Sunday, August 12, 2012

Carder Christopher Schroebel gets Seven Years

21 years old and thinking about Cybercrime as a career choice?  Think again.  Seattle-based U.S. Attorney Jenny Durkan told a press conference back on June 11, 2012 "People think that cybercriminals cannot be found or apprehended.  Today we know that's not true.  You cannot hide in cyberspace.  We will find you.  We will charge you.  We will extradite you and we will prosecute you." (see: MSNBC: Feds Arrest Alleged Credit Card Fraud Kingpin.) 

Christopher A. Schroebel

Durkan seems to be standing true to her word.  Friday her office successfully sentenced Christopher A. Schroebel, a 21 year old man from Maryland, to seven years in prison. 

The "Official" complaint against Schroebel says that on a date before July 20, 2011 and continuing until August 3, 2011 Schroebel was stealing information from Mondello's Italian Restaurant,  specifically the data from credit cards belonging to K.H., K.W., J.H., V.D., S.J., and M.H..  That gives us the first charge - Obtaining Information From a Protected Computer.

An interview in the Seattle Times explains what Schroebel did, from the perspective of Corino Bonjrada, the owner of Modello Risorante Italiano.  Schroebel had planted spyware in the Point of Sale terminals of dozens of businesses.  Bonjrada told the Times "Some of my customers were saying they didn't know if they wanted to come back.  They were afraid."  Some of the customers were hit with fraudulent charges "within 10 minutes"of swiping out at his restaurant.  (See: Dutch man charged with stealing Washington credit cards.)
Schroebel was arrested last November possessing over 84,000 stolen or purchased credit card data stripes and made his first court appearance November 21, 2011.  At that time, he was sentenced to an inpatient substance abuse program, and was released from that program on December 26, 2011.   He was picked up and arrested again on a local warrant, and ordered detained as a flight risk January 24, 2012.  So, he has already been in prison nearly more than eight months at this point.  (Detention order is available at

Schroebel entered a plea agreement on May 15, 2012,  and was held pending his August 10, 2012 sentencing.  (See: PACER case number; 180519, Docket 2:2011-cr-00391-RSM.)

The Seattle Police Department describes it a bit better:

The SPD has been actively investigating unauthorized computer intrusions ("hacks") into the computer systems of small businesses located in the Western District of Washington (including Mondello's Italian Restaurant in Magnolia and Seattle Restaurant Store in Shoreline).

The person/s responsible for the hacks installed malicious software ("malware") on the computer systems of the victim businesses.  The malware was designed to, and has collected credit card account numbers belonging to customers/clients of the victim businesses.  The stolen credit card account numbers were then transmitted over the Internet to a computer server under the control of the hacker/s and/or their associations.

USSS ECTF/NCFI Success Story

That's from the affidavit of a SPD Computer Forensics Detective, David Dunn.  He is a member of the USSS Electronic Crimes Task Force, Seattle Field Office.  The Secret Service partners with local police departments all across the country to share their Computer Forensics capability in the form of free training and expertise to help work these cases.  Part of that training is right here in Hoover, Alabama at the National Computer Forensics Institute.  (David actually responded to this post, giving permission to share his name, and confirming that he took AFT (Advanced Forensics Training) and NITRO (Network Intrusion Response) courses at the National Computer Forensics Institute in Hoover.)

Listen to the training and experience this guy got by being a local law enforcement part of the USSS Electronic Crimes Task Force.

In April of 2005, I was transferred to the Seattle Police Department Fraud unit as a Computer Forensic Detective.  I am currently, and since October of 2006 have been assigned as a full time member of the USSS Electronic Crimes Task Force, Seattle Field Office.  I hold a Special Deputation appointment through the United States Marshals Service that permits me to seek and execute arrest and search warrants supporting a federal task force.  As a member of the Seattle USSS E-Crimes Task Force, I investigate violations of federal law in the state of Washington that fall under the responsibility of the USSS, with an emphasis on crimes involving computers, the Internet, and electronic communications.

(...Many local training courses listed, and then... )
My training and experience also specifically includes training and experience regarding computer and network intrusions, commonly known as "hacking."  This includes completion of the 40 hour "Incident Handling and Response" course on network intrusions and incident response through the Department of Homeland Security.  I have experience with packet analysis, malware, and viruses.  I am a Certified Ethical Hacker.  I have attended 104 hours of training in Network Intrusion Response at the National Computer Forensic Institute.  I hold the following certifications: EnCase Certified Examiner, Access Data Certified Examiner, IACIS Computer Forensic Certified Examiner.  I have received advanced training in both network intrusion forensics as well as Point of Sale forensic investigations.

As a member of the USSS ECrimes Task Force, I have worked on numerous computer and network intrusion cases.  These cases have involved a range of hacker techniques and modus operandi, including social engineering, SQL injection attacks, botnet attacks, malware infections and various other menas of computer infection and attack.  I have examined myriad server logs and volumes of  IP address information as part of my investigation of various hacking cases.  I have also created and examined forensic images of dozens of infected and hacked computers and servers.  I have investigated cyber cases involving both national and international victims and suspects.  As a result, I am familiar with schemes involving large scale Internet crimes and network atacks.

(Here's a picture with my summer students from the National Science Foundation Research Experience for Undergraduates at the NCFI - sorry - shameless plug - I think this place is great!)

Back to the Hacking Charges

The Complaint then says that "knowingly and with the intent to defraud, trafficked in and used credit card track data from credit card accounts belonging to (the above) without their knowledge or consent, and by such conduct obtained profits aggregating $1,000 or more, said trafficking affecting interstate and foreign commerce, in that the credit card account numbers that were so trafficked and used by Schroebel and others to make fraudulent purchases in states outside the State of Washington."  That's the second charge - Access Device Fraud.

When Schroebel was arrested, he was in possession of 84,000 credit card numbers that he had stolen or bought from other hackers.

When the SPD investigated the charges made on the cards used by the customers at Mondello's they led them to California. One of the cards, belonging to K.H. was used at Home Depot, Wal-Mart, Jack-n-the-Box, and several other locations.  V.D. and S.J. dined together at Mondello's on July 30, 2011, and BOTH had their cards being used for fraudulent purchases in Southern California on July 31, 2011.

That's where we get to the next interesting member of our trio, GUERILLA BLACK.


(click for press release)

The Indictment of Guerilla Black fills in the California end of the story.

Guerilla Black is described as a "B.I.G. look-alike" (or some would say imitator).  Apparently the record sales needed a bit of supplement to help him live the private jets and limos image he attempted to maintain in his youTube videos.  (Shown above is the track "Compton".)

From at least January 2011 credit cards stolen by Schroebel were showing up in California, being used by Guerilla Black and his crew.  Black's indictment shows many entries such as:

19. On or about February 9, 2011, the coconspirator who hacked the point of sale computer system at the Shoreline, WA business sent an e-mail to CHARLES TONY WILLIAMSON, that contained multiple customer credit card numbers that were stolen through the hack of that business, including at least one credit card number that had been issued by Boeing Employees' Credit Union.


32. On or about July 31, 2011, the coconspirator who hacked the point of sale computer system at the Seattle, WA restaurant sent an e-mail to CHARLES TONY WILLIAMSON, that contained multiple customer credit card numbers that were stolen through the hack of that business, including at least two credit card numbers that had been issued by Boeing Employees' Credit Union.

 (Gee, which two would those be?)

The indictment lays out that Williamson "expressed his preference and desire to coconspirators to buy 'dumps' of stolen credit card numbers 'in bulk,' that is, in lots of at least 100, or 500, or more."  and that he "expressed his preference and obtain credit card numbers that were 'freshly' stolen through 'point of sale system' computer network intrusions rather than card numbers that were skimmed or stolen from credit card databases compiled by others, because the 'fresh' card numbers stolen from point of sale system hacks could be used more successfully for fraudulent transactions."

Williamson "redistributed the stolen card numbers to a network of criminal associates, with the intente and the expectation that these associates would then use the stolen credit card numbers for fraudulent transactions."

But Williamson wasn't the only one Schroebel was selling to . . .

Schrooten / Fortezza

As it turns out, Schroebel would sell the cards he acquired from these POS terminals to another 21 year old, Dutch national David Benjamin Schrooten, who ran a website that sold credit cards to others for their use.

Schrooten will be well-known under his hacker name "Fortezza" to anyone who follows the excellent blog  Krebs story Feds Arrest Kurupt Carding Kingpin tells us more about the English language carding site run by Fortezza called  According to Krebs, Fortezza gained many of his cards by breaking in to a competing carding site.  In retaliation, THOSE carders posted a message announcing that Fortezza "needs to learn not to fuck with Russians !!!" and providing his information, including real name, city, home address, shipping address, telephone number, and fax number.

Krebs has a screen shot of the post on his blog:

Schrooten was arrested as he got off a plane in Romania, and later extradicted to the United States.  He will be tried in September in Seattle.

(click for press release)

According to the Schrooten indictment (also from KrebsOnSecurity) Schrooten is charged with Conspiracy to Commit Access Device Fraud and Bank Fraud, 2 counts of Access Device Fraud, 5 counts of Bank Fraud, 1 count of Intentional Damage to a Protected Computer, and 5 counts of Aggravated Identity Theft.

As we've discussed before, one of the ways our judicial system is not geared up for handling international cybercrime is that wherever these cases are tried, they address only the charges LOCAL TO THAT JURISDICTION.  So, in this case, the trial is in Seattle, which means the only victims who can be named are those with a connection to the Western District of Washington.  Particularly this trio of cases focuses on the charge that the Boeing Employees' Credit Union, and members of the credit union who reside in the Western District of Washington, had money stolen by these criminals.  So, the counts of Bank Fraud against Schrooten specifically refer to transactions on April 25, 2011, August 20, 2011, December 21, 2011, and two on February 1, 2012, where the account holder was a BECU customer who lived within the jurisdiction of this court.

There will likely be more arrests, and more sentences, in this case in the near future.  I wanted to share it now though because it is a great example of what happens when a smart local detective partners with the USSS Electronic Crimes Task Force, and runs down a local crime, along with its international implications.