The seven initial arrests stemming from what the Secret Service has dubbed "Operation Rolling Stone" show that federal investigators have started to learn how to crack through deceptive IP addresses and encrypted IM communications.
"Cyber-crime has evolved significantly over the last two years, from dumpster diving and credit card skimming to full-fledged online bazaars full of stolen personal and financial information," Assistant Director Brian Nagel of the U.S. Secret Service's Office of Investigations said in a statement.
"We continue to adapt our investigative techniques to progressively combat emerging threats to our nation's financial infrastructure," Nagel said.
Of the seven announced arrests, five are being prosecuted by the U.S. Attorney's office covering the Buffalo/Rochester New York area, one is being handled by the Los Angeles District Attorney's office and one is apparently being handled by the U.S. Attorney's office in Nashville.
The Los Angeles arrest was Shawn Mimbs, 27, said Deputy Los Angeles District Attorney Jeff McGrath.
The Buffalo/Rochester arrests were: Mohammad Dolah, 34, of Brooklyn, N.Y.; Benjamin Wade Pinkston, 24, unknown address; Elvis Berrios, 28, of Washington; Larry Hardiman, 52, of Toronto; and Bradley Robert Sokol, 19, of Selinsgrove, Pa., according to federal affidavits filed with the U.S. District Court's Western District. Those documents were sealed the afternoon of April 4.
No information was available on the arrests being handled by Nashville, said Deb Phillips, senior counsel to that office's U.S. Attorney. Authorities said the Nashville arrests might still be sealed.
Although these cases were all investigated by the Secret Service, one official involved in the prosecution, who did not want to be identified, said these were multiple unrelated investigations and that the Secret Service created the Rolling Stone code name afterwards to group them together.
The investigative details of the cases given in interviews and court documents support the suggestion that these cases were indeed unrelated and were not part of a single undercover operation. That said, the investigators still employed very similar tactics aimed at piercing the Web-enabled secrecy of the identity-theft and credit-card stealing rings.
In Los Angeles, prosecutors have accused Mimbs of grand theft of U.S. property. Specifically, officials are charging that he went to public libraries and Internet cafes and used their Web access to visit the H&R Block tax return service Web site, McGrath said.
Once on the H&R Block site, he used stolen Social Security numbers and addresses, often from dead people, to file bogus tax returns and request that the tax refunds be wired to bank cash cards that he could access, McGrath said.
Mimbs "found loopholes in the system," the prosecutor said, describing him as just "another thief using the Internet." Among the exploited loopholes, McGrath said, was that the IRS system didn't match its records with death certificates.
McGrath said Mimbs, who was the sole defendant in the 14-count criminal complaint filed in Los Angeles, was discovered when some of the names he used for the tax returns were tied with people who were alive and who then tried filing for real tax returns. The IRS said they had already filed, the real taxpayers complained and the Secret Service started to investigate, he said.
The five cases being prosecuted federally in Buffalo/Rochester do not involve tax returns and mostly dealt with the manufacturing of bogus credit cards and the selling of identity information.
Sites that cropped up in several of the New York state cases include www.scandinaviancarding.com, www.theftservices.com and www.ccpowerforums.com, which federal affidavits described as "three organized criminal Web sites dedicated to promoting malicious computer hacking."
Another site mentioned in a few of the cases is www.iaaca.com, which court papers identify as standing for the International Association for the Advancement of Criminal Activity.
The documents wade deep into the slang of the underground world of identity thieves, including "banging out ATMs" (counterfeit ATM card use), "carding" (counterfeit credit cards), "in-store carding" (where the thief must be physically inside the store when making the fraudulent purchase) and "novelty" (bogus identification documents).
In addition to gaining familiarity with the terminology of cyber-crime, investigators also grappled with the workings of the Internet, which abounds in ways to obscure a thief's identity.
Sokol, for example, is accused of selling stolen identities (including name, address, Social Security number and date of birth) for between $3 and $5 each.
According to the affidavits, an undercover Secret Service agent started chatting with Sokol using the ICQ instant messaging service. When the undercover agent tried to buy some of the identities, Sokol wanted to be paid with PayPal, the documents said, but the agent said PayPal was "malfunctioning" and asked to use Western Union as a means of payment.
Western Union offers a means of anonymously transferring funds, using a question-and-answer authentication system, but Sokol asked for it in his name, the affidavit said, which pierced the Internet mask of anonymity.
In Hardiman's case, agents traced the IP address to a particular ISP in Canada. Using the exact timestamps of the messages, they were able to identify subscriber information and get a tentative identification, the documents said; agents then started searching eBay and found someone using a very similar alias who was purchasing equipment, including a laminating machine and specialty printers, that would be useful in credit card fabrication. eBay was then subpoenaed.
In the case of Pinkston, according to the documents, an agent told the suspect that some bogus Old Navy and Gap credit cards were not working, prompting him to send more cards in the names of other people. Investigators then reviewed the online applications for all of the cards, paying particular attention to IP addresses.
"A Whois query of the IP addresses exposed through the three credit card applications showed it resolving back to a Virginia Tech University account," one affidavit said.
A credit card company investigator then searched for any applications from that IP address or other accounts using the same drop addresses or e-mails and identified 37 more accounts, for a total of 44.
Microsoft then helped identify the suspect through an MSN account that he had used. Secret Service forensic analysis also discovered multiple fingerprints that matched on several of the cards, the documents said.
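The pivot the card issuer's investigator made in the Pinkston case, from a few known-bad applications to every account sharing an IP address, drop address or e-mail, can be sketched as a small link-analysis routine. This is an added example, not code from the affidavits or the investigators; the records, field names and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample applications (not case data); IPs use documentation ranges.
APPLICATIONS = [
    {"id": "A1", "ip": "192.0.2.10", "drop": "12 Elm St Apt 3", "email": "j.doe@example.com"},
    {"id": "A2", "ip": "192.0.2.10", "drop": "400 Oak Ave", "email": "r.roe@example.com"},
    {"id": "A3", "ip": "198.51.100.7", "drop": "400 oak  ave ", "email": "x1@example.net"},
    {"id": "A4", "ip": "203.0.113.5", "drop": "9 Pine Rd", "email": "X1@Example.net"},
    {"id": "A5", "ip": "203.0.113.99", "drop": "77 Birch Ln", "email": "legit@example.org"},
]
FIELDS = ("ip", "drop", "email")  # assumed field names

def normalise(value):
    """Lower-case and collapse whitespace so trivially varied values still match."""
    return " ".join(value.lower().split())

def index_by_value(applications, fields):
    """Map (field, normalised value) -> ids of applications carrying that value."""
    by_value = defaultdict(list)
    for app in applications:
        for field in fields:
            value = normalise(app.get(field, ""))
            if value:
                by_value[(field, value)].append(app["id"])
    return by_value

def linked_accounts(applications, seed_ids, fields=FIELDS):
    """Ids of all applications tied to a seed by shared values, followed transitively."""
    parent = {app["id"]: app["id"] for app in applications}

    def find(x):  # union-find root lookup with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for ids in index_by_value(applications, fields).values():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
    roots = {find(s) for s in seed_ids if s in parent}
    return {a for a in parent if find(a) in roots}

def shared_indicators(applications, cluster, fields=FIELDS):
    """The values that actually link cluster members, for analyst review."""
    members = [a for a in applications if a["id"] in cluster]
    return {k: sorted(v) for k, v in index_by_value(members, fields).items() if len(v) > 1}
```

An IP address shared by many unrelated users, such as a university or other NAT gateway, will over-link accounts, so the indicators returned by `shared_indicators` should be reviewed before a cluster is treated as one actor.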