How Pittsburgh became a global center for fighting cybercrime
July 19, 2015 12:00 AM
J. Keith Mularski, supervisory special agent for the FBI Pittsburgh's cyber squad, monitors cyber criminal activities at National Cyber Forensic and Training Alliance Center, a nonprofit based in South Oakland.
By Rich Lord / Pittsburgh Post-Gazette
When Jaap van Oss first visited Pittsburgh in 2012, he knew he’d be in the company of “almost legendary cybercrime investigators,” he said. Mr. van Oss, the team leader of Europol’s European Cybercrime Center, couldn’t have known how the legend would grow.
Back then, law enforcement was just starting to break out of its stop-at-the-border approach to crime, in response to the explosion of international online theft. Three years later, investigators in Pittsburgh are fresh from coordinating an unprecedented six-continent cybercrime bust that international law enforcement is touting as a new phase in combating data crimes.
“I think that this operation shows that we can properly fight cybercrime,” said Mr. van Oss. “We should do it on an international level.”
The factors that made Pittsburgh a cybercrime-fighting hub are well documented. Carnegie Mellon University’s 27-year-old cybersecurity team, the Oakland-based nonprofit National Cyber Forensic and Training Alliance, prosecutors dedicated to computer cases and the presence of celebrated online sleuths J. Keith Mularski and Chris Geary at the FBI branch here put the city on the map.
Last week, Pittsburgh dominated the map. From offices in the Dixon Federal Building on the South Side, agents and analysts directed a takedown of the Darkode.com cybercrime bazaar, and the execution of some 70 warrants globally.
The Pittsburgh-led coalition included investigators and prosecutors in numerous states, Australia, Bosnia, Brazil, Canada, Colombia, Costa Rica, Cyprus, Croatia, Denmark, Finland, Germany, Israel, Latvia, Macedonia, Nigeria, Romania, Serbia, Sweden and the United Kingdom.
Mr. van Oss said Pittsburgh is “a focal point in cybercrime” investigation not only because of the skill and leadership here, but because of the local attitude.
“They acknowledge the need to cooperate with industry and to share with international partners,” Mr. van Oss said, in a phone interview from his office in The Hague. He said that Mr. Mularski, the Pittsburgh FBI cybersquad’s supervisory special agent, is “an investigator that is very persistent, very enthusiastic, that is always smiling, in good spirits, and has a very good vantage point on the cybersecurity world.”
Lizards in the dark
For hackers who weren’t fluent in Chinese or Russian, Darkode was the go-to marketplace for stolen data and hacking tools.
Those who earned a password — obtainable only through references and a sufficiently impressive hacker vitae — could buy databases of Social Security numbers and dates of birth, credit card numbers, passwords, access to hacked servers or to “botnets” of secretly enslaved computers. Also for sale were the tools to pry such treasures loose.
On Wednesday the infamous hacking crew Lizard Squad mourned Darkode’s passing. “Long live darkode,” a Twitter member called @LizardLands posted. “Go ahead and take our forum; we’re still here.”
Darkode “was believed by many to be impenetrable,” said U.S. Attorney David Hickton on Wednesday. It used constantly changing aliases, rotating site administrators and what he called “bulletproof servers” to hide from law enforcement, while turning social media sites, individuals’ smartphones and even gaming consoles into instruments of thievery.
With alleged members hailing from Glendale, Wisc., Karachi, Pakistan and dozens of countries in between, Darkode’s roots were broad.
It was a worthy target for Mr. Mularski, whose exploits include engineering the FBI’s 2008 takeover of the DarkMarket online crime site and sparring with Max Ray “Max Vision” Butler, 43 and now a federal prisoner, for control over the trade in stolen credit cards. In 2005, the FBI assigned him to run the training alliance, giving him the opportunity to teach and learn from other top computer cops globally.
“Personal relationships are very big,” said Mr. Geary, the supervisory special agent focused on Chinese hacking. To achieve an international arrest, information must be shared, and that demands trust. Partner countries “still have that rule of law that they have to be able to document and show why this person is bad if they’re going to arrest them or execute a search.”
Global cooperation “with the Pittsburgh office started to flow really well about two or three years ago,” said Mr. van Oss.
Mr. Mularski’s down-to-earth personality — honed at McKeesport Area High School and Duquesne University, where he majored in history — led to amiable, trusting, crucial relationships.
“There is no individual country or organization that can really put a dent into cybercrime anymore,” said Mr. van Oss. “The lone hacker is a very romantic view among cybercriminals,” he said, but that model has been replaced by “the fluid kind of networks that exist and are created on the underground forums and the underground economy.”
Early targets were the Cryptolocker and Gameover Zeus schemes, which, respectively, encrypted the data of common computer users and extorted payment, and enlisted infected computers to steal money. The trail led to Evgeniy Mikhailovich Bogachev of Russia.
It took a coalition of law enforcement agencies in Ukraine, Canada, France, Germany, Luxembourg, the Netherlands and the United Kingdom to take down Mr. Bogachev’s botnet. Mr. Hickton indicted the Russian, but the lack of an effective extradition treaty has prevented his arrest.
Also last spring, Mr. Hickton indicted five members of Unit 61398 of the Chinese People’s Liberation Army. The five were accused of hacking secrets from U.S. Steel, Westinghouse Electric, Alcoa, Allegheny Technologies, the United Steelworkers International Union and the German company SolarWorld. Chinese diplomats protested the charges. In October, a judge declared the five cybersoldiers to be fugitives.
Pittsburgh’s team is “punching well above their weight class,” says Marc Goodman, author of the book “Future Crimes” and a cybersecurity consultant who has worked for the Los Angeles Police Department and Interpol. “Pittsburgh, if you look at the number of agents, is not a big field office, and yet the guys are putting together world-class cases around the globe.”
Finger in the SpyEye
Efforts to defeat Darkode were international from the beginning.
In 2010, an undercover agent negotiated with a Darkode administrator known as “Mafi” to buy access to three hacked computer servers. That administrator turned out to be Johan Anders Gudmunds, 27, of Sollebrunn, Sweden, according to his indictment. He was searched and questioned Wednesday, and will be prosecuted in Pittsburgh for fraud and money laundering conspiracy.
An indictment handed down under seal in 2011 in Atlanta accused two Darkode members of writing and spreading the malicious SpyEye program, which stole online banking passwords. The suspects, Hamza Bendelladj of Algeria and Aleksandr Andreevich Panin of Russia, seemed to be out of the law’s reach. But their wanderlust got the best of them. Mr. Bendelladj was arrested in Thailand, and Mr. Panin in the Dominican Republic. Both await sentencing.
There hasn’t previously been a cybercrime roundup as extensive as last week’s Darkode sweep, which involved at least 28 arrests. Just one defendant — Morgan C. Culbertson, 20, of Churchill — is from Western Pennsylvania.
“This type of takedown is something we want to continue to build upon,” said John Lynch, chief of the Department of Justice Criminal Division’s Computer Crime and Intellectual Property Section.
“This was a great case, really good police work,” said Mr. Goodman. “Our ability to prosecute this crime is ridiculously small,” he added, so every arrest counts — though prosecution alone won’t thwart cybercrime.
“There will be other forums taking over the role that Darkode has played so far,” said Mr. van Oss. Thanks to the growing coalition, and to Pittsburgh’s “different and significant and more proficient role,” he said, law enforcement has shown “that it is very well possible to launch, coordinate and execute an action against international cybercrime.”
Rich Lord: firstname.lastname@example.org or 412-263-1542. Twitter @richelord.