Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground

"Kingpin" explores the early days of large-scale credit card theft. Poulsen, a convicted hacker himself, details the mechanics of how hackers stole credit card numbers (mostly from restaurant point of sale systems), manufactured fake cards, and employed a team of buyers to make fraudulent purchases with the cards. The book is nominally about the hacker Max Butler, a.k.a. "Max Vision," but I found him fairly snooze-worthy compared to the more philosophically interesting "Dread Pirate Roberts" of "American Kingpin". "Kingpin" includes some background on the cyberintelligence community and the institutions like the National Cyber Forensics and Training Alliance and ROKSO that fight digital fraud.

The global "carding" community's small size (6,000) surprised me. It really seems like a pretty small number of people. And given the stated annual totals for credit card fraud (~$3B), that comes out to something like $500K per person per year. It's a fair chunk of change, but not really in the grand scheme of things.

It was also interesting to see the use of pre-bitcoin "e-gold" as the way that criminals transferred money online. Although Carders Market has been shut down, the "carding" saga continues - Wikipedia contains a fairly up-to-date list of new marketplaces and recent busts.

This book was part of my 2018 reading theme on "Crime and Punishment".

My highlights below.


On August 16, 2006, he dispatched an unapologetic mass e-mail to the denizens of the sites he’d destroyed: They were all now members of Iceman’s own Cardersmarket.com, suddenly the largest criminal marketplace in the world, six thousand users strong and the only game in town.

The first people to identify themselves as hackers were software and electronics students at MIT in the 1960s.

Salgado represented the first of a new breed of profit-oriented hacker, and he posed a threat to the future of e-commerce.

“Now, the FBI wanted me to tell you that it was good for Mr. Salgado that he talked.” Granick paused. “That’s bullshit. “Just say no!” she said, and cheers and whistles swelled from the audience. “There’s never any good reason to talk to a cop... If you’re going to cooperate, you’re going to cooperate after consulting with a lawyer and cutting a deal. There’s never any reason to give them information for free.”

Russian police had ignored a diplomatic request to detain and question Ivanov, and that was when the feds created Invita, a full-blown undercover business designed to lure the hacker into a trap.

With top-flight technical colleges but few legitimate opportunities for their graduates, Russia and the former Soviet satellite states were incubating a new breed of hacker.

The discussion was sparked by the success of a UK-hosted website erected in 2000 called Counterfeit Library, which solved one of the fundamental weaknesses of conducting criminal business in IRC chat rooms, where the wisdom and experience of years of crime vanished into the air as soon as the chat was over. Founded by a handful of Western cybercrooks, Counterfeit Library collected underground tutorials onto a single website and attached an online discussion forum where identity thieves could gather to swap tips and buy and sell “novelty” identification cards—a euphemism distilled from the same spirit in which hookers go on “dates.”

In June 2001, the result of the Odessa summit was unveiled: the International Carders Alliance, or simply Carderplanet.com, a tightly organized reinvention of Counterfeit Library catering to the underworld of the former Soviet empire. While Counterfeit Library was a freewheeling discussion board and BOA Factory a straightforward storefront operation, CarderPlanet was a disciplined online bazaar, charged with the excitement of a commodities exchange.

CarderPlanet was soon imitated by a second site, this one aimed at the English-speaking world: Shadowcrew.

With the motto “For Those Who Like to Play in the Shadows,” Shadowcrew was at once a study-at-home college and an online supermarket for nearly anything illegal. Its tutorials offered lessons on how to use a stolen credit card number, forge a driver’s license, defeat a burglar alarm, or silence a gun. It boasted a wiki that tracked which state driver’s licenses were forgeable. And its approved vendors around the world could provide a dizzying array of illicit products and services: credit reports, hacked online bank accounts, and names, birth dates, and Social Security numbers of potential identity theft targets.

When it was introduced by Visa in 1992, the CVV began driving down fraud costs immediately, from nearly .18 percent of Visa transactions that year to around .15 percent a year later.

Hackers began breaching transaction-processing systems for the data, but the most straightforward way for ordinary crooks to steal the information was to recruit a cash-hungry restaurant employee and equip him with a pocket-sized “skimmer,” a magstripe reader with built-in memory.

A dump was worth about $20 for a standard card, $50 for a gold card, and $80 to $100 for a high-limit corporate card.

To guard against what Chris was contemplating, many high-end stores require the checkout clerk to physically type the last four digits from the face of the credit card; the point-of-sale terminal rejects the card, or worse, if the digits don’t match what’s on the stripe. A reprogrammed card was only good at spots where employees never get to lay their hands on the plastic, like gas stations or drugstores.

The greedy banks and credit card companies who saddle consumers with $400 billion in debt each year while charging usurious interest and hooking kids on plastic before they’ve graduated college. And because consumers were never held directly liable for fraudulent charges—by law they could only be billed for the first $50, and most banks waived even that — credit card fraud was a victimless crime, costing only these soulless institutions money. Credit wasn’t real, Max reasoned, just an abstract concept; he would be stealing numbers in a system, not dollars in someone’s pocket. The financial institutions would be left holding the bag, and they deserved it.

The exploit took advantage of the fact that Internet Explorer can process more than just Web pages. In 1999, Microsoft added support for a new type of file called an HTML Application—a file written in the same markup and scripting languages used by websites but permitted to do things on a user’s computer that a website would never be allowed to do, like creating or deleting files at will and executing arbitrary commands.

One is a translucent image of the California state seal, set in a repeating pattern in the clear laminate over the face of the license. To simulate it, Chris used Pearl Ex, a fine colored powder sold at arts-and-crafts stores for less than three dollars a jar. The trick was to dust a sheet of laminate with a mix of gold and silver Pearl Ex, feed it into a printer loaded with a clear ink cartridge, and print a mirror image of the California pattern with the transparent ink. It didn’t matter that the ink was invisible—it was the heat from the print head he was after. When the sheet came out, the printer had heat-fused the pattern onto the surface, and the extra Pearl Ex was easily washed away in a cold rinse.

Then there were the odd comments at the monthly Hungry Programmers’ dinner at Jing Jing in Palo Alto.

DDoS attacks started as a way for quarreling hackers to knock each other out of IRC. Then one day in February 2000, a fifteen-year-old Canadian named Michael “MafiaBoy” Calce experimentally programmed his botnet to hose down the highest-traffic websites he could find. CNN, Yahoo!, Amazon, eBay, Dell, and E-Trade all buckled under the deluge, leading to national headlines and an emergency meeting of security experts at the White House. Since then, DDoS attacks had grown to become one of the Internet’s most monstrous problems.

But Commerce Bank was just the beginning. In 2004, nearly half America’s banks, S&Ls, and credit unions still weren’t bothering to verify the CVV on ATM and debit transactions, which is why America’s in-boxes were being flooded with phishing e-mails targeting PIN codes for what the carders called “cashable” banks. Citibank, the nation’s largest consumer bank by holdings, was the most high-profile victim.

To keep his prints off the machines, he’d press the buttons through a piece of paper or with his fingernails, or coat the pads of his fingers with hydroxyquinoline—a clear, tacky antiseptic sold in drugstores as the liquid bandage New-Skin.

In May 2005, a Gartner analyst organized a survey of five thousand online consumers and, extrapolating the results, estimated that it had cost U.S. financial institutions $2.75 billion. In just one year.

But VPNs have one well-known weakness: everything transpiring over the network has to be funneled through a central point, unencrypted and vulnerable to eavesdropping.

And the best part was, many of Shadowcrew’s denizens were unwittingly paying the Secret Service for the privilege of being monitored.

A full-blown proxy war had broken out between the FBI and Secret Service, by way of two informants.

With that farewell note, King Arthur, almost certainly a millionaire ten times over, became a carder legend. He would be remembered as the one who gently folded the great CarderPlanet before anyone else could enjoy the pleasure of taking it down.

He was assigned to the civilian office of an industry nonprofit group in Pittsburgh called the National Cyber Forensics and Training Alliance. The NCFTA had been formed by banks and Internet companies a couple of years earlier to track and analyze the latest scams targeting consumers online—mostly phishing attacks.

Anderson was a legend as “ncXVI,” a fake-ID expert and author of the self-published book Shedding Skin, the bible of identity reinvention.

The alternate handle was a keystone in Max’s new business strategy. Shadowcrew had fallen because prosecutors proved that the founders were themselves buying, selling, and using stolen data — running an informational website wasn’t, in and of itself, illegal, Max reasoned. So Iceman would be the public face of Carders Market but would never buy or sell stolen data. Digits, his alter ego, would handle that, vending the dumps Max was siphoning from the Vancouver pizza joint to anyone who could afford them.

The criminals weren’t hiding at all. They were advertising their services on the forums. That made them vulnerable, in the same way the New York and Chicago Mafia’s rituals and strict hierarchy had given the FBI a roadmap to crack down on the mob decades before.

Borrowing a page from a Robert Ludlum novel, Mularski decided Master Splyntr needed a background legend that could propel him into the new crime boards. His thoughts turned to a Europe-based antispam organization called Spamhaus that he’d worked with as part of previous FBI initiatives.

Peopled by the likes of Alan “Spam King” Ralsky and the Russian Leo “BadCow” Kuvayev, the Registry of Known Spam Operations, or ROKSO, is second only to a federal grand jury indictment on the list of places an Internet scammer doesn’t want to see his name.

Johnson’s specialty was the same scam the Los Angeles target had been carrying out. He’d mine victims’ Social Security numbers from online databases, including California’s Death Index of recently departed Golden State residents, then file bogus tax returns on their behalf, directing the refunds into prepaid debit cards that could be used for ATM withdrawals. He’d pulled in more than $130,000 in tax refunds under forty-one names, all under the nose of the Secret Service.

Carders Market had six thousand members now. It was larger than Shadowcrew had ever been.

Max’s hostile takeover was about fixing the community, not personal profit. But his business in stolen magstripe data was stronger than ever after the merger — he was earning a thousand dollars a day now selling dumps to carders around the world, in addition to the five to ten thousand a month he was still pulling in through his partnership with Chris.

As Digits, Max accumulated page after page of positive reviews on Carders Market and a reputation for square dealing. It was a point of pride with Max—and a sign of the moral compartmentalization he’d practiced since childhood. Max would happily hack a carder and copy his entire hard drive, but if a customer paid him for information, Max wouldn’t even consider shortchanging him. His generosity, too, was well known. If Max had dumps that were about to expire, he’d give them away for free rather than let them go to waste. Together, his exemplary business practices and the quality of his product made Max one of the top five dumps vendors in the world, in a market traditionally dominated by Eastern European sellers.

The story involved Silo, a Canadian hacker known for an uncanny ability to juggle dozens of false handles in the community, effortlessly switching writing styles and personalities for each one.

Like virtually all carders, Matrix preferred to be paid by e-gold, an electronic payment system created by a former Florida oncologist named Douglas Jackson in 1996. A competitor to PayPal, e-gold was the first virtual currency backed by deposits of actual gold and silver bullion held in bank vaults in London and Dubai. It had been Jackson’s dream to forge a true international monetary system independent of any government. Criminals loved it. Unlike a real bank, e-gold took no measures to verify the identity of its users—account holders included “Mickey Mouse” and “No Name.” To get money in or out of e-gold, users availed themselves of any of hundreds of independent e-gold exchangers around the world, businesses that would accept bank transfers, anonymous money orders, or even cash in hand and convert it to e-gold for a cut. Exchangers took another slice when a user wanted to convert in the other direction, changing the virtual money into the local currency or receiving it by Western Union, PayPal, or wire transfer.

Thanks in large part to Maksik’s hacker and Max Vision, the popular consumer impression that Web transactions were less secure than real-life purchases was now completely false. In 2007, the majority of compromised cards were stolen from brick-and-mortar retailers and restaurants. The large retail intrusions were compromising millions of cards at a time, but breaches at smaller merchants were far more common—Visa’s analysis found 83 percent of credit card breaches were at merchants processing one million Visa transactions or less annually, with the majority of thefts taking place at restaurants.

The feds responded with a draconian counterproposal that would have made it a five-year felony to sell any encryption software in America that lacked a back door for law enforcement and government spies.

But the feds lost the crypto wars, and by 2005 unbreakable crypto was widely available to anyone who wanted it.

Federal criminal trials are rare. Faced with the long prison terms recommended by rigid sentencing guidelines, most defendants opt to take a plea deal in exchange for a slightly shortened sentence or limit their exposure by becoming an informant. Some 87 percent of prosecutions were resolved in this manner in 2006, the year of Giannone’s trial. In another 9 percent of the cases, charges were dismissed before reaching a trial, the government preferring to drop a marginal case rather than risk a loss. Once a jury is seated, a defendant’s chances for acquittal are about one in ten.

But, like e-gold, Hushmail was another formerly crime-friendly service now being mined by law enforcement. U.S. and Canadian agencies had been winning special orders from the Supreme Court of British Columbia that forced Hushmail officials to sabotage their own system and compromise specific surveillance targets’ decryption keys.

The key to cracking a full-disk encryption program is to get at it while it’s still running on the computer. At that point, the disk is still fully encrypted, but the decryption key is stored in RAM, to allow the software to decrypt and encrypt the data from the hard drive on the fly.

They had everything: five terabytes of hacking tools, phishing e-mails, dossiers he’d compiled on his online friends and enemies, notes on his interests and activities, and l.8 million credit cards accounts from over a thousand banks. The government broke it down: Max had stolen 1.1 million of the cards from point-of-sale systems. The remainder mostly came from the carders Max had hacked.

The government had secretly flown Chris to Pittsburgh for weeks of debriefing while the credit card companies tallied the fraudulent charges on Max’s cards, arriving at a staggering $86.4 million in losses. Max’s profits were far less: Max told the government he earned under $l million from his capers and had pissed most of it away on rent, meals, cab fare, and gadgets.

The carder turncoat who’d made Operation Firewall possible had gone on to stage the largest identity thefts in U.S. history.

The thieves have devised an ingenious solution to the problem that had bedeviled Chris Aragon: how to get at the money. They recruit ordinary consumers as unwitting money launderers, dangling bogus work-at-home opportunities, in which the “work” consists of accepting money transfers and payroll deposits, then sending the bulk of the cash to Eastern Europe by Western Union. In 2009, the scheme’s first year of widespread operation, banks and their customers lost an estimated $120 million to the attack, with small businesses the most common target.

After Operation Firewall, the Secret Service had been paying Gonzalez an annual salary of $75,000 a year, even as he staged some of the largest credit card hacks in history.

Credit card magstripes are a technological anachronism, a throwback to the age of the eight-track tape, and today the United States is virtually alone in nurturing this security hole. More than a hundred other countries around the globe, in Europe, Asia, and even Canada and Mexico, have implemented or begun phasing in a far more secure system called EMV or “chip-and-PIN.” Instead of relying on a magstripe’s passive storage, chip-and-PIN cards have a microchip embedded in the plastic that uses a cryptographic handshake to authenticate itself to the point-of-sale terminal and then to the transaction-processing server. The system leaves nothing for a hacker to steal—an intruder sitting on the wire could eavesdrop on the entire transaction and still be unable to clone a card, because the handshake sequence changes every time.

American banks and credit card companies have rejected chip-and-PIN because of the enormous cost of replacing hundreds of thousands of point-of-sale terminals with new gear. In the end, the financial institutions have decided their fraud losses are acceptable, even with the likes of Iceman prowling their networks.

Jason Tanz at Wired magazine did an amazing job with my feature article on Max, “Catch Me If You Can,” in the January 2009 issue.

The underworld that Kingpin delves into has been illuminated by a number of first-rate journalists, including Bob Sullivan, Brian Krebs, Joseph Menn, Byron Acohido, Jon Swartz, and my Wired colleague Kim Zetter.

He oversees cybercrime, privacy, and political coverage for Wired.com and edits the award-winning Threat Level blog (wired.com/threatlevel), which he founded in 2005.