Carder Forum Sting Operation by FBI Leads to 24 Arrests

Fake Carder Forum Set Up by the FBI Let Agents Monitor and Record Discussions and Private Messages Between Cybercriminals

A sting operation set up by the FBI that dates back to 2010 resulted in 24 arrests on Tuesday, following what the bureau said was the largest coordinated international law enforcement action in history directed at “carding” crimes.

Tuesday’s coordinated action—which the FBI said involved 13 countries, including the United States—resulted in the arrest of 11 individuals in the U.S. and 13 individuals abroad. Four additional defendants remain at large. In addition to the arrests, federal, local, and foreign authorities conducted more than 30 subject interviews and executed more than 30 search warrants.

Tuesday’s actions come as a result of a two-year undercover operation headed by the FBI and designed to track down, investigate and disrupt cybercriminals’ illegal “carding” activity.

The allegations unsealed on Tuesday show an astounding spectrum of cyber schemes and scams. As described in court documents, individuals sold troves of credit card and personal information on thousands of individuals.

“From New York to Norway and Japan to Australia, Operation Card Shop targeted sophisticated, highly organized cyber criminals involved in buying and selling stolen identities, exploited credit cards, counterfeit documents, and sophisticated hacking tools,” said FBI Assistant Director in Charge Janice K. Fedarcyk.

“Carding” refers to various criminal activities associated with stealing personal identification information and financial information belonging to other individuals—including the account information associated with credit cards, bank cards, debit cards, or other access devices—and using that information to obtain money, goods, or services without the victims’ authorization or consent. “Carding forums” are websites used by criminals engaged in carding (“carders”) to facilitate their criminal activity. 

Inside the Undercover Operation

The FBI said that in June 2010, it established an undercover carding forum called “Carder Profit” (the “UC Site”), which let users discuss various topics related to carding and gave cybercriminals a way to buy, sell, and exchange goods and services related to carding and other malicious activities.

According to the FBI, the UC Site was configured to allow the FBI to monitor and to record the discussion threads posted to the site, as well as private messages sent through the site between registered users. The UC Site also allowed the FBI to record the Internet protocol (IP) addresses of users’ computers when they accessed the site. The IP address is the unique number that identifies a computer on the Internet and allows information to be routed properly between computers.

Access to the UC Site, which the FBI said was taken offline in May 2012, was limited to registered members and required a username and password to gain entry. Various membership requirements were imposed from time to time to restrict site membership to individuals with established knowledge of carding techniques or interest in criminal activity. For example, the FBI explained, sometimes new users were prevented from joining the site unless they were recommended by two existing users who had registered with the site or unless they paid a registration fee.

New users registering with the UC Site were required to provide a valid e-mail address as part of the registration process, and those addresses were harvested by the FBI. During the undercover operation, the FBI said that it contacted multiple affected institutions and/or individuals to advise them of discovered breaches in order to enable them to take appropriate responsive and protective measures. As a result, the FBI said that it prevented estimated potential economic losses of more than $205 million, notified credit card providers of over 411,000 compromised credit and debit cards, and notified 47 companies, government entities, and educational institutions of the breach of their networks.

Eleven individuals were arrested this week in the United States, all being charged with engaging in a variety of online carding offenses in which they sought to profit through, among other means, the sale of hacked victim account information, personal identification information, hacking tools, drop services, and other services that could facilitate carding activity. According to the FBI:

Michael Hogue, a/k/a “xVisceral,” offered malware for sale, including remote access tools (RATs) that allowed the user to take over and remotely control the operations of an infected victim-computer. Hogue’s RAT, for example, enabled the user to turn on the web camera on victims’ computers to spy on them and to record every keystroke of the victim-computer’s user. If the victim visited a banking website and entered his or her user name and password, the key logging program could record that information, which could then be used to access the victim’s bank account. Hogue sold his RAT widely over the Internet, usually for $50 per copy and boasted that he had personally infected “50-100” computers with his RAT and that he’d sold it to others who had infected “thousands” of computers with malware. Hogue’s RAT infected computers in the United States, Canada, Germany, Denmark, Poland, and possibly other countries.

Jarand Moen Romtveit, a/k/a “zer0,” used hacking tools to steal information from the internal databases of a bank, a hotel, and various online retailers, and then sold the information to others. In February 2012, in return for a laptop computer, Romtveit sold credit card information to an individual he believed to be a fellow carder, but who, in fact, was an undercover FBI agent.

Mir Islam, a/k/a “JoshTheGod,” trafficked in stolen credit card information and possessed information for more than 50,000 credit cards. Islam also held himself out as a member of “UGNazi,” a hacking group that has claimed credit for numerous recent online hacks, and as a founder of “Carders.Org,” a carding forum on the Internet. Last night, Islam met in Manhattan with an individual he believed to be a fellow carder—but who, in fact, was an undercover FBI agent—to accept delivery of what Islam believed were counterfeit credit cards encoded with stolen credit card information. Islam was placed under arrest after he attempted to withdraw illicit proceeds from an ATM using one of the cards. Today, the FBI seized the web server for UGNazi.com and seized the domain name of Carders.org, taking both sites offline.

Steven Hansen, a/k/a “theboner1,” and Alex Hatala, a/k/a “kool+kake,” sold stolen CVVs, a term used by carders to refer to credit card data that includes the name, address, and zip code of the card holder, along with the card number, expiration date, and security code printed on the card. Hatala advertised to fellow carders that he got “fresh” CVVs on a “daily” basis from hacking into “DBs [databases] around the world.”

Ali Hassan, a/k/a “Badoo,” also sold “fulls,” a term used by carders to refer to full credit card data including cardholder name, address, Social Security number, birthdate, mother’s maiden name, and bank account information. Hassan claimed to have obtained at least some of them by having hacked into an online hotel booking site.

Joshua Hicks, a/k/a “OxideDox,” and Lee Jason Jeusheng, a/k/a “iAlert,” a/k/a “Jason Kato,” each sold “dumps,” which is a term used by carders to refer to stolen credit card data in a form in which the data is stored on the magnetic strips on the backs of credit cards. Hicks sold 15 credit card dumps in return for a camera and $250 in cash to a fellow carder who, unbeknownst to Hicks, was an undercover FBI agent. Hicks met the undercover agent in downtown Manhattan to consummate the sale. Similarly, Jeusheng sold 119 credit card dumps in return for three iPad 2s to a carder who was an undercover FBI agent. Jeusheng provided his shipping address in Japan to the undercover agent, which in part led to his identification and arrest.

Mark Caparelli, a/k/a “Cubby,” engaged in a so-called “Apple call-in” scheme in which he used stolen credit cards and social engineering skills to fraudulently obtain replacement products from Apple Inc., which he then resold for profit. The scheme involved Caparelli obtaining serial numbers of Apple products he had not bought. He would then call Apple with the serial number, claim the product was defective, arrange for a replacement product to be sent to an address he designated, and give Apple a stolen credit card number to charge if he failed to return the purportedly defective product. Caparelli sold and shipped four iPhone 4 cell phones that he had stolen through the Apple call-in scheme to an individual whom he believed to be a fellow-carder, but who, in fact, was an undercover FBI agent.

Sean Harper, a/k/a “Kabraxis314,” and Peter Ketchum, a/k/a “iwearaMAGNUM,” each sold drop services to other carders in return for money or carded merchandise. Harper provided drop addresses in Albuquerque, New Mexico, to which co-conspirators sent expensive electronics, jewelry, and clothing, among other things. Ketchum advertised drop locations “spread across multiple cities” in the United States and allegedly received and shipped carded merchandise including sunglasses and air purifiers, as well as synthetic marijuana.

Christian Cangeopol, a/k/a “404myth,” engaged in illegal “instoring” at Walmart to obtain Apple electronic devices with stolen credit cards. Instoring is a term used by carders to refer to using stolen credit card accounts to make in-store, as opposed to online, purchases of items using stolen credit card information and matching fake identifications. As part of the alleged scheme, Cangeopol and a co-conspirator used stolen credit card data to order electronic devices on Walmart’s website; in selecting a delivery option, they opted to have items delivered to various Walmart stores in Georgia; Cangeopol then picked up the items using a fake identification; Cangeopol and the co-conspirator then resold the carded electronics and split the proceeds.

“The coordinated law enforcement actions taken by an unprecedented number of countries around the world today demonstrate that hackers and fraudsters cannot count on being able to prowl the Internet in anonymity and with impunity, even across national boundaries,” said U.S. Attorney Preet Bharara.