What this former most wanted US cybercriminal wants you to know about protecting yourself online 

Brett Johnson, Former US Most Wanted Cybercriminal

I began committing crimes when I was ten years old. Not cybercrimes but shoplifting and stealing food. Everyone on my mother’s side of the family was a fraudster or involved in some crime, so I grew up in a crime family.

I grew up knowing how to do insurance fraud, stealing cars, faking accidents, burning homes for cash, illegally strip mining coal, document fraud, and cheque kiting. I had experience with all of that stuff.

My history of cybercrime 

I got married in 1994 and moved from Hazard, Kentucky to Lexington, Kentucky. I was running small street scams and things like that. I was not doing really well, so I found eBay. This would have been probably ’95 at this point. I knew there was a way to make money on it but didn’t know how.

I got a lot of inspiration from a TV show called Inside Edition, which was a news tabloid show. The first show they were doing was a show on Beanie Babies, these high-dollar collectible stuffed animals that were very popular in the late nineties.

That’s how I started. I was selling fake and fraudulent Beanie Babies on eBay. From there, it grew into selling pirated software. Pirated software led to mod chips, first in the gaming systems, then into cable television boxes so you could watch all the pay-per-view channels.

Finally, that led to programming satellite DSS cards. In the United States, you’ve got these 18-inch RCA satellite systems with dishes on them. You can pull the access card out of it, program it, and turn on all the channels.

I started doing that, made a lot of money, and ripped people off at the same time. I figured I needed a driver’s licence to do it under some other name, so I started to look around for a fake ID. I thought I found a guy; sent him the money and my picture. The guy ripped me off.

That led to ShadowCrew because I still needed that ID. I found a site called Counterfeit Library, a degree mill that specialised in counterfeit degrees and certificates. They had a forum that no one was using, so I went in there, and every day, I just complained about being ripped off while trying to get a fake ID.

That led to other people coming in and talking about fraud. When you look at the genesis of modern cybercrime, you see three websites: CounterfeitLibrary, ShadowCrew, and CarderPlanet. I ran CounterfeitLibrary. I built and ran ShadowCrew. A guy named Dmitry Golubov, a Ukrainian national, built CarderPlanet.

Counterfeit Library was the genesis of financial cybercrime. We were doing things like eBay and PayPal fraud. Dmitry Golubov was a spammer who was getting these credit card details, and he saw what we were doing on Counterfeit Library.

His idea at the time was, “I wonder if someone would buy stolen credit card details.” Turned out they would. He picks up the phone. He calls his Ukrainian buddies. They call their buddies. They have a physical conference in Odessa; 150 of these Ukrainian criminals show up, and they launch CarderPlanet, which is the genesis of credit card theft as we know it today.

The problem was that then, Dmitry and the Ukrainians had committed so much card fraud in Ukraine that all the card providers had shut everything down. Even if you were a legitimate cardholder, you could not use your card in Ukraine at that point.


He had card data, but he couldn’t use it. So he ended up coming over to CounterfeitLibrary, and we formed a partnership. That partnership ultimately led to ShadowCrew. Now, ShadowCrew is important because, first of all, it was the first dark web marketplace before the dark web existed.

It dealt in all financial crimes, goods, and services that you wanted back then. We also, to a degree, dealt drugs online. So ecstasy, marijuana, and opiates, things like that. We had gotten so big on CounterfeitLibrary and with the partnership with CarderPlanet, that we shifted and came up with ShadowCrew. ShadowCrew is important because it establishes a trust mechanism that criminals use.

Honour among thieves 


If you think about it, it’s never a single attack. It’s always a group of people who are online working together to commit these crimes. We have to trust each other even though we don’t know each other’s names, we don’t know what we look like, and we’ll never meet face-to-face. So how does trust work in an online criminal community? First, you need to have a large communication channel, a forum-type structure.

So if you go to DREAD and some of these marketplaces on the dark web today, you see that DREAD is a forum-type structure where individuals from different time zones can reference conversations days, weeks, or months old, take part in those conversations, and learn from those conversations. The screen name, the username of the individual, becomes their brand.

You know by looking at that name what the history of that person is — if they’ve ever ripped anyone off, if they can be trusted, if you can network with them, if you can learn from them. We had vouching systems in place, review systems in place, and escrow systems in place, all with the singular purpose of establishing trust between one criminal and another. That’s how modern cybercrime started.

My road to redemption 

Brett Johnson at GITEX Conference, Dubai 2024

In August of 2004, ShadowCrew made the front cover of Forbes with the headline, “Who’s stealing your identity?”

On October 26, 2004, the United States Secret Service arrested 33 people in six countries, in six hours. I’m the only guy who’s publicly mentioned as having gotten away. They picked me up four months later. They give me a job. Me! Idiot that I was, I continued to break the law from inside Secret Service offices for the next ten months until they found out about it.

At that point, I took off on a cross-country crime spree, stole $600,000 in four months, woke up one morning on the United States’ most wanted list and went to Disney World. I lasted, I don’t know, four or five weeks at Disney World. They arrested me and sent me to prison. I escaped from prison. Then they arrested me again, and I finally served out my time.

Only after this experience did I decide that it was time to turn my life around. My sister, my only sibling, had cut me off and wouldn’t have anything to do with me. We grew up together in a very abusive environment, and we were all we had, so that really hurt. And then when she came back into my life after the escape, that meant something, and it hit hard that I needed to change my life.


That was the first real impetus to change. When I got out of prison, I met my wife, Michelle, and she showed me what a healthy relationship was. I’d been dating strippers and partying and stuff like that.

She didn’t want me for the things that I could give her. She wanted me for me, and I had never had that. Finally, just in an act of absolute desperation, I was about to go back and commit a crime again. I reached out to the FBI and this agent, Keith Mularski, responded within two hours.

He took me under his wing. He gave me references. He gave me advice. And those three things were the major reasons I turned my life around. I came into the cyber security and anti-fraud communities, and they were very accepting. There was never any fuss about not letting me in the environment, and because of all that, I was given the opportunity to change, and I did.

Why businesses struggle to collaborate 

The issue is that the bad guys are much better at working together and sharing information than the good guys are. There are a few reasons. You’ve got privacy concerns; you’ve got regulations with governments, so you can’t share some information.

Certainly in the United States, it’s like that. More importantly, many companies don’t share information because of competitive edges. Take a company like Amazon that got hit with friendly fraud around 2013. They did not share that information with anyone else in their vertical. And they didn’t do that because it gave them a competitive edge. They knew as they put security and implemented security, those criminals would go elsewhere.

They would go to Microsoft, they would go to Apple, and then they would bleed down into the retail environment. Not sharing information makes those other companies the lowest-hanging fruits in that tree. So it’s easier to victimise them than it is to victimise Amazon.

The second thing is companies simply do not like to share that information. I worked with Microsoft, and they were very adamant about not sharing any type of information, insider threat that they had, or hack that they’d been hit with.

There’s a saying by the Under Armour CEO, “Trust is gained in droplets, but it’s lost in buckets.” If you’re running a company and you announce to the public that you’ve been breached, what does that tell every single customer that you’ve got? You lose the trust of the majority of those customers, and gaining that trust back is very difficult.

A lot of companies don’t want to do that. Also, in the United States, it is believed that if you are a breached company, the FBI or federal authorities are going to come in. And if you’ve done anything wrong, if you’ve not protected your customers properly, they’re going to charge you too. Because of that, companies are scared to share information as well. However, this perception is changing.

How businesses and individuals leave themselves vulnerable  

One of the problems is that we call online criminals or attackers “hackers”, and that name comes with certain connotations.


“You can’t catch these guys. These guys are computer geniuses. They’re better than us.” But that’s not true. The truth is, we are criminals, and while we do have some computer geniuses, the 98 and 99 percentile are just good social engineers. They know what it takes to manipulate you into doing things.

So, what’s the problem? The problem is that more than 90% of every attack uses a known threat. It’s not the stuff we don’t know about. It’s the stuff we know about, that we’ve been told about, that creates that threat landscape.

The two biggest cyber attacks in history, SolarWinds and NotPetya, were nation-state attacks that both used known exploits. So it’s the stuff we are told about that we’re not doing anything about. As a company or an individual, you have to look at that threat landscape.

You have to scan your environment to see what vulnerabilities are out there. You should be scanning your network for the vulnerabilities that are listed because that’s exactly what a criminal does every day.

When an update comes out, criminals know that you’re not going to apply the update immediately, so they start scanning networks to see what vulnerabilities are available every day.

The second step is understanding that for me to victimise you as an individual or an organisation, I have to get you to trust me.

If I can’t get you to trust me, you’re not going to give me information, access, data, or cash. So what does trust look like in an online environment? Well, trust is usually established through technology, tools, and social engineering. We inherently trust the technology that is given to us. Criminals use tools to manipulate that technology; once that’s done, social engineers come in to manipulate you to give them that data, so realise what it takes to establish trust with you and design security around it.

The biggest cyber threats today 


For individuals, it’s always going to be identity theft, and the reason for that is that most financial cybercrime has an element of identity theft.

Understand that there’s a necessity on the criminal’s part to steal an element of your identity. It’s all about protecting your identity. In the United States, that means freezing your credit, monitoring your accounts and placing alerts, multi-factor authentication, and stuff like that.

For a company, there are a variety of threats. Take a step back and ask, How do I gain trust in a company? Does it take a stolen credential? Does it take a stolen identity? A browser fingerprint? Figure that out and work with that. Also know that the way I will attack you absolutely depends on who you are and what you do.

So if you’re an employee of a company and on payroll, I may try to launch some sort of business email compromise. Same thing with a CEO. But if you’re just some lowly individual, I might just try to get you to get me access to that network, so I can go in and steal data or lock it down with ransomware.
