The rise and fall of a suburban hacker.
Daniel Placek was just old enough to buy a beer when the FBI knocked on the door to his parents’ house in Bayside, where he was living, and seized his computer. Placek, a 21-year-old self-taught computer programmer, confessed nearly everything to the agents: He was, essentially, a “black-hat” hacker, a bad guy. He’d grown up in an upstanding family, active in their local Catholic church, his father a licensed ham radio operator who worked for Verizon. But somehow, as an isolated coder, he’d gone far astray.
His penance was five years of cooperation with the FBI, who, in examining his PC after the 2010 raid, found evidence of a kid dabbling in everything from “botnets” and spamming software to “false phishing” sites and “root access” penetrations, like a self-directed survey course in nefarious computing.
Placek’s specialty was coded-to-order “credential-sniffing” programs capable of plucking credit card information from otherwise secure streams of Internet traffic. Snug in his parents’ North Shore ranch home, he’d been making deals with cybercriminals from all over the world, first passing their money through an “ePassporte” account in the Caribbean before sliding it into a local bank account, both of which were registered to his real name and address.
No points for guessing this is how the FBI caught him.
He met the undercover agent who identified these accounts through darkode.com, the underground hacking forum he’d helped to found in 2008 at the age of 19. According to web-hosting records, Darkode was registered in March of that year under the auspices of EstDomains, a now-defunct Eastern European Web company known for hosting shadowy websites. Placek’s alleged partner in launching the forum was a Slovenian college student and hacker, Matjaz Skorjanc, who went on to become the site’s first serious administrator.
Darkode evolved over the years but operated from the beginning as a place for talented black-hat coders to sell their labors to assorted identity thieves and scammers at prices ranging from $50 a program to $500. Botnets were the central concern. Members traded control of them and the software needed to infect new bot-networks of computers – everyday PCs quietly taking orders, unbeknownst to their owners, from a hacker’s central command server. Botnets can be used to fake Internet traffic for pay, covertly record keystrokes, or launch crippling attacks on servers (and then ransom the owners of said servers for money).
According to court records, Skorjanc was behind the modified “butterfly bot” software used to build the notorious “Mariposa” botnet, one of the largest ever devised. Placek, meanwhile, seems to have drifted away from the forum not long after helping to found it, judging by the fruits of a “white-hat” hack by a security researcher known as Xylitol, a software cracker living in France. Xylitol infiltrated Darkode in 2013 and leaked many of its contents, including several messages by “Dethan78,” the account used by an undercover FBI agent to track down Placek. Registered in late 2009 and consigned to the lowest classification level of “Fresh Fish,” Dethan78 would post periodic comments to the site, sometimes in jest (“your cracking me!”). Included in the leaks is a thread from the forum’s “Hall of Shame” section accusing “Nocen,” one of Placek’s usernames, of reneging on a $3,000 “project.” By this time – a few months before the FBI visited Bayside – Nocen was no longer an admin, and his account had been deleted.
Making a living as a hacker is very difficult, according to Xylitol, and many black hats resort to scamming each other. The secretive researcher says he individually hacked members of Darkode in 2013, deduced their login information, and leaked the forum’s contents after one Darkoder in particular used his handle, “Xylitol,” he says, “on his domains for illegal activities.” To end the war, the real Xylitol brokered a “peace pact” with the forum’s top admin at the time, the hacker Sp3cial1st – an aggressive moderator who avoided arrest during this summer’s international roundup of 60-some Darkode-connected hackers. Xylitol ended the leaks and tweeted that he had been “finally banned” from the site and didn’t care about it anymore. In exchange, he says Sp3cial1st offered him some “juicy stuff, informations.”
After the arrests, Sp3cial1st posted to a short-lived site, darkode.cc, that the forum would reconstitute itself as a site on the Tor network, a daisy chain of computers designed to make Internet traffic impossible to track. Xylitol says he’s not sure if Darkode has re-emerged yet, and suspicions were heavy this fall on other hacker forums that the FBI remained in control of Darkode and wanted to reopen it as a “honeypot” to ensnare more bad guys.
Some even suspected that Sp3cial1st himself was an FBI agent, as the agency had infiltrated the top leadership of a similar forum called Dark Market in the mid-2000s. In fact, as conspiracy theorists noted, the same Pittsburgh-based agent who lorded over Dark Market as “Master Splyntr” for about two years, J. Keith Mularski, was the same supervisory agent who headed up the Darkode investigation.
George Ledin, a computer science professor at Sonoma State University in California, and a noted tracker of malware, says most cybercrime forums aim to “serve their purpose without being overtly accessible or visible to too many. Darkode exceeded that sweet spot.”
Paying his small part of the price, Placek pleaded guilty in August to a misdemeanor hacking charge in federal court and is scheduled to be sentenced in November. This fall, he was living in a Glendale apartment and working for Swick Technologies, an IT provider in New Berlin, as a network engineer.
Ledin says it’s not unusual for former black hats to find legitimate employment, and there’s even a usefulness to understanding the dark side of software. “It’s a bizarre feeling,” he says, “when commercially available operating systems and applications are programmed less well than the malware deployed against them.”
Tune in to WUWM’s “Lake Effect” Oct. 26 at 10 a.m. to hear more about the story.