Living undercover for three years with identity thieves

Salesmen and parents know the technique well. It’s called the takeaway, and as far as Keith Mularski is concerned, it’s the reason he kept his job as administrator of online fraud site DarkMarket.

DarkMarket was what’s known as a “carder” site. Like an eBay for criminals, it was where identity thieves could buy and sell stolen credit card numbers, online identities and the tools to make fake credit cards. In late 2006, Mularski, who had risen through the ranks using the name Master Splynter, had just been made administrator of the site. Mularski not only had control over the technical data available there, but he had the power to make or break up-and-coming identity thieves by granting them access to the site. And not everybody was happy with the arrangement.

A hacker named Iceman — authorities say he was actually San Francisco resident Max Butler — who ran a competing Web site, was saying that Mularski wasn’t the Polish spammer he claimed to be. According to Iceman, Master Splynter was really an agent for the U.S. Federal Bureau of Investigation.

Iceman had some evidence to back up his claim but couldn’t prove anything conclusively. At the time, every other administrator on the site was being accused of being a federal agent, and Iceman had credibility problems of his own. He had just hacked DarkMarket and three other carder forums in an aggressive play at seizing control of the entire black market for stolen credit card information.

That’s when Mularski went for the takeaway. Salesmen have long used this tactic to seal difficult deals: You simply take the deal off the table in the hope it will spur the customer to come to you. Badgered by questions about his credibility, he threatened to quit altogether. “I decided to risk it all and just said, ‘Hey, if you think you can do a better job running the site and if you think I’m a fed, then by all means take the stuff. I don’t want anything to do with it,” he recalled recently in an interview. “What law enforcement agency would, after they were monitoring the site, want to give it back to the bad guys?”

Mularski’s gambit paid off, and the other DarkMarket administrators let him stay on for another two years.

In the end they would regret that decision. Iceman was right: Supervisory Special Agent J. Keith Mularski had gone deeper into the world of online computer fraud than any FBI agent before. Working with police agencies in Germany, the U.K., Turkey and other countries, he spearheaded a remarkable investigation that netted 59 arrests and prevented an estimated US$70 million in bank fraud before the FBI pulled the plug on Operation DarkMarket on Oct. 4, 2008.

Mularski works for a little-known FBI division called the Cyber Initiative and Resource Fusion Unit, run out of the National Cyber-Forensics & Training Alliance in Pittsburgh, Pennsylvania. The unit is different from a typical FBI field office. It works hand in hand with industry and takes the time to do the deep research required to penetrate the world of online criminals.

How to stop ID theft

Tips to thwart ID thieves

“They have a direct personal relationship with industry people in all areas, but specifically a great relationship with the financial institutions,” said Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham.

The group also works closely with international law enforcement, laying the groundwork to prosecute Internet criminals who launch attacks across national borders. “Those relationships allow them to take on cases that nobody else would take on,” Warner said.

Mularski’s life as an undercover spammer began around July of 2005, when he created his handle Master Splynter in a tribute to the cartoon rat who plays sensei to the Teenage Mutant Ninja Turtles. His unit ran a project called Slam-Spam, and Mularski, a self-confessed computer nerd, said he had picked up a lot of spamming tricks before he started the operation. “I could talk shop,” he said.

He didn’t send out spam himself, but he knew what questions to ask and — more importantly — what not to ask. He kept to his character as a spammer. If someone approached him with a new “zero day” attack, he wouldn’t ask for details. And he avoided going after personal information, not asking forum members obvious cop-giveaways such as where did they live. “The thing is with these guys, you can’t necessarily target them and just approach them out of the blue,” he said. “So by being out there and not really caring about things — I played a lot of things off nonchalant — I was able to gain their trust.”

The hours were long; scammers don’t work 9 to 5. “Sometimes I spent as much as 18 hours in a day online,” Mularski said. “I was online every day from August 2006 until the operation came down.”

His most active discussion time was between 10 o’clock at night and one or two in the morning. “Every night I’d be watching TV with my wife next to me and I’d have the computer on, just in case somebody needed to get a hold of me,” he recalled.

After 10 years of marriage to an FBI agent, Mularski’s wife knew that operations could cut into personal time. It couldn’t have been easy, though. “She was the real saint in this whole thing,” he said.

Master Splynter didn’t take vacations either, even if Mularski did. “Usually, if you’re not going to be online, you’ve got to give notice because they wonder what you’re doing, whether you got busted or not. So if I was travelling somewhere and I couldn’t be online, I’d always give these guys advance notice.”

By September 2006, Mularski had become a moderator on DarkMarket. Not as powerful as an administrator, he was still a trusted manager, one step above the reviewers who assessed the quality of products being sold on the site.

That’s when he got his big break. And it came from an unlikely source: Iceman himself. According to authorities, Iceman was making a play to control the market for fake credit cards by hacking into four carder sites, including DarkMarket, knocking them offline and moving their membership to his own site, CardersMarket.

Even when the site was back up and running, Iceman continued to hit DarkMarket with distributed denial of service (DDoS) attacks, which would overwhelm it with wave after wave of useless Internet traffic.

Mularski wasn’t sure how things would play out, but in September 2006 he saw his chance. He started talking with Iceman about joining CardersMarket as a moderator, but soon realized that he the had a better shot with another administrator at DarkMarket, Renu Subramaniam, aka JiLsi. “I basically told him, ‘Hey, I can secure your servers for you,'” Mularski said. JiL

Related Download
CanadianCIO Census 2016 Mapping Out the Innovation Agenda Sponsor: Cogeco Peer 1
CanadianCIO Census 2016 Mapping Out the Innovation Agenda
The CanadianCIO 2016 census will help you answer those questions and more. Based on detailed survey results from more than 100 senior technology leaders, the new report offers insights on issues ranging from stature and spend to challenges and the opportunities ahead.
Register Now