TribLIVE exclusive: How FBI Pittsburgh led takedown of Darkode thieves
Assistant U.S. Attorney Jimmy Kitchen and two FBI agents from Pittsburgh sat two weeks ago around a large square table inside the ultramodern, glass-walled offices of Europol, Europe's leading law enforcement agency.
The Pittsburghers were joined by top prosecutors and police officers from 20 nations. Some were familiar from FBI training they had done in Pittsburgh, and others had become friendly during the previous six months as they worked together to take down Darkode, a private online black market for hackers and criminals.
“It was like we were the United Nations,” Kitchen told the Tribune-Review in an exclusive interview. “We had our little placard in front of us that said, the United States, and every country had its own.”
By Wednesday, agents running Operation Shrouded Horizon had made 28 arrests and executed 37 search warrants around the world since starting the takedown at 10 p.m. Monday. In all, the investigation involved 70 criminals from Serbia and Slovenia to Brazil and Pakistan.
It led to indictments against a Carnegie Mellon University student accused of selling software that allowed criminals to take over victims' cell phones, and against a Wisconsin man accused of developing the Darkode forum. Of seven defendants charged in Pittsburgh, five in the United States have agreed to face charges in federal court, and two remain at large in Sweden and Pakistan.
The FBI disabled Darkode, a forum where criminals met to broker stolen credit card and personal data, to trade software used to commit crimes, and occasionally to sell narcotics.
“This platform of Internet crime is the challenge of our age,” David Hickton, the U.S. Attorney for Western Pennsylvania, told reporters. “There is really no limit in what these individuals did in their principled and very, very productive criminal activities. But the Darkode forum was their safe place, where they came together.”
All manner of online crime took place on the forum, agents said. Unlike Tor, an anonymous public network established by the federal government and manipulated by criminals, Darkode was a private forum in which new members could join only if a current member vouched for them.
“Nowadays with the click of a mouse, these criminals across the jurisdictions and across the oceans are coming and stealing,” said Scott Smith, the FBI's special agent in charge of the Pittsburgh field office. “… They're stealing our ingenuity, they're stealing our ideas and they're stealing our personal information, and they're using it to carry out schemes and criminal acts.”
A Tribune-Review reporter and photographer spent time with FBI agents Tuesday as they were taking down Darkode, and several agents talked exclusively with the newspaper Wednesday. Several undercover agents asked to remain anonymous.
When the June meeting started at The Hague in the Netherlands, the Pittsburgh investigators led the discussion because they had been working the case for more than 18 months. It started when an unnamed industry partner sought help from the FBI, said J. Keith Mularski, the FBI's supervisory special agent for cyber crime in the Pittsburgh office.
“We were then able to pull the thread and leverage the access that we got from that investigation into being able to infiltrate the forum,” Mularski said.
The investigators had convened a first international meeting at The Hague in January and a second in May. By June, Serbian officers had found a fraudulent passport ring, the Brazilians had identified hackers operating on Darkode, and the Slovenians had cracked a malware ring.
“These [Pittsburgh] guys led the meeting, but it was more like a discussion,” Kitchen said. “‘What's going on with your guy?’ ‘We've got some information for you.’ They'd pass this information back. That sort of thing. It was formal but informal and meant to be so because that's different agencies working together for a common result.”
The hardest part was agreeing on a time to start the operation across multiple time zones.
Back in Pittsburgh, the FBI agents worked primarily out of their South Side offices, using undercover aliases to interact with the online criminals. That meant thinking like the hackers and finding ways to interact on their level.
“You're just like them,” an undercover agent told the Trib. “You learn as you go. There's no textbook to tell you how to do this. No instruction manual.”
It also meant odd hours, waking at midnight for conference calls with European colleagues. Agents drank Red Bull and other energy drinks to stay awake. They dressed for comfort, with one agent sporting a black Penguins polo shirt after staying up all night to execute the operation.
Occasionally, online fights would break out among the criminal users of Darkode, and the agents found themselves refereeing the ongoing soap operas whenever the disputes threatened to derail the case.
When Darkode users warned against using the Tor forum because there were too many undercover police lurking there, the FBI agents chuckled to themselves.
By the time Hickton announced the sting, the agents already had met some of their online targets in person. They were surprised to find among them not only organized criminals, but young people trying to pay off college tuition and computer experts moonlighting to make extra money.
They are still waiting to meet others.
“It will be interesting to see from their online personas how they portray themselves to actually be able to see the true person behind that, to see what their true background is, what their story is,” an agent said.
Agents share an adage that the end of the case is really the beginning. Hickton referred to the case as an ongoing investigation, and work to bring the defendants to justice while mining the information for other leads could take years, Mularski said.
“I'm just getting used to cranking out big cases with these guys because they're so good,” Kitchen said. “We have something good here in Pittsburgh right now.”
Andrew Conte is a member of Trib Total Media's investigations team. He can be reached at 412-320-7835.