Misuse of Computers: Shadowcrew and soupnazi
The Internet is a vehicle for bringing together people with common interests, but Shadowcrew was not your everyday social network.
White PapersMore >>
- Building and Refining Threat Hunting Practices in Your Enterprise
- Now That Ransomware Has Gone Nuclear, How Can You Avoid Becoming the Next Victim?
Shadowcrew was a notorious criminal conspiracy that operated from August 2002 to October 2004. It was a wake-up call for corporations, particularly retailers, with vulnerable networks. This community of credit-card fraudsters and identity thieves participated in an Internet-based exchange, a high-tech twist on trafficking in stolen goods. Shadowcrew.com was like a version of eBay for buyers and sellers from the black hat, or criminal side, of the hacker communityThe Shadowcrew conspiracy revealed network and database security problems were pervasive. Despite a decade of Internet commerce and an even longer history of criminal exploitation of credit cards, Shadowcrew confirmed there was still big money to be made due to weak security measures. It revealed a global community of criminal hackers was profiting from exploiting vulnerable networks and servers; the hacker's penetrations were not always detected. Why would a bank robber risk using explosives if he can find a bank vault that's routinely left open and no one notices repeated intrusions?
Shadowcrew founders, Andrew Mantovani and David Appleyard, came up with the idea of an online exchange for carders to swap hacking tips and to sell or auction off stolen data. The Shadowcrew members sent out thousands of phishing e-mails to get credit card information and they hacked into databases after penetrating 12 computer networks. Some Shadowcrew members used a sophisticated money laundering system created by Omar Dhanani to exchange cash for eGold, which was backed by gold bullion. Another method to avoid the oversight inherent in banking was to pay by Western Union money transfers.
Shadowcrew members used a combination of instant messaging, encryption, and anonymizers (virtual private networks, proxy servers, and rotating IP addresses) to hide their activity and they succeeded in operating for more than two years. Besides debit- and credit-card information, the Shadowcrew members also held auctions of other tools for identity theft, including information about bank accounts, Social Security cards, health insurance cards, birth certificates, and counterfeit passports, drivers' licenses, traveler's checks and college student IDs.
Crew members such as Brandon Monchamp and Matthew Johnson were moderators of forums that discussed topics such as how to create drivers' licenses or counterfeit bank cards. Other crew members, including Alexander Palacio, acted as reviewers who evaluated stolen merchandise such as credit card number collections. Vendors such as Rogerio Rodrigues and Omar Dhanani provided money laundering and other services. Shadowcrew vendor Nicolas Jacobsen hacked into T-Mobile's servers and customer database, giving him access to personal information for 16.3 million T-Mobile subscribers. The T-Mobile hack also enabled Shadowcrew to monitor e-mails for months. One account led Jacobsen to Peter Cavicchia, a US Secret Service agent involved in the investigation. Shadowcrew was able to monitor Secret Service e-mails and had access to government documents that contained sensitive information.
Shadowcrew was the introduction of law enforcement authorities to a criminal mastermind who was later to organize what CBS News called "the worst high-tech heist in shopping history." The conspiracy named 'Operation Get Rich or Die Tryin' was launched by Albert Gonzalez, also known as soupnazi.
Gonzalez had been arrested in 2003 while he was an administrator and moderator of the Shadowcrew.com website. The site had 4000 members selling and swapping stolen credit-card information using encrypted communications. After his arrest, Gonzalez cooperated with the Secret Service on a sting. Operation Firewall resulted in 28 arrests in 2004 of Shadowcrew members, including Mantovani and Appleyard. Besides the Secret Service in the US, the investigation and simultaneous arrests involved law enforcement agencies in Canada, Belarus, Bulgaria, Netherlands, Poland, Sweden, the United Kingdom and Ukraine.
Gonzalez had convinced the Shadowcrew conspirators to use a private VPN that was monitored by the Secret Service. Nicolas Jacobsen, who'd hacked T-Mobile servers, asked Gonzalez for a proxy server, not knowing Gonzalez was a Secret Service informant. In response, the Secret Service configured a honeypot proxy server that enabled its agents to monitor Shadowcrew activity. The agents learned of Jacobsen logging into Secret Service computers with the userid and password for Agent Cavicchia. A week later law enforcement agencies took down Shadowcrew with simultaneous arrests in several countries.
According to the Operation Firewall indictment,
"Shadowcrew members collectively trafficked in and made unauthorized use of at least 1.5 million stolen credit card numbers"
In October 2004, the Justice Department handed down indictments for 19 Shadowcrew leaders. The Justice Department announcement of the indictment of Kenneth J. Flury described the scheme as netting him almost $400,000 in three weeks of using counterfeit ATM cards:
"On October 18, 2005, a federal grand jury in Cleveland, Ohio, returned an indictment charging Flury with one count of bank fraud, arising from a Flury's scheme to defraud CitiBank which occurred between April 15, 2004, and May 4, 2004, and involved Flury obtaining stolen CitiBank debit card account numbers, PINs and personal identifier information of the true account holders which Flury fraudulently encoded onto blank ATM cards. After encoding blank cards with the stolen account information, Flury used the counterfeit ATM to obtain cash advances to withdraw cash and obtain cash advances totaling over $384,000 from ATM machines located in the Greater Cleveland area over a 3 week period. After Flury fraudulently obtained the funds, he transferred approximately $167,000 of the fraud proceeds via Western Union money transfers to the individuals supplying the stolen CitiBank account information located in Europe and Asia"
In 2006, the Shadowcrew criminals faced justice for Conspiracy and Bank Fraud. Kenneth J. Flury and Andrew Mantovani were fined and sentenced to 32 months in prison, followed by three years of supervised release. Five others were sentenced at that time. Flury was ordered to pay $300,748.64 in restitution to Citibank.
The Shadowcrew arrests followed a period of staggering growth in credit card fraud, which had become a multi-billion dollar nightmare. In 1980, Visa and Master Card lost $110 million to credit card fraud. By 1995, that number had grown to $1.63 billion. In 2004, the Federal Trade Commission reported $52 billion in goods and services had been purchased with fraudulently obtained personal identification. The FBI reported in 2005 that credit card fraud was the majority of the total U.S. financial fraud losses of $315 billion.
Next: Operation Get Rich or Die Tryin' -- Shadowcrew members used a combination of instant messaging, encryption, and anonymizers (virtual private networks, proxy servers, and rotating IP addresses) to hide their activity and they succeeded in operating for more than two years.