Going Price

The hacker used bank-account information scraped from more than 25,000 victims' computers, in some cases renting other cyberthieves' networks of infected computers. He created counterfeit checks with banking data and mailed them to money mules throughout the United States. They cashed them, then forwarded the funds untraceably to Russia. He even used stolen credit card numbers vacuumed from the victims' hard drives to buy pre-paid postal-service labels for the packages.

"From start to finish, this guy leveraged every bit of data," said Alex Cox, an investigator for Netwitness, a cybersecurity division of EMC Corp., which has also been tracking Soldier's activities.

The most remarkable thing about the theft -- and this is, to experts in the field, the most worrisome development of the past few months -- was that Soldier didn't need any special expertise with computers. All he needed was a shopping list.

"He's not a lone hacker," said Trend Micro's David Perry. "He didn't write any code."

Shopping List

Strom said the FBI is also tracking Soldier and is confident they'll get him. "These guys are very sophisticated, but often times they slip up," Strom said.

Strom and other investigators have one significant advantage: The hackers have a habit of turning their skills on one another. The FBI's DarkMarket sting started with a hacker war between a hacker, calling himself Iceman, who ran CardersMarket, and JiLsi, the DarkMarket administrator, whose real name was Renukanth Subramaniam, the FBI said.

"We took advantage of that animosity," Strom said, eventually persuading JiLsi to turn over the site to the FBI and giving the bureau control over all communications involving DarkMarket's 2,500 members. As a result, Subramaniam was sentenced to more than four years in prison in the U.K.

Maza, the elite Russian forum, was recently hacked and its database dumped online. It presented a priceless opportunity for law enforcement. The forum's database held membership lists, e-mail addresses, IP addresses, and passwords -- the kind of information the world's top cyber thieves try very hard to keep secret. The main suspect in the Maza attack is the administrator of a rival site, Hex Nightmare said.

Learned A Lot
