
No safe haven: the global Secret Service hunt for three hackers

Dave & Buster's hack leads agents from Turkish jail to Dubai "sneak-and-peek."


Dave & Buster's store #32 in Islandia, New York—a restaurant and electronic funhouse for adults—seemed an unlikely target for an international credit card theft ring. Certainly no patron drinking beer and shooting miniature basketballs into a miniature hoop expected their credit card data to end up inside an encrypted Latvian server, waiting to be sold off to international criminals who would ring up more than $600,000 in charges on the cards. But that was because no patron knew anything about the Estonian hacker Aleksandr "JonnyHell" Suvorov.

On May 18, 2007, Suvorov electronically entered the point of sale (POS) server at store #32. Every Dave & Buster's has a POS server, which vacuums up all the credit card data collected by each store's credit card swipe terminals and relays it upstream to a payment processor for verification and approval of the transaction. With full access to the server, Suvorov had no trouble installing a customized bit of code called a packet sniffer, and the program promptly turned its digital nose upon all traffic flowing into and out of the server. The sniffer used this privileged position to find and extract from the data stream the key "track 2" data—numbers and expiration dates, but not names—from every credit card used in store #32, saving it to a local file creatively named "log" for later retrieval.
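The sniffer described above worked because card data crossed the POS server in the clear, so a defender watching the same traffic can look for the same thing. Below is an added example, not code from the article or from any of the parties it describes, of the check an egress or data-loss-prevention monitor on a POS segment would run: it scans a byte stream for track 2 layout (PAN, "=" separator, YYMM expiry, service code), discards false positives with a Luhn check and an expiry sanity check, and reports only a masked PAN so the alert itself does not leak card data. The sample stream and the PANs in it are constructed (they are the standard Visa and MasterCard test numbers); the function and field names are this example's own.

```python
import re
from dataclasses import dataclass

# Track 2 layout per ISO/IEC 7813: PAN (13-19 digits), '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, optional '?' end sentinel. The ';'
# start sentinel is optional here because data extracted from a POS stream may
# have been stripped of it.
TRACK2_RE = re.compile(
    rb";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})?(?P<disc>\d*)\??"
)


@dataclass
class Track2Hit:
    masked_pan: str   # first 6 and last 4 digits only; never log the full PAN
    expiry: str       # YYMM as it appeared on the wire
    offset: int       # byte offset of the match in the scanned payload


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check; weeds out random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(payload: bytes) -> list[Track2Hit]:
    """Return every plausible track 2 record in payload, with the PAN masked."""
    hits = []
    for m in TRACK2_RE.finditer(payload):
        pan = m.group("pan").decode()
        exp = m.group("exp").decode()
        month = int(exp[2:4])
        if not luhn_ok(pan) or not 1 <= month <= 12:
            continue            # digit run is not a real card record
        hits.append(Track2Hit(mask_pan(pan), exp, m.start()))
    return hits


# Constructed sample of what might cross a POS server's network interface.
SAMPLE_STREAM = (
    b"POS-TXN id=4471 term=07 "
    b";4111111111111111=09081011234567890?"   # valid track 2 (Visa test PAN)
    b" ack\r\n"
    b"noise 1234567890123=9999 no svc "        # fails Luhn and month check
    b"5500000000000004=10121010000?"           # valid, sentinels stripped (MC test PAN)
    b" 4111111111111112=0908101?"              # fails Luhn
    b" 4111111111111111=0913101?"              # month 13: not a real expiry
)


def report(payload: bytes) -> list[str]:
    """One alert line per hit, safe to ship to a SIEM."""
    return [f"track2 data in clear at offset {h.offset}: PAN {h.masked_pan} exp {h.expiry}"
            for h in find_track2(payload)]


if __name__ == "__main__":
    for line in report(SAMPLE_STREAM):
        print(line)
```

Two hits come back from the sample (the two Luhn-valid PANs with sensible expiry months); the three decoys are dropped. In practice the same check belongs at the switch or on the payment processor's inbound side, and the real fix is to encrypt track data at the swipe terminal so there is nothing for either a sniffer or this detector to find.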

Suvorov didn't hack his way in, exactly—he actually had the proper credentials for the POS server. He had obtained them by hacking a bit further up the credit card food chain and breaking into servers run by Micros, maker of the POS system used at Dave & Buster's. Inside the Micros system, Suvorov had found a file which he hoped would make him rich: it contained access information for POS systems deployed at Micros client locations, including Dave & Buster's.


Even with easy access to Dave & Buster's POS servers, Suvorov ran into difficulties; the sniffer, it turned out, was not a perfect piece of code. The sniffer had come from a young Miami man, Albert Gonzalez, who was at the time running one of the largest commercial hacking crews in US history. Gonzalez provided a sniffer that he had used for other jobs, and Suvorov first deployed it in a test run at the Dave & Buster's location down the Eastern seaboard in Arundel, Maryland. It failed to capture any track 2 data at all. After getting the code fixed, Suvorov tried again and expanded to 11 Dave & Buster's in May 2007—including store #32.

This time, the sniffer worked, grabbing credit card data as intended, but it now showed another flaw: it failed to restart itself any time the POS server rebooted. Fixing the problem appears to have been too much trouble for Suvorov. Instead, he simply logged into the Dave & Buster's POS servers every few months, grabbed the existing "log" files, and moved them to an encrypted Latvian server. Then he manually restarted his sniffer.

By September, Suvorov had collected nearly 5,000 credit cards from store #32 alone—and many thousands more card details from the other stores. He compiled the card numbers into a database and sold his list for $25,000. Easy profit.

Suvorov hailed from Sillamäe, a small resort town of just 16,000 on the northeastern border of Estonia. Only 23 years old, he had never been to college, but who needed college when profits could be had so easily? Suvorov was already a veteran at running card numbers. He had partnered with a Ukrainian named Maksym "Maksik" Yastremskiy, and the two became highly specialized middlemen: they bought up databases of stolen credit card numbers from people like Gonzalez for a few thousand dollars apiece, then found buyers before the numbers became useless. In late 2006, for instance, Suvorov and Yastremskiy tried to sell a list of 160,000 credit card numbers to a San Diego man who had approached them through the Internet's darker back alleys. In the end, the man only had the cash to buy 6,798 credit card details—for which Suvorov and Yastremskiy charged him $10,000.

The pair had done well for themselves; Yastremskiy alone was alleged to have earned $11 million in revenue from his card-fencing activities. But by virtue of doing well, they attracted the attention of some people they must have thought could never reach them: the US Secret Service. And the Secret Service was very interested. The agency had been running a three-year undercover operation called "Carder Kaos" to bag people like Gonzalez, Suvorov, and Yastremskiy, whose hacking and fencing had achieved record levels of US-based fraud. For instance, who was that San Diego man who paid $10,000 for the card numbers? A Secret Service agent.

Had Suvorov known about the pursuit, he might have considered a move to Russia, whose border was only a few miles from Sillamäe. (The Russian Constitution forbids the extradition of its citizens.) But, flush with his earnings, Suvorov indulged in a March 2008 vacation to Indonesia, with a stopover in Germany. He was promptly arrested in Frankfurt by the German Federal Police acting on a US warrant.

Suvorov spent much of 2008 in a German jail, awaiting an extradition hearing, and he might well have spent his nights pondering just how many US government resources had been expended to track him down: Secret Service investigations, undercover agents, federal lawsuits, international warrants, extradition requests. But government resources go far deeper still, as his co-conspirator Yastremskiy found out the hard way.

A little "sneak-and-peek"

In 2006, the year before the Dave & Buster's break-ins began, a Secret Service team was already on Yastremskiy's tail, and they weren't about to let a little geography stop them. In June 2006 agents arrived in Dubai, where the peripatetic Yastremskiy had traveled. Yastremskiy himself was not the team's immediate goal—at the moment, they wanted only his Lamborghini-branded PC with a Cyrillic/English keyboard. On June 14, the Secret Service accompanied United Arab Emirates officials on what the US government would later call a "sneak-and-peek search" of Yastremskiy's hotel room.

Waiting until Yastremskiy was out, the team accessed his room and imaged his laptop's hard drive. The main contents of the drive were encrypted, however, hidden inside a container called "New PGP Disk1.pgd." The agents left with their disk image, restoring the laptop to the room and leaving no trace of their presence. They couldn't immediately make use of the encrypted image, but who knew what secrets it might spill down the road?


The investigation continued. Yastremskiy continued his work with Suvorov. The men sold their $10,000 in credit card numbers to an undercover agent, but the US government took no action. In 2007, apparently fed up with simply purchasing credit card numbers from hackers, Yastremskiy and Suvorov decided to acquire them more directly, and the Dave & Buster's break-ins became their latest endeavor. As the group began exfiltrating the card data for sale, the Secret Service investigation had reached a point at which the agency was ready to act. They obtained a provisional arrest warrant from a federal judge in southern California and took it to the Turkish National Police (TNP), since Yastremskiy had left Dubai for a visit to Turkey.

The TNP was happy to help. Secret Service agents arrived in Antalya, Turkey during late July 2007 and followed a protocol much like the one from Dubai. On July 25, TNP officials entered Yastremskiy's hotel room when he was out and snatched the Lamborghini computer, again. They took it across the hall to another room in which the Secret Service team waited. This time, instead of making a complete image, the agents opened the machine and snapped photos of its login screen, which displayed the username "Mars"—everything appeared identical to the machine they had "sneaked-and-peeked" at back in Dubai.

The next day, the TNP arrested Yastremskiy on the US warrant. What was Yastremskiy doing in Turkey in the first place? Secret Service agents had arranged the meeting there, convincing Yastremskiy they wanted to make a big buy.

But rather than extradite Yastremskiy, the Turks discovered an interest in his fraudulent ways and decided to prosecute him locally. (He had apparently gone after many Turkish banks.) This meant the existence of two parallel investigations into the man's activities, and that meant two parallel attempts to break into his laptop. On July 30, a TNP forensic examiner back in Ankara provided the Secret Service with a complete image of the laptop's hard drive—again, mostly made up of an encrypted volume—and each side went to work.

The Turks physically had Yastremskiy, so they decided to see if he might simply tell them the password—and he did, just days after his arrest. Why? Suvorov's lawyers would later claim darkly that the entire episode surrounding Yastremskiy's password revelation "shocked the conscience"—but this was speculation. US lawyers offered no opinion about why Yastremskiy had revealed his password except to note that US defendants also did so, usually as a way to reduce criminal sentences.

But security researcher Chris Soghoian talked to four people who listened to a private presentation by Howard Cox, a Department of Justice official, back in 2008. Cox allegedly joked that leaving a suspect alone with Turkish police for a week might be a good way to get them to reveal a password. The Turkish Embassy to the US eventually responded, saying that "Maksym Yastremskiy has not filed any complaint for being subject to ill-treatment or police violence or brutality. The medical reports issued by the Turkish forensic medicine clearly state that no signs of physical harm have been detected on his body."

However they acquired the 17-character password, the Turks and Americans took very different approaches to using it. The Americans went through a detailed forensic process on the drive image, with Secret Service Agent Stuart Van Buren needing an entire month "to undertake a lengthy and difficult process to make the Yastremskiy Image readable and searchable," due to the encryption.

The Turks simply turned on Yastremskiy's laptop and entered the password, then began viewing files. (Forensically, this might create all sorts of problems by altering "last accessed" dates and opening the entire laptop's evidence to charges that material had been planted.) US lawyers were later diplomatic about the differences, calling it "a different approach than the USSS may have used." Yastremskiy's computer evidence eventually pointed to both Suvorov and Gonzalez as co-conspirators.

Despite a US extradition request, Yastremskiy was charged with a host of violations of Turkish law and sentenced to 30 years in prison there—where he remains today.

Now it was time to bring in Gonzalez.
