Interview: A "malicious hacker" making over $10K a week

Summary: An alleged Romanian scammer explains his simple techniques and stolen identity hustle that supposedly makes him over $10K a week via eBay.


It remains to be seen just how much actual hacking is to be had behind online ID theft and credit card scams - and the details in this story are likely to remain indefinitely unverifiable.


The results of one blogger's recent three-day IRC chat with an alleged Romanian credit card scammer give a peek into just how trivial the process could be.

Much like with the recent, now infamous "Epic Hack" of tech writer Mat Honan (where Amazon and Apple password reset were played off one another to gain account access), it appears that these techniques are performed by using available systems and playing their weaknesses off one another to get a desired result.

The methods are neither elegant nor particularly sophisticated. Still, the bar for entry isn't low enough to admit just anyone: it seems that some scammers will trade stolen identities or credit card information on IRC, but we're told that now most of this business looks to be conducted on a number of underground websites.

Freelance writer Patrick Lambert (Dendory) writes,

The purpose of writing this article isn't to incite anyone to do this, these acts are still obviously against the law, and any investigator that would have the resources and time to dedicate to catching these people could probably do it, but instead it's to show how incredibly widespread it is, and how trivial the whole process appears to be.

The interview underscores the notion that it's not all organized crime networks or malware coders doing the dirty ID deeds, but also fairly ordinary individuals who simply spend around 90% of their efforts in covering their tracks - and have no problem with breaking laws to make easy money.

Overall, the whole process for these people takes just minutes every day, and again, most of the time is spent covering their tracks by creating new accounts, switching to new VPNs, and going to anonymous cash sending and receiving stores, while the actual time spent doing any type of coding or interacting with other hackers is minimal. It's very easy to use, very tempting, and unfortunately, it still seems very low risk for them.

On IRC, Lambert met someone who identified himself as male, under 20, and Romanian, and who was willing to give select details about his alleged money-making scams.

Talking to "d0g", Lambert said,

While some of them will trade stolen identities or full CC info on IRC, now most of that business seems to be done on a large number of underground web sites. This one for example shows a never ending list of items that get sold for as little as $3 each, available to anyone who registers for an account.

"d0g" explained to Lambert that after getting cheap European access to IPs (or otherwise getting set up to cover his tracks), the next step was to get money online and into an account (to purchase credit card numbers); money can then be transferred from reputable entities such as Western Union.

After that, it's simply a matter of buying CC numbers, and then posting items for sale on eBay using fake identities.

Then according to "d0g" it was a matter of online money laundering in a sort of "matchmaking" exchange for goods, but without divulging an address:

(...) The way I was explained is that all he has to do is post ads on eBay for popular items that he doesn't actually have. Then, when someone buys it, he turns around and buys that same item from some online store with the bought CC numbers, and puts the eBay buyer's address as the shipping location.

He makes those stores send the products directly to his buyers, and gets clean cash for them, which he can spend any way he wants. It's a type of online money laundering.

And apparently, the reason why these stolen numbers are sold so cheaply is because a vast majority of them are either already canceled, or maxed out.

The interview concludes before explaining how the money is finally extracted, so we are once again reminded that we'll never know how much of this is true.

Topics: Security, E-Commerce, Legal

  • I don't buy it.

    Most credit card companies will only authorize transactions if the shipping address is the same as the billing address, especially for electronics.
    • Heh

      He's making $10k a day scamming it out of dim bloggers. =D
    • gifts

      never sent a gift to someone online? people do it all the time. if it happens over and over in a short time the credit card company will stop transactions, but the first few should go through just fine. this story is plausible.
      • 1 time

        If the shipping address doesn't match the billing address the credit card company will almost always decline and/or force verification. They don't wait until a card has "too many" suspicious transactions before getting involved. Especially for electronics purchased online.

        Let's just say they are stupid and allow this. Then there is the matter of the hacker conducting huge amounts of transactions on eBay, and unless his scam works 100% of the time he will not be able to sustain a decent account.

        There is just so much that is flaky about this article that it doesn't pass a quick common sense check. The idea is clever, but still filled with holes. Especially at 10K a week.
        • Hmm...

          Now, I've never bought anything off eBay before, but if you know at all, then you should be well aware that you can have as many addresses as you want and be able to send to them without any complications or confirmations.
          Mitchell Foster
  • Hearsay

    "and the details in this story are likely to remain indefinitely unverifiable."

    So it is pure hearsay. Then why bother posting it? Do you have no journalistic integrity? This is Forbes Web Celeb, SF Appeal contributor, a high-profile tech personality and one of Wired's Faces of Innovation?

    I feel sorry for her employers.
  • BS

    Im Sorry But i hate this whole entire article from the start - I can tell you now for a fact the guy you are talking to Obviously has no idea what he is talking about

    If a Hacker is banking in around 10k$+ profit a week and goes to repeat himself as Sending stuff to Anonymous and that is how he is making his profit - Clearly someone doesnt know what the fuck is really going on.

    This is also HIGHLY bad on your part - You being a News Reporter Should have looked into this more instead of just talking with some random person that says he does this and that

    Im sure me and " YOU " both know what im talking about here.

    Also just pointing this out - Do u know how hackers now days learn?

    Its no longer them fucking with shit and figuring it out on there own - Its now all about some passed down Directions as to how to do this and that

    what you just done is allowed thousands of other morons to come by and read how to do this - Which will now influence the Script Kiddy scene by probably 10%+ of more morons thanks to this

    And someone such as you with high such respect in the IT Community - It is to be sure someone along the lines of a script kiddy will take this information and use it in bad way.

    oh and FYI - If ur looking to find ppl that makes big money

    Ill give you a hint

    You wont find them :)

    And if you do - its because the guy is a idiot and is in it for the fame and thats it

    • Education

      While I agree that this article has been presented with a lack of proof, your response certainly doesn't provide proof that you know what you're talking about either.

      First, if you expect people to take you seriously, you might try using real english. You're (not "ur") not gaining much support for your case when you're (not "ur") argument is spelled out in lame teenager texting / AIM abbreviations.

      Second, YOU do not represent everyone and how you suggest that how hackers learn is "all passed down directions" is complete, uneducated, crap. Script-kiddies (wannabe hackers) might learn from this. Real hackers and certainly anyone in the scene for any length of time must learn things on their own as well. Many hackers will share some details, but generally limit how much they share because it's generally deemed illegal. Compare this... do YOU brag to complete strangers, who could easily be FED's how much pot you grow in your mothers basement?

      Again, I agree with several of your points, but your full response was crash and burn to your credibility. The guy of the topic was likely a fraud and clearly not very bright. His explanation for how he conducts business invites legal action against him. His methods, such as use stolen CC and ship to customer is already preventable and most certainly very traceable back to whomever used the stolen CC.
      • Those who correct the grammar of others

        should first make sure their grammar is correct.

        "You're (not "ur") not gaining much support for your case when you're (not "ur") argument is spelled out in lame teenager texting / AIM abbreviations."

        You're losing credibility when your (not "you're") argument also uses the wrong words...
        • Those who have nothing new to add...

          First of all: English is NOT my native language, so please (!) excuse any grammar errors etc.

          Then to my point; NickNielsen: What you are doing, turning ct2193@'s argument around and accusing him/her of the same, is an infant's reaction to criticism - and does not add anything but disrespect for your own opinions.

          Suggest you rethink your dialog technique ;-)

          Best regards
    • BS back at you

      First: Violet is summarizing someone else's work here. It's not her story, but is simply highlighting its existence. Two entirely different things.

      Second: If this Romanian who is supposedly divulging part of their operation is not giving factual information, then how is it supposed to lead to some script kiddy using it successfully? Choose one or the other, but you can't have it both ways - that's nonsensical.
  • Gotta agree with the critics in general...

    with fewer words and cursing - if many cc accounts are cancelled or maxed out, why would the legitimate internet stores even ship? I know that most are going to validate a cc transaction before shipping, so if flagged, shipping will be held up. Doesn't hold water for me.
  • Maybe that is possible in Romania

    Where their online security policies are not as good. But I know that here most places won't ship to an address that is not on the card and many places require you to verify an address first.
  • Solution to this Problem is:

    The solution to this problem would be for online stores to stop shipment on any orders where billing and shipping do not match AND there has been a previous rejection of a card number.

    Online retailers should also attach IP addresses to online accounts, and if another account is set up with the same IP, to flag it as suspicious. Furthermore, if the old account had a rejection of a card, then the credit card company is notified immediately.

    Before processing flagged accounts the credit card company should be notified that it is suspicious and a call centre should be used to contact the card holder to confirm the transaction.
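An added example, not part of the comment above or of the article: a sketch of the screening rules that comment proposes, run over constructed orders so the effect of each rule is visible. Class, field and action names are hypothetical, and addresses are compared by a simple normalised string match.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Order:
    account: str
    ip: str
    card_token: str    # tokenised card reference, never the raw number
    billing: str
    shipping: str
    authorised: bool   # issuer's answer to the authorisation request

def normalise(addr):
    return " ".join(addr.lower().split())

class OrderScreen:
    def __init__(self):
        self.accounts_by_ip = defaultdict(set)
        self.rejected_cards = set()
        self.rejected_accounts = set()

    def review(self, order):
        actions = set()
        peers = self.accounts_by_ip[order.ip] - {order.account}
        if peers:  # another account was set up from the same IP
            actions |= {"flag_account", "confirm_with_cardholder"}
            if peers & self.rejected_accounts:
                actions.add("notify_issuer")  # older account had a rejection
        mismatch = normalise(order.billing) != normalise(order.shipping)
        if mismatch and order.card_token in self.rejected_cards:
            actions.add("hold_shipment")  # mismatch AND earlier card rejection
        # Record this order only after evaluating it against prior history.
        self.accounts_by_ip[order.ip].add(order.account)
        if not order.authorised:
            self.rejected_cards.add(order.card_token)
            self.rejected_accounts.add(order.account)
            actions.add("decline")
        return sorted(actions)

# Constructed sample orders (documentation IP ranges, made-up addresses).
SAMPLE_ORDERS = [
    Order("acct-a", "203.0.113.7", "tok_1", "1 Main St", "1 Main St", False),
    Order("acct-b", "203.0.113.7", "tok_1", "1 Main St", "9 Elm Rd", True),
    Order("acct-c", "198.51.100.4", "tok_2", "5 Oak Ave", "7 Pine Ln", True),
]

def run_sample():
    screen = OrderScreen()
    return [screen.review(o) for o in SAMPLE_ORDERS]
```

The third order is the gift case raised earlier in the thread: a billing/shipping mismatch with no prior rejection and no shared IP passes untouched.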
  • All thieves are liars!

    I'm passing on some wisdom from some very experienced police detectives here:

    All thieves are liars. Petty and unsuccessful thieves often love to make false boasts about how they are big and successful thieves. If they can find somebody to believe them, they will make empty boasts for hours.

    So... If they can find a journalist who takes them seriously, they will happily stay online for days, and all they say will be b*llsh*t.
  • another ....

    .. crap Violet Blue blog
    Scarface Claw
  • very plausible
    SJ Laurencin
  • regarding billing and ship to address

    The guy has stolen CC info. He probably has the billing address. If you supply the correct billing address, you can supply any ship to address you want. No questions asked. No suspicion whatsoever. However, few transactions will go through using cards that are already cancelled or maxed.
  • You should be ashamed of yourself Violet

    If you checked out the facts on Romania you'd realise what a load of rubbish this is. He's claiming to earn $0.5M a year in a country where the average wage is less than $7K a year and not drawn attention to himself? At best he's grossly over exaggerating, at worst it's BS; either way, as a journalist you shouldn't indulge him by publishing these boasts.....
  • My CC was stolen twice in 18 months

    My CC info was stolen twice in 18 months in late 2011-2012. What I found out was that First National Bank of Omaha won't even go after the thieves unless the loss on your acct is over $10,000. I realize that they are looking at the "economics" of going after and prosecuting the thieves; however, what message does this send to the thieves? Steal the card and spend less than $10,000 and you're home free. The dichotomy is that almost every time, the card issuer will absorb the loss, meaning that you are not financially injured and therefore you have no recourse against the thieves yourself even if you can identify them. The CC issuer will not give you any information on the fraudulent transactions for you to use to pursue them with local law enforcement. Next time I'm going to tell the CC issuer to pay the charges, then I'll have standing to track and prosecute them using local and federal law enforcement resources.