Preet Bharara, the United States Attorney for the Southern District of New York, and Janice K. Fedarcyk, the Assistant Director in Charge of the New York Field Office of the Federal Bureau of Investigation (FBI), announced three more arrests arising out of the largest coordinated international law enforcement action in history directed at “carding” crimes—offenses in which the Internet is used to traffic in and exploit the stolen credit card, bank account, and other personal identification information of hundreds of thousands of victims globally.
As part of a coordinated international takedown involving more than 12 countries, 24 individuals were arrested on June 26, 2010. Federal and local authorities arrested 11 individuals in the United States, and foreign law enforcement authorities arrested 13 individuals in seven countries.
Since the June 26 takedown, three more individuals have been arrested on federal charges unsealed in the Southern District of New York, bringing the total number of arrests to 27.
Nikhil Kolbekar, a/k/a “HellsAngel,” was arrested on July 11, 2012, by Indian authorities in Mumbai, India; Eric Bogle, a/k/a “Swat Runs Train,” was arrested on July 2, 2012, by Canadian authorities in Red Deer, Alberta; and Justin Mills, a/k/a “xTGxKAKAROT,” was arrested by the FBI on June 27, 2012, in Aurora, Colorado.
Mills appeared in Manhattan federal court and was released on bail. The United States will seek to extradite Kolbekar and Bogle to the United States for prosecution.
Manhattan U.S. Attorney Preet Bharara said, “These arrests are yet another reminder that the international reach of cyber crime does not exceed our grasp. Law enforcement will pursue cyber criminals wherever they are. The charged conduct we announce today, coupled with the crimes we charged last month, represent a full menu of Internet fraud. Thanks to our law enforcement partnerships both here and abroad, we continue to bring these alleged criminals to justice.”
FBI Assistant Director in Charge Janice K. Fedarcyk said, “These arrests in India, Canada, and the U.S. as part of Operation Card Shop are just another example that cyber criminals will be stopped even if they cross borders. Operation Card Shop is an international operation aimed at sophisticated, highly organized cyber criminals involved in buying and selling stolen identities, exploited credit cards, counterfeit documents, and sophisticated hacking tools. The FBI and all our law enforcement partners, here and abroad, will continue to root out criminal behavior on the Internet.”
The following allegations are based on the complaints previously unsealed in Manhattan federal court:
Background on Carding Crimes
Carding refers to various criminal activities associated with stealing personal identification information and financial information belonging to other individuals—including the account information associated with credit cards, bank cards, debit cards, or other access devices—and using that information to obtain money, goods, or services without the victims’ authorization or consent. For example, a criminal might gain unauthorized access to (or hack) a database maintained on a computer server and steal credit card numbers and other personal information stored in that database.
The criminal can then use the stolen information to, among other things: buy goods or services online; manufacture counterfeit credit cards by encoding them with the stolen account information; manufacture false identification documents (which can be used in turn to facilitate fraudulent purchases); or sell the stolen information to others who intend to use it for criminal purposes.
Carding refers to the foregoing criminal activity generally and encompasses a variety of federal offenses, including, but not limited to, identification document fraud, aggravated identity theft, access device fraud, computer hacking, and wire fraud.
“Carding forums” are websites used by criminals engaged in carding (“carders”) to facilitate their criminal activity. Carders use carding forums to, among other things: exchange information related to carding, such as information concerning hacking methods or computer-security vulnerabilities that could be used to obtain personal identification information; and to buy and sell goods and services related to carding, for example, stolen credit or debit card account numbers, hardware for creating counterfeit credit or debit cards, or goods bought with compromised credit card or debit card accounts.
Carding forums often permit users to post public messages—postings that can be viewed by all users of the site—sometimes referred to as “threads.” For example, a user who has stolen credit card numbers may post a public thread offering to sell the numbers. Carding forums also often permit users to communicate one-to-one through so-called private messages. Because carding forums are, in essence, marketplaces for illegal activities, access is typically restricted to avoid law enforcement surveillance.
Typically, a prospective user seeking to join a carding forum can only do so if other, already established users “vouch” for him or her, or if he or she pays a sum of money to the operators of the carding forum. User accounts are typically identified by a username and access is restricted by password. Users of carding forums typically identify themselves on such forums using aliases or online nicknames (“nics”).
Individuals who use stolen credit card information to purchase goods on the Internet are typically reluctant to ship the goods to their own home addresses, for fear that law enforcement could easily trace the purchases. Accordingly, carders often seek out “drop addresses”—addresses with which they have no association, such as vacant houses or apartments, where carded goods can be shipped and retrieved without leaving evidence of their involvement in the shipment.
Some individuals used carding forums to sell “drop services” to other forum members, usually in exchange for some form of compensation. One frequently used form of compensation is a “1-to-1” arrangement in which the carder wishing to ship to the drop must ship two of whatever items he has carded—one for the provider of the drop to forward to the carder, and the other for the provider of the drop to keep as payment in kind for the carder’s use of the drop.
Another frequently used compensation arrangement is for the carder and the drop provider to agree to resell the carded items shipped to the drop and to split the proceeds between them.
Background on the Undercover Operation
In June 2010, the FBI established an undercover carding forum, called “Carder Profit” (the “site”), enabling users to discuss various topics related to carding and to communicate offers to buy, sell, and exchange goods and services related to carding, among other things. Since individuals engaged in these unlawful activities on one of many other carding websites on the Internet, the FBI established the site in an effort to identify these cyber criminals, investigate their crimes, and prevent harm to innocent victims.
The site was configured to allow the FBI to monitor and to record the discussion threads posted to the site, as well as private messages sent through the site between registered users. The site also allowed the FBI to record the Internet protocol (IP) addresses of users’ computers when they accessed the site. The IP address is the unique number that identifies a computer on the Internet and allows information to be routed properly between computers.
Access to the site, which was taken offline in May 2012, was limited to registered members and required a username and password to gain entry. Various membership requirements were imposed from time to time to restrict site membership to individuals with established knowledge of carding techniques or interest in criminal activity. For example, at times, new users were prevented from joining the site unless they were recommended by two existing users who had registered with the site, or unless they paid a registration fee.
New users registering with the site were required to provide a valid e-mail address as part of the registration process. The e-mail addresses entered by registered members of the site were collected by the FBI.
Harm Prevented By the Undercover Operation
In the course of the undercover operation, the FBI contacted multiple affected institutions and/or individuals to advise them of discovered breaches in order to enable them to take appropriate responsive and protective measures. In so doing, the FBI has prevented estimated potential economic losses of more than $205 million, notified credit card providers of over 411,000 compromised credit and debit cards, and notified 47 companies, government entities, and educational institutions of the breach of their networks.
The Charged Conduct
As alleged in the complaints filed in the Southern District of New York, the defendants charged to date engaged in a variety of online carding offenses, in which they sought to profit through, among other means, the sale of hacked victim account information, personal identification information, hacking tools, “drop” services, and other services that could facilitate carding activity.
Eric Bogle, a/k/a “Swat Runs Train,” sold “fulls,” a term used by carders to refer to full credit card data including cardholder name, address, Social Security number, birth date, mother’s maiden name, and bank account information. In October 2010, he offered to sell fulls for expired, stolen accounts for $2 each, claiming that the account data could be used to open fraudulent accounts at billmelater.com, an online credit service, or for “many other uses.”
Nikhil Kolbekar, a/k/a “HellsAngel,” also allegedly trafficked in fulls. In an effort to enhance his reputation as a carder, Kolbekar “dumped,” or provided free access to, more than 75 usernames and passwords for stolen accounts at Facebook, Gmail, Hotmail, Yahoo, AOL, MySpace, and other online services on the site in June 2010. Kolbekar also offered to sell “RDPs” to assist others in hacking computers internationally. RDP is a reference to “remote desktop protocol,” a program that hackers sometimes use to access and gain control of another person’s computer remotely. In April 2011, Kolbekar offered to sell RDPs—specifically, the computer IP address, username, and password combinations—that could be used to hack into computers in Spain, Sweden, Italy, France, Germany, Brazil, South Africa, the Czech Republic, India, and Turkey.
Justin Mills, a/k/a “xTGxKAKAROT,” trafficked in “logs,” a term used by carders to refer to stolen username and password combinations for online accounts. At one point, Mills told the administrator of the site that he had 170,000 logs for sale and that he obtained the logs through a form of malicious software called “iStealer,” which steals website login information stored in the victim’s Internet browser application. Mills also used the Internet to sell a host of electronics and other items he obtained through carding, including Sony laptop computers, iPads, and Express.com gift cards. In April 2011, in response to an Internet posting seeking advice on how to make “1,000 a month or more” from carding, Mills replied, “1k a month? If you need suggestions, I can show you some ways to get that in a week.”
This case is being handled by the Office’s Complex Frauds Unit. AUSAs James Pastore, Serrin Turner, Timothy Howard, Rosemary Nidiry, Alexander Wilson, and Sarah McCallum are in charge of the prosecution.
The charges contained in the complaints are merely accusations, and the defendants are presumed innocent unless and until proven guilty.