Last week, U.S. authorities in conjunction with international law enforcement issued a press release on the dismantling of a cyber criminal infrastructure known as Avalanche. A joint statement by U.S. agencies noted that “this network hosted more than two dozen of the world’s most pernicious types of malware and several money laundering campaigns”. The Avalanche network, which has been operating since at least 2010, is estimated to involve hundreds of thousands of infected computers worldwide. The monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of dollars worldwide, although exact calculations are difficult due to the high number of malware families present on the network.
Cyber-enabled crimes are a prevalent and growing threat in today’s financial crime landscape. In recognition of this disturbing reality, I decided to share the details of a recent U.S. court case to illustrate how compromised passwords are often the launching point for the perpetration of various financial crimes.
The alleged charges in the criminal complaint featured in this article include access device fraud; computer fraud; wire fraud; aggravated identity theft; and money laundering.
The synopsis below walks through in-depth details from the criminal complaint and provides an insightful illustration of how multiple specified unlawful activities (SUAs) are frequently involved in the perpetration of cyber-enabled financial crime in today’s ever-shifting landscape.
Case highlights outlined in this article include:
- Detailed information provided by the Defendant in an interview with law enforcement which reveals how he perpetrated the alleged illegal activities
- Reference to manner by which four financial institutions were exploited by the Defendant in execution of the alleged scheme
- Example transactions which show deposits the Defendant made to a U.S. bank account that he controlled to conceal the source of the proceeds
- Verbatim online chat communications between the Defendant and other individuals about his hacking expertise; the operations of his lucrative business; and amount of money he makes
In November 2013, the FBI began investigating the Defendant in connection with his involvement with a hidden online marketplace on the Tor network that specialized in the sale of illegal narcotics, stolen credit cards, and other illicit items. For the purpose of this article, I will refer to the 34-year-old male Defendant as “MR”.
The FBI subsequently obtained information that “MR” may have been involved in an online phishing scheme whereby he would obtain people’s usernames and passwords in an effort to steal their bitcoins.
Admissions by “MR” During Interview with FBI Agents
In November 2014, FBI agents and other law enforcement officers executed a search and seizure warrant at “MR’s” residence during which they located and seized multiple computers, external hard drives, and thumb drives.
“MR” agreed to an interview with FBI agents at his residence as the search was being executed. During the interview, “MR” admitted the information noted in the bulleted points below.
Note that for the purpose of this article I have anonymized some specifics (e.g. financial institution names, online services names, business name, usernames, file names, etc.) and the undisclosed references which I have substituted are denoted by enclosure in square brackets.
- “MR” has his own business called [“Business A”].
- “MR” steals bitcoins from users and vendors trying to access online marketplaces on the Tor network.
- “MR” used two types of scams to steal users’ login credentials to these sites:
  - “MR” would post fake links on forums to these markets which would direct users to a fake login page hosted on a laptop at his house. The login page would look exactly like the real login pages for the various market sites. When users would attempt to log in, “MR” would steal their usernames and passwords.
  - “MR” would post fake links on forums that when clicked would “port forward” the users through “MR’s” computer server to the actual marketplace site where users would log in. “MR” would keylog all of the user’s traffic including their login information.
- Once “MR” had access to a user’s account, he would use a program called [“BM Program”] to notify him when a deposit was made into the user’s bitcoin wallet. After receiving notification of a deposit, “MR” would log in to the account and withdraw the bitcoins before the user could spend them.
- “MR” would often use an online bitcoin tumbling service [“Bitcoin Tumbling Service X”] when transferring the bitcoins to hide his trail. (Some background information on bitcoin tumblers is provided in the Supplementary Information section at the end of the article).
- The bitcoins would then be deposited into “MR’s” bitcoin wallet with [“Online Bitcoin Service Y”]. (Some background information on online bitcoin exchanges and services is provided in the Supplementary Information section at the end of the article).
- “MR” would sell those bitcoins in exchange for cash deposits into his:
  - [redacted BANK NAME #1] account;
  - [redacted BANK NAME #2] prepaid debit cards;
  - [redacted MONEY TRANSFER COMPANY NAME #3] transfers; or
  - [redacted MONEY TRANSFER COMPANY NAME #4] transfers
- “MR’s” username with [“Online Bitcoin Service Y”] was [“MR Username – Online Bitcoin Service Y”].
- “MR” estimated that he had stolen over “six figures” worth of bitcoins.
- “MR” stated he had a program on his laptop that stored the stolen usernames and passwords in a file called [“NF.txt”].
- “MR” believed the file “NF.txt” currently had over 10,000 lines of text.
- “MR” advised FBI agents that he had additional computer hard drives in a safety deposit box at [redacted BANK NAME #5]. FBI agents subsequently visited [redacted BANK NAME #5] and seized the contents of “MR’s” safety deposit box, which contained a hard drive and thumb drives.
- FBI computer forensic examiners subsequently examined the computers and hard drives seized from “MR’s” residence and safety deposit box. Among the files recovered from “MR’s” computers and hard drives were dozens of files created between November 2013 and October 2014 that contain what appear to be thousands of usernames and passwords.
- Numerous files had titles beginning with “NF” followed by a date. One file titled “NF0929.txt” had a created date of September 29, 2014. The file contained what appear to be over 10,000 usernames and passwords.
- An FBI agent stated in an affidavit that he believed these are usernames and passwords belonging to other individuals that “MR” stole through the methods he described in his interview.
“MR” Verbatim Online Chat Messages
FBI computer forensic examiners also recovered numerous online chats between someone using the usernames [“FF82828”] and [“FF82829”] and other individuals.
In one of the chats, “FF82828” asks another individual to email him at [“BusinessAllc@gmail.com”].
In another chat, one of the participants asks, “BusinessAllc@gmail.com[.] who is?? u?” to which “FF82829” replies, “me”. As noted earlier in this article, “MR” told law enforcement he has a business named “Business A”.
An FBI agent reviewed online records from a U.S. state Secretary of State’s website indicating that “MR” is the manager of “Business A LLC”.
An FBI agent reviewed bank records for “Business A LLC” at [redacted BANK NAME #1] which lists “MR” as the manager of “Business A LLC”.
An FBI agent also reviewed records from [redacted BANK NAME #2] for prepaid debit cards registered to “MR” which indicate he registered one card using an email address “BusinessAllc@gmail.com”.
In the chats, “FF82828” admits to using a phishing scheme to steal individuals’ login credentials in order to steal their bitcoins, and further admits he is an experienced computer hacker who has been hacking computers since he was 12 years old.
Below are some online chat messages between “FF82828” and other individuals. An FBI agent stated in his affidavit that he believes “FF82828” and “FF82829” are both “MR”.
On November 30, 2013, “FF82828” wrote:
“i make my own phishing sites for darknet .onion drug sites[.] i make $1000 a day[.]”
Later in the same conversation, “FF82828” sent the other chat participant the username, password, and bitcoin address of another individual and wrote:
“see those[?] username, passwor [sic], pin, balance, and all BTC deposit addresses to a private illegal site … when i detect BTC payment there, i login, and withdraw[.] make $1000 day[.] all off 1 phishing site i built myself[.] so i know, how to do this, big time[.] i am prettty big too, but within TOR network[.]”
(Note: BTC is an abbreviation for bitcoin.)
On December 26, 2013, “FF82828” wrote:
“i’ve been in hacking game hmm 15 years and before internet 5 years[.] when i was 12 years old i had police called on me for hacking bbs[.] 16 [years old] fbi raided my work i ran shellbox in the basement[.]”
(Note: BBS is an abbreviation for bulletin board system.)
Later in the same conversation, “FF82828” wrote:
“i have 5000 l/p’s to darknet sites …. i live in a house by myself by the beach drive Mercedes all paid by :)…. i ‘d like to pass my business on and do other work but theres $500,000 a year to be made here[.] im making $30,000 a month[.] $5,000 a week or so[.]”
(Note: An FBI agent indicated he believes “l/p” is short for logins and passwords.)
At another point in the conversation, the other chat participant asked “FF82828” what he does to make money, and “FF82828” responded:
“phish but on darknet websites[.] i set up phish’s scam pages for secret web pages[.]”
On December 27, 2013, “FF82828” wrote:
“i have 5000 l/p’s to illegal websites that deal in bitcoin[.] so i write scanners, that beat captcha, and login as each user[.] then i monitor each adddress and withdraw when they deposit[.] .. made $8700 in 1 minute once[.]”
Later in the same conversation, “FF82828” wrote:
“i also have much experience with exploits, scanning, etc, rooting boxes, backdoors[.] i am building a botnet, for windows … last time i ran botnet i had 2000 hosts join in 1 day.”
(Note: A botnet is an interconnected network of computers infected with malware without the computer users’ knowledge and controlled by cybercriminals. Botnets are typically used to send spam emails, transmit viruses and engage in other acts of cybercrime.)
He further wrote:
“i do all my work over TOR[.] most of my attacks are on hidden sites within TOR[.] i run phishing sites that mimick other TOR sites[.] … i am writing something new, a botnet, for keylogging, etc.”
(Note: “Tor,” which is an acronym for “The Onion Router,” is a special network of computers on the Internet, distributed around the world, that is designed to conceal the true IP addresses of the computers on the network, and, thereby, the identities of the network’s users.)
(Note: Keylogging, sometimes referred to as keystroke logging, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that the person using the keyboard is unaware that their actions are being monitored.)
Transactions by “MR” in Records Provided by “Online Bitcoin Service Y” and [redacted BANK NAME #1]
An FBI agent reviewed records from “Online Bitcoin Service Y” for the username “MR Username – Online Bitcoin Service Y” which “MR” stated was his username. The records state the account holder’s real name is “MR” and his email address is “BusinessAllc@gmail.com”.
The agent stated in an affidavit that:
“In my review of the records provided by [“Online Bitcoin Service Y”], I observed hundreds of bitcoin transactions during the period from September 2013 to November 2014, including sales of bitcoins to other individuals in exchange for U.S. currency.
I also obtained and reviewed bank records for [“Business A” LLC] at [redacted BANK NAME #1] and observed numerous deposits of U.S. currency, some of which correspond to the bitcoin sales I observed in the records from [“Online Bitcoin Service Y”].”
In total, from November 2013 to October 2014, there were over $100,000 in cash deposits into the “Business A” [redacted BANK NAME #1] account, the majority having the description “counter credit.”
EXAMPLE TRANSACTIONS ARE LISTED BELOW.
November 5, 2013
Bitcoin sale transactions on “Online Bitcoin Service Y” – $350 and $340
Deposits into “Business A” [redacted BANK NAME #1] account – $350 and $340 with the description “counter credit”
November 8, 2013
Bitcoin sale transactions on “Online Bitcoin Service Y” – $200, $350, $999.88, and $1,000
Deposits into “Business A” [redacted BANK NAME #1] account – $200, $350, $999.88, and $1,000 with the description “counter credit”
November 9, 2013
Bitcoin sale transaction on “Online Bitcoin Service Y” – $378
November 12, 2013
Deposit into “Business A” [redacted BANK NAME #1] account – $378 with the description “counter credit”
November 12, 2013
Bitcoin sale transaction on “Online Bitcoin Service Y” – $801
Deposit into “Business A” [redacted BANK NAME #1] account – $801 with the description “counter credit”
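The amount-and-date matching the agent describes above (an exchange sale followed within days by a “counter credit” deposit of the identical amount) is the kind of correlation an investigator or BSA/AML analyst can script. The following Python is an added example, not code from the article or the complaint; the records are constructed from the figures listed above plus one unrelated deposit, and the seven-day window is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

@dataclass(frozen=True)
class Txn:
    day: date
    amount: Decimal
    memo: str = ""

# Constructed sample records: the amounts and dates listed in the article,
# plus one unrelated deposit that must not be matched.
BITCOIN_SALES = [
    Txn(date(2013, 11, 5), Decimal("350")), Txn(date(2013, 11, 5), Decimal("340")),
    Txn(date(2013, 11, 8), Decimal("200")), Txn(date(2013, 11, 8), Decimal("350")),
    Txn(date(2013, 11, 8), Decimal("999.88")), Txn(date(2013, 11, 8), Decimal("1000")),
    Txn(date(2013, 11, 9), Decimal("378")), Txn(date(2013, 11, 12), Decimal("801")),
]
BANK_DEPOSITS = [
    Txn(date(2013, 11, 5), Decimal("350"), "counter credit"),
    Txn(date(2013, 11, 5), Decimal("340"), "counter credit"),
    Txn(date(2013, 11, 8), Decimal("200"), "counter credit"),
    Txn(date(2013, 11, 8), Decimal("350"), "counter credit"),
    Txn(date(2013, 11, 8), Decimal("999.88"), "counter credit"),
    Txn(date(2013, 11, 8), Decimal("1000"), "counter credit"),
    Txn(date(2013, 11, 12), Decimal("378"), "counter credit"),
    Txn(date(2013, 11, 12), Decimal("801"), "counter credit"),
    Txn(date(2013, 11, 14), Decimal("2500"), "payroll"),  # constructed, unrelated
]

def match_sales_to_deposits(sales, deposits, window_days=7, memo="counter credit"):
    """Pair each exchange sale with at most one bank deposit of the same amount
    and memo posted 0..window_days later; each deposit is consumed once.
    Returns (matches, unmatched_sales), a match being (sale, deposit, lag_days)."""
    unused = sorted(deposits, key=lambda t: t.day)
    matches, unmatched = [], []
    for sale in sorted(sales, key=lambda t: t.day):
        hit = next((d for d in unused
                    if d.amount == sale.amount and d.memo == memo
                    and 0 <= (d.day - sale.day).days <= window_days), None)
        if hit is None:
            unmatched.append(sale)
            continue
        unused.remove(hit)  # one deposit explains only one sale
        matches.append((sale, hit, (hit.day - sale.day).days))
    return matches, unmatched

def summarize(matches, unmatched):
    """Figures an investigator would cite: sales explained by deposits,
    dollar value covered, and the longest sale-to-deposit lag in days."""
    return {"matched": len(matches), "unmatched": len(unmatched),
            "matched_usd": sum((m[1].amount for m in matches), Decimal("0")),
            "max_lag_days": max((m[2] for m in matches), default=0)}

if __name__ == "__main__":
    found, missing = match_sales_to_deposits(BITCOIN_SALES, BANK_DEPOSITS)
    for sale, dep, lag in found:
        print(f"{sale.day} sale ${sale.amount} -> {dep.day} deposit (lag {lag} d)")
    print(summarize(found, missing))
```

On the constructed records all eight sales are explained, the November 9 sale only via the deposit three days later, and the payroll deposit is left alone; shrinking the window surfaces that lagged sale as unexplained.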
“Passwords Themselves Are Often the Most Valuable Treasure for Attackers”
Michael Chertoff, former head of Homeland Security, recently wrote in an opinion editorial for CNBC that “The password is by far the weakest link in cybersecurity today.” He also stated that “passwords themselves are often the most valuable treasure for attackers” and indicated that one study showed most Americans would rather perform unpleasant household chores than deal with the burden of creating and then remembering a complex password. He further added that “even when so-called ‘strong’ passwords are required, they are still vulnerable to phishing attacks, key-loggers and other compromises”.
This viewpoint is obviously shared by the respondents of a survey which was conducted at the Black Hat 2016 conference. Security firm Thycotic surveyed 250+ attendees live at the event including self-identified “Hackers” (i.e. official conference attendees who personally identified themselves as a hacker at the time of the poll) and one of the findings published in the Hacker Survey Report indicates that 77% believe no password is safe from hackers.
The case that I recounted above is strong testament to Chertoff’s proclamation that passwords are a valuable treasure for attackers. In the criminal complaint against “MR”, although there are five distinct alleged charges as summarized below, they are very much interconnected.
Access Device Fraud
“MR” allegedly possessed unauthorized access devices, namely usernames and passwords he stole from other individuals through an online phishing scheme, with intent to defraud. He also allegedly committed access device fraud by using those login credentials to steal bitcoins from those other individuals.
Computer Fraud
“MR” allegedly committed computer fraud by using stolen usernames and passwords to access the bitcoin accounts of other individuals to obtain a certain dollar worth of bitcoins.
Wire Fraud
“MR” allegedly committed wire fraud by devising and executing a scheme to defraud other individuals and obtain their bitcoins through materially false representations, namely, using stolen usernames and passwords to log in to their bitcoin accounts via the internet and then transferring the bitcoins to himself and selling the bitcoins for U.S. currency which was deposited into a bank account he controlled.
Aggravated Identity Theft
“MR” allegedly committed aggravated identity theft by committing access device fraud, computer fraud, and wire fraud, by using means of identification, that is login credentials, of other individuals.
Money Laundering
“MR” allegedly committed money laundering by selling the bitcoins he obtained as a result of the aforementioned violations in exchange for U.S. currency and then causing the currency to be deposited into a bank account controlled by him in order to conceal or disguise the nature, location, source, ownership or control of such proceeds.
The most significant takeaway I would like readers of this article to have is not merely how the crimes in the cited case were perpetrated but, much more importantly, the disturbing reality that this case is just one example of numerous (and ongoing) real-life cyber crimes in which compromised passwords served as the launching point for the perpetration of various financial crimes.
FinCEN Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime (FIN-2016-A005)
In October 2016, FinCEN issued a very informative advisory to “assist financial institutions in understanding their Bank Secrecy Act (BSA) obligations regarding cyber-events and cyber-enabled crime”. This advisory discusses reporting cyber-enabled crime and cyber-events through Suspicious Activity Reports (SARs) and including relevant and available cyber-related information (e.g. Internet Protocol (IP) addresses with timestamps, virtual-wallet information, device identifiers) in SARs.
I highly recommend that financial crime investigators review the guidance outlined in this advisory which discusses:
- SAR Reporting of Cyber-Events
- Including Cyber-Related Information in SAR Reporting
- Collaboration between BSA/AML and Cybersecurity Units
- Sharing Cyber-Related Information between Financial Institutions
I also recommend financial crime investigators read the FinCEN supplement to this advisory titled Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (SARs).
The FAQs point out how using Section 314(b) of the USA PATRIOT Act to share cyber-event and cyber-enabled crime information with other financial institutions can facilitate the filing of more comprehensive and complete SARs than otherwise may have been filed, in the absence of 314(b) information sharing.
Supplementary Background Information: “Bitcoin Tumbling Service X” and “Online Bitcoin Service Y”
“Bitcoin Tumbling Service X”
A bitcoin tumbler is a mixing service which is utilized to help mask the trail of bitcoins. Since all bitcoin transactions are recorded on the blockchain, a tumbler attempts to mask the transactional trail by having a person send their bitcoins to the service, often for a nominal fee, which then combines them with many other people’s bitcoins. The service, over a period of time and through multiple random transactions, then sends the bitcoins to a new bitcoin address under the control of the mixing service’s client.
“Online Bitcoin Service Y”
There are a number of online exchanges that allow users to buy and sell bitcoins for fiat currency, such as U.S. currency. In addition, there are online services that allow users to exchange their bitcoins directly with other users. “Online Bitcoin Service Y” is one such service.
According to the “Online Bitcoin Service Y” website:
“[“Online Bitcoin Service Y”] is a person-to-person bitcoin trading site. At [“Online Bitcoin Service Y.com”], people from different countries can exchange their local currency to bitcoins. The site allows users to post advertisements where they state exchange rate and payment methods for buying or selling bitcoins.”