Monday, January 27, 2014

Roman Vega (CarderPlanet's Boa) Gets His Sentence!

For some time now I have been following with anticipation the case of Roman Vega, the hacker who went by the pseudonym BOA and ran the notorious BOAFactory website prior to helping spear-head the creation of Carder Planet, a specialty site created by and for credit card thieves that at its peak was servicing more than 6,000 members who brokered, bartered and sold their stolen cards.

In December 2013 it appeared that Vega, who had been in custody since 2003, was finally about to be sentenced. Vega was originally arrested while traveling in Cyprus and is said to have had in possession at the time of his arrest information on more than 500,000 credit card accounts. The New York court sentenced him December 18, 2013, but then it was time to find out what would happen in California.

On January 22, 2014, the Honorable Charles R. Breyer, Senior United States District Judge accepted Vega's plea bargain and in exchange for pleading guilty to 18 USC 1343 and 2, "Wire Fraud, Aiding and Abetting" (Counts 1-20), Counts 21-40 of his original charges were dismissed.

Boa was sentenced (by this Judgement Against Roman Vega document) to serve forty-six (46) months on counts one through twenty, all counts to be served concurrently, and also to be served concurrently with Docket #07-CR-707 (ARR) from the Eastern District of New York.

Vega will also have to pay restitution as follows:

  • Bank of America - $23,371.86
  • Bank of Cyprus - $92.63
  • Canadian Imperial Bank of Commerce - $681.56
  • Capital One - $15,039.56
  • Chase Bank - $16,223.74
  • Citibank - $29,284.42
  • Fla Card Services - $7,695.04
  • JP Morgan Chase - $1,849.27
  • Merrill Lynch Fraud Control - $6,118.54
  • National City Card Services - $614.84
  • PNC Bank - $3,144.92
  • Royal Bank of Canada - $488.49
  • USAA Federal Savings Bank - $89,294.75
  • Wachovia Bank - $13,303.35
  • Washington Mutual Bank - $12,525.60
With some fees, he is ordered to make a lump sum payment of $221,728.57 (including all the above) to the court.

The early court documents in the Boa case, including this Roman Vega Criminal Complaint from 2007 (25 page PDF) make fascinating reading, walking through how a dispute on the ShadowCrew Carding Site between Boa and others on the site that lead Boa to spawn his own website, www.boafactory.to. Boa worked closely with other famous carders, including Gollum and Script.

Roman Vega (Boa) was arrested February 26, 2003 in Nicosia, Cyprus. his laptop was imaged and shared with the US Secret Service and the US Postal Inspection Service, which revealed hundreds of email messages and thousands of pages of ICQ chats. The laptop also had 500,000 credit cards issued by 7,000 different financial institutions! Vega was flown from Cyprus to Minneapolis, Minnesota on June 3, 2004. He plead guilty in November 2006 to twenty counts of wire fraud in the Northern District of California. One of the especially interesting chats was between ICQ 107711 (Vega) and ICQ 100630 (Script) where Vega claims his "boys" have cracked a database containing 2 million credit card accounts in the United States. Script and RyDen said that was too large a volume for them to handle. Later Script sent an article about the hack to Vega about a breach against Data Processors International (DPI).

Although the court documents do not specify which article it was, it may have been this CNN article Hacker hits up to 8M credit cards. Vega confesses to Script that the article is wrong - they actually got 14 million cards, including 450,000 just from Capital One!

Boa was arrested after a large number of cards from the breach were found to be used at a particular POS terminal in Cyprus.

Now, if you'll forgive me, we'll go back to the New York case. Things did not go well for BOA in New York. He insisted on dismissing his counsel, who he did not trust, and defending himself, which did not go well. Vega had a limited command of English and his defense seemed to be a mix of magazine articles, things other prisoners told him and watching too much television. Here's one example transcript from a hearing where he is trying to say that he wants access to thirty boxes worth of notes and files, including everything the government found on his hard drive.

According to the sentencing memorandum from the US, Script was Dimitry Golubov, the Godfather of CarderPlanet. But Boa played a key role in making CarderPlanet the "go to place" for cards. It was Boa who instituted the "Card Review" process by which vendors had to ensure that their cards were original and had not been previously sold. The vendor ranking system, copied to so many other boards today, originated on CarderPlanet, and it was Boa's key contribution to the new system.

More than half of the sentencing memo from the US lists the many ways in which Vega misbehaved and violated his agreements to cooperate with the US in exchange for leniency. These include:

  • having a letter sent from Italy to the private unlisted address of a government analyst that insulted Vega by saying he no longer had contact or influence in the criminal world.
  • sending money to his girlfriend and then "not being able to recall" anything about that when asked repeatedly by the government.
  • consulting on Misha Glenny's book "Dark Market: Cyberthieves, CyberCops and You".
  • withdrawing his guilty plea
  • having a powerful cell phone antenna in his cell. Although no phone was ever found, Vega was somehow
  • able to maintain several blogs about his life in prison, despite theoretically having no access to computers or phones.
Some of CarderPlanet's top customers were Cumbajonny AKA Albert Gonzalez, now serving twenty years. Maksim Yastremskiey (Maksik) sentenced to 30 years for hacking by the Turkish police. Cesar Carranza, a money launderer to the carders, now serving six years in New York for laundering $2.5 million.

Here is the sentencing "point calculator" used in the case:

Base Offense Level 2B1.1(a)(2) 6
Loss between $200 and $400 Million 2B1.1 (b)(1)(O) 28
Stolen Property Business 2B1.1(b)(4) 2
Fraud from Outside US and Sophisticated Means 2B1.1(b)(9) 2
Use of Device Making Equipment 2B1.1(1) 2
Organizer and Leader of 5 or more Participants 3B1.1(a) 4
Adjusted Offense Level for Count One 44
Base Offense Level 2S1.1(a)(1)
See also 1B1.5(b)(1)
40
Specific Offense Characteristic
USC 1956
2S1.1(b)(2)(B) 2
Organizer and Leader of 5 or more Participants 3B1.1(a) 4
Adjusted Offense Level for Count Two 46

To show consistency with the sentence, the New York Sentencing Memo (10MB PDF) also lists previously sentenced carders and hackers and their respective sentences as a means of justifying the requested sentence:

1. Albert Gonzalez - 20 years (sentenced September 11, 2009)

2. Edwin Pena - 10 years and $1M restitution (sentenced September 24, 2010)

3. Lin Mun Poo - 10 years (sentenced November 4, 2011)

4. Tony Perez - 14 years (sentenced September 9, 2011)

5. Jonathan Oliveras - 12 years (sentenced December 9, 2011)

6. Adriann-Tiberiu Oprea - 15 years (sentenced for hacking into 800 US Merchants' systems resulting in $17.5 million in unauthorized charges on more than 100,000 cards.) Oprea was known as "the Subway Hacker" for stealing card data from hundreds of Subway restaurants.

(to read about other famous hackers and their sentences, see Major Achievements in the Courtroom.)

In New York 1:07-cr-00707-ARR, Vega was sentenced to 216 months for Count One and 90 months on Count two, to run concurrently for a total of 216 months or 18 years. Since that is longer than the California sentence, he'll pay the California restitution and serve the 18 years courtesy of the Bureau of Prisons in Lompoc.

2 comments:

  1. Mr. Warner,

    Brett Johnson here of www.shadowcrewsecurity.com. On ShadowCrew I was known as GOllumfun. Read your post and find it quite good. I was close friends with BOA, Script, and Bigbuyer. In fact, at one time I was the sole USA seller of BOA's cards stateside. I was one of the founders or ShadowCrew and later also an Admin on CarderPlanet.

    I think your post is pretty accurate except where you talk about the review process. Certainly CarderPlanet had a review process and a vendor ranking process. The genesis of that started at ShadowCrew, however. I know because I am the one who created the review process. It was published and took hold pretty quick.

    The particular review process grew out of what was going on over at Counterfeit Library and became solidified once we moved to the ShadowCrew domain and I published the official review system. The ranking system spawned from that and happened almost simultaneously between CarderPlanet and ShadowCrew. Hard to say who started ranking vendors first, but I would say it was ShadowCrew.

    If you would like to discuss more in depth, let me know. email addy is anglersec@gmail.com

    Also, I am soon moving to the Bham area. Perhaps we can get together as I am starting to develop my own cyber security consulting business.

    THanks much,
    Brett
    GOllum

    ReplyDelete
  2. Brett Johnson--GOllumfun--here. Read over your post. Very informative. I was close friends with Boa, Script, and Bigbuyer.

    I thought your post was quite good and pretty accurate except where stated that CarderPLanet started the vendor ranking system. Not really the way it happened.

    Vendor reviews started with me on Counterfeit Library. As that forum grew, more reviewers were added. BY the time Myself, Kim Taylor, and Seth Sanders built Shadowcrew there was an unwritten review system in place.

    I was the one to write and publish the official review process for vendors on ShadowCrew. The Vendor Ranking system was a natural progression of that. Initially, vendors were simply labled as "verified". We soon allowed vendors to name their own tag--within reason. Shortly thereafter a more concrete ranking system was in place.

    CarderPLanet's ranking system, while not a mirror of the ShadowCrew system, was certainly influenced by it.

    On another note, Im impressed by the Malcovery system. Seems to be a fine piece of tech. If you would care to touch base with me my email is anglersec@gmail.com . Also, I am soon moving to the Birmingham area. Perhaps we could touch base.

    THanks Much,
    Brett
    GOllum

    ReplyDelete

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.