For cybercriminals, everything hangs on a nickname.
At the peak of his career in the late-2000s, a mysterious online figure from Eastern Europe attained the position of administrator of DarkMarket. He had climbed to the highest rung of one of the most significant cybercriminal forums—where stolen credit-card data and other illicit goods and services are traded—in history. But before he could do all that, he had to choose a nickname.
For Pavel Kaminski, the reputed Warsaw-based spammer, getting his nickname right was the first step into one of the most elite circles of online criminality. His choice: an homage to a Teenage Mutant Ninja Turtles character, the rat sensei Master Splinter. But Kaminski customized the spelling to exude a certain “hackerish” quality. The handle, Master Splyntr, had no particular significance for its creator; but there was thought and strategy in its invention. In fact, for Keith Mularski, the real person behind Pavel Kaminski, there had to be.
Not only was Master Splyntr a creation; so too was the Polish spammer. Mularski was an FBI agent who had fabricated this cover with help from the spam-fighting organization Spamhaus. The agent was not working out of Warsaw but the offices of the National Cyber-Forensics and Training Alliance, in Pittsburgh. It amused Mularski that he had turned to an underground rat for his nickname. With the rat’s help, soon DarkMarket would be down, and major global cybercriminals would be in jail.
IN CYBERCRIME, IT IS difficult for criminals to establish bona fides. They can’t rely on their reputation in the neighborhood, or chest-pounding prowess. They have to build a virtual identity. In this, as one FBI agent who has spent time undercover online told me, a good nickname is “basically all that you have.”
The key to cybercriminal nicknames is less in the specific choice—the actual name hardly matters—than in the intricate function that they play. An effective handle provides anonymity, and can’t be easily used to identify the cybercriminal behind the name. This is the feature that allows users to advertise their criminality openly online. But a nickname is also the foundation of a cybercriminal’s reputation—of what amounts to a trusted brand. Without it they have no presence online. They’re just a newbie—a “noob.”
On the dark Web, it’s difficult to know who you are really talking to: maybe a Polish spammer or an FBI agent in Pittsburgh. Take the elite hacker Max Butler, aka Max Ray Vision. By the end of his dark digital career, he had accumulated at least five cyber identities: Ghost23, Generous, Iceman, Digits, and finally Aphex. Ghosts are a common trope online, but names Generous and Digits, used by Butler when vending stolen credit-card data, implied attractive profits for customers.
As Wired editor Kevin Poulsen explained in his biography of Butler, Kingpin, Butler took on the handle of Iceman when he established the forum CardersMarket—which would become a rival to DarkMarket. He chose Iceman specifically because it wasn’t unique: There were other Icemen floating around the dark Web. Butler thought that if he ever attracted heat from law enforcement, the multiplicity might thwart efforts to identify him. He further spread his risk by keeping his vendor identity, Digits, separate from his administrator identity, Iceman—in case one or the other was “apprehended.” Ultimately, a damaged reputation was what led to Iceman’s demise: He had started a cyberturf war with other carding forums, attracted media attention, and (ironically) made unproven accusations that the honorable Master Splyntr was a fed. So Butler retired Iceman, and up stepped Aphex as the “new” boss of CardersMarket.
Butler and Mularski both put some strategy into their handles. But one former American hacker told me handles are often simply what “sounds cool,” at the time. Veteran carder and film buff David Thomas used the online nickname El Mariachi as a tribute to the Robert Rodriguez film; Robert Schifreen, who hobby-hacked before it was illegal, in 1980s Britain, went by the name Triludan the Warrior, a reference to the antihistamine medication he used.
TO BUILD A TRUSTED brand, there is an incentive to maintain the same nickname over time, but that increases the risk of being caught. Cybercriminals have to carefully balance these competing interests.
One British identity thief I talked with tweaked his handle up to 20 times over his career—but maintained an identifiable (to the right people) strain throughout. The undercover FBI agent knows of Russian cybercriminals who replaced their nicknames every three months. But even these guarded types must subtly alert select collaborators to their new identity, or face starting from scratch.
Then there are those that value reputation over risk, like the hacker and former spammer I met with in Southeast Asia: He has used the same handle, chosen at random from the dictionary, since he was a teenager, through his forays into crime, and even after going straight. “I mean, I’ve got a reputation, I’ve got friends—people trust me,” he explained. Giving it up, he said, would be akin to relinquishing his identity in the physical world and starting again. Today, he works as what is called a penetration tester, a legal hacker of sorts, hired to find holes in a client’s system before a real attacker does. Some clients have discovered his past, and his long-established online reputation. But they seem pleased. They figure it means he’s more effective at his job.
This article was originally published in the Nov/Dec 2013 edition of Pacific Standard.