Wired: The Seven Best Capers of 2008

[Pat McCotter]

The Seven Best Capers of 2008

It was a bad year for the economy, the Republican party and gay rights. But 2008 was a banner year for technology-aided crime. Competition was tough, but after an exhaustive search, Threat Level has produced this authoritative list of the best capers of the year.

But we're leaving the award of the grand prize, the coveted Lex Luthor Award for Best Caper of 2008, in your hands. Vote up or down as you see fit. We'll send the winner, or his attorney, a t-shirt he can wear to announce his prize-winning status to his underworld cohorts. Voting closes on Jan. 7.

If you're a criminal that didn't make this year's rogues gallery, take heart. There's always 2009.


The Snohomish Smokescreen

In September, a robber disguised as a gardener pepper-sprayed an armored car driver using a pesticide sprayer and ran off with a bag stuffed with $400,000 in cash. When police arrived seconds later, they found the sidewalk crowded with dozens of men decked out in the same attire as the perp: blue shirt, Day-Glo vest, safety mask and glasses. While the cops hacked through a forest of suspects, the real perp fled to a nearby creek and escaped in a waiting inner tube.

Turns out the unwitting decoys had been lured to the crime scene by a Craigslist ad that promised construction work to those showing up in a "yellow vest, safety goggles, a respirator mask ... and, if possible, a blue shirt." A month later, following a lead from a homeless man who witnessed the preparation for the Brinks job, police arrested 28-year-old Anthony Curcio fresh from a Las Vegas vacation. Curcio is now charged with "Interference with commerce by threats or violence," because "Pulling the most awesome robbery ever" isn't listed in the U.S. code.
   

The Plumas Lake Penny Pinch

If you've ever linked up your checking account to an online brokerage house or digital payment service, you may have noticed that the company automatically initiates one or two small deposits -- typically less than a dollar each -- for verification purposes. If you're hard up for cash, or just really bored, you might have thought, "if only there was a way to make real money off this ..."

Twenty-two-year-old Michael Largent of Plumas Lake, California allegedly figured out a way: Volume! Prosecutors say Largent wrote a script that rapidly opened about 60,000 new accounts under aliases like Johnny Blaze and Hank Hill, then linked them all to a handful of bank accounts under his control. Largent allegedly accumulated some $58,000 in nickels and dimes from Schwab.com, E-Trade, and Google Checkout, and transferred the free money to pre-paid debit cards before the companies could renege on their generosity. The venture was ultimately thwarted by bank reporting regulations, and Largent is now facing federal computer and wire fraud charges.
   

The Reverse Philly

Not every brilliant caper is masterminded by a criminal. For two years, a mysterious Eastern European cyber crook known as "Master Splynter" ran a flourishing cyber crime supersite called DarkMarket.ws. Brazen and defiant, Splynter boasted of turning his nefarious site into "the premier English-speaking forum for conducting business" -- i.e., buying and selling stolen identity information and hacked credit card numbers. And he took particular delight in spitting bile on the federal agents trying to take him down.

In September, following the arrest of another DarkMarket administrator in Turkey, Splynter announced he was getting out while the getting was good. A month after he shuttered the site, which boasted 2,500 members at its peak, DarkMarket's displaced denizens learned the truth: the site was a sting operation, and their buddy Master Splynter was Pittsburgh FBI agent J. Keith Mularski. The FBI says the long con netted 56 arrests worldwide, and prevented $70 million in fraud losses. Threat Level thinks Mularski would make a damn fine criminal if he weren't one of the good guys.
   

The Washington-Jackson Switcheroo

First spotted in 2005, this caper takes advantage of retail ATM owners and operators who leave the administrative passcodes on their Tranax and Triton cash machines set to the defaults published in easily-obtained service manuals. Armed with the passcodes, fast-fingered swindlers reprogram the ATMs to think they're loaded with $1.00 bills instead of $20s, so a withdrawal of twenty bucks (say, on an anonymous, pre-paid debit card) nets the thief $380 in free cash.

Last August, Lobo's City Mex in Lincoln, Nebraska, was the scene of the first known arrest for the long-running ATM hack. Manager Raul Omar Lobo held two purported PIN-pad perps at gunpoint after they allegedly showed up to add to the $1,400 they'd already plundered from the restaurant's Tranax MiniBank. Local prosecutors charged Jordan Eske and Nicolas Foster, both 21, with four counts of theft by deception, and one count of computer fraud, for allegedly stealing a total of $13,600 from Lincoln-area ATMs.
   

The Big Gulp

You're a Russian hacker who's just managed to crack a server that processes transactions from Citibank ATMs at 7-Eleven convenience stores. No fool, you suck down thousands of Citibank customers' account numbers and PIN codes. Only one problem remains: How best to monetize your hacking haul.

The solution: offshore it, of course. The hacker, identity unknown, farmed out the stolen data to confederates in America, who traveled from as far as Missouri to converge on the Citibank ATM supercluster known as New York City. Using blank cards programmed with the hacked account numbers, the gang managed to steal at least $2 million from Citibank accounts, sending 70% of the take back to mother Russia, before a lucky traffic stop unraveled the scheme. In the end, the FBI made ten arrests, including two Ukrainian immigrates with more than $800,000 each stashed in their closets. That's a lot of Slurpees.
   

The Big Rig

How do you run a profitable interstate trucking company without all the hassle of driving trucks? Step one: Visit the online "load boards" where brokers advertise cargo in need of transport and negotiate a deal to, for example, haul a load from California to Maryland for $3,500. Step two: hack into the Department of Transportation website that maintains the master list of licensed trucking companies, and change the contact information for a legitimate firm to an address and phone number you control.

Step three: Profit! Posing as the company whose identity you just stole, outsource your job to another trucking firm for whatever price it wants; when the load is delivered, collect your $3,500, leaving the company that actually drove the truck trying in vain to invoice the company you hijacked. Step four: Get a lawyer. In October, federal prosecutors charged Russian immigrants Nicholas Lakes and Viachelav Berkovich with computer fraud for allegedly pulling this scam over-and-over again, to the tune of $500,000.
   

The Cold Call

When 18-year-old Matthew Weigman's telephone line was disconnected, the legally-blind phone phreak didn't just get mad; he got royally pissed. First, the FBI says, he social engineered the phone company into reconnecting the line -- take that, phone cops. Then he made another pretext call to obtain the unlisted phone number and home address of William Smith, the Verizon security agent who got him disconnected.

Armed with the information, Weigman allegedly began calling Smith and berating him over the phone. To ensure that Smith answered the calls and took his punishment like a man, Weigman social engineered the phone company into giving him near real-time access to Smith's billing data, then repeatedly used Caller ID spoofing to make the harried security official think people were returning his own calls: when Smith phoned a travel agent to book a flight, his phone would ring a few minutes later, displaying the number of the travel agency he'd just called. It wasn't until Weigman took his vendetta into meat space and showed up at Smith's New Hampshire home with his burly older brother that he was arrested. He now faces federal charges of intimidating a witness.