DarkMarket.ws, an online watering hole for thousands of identity thieves, hackers and credit card swindlers, was secretly run by an FBI cybercrime agent for the last two years, until its voluntary shutdown earlier this month, according to documents unearthed by a German radio network.
Reports from the German national police obtained by the Südwestrundfunk, Southwest Germany public radio, blow the lid off the long running sting by revealing its role in nabbing a German credit card forger active on DarkMarket. The FBI agent is identified in the documents as J. Keith Mularski, a senior cybercrime agent based at the National Cyber Forensics Training Alliance in Pittsburgh, who ran the site under the hacker handle Master Splynter.
The NCFTA is a non-profit information sharing alliance funded by financial firms, internet companies and the federal government. It's also home to a seven-agent FBI headquarters unit called the Cyber Initiative and Resource Fusion Unit, which evidently ran the DarkMarket sting.
The FBI didn't return a phone call Monday.
Like earlier crime sites, DarkMarket allowed buyers and sellers of stolen identities and credit card data to meet and do business in an entrepreneurial, peer-reviewed environment. Products for sale ran the gamut from specialized hardware to electronic banking logins collected from phishing attacks, stolen personal data needed to assume a consumer's identity ("full infos") and credit card magstripe swipes ("dumps"), which are used to produce counterfeit cards. Vendors were encouraged to submit their goods for review before offering them for sale.
The unearthed documents, seen by Threat Level, show the FBI sting had begun by November, 2006. An FBI memo sent to the German national police regarding a forum member in that country boasts, "Currently, the FBI has been successful in penetrating the inner 'family' of the carding forum, DarkMarket." A March 2007 e-mail from Mularski's FBI address to his German counterpart puts it bluntly. "Master Splynter is me."
The documents indicate the FBI used DarkMarket to build "intelligence briefs" on its members, complete with their internet IP addresses and details of their activities on the site. In at least some cases, the bureau matched the information with transaction records provided by the electronic currency service E-Gold.
Last month, Master Splyntr -- now identified as Mularski -- announced he was shuttering the site as of October 4th, citing unwanted attention garnered by a fellow administrator, known as Cha0. From his home in Turkey, Cha0 had aggressively marketed a high-quality ATM skimmer and PIN pad that fraudsters could covertly affix to certain models of cash machines, capturing consumers' account numbers and secret codes. But he began drawing heat this year after reportedly kidnapping and torturing a police informant. He was arrested in Turkey last month, where police identified him as one Cagatay Evyapan.
That's why it was time to close DarkMarket, Master Splynter explained, in a message that now rings with irony.
The German reports confirm rumors that have swirled around DarkMarket since late 2006, when uber-hacker Max Ray Butler cracked the site's server and announced to the underground that he'd caught Master Splynter logging in from the NCFTA's office on the banks of the Monongahela River. Butler ran a site of his own, and the warning was generally dismissed as inter-forum rivalry, even when Butler was arrested in San Francisco last year on credit card fraud charges, and shipped to Pittsburgh for prosecution.
Until this afternoon, SpamHaus listed Master Splynter as an Eastern European spammer named Pavel Kaminski, who was active as recently as 2005. It's possible the FBI took over the handle sometime thereafter. In 2004, the Secret Service ran a similar scheme on the crime board ShadowCrew, but that agency used an informant, who went on to commit more crimes -- a risk not likely present with agent Mularski.
Lord Cyric, another former DarkMarket administrator, says Master Splynter was invited onto DarkMarket as an admin about two years ago, and was still known as a spammer. Based in Canada, Lord Cyric has sold fake IDs and checks in the underground, but he's convinced he's out of reach of any sting operation.
"Worry? Me? Nah," he wrote in an IM interview. "It's a long, slow hard process for them to interest Canadian [law enforcement] to go after someone who doesn't touch drugs nor deals with skimmers. ... It's all about U.S. busts, unless there's a big drug deal and DEA gets involved."
Threat Level admires Lord Cyric's bluster, but thinks his days in the underground are numbered. The FBI almost certainly closed DarkMarket in preparation for a global wave of arrests that will unfold in the next month or so. The site was likely shuttered to avoid an Agatha Christie scenario in which a diminishing pool of cybercrooks are free to speculate about why they're disappearing one-by-one like the hapless dinner guests in Ten Little Indians.
Kudos to Südwestrundfunk reporter Kai Laufen, who discovered the operation. I'm sending him the "I Spotted the Fed" tee-shirt I took home from DefCon 7.
By Kevin Poulsen