One day in May 2001, a group of Russian-speaking hackers met at a restaurant in Odessa and created the credit card forum CarderPlanet, which quickly became an infamous shop for cybercriminal tools and services. For the first time, anyone who wanted to be filthy rich had everything they needed, from credit card data to malware, to community support.
This forum, which democratized carding, was shut down in 2004, but its effects are still felt today. Eastern Europe continues to be a hotspot for financial cybercrimes, although the tools have changed.
Skimmers, who steal money from ATMs by placing hidden electronic devices, rarely make headlines. These days, more advanced techniques are in place. A few months ago, for instance, Kaspersky published its findings on Genesis, an online shop that traded 60,000 digital identities. These identities consist of data on user behavior and device specs that anti-fraud systems analyze when trying to determine whether the person entering credentials on an online shop is who they claim to be.
Moreover, attacks against financial organizations originating in the region, such as those launched by the Carbanak group, have multiplied, and have increased in complexity.
The gap between today’s cybercriminals and those operating in the 2000s is colossal, security researcher Sergey Lozhkin tells me.
The decline of carding
Lozhkin started his career as a police officer in the city of Omsk, Siberia, in the early 2000s. As he was a tech-savvy young man, he was assigned to the Cybercrime Investigative Unit, where he worked on credit card fraud, but also on hacker attacks, and illegal access to private networks.
At that moment, most countries in Eastern Europe were struggling. In the 1990s and early 2000s, economies in the former Soviet Bloc stagnated or deteriorated following the dissolution of the Soviet Union, and citizens failed to make ends meet. For some young people, having access to money became a survival skill but also a measure of success in life, so carding flourished.
Lozhkin was a police detective for two years, and then he switched to the private sector, working as a pen tester and malware analyst. These jobs allowed him to pursue his passion for security and keep a close eye on carding gangs.
He argues that the number of typical carders has decreased tenfold compared to 15 years ago, as some of those who committed financial crimes have started families or have “put their black money into legitimate businesses.”
In the early 2000s, carders thought of themselves as some modern version of Robin Hood or “economic guerrillas,” stealing money from people from rich countries like the U.S., Canada or those in Western Europe, to spend it at home, in Russia, Ukraine, Belarus, Romania or Moldova. Today, there’s less of that ideology, Lozhkin says. “Today, carding is less romantic. It has no soul. It’s a mechanical process, a typical routine job you don’t need a brain for.”
Back in the day, cybercriminals would attack online shops to get credit card databases, but today, most websites don’t collect such information anymore. So, they hack online stores and insert JavaScript sniffers, a type of malware that skims credit card information. Sniffers simply intercept all the data coming through a website, including card numbers and other banking data the user inputs. Once collected, the information can end up on underground shops where it’s sold.
“The price for one credit card usually starts at $10,” Lozhkin says. “It can vary between $7 and $15, depending on the [type of] card. Someone can like steal $200 from a card they buy at just $10.”
The researcher, who has been following criminal gangs for almost two decades, says the level of sophistication financial malware has currently reached has nothing to do with the techniques carders used in the naive early days. He argues that criminals doing financial crimes are now tough-minded and mature, and gives the Carbanak group as an example. This Russian-speaking gang stole over $1 billion over the past few years by targeting over 100 banks, financial institutions, and e-payment systems in 40 countries.
The group has had several ways of stealing money. It used the SWIFT network to transfer funds to the criminals’ accounts. It also tricked ATMs in precise locations to dispense cash at certain times, when the money mules were ready to collect it. Europol arrested several suspects in Spain and Ukraine last year.
In some Eastern European countries, such as Romania, few veterans are still in the business. “More than 90% of the people who do carding are new guys,” the researcher says.
In it for the thrill
Some years ago, Romania was quite known for its carders, but today there isn’t much activity going on in this area, Liviu Arsene, senior e-threat analyst at Bitdefender, tells me. The Romanian expert has been following gangs in his country for more than a decade.
“Most of the carders who were active back in the day now have normal jobs, in completely different industries,” he tells me. “Some ended up working in sales, while others embraced more artistic professions. A few became sysadmins.”
Arsene says they could choose any profession they wanted, as they lacked criminal records. Hacking only became illegal in 2004 in Romania, and before that, those involved in such dubious activities didn’t face the consequences. As soon as the legislation came into effect, many stopped what they were doing. “It became too risky,” Arsene says.
The internet cafe culture, which fueled the carding industry a long time ago, touched enthusiasts of all ages and all walks of life. “There were kids aged 10, but also people in their 30s. Many got into the business not for the money, but out of curiosity.”
Recognition and thrill made hacking cool to them. “They were very young; they lacked mentors,” Arsene tells me. “And when one of them did something before anyone else, he was seen as a hero.”
At times, Romanian carders got pretty ingenious, the Bitdefender researcher says. He remembers that one day, a gang wanted to transport stolen credit card information across the Bulgarian border on subway passes. “They used those tiny magnetic strips to store banking information. The Border Patrol was like: ‘Why do you guys have so many subway passes with you?’ An investigation followed.”
Today, law enforcement agencies from different countries find it easier to work together, and often hacking group masterminds are extradited to the U.S. where they are tried and sentenced. New York-based criminal defense attorney Arkady Bukh has defended a few of them.
Following the money
Bukh has defended many carders and other Russian-speaking cybercriminals extradited to the U.S., including Vladislav Horohorin, aka BadB, one of the founders of CarderPlanet.
Yet, Bukh says that he hasn’t defended many typical carders lately. “In my opinion, carding is actually dying,” he tells me. “Most people who got apprehended [at some point], to my knowledge, don’t engage in criminal activity.”
Today, Bukh says, he has more cases related to ransomware than to carding. “[As a hacker,] you can get much more money this way,” he tells me. “I handle ransom negotiations all the time for large companies.”
Although he considers many former carders to be opportunistic, he doesn’t think that they have continued to operate and become part of the new gangs, such as Carbanak. (Bukh also defended Fedir Oleksiyovych Hladyr, a 34-year-old from Ukraine accused of being part of the Carbanak group.)
Criminal defense attorney Arkady Bukh says financially driven cybercrime will continue to grow in the years to come, regardless of the shape it takes. While money is a big part of Eastern European hackers’ motivation, he believes there could be more to it than that. “To some of these guys, hurting Europe or the United States is a matter of pride.”