A Short History of Law Enforcement and Cyber Crime

Threat Intel’s ‘History of…’ series will look at the origins and evolution of notable developments in cybersecurity

The advent of cyber crime created a lot of headaches for police forces. Over a very short space of time, an entirely new form of criminality emerged. There were no fingerprints, no witnesses, and often the victim and the perpetrator were continents apart.

It’s debatable who exactly the first hacker to be jailed was. But certainly one contender for the moniker is Captain Crunch, or John Draper to his friends and family. Draper, now 75, served in the U.S. Air Force before working as an engineer in Silicon Valley in the early 1970s. However, in his spare time, he was involved in phone phreaking. What’s phreaking? Essentially it’s the telecoms equivalent of hacking, using in-depth knowledge of how the telephone system works to get free phone calls. At the time, phone phreakers were underground celebrities and it was that celebrity that led the police to his door.

In 1971, he did an interview with Esquire magazine in which he made a thinly veiled admission to phone phreaking. Not surprisingly, this drew the attention of the authorities and he was promptly arrested, convicted of toll fraud and given five years’ probation. Coming to the attention of the authorities didn’t deter Draper and he was jailed twice more for phone fraud, in 1976 and 1978.

Draper’s activities were a precursor of what was to come as authorities adapted to deal with the nascent field of cyber crime. In the early years, hacking often wasn’t about financial gain. Instead it was usually about demonstrating your skills, gaining recognition from fellow hackers and, sometimes, thumbing your nose at authority. That desire to be noticed was often what allowed the police to identify hackers.

Hacking sprees

One of the first to get caught was Kevin Mitnick, who began breaking into computer networks as a teenager in the late ’70s and by the late 1980s had embarked on a prolific hacking career. Law enforcement finally caught up with him in 1988 when he was convicted of breaking into computer maker Digital’s network and stealing their software. Mitnick was jailed for a year and was then meant to do three years of supervised release but, near the end of the term, he was caught hacking Pacific Bell and a warrant was issued for his arrest.

Facing a return to jail, Mitnick opted to go on the run. Mitnick didn’t lie low and instead went on a hacking spree. Over the next three years he hacked into and stole information from dozens of organizations. The FBI launched what it termed an “electronic manhunt”. Ironically, one of the steps Mitnick took to cover his tracks would eventually lead to his downfall.

Mitnick figured that using a cellular phone to go online would be harder to trace than a landline, which in many ways was true, but he managed to raise some flags while doing so. One of the mistakes he made was pilfering some cellphone software from a developer called Tsutomu Shimomura. Shimomura took the theft personally and threw himself into helping the authorities track Mitnick down. Working with a technician from cellular operator Sprint, he helped track Mitnick down to an apartment building in Raleigh, North Carolina. From there, the FBI was able to do its work, deploying the Triggerfish cellular direction finder in order to pinpoint Mitnick’s exact location and arrest him on February 15, 1995.

Mitnick spent four-and-a -half years in jail before his case was heard, including eight months in solitary after officials expressed fears that he could even mount attacks using just a pay phone. When his case was heard in 1999 he pleaded guilty to four counts of wire fraud, two of computer fraud and one of intercepting a wire communication and was sentenced to five years in prison. Taking into account the time he’d served already, he was released in 2000.

Cyber crime gets serious

While Mitnick was elusive for several years, he was at least in the US, which made it easy for the FBI to bring him to justice once he’d been located. However, within a very short space of time, two new complications for law enforcement when it came to cyber crime became very apparent. The first was that the old school hacker was rapidly eclipsed by a new breed of cyber criminal who was in it for the money. These people had no interest in publicly demonstrating their prowess and, aside from some who were a little too careless in flaunting their ill-gotten gains, maintained a very low profile.

The other complication lay in the fact that international borders mattered very little to cyber criminals and it was often as easy for them to attack a target on the other side of the world as it was to hit one on the other side of the street. The globalization of cyber crime meant that law enforcement had to not only identify who the perpetrators were but also find a way of bringing them to justice, either by seeking extradition or providing information to the authorities in the attacker’s home country to ensure a successful prosecution there.

In 1994, while the FBI was still hunting Mitnick, a number of corporate bank customers discovered that their accounts had been raided to the tune of $400,000. An FBI investigation established that the attackers had compromised the bank’s cash management systems. The attackers were siphoning off money into overseas bank accounts and had already stolen up to $10 million.

The bank in question managed to get the overseas accounts frozen before any more money could be withdrawn, while the FBI turned its attention to the sole account used by the attackers that was located in the US. It’s owners were a Russian couple who had previously lived in the US. When the wife flew to the US to withdraw more money, the FBI arrested her and persuaded her and her husband to cooperate.

From them, the FBI learned the mastermind behind the operation was a Russian man called Vladimir Levin. Working with Russian authorities, the FBI gathered evidence and built its case against Levin. In March 1995, Levin was arrested while he was visiting London, allowing the U.S. to request his extradition. He was eventually convicted in 1998 and sentenced to three years in jail.

International takedowns

Levin’s arrest illustrated another issue in pursuing international cyber criminals — you can only extradite someone from a country you have an extradition treaty with. Once a suspect is identified, authorities will often wait until they travel to a country they can extradite from and request their arrest. Since Levin’s London arrest, a steady stream of suspects have ended up in custody after they got on a plane thinking they were going on holidays.

One of the most prominent examples of this was Aleksandr Panin, aka “Gribodemon”, the brains behind the SpyEye financial Trojan. Panin was the main developer and, starting in 2009, he sold it to other cyber criminals online who used it to target more than one million banking customers.

Based in the Russian city of Tver, Panin may have thought he was beyond the reach of US authorities. However, things began to unravel for him when, in 2011, the FBI seized a SpyEye command and control (C&C) server in Atlanta Georgia, which was being operated by one of his associates, Algeria-based Hamza Bendelladj. Later that year, unbeknownst to him, Panin sold undercover agents a copy of SpyEye online. While they still didn’t have a name, the FBI was closing in on Panin and secured an indictment against their as-yet-unnamed suspect. A short while later, the FBI found evidence that tied Panin with his online alias Gribodemon, but the indictment remained sealed in order to avoid tipping off Panin that US authorities were on to him.

The opportunity for law enforcement came just over a year later. First Bendelladj was arrested in Bangkok airport in January 2013, while he was in transit between Malaysia and Algeria. He was later extradited to the U.S. Six months later, Panin made the mistake of flying through the U.S. and was arrested in Atlanta airport. In 2016, the pair were sentenced to a combined 24 years, six months in prison.

Over time, law enforcement agencies have adapted and improved their response to cyber crime. Whereas once international operations were unusual, today they’re the norm and it’s not unusual to see police forces from several different countries involved in a single operation. International law enforcement organizations such as Interpol and Europol often play a central role. The goal is no longer just arrests (although arrests remain the main objective). Infrastructure, in the form of servers and domains is often seized, meaning that even if some or all of the suspects behind a particular operation remain at large, the group’s operations are disrupted.

Putting the squeeze on

Takedowns not involving arrests are sometimes criticized as being ineffective or tokenistic, but this is often far from the case. The takedown of the Gameover Zeus is a classic case in point. Just under four years ago, the FBI, the UK’s National Crime Agency, a number of other police forces, along with cyber security companies including Symantec teamed up to tackle the financial Trojan which, at the time, was one of the most prolific and dangerous financial online threats.

Gameover Zeus doubled up as a botnet and at its height had hundreds of thousands of computers in its sway. It was difficult to disrupt because it didn’t have any centralized C&C infrastructure and instead used a peer-to-peer network and domain generation algorithm (DGA) for (C&C) purposes. Its most recent refinement was the addition of a low level driver, to prevent the malware from being easily uninstalled. Prior to the 2014 operation, Gameover Zeus had already weathered two takedown attempts.

This time around, key nodes on the peer network were disabled by law enforcement, along with the domains generated by the DGA. One of Symantec’s contributions to the operation was to release a new tool that bypassed countermeasures and removed the malware, along with the additional Gameover Zeus components.

It wasn’t third time lucky for Gameover Zeus and, this time, the takedown seemed to do serious damage to the group’s operations, with activity surrounding the malware dropping off considerably in the aftermath of the raids and never recovering.

Of course, often when one major cyber crime group is broken up, others emerge to take its place. However, there are some signs that the balance may be shifting. The pace of law enforcement takedowns in recent years has picked up, with several major banking Trojan and ransomware gangs being hit. To some extent, we believe that this is one of the factors behind the sudden and dramatic take off of malicious coin mining in late 2017. Because the loss to the victim is indirect and less obvious, cyber criminals may feel that there’s less risk of law enforcement action around coinminers. Whether this turns out to be a long term trend remains to be seen.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.

Like this story? Recommend it by hitting the heart button so others on Medium see it, and follow Threat Intel on Medium for more great content.