Saturday, July 16, 2016

Hacking, Carding, SWATting and OCD: The Case of Mir Islam

There can be no argument that Mir Islam is a hideous Internet Troll. He was part of a group of hackers who participated in elaborate scams that combined social engineering, hacking, and obtaining credit reports under false pretenses to expose the personally identifiable information of "at least 50 celebrities" on the website "exposed.su."

On July 11, 2016, Islam was given a 2-year sentence for "SWATting and Doxing" Arizona victims. The Justice.gov press release on the sentence (see: https://www.justice.gov/usao-dc/pr/new-york-man-sentenced-24-months-prison-internet-offenses-including-doxing-swatting ) mentions that his false 9-1-1 calls to summon SWAT teams unnecessarily involved cases against at least 20 celebrities and state and federal officials, including an Assistant United States Attorney and a Congressman from Michigan.

The world's top cybersecurity journalist, Brian Krebs, was among the victims of Islam's group after revealing on his blog the methods used by the group to dox celebrities including Arnold Schwarzenegger, Ashton Kutcher, and Jay Z, and government officials including FBI Director Robert Mueller, CIA Director John Brennan, and First Lady Michelle Obama. Krebs revealed the methods at KrebsOnSecurity in 2013 -- Credit Reports Sold for Cheap in the Underweb.

JoshTheGod's Prior Experience as a Credit Card Thief

Like so many other young cyber criminals, Mir Islam had been active in the carding scene, stealing and selling credit card information, and after his arrest tried to work a deal to be an informant. And like Albert Gonzalez, Max Vision, and so many other cybercriminals, he was a disaster as an informant. Under the alias of JoshTheGod, "Josh" had been previously arrested, tried, convicted, and sentenced for Attempted Access Device Fraud, Conspiracy to Commit Access Device Fraud, Aggravated Identity Theft, and Conspiracy to Commit Computer Intrusion. He was a member of a group called "UGNazi" and admitted to being a co-founder of the credit card trading website "Carders.org."

He was arrested as part of  a massive action announced on June 26, 2012, that also included 404myth (Christian Cangeopol of Georgia), Cubby (Mark Caparelli of San Diego, CA), Kabraxis314 (Sean Harper of Albuquerque, New Mexico), kool+kake (Alex Hatala of Jacksonville, Florida), OxideDox (Joshua Hicks of Bronx, NY), xVisceral (Michael Hogue of Tucson, AZ), IwearaMAGNUM (Peter Ketchum of Pittsfield, MA), theboner1 (Steven Hansen of Wisconsin) (and two minors). The case also involved 13 other arrests overseas.


What were those charges based on? Here are some from the charging document, filed May 28, 2013:

"From at least in or about 2009, through at least in or about June 2012, [the defendant and others] did willfully and knowingly did combine, conspire, confederate, and agree together and with each other to commit offenses under Title 18, United States Code Section 1029(a) to . . . "
  • (in 2010) purchase at least 20 computer servers over the Internet using stolen credit card information belonging to other individuals
  • (in 2011) establish an Internet forum for other co-conspirators to buy, sell, and exchange stolen credit card information
  • (in Feb 2012) possess stolen credit card information belonging to OVER 50,000 OTHER INDIVIDUALS
  • use stolen bank account numbers to fraudulently make purchases
  • launch coordinated attacks on computer systems for the purpose of disabling those systems, including (Jan 2012 - DDOS attacks against the Ultimate Fighting Championship; DDOS attacks against Coach, Inc; June 2012 - DDOS attacks against the Wounded Warrior Project)

The FBI Press Release also projected what charges Mr. Islam may be facing:







10 years for Access Device Fraud and 15 years for Affecting Transactions with unauthorized devices.


Aggravated Identity Theft

Under the law, identity theft is considered a FELONY if the perpetrator is found to have been involved in "the production or transfer of MORE THAN FIVE identification documents."

Quick math check.  50,000 credit cards > 5.  Ok, we're good.

Despite the fact that the criminal code, 18 U.S. Code § 1028A -- Aggravated Identity Theft, was SPECIFICALLY CREATED via the "Identity Theft Penalty Enhancement Act of 2004" to give a MANDATORY SENTENCE of 2 years imprisonment in addition to any other sentence received, Mir Islam was convicted of Aggravated Identity Theft and sentenced to ONE DAY imprisonment and three years supervised release.  Wait!?!?!  How did we get from "probably 10-15 years" to ONE DAY?

Did I mention that the two year sentence is MANDATORY?  Let's make that even more clear:
(b) CONSECUTIVE SENTENCE -- Notwithstanding any other provision of law --
(1) a court SHALL NOT PLACE ON PROBATION any person convicted of a violation of this section.
(2) except as provided in paragraph (4), no term of imprisonment imposed on a person under this section shall run concurrently with any other term of imprisonment imposed on the person under any other provision of law, including any term of imprisonment imposed for the felony during which the means of identification was transferred, possessed, or used;
(3) in determining any term of imprisonment to be imposed for the felony during which the means of identification was transferred, possessed, or used, a court shall not in any way reduce the term to be imposed for such crime so as to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section;

Gee! It almost sounds like a person who commits Aggravated Identity Theft is not supposed to get Probation or a Reduced Sentence! In fact, in 2015, the Congressional Research Service was specifically asked to examine this statute. Their conclusion was that "More than half of the judges responding to the United States Sentencing Commission survey felt that the two-year mandatory minimum penalty was generally appropriate." While they fell short of wildly praising the statute, they summarized their report as being "mildly complimentary of the provision." (see "Mandatory Minimum Sentencing: Federal Aggravated Identity Theft")

Unfortunately, in order for the Mandatory term to be considered in effect, the corresponding Felony has to receive a sentence of "greater than one year" (which is why we see so many sentences of "a year and a day"). As part of a plea agreement, he agreed to the dramatically reduced sentence of ONE DAY for the carding charges, in exchange for cooperating in good faith with the Southern District of New York's office to try to identify further co-conspirators in his case. Because it was the desire of law enforcement to use Mr. Islam as a source, he was given a sentence of ONE DAY for the carding charges, meaning that the intention of the legislators was entirely thwarted. Rather than cooperating, the Prosecution's sentencing memo indicates, Islam was "toying with his FBI handlers, and continued his criminal activity in the Exposed conspiracy and his cyber-stalking."

One of the conditions of his supervised release was set as "No Use of Computer or Internet Access without the Permission of the Parole Officer," which condition Mir Islam agreed to and swore to obey before a judge on June 26, 2012.   

JoshTheGod Re-Offends

On June 10, 2013, a US District Judge approved a modification of the defendant's bail to include mandatory mental health treatment, and to provide that the defendant BE ALLOWED TO PROCESS CREDIT CARD TRANSACTIONS AT HIS PLACE OF EMPLOYMENT and be allowed to possess a computer and access the Internet under the supervision of a case agent. (See PACER -- Case 1:12-cr-00810-KMW Document 26)

Great idea. Let's give a convicted credit card criminal permission to process credit cards at work.  After all, it's been more than a year since he was arrested for STEALING FIFTY THOUSAND CREDIT CARDS and running a forum for selling them on the Internet.

He didn't quite make it 90 days.  He was re-arrested on September 4, 2013. 

His new case (1:15-cr-00067-RDM) opens up with charges of Violations of 18 USC Section 371 (Conspiracy), 18 USC Section 844(e) (Threatening and Conveying False Information Concerning Use of Explosive), and 18 USC Section 2261A(2) (Stalking).

The Conspiracy charges include that he was still doing identity theft and wire fraud (18 USC Sections 1343, 1030(a)(2), 1028(a)(7), 1028(b)(2)(B)), and that once again it was "Aggravated Identity Theft" level -- "15 or more devices which are unauthorized access devices, to wit, social security numbers" -- 1029(a)(3) and 1029(c)(1)(A)(i). The charges also state that he used those SSNs to obtain a thing of value (42 USC Section 408(a)(7)(B)), that he accessed a computer without authorization (18 USC 1030(a)(2)(A) and 1030(c)(2)(A)), that he "devised a scheme to defraud and obtain property by means of materially false and fraudulent pretenses" (18 USC Section 1343), that he used a "deadly or dangerous weapon to assault, impede, intimidate or interfere with an officer or employee of the US Government" -- 18 USC Section 111(a), 111(b), and that he transmitted a threat to injure the person of another via interstate commerce -- 18 USC Section 875c.

Some of the particulars from this second round of charges include:
  • March 2013 - purchasing stolen credit reports for US and State government officials and public celebrities from Exposed.su
  • March 22, 2013 - began stalking "A.R.T" (the Arizona cheerleader) via email, Facebook, Instagram, Text message, and telephone calls, and making false Twitter accounts in A.R.T's name.
  • March 23, 2013 - called in bomb threats to University of Arizona
  • March 31, 2013 - "Swatting" a US Government employee in Massachusetts
  • April 2013 - buying more credit reports for US and State government officials and public celebrities from "exposed.re"
  • April 19, 2013 - "Swatting" T.L. a state government official in California
  • April 27, 2013 - "Swatting" M.R. (that would be Mike Rogers, Congressman of Michigan)
  • July 22, 2013, bought more credit reports from "exposed.ws" 
  • August 12, 2013 - uploaded many sets of "Dox" to "exposed.ws" on a server in Washington DC

Mental Illness and Reducing Sentence

This week the sentence finally came down on Mir Islam.  He was sentenced to 24 months in prison to be followed by 36 months of supervised release, during which he will be required to participate in Education/Vocational training approved by Probations, participate in a Mental Health Treatment program, and consent to disclosing a list of all computer systems and internet capable devices and allowing them to be forensically searched or to have computer/internet monitoring program installed.

Why?   Partly because of an amazing 82 page "Defendant's Memorandum in Aid of Sentencing" that begins with:

Mr. Islam has matured immensely during his 34 months of incarceration and has taken great strides to atone for his behavior and overcome the mental health issues that contributed to it. Accordingly, it is respectfully submitted that a sentence of time served and 36 months of supervised release would represent a sentence that is sufficient, but not greater than necessary to meet the purposes of sentencing reflected in 18 USC Section § 3353(a). Such a sentence would be longer than many if not most sentences in similar cases, and would adequately punish conduct by an immature and mentally-ill teenager who, by the government's own admission, has earned a departure from the applicable guidelines range.

The memo then goes on to talk about his "Good Time Served" (meaning he was a model prisoner, which is not unexpected, given lack of access to a computer or telephone). He then argues that the "doxing" was not really so bad, since "The Secret Files" were only accessible during three short periods, for 8 days, 20 days, and 20 days.

He also claims that "Doxing" is not illegal (citing an article in The Daily Beast, where all good legal theories should come from) and that we should consider the "veneer of legality, especially as perceived by the immature minds of the teenage co-conspirators." He goes on to say that we should consider the "misguided but public-minded spirit and desire for attention not uncommon among teenagers." Would that be the "public-minded spirit" that caused so many SWAT teams to waste their time and place innocent people in danger? Just in the University of Arizona case, testimony was given that FIFTY-FOUR OFFICERS were involved in searching for the non-existent bomb while classes were canceled and students, staff and faculty faced the fear (and inconvenience) of potential death during the ensuing lockdown.

While the defense admits that swatting was "extremely traumatic and dangerous" he claims that "in the online gaming communities in which Islam practically lived and breathed, swatting was an unfortunately common tactic used by competitive gamers to harass their opponents."  Because of this we are to understand that this would have been considered "normal" behavior by "teenagers immersed in this new online world."

In the case of the swatting of an Assistant US Attorney, the government provides a transcript of the 9-1-1 call:
"Hello my wife is dead.  I shot her and now she's dead.  I don't know what to do. I'm having thoughts of hurting people and I don't know what to do.  If anyone comes in my house I might shoot them.  I am just letting you know now if I see any police outside my house I will start shooting.  I will not be taken alive.  Mark my words. I am not going to prison for the rest of my life.  I will not.  Don't worry about where I am at in the house. If any cops are outside in my yard or on the street I will start shooting.  By the way I have a police scanner right next to me and I can hear everything and you guys  think I'm joking.  I will shoot anyone who comes near my property.  I see cars outside my house I swear I will shoot.  I am not playing.  I am not fucking around. I will shot them.  You know I work with the police a lot but I am not afraid to shoot them."

Youthful prank, right?

The defense then moves on to address the cyberstalking of A.R.T., which he admits "subjected her to emotional distress, anxiety, and fear for her safety" and was "extremely serious."  HOWEVER, he goes on, "Islam was suffering from untreated obsessive-compulsive disorder (OCD) which fueled his obsession for A.R.T. and drove him to try to contact her through any and all means."  Islam "believed at the time that he had communicated and developed a relationship with A.R.T. through weeks of online conversations, causing him extreme confusion and anxiety with her refusal to interact with him in the non-virtual world."

The document then goes on to explain Islam's life, immigrating at age six from Bangladesh to Bronx, New York. They say he had untreated bipolar disorder, chronic depression, OCD, and ADHD, which led to him dropping out of high school to spend 15-18 hours per day online without interruption or parental intervention.  They then go on to explain his "carding" as a "seductive playground that allowed them to purchase food and electronics with stolen credit card numbers" and that Islam viewed these activities as "adolescent pranks."

Next we turn to his prison hardships, including the fact that he was denied a lower bunk even though he was a restless sleeper (which the defense says led to a herniated disc, nerve damage, and chronic pain after falling from a top bunk). He also claims he was given "vitamins contaminated by mold" that damaged the cartilage in his wrists and knees, discolored his skin, and exacerbated his chronic pain. That is some mighty powerful Vitamin Mold! Islam also filed charges against the prison for denying him Kosher food. (These examples are offered to invoke the sentencing reduction for "Harsh conditions of confinement." Not sure if "denied lower bunk" and "given moldy vitamins" are what the term "Harsh conditions" normally means.)

CyberCrime: The World Where Sentencing Guidelines Don't Matter At All

The strongest and most unforgivable argument the defense makes is that Section 3553(a) directs courts to consider the need to avoid unwarranted sentencing disparities. In the government's sentencing memo they had made the assertion that they were "unaware of any individuals sentenced for conduct similar to Islam's." The defense jumps on that and waves it in their faces! The defense argues that because Hector "Sabu" Monsegur of Lulzsec got RIDICULOUS [my term] sentencing departures (a 97% reduction in the minimum sentencing) and because Sabu and JoshTheGod were both people who violated their release conditions and were remanded back into custody for very similar crimes, the Federal Government themselves had basically established precedent that hacker sentencing guidelines are worthless and not to be taken at face value.


The defense also argues "The need to avoid unwarranted sentencing disparities" with regard to other swatting cases. They cite Tollis (1 year and 1 day for numerous swattings of schools and universities) and James Eli Shiffer (15 months for multiple doxing, swatting, and cyberstalking incidents). That argument is strengthened even more by the government's failure to observe proper sentencing for many of those arrested at the same time as Islam. The defense gives examples including Christian Cangeopol (3 years probation), Harper (time served), Joshua Hicks (2 years probation), Michael Hogue (5 years probation) and Peter Ketchum (2 years probation). The LulzSec slap-on-the-wrist cases were also used in the Defense's argument - Cody Kretsinger (1 year imprisonment, 1 year home detention), Raynaldo Rivera (1 year and 1 day, 13 months home detention), Matthew Flannery (15 months home detention) and Hector Xavier Monsegur, already mentioned (7 months).

 Part of the Defendant's package was a letter to the judge praising Mir Islam for being a successful graduate of The Focus Forward class, where he studied the book A Long Way Gone and learned public speaking, conflict resolution, and resume writing skills.  He brought "light-hearted humor and laughter to class discussions" and "displayed humility, opening up to the group about the frustration and disappointment he felt about finding himself in this situation."  

Would that be the same "light-hearted humor" that he used when telling University of Arizona police that he was holding a rifle to the head of a woman that he was planning to kill if he did not receive $50,000 in ransom, and that he had placed explosives in eight campus buildings and was going to blow them up and start shooting?

Mir himself wrote a letter to the judge about how he wants to make a project "similar to PayPal" to help the members of my society stop getting ripped off.  Excuse me.  You can read his letter while I go get a tissue:


Chance of Re-offending?

Really?   This letter comes from the kid who arranged a ONE DAY sentence for all of his credit card crimes in exchange for giving his "Full Cooperation" to the SDNY FBI Office. Despite the prosecution's Sentencing Memo pointing out that "Based on Islam's duplicity in his SNY case, any expression of remorse or contrition by Islam should be viewed with a great deal of skepticism" the judge chose to ignore this and issue Yet Another Slap On The Wrist.

 Anyone taking bets on how many months it takes for Mir Islam to re-offend when he is released?  Put me down for "thirty-days or less."


2 comments:

  1. Great synopsis, Gary, thanks. -Bk

  2. I was a part of one of the gaming communities this degenerate claimed to be from. His practices were by no means common or used by anyone else but him and a friend he had in Canada. Both were exiled from the community and that is when they started doxxing, ddosing, and swatting members.

    Luckily the community was worldwide so many members could not be attacked. He tried doxxing me but pulled the wrong information, he also attempted to send malware (RATs, keyloggers) and other such things. I don't know what this judge was thinking but I have no doubt he'll go back to prison soon and hopefully be given a real sentence. I took part in helping the organizer of the community and hopefully the FBI gain real direction towards his real person.

    I even laughed at the transcript he had with the FBI member who he thought was his friend, "we'll never have to work again, the money is good at least $4-5000 a month." While maybe inappropriate, I hope he has a horrible time in the fed and meets someone who might stretch him out a good bit.

