An article in BusinessWeek documents the rise and fall of ShadowCrew, a community of crackers and traders. The story mirrors much of the net world, and if you took away the bias and the element of crime, you could be forgiven for mistaking them for any of dozens of sophisticated online communities. Here are some choice quotes.
Indeed, today's cybercrooks are becoming ever more tightly organized. Like the Mafia, hacker groups have virtual godfathers to map strategy, capos to issue orders, and soldiers to do the dirty work. Their omertà, or vow of silence, is made easier by the anonymity of the Web. And like legit businesses, they're going global. The ShadowCrew allegedly had 4,000 members operating worldwide -- including Americans, Brazilians, Britons, Russians, and Spaniards. "Organized crime has realized what it can do on the street, it can do in cyberspace," says Peter G. Allor, a former Green Beret who heads the intelligence team at Internet Security Systems Inc. (ISSX ) in Atlanta.
This place was organised as a market - buying and selling. The owners' innovation was to bring buyers together with sellers in a trading market and make their crime more efficient.
Because most of the gang members held day jobs, the crew came alive on Sunday nights. From 10 p.m. to 2 a.m. hundreds would meet online, trading credit-card information, passports, and even equipment to make fake identity documents. Platinum credit cards cost more than gold ones. Discounts were offered for package deals. How big was the business? One day in May, 2004, a crew member known as "Scarface" sold 115,695 stolen credit-card numbers in one trade. Overall, the gang made more than $4.3 million in credit-card purchases during its two-year run. The actual tally could be more than twice as large, the feds say. It was like an eBay for the underworld.
Much of the information in the article is unclear in factual terms, but it is very good for giving one the scope of the problem. Here's a case of a stupid "money launderer" being caught:
This was a big break, since the cops could use the doorway to monitor all the members' communications. Among the communiqués: Omar Dhanani, aka Voleur (French for "thief"), bragged he could set up a special payment system for cybercrime transactions, police say. For a 10% commission, he would exchange cash for "eGold," an electronic currency backed by gold bullion. The Secret Service watched as he laundered money from at least a dozen deals for ShadowCrew members.
A professional money launderer would know that e-gold and other online currencies are pretty much completely traceable, and not the money laundering nirvana that competitors would have you believe.
In sum, a great story of one such gang. We need this information widely disseminated so as to assess the threats to our own operations, and the Secret Service and the FBI of the US are to be thanked for their openness. Still, this is only one such gang, and there are hundreds of others out there. The scope of the problem is ... huge.
Posted by iang at May 22, 2005 03:47 PM | TrackBack
Forensically speaking, what procedure do they use to test the validity of their assumptions of presumed guilt prior to trial? The simple possession of data is not a crime; in fact the interpretation of binary data is highly suspect. Playing the devil's advocate, couldn't an attorney simply state that the so-called credit card data was really a pornography ring using encoded data to trade illegal pictures, or perhaps a cipher club trading large blocks of information in a five-year contest? Since the data collected as evidence is considered to have derived from a binary source, it can be made into anything. If the glove does not fit, they must acquit. These so-called gangs are really user groups organized around an undisclosed interest which they are not required to reveal. They may be kept in jail or bonded out, but the methodology for proving that a private set of data taken from a private computer and obtained from a private group's activities on a private site on the internet makes that data subject to being rendered useless if the group or users claim that the stated purpose is one not identified by the prosecution. "Mary had a little lamb" could easily be some threat unless someone tells law enforcement that this message is known amongst this group to mean that. To further the questionable procedures for forensically determining the validity of guilt prior to trial's evidence: what if one member of the group thought "Mary had a little lamb" meant something different? They must prove that one is guilty beyond a reasonable doubt, and since they have already convicted these people without a trial, I suspect their assumptions are incorrect. The reality might just as easily be that the CIA is using stolen information to fund its illegal narcotics trade. Why not assume anything you wish (opium from Central Asia)?
The standards for understanding the information obtained are not well established within the legal venue and are therefore easily derailed. Claiming a criminal network can only be done by showing that the trail of evidence leads to illegal activity, not by the possession of data that may be viewed in any way the user tells you he views it. The posting of this comment is, by the writer, a private event and also coded to reflect cartoon animations of small frogs jumping over brooks and streams. What you think it means it does not, and I shall not have to prove it to you to maintain my innocence.
Posted by: Jim Nesfield at May 23, 2005 08:04 AM
AFAIK, what digital money-launderers do is exchange various digital currencies in different jurisdictions a few dozen times back and forth. Sure, it costs money, but with each crossing of jurisdictions they cause a lot of trouble for the police.
If law enforcement only monitors the transactions of the issuer in their jurisdiction, the transactions are untraceable. Monitoring transactions in other jurisdictions is more difficult, if not downright impossible.
One can even download tools that do this rapid-fire exchange from WebMoney to e-gold and back automagically a dozen or so times. From the money-launderer's point of view, this is a terrific security measure, as it costs them very little in both time and money, while making the life of the adversary (the police, in this case) much harder.
Untraceable digital cash (a la Chaum) would, on one hand, make this a lot easier, but on the other hand, how can one trust an issuer that can issue money without anybody noticing? I think that the Chaumian scheme for untraceable cash is fundamentally flawed in that it leaves the users wide open to hyperinflation by the issuer, which cannot be detected until too late.
Posted by: Daniel A. Nagy at May 24, 2005 04:27 AM
On Money Laundering in DGCs - I've seen some cases of bona fide money laundering in the gold currencies, but they were easily spotted, and hardly what you would call sophisticated. What you describe isn't likely to work on a real scale, but yes, it will work on a small scale. The problem for the money launderer is that the digital currencies are very modern, very digitalised, and it is very easy to do cross-issuer tracing en masse. Data mining, if you will, and the money launderer has no way to know whether it is happening, in complete contrast to the banks.
You won't find a serious money launderer thinking that such an approach is any more than a short term thing, IMHO; there will be a few that might benefit from it, but as soon as it becomes noticed, the tables are turned very easily.
Posted by: Iang at May 24, 2005 06:35 AM
Untraceable digital cash is a bit of a misnomer. It is a paper concept that defies easy implementation. The reason for this is that most transactions are done in such a way that traffic analysis reveals the patterns - blinded tokens are only untraceable if you keep them off the server for a while. You in effect have to "launder" token money as well as use blinded formulas, which means that you stick out like a sore thumb. Most users will keep their value in an account for safety, and all merchants roll over immediately. So there is a clear contradiction between the technical requirement of untraceability and the motives and actions of the users. Feed that into the business, and pretty generally, untraceability is a sort of "interesting feature" that won't be serious enough for the professional MLer.
You mention the inflation part. Yes, we also call this "the bank robbery problem." Blinded money has no easy solution to this, so it tends to be more applicable to low valued systems. Having said all that, token money has a good future, there are people who desperately want to field token money systems, but in a slightly different way to that which the canonical untraceable cash design was envisaged.
Posted by: Iang at May 24, 2005 06:37 AM
What do you mean by token money? In the financial literature it is used synonymously with "fiat money". See e.g. http://www.factbites.com/topics/Fiat-money
Cryptographic untraceability is not a very useful feature for digital payment, IMHO. Paper money is traceable, so what? Who cares?
I also agree that traffic analysis defeats untraceability big time and tricking people into keeping their money on long-term accounts is a far worse intrusion into one's privacy than transaction tracking.
I think that traceable transactions between disposable anonymous accounts is the way to go.
Blinded sigs are great for credentials, though.
Posted by: Daniel A. Nagy at May 24, 2005 07:55 AM
Translated from http://owebmoney.ru/savewm.shtml
Save Thyself
by Nikita Sechenko (translation from Russian by myself)
There are two approaches to one's personal safety. The first one is difficult: never leave the iron plugged in, never smoke in bed, do not place the gas stove near the window. The second approach is a lot easier: you don't follow any rules and hope that there will be no fire. Same with WebMoney. There's a difficult way: for example, read "Security Encyclopedia" (http://owebmoney.ru/security.shtml) and follow all the rules in there. This, of course, requires time and effort, which is unacceptable for many. The other method -- not reading anything, ignoring all the warnings in the Keeper (WM's wallet application), indiscriminately opening all your email, launching all sorts of suspicious programs, not using antivirus software and firewalls. This article is dedicated to those who have chosen this easy way. Since there is a substantial risk that the money from your purses will be stolen, it's useful to know how to get it back. That's what we'll talk about below.
So, the bad guys have "planted" a virus on your computer (you like opening email attachments, don't you?), found the *.kwm key-files on your hard drive (you don't keep them on removable media, do you?), caught the passphrase as you typed it, and sent all of that to their mailbox (your *.kwm files weighed a mere 50K, didn't they?). Then they connect to your WMID from their own computer (you have, of course, turned pre-activation by email and IP blocking off) and steal all the title certificates in there. What can you do?
First, don't panic. You should know that the staff of WebMoney, in particular the arbitration service and tech support, are responsive to pleas for help in case of stolen keys and assets from purses. Be assured, they will do everything they can. Secondly, the solution of the problem should not be postponed. You should act as fast as possible. Every minute counts. Your main task is to get ahead of the bad guys. Taking into account their head start, it will be difficult, but still possible. Finally, the third rule is not giving up. From my experience as an arbiter, I can tell that returning your assets is often possible even in situations that look hopeless at first.
And now for the concrete measures. Your actions will depend on several factors. First and foremost whether or not you have lost access to your identifier.
(to be continued...)
(cont'd)
If you do have access to your WMID and you can check your transaction history and find out the WMID of the offender, the most effective way of proceeding is filing a complaint under "unauthorized payment" against that WMID at the website of the arbitration service (http://arbitrage.webmoney.ru). At this point you will need to pay the arbitration fee immediately, as doing so automatically blocks payments from any WMID with a certification level lower than "initial" (note of the translator: basically, it means blocking anonymous accounts). This way, the assets on the defendant's account will stay there until the arbitration commission rules on the case. WMIDs with an initial level certificate or a registrator level certificate can be blocked only with a sanction of the arbitration commission, but holders of such certificates are not in the theft business, as a rule.
In order to file an "unauthorized payment" complaint, a pseudonym certificate suffices (note of the translator: these are given to whoever asks without any verification). The arbitration fee is 10% of the contested payment. At first, it can make sense to file a minimal complaint, as low as 1 WMZ, and pay a 0.1 WMZ fee. Filing the complaint will take only a few minutes.
However, as the funds could have been transferred a number of times in order to confuse the investigation, after filing the complaint you can immediately contact the arbitration service's administrator (WMID 937717494180, arbitrage@webmoney.ru) and ask him to trace the chain of payments, should one exist. The administrator (after careful consideration) may block all the accounts along the chain and will send you a report on how much money has been "caught" where. You will need this information for further arbitration proceedings. Keep in mind, however, that arbitration is a service for resolving conflicts, not a 911 service. They work from Monday to Friday between 10am and 6pm.
If the offender has left, for some reason, funds on your WMID or you have other WMIDs for the security of which you cannot vouch after the attack, contact the tech support (+7 095 727-43-33, support@wmtransfer.com, WMID 941977853154) and ask them to temporarily block outgoing payments from your accounts as well.
As we have said, filing a complaint is the best solution in this situation. But what can be done if everything has been stolen down to the last penny, and quickly finding a few WMZ to pay the arbitration fee is not an option? In this case, you should email and telephone tech support and arbitration asking them to block the WMID of the offender, after which you should, nevertheless, file a complaint initiating arbitration proceedings as quickly as you can. Keep in mind that tech support can only block WMIDs, but they have no means of tracing the payment chain along which your money has been siphoned off. The arbitration service, on the other hand, can block accounts, trace payments and check balances.
But, as you understand, thieves typically do not transfer funds to their purses, or if they do, they don't leave them there for a longer period of time in order to buy ebook classics, should they get bored, but try to hide their traces and get rid of evidence as quickly as they can. In order to do so, they exchange stolen WM for assets in other payment systems, typically e-gold. Then they exchange them back to WM and repeat a number of times. In this case, the problem becomes significantly more complex. You should contact the administration of the automated exchange through which the exchange has been transacted and find out the fate of your assets (filing a complaint against the exchange makes no sense, see below). Later the administrator of the arbitration service will send a query to the other payment system, but that seldom helps. E-gold, for example, having received a request from WebMoney, blocks offending accounts, but gives transaction information out only at the request of courts and law enforcement.
In the worst case, the offender uses an "offline" exchange, cashing the stolen assets. In this case, arbitration cannot help: the exchange did their job and had no means of knowing about the origin of the funds. Hence, the accounts of the exchange won't be blocked and they are under no obligation whatsoever to return your funds. This is when you should turn to law enforcement and hope that the exchange has checked and recorded the passport data of their clients as required by the rules of our system.
(to be continued...)
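The chain tracing that the arbitration administrator performs (and the cross-issuer tracing Iang mentions in an earlier comment) can be illustrated with a small follow-the-money tracer over a constructed ledger. This is an added example, not code from Sechenko's article, WebMoney or e-gold; the ledger, the account names, the `EXCH` naming for the exchange's purses and the 10-minute / 10%-fee pairing rule are all assumptions made for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    tx_id: str
    ts: int        # minutes after the theft (constructed timeline)
    src: str       # "<issuer>:<account>"; issuer is WM (WebMoney) or EG (e-gold)
    dst: str
    amount: float


def is_exchange(acct):
    # Assumed naming: the automated exchange's own purse in each system
    return acct.endswith(":EXCH")


# Constructed ledger; no real WMIDs or e-gold account numbers.
LEDGER = [
    Tx("t1", 0, "WM:victim", "WM:thief", 100.0),   # the unauthorized payment
    Tx("t2", 5, "WM:thief", "WM:EXCH", 60.0),      # thief sells 60 WMZ to the exchange
    Tx("t3", 5, "EG:EXCH", "EG:mule", 58.0),       # exchange pays out e-gold, minus fee
    Tx("t4", 6, "WM:thief", "WM:shop", 40.0),      # the rest is spent at a merchant
    Tx("t5", 30, "EG:mule", "EG:EXCH", 58.0),      # converted back to WM ...
    Tx("t6", 30, "WM:EXCH", "WM:thief2", 55.0),    # ... into a fresh anonymous WMID
    Tx("t7", 0, "WM:other", "WM:EXCH", 500.0),     # unrelated exchange customer (noise)
    Tx("t8", 1, "EG:EXCH", "EG:other", 480.0),
]

EXCHANGE_WINDOW = 10   # minutes between an exchange's in-leg and out-leg (assumption)
MAX_FEE = 0.10         # out-leg may be up to 10% smaller than the in-leg (assumption)


def pair_exchange_leg(tx_in, ledger, used):
    """Match a payment into the exchange with its payout in the other system: the
    earliest unused payment from the exchange's purse there, inside the window, for
    the incoming amount less at most the fee."""
    other = "EG" if tx_in.dst.startswith("WM:") else "WM"
    candidates = [
        t for t in ledger
        if t.src == f"{other}:EXCH" and t.tx_id not in used
        and tx_in.ts <= t.ts <= tx_in.ts + EXCHANGE_WINDOW
        and tx_in.amount * (1 - MAX_FEE) <= t.amount <= tx_in.amount
    ]
    return min(candidates, key=lambda t: t.ts) if candidates else None


def trace(ledger, start_tx_id):
    """Follow the stolen amount forward from one unauthorized payment. Returns the
    chain of transactions and, per account, the tainted value still sitting there
    (the "caught where" report the administrator sends back)."""
    by_src = defaultdict(list)
    for t in ledger:
        by_src[t.src].append(t)
    start = next(t for t in ledger if t.tx_id == start_tx_id)
    chain, used = [start], {start.tx_id}
    caught = defaultdict(float)
    caught[start.dst] += start.amount
    queue = deque([(start.dst, start.ts)])
    while queue:
        acct, since = queue.popleft()
        for tx in sorted(by_src[acct], key=lambda t: t.ts):
            if tx.ts < since or tx.tx_id in used or caught[acct] <= 0:
                continue
            carried = min(tx.amount, caught[acct])   # only the tainted part moves on
            caught[acct] -= carried
            used.add(tx.tx_id)
            chain.append(tx)
            if is_exchange(tx.dst):
                leg = pair_exchange_leg(tx, ledger, used)
                if leg is None:                      # stuck at the exchange: ask its admin
                    caught[tx.dst] += carried
                    continue
                used.add(leg.tx_id)
                chain.append(leg)
                tx, carried = leg, min(leg.amount, carried)
            caught[tx.dst] += carried
            queue.append((tx.dst, tx.ts))
    return chain, {a: round(v, 2) for a, v in caught.items() if v > 0}


def accounts_to_block(caught):
    """Purses on the chain still holding tainted funds, minus the exchange itself."""
    return sorted(a for a in caught if not is_exchange(a))


if __name__ == "__main__":
    chain, caught = trace(LEDGER, "t1")
    print(" -> ".join(t.tx_id for t in chain))
    print("caught:", caught, "block:", accounts_to_block(caught))
```

The unrelated customer's exchange (t7/t8) is never touched because it falls outside the amount and time window, while the thief's round trip through e-gold is followed to the fresh WMID and to the merchant that received the remainder.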
Posted by: Daniel A. Nagy at May 29, 2005 03:33 AM
Fascinating .. let's make this a full blog entry!
Hey, so this is the most advanced system of after-the-fact fraud resolution I've found - it is exactly like I have predicted. An arbitration service that couples with the Issuer and has juridical oversight and powers.
One question - "E-gold, for example, having received a request from WebMoney, blocks offending accounts, but gives transaction information out only at the requests of courts and law enforcement."
Firstly, are you saying that they accept requests from law enforcement *without* a court order? That's news to me.
Also, why are they rejecting the Arbitrator's request? E-gold is an organisation that specifically and explicitly recognises arbitration. I could go on but take it from me - it is deeply rooted and if they are rejecting arbitration then that would be very odd.
Another question - how big is WebMoney?
Posted by: Iang at May 29, 2005 08:00 AM
This is a more-or-less literal translation of Sechenko's article; I have no idea how WebMoney's arbitration service deals with that of e-gold. I can easily imagine that he is incorrect in stating that e-gold acts upon law-enforcement requests without court orders. However, I am pretty certain that he tells the truth about the limitations that they (WebMoney's arbitration service) experience.
Sechenko is one of the founders of WebMoney and one of its first arbiters, as far as I know. He has a very informative website: http://owebmoney.ru (where "o" means "about" in Russian). Unfortunately, it's Russian only, as far as language goes.
This brings us to your second question: WebMoney is as big as the Russian-speaking world. All of the ex-USSR, and places with large numbers of Russian-speaking immigrants: US, Israel, Canada, Germany, etc. Here's a first approximation of its geography:
http://geo.wmtransfer.com/asp/geoMain.asp
This is a website where WebMoney-related services can register themselves. Not all of them do, of course. Actually, a large number don't. Their attempts at targeting a non-Russian-speaking audience failed. Early on, their website was bilingual English-Russian, and they kept both parts up to date (the company is actually registered in Vermont, USA). Today, the English sites are often out of date and many things never get translated. Their English-language forums are silent most of the time.
In Russia and Ukraine they are huge: all cellular providers accept webmoney for paying bills and topping up prepaid accounts, the overwhelming majority of on-line vendors accept it, auction websites accept it, and so do many ISPs. Scratch-cards for topping up webmoney accounts are on sale in many places, and there are credit cards where one can pay the bills with webmoney.
I admire what they have accomplished. My only complaints about WebMoney are the following:
1. They are constantly reinventing and reimplementing the wheel: for some reason, they refuse to rely on standard tools and protocols.
2. It is impossible to make a webmoney payment to someone unprepared.
3. They keep their software closed. Some protocols are open (maybe all of them), but the source for the wallet application (WM-Keeper) is not available. Nor is the software for running an issuer.
Basically, ePointSystem tries to fix these problems, but we draw big time on the experience of WebMoney. In more than one way, we are walking in their footsteps.
(cont'd)
If, however, you have lost access to your WMID (the attacker has changed the password or the key file), then you should immediately contact tech support and ask them to block your WMID, just in case there is some money left there. In addition, you should contact the administrator of the arbitration service and report the loss of access to your WMID. It is desirable to correspond using the same email address that is indicated in your certificate and in the Keeper's personal data section. In your email, you should give information as comprehensive as possible in order to establish that you are, indeed, the legitimate owner of the WMID in question. Namely, your WMID, the purses' numbers, the last transactions complete with dates, and so on. The administrator, in turn, will tell you the current balance of your purses, where funds were transferred and whether they were successfully blocked. The rest of the procedure is analogous to the one described in the previous section.
That's all. I hope you will draw the right conclusions and choose for yourself that difficult way of protecting yourself from calamities. Remember: lost nerve cells cannot be recovered.
* * *
Note from the translator: This is a translation for which I have not received a permission from the author, completed for purely educational purposes. I have done my best to provide an accurate translation, but take no responsibility for its correctness.
Posted by: Daniel A. Nagy at May 30, 2005 05:06 PM
As promised, Dani's translation was turned into a full blog entry, click on:
Posted by: "Save Thyself" Russia's WebMoney at June 6, 2005 02:24 PM
So let's just break this down, digital currency is traceable, very simple.
Posted by: Stew at June 18, 2005 11:41 PM
A few missing questions here: token money is money made from tokens of some form, as opposed to account money. So coins are token money, as are paper notes. Fiat falls in the latter as modern bank issue, but paper notes originally were promises to deliver on specie, so not all paper money is fiat.
Token money also includes Chaum style blinded coins because the packet is a token that can be passed from hand to hand. But there is a fudge in this, due to infinite copying, the coin has to be rolled over at the server, so this stretches the notion of token.
Account money is things like Ricardo, Paypal, the DGCs and payment systems run by the banking sector. In accounts, the center of gravity is the account, and it holds a quantity of units. In token money, the token is the center of gravity and it is always the same unit.
Smart card money for example is account money, where the money is in an account on the card.
It is a myth that token money is "private." The real situation is more complex than that, all forms of monies have varying and complex privacy features. Physical token money is private because there is no center that can observe, but digital token money has a center; and some forms of tokens had chains of ownership revealed in the token. Paper financial instruments for example would include a chain of ownership written on the reverse.
Posted by: Iang at June 19, 2005 07:50 AM
> So let's just break this down, digital currency is traceable, very simple.
I do not understand this comment. Is this a question?
A claim? A suggestion?
Interestingly enough, this Voleur was only charged with conspiracy to commit access device fraud. Contrary to all of the news articles, he was never charged with money laundering, according to the docket. Additionally, he was the last one to be released on bail. Any thoughts?
From what I've read, he was acting as an e-gold exchanger. There was no money laundering going on, only e-gold exchange. He bought and sold e-gold for a 10% commission (more than other exchangers, mind you). Money laundering requires the movement of moneys for purposes of concealment. E-gold does not store any form of currency, they only store gold (grams/oz). It seems that he was selling a commodity, not simply moving currency.
I honestly don't see how they could convict him, or most of the others indicted. Perhaps they are hoping that they will turn on each other and plead guilty in exchange for 5K1 agreements?
Posted by: Maestro at July 5, 2005 05:57 PM