month federal sentence for credit card fraud and
Shadowcrew as catalyst
Shadowcrew's takedown became the catalyst for the emergence of forums as
they operate today. With billions to be made, new forums have reformed
like amoebas, splintering into 15 to 20 smaller-scale co-ops. "They
learned that it's best to disperse," says Yohai Einav, director of RSA
Security's Tel Aviv-based fraud intelligence team.
Forum leaders have become increasingly selective about accepting new
members. "Vouching" for new members is now the norm, requiring a
member in good standing to extend an invitation to new recruits. Some
forums charge an initiation fee; others limit the power to invite new
members to the forum leaders.
Veteran vendors and buyers typically do business in multiple forums
simultaneously, in case any particular forum shuts down.
"If criminals get caught one way, they modify their behavior," says
Kevin O'Dowd, an assistant U.S. Attorney in New Jersey who prosecuted
the Shadowcrew case.
Some forums have become known for their specialties, such as offering
free research tools to do things such as confirming the validity of a
stolen credit card number or learning about security weaknesses at
specific banks. A few offer escrow services, handling the details of
complex deals for a fee.
The better-run forums invest in tech-security measures that have
become the norm in the corporate world, such as use of encrypted Web
pages. All forums run aggressive campaigns to identify and sweep out
rippers -- the con artists who gain membership and instigate deals,
only to renege on their part of the bargain.
From this post-Shadowcrew milieu, Iceman has emerged as a forum leader
RSA Security has tracked Iceman's postings on CardersMarket since
October 2005; CardCops has compiled an archive of hundreds of postings
on several forums by someone using the nickname Iceman since January
In the boastful world of cybercrime, nicknames, or nics, are
sacrosanct. It's not unusual for a hacker or cyberthief to go by two
or three different nics, but unthinkable for two or three people to
knowingly share the same nic, says RSA Security's Einav. "I believe
we're talking about one guy and not a group hiding behind his name,"
Clearly enterprising and given to posting rambling messages explaining
his strategic thinking, Iceman grew CardersMarket's membership to
1,500. On Aug. 16, he hacked into four rival forums' databases,
electronically extracted their combined 4,500 members, and in one
stroke quadrupled CardersMarket's membership to 6,000, according to
security experts who monitored the takeovers.
The four hijacked forums -- DarkMarket, TalkCash, ScandinavianCarding and
TheVouched -- became inaccessible to their respective members. Shortly
thereafter, all of the historical postings from each of those forums
turned up integrated into the CardersMarket website.
To make that happen, Iceman had to gain access to each forum's
underlying database, tech-security experts say. Iceman boasted in
online postings that he took advantage of security flaws lazily left
unpatched. CardCops' Clements says he probably cracked weak database
passwords. "Somehow he got through to those servers to grab the
historical postings and move them to CardersMarket," he says.
Iceman lost no time touting his business rationale and hyping the
benefits. In a posting on CardersMarket shortly after completing the
takeovers he wrote: "basically, (sic) this was long overdue ... why
(sic) have five different forums each with the same content, splitting
users and vendors, and a mish mash of poor security and sometimes poor
He dispatched an upbeat e-mail to new members heralding
CardersMarket's superior security safeguards. The linchpin: a recent
move of the forum's host computer server to Iran, putting it far
beyond the reach of U.S. authorities. He described Iran as "possibly
the most politically distant country to the united states (sic) in the
At USA TODAY's request, CardCops traced CardersMarket's point of origin
and confirmed that it is registered to a computer server in Iran.
If Iceman succeeds in establishing CardersMarket as the Wal-Mart of
forums, its routing through an Iranian server will make an already
complex law enforcement challenge that much more difficult, security
"Chasing these carding fraudsters is like chasing terrorists in
Afghanistan," says RSA Security's Einav. "You know they are somewhere
out there, but finding their caves, their underground bunkers, is
The U.S. Secret Service declined to answer questions about Iceman and
CardersMarket. It would not acknowledge whether they are under
investigation as part of Operation Rolling Stone, the most intensive
federal probe of cybercrime since Operation Firewall. This year, 35
suspects have been arrested. No names were initially released, but a
few have surfaced after indictments were unsealed.
Suspects include Binyamin Schwartz, 28, of Oak Park, Mich., indicted
in July in Nashville for allegedly trafficking more than 100,000
Social Security numbers, and Paulius Kalpokas, 23, of Lithuania, whose
extradition to Nashville on charges of trafficking stolen credit card
data has been requested.
Schwartz "got caught up in something on the Internet but did not
profit from it," says Sanford Schulman, Schwartz's attorney. "He
inquired about acquiring information online without criminal intent,
nor was he involved in a sophisticated enterprise."
Secret Service spokesman Thomas Mazur says Operation Rolling Stone is
designed to "disrupt and dismantle any of these carding forums," but
he declined to say which forums or how many are being investigated.
Security experts worry that CardersMarket's emergence as a model for
setting up hypersafe forums could translate into a spike of activity
by the best and brightest cybercrooks.
"It's called bulletproofing," says CardCops' Clements. "Guys will now
migrate to CardersMarket because they really are untouchable there."
Trust a thief?
Iceman's masterstroke rattled his rivals and raised suspicions among his
In the tech industry, companies routinely spread what they call FUD --
fear, uncertainty and doubt -- about a competitor's business model.
Shortly after Iceman swept up TalkCash's 2,600 members onto
CardersMarket's website, TalkCash's leader, nicknamed Unknown Killer,
e-mailed a shrill warning to TalkCash members: "I've talked to a number
of guys and all say that they didn't merge a (expletive) with that site
... so please beware as they can be feds."
Speculation abounds on the Internet that the FBI helped install Iceman
as head of a dominant forum set up to lure kingpin cybercrooks into
In busting up Shadowcrew, law enforcement had used a high-ranking
member of Shadowcrew as an inside informant, beginning in August 2003,
according to court records. Security experts say it's possible, though
unlikely, Iceman could be an informant. While not commenting directly
about Iceman, FBI spokesman Paul Bresson says, "The FBI is not in the
business of exposing Americans to fraud."
Instead of being admired by his peers, Iceman found himself scrambling
to deal with an intensifying backlash. A forum member, nicknamed Silo,
posted this public comment on CardersMarket: "How Can we TRUST you and
this boards admin? You breached our community's security. Stole the
Databases of other forums ... you've breached what little trust
exist's (sic) in the community."
Ten days after the forced mergers, the deposed leaders of DarkMarket
and ScandinavianCarding managed to reconstitute forums under those
names. And CardersMarket appeared to be under assault, with some of
the features on its website functioning sporadically, according to RSA
Security experts expect the infighting to run its course. They say
Iceman's attack prompted forum leaders to beef up database passwords
and patch other security holes, making both hostile takeovers and law
enforcement investigations more difficult. Most experts expect the
activity level of the forums to rise, because many consumers and
businesses are uninformed or apathetic.
Consumers' lax attitudes
Consumers continue to exhibit lax attitudes, even as Internet
intrusions and scams rise in frequency and sophistication. John
Thompson, CEO of anti-virus giant Symantec, contends Internet users
must adopt the same "sixth sense about security" they use when they
get in their cars or leave home.
Meanwhile, the commercial sector has been slow to ask consumers to
take other steps, such as using a smartcard or fingerprint reader —
along with typing a log-on and password — to prove they are who
they say online.
Thomas Harkins spent two decades as operations director for MasterCard
International's fraud division, gaining an insider's view of
cybercrime's breakneck rise. Now COO of security firm Edentify, based
in Bethlehem, Pa., Harkins says identity theft is poised to increase
by a factor of 20 over the next two years.
"There's so many stolen identities in criminals' hands that (identity
theft) could easily rise 20 times," Harkins says. "The criminals are
still trying to figure out what to do with all the data."
Meanwhile, stories such as Kevin Munro's will continue to pile up. In
late August, the name, Social Security number and other data of the
51-year-old Warsaw, N.Y., building inspector turned up for sale on a
forum monitored by CardCops. Munro recalls changing checking accounts
after a thief tried to cash several bad checks in 2002. Since then,
his personal data have persisted in circulation.
Cybercrooks have used it online to order magazines, purchase three
Dell computers and attempt to take out a real estate loan. Recently,
MasterCard notified Munro that an account he's had for 20 years and
uses infrequently was being canceled.
"I work for a living," Munro says. "I do everything on the up-and-up,
and some lowlife comes by and takes it away."
Acohido reported from Seattle, Swartz from San Francisco.
Find this article at:
Copyright 2007 USA TODAY, a division of Gannett Co. Inc.
NOTE: For more telecom/internet/networking/computer news from the
daily media, check out our feature 'Telecom Digest Extra' each day at
http://telecom-digest.org/td-extra/more-news.html . Hundreds of new
articles daily. And, discuss this and other topics in our forum at
For more news and headlines, please go to: