
On a cold day, January 18, 2001, Maxim Igorevich Popov, a 20-year-old Ukrainian, nervously pushed through the doors of the American embassy in London. He could have been taken for an exchange student who had come to pick up a visa, but in fact Maxim was a hacker, a member of an Eastern European hacker group that attacked American commercial companies and made its money from extortion and fraud. The wave of such attacks looked like a harbinger of a new stage of the Cold War, this time between the United States and organized hacker groups in the countries of the former Soviet bloc. Maxim Popov, with his childish face, glasses and short haircut, was about to become the first defector in this war.
This was preceded by four months of telephone conversations and two preliminary visits to the embassy. Now Popov met with the assistant to the FBI legal attache to present his passport and approve the final agreement. Having finished with the formalities, he walked across Grosvenor Square through the winter cold to the hotel room that the embassy had rented for him. He opened his laptop, as well as the hotel minibar, and read his new mail, emptying the small bottles of whiskey until he passed out. The next day, January 19, 2001, Popov, accompanied by FBI agents, arrived at the airport and took a TWA flight to the United States.
Maxim was nervous, but it was a joyful excitement. He was leaving his parents, his institute and everything that was familiar, but in the USA he would become more than just an obedient son and student. Popov was wanted and involved in an international conspiracy, like a character in one of the cyberpunk novels he loved so much. He would provide services to the government for a fair fee, using his knowledge of information security, and then he would launch an Internet startup and make a fortune. Such were the plans.
But when the plane landed, it became clear that the deal worked a little differently. The FBI's formerly friendly agents threw Maxim into a detention center, and an hour later they returned with a federal prosecutor, a lawyer, and terms that had never been discussed: Popov would be their informant, working seven days a week to lure his accomplices into traps set by the FBI. If he refused, he would go to jail.
Maxim was completely discouraged. He realized that he had been played. He was placed under 24-hour FBI guard at a safe house in Fair Lakes, Virginia, and ordered to chat with his friends in Russian-language chat rooms while the bureau recorded everything. But Maxim had a trump card up his sleeve. He only pretended to cooperate, while using incomprehensible American colloquial words to warn his comrades that the US government had taken him into custody. When the agents finally received the translated logs three months later, they were furious. Maxim was immediately moved from the safe house to a cell in a small local jail, and the government prepared to bring charges for his past cybercrimes. The Ukrainian was defiant: “Go to the% poo,” he said. “You don't know what you're dealing with.” But he was scared. Prosecutors from all over the country lined up to take part in the case. It seemed that nothing would save him from a bleak future of prison cells and endless American courts.
Ernest Gilbert (Ernest “EJ” Hilbert), an agent from the provincial FBI office in Santa Ana, California, thought otherwise. He knew better than anyone that the government needed Popov.
Gilbert realized that the United States was at a crucial stage in the development of computer crime. During the 90s, hacking was a sport, done for fun. But in the 2000s, the first tremors of an impending earthquake came from Eastern Europe. The signs were everywhere if you knew where to look: changes in the types of websites being hacked, spam and phishing attacks, a spike in credit card fraud after many years of steady decline. Hacking was turning into a professional and profitable occupation.
In 2001, Ukrainian and Russian hackers launched the CarderPlanet site, which gave the underground community an additional dangerous advantage: scalability. CarderPlanet worked as a universal market for buying and selling credit card numbers, passwords, stolen bank accounts and sensitive data. The site carried paid advertising, an eBay-style rating system and a well-organized forum. For the first time, a novice carder could find everything needed for the work on a single site. Thousands of new users registered.
Gilbert concluded that he could hack this system. But first, he needed to crack an angry Ukrainian hacker who had already fooled the FBI once.
Maxim Popov grew up in the 1000-year-old city of Zhytomyr, two hours west of Kiev, at a time when Ukraine was taking its first steps after the collapse of the Soviet Union. He mastered computers early on, getting his first lessons at school on clumsy Ukrainian IBM XT clones called Search 1. On his 15th birthday, his father bought him a home computer and a modem, and Maxim went online for the first time.
Raised on cyberpunk science fiction and the 1995 film Hackers, Maxim Popov knew two things from the very beginning. First, he would become an outlaw hacker. Second, he would earn money from it. Maxim found many like-minded people on Russian-speaking forums. In the late 90s, the former Soviet republics were teeming with smart young programmers who had no particular career prospects. Carders and hackers launched their own dot-com gold rush, stealing credit cards from American online stores.
Popov was not as technically savvy as many of his colleagues, but he had a talent for manipulating people and a good command of English. He began to cash out stolen credit cards, using his almost flawless English to confirm orders with American stores by telephone. Business went well for about a year, but the stores gradually grew suspicious of shipping addresses in Eastern Europe, and the scheme went sour.
At the same time, local gangsters found out about Maxim's big earnings and began visiting him to extort money. Popov realized that he could run an extortion scheme of his own in a more elegant way. Together with friends, he hacked the computers of a company and copied its user database. Then Popov contacted the company and offered his services as an “information security consultant”: for an appropriate payment, he would keep the hack secret and not publish the database.
In July 2000, they broke into E-Money, a now-defunct electronic payment system from Washington, and stole the credit card data of 38,000 customers. From the Western Union website, they extracted another 16,000 user records, with names, addresses, passwords and bank cards. Popov contacted the companies and offered protection against hacking and destruction of the stolen data for a small consulting fee of $50,000 to $500,000.
However, the tactic backfired. E-Money dragged out the negotiations while secretly contacting the FBI, and Western Union publicly announced the breach, depriving the hacker of any hope of getting money. His efforts came to nothing, and the pressure from neighboring gangs grew. Popov felt trapped, stuck in Zhytomyr, surrounded by mediocre fraudsters and under the threat of violence. He began to think about a bold move: going over to the side of American law enforcement. Maxim thought that he could escape Ukraine and present himself as a reformed hacker and computer security expert in the land of opportunity.
As a result, he was locked up in a St. Louis prison near the Western Union office. At least until Agent Gilbert came for him.
A family man of strict principles, as if straight off a 1950s TV screen, Gilbert looked exactly like a federal agent, with a serious expression and neatly combed dark hair. At the age of 29, he abandoned his career as a school history teacher to fulfill an old dream and wear an FBI badge. From his first case, he was assigned to cybercrime: he tracked down an experienced hacker from the Urals who had broken into the computers of a commercial company in Anaheim, California, and then helped organize a trap to lure this hacker to Seattle, where the FBI could arrest him. Gilbert understood hackers. As a boy in the San Diego suburbs, he had dabbled in innocent hacking himself, under the nickname Idolin, an ancient term meaning ghost or spirit.
Gilbert knew that Popov, a Russian speaker and an experienced swindler, could get into places that were closed to the FBI: underground chat rooms and forums, where he could establish connections with community members and provide the bureau with much-needed evidence and intelligence. The trick was to court Popov gently, stroking his pride and showing respect for his hacker skills.
Gilbert discussed the plan with the Los Angeles prosecutor who was leading the case against Maxim Popov, and soon the two of them met with the Ukrainian hacker and his lawyers in the office of the St. Louis prosecutor. They explained the terms of the deal. Popov would serve his sentence in the Missouri case, and the government would consolidate the remaining cases and transfer them to Southern California, where the hacker would work off all the charges by becoming an undercover agent for the FBI.
This time, Maxim was not required to betray his friends. His targets would be strangers for whom the hacker had no sympathy. Gilbert called it an intelligence gathering mission, like in the James Bond movies. “I really respect the skills you have,” he said. Popov signed a plea bargain and accepted the government's proposal in March 2002. Gilbert had his mole.
Popov could not pass up a chance to demonstrate his skills. He had barely gotten off the Con Air flight to California when he was already sitting at the computer intended for legal research in the library of the Santa Ana prison. He found that the machine was connected to the prison's local network, and in a few keystrokes Maxim sent “defamatory comments and observations”, as the disciplinary report later put it, to printers in all the offices. The guards pinned him face down on the floor, but Popov did not regret what he had done. In prison, even the smallest hack was a breath of fresh air.
The long-awaited relief came in August, when Gilbert and another agent took the hacker from his cell for his first working day. In a procedure that became a daily routine, the prisoner's legs and hands were shackled while he was led out to the car. After a short trip, they opened the back door of an office building and brought Maxim into a small room with office furniture and several Windows computers confiscated during an anti-piracy raid. Gilbert fastened the handcuffs to the table in front of a computer with a Cyrillic keyboard. Maxim was in ecstasy. Compared to the prison, the gray office room seemed like a presidential suite. Here he could do anything.
The operation was called Ant City. Back online, Popov took on a new identity and began to hang out in underground chats and post messages on CarderPlanet, posing as a prominent Ukrainian scammer with a constant need for credit cards. His first major target was one of the top figures in the secret hierarchy of CarderPlanet: a mysterious Ukrainian hacker known only by his nickname, Script. Popov contacted him in early September, and the two began to correspond directly over ICQ. Two weeks later, Popov agreed to buy stolen credit cards for $400. By sending the data to a buyer in California, Script committed a crime under American jurisdiction. The evidence obtained would later lead to the hacker's arrest by the American police, although he would be released after six months.
Such “test purchases” of stolen cards were a key element of Gilbert's strategy: spending a little money through Popov was an easy way to make contacts, and once he had the cards, Gilbert could trace the source of the leak through the credit card companies. Popov continued to make deals and collect intelligence.
Sometimes they worked for a few hours, and sometimes for 10 hours a day. Regardless of the hacker's success, every day ended the same way: Gilbert returned home to his family, and Popov to a dirty prison cell. But on Thanksgiving, the federal agent surprised his charge. When Popov arrived at work, he saw a projector on the table, aimed at the wall. Gilbert pushed a couple of buttons on a laptop, and the opening credits of The Lord of the Rings: The Fellowship of the Ring, which had just been released on DVD, appeared on the wall.
For lunch, Gilbert brought real holiday food: stuffed turkey with cranberry sauce and sweet potatoes, and even pumpkin pie. Maxim was touched that Gilbert had decided to spend part of the holiday with him and not with his own family.
Agent Gilbert was so pleased with Popov's success that he bought him dinner for Thanksgiving and brought a projector with the movie “The Lord of the Rings”

Word of Operation Ant City spread through the Bureau, and over time Gilbert began receiving requests from other FBI units to investigate specific hacks. The largest occurred in February 2003: 8 million customer bank cards were stolen from the processing company Data Processing International. Popov started asking about DPI on the forums, and one of his acquaintances, a 21-year-old Russian student with the nickname RES, said that he knew the three hackers who had carried out the hack.
Popov boldly stated that he wanted to buy all 8 million cards for $200,000, but first he wanted a small sample. This sample would allow Gilbert to confirm that the cards had actually been obtained from DPI computers. But RES only laughed at the offer. Popov's relatively modest past purchases did not suggest that he had two hundred thousand dollars.
Gilbert came up with a solution. Maxim was dressed in street clothes and, escorted by FBI agents for security, taken to a nearby bank that had agreed to cooperate. Bank employees took $200,000 in hundred-dollar bills out of the vault and placed it on a table. Gilbert removed Maxim's handcuffs and recorded a short video of him shuffling wads of cash.
“Look, I show bablos,” said Popov in Russian. “Money is real, your mother, without garbage. I will put them on my account.” He took a bill out of the pack and brought it close to the camera: “All the fucking watermarks are all shit here. I show you to stop,” he scornfully threw the bill on the table. “So call the gang and let the damn deal!”
The video satisfied the Russians. Identifying RES was even easier. Popov mentioned that he had earned part of the money working at a company called Hermes-Plast, which manufactures plastic cards. Assuming that the Russian hacker would try to get a job at this company, he gave him a link to its website and the email address of his supposed boss, Anatoly Feldman.
RES sent a resume to Feldman’s address on the same day, along with a scanned copy of his national passport of the Russian Federation.
Of course, Hermes-Plast was a fictional company set up by Gilbert and Popov. Now the FBI knew RES's real name, date of birth and address. This surprisingly simple trick worked over and over again. One thing Popov always knew about Eastern European hackers: they always need work.
After 8 months of work for the bureau, on April 8, 2003, Maxim Popov was taken out of the Santa Ana prison and escorted to court for sentencing. At the request of the US government, federal judge David Carter sentenced him to time served and three years of judicial supervision. The judge immediately ordered all records of the sentence sealed.
28 months after he got on a plane to the United States, Maxim Popov was finally free, in the middle of Orange County, California, 13 kilometers from Disneyland and on the other side of the planet from Zhytomyr. His immigration status was unclear. Maxim did not have a green card or a social security number, so he could not get a legal job in America or a driver's license. Gilbert arranged for the FBI to rent him an apartment near the beach and pay him a monthly “stipend” of a thousand dollars for his part in Operation Ant City. But Popov could not get used to routine life in the suburban heat, among highways and shopping centers. One day in July, he was standing at a bus stop outside the probation office when a local man approached him, drunk, aggressive and cursing. Maxim Popov hit him lightly, but the man passed out and lay flat on the sidewalk. In a panic, Maxim called the FBI, already imagining that he would be sent back to prison. He made a firm decision: if he got out of this, he would return home.
Judge Carter gave Popov permission to visit Ukraine, on the condition that he return by August 18 to California, where he was to live out the rest of his three-year term under judicial supervision. Gilbert took him to the airport and said goodbye, knowing that he would never see him again.
Operation Ant City was over. According to Gilbert, about 400,000 stolen credit cards were found on the black market during this time, and more than 700 companies were warned that hackers from Eastern Europe had breached them. Ten suspects were charged, including Script, but no one was extradited.
Gilbert stayed in contact with Popov after his return to his homeland. Popov started his own business, a company called Cybercrime Monitoring Systems (Cycmos). As Popov himself describes it, the company tracks the underground markets and sells intelligence to companies that are about to be attacked or already have been. Gilbert confirmed that this is so. Apparently, Maxim Popov had begun to apply the skills he acquired during Operation Ant City in his own business. He also sent Gilbert a steady stream of leads and information for old times' sake.
On the eve of 2004, Gilbert's mobile phone rang. “Hey, do you know what?” said Popov in his even, pleasant accent. “Here is something new.” He explained that it was a big hack. And, notably, this time the victim was not some company, but the FBI itself.
Popov was following a hacker group that specialized in X.25, a network protocol from the pre-Internet era that was used in the 70s and 80s in the first public packet-switched networks. By 2004, X.25 was as outdated as Betamax next to VHS, but the old networks still supported it for compatibility in thousands of corporations and government agencies around the world.
The Russian hackers rummaged through these ancient networks and one day came across something interesting. They infiltrated the computer network of an AT&T data center in New Jersey, which hosted the mail servers of a number of US government agencies under contract. One of them was the FBI, which gave the Russians access to the correspondence of all agents with fbi.gov mailing addresses.
Gilbert hung up and immediately called his boss. Soon he was on a plane to Washington to lead the investigation. Gilbert got the FBI to set aside $10,000 to pay for the services of Cycmos, which would obtain any material stolen from the FBI's servers and identify any of the hackers who had taken part in the operation. Popov handed over two documents that he said had come from the FBI mailboxes: an 11-page dossier on one of the CarderPlanet administrators, known by the nickname King Arthur, and spreadsheets listing the cybercrime targets of the FBI and the Secret Service, divided by jurisdiction.
The list of targets was six months old and marked “Law Enforcement Sensitive” and “Do Not Transmit Over the Internet”. For the underground community it was potentially a goldmine, because the documents contained the nicknames, and in some cases the real names, of more than 100 hackers caught by the American government, with brief notes like “priority target” or “currently cooperating with the government.” The White House was informed about the leak, which raised the stakes even higher. Gilbert asked Popov to get more information.
Maxim began to dig. He pointed Gilbert to an underground chat room where the leader of the hacker group specializing in X.25 could be found. Soon Gilbert himself was talking with Leonid Sokolov, a student at St. Petersburg University. In conversation, Sokolov confirmed the hacking of the AT&T data center and the theft of the documents. Gilbert got what he wanted. It was the biggest case of his career.
“Bablos is real!” stated Popov in a video made for a Russian hacker. “So call the gang and let the damn deal!”

But it did not go without unpleasant incidents. On February 10, 2005, Gilbert was summoned to FBI headquarters. Five of his superiors sat in the conference room, and an angry federal prosecutor was cursing over the speakerphone.
It turned out that several corporations had become victims of the X.25 hacker group, and Maxim Popov had approached them, offering his help. One of the victims was Boston-based EMC, a company with multibillion-dollar turnover, from which the hackers had stolen the source code of the popular VMware virtualization software. If the source code became publicly available, hackers all over the world could study it in search of vulnerabilities.