By Kim Zetter
Jan. 31, 2007
David Thomas' entree to online crime came through the conventional world
of offline crime. He was born to a Texas oil family, but this
circumstance did little to grease his way through life. His parents
divorced when he was four, and his father, a geologist and oil
prospector, walked out of his life and died destitute in 1987, leaving
Thomas with nothing more than a small oil royalty on a barren tract of
Left to his own devices, Thomas gravitated to trouble. At 14, he stole a
car -- his first felony; by 30 he'd been arrested several times for
check fraud, forgery and burglary.
In the 1980s, it looked like things were turning around for him after he
married, had kids and caught the computing wave, launching a business
building PCs. But his climb up from crime didn't last long.
In 1993 he was working for a Texas company contracted to install
electronic key-card systems in Doubletree hotels when Thomas thought his
employer was mistreating Doubletree and convinced the hotel to give him
the $250,000-a-year contract instead. He was sure it would lead to other
contracts. But he'd also just bought a new home in a gated community and
needed money for the mortgage. So he bought cheap parts and overcharged
Doubletree to get quick cash -- a bad choice made worse by the fact that
the components were faulty.
He worked overtime to install the first system in Doubletree's Kansas
City hotel then turned his phone off to rest. As luck had it, those were
the days President Clinton's advance team were in town and staying at
the hotel. When the key system failed, they were locked out of their
rooms. Thomas turned his phone on a few days later to a series of shrill
messages from the hotel manager. "Where are you? The computers are
crashed, what are we going to do?!" Then: "You bastard! You son of a
bitch! You'll never work in this town again!"
Thomas lost his house and marriage, and over the next decade alternated
between legitimate and criminal work, none of it very successful. He got
a job installing databases, then got fired when the company discovered
he was on probation for check fraud. Then he smuggled marijuana across
the Mexican border. After that more check fraud followed.
In 1998, at 40, he met Bridget Trevino on an IRC channel -- she was 25
and living with her mother. They crisscrossed the country for a year,
living on money from relatives and forged checks. It was the perfect
match. "We never argued. We both liked the same exact kind of life --
you know, quiet, sedate, white-picket fence," he says with no hint of
Their vehicle broke down in the Midwest in November 1999, and two weeks
later Thomas got a phone call, and a rare lucky break. The Texas land
his father left him turned out to have oil and gas reserves beneath it.
Big royalty checks started rolling in -- first $2,000 a month, then
$6,000 and $8,000. Thomas vowed never to return to crime, and for a year
and a half the vow stuck. Then the oil flow slowed, and the checks
dropped back to $2,000 then $1,500.
Fearing the well was about to run dry, he sold his royalties on
Energynet.com, an auction site where the wealthy traded oil and gas
royalties, and got $70,000 -- enough for a down payment on a ranch
house. But after six months the money and house were gone. "I never
thought things would go south on me like they did. At that point I was
bitter," he says.
He turned to his old standby, check fraud; but with outstanding
warrants, he needed a new identity. That's how he found Counterfeit
Library, a British website where vendors sold "novelty" IDs -- fake IDs
that were the stock-in-trade of identity thieves. The site was "total
nirvana for a criminal," Thomas says, and a revelation.
Thomas had used fake IDs before, but they wouldn't stand up to scrutiny
in bright light. Counterfeit Library IDs, by contrast, were genius, with
holograms and magnetic stripes. For $150 you could buy any ID you wanted
-- military, federal employee, even the FBI or Secret Service. A little
more would get you the whole "rebirth package": birth certificate,
driver's license, passport, Social Security card, employee badge (name
your dream job), even utility bills to establish proof of residency.
There was also a service called PhantomInfo, which consisted of a script
that tapped into the computers of the ChoicePoint data broker. For $29 a
month you could send unlimited e-mails to firstname.lastname@example.org
containing the names of victims whose identity you wanted to steal; the
program would search ChoicePoint's database and reply with the victim's
Social Security number and current address.
"Today, it's just normal, everyday stuff," Thomas says. "But back then
it was the first that we had seen of that kind."
This was the start of something big. A small number of carders had long
exchanged stolen identity information and credit card numbers on
electronic bulletin boards and IRC channels. But websites like
Counterfeit Library launched a whole new era of white-collar crime,
lowering the entrance barrier for those who never would have found such
information otherwise, and creating a global market for trading in large
amounts of hacked data. For the first time, crooks could specialize in
criminal niches, and market that expertise to thousands of collaborators
In addition to fake IDs, Counterfeit Library had forums where members
traded in special deals. But to participate in the best deals you had to
be a senior member, and to be a senior member you had to have 1,000
posts to your name. So, adopting the online nickname "El Mariachi,"
Thomas set out to make 30 posts a day, aiming for senior status in five
Thomas wrote quality content that got him noticed. He wrote tutorials on
bank fraud -- "$30,000 on a $3,000 Investment" and "Payroll Checks for
Fun and Profit" -- as well as long, introspective pieces about a hard
life lived and lessons learned. The piece that got him the most
attention was a solemn meditation on karmic retribution, which he wrote
after he and Trevino found the windows of their Cadillac vandalized
while they were out passing bad checks. "We were out doing wrong
things," he says, "and it was our time to pay the price."
He developed a following on the boards among older members who
considered him a fellow traveler on the hard-luck path, and younger ones
who were glad to get a fatherly ear in the quiet hours after midnight.
The positive feedback was a drug to Thomas. He loved leaving the weak
David behind and taking on a new persona. Where David Thomas was
insecure, El Mariachi was confident and worldly. Where David was
unsuccessful at crime, El was a master con man. On the boards, all his
neuroses seemed to disappear.
"El is the key to the strength that I have," Thomas says. "I know it
sounds psychotic . . . but that is the boards. The characters are built
around people who have low self-esteem, and they're looking on the
boards for whatever they're missing in life."
But Counterfeit Library was soon supplanted by a new and vigorous type
of online criminal marketplace, led by the arrival of the Eastern
European fraud merchants.
Eastern Europe, particularly Russia, Ukraine and Romania, has become a
wellspring of internet crime in recent years -- a result of rampant
corruption, economic decline and too many young hackers with
sophisticated skills and a dearth of legitimate opportunity. (See
sidebar, "Tracking the Russians"). Organized crime mobs from these
countries have joined forces with hackers and become adept at crafting
and carrying out online attacks of varying sophistication: from simple
phishing ruses to active database intrusions. "Because organized crime
is so well-entrenched there, and tolerated by authorities to some
extent, they're the one who are moving into it most aggressively," says
James Lewis, a senior fellow at the Center for Strategic and
It's only natural that the bank-card system would draw their attention.
"It was the Russians who ... brought plastic online," Thomas says. "They
had manufacturing facilities to manufacture credit card plastic and put
data on it, and guys on the English side were like, 'Whoa!'"
The "Russians" included two twenty-something Ukrainians named Dmitry
Golubov and Pavel Chistov who, according to law enforcement officials,
joined with 150 other Eastern European criminals in convening a summit
at an Odessa restaurant in the spring of 2001. The result was
CarderPlanet, a highly organized online carding and money-laundering
emporium that set the standard for all carding sites that followed.
According to Thomas, Golubov, aka "Script," was a spammer who
realized the potential for carding when he saw how easily people sent
their credit card numbers through e-mail to purchase the products he
hawked. His group of cohorts paid hackers $1,000 a day and more to crack
bank and card-processing databases to steal credit card numbers, which
they sold in "dumps" of hundreds of numbers online. They set up botnets
to spam out phishing lures, and even created a makeshift factory for
manufacturing blank plastic cards with magnetic stripes and holograms.
When Russian authorities eventually raided their workshop in June
2003, they found 8,000 counterfeit credit cards, according to an article
CarderPlanet's how-to tutorials and message boards became a daily
must-read for criminals looking to make their mark in the burgeoning
field of cybercrime. As one Russian carder noted in a message on the
site: "Some people read 'Kommersant', others 'Pravda,' but we --
"They were advancing crime by leaps and bounds," Thomas says. "It was a
24/7 operation that never slept."
Where the Russians went, everyone else followed. Although CarderPlanet
was initially exclusive to Eastern Europeans, the site later added an
English-speaking forum to attract partners in the United States and
Britain who could cash out ATM cards and run drop addresses for stolen
The site eventually amassed 7,000 members, according to authorities,
about 450 of whom overlapped with an increasingly popular U.S. site
"When Shadowcrew first came up and people made a $5,000 score, people
were like 'Wow, you're big time,'" Thomas says. "But later on ... guys
were making $100,000 a day."
A former Irish carder who used the nick "ITR" told Wired News in an
e-mail that the amount of cash he pulled in from his carding days was,
at times, hard to keep up with. When asked how much he stole, he
replied, "Above the national average, and with some decent investment
life is good."
Thomas, of course, wanted in on the action. It wasn't long before he
hooked up with a Ukrainian man named "Big Buyer," one of the top Eastern
European carders, whose nick derived from his penchant for maxing out
stolen credit card numbers with big-ticket items, such as $30,000
watches. "If he had $50 left on the card, he'd go find another item to
max out the card," Thomas says. 
Thomas went to Seattle where he began laundering money and receiving and
selling merchandise for Big Buyer.
But carding wasn't his ultimate goal. Thomas had bigger plans in mind.
He was devising a scheme to defraud traders at Energynet.com, the
auction site where he'd sold his father's oil rights. He needed money
from the Big Buyer operations to establish himself as a player at
Energynet, where he planned to sell $5 million in oil and gas royalties
that didn't exist.
The "Rockford op," as he dubbed it in honor of James Garner's character
in The Rockford Files, would be his final scam, the swan song every
grifter dreams of that would allow him to retire from a 30-year mediocre
career in crime that he no longer had the stomach to pursue.
But it was not to happen. Thomas was on the carding sites only five
months before he and Taylor were arrested in Issaquah, Washington, and
he began his new role for the FBI.
"I'd like to screw this guy, but it's not my field," a carder using the
name "BoBaBc" wrote on CarderPlanet a few months after Thomas started
work for the FBI. "If you can help me set it up we'll split it."
Some aspects of online fraud are seasonal -- in December, consumers are
likely to receive malicious software crafted as electronic Christmas
cards, for example. In 2004, the upcoming national election was looming
large in America's consciousness, and cybercrooks like BoBaBc were
looking for ways to cash in.
BoBaBc told Thomas he'd planted Trojan horses on the home computer of
Darryl Tattrie, then a comptroller for the Kentucky Democratic Party.
The hacker found numerous financial files on the computer, among them a
spreadsheet listing donations to the party coffers, a list of bank
account numbers with the names of people authorized to use them, and
even a digital copy of Tattrie's signature for printing checks.
The fraudster had a plan to funnel $250,000 from the party's campaign
fund to an offshore bank account, and frame Tattrie for embezzlement.
But he was a newbie to wire transfers and needed Thomas' help. Thomas
tutored him for several days, and helped him compose a fax to the
party's bank. But, of course, he was working both sides. When BoBaBc's
anonymous cell phone broke, Thomas sent him a new one -- courtesy of the
FBI. Thomas assumes the phone was under surveillance.
It's unclear how BoBaBc's scheme played out in the end. Around the time
that BoBaBc intended to send the fax, he disappeared from the boards,
and Thomas never heard from him again.
Tattrie, who now works for the Arizona Democratic Party, said that
authorities spoke with him about the hack, but wouldn't elaborate on
what agency was involved or what was said. It appears, though, that
BoBaBc never made good on his embezzlement threat. Officials at the
Kentucky Democratic Party and the party's bank say they never received
the wire transfer request. 
BoBaBc wasn't completely idle, though. Around the time that he was
purportedly planning his attack on the party's coffers, Tattrie returned
from a trip to find that someone had transferred $6,000 from his
personal bank account. His ISP had also canceled his internet service on
grounds that someone had been using his account to distribute spam while
he was away.
The Kentucky Democratic Party wasn't the only political group targeted
by carders that year. As the presidential campaign heated up, there were
other schemes surfacing.
One carder using the nicks "Mesh" and "Nasa" decided to phish the Ralph
Nader campaign site. According to chat logs of his discussions with
Thomas, he paid a coder to create a phony Nader campaign page that
charged the donor's credit card and, cleverly, delivered the funds to
the campaign, while simultaneously sending the card info to him.
When the scammer told Thomas what he was doing, Thomas joked that he
should phish the Bush campaign site, too. So the scammer complied.
These were heady times for Thomas. He applied himself more diligently to
his new job for the FBI than he ever had to other jobs, or even to his
life of crime. In some ways it was the best of both worlds for him. He
could spend his days immersed in the activities of the community he
loved, scheming to commit crimes, without having to worry about being
arrested. Of course, he didn't make money from his capers, but the
thrill of being back in the game as El Mariachi and being in the know
about what was happening on the boards made up for that.
Then in December 2003, Thomas' online war with other carders crossed a
line and he found himself banned from some of the sites. That's when he
decided to launch TheGrifters.net and become his own site administrator.
The ban turned out to be a blessing: As the owner of his site, he now
had unfettered access to all communication on the board.
On the surface, it seems remarkable that the FBI would finance and run
an operation like TheGrifters, which facilitated crimes that inflicted
very real financial losses against innocent consumers, merchants and
banks. But Department of Justice guidelines allow the bureau
to run long-term "criminal intelligence" investigations like the one
Thomas describes, with no specific arrests or prosecutions anticipated,
provided the target is a terrorist group or a "racketeering enterprise."
The latter could clearly describe the community that immediately began
gathering at TheGrifters.
Thomas had barely launched the site when he made his biggest catch, a
Russian spammer who used the nick "King Arthur" and was one of the
pioneers of phishing attacks. King kept a fairly low profile on the
boards and avoided much of the drama and fighting that American carders
were becoming known for. He had a much-coveted program for generating
bank algorithms that would authenticate debit and credit cards to an ATM
What he didn't have was language skills. He wanted to steal money from
customers of Minneapolis-based U.S. Bank, which boasts nearly 2,500
branches and 5,000 ATMs in 24 states. But he needed a native English
speaker to author a phishing e-mail that could fool Americans into
relinquishing their account and PIN numbers. That's where Thomas came
U.S. Bank was targeted because some of its accounts allowed $2,000 or
more in daily ATM withdrawals. A thief could withdraw two grand from an
account at 5:59 p.m. one day and get another two grand at 6:01 p.m. --
the time when U.S. Bank ATMs reset themselves for the next business day.
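The straddle described above works only because the withdrawal limit resets on a fixed clock boundary. The following added example (not from the article, and not code from any bank or from the people it describes) replays a constructed sequence of ATM requests against two limit policies: a calendar-style reset at 6:00 p.m., as the text describes, and a rolling 24-hour window. The $2,000 limit and the 6 p.m. reset hour are taken from the text; the timestamps, amounts and the ten-minute detection gap are assumptions. The rolling window closes the gap, and a simple pairwise check flags the pattern in a history that the fixed-reset policy would let through.

```python
from datetime import datetime, timedelta

DAILY_LIMIT = 2000   # dollars; the article says some accounts allowed $2,000 or more per day
RESET_HOUR = 18      # the article describes ATMs resetting at 6:00 p.m. for the next business day


def business_day_key(ts):
    """Map a timestamp to the 'business day' it belongs to when the day rolls over at RESET_HOUR."""
    return (ts - timedelta(hours=RESET_HOUR)).date()


def allowed_with_fixed_reset(history, ts, amount):
    """Fixed-window policy: only withdrawals since the last reset count against the limit."""
    spent = sum(a for t, a in history if business_day_key(t) == business_day_key(ts))
    return spent + amount <= DAILY_LIMIT


def allowed_with_rolling_window(history, ts, amount, window=timedelta(hours=24)):
    """Sliding-window policy: every withdrawal in the trailing 24 hours counts, whatever the clock says."""
    spent = sum(a for t, a in history if ts - window < t <= ts)
    return spent + amount <= DAILY_LIMIT


def run_policy(withdrawals, policy):
    """Replay (timestamp, amount) requests in order.

    Returns the per-request decisions, the total actually dispensed, and the
    list of approved withdrawals (the account's history under that policy).
    """
    history, decisions = [], []
    for ts, amount in withdrawals:
        ok = policy(history, ts, amount)
        decisions.append(ok)
        if ok:
            history.append((ts, amount))
    return decisions, sum(a for _, a in history), history


def straddle_alerts(history, max_gap=timedelta(minutes=10)):
    """Detection view over approved withdrawals: flag two consecutive withdrawals
    that together exceed DAILY_LIMIT within max_gap of each other, i.e. a reset straddle.
    max_gap is an assumed tuning value."""
    alerts = []
    for (t1, a1), (t2, a2) in zip(history, history[1:]):
        if t2 - t1 <= max_gap and a1 + a2 > DAILY_LIMIT:
            alerts.append((t1, t2))
    return alerts


# Constructed sample: two days of 5:59 p.m. / 6:01 p.m. style straddles on one account.
STRADDLE = [
    (datetime(2004, 3, 1, 17, 59), 2000),
    (datetime(2004, 3, 1, 18, 1), 2000),
    (datetime(2004, 3, 2, 17, 58), 2000),
    (datetime(2004, 3, 2, 18, 2), 2000),
]

if __name__ == "__main__":
    for name, policy in (("fixed reset", allowed_with_fixed_reset),
                         ("rolling window", allowed_with_rolling_window)):
        decisions, total, hist = run_policy(STRADDLE, policy)
        print(f"{name:15s} decisions={decisions} dispensed=${total} alerts={straddle_alerts(hist)}")
```

Under the fixed reset the account yields $6,000 across the four requests, with two of them two minutes apart; under the rolling window the second and third requests are refused and the account yields $4,000, which is the intended one-limit-per-24-hours behaviour. The pairwise alert is deliberately cheap so it can run over a batch of approved transactions after the fact, which is where a fixed-reset system would otherwise have no signal at all.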
Butler approved the operation, Thomas says, because phishing attacks
were just coming onto the scene and he wanted to see how they operated.
Thomas also thinks Butler was hungry for a big scam.
"(Butler) never wanted to work small cases," Thomas says. "He said,
'Look, if I get involved in an investigation or doing an intelligence
deal and it's all simple time, I'd be working small time for the rest of
my life.... I'm only doing the big stuff.'"
Today, according to some published reports, phishing attacks average
17,000 a month, with no sign of abating. But in early 2004, most people
hadn't heard of phishing yet and were easily fooled by the scams. So
when King sent out his phishing attack, it wasn't long before account
and PIN numbers were rolling in, some with balances exceeding $100,000.
Thomas was in charge of finding cashers for those accounts who wouldn't
"rip." It was a common problem with ATM cashers. "You send a guy out to
an ATM, he's going to be honest the first time or two out, and then he's
going to start dipping in," Thomas says.
It was easy to claim that a card number hadn't worked, then pocket the
cash. That is, unless you worked with Russian carders, who often claimed
to have online access to the compromised bank accounts and knew exactly
how much money a casher withdrew.
Thomas sent the numbers to a guy who used the nick "Myth," who coded
them to blank cards and doled them out to 25 cashers across the country.
Their job was to move from city to city hitting ATMs. Among the cashers
were "Decep" and "John Dillinger," a carder who described his cashing
activities to Wired News earlier this year before he was arrested.
Decep claimed to pull $11,600 from nine cards one night. Myth got
$90,000 in a few days, according to Thomas.
The cashers wired 80 percent of their take to King in Russia through
Western Union, while Thomas tracked card numbers and amounts on a
spreadsheet and kept copies of ATM receipts, which the cashers were
required to scan. As far as Thomas was concerned, it was all about
keeping King happy. If Thomas got labeled a ripper, King and others
wouldn't do business with him, and then he'd lose his value to the FBI.
Every six months Thomas says the FBI rebudgeted for his surveillance
work, and he was always worried that Butler would pull the plug if he
didn't prove his worth.
"The thing you have to fight, that you're always fighting, is the
diminishing value curve," Thomas says. "If you did really good last
month and this month you're shit, you're already a diminishing value."
Throughout all of this, Thomas actively participated in King Arthur's
schemes without FBI interference, despite the impact on banks and
consumers. Although federal law requires that banks absorb such fraud
losses, consumers are still left with the burden of reporting missing
funds in a timely manner and with proving that the transactions are
fraudulent -- which can be a time-consuming process.
While the cashers were draining bank accounts, U.S. Bank, one of the
financial institutions hit by King, was telling reporters that no
customers lost money.
Thomas doesn't know how much the King operation brought in altogether
because King had other cashers working other banks for him in the United
States and Europe, such as a 24-year-old Texan named Douglas Cade
Havard, who authorities said absconded with millions before being
arrested with a partner in the United Kingdom in 2004. British officials
said that Havard and a 25-year-old Scot named Lee Elwood stole about
$11.4 million over 18 months. They were caught only after an accomplice
was arrested in Austin, Texas, trying to board a plane carrying $30,000
in $20 bills.
As for King's operation with Thomas, the Russian was so happy with the
success of the U.S. Bank phish that Thomas authored for him, that he
decided to phish the Federal Trade Commission as well. He said he hated
President Bush and wanted to attack a government financial institution.
Thomas explained that it wasn't the FTC he wanted, but the Federal
Deposit Insurance Corporation. The phish, which Thomas helped write,
went to 40 million addresses in 24 hours, according to Thomas.
The mail told recipients that the FDIC had suspended federal deposit
insurance on their bank account due to suspicious activity that violated
the Patriot Act. The consumer could lift the ban at the FDIC's IDVerify
page (a bogus site hosted on a server in Pakistan) by providing their
debit card and PIN number for verification. Failure to comply could
result in a visit from the Department of Homeland Security.
But, tipped off to the phishing attack, the FDIC issued a special public
alert about the scam, and few people fell for it. The agency also
phoned the Pakistani hosting company and persuaded it to take down the
fake site.
Things grew more harried with the King Arthur schemes, when money that
the U.S. Bank cashers wired to Russia suddenly stopped going through.
Thomas says the FBI allowed about $17,000 to find its way to Eastern
Europe before blocking the rest.
King wasn't pleased. He'd left Shadowcrew after proceeds from cashing
operations based there stopped flowing to him. Now the same thing was
happening at TheGrifters. He wanted the cashers to return to Western
Union and recover the blocked funds, which in some cases meant sending
cashers back to cities they'd left. "It was a ... nightmare," says
Thomas. "You knew there (wasn't) going to be any recovery ... because
the feds had locked that money up."
Then Myth started ripping. In Oregon, he had 100 bank accounts to cash
out one day, but claimed most of them didn't work. Things were
getting out of hand. As King pressed Thomas to come through with the
missing Western Union cash, one of Thomas' enemies at Shadowcrew
discovered that King was doing business with Thomas and sent a copy of
his old Issaquah police report to the Russian.
Butler had had enough.
"(Butler) calls me up and says, 'Shut it down, we're not doing it
anymore,'" Thomas says. And that was the end of the King operation. It
wouldn't be long before it was the end of TheGrifters, CarderPlanet and