An FBI Agent's 3 Years Undercover With Identity Thieves

snydeq writes "InfoWorld offers the inside story of how FBI Supervisory Special Agent J. Keith Mularski, aka Master Splynter, penetrated and took over DarkMarket.ws, the infamous underground carding board hacked by Max Butler and later transformed by Mularski into an FBI sting operation. The three-year tour sent Mularski deeper into the world of online computer fraud than any FBI agent before, resulting in 59 arrests and preventing an estimated $70 million in bank fraud before the FBI pulled the plug on the operation in October."

Actually

[DoofusOfDeath]

InfoWorld offers the inside story of how FBI Supervisory Special Agent J. Keith Mularski, aka Master Splynter, penetrated and took over DarkMarket.ws,

How on earth are we supposed to believe it's the real Agent Mularski now?

I like the way the government thinks

[jollyreaper]

Cool hacker name = geek culture reference + creative misspellings/capitalizations

Sample names:
Dark JedEYE
FeloniouS MonK
POPP3R SMRF
TERRORByTE
G\/\/B

I predict you will hear of these handles in future busts.

Re:I like the way the government thinks

[Compuser]

George Washington Bridge? What's so cool about that.

Re:I like the way the government thinks

[Abreu]

Those are also the initials for George W. Bush, a former president of the USA.

Since we all are already trying very hard to forget him, I guess you get a pass

Re:I like the way the government thinks

[Dark+JedEYE]

Oh fuck.

Re:I like the way the government thinks

[dubbreak]

Former president of the University of South Australia? I question how many people know that the current one is Professor Peter HÃj let alone the previous president.

I assume the USA must be the Australian equivalent to MIT.

Re:oh lord

[oodaloop]

I had heard about this at a law enforcement/fraud analysis/intelligence analysis conference a while back. Basically, ALL the major sites were running in the open. Before all the crackdowns, I guess they thought the anonymity of the web meant they were untouchable. After the FBI cracked down on a bunch, they got wise and went underground.

Fencing

[planckscale]

From an article I read on Wired what seemed to have brought the downfall upon Butler was some of his associates got nabbed for trying to use stolen cards to buy expensive retail items and then fence them on Ebay for cash. Seems to me that old fashioned F**k-ups are the way these guys usually get taken down. Also from the article I read that corrupt retailers and waiters use portable card readers to steal all mag data on the card. How would you protect yourself against that kind of attack?

Re:Fencing

[AKAImBatman]

Also from the article I read that corrupt retailers and waiters use portable card readers to steal all mag data on the card. How would you protect yourself against that kind of attack?

As long as we use credit cards, you and I can't protect ourselves. However, the credit card companies could. Using public key authentication via smartcard technology would make it easy to verify physical access to a credit card. Yet the only instance I can think of, of anyone trying to roll this out is American Express's Blue card. Even that was mostly ineffective as the smart card circuitry appears to go mostly unused.

Re:Fencing

[Grimbleton]

My girlfriend would NOT approve if I stopped eating out.

Re:Fencing

[samkass]

I think you're right here in the US. When I visited London last year, though, it seemed like every single person had chips in their cards. I felt like a Luddite asking the guy to actually swipe the magnetic strip on a card (and him having to try a couple times before it took), then go find a pen, sign it, then find a place to put the paper signature. Us old-fashioned Americans.

Re:Fencing

[Creepy+Crawler]

Or if you hand your CC to a drive-thru to pay for food/drink.. Our receipt paper is thin enough to easily take an imprint of a CC. All you'd need to do is remember 3-4 numbers, the CVV2.

I found out this accidently, while holding a customer CC while rubbing it: it indented the CC, expr, and name perfectly.

Good thing im honest in dealings... They wouldnt catch me if I wasnt. I know decent stat to calculate my danger, and how to mitigate any possible repercussions.

Re:Fencing

[atamido]

I had an experience nearly identical to this in London when a shop clerk asking if we had a card with a chip in it to use. The friend I was with didn't even know what he was talking about. I explained things to her, and then told the clerk we didn't, but could wander off and find an ATM to use instead. He dug around some and found a card reader, but it was obvious he hadn't used it in a while.

Re:Fencing

[vux984]

Mod parent +5 insightful. Cash is accepted everywhere and stolen cash can't be used for identity theft.

1) Tons of places won't accept 50's or 100's anymore. And carrying enough cash to live in 20's gets bulky.

2) Carrying lots of cash (see above) gets noticed (see below).

3) If you get robbed of cash its gone. No, phoning your bank to let them know your card was stolen. No contesting the purchases made with your stolen cash. Your insurance company won't even replace stolen cash. Its just gone.

While having my card lifted is a hassle, it won't actually likely cost me anything, even if my identity is stolen it will most likely be a hassle more than anything else. Getting robbed however is much more permanent.

Re:Fencing

[Bemopolis]

Does it really take that many calories to reinflate her?

Re:Yeah, well...

[Volante3192]

You mean like at http://www.fbi.gov/quickfacts.htm ?

The FBI's jurisdiction is essentially being the nation's police force as opposed to your local city force. You can't say "ignore these sections of the state, county or city code" to a local police force just like you can't tell the FBI to ignore the U.S. Code.

Re:How much more...

[morgan_greywolf]

All crimes or suspected crimes deserve thorough investigation. Ruling certain kinds of crimes out-of-reach of the FBI simply due to resource-constraints is equivalent to encouraging the said crimes.

Right. Because the FBI is out investigating every single federal crime within their jurisdiction, right?

No. Because the FBI does have limited resources, cases not specifically brought to their attention by promising, credible leads -- or at least serious media attention -- don't get investigated. Those with credible leads that may not look so promising might sit on the backburner -- often for months or years.

While the FBI does investigate people who turn out to not have been criminals, that's more the exception than the rule.

Re:This is SOOO cool.

[betterunixthanunix]

He probably wants a new assignment that involves less time at a computer. Did you RTFA? He was spending 18 hours a day on his computer, and was online every day of the week. His relationship with his wife was strained because he had to be available on his computer as often as possible to avoid suspicion and to keep his credibility up. He had to report his vacations to the people he was trying to bust weeks ahead of time, to keep up that reputation. To me, that sounds like the sort of assignment that you only participate in once, if only to keep your heart healthy.

Reloadable cards.

[khasim]

I'm still wondering why the various banks don't offer reloadable cards for their customers. Why wander around with your ENTIRE credit limit in your wallet?

And for debit cards, your ENTIRE checking account balance.

Instead, allow the user to transfer the amount that he thinks he will need to a secondary card. That way, if anything compromises that card, the MOST they can get is whatever he put on that card.

As for online purchases, how about one-use card numbers? Just go to the bank site, put in how much you want to pay and the bank will give you a one use number for that amount. Then the maximum you lose if the online site is fake is that specific amount. They never get the real numbers to your real accounts.

Re:Reloadable cards.

[kb9vcr]

For online purchases one-use card numbers already are available.

Bank of America has them, it's called 'Shopsafe' and it's a free feature if you have a card with them. I've used it for every web purchase now for years and it works great. You set your limit & expiration date, generate a number and your set. Easy and it limits your exposure.

(MBNA developed shopsafe and then Bank of America got it when they bought them out. Probably other companies have something similar)

Re:Patience

[Otter]

Sell those things for cash on the street. Don't sell in the same area that you bought the items. Stick to big cities, as the police have way more to deal with than small-time theft. Once you get a big enough stash, use it to start a cash friendly business or find a way to get it to a trusted party in the third world and do the same thing.

In other words, crime is more work with less reward than just keeping your day job writing Java middleware.

Re:rarely asked for my ID

[Achromatic1978]

Because the merchant agreement specifically states that they are not to use the "Ask For ID" thing as a credit card processing mechanism. In fact they can have their merchant account revoked if sufficient complaints are received about requesting ID for CC transactions and not others (though I know in your case you're asking for it).

TECHNICALLY, under YOUR agreement with Mastercard, Visa, or Amex, NOT signing your card with your signature is a breach of your cardholder agreement. In fact (though granted, in practice rarely), Visa requires merchants who come across an unsigned / ASK FOR ID card are supposed to not finish the transaction until the card is signed. If you refuse to sign, at least up until recently, the last time I looked at a merchant contract, they're meant to retain your card (uh oh, you do remember the clause in your cardholder agreement that states that the card remains the property of the issuer, not you, right?).

Not good advice.

Re:How much more...

[beav007]

FBI does do some drug crimes I guess, but usually by accident. They're more into the "cool" crimes like Murder, Sex, and Cyber.

This post is so much entertaining (and possibly accurate) when read without context...