TribLIVE exclusive: How FBI Pittsburgh led takedown of Darkode thieves

Assistant U.S. Attorney Jimmy Kitchen and two FBI agents from Pittsburgh sat two weeks ago around a large square table inside the ultramodern, glass-walled offices of Europol, Europe's leading law enforcement agency.

The Pittsburghers were joined by top prosecutors and police officers from 20 nations. Some were familiar from FBI training they had done in Pittsburgh, and others had become friendly during the previous six months as they worked together to take down Darkode, a private online black market for hackers and criminals.

“It was like we were the United Nations,” Kitchen told the Tribune-Review in an exclusive interview. “We had our little placard in front of us that said, the United States, and every country had its own.”

By Wednesday, agents running Operation Shrouded Horizon had made 28 arrests and executed 37 search warrants around the world since starting the takedown at 10 p.m. Monday. In all, the investigation involved 70 criminals from Serbia and Slovenia to Brazil and Pakistan.

It led to indictments against a Carnegie Mellon University student accused of selling software that allowed criminals to take over victims' cell phones, and against a Wisconsin man accused of developing the Darkode forum. Of seven defendants charged in Pittsburgh, five in the United States have agreed to face charges in federal court, and two remain at large in Sweden and Pakistan.

The FBI disabled Darkode, a forum where criminals met to broker stolen credit card and personal data, to trade software used to commit crimes, and occasionally to sell narcotics.

“This platform of Internet crime is the challenge of our age,” David Hickton, the U.S. Attorney for Western Pennsylvania, told reporters. “There is really no limit in what these individuals did in their principled and very, very productive criminal activities. But the Darkode forum was their safe place, where they came together.”

All manner of online crime took place on the forum, agents said. Unlike Tor, an anonymous public network established by the federal government and manipulated by criminals, Darkode was a private forum in which new members could join only if a current member vouched for them.

“Nowadays with the click of a mouse, these criminals across the jurisdictions and across the oceans are coming and stealing,” said Scott Smith, the FBI's special agent in charge of the Pittsburgh field office. “… They're stealing our ingenuity, they're stealing our ideas and they're stealing our personal information, and they're using it to carry out schemes and criminal acts.”

A Tribune-Review reporter and photographer spent time with FBI agents Tuesday as they were taking down Darkode, and several agents talked exclusively with the newspaper Wednesday. Several undercover agents asked to remain anonymous.

When the June meeting started at The Hague in the Netherlands, the Pittsburgh investigators led the discussion because they had been working the case for more than 18 months. It started when an unnamed industry partner sought help from the FBI, said J. Keith Mularski, the FBI's supervisory special agent for cyber crime in the Pittsburgh office.

“We were then able to pull the thread and leverage the access that we got from that investigation into being able to infiltrate the forum,” Mularski said.

The investigators had convened a first international meeting at The Hague in January and a second in May. By June, Serbian officers had found a fraudulent passport ring, the Brazilians had identified hackers operating on Darkode, and the Slovenians had cracked a malware ring.

“These [Pittsburgh] guys led the meeting, but it was more like a discussion,” Kitchen said. “‘What's going on with your guy?' ‘We've got some information for you.' They'd pass this information back. That sort of thing. It was formal but informal and meant to be so because that's different agencies working together for a common result.”

The hardest part was agreeing on a time to start the operation across multiple time zones.

Back in Pittsburgh, the FBI agents worked primarily out of their South Side offices, using undercover aliases to interact with the online criminals. That meant thinking like the hackers and finding ways to interact on their level.

“You're just like them,” an undercover agent told the Trib. “You learn as you go. There's no textbook to tell you how to do this. No instruction manual.”

It also meant odd hours, waking at midnight for conference calls with European colleagues. Agents drank Red Bull and other energy drinks to stay awake. They dressed for comfort, with one agent sporting a black Penguins polo shirt after staying up all night to execute the operation.

Occasionally, online fights would break out among the criminal users of Darkode, and the agents found themselves refereeing the ongoing soap operas whenever the disputes threatened to derail the case.

When Darkode users warned against using the Tor forum because there were too many undercover police lurking there, the FBI agents chuckled to themselves.

By the time Hickton announced the sting, the agents already had met some of their online targets in person. They were surprised to find among them not only organized criminals, but young people trying to pay off college tuition and computer experts moonlighting to make extra money.

They are still waiting to meet others.

“It will be interesting to see from their online personas how they portray themselves to actually be able to see the true person behind that, to see what their true background is, what their story is,” an agent said.

Agents share an adage that the end of the case is really the beginning. Hickton referred to the case as an ongoing investigation, and work to bring the defendants to justice while mining the information for other leads could take years, Mularski said.

“I'm just getting used to cranking out big cases with these guys because they're so good,” Kitchen said. “We have something good here in Pittsburgh right now.”

Andrew Conte is a member of Trib Total Media's investigations team. He can be reached at 412-320-7835 or [email protected].

