5.2.1 From Fraud to Data Breaches

Fraud, of course, is nothing new, but it has evolved dramatically with the shift to online business activities and the emergence of the dark web. In the late twentieth century, criminals focused on stealing valuable data locally, from consumers or businesses, and typically resold it to contacts who were physically nearby. As the Internet blossomed, it opened up new avenues for fraud and led to the emergence of data breaches on a massive scale.

“ConMan” was one such criminal. Today, ConMan is a respected security professional at a major corporation—but as a teenager on Long Island in the 1990s, he made money stealing new, unsigned credit cards out of people’s mailboxes and selling them to his mafia contacts for a fraction of the card limit.

Since ConMan’s uncle was a computer programmer, he was exposed to the Internet early on. This gave him a “great business idea”: If he could break into the credit card companies online, he would be able to steal or create as many cards as he wanted. There would be no need to physically steal mail at all.

With guidance from his friends on Bulletin-Board Systems, ConMan eventually broke into a credit card company via a modem, gaining access to a database that enabled him to read details on existing cards or create new credit cards with arbitrary names and numbers. He then mailed these to abandoned homes in Long Island and ultimately sold them to his mafia contacts.

“I’d go to my mafia contact and sell this $5k card for $500 dollars,” ConMan explained. “I would take 10% and they would say ‘absolutely!’ and they would go out and use it. I never used one myself.”

Wisely, ConMan never used his home Internet connection to break into the credit card company. Instead, he co-opted his neighbors’ Internet connections. (Long before the days of stealing wireless connectivity, ConMan “stole wired.”) “I had a laptop—well, it was actually giant and ridiculous in the late 90s—and I took this beast of a machine along the side of a house somewhere and hook up, [so I could] actually get online,” he explained. “I’d just unscrew the box, and I’d hook the wire to the house, I’d run it across the lawn. I was using their line to dial out in the middle of the night . . . or I’d ride my bike 4 blocks over and I’d do it from some [random] house where there was an abandoned house next door. Every once in a while your connection would drop because somebody in the house picked up the phone.”

ConMan wasn’t alone. During the 1990s, many early hackers “aged out” of mischievous activities and began to focus more on criminal activities for profit, essentially becoming professional black-hat hackers. For example, teenage hacker Albert Gonzalez (or “soupnazi” to his online friends) led a group called the “Keebler Elves” that was known for defacing websites. However, Albert and his cohorts soon discovered that breaking into a website gave them easy access to databases of credit card numbers, SSNs, identification information, and more.

Hackers who started off as innocent explorers turned to crime, and criminals turned to hackers for data. “Black hats” like Albert became less interested in defacing websites and more interested in quietly harvesting valuable data. “I’ve told the Keebler members that I’m not a big fan of defacing pages,” Albert went on to say. “I’d rather have root [complete access] to someone’s account.”⁷

7. Robert Lemos, “Does the Media Provoke Hacking?” ZD Net, July 6, 1999, http://www.zdnet.com/article/does-the-media-provoke-hacking.

Albert leveraged his access to quietly steal credit card numbers, identification data, and other information that he could monetize. “[Albert] was . . . purchasing clothing and CDs online with stolen credit-card numbers,” reported the New York Times, years later. “He ordered the merchandise delivered to empty houses in Miami, and then had a friend drive him to pick it up during lunch period.”⁸ Much like ConMan, Albert learned to leverage abandoned houses for delivery of ill-gotten goods.

8. James Verini, “The Great Cyberheist,” New York Times Magazine, November 10, 2010, http://www.nytimes.com/2010/11/14/magazine/14Hacker-t.html.

5.3.1 Selling Stolen Data

The turn of the twenty-first century brought with it a wave of criminal discussion forums, howto guides for committing fraud, and tools for counterfeiters. The Counterfeit Library, which came out in 2000, was an early site that was popular with identification thieves and carders (payment card thieves). Thousands of contributers primarily from the English-speaking world joined in the conversations, swapping detailed information about identity theft, credit card fraud, fake degrees, doctors’ letters, and many other forms of document fraud and theft.⁹

9. Kevin Poulsen, Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground (New York: Crown, 2011), 74.

By 2001, the Russian-speaking criminal world had established CarderPlanet.com, which facilitated the exchange of stolen digital goods, from credit card numbers to “fullz” (a collection of information about a person, such as the victim’s name, address, Social Security number, driver’s license number, mother’s maiden name, and potentially other details that would be useful for a fraudster). The site also sold physical products to support fraud, such as blank plastic cards with magnetic stripes (for copying stolen card numbers onto).¹⁰

10. Poulsen, Kingpin, 75.

Payment card data was no longer simply a tool to be used for converting credit to cash. Instead, it had become a product. The same was true for identification details and other personal data. Sites like CarderPlanet created an efficient and widely accessible marketplace for these products and, in the process, gave hackers around the world new incentive—and tools—to break into networks and steal the data.

5.3.1.1 Shadowcrew

The English-speaking world wanted in on the action. In 2002, the “Shadowcrew” site was established by a former mortgage broker in New Jersey and a part-time student in Arizona. Shadowcrew was an “archetypal criminal cyberbazaar” that brought the sophisticated features of CarderPlanet to the English-speaking world.¹¹ Figure 5-2 is a screenshot of the Shadowcrew home page, as of October 2004.

11. Verini, “Great Cyberheist.”

Thousands of users flocked to Shadowcrew in order to read tutorials on everything from “how to use a stolen credit card number, forge a driver’s license, defeat a burglar alarm, or silence a gun.” The site’s forums and tutorials helped to perpetuate knowledge about hacking, typically for the purposes of stealing credit and debit card numbers and other valuable data. Shadowcrew also provided a marketplace for buying and selling credit and debit card “dumps”: files containing data from cards’ magstripes, typically sold in dumps with tens, hundreds, or even thousands of records. The dumps were purchased by criminals who would resell the data or convert it to cash or goods, typically by overwriting the magnetic stripe on gift cards or card blanks with the stolen data using a magnetic strip encoder (also available on Shadowcrew) or by using the stolen data for card-not-present (CNP) transactions with retailers.¹²

12. Brad Stone, “Global Trail of an Online Crime Ring,” New York Times, August 11, 2008, http://www.nytimes.com/2008/08/12/technology/12theft.html.

Vendors from around the world applied to sell their goods and, once approved, provided “a dizzying array of illicit products and services: credit reports, hacked online bank accounts, and names, birth dates, and Social Security numbers of potential identity theft targets.”¹³ Vendors wishing to sell their products on Shadowcrew were required to go through a formal vetting process. The prospective vendor would send a sample of his or her product to a designated Shadowcrew member, who would evaluate it and write a review. Vendors who scammed members were shunned and could be punished. In one case, Shadowcrew organizers punished a “scamming bastard” known as “CCSupplier” by publishing his real name, home address, and phone number on the site.¹⁴ One federal prosecutor later referred to Shadowcrew as “an eBay, Monster.com and MySpace for cybercrime.”¹⁵

13. Poulsen, Kingpin.

14. Sarah Hilley, “Case Analysis: Shadowcrew Carding Gang,” Bank Info Security, April 3, 2006, http://www.bankinfosecurity.com/case-analysis-shadowcrew-carding-gang-a-136.

15. Stone, “Global Trail.”

Shadowcrew was easily accessible to anyone who could type the easy-to-remember URL “shadowcrew.com.” (The dark web of the modern world didn’t yet exist.) On the one hand, this low barrier to entry made it easy for Shadowcrew to attract new buyers and sellers. On the other hand, it also enabled law enforcement to easily visit the site, apply for accounts, set up sting operations, and track down the administrators—ultimately leading to Shadowcrew’s demise.

5.3.1.2 Shadowcrew Takedown

As Shadowcrew and similar sites expanded, credit card fraud rose quickly. In the United States, federal investigators struggled to track down the perpetrators. They got their lucky break one night when hacker Albert Gonzalez was nabbed “cashing out” stolen payment card data at an ATM in New York.

Busted!

Cybercriminal Albert Gonzalez carefully glued on a costume nose ring, donned a long, scraggly women’s wig, and packed his pockets full of more than 75 debit cards. It was a warm summer night in New York. Shortly before midnight, the 22-year-old Cuban-born hacker walked into a Chase Manhattan ATM on the Upper West Side of the city. He had timed his visit carefully. Pulling a debit card out of his pocket, he fed it into the ATM and collected the cash. Then he pulled out another and did the same. And another. As soon as the clock struck midnight, the withdrawal limits on the debit cards would reset, and he planned to do the same thing all over again. Albert was “cashing out.”

There was another person in the Chase ATM that night, watching him closely. Unbeknownst to Albert, a plainclothes NYPD detective had followed him into the ATM that night. The detective was on the hunt for car thieves in the area and thought Albert looked suspicious. Watching Albert feed card after card into the ATM, the detective concluded that, although Albert wasn’t stealing cars, he was probably “stealing something.”¹⁶ He arrested Albert and brought him into custody.

16. James Verini, “The Hacker Who Went into the Cold,” New York Times Magazine, November 14, 2010, 44–51, 60, 62–63.

No one knew it at the time, but Albert’s arrest would ultimately lead to the downfall of the Shadowcrew site. It was also just the beginning of Albert’s incredible career as one the greatest data thieves the world has ever seen—all the more shocking given that, at the same time, he was employed by the U.S. Secret Service.

When Albert Gonzalez was caught in July 2003, the New York/New Jersey Secret Service was knee-deep in investigating carders—particularly those “cashing out” in the area—without much success. Although the Secret Service is perhaps best known for protecting the president of the United States, the agency is also responsible for investigating financial crimes. Due to the increasing technical sophistication of financial fraud rings, the agency created the New York Electronic Crimes Task Force (ECTF) in 1995. It was expanded to a national program in 2001 as part of the U.S. Patriot Act.

Albert, they found, was exactly what they needed—polite, smart, and deeply embedded in criminal card fraud rings. Under the nickname of “Cumbajohnny,” Gonzalez was a moderator and “rising star” on the online carder marketplace, Shadowcrew. After his arrest, law enforcement discovered millions of card numbers on his home computer in New Jersey and offered him a deal: If he helped the Secret Service take down other fraudsters, it wouldn’t prosecute him.¹⁷

17. Verini, “Great Cyberheist.”

Albert agreed. He was the thread that would ultimately unravel Shadowcrew and lead to the indictment of 19 of the site’s members—but oddly enough, for Albert, it was just the beginning of his career as a cybercriminal mastermind. First a double agent and then eventually a double-double agent, Gonzalez helped Secret Service operatives infiltrate the carding underground forums and take down his fellow carders—while at the same time stealing millions of payment card numbers from retailers and managing an international money-laundering ring.

“In the beginning, he was quiet and reserved, but then he started opening up. He started to trust us,” said a Secret Service agent who worked closely with Albert.¹⁸ Albert not only shared details about how Shadowcrew and card fraud worked—he also became the “lynchpin” of “Operation Firewall,” the Secret Service’s year-long investigation and takedown of the Shadowcrew organization. In exchange, the Secret Service paid him an annual salary of $75,000/year (cash, so as to not create a paper trail).¹⁹

18. Verini, “Hacker Who Went into the Cold,” 44–51, 60, 62–63.

19. Kim Zetter, “Secret Service Paid TJX Hacker $75,000 a Year,” Wired, March 22, 2010, https://www.wired.com/

“Gonzalez worked alongside the agents, sometimes all day and into the night, for months on end. Most called him Albert. A couple of them who especially liked him called him Soup, after his old screen-name soupnazi.”²⁰ Working out of an Army garage in Jersey City, Albert slowly gained the trust of Shadowcrew’s leadership and rose in their ranks.

20. Verini, “Great Cyberheist.”

By the spring of 2004, Albert had convinced the Shadowcrew leadership to move their communications over to a virtual private network (VPN) that he maintained. The VPN offered Shadowcrew leaders assurance that their emails, instant messages, and other communications would be encrypted and kept safe from the prying eyes of Internet service provider (ISP) security teams or law enforcement. Secretly, the Secret Service monitored all of the VPN traffic and collected detailed evidence of Shadowcrew members’ illegal activities. As described later in the book, Kingpin:

There were deals every day and every night, with a weekly surge in trading Sunday evenings. The transactions ranged from the petty to the gargantuan. On May 19, agents watched Scarface transfer 115,695 credit card numbers to another member; in July, APK moved a counterfeit UK passport; in August, Mintfloss sold a fake New York driver’s license, an Empire Blue Cross health insurance card, and a City University of New York student ID card to a member in need of a full identification portfolio.

On the night of October 26, 2004, Albert sat at a keyboard at Secret Service Headquarters in Washington, D.C. His job: to lure the unsuspecting targets of Operation Firewall into chat sessions before Secret Service agents busted them. The timing was carefully coordinated: agents placed in more than eight U.S. states and six countries barged down doors beginning at 9 p.m. The goal was to arrest as many targets as quickly as possible before Shadowcrew members had time to alert each other. Getting the members to converse in a chat session as the arrests occurred provided key evidence connecting their real-life identities with their online personas.

The New York Times later reported that “it was by some estimates the most successful cybercrime case the government had ever carried out.”²¹ Nineteen people were indicted, and many more were spooked. Figure 5-3 shows the Shadowcrew home page after the Secret Service takedown. A note at the bottom of the page urged members to “CONTACT YOUR LOCAL UNITED STATES SECRET SERVICE FIELD OFFICE....BEFORE WE CONTACT YOU!!”

21. Verini, “Great Cyberheist.”

Shadowcrew’s demise taught cybercriminals a lesson: They needed to carefully protect the anonymity of buyers, sellers, and site administrators.

5.3.2 Asymmetric Cryptography

Asymmetric cryptography, popularly known as public key cryptography, is a fundamental security concept used both by defenders to protect their data and attackers to evade detection and identification. Asymmetric cryptography is the foundation of both onion routing and cryptocurrency, two important technologies that we will study in the next sections. Asymmetric cryptography can be used for good: for example, to keep emails secure even after a hacker has broken into your inbox. It can also be used by cybercriminals to facilitate quick and anonymous ransom payments or to keep buyers and sellers on the dark web anonymous. And it can be used for so much more.

Every professional involved in data breach prevention, preparation, response, or investigation should be familiar with the fundamental principles of asymmetric cryptography because it is a factor in almost every modern data breach. Here are the most important technical concepts:

Encryption is the process of scrambling information so it cannot be accessed by anyone except authorized parties. There are two basic types of encryption: symmetric and asymmetric encryption. (A “key” is simply a long, randomized string of numbers, typically stored in a file, which is used as input when you encrypt or decrypt a file.) With symmetric key encryption, the same key is required to encrypt or decrypt the message. This means that the person who has the key can scramble or recover the original message, but no one else can. Symmetric encryption is useful when you want to, say, encrypt a laptop so that a thief could not access the contents.

With asymmetric (also known as public key) encryption, there are two different keys, which together form a key pair. What one key encrypts, the other key decrypts. Among other benefits, this makes it easy to send and receive confidential messages over the Internet. Each person publishes one key so the whole world can view it (the public key) and keeps the corresponding private key hidden. To send a confidential message, you would look up the recipient’s public key and encrypt the message with it. Only the private key can decrypt the message, so you can happily send the message across the big wide Internet, knowing that only the person with the corresponding private key (the recipient) will be able to decrypt the message. This concept is also fundamental to onion routing, as we will see.

Let’s say you want to verify that a specific person really did send a message and the message was not altered in transit. Asymmetric key cryptography can also be used for this purpose. The sender would use his or her private key, plus the message, as input to a mathematical algorithm that then produces a digital signature. The digital signature is appended to the message when it is sent. The recipient can then look up the sender’s public key and feed this plus the message itself into a signature verifying algorithm, which is designed to produce a result that indicates whether the sender and message combination is authentic.

The effectiveness of asymmetric cryptography relies upon the secrecy of the private key. For this reason, private keys have become a common target of data breaches. Criminals routinely break into computers and specifically scan for private keys used for cryptocurrency, file encryption, communications security, and more. These data elements, too, can be bought and sold for a profit on the dark web. With this in mind, let’s examine how asymmetric encryption facilitated the creation of the dark web in the first place.

5.3.3 Onion Routing

Onion routing, a technique for anonymizing network traffic, is the core technology that now defines the dark web. The concept of onion routing was invented in the mid-1990s by scientists at the U.S. Naval Research Laboratory, further developed by Defense Advanced Research Projects Agency (DARPA), and then popularized in the early 2000s. Onion routing is also used for making anonymous submissions to sites like WikiLeaks, which are used to expose leaked data (we will discuss this more in Chapter 10, “Exposure and Weaponization”).

To understand how onion routing works, let’s first look at an ordinary visit to an Internet website. Normally, a user’s web traffic is sent to a web server, and the web server receives the source IP address of the requesting computer along with the content of the request. Any intermediary (such as an ISP) that can view a web server’s traffic can gather a list of its visitors (again, based on the source IP address). Law enforcement can work with ISPs to map IP addresses to customer names and addresses. This can be tricky, of course, when cybercriminals are spread out across the globe, but today, it is done routinely.

Onion routing protects users’ traffic by wrapping their messages in layers of encryption, so that the ultimate source and destination cannot be seen by anyone. To understand how onion routing works, imagine a network of computers, each of which can pass along messages from other computers. When a user wants to anonymously surf to a website, his or her computer selects a route through the network and encrypts the message route information in layers. Each layer of encryption can be opened only by the corresponding computer along the path (because it is encrypted using that computer’s public key) and when decrypted, reveals the address of the next computer in the path.

As the message travels through the network, each computer decrypts the current layer of encryption, reads the address of the next computer, peels off the current layer, and passes the remaining message to the next computer in the path. This next computer similarly decrypts the current layer of encryption, reads the address of the next computer, peels off the current layer, and passes the remaining message along. This process continues until the message reaches its final destination.

In this manner, messages can be transferred through the network, but no intermediary ever sees both the source and destination addresses. Onion routing is based on the principle of minimal privilege, meaning that it reveals only the information necessary to get the message where it needs to be. Each computer can know the address of the previous computer in the path and the address of the next computer, but that’s it.

Tor is one popular example of onion routing software, which was developed by scientists Paul Syverson, Roger Dingledine, and Nick Mathewson. Tor has many different uses: Law enforcement uses it to collect evidence from dark websites anonymously; intelligence agents use it to hide their communications in foreign countries; cybercriminals use it to conceal their identities; and everyday people use it to preserve their privacy on the web. Dingledine smiles when he points out that Tor is perhaps the only project funded by both the Department of Defense and the Electronic Frontier Foundation (EFF). “The United States government can’t simply run an anonymity system for everybody and then use it themselves only,” he explains. “Because then every time a connection came from it people would say, ‘Oh, it’s another CIA agent.’ If those are the only people using the network.”²²

22. Yasha Levine, “Almost Everyone Involved in Developing Tor was (or is) Funded by the US Government,” Pando, July 16, 2014, https://pando.com/2014/07/16/tor-spooks.

Importantly, Tor includes a way for users to offer “onion services” (also known as “hidden services,”) such as websites and chat rooms. Anyone wishing to offer a service can register in the Tor network and obtain an “onion service descriptor,” which is a 16-character name followed by “.onion”. Visitors can access the service by typing the onion service descriptor into a Tor browser. (There are also Tor plug-ins for popular web browsers.) They are then routed via preconfigured paths to the service. Note that unlike ordinary web services, hidden services can be hosted behind a firewall because the server’s IP address does not need to be publicly routable.

Today, carding shops and other dark websites are often set up as hidden services in Tor, where sellers peddle stolen data and buyers browse the myriad of offerings.

5.3.4 Dark E-Commerce Sites

As Tor grew in popularity, cybercriminals discovered that they could use it to market stolen goods over a network that inherently protected the anonymity of buyers and sellers and was not accessible to the general public. This dramatically reduced the risk of selling illegal data, drugs, and other wares online. Hidden services on Tor expanded, fueling trade in stolen data and incentivizing criminals to hack. The result? More data breaches.

But early dark web e-commerce sites still had a problem: payment. Onion routing made it difficult to trace buyers and sellers using network forensics. Law enforcement still had another ace up their sleeves, and that was the lack of a truly anonymous digital payment method. Buyers on the dark web had some options for paying for stolen goods. For example, buyers could physically mail cash, but there was always the risk that it would get stolen in transit, and of course physical packages could be inspected and traced by law enforcement. Checks and credit cards were far too easily tracked, and sellers did not want to worry about payments being reversed or seized by legitimate banking institutions. In the early days of the dark web, PayPal was popular, as were fast money transfer services such as Western Union. Services such as Libery Reserve (a “digital currency” backed by gold) sprang up, offering criminals a method for transferring funds with relative anonymity—but these services were often shady and would on occasion disappear, along with everyone’s money.²³ Law enforcement had multiple avenues for tracing payments through any of these systems, which typically required the user to provide an email address, at minimum.

23. “Liberty Reserve Digital Money Service Forced Offline,” BBC News, May 27, 2013, https://www.bbc.co.uk/news/technology-22680297.

The Farmer’s Market was an example of a popular early dark e-commerce site that ultimately was shut down due to the lack of anonymous payment and linked email accounts. Like legitimate e-commerce sites of the time, it had a user-friendly web order form and features such as discussion forums, vendor screening, and customer support. The site supported a variety of payment systems, including cash, Western Union, PayPal, iGolder, and Pecunix.²⁴“The Farmer’s Market . . . was like an Amazon for consumers of controlled substances,” wrote Dan Goodin for Ars Technica, which reported that the market had approximately 3,000 customers in 35 countries.²⁵

24. Kim Zetter, “8 Suspects Arrested in Online Drugs Market Sting,” Wired, April 16, 2012, https://www.wired.com/2012/04/online-drug-market-takedown.

25. Dan Goodin, “Feds Shutter Online Narcotics Store That Used TOR to Hide Its Tracks,” Ars Technica, April 12, 2016, https://arstechnica.com/tech-policy/2012/04/feds-shutter-online-narcotics-store-that-used-tor-to-hide-its-tracks.

Onion routing wasn’t enough to protect the ringleaders of the Farmer’s Market from arrest and takedown. In 2012, the U.S. federal government unsealed an indictment of eight people involved in the Farmer’s Market, including both site administrators and customers. Based on evidence presented in the indictment, law enforcement agents appeared to have traced electronic payments through financial services vendors such as PayPal and Western Union.²⁶

26. United States v. Marc Peter Willems, CR-11-01137 (C.D. Cal. 2011), https://www.wired.com/images_blogs/threatlevel/2012/04/WILLEMSIndictment-FILED.045.pdf.

5.3.5 Cryptocurrency

In order for cybercriminals to truly obtain anonymity, they needed a more secure payment system. This was delivered, modestly and precisely, on Halloween in 2008. On this day, an unidentified person (or group of individuals) that went by the name “Satoshi Nakamoto” sent an email that would change the world. “I’ve been working on a new electronic cash system that’s fully peer-to-peer, with no trusted third party,” began the email, which was sent to a popular cryptography mailing list. The message included a link to the author’s new paper, “Bitcoin: A Peer-to-Peer Electronic Cash System.”²⁷

27. Email in author’s inbox, received on October 31, 2008, via the mailing list “[email protected]”.

Initially scrutinized by academics, Bitcoin changed the dark web—and the field of data breaches—within a few short years. Dark web e-commerce sites such as the Silk Road relied upon it for transactions. Bitcoin and other cryptocurrencies have several features that are important for buyers and sellers on the dark web:

• Anonymous payments

• No middleman

• Nonreversible

In traditional online payment systems brokered by financial institutions, suspicious or disputed transactions can be traced or reversed by the intermediary financial institutions. Bitcoin’s invention and subsequent global adoption gave cybercriminals, for the first time, the ability to conduct anonymous, irreversible financial transactions, outside the scrutiny of the legitimate banking infrastructure. This dramatically reduced risk to buyers and sellers, paving the way for a dramatic expansion of the dark markets.

Data breach responders and security professionals should know, at a fundamental level, how cryptocurrency works since the technology facilitates the sale of stolen data and is used in ransomware and extortion cases, cryptojacking, and other cases. Here are a few important things to know about cryptocurrency.

• Cryptocurrency is a digital asset, in which cryptography is used to regulate the creation of new units and transfer funds. (Bitcoin was the first cryptocurrency.)

• Transactions are recorded in a distributed digital ledger known as the blockchain.

• The blockchain is just a collection of files, which anyone in the world can download or share with others.

• Users have “public/private key pairs” that are stored in a wallet. These are used to faciliate funds transfers and verify transactions. (See section 5.3.2 for a summary of asymmetric key encryption.)

• Wallets do not store coins. They store public/private key pairs.

• To send cryptocurrency to another person, you create a message that contains (among other things) the amount you are sending, the public key of the recipient, and a digital signature that you create using your own private key. Then you send that out to all the other computers in the cryptocurrency network. Every other computer can use your corresponding public key to verify that your payment message is authentic.

• “Miners” are computers that earn cryptocurrency either by processing other people’s transactions or by discovering a brand new block in the blockchain. Both of these activities require significant computing power, which represents an investment in equipment, electricity, and time.

• To discover a new block, a miner must guess the answer to a very hard math puzzle. When a miner finds a valid answer, it places it in a message that is digitally signed with its private key and sends that to the cryptocurrency network. The first miner to discover a new block is rewarded with a specific, predetermined amount of cryptocurrency, and a new block that includes the answer, the amount, and the successful miner’s public key is added to the blockchain.

• In most types of cryptocurrency, the blockchain is public, meaning that anyone can view the sender address, recipient address, and amount of any transaction. (Monero is a notable exception, since it obfuscates much of the public transactional data.) However, public/private key pairs do not need to be linked to a specific person’s identity, and so it is possible to conduct transactions anonymously.²⁸

  28. Studies have shown that it is possible to analyze the public Bitcoin ledger and derive information about the relationships between wallet addresses, which can potentially lead to identification. See Dorit Ron and Adi Shamir, “Quantitative Analysis of the Full Bitcoin Transaction Graph,” Department of Computer Science and Applied Mathematics, Weizmann Institute of Science, Israel, 2012, https://pdfs.semanticscholar.org/93ba/e7155092c8ba1ae1c4ad9f30ae1b7c829dd7.pdf.

• Since there is no central bank and no one organization controls the blockchain, it is not possible for a third party to reverse a transaction.

Cybercriminals routinely use cryptocurrency to buy and sell stolen data on the dark web. Cryptocurrency also plays an important role in cyber extortion cases (which are often data breaches), as discussed in Chapter 11, “Extortion.” Extortionists threaten to hold data hostage or expose it to the world unless paid in cryptocurrency. Cryptocurrency enables criminals to demand quick, anonymous payments over the Internet. At the same time, criminals are protected because the ransom payments are difficult if not impossible to trace or reverse.

Since cryptocurrency is a digital asset, it has also become a target of data breaches. New strains of malware now scan an infected host for cryptocurrency, steal it, and delete it. As cryptomining operations multiply and financial institutions begin to experiment with using cryptocurrency for interbank transfer,²⁹ data breaches involving cryptocurrency are likely to become increasingly common.

29. Anthony Coggin, “Singapore Central Bank to Use Blockchain Tech for New Payment Transfer Project,” Cointel-graph, June 9, 2017, https://cointelegraph.com/news/singapore-central-bank-to-use-blockchain-tech-for-new-payment-transfer-project.

Finally, cryptojacking is a new type of cyberthreat that often results in a legally declared data breach (regardless of whether any data was actually stolen). Cryptojacking is a breach where an attacker gains unauthorized access to a computer and installs cryptocurrency mining software. In this way, criminals can reap the rewards of cryptocurrency mining, without the investment in equipment or electricity.

5.3.6 Modern Dark Data Brokers

The emergence of onion routing and cryptocurrency changed the game for cybercriminals. Suddenly, anyone in the world could buy and sell stolen data online, with relatively little risk of being tracked down if they were careful. E-commerce sites quickly sprang up on the dark web, offering many of the same features as mainstream e-commerce sites: user-friendly interfaces, payment escrow, vendor feedback, and more.

The Silk Road was the first darknet market to leverage both Tor and Bitcoin. Launched by self-taught programmer Ross Ulbricht (later known as “Dread Pirate Roberts”) in early 2011, the site eventually grew to include nearly a million users, facilitating more than $1 billion of sales.³⁰

30. Joshuah Bearman, “The Rise & Fall of Silk Road,” Wired, May 2015, https://www.wired.com/2015/04/silk-road-1.

“Silk Road has emerged as the most sophisticated and extensive criminal marketplace on the Internet today,” explained FBI Special Agent Christopher Tarbell, in a criminal complaint against Ulbricht filed on September 27, 2013. “The site has sought to make conducting illegal transactions on the Internet as easy and frictionless as shopping online at mainstream e-commerce websites.”³¹

31. United States v. Ross William Ulbricht, 13-MAG-2328 (S.D.N.Y. 2013), https://krebsonsecurity.com/wp-content/uploads/2013/10/UlbrichtCriminalComplaint.pdf.

The cutting-edge marketplace featured a Bitcoin escrow system, as well as a Bitcoin “tumbler” to provide extra transaction security for users. The tumbler “sends all payments through a complex, semi-random series of dummy transactions, . . . making it nearly impossible to link your payment with any coins leaving the site.”³² This means that even if both the buyer’s and seller’s Bitcoin addresses are known, they are not directly linked to a shared transaction in the blockchain, which makes it very difficult to follow the money.

32. United States v. Ross William Ulbricht.

The Silk Road also featured a popular discusson forum, as well as a private messaging system, so that users would not have to rely on third-party communications systems such as Hushmail, which had been the downfall of many cybercriminals. Like legitimate e-commerce enterprises, the site was supported by a team of administrators who received regular Bitcoin payments ranging from $1,000 to $2,000 per week. It was shut down in October 2013, in a dramatic FBI raid that led to Ulbricht’s arrest. Less than a month later, Silk Road 2.0 was launched (though it, too, shut down in November 2014). As of the time of this writing, Silk Road 3.1 is currently operational and offers a dizzying array of stolen data dumps, hacking tools, drugs, and other contraband.

Modern darknet markets provide a clear path for exchanging—and therefore quickly monetizing—stolen data. As a result, specialized roles have emerged in the hacker economy. For example, different criminals might:

• Launch phishing attacks and build “botnets” for resale

• Scan compromised “bots” for potentially valuable data and then harvest, sort, and resell it

• Create hacker tools such as exploit kits that other criminals use to hack efficiently

• Run a “darknet market” used to exchange stolen data, tools, and other contraband

There are many other specialized roles in the hacker economy, and new roles constantly develop as technology evolves.

5.4.1 Personally Identifiable Information

Stolen identities have been exchanged online for decades. “Personally identifiable information” (PII), such as names, addresses, birth dates, and SSNs, are valuable because they’re useful for committing identity theft and financial fraud. Today, criminals often bundle stolen personal information and sell it as a package called “fullz,” which typically sell for around $30 per record. Prices can vary, with higher prices reserved for victims who have strong credit scores or higher credit card balances. ³³

33. Keith Collins, “Here’s What Your Stolen Identity Goes for on the Internet’s Black Market,” Quartz, July 23, 2015, https://qz.com/460482/heres-what-your-stolen-identity-goes-for-on-the-internets-black-market; Brian Stack, “Here’s How Much Your Personal Information Is Selling For on the Dark Web,” Experian, December 6, 2017, https://web.archive.org/web/20180220093122/ https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/.

5.4.2 Payment Card Numbers

Payment card numbers are widely sought after—and supplied. Stolen payment card numbers typically sold for $10 to $20 per record in 2019, according to Gemini Advisory, a firm that monitors the dark web.³⁴

34. Brian Krebs, “Data: E-Retail Hacks More Lucrative Than Ever,” Krebs on Security (blog), April 30, 2019, https://krebsonsecurity.com/2019/04/data-e-retail-hacks-more-lucrative-than-ever/.

5.4.3 Data Laundering

The dark web isn’t the only place where stolen data can be sold. Certain types of stolen data—such as PII, health information, behavioral analytics, and more are commonly traded in legitimate markets, as discussed in Chapter 2, “Hazardous Material.” While reputable firms typically do not intentionally purchase data from criminals, the lack of transparency and regulation has made it possible for stolen information to flow into legitimate markets, which can in turn incentive breaches.

Stolen data can reenter the legitimate supply chain through a complex web of data brokers. In 2014, the Federal Trade Commission (FTC) conducted a survey of nine major data brokers and found that they “obtain most of their data from other data brokers rather than directly from an original source. Some of those data brokers may in turn have obtained the information from other data brokers. Seven of the nine data brokers in the Commission’s study provide data to each other.” Legitimate data brokers are reticent to reveal their sources. In response to an inquiry by the Senate Committee on Commerce, Science, and Transportation, three major data brokers (Acxiom, Experian, and Epsilon) refused to reveal their data sources (or customers, for that matter). “[A] number of the queried brokers perpetuate this secrecy by contractually limiting customers from disclosing their data sources,” the committee reported.⁴⁸

48. U.S. Senate Comm. on Commerce, Science, and Transportation, A Review of the Data Broker Industry (Washington, DC: U.S. Senate, 2013), 6, http://educationnewyork.com/files/rockefeller_databroker.pdf.

The complexity of the data brokerage marketplace, as well as the lack of oversight and transparency, increases the risk that stolen data can reenter the legitimate data market.⁴⁹ Many types of stolen data are not easily traceable, like unmarked cash. For example, SSNs may be issued centrally by the federal government, but from that point on there is no central organization that tracks their proliferation and use. It’s likely that SSNs have been breached, sold, and resold so many times that a single number may have been stolen from many different places and passed through many unauthorized hands. Similarly, health information, prescription data, web surfing, and GPS location data can be collected in many different ways and from many different places—sometimes legally and sometimes not.

49. Rob O’Neil, “Cybercriminals Boost Sales Through ‘Data Laundering’,” ZD Net, March 16, 2015, http://www.zdnet.com/article/cyber-criminals-boost-sales-through-data-laundering.

The result is that criminals can steal virtually any kind of data today and find a buyer who will not ask too many questions. As legitimate data analytics and brokerage firms continue to invent new data products, they drive the market for raw data sources. Absent careful vetting, that can include stolen data, further fueling the data breach epidemic.