Industry of Anonymity

Inside the world of profit-driven cybercrime

How to Steal A Million

There is a rich tradition of biographies and autobiographies of mobsters. The most famous might be Wiseguy by Nicholas Pileggi, which tells the story of Lucchese crime family associate Henry Hill, and was adapted by Martin Scorsese into the classic movie Goodfellas. Other worthy reads include Underboss about the life of Sammy “The Bull” Gravano and Donnie Brasco, Joseph Pistone’s undercover account of life inside the Bonanno Crime Family in the 1970s.

Unfortunately, we are not as well served with personal accounts of major cybercriminal figures. Of course, there are books like Kevin Mitnick’s Ghost in the Wires and Michael Calce’s Mafiaboy, but these are stories of an earlier period of social engineering and hacking, rather than inside accounts of the financially-motivated industry of cybercrime that has existed since the turn of the Millennium. Only Kevin Poulsen’s excellent Kingpin provides a detailed biography of a leading cybercriminal (Max Butler), though this is largely an American-focussed narrative, with lesser information on the Eastern European scene.

Thankfully, Sergey Pavlovich’s autobiography How to Steal a Million has emerged to help fill this void. Throughout my travels in Eastern Europe, a number of people kept recommending a book written by a Belorussian former cybercriminal known as PoliceDog. Published in 2013, it was only available in Russian, limiting its reach and making it largely a regional curio. With its recent translation into English, with the help of Howard Amos, Pavlovich’s story can now be read by a much wider audience.

There is a lot of interest within this book. Primarily, it provides insight into the life and operations of an Eastern European cybercriminal. This is a world that is often talked about within cybersecurity circles, but usually from an outsider’s perspective. As a former member of the CarderPlanet network, Pavlovich provides a rare insider narrative of this world in the 2000s: the peculiar mechanics of operating within the “carding” business; the nature of the forum scene; his (sometimes gossipy) interactions with leading cybercriminals of the period; along with his run-ins with the law (and also corrupt law enforcement officials). Additionally, he explicates the broader socioeconomic context that provides a cradle for leading cybercriminal actors:

“Many [cybercriminals] were very technically-minded, had taken maths or physics at universities and colleges and had engineer parents. […] But hackers in Russia also thrive because the police do not have enough resources to find murderers, let alone hunt hackers […] If the Russian police do find them, then there’s no need to go to prison: usually it’s easy enough to pay the police to be his protection. Even if the case ends up in court, hackers often receive conditional sentences because they can simply buy the courts”.

While this is a book about cybercrime, it is also a book about surviving life in the Belarusian prison system. My interest in reading Pavlovich’s story was his cybercriminal background, but I have to admit that I ended up finding his stories about confinement in ex-Soviet penitentiaries equally fascinating. This is not a perspective that many authors can provide. And, in the end, prison life is indeed a relevant aspect of understanding cybercriminal life in the region.

Pavlovich’s writing is clear and has a surprising literary quality. In some sense, it fits within a long tradition of writings about crime and gulag life in Eastern European prose. This is far from a prosaic account, but suggests the author has a talent and spark for endeavours beyond cybercrime. While not all are destined to be writers, this matches my experience – I have encountered significant talent among numerous Eastern European cybercriminals, which is probably what makes them such a global threat.

In an effort to maintain levity, one of the more interesting stylistic choices of the book is to use dialogue to convey technical details about cybercrime. Rather than long passages detailing dense information, uninformed characters ask the lead character the sorts of questions some readers might also wish to ask. Other characters speak with an unexpected precision and poetry: “When an entrepreneur doesn’t find a way to fulfil his talents, he becomes a criminal”, philosophises one of Pavlovich’s cellmates at one point.

For all its many positive qualities, it should not be forgotten that this book is effectively a rogue’s tale. Its biggest flaw is that, without other supporting evidence, we can’t know for certain what is true and what is not. To leave PoliceDog to conclude:

“This book is about my time as a successful cyber-criminal and my experience in the Belarusian penal system, which has changed little since the Soviet Union. The events and people are real. The way they are depicted, however, is my own. I’ve changed a few names and removed some altogether. I’ve softened some things and embellished others – it’s something all authors do. It is up to you to decide if I can be trusted. Read — and draw your own conclusions”.

For details on How to Steal a Million, go here or here.

Industry of Anonymity – the book!


After seven years of fieldwork, the findings of my research have finally been put to ink. The result, Industry of Anonymity: Inside the Business of Cybercrime, published by Harvard University Press, is the most extensive account yet of the lives of cybercriminals and the vast international industry they have created.

Details about the book can be found on the Harvard University Press website. Currently available for pre-order here and here, it will be released in the US in October 2018 and in the UK the following month.

All’s Fair in Love and War?

As someone who studies trust among cybercriminals, I often field queries from the curious about what factors disrupt cooperation among online criminals. Until a recent visit to Eastern Europe, one element I hadn’t considered was the significant role that political animosity might play in damaging relationships. My visit to the region made clear that the war in eastern Ukraine is leading to a number of unexpected consequences in the cybercrime sphere, sowing the seeds of distrust among certain players in the Russian-speaking “scene”.

This was an issue raised by a number of local researchers I met with, who go “undercover” and monitor the key Russian-speaking marketplaces. In the past, most Eastern European actors rarely expressed their political views. But recent events have seen a shift. With the conflict simmering on the ground, a number of “flame wars” have developed online, between those broadly in support of Russia and those against it. This has damaged cooperation and led to the breakdown of some long-term and trusting partnerships. Some forums have even had to bring in and enforce rules against political discussion. Max Goncharov’s new report on the Russian underground suggests similar developments as a result of the Ukrainian conflict: fights between forum members with some even being banned or retreating into exile.

In order to understand the significance of these developments, it is important to note that the Russian underground is not actually Russian. It is merely Russian-speaking. While Russian nationals play a key role, and some may have a sense of centrality or superiority, cybercriminals from countries like Ukraine, Belarus and the Baltic States have played an important role in the business since the early days. Russian provided a common tongue and operating in a Russian-speaking online community opened up a much larger market for cybercriminals in the region. In self-preservation terms, the use of Russian also helped shield each participant’s nationality from local authorities or other criminals taking an interest in them.

A fundamental norm also quickly developed: don’t seek targets in the former Soviet Bloc. Part of this norm can be explained ideologically, stemming from Soviet era propaganda, in that wealthy “bourgeois” foreigners made more deserving targets than economically struggling “comrades” in Eastern Europe. There is also a practical explanation of not wanting to draw the wrath of local law enforcement and security agencies, especially when well insulated against foreign investigations. As Police Dog, one of the well-known CarderPlanet era cybercriminals, wrote: “If we didn’t make a mess on our own doorstep then our local cops and intelligence services didn’t have a problem with us”.

While these explanations have their place, there is almost certainly an economic component involved here as well. In the 1990s and early 2000s, some low-level scams seem to have targeted locals due to the ease of monetisation, avoiding the complications of moving money across borders. But as the West began to rapidly develop the Internet, comparatively wealthy victims and their data became available to those with the right skill sets. It was much more lucrative for Russian-speaking cybercriminals to invest their time and efforts in this new area, especially when Eastern Europeans were less likely to be using credit cards, online banking or purchasing products online and companies in the region were not adopting new technologies to the same degree as those in the West. Locals in former communist countries generally had far less money to steal in the first place, so it seemed only logical to focus attacks overseas.

But change is afoot: there is no longer a dearth of targets in the former Soviet Bloc. The widespread use of the Internet and other new technologies has taken hold in Eastern Europe. New wealth is also emerging. There is money to be made by cybercriminals seeking targets closer to home and there is no doubt that some have been taking advantage of the new opportunities. One Ukrainian researcher suggested that for the last few years Russian-speaking cybercriminals have begun to work “quietly” within their own part of the globe. Of course, there was a loud bang when those behind the Carberp malware began to target online bank accounts in the region, subsequently leading to a number of arrests. This case led to more open talk on forums about Eastern European targets, but many still operate cautiously.

The question now becomes whether recent geopolitical events will lead to the complete dismantling of the norm against carrying out attacks in the former Soviet Bloc. As tensions in the region continue, will the Russian-speaking cybercriminal community become increasingly disjointed and frayed? There is no doubt that politically motivated cyber attacks, whether state directed or not, have increased since the outbreak of war. Local security professionals that have spent much of their careers handling profit-driven cases are now having to shift some of their attention towards cyber espionage, sabotage, activism and terrorism. But some cybercriminals may also harness this opportunity to profit from citizens and institutions in “enemy” countries in the region, using this new political context as cover for their actions, just as the old Soviet propaganda could be used to justify targeting those in the West. Such actions are also likely to bring little heat from national law enforcement when the target is a (newly) unfriendly state’s citizens. Meanwhile, other cybercriminals might care little about politics and simply focus on business, being happy to collaborate with anyone and target any country in the region, as long as there is money to be made.

While norms can seem entrenched, the work of social scientists like Gerry Mackie suggests that if a convention ends, it does so quickly. The inherent nature of a norm is that it is widely agreed upon and applied by interdependent actors. As soon as a tipping point of dissatisfaction is reached, a norm can become unsustainable and almost immediately dissolve. Only time will tell whether the prohibition against targeting former Soviet countries will face this same swift fate.