Feds Arrest 24 in Global Carding Ring Bust

Photo: Jim Merithew/Wired

Two dozen people were arrested around the globe on Tuesday in what authorities are calling a “breathtaking spectrum of cyber schemes and scams” that involved buying and selling bank card details, stolen identities, counterfeit documents, and sophisticated hacking tools on an FBI undercover forum.

Among those arrested is a purported member of the noisy hacking group UGNazi, which has claimed responsibility for various recent hacks — including last week’s outage at Twitter.

The two-year investigation dubbed “Operation Card Shop” began in June 2010 when the FBI set up an online carding forum called Carder Profit.

The FBI monitored and recorded communications on the forum as well as private messages sent through the site between registered users. The FBI also recorded IP addresses of users who accessed the forum.

The operation resulted in arrests of 11 individuals in the U.S. and 13 people abroad as well as the execution of more than 30 search warrants, according to an announcement (.pdf) from the U.S. Attorney’s office for the southern district of New York.

Authorities say they notified credit card providers of more than 411,000 compromised credit and debit cards, and also notified 47 companies, government entities, and educational institutions that their networks had been hacked. Authorities did not, say, however, the amount of losses that were incurred from the activity of the suspects.

Mir Islam, aka “JoshTheGod,” one of the suspects arrested, claimed to be a founder of the online carding forum Carders.org as well as a member of the hacking group UGNazi. The latter group claimed credit for hacking the cloud services company CloudFlare recently in order to redirect visitors to the 4Chan website to UGNazi’s Twitter page. The group also claimed credit for knocking Twitter offline last week, though Twitter denied the claim, attributing the outage instead to a “cascading bug.”

Islam was “dox’d” last week after someone posted his name, address and other details on Pastebin. Doxing someone occurs when hackers obtain the private details of someone, usually of another hacker or someone they deem an enemy, and post them online.

Islam was arrested Monday evening as he met with an undercover Fed in Manhattan, who was posing as another carder, according to authorities. He was taken into custody after he attempted so to use a fraudulent bank card to withdraw money from an ATM. The FBI said the agency seized the web server for UGNazi.com, as well as the domain name of Carders.org.

Another suspect allegedly sold a $50 remote access tool that recorded keystrokes, turned on a computer’s web cam to allow an attacker to spy on the victim and siphoned bank account credentials. A third suspect allegedly hacked databases at a bank, hotel, and various online retailers, and then sold the information to others.

Other suspects are accused of a host of smallish crimes. One allegedly engaged in an Apple call-in scheme, in which he obtained serial numbers of Apple products he didn’t own, then called Apple claiming the product was defective and demanded a replacement product. He then sold some of the devices, including four iPhone 4s, to an undercover FBI agent.

The suspects arrested in the U.S. include:

Christian Cangeopol, aka “404myth,” who was arrested today in Lawrenceville, Georgia;
Mark Caparelli, aka “Cubby,” who was arrested in San Diego, California;
Sean Harper, aka “Kabraxis314,” who was arrested in Albuquerque, New Mexico;
Alex Hatala, aka “kool+kake,” who was arrested in Jacksonville, Florida;
Joshua Hicks, aka “OxideDox,” who was arrested in Bronx, New York;
Michael Hogue, aka “xVisceral,” who was arrested in Tucson, Arizona;
Mir Islam, aka “JoshTheGod,” who was arrested in Manhattan, New York;
Peter Ketchum, aka “IwearaMAGNUM,” who was arrested in Pittsfield, Massachusetts;
Steven Hansen, aka “theboner1,” who was arrested in Wisconsin, where he is currently serving a prison sentence on state charges.

In addition, two minors, whose names were withheld, were arrested in Long Beach and Sacramento, California.

In order to access Carder Profit, which was taken offline last month, was limited to registered members and required a username and password to gain entry. “Various membership requirements were imposed from time to time to restrict site membership to individuals with established knowledge of carding techniques or interest in criminal activity,” according to authorities. “For example, at times, new users were prevented from joining the site unless they were recommended by two existing users who had registered with the site, or unless they paid a registration fee.”

New users were also required to provide a valid e-mail address to register, which was collected by the FBI.

A spokeswoman for the U.S. Attorney’s office insisted that the FBI carding forum was not a sting operation because undercover agents did not initiate the criminal activity.

“All they did was set up a carding forum and then people who allegedly committed this criminal activity came to the forum,” said spokeswoman Ellen Davis.