Executive Summary
Kingpin tells the story of the rise and fall of a hacker legend: Max Butler. Butler is most famous for his epic, hostile hacking takeover in August 2006 of four of the criminal underground’s prominent credit card forums. He is also tangentially associated with the TJX data breach of 2007. His downfall resulted from the famous FBI sting called Operation Firewall where agent Keith Mularski was able to infiltrate one of the four forums Butler had hacked: DarkMarket. But Butler’s transition from pure white-hat hacker into something gray—sometimes a white hat, sometimes a black hat—is a treatise on the cyber criminal world. The author of Kingpin, Kevin Poulsen, imbues the story with lush descriptions of how Butler hacked his way around the Internet and pulls the curtain back on how the cyber criminal world functions. In much the same way that Cuckoo's Egg reads like a spy novel, Kingpin reads like a crime novel. Cyber security professionals might know the highlights of this cyber criminal underworld, but Poulsen is able to provide a lot of detail about how this world functions that is understood by mostly only the cyber criminals themselves and the law enforcement officials who stalk them. Because of that, Kingpin is cyber-security-canon worthy, and you should have read this by now.
Introduction
I first learned of the Max Butler story when I still worked at iDefense and contributed to the annual iDefense cyber security trends paper. I remember being fascinated at the time that this guy was linked to another strange and amazing story about the hackers behind the TJX breaches in 2007.[1][2] I even presented the story at RSA in 2010.[3] Kevin Poulsen, from Wired magazine, did some of the original reporting on the story in 2008[4] and then took the time to publish this book about it in 2011.[5] And I am glad that he did.
It is a fascinating account of a hacker extraordinaire named Max Butler—a.k.a. Iceman among other aliases—who just happened to be one of the most notorious carders who ever graced the hacking scene at the time. For the uninitiated, a carder is a hacker who engages in the illicit collection (theft) and underground-market selling of stolen credit card information.[6] Butler’s infamy did not just come from his brilliant hacker prowess, however. The hacking community considers him to be a hacker god because of his unbelievable moxie.
The Story
In Kingpin, Poulsen tells the life story of how Max Butler achieved hacker-god status, and the book is filled with unbelievable stories of hacking derring-do. In my humble opinion, though, Butler’s most astonishing act is when he decided that he did not like the status quo of the current carding scene.
Two years after the feds shut down the de facto underground carding forum—called Shadowcrew—in October 2004,[7] the carding community was fractured. Multiple carding groups emerged to fill the space left by Shadowcrew, but there was mistrust in the air, and none of the hackers were sharing information. Butler had a naive view of the hacking world and believed that there should be a place for underground researchers to freely share and discuss this kind of credit card information without the worry of getting arrested. He thought there needed to be a place where people like him could meet and discuss tradecraft and business within a trusted environment so he decided to fix the situation.
In a 48-hour marathon hacking session, Butler compromised the four leading carding forums of the day, which were run by criminal hackers; stole the user databases that resided there, which included user IDs and passwords; stole the forum transcripts that also resided there, which included everybody’s chat sessions; reinstalled everything on his own forum called CardersMarket; destroyed the data that resided on those rival forums; and then sent an e-mail to every user on the four compromised servers saying that he was now the forum Kingpin. How awesome is that? What gigantic cojones does it take to even think that you could get away with such an operation? But he did. The customers of the now-defunct servers—the cyber criminals—grumbled a bit, but because they could continue to operate, most stayed on Butler’s new CardersMarket forum.
One of the four forums that Butler compromised was called DarkMarket. This is the same forum that FBI agent Keith Mularski was able to penetrate as an undercover agent just months prior to Butler’s takeover.[8] Mularski convinced the owner of DarkMarket to let him be the forum administrator. Because of that, DarkMarket was the only forum to survive Butler’s attacks. Mularski was scrupulous about making backups, and because of that, he had DarkMarket back online only days after Butler’s blitzkrieg. He remained undercover as a forum administrator and monitored every conversation on the forum for the FBI for two years. Because of that effort, Mularski helped put the puzzle pieces together that ultimately resulted in Butler’s arrest.
Before Kingpin, I always assumed that Butler suspected Mularski as being a fed from the start. According to Poulsen, Butler had traced Mularski’s IP address back to the National Cyber-Forensics & Training Alliance (NCFTA) and knew he was a plant. Butler told anybody on the forums who would listen to him to stay away from Mularski, but nobody believed him.
According to Poulsen, the “new” CardersMarket forum was a cesspool of mistrust and politics, and Butler accused a lot of hackers of working for the feds as they accused him of doing likewise. Nobody got any traction. Butler’s takeover did not instigate a new era of trust and cooperation among the carders; it had almost the opposite effect.
The Tech
Butler’s gateway drug to hacking was probably the online phenomenon called TinyMUDs, the successors to multi-user dungeons (MUDs). MUDs were typically Dungeons & Dragons (D&D)-themed multi-user text-based games, the precursor to the three-dimensional and graphical massively multiplayer online role-playing games (MMORPGs) like World of Warcraft today.[9] TinyMUDs discarded the D&D game elements and allowed users to meet each other and build onto their environments as they saw fit, kind of like the precursor to the three-dimensional MMORPG called Second Life.[10] I recently highlighted this MUD culture in a blog about another cyber-security-canon-worthy novel called The Blue Nowhere.[11] Just like both hacker characters in The Blue Nowhere, Butler was an avid TinyMUD player, and also just like the hacker characters, he stored the tools of his trade in unsuspecting compromised sites, tools like NetXray,[12] Laplink,[13] and Symantec’s pcAnywhere.[14]
Throughout Poulsen’s book, it is clear that Butler never really understood where the line existed between white-hat and black-hat activity.[15] One of Butler’s early epic hacks came about when the security community discovered a gigantic security vulnerability in the BIND implementation of the domain name system (DNS).[16] Thinking that it was his duty as a white-hat security researcher to fix the problem, Butler crafted a buffer overflow attack[17] that leveraged the vulnerability, scanned the Internet for DNS systems that were vulnerable, compromised those machines with the buffer overflow attack, downloaded a rootkit[18] to each of the machines that he now owned, and installed the patch that fixed the vulnerability. He thought he was doing a worthy community service to the world. The owners of all of those DNS boxes had a different opinion.
As a white-hat researcher, he helped develop BRO, one of the first experiments in intrusion detection systems.[19] While assisting the Honeynet Project,[20] he developed a program called Privmsg that allowed him to reconstruct hacker chat messages by listening to network traffic. The guts of Privmsg became a part of BRO.[5]
Wearing his black hat, he became an expert at wardriving to find unprotected WiFi sites that he could use to hide his hacking activity.[21] He used the Bifrost Trojan to gain entry into unsuspecting victim computers but modified it to bypass anti-virus engines. He tested his modifications on multiple VMware instances running different versions of anti-virus engines. Then he delivered his creation to other black-hat hackers in order to see what they were doing and to steal their credit card dumps for his own profit.[5] He took advantage of a serious vulnerability in a software program called RealVNC. VNC stands for virtual network console, and the RealVNC software ran on point-of-sale devices on many small businesses’ computers. Like he did with the DNS vulnerability, Butler scanned the Internet looking for vulnerable instances in order to compromise the machines and steal the credit card information that the business owners collected daily.[5] To say the least, he was a little conflicted.
Butler’s business partner, Chris Aragon, was responsible for the money-laundering piece of their illicit carding enterprise. After reading Poulsen’s description of the mechanics, you cannot help but think that being a cyber criminal is really hard work. Most non-geeks never really think about the difficulty of converting stolen credit card numbers into real cash. There is a convoluted process involving specialized equipment and many small transactions involving multiple people. You essentially have to make credit cards, and the accompanying driver’s licenses, by imprinting the credit card numbers and user information onto blank card material. You hand those cards to your mules—in Aragon’s case, four or five young and attractive women—who would spend the day shopping for high-end luxury items. The mules return the merchandise back to Aragon, who in turn sells it on eBay at reduced prices. Poulsen goes into great detail about how Aragon, and later Butler on his own, went about this daily business.[5]
Poulsen also describes how the advent of distributed denial of service (DDoS) attacks originated in the hacking community as a way for black-hat hackers to mess with each other.[22] But when Michael Calce—a.k.a. MafiaBoy—launched an experimental DDoS attack against some prominent public websites—CNN, Yahoo!, Amazon, eBay, Dell, and E-Trade—the cat was out of the bag, and the result was an emergency meeting of security experts at the White House.[5][23]
Butler used hard drive encryption to protect his data and, by inference, his hacking activity. The thought was that this best practice in the hacker community would protect hackers in case law enforcement seized their equipment. Law enforcement officials could grab the hard drives, but because the drives were encrypted, officials would not be able to read any of the information. When the feds finally showed up on Butler’s doorstep, accompanied by some forensics experts from Carnegie Mellon, Butler thought he was secure. Unfortunately, they showed up almost unannounced, and Butler did not have the time to power his systems down. What he did not realize is that while the systems are running, the key for the encryption is stored in RAM. It took them a while, but the forensics experts were able to find the encryption key in RAM and unlock Butler’s hard drives.[5]
Conclusion
Poulsen nails this story. He recounts the transition of Max Butler from pure white-hat hacker into something gray: sometimes a white hat, sometimes a black hat. The technical hacking detail is fascinating, but more importantly, Poulsen is able to pull the curtain back on the cyber criminal world. In much the same way that Cuckoo's Egg reads like a spy novel,[24] Kingpin reads like a crime novel. Cyber security professionals might know the highlights of this cyber criminal underworld, but Poulsen is able to provide a lot of detail about how this world functions that is understood by mostly only the cyber criminals themselves and the law enforcement officials who stalk them. Because of that, Kingpin is cyber-security-canon worthy, and you should have read this by now.
Note
I worked for iDefense (a VeriSign Inc. business unit) the first time that I wrote about Kingpin. Jason Greenwood, the current general manager and an old friend of mine, has graciously allowed me to reuse some of the original content from that essay for this updated blog post. iDefense is still one of the best commercial cyber security intelligence outfits out there. If you have cyber intelligence needs, you should consider calling those guys.
Sources
[1] "TJX, Heartland Hacker Hit With A Second 20-Year Prison Sentence," by Kelly Jackson Higgins, Dark Reading, 26 March 2010, last visited 25 January 2014,
http://www.darkreading.com/attacks-breaches/tjx-heartland-hacker-hit-with-a-second-2/224200531
[2] "TJX Hacker Stole 47.5 Million Card Numbers, Rampaged Through Company’s System," by Ryan Singel, Wired Magazine, 29 March 2007, last visited 25 January 2014,
http://www.wired.com/threatlevel/2007/03/tjx_hacker_stol/#previouspost
[3] "Cyber Security Trends and Future Cyber," by Rick Howard, RSA Conference 2010, starts at minute 4:44, ends at 8:58, last visited 25 January 2014,
http://www.youtube.com/watch?v=61u1Odmqb9A
[4] "One Hacker's Audacious Plan to Rule the Black Market in Stolen Credit Cards," by Kevin Poulsen, Wired Magazine, 22 December 2008, last visited 25 January 2014,
http://www.wired.com/techbiz/people/magazine/17-01/ff_max_butler?currentPage=all
[5] "Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground," by Kevin Poulsen, published by Crown, 1 January 2011, last visited 22 January 2014,
https://www.goodreads.com/book/show/9319468-kingpin?ac=1
[6] "How 'carders' trade your stolen personal info," by Robert Vamosi, CNET, 29 September 2008, last visited 22 January 2013,
http://news.cnet.com/8301-10789_3-10053523-57.html
[7] "US Secret Service's Operation Firewall Nets 28 Arrests," by the US Secret Service, Press Release, 28 October 2004, last visited 22 January 2014,
http://www.secretservice.gov/press/pub2304.pdf
[8] "The FBI Agent Who became a Black-Market Mole," by Zoe Chace, NPR, 17 June 2011, Last Visited 8 March 2014,
http://www.npr.org/blogs/money/2011/06/17/137251254/the-fbi-agent-who-ran-a-stolen-credit-card-ring
[9] "World of Warcraft: Mists of Pandaria," Blizzard Entertainment, last visited 25 January 2014,
http://us.battle.net/wow/en/
[10] "SecondLIFE," by Linden Research, last visited 25 January 2014,
http://secondlife.com/?gclid=CPK6ntSrmrwCFeZj7AodogQARw
[11] "Book Review: The Blue Nowhere by Jeffery Deaver (2001)," by Rick Howard, Terebrate, 11 January 2014, last visited 25 January 2014,
http://terebrate.blogspot.com/2012/11/book-review-blue-nowhere-by-jeffery.html
[12] "NetXray 3.0," by Michael P. Deignan, Windows IT Pro, 31 December 1997, last visited 25 January 2014,
http://windowsitpro.com/windows/netxray-30
[13] "laplink everywhere: User Guide," by laplink, 24 July 1996, last visited 25 January 2014,
http://www.laplink.com/products/lle/LLE4_User_Guide.pdf
[14] "Opinion: Difficult to become a hacker? It's easier than you think: With Symantec's Web client for pcANYWHERE, you can hack away without really trying," by Mark Gibbs, CNN, 12 February 1999, last visited 25 January 2014,
http://www.cnn.com/TECH/computing/9902/12/hack.idg/
[15] "Hacker Hat Colors Explained: Black Hats, White Hats, and Gray Hats," by Chris Hoffman, How-To Geek, 20 April 2013, last visited 26 January 2014,
http://www.howtogeek.com/157460/hacker-hat-colors-explained-black-hats-white-hats-and-gray-hats/
[16] "CERT* Advisory CA-98.05," by The Software Engineering Institute, Carnegie Mellon University, original issue date: 8 April 1998, last updated: 16 November 1998, last visited 26 January 2014,
http://www.cert.org/advisories/CA-98.05.bind_problems.html
[17] "Conficker: How a Buffer Overflow Works," by Kevin Poulsen, Wired Magazine, 31 March 2009, last visited 26 January 2014,
http://www.wired.com/threatlevel/2009/03/conficker-how-a/
[18] "10+ things you should know about rootkits," by Michael Kassner, TechRepublic, 17 September 2008, last visited 26 January 2014,
http://www.techrepublic.com/blog/10-things/10-plus-things-you-should-know-about-rootkits/
[19] "Episode336: Tech Segment: Liam and Seth on Bro IDS," by Seth Hall and Liam Randall, Security Weekly, 20 June 2013, last visited 26 January 2014,
http://wiki.pauldotcom.com/wiki/index.php/Episode336#History
[20] "About The Honeynet Project," by The Honeynet Project, last visited 26 January 2014,
http://www.honeynet.org/about
[21] "What is ‘Wardriving’ and How Can It Affect Your Company’s Computer Network?" by Scott Aurnou, TheSecurityAdvocate, 25 March 2013, last visited 26 January 2014,
http://www.thesecurityadvocate.com/2013/03/25/what-is-wardriving-and-how-can-it-affect-your-companys-computer-network/
[22] "How Zombie Computers Work," by Jonathan Strickland, howstuffworks, 2007, last visited 26 January 2014,
http://computer.howstuffworks.com/zombie-computer3.htm
[23] "'Mafiaboy' breaks silence, paints 'portrait of a hacker,'" by Doug Gross, CNN, 15 August 2011, last visited 26 January 2014,
http://www.cnn.com/2011/TECH/web/08/15/mafiaboy.hacker/
[24] "Book Review: The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage (1989) by Clifford Stoll," by Rick Howard, Terebrate, 14 July 2013, last visited 21 January 2014,
http://terebrate.blogspot.com/2013/07/book-review-cuckoos-egg-tracking-spy.html