For E.F.O.
INTRODUCTION
WHEN I FIRST MET BARRETT LYON in 2004, I was covering Internet security for the Los Angeles Times from an office in San Francisco. His story was so good—and met a journalistic need so deep—that I had a hard time believing it was true.
For more than a year, I had been grappling with an onslaught of urgent but complicated stories. Seemingly every week brought a new computer virus that shot around the world. Many had real impact, shutting down large company networks or overstuffing mailboxes with spam until they started rejecting legitimate messages. Even so, the problems could be hard to explain before the deadline for the next day’s newspaper—especially if the viruses took advantage of obscure software holes in ways researchers were still struggling to understand.
It wasn’t just that the technical explications were tricky. There were few heroes, except for a handful of almost unquotably nerdy researchers. The villains were usually shadows. When someone did get caught in those days, it was typically a maladjusted teenager.
Yet something important was happening. As the world connected to more computers and depended on them for more things, the bad guys were wreaking havoc. Worse, the viruses unleashed for mischief’s sake were getting supplanted by those that were about making money.
Then came a new series of Internet attacks, much easier to understand technologically, that illustrated the new thuggery in bold strokes. Assailants unknown simply overwhelmed business websites with so much bogus traffic that the sites failed. To stop, they wanted $30,000 or more wired to countries in Eastern Europe.
I called around to the victimized companies, looking in part for something to make the tale even better, so that any reader could follow along and learn. I quickly heard about cyber defender Barrett Lyon.
He was young and unassuming, yet enormously bright and articulate. He had actually chatted with the attackers. Yes, he knew some of their names. He didn’t happen to have a record of those chats, did he? Sure he did. Don’t suppose the cops had taken much interest in the case, since they normally throw up their hands at cybercrime? Why, yes, they had—the FBI, the Secret Service, and the national authorities in the U.K. and Russia. The saga grew until it gave a panoramic view of organized crime’s brazen new initiative.
Of course, the sort of attack that Barrett specialized in warding off was merely one dramatic aspect of a bigger and rapidly metastasizing problem—technology advances that were helping criminals even more than they were helping consumers. Online scams and identity theft soared, and an entire underground industry grew. Enormous data heists from such places as the information broker ChoicePoint and retailer T.J. Maxx generated plenty of headlines.
By 2009, 30 percent of Americans had become identity theft victims, companies and individuals were losing an estimated $1 trillion a year to Internet criminals, and confidence in the electronic economy and the stability of the information infrastructure was fraying. Now it wasn’t only about cash, but about international politics and cyberwarfare as well.
Even if someone were dedicated to sorting out what was going on and where it was leading, there wasn’t much help to be found. Few with any knowledge had an incentive to talk. Not Microsoft or the other software companies, whose flawed products made penetration by criminals so easy; not most security firms, whose services were falling farther behind; and not law enforcement agencies, which were catching less than 1 percent of the bad guys.
Private researchers could explain how one virus differed from previous versions, law enforcement could complain about how the trails from identity theft crimes went overseas and grew cold, and a handful of academics could hold forth on the politics of Eastern Europe. But even as fears rose to the point that President Barack Obama devoted a speech to the vast dangers of cybercrime, cyberspying, and cyberwar, almost no one could give a full picture.
Once more, Barrett Lyon could. By then, I learned, he had penetrated not just the Russian mob but the American mob as well, and had gone undercover again, this time wearing a wire for the FBI. Only now does that work become public.
In turn, he and I also met British agent Andy Crocker, who followed his leads and plunged deeper than any previous Westerner into hacking in the former Soviet Union—and whose adventures have never been recounted. Together we retraced the greatest international cybercrime prosecution in history, as an officer from the Russian MVD put it to us in a vodka toast.
Their combined stories shine by far the brightest light yet into a shadow economy that is worth several times more than the illegal drug trade, that has already disrupted national governments, and that has the potential to undermine Western affluence and security. This book is about the triumph of two men who went where none like them had gone before.
But it is also a warning about disaster well along in the making. By mid-2009, word had spread far enough in secretive government circles about the exploits of Barrett Lyon and Andy Crocker that they were flown to Washington to lecture more than a hundred top spies for the U.S. and its allies. Yet those officials still weren’t getting the most important message. And both heroes had quit working for their governments.
Cybercrime is too important to be left to the professionals. Read this book and understand why.
PART ONE
1
WARGAMES
FLYING DOWN TO COSTA RICA, Barrett Lyon couldn’t wait to meet his new clients in the flesh. It was two days after Christmas 2003, and the twenty-five-year-old computer whiz from near California’s Lake Tahoe figured to be welcomed like a conquering hero. The early-morning flight banked away from San Francisco International Airport, piercing the winter clouds as it gained altitude. Barrett looked over at the pretty brunette by his side and felt he was on the cusp of a new and better phase in his life. BetCRIS—short for Bet Costa Rica International Sports—was not only treating him to the trip, it was paying for his girlfriend, Rachelle Sterling, to come along. It was their first plane journey together, and her first outside the country. He hoped it would go a long way toward easing the tensions of the past six weeks.
Barrett now realized he must have seemed irrationally obsessed with BetCRIS, defending an unseen company in Costa Rica against invisible enemies in yet another country. Most of the time all Rachelle saw was Barrett’s six-foot, two-inch frame hunched over the boomerang-shaped desk in their cramped Sacramento condo. For twenty or more hours a day Barrett stared blearily into the computer screens he used to track electronic assaults. He even blew off the family Thanksgiving he had promised her so he could try to get his programs and configurations working better. He had been too focused to thank her for bringing him the leftover turkey, let alone to explain everything he was doing.
To Barrett it was a battle for the ages, one that reminded him of WarGames, the 1983 movie memorialized in the poster on his wall. In the film, a bright but unschooled teen looking to play games online stumbles into a government supercomputer, nearly launching World War III. Barrett thought he had skipped the initial blunder and gone straight to the fun stuff, trying to short-circuit a cyberbattle that was costing real people their jobs and fortunes.
BetCRIS took in hundreds of millions of dollars every year in sports bets, making it one of the largest gambling houses and among the first to seek a legal haven offshore while catering to U.S. customers. But a vicious attack kept crashing the website during the peak season, keeping bettors away and costing BetCRIS as much as $5 million a day in lost business. Barrett didn’t know if the technologically savvy thugs had been hired by the sportsbook’s competitors or were operating on their own. In either case, they were trying to extract money from the company in exchange for going away—a perfect protection racket for the cyber age. If the bad guys succeeded at BetCRIS, they would be fools not to attack hundreds of other companies.
The previous spring, the first hint of a problem with the BetCRIS website hadn’t been enough to worry the company’s general manager, Mickey Richardson. Inside the seven-story building in Costa Rica’s capital, San Jose, behind the black glass that kept out the heat and the gazes of the curious, the phones were ringing as usual. But bets placed over the 800 number were a minority of the business. For more than a year now, most of the money had come in over the Web, placed by bettors in their homes and office buildings. Over that spring week, however, BetCRIS began hearing complaints that the Web pages were sluggish. “What the hell’s wrong with the site?” barked Mickey, who was usually nice when his money wasn’t involved. Technician Glenn Lebumfacil checked the logs and saw that while there was a crush of visitors to the website, they weren’t real customers. Personal computers from around the world were coming to BetCRIS.com and immediately leaving again. As to why, Glenn had no idea. The mysterious slowdown continued for days.
Checking his email one morning, Mickey got the surprising explanation—along with an extortion demand. An anonymous hacker crowed that he was subjecting Mickey’s site to a denial-of-service attack, in which a deluge of fake requests for information overwhelms a Web page. Unlike the teen hackers who had shut down the likes of Yahoo! and eBay during the dot-com boom for bragging rights, the emailer didn’t want attention. He just wanted $500 pronto, via the online payment service e-Gold.
“Big deal,” Mickey said aloud. He could spend that much on a good night at the local sushi bar. Mickey paid. That was a cheap wake-up call, he thought. The next time might be more expensive. So Mickey phoned the most tech-savvy people he knew and asked where they turned for defense. When he got to top oddsmaker Don Best Sports in Las Vegas, his business allies there couldn’t say enough good things about the kid from California who had saved them from a similar assault a year earlier—an intense but affable surfer named Barrett Lyon.
Mickey called Barrett and ran through what had happened. Since the problem wasn’t dire—BetCRIS was up and running—Barrett gave him some free advice. He told Mickey to buy a couple of machines from a Massachusetts company that specialized in thwarting unfriendly Web traffic, Top Layer. Mickey paid $20,000 for the equipment, and Barrett talked Glenn through setting it up. If this ever happens again, we won’t have a problem, Mickey thought. Some months later, Mickey began hearing rumors from his cronies. New computer attacks were hitting the competition, and after some initial defiance, most of the offshore bookies were paying up. “These fucks are brutal,” one warned. “There’s no way to stop them.” A few sites that didn’t pay got shut down for nearly a month. Their bank balances were pummeled as gamblers turned elsewhere and revenue vanished. A couple of sites never opened again, leaving angry bettors with no way to recover the money from their accounts and howling about fraud.
Now the extortionists wanted $30,000 or more for a year’s freedom from attacks. Mickey chuckled to himself, thinking it had cost him only $500 and the new gear. Then his turn came around again. The Saturday before Thanksgiving, an email arrived just before 8 A.M. “Your site is under attack,” it said, demanding $40,000 by the following noon in exchange for one year of peace. One of the biggest betting weeks of the year was about to begin, boasting special professional and college football games, with basketball to boot. “If you choose not to pay for our help, then you will probably not be in business much longer, as you will be under attack each weekend for the next 20 weeks,” the author wrote.
Mickey asked Glenn if the Top Layer gear was up to the challenge. “We should be safe,” his technician said. “I think our network is nice and tight.” Glenn had no idea how exponentially more powerful the bad guys had gotten in the past half-year. They had taken over hundreds or thousands of PCs for a “distributed” denial-of-service, or DDoS, so that the malicious traffic came from everywhere at once. Once they were turned into zombies, under the control of an unseen master, the computers could attack in multiple ways. Top Layer’s equipment was designed to stop only a few basic methods. After Mickey failed to answer the attacker’s first email, a massive denial-of-service attack wiped out the Top Layer machines in just ten minutes, crashing the BetCRIS site. The onslaught also wiped out Digital Solutions, the Internet service provider for BetCRIS and about half the other gambling companies in Costa Rica. Digital Solutions soon had no choice but to drop BetCRIS from its network, temporarily dumping the site into oblivion.
Glenn felt sick to his stomach. Another email came in from the attacker, this one offering a scant hour to pay before the price of safety went up. Mickey begged for more time, inventing a family emergency. As an old-school expatriate tough guy in an industry full of tough guys, Mickey had already decided to fight back. “I’m stubborn,” he told his deputies. “I want to be the guy that says, ‘I didn’t pay, and I beat them.’”
Going to the U.S. authorities wasn’t an attractive option. The feds wouldn’t have any jurisdiction unless BetCRIS had operations in the U.S.—and if BetCRIS had operations in the U.S., the feds would want to shut the company down themselves for violating American gambling law. Mickey tracked down Barrett, who was already working on behalf of some BetCRIS rivals. Barrett was in the Arizona desert, laying down the digital equivalent of a firebreak at a satellite-based Internet service provider that was the chief alternative to Digital Solutions in Costa Rica. This one had the grand-sounding name of the Phoenix International Teleport. Most customers called it the PIT, and that was a lot more fitting. It consisted mainly of a server farm inside a trailer on an Indian reservation. The PIT hoped that tribal sovereignty would protect it from any legal complications that might arise from letting gambling transactions flow through the trailer’s machines and the enormous satellite dish parked outside up to the sky, then back down to Earth in Costa Rica.
Barrett told Mickey to call Top Layer, which he did to no avail. Mickey’s attacker, meanwhile, warned that Mickey had better wire the protection money fast—and now the price was $60,000. “Sorry moron but I am just having so much fun fucking with you,” he wrote. Mickey called Barrett again on Sunday, more desperate now. “Some advice you gave me,” Mickey complained. “They’re killing me. If I don’t get this fixed, I’m going to have to lay everybody off. Do you have any idea how many families depend on this place?”
This time, Barrett felt he couldn’t say no. He had seen similar assaults before, even before Don Best, but on a much smaller scale. While still in high school, Barrett had created his own company, TheShell.com. It hosted a form of group conversation known as Internet Relay Chat. Long the preferred method of communication for hardcore technology enthusiasts, IRC “channels” could nonetheless degenerate into popularity contests as geeks tried to impress one another. A quirk of the format was that if a channel stopped running and was emptied out, a rival could start it up elsewhere under the same name and take control. Likewise, a hacker annoyed with another user could usurp that user’s nickname, causing all kinds of havoc. The way to stop a channel from running and seize power was to shut it down with a denial-of-service attack. By necessity, Barrett figured out how to fend off such attacks while still a teenager, well before temporary shutdowns of big-name sites made national news. After those dot-com assaults, the blue-chip firms providing the fattest targets for thrill-seekers paid dearly to improve their defenses. Smaller companies with fewer resources remained exposed.
The dark art’s advances stunned Barrett. Instead of relying on a few machines, the cutting-edge extortion gangs such as the one assaulting BetCRIS had thousands and thousands. They had begun weaving together the networks in 2003, when they or their business associates released computer viruses of a previously unseen strength and sophistication to take control of unsecured computers. With little public attention, viruses were morphing from an occasional annoyance to a key criminal tool. Usually without the knowledge of victimized PC owners, the viruses marshaled armies of machines for broad-based denial-of-service attacks, spamming, and whatever else the underworld marketplace found profitable.
Barrett saw this as an enticing contest of wits and brawn, a chance to match his expertise and technology against enormous might. There was also an ethical appeal. Barrett figured that since BetCRIS and its peers were legal in the countries where they were based—and since bookmaking companies in England were publicly traded on the stock market—they all were aboveboard. Their enemies, on the other hand, were cartoonishly thuggish. “In a case if you refuse our offer, your site will be attacked still long time,” one wrote. It sounded so much like a joke that Barrett read the message out loud in the voice of Boris Badenov. But he knew that BetCRIS wasn’t smiling. For a libertarian-leaning philosophy major, helping the gambling site was an easy call.
From his work at the Phoenix International Teleport and from talking to Costa Rica companies by phone, Barrett figured that he had a real challenge on his hands. Both the PIT and Digital Solutions were small Internet service providers, and the opposition had already displayed enough firepower to knock them out. He would have to assemble enough bandwidth that he could function like an ISP himself—and that was just to get in the game. He called PureGig, a powerhouse service provider that was also based in Phoenix. PureGig weighed the risk of getting pummeled against the benefit of learning how to handle denial-of-service attacks on customers. It promised to help.
As BetCRIS went up and down, Barrett threw together what he could with the gambling firm’s hardware and what was at PureGig, along with programming he wrote on the fly. His code diverted some of the bogus traffic, and he hunted by eye for suspect clusters of Internet addresses that he could block. But the hackers randomized the locations that their queries appeared to be coming from. They went after specialized computers at BetCRIS, including the routers and Web servers. And they acted more like real customers would, using software to download data-rich images that clogged the pipes while being harder to filter out.
Now the lead attacker knew that Mickey had been stringing him along, and he was genuinely angry. “I don’t care how long I have to destroy your business,” he wrote. If the grammar was poor, the message was clear. The day before Thanksgiving, the attacker turned up the volume well past what Barrett or PureGig had expected. When PureGig’s other customers started suffering, the company took down Barrett’s operation so they both could recalibrate. The enemy went after Digital Solutions as well, knocking off even the bookies who had paid up. Those firms leaned hard on Mickey to pay and stop bleeding them for his pride.
The surge left Barrett battling for thirty-six hours without rest until he brought the website back up. It was slow, but it was up. “Shit, I think this is working,” Barrett shouted in Sacramento. He called Mickey. “Check the site,” Barrett told him. “Yeah?” Mickey said. “Hold on.... Yeah, it’s loading!” Mickey said, clicking around as a customer might, then yelling into the next room. “Hey, guys, we’re back up!” Soon BetCRIS was full of happy men giving each other high fives. Then an underling couldn’t get past the page he was on. “Uh, Mickey?” he said.
Mickey could barely speak. “I know you guys are trying,” he told Glenn Lebumfacil and Dayton Turner, who normally ran the computer networks at another firm in the BetCRIS building. “I don’t want to yell at you guys. But I have to yell at somebody.”
Mickey’s other employees started to slip away from the meeting. “This isn’t worth it,” one muttered. “We must have paid six figures, for what? My clients are gone, and they might not come back.” Mickey knew what they were thinking, and he called together the staff of two hundred for a pep talk. “I know this seems pointless,” he told them. “But we have to do it this way. If we pay these assholes off, they’ll be back for more later. We don’t answer to anyone!”
Instead of spending Thanksgiving on the couch watching football, Mickey stayed in the office, his wife’s dinner uneaten. “Just tell me,” Mickey pleaded with Barrett, “do you really think you’ll be able to fix this? Because otherwise, I’m out of business.” Barrett said he could do it. He kept slogging away, looking for patterns in the attacks. There were only so many ways that the zombies could move, and he programmed his machines to stop them all. Though it went back and forth for more than two weeks, the attacks finally stopped crippling BetCRIS.
By the time of Barrett’s trip south in late December, the site was up most of the time. One of Mickey’s tormentors sent a final email, mocking him for losing so much business during the fight and spending an additional $1 million fending them off—more than they had sought in the first place. “I bet you feel real stupid,” he wrote. Factoring in equipment, bandwidth, and fees to Barrett’s small company, Network Presence, the estimate was on the money, Mickey acknowledged to himself. The intensity of the experience bonded all of the defenders together sight unseen, and Barrett felt that he really knew the guys at BetCRIS, that they were friends.
COSTA RICA WAS STILL WARM when Barrett and Rachelle landed in San Jose. Glenn met them at the airport and took them to the Hotel Corobici. The balconies jutted out over an angled internal courtyard with hanging plants—not bad for the Third World. There was a decent-sized pool and a casino, which reminded Barrett that gambling was perfectly legitimate in the country. Then Glenn escorted them to the BetCRIS building, San Jose’s tallest. Nicknamed the Hive, it sat across from a park with a large lake and a fountain, stands of bamboo, and jogging paths. Barrett noticed the armed man in a suit posted outside the Hive’s front door but said nothing to Rachelle.
Every company inside was connected to gambling in some way. BetCRIS owned the building and occupied the top two floors, with a pit that made Barrett think of a stock exchange. Instead of computer monitors showing stock trades, though, the area was lined with banks of televisions tuned to every conceivable sporting event. Native Costa Ricans and fast-talking expatriate employees with New York, New Jersey, and Philadelphia accents were constantly taking bets over the phone or tending to the wagers over the Web. “There he is!” Mickey shouted as soon as he saw Barrett. “Goddamn, you’re young! What are you, in high school?” Mickey himself was still in his thirties, though his bad teeth and the extra weight he carried under his Hawaiian shirts made him look older, a bit like an overfed Jay Leno.
He put his arm around Barrett and introduced him around. Barrett had talked to the members of the core group by phone several times daily during the onslaught. Canadian Dayton was about the same age as Glenn and Barrett, and like the others self-taught. Dayton was less serious than Glenn, sarcastic, and a bit of an adventurer. Barrett liked him right away.
On the phone, the head of BetCRIS’s beleaguered Internet service provider, Brian Green, had been all business, with a barky voice and an alpha-male personality kept barely in check. The Digital Solutions CEO was a major figure at the Hive, and Mickey called him his partner. Brian was short and overweight, a Danny DeVito with gold chains.
Brian asked Barrett and Rachelle if there was anything they wanted to do while they were in Costa Rica, which did a brisk business in tourism. When he mentioned deep-sea fishing in the Pacific, the couple said that sounded like fun, and Brian said he’d be glad to take them. The next morning, he and his bodyguard-driver, Leo, picked them up, and they drove for hours to Los Sueños, a posh coastal resort with palm trees, azure-blue swimming pools, and rooms with enormous flat-screen televisions. They met Brian’s regular choice for boat charters, the captain of the good ship Spanish Fly. The fishing was terrific. Rachelle snapped photos of Barrett hoisting a sailfish so big he needed help to hold it. They also caught marlin and tuna, which the boat captain, Bimi, turned into sushi on the spot.
As they sailed and fished, Barrett got to know a bit about the others on board. Bimi’s past profession, it emerged, was cocaine smuggling. He’d done time in jail, but the government hadn’t found all his money. That evening, Barrett couldn’t help but notice the scars on both of the bodyguard Leo’s knees. “Pistola,” Leo explained, his crooked forefinger pulling an invisible trigger. With Barrett’s rusty Spanish, it took a while for him to work out the basics of what had happened. Leo had been a bank security guard in Panama. A robber came in, the shooting started, and the robber didn’t go out. Leo had killed the man. Barrett took in the story with awe.
Two days later, Dayton took Barrett and Rachelle on a bus journey into the rain forest, followed by a boat trip down a river, and finally a long ride on horseback. Then they took breathtaking runs down a zip-line through the rain forest canopy. That night Mickey took everyone out to a steak dinner served with an Opus One cabernet sauvignon blend. Barrett grew so sick with food poisoning he had to leave halfway through.