Meet the Hackers Who Drive the Porsches You Paid For
Ferraris, Porsches, and briefcases full of money show a booming cybercrime industry.
At the foot of the Carpathian mountains, in Romania, lies the small town of Râmnicu Vâlcea. InfoSec people called it Hackerville or Cybercrime Central, but its moniker could also be BMW City. German cars with lots of horsepower squeal and screech and spin when the lights go out.
Once a proud industrial town, Râmnicu Vâlcea hasn't got many jobs to offer. "There is only one shopping center, [which] people call The Museum. Those who aren't involved in cybercrime only go there to watch. They can't afford to buy anything," Râmnicu Vâlcea native blogger Mihai Vasilescu told me in Romanian. "A local saying goes: if it weren't for the hackers, the whole city would have been long dead."
"[The Hackerville guys] gained reputation as a result of their desire to make a splash," Romanian cybersecurity researcher Stefan Tanase from Kaspersky Lab told me.
Those lads don't possess exceptional skills. They are merely low-level crooks who send bricks instead of iPhones to unsuspecting eBay shoppers, or simply apply Russian-made tools for ATM skimming.
Worldwide, cybercrime comes with a generous return on investment. With just $5,900 in malicious software, including exploit kits or ransomware, hackers generate an average of $84,100 in net revenue. The phenomenon crosses borders, challenges legal systems and seems unstoppable. It might reach $2.1 trillion by 2019, the current size of Italy's GDP.
Kaspersky Lab's Stefan Tanase has followed several Eastern European luxury gangs over the past decade.
"A very good and recent case study about the lifestyle of cybercriminals is Roman Seleznev," he said. The Russian hacker, who sometimes went by the name of "2pac," often posed with rapper-style heavy jewelry, a Dodge Challenger SRT, or with piles of cash. He was taken by US authorities while in the Maldives, enjoying his vacation at a $1,470 per night resort, in July 2014. When he was taken into custody, his laptop contained more than 1.7 million stolen credit card numbers. Prosecutors said he had made millions of dollars selling stolen credit card numbers on the black market. Seleznev, who was convicted in August and will be sentenced this December, is the son of a member of the Russian parliament.
Another epic story involves the Russian gang Koobface, which Tanase investigated a few years back.
"They loved to wake up to the sound of money. Every morning, each member of the gang would receive an SMS telling them how much money they made in the previous 24 hours," he said.
All of them got the messages at 9AM or 10AM, except for the boss, who didn't enjoy waking up early, so his was delivered at noon.
The Russian gang was intensively active in 2010 and made $10,000 a day. Its members indulged in luxury vacations in places like Monte Carlo and Bali.
Koobface spread a worm on Facebook and pushed fake antivirus scams to the more than 400,000 computers that were part of their botnet. They even ran operations just like a real business, renting an office in St. Petersburg, Russia.
Cybercrime CEOs not only spoil themselves, but also use luxury as a marketing tool to motivate partners and to hire some of the best and brightest. Worldwide, about 80 percent of black hat hackers work as part of an organized crime group.
An Eastern European cybercrime boss offered a Ferrari in 2014 to the hacker who could come up with a brand new profitable scam. The prize was announced in a video featuring a Ferrari, a Porsche, and hot female assistants. Apparently, the kingpin received lots of emails, author Marc Goodman wrote in his book, Future Crimes.
The Montenegro KlikVIP scareware gang had a similar luxury trick. In 2008 they "offered a large briefcase full of euros to the affiliate who infected the greatest number of machines," according to Goodman.
A recruiting ad for affiliates, posted by another hacker group, promised huge amounts of money that "could solve all your problems."
Thieves know the rules of business and try to keep their clients happy. Ransomware gangs, for instance, offer discounts and outstanding customer support, teaching customers how to use Bitcoin. The most successful crooks even claim honesty is a vital part of their business, according to an F-Secure report.
Some hackers are in it for the money, and once they're in, they can't get out. Their jobs pay better than those at legitimate software companies, which pay taxes and follow laws.
Many black hats come from "countries that have very good educational systems, especially when it comes to math and computer science, but the realities of the local economies don't offer much opportunity," said Kaspersky Lab's Stefan Tanase.
While most of the hackers do it thinking of Porsches and Rolexes, there are some for whom cybercrime appears to be the only way to make a good living, Sean Sullivan, Security Advisor at F-Secure in Helsinki, told me.
At some point, he came across a hacker in Australia who had an abandoned command and control server. "[It] appeared to be of a guy that needed some seed money in order to start a legitimate PC repair business," Sullivan said.
He also remembers investigating an Android spy tool made by an Indian developer. The hacker left his name visible on some of his web server's WHOIS details. This intrigued the researcher, who followed the trail to a Facebook page advertising a consulting business. "There wasn't much activity," said Sullivan. "He wasn't making much from the legitimate business and so he went down the path of writing Android spyware."
The F-Secure expert sees cybercrime going hand in hand with corruption. "In some countries, it's nearly impossible to build a legitimate business without graft getting in the way," he said. People there value the display of luxury of others, rarely questioning how someone got the money. Hackerville's mayor, for instance, was reelected this year, despite serving time in jail for bribery.
"I've come across SEO forums in the past where participants are discussing the need to do a little bit of black hat SEO in order to make enough to move up to grey hat, and then to white hat," Sullivan added.
However, those who follow the black hat path might find it difficult to start a legitimate career as an employee for a cybersecurity company. Kaspersky Lab and F-Secure run background checks on the experts they hire. A known black hat hacker has zero chance of getting a job.
From thick-skinned crooks to highly skilled professionals or business gurus, the Fortune 100 of cybercriminals keeps expanding. Luxury is, to some of them, a second language. Until they get caught.
Luxury Week is a series about our evolving views of what constitutes luxury.