
Sunday, May 13, 2018

How to Steal a Million: The Memoirs of a Russian Hacker

As a University researcher specializing in cybercrime, I've had the opportunity to watch the Russian carding market closely and write about it frequently on my blog "Cybercrime & Doing Time."  Sometimes this leads to interactions with the various criminals that I have written about, which was the case with Sergey.  I was surprised last January to be contacted and to learn that he had completed a ten year prison sentence and had written a book.   I have to say, I wasn't expecting much.  This was actually the third time a cybercriminal had tried to get my interest in a book they had written, and the first two were both horrible and self-promotional.  I agreed to read his first English draft, which he sent me in January 2017.

I was absolutely hooked from page 1.  As I have told dozens of friends since then, his story-telling vehicle is quite good.  The book starts with him already in prison, and in order to teach the reader about carding and cybercrime, a lawyer visits him periodically in prison, providing the perfect foil needed to explain key concepts to the uninitiated, such as interrupting one of Sergey's stories to ask "Wait.  What is a white card?"
My copy of the book!

As someone who has studied cybercrime for more than 20 years, I was probably more excited than the average reader will be to see so many names and criminal forums and card shops that I recognized -- CarderPlanet, and card shop runners such as Vladislav Khorokhorin AKA BadB, Roman Vega AKA Boa, and data breach and hacking specialists like Albert Gonzalez and Vladimir Drinkman who served as the source of the cards that they were all selling.  These and many of the other characters in this book appeared regularly in this blog.  (A list is at the bottom of this article)

Whether these names are familiar to the reader or not, one can't help but be drawn into this story of intrigue, friendship, and deception as Pavlovich and his friends detect and respond to the various security techniques that shopkeepers, card issuers, and the law enforcement world are using to try to stop them.  Sergey shows how a criminal can rise quickly in the Russian cybercrime world through the face-to-face networking that a $100,000 per month income can provide, jet-setting the world with his fellow criminals and using business air travel, penthouse hotel suites, cocaine and women to loosen the lips of his peers so he can learn their secrets, but he also shows how quickly these business relationships can shatter in the face of law enforcement pressure.

The alternating chapters of the book serve as a stark reminder of where such life choices lead, as Sergey reveals the harsh realities of life in a Russian prison.  Even these are fascinating, as the smooth-talking criminal does his best to learn the social structure of Russian prison and find a safe place for himself on the inside.  The bone-crushing beatings, the deprivation of food and privacy, and the fear of never knowing which inmate or prison guard will snap next in a way that could seriously harm or kill him are a constant reminder that eventually everyone gets caught, and when they do, the consequences are extreme.

Sergey's original English manuscript has been greatly improved with the help of feedback from pre-readers and some great editors. After my original read, I told Sergey "I LOVE the story delivery mechanism, and there are fascinating stories here, but there are a few areas that really need some work."  It's clear that he took feedback like this seriously.  The new book, released in May 2018, is markedly improved without taking anything away from the brilliant story-telling of a fascinating criminal career ending with a harsh encounter with criminal justice.

A purchase link to get the book from Amazon: How to Steal a Million: The Memoirs of a Russian Hacker

The book was extremely revealing to me, helping me to understand just how closely linked the various Russian criminals are to each other, as well as revealing that some brilliant minds, trained in Computer Science and Engineering, and left morally adrift in a land where corruption is a way of life and with little chance of gainful employment, will apply those brilliant minds to stealing our money.

I seriously debated whether I should support this book.  Many so-called "reformed" criminals have reached out to me in the past, asking me to help them with a new career by meeting with them, recommending their services, or helping them find a job.  It is a moral dilemma.  Do I lend assistance to a man who stole millions of dollars from thousands of Americans?  Read the book.  To me, the value of this book is that it is the story of a criminal at the top of his game, betrayed by his colleagues and forced to face the reality of ten years in a Russian prison.  I think the book has value as a warning -- "a few months or even a couple of years of the high life is not worth the price you will pay when it all comes crashing down."

Links to selected blog articles that feature Pavlovich's cast of characters:

May 12, 2008 TJX and Dave and Busters - Maksym Yastremskiy (Maksik), Aleksandr Suvorov (JonnyHell), and Albert Gonzalez (Segvec) and their role in the TJX data breach.

August 5, 2008 TJX Reminder: We Will Arrest You and We Will Send You To Jail - some of the legal aftermath of the case above.

August 8, 2008 TJX: the San Diego Indictments where the US government indicts:
  • SERGEY ALEXANDROVICH PAVLOVICH, aka Panther, aka Diplomaticos, aka PoL1Ce Dog, aka Fallen Angel, aka Panther757
  • DZMITRY VALERYEVICH BURAK, aka Leon, aka Graph, aka Wolf
  • SERGEY VALERYEVICH STORCHAK, aka Fidel
and charges them with violation of "18 USC Section 1029(b)(2) Conspiracy to Traffic Unauthorized Access Devices"

May 9, 2013 ATM Cashers in 26 Countries Steal $40M talks about BadB's role in "Unlimited" ATM cash-out schemes, and his arrest in 2010 and sentencing to 88 months in 2013.

Jan 14, 2014 Target Breach Considered in Light of Drinkman/Gonzalez Data Breach Gang talked about Albert Gonzalez, Vladimir Drinkman, and how there seemed to be such a strong pattern of behavior - a script, if you will - to how criminals were conducting the major data breaches of that time.

Jan 27, 2014 Roman Vega (CarderPlanet's BOA) Finally Gets His Sentence addressed the plight of Roman Vega, who had been drifting around in the American criminal justice system, unsentenced, from 2003 until 2013! Dmitry Golubov AKA Script, the "godfather of CarderPlanet" is also discussed in this post.



Sunday, February 18, 2018

Drinkman and Smilianets Sentenced: The End to Our Longest Databreach Saga?

On Thursday, February 15, 2018, we may have finally reached the end of the Albert Gonzalez data breach saga.  Vladimir Drinkman, age 37, was sentenced to 144 months in prison after pleading guilty before U.S. District Judge Jerome Simandle in New Jersey.  His colleague, Dmitriy Smilianets, age 34, had also pleaded guilty and was sentenced to 51 months and 21 days in prison (which is basically "time served", so he'll walk immediately).  The pair were actually arrested in the Netherlands on June 28, 2012, and the guilty pleas came in September 2015 after they were extradited to New Jersey.

Those who follow data breaches will certainly be familiar with Albert Gonzalez, but may not realize how far back his criminal career goes.

On July 24, 2003, the NYPD arrested Gonzalez in front of a Chase Bank ATM at 2219 Broadway and found him in possession of 15 counterfeit Chase ATM cards and $3,000 in cash (see case 1:09-cr-00626-JBS).  After that arrest, Gonzalez was taken under the wing of a pair of Secret Service agents, David Esposito and Steve Ward.  Gonzalez describes some of the activities he engaged in during his time as a CI in the 53-page appeal that he filed on March 24, 2011, from his prison cell in Milan, Michigan.

At one point he claims that he explained to Agent Ward that he owed a Russian criminal $5,000 and couldn't afford to pay it.  According to his appeal, Ward told him to "Go do your thing, just don't get caught," and later asked him whether he had "handled it."  Because of this, Gonzalez (who, according to his own sentencing memo discussed below, likely has Asperger's) claims he believed he had permission to hack as long as he didn't get caught.

Over Christmas 2007, Gonzalez and his crew hacked Heartland Payment Systems and stole around 130 million credit and debit card numbers.  He was also charged with hacking 7-Eleven (August 2007) and Hannaford Brothers (November 2007), where he stole 4.2 million credit and debit cards.  Two additional data breaches, against "Company A" and "Company B", were also listed.  Gonzalez's indictment refers to "HACKER 1 who resided in or near Russia" and "HACKER 2 who resided in or near Russia."  Another co-conspirator, "PT", was later identified as Patrick Toey, a resident of Virginia Beach, VA.  (Patrick Toey's sentencing memorandum is a fascinating document that describes his first "cash out trip" working for Albert Gonzalez in 2003.  Toey describes being a high school dropout who smoked marijuana and drank heavily and who was "put on a bus to New York" by his mother to do the cash-out run because she needed rent money.  Toey later moved in with Gonzalez in Miami, where he describes hacking Forever 21 "for Gonzalez" among other hacks.)

Gonzalez's extracurricular activities caught up with him when Maksym Yastremskiy (AKA Maksik) was arrested in Turkey.  Another point of Gonzalez's appeal was to say that Maksik was tortured by Turkish police, and that without said torture he never would have confessed, which would have meant that Gonzalez (then acting online as "Segvec") would never have been identified or arrested.  Gonzalez claims that he suffered from an inadequate defense, because his lawyer should have objected to the evidence "obtained under torture."  These charges against Gonzalez were tried in the Eastern District of New York (2:08-cr-00160-SJF-AKT) and proved that Gonzalez was part of the Dave & Buster's data breach.

On December 15, 2009, Gonzalez tried to shrug off some of his federal charges by filing a sentencing memo claiming that he lacked the "capacity to knowingly evaluate the wrongfulness of his actions," asserting that his criminal behavior "was consistent with description of the Asperger's disorder," and that he exhibited characteristics of "Internet addiction."  Two weeks later, after arguing that the court could not conduct its own psychological exam, Gonzalez signed a guilty plea, agreeing that the prosecutor would try to limit his sentence to 17 years.  He is currently imprisoned in Yazoo, Mississippi (FBOP # 25702-050), scheduled to be released October 29, 2025.

Eventually "HACKER 1" and "HACKER 2" were indicted themselves in April 2012, with an arrest warrant issued in July 2012, but because some of the conspirators were still at large, the indictment was not unsealed until December 18, 2013.  HACKER 1 was Drinkman.  HACKER 2 was Alexandr Kalinin, who was also indicted with Drinkman and Smilianets.

Shortly after the Target Data Breach, I created a presentation called "Target Data Breach: Lessons Learned" which drew heavily on the history of Drinkman and Smilianets. Some of their documented data breaches included:
Victim                    Date                   Damages
NASDAQ                    May 2007               loss of control
7-ELEVEN                  August 2007
Carrefour                 October 2007           2 million cards
JCPenney                  October 2007
Hannaford                 November 2007          4.2 million cards
Wet Seal                  January 2008
Commidea                  November 2008          30 million cards
Dexia Bank Belgium        Feb 2008 - Feb 2009
JetBlue                   Jan 2008 - Feb 2011
Dow Jones                 2009
EuroNet                   Jul 2010 - Oct 2011    2 million cards
Visa Jordan               Feb - Mar 2011         800,000 cards
Global Payments Systems   Jan 2011 - Mar 2012
Diners Club Singapore     Jun 2011
Ingenicard                Mar 2012 - Dec 2012

During the time of these attacks, Dmitriy Smilianets was also a leading figure in the video game world.  His team, The Moscow 5, were the "Intel Extreme Masters" champions in the first League of Legends championship, also placing in the Counter-Strike category.   Smilianets turned out not to be the hacker, but rather specialized in selling the credit cards that the other team members stole.  Steal a few hundred million credit cards and you can buy a nice gaming rig!

Smilianets with his World Champion League of Legends team in 2012

How did these data breaches work?


Lockheed Martin's famous paper "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" laid out the phases of an attack like this:

But my friend Daniel Clemens had explained these same phases to me when he was teaching me the basics of Penetration Testing years before when he was first starting Packet Ninjas!

1. External Recon - Gonzalez and his crew scan for Internet-facing SQL servers.
2. Attack (Dan calls this "Establishing a Foothold") - using common SQL configuration weaknesses, they cause a set of additional tools to be downloaded from the Internet.
3. Internal Recon - these tools included a password dumper, a password cracker, a port scanner, and tools for bulk exporting data.
4. Expand (Dan calls this "Creating a Stronghold") - usually this consisted of monitoring the network until they found a Domain Admin userid and password.  (For example, in the Heartland Payment Systems attack, the VERITAS userid was found to have the password "BACKUP", which unlocked every server on the network!)
5. Dominate - Gonzalez's crew would then schedule an SQL script to run a nightly dump of their card data.
6. Exfiltrate - data sent to remote servers via outbound FTP.

In Rolling Stone, Gonzalez claims he compromised more than 250 networks.
The Rolling Stone article, "Sex, Drugs, and the Biggest Cybercrime of All Time", also discusses Steven Watt, who was charged in Massachusetts for providing attack tools to Gonzalez in October 2008.  Watt's tools were used in breaches including BJ's Wholesale Club, Boston Market, Barnes & Noble, Sports Authority, Forever 21, DSW, and OfficeMax.  As part of his sentencing, Watt was ordered to repay $171.5 million.

Almost all of those databreaches followed the same model ... scan, SQL Inject, download tools, plant a foothold, convert it to a stronghold by becoming a domain admin, dominate the network, and exfiltrate the data. 

How did the TARGET data breach happen, by the way?  Target is still listed as "Unsolved" ...   but let's review.  An SQL injection led to downloaded tools (including NetCat, PsExec, QuarksPWDump, ElcomSoft's Proactive Password Auditor, SomarSoft's DumpSec, Angry IP Scanner (for finding database servers), and Microsoft's OSQL and BCP (Bulk Copy)); a Domain Admin password was found (in Target's case, a BMC server monitoring tool running the default password); the POS malware was installed; and data exfiltration began.

Sound familiar???
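Since the same six-stage pattern keeps showing up, it is worth showing what it looks like from the defender's side.  The Python below is an added example of mine, not code from this post, from the indictments, or from the Lockheed Martin paper: it tags log lines with the stage they indicate (recon on port 1433, injection reaching xp_cmdshell, password-dumper execution, Domain Admin reuse, a SQL Agent job wrapping bcp, and an outbound FTP connection) and only escalates when several stages line up.  The log lines are constructed for illustration, and the field layout, host names, IP addresses and the specific indicator strings are assumptions drawn from the tooling listed above.

```python
"""Stage-tagging detector for the SQL-server intrusion pattern described above.

Added example, not code from the original post or from any case it cites.
SAMPLE_LOGS is constructed for illustration (not from any real breach); the
field layout, hosts and addresses are assumptions.  Each rule keys on the
tooling the post lists for that stage.
"""
import re
from collections import OrderedDict

# Phases in the order the post gives them (Dan Clemens' names in the comments).
PHASES = [
    "external_recon",  # 1. scanning for Internet-facing SQL servers
    "foothold",        # 2. SQL injection reaching OS command execution
    "internal_recon",  # 3. password dumpers / port scanners run on the host
    "stronghold",      # 4. a Domain Admin credential is reused from the SQL host
    "dominate",        # 5. a scheduled job dumps card data every night
    "exfiltrate",      # 6. bulk data leaves over outbound FTP
]

# One rule per phase: (phase, compiled pattern).  Kept deliberately narrow;
# a production rule set would also key on host and time window.
RULES = [
    ("external_recon", re.compile(r"\bfirewall\b.*\b(?:DENY|ALLOW)\b.*:1433\b")),
    ("foothold",       re.compile(r"xp_cmdshell|sp_OACreate|OPENROWSET", re.I)),
    ("internal_recon", re.compile(r"Image=\S*(?:pwdump|fgdump|cachedump|ipscan|nmap)\S*", re.I)),
    ("stronghold",     re.compile(r"Logon Type:\s*(?:3|10)\b.*\bDomain Admins\b", re.I)),
    ("dominate",       re.compile(r"sp_add_job|sp_add_jobschedule|schtasks\s+/create", re.I)),
    ("exfiltrate",     re.compile(r"Network connection\b.*DestinationPort:\s*21\b", re.I)),
]

# Constructed sample: "timestamp host source message", one event per line.
SAMPLE_LOGS = r"""
2007-12-23T23:58:41 fw01 firewall DENY TCP 203.0.113.7:51201 -> 198.51.100.20:1433
2007-12-24T02:11:09 sql01 mssql Statement: SELECT name FROM items WHERE id=1; EXEC master..xp_cmdshell 'ftp -s:c:\temp\get.txt' --
2007-12-24T02:12:40 sql01 sysmon Process Create: Image=C:\temp\pwdump.exe ParentImage=C:\Windows\System32\cmd.exe
2007-12-24T02:31:02 dc01 security 4624 An account was successfully logged on. Logon Type: 3 Account Name: VERITAS Source Network Address: 198.51.100.20 Groups: Domain Admins
2007-12-24T02:40:17 sql01 mssql Statement: EXEC msdb.dbo.sp_add_job @job_name='nightly_export'; EXEC msdb.dbo.sp_add_jobstep @command='bcp cards.dbo.track2 out c:\temp\t2.dat -c -T'; EXEC msdb.dbo.sp_add_jobschedule @freq_type=4, @active_start_time=030000
2007-12-24T08:00:00 sql01 mssql Login succeeded for user 'app_user'. Connection made using SQL Server authentication.
2007-12-25T03:02:55 sql01 sysmon Network connection: Image=C:\Windows\System32\ftp.exe DestinationIp: 203.0.113.7 DestinationPort: 21
""".strip().splitlines()


def classify(line):
    """Return the phase a single log line indicates, or None if it matches no rule."""
    for phase, pattern in RULES:
        if pattern.search(line):
            return phase
    return None


def kill_chain_report(lines):
    """Bucket matching lines by phase, preserving the chain's order."""
    report = OrderedDict((phase, []) for phase in PHASES)
    for line in lines:
        phase = classify(line)
        if phase is not None:
            report[phase].append(line)
    return report


def phases_observed(report):
    """Phases with at least one hit, in chain order."""
    return [phase for phase in PHASES if report[phase]]


def is_full_chain(report, minimum=4):
    """Escalate only when several stages line up.  Any one stage is explainable
    on its own (a nightly bcp job is normal DBA work); four or more in the same
    environment is the pattern the post describes."""
    return len(phases_observed(report)) >= minimum


if __name__ == "__main__":
    report = kill_chain_report(SAMPLE_LOGS)
    for phase in phases_observed(report):
        print(f"{phase:15s} {len(report[phase])} hit(s)")
    print("escalate:", is_full_chain(report))
```

The point of the threshold is the one the post makes: each step alone looks like routine administration, and it is the sequence (injection, then dumper, then Domain Admin reuse, then a scheduled export, then FTP out) that gives the game away.  Running this over a real SIEM would mean normalising events to one line each and grouping by the victim host and a time window rather than treating the whole feed as one incident.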

Justice?

With most of Gonzalez's crew in prison by 2010, the data breaches kept right on coming, thanks to Drinkman and Smilianets. 

Drinkman, the hacker, was sentenced to 144 months in prison.
Smilianets, the card broker, was sentenced to 51 months and 21 days, which was basically "time served" -- he was extradited to the US on September 7, 2012, so he'll basically walk.

Will Smilianets return to video gaming? to money laundering? or perhaps choose to go straight?

Meanwhile, Alexandr Kalinin, of St. Petersburg, Russia; Mikhail Rytikov, of Odessa, Ukraine; and Roman Kotov, of Moscow, Russia, are all still at large.  Have they learned from the fate of their co-conspirators? or are they in all likelihood, scanning networks for SQL servers, injecting them, dropping tools, planting footholds, creating strongholds, and exfiltrating credit card data from American companies every day?

Kalinin (AKA Grig, AKA "g", AKA "tempo") is wanted for hacking NASDAQ and planting malware that ran on the NASDAQ networks from 2008 to 2010.  (See the indictment in the Southern District of New York, filed 24JUL2013 ==> 1:13-cr-00548-ALC )

Mykhailo Sergiyovych Rytikov is wanted in the Western District of Pennsylvania for his role in a major Zeus malware case.  Rytikov leased servers to other malware operators.  Rytikov is also indicted in the Eastern District of Virginia along with Andriy DERKACH for running a "Dumps Checking Service" that processed at least 1.8 million credit cards in the first half of 2009 and that directly led to more than $12M in fraud.  ( 1:12-cr-00522-AJT filed 08AUG2013.)  Rytikov did have a New York attorney presenting a defense in the case -- Arkady Bukh argues that while Rytikov is definitely involved in web-hosting, he isn't responsible for what happens on the websites he hosts.

Roman Kotov, and Rytikov and Kalinin, are still wanted in New Jersey as part of the case 1:09-cr-00626-JBS (Chief Judge Jerome B. Simandle ). This is the same case Drinkman and Smilianets were just sentenced under.

Saturday, May 20, 2017

Europol Announces 27 ATM Black Box arrests

On 18MAY2017 Europol announced that 27 thieves had been arrested across Europe for participating in a ring that conducts ATM Black Box attacks.  The arrests were made in France (11), Estonia (4), Czech Republic (3), Norway (3), the Netherlands (2), Romania (2), and Spain (2) over the course of 2016 and 2017.  Much of the data about how the attacks are conducted is being shared between member countries, and the institutions within those countries, by a little-known group called E.A.S.T. and its Expert Group on ATM Fraud (EGAF).  When EAST holds its Financial Crime & Security Forum next month, members will want to also attend the Expert Group on ATM Physical Attacks (EGAP).

What is an ATM Black Box attack?

In an ATM Black Box attack, criminals identify access points in the physical architecture of the ATM that give them access to cables or ports, allowing them to attach a laptop to the internal computer of the ATM.  Once attached, the laptop can issue commands to the ATM, resulting in the ultimate payout: a full distribution of all of the cash in the machine!

The technique of causing an ATM to dump all of its cash is called "Jackpotting."  Most of us first heard about jackpotting as a result of Barnaby Jack's presentation at Black Hat 2010, repeated on two models of ATMs at DEF CON 18 (video link below):

Barnaby Jack at DEF CON 18
Last September, Kaspersky demonstrated an ATM Black Box; however, in their proof-of-concept approach, the criminals physically open the computer using a maintenance worker's key and flip a physical switch in the ATM to cause it to enter Supervisor mode.   The Black Box is connected to the ATM through a simple USB port that was, at that time, available in most ATMs.

Black box demo video from Kaspersky


The new Europol arrest report shows that the current evolution of ATM Black Box attacks is to physically cut into the ATM with drills, saws, or acetylene torches and gain physical access to the cables to which the laptop or black box will be attached.  In the current round of Black Box attacks, the target is not the ATM computer but rather the cables that connect the ATM computer to the banknote dispenser.  By connecting directly to the dispenser, the malware on the attached laptop simply issues the commands that would normally come from the ATM computer and orders the dispenser to pay out bills.  The attack works because a dispenser that does not authenticate its controller will obey whatever device is on that cable; the defense is to require authenticated (and encrypted) communication between the ATM core and the dispenser, on top of physically protecting the cable path.
Image from Europol


Image from Europol

Information shared in the EAST working groups has produced some uncharacteristic good news in this space!  Although the number of ATM Black Box attacks went up considerably, with 15 attacks in 2015 and 58 attacks in 2016, many of these attacks were unsuccessful.  In their 11APR2017 report, EAST explained:

[In 2016] a total of 58 such attacks were reported by ten countries, up from 15 attacks during 2015.  ‘Black Box’ is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser in order to ‘cash-out’ the ATM.  Related losses were down 39%, from €0.74 million to €0.45 million.

and illustrated this information with the following chart:

from EAST Report on ATM Fraud



The mitigation guidelines issued by EAST should be significantly updated at the upcoming meeting with guidance on Logical Attacks, Black Box Attacks, and Explosive Attacks, as well as regional ATM crime trend reports from Europol, Russia, the US Secret Service, Latin America, and ASEANAPOL.

Other ATM Attacks Still Dominate 

While ATM Black Box attacks are interesting, as the chart above shows they aren't where most of the money is being stolen.  Traditional skimming and white-carding are still stealing over 300 million euros per year, while other kinds of physical attacks claimed nearly 50 million euros in 2016 alone!

One other trend that is sweeping Europe is the technique of pumping an ATM full of an explosive gas to blow the front off the machine, giving the criminals access to the full contents of the dispenser.   The Italian police shared this interesting video of the technique:

Italian police shared this video from Feb 2013
This technique was recently used by two British men to blow up at least thirteen ATMs along the Costa del Sol in southern Spain.  In the first half of 2016, 492 ATM explosive attacks occurred across Europe, yielding the criminals an average of $18,300 per attack!  For the full year-over-year comparison, there were 673 ATM explosive attacks in Europe in 2015 and 988 in 2016.  This accounts for roughly a third of the physical attacks on ATMs in the EAST reporting.

Skimming dominates arrests to date

While we aren't sure exactly which attacks are included in the statistics above, several major ATM attack gangs have previously been arrested and their cases disclosed.  While jackpotting arrests are rare, there must be a hundred reports of arrests for implanting skimming devices and creating counterfeit ATM cards from the harvested data.

One rare jackpotting arrest was in January 2016, when a Romanian ATM attack gang was arrested for attacks in Germany, France, Norway, Sweden, Poland, and Romania.  In that case, the Tyupkin trojan, which targets a particular model of NCR ATM, was installed by gaining physical access to the ATM and booting a malicious CD in the ATM computer.  (See www.zdnet.com/article/atm-malware-gang-behind-euro-attacks-targeted-in-police-swoops/ ).

In April 2016, the Italian police arrested 16 Romanians for running a large ATM skimming ring who stole at least €1.2 million. 

In May 2016, the French Gendarmerie of Pau, in cooperation with the Italian State Police and Europol, arrested nine people for running an ATM skimming ring that stole more than 500,000 euros.

In March 2017, a group of five Romanians were arrested for skimming in York County, Pennsylvania as well.

Saturday, July 16, 2016

Hacking, Carding, SWATting and OCD: The Case of Mir Islam

There can be no argument that Mir Islam is a hideous Internet troll.  He was part of a group of hackers who participated in elaborate scams that combined social engineering, hacking, and obtaining credit reports under false pretenses to expose the personally identifiable information of "at least 50 celebrities" on the website "exposed.su."

On July 11, 2016, Islam was given a 2-year sentence for "SWATting and Doxing" Arizona victims.  The Justice.gov press release on the sentence (see: https://www.justice.gov/usao-dc/pr/new-york-man-sentenced-24-months-prison-internet-offenses-including-doxing-swatting ) mentions that his false 9-1-1 calls, made to summon SWAT teams unnecessarily, were part of cases involving at least 20 celebrities and state and federal officials, including an Assistant United States Attorney and a Congressman from Michigan.

Brian Krebs, the world's top cybersecurity journalist, was among the victims of Islam's group after revealing on his blog the methods used by the group to dox celebrities including Arnold Schwarzenegger, Ashton Kutcher, and Jay Z, and government officials including FBI Director Robert Mueller, CIA Director John Brennan, and First Lady Michelle Obama.  Krebs revealed the methods at KrebsOnSecurity in 2013 in "Credit Reports Sold for Cheap in the Underweb."

JoshTheGod's prior Experience as a Credit Card Thief

Like so many other young cybercriminals, Mir Islam had been active in the carding scene, stealing and selling credit card information, and after his arrest tried to work a deal to be an informant.  And like Albert Gonzalez, Max Vision, and so many other cybercriminals, he was a disaster as an informant.  Under the alias JoshTheGod, "Josh" had previously been arrested, tried, convicted, and sentenced for Attempted Access Device Fraud, Conspiracy to Commit Access Device Fraud, Aggravated Identity Theft, and Conspiracy to Commit Computer Intrusion.   He was a member of a group called "UGNazi" and admitted to being a co-founder of the credit card trading website "Carders.org."

He was arrested as part of  a massive action announced on June 26, 2012, that also included 404myth (Christian Cangeopol of Georgia), Cubby (Mark Caparelli of San Diego, CA), Kabraxis314 (Sean Harper of Albuquerque, New Mexico), kool+kake (Alex Hatala of Jacksonville, Florida), OxideDox (Joshua Hicks of Bronx, NY), xVisceral (Michael Hogue of Tucson, AZ), IwearaMAGNUM (Peter Ketchum of Pittsfield, MA), theboner1 (Steven Hansen of Wisconsin) (and two minors). The case also involved 13 other arrests overseas.

FBI Press Release (Click to open)

What were those charges based on?   Here are some excerpts from the charging document, filed May 28, 2013:

"From at least in or about 2009, through at least in or about June 2012, [the defendant and others] did willfully and knowingly did combine, conspire, confederate, and agree together and with each other to commit offenses under Title 18, United States Code Section 1029(a) to . . . "
  • (in 2010) Purchase at least 20 computer servers over the Internet using stolen credit card information belonging to other individuals
  • (in 2011) establish an Internet forum for other co-conspirators to buy, sell, and exchange stolen credit card information
  • (in Feb 2012) possess stolen credit card information belonging to OVER 50,000 OTHER INDIVIDUALS
  • use stolen bank account numbers to fraudulently make purchases
  • launch coordinated attacks on computer systems for the purpose of disabling those systems, including (Jan 2012) DDoS attacks against the Ultimate Fighting Championship; DDoS attacks against Coach, Inc.; and (June 2012) DDoS attacks against the Wounded Warrior Project

The FBI Press Release also projected what charges Mr. Islam may be facing:

10 years for Access Device Fraud and 15 years for Affecting Transactions with unauthorized devices.


Aggravated Identity Theft

Under the law, identity theft is considered a FELONY if the perpetrator is found to have been involved in "the production or transfer of MORE THAN FIVE identification documents."

Quick math check.  50,000 credit cards > 5.  Ok, we're good.

Despite the fact that the criminal code, 18 U.S. Code § 1028A -- Aggravated Identity Theft, was SPECIFICALLY CREATED via the "Identity Theft Penalty Enhancement Act of 2004" to give a MANDATORY SENTENCE of 2 years imprisonment in addition to any other sentence received, Mir Islam was convicted of Aggravated Identity Theft and sentenced to ONE DAY imprisonment and three years supervised release.  Wait!?!?!  How did we get from "probably 10-15 years" to ONE DAY?

Did I mention that the two year sentence is MANDATORY?  Let's make that even more clear:
(b) CONSECUTIVE SENTENCE -- Notwithstanding any other provision of law -- 
(1) a court SHALL NOT PLACE ON PROBATION any person convicted of a violation of this section.
(2) except as provided in paragraph (4), no term of imprisonment imposed on a person under this section shall run concurrently with any other term of imprisonment imposed on the person under any other provision of law, including any term of imprisonment imposed for the felony during which the means of identification was transferred, possessed, or used; 
(3) in determining any term of imprisonment to be imposed for the felony during which the means of identification was transferred, possessed, or used, a court shall not in any way reduce the term to be imposed for such crime so as to compensate for, or otherwise take into account, any separate term of imprisonment imposed or to be imposed for a violation of this section;
Gee!  It almost sounds like a person who commits Aggravated Identity Theft is not supposed to get probation or a reduced sentence!   In fact, in 2015, the Congressional Research Service was specifically asked to examine this statute.  Their conclusion was that "More than half of the judges responding to the United States Sentencing Commission survey felt that the two-year mandatory minimum penalty was generally appropriate."  While they fell short of wildly praising the statute, they summarized their report as being "mildly complimentary of the provision." (see "Mandatory Minimum Sentencing: Federal Aggravated Identity Theft")

Unfortunately, in order for the mandatory term to be considered in effect, the corresponding felony has to receive a sentence of "greater than one year" (which is why we see so many sentences of "a year and a day").  As part of a plea agreement in which he promised to cooperate in good faith with the Southern District of New York's office to identify further co-conspirators in his case, he was given the dramatically reduced sentence of ONE DAY for the carding charges.  Because it was the desire of law enforcement to use Mr. Islam as a source, the intention of the legislators was entirely thwarted.  Rather than cooperating, the prosecution's sentencing memo indicates, Islam was "toying with his FBI handlers, and continued his criminal activity in the Exposed conspiracy and his cyber-stalking." 

One of the conditions of his supervised release was set as "No Use of Computer or Internet Access without the Permission of the Parole Officer," which condition Mir Islam agreed to and swore to obey before a judge on June 26, 2012.   

JoshTheGod Re-Offends

On June 10, 2013, a US District Judge approved that the defendant's bail be modified to include mandatory mental health treatment, and that the defendant BE ALLOWED TO PROCESS CREDIT CARD TRANSACTIONS AT HIS PLACE OF EMPLOYMENT and be allowed to possess a computer and access the Internet under the supervision of a case agent. (See PACER -- Case 1:12-cr-00810-KMW Document 26)

Great idea. Let's give a convicted credit card criminal permission to process credit cards at work.  After all, it's been more than a year since he was arrested for STEALING FIFTY THOUSAND CREDIT CARDS and running a forum for selling them on the Internet.

He didn't quite make it 90 days.  He was re-arrested on September 4, 2013. 

His new case, (1:15-cr-00067-RDM) opens up with charges of Violations of 18 USC Section 371 (Conspiracy) 18 USC Section 844(e) (Threatening and Conveying False Information Concerning Use of Explosive), and 18 USC Section 2261A(2) (Stalking).

The conspiracy charges include that he was still doing identity theft and wire fraud (18 USC Sections 1343, 1030(a)(2), 1028(a)(7), and 1028(b)(2)(B)), and that once again it was at the "Aggravated Identity Theft" level -- "15 or more devices which are unauthorized access devices, to wit, social security numbers" -- 1029(a)(3) and 1029(c)(1)(A)(i).  Also that he used those SSNs to obtain a thing of value (42 USC Section 408(a)(7)(B)), that he accessed a computer without authorization (18 USC 1030(a)(2)(A) and 1030(c)(2)(A)), that he "devised a scheme to defraud and obtain property by means of materially false and fraudulent pretenses" (18 USC Section 1343), that he used a "deadly or dangerous weapon to assault, impede, intimidate or interfere with an officer or employee of the US Government" (18 USC Sections 111(a) and 111(b)), and that he transmitted a threat to injure the person of another via interstate commerce (18 USC Section 875(c)).

Some of the particulars from this second round of charges include:
  • March 2013 - purchasing stolen credit reports for US and State government officials and public celebrities from Exposed.su
  • March 22, 2013 - began stalking "A.R.T" (the Arizona cheerleader) via email, Facebook, Instagram, Text message, and telephone calls, and making false Twitter accounts in A.R.T's name.
  • March 23, 2013 - called in bomb threats to University of Arizona
  • March 31, 2013 - "Swatting" a US Government employee in Massachusetts
  • April 2013 - buying more credit reports for US and State government officials and public celebrities from "exposed.re"
  • April 19, 2013 - "Swatting" T.L. a state government official in California
  • April 27, 2013 - "Swatting" M.R. (that would be Mike Rogers, Congressman of Michigan)
  • July 22, 2013, bought more credit reports from "exposed.ws" 
  • August 12, 2013 - uploaded many sets of "Dox" to "exposed.ws" on a server in Washington DC

Mental Illness and Reducing Sentence

This week the sentence finally came down on Mir Islam.  He was sentenced to 24 months in prison, to be followed by 36 months of supervised release, during which he will be required to participate in education/vocational training approved by Probation, participate in a mental health treatment program, and consent to disclosing a list of all computer systems and internet-capable devices he uses and allowing them to be forensically searched or to have a computer/internet monitoring program installed.

Why?   Partly because of an amazing 82 page "Defendant's Memorandum in Aid of Sentencing" that begins with:

Mr. Islam has matured immensely during his 34 months of incarceration and has taken great strides to atone for his behavior and overcome the mental health issues that contributed to it.  Accordingly, it is respectfully submitted that a sentence of time served and 36 months of supervised release would represent a sentence that is sufficient, but not greater than necessary to meet the purposes of sentencing reflected in 18 USC § 3553(a).  Such a sentence would be longer than many if not most sentences in similar cases, and would adequately punish conduct by an immature and mentally-ill teenager who, by the government's own admission, has earned a departure from the applicable guidelines range.

The memo then goes on to talk about his "Good Time Served" (meaning he was a model prisoner, which is not unexpected, given his lack of access to a computer or telephone).  It then argues that the "doxing" was not really so bad, since "The Secret Files" were only accessible during three short periods, of 8 days, 20 days, and 20 days.

(Image source: KrebsOnSecurity)
The defense also claims that "doxing" is not illegal (citing a Daily Beast article, which is of course where all good legal theories come from) and that we should consider the "veneer of legality, especially as perceived by the immature minds of the teenage co-conspirators."  It goes on to say that we should consider the "misguided but public-minded spirit and desire for attention not uncommon among teenagers."  Would that be the "public-minded spirit" that caused so many SWAT teams to waste their time and place innocent people in danger?   Just in the University of Arizona case, testimony was given that FIFTY-FOUR OFFICERS were involved in searching for the non-existent bomb while classes were canceled and students, staff and faculty faced the fear (and inconvenience) of potential death during the ensuing lockdown.

While the defense admits that swatting was "extremely traumatic and dangerous," it claims that "in the online gaming communities in which Islam practically lived and breathed, swatting was an unfortunately common tactic used by competitive gamers to harass their opponents."  Because of this, we are to understand that this would have been considered "normal" behavior by "teenagers immersed in this new online world."

In the case of the swatting of an Assistant US Attorney, the government provides a transcript of the 9-1-1 call:
"Hello my wife is dead.  I shot her and now she's dead.  I don't know what to do. I'm having thoughts of hurting people and I don't know what to do.  If anyone comes in my house I might shoot them.  I am just letting you know now if I see any police outside my house I will start shooting.  I will not be taken alive.  Mark my words. I am not going to prison for the rest of my life.  I will not.  Don't worry about where I am at in the house. If any cops are outside in my yard or on the street I will start shooting.  By the way I have a police scanner right next to me and I can hear everything and you guys think I'm joking.  I will shoot anyone who comes near my property.  I see cars outside my house I swear I will shoot.  I am not playing.  I am not fucking around. I will shot them.  You know I work with the police a lot but I am not afraid to shoot them."
Youthful prank, right?

The defense then moves on to address the cyberstalking of A.R.T., which it admits "subjected her to emotional distress, anxiety, and fear for her safety" and was "extremely serious."  HOWEVER, it goes on, "Islam was suffering from untreated obsessive-compulsive disorder (OCD) which fueled his obsession for A.R.T. and drove him to try to contact her through any and all means."  Islam "believed at the time that he had communicated and developed a relationship with A.R.T. through weeks of online conversations, causing him extreme confusion and anxiety with her refusal to interact with him in the non-virtual world."

The document then goes on to explain Islam's life, including immigrating at age six from Bangladesh to the Bronx, New York.  The defense says he had untreated bipolar disorder, chronic depression, OCD, and ADHD, which led to him dropping out of high school to spend 15-18 hours per day online without interruption or parental intervention.  They then describe his "carding" as a "seductive playground that allowed them to purchase food and electronics with stolen credit card numbers" and say that Islam viewed these activities as "adolescent pranks."

Next we turn to his prison hardships, including the fact that he was denied a lower bunk even though he was a restless sleeper (which the defense says led to a herniated disc, nerve damage, and chronic pain after he fell from a top bunk).  He also claims he was given "vitamins contaminated by mold" that damaged the cartilage in his wrists and knees, discolored his skin, and exacerbated his chronic pain.  That is some mighty powerful Vitamin Mold!  Islam also filed a complaint against the prison for denying him Kosher food.  (These examples are offered to support a sentencing reduction for "harsh conditions of confinement."  I'm not sure that "denied a lower bunk" and "given moldy vitamins" are what the term "harsh conditions" normally means.)

CyberCrime: The World Where Sentencing Guidelines Don't Matter At All

The strongest, and most unforgivable, argument the defense makes is that Section 3553(a) directs courts to consider the need to avoid unwarranted sentencing disparities.  In the government's sentencing memo, the prosecution asserted that it was "unaware of any individuals sentenced for conduct similar to Islam's."  The defense jumps on that and waves it in their faces!  The defense argues that because Hector "Sabu" Monsegur of LulzSec got RIDICULOUS [my term] sentencing departures (a 97% reduction from the guideline minimum), and because Sabu and JoshTheGod both violated their release conditions and were remanded into custody for very similar crimes, the Federal Government itself had basically established a precedent that hacker sentencing guidelines are worthless and not to be taken at face value.

The defense also argues "the need to avoid unwarranted sentencing disparities" with regard to other swatting cases.  They cite Tollis (1 year and 1 day for numerous swattings of schools and universities) and James Eli Shiffer (15 months for multiple doxing, swatting, and cyberstalking incidents).  That argument is strengthened even more by the government's failure to pursue proper sentences for many of those arrested at the same time as Islam.  The defense gives examples including Christian Cangeopol (3 years probation), Harper (time served), Joshua Hicks (2 years probation), Michael Hogue (5 years probation) and Peter Ketchum (2 years probation).  The LulzSec slap-on-the-wrist cases were also used in the defense's argument: Cody Kretsinger (1 year imprisonment, 1 year home detention), Raynaldo Rivera (1 year and 1 day, 13 months home detention), Matthew Flannery (15 months home detention) and Hector Xavier Monsegur, already mentioned (7 months).

Part of the defendant's package was a letter to the judge praising Mir Islam for being a successful graduate of the Focus Forward class, where he studied the book A Long Way Gone and learned public speaking, conflict resolution, and resume writing skills.  He brought "light-hearted humor and laughter to class discussions" and "displayed humility, opening up to the group about the frustration and disappointment he felt about finding himself in this situation."

Would that be the same "light-hearted humor" that he used when telling University of Arizona police that he was holding a rifle to the head of a woman that he was planning to kill if he did not receive $50,000 in ransom, and that he had placed explosives in eight campus buildings and was going to blow them up and start shooting?

Mir himself wrote a letter to the judge about how he wants to build a project "similar to PayPal" to help "the members of my society" stop getting ripped off.  Excuse me.  You can read his letter while I go get a tissue:


Chance of Re-offending?

Really?   This letter comes from the kid who arranged a ONE DAY sentence for all of his credit card crimes in exchange for giving his "Full Cooperation" to the SDNY FBI Office.  Despite the prosecution's sentencing memo pointing out that "Based on Islam's duplicity in his SDNY case, any expression of remorse or contrition by Islam should be viewed with a great deal of skepticism," the judge chose to ignore this and issue Yet Another Slap On The Wrist.

Anyone taking bets on how many months it takes for Mir Islam to re-offend once he is released?  Put me down for "thirty days or less."