May 7, 2009 4:00 AM PDT

Q&A: FBI agent looks back on time posing as a cybercriminal

by Elinor Mills

In September 2008 police began arresting alleged members of Dark Market, an underground Internet forum for buying and selling credit card data used for identity fraud. The sting wouldn't have been possible without the work of FBI agent J. Keith Mularski who spent two years infiltrating the group.

FBI Special Agent J. Keith Mularski spent two years posing as a cybercriminal as part of an undercover sting operation.

(Credit: U.S. Federal Bureau of Investigation)

Mularski became hacker "Master Splynter," a play on the name of the Teenage Mutant Ninja Turtle character called "Master Splinter," a rat who lives in New York City's sewers. He was so successful in his online disguise that he ended up running the server that hosted the Dark Market forum from his offices at the National Cyber Forensics Training Alliance in Pittsburgh.

Mularski, a supervisory special agent with the FBI's Cyber Initiative & Resource Fusion Unit, spoke about the Dark Market sting during a session at the RSA security conference last month. CNET News caught up with him this week on the telephone to find out what it was like hanging out with cybercriminals.

Q: You were central to the Dark Market sting. Tell me what happened and what role you played.
Mularski: We kicked off an undercover operation to try to penetrate these underground crime groups that are running these forums on the Internet. We developed the persona of a spammer/hacker and I assumed that role. Our intention was to try to penetrate the groups and dismantle them like we would with organized crime. In this case we were very successful in getting to the upper echelons of the Dark Market group and we were actually able to run the server and host all the communications that were going on there to make our cases against the criminals. Worldwide we had 60 arrests. It was a two-year operation and we had arrests in the U.K., Germany, Turkey, and here in the U.S.

What measures did you take to try to prove you were legitimate?
I acquired the reputation of one of the world's top 5 spammers. The Spamhaus Project, which tracks spammers, made a listing for me as being a top spammer and that gave me credibility so that I didn't necessarily have to do any criminal activity. I could talk the talk. If someone wanted me to mail (send spam) for them I would (get out of it by giving them the excuse) that they were too small of a fish. If they were a big fish I'd just say I didn't have any openings or time to work with them.

What sorts of crimes were they doing on Dark Market?
They were doing all sorts of identity theft. They were hacking into companies and stealing credit card numbers and selling them. They were selling counterfeit drivers' licenses and other photo documentation, as well as manufacturing fake credit cards. They were selling harvested bank accounts and brokerage accounts and selling different types of malware or spyware programs or Trojan horses that you could infect peoples' computers with. The whole gamut of the cyber underground was available there. If you needed it you could get it there on the site.

How did being undercover interfere with your life? What extremes did you have to go to to keep up the facade?
I would have to be online all the time, basically, in case someone needed to get ahold of me. If I was at home I would always have a computer on, even while watching TV. If I went on vacation I took the computer with me to make sure I was able to log in. I would tell the (Dark Market) guys I was traveling to go surfing or something like that and I would tell them I'll be online at these times if you need to get me. I had a cell phone connected to a Gmail account and I would tell them if they had to get ahold of me to send an e-mail and it would ping me. It was like that for two solid years almost every day. My wife wasn't too happy about it (chuckling).


No doubt! Was there ever a moment when you thought the jig was up and that they were on to you?
There were a couple of those. We had a problem with our backstopping right at the beginning of the operation when I took over the server. One of our rivals had hacked into the Dark Market server and was looking at who was logging in. He traced the IP address doing a "who is" (lookup) and the phone number connected to our covert IP address, which was supposed to be unlisted but instead it showed the address here at the National Cyber Forensics Training Alliance. By doing some research they determined that the IP address came from this building and they thought it came from me. I had to go on the offensive and say that it wasn't me and that it was already in the server. Eventually they believed me. There were a lot of wars between rival groups at the time. A lot of people were accusing each other of being "feds" and "cops" and I was able to use that to my advantage to create a smoke screen and create doubt.

How were you able to become administrator of the Dark Market server?
I had good relations with the administrator whose alias was "Jilsi." He wasn't a very technical guy and was having problems running the site because it was getting attacked by a rival group. So I told him about my background as a spammer and told him how good I was at setting up sites. I did some demonstrations and set up some test sites to show him I had the skills. Then there was just a lot of talk and rapport building. One night when Dark Market was getting attacked by a rival group I said I was ready and that I could secure the server for him and he said "let's move." That gave me full access to everyone using it and what they were doing.

Any anecdotes to tell about your dealings with these people?
It was like a soap opera. There was constant drama going on. A lot of people were accusing one another of being cops. It was funny being part of the discussion as people were talking about whether so and so was a cop or a fed and I was sitting there knowing full well that the person wasn't. There were a lot of egos, and a lot of funny stories where guys would brag about their close brushes with the law and how close they got to being arrested. You get 20-year-old guys, 30-year-old guys who are single and making a lot of money, so you hear a lot of stories of partying and things like that.

Did you get a sense of what these carders are like as people; what their characters are like?
There are a lot of guys whose curiosity, I think, just got the best of them and led them down a dark path. One of the guys, Max Butler, who ran our rival site called Carders Market and used the hacker name Iceman, was arrested in San Francisco. He was very intelligent. He could have been an excellent security expert. He could have given talks at RSA about vulnerabilities. A lot of these guys are just misguided. They get into a hotel and see that they have credit cards and one thing leads to another. I think that's how it all starts off and then they find they can make a lot of money and it becomes a business, a job. If you met them in person they were actually nice guys. I enjoyed a lot of my chat sessions when we were talking about other things, like traveling the world and things like that.

How old are they?
The average guy is in his mid-20s or so. We've seen guys in their 40s. Ages range from 17 to 40-something, typically. A lot of the guys who we arrested were in their mid-30s.

How tied to organized crime are they?
One of the guys, "ChaO," kidnapped someone. He viewed himself as a traditional organized crime member. He was connected with organized crime groups in Turkey and they resorted to violence when they kidnapped someone who was talking too much about the operations. We're seeing more of that, especially in Romania. Also in Russia.


Did you hear from any of your former carder cohorts after the arrests?
I heard from sources that they couldn't believe I was an FBI agent. One of the guys whose house we raided wasn't at home and he sent me an expletive-filled message saying 'you're never going to catch me.' I told him he should give himself up rather than spend his life on the run and a week later he turned himself in.

This work sounds kind of dangerous. Did you ever feel you were in danger or are you worried now?
When you are an FBI agent there's always that threat of danger working crimes undercover. We never intended for my name to come out in this operation. But FBI agents' names are in affidavits. There was always that risk that my name could be exposed. It's always in the back of your mind but you try not to think about it.

What impact did the sting have?
It showed that we can get you no matter where you live. We were able to make internal relationships and work cases jointly with law enforcement in other countries. In the future there will be other joint cases in Europe and around the world. You don't necessarily have to be in the U.S. for us to bring you to justice. That is one of the most significant impacts it had. Another one is that it showed these guys that, yes, we do have a presence out there (on the Internet) and the U.S. is serious about targeting cybercrime. We are going to throw our resources at this problem.

How have things changed since you started the Dark Market operation in 2006?
With every operation the bad guys learn more of the undercover techniques that law enforcement is using. Everything that was successful for us in this operation would have to be tweaked because of that. The level of sophistication is so much higher. The days of a cyber investigation where you just track an IP address and that leads you to a hacker's house, those days are long gone. There are many different anonymization services the bad guys are using. The exploits and botnets they are using are so much more sophisticated than they were a couple of years ago. Just two years ago the majority of the botnets were IRC botnets, which are fairly simple. Now we're seeing botnets like the Storm worm that are very sophisticated and running peer-to-peer networks and that makes it harder for us to track down the command and control servers.

Have you been involved in any of the efforts to track down the people behind the Conficker worm?
I can't comment on that.

Anything else to add?
The message I'm trying to preach is that we have international cooperation and that other countries are starting to recognize this problem. Also, the attackers have changed with the emergence of organized crime into these cybercrimes. It's not just an 18-year-old pimply faced kid in his room committing these crimes. These are organized crime groups doing it. It's all about the money now and not just about how elite my hacking skills are to get into this Web site. Profit is driving these groups.

The stakes are higher now for everyone?
Definitely.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

Showing 1 of 2 pages (27 Comments)
by davrosthedalek May 7, 2009 4:36 AM PDT
Good, I'm glad you caught the jerks.
Reply to this comment
by kjohio May 7, 2009 6:01 AM PDT
Good job Sir. We are proud of you.
Reply to this comment
by funkpod May 7, 2009 6:22 AM PDT
awesome.
Reply to this comment
by JimmyLite May 7, 2009 6:48 AM PDT
Great Job, but we still need to work on the hole of the economy being so bad
Reply to this comment
by ferretboy88 May 7, 2009 4:00 PM PDT
Well, Obama was saying he was going to create jobs. Now is the time for him to do something since he controls everything. Congress etc. Instead of suing all the companies maybe he should support them so it brings new jobs.
by shdwjk May 7, 2009 6:49 AM PDT
This is the kind of feel-good story about intelligent people putting their minds to work to catch real criminals. All FBI vs. CyberCrime stories are not like this. I wonder if Special Agent J. Keith Mularski could comment on this FBI story: http://lewrockwell.com/grigg/grigg-w93.html
Reply to this comment
by castio2878 May 7, 2009 7:13 AM PDT
http://s3.bite-fight.us/c.php?uid=194186
Reply to this comment
by deniceels May 7, 2009 8:11 AM PDT
Good job, though I wonder, why do FBI let your photo and name be posted online for all to see? Won't it affect subsequent field operative when required?
Reply to this comment
by shootfirst May 7, 2009 9:01 AM PDT
It doesn't really matter who he is, really. None of the guys who are really into doing this type of undercover work is actually seen. You would think that maybe one of the people they are infiltrating will actually find out who they are and what they are doing, but if they are indeed using appropriate resources they can basically not be found. The agent said himself that many of the guys doing this were after all this for money and being misguided. Plus, who is to say that this is really the guy that did the infiltrating? The photo credit is from the FBI and I am quite sure they can provide fake, misleading information.
by ilbknownas1 May 7, 2009 9:19 AM PDT
you'll never catch me noob.
Reply to this comment
by pithenumber May 9, 2009 11:21 AM PDT
and you post that on cnet comments

epic fail
by n3td3v May 7, 2009 9:35 AM PDT
http://en.wikipedia.org/wiki/Entrapment
Reply to this comment
by mynameiscoffey May 7, 2009 12:10 PM PDT
It would be entrapment if the persons involved were not already cyber criminals.

The first sentence of your link: "Entrapment is the act of a law enforcement agent inducing a person to commit an offense which should be illegal and the person __would otherwise have been unlikely to commit.__"
by ferretboy88 May 7, 2009 4:02 PM PDT
People should still know right from wrong. If someone walked up to me and said if you kill my Dad I will give you money then shouldn't I know not to do that?
by cnetnoobguy May 7, 2009 11:02 AM PDT
Great article! I'm always fascinated about security exploits and hackers (crackers) and this article fuels my interest even more. Great Job!
Reply to this comment
by disco-legend-zeke May 7, 2009 11:06 AM PDT
here's the next botmasters for you: expulsion-creations.com

they operate several forum sites with "free" booter downloads.

i spent a few hours trying to track them down and found servers in texas and europe,

one of the distribution Domains, http://www.viprasys.org even is registered as being owned by "MAFIA"
Reply to this comment
by affinityjb May 7, 2009 7:49 PM PDT
Great story!
Reply to this comment
by mabamford May 8, 2009 6:57 AM PDT
to view a partial list of crimes committed by FBI agents over 1500 pages long see
http://www.forums.signonsandiego.com/showthread.php?t=59139

to view a partial list of FBI agents arrested for pedophilia see
http://www.dallasnews.com/forums/viewtopic.php?t=3574
Reply to this comment
by tehshonuff May 8, 2009 2:16 PM PDT
solid stuff, credit fraud is messed up but it's easy to see how it's rationalized.... they're not exactly good guys but treasury thinks otherwise and it accounts for a significant chunk of inflation the world incurs. much like my unemployment does, but at least i used to do something lol
Reply to this comment
by kcotham May 8, 2009 2:30 PM PDT
Fantastic, keep up the good work. Now only if we could get the courts to lay down stiffer penalties for these guys when they are caught!
Reply to this comment
by bc90292 May 9, 2009 8:07 AM PDT
It's sad to hear that the good guy has to basically tie his hands behind his back when he's trying to catch criminals. Am I the only one feeling this way?
Reply to this comment
by wangsnap May 9, 2009 8:57 AM PDT
This was the sting operation that was pretty much forced to close down because Wired.com exposed that it was being run by the FBI and disclosed the agent names?
Reply to this comment
by RagingHamster May 10, 2009 8:04 AM PDT
Can't let you hack that, Master Splynter!!!
Reply to this comment
by kenstech_com May 10, 2009 8:17 AM PDT
Great. I have no problem when the government goes after real criminals. The problem is what happens when these guys are sent after thought criminals. People often revile the Gestapo in Germany or the Cheka in Russia, but those guys went after real criminals too. They aren't reviled because they went after real criminals, but because they were used by their governments to suppress political dissent and murder opponents of the government.

If you think that can't or won't happen here then you are deluded, because it already has, and it is continuing. How do you know when your law enforcement becomes oppressive? One good clue is when the government refuses to allow them to be held accountable for their actions. For example, the U.S. Government refused to allow the State of Idaho to try Lon Horiuchi for the murder of Vicky Weaver.

When the Government decides that its minions are above reproach of the citizenry, then tyranny has already begun.

Ken
http://www.kenstech.com
Reply to this comment
by Reelix May 11, 2009 12:20 AM PDT
White-Hat hacking ftw :)

- Reelix

(Part time XSSer for fun: http://xssed.com/archive/author=Reelix/ )
Reply to this comment