FBI Busts Credit Card Cybergang

An alleged credit card thief, who has been identified as using the online handle "John Dillinger," has emerged as a suspect in an aggressive FBI law enforcement action to be announced Friday. The action, dubbed Operation Cardkeeper, has resulted in 17 arrests of hackers and carders this week in the United States and Poland. The investigation is also focusing on three suspects in Romania who were questioned this week by Romanian authorities, as well as U.S. suspects in seven states. Authorities say more arrests are likely.

A law enforcement source told Wired News that Dillinger and other Americans indicted in the case received stolen credit card numbers from Romanian phishers and others, then used the numbers to purchase items they later resold. According to an indictment unsealed Thursday in U.S. District Court in Virginia, the person identified as using the Dillinger nickname was seized in San Diego in June on unrelated charges before being transferred to Virginia where he faces at least five counts of identity theft and access device fraud for using stolen credit card numbers belonging to Capital One bank customers.

Wired News interviewed a carder using that nick earlier this year, who spoke on condition of anonymity. In the interview, the carder said that three Romanian phishers contacted him in 2004 looking for partners to cash out U.S. Bank accounts, using account and PINs they obtained through phishing.

The indictment doesn't mention U.S. Bank or other activities that Dillinger discussed with Wired News. Authorities say the indictment does not reflect everything that went into the charges against him. Dillinger likely faces two to five years in prison if convicted. He has a Nov. 13 hearing scheduled in Richmond, Virginia.

In addition to Dillinger, three other Americans and 11 Poles were arrested. The Americans are Dana Carlotta Warren, 29, of Atlanta, and Zanadu Lyons, 24, and Frederick Hale, 27, both of Columbus, Ohio. The suspects were caught with cards and MSR-206 machines used to encode data onto blank credit cards. "Zanadu (Lyons) was attempting to flush counterfeit credit cards down the toilet when authorities were attempting to execute the search warrant," the law enforcement source said.

According to the source, the Richmond FBI and the U.S. Attorney's office launched Cardkeeper around August 2004 after seeing a lot of theft involving Richmond-area banks. They were surprised at what they found once they started tracing the source of the stolen card numbers. "Just in Virginia we identified tens of thousands of compromised credit card numbers, maybe over 100,000," he said. "I don't know that anyone has ever tallied that up. There were also several thousand compromised identities (that we were seeing) trafficking over the internet."

The thieves obtained credit and debit card numbers through phishing scams and by hacking into databases, then distributed the numbers to accomplices through CcpowerForums, Darkmarket and other carding sites devoted to international cybercrime.

Among the Polish suspects arrested are Mateusz Rymski, aka "Blindroot," who the FBI identifies as a leader of the ring. The source said Rymski hacked into third-party web servers and then rented their illicit access to other criminals to host their phishing pages or use as a proxy to hide their trails. "He was selling root access to multiple Romanians who were engaged in phishing and credit card fraud," said the source. "And the Romanians were distributing compromised credit card numbers on the order of the thousands, if not higher than that."

The Romanians are also suspected of writing keystroke-logging software to collect card numbers and other data from infected computers.

Wired
3 November 2006