Animated Graphic >>
In an unmarked building in downtown Washington, Brian K. Nagel and 15 other Secret Service agents manned a high-tech command center, poised for the largest-ever roundup of a cybercrime gang. A huge map of the U.S., spread across 12 digital screens, gave them a view of their prey, from Arizona to New Jersey. It was Tuesday, Oct. 26, 2004, and Operation Firewall was about to be unleashed. The target: the ShadowCrew, a gang whose members were schooled in identity theft, bank account pillage, and the fencing of ill-gotten wares on the Web, police say. For months, agents had been watching their every move through a clandestine gateway into their Web site, shadowcrew.com. To ensure the suspects were at home, a gang member-turned-informant had pressed his pals to go online for a group meeting.
At 9 p.m., Nagel, the Secret Service's assistant director for investigations, issued the "go" order. Agents armed with Sig-Sauer 229 pistols and MP5 semi-automatic machine guns swooped in, aided by local cops and international police. The adrenaline was pumping, in part, because several ShadowCrew members were known to own weapons. Twenty-eight members were arrested, most still at their computers. The alleged ringleaders went quietly, but one suspect jumped out a second-story window. Agents nabbed him on the ground. Later, they found a loaded assault rifle in his apartment. The operation was swift and bloodless. "[Cybergangs] always thought they operated with anonymity," says Nagel, a tall, chiseled G-man. "We rattled them."
There's a new breed of crime-fighter prowling cyberspace: the hacker hunters. Spurred by big profits, professional cyber-criminals have replaced amateur thrill-seeking hackers as the biggest threat on the Web. Software defenses are improving rapidly, but law enforcement and security companies understand they can no longer rely on technology alone to deal with the plague of virus attacks, computer break-ins, and online scams. Instead, they're marshaling their forces and using gumshoe tactics to fight back -- infiltrating hacker groups, monitoring their chatter on underground networks, and when they can, busting the baddies before they do any more damage. "The wave of the future is getting inside these groups, developing intelligence, and taking them down," says Christopher M.E. Painter, deputy chief of the Computer Crime section of the Justice Dept., who will help prosecute ShadowCrew members at a trial scheduled for October.
Step by step, the cops are figuring out how to play the cybercrime game. They're employing some of the same tactics used to crush organized crime in the 1980s -- informants and the cyberworld equivalent of wiretaps. They're also busy coming up with brand new moves. FBI agent Daniel J. Larkin, a 20-year vet who heads up the bureau's Internet Crime Complaint Center, taps online service providers to help pierce the Web's veil of anonymity and track down criminal hackers. In late April, leads supplied by the FBI and eBay Inc. (EBAY ) helped Romanian police round up 11 members of a gang that set up fake eBay accounts and auctioned off cell phones, laptops, and cameras they never intended to deliver. "We're getting smarter every day," says Larkin.
Smarter and more collaborative. While the FBI and other investigators have been criticized for fighting each other almost as fiercely as the criminals on traditional cases, they cooperate more than ever when it comes to cybercrime. Local, state, and federal agencies regularly share tips and team up for busts. The FBI and Secret Service, which received jurisdiction over financial crimes when it was part of the Treasury Dept., have even formed a joint cybercrime task force in Los Angeles. Public agencies also are linking with tech companies and private security experts who often are the first to discover crimes and clues.
This makes the hacker hunters an eclectic bunch. Larkin ends up working in tandem with people like Mikko H. Hypponen, director of antivirus research at Finnish security outfit F-Secure Corp. Larkin is a straitlaced, 45-year-old native of Indiana, Pa., who honed his skills during Operation Illwind, the 1980s investigation into kickbacks paid to Pentagon officials by defense contractors. Hypponen is a 35-year-old computer whiz who lives on an island southwest of Helsinki populated by fewer than 100 people and a herd of moose.
On a Rampage
There's a clear reason for this newfound collaboration: The bad guys are winning. They're stealing more money, swiping more identities, wrecking more corporate computers, and breaking into more secure networks than ever before. Total damage last year was at least $17.5 billion, a record -- and 30% higher than 2003, according to research firm Computer Economics Inc. Among the computers compromised were those at NASA, a break-in in which one of the prime suspects is a 16-year-old from the Swedish university town of Uppsala.
Part of the problem is that cops don't have all the weapons they need to fight back. They clearly lack the financial resources to match their adversaries' technical skills and global reach. The FBI will spend just $150 million of a $5 billion fiscal 2005 budget on cybercrime -- not including personnel -- in spite of its being given the third-highest priority. (Terrorism and counterintelligence come first.)
The Secret Service won't discuss the funding breakdown for cybercrime. Both agencies are aggressively lobbying Congress for more money. Cybercrime laws haven't been much of a help. Hacking into computer networks was long seen as little more than a prank, and punishment was typically a slap on the wrist. That's beginning to change, however. Prosecutors are starting to make aggressive use of the Computer Fraud & Abuse Act, which carries penalties of up to 20 years in prison. The lengthiest sentence so far has been nine years, issued last December. Now prosecutors plan to send a message with the ShadowCrew case. Several members face prison sentences of 5 to 10 years if convicted. "There have to be consequences," says Painter.
The wiliest of the hackers still run rings around the cops. A Russian gang called the HangUp Team has been pummeling e-commerce Web sites and taunting its pursuers for two years, police say. The gang plants software bugs in computers that allow it to steal passwords, and it rents out huge networks of computers to others for sending out viruses and spam. HangUp Team hides in plain sight. Its Web site -- rat.net.ru/index.php -- is decorated with a red-and-black swastika firing off lightning bolts. Its blog discusses hacker tactics and rails against Americans. Its motto: In Fraud We Trust. "We think we know what they've done, where they are, and who they are," says Nagel. But authorities haven't been able to nab them so far. The Secret Service won't say why.
Devilish trickery keeps the criminals one step ahead. In January, 2004, a new virus called MyDoom attacked the Web site of the SCO Group Inc. (SCOX ), a software company that claimed the open-source Linux program violated its copyrights. Most security experts suspected the virus writer was a Linux fan seeking revenge. They were wrong. While the SCO angle created confusion, MyDoom acted like a Trojan horse, infecting millions of computers and then opening a secret backdoor for its author. Eight days after the outbreak, the author used that backdoor to download personal data from computer owners. F-Secure's Hypponen figured this out in time to warn his clients. It was too late, however, for many others. MyDoom caused $4.8 billion in damage, the second-most-expensive software attack ever. "The enemy we have been fighting is changing," says Hypponen.
Indeed, today's cybercrooks are becoming ever more tightly organized. Like the Mafia, hacker groups have virtual godfathers to map strategy, capos to issue orders, and soldiers to do the dirty work. Their omertà, or vow of silence, is made easier by the anonymity of the Web. And like legit businesses, they're going global. The ShadowCrew allegedly had 4,000 members operating worldwide -- including Americans, Brazilians, Britons, Russians, and Spaniards. "Organized crime has realized what it can do on the street, it can do in cyberspace," says Peter G. Allor, a former Green Beret who heads the intelligence team at Internet Security Systems Inc. (ISSX ) in Atlanta.
Yet there may be hope for a shift in the fortunes of battle. Among cybercops, the ShadowCrew case is seen as a model for taking the battle to the Black Hats. Law enforcement officials are often loath to reveal details of their operations, but the Secret Service and Justice Dept. wanted to publicize a still-rare victory. So they agreed to reveal the inner dynamics of their cat-and-mouse chase to BusinessWeek. The case provides a window into the arcane culture of cybercriminals and the methods of their pursuers.
The story starts with an unlikely partnership. Andrew Mantovani was a part-time student at Scottsdale Community College in Arizona. David Appleyard was a onetime mortgage broker who lived in Linwood, N.J., just outside of Atlantic City. This is the duo who led the ShadowCrew from 2002 until they were arrested last fall, according to an indictment filed in U.S. District Court in New Jersey -- the state in which their servers were located. The two are believed to have met online, although the details of their first encounters are unknown. From their home computers, Mantovani, now 23, and Appleyard, 45, allegedly ran shadowcrew.com as an international clearinghouse for stolen credit cards and identity documents. "It was a criminal bazaar," says Nagel, a 22-year veteran who served on the protection teams for Presidents George H.W. Bush and Bill Clinton.
ShadowCrew, it appears, was largely Mantovani's creation. A business student at Scottsdale, he became a true entrepreneur in front of his computer screen. He was previously a member of a different cybergang that mainly stored stolen data, Justice Dept. officials say. He then allegedly came up with the idea of bringing together buyers and sellers in an online community so they could auction off stolen goods and share hacking tricks. Once the ShadowCrew site was established, he often reminded members in online chats that he could help them rise or fall in the gang depending on their loyalty to him, says Scott S. Christie, a former assistant U.S. attorney who helped build the legal case. "It was important [to Mantovani] to be recognized as the spiritual leader of ShadowCrew," says Christie.
If Mantovani was the brains, Appleyard was the brawn, according to the indictment. The older man adopted the online persona of a former soldier. He went by the nickname "BlackOps" and stood ready to mete out punishment to anyone who stepped out of line. One time, a gang member known as "ccsupplier" failed to deliver merchandise he had sold -- and then failed to refund the money that had been paid. Appleyard allegedly posted the guy's real name, address, and phone numbers on the ShadowCrew Web site, immediately putting him out of business. On another occasion, police say he threatened somebody with physical harm, in an online message. All the while, the former mortgage broker was living with his wife, two kids, and mother, who suffers from Alzheimer's.
The ShadowCrew gang got hold of credit-card numbers and other valuable information through all sorts of clever tricks. One of the favorites was sending millions of phishing e-mails -- messages that appeared to be from legit companies such as Yahoo! Inc. (YHOO ) and Juno Online Services Inc. but in fact were fakes designed to steal passwords and credit-card numbers. The gang also excelled at hacking into databases to steal account data. According to sources familiar with the investigation, the ShadowCrew cracked the networks of 12 unnamed companies that weren't even aware their systems had been breached.
Because most of the gang members held day jobs, the crew came alive on Sunday nights. From 10 p.m. to 2 a.m. hundreds would meet online, trading credit-card information, passports, and even equipment to make fake identity documents. Platinum credit cards cost more than gold ones. Discounts were offered for package deals. How big was the business? One day in May, 2004, a crew member known as "Scarface" sold 115,695 stolen credit-card numbers in one trade. Overall, the gang made more than $4.3 million in credit-card purchases during its two-year run. The actual tally could be more than twice as large, the feds say. It was like an eBay for the underworld.
Too Big to Hide
The operation was quite sophisticated. Mantovani, who used the handle "ThnkYouPleaseDie," and Appleyard, who went by "BlackBagTricks" as well as "Black Ops," were the "administrators," according to the government's indictment. They were in charge of strategic planning, determined which ShadowCrew aspirants got access to the Web site, and collected payments from participants to keep it running. "Moderators" hosted online forums where gang members could share tips for making fake IDs or ask questions about creating credible phishing e-mail. Below them were "reviewers," who vetted stolen information such as credit-card numbers for quality and value. The largest group, the "vendors," sold the goods to other gang members, often in online auctions. Speed was essential, since credit-card numbers had to be used quickly before they were canceled.
But their operation was too big to escape notice by the cops. In mid-2003, the Secret Service launched Operation Firewall to nab purveyors of fake credit and debit cards. They quickly focused on ShadowCrew, says Nagel, because it was among the largest gangs operating openly on the Web. Within months, agents turned one of ShadowCrew's members into a snitch. While they decline to name the person or detail how he was flipped, an affidavit says he was a high-ranking member of the gang, and one of its moderators. Last August the man helped the Secret Service set up a new electronic doorway for ShadowCrew members to enter their Web site and then spread the word that the new gateway was a more secure way in. It was the first-ever tap of a private computer network under a 1968 crime act that set legal guidelines for wiretaps. "We became shadowcrew.com," says Nagel.
This was a big break, since the cops could use the doorway to monitor all the members' communications. Among the communiqués: Omar Dhanani, aka Voleur (French for "thief"), bragged he could set up a special payment system for cybercrime transactions, police say. For a 10% commission, he would exchange cash for "eGold," an electronic currency backed by gold bullion. The Secret Service watched as he laundered money from at least a dozen deals for ShadowCrew members.
The online taps helped the cops set up real-world stakeouts, too. They started by subpoenaing records from Internet service providers such as Time Warner Inc.'s (TWX ) Road Runner. They then traced the computing addresses to actual houses and apartments so they could observe their prey in person. One target: Rogerio Rodrigues. Investigators say they saw him load a bulging bank-deposit bag into his Ford Explorer and drop it off at a Citibank (C ) branch. Later, he stopped into a Kinko's (FDX ), where agents believe he picked up counterfeit merchandise.
Cutting-edge digital monitoring combined with old-fashioned shoe leather resulted in reams of incriminating evidence. At the peak of the investigation, a dozen Secret Service agents worked 18-hour days to sift through the gang's communiqués. E-mail, instant messages, and computer addresses led them to the suspected ringleaders. Mantovani, it turned out, lived with another alleged ShadowCrew member, Brandon Monchamp. Dhanani operated from a quaint stucco house in Fountain Valley, Calif. Addresses in hand, the Secret Service was ready to conduct last fall's bust.
The ShadowCrew case is far from over, though. Charged with credit-card fraud and identity theft, most of the suspects arrested that day have been released on bail pending trial. Mantovani returned home to live with his parents on Long Island and works as a construction laborer. His lawyer, Pasquale F. Giannetta, insists Mantovani is no criminal. "He is like a normal 23-year-old boy," Giannetta says. Appleyard has not issued a plea in the case, pending additional evidence from the government. His lawyer, William J. Hughes Jr., says Appleyard was just a techie running the ShadowCrew Web site, not a criminal profiting from it. Brandon Monchamp's lawyer, Elizabeth S. Smith, declined to comment. Dhanani's and Rodrigues' attorneys did not return calls seeking comment.
The bust yielded a treasure trove of evidence. So far the Secret Service has uncovered 1.7 million credit-card numbers, access data to more than 18 million e-mail accounts, and identity data for thousands of people including counterfeit British passports and Michigan driver's licenses. They say the ShadowCrew pillaged more than a dozen companies, from MasterCard Inc. to Bank of America Corp. (BAC ) The bust has yielded evidence against more than 4,000 suspects and links to people in Bulgaria, Canada, Poland, and Sweden. "We will be arresting people for months and months and months," says Nagel.
Now, with the ShadowCrew bust as their inspiration, cops and security experts are becoming more aggressive. They're tapping shady Web sites and chat rooms, stepping up cooperation with investigators in other countries, and flipping informants to build cases. In the past six months, the FBI persuaded members of several spam and phishing rings to rat on their accomplices. Larkin says some of these cases will become public in the coming months.
Despite these successes, cops face major hurdles as they try to get cybercrime under control. The biggest? Their global scope. Gang members hide out in countries with weak hacking laws and lax enforcement. They can even shelter servers in a separate country, snarling the trail for investigators. Their favorite hideouts: Russia, Eastern Europe, and China.
And little wonder. In Russia, the authorities can appear at times to be more interested in protecting cybercrooks than in prosecuting them. In 2000, the FBI lured two Russian hackers to Seattle with job offers, then arrested them. Agents involved in the case later downloaded data from the duo's computers, located in Chelyabinsk, Russia, over the Web. Two years after that, Russia filed charges against the FBI sleuths for hacking -- alleging the downloads were illegal. "When you have a case that involves servers in Russia, you can almost hear the law-enforcement officials sigh," says Hypponen.
The HangUp Team has been operating in Russia with impunity for years. Some members are allegedly based in Archangelsk, an Arctic Circle city of rusting Soviet nuclear submarines and nearly perpetual winter. In 2000 the alleged original members of the team, Alexei Galaiko, Ivan Petrichenko, and Sergei Popov, were arrested for infecting two local computer networks with malicious code. But Russian authorities let them off with suspended sentences.
Little was heard from the HangUp Team for the next two years. But in 2003 the gang released the viruses Berbew and Webber. Then last year the group infected online stores with a fiendish piece of software called the Scob worm. Scob waited for Web surfers to connect, then planted software in their hard disks that spied on their typing and relayed thousands of passwords and credit-card numbers to a server in Russia, police say. "These guys have set a new standard for sophistication among criminal hackers," says A. James Melnick, 51, director of threat intelligence at iDEFENSE, a Reston (Va.) cybersecurity firm.
The HangUp crew isn't even covering its tracks. Each of the three bugs contained a telltale signature: "Coded by HangUp Team." With HangUp operating so publicly, it's not clear why its members have been so hard to catch. Russian authorities say they have been hampered by the red tape of securing warrants, coordinating with U.S. and British police, and translating documents.
It's one more sign that the battle for cyberspace has changed forever. Criminals are swarming the Web, and their attacks come from the most remote corners of the globe. There are no easy answers. But one thing is clear: The old practice of erecting defenses out of software isn't enough. "That's a Band-Aid," says Larkin. "If you don't try to take these guys down, they'll come back. You have to find a way to get to the live bodies and take them out at their roots. If you don't, you aren't solving the problem." Investigators scored an impressive success in taking down the hackers behind the ShadowCrew. But the hunt is just beginning.
By Brian Grow, with Jason Bush in Moscow