The Information Age has spawned a new kind of criminal. Not one who knocks over banks through armed robbery. No. It’s the kind that sits at a laptop and sneaks inside digital vaults to steal money.
In the last decade, San Francisco was home to one of the world’s most powerful cybercriminals … a man who oversaw a network of identity thieves who stole billions of dollars from credit card companies. But he wasn’t just a bad guy – he worked on both sides of the law, using his hacking skills to fix some system weaknesses even as he exploited others.
That’s the story Wired.com editor Kevin Poulsen tells in his book Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground. He sat down with KALW’s Ben Trefny to talk about how it happened.
* * *
KEVIN POULSEN (reading from Kingpin): “The taxi idled in front of a convenience store in downtown San Francisco while Max Vision paid the driver and unfolded his 6’5″ frame from the back of the car, his thick, brown hair pulled into a sleek ponytail. He stepped into the store and waited for the cab to disappear down the street before emerging for the two-block walk to his safe house.
Around him tiny shops and newsstands awakened under the overcast sky and suited workers filed into the office towers looming above. Max was going to work too. But his job wouldn’t have him home after nine hours for a good night’s sleep. He’d be cloistered for days this time. Once he put his plan into motion there would be no going home, no slipping out for a bite of dinner, no date night at the multiplex, nothing, until he was done.
This was the day he was declaring war. Nobody knew his name, not his real one anyway.
And nobody knew his past…
Here he wasn’t Max Butler, the small-town troublemaker driven by obsession to moment of life-changing violence. He wasn’t Max Vision, a self-named computer security expert, paid $100 an hour to harden the security networks of Silicon Valley companies. As he rode up the apartment building elevator, Max became someone else, Ice Man, a rising leader in criminal economy responsible for billions of dollars in thefts from American companies and consumers.”
BEN TREFNY: So, in writing King Pin you got to know Max Ray Vision pretty well. Tell me about him.
POULSEN: He’s a complicated guy. He kind of came into the Bay Area in the late 1990s, from seemingly nowhere, and almost instantly made a name for himself in what’s called the white hat hacking community. So these are legitimate computer security researchers who are battling the bad guys…
TREFNY: The black hats.
POULSEN: The black hats. There was a side to him that people didn’t know about, where in his spare time he was staging recreational computer intrusions, like a black hat would do. And he got caught for a big one – he hacked into the Pentagon on a massive scale and fixed their security holes for them, without permission. So he went to prison for that.
TREFNY: So that’s not necessarily such a bad thing to do right? I mean he hacked in which is bad, but then he fixed things, which is good.
POULSEN: But he also left backdoors in all the computers he hacked, which is bad. So it was a little bit of both. He was treated fairly harshly for it, so he served an 18 months sentence, and it was while he was in prison that he ran into, he began associating with more serious career criminals. And when he got out and found he couldn’t get legitimate work anymore because of his hacking convictions, he turned to those criminals and began a very aggressive cybercrime spree.
TREFNY: And this book that, and the industry, and the whole credit card hacking industry essentially, that Max Ray Vision was part of. So tell me about this industry, how did you get to know about it?
POULSEN: I’ve been covering computer crime now for about 12 years. And this has been kind of the background radiation of all the major computer intrusions that we’re seeing. The data gets stolen and then wind up in this vast, global, underground marketplace, where identity information gets bought and sold like pork bellies on the commodities exchange. So I had been covering major developments in it; I covered Max’s case when he was hacking the Pentagon, and then he emerged again as this ringleader in this global underground.
TREFNY: So how does one become a ringleader in this kind of industry? I mean, you talk about the information clearing houses, the chat rooms almost, amongst cyber criminals, so tell me a little more about that, as you relay in King Pin.
POULSEN: Max kind of came into this community cold. When he decided to become a criminal, he was a very good hacker, he could break into pretty much any system that he wanted to, but he wasn’t a great criminal at first. He didn’t really know how to make money off of this stuff. So he started by hacking other hackers, on a fairly large scale, breaking into their computers, figuring out what they were doing, that’s how he discovered this underground, he discovered these carder forums. He eventually set up his own, and then he hacked all of the competing forums and absorbed their membership by force onto his site, and destroyed the other forums on his way out.
TREFNEY: What was the draw for him?
POULSEN: He was still something of a white hat hacker, even while he was doing this. And it’s kind of core, core to hack in, the good kind of hack in, that if you see something broken, you want to fix it. That’s kind of how he got in trouble with the Pentagon. So he thought that there were too many forums, that the criminal community was too divided, and it was bad for business, and it was bad for the community. So he kind of appointed himself the benevolent ruler of this massive underground, and muscled in, and used his skills to take it over.
TREFNY: So Max Ray Vision, Max Butler, wavers between wearing the white hat, so to speak and the back hat. So tell me about that duality.
POULSEN: Yeah, I mean, in the old days, hacking, computer intrusion, was done purely recreationally, right? So it’s like Matthew Broderick in “War Games” – you’re breaking into stuff in order to explore. In the early 1990s, that kind of fell out of fashion. Part of it was because with the Internet, you no longer had to break into networks to enjoy the benefits of a global network, and then there was also a lot of money to be made as a white hat hacker.
TREFNY: And that’s someone who is solving the security breaches.
POULSEN: So the, well, the most successful white hats probably make nearly as much as the most successful black hats. But it’s a lot easier to make money as a black hat. Like you can make a decent salary as a white hat hacker, but as a black hat you can make millions, routinely – there is just a huge amount of money flowing into the underground.
Max for a time did this. He found somebody that was doing this ATM cash-outs for a hacker in Eastern Europe. He hacked the person that was doing the cash-outs, the mule, started steeling the ATM data, and doing his own cash-outs. Then he contacted the guy in Eastern Europe who was pulling the strings, and told him one day what he had done, said, “Hey, I hacked your mule, I’ve been steeling your stuff.” So the guy in Eastern Europe wound up switching his business to Max, because Max had proven that his mule was unreliable.
TREFNY: That seemed to be an interesting development for a lot of these people, that they would as you just said, they would hack somebody else, and then tell them about it, and prove their worth then in that way, and then get hired. And I think that’s also the way possibly the black hats then end up working as say people who are working for the industry, whether its for starting their own cyber security companies, “Hey, I was able to do these kinds of hacks, and that’s my skill level.” It’s part of their resume.
POULSEN: Yeah, there was a lot of that maybe 10 years ago. Now, not so much. There’s enough homegrown computer talent now, it’s much harder to go from a black hat to a white hat. Your best chance of doing that now is to not admit that you were a black hat, where as it used to be the opposite.
TREFNY: So how do you get your insight into this industry and into you know, some of the hacking minds?
POULSEN: Well I’ve been covering it for quite a long time, and if you go back far enough, I myself am an ex-hacker.
TREFNY: What was the draw for you?
POULSEN: It was the classic kind of hacking, where I was interested in how things worked. My thing was the phone company. And I was doing this, we’re talking the late ’80s now, I was doing this before there was any real Internet, as we understand it now. And the phone network was the big global network, both for voice and for data. It was quite fascinating to me.
TREFNY: That’s called phone freaking, is that right?
POULSEN: Phone freaking or phone hacking, that’s right.
TREFNY: And what would you get out of it, what exactly would you do?
POULSEN: For me it was mostly exploration, and experimentation, although at one point I did start using my access to cheat at radio station phone in contests.
TREFNY: Oh, so would you block the lines from being answered by other people?
POULSEN: So if they were taking the 100th caller, I would let the first 80 or 90 calls go through and then arrange for that, for all subsequent calls to be me.
TREFNY: What was the best thing you got out of that?
POULSEN: Ah, five years in prison! (laughs) Oh, you said the best thing. I got a Porsche and I got some sizable cash prizes.
TREFNY: Wow, wow. And did you go to prison?
POULSEN: I did.
TREFNY: Ah. So, for Max Vision, when he was in prison he met all kinds of people who wanted to continue their criminal enterprises, and were making connections in there, and when they got out they continued. For you, you went a different way, you became a senior editor at Wired.com, and you wrote this book – so how is your experience different?
POULSEN: You do meet a lot of interesting people in prison. That’s one of the few benefits is it’s a kind of think tank of crime. And a lot of scheming takes place. When I got out though, I was just at the point where I wanted to go in a different direction with my life.
Sign up here with your email
ConversionConversion EmoticonEmoticon