
DarkMarket

How Hackers Became the New Mafia

In this fascinating and compelling book—a must-read for anyone who owns a computer—Misha Glenny exposes our governments’ multi-billion-dollar war against an ever-morphing, super smart new breed of criminal: the hacker.

The benefits of living in a digital, globalized society are enormous; so too are the dangers. We bank online, shop online, date, learn, work, and live online, but have the institutions that keep us safe on the streets learned to protect us from the deadly “new mafia” of cybercriminals? To answer this question, Glenny offers a vivid examination of the rise of the criminal hacking website DarkMarket and its ultimate fall. Along the way, he presents alarming and illuminating stories about both the shadowy individuals behind its scenes and the organizations tasked with bringing them to justice.

“[An] engaging tale of cops and robbers in cyberspace.” —San Francisco Chronicle

“An eminently readable, witty narrative that sustains suspense until the very last pages.” —The Wall Street Journal

“Misha Glenny tells us that cyber crime is right here and has been for years—hiding in plain sight. . . . Required reading.” —The New Yorker

“A truly remarkable story. . . . Magnificent.” —Financial Times

“This extraordinarily powerful book demonstrates how utterly we lack the shared supranational tools needed to fight cybercrime.” —Roberto Saviano, author of Gomorrah
1
AN INSPECTOR CALLS

Yorkshire, England, March 2008

The Reverend Andrew Arun John was in a minor state of shock one morning in early March 2008. Hard to blame him. Not only had he just survived the long journey from Delhi in cattle class, but it was two weeks before the opening of Heathrow’s new Terminal 5, and the world’s busiest international airport was exploring new standards in passenger misery. His flight had left India around three o’clock in the morning and, after negotiating passport control and the baggage mayhem, he still had to face a four-hour drive north to Yorkshire.

Switching on his mobile phone, Reverend John saw he had an inordinate number of missed calls from his wife. And before he’d had time to call back to ask her what the fuss was about, she was ringing again. She told him that the police had telephoned several times and were desperate to get in touch with him. Taken aback and confused, the Reverend replied sharply to his wife, saying that she was talking nonsense – though he regretted his tone almost immediately.

His wife, happily, chose to ignore his grumpiness. Clearly and calmly, she explained that the police had wanted to alert him to the fact that somebody had broken into his bank account, that this was a matter of urgency and that he should ring the number she had for the officer in charge as soon as possible.

His wife’s call unsettled the Reverend still further and his weary brain went into overdrive. ‘Who has broken into my account?’ he wondered. ‘What account? My Barclays here?’ he speculated. ‘My Standard Bank account in South Africa? Or my ICICI one in India? Or maybe all three?’ Even more puzzling: what did she actually mean? ‘How have they broken into my account?’

Coming so soon after his exhausting flight, the whole affair made the Reverend anxious and edgy. ‘I’ll deal with this later when I get to Bradford and after I’ve rested,’ he muttered to himself.

Bradford is 200 miles north of Heathrow Airport. Sixty miles due east of the city lies Scunthorpe, where Detective Sergeant Chris Dawson’s small team was nervously awaiting the Reverend John’s phone call. The officer began to feel he was sinking in the quicksand of a case that he suspected was very big, and which presented him with one seemingly insuperable problem – he couldn’t get his head round it. The evidence gathered so far included hundreds of thousands of computer files, some of which were large enough to hold the complete works of Shakespeare 350 times over. Inside these documents lay a planetary library of numbers and messages in a language that was effectively indecipherable to all but a tiny elite around the world who are trained in the arcane terminology of cybercrime. DS Dawson may have known nothing about that novel and particularly rarefied branch of criminal investigation, but he was a first-class homicide officer with many years of service behind him. He could detect among the endless lists and number strings an agglomeration of sensitive data, which should not be in the possession of a single individual.

Yet as police officers in many parts of the world were discovering in the first decade of the twenty-first century, it was one thing to stumble across an information trove like this. It was quite another attempting to link it to a specific crime.

If DS Dawson were to persuade a magistrate in the sleepy town of Scunthorpe on the Humber estuary to place his suspect on remand, then he needed to show crystal-clear evidence of a specific crime. Furthermore, there was always a fair chance that he would be presenting said evidence to a doddery old circuit judge who might have difficulty using a TV remote, let alone accessing email. Convincing wasn’t sufficient – the case had to be watertight and simple enough for anyone to understand.

Time was dribbling away. The suspect could only be held for three days and two of those had already passed. Among the files, figures, weblogs, chatlogs and who-knows-what-else, Dawson had only one tiny scrap of evidence.

He stared at the fifty words on a sheet of A4. These included an account number, 75377983; the date the account was opened, 24/02/2006, along with the account balance, £4,022.81. But there was also a name on it: Mr A A John; an email address: STPAULS@LEGEND.CO.UK; a physical address: 63 St Paul’s Road, Manningham, Bradford; a corporate sign-on ID and, crucially, a corporate sign-on password: 252931.

If he could just confirm the account holder’s identity, and if that man were to state that he had never knowingly divulged his password, then Dawson would probably be able to persuade the judge to send the accused for trial and refuse bail. And that might just buy enough time for the Detective Sergeant to comprehend exactly what he was dealing with.

When Dawson had tried to contact Mr A.A. John he had learned that he was a minister of the Church of England who was taking a group of underprivileged children on holiday around India. He was also told that he would not be contactable until his return from Delhi. The Reverend was scheduled to arrive a few hours before the suspect had to be released. If he failed to come through, then the quicksand of this case would swallow up the ocean of data upon which Dawson had stumbled. Along with the data, the suspect would doubtless fade back into the anonymity of his virtual alter ego. It was Dawson’s misfortune that the Reverend John was sufficiently unsettled by the telephone conversation with his wife that he resolved to deal with the matter only once he had arrived in his parish, Manningham. Indeed, he had turned off his mobile phone and concentrated instead on his long drive from the airport.

So why was he so upset?

Short and compact, the Reverend John was by temperament a jovial man. Born on the edge of the Thar Desert in Rajasthan, his slightly hexagonal face was usually all sunshine, radiating from behind his professorial glasses. He was born into the minority-faith community of India’s Christians and joined the priesthood to work for the Anglican Church of India in Delhi for fifteen years.

But in 1996 he was approached by the Church of the Province of South Africa to take charge of a parish in the Indian township of Lenasia, three miles south of Soweto, during the transition from apartheid to multi-party rule.

It was a challenging move for anybody, as these were testing times for his new home. The joy that greeted the end of the racist regime was tempered by the knowledge of how deep the resentments ran that had accumulated over the previous 200 years. Outsiders like the Reverend John required sophisticated political and social skills to understand the meaning of those tensions and how he might help to reduce them.

His successful work in South Africa was noticed further up the Anglican Church’s hierarchy and, after eight years, the Bishop of Bradford in the English county of West Yorkshire urged him to consider an equally challenging post in Manningham, a residential district on the edge of Bradford city centre. The Reverend John was reluctant – England had always struck him as a rather gloomy place, with its miserable weather and urban sprawl.

Equally, he knew that Manningham was no bed of roses. Many Britons regarded Bradford, and Manningham in particular, as a symbol of their country’s failing attempts to integrate its many ethnic and confessional groups. More malignant types saw in Manningham an opportunity to ratchet up the mistrust between those communities.

In July 2001 this district exploded into brief but violent riots that reflected a deepening division between the city’s large Asian constituency and its white population. Even earlier, Manningham had experienced the phenomenon of white flight and, by the time the Reverend John arrived, three years after the riots, 75 percent of the population were Muslims whose origins lay largely in the rural districts of northeastern Pakistan. ‘The remaining twenty-five per cent are Christians, although only about five per cent of those are church-going. The white community here looks and feels like the minority it is,’ said the Reverend John. Although its climate, architecture and culture bore no resemblance to the townships of Jo’burg, in other ways Manningham felt uncannily like South Africa.

This was a hardship posting. When the clouds gathered or the snow fell, there was little that appealed in streets lined by sombre neo-Gothic buildings. Yet a little more than a century ago Manningham had been a most desirable area in which to live. This was during the period, now forgotten to the outside world, when Bradford was hailed as ‘the wool capital of the world’, acting as a mighty engine of Britain’s Industrial Revolution.

By the beginning of the twenty-first century, however, Manningham had been in a state of decay for many years. Employment and prosperity, once flourishing, had moved away long before. Drug abuse, domestic violence, property crime and prostitution had taken their place. The Reverend John cared for more people in his drop-in centre, all trying to escape the traps of poverty and criminality, than attended his church on Sundays.

With the ever-present threat that latent violence could break through the surface, the Reverend John’s work was on the front line of Britain’s class, cultural and social wars. Not easily scared, he maintained a readiness to chuckle in most circumstances. Given the challenges of his daily work, he wondered why the news of his compromised bank account unsettled him to such a degree. Above all, he wanted to talk to his sons, who understood about computer things. And then he decided that he needed to talk to the police quickly, to find out exactly what was going on. ‘Above all,’ he resolved, ‘I want this thing to be sorted out and put to bed as soon as possible.’

The Reverend’s nervous reaction is not uncommon. The psychological response on learning that one has become a victim of cybercrime is similar to that experienced on being burgled. Even though the act is confined to cyberspace, a world of accumulated tiny electronic impulses, it still feels like a physical violation. For if one’s bank account has been hacked into, what else might the thieves have discovered in the privacy of your computer?

Have they, perhaps, stolen your passport details, which some criminal or intelligence agent is now using as a fake travel document? Could they even, as you read this, be examining your emails, with confidential information about a colleague or employee? Might they have stumbled across some dangerously flirtatious emails or other indiscretion that you wrote or received? Is there any part of your life they could not explore, with access to your computer?

Now quite determined, the Reverend John called the police officer in the neighbouring county of Lincolnshire as soon as he arrived at the pleasant little cottage next to the imposing spire of his church in Manningham.

That this case should fall into the lap of Chris Dawson, a Scunthorpe-based policeman in early middle age, was especially unusual. Most cases of cybercrime in Britain are picked up by specialist units allied to three forces – the Metropolitan Police, the City of London Police and the Serious Organised Crime Agency (SOCA), also based in the capital. Untrained officers would mostly miss such cases because of their esoteric nature. But Dawson was unusual: he was an instinctive copper with a sharp eye. He also possessed a quiet charm, but was frank in a typical northern English fashion that contributed to his methodical and precise approach to policing. This attention to detail would serve him well in the coming months.

If Manningham was associated with ethnic tension and precipitous economic decline, nearby Scunthorpe (population 75,000), lying south of the Humber estuary, was more often regarded either as an English nowheresville or as the butt of jokes provoked both by its name and the perennially poor performances of its soccer team. (In fairness, one should add that at least it did not inherit its original Scandinavian name, Skumtorp, and until its relegation in May 2011 Scunthorpe United FC had been punching above its weight in the second tier of English football.) As far as one can establish, the town has never been cited in connection with large-scale organised criminal activity.

A mere four days before the Reverend John’s return from his charitable work in India, DS Dawson had been working happily at Scunthorpe’s central police station. He was watching the Command and Control log, a computer screen that relays information and crime reports phoned in by the public. The standard fare would include drunken fracas, the occasional domestic, and a kitten getting stuck up a tree. But on that Wednesday afternoon at 1.30 p.m. a message ran across the log that aroused the Detective Sergeant’s curiosity. It was very much out of the ordinary. He turned to his colleague and in his lilting Lincolnshire brogue said gently, ‘Come on then. We’d best go take a look. Seems like there’s something rather fishy going on at Grimley Smith.’

MISHA GLENNY is an award-winning British journalist who specializes in central and eastern Europe, global organized crime, and cybersecurity. He covered the Balkan Wars during the 1990s and is the author of numerous books, including The Fall of Yugoslavia and DarkMarket: How Hackers Became the New Mafia.
