12
Jun 12

Feds Arrest ‘Kurupt’ Carding Kingpin?

facebooktwittergoogle_plusredditpinterestlinkedinmail

The Justice Department on Monday trumpeted the arrest of a Dutch man wanted for coordinating the theft of roughly 44,000 credit card numbers. The government hasn’t released many details about the accused, but data from a variety of sources indicates he may have run a large, recently-shuttered forum dedicated to cyber fraud, and that he actively hacked into and absconded with stolen card data taken from other fraud forums.

This much the government is saying: David Benjamin Schrooten, 21, appeared in Seattle federal court on Monday and pleaded not guilty to charges of bank fraud, access device fraud and conspiracy. Schrooten was accused of running Web sites that sold stolen credit card numbers in bulk. Authorities said Schrooten was extradited to the United States after being arrested in Romania, and that another man — 21-year-old Christopher A. Schroebel of Maryland — was an accomplice and also was charged.

kurupt.su, before it was taken offline.

The government also mentioned one other detail: Schrooten was allegedly known in the hacking community as “Fortezza.” This last detail caught my attention, because for several months members of the cybercrime underground have been inquiring about Fortezza’s whereabouts, and what would become of his hacker forum — an exclusive English language “carding” site aptly named Kurupt.su.

I, too, was wondering where Fortezza had gone. And then, quite recently, the two-year-old Kurupt.su disappeared as well.

Late last fall, I received an interesting invitation from Fortezza to chat online. At the time, he was administrator (or at least one of the administrators) of Kurupt,  which required new members to be referred by an existing member, and to be personally vouched for by four other members.

To this day, I don’t know why Fortezza reached out to me. He claimed to be “quitting the scene,” but spoke often about finishing a project with which he seemed obsessed: to hack and plunder all of the other carding forums. In any case, he had my attention: I had just finished reading Kevin Poulsen‘s excellent book Kingpin, the true story of a very bright but conflicted hacker who took over many of the major carding forums at the time, and consolidated them into one megaforum that he alone controlled. Fortezza sought to “prove” his claim by creating brand-new test accounts for me on several forums that also typically require new members to be vetted and vouched.

At the time, Fortezza was boasting about having just hoovered up a chunk of stolen credit and debit card accounts from Kurupt.ru, a similarly named carding forum. This action may have been the beginning of his downfall: It wasn’t long before the hackers at Kurupt.ru struck back, posting what they believed was Fortezza’s real-life identity. In October 2011, Fortezza announced he was changing his nickname to “Xakep” (Cyrillic for “hacker”), but apparently the U.S. government already had reason to believe that the Kurupt.ru admins were right on the money about Fortezza.

kurupt.ru publishes alleged identity of “Fortezza”

As it happens, the last time I heard from Fortezza/Xakep was in mid-March, when he said he was getting ready to take a trip with his girlfriend to Romania to meet some fellow hackers. He still hadn’t told me much about himself, and he never answered me when I asked him about the data posted to Kurupt.ru, but he was somehow nervous about his personal safety while in Romania.

12:29:41 AM Xakep: Il be visiting [Romania] with 4 guys this week and my girl

12:29:42 AM Xakep: Yes

12:29:46 AM Xakep: Want to see it

12:30:11 AM Bk: i’m sure you’ll be fine

12:30:54 AM Xakep: Hahahaha

12:31:11 AM Xakep: I have jewish name

12:31:15 AM Xakep: Hope no racists

12:32:42 AM Xakep: Anyway

12:32:54 AM Xakep: I will make pictures of city for you

Authorities with Interpol arrested Schrooten in Cluj, Romania as he got off the plane there, according to Romanian news reports.

Dan Clements, a private consultant who runs cloudeyez.com, a company that monitors the hacker forums and recovers stolen card data and other property from underground forums, also has been following Fortezza’s activities for quite a while.

“I had conversations with him for a long time. He was a very interesting young man, and very complex,” Clements said.”His is a fascinating story.”

Clements said he often wondered whether Kurupt.su and/or Kurupt.ru were sting projects set up by federal agents, or if they really were just two separate crime forums with warring factions.

“If these were real hackers, would they really be taking risks of outing each other? Or are they just amateurs whose ego’s have run amok?” Clements wrote on his blog. “These name changes are interesting. Could they be different federal agents taking over a new nik? Or does the hacker remove some risk by starting a new nik and giving others access to it’s use?”

Clements said he went to visit Schrooten at the request of Schrooten’s lawyer while the young hacker was in prison in Romania awaiting extradition to the United States. But the authorities there refused to allow the visit. Romanian media reported that Schrooten subsequently tried to kill himself, twice.

“This young man is very intriguing and I feel for him,” Clements said. “The government will try to prove its case, but I don’t know if he has the strength to survive a trial.”

The strength of the government’s claims against Schrooten will likely rest on the testimony of his alleged partner — Schrobel — who was arrested in November 2011 and pleaded guilty last month. The government alleges that Schrooten and Schrobel victimized individuals and stores in the Seattle area.

According to the government’s indictment, Schroebel was an intravenous drug user who was supporting his habit with the help of stolen card numbers or “dumps,” that could be used to counterfeit credit and debit cards. Schroebel is scheduled to be sentenced in August.

A copy of Schrooten’s indictment is here (.PDF). The original complaint against him and the accompanying affidavit remain under seal. The complaint against Schrobel is at this link (.PDF).

11 comments

  1. “No honor among thieves” would appear to be the lesson here – as with the guys in Kingpin.

    Big surprise…not.

    Someone should tell him that Federal prison in the US is probably a lot better than a Romanian prison. Not by much, probably, but some. He can survive there if he doesn’t get a really long sentence.

    Thanks for the background info on this case. The basic Associated Press and other news articles give little info.

  2. “If these were real hackers, would they really be taking risks of outing each other? Or are they just amateurs whose ego’s have run amok?”

    Why does this have to be an either / or? The ego grows with perceived success.

    • bob: Agreed that ego grows with perceived success, but I think perceived is the key word here. Many studies have proven actual skill often has very different outcomes. Read paper “Unskilled and Unaware of It” for more info, but basically — there is a threshold to which we over-rate ourselves, but at some level people begin to underrate themselves.

      At that point, as famous saying goes — the more you know, the less you know you do not know — but also the less people will tell you you do not know, because challenging someone with high perceived power often ends up in precisely this sort of outcome.

      Perception of success feeds ego, though, yes — until one is confronted with somebody actually successful and skilled at which point person basically attempts to overcompensate and often winds up overcompensating themselves into a “war”.

      It is game theory, and if it was not fed-sponsored, then ultimately all parties lose (to save face?).

      Usually at this point people either get busted or get “better” — and often fall off the public radar.

  3. Anyone else remember that handle from the old days?
    http://en.wikipedia.org/wiki/John_Threat

    • Completely unrelated. Underground has had many variations of corrupt/kurupt/korrupt, etc.

  4. faithful reader

    Dear Brian,

    you state that Fortezza changed his nick in reaction to outing but dates in the screenshots contradict :

    – outing post : 12 dec 2011
    – new nick post : 10 oct 2011

  5. Let’s be honest – it was fairly obvious Fortezza had flipped, with all the drama over his absence/reappearance, and the hijacking/splitting off of Kurupt’s admins. When that drama first surfaced virtually everyone who was anyone left that site and considered it a sting or a joke. I too got contacted by Fortezza who wanted to give me a login for a carding site, and I had NEVER said two words to this guy, so I knew something was up – it had “cumbajohnny” written all over it – giving away something or chatting up people 24/7 (like he had no life other than to reach out to perfect strangers and try to suck them into the fold), I’m sorry but everything this guy did screamed “snitch”. Actually Cumbajohnny was a poor comparison, Fortezza was more like an El Mariachi.

    • “Actually Cumbajohnny was a poor comparison, Fortezza was more like an El Mariachi.”

      More and more El Mariachis out there every day.

  6. Fabulous read, Mr Krebs!

  7. Fortezza talked all the time about trust being more important than money yet him and his friend “Pathan”/”Khan”/”Don”/ “Archielles” ripped members off at cardingempire and fakacarda in 2009 for 30K

    Fortezza also operated a hosting service and proceeded to steal dump databases from his clients.

    Fortezza will be dobbing in all his friends soon if he hasn’t already.

    He thought he could hack and plunder all major carding forums and yet as soon as he strikes at a small public carding forum kurupt.ru he gets owned by a russian kid and has his details posted into the forum LOL.

    This foolish kid really is a El Mariachi.


Read previous post:
How Companies Can Beef Up Password Security

Separate password breaches last week at LinkedIn, eHarmony and Last.fm exposed millions of credentials, and once again raised the question...

Close