Thursday, February 17, 2011

How a Remote Town in Romania Has Become Cybercrime Central

From Wired Magazine




Photo: Nick Waplington
Râmnicu Vâlcea has only about 120,000 residents, but among law enforcement experts around the world, it has a nickname: Hackerville. The town is full of online crooks who cruise the streets in expensive European cars.
Photo: Nick Waplington
Three hours outside Bucharest, Romanian National Road 7 begins a gentle ascent into the foothills of the Transylvanian Alps. Meadowlands give way to crumbling houses with chickens in the front yard, laundry flapping on clotheslines. But you know you’ve arrived in the town of Râmnicu Vâlcea when you see the Mercedes-Benz dealership.
It’s in the middle of a grassy field, shiny sedans behind gleaming glass walls. Right next door is another luxury car dealership selling a variety of other high-end European rides. It’s as if the sheer magic of wealth has shimmered the glass-and-steel buildings into being.
In fact, expensive cars choke the streets of Râmnicu Vâlcea’s bustling city center—top-of-the-line BMWs, Audis, and Mercedes driven by twenty- and thirtysomething men sporting gold chains and fidgeting at red lights. I ask my cab driver if these men all have high-paying jobs, and he laughs. Then he holds up his hands, palms down, and wiggles his fingers as if typing on a keyboard. “They steal money on the Internet,” he says.
Among law enforcement officials around the world, the city of 120,000 has a nickname: Hackerville. It’s something of a misnomer; the town is indeed full of online crooks, but only a small percentage of them are actual hackers. Most specialize in ecommerce scams and malware attacks on businesses. According to authorities, these schemes have brought tens of millions of dollars into the area over the past decade, fueling the development of new apartment buildings, nightclubs, and shopping centers. Râmnicu Vâlcea is a town whose business is cybercrime, and business is booming.
At a restaurant in a neighborhood of apartment buildings and gated bungalows, I meet Bogdan Stoica and Alexandru Frunza, two of just four local cops on the digital beat. Stoica, 32, is square-shouldered and stocky, with a mustache and prominent stubble. His expression rarely changes. Frunza, 29, is tall and clean shaven. He’s the funny one. “My English will improve after I have a few beers,” he says. We sit at a table on the edge of a big courtyard, piped-in Romanian pop music blaring.
Stoica and Frunza grew up in Râmnicu Vâlcea. “The only cars on the streets were those made by Dacia,” Stoica says, referring to the venerable Romanian carmaker. Access to information was limited, too: Weekday television consisted of two hours of state-run programming, mostly devoted to covering the dictator, Nicolae Ceauşescu. “We had half an hour of cartoons on Sunday,” Stoica says.
In 1989, a revolution that began with anti-government riots ended with the execution of Ceauşescu and his wife, and the country began the switch to a market economy. By 1998, when Stoica finished high school and went off to the police academy in Bucharest, another revolution was beginning: the Internet. Râmnicu Vâlcea was better off than many towns in this relatively poor country—it had a decades-old chemical plant and a modest tourism industry. But many young men and women struggled to find work.
No one really knows how or why those kids started scamming people on the Internet. “If you find out, you let us know,” says Codruţ Olaru, head of Romania’s Directorate for Investigation on Organized Crime and Terrorism. Whatever the reason, online crime was widespread by 2002. Cybercafés offered cheap Internet access, and crooks in Râmnicu Vâlcea got busy posting fake ads on eBay and other auction sites to lure victims into remitting payments by wire transfer. Eventually, FBI agents in the US and Bucharest started to get interested.
In the early days, the perpetrators weren’t exactly geniuses. One of the first cases out of the region involved a team based in the neighboring town of Piteşti. One crook would post ads for cell phones; the other picked up the wired money for orders that would never ship. The two men had made a few hundred dollars from victims in the US, and the guy receiving the cash hadn’t even bothered to use a fake ID. “I found him sitting in an Internet café, chatting online,” says Costel Ion, a Piteşti cop who had been working the cybercrime beat. “He just confessed.”
But as in any business, the scammers innovated and adapted. One early advance was establishing fake escrow services: Victims would be asked to send payments to these supposedly trustworthy third parties, which had websites that made them look like legitimate companies. The scams got better over the years, too. To explain unbelievably low prices for used cars, for example, a crook would pose as a US soldier stationed abroad, with a vehicle in storage back home that he had to sell. (That tale also established a plausible US contact to receive the money, instead of someone in Romania.) In the early years, the thieves would simply ask for advance payment for the nonexistent vehicle. As word of the scam spread, the sellers began offering to send the cars for inspection—asking for no payment except “shipping.”
The con artists got even sneakier. “They learned to create scenarios,” says Michael Eubanks, an FBI agent in Bucharest. “We’ve seen email between criminals with instructions on how to respond to different questions.” The scammers started hiring English speakers to craft emails to US targets. Specialists emerged to occupy niches in the industry, designing fake websites or coordinating low-level confederates.
Photo: Nick Waplington
Internet scammers and their underlings have turned Râmnicu Vâlcea into a hub of international organized crime.
Photo: Nick Waplington
By 2005, Romania had become widely known as a haven for online fraud, and buyers became wary of sending money there. The swindlers adapted again, arranging for payments to be wired to other European countries, where accomplices picked up the cash. A new entry level evolved, people who’d act as couriers and money launderers for a cut of the take. These money mules were called arrows, and their existence elevated Râmnicu Vâlcea to a hub of international organized crime.
Many arrows were Romanians living in Western Europe and the US; some were youngsters from Râmnicu Vâlcea who had moved overseas expressly for the job. They’d go to wire transfer offices to collect remittances from victims, then turn around and wire that money—minus a commission—to Râmnicu Vâlcea or to other arrows in the network. The system served as a kind of firewall, making it much more difficult for law enforcement to track the masterminds.
Back home, the local police were starting to realize they needed people on the cybercrime beat full-time. Frunza, who’d studied informatics in high school before attending the police academy, was working drug cases in Bucharest when he decided to come home. He ended up joining Stoica on the hunt for online con artists. The two learned that suspects expect leniency from the police because their crimes target only foreigners. “The guys will often say, ‘I am not stealing from our countrymen,’” Frunza says. “But a crime is a crime. You have to pay for it.”
Nowadays, Stoica and Frunza occasionally find themselves investigating a childhood acquaintance or, conversely, running into known criminals in social situations. Frunza used to play on the same soccer team as a suspect who was under surveillance. Those connections have helped the two cops pose a formidable challenge to the industry.
A little after 11 pm, Stoica hushes our conversation and tells me to turn around and check out a table across the courtyard, where a small group of flashily dressed young men has just arrived with two blond women who seem barely out of their teens. The men are all under investigation. “It’s a small city,” Stoica says.
Photo: Nick Waplington
The sudden appearance of luxury car dealerships among the grass fields marks the entrance into Râmnicu Vâlcea.
Photo: Nick Waplington
Defining the town center of Râmnicu Vâlcea is a towering shopping mall that looks like a giant glass igloo. The streets are lined with gleaming storefronts—leather accessories, Italian fashions—serving a demand fueled by illegal income. Near the mall is a nightclub, now closed by police because its backers were shady. New construction grinds ahead on nearly every block. But what really stands out in Râmnicu Vâlcea are the money transfer offices. At least two dozen Western Union locations lie within a four-block area downtown, the company’s black-and-yellow signs proliferating like the Starbucks mermaid circa 2003.
Driving past a block of low-rise buildings with neatly trimmed hedges, Stoica notes a couple of apartments owned by people currently under investigation. “I don’t know if the people of Râmnicu Vâlcea are too smart or too stupid,” Stoica says grimly. “They talk a lot to each other. One guy learns the job from another. They ask their high school friends: ‘Hey, do you want to make some money? I want to use you as an arrow.’ Then the arrow learns to do the scams himself.”
It’s not so different from the forces that turn a neighborhood into, say, New York’s fashion district or the aerospace hub in southern California. “To the extent that some expertise is required, friends and family members of the original entrepreneurs are more likely to have access to those resources than would-be criminals in an isolated location,” says Michael Macy, a Cornell University sociologist who studies social networks. “There may also be local political resources that provide a degree of protection.”
Online thievery as a ticket to the good life spread from the early pioneers to scores of young men, infecting Râmnicu Vâlcea’s social fabric. The con artists were the ones with the nice cars and fancy clothes—the local kids made good. And just as in Silicon Valley, the clustering of operations in one place made it that much easier for more to get started. “There’s a high concentration of people offering the kinds of services you need to build a criminal scheme,” says Gary Dickson, an FBI agent who worked in Bucharest from 2005 to 2010. “If your specialty is auction frauds, you can find a money pick-up guy. If you’re a money pick-up guy, you can find a buyer for your services.”
Stoica and Frunza both complain that they’re fighting an unstoppable tide with limited resources. But they haven’t been entirely unsuccessful—in fact, the 2008 case that first revealed the anatomy of Râmnicu Vâlcea’s fraud networks stemmed from Stoica’s investigation of a young entrepreneur named Romeo Chita.
Stoica says Chita started out as an arrow in the UK, and he was good. He moved up the ranks and eventually hired a few friends to establish his own ring. The Romanian authorities began investigating him in 2006, when he started buying new cars every few months and going to clubs every night with no apparent source of legitimate income. Chita launched an Internet service provider called NetOne, which authorities believe he was using as a shelter for fraudulent activity. When cops wanted to identify his customers, Stoica says, Chita usually told them that NetOne didn’t keep records.
Photo: Nick Waplington
Western Union signs have multiplied downtown like the Starbucks mermaid circa 2003.
Photo: Nick Waplington
In January 2008, an informant gave Stoica the cell numbers of two men working for Chita. The police tapped the phones, and the next day one of the men sent Chita a text message with money transfer control numbers—unique numeric sequences required to pick up cash. Stoica and his team followed up with surveillance of Chita and his associates, which established what Stoica calls “the money circuit,” the route through which the funds flowed from victims in the US to Chita and others. Prosecutors now allege that the operation turned into something a little more sophisticated than the usual Râmnicu Vâlcea scam. For example, the case against them details a con known as spear phishing—sending email to US companies that appeared to be from the IRS, the Department of Justice, or some other agency. Through Trojan horses attached to these emails, Chita’s group could obtain the companies’ bank account numbers and passwords. Allegedly, they even hired people in Las Vegas—Stoica says some were homeless—to open fake corporate bank accounts and receive the money.
The same month that Stoica began pursuing Chita, a police officer stopped a car for speeding in the Westlake suburb of Cleveland, Ohio. About to write a ticket, the cop noticed some drug paraphernalia in the car and arrested the two men inside. A further search turned up eight cell phones, two computers, fake IDs, two dozen money transfer receipts, and $63,000 in cash. The pair turned out to be Romanian and eventually confessed to being arrows for an organization authorities traced back to Chita. They had spent most of January driving around the Midwest, picking up money from various Western Union and MoneyGram locations. Their confessions led to more wiretaps and surveillance in the US and Romania over the following months, uncovering a network of at least two dozen accomplices.
That summer, Romanian authorities and FBI agents conducted a series of raids on both sides of the Atlantic. Chita spent 14 months in custody before being granted a provisional release pending the completion of his trial, still pending. On an org chart filed in Stoica’s office, Chita’s photo remains at the top.
Class Café is an inviting coffee shop with a terrace that overlooks a quiet street. It’s nearly empty when I walk in—just the owner behind the counter and a young couple at a corner table.
Stoica discouraged me from attempting this meeting, but I wanted to know what an alleged kingpin looks like. I ask the owner if he knows where Chita is, and he offers to call him. After a brief phone conversation, he hangs up and tells me that Chita is in Bucharest. I remind him that Chita isn’t allowed to leave Râmnicu Vâlcea under the terms of his release, and the owner smiles. He spends a few more minutes on the phone, then hangs up again and asks me to sit. Chita is on his way.
I take a table on the terrace. During our tour of town, Stoica had pointed out Chita’s silver Mercedes on the road, so I ignore the green Jaguar that drives up until a man in Bermuda shorts, canvas shoes, and a white T-shirt climbs out, enters the café, and approaches my table. He introduces himself as Chita’s brother, Marian. He licks his lips nervously and fidgets with an iPhone. “Chita’s coming,” he says after lighting a cigarette and making some phone calls. “But he’s a little drunk.”
A few minutes later, Chita walks around the corner and ambles into the café. Boyish, dressed in shorts, a light-blue polo shirt, and flip-flops, he looks more like a college student than a criminal mastermind. Despite the reputation of Râmnicu Vâlcea’s underworld as relatively free of violence, he has brought along some muscle—a young man in dark glasses with a big tattoo on his arm. The bodyguard slams a beer bottle down on the table and flexes his hand, as if getting ready for a boxing match.
Chita shakes my hand dourly and sits down next to me, looking away. Two other men join us. The young couple from the corner comes over to greet Chita with fawning smiles and handshakes. They clearly recognize him, too. The café owner gets up and leaves. As he walks away, he looks at me gravely and says, “Good luck.”
Photo: Nick Waplington
Râmnicu Vâlcea has become the Silicon Valley of online thievery— a place where the clustering of operations makes boot-strapping a criminal start-up easier.
Photo: Nick Waplington
The tattooed man leans toward me ominously. “Were you sent by Barack Obama?” he asks. I say that I wasn’t, and everyone but me lights cigarettes. Marian, getting increasingly jumpy, demands to know my true agenda. Finally, I spell my name and tell him to search for my stories on his iPhone. He Googles me and shows the screen to his brother. Everybody relaxes a bit, and I silently give thanks for wireless broadband.
Marian asks the young couple to translate for Chita, and they agree to stay. Chita has them tell me to stand, then he pats me down, asking if I’m wearing a wire.
“What do you say to the charges against you?” I ask.
“They are fake,” Chita says, in English.
Marian adds, “It’s all bullshit.” For clarification.
Chita continues with his defense in Romanian, and the couple translates enthusiastically. “He doesn’t even know how to speak English, so it is impossible for him to post ads or exchange email with buyers,” the young woman says. “He doesn’t even have an email address,” she says. “How can he do fraud on the Internet?”
I press Chita about the wiretapped conversations, but his tattooed bodyguard interrupts loudly. “You go back to your hotel room, we send you some nice pussy,” he says, raising his hand for a high five that I feel obligated to meet. The two men beside him laugh, and Chita takes a final drag from his cigarette before rising from his chair. He’s in no mood to discuss the evidence. “This interview is over,” Marian says.
They saunter out of the café and onto the sidewalk, looking surprisingly banal for guys accused of organized cybercrime, enjoying the good life with little effort or risk. Officials have dismantled a few fraud rings in recent years—there were just 188 arrests in all of Romania in 2010—but scores remain in business.
I am left with the friendly couple that helped with the translating. The young man says he’s heard about Chita from his friends and has seen his name in the papers. He tells me he has just received a diploma in engineering from an institution in Bucharest and is now looking for a job here in Râmnicu Vâlcea, his hometown. “I haven’t found anything yet,” he says. Thinking about Marian’s Jag and Chita’s Mercedes, I wonder if he’ll consider a job as an arrow. It’s like Frunza told me at the restaurant: “You arrest two of them and 20 new ones take their place,” he said. “We are two police officers, and they are 2,000.”

Yudhijit Bhattacharjee (yudhijit@gmail.com) is a staff writer at Science. He wrote about decoding a spy’s messages in issue 18.02.

No comments:

Post a Comment