RaidForums gets raided, alleged admin arrested (krebsonsecurity.com)
319 points by picture on April 12, 2022 | 191 comments



"Coelho landed on the radar of U.S. authorities in June 2018, when he tried to enter the United States at the Hartsfield-Jackson International Airport in Atlanta. The government obtained a warrant to search the electronic devices Coelho had in his luggage and found text messages, files and emails showing he was the RaidForums administrator Omnipotent."

Not really the sharpest knife in the drawer, to do things like this and then to go holidaying in the USA with incriminating stuff on your person...

Story time:

A guy I met who did stuff that may have come to the attention of US authorities was on a plane that got diverted to the USA for a medical emergency. The guy obviously got very upset and needed to go to the bathroom, urgently; on the way there he spotted a mate of his. They didn't like each other much but got to talk for a while, and they both agreed that this was the end of the line. They both expected to be arrested upon landing because the passenger manifest was shared with the US authorities because of the overflight. The one remarked to the other: 'spending the rest of my life in jail is bad enough, but now I'm going to have to spend it with you and that is so much worse'.

The person who had the medical emergency was taken off the plane to go to hospital, the flight continued on its way, no disembarkation, no checks, nothing.


Not to mention the following paragraph:

>“In an attempt to retrieve his items, Coelho called the lead FBI case agent on or around August 2, 2018, and used the email address unrivalled@pm.me to email the agent,” the government’s affidavit states. Investigators found this same address was used to register rf.ws and raid.lol, which Omnipotent announced on the forum would serve as alternative domain names for RaidForums in case the site’s primary domain was seized.

I'm not surprised at all, though. These people tend not to be the brightest. If they were, they'd generally find legitimate employment, where they can still make very good money while also not constantly fearing arrest and imprisonment. Most of the people who operate and use these sites often don't have the ability to get even an entry-level infosec job.


> These people tend not to be the brightest. If they were, they'd generally find legitimate employment,

A bit of survivorship bias at work here.

Criminal activity is more so a function of risk tolerance than intelligence. However getting caught is certainly a function of intelligence.

So your impression is that most criminals you read about being apprehended are people that seem to make many stupid mistakes. But this stupidity is heavily correlated with being caught, not necessarily with being a criminal.

That said there's probably also a (negative) correlation between extreme tolerance for risk and intelligence.


I'd further add to that, that in this case the criminal was only 21 years old. To be honest it is to be expected to mess up at some point with this much pressure at that age.


I think this is one of those "knowing what you don't know" problems.

Most 21 year old kids will not know enough about opsec to understand that they don't know shit about opsec. If you know a little bit you might think "if I just do X, Y, and Z I'll be safe". I suspect once you learn a bit more about the area you will quite quickly decide that it's not actually possible to get away with this kind of thing once the cops are onto you.


Proving the truth of the old adage again: it's luck not skill if you're getting out of an impossible situation - the skill is to never get into such a situation to begin with.

Applying that to this scenario: evading/postponing arrest after the cops started to look into you is luck, never giving them reason to look for/into you is what could be considered skill.

Or even more specific: it became luck as soon as it became clear that there was an admin. A lot of criminals that get caught want to be notorious however and build their "street creds".


Playing 33 bits against a nationstate is pretty dumb.


There are millions of high-IQ poor people who would very much like to not be poor. Intelligence helps you to achieve financial success, but a bunch of other personality traits are also important.


Like 60% of my (inner city) gifted class, who never graduated high school.


You're absolutely right that there is a lot of survivorship bias here. But I think even when controlling for that, my hypothesis is still likely true.


I’m not sure it would still be true. Your hypothesis that smart people can still make good money without unnecessarily doing illegal things sounds logical, but people with high risk tolerance sometimes do things simply _because_ they’re high risk.

The book “The Mastermind” was about a guy who operated a nearly legal business that broke open the telemedicine industry, only to use the proceeds to fund wet works, piracy (not digital, like actually killing people and taking over vessels) and general shady stuff.

I think if you get a person who is motivated by money and power to a certain degree, they may actually prefer illegal business because there won’t be as much competition.


(From a comment I wrote below)

>Legitimate employment might not give them the needed liberty to do what they see fit.

That's true; that's why I tried to qualify it with "generally". There certainly are some very intelligent, skilled people who are capable of finding legitimate employment and instead choose to immerse themselves in the criminal underworld, for various personal reasons. In practice, though, I've found them to be pretty rare.

Even among the ones who do have a desire for ultimate liberty and who see themselves as above the law, most feel like the risks greatly outweigh the rewards. Some temporary liberty in exchange for likely many years of zero liberty in a prison cell isn't a great deal. Especially when it's so easy for them to get a comfortable, high-paying legitimate job. (Admittedly, this trade-off may differ in places outside the US, where good jobs may be scarce and criminal activity may pay very well and almost always go unpunished. Assuming one has no ethical compunction, at least. Or feels certain illegal actions are ethically justifiable, like how many hacktivists feel.)

I'll also add as a note that another potential explanation could be a criminal record. Someone may have all the necessary skills and experience, but may not be able to get one due to past criminal convictions.


>Criminal activity is more so a function of risk tolerance than intelligence.

Not if you have a world view that all risk is to be avoided and anyone who takes risk is a fool.

(and just to be clear, I think people with that world view are a major impediment to societal progress)


Intelligence is but one of many factors.

Read Crime and Punishment by Dostoevsky.


I imagine a lot of people think that just because they've used a WHOIS anonymization service through their registrar, domain registration isn't traceable back to their account. On the contrary, registrars make this incredibly straightforward for law enforcement to do: for instance, see https://www.godaddy.com/legal/agreements/subpoena-policy. It's a remarkably silly way to get busted.


Some context for those that do not know. I believe some time ago raidforums.com was transferred from NameCheap to Cloudflare Registrar (pre-seizure) and it was under data redaction with an address in the territory of Cyprus in WHOIS data. Some sort of attempt at P.O. box or shell company voodoo is my guess.

With Cloudflare registrar I would not be surprised if they were a cooperating party in this case.


https://www.namecheap.com/legal/general/court-order-and-subp...

https://www.cloudflare.com/media/pdf/transparency-report.pdf - and https://developers.cloudflare.com/registrar/why-choose-cloud... indicates Cloudflare retains "the registrant email on file for that domain."

WHOIS redaction is extremely useful for shielding personal information from non-governmental entities! But US government entities have full access to any data the registrar has on file, regardless of whether they provide redaction services.


Why is everyone expected to put real data into your WHOIS domain data?

Last time I bought a domain, I did "1,lol,NYC, Dubai,90210" and other nonsense in the four fields.

Is it a compulsion to use real data and then rely on registrars promise to not disclose it?


It's required for legal purposes. If legal notices are served on the domain, the registrars need to know where to send them. Using fake details is fine until you need to prove ownership for some reason or a legal notice is given.

Easy way to get a domain seized is to have it not be responding to legal notices.


in the case of raidforums, was the admin going to respond to legal notices? probably not because what they were doing was not legal anyways so why bother.

>Easy way to get a domain seized is to have it not be responding to legal notices.

for such a website, seizure is ultimately going to happen regardless of response so why put themselves at more risk?


There was a big thread there of people trying to hack the EU-DCC using a leaked "signing key". The key was one of the example keys I've been giving non-technical people who are working on it and want to run the software locally.

It was the blind leading the blind but a lot of fun to watch.


> It was the blind leading the blind but a lot of fun to watch.

yeah, in places like that you get banned for offering alternate perspectives like telling them it doesn't have the significance they think it has

better to just sell them infowars branded coffee mugs and move on.


>These people tend not to be the brightest.

Well, for those that are bright, you don't hear anything at all. So it's hard to characterize all of them.

I hear something similar on shows like Dateline about how not-bright the murderers are. Yet only about half of homicides are solved in the US every year.


Yeah, absolutely this. There's a bias towards the low end of the skill/intelligence curve as those guys get caught doing really stupid shit and end up in the news as a result.

I was looking over Wikipedia articles on software piracy groups of the 1980s/90s the other day and it was really interesting how many of them died to either a blatantly stupid move on the part of one of their members/leadership resulting in the whole group dropping like dominoes, or a political split when the leadership could not agree on policy (especially during a leadership changeover)

It was particularly interesting to see at least one major group collapse due to leadership getting nailed on phreaking charges, which spilled over to the entire group getting nabbed on the piracy.

A few of the brightest in the scene got out when they found an opportune time, then disappeared. At least one or two of them are CEOs in big business, if the articles are to be believed. I bet one or more are reading this now, even!


We had one running for president just a couple years back. Sadly, I don't like him much, nor do many from his home state. But it's kind of cool that he went from hacker to political candidate.


Isn't he running for governor there now?

People might like him better if he didn't keep making 180-degree changes to his stance on major constitutional questions.

Whichever side of that issue you find yourself on, it's disturbing how easily he could change his tune.


My initial reaction to that is just that he likely was too green and not groomed enough. We expect normal people to not know everything already and be willing to change their stance on something when new information comes to light (even if it's just new to them). When that happens to someone in power, we're upset because how could they not already have thought deeply about all the specific aspects anyone could bring up about that topic, as well as the 20,000 other things that might be asked of them randomly.

And the only thing that's worse for them than changing their mind is when they admit they haven't come to a decision on that yet, which is just admitting up front that they don't know as much as they should and are fallible.

It's not just that we don't expect politicians to be truthful, we disincentivize and sometimes outright punish any natural and truthful behavior that we would expect in a normal person, and force them into the mold we so like to criticize.


I think that goes to the matter of leadership. Politicians aren't normal people. They're supposed to be the best people, who surround themselves with the other kinda-best people. We expect them to be better than us. We want them to be better than us. We want elites. And then we ask them to not make us feel bad about it by pretending to be the same as the rest of us. But it's pretend. It's a game we play. At the end of the day, elites are supposed to act like elites, and that means knowing what they're talking about, and making us feel like someone competent is at the wheel and everything is going to be okay.


There's definitely survivorship bias here. But I think even when accounting for that, there still likely is a correlation.

Also, I'm referring to a certain subset of cybercrime. The kind associated with forums like RaidForums and HackForums and LeakForums.


You only need to be slightly more intelligent than the people trying to track you in order to not get caught. I've heard and read enough true crime stories to notice that successful serial killers and incompetent law enforcement tend to go hand-in-hand.


>You only need to be slightly more intelligent than the people trying to track you in order to not get caught. I've heard and read enough true crime stories to notice that successful serial killers and incompetent law enforcement tend to go hand-in-hand.

There is a caveat to this. As the perpetrator of a crime (what and how stuff is defined as a "crime" is a different discussion), no matter how smart you (think) you are, you have to get it right every single time, in perpetuity.

For law "enforcement", they only need to get it right once.


No, you have to be more intelligent than anyone who is ever going to investigate you, because any traces you left behind at any point could lead back to you.

When you're doing low-level crime barely on anyone's radar, this matters little. But if you ever scale up, any mistake you may have made in the past could be used against you in the future.


I would guess that things like search history, email records, cell phone records and security cameras are a huge crutch for police these days. So avoiding those things probably gets you most of the way there.


License plates, CCTV, purchase records, public transport etc.

There are so many ways in which you could be tracked that the safe assumption is that you won't be able to avoid it.


Which brings you back to asking why half don't get solved, I suppose.


In most countries: priorities.


" So avoiding those things probably gets you most of the way there."

How do I get anonymous internet access, from inside my cave?

More serious, the "best" way to do crime, is probably doing crime no one (in your jurisdiction) bothers enough to demand police action.

Which is why most(?) cyber gangs are operating from Russia, Kazakhstan, etc. against the west.

Also your list misses IP logging from ISPs.


Uh, meaning don't discuss your crime, search for crime related things, etc, on your phone or home pc, etc. Not living in a cave.


Yes, so often you will hear the testimony of investigators like "if he hadn't [done single mistake], we never would have caught him". You can hear it in every true crime show like that.


Reminds me of the IRA statement to Thatcher:

> Today we were unlucky, but remember we only have to be lucky once. You will have to be lucky always

They just need to be unlucky once to go to jail.


I'm not so sure about it. Did you listen to the interview of Lex Fridman with Brett Johnson? He seems like an intelligent person who could easily get an infosec job and be extremely good at it from UX/social engineering point of view, but he was socialized from being a kid to disregard authority and steal from other people in every possible way.

I'm sure he wouldn't let Coinbase get away with SMS 2nd factor authentication, something I can never forgive a company to do when there's big money on the line.


>I'm not so sure about it. Did you listen to the interview of Lex Fridman with Brett Johnson?

I did. Excellent, captivating interview, but he repeatedly acknowledged he didn't know much about the tech stuff, and he said several incorrect technical things towards the end. I stand by my statement: I think it would've been difficult for him to get a (technical) infosec job at the time of his arrest, or now (assuming a world where he didn't have a criminal record). While listening to it, I actually thought he perfectly fit the archetype of cybercrime forum operators I'm used to coming across.

He's certainly a great social engineer, and many other technically unskilled people in the cybercrime space also are. I'm definitely not discounting that ability. A lot of it comes down to brazenness; e.g. being confident and shameless enough to impersonate a law enforcement officer over the phone. There's still a lot of skill involved in being a con artist even then - you need affability and the gift of gab and all that - but it's not necessarily the kind of skill that's transferrable to technical expertise. There are many people with expertise in both areas, but also many who are exclusive to one.


> I'm not so sure about it. Did you listen to the interview of Lex Fridman with Brett Johnson? He seems like an intelligent person who could easily get an infosec job and be extremely good at it from UX/social engineering point of view, but he was socialized from being a kid to disregard authority and steal from other people in every possible way.

Be very careful about taking infosec celebrities at face value.

Social engineering is and always has been a core feature of black hat activities. When these people graduate from criminal activities to being keynote speakers and consultants, they take their social engineering skills and use them to build a personal brand.

In other words: You were getting socially engineered through that podcast. Building an aura around himself is his business now ( https://www.anglerphish.com/speaking-consulting ).

His story is interesting and you can't deny that he's become a great storyteller. But even he admitted that he wasn't the strongest on the technical side of things.


With all digital interactions recorded forever, it only takes a single idle mistake.


True.

I always feel like the people who are involved in these illegal forums would have better OpSec. The fact the feds got all of his electronic devices and within a few hours had plenty of damning information is always kind of shocking to me.

I guess that's the difference between the real criminals who never get caught and others who get greedy or too lazy in covering their tracks.


Proper OpSec is a pain in the ass and requires constant vigilance as being correct 99% of the time is not good enough.

If I got a magic gift of $10 million in crypto but I had to start doing proper OpSec to hide everything on my devices and digital life, that would be a huge downgrade in my quality of life; it's not worth it.


I don’t exactly disagree with this point, but in mitigation, being constantly vigilant must be exhausting, and even bright people with strong executive function are going to slip up once in a while. It’s just too hard to keep your guard up 100% of the time.

Most deceptions, even comically absurd ones like “dude who has two families in different cities” do not require perfect vigilance, whereas running a cybercrime forum does. I bet success at this stuff comes from having an unusually fastidious personality more than anything else.

While you’d think bright people would be smart enough to recognize these risks and the comparatively safe, lucrative alternatives available to them, I know plenty of genuinely bright people who’ve made systematically poor decisions about how to run their lives or who have personality defects that otherwise impair their ability to succeed. And that’s even despite my social circles being heavily weighted toward people who went to good universities and hold down good jobs.

I’m sure that the ability to make sound, rational, forward-thinking life choices is correlated with intelligence, but I’m not sure how strongly.


Yeah, "never slipping up" is a high bar. But there's slipping up once, and then there's continuing to commit crimes using an account for at least two years after you've personally told the US federal government that it belongs to you.


dude, opsec is really really hard, the slightest mistake and it's over.


It's only that hard if the person in question is dumb enough to be using a pseudonym instead of opting for anonymity, since having a name opens up your attack surface and chance to fail. Hosting a site or some kind of infrastructure that you have to actively interface with also counts towards this.


opsec is really really really hard. because you don't get used to it as time goes by, you get tired of it. you will discover that sooner or later


The point of my comment was that, if [actor] is not using any pseudonym but is instead nameless, then there is almost no active way to pursue that actor, aside from its adversary running malware on every machine in the world and scanning the disk/memory for relevant data, and even then, the machine can be encrypted/wiped and airgapped. An action can be taken and then once completed, as long as it was properly anonymized on a technical level (easier) and social level (harder) against a given adversary, there is no more heat.

The actor never needs to interface with anything related to their activity ever again in any way, and can only screw themselves if they deliberately tell people what they did. And even if a nameless actor does 1000 things and gets caught for only 1, because they had no name/common set of characteristics, those 1000 things cannot be tied together. They're just caught for the one thing.

So opsec is hard... if you have a big huge ego or want to maintain some kind of central infrastructure.


Anonymity is more than just using a pseudonym.


No you don't seem to understand. I am saying that using a pseudonym is NOT helpful to anonymity. It only hurts your anonymity to use any common set of characteristics, like a name, timezone, linguistic quirks, etc. I am saying that even using a name like we do here on HN is bad for someone who is trying to be anonymous, because it ties multiple actions together under a particular identity, and could easily expose more attack surface than necessary, allowing adversaries to target you.

Anyway, yes, I know there is more to it: considering who your adversary is, the limitations of your tools, and what configurations of tools are required to raise the cost of retroactive deanonymization above the capacity of your adversary. Every adversary that exists can be outwitted with some effort, if we're talking in terms of the internet and not physical security. Then there's the can of worms that is security...


They could find legitimate work, yes, but you're forgetting that they do it for the thrill. Just like people can be passionate about their careers, so can a black hat hacker or a scammer also find pleasure in his craft. Not saying it's the right thing, but I understand the appeal.


How is an infosec job related to him?

Legitimate employment might not give them the needed liberty to do what they see fit.


>Legitimate employment might not give them the needed liberty to do what they see fit.

That's true; that's why I tried to qualify it with "generally". There certainly are some very intelligent, skilled people who are capable of finding legitimate employment and instead choose to immerse themselves in the criminal underworld, for various personal reasons. In practice, though, I've found them to be pretty rare.

Even among the ones who do have a desire for ultimate liberty and who see themselves as above the law, most feel like the risks greatly outweigh the rewards. Some temporary liberty in exchange for likely many years of zero liberty in a prison cell isn't a great deal. Especially when it's so easy for them to get a comfortable, high-paying legitimate job. (Admittedly, this trade-off may differ in places outside the US, where good jobs may be scarce and criminal activity may pay very well and almost always go unpunished. Assuming one has no ethical compunction, at least. Or feels certain illegal actions are ethically justifiable, like how many hacktivists feel.)


having the ability to get an infosec job isn't = intelligence. tbh most of the people I've met in the last 5 years who were working corporate infosec / cyber are not particularly skilled or creative, just good at filling out reports and doing the greyface suit thing.


Absolutely. I'm definitely not saying ability to get an infosec job implies intelligence. But what do you think is implied when someone (with a clean record) is unable to even get jobs like the ones you describe?


And these are the good ones. It's not as if infosec doesn't have its own snake oil problem.


> Coelho landed on the radar of U.S. authorities in June 2018, when he tried to enter the United States at the Hartsfield-Jackson International Airport in Atlanta. The government obtained a warrant to search the electronic devices Coelho had in his luggage and found text messages, files and emails showing he was the RaidForums administrator Omnipotent

I call complete, total and utter bullshit. That's a parallel construction if I ever saw one. Very few people get their devices searched (I know maybe one in 100) and, oh-the-coincidence, this guy happens to be that "Omnipotent" admin of a cybercrime forum?

Yeah. I've got a bridge to sell you too.


I think you may have just read the timeline of events incorrectly as what was said makes perfect sense?

This was a multi-country investigation. The USA were likely already aware of Coelho, so when he entered the US, he was then arrested by US authorities upon landing. It doesn't say his devices were searched there and then. It said a warrant was obtained to search his device, so they would have needed a valid reason to apply for that warrant.

You seem to be reading it as if they had no idea who he was and they randomly searched someone's electronic devices and just happened to be this guy. That's not what they're saying happened?


I guess "landed on the radar" could be interpreted as the first time you get noticed by law enforcement.


> Very few people get their devices searched (I know maybe one in 100) and, oh-the-coincidence, this guy happens to be that "Omnipotent" admin of a cybercrime forum?

That’s not what the text really suggests. It very clearly states:

> The government obtained a warrant

Which obviously means that he wasn’t randomly searched at the border, but the government knew who he was.

It’s not parallel construction, just poor wording by Krebs.


speaking of parallel construction, did you hear about the mass shooter on the brooklyn subway today? they said they ID'd him because he left his credit card at the scene.


Did they? I'd only heard they were considering the card name a person of interest, which would make sense if they'd either accounted for everyone else at the scene but the name on the card, or are looking for witnesses who might have more info.

Edit: Breaking news is that the card is indeed believed to be from the attacker. Aside from photos on social media, the suspect also left behind a bag of other weapons and a key to a U-Haul van. I'm guessing the card may have been in said bag. I'm not really sure there is much to suspect parallel construction here.


That seems believable. You buy something with your credit card, put it into a pocket because you are distracted, and it falls out.

Unless they meant he left it as a calling card, which I don't think they did, I don't see why that is suspicious, just another example of not having to make a single mistake.



https://www.documentcloud.org/documents/21583486-220317-raid...

The middleman service used his personal, verified, Coinbase account. The raidforums domains were his customer service website and contact emails for Coinbase, Kraken, and PayPal. His personal gmail used recovery@raidforums.


I mean, yes, obviously. They don't just get a search warrant for no reason.


There is a chance of that.


e: yeah, that makes sense I guess


But that's the whole beauty of parallel construction: you don't know if they found that out before or after...


I bet he thought the exact same thing ;0)


I am always surprised at how often people who know each other randomly run into each other in an airport.

I mean, what are the odds?

I only had it happen once, but it was nuts. A guy from my previous company I ran into randomly in Frankfurt while I was on my way to India. He lives in California, I live in Chicago. We were on the same flight to Bangalore. Our trips had nothing to do with each other, other than we both work in tech and were visiting tech companies. Neither of us traveled internationally all that often.

I knew a half dozen folks with crazy "what are the odds" stories like that.


Hub-and-spoke routing + "it's not a small world, it's a small social class/industry/demographic/what-have-you" + the tendency for industries to cluster geographically.

And what are the odds people meet in the first place? Those exact same factors are what make folks run into each other again later. It would actually be weird if you never ran into people you know.

>…Bangalore. Our trips had nothing to do with each other, other than we both work in tech and were visiting tech companies.

Bangalore is a tech city, and you both worked in tech. That's how you ran into each other.


Yep, and throw in that humans are just bad at estimating statistics.

Like the birthday paradox: If there are just 23 people in a room, then there's a 50% probability that two people share the same birthday.
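A worked computation of the figure quoted in that comment, added here as an example; it is not part of any comment in the thread. It assumes 365 equally likely birthdays (day and month only; leap days and uneven birth rates are ignored) and goes a little beyond the comment: it also computes the different question of someone sharing one specific birthday, and takes the number of possible values as a parameter, so the same code answers the general collision question for any space of random identifiers.

```python
from math import ceil, log, prod


def p_any_shared(n, slots=365):
    """Probability that at least two of n people share a birthday.

    More generally: at least two of n uniform draws from `slots` values
    collide.  Exact form: P = 1 - prod_{k=0}^{n-1} (slots - k) / slots.
    """
    if n > slots:
        return 1.0  # pigeonhole: more people than days forces a match
    p_all_distinct = prod((slots - k) / slots for k in range(n))
    return 1.0 - p_all_distinct


def p_shares_mine(n, slots=365):
    """Probability that at least one of n other people has one specific
    birthday (yours).  This is the question people usually substitute
    for the paradox: 1 - (1 - 1/slots)^n, and it needs a far larger n."""
    return 1.0 - (1.0 - 1.0 / slots) ** n


def smallest_group(target, prob_fn, slots=365):
    """Smallest n for which prob_fn(n, slots) reaches `target`."""
    n = 1
    while prob_fn(n, slots) < target:
        n += 1
    return n


def approx_group_for_half(slots):
    """Square-root rule of thumb: a collision is about 50% likely after
    roughly sqrt(2 * ln 2 * slots) draws.  Useful when `slots` is huge
    (e.g. the number of possible random identifiers of a given size)."""
    return ceil((2 * log(2) * slots) ** 0.5)


if __name__ == "__main__":
    print(f"23 people, any shared birthday: {p_any_shared(23):.4f}")
    print(f"group size for 50% (any pair):  {smallest_group(0.5, p_any_shared)}")
    print(f"group size for 50% (my birthday): {smallest_group(0.5, p_shares_mine)}")
    print(f"square-root estimate for 365 slots: {approx_group_for_half(365)}")
```

With 23 people the "any pair" probability is just over 0.5, whereas reaching 50% for "someone shares my birthday" takes 253 other people; that gap is the whole paradox. The square-root rule is the same estimate used when judging how many random values can be issued before two are expected to coincide.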


What's the math behind this?

And is this for day-month or day-month-year?



> Bangalore is a tech city, and you both worked in tech. That's how you ran into each other.

I'll throw you another curve ball:

He was working in the same complex, and we'd run into each other at lunch.

The project he was there for was one I would have been assigned to, if I hadn't left our previous company. (I was the #1 SME for that bit of software)

Therefore, I would have been the one sent there anyways that week, and been in that area. I actually confirmed this with my old boss.


> I am always surprised at how often people who know each other randomly run into each other in an airport.

I'm surprised at how few times I've run into people I know when out and about shopping or doing other normal daily activities.

I live and work in a town with a population of around 11k. Coworkers live in that town, or one about 9 miles away with a population of around 22k, or one with a population of about 41k that is about 20 miles away in the same direction as that second town so the second town is in the middle.

This area has one Best Buy, one Target, one Barnes and Noble, one Walmart Supercenter, one Office Max, one Staples, and one mall all located in the middle town except the Walmart Supercenter which is in the 11k town. There are a few movie theaters but the quality varies a lot and most people I know only go to 2 of them.

In ~20 years these are the only times I've run into people I know which out doing ordinary things:

1. Two times I ran into a coworker or former coworker at Best Buy.

2. One time at a gas station I saw a coworker getting gas at the same time.

3. One time I ran into a coworker while grocery shopping.

4. One time I ran into my dental hygienist while grocery shopping.

5. One time my doctor was having lunch at the same sandwich shop as me.

I would have thought that in 20 years, with a pool of 2 or 3 dozen coworkers or former coworkers living in the area, I'd run into people I know a lot more often.


Same, yet strangely enough I keep bumping into unexpected people in airports.


From what I read once, the chance is significantly higher than you expect, something like if you are in a major airport, there's a 50% chance someone you know is also at the same airport.

This is because the group of people who travel often is surprisingly small, and so overlap will happen much more likely than you think.


It’s probably just a symptom of humans being very bad at estimating odds.


Teenagers even less so. He's _twenty one_ and has been running the site since he was thirteen years old.


Seems like a variation of the birthday paradox.


Not exactly, because the scenario isn’t “any two people on the plane” but “me and another person on the plane”.


We can see the full paradox at work here. The parent clearly states:

> how often people who know each other randomly run into each other in an airport.

> I mean, what are the odds?

This is explicitly stating "any two people" (and it's at an airport not a plane, so more people). But then follows up with changing the framing of question they're asking:

> I only had it happen once, but it was nuts.

The birthday paradox is only a paradox because we tend to think of birthdays in a very personal manner. So when we think of "any two people sharing a birthday" we immediately change this to "someone having my birthday", without realizing we've fundamentally changed the question we're asking.


The OP however isn’t surprised by the actual odds of any two people randomly running into each other, but by the fact that it happened to them or acquaintances. They actually don’t know what the odds would be for the whole airport or plane. With the birthday paradox, on the other hand, the thing that people are surprised about is not how often it happens to them, but the actual odds for a given group size of people.


Yes, but if it happened to someone else, that person might be on here expressing surprise and OP would be amusedly reading it.

I was in two classes where the birthday paradox was discussed, at different universities. Both times it was my birthday that was shared with someone else. What are the odds?


It is still not another specific person, but anyone you know, which is a pretty large set.


The birthday paradox is a paradox due to the quadratic odds. If you fix one person (yourself), the odds are only linear.
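The question upthread ("What's the math behind this? And is this for day-month or day-month-year?") and the quadratic-versus-linear point just made can be checked directly. The following is an added worked example, not a comment from the thread: it computes both framings, "any two of n people share a birthday" versus "someone shares my birthday", assuming 365 equally likely day-month birthdays (leap days ignored). Including the year only changes the number of categories, which is exposed as a parameter.

```python
"""Birthday-paradox arithmetic for the two framings discussed in the thread.

Added example, not part of the original thread. Assumes `categories`
equally likely birthdays (365 for day-month only, leap days ignored).
"""
from math import comb


def p_any_pair_shared(n: int, categories: int = 365) -> float:
    """Probability that at least two of n people share a category.

    Complement of 'all distinct': (365/365) * (364/365) * ... * ((365-n+1)/365).
    There are n*(n-1)/2 pairs to collide, which is the 'quadratic' growth.
    """
    if n > categories:
        return 1.0  # pigeonhole: a collision is certain
    p_distinct = 1.0
    for k in range(n):
        p_distinct *= (categories - k) / categories
    return 1.0 - p_distinct


def p_fixed_person_shared(n: int, categories: int = 365) -> float:
    """Probability that at least one of the other n-1 people shares *your*
    category. Only n-1 comparisons are in play, so growth is roughly linear in n.
    """
    return 1.0 - ((categories - 1) / categories) ** (n - 1)


def smallest_group_for(target: float, fn, categories: int = 365) -> int:
    """Smallest group size n at which fn(n, categories) reaches target."""
    n = 1
    while fn(n, categories) < target:
        n += 1
    return n


def pair_count(n: int) -> int:
    """Number of distinct pairs among n people (the quadratic term)."""
    return comb(n, 2)


if __name__ == "__main__":
    for n in (23, 50, 100, 254):
        print(f"n={n:4d} pairs={pair_count(n):6d} "
              f"any-pair={p_any_pair_shared(n):.3f} "
              f"fixed-person={p_fixed_person_shared(n):.3f}")
    print("50% for any pair reached at n =",
          smallest_group_for(0.5, p_any_pair_shared))
    print("50% for a fixed person reached at n =",
          smallest_group_for(0.5, p_fixed_person_shared))
    # Pooling by birth year as well (e.g. everyone born within one decade)
    print("any pair, 23 people, 10 years of dates:",
          round(p_any_pair_shared(23, categories=3650), 3))
```

With 365 categories the "any pair" probability crosses 50% at 23 people, while the "someone shares my birthday" probability needs 254 people in the room, which is the gap the thread is describing.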


I ran into someone who had interviewed at my company, we were both on an inter-airport shuttle in I think Berlin. He was based in CA, I was in MA, and we weren't really in the same industry (his knowledge base was tangent to what we did, thus the interview), and not traveling for the same event.

Have had a handful of similar scenarios, seeing someone I know when we are in a far-away random place. I think it had to do a lot with I was traveling frequently at the time (200K miles/year), to all kinds of random places.


So I know this particular guy named X; naturally I'm astonished to bump into him randomly on a specific flight from Y airport.

But I know 200 people, and I take ten flights a year, there are about 200 travellers on each flight, and such random bumpings don't happen more than once a decade. It's rather unlikely that I won't randomly bump into someone I know, on some flight, sooner or later.

But when it does happen, I'll still be surprised.


When I flew a lot I would run into regulars and people that I knew at least a couple of times every year.


I actually ran many times into people that I know, in different parts of the world. The weirdest one was running into some French dude I had met skiing in France on a boat in Thailand. It's a small world.


> Not really the sharpest knife in the drawer, to do things like this and then to go holidaying in the USA with incriminating stuff on your person...

The US could have gone after him any time it wanted in nearly any country, including his home in Portugal. They actually arrested him in the UK.

This issue with the warrant when he entered was a procedural thing that appeared out of convenience. They could have cooperated with Portugal to get the equivalent done there. They just saw this low hanging fruit flagged on a flight manifest and were like "sure why not".


I don't care about the US perspective, I care about his perspective, and for the life of me I can't imagine someone so incredibly convinced of their own ability to hide their tracks that they'd be involved in a multi-year effort like that and think it's smart to go visit the United States. It's not like that would be the first time someone got arrested on entry. If it can happen to the CEO of a large multinational it can happen to Joe Random Hacker at least as easily. The interesting thing is they didn't arrest him on the spot, but they might well have.


He was running one of the most 'successful' illegal forums for what 7 years? When you get away with something for so long, especially in an 'industry' where you know every law enforcement in the world is after you, I can see why you would easily think you're invincible and never getting caught.

He was incredibly convinced of his own ability to hide his tracks because technically up to that point, his ability to hide his tracks was good. A self fulfilling prophecy of sorts.


Either that or he was spotted long ago, judged to be untouchable because he was still a minor and they let it go until they could charge him as an adult.

The indictment documents a pretty lengthy sting operation.


I don't know if Portugal is like that too, but e.g. France doesn't extradite French citizens (that's why Polanski ran away here). Also I think it's a general EU rule not to extradite to countries with risk of torture and execution, and the US are experts at that. So it might not be as simple.


Yes, Portugal is among the countries that do not extradite their own citizens.

https://en.wikipedia.org/wiki/Extradition#Own_citizens

Edit: Actually Portugal seems to make an exemption for terrorism or international organised crime. The second one might apply here.

https://fra.europa.eu/en/law-reference/constitution-portugue...


This guy was under the impression that what he was doing wasn’t illegal.

IANAL but the fact that he is being charged with access device fraud might suggest that DOJ had to engage in some mental gymnastics in order to charge this. E: I’ll take that back since I actually read the indictment now, besides the usual raidforums fare he was also selling credit card data which would very much tend to attract access device fraud charges.


He knew what he was doing was illegal. You don't go through all the steps he did to stop authorities taking down the website without knowing what you're doing is illegal.


What steps were those? How are they distinguishable from the steps you would take to protect your website from being taken down because of abuse reports from upset people?

Trading in hacked data might not be illegal unless it’s credit card information, but your average hosting provider probably isn’t going to care about such nuances.


> Trading in hacked data might not be illegal unless it’s credit card information

Dangerous nonsense. Trafficking in stolen data is illegal, please read the full indictment.


But it really isn’t… The indictment mostly sticks to payment information for a reason.

And besides, indictments are not law.


They focus on payment information as those are the most serious crimes and would provide the harshest sentence. Trading hacked emails does not carry the same weight as trading hacked credit card details.


What weight does trading hacked emails carry?

As far as I can tell, lawmakers simply have not criminalized this.

Many things that obviously should be illegal are not illegal.


If trading hacked emails wasn't illegal, you'd have legitimate and big businesses trading them. You don't see any businesses like that because it is in fact illegal.

As someone else mentioned, an 'access device' actually refers to many things, including emails. You have an extremely poor understanding of the law if you even remotely think that trading hacked emails would somehow be legal.


> If trading hacked emails wasn't illegal, you'd have legitimate and big businesses trading them.

But there are in fact big infosec businesses trading them. They just brand it as “data leak monitoring” or “darknet intelligence” or whatever. Equifax does this, NortonLifeLock does this as do many others. There are also products aimed specifically for pentesters.

> As someone else mentioned, an 'access device' actually refers to many things, including emails

> "Access device" is defined at 18 U.S.C. § 1029(e)(1). Instead of using the term "credit card," or "debit/credit instrument," the term "access device" is used in the statute and is defined broadly as any "card, plate, code, account number, electronic serial number, mobile identification number, personal identification number, or other telecommunications service, equipment, or instrument identifier, or other means of account access that can be used, alone or in conjunction with another access device, to obtain money, goods, services, or any other thing of value, or that can be used to initiate a transfer of funds...." The only limitation, i.e., "other than a transfer originated solely by paper instrument," excludes activities such as passing forged checks.


What do you think 'access device' means in this context?


I already said he wasn't the sharpest knife in the drawer.


What he was doing might very well have been legal had he just avoided payment information and stuck to stolen databases containing emails, phone numbers, passwords. That was the bulk of the trade on raidforums anyway.

But yeah, definitely not the sharpest knife in the drawer.


> might very well have been legal had he just avoided payment information and stuck to stolen databases containing emails, phone numbers, passwords

I suspect that you are wrong about this.

https://en.wikipedia.org/wiki/Accessory_(legal_term)

"Count 1: Conspiracy to Commit Access Device Fraud (18 U.S.C. §§ 1029(b)(2) and 3559(g)(1))

Count 2: Access Device Fraud — Using or Trafficking in an Unauthorized Access Device (18 U.S.C. §§ 1029(a)(2) and 2)

Count 3: Access Device Fraud — Possession of Fifteen or More Unauthorized Access Devices (18 U.S.C. §§ 1029(a)(3) and 2)

Counts 4-5: Access Device Fraud — Unauthorized Solicitation (18 U.S.C. §§ 1029(a)(6) and 2)

Count 6: Aggravated Identity Theft (18 U.S.C. §§ 1028A(a)(1) and 2)"

If this sticks he will be gone for a long, long time, and, crucially, he handed over the evidence himself so no amount of 'it wasn't me' is going to help here.


Accessory after the fact:

> Whoever, knowing that an offense against the United States has been committed, receives, relieves, comforts or assists the offender in order to hinder or prevent his apprehension, trial or punishment, is an accessory after the fact.

It’s not obvious at all that selling e.g. the leaked Linkedin database would be illegal in any way. You wouldn’t retroactively become an accessory to the original crime.

Of course, that stopped mattering the moment he started trafficking in stolen payment card information…


A reminder not to take legal advice from HN.


Also important to keep in mind he ( most likely ) wasn’t aware of US law. Not sure how Portugal classifies businesses such as these, but we know how e.g. Russia differs in this regard.


Yes, true, but that's exactly why if you aren't aware of something or unsure of something you play it safe. The number of people that got busted like this is large enough that I'm 100% sure that he was aware that this wasn't a legal operation, in fact he went to some length to hide his identity, which shows at least minimal awareness of this.


Cut him some slack he was literally a teen when he got arrested.


When I was a teen I did lots of stupid stuff but generally I was aware of where the line was and if and when it was crossed I was pretty careful about it (mostly: experimenting with 'modulated high frequency sine wave generation').


> Not really the sharpest knife in the drawer

Not uncommon with these types. Some former lulzsec dude got into EVE then very publicly threatened my corp with hacking/claimed he’d hacked us. Of course, he was on some kind of probation IRL that banned him even using computers/the internet. Our IT lead called the FBI and he got picked up again.


For background: he's only 21, and he started the website at 14.


Indeed. But that doesn't really matter in the eyes of the law, he's no longer a minor. If he had been a bit more clever he would have stopped doing any of that the day he turned 18.


It is not about law enforcement either. It's about debating whether he's the sharpest tool in the shed or not. I contend that running such a criminal enterprise is no easy feat for a teenager despite the rookie mistakes he committed.


It's not easy: that's why he got caught. And he got caught primarily because he started a criminal enterprise, which makes him not the sharpest tool in the shed, if he would have been he would have turned his talents to something both more lucrative and legal.


In a poor country where the average person makes < 1000 EUR per month, how do you come up with 0.5M at 21?


You probably won't. But 0.5 M at 21 through illegal means is easy: just rob a money transport and call it a day, after all: who cares if you are going to be a criminal anyway.

How you are going to legally come up with money is the question and there are no real shortcuts there other than to get lucky. But with his skills properly applied he would have a much better chance at a nice life than he has today. Money doesn't really matter much if you're in a jail cell.


Sounds like he was already on their radar if they were able/desired to obtain a warrant to search his devices.


So they even need a warrant? I was under the impression that no US constitutional protections apply to foreigners, and when entering the country you need a visa or equivalent preauthorisation, and there you certainly agree they can do whatever they want with you.


That sounds mostly right to me.

I think many constitutional protections do apply in case the USA is prosecuting an individual, eg even as a non American you could take the 5th if an American court was trying to convict you.

However, when you're asking to enter the country as a non US citizen your options are essentially to do whatever the border services agents ask you to do or turn around and go home.


...or even just spent the time to do it. But, not too surprising that they don't want to divulge everything that led them to him.


According to another article they arrested / detained several other people during this bust. I am guessing an inside agent got them to meet up. Only Coelho was stupid enough to have his devices unlocked / easily scoured. Using his admin email didn't help. Who even does that? Even my 75 year old mom knew to use her trash email for signing up for crap.


I think that's because these people are on the business side of exploits, not the technical side. So really the most important quality to have is a lack of scruples, not any kind of insane technical talent which might inform proper infosec.


This is pretty funny, imo:

---

Not all of those undercover buys went as planned. One incident described in an affidavit by prosecutors (PDF) appears related to the sale of tens of millions of consumer records stolen last year from T-Mobile, although the government refers to the victim only as a major telecommunications company and wireless network operator in the United States.

[...]

The government says the victim firm hired a third-party to purchase the database and prevent it from being sold to cybercriminals. That third-party ultimately paid approximately $200,000 worth of bitcoin to the seller, with the agreement that the data would be destroyed after sale. “However, it appears the co-conspirators continued to attempt to sell the databases after the third-party’s purchase,” the affidavit alleges.

---

T-Mobile paid 200k and got precisely nothing from it.


With the added benefit of poisoning the well for the next hacker who tries to sell the data back to the company.


It's likely posturing for the inevitable lawsuits plus a lottery ticket on a great outcome.


Isn't T-Mobile the real "blunt knife" in this story?


Interesting tweet here[0] saying the site was used to phish credentials since late February this year.

Also, who was hosting these guys? I remember in early 2000s (back when milw0rm was a thing) - a lot of sites like this struggled to stay online because nobody wanted to host them.

Anyways, that's a pretty stupid way to go out. And, not just because he is at fault or whatever, it sounds like they turned that site into a capitalist enterprise and that's going to hurt more than the fact that he engaged in illegal activity in the first place.

[0]: https://twitter.com/NatSecGeek/status/1513875386395987968


I reckon the move to automated deployments in the cloud, must have made it relatively easy to cycle through accounts.

Any mid-size hosting company these days has an API, so you write scripts to deploy your (pretty simple) services on Host A with account A, and when the ban happens, move to Host B with account A, then back to Host A with account B, then Host B with account B, then Host A with account C, etc etc.


> who was hosting these guys?

Epik?


Amazing how the perp started the website at 14 and gradually turned it into the top data leaks site in the world. To be able to build a multi million dollar illegal marketplace and not get caught for 7 years was quite an achievement in itself. Alas you just have to slip once and the party's over.


Not really. Unless it involves contraband, terrorism, or kid porn, the feds will not care that much. They will get to it eventually but it is not a top priority. Also they need many years to build an airtight case.


This is pure speculation but if I were the Feds, I'd let insecure, incompetently run forums keep operating and shut down any secure, tightly run forums.

The insecure forum can simply be hacked and basically become honeypots.


That’s freenet in a nutshell


Freenet is technically safe. It doesn't allow JavaScript, unlike onion sites.


Freenet is very much not safe. Accessing any kind of dissident/illegal content is a quick way to get a visit from the FBI/FSB party van.


Do you have any proof of that?


> contraband, terrorism, or kid porn,

One is not like the other two. To be honest I didn't know the Feds cared that much (comparatively speaking) about contraband. Is it because of some pressure coming from higher-up? (i.e. affected companies pressure the politicians they support => the politicians pressure the higher-ups in the FBI => those higher-ups pressure the regular agents).


Funny how there are so many logos on the seizure notice. They should have put a McDonald's logo too, or maybe a service where a company can pay to have their logo put on there given how much traffic the seized domain probably got.


Cyber Security companies might pay to be on there as a sponsor.


This takedown is brought to you by Raid: Shadow Legends.


including an anime girl in skimpy clothing


don't want people to get it confused with the other raidforums which is represented by a very chastely dressed anime girl


What are the legal implications of having registered on this forum once with a personal email account but not having ever engaged in any transaction or downloaded any leaked data, just lurking a few threads of nothing interesting at most?

Asking for a friend, of course...


Your name will end up on a list.

Such lists can be queried by those that are properly connected, typically LE/three (and in some countries four) letter agencies if your name ever turns up in some other context and then it might be given some weight, but other than that I wouldn't expect anything to come of it assuming that you are telling the truth. Such inter-service requests for information on particular individuals are pretty regular but someone first has to ask for you by name, and in a country with proper privacy protections typically a judge would have to sign off on such a broad request, but these mechanisms are not always perfect.

Reading threads isn't a crime, but hanging out in places where lots of criminals hang out doesn't help you in the association department.


Unless you have some reason to be there, eg negotiating with someone who hacked your service.


Hard to say, but rest assured that countless "white hat" infosec companies have also signed up and probably purchased stolen databases in furtherance of their own business activities.


> According to the DOJ, that early activity included 'raiding'...

> ... and 'swatting,' the practice of making false reports to public safety agencies of situations that would necessitate a significant, and immediate armed law enforcement response.

If he did swatting they need to lock him up for attempted murder. People die from that "prank".


Infinitely hysterical that they couldn't find a version of the RaidForums logo without a scantily clad anime girl lying on top of it


Right next to all those law enforcement agencies' logos :D


> Please delete this post as this means I am in big trouble.

Interesting comment on Krebs' article... Probably a joke, but doesn't imply great intelligence among the people involved with RaidForums if not.


This forum kinda reminds me of HackForums[1], but the owner of that forum co-operates with law enforcement and makes good money while staying above board on things. At one point, he even directed members interested in certain blackhat activities (carding, mainly) to a site that later ended up to be an FBI setup.

[1] https://hackforums.net/

[2] https://krebsonsecurity.com/2012/06/carderprofit-forum-sting...


Stories like this make me wonder how well full disk encryption really holds up. Maybe LUKS is good, but I don't have 100% confidence that FileVault or BitWarden aren't backdoored. Of course in the UK, refusing to give the password is a crime, so some jurisdictions have you either way.

Also, in this day of the internet, why would you need to travel with your laptop if you store the compromising data on a secure server, and then download it on a fresh computer when you get where you are going.


Am just curious how hackforums is still around?


I swear Hackforums is an FBI honeypot for especially stupid criminals. Nothing happens there (remember back in the day someone was talking about stealing from a gamestop and a bunch of people called the store to warn them lol), and anyways anyone who does anything remotely illegal immediately gets arrested.


It is and at one point the owner even redirected people interested in more illegal things to a site that ended up being an FBI sting lol.

https://hackforums.net/printthread.php?tid=5656430


They don't allow anything illegal


Guess the rabbit got caught by the turtle again due to showing off instead of just leading the damn race...


Hey you can't collect and sell American information, that's OUR job!


> an extremely popular English-language cybercrime forum that sold access to more than 10 billion consumer records stolen in some of the world’s largest data breaches since 2015. The DOJ also charged the alleged administrator of RaidForums — 21-year-old Diogo Santos Coelho, of Portugal — with six criminal counts, including conspiracy, access device fraud and aggravated identity theft.

Something doesn't add up.


What doesn't add up?


This admin would have been 14 when this was started. Why now and why him?


1. now he's major and can be tried as such

2. they've had a long time to build a solid case against him (and probably get info on others involved on the site)

3. he actually walked into their hands


Is US justice known for being swift and efficient?


I wish the DOJ had a better designer for their domain seizure graphics.


It's meant to be as garish as possible. It's the modern day equivalent of a branding iron. You got pwned!


Actually, you're spot on. They started doing these style of splash pages a few years after hacking groups did.


I'd make a guess that they simply just hired those people (semi-voluntarily)


Quite a few former cyber criminals are on probation with three letter orgs…


Hector?


I wonder how far in advance of the actual seizure do they get these graphics ready. Or, perhaps they JIT them and delay the seizure until the final graphic is finished and signed off?


Idea for a HN contest: design a better DOJ domain seizure graphic. Bonus points for features like "enter personal identifying information here to be notified when your favorite illegal site is back online".

...although I guess they did that last part for a while before they changed the graphic.


"Show HN: I trained a GAN to generate DOJ seizure graphics!"


I enjoy how they incorporate the logo of the seized site on their notice.


If I hadn't read the news first, I'd never have guessed that the image is actually made by a law enforcement agency. It looks like some script-kiddie's prank from 20 years ago.

I like it though. A bit of punk spirit.


https://raid.lol/hn link for the lazy. The IRS:CI logo is better than I would expect for a government agency: https://en.wikipedia.org/wiki/IRS_Criminal_Investigation and perhaps it pays okay: Annual budget US$1.2 billion with ~3,300 employees.


No way, the whole point is to piss off the people who frequent those domains.


Somebody should seize the DOJ website and replace it with a cDc logo or something...

Or a redirect to phrack.org.


It sounds like the 'somebody' would be angling for an extended stay in a room without a view as well.


Did he at least get swatted?

