[Infowarrior] - Cybercrime Supersite 'DarkMarket' Was FBI Sting

Richard Forno rforno at infowarrior.org
Tue Oct 14 11:35:47 UTC 2008


Cybercrime Supersite 'DarkMarket' Was FBI Sting, Documents Confirm
By Kevin Poulsen
October 13, 2008 | 4:20:08 PM | Categories: Crime

http://blog.wired.com/27bstroke6/2008/10/darkmarket-post.html


DarkMarket.ws, an online watering hole for thousands of identity  
thieves, hackers and credit card swindlers, has been secretly run by  
an FBI cybercrime agent for the last two years, until its voluntary  
shutdown earlier this month, according to documents unearthed by a  
German radio network.

Reports from the German national police obtained by the  
Südwestrundfunk, Southwest Germany public radio, blow the lid off the  
long-running sting by revealing its role in nabbing a German credit  
card forger active on DarkMarket. The FBI agent is identified in the  
documents as J. Keith Mularski, a senior cybercrime agent based at the  
National Cyber Forensics Training Alliance in Pittsburgh, who ran the  
site under the hacker handle Master Splynter.

The NCFTA is a non-profit information sharing alliance funded by  
financial firms, internet companies and the federal government. It's  
also home to a seven-agent FBI headquarters unit called the Cyber  
Initiative and Resource Fusion Unit, which evidently ran the  
DarkMarket sting.

The FBI didn't return a phone call Monday.

Like earlier crime sites, DarkMarket allowed buyers and sellers of  
stolen identities and credit card data to meet and do business in an  
entrepreneurial, peer-reviewed environment. Products for sale ran the  
gamut from specialized hardware, to electronic banking logins  
collected from phishing attacks, stolen personal data needed to assume  
a consumer's identity ("full infos") and credit card magstripe swipes  
("dumps"), which are used to produce counterfeit cards. Vendors were  
encouraged to submit their goods for review before offering them for  
sale.

The unearthed documents, seen by Threat Level, show the FBI sting had  
begun by November, 2006. An FBI memo sent to the German national  
police regarding a forum member in that country boasts, "Currently,  
the FBI has been successful in penetrating the inner 'family' of the  
carding forum, DarkMarket." A March 2007 e-mail from Mularski's FBI  
address to his German counterpart puts it bluntly. "Master Splynter is  
me."

The documents indicate the FBI used DarkMarket to build "intelligence  
briefs" on its members, complete with their internet IP addresses and  
details of their activities on the site. In at least some cases, the  
bureau matched the information with transaction records provided by  
the electronic currency service E-Gold.

Last month, Master Splyntr -- now identified as Mularski -- announced  
he was shuttering the site as of October 4th, citing unwanted  
attention garnered by a fellow administrator, known as Cha0. From his  
home in Turkey, Cha0 had aggressively marketed a high-quality ATM  
skimmer and PIN pad that fraudsters could covertly affix to certain  
models of cash machines, capturing consumers' account numbers and  
secret codes. But he began drawing heat this year after reportedly  
kidnapping and torturing a police informant. He was arrested in Turkey  
last month, where police identified him as one Cagatay Evyapan.

That's why it was time to close DarkMarket, Master Splynter explained,  
in a message that now rings with irony.

"It is apparent that this forum … is attracting too much attention  
from a lot of the world services (agents of FBI, SS, and Interpol). I  
guess it was only time before this would happen. It is very  
unfortunate that we have come to this situation, because ... we have  
established DM as the premier English speaking forum for conducting  
business. Such is life. When you are on top, people try to bring you  
down."

The German reports confirm rumors that have swirled around DarkMarket  
since late 2006, when uber-hacker Max Ray Butler cracked the site's  
server and announced to the underground that he'd caught Master  
Splynter logging in from the NCFTA's office on the banks of the  
Monongahela River. Butler ran a site of his own, and the warning was  
generally dismissed as inter-forum rivalry, even when Butler was  
arrested in San Francisco last year on credit card fraud charges, and  
shipped to Pittsburgh for prosecution.

Until this afternoon, SpamHaus listed Master Splynter as an Eastern  
European spammer named Pavel Kaminski, who was active as recently as  
2005. It's possible the FBI took over the handle sometime thereafter.  
In 2004, the Secret Service ran a similar scheme on the crime board  
ShadowCrew, but that agency used an informant, who went on to commit  
more crimes -- a risk not likely present with agent Mularski.

Lord Cyric, another former DarkMarket administrator, says Master  
Splynter was invited onto DarkMarket as an admin about two years ago,  
and was still known as a spammer. Based in Canada, Lord Cyric has sold  
fake IDs and checks in the underground, but he's convinced he's out of  
reach of any sting operation.

"Worry? Me? Nah," he wrote in an IM interview. "It's a long, slow hard  
process for them to interest Canadian [law enforcement] to go after  
someone who doesn't touch drugs nor deals with skimmers. ... It's all  
about U.S. busts, unless there's a big drug deal and DEA gets involved."

Threat Level admires Lord Cyric's bluster, but thinks his days in the  
underground are numbered. The FBI almost certainly closed DarkMarket  
in preparation for a global wave of arrests that will unfold in the  
next month or so. The site was likely shuttered to avoid an Agatha  
Christie scenario in which a diminishing pool of cybercrooks are free  
to speculate about why they're disappearing one-by-one like the  
hapless dinner guests in Ten Little Indians.

Kudos to Südwestrundfunk reporter Kai Laufen, who discovered the  
operation. I'm sending him the "I Spotted the Fed" tee-shirt I took  
home from DefCon 7.

