A former security researcher turned criminal hacker has been sentenced to 13 years in federal prison for hacking into financial institutions and stealing credit card account numbers.
Max Ray Butler, who used the hacker pseudonym Iceman, was sentenced Friday morning in U.S. District Court in Pittsburgh on charges of wire fraud and identity theft.
In addition to his 13-year sentence, Butler will face five years of supervised release and must pay $27.5 million in restitution to his victims, according to Assistant U.S. Attorney Luke Dembosky, who prosecuted the case for the federal government.
Dembosky believes the 13-year sentence is the longest ever handed down for hacking charges.
Butler, also known as Max Vision, pleaded guilty to wire fraud charges in June last year.
He gained notoriety for hacking into carder forum Web sites, where stolen credit card numbers are bought and sold, and forcing members to conduct their business through his own site — CardersMarket.com.
Criminals used the stolen credit card numbers to create fake debit and credit cards that were then used to steal money or merchandise.
This isn’t Butler’s first time facing a federal hacking sentence.
After a promising start as a security consultant who did volunteer work for the U.S. Federal Bureau of Investigation, Butler was arrested for writing malicious software that installed a back-door program on computers — including some on federal government networks — that were susceptible to a security hole.
He served an 18-month prison term for the crime and fell on hard times after his 2002 release, he said in a sentencing memorandum filed Thursday.
“I was homeless, staying on a friend’s couch. I couldn’t get work,” he wrote. In desperation, he said, he turned again to cybercrime.
By the time of his arrest in September 2007, he had built the largest marketplace for stolen credit and debit card information in the world.
“It is a shame that someone with so much ability chose to use it in a manner that hurt many people,” Dembosky said in an e-mail message.
“This sentence sends a message that cyber crime is taken very seriously.”
Butler’s public defender, Michael Novara, could not immediately be reached for comment.
The court is recommending that Butler be incarcerated at the minimum-security Federal Prison Camp in Sheridan, Oregon.
Over the past couple of years, the FBI has made remarkable progress in bringing hackers to justice – and one agent who has delved deeper into the world of online computer fraud is Supervisory Special Agent J. Keith Mularski.
He succeeded in infiltrating DarkMarket — a “carder” site, which functions like an eBay for online criminals.
It was where identity thieves could buy and sell stolen credit card numbers, online identities and the tools to make fake credit cards.
In late 2006, Mularski, who had risen through the ranks using the name Master Splynter, had just been made administrator of the site.
Mularski not only had control over the technical data available there, but he had the power to make or break up-and-coming identity thieves by granting them access to the site. And not everybody was happy with the arrangement.
But Iceman was apparently aware that Mularski wasn’t the Polish spammer he claimed to be.
He began alleging that Master Splynter was really an agent for the U.S. Federal Bureau of Investigation.
Iceman had some evidence to back up his claim but couldn’t prove anything conclusively.
At the time, every other administrator on the site was being accused of being a federal agent, and Iceman had credibility problems of his own.
He had just hacked DarkMarket and three other carder forums in an aggressive play at seizing control of the entire black market for stolen credit card information.
That’s when Mularski went for the takeaway. Salesmen have long used this tactic to seal difficult deals: You simply take the deal off the table in the hope it will spur the customer to come to you. Badgered by questions about his credibility, he threatened to quit altogether.
“I decided to risk it all and just said, ‘Hey, if you think you can do a better job running the site and if you think I’m a fed, then by all means take the stuff. I don’t want anything to do with it,’” he recalled recently in an interview. “What law enforcement agency would, after they were monitoring the site, want to give it back to the bad guys?”
Mularski’s gambit paid off, and the other DarkMarket administrators let him stay on for another two years.
In the end they would regret that decision. Iceman was right: Supervisory Special Agent J. Keith Mularski had gone deeper into the world of online computer fraud than any FBI agent before.
Working with police agencies in Germany, the U.K., Turkey and other countries, he spearheaded a remarkable investigation that netted 59 arrests and prevented an estimated $70 million in bank fraud before the FBI pulled the plug on Operation DarkMarket on Oct. 4, 2008.
Mularski works for a little-known FBI division called the Cyber Initiative and Resource Fusion Unit, run out of the National Cyber-Forensics & Training Alliance in Pittsburgh, Pennsylvania. The unit is different from a typical FBI field office.
It works hand in hand with industry and takes the time to do the deep research required to penetrate the world of online criminals.
“They have a direct personal relationship with industry people in all areas, but specifically a great relationship with the financial institutions,” said Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham.
The group also works closely with international law enforcement, laying the groundwork to prosecute Internet criminals who launch attacks across national borders. “Those relationships
Mularski’s life as an undercover spammer began around July of 2005, when he created his handle Master Splynter in a tribute to the cartoon rat who plays sensei to the Teenage Mutant Ninja Turtles. His unit ran a project called Slam-Spam, and Mularski, a self-confessed computer nerd, said he had picked up a lot of spamming tricks before he started the operation. “I could talk shop,” he said.
He didn’t send out spam himself, but he knew what questions to ask and — more importantly — what not to ask. He kept to his character as a spammer. If someone approached him with a new “zero day” attack, he wouldn’t ask for details. And he avoided going after personal information, not asking forum members obvious cop-giveaways such as where did they live.
“The thing is with these guys, you can’t necessarily target them and just approach them out of the blue,” he said. “So by being out there and not really caring about things — I played a lot of things off nonchalant — I was able to gain their trust.”
The hours were long; scammers don’t work 9 to 5. “Sometimes I spent as much as 18 hours in a day online,” Mularski said. “I was online every day from August 2006 until the operation came down.”
His most active discussion time was between 10 o’clock at night and one or two in the morning. “Every night I’d be watching TV with my wife next to me and I’d have the computer on, just in case somebody needed to get a hold of me,” he recalled.
After 10 years of marriage to an FBI agent, Mularski’s wife knew that operations could cut into personal time. It couldn’t have been easy, though. “She was the real saint in this whole thing,” he said.
Master Splynter didn’t take vacations either, even if Mularski did. “Usually, if you’re not going to be online, you’ve got to give notice because they wonder what you’re doing, whether you got busted or not. So if I was travelling somewhere and I couldn’t be online, I’d always give these guys advance notice.”
By September 2006, Mularski had become a moderator on DarkMarket. Not as powerful as an administrator, he was still a trusted manager, one step above the reviewers who assessed the quality of products being sold on the site.
That’s when he got his big break. And it came from an unlikely source: Iceman himself. According to authorities, Iceman was making a play to control the market for fake credit cards by hacking into four carder sites, including DarkMarket, knocking them offline and moving their membership to his own site, CardersMarket.
Even when the site was back up and running, Iceman continued to hit DarkMarket with distributed denial of service (DDoS) attacks, which would overwhelm it with wave after wave of useless Internet traffic.
Mularski wasn’t sure how things would play out, but in September 2006 he saw his chance. He started talking with Iceman about joining CardersMarket as a moderator, but soon realized that he had a better shot with another administrator at DarkMarket, Renu Subramaniam, aka JiLsi.
“I basically told him, ‘Hey, I can secure your servers for you,’” Mularski said. JiLsi made him a moderator, but held off granting him administrative access.
Then one Saturday night a month later, DarkMarket started getting hammered with another DDoS attack. “I was talking with JiLsi and I said, ‘Hey I can secure the site? The servers are all set.’”
JiLsi’s reply: “Let’s move it.”
Mularski was now a made man. As administrator to the site he could track people who logged in and, most importantly, read everything the cyberthieves were saying to each other. Working with his international law enforcement contacts, Mularski compiled evidence and, one by one, his team tracked down the crooks who ran DarkMarket.
The first big one to go was Markus Kellerer, a.k.a. Matrix001. German authorities picked him up with five other scammers in May 2007. A few months later Mularski’s patron, JiLsi, was arrested in the U.K., one of the first targets of a newly created U.K. organization called the Serious Organized Crime Agency.
By September last year the operation had pretty much run its course. FBI approval for Operation DarkMarket was set to expire on Oct. 5, and Turkish authorities had finally rounded up Cha0 (real name Cagatay Evyapan), considered one of the FBI’s top targets.
An electrical engineer who manufactured ATM and point-of-sale skimming devices that could be hooked up to legitimate machines to steal information, Evyapan considered himself a “very traditional, organized criminal,” not just a computer hacker, Mularski said.
He showed his nasty side when an associate named Kier (news reports have named him as Mert Ortac) spoke with Turkish media in early 2008, angering Evyapan. “He kidnapped him and tortured him and posted a picture of Kier in his underwear that’s now famous,” Mularski said.
The sign read, among other things, “I am rat. I am pig. I am reporter. I am ****ed by Cha0.”
With Evyapan gone, “We had taken out all the administrators of DarkMarket, and that pretty much left me at the top,” Mularski said.
Still, he remained in character for a few weeks longer. In September he posted a note saying he was closing the site, in part because of police infiltration. “It obvious [sic] that the Special Services and Security f***s are still here lurking in our ranks. They continue to gather evidence on us. They read our posts, they talk with our vendors, they look to see who are the active members of the forum,” he wrote, according to a posting published on Wired.com.
But Mularski always knew that with all the international arrests being made there was a chance, through error or differences in judicial processes, that his name would be made public. And that’s ultimately what happened.
A German reporter, Kai Laufen, working on a story about cybercrime, discovered Mularski’s name in court documents relating to the Kellerer case. On Oct. 13 Wired reported the story and everybody knew.
Still, some of Mularski’s carder buddies refused to believe the reports. “These guys trusted me so much that even after the Wired article came out exposing me, for two days afterwards people were reaching out to me on ICQ thinking that it was a hoax and making sure I was alright.”
Most were silent, however, after Mularski wrote them back saying that he was indeed an FBI agent.
One hacker who called himself Theunknown swore at Mularski, “You piece of crap fed… you’re never going to catch me.”
“Why don’t you turn yourself in? It beats living the rest of your life on the run,” Mularski wrote back. A week later, Theunknown followed his advice.