Who knows what evil lurks in the hearts of shadowy Russian message boards? The Secret Service knows, apparently. On Monday Wired published a lengthy story about an Agent who, for about five years, was working undercover by selling fake IDs online. Members of the message board Carder.ru, home to identity thieves and credit card frauds, trusted him completely. And then the government brought the hammer down.
The US Government's "Operation Open Market" resulted in indictments against 55 defendants. According to Wired, Special Agent Mike Adams shipped out more than 125 fake IDs over about five years of activity while going by the username Celtic. Amazingly, the entire scheme started when the government arrested the real Celtic, a Nevada man who got caught shopping at a Whole Foods where he'd previously used a fake credit card.
Law enforcement discovered counterfeiting equipment among his possessions and learned about his online activities. Adams assumed his online identity and even improved Celtic's cred, shipping near-flawless IDs and becoming a trusted seller on Carder.ru.
While the story is about fake identities and not credit card scams, it's easy to extrapolate just how creepy and widespread identity theft and credit card scamming activities are. And, worse, how easy they can potentially be. Wired writes that Adams, masquerading as Celtic, spent his first few years "maintaining Celtic’s reputation as a reliable buyer of other people’s illicit products, and gathering evidence against sellers like “CC-TRADER,” who sold the agent 64,000 phished PayPal accounts for $5,000."
That's a lot of PayPal accounts. Adams, of course, was using the system against those who were breaking the law. Since he was creating Fake IDs for them, he got members of Carder.ru to send him their headshots, and he also got addresses to mail the fraudulent cards to. Some criminals were serving themselves up on a silver platter.
On the technology front, the Secret service issued more than 230 orders to obtain access to email and chat accounts on Hotmail, Gmail, and so on. They obtained access of a backup image of the Carder.ru forum from when it had been hosted through SoftLayer. The case now consists of 10 terabytes of data.
The government made its move in 2012, arresting dozens of fraudsters in the US and in countries where extradition is easy. But many more, including the founder of Cards.ru, remain at large. Those in Eastern European countries, especially, are largely out of the government's reach.
And the way the government is handling the case raises a couple concerning questions. Writes Wired:
"The main indictment is noteworthy because, in addition to the usual mix of credit card fraud and false identification charges, the 39 defendants have been charged under the mob-busting RICO act – a first for a cybercrime prosecution.
Enacted in 1970 to help the FBI crack down on the mafia, the Racketeer Influenced and Corrupt Organizations Act lets the feds hold every member of a criminal organization individually responsible for the actions of the group as a whole. The losses collectively inflicted by the Carder.su members are easily enough to give every RICO defendant 20 years in prison."
The lawyer of one defendant compares their online activities to a group of people on Facebook--interaction does not necessarily mean cooperation, or conspiracy.
Second: Is this entrapment--ethically, if not legally? One charge against a fraudster is that he knowingly cause someone else to traffic in illegal identifications by mailing them. Unless the letter of the law stretches to include the mailmen making deliveries, the person mailing those IDs was, of course, Special Agent Adams.
Critics also point out that dozens of IDs created by the Secret Service are still out there, and the people who bought them may never be arrested. It's a complicated case, and the entire story is worth a read at Wired.
Prosecution will be ongoing for years. If the members of Carder.ru are convicted under RICO, that could foretell a real change in how Internet-based crimes are charged. But it may not do much to change how those crimes are carried out. The founder of Carder.ru, still at large, has supposedly moved on to found Carder.pro. With, we're guessing, much tighter security.