Spot the Fed

In the early days of the major hacker conference Def Con, a game developed called “Spot the Fed”. Designed to playfully poke fun at law enforcement operatives believed to be collecting intelligence at the gathering, its rules are quite simple. As explained by The Dark Tangent (aka Jeff Moss), the founder and organiser of Def Con, they are as follows:

If you see some shady MIB (Men in Black) earphone penny loafer sunglass wearing Clint Eastwood to live and die in LA type lurking about, point him out. Just get my attention and claim out loud you think you have spotted a fed. The people around at the time will then (I bet) start to discuss the possibility of whether or not a real fed has been spotted. Once enough people have decided that a fed has been spotted, and the Identified Fed (I.F.) has had a say, and informal vote takes place, and if enough people think it’s a true fed, or fed wanna-be, or other nefarious style character, you win a “I spotted the fed!” shirt, and the I.F. gets an “I am the fed!” shirt.

Def Con has been known to attract hackers of all types and stripes, including some cybercriminals. Nonetheless, the likelihood of law enforcement agents making arrests at the conference is relatively low.  “Spot the Fed” is more a matter of fun than anything serious.

But for cybercriminals operating in an online environment, spotting the fed becomes an important business. On the Internet, it is more of an occupational hazard than a game. Anonymity is as much of a benefit to law enforcement as it is for cybercriminals. If an undercover agent is able to build a credible cover and ingratiate him/herself among cybercriminals, the criminals could soon be out of business and in gaol.

So how do cybercriminals attempt to differentiate between the real deal and law enforcement imposters? Perhaps without knowing it, they look for what sociologists and others call “discriminatory signals”, statements and actions that are very costly to fake. One well-known example of a discriminatory signal is a suspected poisoner proving his innocence by drinking the “poison”. A real poisoner would be unlikely to take the drink, knowing death would follow.

Some “tests” used by cybercriminals don’t do a good job of discriminating between bona fide criminals and law enforcement. For instance, like any other subculture, cybercriminals have their own patterns of behaviour and language, an important part of “fitting in”. But with time, experience and the benefit of being behind a computer screen, law enforcement agents have shown themselves able to mimic such patterns. They have also shown themselves able to gather the knowledge and contacts to locate and infiltrate the shadowy online places where cybercriminals congregate, and which the average user would never happen upon by accident.

Instead, the more effective signals for distinguishing undercover agents from genuine cybercriminals are ones that require individuals to demonstrate evidence of actual criminality. This is because many law enforcement agencies bar their operatives from committing crimes in the course of their undercover assignments. If an online figure is happy to chat, share and participate in the community, but refuses to involve themselves in actual cybercrime, they are probably not a cybercriminal (or are a very discrete one).

Different types of cybercriminal have worked this out already. In the same way that online paedophile rings request pornographic images of children in order to join, certain for-profit cybercriminal forums have required the provision of compromised credit card details. For instance, DarkMarket required prospective members to provide details of 100 compromised credit cards, which would then be tested by two reviewers who would write reports on whether the person should be admitted or not. Although only indirectly linked to criminality, other forums request an entry fee that can be quite a large sum of money, supposed proof that each member is a serious operator. Law enforcement can raise such money, but it certainly provides a bureaucratic hurdle.

Along with asking for proof of criminality by provision of illegal goods/services, cybercriminals can also perform background checks on each other. One method is to “dox” someone by pulling up a user’s online footprint and then comparing it to information they have drawn out of that person directly. Another method, employed by online forums, is to require that one or more existing members vouch for new members. The stricter forums require the vouchers themselves to be of a certain standing within the community.

While these mechanisms appear to present stricter tests, they have all been breached by law enforcement and security researchers in different forums. Ultimately, it is a game of cat and mouse. As law enforcement overcome existing tests, criminals attempt to invent more discriminatory ones. When the undercover FBI agent Joseph Pistone (aka Donnie Brasco) infiltrated the Bonanno crime family in New York in the late 1970s, he built such trust with the family that he was under consideration to become a “made” man. When the operation ended, the mafia was so horrified at how far a mole had made it into their organisation, that they changed the rules and required prospective candidates to carry out a murder before being admitting into La Cosa Nostra. That, at least, is one test cyber feds don’t have to worry about online…

Read more about how cybercriminals spot feds in “Trust in the World of Cybercrime”.