The Justice Department on Monday trumpeted the arrest of a Dutch man wanted for coordinating the theft of roughly 44,000 credit card numbers. The government hasn’t released many details about the accused, but data from a variety of sources indicates he may have run a large, recently-shuttered forum dedicated to cyber fraud, and that he actively hacked into and absconded with stolen card data taken from other fraud forums.
This much the government is saying: David Benjamin Schrooten, 21, appeared in Seattle federal court on Monday and pleaded not guilty to charges of bank fraud, access device fraud and conspiracy. Schrooten was accused of running Web sites that sold stolen credit card numbers in bulk. Authorities said Schrooten was extradited to the United States after being arrested in Romania, and that another man — 21-year-old Christopher A. Schroebel of Maryland — was an accomplice and also was charged.
The government also mentioned one other detail: Schrooten was allegedly known in the hacking community as “Fortezza.” This last detail caught my attention, because for several months members of the cybercrime underground have been inquiring about Fortezza’s whereabouts, and what would become of his hacker forum — an exclusive English language “carding” site aptly named Kurupt.su.
I, too, was wondering where Fortezza had gone. And then, quite recently, the two-year-old Kurupt.su disappeared as well.
Late last fall, I received an interesting invitation from Fortezza to chat online. At the time, he was administrator (or at least one of the administrators) of Kurupt, which required new members to be referred by an existing member, and to be personally vouched for by four other members.
To this day, I don’t know why Fortezza reached out to me. He claimed to be “quitting the scene,” but spoke often about finishing a project with which he seemed obsessed: to hack and plunder all of the other carding forums. In any case, he had my attention: I had just finished reading Kevin Poulsen‘s excellent book Kingpin, the true story of a very bright but conflicted hacker who took over many of the major carding forums at the time, and consolidated them into one megaforum that he alone controlled. Fortezza sought to “prove” his claim by creating brand-new test accounts for me on several forums that also typically require new members to be vetted and vouched.
At the time, Fortezza was boasting about having just hoovered up a chunk of stolen credit and debit card accounts from Kurupt.ru, a similarly named carding forum. This action may have been the beginning of his downfall: It wasn’t long before the hackers at Kurupt.ru struck back, posting what they believed was Fortezza’s real-life identity. In October 2011, Fortezza announced he was changing his nickname to “Xakep” (Cyrillic for “hacker”), but apparently the U.S. government already had reason to believe that the Kurupt.ru admins were right on the money about Fortezza.
As it happens, the last time I heard from Fortezza/Xakep was in mid-March, when he said he was getting ready to take a trip with his girlfriend to Romania to meet some fellow hackers. He still hadn’t told me much about himself, and he never answered me when I asked him about the data posted to Kurupt.ru, but he was somehow nervous about his personal safety while in Romania.
12:29:41 AM Xakep: Il be visiting [Romania] with 4 guys this week and my girl
12:29:42 AM Xakep: Yes
12:29:46 AM Xakep: Want to see it
12:30:11 AM Bk: i’m sure you’ll be fine
12:30:54 AM Xakep: Hahahaha
12:31:11 AM Xakep: I have jewish name
12:31:15 AM Xakep: Hope no racists
12:32:42 AM Xakep: Anyway
12:32:54 AM Xakep: I will make pictures of city for you
Authorities with Interpol arrested Schrooten in Cluj, Romania as he got off the plane there, according to Romanian news reports.
Dan Clements, a private consultant who runs cloudeyez.com, a company that monitors the hacker forums and recovers stolen card data and other property from underground forums, also has been following Fortezza’s activities for quite a while.
“I had conversations with him for a long time. He was a very interesting young man, and very complex,” Clements said.”His is a fascinating story.”
Clements said he often wondered whether Kurupt.su and/or Kurupt.ru were sting projects set up by federal agents, or if they really were just two separate crime forums with warring factions.
“If these were real hackers, would they really be taking risks of outing each other? Or are they just amateurs whose ego’s have run amok?” Clements wrote on his blog. “These name changes are interesting. Could they be different federal agents taking over a new nik? Or does the hacker remove some risk by starting a new nik and giving others access to it’s use?”
Clements said he went to visit Schrooten at the request of Schrooten’s lawyer while the young hacker was in prison in Romania awaiting extradition to the United States. But the authorities there refused to allow the visit. Romanian media reported that Schrooten subsequently tried to kill himself, twice.
“This young man is very intriguing and I feel for him,” Clements said. “The government will try to prove its case, but I don’t know if he has the strength to survive a trial.”
The strength of the government’s claims against Schrooten will likely rest on the testimony of his alleged partner — Schrobel — who was arrested in November 2011 and pleaded guilty last month. The government alleges that Schrooten and Schrobel victimized individuals and stores in the Seattle area.
According to the government’s indictment, Schroebel was an intravenous drug user who was supporting his habit with the help of stolen card numbers or “dumps,” that could be used to counterfeit credit and debit cards. Schroebel is scheduled to be sentenced in August.
A copy of Schrooten’s indictment is here (.PDF). The original complaint against him and the accompanying affidavit remain under seal. The complaint against Schrobel is at this link (.PDF).