Darknet Diaries - 85: Cam the Carder
Episode Date: February 16, 2021This is the story of Cam Harrison, aka “kilobit” and his rise and fall as a prominent carder.SponsorsSupport for this show comes from IT Pro TV. Get 65 hours of free training by visiting... ITPro.tv/darknet. And use promo code DARKNET25.Support for this episode comes from Oracle for Startups. Oracle for Startups delivers enterprise cloud at a startup price tag, with free cloud credits and 70% off industry-leading cloud services to help you reel in the big fish—confidently. To learn more, visit Oracle.com/goto/darknet.View all active sponsors.Sources https://www.justice.gov/opa/pr/member-organized-cybercrime-ring-responsible-50-million-online-identity-theft-sentenced-115 https://nakedsecurity.sophos.com/2014/11/14/carder-su-fraudster-jailed-for-9-years-and-ordered-to-pay-50-8m/ https://www.justice.gov/usao-nv/operation-open-market
Transcript
Discussion (0)
I have this theory that if you ever go to Western Union or use a Western Union,
you probably have an interesting story as to why.
Here's my Western Union story.
This one time I had a job, and while working there, I got to be friends with a co-worker.
His name was Billy Ray.
Billy Ray was a wild, crazy, older guy who had so many stories that I didn't even know if they were true or made up or what.
I would sometimes hang out with Billy Ray after work. He had an unusual way of looking at the
world. He was pretty suspicious and didn't trust anyone. He had a lot of street smarts too,
and he always made sure to keep an eye on me to help me stay out of trouble too.
One day after work, which was payday, Billy Ray asked if I could drive him home. I said,
sure. We hop in my car. He says, hey, on the way home,
can we stop by Western Union? I said, Billy Ray, there's nothing good for you at Western Union.
Trust me. Don't want to go there. He said, no, no, no, no. I have to send money back home to my
ma in Milwaukee. I said, fine. So we drive to Western Union. I park on the street right in
front. I tell him, listen, I'm going to wait here in the car until you get out. He gets out and goes in. Now, my car was a little weird. The back license plate was my legal normal license plate,
but the state I lived in didn't require a front license plate. So I'm like, well, you know what?
I'm going to put a novelty plate on the front if it's not required. So I put on this license plate
that said Area 51, and it looked like it was from the state of Nevada. Well, while I was parked there, a cop drove by, saw my Area 51 plate and laughed. And then as he
went by, he looked back and saw a different plate on the back. Well, the cop didn't like this and
swung back around and parked right behind me on the street in front of Western Union. He gets out,
comes to my car, asks about my two different license plate. I said, oh yeah, one's just a fake plate because I don't need that one on the front.
He said, look, that's just wrong.
Don't put a fake license plate on your car.
I told him, okay, as soon as I get home, I'll take it off.
So he takes my license and registration back to his police car to check if I was wanted for anything.
Well, at this point, Billy Ray comes out of Western Union and comes into my car and says, all right, let's go.
I said, well, I got to wait a minute.
He asks, why?
I said, well, there's a cop behind us.
He's like, did you do something wrong?
He looks back and sees the cop coming to the car.
Billy Ray starts flipping out.
He starts shouting nonsense like, I knew you were a criminal.
I knew from the first minute when I saw you.
What are you, an ex-murderer?
What did you do?
I said, Billy Ray, why did you get in the car when there was a cop behind me? Didn't you look first? He was upset. He got all
fidgety and didn't know what to do. He asked me, should I run? How bad is this? I said, calm down,
I'll sort this out. I can hear him start to hyperventilate. The cop comes up to the window,
hands me my license and registration and says, have a good day. I started to drive off. I explained
to Billy that I had a novelty plate that the cop didn't like. And from then on, Billy Ray never asked me for a ride home
again. These are true stories from the dark side of the internet. I'm Jack Recider. This is Darknet Diaries.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me.
Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites.
And continuously works to keep it off.
Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell.
I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private
by signing up for Delete Me.
Now at a special discount for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan
when you go to joindeleteme.com slash darknetdiaries
and use promo code darknet at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash Darknet Diaries and use promo code Darknet at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash Darknet Diaries and enter code Darknet at checkout.
That's JoinDeleteMe.com slash Darknet Diaries.
Use code Darknet.
Support for this show comes from Black Hills Information Security. Thank you. Give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher.
And he's made it a mission to make Black Hills Information Security world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive. And they are trying to break down barriers to get more people into the security field. Thank you. blackhillsinfosec.com to learn more about what services they offer and find links to their
webcasts to get some world-class training. That's blackhillsinfosec.com, blackhillsinfosec.com.
A real quick warning before we get started. This episode has some strong language and may
not be appropriate for all listeners.
If you're sensitive to explicit language, you may want to skip this one.
So it's fairly common that when I post an episode, there seems to always be someone who messages me afterwards saying,
Hey, I'm familiar with that story. They say something like, Oh, I used to work there or I knew that guy.
It's wild, but I love hearing any extra bits of detail that I might have missed. And that's how I met this guy, our guest today. After publishing episode 32, titled The Carter,
I got a message from a guy named Cameron. And Cam told me I actually got some of the details
wrong in that story. And I said, how do you know? He said, because he was part of that operation.
This led us to some phone calls to discuss more.
It's kind of a weird situation, you know, where I'm at and everything.
And the more I talked with Cam, the more I learned how crazy his story was.
But I'm kind of weird about it anyway, just talking in general with a bunch of people around.
And then on top of that, like I was saying with the cameras and everything,
it just kind of sketches me out a little bit. it feels comfortable what you're in the yard of a
halfway house is that what it is yeah i'm actually at a halfway house um i did about a little over
right at about eight years in prison oh well uh i guess you know the ending now eight years in
prison currently in a halfway house which is where we talked over the phone.
Now we have this train about to terrorize us.
I hear it.
You heard it?
Yeah.
It's coming closer.
Yeah, you hear it, huh?
You hear that thing all night long?
Yes.
God.
They choose the worst fucking property that they can buy, I guess.
You know, it's like the cheapest.
It's always all the jails.
And it seems like almost every jail, every fine establishment like this place is usually next to a train track.
I just wanted to mention this train part because if you're driving and you hear like a train go by, it might be from this podcast. So after having chats with him and going back and
forth with phone calls, I looked through his indictment and tried to piece together exactly
what he did and who he was. And I'll be honest, Cam wasn't who I was expecting. Yeah, it's
interesting hearing from you because I wasn't sure if you were going to have a Russian accent or where you're from.
I grew up in Augusta, Georgia.
Let's start at the beginning, or at least back to high school.
His first experience with this side of the internet came when Cam was a teenager.
Cam was selling stuff on eBay to make a little money, and his eBay account got hacked.
Someone sent him a phishing email, and he fell for it.
He entered his password on the hacker's website and not on eBay's. The hackers then used his password and logged into
his eBay account and quickly changed his password and email so he couldn't get in. He saw that
someone listed some fake laptops for sale on his account. Then I couldn't actually understand at
the time for the life of me why anyone would do that. In high school, Cam was into computers and
would download some pirated movies too.
One day he realized
he could put his computer skills
to use at school.
Cam was falling behind at school
and wanted to change his grades.
He couldn't actually figure out
how to hack into his grades,
but he did hack into the school's website
and messed around a lot.
He made a mistake
by telling some people
about this prank
and that got him suspended.
I learned a quick lesson to watch who you talk to, Connor.
That wasn't the last time Cam hacked his school, though.
Cam took a CAD class in high school,
and he spent the whole class messing around with his friend.
Since he wasn't doing his assignments,
he came up with an idea, steal someone else's work.
He used Sub7, which is a Trojan,
to attack the guy's computer in front of
him. He got the guy's IP, logged in, took all his work, and then just changed his name on the work
and printed it out and turned it in and got an A for the class. Cam made fake report cards too.
He would use Photoshop, design it up, write whatever grades he wanted, make it look official,
and then sell it to other students. These Photoshop skills would prove to be pretty useful later on,
because Cam was about to enter the world of fake IDs.
Do you, the listener, remember when you were 17 or 20,
just one year away from being able to buy cigarettes or alcohol or do some adult-age thing?
That wait is very hard for some people, including Cam.
So he went online and found a place to buy a fake ID.
He ordered one. And to make a fake ID look right, you have to send your real photo in.
So he sent a photo of himself and got it in the mail. And it was kind of crappy looking.
The cuts around the corners were off and it just didn't look right. But he thought,
what the heck, I'll try it. And he gave it a shot. So one day he went to the store to try to use his fake ID to buy a pack of cigarettes.
But the store didn't buy it and confiscated his fake ID.
The plan failed.
But by this point, Cam had really analyzed what an ID should look like
and researched how all this was done and decided he could probably make a better fake ID himself.
And this was the decision that sent him on a new trajectory in life.
I, you know, told myself that, you know, I'm not going to buy another piece of crap ID.
I'm just going to make one.
If you're wondering how a high school kid could just decide to make a decent fake ID,
you should know that Cam wasn't just an ordinary high school kid.
He was deep into computers, and he started hanging around some pretty shady forums and chat rooms. He became
a regular on Counterfeit Library, and that's a place that could teach people how to make fake
diplomas and IDs. Counterfeit Library was like a precursor to Shadow Crew or Quarter Planet or any
of those forums around then. Oh oh the guys from shadow crew i'll
have to do a whole episode on shadow crew one day because that's a crazy story all by itself but
basically shadow crew was a website a chat room a forum and on the forum you could trade illegal
things picture a typical darknet marketplace but before the darknet existed and before bitcoin
existed on shadow crew you could buy fake degrees and fake diplomas and stolen credit card numbers
and fake ids cam wasn credit card numbers and fake IDs.
Cam wasn't on that website yet because that website didn't exist,
but he was in the chat rooms with the people who would later go on to make Shadow Crew.
Cam started learning how to make fake IDs through this chat room,
and he downloaded templates and learned about materials.
He eventually figured out a process that worked and made his own fake ID.
So eventually, he was producing some pretty convincing cards for himself. His picture was on it, but with a fake name and a
fake address. And they looked pretty good. Better than the one he ordered, at least. Cam was living
with his dad at the time. As a teenager, Cam wanted cool stuff to, you know, show off at school or
something. Clothes, shoes, when I became old enough to drive a car.
He realized to buy this stuff, he would need to find a way to make money.
So Cam came up with an idea.
He could sell fake IDs to kids at school.
He got a fellow student to be his front man, and his friends would make deals, and Cam would make the cards.
You'd fill a cartridge up with an adhesive, like a glue sort of adhesive,
and you could print with the templates onto the laminates
the design for the hologram it would print basically the glue for the design of the
hologram and then you'd have the right mixture of these powders for different whatever state
would be a different mixture of gold and silver or whatever and then you'd sprinkle it on there
with stated adhesive and now that was your your your holo pouch now those laminates would have a
mag stripe on them too for california or for texas you know for the states that it applied to or
whatever his local business was going well but cam wanted to sell more cards and make more money
so he took his business online and started selling the fake ids on internet forums and something
strange started happening people were buying lots of
fake IDs. Like one guy would buy dozens of fake IDs with the same picture, just lots of different
names and addresses. This would be like $1,000 worth of fake IDs. Kim couldn't figure out why,
but he just kind of shrugged and made them and shipped them and let the mystery go.
But then one day he got a clue.
One day a guy ordering a bunch of fake IDs from him made an intriguing offer. He said, I can either pay you $1,000 or I can send you 2,000 carded Western Union.
Which would you prefer?
So, of course, I've been hearing and reading about, you know,
people carding Western Union and things like that.
But I didn't realize it was the first interaction with somebody that was actually doing it, I guess.
Cam put the pieces together. This guy was carding. Carding is when you use stolen credit card details
to buy something, either digitally or by counterfeiting a physical version of the card.
You can use these for anything, shopping online, cashing out at ATMs,
or sending money to someone through Western Union. What this guy was offering is he would send Cam
$2,000 through Western Union, but it would be from a stolen credit card. This is more risky for Cam
because it's illegal to receive money that you know is stolen. So he had to make the choice,
$1,000 in clean money or $2,000 in stolen money.
I was just really curious and kind of, I guess, fascinated by all the stuff that people were
talking about on there. You know, it just kind of, but at the time it was really all through,
I didn't really believe for sure that a lot of people were really doing all this stuff. You
know what I mean? Like it kind of just seemed like, okay, for real, are they actually doing
this? And it was a whole different, it was a whole different ballgame back then. I mean, like, it kind of just seemed like, okay, for real, are they actually doing this? And it was a whole different ballgame back then.
I mean, things were pretty much wide open.
Cam had known about carding before, or at least he'd heard of it.
But when did he found physical evidence of it?
He was at an ATM, and near the ATM was a plastic credit card on the ground, and he picked it up and noticed something strange.
The text on it was black and blurry, and the embossed numbers
just didn't look right. Cam thought for sure this was a counterfeit credit card. So I was just kind
of like, wow, you know, it kind of made me think, okay, so I guess some of this stuff really is
going on, you know, if I just found one of these on there. So out of, you know, curiosity, I just
kind of kept it, held on to it. Cam dabbled with trying to make fake credit cards himself. While
making these fake IDs, he got a hold of an MSR, which is a mag stripe encoder,
or you can think of it as a device that writes information to a credit card.
The reason I needed one at the time was for coding IDs.
That was my only interest at that time.
You know, I wanted my IDs to scan.
So it was Texas and California were two states I was making and I needed them to scan so I wanted an MSR.
But at the time they cost like $600 or $700.
So I brought it up in the channel and somebody mentioned, man, just card it.
That kind of sparked my interest where I messaged him like, what do you mean card it?
This really sparked Cam's interest.
He wasn't sure what they meant by just card it,
but he looked into it and was able to get his hands on a full.
It's basically a CVV, a card with the CVV, the expiration,
but also the name, address, phone number, date of birth,
mother's maiden name, social security number.
So it's a full info.
So not just track two, gotcha.
Yeah.
So it's actually the dumps, you know, you have the tracks of data.
This is just for online purchases or over the phone or whatever.
It's the account information, but also included is the mother's maiden name,
social security number, date of birth.
So they call it a full, a full info.
He was naive at the time and thought by just having a full,
it would allow him to buy whatever he wanted.
So he gave it a shot, tried to buy something, but the transactions never went through.
He tried a few times, but this full didn't work at all for some reason.
So Cam wasn't sure if carding was real or not until this guy offered to send him some cash through Western Union using a stolen credit card.
Now, looking back, the risk probably should have been a little more concerning, but I was just excited to do it. So of course I took the $2,000 of the card at Western
Union. That meant Cam had to pick up the money in person. Now Western Union is a way to transfer
money from one person to another. You can call them on the phone, give your credit card details
to them and tell them who's going to pick up the money and they'll take the money out of the credit card, and when the person comes in and presents proper ID,
then Western Union will give them the money.
There are official Western Union shops out there, but this is such a popular service
that it's often seen in grocery stores and gas stations in the U.S. and around the world.
So he makes a fake ID, puts a picture of himself in it, but uses a fake name and address and everything,
and then tells the guy to send money to this fake name he just invented so the guy calls up western union gives
them the stolen credit card numbers and sends two thousand dollars to this fake name that cam gave
and western union took the money out of the credit cards and held it for cam to come get
cam gets word the money is there but he didn't have a car so his friend's girlfriend drove him
to western union he goes in fills out the form gives that id to the lady at the counter and the Cam gets word the money is there, but he didn't have a car. So his friend's girlfriend drove him to Western Union.
He goes in, fills out the form, gives that ID to the lady at the counter,
and the lady picks up the ID and looks at it and looks at Cam.
Cam starts to get nervous.
He's committing fraud, and he knows it. And any mistake could get him caught and in trouble.
Since he made the ID himself, he knew just how many mistakes it had.
But she doesn't notice any problems.
She counts out the money, hands him the cash, and he walks out of the store $2,000 richer.
It was kind of a, I guess a rush or whatever you want to call it.
It was kind of an odd feeling.
You know, it was like, it was kind of a thrill.
The guy Cam was working with online was impressed at how well the transaction had gone.
He wanted to keep buying fake IDs from Cam, but he had another proposal.
He's like, hey, I want to keep buying them from you.
But also he's like, hey, matter of fact, do you just want to start picking up transfers for me?
Because you're like the perfect drop guy.
You make the IDs yourself.
Cam was the perfect guy to do this.
A rebellious teenager, good at computers,
good at making counterfeit IDs,
and who's interested in the whole carding scene.
He could quickly whip up a new ID
whenever he needed to go drive and pick up some cash.
And then his job was to act like someone else for five minutes,
hand them the fake ID, and wait for them to give him cash.
So he agreed to this plan.
And all of a sudden, something clicked in Cam's head.
And now he understood why people needed multiple IDs with the same picture. They weren't 16-year-olds
buying fake IDs to drink and smoke. They were using IDs to card. Cam was no longer peering
into the dark world of carding. He realized he was already living in it.
So I took the offer. You know, I said, yeah, actually, no problem.
So they start working together.
Cam would make a few fake IDs for himself
and tell the guy what info was on the ID.
And the guy would call Western Union,
give them stolen credit card details,
and tell Cam it's ready.
Cam would then go down to any Western Union
and pick up the cash.
The plan was actually working pretty well.
Cam started making some real money from this.
Every day he worked with the guy, he made about $5,000.
And that's a lot for anyone, but especially a high schooler.
I was making obviously more money than I've ever made in my life
because I was only in high school at the time, making thousands of dollars a day.
Now, I will say that he was a little older than me, so he was more disciplined.
And so he actually understood that it was something that probably wasn't going to last forever.
Then Cam and the guy had a falling out.
Their agreement just fizzled out somehow.
And all of a sudden, Cam was back to where he started.
But now he had a taste of the dark life.
Cam liked the money that was coming in and he was still selling fake IDs.
But those $5,000 days were gone.
Cam didn't like being cut off from this,
so he decided to take what he learned and go into business of his own.
The only problem was, Cam didn't have the skills to card yet.
He understood the idea and the concepts of it,
but wasn't sure about the means and methods to actually do it.
He could make fake IDs and pick out the money,
but his partner had always
acquired the stolen cards and made the money transfers. He needed to get some stolen cards.
He needed more credit card information. He needed help. So he turned to the place that always helped
him before, the forums and the chat rooms of Counterfeit Library, which was now just about
forming into Shadow Crew. And he had the skills and ability to
withdraw money from a stolen credit card but he didn't have the stolen credit cards he turned to
the forum to figure that out and there's an option of buying them or becoming a cashier but the
problem is people in these forums were not always very trusting they were hesitant to work with cam
and actually i kind of faked it i faked it till till I made it. I just kind of said that I know how to do this.
I had a general idea of what the guy was doing
that I was working with.
But of course, I hadn't done it.
I didn't have any experience.
So I know just from reading guides and tutorials
and stuff on Shadow Crew and whatnot,
that I know kind of what he's doing,
but I haven't done it.
So I just kind of bullshit my way through it
until I started advertising in the channel
that I know how to do it.
Cam found a couple of guys from Kosovo, a country in Southeast Europe.
These guys were looking for someone like him.
They had acquired a lot of stolen credit cards.
Who knows where they got them, but they were looking for anyone online who was willing to be a cashier.
Someone to take these stolen credit cards and figure out a way to pull money out of them
and then keep half of that and send the other half back to the guys in Kosovo.
So somebody hits me up.
Like, hey, look, we want to try you out.
The Kosovo guys give him a test.
They send him the full details of five stolen credit cards.
The plan was that Cam would cash out on these cards and send half the money back to the guys in Kosovo.
Cam did some research on the best way to try to charge these cards and gave it a shot. His plan was to call Western Union and give them the
credit card details over the phone and try to send money to one of his fake identities. He tried to
get cash from the first card, but that card was declined. Shoot, he hung up the phone, waited a
while, and called back and tried another card.
But that card was declined too. The third card was declined, and the fourth card declined too.
Shoot, this wasn't working. He was worried that if all five of the cards were no good,
then it might make him look bad. Because what do you tell the Kosovo guys? That all the cards were
bad? Would they even believe you? Or would they say, no way, we gave you good cards, man.
You must have just cashed them out and kept the money.
And they could ruin his reputation.
Cam wanted to work with these guys, but their cards were not working.
He crossed his fingers and tried the fifth card.
And to his surprise, it went through.
He was able to send $500 through Western Union to one of his fake names.
I went, picked up the $500 myself, and made a decision just to send all of it to them and say
that kind of that was actually for two orders. You know what I mean? I kind of bullshitting away a
little bit saying that two of them had worked out, one failed, or whatever it was. I didn't know that somebody actually being straight up and legit with them, period,
was a huge valuable...
Having somebody in the United States obviously grabbed their attention
because back then there was a huge problem, especially on these IRC networks, with ripping.
It's just people just running out.
You know, they just say they're going to do this, they never do it.
So obviously these people anticipated that.
They thought that was what was going to happen.
Finding good cashers is hard. Some cashers suck at what they're doing. Others take the credit card
numbers and cash out and just keep the money. It's hard to build trust in these circles. People with
huge amounts of stolen credit cards need a large network of cashers, but they don't want to send
a ton of cards to the first person willing to do it. They need to find people who are smart at getting money out of the cards and are honest about
sending back their cut of it. And so when the Kosovo guys saw money coming back from this first
round, this made them happy and were willing to send Cam some more cards. And so Cam would continue
to cash out on the new cards and send back half the money to the Kosovo guys. And the Kosovo guys
became really happy with Cam. So now they're going to flood me with whatever I want. So it was a good decision on my part because
now I have absolutely no problem with getting cards because they give me literally whatever
the hell I asked for. Once Cam would get the cash out of the cards, he would send half back to the
guys in Kosovo. To do this, he used a service called eGold. This is basically sending money
through the internet.
Because Bitcoin wasn't a thing yet, so this was an anonymous way to send money.
Kem's business was starting to shape up.
He was getting tons of card details from the Kosovo guys and cashing out stolen cards as much as he wanted all day long.
He pretty much had an unlimited supply of cards,
and he could keep half of whatever he took out.
He became so successful, he started expanding that business.
Soon he had people doing pickups for him,
and he was learning new techniques,
and he figured out ways to social engineer some of the banks connected to the cards.
And he would call the bank, and he would pose as the actual cardholder
and get the bank to switch phone numbers to his burner phone.
His trick was to use the address of abandoned houses
and switch the address and phone number to that.
This way, if any potential fraudulent charges were flagged,
the bank would call his number to confirm,
did you make this charge?
And he would say, yep, and the money would go through.
But nowadays, this wouldn't work.
Nowadays, they've got flags for an address being changed
within 30 days or, you know, things like that.
I think that's because someone ruined it.
Right. Somebody, you know, I don't know who the hell.
Now, all this time, Cam was still doing all this through Western Union. He would call them on the
phone, give them the card details, and they would charge it and make it ready for him to pick up
with his fake ID. And he would sometimes go to the same place to pick up his money a few times.
And he did try to go out to different places, which meant sometimes taking a road trip and visiting Western unions far away.
But Cam knew it was also possible to take money from these cards by just using an ATM to withdraw
money. The only problem was he didn't know how to do that. To start, the ATMs require a physical
plastic card. Cam had dabbled with this in the past, but never did figure out how to get these cards working right. So how do you get the card details printed on a physical card? At the
time, there weren't very good tutorials on how to do that. The people who taught him seemed to just
be guessing on how to do it, and it's really quite difficult. See, on a credit card, there are
multiple pieces of information. A card has track one data and track two data, and in these tracks
is the information that machines need to process the card.
Then on top of that, there's CVV1 and CVV2 data on a credit card.
Now, one of these is only in the mag stripe data.
And so the only way to get it is to actually scan the card and see what's there.
So unless you have that, this gets really hard.
But not impossible.
This track data is obfuscated and confusing to figure out.
It's encoded in a weird way, and it has lots of extra bits and characters which mean different things.
So even though he had the credit card data, he needed to figure out how to encode it properly
to be functioning track 1 and track 2 data when it gets swiped.
I mean, just to give you an idea how weird this is,
track 2 data uses a 5-bit scheme. 4 data bits plus 1 parity bit. Now, with 4 data bits, you have 16
possible characters, right? But it's not hexadecimal. 0 through 9 are valid characters,
but then it uses colon, semicolon, greater than, less than, equal, question mark, and dot.
So yeah, figuring out how to get these characters written into the card properly is tricky.
But Cam wanted to figure it out.
So he started getting supplies.
Getting the blank credit cards
and the card reader is easy.
Anyone can buy this stuff on eBay
and even Amazon sells it today.
But the expensive and tricky part
is the software used to write the cards properly.
So Cam spent hours trying to turn his blank cards
into real usable credit cards. He'd
try a few different cards and write stuff on them and then drive to an ATM and swipe them,
but none were valid. And so he'd go home and try some different methods of writing the data to it
and then drive to the ATMs and try again. But it never worked. Machines always gave him errors.
Cam was getting pretty discouraged
about this and was about to give up.
Until one day, he put his
card in the machine and it recognized
it. And it asked him how much money
he wanted. And he asked for the
max amount of money and it just shot
out at him. It worked.
I used to always remember the kid off the movie
Terminator 2. Remember him pulling money
out of the ATM machine or whatever?
Draw three, zero, zero.
Bucks.
Come on, baby.
Come on, come on, come on.
Yes.
And some 20s flew out in the little tray.
So, I mean, the first time that happened, it was like, holy shit.
You're taking some numbers that basically just came off the internet.
You know what I'm saying?
From then on, cashing ATMs became a regular part of his routine.
But it didn't always work for him.
The encoding was still not right.
Something wasn't perfect.
When you go to do these pickups at Western Union and this one at the ATM,
are you wearing disguises or do you do it at night?
Do you have a trick?
No, I mean, no.
I would obviously wear like a hat and, you know, some basic stuff like that. But what I learned actually over the time is the cameras don't
really matter that much, especially if you're out of town. Now, the reason I say that is because
surprisingly, a lot of the times, I guess it's never reported. It's like how I was saying,
I'd go back to the same Western Union a lot. And the guy still to the day, at least right before
I got locked up, would still say, Hey to me, hey to me how you doing you know how's business going stuff like that and i mean over years
i picked up and also sent god knows how many like i used to send a lot of money to you know adam but
also pick up a lot of my so i don't know how many times i picked up and then with different names
all sorts of different names and ids and shit i mean he he still recognized me and would still
say hey how you
doing you know i mean it was but if you go to the same western union shop every day and pick up a
thousand dollars do they get suspicious no yeah right now no obviously you can't do that but i
will say this i went to tons of them over and over again and i would for whatever reason never hear
anything about it there was one in particular and i always thought it was funny because i've been in there with so many different ids so many different names
i had some bullshit story you know what i would throw it in there while i'm doing it you know to
kind of make it a little easier like you know to kind of smooth it over a little bit so it didn't
seem suspicious as to why i'm getting all this money a lot of it was like stories about outsourcing
web development to kosovo. It's bullshit.
Cam keeps getting cards from the guys in Kosovo,
but at this point he's experimenting with buying his own dumps.
But then he got his hands on one thing that would open up all kinds of new opportunities.
Actually, somebody came along on IRC and made a deal to me.
It turned out it was, I guess,
I don't know if you'd call it a scam,
but it was somebody being pretty slick.
Okay, they were selling a program,
and the program was called DC.exe.
Now, DC.exe was just a real simple little script that looking back at it,
I mean, it was compiled.
It wasn't a script,
but I mean, all it did was
had a couple simple functions, apparently,
to read an input file,
you know, and spit out an output file.
This was the magic software used to format the data so the MSR could write the track data to the card properly.
Kemp found out later it wasn't so magical.
But at that time, this was the missing element to his operation.
This would allow him to write stolen credit card data onto blank credit cards more effectively.
All it did was just do a couple little operations to the track.
You know, it added the tracks.
It automated the process, basically.
But at the time, everybody thought it came with a bin list of all the known bins to work with that program.
You know what I mean?
So you could put in the infile.
You could put a list of fish cards with the expirations.
And you'd run it on the outf file would be the generated track data, right?
Now, this dude offered to sell this to me for $1,500.
Hmm, tough call, huh?
Shady guy on an internet forum is offering to sell Cam a program called DCR.exe for $1,500?
I don't think I would buy that.
But Cam?
Well, I guess he thought in for a penny, in for a pound.
So he bought it.
And the software worked.
It encoded the track data onto the cards perfectly.
Now he's unlocked the next level.
He doesn't have to go to Western Union every time he wants to take money out of these cards.
Now he can just print some new cards out
and go to any ATM and get some money out that way. And there's so many more ATMs than there are Western unions
in the world. Not to mention, you don't have to interact with anyone at an ATM. It's just a
machine. And so there's no one that can detect you or spot your fake ID or anything. His possibilities
just exploded. And Cam rode that explosion. He printed up fresh stolen cards and would drive around to different ATMs,
just taking money out wherever he wanted.
It was kind of magical.
You weren't growing more nervous.
You were actually getting more confident and brave.
Right.
That's kind of what happened.
I guess just because you get a little more...
Like I said, man, it's nothing I really am proud of doing.
It's not something like bragging about or nothing,
but it's just kind of how it plays out.
And also there's kind of an element to it where on the forums and your
reputation on the forums and online and stuff to where you've got this
brand name,
you get to where you keep pushing it more and more because you want your
reputation better.
You know what I mean?
Or you don't want to let somebody down
that you're dealing with or whatever.
It got deeper and deeper
and drugs didn't really help.
He was now deep into the carding scene,
buying thousands of card details at a time,
printing them out on cards
and cashing them out at ATMs.
He had some people he knew
help him do some of the cash outs too.
He started buying his own card dumps online
so he wouldn't have to send half back to the guys in Kosovo. And actually, he just stopped dealing with the guys in Kosovo
altogether. He was getting involved with so many different things and trying to learn how to make
more money and be more efficient all at the same time. This was turning out to be a really profitable
little operation. At 18, Cam bought a new Jeep Cherokee. But one night he partied too hard,
got really wasted, and tried to drive home.
He ran off the road and wrecked it. He hardly remembers anything from that night. But soon
after that, he bought a BMW, and then later on he bought a Mercedes. He was riding high,
standing tall. At this point in the operation, Cam's system was pretty dialed in. He would buy
card details in bulk online and use different methods to cash them out. He was pretty self-sufficient.
But not all dumps are the same.
Good ones are harder to find.
So he decided to start stealing credit cards himself.
He found someone who would teach him how to fish.
And I mean fish as in P-H-I-S-H.
The guy was teaching him to send phishing emails
and getting people to click links
that they shouldn't be clicking.
And he gave Cam a list of people involved
in spamming and phishing.
It was like an instant messenger buddy list or something.
I mean, with a goldmine of contacts now.
If you were phishing,
this was the ultimate contact list
because basically it's got all the people
selling all the lists of email addresses, you know, targeted email lists, proxies for spamming, spamming tools, spamming software.
You know, I mean, everybody that's really serious into spamming, this is a good contact list for it, right?
Cam's phishing scam was to tell people they needed to update their account details on PayPal. The link would take them to Cam's website, which looked exactly like PayPal,
starting with the login screen,
and then it would ask users to update everything
in their account details.
First name, last name, address, phone number,
credit card number, expiration date,
and heck, you'd even ask for a date of birth
or a social security number sometimes too.
And then when they'd hit enter,
this little PHP script would save all those details
and send it to Cam,
but then redirect the user to the real PayPal website. So Cam was working with spammers and phishers to send
out tons of emails telling people they need to come check their account or their auction is ending
soon. Anything to get them to log in. And a certain percentage of people would open the email and
click on the link and go to Cam's fake site and enter their username and password. And with that, Cam would
have their logins to PayPal and eBay. Now, to run a scam like this, you need a web server to host
your fake website. And Cam had a clever trick for getting a website that wasn't linked to his name.
We'd just find some popular public exploit at the time from Apache or whatever it was,
and scan a bunch of ip ranges until we found some
automatically just exploit a bunch of little web servers or whatever that were just some
bullshit server somewhere that wasn't doing anything so it's interesting that you use
someone else's uh hacked server to do all that that's kind of a brilliant step basically
i had a little better edge on it and uh able to do a little better. And especially when we targeted some of the ISPs and stuff like that,
here comes this fucking train again.
You don't really know.
Jeez, man.
That thing to it.
Cam learned how to improve his phishing emails to get past spam filters and get a higher click rate.
He wrote a little program to randomize certain parts of the email to get them past filters.
But at this time, people in the carding scene didn't really know that much about fishing,
and people in the fishing scene didn't know that much about carding,
except Cam, who started learning both worlds.
I was killing it. I had a deal with a dude who was helping me spam.
At one point, I had like 10 dedicated servers pushing out like 700-something thousand emails an hour.
700,000 emails an hour?
Even if 1% of those people clicked the link,
that's 7,000 credentials he could get in an hour.
Kim felt invincible until the cops got involved.
Kim was in a little town in South Carolina,
on his way to meet his friends for a St. Patrick's Day parade.
He decided to work a bit before the parade.
He started going around to a few ATMs and cashing out.
Then Cam walked into a Circle K gas station wearing a hat and sunglasses.
He takes out one of his cards and puts it in the ATM at the gas station.
Out of the corner of his eye, he sees a cop walk in the door.
He sticks his stuff in his pocket and starts to leave.
I gotta leave. He's like, hey,
are you just gonna leave all
those receipts over there? There's a bunch of
ATM receipts sitting on the machine, but they weren't
Cam's, though. So I said, no,
but I'll, you know, I'll throw them away.
They're not mine. I'll throw them away. So I go throw them away
and go to leave again. He's like, no, hold on a minute.
He's like, hey, what are you doing?
You know, what are you doing?
Who are you or something? You know, he asked you doing? Like, who are you or something?
You know, he asked for an ID.
I gave him a fake ID.
Cam pulls out a Virginia ID.
And remember, they're in South Carolina.
The policeman starts telling Cam some story about how there'd been robberies in the area.
But as he's talking to me, I can see outside the door in the window,
there's a bunch of more cop cars pulling up.
So I'm already thinking, oh, shit, you know, this isn't good.
The cop keeps questioning him. or whatever, but I go to visit, go to my bank. I'm trying to find my bank because my friend told me my bank was over here.
I didn't want to pay the fee.
He told me there was a branch over here.
I got over here.
There's not.
So I just use this one.
He's like, well, where do you bank at?
I told him Fifth Third because I knew that there was no Fifth Third banks over there.
And he's like, no, they're not here.
You know what?
Anyway, I must say he was convinced apparently because he ended up telling me, all right,
we'll just get out of here.
Cam gets out of the store, but he's shook.
Instead of walking towards his car, he walks the opposite direction and just tries to get out of sight quickly.
He's just so paranoid that the police will follow him if he drives off.
So he leaves his car in the parking lot, chills out for a while, and then comes back for it later when the coast was clear.
He gets in his car and drives straight home, which was hours away.
He gets home and gets rid of anything that could connect him to criminal activity,
holograms, ID-making materials, and the MSR card writer.
Kem lays low for a while and just chills out.
And so we'll take a quick break right here.
But don't go away, because this story is only half over. security has never been more critical or more complex. And that's where Vanta comes in. Businesses use Vanta to establish trust
by automating compliance needs across over 35 frameworks
like SOC 2 and ISO 27001,
centralized security workflows,
complete questionnaires up to five times faster,
and proactively manage vendor risk.
Vanta helps you start or scale your security program
by connecting you with auditors and experts
to conduct your audit and set up your security program quickly.
Plus, with automation and AI throughout the platform, Vanta gives you time back so you can focus on building your company.
Join over 9,000 global companies like Atlassian, Quora, and Factory who use Vanta to manage risk and prove security in real time.
For a limited time, listeners get $1,000 off Vanta at vanta.com
slash darknet. That's spelled V-A-N-T-A, vanta.com slash darknet for $1,000 off.
Months go by and Cam lays low. Nothing happens though. Cam convinces himself it must have just
been a coincidence that that cop walked into that store. But that wasn't the end of Cam's legal problems. It's amazing to me what
actually got him into trouble next. Because even though he was engaged in serious criminal activity,
making fake IDs, it was a dumb teenage crime that got him. Underage drinking. When Cam was 18,
he got caught at a bar with a fake ID,
which gave him some legal trouble. This was the first time he had to go to court because of
something related to his carding and ID business. While he was handling his underage drinking
charge, local investigators were also trying to figure out who was cashing out on stolen credit cards at ATMs.
And some of the ATMs Cam used were at gas stations.
And one of the cashiers at a gas station saw the video footage of Cam taking money out of the ATM and remembered his face.
And later on, that cashier saw Cam in his car at a different part of town.
And so the cashier wrote Cam's license plate down and sent it to the police.
Cam didn't know it at the time, but an investigator had been on to him.
But that was in another state.
Since Cam was in Georgia at the time, the police couldn't cross lines to arrest him.
So they just kind of waited for Cam to make another mistake.
But Cam getting caught for underage drinking was the perfect opportunity for the police.
They showed up at court with a warrant for Cam, knowing that he'd be there.
And that dude was so pissed off.
That local investigator was so mad that cop let me go that day.
Like, he was pissed off.
He's like, dude, I almost had him fired for that. You know, he was yelling at me about it and stuff. They searched his house for evidence and found a few things that he didn't clean up.
How much did they think that you did?
How much did they...
They thought it was just what they found in my house and stuff.
They didn't think...
They found a bunch of receipts.
They found some more cash.
They found some more cards. And they didn't think anybody else was involved. You know
what I mean? They just thought it was me. And they never really got into where it was coming from
or anything. They just ended up indicting me for all the stuff they found basically at my house.
So while he had actually been carding thousands of cards, phishing millions of people, and robbing
banks all over the country, the police had only uncovered a very small part of the operation.
And so he was charged with financial card forgery
and had to serve 10 months in a county jail.
How devastated were you when you heard that sentence
that you were going to go to jail for 10 months?
It actually was a long time.
It seemed like forever then, you know?
Still, Cam was lucky because the police didn't find a lot of evidence
of what he had done
and only charged him with cashing out a few cards.
Compared to what he could have gotten in trouble with,
if the police only knew what he had been up to, 10 months was nothing.
The police thought he was just working alone, skimming a few credit cards.
And he was able to get out on bond pretty quick, actually.
But would this be enough of a slap on the wrist
to keep Cam out of the scene for good? Yeah, it was. At least for a little while.
But then he'd sometimes get reminded of the thrill of it all. He missed being able to buy drugs and
throw parties. He missed the lifestyle that his old money brought him. And so he got
back into it. I didn't quit. I didn't learn my lesson like an idiot, but I guess you could say
kind of hooked on it. When Cam got out of jail, he had nothing, no equipment, no cards, no numbers,
no computer, no money. The police seized everything. They even froze his bank account.
So one of the first things Cam did when he got out of jail was go straight to an internet cafe.
Remember his phishing operation before where he had hacked someone else's websites
and staged a fake PayPal login to capture victims' credentials?
Yeah, well, he remembered the FTP password to that site.
So he sat down and tried to log in.
His password worked that site. So he sat down and tried to log in. His password worked first try.
He was in the server and he looked around for the data. And sure enough, there were a lot of victim
usernames and passwords. Bingo. This would be all that Cam needed to get going again.
He'd use these people's PayPal and eBay logins to buy whatever he needed on eBay.
I carted some cheap web hosting, put the scam page on it, even carded an email list from
some other marketing supply company or something like that.
Carded some hosting for a PHP mailer, put it on there, spam some, got a few more cards.
Anyway, I came all the way back up from scratch from a fucking FTP login that I remember to
PayPal scam page.
Did a couple Western Unions, got a couple,
some more money back in my pocket.
All from, well, I got to say, a friend loaned me a couple cards
and I had that scam page.
Turned it into more cards and back,
all the way back into doing dumb shit, you know?
Kim used stolen information to get a new laptop,
a card writer, fake ID printer,
and went straight back to his old habits.
But I will remember
I ended up having all the
several, a bunch of the computers that were at
the cyber cafe.
I turned, I had
Darkmailer installed on all of them and were blasting
out spam. And I remember there were some kids
that would come play Counter-Strike
there. And
while I'm sitting there configuring,
Darkmailer on a couple of them
because I would just hide the process.
I remember hearing a couple of them
complaining about it lagging pretty bad.
So it's kind of funny
because it's probably because all the machines
were sitting there blasting out spam.
But hey, look, I think I got to right now uh because um i was supposed to be in
by eight but i just noticed i think it might be 7 30 sometimes depending on who's working and
nobody's out there yeah no problem all right so let's pick this up again next weekend like i said
i've had so many long conversations with cam to try to understand this whole story and to be honest
this story took me a long time to process and understand. In between our calls, I would read
through court documents and call up other people who knew him and look through the Wayback Machine
at some of the websites he told me about. As far as I can tell, this story checks out just as he
tells it. Hello? Hey. Were you standing in the yard again?
Yeah.
This train could still come back around.
Yeah, it will.
I'm sure of it.
Yeah.
How hot is it out there?
It's like 91 degrees.
Oh, man.
I hope we find some shade.
I don't really remember where we left off.
So you got arrested.
You lost everything.
Yeah.
And you had an FTP server.
And you were able to get into that.
So, I mean, here's the thing I don't get.
Is you just, I mean, you just freshly got arrested, freshly got out.
Why didn't this teach you a lesson?
Why didn't you stop then and say, okay, yeah, that's too dangerous.
I don't want to go back to prison.
You know, I'd already been living on my own,
and at the time, I needed some more money.
So it was just something I could do immediately
to kind of solve that problem.
And also, I was just young and pretty dumb.
You know, I mean, I didn't realize exactly
the extent of trouble that I was really getting myself into, I guess.
You know, also, I was doing a lot of drugs at the time, to be honest.
So, I mean, and also another thing is kind of like,
once you kind of make some of those connections, you know,
kind of like your reputation online, I guess,
that'll kind of draw you back too sometimes.
You know, it's like you don't want to let that reputation go or something.
I don't really know how to explain it, but I definitely wish that I didn't.
Cam had fully established himself once again. He was buying cards, cashing them out, and
making money right and left. He even took it further than he did before.
Now, at that time, I wasn't doing a whole lot of it myself. I had some other people
involved. I still would do things a little bit myself from time to time. You get to make
more of the money if you do it yourself, but also I guess it was kind of a excitement to it or something like that that kind of goes along with it.
Cam remembered how his old operation was going well. He was able to make fake IDs and get stolen
credit card data, but didn't like having to split the money he cashed out with people who gave him
the stolen cards. So this time, he wanted to figure out a way to steal the credit card data himself.
This would allow him to close the entire loop of his operation and maximize his profits.
And Cam was figuring out new techniques. He had a goal. He wanted to steal credit card information
directly from businesses who processed credit cards for customers. He had watched how others
had done it before him and jumped into the game. First is to identify businesses who process credit cards. Now, he didn't want to target big businesses because
they're typically more secure. If you want to keep your site from getting hacked, one thing you can
do is just make it harder for criminals like Cam. It's kind of like being chased by a bear, right?
You don't need to be faster than the bear. You just need to be faster than the other person who
you're running with. So Cam didn't even try big businesses. Too hard, he thought. But what about small
businesses, locally owned restaurants, barbershops, coffee shops, bakeries, stuff like that? They might
not have done a thing to secure their network. So targeting them might be easy, like grabbing
low-hanging fruit. He would drive around and find potential targets and go in and see if they had free Wi-Fi.
And if so, he'd sit down and connect to it.
One thing I'd do is we'd have somebody go to a business
and get the public IP address if they had free Wi-Fi or something like that.
Now I know that either that system or something close to it
might be their processing system, you know what I mean?
So now that IP, I'm going to scan that whole range.
Some small shops didn't separate their guest Wi-Fi traffic and their cash register system.
So while inside the shop, he could scan around for all the computers on the network,
find a machine that might be a cash register, and try to get into it.
Once we found like an IP range, use Nmap or something to scan
and find out what open ports were there.
Now one port in particular he was hoping that was open
was 3389 RDP.
That's the remote desktop port.
If this port was open,
it meant that cache register allowed remote connections to it.
Probably so someone can remotely connect to it
in case there's a problem with the cache register.
It's a lot easier to fix it if someone can just get into it remotely
versus having to send someone on site to take a look.
So this is what Cam was looking for, RDP open on cash registers.
And after visiting a bunch of stores, trying over and over,
eventually he got into one at a barbershop.
He found the computer that processed credit card transactions,
then accessed the software that handled those transactions,
and he grabbed all the credit card data that he could find
and started copying it over to his computer.
You know, it's a pretty exciting feeling.
It's kind of just a thrill, I guess.
You get on, your heart actually starting to beat a little fast or whatever,
you get a little nervous.
There's RDP brooding tools, so you could put in, actually starting to beat a little fast or whatever get a little nervous there's rdp
brooding tools so you could put in i can't remember there's like uh i think hydra was one of them
ah right hydra as a defender i hated hydra it was persistent relentless and scary here's what it
does hydra is a brute force password guessing tool it's free you can search for it on google
and download it and start using it in minutes. It'll try combinations of usernames and passwords to try to log into something.
But on top of that, it's able to do this on remote websites or computers. So you can tell it, hey,
try all the usernames and passwords on this website and see if you can get in. And Hydra
will try tons of combinations of usernames and passwords on that website and then tell you if it had any
successful logins. But it can also try logging into computers through RDP, the Remote Desktop
Protocol, which is exactly what Cam was doing. Once he got into a shop's network and identified
the cash register and found it had RDP open, he would unleash Hydra on it and try tons of
different passwords to try to log in. The default username on a lot of Windows computers is administrator.
So he was trying that username first with tons of different passwords.
In case you were wondering how to protect against Hydra, there are a few things.
First is to lock down who can access that computer over RDP.
It's never a good idea for it to be open to the whole internet.
Second, make sure passwords can't be easily guessed by using long, complex passwords.
Third, enable some kind of lockout mechanism or CAPTCHA to slow down or stop Hydra from being able to try a password again and again and again and again.
Well, as you can imagine, this worked on the barbershop that Cam had access to.
Hydra tried a bunch of passwords and eventually found one that worked.
Cam used that password to log into the cash register computer of a barbershop.
Then he started looking around for the credit card details of the customers.
It'd be set up to rerun the point-of-sale software in like a debugger.
So that way they can get, you know, scan through the memory address ranges and also look for something that matched Lund's algorithm.
That's a way to identify a credit card number.
Oh, this is interesting.
Lund's algorithm, spelled L-U-H-N,
is a way to check if a string or number is a credit card number or not.
Now, you might be wondering,
isn't the credit card software in the database where the cards are kept secure?
Like, isn't all that encrypted?
Well, yeah, sure, it is.
But Cam found a way around that.
See, for computers to process the card data, it has to read the card data. So in
the computer's memory is the credit card details unencrypted. You just have to know where to look
in the RAM to find it. Cam used a debugger to search the RAM, looking for strings that matched
Lund's algorithm. And if he found a hit, then he'd grab that, thinking it might be credit card
details. So if he found something in some of those memory ranges that it was, that particular
software was known to use or whatever, then it matched Lund's formula or Lund's algorithm
or whatever, then it would grab the rest of the track.
And, you know, the track data has a certain format.
So it begins with, I believe, a question mark, either blend.
No, it begins with a semicolon and ends with a question mark.
So basically anything in between that would be your track two.
So Cam set up a little program on the cash register computer to constantly look for new cards and then once an hour send them to his server.
So he was getting bunches of freshly stolen cards every hour.
Now, there was nothing that would really work as good as your own fresh stuff.
It was about the same as going and buying a base from somebody, but also
you have the added benefit of knowing exactly where it's at.
A base is a database
of stolen cards. But yeah, buying your
cards from other people, who knows how long
ago those cards were stolen, or how many other
people have used those cards illegally since then.
Having his own fresh database
that only he used was definitely
more profitable for Cam. Not only
were the cards more
valid on this list, but it cost him nothing to acquire them except his own time. So he might get
a few thousand cards by breaking into a small shop and stealing them. Okay, but actually driving
around trying to find open Wi-Fi's for shops and trying to break into their cash registers
was a tedious and time-consuming process. Cam asked around online what others
were doing, and someone handed him a special list. He got a list of IP addresses, which were
supposedly small shops like this. The list had thousands and thousands of IPs, all belonging to
small businesses. And the theory was that these shops had to be online to process credit card
transactions, right?
And it was probably a regular Windows computer which ran the software to process the cards.
But what happens if someone has to fix a problem on one of those computers?
They would need to either go on site to the shop and use the computer or set the computer up so that it's remotely controllable.
So Cam scanned the list of IPs
he got and found a lot of them were actually running RDP, the protocol that allows remote
connections to it. Now, I've already said don't do this. Don't stick a computer right on the
internet and open it up for remote connections using RDP. It just welcomes people like Cam to
start hammering on it, to try to get into it and pillage whatever's on there.
RDP should only be open to computers on a trusted network,
not from anyone in the world.
So now that Cam has this list of small business IPs with RDP running,
he then points Hydra to them.
And Hydra starts trying to crack the password
by trying thousands of different passwords.
But there was also a list he got with the default usernames and passwords for each of these point of sale systems, just in case they didn't bother changing it from the default.
He would point Hydra at one of these computers with RDP running and just let it run all night trying different passwords.
And remember, he's now doing this remotely over the internet.
He's not on their local Wi-Fi anymore.
And to do this, he's still coming from servers that he hacked into,
and they weren't even registered in his names.
So it would make it harder for authorities to track it back to him.
So with the combination of this magic list of IPs of small businesses,
finding which IPs were running RDP,
and then pointing Hydra at all those computers,
he was able to automate his hacking.
And so he'd check the server in the morning and see that Hydra had successfully found
passwords to a few systems.
And then he would remotely connect into that computer with the password he found.
And bingo, he's in a computer which is processing credit cards for a coffee shop, a restaurant,
a bar, a bakery.
And he'd find the software which was handling the credit card data, download all the credit
card data that was stored on it,
and then close the connection, and he just got a few thousand more cards to cash out with.
This was a big turning point in the whole operation.
He's now able to get tons of credit card details himself without having to buy them.
And when he pulls cash from them, he doesn't have to split it with anyone.
And now he's able to do this at scale at this point
cam goes full throttle and turns this into a 24 7 operation that would go two three four days
without sleep sometimes just monitoring different servers and making sure that i'm still passing
filters and things like that tweaking different messages and macros, you know, so that would wear you out.
And then also, believe it or not, obviously with the ATM stuff, you have to,
obviously you got to keep, you got to move around. You can't really just be in one spot.
All this work resulted in a ton of plastic credit cards that he could use at ATMs and
withdraw money. But to do this, he has to continuously keep on the move. Pulling a bunch of money from the same spot was too suspicious. So he would often go on a weekend
road trip to another state and do it a bunch of times and then drive back. And he'd sometimes even
fly out of town to do this work. He'd make a hotel reservation under a fake name and then ship his
equipment there. Then he'd fly out and spend a few days on the job hitting up dozens of atms all over town pulling
money out with credit cards i've got a stack of fresh ones in my left pocket now as i'm working
them i'm putting them in i'm running now usually i try to stick to certain machines even because
after a while you get to learn the different makes and models and you get to realize which
ones are on like a network or which ones are on a dial up and then also machines themselves have a limit so you're trying to do as much as possible
as quick as possible so you obviously prefer the network machines and you prefer uh the biggest
limit you can get on on the machine but also i didn't i wasn't a big fan of the ones that
were actually at banks so i would try to stick somewhere in between there so some of the smaller
private ones that are inside stores or you know different locations or whatever there was usually some
cheaper ones that were dial up and they're slower and they have maybe like a two or three hundred
dollar limit or there was some faster ones that had a five hundred or a thousand dollar limit so
you were able to kind of maneuver a little quicker. All right now you obviously can't stand at one
machine for like 20 minutes or 30 minutes or nothing right i mean that just it's pretty common sense but you want to be able to do the most in
the shortest amount of time i'd have a pocket full of them usually like i'd have like when i'd go up
to the machine i got maybe at least 10 of them on me now you know not all of them are going to work
you know especially as time went on that became the number that became a lot more and more of them were working, you know. But I'm going to put all, start with all in one pocket.
If one of them didn't work, I'd usually put that in a back pocket.
And if one did work, I'd usually take the receipt and the cash that came off of it,
wrap it around the card and put it in my right pocket.
How many ATMs do you think you would hit in a busy day?
Well, it's like, i guess some of it doesn't
really matter now which is like i get kind of paranoid like okay we don't have to get into it
but no it's it's cool like okay i'd say this doesn't really matter at this point because okay
the most we're talking pulling like 100 100 and some something thousand a day. You know what I mean? But you got to figure it got to where that's like 20% is my number.
Cash withdrawal limits restarted at midnight.
So he'd usually be up till then.
So he could cash out on that ATM twice.
And then he'd go back to his hotel, dump out all his cash on the bed and reorganize.
I usually spend two or three days at least doing it.
And then by the end of the third day or whatever, I've made a nice chunk of money,
but also I'm pretty worn out and sketched out and tired of, you know, dodging everything that comes along with that.
There's something hypnotizing about a large amount of money.
I can just picture Cam sitting on one of the beds in his hotel room,
staring at this pile of money on the other bed,
where the slow reality hits him that he did it.
The money is his, and it's real, and all the things he could buy with that.
But then the sudden jolt back to reality,
whenever he heard someone talking in the hall,
or a car door slam outside in the parking lot.
There's a lot of anxiety and stress that came with stealing a lot of cash like this.
How many cameras saw him on that trip?
Did anyone notice his face around town?
Were a trail of his fingerprints going to lead back to him at any moment?
The duality of simultaneously feeling rich and in fear gets to a person.
I did a lot of partying.
I did a pretty good bit of traveling, which some of it was to do with business, you know, or whatever, as far as this goes.
And drugs. I pretty much lived at four or five star hotels for a little while.
As far as different places, I was bouncing around between and cars, clothes.
What kind of cars did you have whatever um i've
had a couple mercedes i had a pretty nice bmw i've had some regular just like the trucks i told you
about you know just kind of like a regular day-to-day little truck or whatever um you know
different things like that but my favorite car was my bmw alpina it was a 2008 Alpina. It was a 2008 Alpina, which is like the B7.
It's like a special edition 745.
Tell me about the parties.
You know, it was...
What were some of the more exciting parties?
I had a New Year's Eve party
at the Intercontinental Hotel.
Basically, everybody I knew,
criminally or otherwise,
was there.
This is a suite that you rented? Yeah. This is like a presidential suite Everybody I knew, criminally or otherwise, was there.
This is a suite that you rented?
Yeah.
This is like a presidential suite at the Intercontinental.
There's a lot of drugs, drinking, and fun.
And a lot of girls.
Yeah.
Did you have like a DJ?
No, I didn't have a DJ there.
Can you take a guess how much you spent on that party?
Yeah, I spent about $15,000, $17,000, I think, on that party.
So, I mean, at that moment of your life, that was probably the peak of, peak excitement of it all, right?
You had the cars, you had the parties, you had everything you wanted.
What was life like for you? Were you totally, like, happy and satisfied?
No, you know what? To be honest with you, I couldn't say I really was, man. It was a lot of stress. There was times that it was great, you know, but also, like I said, I got pretty deep
off into some of the drugs and it kind of went up and down. It was really stressful, man. It's
not something I really want to go back to. Like, I guess it was kind of the only thing I knew for a while. I really just wish I had went a legitimate
route somehow in the opposite direction or something, you know, something that was something
that I could get the same thrill out of it, but in a different way where it wouldn't put me in
prison for 10 years or whatever. To be honest with you, it wasn't as much about money for me a lot of
times. I mean, that was like a good byproduct to begin with.
Money wasn't really my main concern or motivation.
It was partly, you know, obviously I needed to make some money,
but it was more about is this going to work and seeing if this would work
and, you know, actually seeing it work
and just kind of the thrill that came along with that
and just the excitement, I guess.
Also advancing up, like I said, the reputation thing.
For some reason, that was a big part of it as far as online goes.
But anytime, it seemed like almost every time something really good came along,
something came along that messed it up.
The beginning of the end for Cam started when he found a new forum, carter.su.
This was basically a marketplace for carters.
You could buy stolen credit card data here, track 2 data, fulls, bases, you name it.
You can connect with cashers, or you can ask questions and learn how to card.
It was kind of like a loosely based criminal eBay.
As it turned out, the feds had an eye on Carter.su, but the website
itself was bulletproof, meaning the server was hosted by a company somewhere in the world which
just didn't want to listen to U.S. law enforcement. So the feds couldn't seize it or shut it down.
So they had to wait. And they got lucky when the person who was running Carter.su moved the server.
For some reason, the people running the site were moving hosting providers. And so for a few days during this transition, Carter.su was moved into a server
in Dallas, Texas. And that's when the feds got a warrant for that website hosting provider in
Dallas. And they took a snapshot of the server, which gave them a list of all the users in the
database. The feds were able to go through the user database and look up email
addresses. Lots of people had signed up to the site using their normal email. Like, I bet the
police were just able to search LinkedIn with these email addresses and find a bunch of people
that way. In fact, a lot of people did get arrested from this carter.su bust. And I talk about carter.su
in episode 32 called The Carter, which is what Cam originally reached out to me correcting me on
a few things. But Cam had been careful on Carter SU. He registered as the user Kilobit, which he
didn't associate to his real name anywhere. It didn't seem like the feds had any leads on catching
Cam from this bust. Cam made an unrelated mistake, though. He partied too hard one night at a
Doubletree Hotel in Alabama.
He was staying there with a friend, and they were smoking weed in the hotel room,
but someone called to complain about the smoke. Cam got a knock on the door, and his friend
opened it. It was the police, and they made their way into the room.
Were you thinking like, oh shit, oh shit, oh shit?
Yeah, of course.
The police asked for their IDs, and Cam gave them a fake one, of course.
The one he actually used to reserve the runway.
I was pretty worried, but I mean, it kind of was like, you know, all of a sudden,
they were thinking I was the guy on the fake ID.
And when one of them found my real ID, they're kind of like, you know, who is this?
So I'm telling him, oh, that's me.
So they still haven't connected the two until he hears the other one calling a warrant check on the fake name.
He's like, well, if that's him, who's he?
You know, who's this?
Cam gets arrested and the Secret Service interviews him.
Now, you might be thinking, what the heck does the Secret Service have to do with this?
Aren't they supposed to be protecting the president?
Well, they do that.
But they also investigate financial crimes, too, like stolen credit cards.
And for some reason, they had a hunch that Cam was into more than just fake IDs.
This is the second time being arrested with a fake ID and the time before he was busted doing stolen credit card stuff.
So they investigated him further to try to figure out more.
One of them made a comment that, yeah, we talked to Washington and they know who you are.
Now, at the time, I'm thinking that, you know, they're just trying to scare me or something like that.
But it wasn't a bluff.
The police had confiscated Cam's computer and they found something very interesting on it.
When they booted it up, Kilobit appeared on the screen.
Cam had named his computer Kilobit.
And this was the same name he used on the Carter SU forums.
And the police knew about Kilibet for years.
The Secret Service in Las Vegas had been submitting reports about the alias, trying to figure out who was behind the name.
One of the things that kind of got me in a little more trouble was helping out a lot more in a lot of people's questions and advice.
You know, a lot of things like that.
I think that kind of made me more like a relevant person on that forum, in their eyes anyway.
And then just being around for a long time and people knowing generally who I was.
But Cam didn't know that then.
In his mind, he had just been caught with some fake IDs.
And he got out on bail.
And he was thinking he might get lucky a second time and just get away with a slap on the wrist.
But that fantasy started to crumble one day when he got a call from his brother. My brother calls me and tells me that Secret Service and Homeland Security had just left his house.
So I'm like, man, what?
I'm thinking, okay, they're looking for you, but they wouldn't tell me what it was about.
Cam was getting worried.
Now they're investigating his brother.
Now they have Homeland Security involved.
Cam had two phones, a normal one and a burner one for shady activity.
He noticed that he'd lost his burner phone.
So later that morning, he called a friend thinking he might have left his phone at his friend's house.
I'm like, hey, man, I think I left my phone at your house.
And he's like, yeah, you definitely did because Secret Service and Homeland Security was here this morning looking for you.
So, you know, now I'm starting to realize, well, it's kind of weird.
You know, they're not only in one city, but they're in another city several hours away.
Cam doesn't know what to make of this.
He starts getting nervous.
A few days pass and he keeps hearing about the indictment related to Carter SU.
But he convinces himself that he's clean and there's no connection between him and Carter SU that he left behind. Then, while reading a blog, he comes across a copy of the indictment with his name on it.
Kem calls his lawyer.
Now I call him, and I'm like, hey man, I'm indicted by the feds for the RICO Act in Las Vegas.
And he's like, well, how do you know that?
I'm like, because I'm reading about it on a blog.
He's like, well, you know, I'm like, there's a reading about it on a blog. He's like, well, you know,
I'm like, there's a copy of the indictment on the guy's blog, man. Do you want me to send it to you?
He's like, yeah, send it to me and I'll call you back. So I email it to him. He calls me back and he's like, yeah, if you go to court, they're probably going to be there to arrest you. So,
so I didn't go.
Cam gets a new ID, a new car, a new phone, and splits.
Well, I'm not going to officially say I went on the run.
For a month, he holds up in an apartment, too afraid to go out. He feels like the walls are
closing in on him and there's no place to go. Finally, he can't take it anymore. He goes outside
to get a haircut. On that day, some local cops pull him over.
Cam can tell right away that this isn't just some traffic stop.
They tell him to get out of the car and put his hands on his back.
And he gives the cop a fake ID.
They pat him down and put him in the back of the police car.
They ask him if he knows who Cameron Harrison is. I told him no.
I told him no.
You know, but, you know, I was just, you know, scared, obviously.
I didn't really know exactly what to do.
An unmarked car pulls up by the police car.
The police talk to the man in the unmarked car who comes over to Cam, holding a big, blown-up photo of Cam.
And they know exactly who I was.
I mean, from the minute I was in the back of the car, he asked, you know, who Cameron Harrison is.
And that was the end for Cam.
He went directly to jail, did not pass go,
and stayed there. They had quite a lot of evidence on him. They knew about all his activity on
carter.su because they had his computer too and all the equipment from his house. The prosecutors
knew he had broken the law, but they were trying to figure out exactly what he had done and how
bad it was. Helping criminals on forums is not that bad, but breaking into small businesses, stealing credit cards, printing them, and going town to town draining every ATM in sight certainly is.
Would the feds be able to figure out that he had stolen all these credit cards himself and done all that work?
You wonder just how much the courts knew about him.
Do you know how much you may have made from all this illegal activity?
Like in total, did you make a million dollars or more?
I mean, that's kind of a topic that isn't something I like to say a whole lot,
like, you know, in public or whatever.
But I guess you could say I did pretty well.
I lived very nicely for many, many years, which with no worries, I guess you could say.
I don't really want to put a whole number on it like that.
It was really hard for the police to sort out what they were dealing with here.
The roll-up of Carter.su identified a lot of criminals,
so Cam's indictment had 39 other people on it, including him.
Tons of people on that site were trafficking and cashing out on stolen credit cards.
Tracking every card, trying to figure out how much was stolen was a mammoth task for law enforcement.
But they came up with a number and decided that everyone on the indictment has to pay $50 million in restitution.
Because the feds claimed everyone was responsible for the group's activity.
How are you going to pay $50 million off?
That's a good question, man.
The $50 million was determined because the courts decided the entire group of 39 people had stolen
$50 million from credit cards. Because some of the people in the indictment were stealing the cards,
and some of the people were selling the cards, and some of the people were cashing out of the cards.
And that's why there's a lot of overlap. It's hard to determine how much this person did or that person did when really
it's when they got together collectively is when they were able to steal the most. The sentence
came down for Cam. They found him guilty of RICO. That's participating in racketeering influence and
corrupt organization. Because Cam had cashers himself and was making fake IDs for people to use
to pick up money at Western unions and ATMs, it meant he was organizing some of this, which means
harsher penalties compared to just taking part. He was found guilty and the judge sentenced him
to 115 months, which is nine years, seven months. He was able to get out after eight years and then
go to a halfway house.
And he still has to pay back that $50 million in restitution.
Prison gave Cam a lot of time to think about what he did.
At the end, I would have been a lot happier
probably doing something legitimate.
It wouldn't have been too much trouble
and I wouldn't have kind of tarnished my chances
of any of that as bad as I have now. I also wouldn't have been too much trouble and I wouldn't have kind of tarnished my chances of any of that as bad as I have now.
I also wouldn't have put a lot of people through a lot of stress that I wish I had as far as family and stuff like that goes.
Now at the time, you don't think about that as much when you're that young, I guess.
And also when you're in the middle of doing things like that.
But when you're sitting in prison for several years, you definitely do.
Cam went to prison in 2012 and he spent eight years in there.
Now he's out, or at least halfway out.
I called him while he was at a halfway house, but now he's living in his own apartment.
What are your future plans?
Well, I'm still working on that, but I'm hoping I can actually do something to kind of, you know know have more of a positive role the ultimate goal would
be you know and like the dream kind of outcome would be to somehow be able to use you know a
lot of the bullshit that i've accumulated over time a lot of different knowledge to something
beneficial in some sort of way but obviously i can understand trust would be an issue and i kind of
i guess um makes you realize how much of a waste
a lot of the quick money was you know it wasn't really it doesn't equal to happiness
a big thank you to Cameron Harrison aka Killab, for coming on the show and telling us your story. You can follow Cam on Twitter.
His name there is Cam Says This.
This show is made by me, Jack Recyder, where the only cards I trade are Magic the Gathering cards.
This episode is produced by Alana Strauss, who's always checking her shutter speed.
Sound design by the marvelous Andrew Merriweather.
Editing help this episode by the mini-boss, Damien.
Our theme music is by the space traveler
Breakmaster Cylinder. And even though I keep getting in trouble for placing realistic plastic
snakes under the data center floor tiles, this is Darknet Diaries. We'll be right back.