Darknet Diaries - Ep 23: Vladimir Levin
Episode Date: October 1, 2018When banks started coming online, they almost immediately started being targeted by hackers. Vladimir Levin was one of the first ever known hacker to try to rob a bank. He succeeded a little,... and failed a lot. Vladimir would go down in the history books as one of the most notorious hackers of all time because of his attempted online bank robberies.
Transcript
Discussion (0)
For over 200 years, bank robberies have stayed relatively the same.
You'd have to go into the bank itself, demand the cash, often with violence,
grab what you can, and get out of there.
But as banks started coming online and being digitally connected to each other,
a whole new way to rob a bank started happening.
This is the story of the first online bank robbery.
These are true stories from the dark side of the internet.
I'm Jack Recider.
This is Dark by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive, it's endless.
And it's not a fair fight. But I realized I don't need to be fighting this alone anymore.
Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes
personal information from hundreds of data brokers websites and continuously works to keep it off.
Data brokers hate them
because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they
immediately got busy scouring the internet for my name and gave me reports on what they found.
And then they got busy deleting things. It was great to have someone on my team when it comes
to my privacy. Take control of your data and keep your private life private by signing up for
Delete.me. Now at a special discount for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries
and use promo code darknet at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries
and enter code darknet at checkout.
That's joindeleteme.com slash darknetdiaries. Use code darknet at checkout. That's join, delete me.com slash darknet diaries.
Use code darknet.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there and I can vouch they do very good work. If you want to improve the security of your
organization, give them a call. I'm sure they can help. But the founder of the company, John Strand,
is a teacher and he's made it a mission to make Black Hills Information Security world-class
in security training. You can learn things like penetration testing, securing the cloud,
breaching the cloud,
digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes
do not need to be expensive,
and they are trying to break down barriers
to get more people into the security field.
And if you decide to pay over $195,
you get six months access to the MetaCTF Cyber Range,
which is great for practicing
your skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com
to learn more about what services they offer and find links to their webcasts to get some
world-class training. That's BlackHillsInfosec. dot com. Blackhillsinfosec.com.
In the early days of the internet, there were a few different competing internets.
There was ARPANET, TELANET, TIMNET, and some others.
Each one of these networks spoke a completely different protocol.
People, machines, and computers on TELANET could not talk to people, machines, and computers on the internet.
They both kind of had their own ecosystem. machines and computers on Telenet could not talk to people, machines, and computers on the internet.
They both kind of had their own ecosystem. There might be a few computers that could connect to both networks at once, but those bridges and connections were rare. One of these early
competing networks was Telenet. This is different than Telnet. Telenet was a full-blown network,
kind of like its own internet. And it used a completely different protocol than the internet.
It used what's known as the X25 protocol to communicate between two systems. The internet
at first was only available to governments to connect to. The Telenet was the first public
available network, so it began picking up in popularity. By 1980, Telenet was available in
seven major cities, and U.S. phone companies had set up over 1,000 network switches to route packets around the US. Another reason why this X25 protocol became popular was because it was
free to connect to this network. All you needed was a modem and a phone line. You didn't have
to pay any ISP fees. Just dial into one of the switches and away you go. From there,
you can get to any system that's also on the Telenet network. Large companies started connecting
to this network to be able to communicate between branches.
Companies such as Apple, Dun & Bradstreet,
Westinghouse, Boeing, and Sprint
were all connected to this network.
In fact, Sprint saw a big future in Telenet
and actually acquired it themselves,
renaming the whole network from Telenet to Sprintnet.
And Sprintnet continued to grow in popularity,
connecting a dozen more states by the 1990s. Getting around on Sprintnet. And SprintNet continued to grow in popularity, connecting a dozen more states by the
1990s. Getting around on SprintNet was not as easy as just googling and finding what you're
looking for. It was mostly bulletin boards. You would read about a certain bulletin board in a
magazine or from a friend, dial into SprintNet, set your parameters on your modem, and type in
some numbers and commands at the command prompt, and if you're lucky, you'd get to the bulletin
board. Which is kind of like an online forum. It was a simple and crude way to exchange information across the country.
SprintNet was not user-friendly. It took a lot of practice and patience to not only connect to it,
but then also find anything remotely interesting once there. The internet today has billions of
users and millions of websites, but SprintNet in the 90s only had a few thousand servers connected
to it. It was kind of a ghost yards only had a few thousand servers connected to it.
It was kind of a ghost yard, unless you had something specific you needed to do.
Going around at that time was an online magazine called Frack. By 1993, there were already 41 issues released, and each issue outlined numerous new hacking techniques and helpful information
for hackers. Frack is the longest running online hacker magazine
and still is kind of releasing issues today.
In March of 1993, issue 42 of Frack was released.
And in this issue, there was a massive listing
of all known SprintNet numbers.
There were details on how to connect to all of them
and what each system might be.
It broke it down into sections of states
or companies connected to SprintNet,
such as numbers to dial into Apple, Westinghouse, and a bunch of numbers to connect into Citibank.
Citibank is a major bank in the U.S. and headquartered in New York City. This issue
of Fract told you the online location of 363 different Citibank computers. Citibank used
SprintNet to communicate between their major offices and other banks that
were connected to it. The Citibank offices were in Singapore, Manila, Tokyo, New York, Milan, Paris,
and they were all connected over SprintNet. And these systems were Unix systems, Vax computers,
Dex servers, mail servers, and more. And Frack had just unveiled the addresses of all these systems
at Citibank. It kind of looked like a phone book or
a directory listing. It was the area code and then a one to four digit number, which was the network
address. This was just a map of what was out there, and it didn't actually tell you how to hack into
any of it. So a couple of hackers in St. Petersburg, Russia took notice of all these Citibank systems
and began dialing into them. Their goal was simply to find
if any of the Citibank computers were connected to the internet so they could go through Citibank
to get onto the internet. Because at that time, it cost to connect to the internet, but it was free
to connect to Sprintnet. So the hackers just wanted to find a free way to get on the internet.
The two hackers spent a lot of time scouring the Citibank's network, connecting to one number after
another,
learning what's there and seeing what you can do once you get there.
For over a year, they kind of poked at it, but didn't really find anything interesting.
Most connections simply wouldn't let you do anything at all or were password protected.
But these two Russian hackers kept at it,
connecting to these nodes over and over, trying to see if there's anything new there.
One day, one of the systems that normally asked them for a password was wide open.
Someone had used that computer and forgot to log out.
On these old systems, you could sort of ride in on other people's logins.
A hacker quickly tried to see if their access would allow them to see the password.
And sure enough, it did.
Sitting there in the config file was the username and password in clear text.
There wasn't great security in 1994, so this was something you'd see sometimes.
But once the hacker got one known password, they were able to get more passwords.
They scanned all 363 Citibank nodes to see which ones they could log in with,
with these new passwords.
Before long, these two hackers had gained access to numerous Citibank devices.
And from there, they were able to map out a large portion of the Citibank network.
And eventually, the hacker found a device in Chile that was connected to the internet.
They were now able to dial into that system and get to the internet for free,
without having to pay for America Online or CompuServe or whatever it was at the time.
This satisfied one of these Russian hackers, but the other dug deeper. And his name was Bakazoid. Bakazoid was fascinated with all
the access they gained to Citibank's network and couldn't let it go. He would connect to some and
watch what people did on there and try to take a guess at what each of the computers was for.
He eventually found his way onto a computer that looked like it was used to transfer money.
Operators of this machine would log in, type in the bank, a bank account number,
the amount to transfer, and away the money would go.
This was amazing.
Buccazoid had discovered the exact place and commands and logins needed to transfer money
from one bank to another.
But he also noticed this computer logged everything.
Every command, every connection, and every transfer that was done.
And he believed these logs would probably have been printed out every day and put on
a shelf for long-term reference.
At that time, Citibank was processing half a trillion dollars a day through these systems.
Even though there was a lot of logs, a rogue transfer might go undetected.
But Buccazoid and his hacker friend did not take that chance.
Instead he told another computer guy in St. Petersburg named Vladimir Levin what he found. Vladimir was very interested
in what Buccazoid found and gave him $100 for all the information on how to connect,
usernames and passwords, which systems to connect to, and how to do the bank transfer.
This kind of freaked out Buccazoid and his hacker friend, so they disappeared from the
Citibank network, thinking it was too risky to hang out there now that Vladimir knew their secret.
The story of Buccazoid and his hacker friend in St. Petersburg may not be true. These hackers have
never been found, and hackers like this don't like telling their stories, but there was one
Russian blog post about this, and so that's all I'm going by. But this story makes a lot of sense
to me because it matches a lot of other details that were going on at the time. Like I confirmed the Citibank codes were
actually published in the Frack Magazine at that time and a few other things. But what we do know
for sure is that by that summer of 1994, Vladimir Levin in St. Petersburg, Russia, had everything he
needed to make a rogue money transfer out of Citibank.
Vladimir was 30 years old, living in St. Petersburg, Russia, and he was really into computers.
PCs were just becoming a thing at this time, and Vladimir would put computers together for people and deal with computer parts. He also had a day job where he'd work for a software company,
but he had a bit of a dark side to him. Perhaps it was because of growing up and seeing the lawless side of Russia. Whatever it was, he wasn't afraid of hanging out
with some rough guys or stealing some stuff. Vladimir checked his access to the Citibank
computer. He went to work, where the good computers are. He dialed in to SprintNet.
He logged in to the Citibank cash management system and confirmed he could type commands
in it. All he would need to do is
type a few keystrokes, hit enter, and the money would be transferred to wherever he wanted.
He knew this was a big deal and didn't want to transfer the money to himself right there in
St. Petersburg. So he met up with a friend who agreed to go to Finland and they'd send the money
there. The friend arrived in Finland and stood by waiting for Vladimir. Vladimir went to work, fired up his computer, dialed in a sprint net,
logged into the Citibank computer, and typed in the commands to transfer some money to Finland.
And hit enter. The computer accepted the commands and the transfer was complete.
Vladimir called his friend in Finland and told him to withdraw the money. The friend went to the bank and sure enough there was a brand new $400,000 in his account. He withdrew
all $400,000 and got out of the country. The excitement of stealing this much money gave
Vladimir wild dreams. This was easy. This was way too easy. He wanted to do it again and again
and started thinking up ways to conduct the next one.
But on the other side of the globe, in New York City, this transaction raised alarms.
The Citibank IT staff noticed this, but they were too slow to react to stop the transfer.
The VAX computer that their cash management system was on logged every transaction,
and this one triggered an alert. This was a lot of money, so Citibank quickly called the FBI.
I called the FBI too, so we can get the inside scoop to this story.
I'm Steve Garfinkel. back home from a summer trip.
He had a long drive on his hands.
He was willing to talk to me on this car ride.
We talked about podcasts we listened to.
And computer problems.
But of course, I was fascinated you know, Citibank.
When I started this, the FBI definitely did not have a cyber division.
You know, there were no computer squads.
So, yeah, so I was not a computer expert by any means.
You know, for me, it was a lot of, you know, on-the-job training.
You know, my role was not so much as to figure out the kind of the bits and the bytes as to what happened, but to, you
know, what every FBI agent does, which is you gather evidence that's going to be used in a
prosecution. The technical parts to this were all handled by Citibank. They had an IT department
with a great system in place for detecting fraudulent transactions.
And they would give this information to Steve at the FBI.
They were basically monitoring their system and they knew when a bad transfer was happening.
Citibank's ears were perked up, waiting for the next alert.
They knew exactly how to detect a bad transfer.
And now they were ready to call the FBI the moment they detected it.
So what we started doing at that point was kind of trying to,
you want to kind of identify who the bad bennies are,
because the bad guys are going to want to take the money out.
A bad benny or beneficiary is a receiving bank that the money is fraudulently sent to.
The FBI was poised and ready for this to happen again.
Back in St. Petersburg, Vladimir had a friend who was a neurosurgeon, but this guy found out he could make more money as a computer
distributor than a brain surgeon, so he switched to doing that instead. And Vladimir knew this
neurosurgeon computer distributor and told him about the money transfer that he knew how to do.
The neurosurgeon was connected to some shady guys and knew just who
could help. He introduced Vladimir to a few guys from the Tambov gang. Now this is a gang out of
Tambov, Russia, who are ex-wrestlers and they turned into regular street thugs.
The gang was rough. Picture your average mafia style gang. They'd go into businesses and threaten
the owner with violence unless they'd pay the gang a commission. And in exchange, the gang would watch over the businesses to make sure nobody else would rob the place.
This is known as a protection racket, and the gang was making a name for itself,
clashing with other gangs, taking over new territories, and leaving a trail of blood wherever it would go.
Vladimir met up with this Tambov gang, asking for help to go around the world and collect money from these bank transfers.
Tambov gang agreed to this plan and would finance the people to fly to foreign countries,
set up bank accounts there, and collect the money and fly back. The plan was in place,
and the next chapter was about to begin. The Tambov gang sent someone to Argentina,
opened a bank account there, and gave Vladimir the bank account number. Vladimir went to work, turned on his computer, connected to SprintNet,
logged into the Citibank computer, and typed in the commands to make the transfer.
And the money was deposited in the bank account in Argentina.
But Citibank caught this transaction immediately.
The bank was monitoring their system.
We knew that there was a bad transfer going to this bank.
And the FBI was able to notify the bank in time to freeze the account. When that member of the Tambov gang went to withdraw the funds, the account was frozen and he couldn't get it out,
so he quickly left the bank. It all happened too fast for the Argentina police to catch them.
The mission was a failure for Vladimir and a success for Citibank. But this wouldn't slow
him down at all.
Vladimir quickly set up another attempt with the Tambov gang.
This time in Israel, Vladimir went to work.
And transferred a large amount of money to this accomplice in Israel.
Citibank detected this bad transfer right away and notified the FBI.
And the Israeli cops arrested a guy by the name of
Alexei Lashmanov. Another failed transfer for Vladimir. Vladimir wasn't sure how these banks
were detecting this. He thought he just caught a couple bad breaks. by SpyCloud. With major breaches and cyber attacks making the news daily, taking action on your
company's exposure is more important than ever. I recently visited spycloud.com to check my dark
net exposure and was surprised by just how much stolen identity data criminals have at their
disposal. From credentials to cookies to PII. Knowing what's putting you and your organization
at risk and what to remediate is critical for protecting you and your users from account Thank you. about your company's exposure from third-party breaches, successful phishes, or infostealer infections,
get your free Darknet Exposure Report at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
Vladimir worked with the gang to coordinate another attempt.
This time, a guy named Yevgeny Korlikhov would travel with his wife to San Francisco
and open up numerous bank accounts there.
The plan was to do multiple bank transfers to see if any of them would go through.
Yevgeny set up five bank accounts in San Francisco and was ready for the transfers.
But for some reason, he wasn't able to wait around.
He left the country and went back to Russia.
But he left his young wife,
Katerina, behind to withdraw the money. Vladimir got the bank account numbers and went to work.
The transfer was complete and they notified Katerina.
She went to the bank to withdraw the money.
At that point, you know, the bank was monitoring their system. We knew that there was a bad transfer going to this, one of the, I think it was Sumitomo Bank in San Francisco.
She came in to make a withdrawal and they said, oh, something's not right.
You'll have to come back tomorrow to pick up the money.
We make the withdrawal. And when she came back the following day,
FBI San Francisco office was waiting for her and arrested her.
When the FBI agents searched her apartment in San Francisco,
her bags were already packed and there was a one-way plane ticket to Russia.
But instead of going back to Russia, she took a one-way trip to New York City,
where she would sit in a jail and await her trial.
She was going to go to trial.
Just before trial, she agrees to cooperate.
She calls her husband in Russia.
She apparently was really mad at her husband for leaving her behind and getting her in jail.
And she demanded he come back
to help get her out.
One FBI agent said
that she practically read him
the riot act over the phone.
And we convinced her husband
to, over the phone,
to cooperate with us.
This was a stroke of luck
for the FBI.
The guy who got arrested in Israel
got a nice private lawyer,
but Katarina had a public defendant. so her husband got real mad about this and wanted to
come out and help her. But once Evgeny agreed to cooperate, the FBI was able to convince him
to call Vladimir Levin on the phone. We convinced him, this is all over the phone,
New York to Russia, to call Levin while we're listening to the call. It's a three-way call.
Levin doesn't know this, but... So Korokov and Levin speak,
and, you know, we basically get Levin admitting to the whole scheme.
So now the FBI has their proof of who is behind this case
with a name and location.
This would be enough evidence to begin going after Vladimir.
But we get an arrest warrant for Levin. But we have no extradition agreement,
you know, with the Russians. The Russians aren't going to arrest Levin.
You have Jenny Korlakov flies from Russia to New York to come help his wife and to turn himself in.
Steve and the FBI team were waiting for him at the airport. As soon as he boards the plane,
the FBI move in to arrest him,
but he has something that totally surprises the FBI.
He brought his six-year-old daughter.
So he shows up at the airport with the girl,
and I'm like, what the f...
Nobody said anything about them having a daughter.
The FBI is totally flabbergasted on what to do about this girl.
But to top that off, the immigration officer is refusing to allow Korolikov and his him into the country. And I'm standing there in immigration. They couldn't care less.
Me being an FBI agent, and this is a witness.
And then I look at the guy's name tag,
the immigration guy.
It's a guy I went to summer camp with
when I was a kid.
And he's like, oh, Steve!
Yeah! No problem!
He's like, yeah, he can come in the country.
Yeah, it was nuts! So Yevgeny and
Katerina both get locked up in jail. Steve took the six-year-old daughter around with him until
he could figure out what to do with her. We weren't in the office, really. She was in the office,
I think, for a short amount of time. We were just kind of driving. And then at some point,
the kid got car sick and she puked in the back of my brown Vic. That's another couple of hours Eventually, Steve got the mother out on bail
and got some informant funds to help them out.
The mother couldn't leave the country
because she was needed to cooperate with the case,
but because of this kid, Steve helped them out. Getting an apartment? Not only that, I got an apartment. Plus, I got it registered in
school and a vaccine. Well, they won't register the kid unless they have vaccine. I mean,
I should have gotten an award for being a social worker that day. It was crazy.
At this point, Vladimir strikes again, this time transferring $1.5 million to a bank in
Rotterdam in the Netherlands.
Quickly, Citibank called the FBI.
I mean, the first thing they did is call the bank, say, hey, you got a million and a half
dollars going there.
It's a bad transfer.
You know, and they at the same time were calling the cops and getting everyone on board.
The Dutch police arrested the name Anatoly Lysenko,
the guy who was arrested in Holland picking up money.
He thought he was going to pick up $1.5 million in a bank in Holland.
And he got to the bank, and the Dutch cops were waiting for him.
And they locked him up I traveled
to Holland, I interviewed him
while I was there and
you know he denied everything
made up some story, he was picking up
some money for somebody
he didn't know it was stolen funds
anyway we end up, he waves
extradition, waves extradition came to the US and then when we end up, he waves the expedition, waves the expedition, came to the U.S.,
and then when we went to interview him in the U.S., he said, well, first of all, my name is not
Anatoly Lysenko. My name is Vladimir Voronin. And then he kind of tells us the whole story.
Back in St. Petersburg, Vladimir Levin continued to attempt to do money transfers.
In the course of the next six months, he conducted dozens of transfer attempts,
totaling over $10 million.
All attempts were foiled by Citibank and the FBI.
The FBI was getting closer to finding Vladimir, but because he was in Russia,
the police there wouldn't cooperate entirely with the FBI to arrest him.
But the FBI did tell the Russian police they're looking for him.
It turned out when we did that phone call
between Karloff and Levin
and we were kind of listening in,
the Russian cops were listening in too.
The Russian police were tracking the Tambov gang,
which led them to Vladimir.
So they were listening in on a call,
looking for information on what the next crime
might be committed in Russia.
So they tipped us off when Levin was leaving the country.
Levin was flying from St. Petersburg to Holland.
I'm not sure if it was where in Holland, Amsterdam or Rotterdam, probably.
But he was, he had to change planes in London.
And he was flying through Stansted Airport.
When Steve and the FBI got this tip, they immediately called the UK police,
who were able to quickly go to the airport and find Vladimir waiting in the lounge and arrested him.
Vladimir was held in UK police custody and put in jail.
But Vladimir was denying the involvement in the whole thing,
saying he had nothing to do with the hacking and claiming complete innocence.
This made the FBI wonder a little if they had the right guy.
The only evidence they had was a phone call between Korolikov and Vladimir,
where Vladimir was admitting to it.
The Russian cops arrested a bunch of people who were kind of part of this Tambov gang, and they seized
a bunch of computers from Levin that were from that business.
I went to Russia, and we did a search of those computers.
I went over there with a guy who was an FBI agent who was a forensic examiner.
We basically found the smoking gun stuff on that computer.
So we know that was the computer they were using
to kind of hack into the bank.
And then when we found that kind of smoking gun stuff
on the computer,
it was in the police headquarters in St. Petersburg,
and it was about 11 in the morning,
and that precipitated
a big celebration.
I have to say, at the end of that day, I don't think before that day or after that day, I
have never drank as much vodka, and it was a huge celebration. We were drinking vodka, eating pickles.
It was actually a very crazy day.
We ended up going to a party somewhere that night.
It was really, nobody answered the bell the following morning,
to put it that way.
So now the FBI felt confident they completely busted this crew up. They arrested the
main hacker involved, seized the computers that were used to do this with, and arrested four
members of this gang. And Vladimir Levin was still being held in a jail in the UK. At some point,
I actually, we went to England, I went to London, we had an extradition hearing.
After being held for 30 months in UK jails,
Vladimir Levin was extradited to the U.S.
During his trial in the U.S., after he saw the amount of evidence they had against him,
he pled guilty and explained and admitted to everything.
Vladimir Levin attempted 40 fraudulent money transfers,
totaling $10 million.
He was able to successfully steal $400,000, and that was before the FBI got involved.
And neither Citibank or the FBI could recover that $400,000.
It's believed that money was used to purchase guns and weapons.
Vladimir was sentenced to three years in prison.
But the 30 months that he was being held in UK jails
counted towards this
so he only had to serve less than a year in US prison
and he was also sentenced to pay back $240,000 in restitution
I have no idea what happened to him
I heard at one point that he went to
he was in Eastern Europe
not in Russia
he was in Prague
and I had heard he had been killed I don't know if any of that's true He was in Eastern Europe, not in Russia. He was in Prague.
And I had heard he had been killed.
I don't know if any of that's true.
I have no, I'd be kind of curious as to whatever really happened to him.
I wasn't able to track down what he's up to either. He probably changed his name after this because Vladimir Levin went down in the history books as one of the most notorious hackers of all time. And that's because he was the first
known online bank robber. Vladimir didn't use a gun or a mask or even a note. He did the whole
thing from across the world. So in 1994, this was a really big deal. And being the first in something
like this will often make you famous. Since this incident, the world changed.
More crimes started being conducted online.
About a year, year and a half later, the FBI formed its first kind of computer crime squad.
There was one in San Francisco, there was one in D.C., and we formed one in New York.
And I ended up on that squad.
You know, every crime now, digital forensics are involved.
I mean, even if you talk to any kind of homicide investigator,
both homicides now are key evidence found in a digital form.
And that's really the, I think, a huge change in law enforcement.
You look at any kind of crime out there, any kind,
and it involves digital forensics.
It's amazing to witness firsthand the digital transformation
our world went through in the last 30 years.
And we were here for it.
Generations from now, we'll look back on the 1980s
and think it was just so primitive and crude.
Computers and the internet have changed every one of our lives
in almost every way.
How we meet friends, how we order food, and how we go to school,
and how we solve crimes, and even how some people rob banks.
You've been listening to Darknet Diaries.
Please consider donating to help support this show by visiting darknetdiaries.com slash donate.
It really helps a lot.
The show is made by me, the Karate Skid, Jack Recider.
And the theme music is made by the Masked Breakmaster Cylinder.