Following a two-year undercover operation led by the FBI, a coordinated action involving law enforcement agencies from 13 countries has led to the arrest of 24 individuals involved in “carding” crimes both in the US and abroad.
Eleven individuals were arrested throughout the United States, as well as two minors in California. Another 13 individuals were arrested in seven foreign countries: the UK, Bosnia, Bulgaria, Norway, and Germany, Italy and Japan.
Australia, Canada, Denmark, and Macedonia conducted interviews, executed search warrants, or took other coordinated action in connection with today’s takedown.
Charges were also unsealed in the Southern District of New York against four additional defendants who remain at large.
“The allegations chronicle a breathtaking spectrum of cyber schemes and scams. As described in the charging documents, individuals sold credit cards by the thousands and took the private information of untold numbers of people,” commented Manhattan U.S. Attorney Preet Bharara.
“As alleged, the defendants casually offered every stripe of malware and virus to fellow fraudsters, even including software-enabling cyber voyeurs to hijack an unsuspecting consumer’s personal computer camera. To expose and prosecute individuals like the alleged cyber criminals charged today will continue to require exactly the kind of coordinated response and international cooperation that made today’s arrests possible.”
How did the FBI manage to discover these individuals in the first place?
In June 2010, the FBI established an undercover carding forum called “Carder Profit” (the “UC Site”), enabling users to discuss various topics related to carding and to communicate offers to buy, sell, and exchange goods and services related to carding, among other things.
The UC Site was configured to allow the FBI to monitor and to record the discussion threads posted to the site, as well as private messages sent through the site between registered users. It also allowed the FBI to record the Internet protocol (IP) addresses of users’ computers when they accessed the site.
Access to the UC Site, which was taken offline in May 2012, was limited to registered members and required a username and password to gain entry. Various membership requirements were imposed from time to time to restrict site membership to individuals with established knowledge of carding techniques or interest in criminal activity. For example, at times, new users were prevented from joining the site unless they were recommended by two existing users who had registered with the site or unless they paid a registration fee.
New users registering with the UC Site were required to provide a valid e-mail address as part of the registration process. The e-mail addresses entered by registered members of the site were collected by the FBI.
In the course of the undercover operation, the FBI contacted multiple affected institutions and/or individuals to advise them of discovered breaches in order to enable them to take appropriate responsive and protective measures. All in all, the FBI has notified credit card providers of over 411,000 compromised credit and debit cards, and notified 47 companies, government entities, and educational institutions of the breach of their networks.
As alleged in the complaints unsealed in the Southern District of New York, the defendants are charged with engaging in a variety of online carding offenses in which they sought to profit through, among other means, the sale of hacked victim account information, personal identification information, hacking tools, drop services, and other services that could facilitate carding activity.
Michael Hogue, a/k/a “xVisceral,” offered malware for sale, including remote access tools (RATs) that allowed the user to take over and remotely control the operations of an infected victim-computer. Hogue sold his RAT widely over the Internet, usually for $50 per copy and boasted that he had personally infected “50-100” computers with his RAT and that he’d sold it to others who had infected “thousands” of computers with malware.
Jarand Moen Romtveit, a/k/a “zer0,” used hacking tools to steal information from the internal databases of a bank, a hotel, and various online retailers, and then sold the information to others.
Mir Islam, a/k/a “JoshTheGod,” trafficked in stolen credit card information and possessed information for more than 50,000 credit cards. Islam also held himself out as a member of “UGNazi,” a hacking group that has claimed credit for numerous recent online hacks, and as a founder of “Carders.Org,” a carding forum on the Internet. The FBI seized the web server for UGNazi.com and seized the domain name of Carders.org, taking both sites offline.
Steven Hansen, a/k/a “theboner1,” and Alex Hatala, a/k/a, “kool+kake,” sold stolen CVVs, a term used by carders to refer to credit card data that includes the name, address, and zip code of the card holder, along with the card number, expiration date, and security code printed on the card. Hatala advertised to fellow carders that he got “fresh” CVVs on a “daily” basis from hacking into “DBs [databases] around the world.”
Ali Hassan, a/k/a “Badoo,” also sold “fulls,” a term used by carders to refer to full credit card data including cardholder name, address, Social Security number, birthdate, mother’s maiden name, and bank account information. Hassan claimed to have obtained at least some of them by having hacked into an online hotel booking site.
Joshua Hicks, a/k/a “OxideDox,” and Lee Jason Jeusheng, a/k/a “iAlert, a/k/a “Jason Kato,” each sold “dumps,” which is a term used by carders to refer to stolen credit card data in a form in which the data is stored on the magnetic strips on the backs of credit cards.
Mark Caparelli, a/k/a “Cubby,” engaged in a so-called “Apple call-in” scheme in which he used stolen credit cards and social engineering skills to fraudulently obtain replacement products from Apple Inc., which he then resold for profit.The scheme involved Caparelli obtaining serial numbers of Apple products he had not bought. He would then call Apple with the serial number, claim the product was defective, arrange for a replacement product to be sent to an address he designated, and give Apple a stolen credit card number to charge if he failed to return the purportedly defective product.
Sean Harper, a/k/a “Kabraxis314,” and Peter Ketchum, a/k/a “iwearaMAGNUM,” each sold drop services to other carders in return for money or carded merchandise. Harper provided drop addresses in Albuquerque, New Mexico, to which co-conspirators sent expensive electronics, jewelry, and clothing, among other things. Ketchum advertised drop locations “spread across multiple cities” in the United States and allegedly received and shipped carded merchandise including sunglasses and air purifiers, as well as synthetic marijuana.
Christian Cangeopol CANGEOPOL, a/k/a “404myth,” engaged in illegal “instoring” at Walmart to obtain Apple electronic devices with stolen credit cards. Instoring is a term used by carders to refer to using stolen credit card accounts to make in-store, as opposed to online, purchases of items using stolen credit card information and matching fake identifications. As part of the alleged scheme, Cangeopol and a co-conspirator used stolen credit card data to order electronic devices on Walmart’s website; in selecting a delivery option, they opted to have items delivered to various Walmart stores in Georgia; Cangeopol then picked up the items using a fake identification; Cangeopol and the co-conspirator then resold the carded electronics and split the proceeds.