COLD OPEN
Dude, if you’re gonna be gone for more than a couple days, let me know, OK?
Charity Majors was slipping on her shoes in the foyer of the apartment she shared with her boyfriend, Max Butler.
No problem, babe, Max replied, tying his long black hair into a ponytail. This should only take two days, tops. He glanced out the window and saw a cab pull up. Gotta go.
Max gave Charity a kiss, then went out and got in the cab. Charity was right behind him. She locked up, got in her car, and started her commute through Bay Area traffic to her job, which was running a porn website in Nevada.
Charity didn’t know what Max did for a living, not exactly. He said he worked in cybersecurity, but he was vague on the details.
Charity’s car and Max’s cab diverged and went their separate ways. The six-foot-five Max stretched out in the back seat and endured his own commute. Morning rush hour was in full swing.
An eternity later, the cab pulled up in front of a convenience store in the Tenderloin. Workers were filing into their office buildings to begin the workday.
Max got out of the cab. He walked a few blocks until he came to the Post Street Towers, an apartment complex.
He took out his keys, opened the front door to the lobby, went inside, and got on the elevator, which he rode up to his other apartment.
Upstairs, Max looked over his shoulder to make sure he wasn’t followed. Then, he unlocked the front door to the small studio. It had just the bare essentials, not even a kitchen. It was crammed with computer equipment. Servers covered the floor. Monitors and cooling fans cluttered every available surface. A large, commercial-grade uni-directional antenna was aimed out the one small window.
All these electronics made the room a humid swamp. Max used so much electricity that the building’s landlord accused him of running a hydroponic weed growing operation.
In reality, it was home to a different criminal enterprise. The apartment was the nerve center of CardersMarket.com, an online gathering place where more than 1,000 people met to sell everything from credit card numbers to fake IDs to counterfeiting equipment.
But today, Max wasn’t here to sell credit card numbers or manage the website.
Today he had a plan.
Max looked over the whiteboard hanging on the wall of his studio. On it were written the names of CardersMarket’s four competitors: DarkMarket, The Vouched, ScandinavianCarding, and TalkCash.
Technically, CardersMarket had nine competitors. But these four were the only ones worth caring about. Altogether, their customer base was about four times the size of Max’s. To Max, these sites were redundant. They also had terrible security, which Max was about to prove.
On the whiteboard, Max had written copious notes about the security architecture for each of the four carding sites. He’d spent weeks studying them, probing their defenses, looking for weaknesses.
He didn’t really look at the whiteboard. He knew it all by heart. Max sat at his desk and began typing at his keyboard.
One by one, he broke into his four competitors’ websites. He downloaded user data, passwords, transaction histories, even forum posts, some that had nothing to do with carding. The data all went onto Max’s servers.
Max worked almost nonstop. When he needed a rest, he would crash on the studio’s fold-out bed for an hour or two, then resume hacking.
Finally, after 48 hours, Max had all the data he needed. As a final parting shot, Max wiped his competitors’ servers. Torching their illicit businesses to the ground.
It was time to go back to his girlfriend Charity. But Max had one more task.
Max logged onto CardersForum.com. He composed a mass email to his site’s thousands of new members, welcoming them to their new home.
Max signed the email with his CardersForum handle—Iceman. He hit send. Around the world, identity thieves, credit card cashers, organized criminals, and cops were realizing that their places of business had been hijacked. It was a hostile takeover.
Now, everyone knew Iceman’s name.
But for Max, it was time to get some sleep.
On this episode: white hat hackers, black hat hackers, credit card cashers, identity thieves, and the dark underbelly of Silicon Valley. I’m Keith Korneluk and this is Modem Mischief.
You’re listening to Modem Mischief. In this series we explore the darkest reaches of the Internet. We’ll take you into the minds of the world’s most notorious hackers. We’ll also show you places you won’t find on Google and what goes on down there. This is the story of Max Butler aka Iceman.
ACT ONE
Max looked out across the dark, empty parking lot. No moon was out tonight. If someone was approaching, he couldn’t tell until they were right on top of him. He could barely even see his friend John, who was right next to him.
You ready? Max said. John nodded.
Max walked up to the front entrance and slipped the master key into the lock, feeling the heavy metal tumblers fall into place with a satisfying thunk.
The door opened. Max and John were inside.
They looked across the lobby of Meridian High School. They tingled with the thrill of crossing a forbidden threshold. They had their whole school to themselves. They could do anything they wanted.
What should we do first? John asked.
Max opened a glass case and took out a fire extinguisher. He aimed the nozzle down the hallway and pulled the handle, spraying foam everywhere and laughing his ass off.
You try, Max said, handing the fire extinguisher to John. John took it and sprayed more foam all over the trophy case. Take that! John yelled with glee.
When the fire extinguisher was empty, John dropped it on the floor.
What now? John asked.
Max thought it over. They could bail now, before they got caught. The whole school would know about it tomorrow. But anyone could spray a few fire extinguishers. That wasn’t enough.
Come on, Max said. I have an idea.
John followed Max through the school to the chemistry lab. Inside, Max went right up to the storage closet that kept the chemicals. The master key opened that, too. He started piling bottles into a box. Iodine, bromine, pitric acid.
Uh…why are you taking that? John asked.
Because I can, Max said. No really, this shit’s worth a lot of money.
John looked at his friend. This didn’t feel like a prank any more. We should get out of here before we get caught, John said.
Max nodded and finished packing. They ran through the school, leaving the front door hanging open, and out to Max’s Nissan. Max chucked the box of chemicals in the back and drove John home.
The next morning, Max and his teenage brain realized that he’d have a pretty hard time selling the chemicals from a high school chemistry lab. But that was fine. For Max, it wasn’t really about the chemicals themselves. It was about the thrill of taking them. Now that the thrill wore off, they were useless bottles of liquid. He thought it would be hilarious to leave them on his friend Seth’s lawn, so that’s what he did.
By the time Seth’s Mom called the school, the custodians had already discovered the mess Max and John made. When police searched Max’s Nissan, they found an incriminating brownish yellow stain on the seat. Iodine.
If it had only been the trespassing and the fire extinguishers, Max might have gotten off easy. But the chemicals changed everything. Max was expelled.
Not that Max particularly liked high school.
Max Butler was born in Phoenix in 1972. When Max was in grade school, his family moved to Idaho. His father ran a computer store in Boise, and Max spent most of his time there, helping his Dad set up computers. By the time Max was eight, he could already program the shop’s Xerox 820, one of the first personal computers to hit the market.
Otherwise? Max hated Boise. He was a computer aficionado in the 1980’s, in a town where the popular kids wore cowboy boots and big belt buckles. The only thing that stopped bullies from messing with him was his above-average height.
Max’s parents split up when he was 14. In high school, Max gravitated towards his fellow misfits, the computer geeks and sci-fi/fantasy nerds. His people. In fact, that was the only thing that would suck about getting kicked out of school. He wouldn’t be seeing John, Seth, or his other friends as much.
The chemistry lab heist wasn’t Max’s first brush with the law. In his teens, Max discovered the Internet, and hacking. He was also an avid phone phreaker, which was a way of hacking into phone lines to make free telephone calls. If you’d like to hear more about phone phreaking, listen to Episode 3 where we cover Kevin Mitnick. We also did a bonus episode on Captain Crunch where we discover the origins of phreaking. Modem Mischief: your one stop shop into the world of phone phreaking.
SFX: Ding
One year before the heist, a man in a suit approached Max in a parking lot. He was from the Boise office of the Secret Service. Gently but firmly, he warned Max to knock off the phreaking.
But this time, Max wouldn’t be getting off with a warning. Meridian High pressed charges. Max pled guilty to malicious injury to property, first-degree burglary, and grand theft. He spent two weeks in a psychiatric center, where he was diagnosed bipolar.
Max got probation. He was sent to live with his dad in Boise. There, he enrolled in a Catholic high school. Being away from his friends and distractions and spending more time around computers helped Max focus. He got his GED and enrolled at Boise State.
In college, the lanky, long-haired Max finally got to do what he loved: study computers. When he wasn’t pursuing his degree in computer science (or hacking into the school’s brand-new email system), Max was spending time with Amy.
She was a fellow Boise State student, a year younger than Max. They’d met at the Zoo, a Boise dance club for underage kids. She was a fellow sci-fi/fantasy nerd, and the two spent lots of time on TinyMUDs, a sort of online message board for D&D-style roleplaying games.
Amy was Max’s first real girlfriend. But soon, Max’s devotion turned to obsession. When she made friends on TinyMUDs, he became jealous. Online, he asked her to declare her love for him by agreeing to a mutual suicide pact.
Then, Amy met someone else. She told Max the news at his mother’s house.
What happened next is in dispute. According to Max, he only put his hands on Amy once or twice, and she was free to leave whenever she wanted. But according to Amy, Max put his hands around her throat and told her he was going to kill her.
The court agreed with Amy. At the time, Idaho state law allowed hands to be considered a deadly weapon. That meant Max got five years.
Max went to prison in 1991, during what would have been the spring of his freshman year in college. To pass the time, he used a prison typewriter to publish a cyberpunk ‘zine called Maximum Vision.
Outside the prison walls, the Internet was becoming more widely available, and the dot-com boom was just beginning. Max’s high school friends had all moved to Silicon Valley and gotten tech jobs. They called themselves “the Hungry Programmers.”
Max tried to stay positive. If he could just make it through his time, he could put everything behind him, and put his computer skills to good use.
He spent more than four years inside the Idaho State Penitentiary. When he got out, he knew he wouldn’t be going back to Boise. Instead, he moved in with his dad in Seattle and pursued jobs in the tech industry. Having a felony conviction didn’t help. He settled for temp gigs at places like CompuServe.
It was basic IT grunt bullshit. Way below Max’s capabilities. Max drifted back to the hacker forums he frequented in high school. He particularly enjoyed the warez scene, where hackers swapped pirated copies of stolen software.
One day, bored at work and surfing the web, Max found an unprotected FTP server for a Colorado-based Internet Service Provider. On it were copies of all kinds of useful software programs, like NetXray, Laplink, and Symantec. He downloaded them and passed them on to his new pals. He was an instant legend.
Unfortunately for Max, the Colorado ISP noticed and informed his employer.
So, there went Max’s job prospects in Seattle.
Max was running out of second chances. If he wanted to make it in the tech industry, he’d have to move to the center of the action: Silicon Valley.
Max Butler needed a fresh start. He also decided he needed a new name. He started going by Max Vision, after his prison ‘zine.
In ’96, Max Vision relocated to the Bay Area, and moved into a house with the Hungry Programmers.
Max fit right in. In Silicon Valley, nobody cared about Max Butler or what he’d done. Max Vision was a young, bright, highly skilled programmer for hire. He might not have a college degree, but he had the chops.
In the late 1990’s, the hacking scene was undergoing a shift. Joy-hacking from your parents’ basement was child’s play. Now, many former hackers were going corporate, using their skills to protect companies from the more malicious hackers out there.
They called themselves “white hat” hackers, after the western movie trope of the hero always wearing a white hat. They defended the Internet against “black hat” hackers, who broke into sites without permission, for glory and profit.
Soon, Max got a job working with one of these white hats, Matt Harrigan, who owned Microcosm Computer Solutions.
Matt was one of the first black hat hackers to figure out how to monetize his skills in a legitimate way. Companies hired Matt and his team to probe their systems for vulnerabilities. But Matt was always a hacker at heart. In his black hat days, Matt went by the handle “Digital Jesus.”
Max and Matt were fast friends. Neither saw much of a distinction between the two kinds of hackers. In fact, Max figured Matt still did a little black hat hacking on the side. It wasn’t about making money or damaging anything, it was about the challenge of the task, and the high of the win.
Max became one of Matt’s “penetration testers.” He was a natural, and he loved it. Soon, he was making $110/hour.
Max was even dating again. He met Kimi at a rave. She was a barista who wanted to be a special needs teacher. Max and Kimi quickly fell for each other and moved in together. They married in a traditional Korean ceremony, surrounded by their families and the Hungry Programmers.
The dotcom boom was booming, and Max had every reason to believe he would get his slice.
But while Max Vision was thriving, Max Butler’s past caught up to him.
The Colorado ISP he stole from contacted the Software Publishers Association. The SPA served Max with a $300,000 anti-piracy lawsuit. It was a first-of-its-kind case. The SPA wanted to make an example of him. The case even got written up in Wired.
Fortunately for Max, in Silicon Valley, few people realized Max Butler was also Max Vision. Eventually, Max and the SPA settled on a $3,500 fine and some free consulting.
But the lawsuit put Max on the FBI’s radar.
The Feds were impressed. The FBI was still beginning to understand how to combat cybercrime. They reached out to Max. They needed him to help detect and diagnose cybersecurity problems for the US government.
Max didn’t want to get his fellow hackers in trouble. He wouldn’t be ratting out actual hackers, not ones he knew anyway. Basically, he would be doing the same work he was already doing. Max saw it as a good opportunity, and he agreed. He officially joined the FBI’s Criminal Informant Program.
The feds gave him a codename: The Equalizer.
But Max soon learned that hacking for the government was a different animal than hacking for the private sector.
Two weeks after Max and Kimi’s wedding, researchers at Carnegie Mellon alerted the security community to a vulnerability.
In the ancient times of the 1990’s, the Internet was just becoming publicly available to consumers. For the average user, IP addresses needed to be converted into plain English. That way, instead of typing 64.12.96.0 into your web browser, you could just type AOL.com.
One of the computer programs that made this conversion was the Berkeley Internet Name Domain, or BIND.
Carnegie Mellon noticed a flaw in BIND. Most internet queries were short and simple. So, BIND didn’t automatically check the size of incoming queries. If a hacker submitted a deliberately overlong query, it would spill out into the computer’s memory. A careful hacker could then overflow their way into the program’s stack, the memory that tracks what it runs next, and submit a command that would give them control over the entire system.
Max called up his contact at the FBI and alerted him to the problem. The fed agreed to send it up the flagpole.
That wasn’t good enough. Max knew that could take months. The flaw needed to be fixed now, and he had the means to do it.
Max thought the situation over. If nobody was going to do anything about it, he would.
Max quickly wrote a computer worm that exploited the BIND vulnerability. It was the exact kind of worm a hacker could use to inflict maximum damage, but Max made a few tweaks. His worm would direct the computer’s stack to install a patch that fixed the vulnerability.
If Max had just left it at that, he probably would have been fine. But Max couldn’t resist adding another command that gave him remote access to any server that installed his update. It was a secret backdoor passage that only he knew about. He promised himself he would only use it to issue further security updates. But he’d be lying if he said it didn’t also give him a thrill.
With his worm finished, Max logged onto the ‘net using a stolen Verio account, and began scanning for computers vulnerable to the BIND flaw.
He got dozens of hits. Soon, Max repaired vulnerabilities at the Pentagon, at army and Air Force bases, at defense contractors, and even on a computer in a cabinet secretary’s office.
After five days, Max was satisfied. He wrote a report on the BIND vulnerability and sent it off to the FBI, omitting the part about how he’d just committed one of the biggest government hacks in history.
Max was becoming a fixture in San Francisco’s white hat community. He launched a website, whitehat.com, and instantly it received thousands of visitors a day. He started an open-source archive of hacker exploits called arachNIDS, which became a trusted community-moderated resource. He’d even gotten a job offer at a new startup, Hiverworld.
But a month after the BIND hacks, Max got a knock on his door. It was an FBI agent, along with an Air Force officer. They knew he’d broken into the Pentagon.
Max apologized. He explained that his motives were pure. He was just fixing a problem. He even wrote out a full confession, to show he had nothing to hide.
The FBI wanted more. Instead of writing security reports, now they wanted him to actively inform on his fellow hackers. They even wanted him to wear a wire and set up Matt Harrigan.
Max wasn’t about to betray his boss and friend, and he especially wasn’t about to help the feds nail someone for the kind of harmless, extracurricular hacking Matt enjoyed.
Fuck that. Max lawyered up.
And the Justice Department brought down the hammer.
The FBI came back to Max’s door on March 21, 2000. This time, they had a 15-count indictment.
The news blew up across San Francisco’s white hat community. Max was defiant. Online, he insisted he was innocent until proven guilty, and he lashed out at those who questioned him.
But six months later, Max pleaded guilty. He was sentenced to 26 months and ordered to pay $154,000 in restitution. He was banned from using computers for five years, unless it was for work. As if anyone would ever hire him again.
Max was 29 years old, and whatever future he thought he had was gone.
ACT TWO
Max Vision walked into the lobby of the Holiday Inn in San Francisco’s Chinatown, carrying a heavy black case.
Two friends were with him. Chris was in his early 40’s, handsome, charismatic, and polished. Jeff looked like he was in his late 40’s, but his years of heavy drinking made his true age anyone’s guess.
The trio walked up to the counter.
We’d like to rent a room, please, Chris said, sliding a credit card and ID across the counter. Just one night.
The receptionist eyed them, and the black case. Three dudes, checking into a hotel in the middle of the day, with nothing but electronic equipment? Were they filming a porn or something? But, the credit card worked. So, she typed their info into the computer, processed the transaction, and handed them a room key.
They rode the elevator up to the top of the 27-story hotel. Inside their room, Chris and Jeff took a seat while Max got to work. He opened the case, took out a two-foot wire-mesh parabola antenna, and aimed it out the window at the financial district. Then, he hooked it up to a laptop.
This area has dozens of unprotected WiFi networks to choose from. See? Max pulled up a list. Chris and Jeff looked over his shoulder. They didn’t really have any idea what he was talking about, but they went along like they did.
Max logged onto a WiFi network at random. Next, he pulled up a software program. This is called a vulnerability scanner, Max explained. It, uh, scans for vulnerable computers. Chris and Jeff dutifully nodded.
It was the same vulnerability scanner he’d used during his white hat days. Within minutes, Max got several hits. Banks. Financial institutions. E-commerce sites. Max could take his pick and hack into whichever one he wanted—and get all of the sensitive data inside. Credit card information, bank account numbers, even personal information like social security numbers.
Chris and Jeff could see dollar signs. Well, sort of. They didn’t really know what the hell to do with this information. But fortunately, they had Max for that.
Max’s second stint in the slammer had been much different than his first. The first time, he was 19 and had his whole life ahead of him. The second time, he was a decade older, and his crime had ruined his chance at a career. A legitimate one, anyway.
Max stayed at Taft Correctional Facility, the prison that dominates the tiny central California desert town of Taft. With no computers, the long months dragged on. Max began making friends with the professional criminals. That was how he met Jeff.
Then, while Max was still inside, Kimi asked for a divorce. Apparently, she’d met some guy at Burning Man. Fucking Burning Man. Max refused to sign the divorce papers.
Finally, after 18 months, Max was set free. He moved into a halfway house in the Bay Area. Part of his release required that he be gainfully employed. Problem was, his name was mud.
Max borrowed a laptop from one of the Hungry Programmers and wrote an email to San Francisco’s cybersecurity community.
I have been showing up at places that farm out manual labor, 5:30 a.m., and still haven’t found any work, he wrote. My situation is ridiculous.
Max was upfront about his felon status. He offered his services for minimum wage, at the time $6.75 an hour. For a guy who used to bill $110 hourly.
Finally, he got a nibble: a job assembling servers in a home office. This wasn’t even IT grunt work. It was the same thing he did in high school at his dad’s shop.
So, Max called his jailhouse friend Jeff, and Jeff introduced him to Chris.
When he was in his 20’s, Chris Aragon was a bank robber. Briefly. He got caught just minutes after his only successful heist. After that, he spent the 90’s dabbling in credit card fraud and weed smuggling before trying to go straight. He owned a business that leased furniture and electronics to startup companies. But when the dotcom bubble burst, Chris’s business went bankrupt.
Shortly after that day at the Chinatown Holiday Inn, Jeff dropped out of the criminal startup, skipping town when the FBI caught on to his involvement in a real-estate scam.
Chris and Max decided to keep working together. Max moved out of the halfway house and into an apartment with a couple of the Hungry Programmers.
That was where he met Charity Majors. She was actually one of Max’s friend’s exes, but the breakup was amicable and they stayed roommates. Charity was a fellow Idaho misfit, like Max. She flourished once she moved to the Bay Area.
Once a month, Chris would either fly or drive up from his home in Irvine, California to downtown San Francisco, where he and Max rented hotel rooms and used unprotected WiFi to steal as much data as they could.
Now, Max always used someone else’s WiFi for his hacks. His experience with the BIND hacks taught him never to hack from home.
Max was particularly adept at stealing records of financial transactions, many of which had credit card information.
At first, Max and Chris were unsure how to monetize their stolen data. But a little Googling, and Max found his way onto carder forums.
This was 2003. By this point, companies and consumers had only been using credit cards online for a few years. Almost immediately, this attracted the attention of criminals, especially in Russia and Ukraine.
Soon, credit card fraudsters, identity thieves, ID forgers, and other criminals began congregating online. The first of these websites was a UK-based site called Counterfeiter’s Library.
When Max and Chris arrived on the scene, the top English-language site was Shadowcrew.com.
On sites like Counterfeiter’s Library and Shadowcrew, a thriving community of scammers met to share tips and techniques, to do business, or just to hang out and talk about their lives. It was like a combination of MySpace and Craigslist, but made just for scammers.
So, it was like MySpace and Craigslist.
All of this was done out in the open, too. This was four years before Tor browsers were introduced, so the dark web as we know it didn’t exist yet. Users banked on their anonymity to stay ahead of the law.
For Max, Shadowcrew.com was familiar territory. It reminded him of his days hanging out on the warez forums, swapping pirated software for internet street cred.
But the situation was also entirely different. Back then, Max was one hacker among many. Now, he sensed that few if any of Shadowcrew’s users were as computer savvy as he was. They were career criminals who started using computers. Max was a career computer hacker who was starting a life of crime.
On Shadowcrew, Max created an account impersonating a well-known credit card dumps vendor named Hummer911. Then, he made his first post. He titled it Free AmEx numbers!
In it, he explained that he had more raw credit card numbers than he could process, and was giving them away to anyone who wanted them. The post linked to a webpage containing hundreds of free American Express numbers.
It was horse shit. The numbers were randomly generated. The webpage contained an invisible code Max had written, which took advantage of a recent security exploit in Internet Explorer. The code installed a Bitfrost Trojan horse onto the infected computer, giving Max control.
Hundreds of Shadowcrew forum members clicked on Max’s link. This gave Max complete access to their computers, which, like he suspected, had little to no existing security measures.
Max stole thousands of credit card numbers. He rationalized it by remembering that the credit card numbers had already been stolen. Somebody was going to use them. Why not him?
Plus, the cards’ owners wouldn’t be stuck with the charges. They’d report them as fraudulent, and the banks would take the loss. To Max, it was a victimless crime except for the banks, and fuck the banks.
With Max’s trove of credit card numbers in hand, Chris rented a second apartment in Irvine and turned it into a workshop. He bought sheets of blank PVC and thousands of dollars worth of card printing equipment and began manufacturing fake credit cards, imprinting Max’s stolen card numbers onto their magnetic stripes.
If Chris did his job right, you couldn’t tell the difference between his cards and a real AmEx or Capital One.
Chris produced stacks and stacks of cards. Then, it was on to the next step. It was time for the Carder Girls.
There was Nancy, Lindsey, Adrian, Jamie, and twin sisters Liz and Michelle. All were college-aged. Chris hired them because he figured young women would be the least likely to attract suspicion.
On carding runs, Chris would drive the girls to the mall and hand out stacks of counterfeit credit cards. Then, they would go into department stores and buy big-ticket items, like $500 Coach bags. They would rack up thousands of dollars a pop.
At the end of the day, Chris would pay them 30% of the total retail value and take the goods to his wife, Clara, who would sell it all on eBay. Then, Max would get his cut.
Max was making thousands of dollars a month. But he wasn’t happy.
To Max, Chris’s process made no sense. Why so many steps, why involve so many people?
On top of that, cracks were beginning to show in Chris’s carefully manicured persona. He got a DUI. Then he got busted again for using their counterfeit cards at a W hotel. Then, he started dating an 18-year-old. When he got her pregnant, some of the Carding Girls quit.
It was time for Plan B. Instead of cashing cards, he would just sell card numbers directly on CardersMarket.
Max decided that instead of hacking big credit card companies, it would be much easier to hack small businesses that kept records of credit card transactions.
One day, while conducting a routine vulnerability scan, Max found an unprotected computer that belonged to a Vancouver-area restaurant called Pizza Schmizza.
The computer ran the whole restaurant, including recording all credit card transactions. Around 50 a day, going back months, and more coming in daily. It was a gold mine. And this was just one restaurant. There were thousands of them across the Internet just like it.
While continuing to provide Chris with fresh card numbers, Max also began selling them on Shadowcrew. At $20 a pop, he could clear a couple grand a day, easy.
But just when Max’s new side hustle was taking off, Shadowcrew went down.
It was the Feds. Apparently, a high-ranking member of the forums was an informant. Shadowcrew’s front page was replaced with a notice informing users that it was under the Secret Service’s control.
Fucking amateurs, Max thought. He was hardly surprised, given how easy it was for him to hack the site’s users.
Like mushrooms, new carding sites began popping up overnight, with names like DarkMarket, The Vouched, ScandinavianCarding, and TalkCash.
Max could simply join one of those and become just another anonymous seller in the community. But that wasn’t enough. He could run a carding website better than any of the chumps who already did.
Chris loved the idea. In June 2005, Max bought the domain name for CardersMarket.com.
Now, Max was becoming a legit player. Once again, he needed a new name. This time, he went with Iceman. It was a common handle for online criminals, and that was why he picked it.
Iceman would simply run the site. He wouldn’t sell credit card numbers. That was a job for Max’s other handle, Digits.
By running the site as Iceman, but openly not partaking in its criminal activities, Max could avoid legal jeopardy. As long as nobody found out he was also Digits, he’d be fine.
Soon, CardersMarket had 1,500 active users. Max recruited some of them to be his moderators. He was building a community, one with better security than ever before. Business resumed, better than before.
However, there were still those rival carding sites to consider. Sure, Max knew they were inferior. Their security was shit. The feds would probably infiltrate them, just like they did Shadowcrew. Max could just let nature take its course.
But why let some government hacker get all the glory of taking down DarkMarket, when Max could do something about it right now?
Max did some probing, and sure enough, his four leading competitors’ security was atrocious. All were vulnerable to a hack.
It was time for Max to show everyone exactly who they were dealing with.
Over two days in 2006, Max destroyed his four rival carding websites, and forced their 4,500 members to join CardersForum.
Max had declared war on his rival websites, and won. But peace would prove to be much more difficult.
Max’s hostile takeover enraged the carding community. One of the forum users even went to the goddamned media, tipping off USA Today. The nationwide newspaper published a full story about the takeover, and even named Iceman.
Max had created powerful enemies. And now the entire country knew Iceman’s name.
ACT THREE
In the weeks after his hostile takeover, Max didn’t sleep much, no matter how badly he might have needed it.
Chris was furious. Not only were Max’s carder wars a national news story, Chris learned Max had actually corresponded with the USA Today journalists in a moment of vanity. Chris thought Max was losing his mind.
Well, fuck Chris. It was Max who built CardersMarket. Max decided who Iceman could talk to. Chris should pay attention to his sordid little card cashing operation and his 18-year-old baby momma.
The USA Today article was an unexpectedly good marketing tool. Hundreds of new criminals were applying for CardersMarket accounts daily, too much for Max to keep up with.
But it turned out Max didn’t actually destroy all four of his competitors. To Max’s surprise, a few days after the takeover, DarkMarket came back online. Its owner, a British Sri Lankan who went by the handle JiLsi, even boasted that it had better security than before. It was provided by a member of the carding community who went by the name Master Splyntyr. Yes, after the cartoon rat from the Ninja Turtles franchise—but “Splinter” is spelled with two “Ys”.
The feud was on.
Unable to wipe DarkMarket’s new Max-proof servers, Max repeatedly hit it with Denial of Service attacks. Occasionally, he would sneak past its defenses and delete user accounts at random, just to fuck with JiLsi. Once, he impersonated JiLsi on a Russian carding site and posted the message “I’m a fed” over and over.
But DarkMarket was stubbornly difficult to kill.
Then, one day Max got a message from one of his CardersMarket members named Silo.
Max didn’t really trust Silo. He had a bad habit of hacking his fellow forum members. But Silo was a veteran fraudster, and his information was usually legit.
I have reason to believe that Master Splyntyr isn’t who he says he is, Silo wrote.
Max knew Master Splyntyr. Splyntyr was a member of both DarkMarket and CardersMarket. Max and Splyntyr had even communicated directly a few times. Splyntyr claimed to be a spammer based in Poland.
But according to Silo, Splyntyr was actually located in Western Pennsylvania.
Max did some digging of his own. After once again hacking into DarkMarket, he pulled up the site’s login history and found Splyntyr’s IP address. Warrendale, PA. Twenty miles north of Pittsburgh. More importantly, it was the headquarters of the National Cyber Forensics and Training Alliance, a nonprofit that worked with the FBI.
Master Splyntyr was a fed.
A fed was running Max’s biggest competitor, and had infiltrated Max’s site, too.
Now, DarkMarket wasn’t just a nuisance. It was a threat.
But Master Splyntyr was tight with JiLsi. After all Max had done to destroy DarkMarket, it was unlikely JiLsi would listen to Max’s warning.
Instead, Max enlisted two of his lieutenants. One went by the handle Corrupt3d. The other was Silo, the one who had originally raised the alarm.
Corrupt3d and Silo contacted JiLsi and DarkMarket’s co-founder, Matrix001, over an encrypted messaging service. They presented the evidence Max had collected against Master Splyntyr. It was a carder trial.
True to form, Silo included code in the evidence file that tried to backdoor its way into JiLsi and Matrix’s computers. Soon, the trial devolved into name-calling. JiLsi and Matrix logged off, entirely unconvinced.
Which sucked for Max, because Master Splyntyr really was a cop. He was an FBI agent named J. Keith Mularski. He’d been running the Master Splyntyr identity for over a year. After realizing Max was onto him, Mularski managed to scrub the evidence from the web, and Master Splyntyr remained above suspicion.
Max was right. But his credibility was so shot that it didn’t matter.
By late 2006, Max knew the Feds were probably onto him. Now would be the right time to make a run for it. Problem was, Max didn’t have the cash. Altogether, he’d only earned about $750k from his cashing and hacking. He pissed most of it away, on rent for his two apartments, on cab fare for his daily commutes, on meals, even on stupid impulse purchases like a robotic dog.
Max decided it was time to retire Iceman. He formally passed control of the site on to Corrupt3d and set up a new handle for himself, Aphex.
He was running out of time. He needed to make as much money as he possibly could before the cops found him.
Max had been capable of hacking into banks for years, but it stopped there. Stealing credit cards and making fraudulent transactions was one thing. But stealing bank account numbers and transferring the funds? That was too much, even for Max.
Chris wasn’t much help. Chris had always wanted Max to steal a seven or eight figure sum to set them both up for life, but he’d never been able to pull it off.
Lately, however, Max’s time running the CardersMarket forum had put him in contact with a lot of interesting people. One of them went by Night Fox. He was an expert in offshore bank accounts. With Night Fox’s help, Max could pull off the big score that he and Chris never could.
Max created a fake webpage called FinancialEdge.com. It looked like a legitimate source for financial news. Then, he emailed dozens and dozens of employees at Fortune 500 companies, inviting them to comment on an article about cybercrime. Max included a link to a webpage that included malicious code that used an Internet Explorer exploit to crack into their systems.
More than a hundred finance people couldn’t resist clicking on Max’s link. Now, Max was looking at potentially millions of dollars. Enough for him and Charity to start a new life. Or just him, if Charity wouldn’t go along with it.
In Irvine, Chris Aragon was barely keeping his head above water. He and Max had a falling out over the USA Today article. His wife Clara knew about his many infidelities, and now their marriage was more like a business arrangement. At least his two young sons still looked up to him.
Since many of the Casher Girls had quit, Chris himself was forced to go on cashing runs. One day, Chris left a Bloomingdale’s with shopping bags full of merchandise. As he approached his car, a police car pulled up.
Chris was no stranger to arrest. But when the police brought him to the station, he wasn’t prepared for what was waiting.
One of Chris’s criminal associates, a Long Island cokehead named John Giannone, had been caught selling stolen credit card numbers. John had already fingered Chris. While Chris was in lockup, Orange County police officers were already searching the home he shared with Clara and the boys. They found piles of unsold merchandise. Hand bags, digital cameras, TomTom personal navigators, Palm Pilots, iPods, designer sunglasses.
Chris knew he only had one choice: give up everyone he knew.
Max watched Chris’s case closely. The Orange County newspapers reported on every detail. Still, Max thought he was safe enough. He’d relocated his safehouse from the Post Street Towers to nicer digs at the Oakwood Geary, a corporate-style apartment building in the Tenderloin.
On Wednesday, September 5, 2007, Max dropped Charity off at the post office, then had his cab driver take him to a CompUSA on Market Street, where he picked up a new cooling fan. Then, he walked to his apartment at the Oakwood Geary, stripped down, and collapsed on the bed for some sleep.
Suddenly, the door burst open. Put your hands where I can see them! someone shouted. Agents with guns swarmed into his apartment, pointing them at Max.
Max had always figured that if the FBI or Secret Service broke down his door, he’d still be able to wipe his servers before they could restrain him.
But when it actually happened, it was already over before Max had time to react.
The feds had Max Vision, and his equipment. But Max had one final hope to avoid jail time: his computers were encrypted.
ACT FOUR
Max spent the month after his arrest in the Santa Clara County Jail. While Max stewed, investigators combed over his hard drive.
Only Max knew the passphrase that would unlock the encryption. He figured the feds would never be able to crack it. Lawyers and judges would implore him to give up his password, but it’s not like they could force him to talk. Max knew he could wait them out. It would take a year at most.
But just two weeks after his arrest, Max was brought to court with his lawyers. There, a prosecutor handed Max’s lawyer a slip of paper. On it was written a message: “One man can make a difference!”
Max’s passphrase. They’d found it tucked away in his computer’s RAM. The lifelong hacker had been hacked.
The feds downloaded five terabytes of data from Max’s hard drives. Hacking tools. Phishing emails. Dossiers he’d kept on enemies and friends. Personal journals about his interests and hobbies. And 1.8 million stolen credit card numbers.
1.1 million came from hacking point of sale systems, like Pizza Schmizza. The rest had come from hacking other criminals.
Altogether, these stolen numbers had been used to generate $86 million in fraudulent charges.
Max was far from a millionaire. He estimated that he’d earned less than 1 million altogether, and he’d already spent most of it. The feds only found about 80 grand in his accounts.
But Max’s personal largesse, or lack of it, didn’t matter. The 86 mil did. Altogether, he was looking at 30 years to life.
By now, all of Max’s secrets were exposed. The defiance he’d shown at his earlier arrests was gone. The night his passphrase was found, he wept into his pillow.
Max’s arrest finally showed Charity who he really was. Mercifully, the feds allowed Max and Charity to talk on the phone while he was locked up. For the first time, Max could be truthful about what he’d done. But for Charity, things would never be the same. Max knew that no matter how much time he had to serve, Charity wouldn’t wait for him.
He started cooperating. After a year of negotiations, the judge handed him a 13-year sentence. At the time, it was the longest sentence ever handed out to a hacker. He’d also be responsible for $27.5 million in restitution. In 2009, Max pled guilty.
At his sentencing, Max read aloud from a prepared letter. He showed remorse and claimed he was a changed man. The judge, prosecutors, and cops all sympathized. Even they could admit he was a computer genius.
In prison, Max tried to put his past behind him. He joined a D&D group with his fellow inmates.
But as the years went by, the allure of making money was just too strong.
In 2014, Max allegedly got his hands on a myTouch T-Mobile Android phone and used it to access the internet. Once again, he started stealing credit card numbers. Soon, Max had a thriving cashing operation from behind bars. Allegedly.
Two years later, one of Max’s prison associates was released. From inside, Max allegedly had his associate purchase a remotely piloted drone. Then, Max’s associate began flying contraband like cell phones, tobacco, and drugs over the prison wall.
When the smuggling ring was finally caught in 2018, this time Max pleaded not guilty. The feds didn’t have enough evidence to tack more years onto his sentence.
Max was released from prison in 2021. He’s still under federal supervision for five years, and he’s barred from using computers unless it’s for work or education.
Max Butler bridged the gap between the anarchic and mischievous hackers of the 1980s and ’90s, and the criminal hackers who came after them. Max is a highly skilled computer genius, but he’s too eager to prove it. Without legitimate career opportunities, Max saw crime as his only option.
Thousands of hackers around the world have a similar story.
Today, online credit card theft and identity theft remain ongoing problems, with hundreds of thousands of incidents happening each year. Using credit cards online has definitely made business more efficient and convenient, but it comes at a price. As long as there are hackers with high-level skills and a lack of legitimate opportunities, fraud will be the cost of doing business.
CREDITS
Thanks for listening to Modem Mischief. Modem Mischief is brought to you by Mad Dragon Productions and is created, produced and hosted by me: Keith Korneluk. This episode is written and researched by Jim Rowley. Edited, mixed and mastered by Greg Bernhard aka he only uses credit cards for cocaine. The theme song “You Are Digital” is composed by Computerbandit. Sources for this episode are available on our website at modemmischief.com.