The New Cyber Crime Lords

A Geopolitical Struggle No One Wants to Fight

Joseph Menn’s Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet travels through the underworld of cybercrime and finds – beyond the pseudonymous hackers, mob kingpins, and devoted investigators – state police forces that look the other way, dangerous cracks in the global system of online commerce, and the first signs of major geopolitical conflict. Below, Menn, Financial Times Technology Correspondent, adapts from his book the story of two investigators going after the elusive crime lord called King Arthur.

BARRETT LYON AND ANDY CROCKER had done what no one thought possible, catching and jailing Russian hackers who were attacking Western targets for financial gain. Now Andy wanted to see how much further they could go. He didn’t see any way to cut off the cybercrime forums. But he had worked with good men at all levels of the MVD national police, and he had been impressed with the prosecutor and judge.

Together, could they go after the kingpins? Before he left the country, Andy thought he would aim as high as possible, at King Arthur. Through dogged but until now secret work on the CarderPlanet case, the U.S. Postal Service’s Greg Crabb had succeeded in identifying King Arthur as Artur Galegov, a man in his early twenties living in the Russian republic of Dagestan. Galegov was taking in millions of dollars from Citibank phishing and other scams with the aid of numerous U.S. accomplices, according to Postal Service documents.

In a meeting with two MVD men to discuss other business, Andy pressed his luck. “This case is going well. Let’s keep it going, follow this thing upstream,” he told the others. “Let’s go after King Arthur. He’s as bad as they get, and he’s gotten millions of dollars. If we get him, that will show everyone how serious the Russian government is. It could change everything.”

There was an awkward pause. “He’s in Dagestan,” one of the MVD men said. The tone reminded Andy of the famous line from Roman Polanski’s great corruption movie: “Forget it, Jake, it’s Chinatown.” “So, he’s in Dagestan, great, you know where he is!” Andy persisted, feigning ignorance. “It’s different there, very rough,” the other man put in, as if talking to a child. “That’s not a problem,” Andy said. “I’m not afraid; I can go anywhere.”

The MVD men exchanged looks. The first cleared his throat. “The FSB is dealing with him. They know who he is,” he said, trying to sound reassuring as he brought up the spy agency that was the greatest power in the country. “Well, then, the FSB can go to Dagestan,” Andy said. But he sensed this wasn’t going to work out. “They aren’t interested in him right now,” the MVD agent shrugged, signaling an end to the subject.

What they didn’t tell Andy was that Dept. K operatives had already tried to get King Arthur. They had prepared a report and sent it to the MVD Investigative Committee, asking the elite squad to conduct interviews and make an arrest. The committee never pursued the case. Andy also brought up the issue with Igor Yakovlev, his closest MVD friend. “Why won’t anyone arrest King Arthur?” he asked. The politically savvy Igor shrugged, said he didn’t know, and gave the all-purpose explanation Andy had heard most of the days he had been in the country. “Eta Rossiya.” It is Russia.

It made an unfortunate amount of sense to Andy. They’ve got him with the threat of ten years in prison, he thought. They said, “Either come work for us, or go to prison.” Why would he not, especially if they let him continue making money? Knowing how things worked in Russia, it was possible that King Arthur was just bribing his way to continued freedom. But that was unlikely. In the ordinary course of events, a suspect would be arrested first, giving officials the most leverage to negotiate payment. Not only had King Arthur not been arrested, no one had come close to arresting him. Besides, too many countries had been demanding King Arthur’s head for too long for a simple bribe to work.

“It would be too sensitive to just take money to not arrest him,” Andy told a friend. “So the only reason it goes nowhere is, he’s protected by someone.” In 2009, King Arthur was still dispensing advice on carder forums, serving as a mentor to the next generation.

During the three years Andy had been locked in on the Maksakov ring and its allies, identity theft and related crimes had gotten much worse. Broad phishing attacks rose and then declined. In their place came wider distribution, often through legitimate websites that had been hacked, of the worst kind of spyware – the type that logged users when they enter passwords to brokerage or bank accounts. Some variants built on the success of the extortion racket, locking consumers’ computer files and demanding ransom.

The sheer volume of new viruses and other “malware” grew so vast – being reported at clips as rapid as two a minute – that security firms could no longer analyze each one by hand. Instead, they relied on machines to identify the most pernicious. The number that could evade antivirus software and firewalls soared as well. Hackers even trained viruses to mutate on their own, making them harder to block systematically: one called Storm spawned 5,000 variants within days of its release. Facebook, Twitter, and other social networks soon made it easy to take one stolen identity and then induce the victims’ friends to click on poisoned links.

A Gartner survey found that 30 percent of Americans had been victimized by identity fraud by 2009. They got back an average of 86 percent of the money drained from credit cards and 77 percent of the money stolen from ATM and debit cards. Victims of bogus account transfers, though, recovered only 54 percent of their losses. Small businesses were increasingly targeted in account transfers, and the banks often refused to make up the losses. Convictions remained an extreme rarity, striking far less than half of 1 percent of the perpetrators.

THOSE WHO ESCAPED ANDY’S GRASP were just a sampling of the dangerous men protected by superior political force. For every entry-level crook picked up overseas in cooperation with U.S. or U.K. investigators, a known modern-day mob boss thumbed his nose, certain of safety. In 2005, the FBI and Secret Service worked with other U.S. officials to try to bust one notorious Russian gang, the HangUp Team. Their officials met with Russian authorities multiple times, identified the members behind the crew, and even provided their locations. The Russians did nothing. “Same goes for King Arthur,” said one agent involved. “American authorities couldn’t even get a picture of the guy.”

Worst of all was the Russian Business Network, Andy learned. By following the trail from the denial-of-service hackers, he realized, he had come as near to the infamous RBN as anyone in the West, perhaps within a steel door’s thickness of a close affiliate. Now Andy began to doubt that anyone would ever get that close again.

Researchers who spent much of their time tracking the RBN said the group enjoyed some kind of special protection. A key figure in the group called himself Flyman and might have been the world’s largest supplier of child pornography. But he was off-limits to police, according to reports from several investigators, including VeriSign’s Kimberly Zenz, who spent many months in Russia. Zenz reported that a senior MVD investigator told her in Moscow in 2006 that his efforts to arrest Flyman “met forceful, official resistance. Flyman’s father is an influential St. Petersburg politician who used his leverage and money to persuade law enforcement authorities to prevent do-gooders from pursuing the case.”

Without some cover from above, no organization could have been so public that it advertised and so deeply involved in everything from spyware to denial-of-service attacks of the sort that were launched first against companies that had turned to Barrett and Andy and, beginning in 2007, against enemies of the Kremlin including the governments of Estonia and Georgia.

The RBN also provided the home for the first major marketplace for automated hacking as a service. On those computers, an outfit called 76service, successor to the HangUp Team, sold subscriptions for access to machines infected by a Trojan called Gozi. Would-be criminals could purchase a freshly infected machine most likely to provide new and valuable financial data for $1,000 a month.

A leading figure at the group that ran Gozi was in all likelihood one of the two critical allies for Albert Gonzalez, the biggest American identity thief ever accused. A source close to the 2009 prosecution of Gonzalez in the 130 million-card Heartland Payment Systems breach said that Gonzalez’s indicted but unnamed Russian coconspirators, “Hacker 1” and “Hacker 2,” used the online nicknames Anex and Grig, and the source said Grig had used that alias in posting to Shadowcrew. Don Jackson, a SecureWorks analyst who logged into Gozi’s customer interface and chatted with Russians involved there, said that only one major Shadowcrew poster went by Grig. That was the hacker who refashioned himself as a major figure in the HangUp Team and as the leader of 76service. As Gonzalez pleaded guilty in August 2009, the FBI asked the FSB to go after Grig and Anex. But Jackson said that Grig’s longtime prominence made it plain that the FSB already knew who he was and had decided not to arrest him. “If they wanted to do it, they would have,” Jackson said. “They have had many opportunities.”

While Andy had advanced against cybercrime on one front, the situation on every other front had deteriorated. It was now a full-blown geopolitical struggle, and neither the U.K. nor the U.S. wanted to fight it.

Adapted from Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet by Joseph Menn. Excerpted by arrangement with PublicAffairs, a member of the Perseus Books Group. Copyright © 2010.
