'

After riches and jail, Belarusian ex-hacker's life lesson? 'Don't steal from Americans. Ever'

ZDNet talks to a former infamous hacker whose "mostly true" book offers a glimpse into the minds of Eastern Europe's cybercriminals.

Notorious hacker Sergey Pavlovich, who was charged with stealing credit-card data from Boston Market, Barnes & Noble, and Forever 21 in 2008, has recently published the English version of his book, How to steal a million: The memoirs of a Russian hacker.

He spent a total of 10 years in prison in Belarus following several investigations conducted by US agents. "The total losses from my fraudulent activity for US banks was over $36m," he tells ZDNet.

Pavlovich, who's now based in Moscow, Russia, and tries to make money by selling handmade boxes in the shape of US dollars, was known as PoliceDog, panther[757], Fallen Angel, and diplomaticos, back in the day.

He says, strictly speaking, he wasn't a hacker, not even a skilled technology professional, but a journalism student who learned how to "turn stolen credit-card information into money," using information he found on forums.

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

Pavlovich sold credit-card dumps, produced counterfeit credit cards and used cash mules to withdraw money. He also sold fake documents such as driver's licenses, IDs, and passports.

In his book, he tries to make peace with his past and put his wrongdoings into context. He says the events depicted are real, and so are the people who appear in his book.

However, he admits he has changed a few names and removed others. "I've softened some things and embellished others. It's something all authors do."

Who is Sergey Pavlovich?

Sergey Pavlovich was born in 1983, eight years before the collapse of the Soviet Union, in the village of Vyaz'ye, in the center of Belarus. He spent the first six years of his life in the care of his maternal grandparents, before moving to the capital, Minsk.

"My grandfather worked his whole life as a forester and loved hunting. My grandmother was an accountant for the local farm," his memoirs read.

His parents divorced when he was two months old. At some point, his mother remarried a former soldier who was able to make a living, but his stepfather became a heavy drinker.

"He used to bully and beat my mother... I was always protecting her... Several times I had to spend the night with neighbors to hide from him," he wrote in his book.

The 1990s, when Pavlovich was a teenager, were confusing and challenging times in Eastern Europe, he argues. "Old moral values had been rejected and new ones hadn't yet appeared... Everyone around us was stealing, from civil servants to businessmen: and almost everyone got away with it. Why couldn't we do the same?"

He wrote that he and his friends became cybercriminals because it seemed like the easiest way to make money. "Our parents were working two or three jobs to make ends meet, and we, the kids, were left on our own."

While a teenager, Pavlovich often went to computer cafes to play Counter-Strike and escape his home, where his parents were always fighting. That is where he discovered the internet, in the early 2000s.

Soon, he learned about the world's first famous carding forum, Carder.org, and later he upgraded his knowledge logging into CarderPlanet.com, a community that gathered carders, hackers, spammers, computer virus writers, and other cybercriminals.

"I must have felt what Ali Baba felt when he stumbled upon a cave full of treasures," Pavlovich writes.

"Every section of the forum contained information on how to get terribly rich without leaving your desk. It was too big a temptation for a young man who could only hope for a monthly salary of $200 if he wanted to do things the legal way."

At his peak, Pavlovich was making $100,000 a month through illicit activities. "A regular carder's income was about $3,000 to $5,000. Mine was much more," he tells ZDNet. He was 20 years old.

"[CarderPlanet] was a carder fraternity of sorts where everyone helped and supported each other. Aspiring to imitate mafia clans, the creators of the forum called each other family."

The forum had plenty of opportunities for an aspiring cybercriminal: from learning from the best in the business to buying all sorts of data, such as credit card numbers or PayPal credentials. There were also bits of advice on how to remain safe, including using VPNs.

"Planet gave carders everything they wanted: information, instruments and services. It's not surprising it became a home from home for many of us," he writes.

"Programs for spamming, selling counterfeit documents and bank cards provided a stable stream of newcomers. From time to time, people shared nice little trinkets for free."

Selling dumps using the regular carding forums proved to be difficult, because the owners of such forums made most from the transactions, leaving people like Pavlovich with few "opportunities". He decided to create his own website, DumpsMarket.

SEE: 10 ways to raise your users' cybersecurity IQ (free PDF)

Like most hackers based in the Russian-speaking world, he preferred to steal from US citizens. His logic? Americans have insurance for bank deposits and are well off, whereas Russians and other Eastern Europeans struggle. "We felt bad for them," he says.

"We numbed our feeling of guilt with the idea [that] we weren't targeting anyone personally, only large companies and governments, that we were a band of merry Robin Hoods. Someone even came up with the term 'economic guerillas': we steal in the West and spend at home," Pavlovich writes. "Psychologically it's not hard to convince yourself that you're not doing anything wrong."

According to Pavlovich, carders usually specialize in only one or two carding schemes.

"I was involved in almost all activities, such as credit-cards numbers selling, dumps selling, dumps with pins, equipment for counterfeit cards, producing skimmers for ATMs, cashout, hacking, phishing, selling counterfeit IDs, and so on," he says.

At the age of 21 years, Pavlovich was jailed for the first time in Belarus, after the police raided a rural house he and his friends were staying in.

"I had thought about a possible arrest umpteen times to frighten myself. It's the same as imagining your mum has died and feeling sorry for yourself. It's nice to know you can pinch yourself at any time and make the nightmare go away. But that day everything was real," he writes. He claims the Belarusian penal system has changed little since the collapse of the Soviet Union.

Pavlovich's Russian-speaking gang

During his days as a carder, Pavlovich interacted with hundreds of cybercriminals from Russia, Ukraine, Belarus, and other Russian-speaking countries.

In his opinion, the best hackers come from the north of Russia and Siberia, from cities like Chelyabinsk, Zlatoust, Novosibirsk, and Syktyvkar.

"They have long winters and short sunny days, so [they] spend all [their] time in front of their PCs," he tells ZDNet. They often work in small groups of three or four members.

According to Pavlovich, hackers in Russia thrive because the police don't have enough resources to fight them. Therefore, when local cybercriminals are caught, it's often the work of a European agency or the FBI, he argues.

"Russian cybercriminals look and behave like bandits, they're like wannabe gangsters: they socialize with criminal authorities and listen to prison songs," Pavlovich writes.

US criminal defense attorney Arkady Bukh, who represented several Russian-speaking cybercriminals in the US and has briefly consulted Pavlovich on a few occasions, backs his claim.

"I hear from many, many hackers and carders that they are often approached by Russian agents asking for various fees in exchange for keeping their eyes shut on their operations against the West, with a certain presumption not to attack Russia," Bukh tells ZDNet. "Sometimes [Russian agents] simply ask for their credit-card numbers."

When caught by the local police, some hackers might attempt to escape justice. "They will likely try to bribe the judges, the investigators. Most likely, [the judges] will dismiss all the charges," Bukh says.

"That's why the US government doesn't prosecute those cases in Russia, because it's a waste of time."

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Bukh, who was born in Baku, Azerbaijan, in 1972, but moved to the US in the early 1990s, says hackers have told him that even today in Russia, there are still agents who take bribes, from "the highway police, to [those] protecting oligarchs".

"Because of this culture being widespread... we are in a situation [in which the] government supports criminal activity," Bukh argues. "Russians want to keep their hackers near. They want cooperation, advice. They want to promote their own goals."

Most of the hackers Bukh has met are less than 27 years old. "They are young gentlemen born in the former Soviet Union... Highly educated people with pretty low life standards."

He says some of them began their career at the age of 13 or 14 years out of curiosity. As they grew up, they became more business-oriented. "They want to grow and have some cash, and engage in various criminal activities."

Having humble beginnings, but fierce aspirations, many cybercriminals spend money on luxury items, muscle cars, expensive trips -- Pavlovich took his girlfriend to the Maldives -- prostitutes and drugs.

But the shopping sprees are soon over, and they find themselves penniless once more. "In a few months, the money will be over and they will be back to the computers," Arkady Bukh says.

At the end of the day, Eastern European hackers such as Sergey Pavlovich, are just criminals, not tech gurus, and not at all real-life Robin Hoods, says Bitdefender's cybersecurity researcher Catalin Cosoi.

"Even though you would expect these people to have some technical skills, they are still just thieves who learned the skill from some other colleague and decided to make money risk free," he says.

However, Pavlovich is hoping for a second chance. He begins the epilog of his book by writing: "Unfortunately, we don't make rough drafts for life. You can't edit it, leaving out lines you don't like."

The Russian-speaking hacker tells ZDNet that readers should remember three things after reading his book: "Money is much harder to keep and spend cleverly than it is to get. Don't steal from the Americans. Ever. America doesn't forgive. Better do legal business and sleep well. The legal business will give you much more. But not so fast."

howtostealamillion4.jpg

Sergey Pavlovich spent a total of 10 years in prison in Belarus following several investigations conducted by US agents.

Image: Sergey Pavlovich

Previous and related coverage

Can Russian hackers be stopped? Here's why it might take 20 years TechRepublic

Deterring hackers is almost impossible when the rewards are so great and the risks are so low. Can anything stop them?

Avalanche botnet mastermind? Wanted cybercrime suspect has just been arrested

Gennadiy Kapkanov, suspected of running one of the world's largest malware networks, nabbed in Ukraine.

North Korea claims hacker responsible for WannaCry outbreak does not exist

The country insists the indictment of the hacker is nothing more than a smear campaign.

They've got your money and your data. Now hackers are coming to destroy your trust

Nation-state attackers are attempting to undermine trust in critical services -- so how do we go about stopping them?

Hacker Adrian Lamo dies at 37

The coroner confirmed Lamo's death, but the circumstances of his passing are not yet known.

FBI nabs alleged hackers in theft of 15M credit cards from Chipotle, others CNET

The bureau says the three Ukrainian nationals are behind breaches that hit Arby's, Chili's and other restaurants.