From White Hat to Black 5: Darkmarket and Undercover FBI Operation

In the final part of the story, Kevin Poulsen dwells on the undercover FBI operation targeting Max Vision’s carding business, and speaks on where Max’s black hat activities ended up getting him in the long run.

What happened next was there was another vulnerability. In fact, his whole career is kind of vulnerability driven: he discovers a vulnerability and then he starts playing with it and gets in trouble. This was a big one; it emerged first in the Eastern European underground and then was discovered by the computer security community. Max got on it before there was a patch available; he got together with another partner that he’d met online and said: “This is huge. Nobody is going to be patching this anytime soon. I have an exploit, I’m going to customize this so that nobody can detect it. Tell me what systems you want to get into, tell me what companies you want to target that you think will get us money. We have a free pass to own data in any company we want.”

Major spear phishing attack targeting the financial industry

So his friend came up with a list of targets: Bank of America, GMAC, CitiMortgage, Capital One. Max staged a spear phishing attack, and this was the first reported spear phishing attack aimed against the financial industry. And he got into, he says, all of these targets. We know for a fact he got into Capital One. 500 people got this phish. It was Max posing as a reporter, asking about a breach at Capital One and providing a link to what the reporter said was a story that was already up about it in another publication.

So if you clicked on that link, you got hit with this vulnerability and Max was on your system. So at Capital One 500 people clicked on the link, and Max got on their network.

It turns out that, too, was not a path to instant money for Max, because these networks that he was cracking were huge, so he kind of got lost in the networks and distracted by things that were going on back in the carding scene where he found that people were being disrespectful to Iceman.

He couldn’t really stay focused on the business end of this. He decided that the carding scene as it then existed was fundamentally broken and inefficient. There were too many forums: in addition to his forum, there were 4 others that had about the same number of users, like 2000 users each, and in his view the whole market was broken. He wanted to restore things to where they were in the ShadowCrew days, when there was one forum everybody did business on, and naturally he thought that that should be his forum. So he used a variety of hacks in order to penetrate all of his competitors’ systems. This is what he did instead of making money.

Max Vision managed to take over the biggest competitor carder forums

So he broke into TalkCash, Darkmarket, ScandinavianCarding and TheVouched which was supposed to be a high security invite-only forum. He used SQL injection and other hacks to do this. He stole all of their user databases and all of their content. He incorporated them into his own, into Carders Market, and then he dropped the tables on all of these sites.

So he destroyed all the sites behind him. He sent out a big message, an email to his entire new user base, which was now 6000 users instead of 2000, saying: “Welcome to Carders Market. You’re a member of my site now, you’ll find that the old sites don’t work anymore.”

This turned out to be his undoing. He got a lot of attention over this hack: USA Today learned about it and they wrote it up; they quoted Dan Clements saying: “It’s like he’s created the Wal-Mart of the underground.” The Secret Service took an interest in him and the FBI took an interest in him. The FBI was interested because one of the sites he hacked, Darkmarket – one of the administrators on this site was an undercover FBI agent. It’s Keith Mularski, who you’ve probably seen at the conference. Keith Mularski had been in the forums for a while under the handle “Master Splyntr” and he’d taken a very passive role: he was just intelligence gathering.

Actual hackers and undercover FBI agent running Darkmarket

But after Max hacked Darkmarket, he went to Darkmarket’s capo – a UK carder called JilSi, and he said: “Hey, I can see you’re in trouble here; you can’t keep out this Iceman guy, you’re getting DDoS attacks now, your reputation is going down to hell. I’m an experienced Eastern European cyber crook, I know how to set up servers that can withstand attacks and won’t be hacked and can’t be DDoSed. Why don’t you let me take over Darkmarket?” So JilSi said “Yes”, and with approval from Washington, D.C., Master Splyntr (Keith Mularski) took over Darkmarket and began running it as a very ambitious undercover operation.

A lot of my book, which you should all read, is devoted to what happened over the following year. Basically there were only 2 big crime sites now, at least in the English-speaking world. One of them was run by an undercover FBI agent and the other one was run by Max Vision, a computer security guy who turned black hat hacker, who used to work with the FBI. And they were each trying to destroy the other one. Master Splyntr – Keith Mularski – was constantly baiting his foe Iceman, ironically calling him a snitch, mocking him and enraging him further; Max in the meantime kept hacking into Darkmarket, where he eventually discovered through IP logs that Master Splyntr was logging in from an FBI office in Pittsburgh. So Max tried to expose Darkmarket as an undercover operation.

Mularski crafted a very finely honed strategy to try and debunk that. Part of that was he covered up a lot of evidence that Max had discovered: he got some WhoIs records changed at the last minute and stuff like that. So when Max’s lieutenants held kind of a trial of Master Splyntr designed to prove that Master Splyntr was a fed, a lot of the evidence was gone now, and the other carders that Max was making this case to began to think: “Maybe Iceman was the fed and was trying to disparage poor Master Splyntr.”

Final charges and sentence for Max

This cat and mouse game continued for about a year, and in the end, well… I should have given a spoiler warning. Anyway, so Max got caught. He’s now in prison for 13 years. This is a lot less time than he could have done just for the stolen credit card numbers. It’s still, obviously, a very harsh sentence. He’s going to be out in January of 2019.

In the end, the final tally was he’d stolen 1.1 million cards from restaurant point of sale terminals and about 700,000 from other criminals. The feds calculated 86 million dollars in charges on the cards that he’d stolen. Max, in the end, not being terribly concerned about money, made a tiny fraction of that: he made probably around a million dollars, and he spent a lot of that on things like a Sony robotic dog and giving money to homeless people, and so on and so forth. He was an impulse spender, like a lot of hackers.

Conclusions to draw

So the final lesson here is: shop online – it’s safer than shopping in real life. This is counterintuitive, but what we learned from Max, and to a much greater degree from the Albert Gonzalez hacks of major retailers like T.J. Maxx, is that all credit card numbers are going online, even if you think they’re not. And because the dumps are what’s needed to actually produce cards that you could use in real life, and the dumps can only be stolen from real-life point of sale systems and the infrastructure behind them, the dumps are what the hackers have been going after. If you ever read a story that says: “Credit card numbers are so plentiful in the underground that they’re selling for 2 dollars, or 50 cents, or something like that,” they’re just talking about the credit card numbers on the front of your credit card, which, in fact, are nearly worthless to carders because they don’t contain that CVV code, because they’re not dumps.

The magstripe data – that’s still worth upwards of at least 5 dollars and up to 40 or 50 dollars depending on the type of card and what kind of limit it has. And then the rest are obvious.
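The distinction drawn above, between a bare card number and a magstripe dump, is exactly the distinction a defender has to make when checking what a point of sale system or its logs are retaining. Below is an added example (not from the talk or the book) of a small scanner that tells the two apart: it recognises Track 2 formatted data by its ISO/IEC 7813 layout (PAN, `=` separator, expiry, service code, discretionary data), validates the PAN with the Luhn check so random digit runs are ignored, and rates a stored dump as more severe than a stored PAN. The log lines, PANs and field values are constructed; the PANs are the well-known Visa and Mastercard test numbers, not real accounts.

```python
import re

# Track 2 layout (ISO/IEC 7813): optional start sentinel ';', PAN of 13-19 digits,
# field separator '=', expiry as YYMM, 3-digit service code, then discretionary
# data (which is where the magstripe card-verification value is carried),
# optional end sentinel '?'.
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)
# A bare PAN: a 13-19 digit run not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check, used to separate card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as a report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify(text: str):
    """Return ('track2', pan) for full magstripe data, ('pan', pan) for a
    Luhn-valid card number on its own, or ('none', None)."""
    m = TRACK2_RE.search(text)
    if m and luhn_ok(m.group("pan")):
        return "track2", m.group("pan")
    for m in PAN_RE.finditer(text):
        if luhn_ok(m.group(1)):
            return "pan", m.group(1)
    return "none", None


def scan(lines):
    """Scan log lines; a stored dump is CRITICAL, a stored PAN is HIGH."""
    findings = []
    for n, line in enumerate(lines, 1):
        kind, pan = classify(line)
        if kind == "none":
            continue
        findings.append({
            "line": n,
            "kind": kind,
            "severity": "CRITICAL" if kind == "track2" else "HIGH",
            "masked_pan": mask_pan(pan),
        })
    return findings


# Constructed POS log sample (hypothetical terminal names and values).
SAMPLE_LOG = [
    "2024-05-01 12:00:01 pos01 auth ok pan=4111111111111111 amt=42.10",
    "2024-05-01 12:00:02 pos01 swipe raw=;4111111111111111=25121011234567890? terminal=7",
    "2024-05-01 12:00:03 pos01 auth ok token=tok_8f3a1c masked=411111******1111",
    "2024-05-01 12:00:04 pos02 session id=1234567890123456",
    "2024-05-01 12:00:05 pos02 auth ok pan=5555555555554444 amt=9.99",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['severity']} {f['kind']} {f['masked_pan']}")
```

Line 2 is the one that matters most: a terminal that writes the raw swipe to disk is storing exactly what the talk calls a dump, and the whole track, not just the PAN, has to be purged and the write path fixed. Lines 1 and 5 are stored PANs, which are still sensitive but, as the talk explains, far less useful to a carder; line 3 shows a tokenised, masked record, which is what a clean log should look like, and line 4 is a digit run that fails Luhn and is correctly ignored.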

Read previous: From White Hat to Black 4: ATM Fraud and Point of Sale Hacks

  1. Andre says:

    Didn’t know it was a series, very nicely done. Will be bookmarking the website.

    Is there more to come?

    • Terry says:

      Seems that’s all.

    • david b. says:

      Andre, thanks for your interest in our work. This was the final article on this particular subject. But there is definitely a lot of captivating stuff yet to come – we’re constantly updating the site with relevant content related to computer security, user privacy, hacking and the like.
      So, be sure to check for more updates!

  2. philip says:

    Very nice article, thank you for sharing.
