By Kim Zetter
Feb. 01, 2007

It was mid-March 2004, and David Thomas was chatting online with a young
hacker who went by the nickname "Ethics," when the latter suddenly asked
him: "btw, you know anyone who would pay to get celebs private cell
phone numbers? or any other number's from t-mobile's database?"
Thomas replied, "hehehehehe oh man that would be so fuking cool."
Ethics, aka Nicolas Jacobsen, did little on the boards but talk, Thomas
says. He once discussed building a miniature submarine with carder
middleman "Myth" to run cocaine from Colombia. But mostly he
procrastinated and disappeared when it came time to do any jobs. So when
Ethics told Thomas he'd hacked a T-Mobile server and had access to
billing information and passwords for the company's 14 million
customers, Thomas was skeptical. That is, until Jacobsen sent him Paris
Hilton's Social Security number and password, as well as the
security question and answer to her T-Mobile account and photos from her
Thomas didn't know it, but Ethics also had the password for the T-Mobile
account of a Secret Service special agent named Peter Cavicchia who
worked in the agency's cybercrime division. Sifting through the agent's
e-mail, Ethics found documents related to a Secret Service sting
operation, including, incredibly enough, evidence that the Secret
Service was monitoring Ethics' own ICQ chats.
Ethics had stumbled into the most organized and ambitious operation
against online scammers in U.S. history. While Thomas had been working
on the West Coast for the FBI, the Secret Service's New Jersey office
had infiltrated Shadowcrew separately, with the help of a confidential
informant, and begun gathering evidence against carders on that site.
The sting known as "Operation Firewall" began when police arrested a top
administrator of the Shadowcrew site in the summer of 2003 and called in
the Secret Service.
Secret Service agent Larry Johnson says his agency didn't initially
realize the value of their catch. Once they did, they quickly flipped
the suspect and sent him back to Shadowcrew to avoid suspicion that he'd
With the informant's help, they set up a private, encrypted computer
network where Shadowcrew members could, ostensibly, communicate in
secret. In reality, the network was run from the Secret Service's office
in New Jersey, where communications were recorded and IP addresses
The Secret Service won't discuss the identity of its informant, but
today Thomas and other carders believe it was a scammer known as
"Cumbajohnny," or "CJ", who appeared on Shadowcrew in the summer of
2003. When Shadowcrew's Kim "Macgyver" Taylor was jailed in Colorado
around that time, CJ assumed control of the site.
Though Thomas wasn't privy to the Secret Service operation, he suspected
early that CJ had flipped. It was CJ, he says, who, in February 2004,
invited Shadowcrew members to join the VPN that turned out to be under
surveillance. Thomas says CJ also tried to sell members $150 AT&T
calling cards that would allow them to make $1,000 to $7,000 in calls.
Thomas thinks the cards were set up to allow authorities to trace the
Thomas became more suspicious of CJ when, in March 2004, Dmitry Golubov,
aka "Script," disappeared from CarderPlanet, and CJ assumed a role on
that board, too. It was CJ who had sent "King Arthur" Thomas' arrest
report discussing federal agents and the Russians in an attempt to
sabotage his dealings with King. Thomas sent CJ a note taunting him with
his own accusations. "hey cumbacop ... so you're running (CarderPlanet)
now eh ... did you bust script? ... so I guess your shiny badge is real
It was 1 a.m. and the message was barely gone before Thomas' handler,
Seattle FBI Agent Steve Butler, called him. "What are you doing? Who
were you just talking to?" Butler demanded to know. When Thomas
mentioned Cumbajohnny, the FBI agent grew angry. "These guys over there
can shut you down in an instant," Butler said. "Don't you ever talk to
"I knew right then that Cumbajohnny wasn't kosher," Thomas says.
The ongoing turf battles between TheGrifters and Shadowcrew
administrators highlight a problem inherent in law enforcement agencies
employing criminals in their operations. Such operatives come to the
task bearing grudges and ego issues that can easily derail an
investigation if not carefully managed. If Cumbajohnny was the Secret
Service's informant, it meant that agents for the FBI and Secret Service
were essentially battling to blow each other's covers.
Regardless of Butler's warning to stay away from CJ, Thomas continued to
taunt the carder and other members online. His enemies stepped up their
attacks against him as well, tracing him to Seattle and attempting to
locate his apartment to post pictures of it on the board. For the first
time, Thomas began to fear for his safety.
Then things started to change.
Butler had been warning Thomas to stay away from CarderPlanet --
implying that events were about to converge on the Russian carding site.
In July, Douglas Havard was arrested in the United Kingdom; shortly
afterward, CarderPlanet suddenly shut down. King Arthur had taken
control of the board by then, and, according to authorities, he and
other senior members of the site decided it was time to take their
operation deeper underground to make it harder for police to track them.
In a note explaining the decision, King wrote: "This forum made them
(LE) smarter and kept them in the loop of happening.... Now, everything
will be the same, but (they) will not know where the wind is blowing
from or what to do."
In September, Butler announced he was leaving the cybercrimes task force
for a new assignment with the Joint Terrorism Task Force and abruptly
pulled the plug on TheGrifters. Thomas says he was caught off-guard.
"I thought it was going to be a long-term job that would last for five
to 10 years," he says.
The other shoe dropped at 9 p.m. EST Oct. 26, 2004, when police and
federal agents swooped in on more than a dozen Shadowcrew members in
several states and Canada in a coordinated bust. The Shadowcrew admins
had told the members to convene online at the appointed hour for a
mandatory discussion, ensuring they'd all be caught at their computers
at the same time.
Authorities nabbed 19 people in the bust, among them Kim Taylor, Thomas'
former partner, who'd been released from jail a few months earlier.
Ethics was nabbed separately. Cumbajohnny was the only major Shadowcrew
admin whose nick did not appear on the indictment.
Taylor pleaded guilty to one count of access-device fraud (another
charge was dropped) and was sentenced to 30 months in jail and three
years' probation. He's scheduled to be released from federal prison at
the end of March.
His lawyer, Bruce Rosen, says, "He did something, and he deserved to go
to jail," but that the charges against his client were exaggerated.
Taylor maintains he was only a forum moderator on Shadowcrew, not an
administrator as authorities made him out to be, and that the title was
in name only -- he never engaged in an active role as a moderator.
The Shadowcrew bust was touted as a major success by law enforcement.
Since the initial action, subsequent arrests in Operation Firewall have
brought the total number of carders nabbed to 38 globally. Authorities
say the suspects trafficked in more than 1.5 million stolen credit card
numbers, resulting in losses estimated to be at least $4 million. The
sting also netted more than 8.5 terabytes of forensic evidence -- the
equivalent of 2.2 billion pieces of paper -- and involved more than a
dozen criminal task forces in the United States and elsewhere.
But the long-term effects of the operation on curbing criminal activity
have proven to be almost nil. It wasn't long after Shadowcrew went down
before new carding sites, such as CardersMarket and the International
Association for the Advancement of Criminal Activity, or IAACA, popped
up to take its place. And the bust opened the way for new problems as
Amir Orad, executive vice president of security company Cyota (now owned
by RSA Security), which has a command center in Israel from where
researchers monitor the carding boards, says Operation Firewall made it
more difficult for law enforcement to track carders. Once Shadowcrew
went down, the community morphed from a small number of large carding
sites to a larger number of small sites that have become harder to trace
and infiltrate. And many of the most serious criminals have disappeared
from the boards altogether, taking their activities further underground.
"What we see clearly is that taking down ... one group doesn't solve the
problem, it creates multiple small problems," Orad says. "(We) haven't
seen a major impact of those arrests besides maybe the publicity and the
awareness that this whole crime costs."
Others have also disputed law enforcement's characterization of the
significance of Shadowcrew's role in cybercrime, saying the website was
more a sandbox for kiddie criminals than a virtual Cosa Nostra, and that
those who were arrested were mostly low-hanging fruit.
Attorney Rosen said in a statement to the New Jersey court that although
his client Taylor acknowledged that many of the activities on Shadowcrew
were illegal or nefarious, the site was really just "a highly
unorganized, inefficient message board frequented by immature geeks and
It's two years since Thomas says the FBI ended his work with them, and
he and I are walking on a Midwest college campus where he now lives in
student housing. After the FBI dropped him, he enrolled in the college's
journalism program to keep from returning to a life of crime and to
write his life story. As we stroll the campus pathways, clear-eyed
students pass by, their futures still in front of them.
"I want their lives," Thomas says with the envy of someone who's halfway
through his life and knows that his options are running out.
The campus is surrounded by snow-capped mountains, but the fresh air and
scenery are lost on a digital animal like Thomas, who rarely leaves his
apartment. Though he no longer works for the FBI, he still wakes early
before classes to jump on the boards and see what's happening and stays
online after school until late in the evening. The draw of the boards,
when he has little to take their place, is too strong.
He's more than a little bitter about the way the FBI dropped him. After
Butler pulled the plug on TheGrifters, Thomas says they discussed
building a similar site to attract terrorists for the Joint Terrorism
Task Force. But after Thomas developed a site, Butler failed to get
approval for the project and cut Thomas loose.
For a time, Thomas kept TheGrifters online and turned it into an
"anti-carding site" with a few associates, including "John Dillinger."
They spent hours building dossiers on carders and tracking arrests, and
amassed a large database of information, including part of the
Shadowcrew database that someone copied after the bust. Thomas hoped to
turn it into a resource for law enforcement and use it as a platform to
warn kids away from crime, but it hasn't worked out that way.
"Crime is often harder work than a regular job," he says. "Every time
I've done something -- it doesn't matter what it is, counterfeiting or
whatever -- it's always been more work than a regular job would have
been. And I would have much rather had a real job than be involved in a
criminal act because it's less ... stress."
Of his associates from TheGrifters, only Dillinger knows about his work
for the FBI. Thomas wanted to tell the others, he says, but some of them
defended him when his enemies accused him of working for the feds, and
it's hard for him to explain to them why he did what he did. He realizes
that this article will likely make him a pariah in the community.
"The people on the fringes of society are the only ones who ever
accepted me," he says. "Now I feel I've destroyed that for what I did
for the government." Thomas' job with the government also cost him his
relationship with Bridget Trevino, who left him about four months before
the work ended because of his obsession with the boards.
"I became so unhappy because I never got to spend any time with him
anymore," she says. "Even though we were in the same room together, I
Thomas says the FBI has threatened him with imprisonment in Texas, where
he has an outstanding warrant for check fraud, if he talks to the press
about what he did for them. "They don't want me discussing what the
government was allowing to happen. They don't like the fact that people
were authorized to do major crimes like that," he says.
There's a touch of self-destruction to his decision to talk now. He
wants to leave the boards behind but lacks the willpower to do so. He
knows that once this story is public, he'll have to close the chapter on
"El Mariachi" and just be David Thomas again. "And maybe that's what I
want," he says. "I want to get on with my life."
For years he's had no offline friends and now is having to get used to
being around other people again. Last spring, when the winter thaw was
gone and people at his college were starting to emerge outdoors again,
he walked the campus green looking at students and teachers lounging on
the grass in the sun and thought to himself, "God, this is just so
"I feel like I've been locked up for years and years and years and I've
just gotten parole," he says.
But that's only during the day. At night, he's back in a dark room,
surfing the boards.