John Dillinger was a bank robber whose tool of trade was a machine gun. But in today's cybercrime era, the weapon of choice for "John Dillinger" is an MSR206, a card-writing machine used for encoding bank account numbers and other data onto the magnetic stripe of bank credit and debit cards.
John Dillinger is the online nick of a 44-year-old bank card thief who says he's stolen about $150,000 in the last two years using debit-account and PIN numbers obtained through hacking and phishing scams.
In March, he was one of many thieves who struck Bank of America, Citibank, Wells Fargo and other banks and credit unions in a cash-out operation that made national headlines and involved stolen debit-account and PIN numbers taken from a hacked database.
According to Dillinger, he obtained at least 450 numbers from a Russian hacker he met online, then used them to withdraw thousands of dollars from ATM machines before banks canceled the cards and issued new ones to customers.
Dillinger, a drug addict and former prostitute in Southern California, was arrested last month on charges unrelated to the cash-out operation. It's unclear whether he'll be charged for the cashing, although he's spoken openly about his activities with many people.
Authorities arrested Dillinger while he was driving with a friend who had an outstanding warrant. Police were after the friend but found a briefcase in the car containing a stash of credit cards and driver's licenses with Dillinger's photo and various names. He's been charged with 10 counts of identity theft and nine counts of possession of a forged driver's license. He's being held on $1 million bail.
A police investigator told Wired News that federal authorities were interested in Dillinger, but the prosecutor handling his case said federal officials haven't contacted him and he has no knowledge of Dillinger's cashing activities. Wired News spoke with Dillinger by phone several weeks before his arrest and agreed then to identify him only by his online handle. (Because he hasn't been charged with the bank crimes, Wired News is upholding the original anonymity agreement with him.)
Dillinger typifies the thieves who are carving out a living on the bottom rung of the growing international cybercrime industry. Congregating on members-only web forums, where they take assignments from more technically sophisticated criminals, many have only moderate computer skills.
They are the mules of electronic fraud, filling a vital role at the intersection of the virtual and the real: converting stolen account information into cold, hard cash.
Most are young males in their teens and early 20s who are lured by the prospect of making big bucks in an environment that offers them relative anonymity. Others are longtime bank and identity thieves in the offline world who have become acquainted with the riches that carding sites promise to even unsophisticated scammers like Dillinger.
At the top of the pyramid are sophisticated hackers -- many of them East Europeans -- with the technical skills to hack databases and online bank accounts. It's the latter who have helped turn carding into a multibillion-dollar worldwide crime.
One of eight children, six of whom are step-siblings, Dillinger has lived a peripatetic life -- in stark contrast to the stable existence of his only full sibling, a brother who works as a contract mechanic for the military and who confirmed the biographical details Dillinger gave Wired News.
Dillinger says he began smoking pot at age 10 and advanced to speed and other drugs after getting into prostitution in his teens. He's been arrested several times for receiving stolen property, grand theft auto, various drug charges and check fraud.
It was his mother who introduced him to the online world of card thieves. In 2002, after completing a stint in drug rehab, his mother, "a big-time eBay seller," sent him a link to Counterfeit Library, a website that catered to fraud artists.
"She knew I was into that stuff," Dillinger says. "I used to send her these huge $150 gift baskets every Mother's Day (paid for) with someone else's credit-card number. So she pointed this (site) out to me."
The site included forums where thieves traded digital templates for forging driver's licenses and discussed the best methods for stealing and using credit-card numbers.
"I was absolutely amazed," Dillinger says. "It was like if you go to jail ... and you meet all of these other criminals and everyone is trading ideas."
Counterfeit Library went down shortly thereafter, but Dillinger found other sites such as Shadowcrew and Carderplanet where Russian thieves sold large caches of stolen credit- and debit-card numbers obtained through phishing scams and database hacking.
Dillinger got several stolen credit-card numbers and spent two months traveling California with a partner, buying high-end laptops and reselling them. He'd never had disposable income, and got a rush from entering a store with a credit card stamped with someone else's account and walking out with expensive products.
After a few close calls, however, he abandoned the retail operation. Then in 2004, he got involved in a scam against US Bank. A Russian spammer sent out millions of phishing e-mails purporting to be from the institution and asking customers for their debit-account and PIN numbers. Phishing scams were relatively new then, so it wasn't difficult to find credulous victims.
The spammer collected hundreds of account numbers, then distributed them to Dillinger and other "cashers" who encoded them onto blank plastic cards with an MSR206 and fanned out to hit ATMs. In two days, Dillinger says he collected $20,000 using the counterfeit cards and stolen PINs.
He wired the money, minus his take, to the Russian via Western Union. The operation lasted only a couple of weeks, though, before Western Union started blocking the money transfers.
It was long enough, however, for Dillinger to garner a solid reputation in the online criminal fraternity as a reliable worker. Shortly thereafter, three Romanian phishers contacted Dillinger looking for partners to cash more US Bank accounts. Dillinger put together a ring of cashers who worked for him.
"I would divvy out the numbers and they would send me my share after they cashed out," Dillinger says. "I was making around $10,000 a week.... One night I made $11,000 just for myself."
The US Bank scheme lasted about six months before the bank changed an algorithm associated with its card, making it more difficult for thieves to use its account numbers. Dillinger claims he made more than $80,000 before the operation stopped.
U.S. Postal Inspector Greg Crabb confirmed that Dillinger was involved in cashing, though he and other investigators Wired News spoke with consider him relatively small-time compared to other cashers who made hundreds of thousands of dollars. This could explain why authorities didn't arrest Dillinger in 2004 when the Secret Service nabbed dozens of carders and identity thieves in a yearlong sting operation that targeted Shadowcrew and other carding sites.
After the US Bank operation ended, Dillinger went legitimate for a while. He was working a construction job for $10 an hour when a friend told him in March about another Russian hacker who was distributing stolen card numbers. Dillinger says it was too hard watching his online friends make thousands of dollars while he ate Top Ramen every night for dinner. So he obtained some numbers from the Russian and within a week says he made $17,000.
Dillinger says the numbers came from a database hack, but doesn't know any more than this. News reports at the time suggested the database belonged either to a retailer or a third-party card processor.
He traveled around several states cashing out at ATMs, at one point staying at the home of his brother, Gary, who was working for the military in Iraq. Gary says Dillinger would occasionally tell him what he was up to, but "I didn't want to know anything about it. That's not my life and it was boring to me so I'd always change the subject and talk about something else."
The Russian-born cashing operation had been going on for three months when Dillinger came on board, so many of the numbers he received had already been canceled as banks issued new cards to customers. Dillinger's own bank, in fact, reissued a card for his Wells Fargo account.
At the time Wired News interviewed Dillinger he'd been cashing for a couple of weeks and had withdrawn about $43,000. He converted the money to e-gold, kept 30 percent for himself and transferred the remainder to the Russian hacker's e-gold account.
The money disappeared quickly, though. He spent $16,000 on dental work, and gave some of the cash to a relative who has a daughter with a rare blood disease. "They were having a horrible time trying to pay their hospital bills. I gave them 10 percent of what I got so they could have some money," he says. The rest he spent on merchandise.
He figures he got about $700 from each account he bilked, all of which belonged to Bank of America. Wired News showed some of Dillinger's stolen account numbers to Bank of America but bank spokeswoman Betty Riess wouldn't confirm that they were issued by the bank, or that any of its accounts were compromised.
Dillinger said weeks before he was arrested that he was tired of cashing. "It's hard. It's scary," he said. "I don't want to get arrested. You go to ATMs, your picture's being took. You always have to look over your shoulder. Even when you're done with it, for the rest of your life pretty much you've got to look over your shoulder."
He may be able to stop looking now.
John Dillinger is the online nick of a 44-year-old bank card thief who says he's stolen about $150,000 in the last two years using debit-account and PIN numbers obtained through hacking and phishing scams.
In March, he was one of many thieves who struck Bank of America, Citibank, Wells Fargo and other banks and credit unions in a cash-out operation that made national headlines and involved stolen debit-account and PIN numbers taken from a hacked database.
According to Dillinger, he obtained at least 450 numbers from a Russian hacker he met online, then used them to withdraw thousands of dollars from ATM machines before banks canceled the cards and issued new ones to customers.
Dillinger, a drug addict and former prostitute in Southern California, was arrested last month on charges unrelated to the cash-out operation. It's unclear whether he'll be charged for the cashing, although he's spoken openly about his activities with many people.
Authorities arrested Dillinger while he was driving with a friend who had an outstanding warrant. Police were after the friend but found a briefcase in the car containing a stash of credit cards and driver's licenses with Dillinger's photo and various names. He's been charged with 10 counts of identity theft and nine counts of possession of a forged driver's license. He's being held on $1 million bail.
A police investigator told Wired News that federal authorities were interested in Dillinger, but the prosecutor handling his case said federal officials haven't contacted him and he has no knowledge of Dillinger's cashing activities. Wired News spoke with Dillinger by phone several weeks before his arrest and agreed then to identify him only by his online handle. (Because he hasn't been charged with the bank crimes, Wired News is upholding the original anonymity agreement with him.)
Dillinger typifies the thieves who are carving out a living on the bottom rung of the growing international cybercrime industry. Congregating on members-only web forums, where they take assignments from more technically sophisticated criminals, many have only moderate computer skills.
They are the mules of electronic fraud, filling a vital role at the intersection of the virtual and the real: converting stolen account information into cold, hard cash.
Most are young males in their teens and early 20s who are lured by the prospect of making big bucks in an environment that offers them relative anonymity. Others are longtime bank and identity thieves in the offline world who have become acquainted with the riches that carding sites promise to even unsophisticated scammers like Dillinger.
At the top of the pyramid are sophisticated hackers -- many of them East Europeans -- with the technical skills to hack databases and online bank accounts. It's the latter who have helped turn carding into a multibillion-dollar worldwide crime.
One of eight children, six of whom are step-siblings, Dillinger has lived a peripatetic life -- in stark contrast to the stable existence of his only full sibling, a brother who works as a contract mechanic for the military and who confirmed the biographical details Dillinger gave Wired News.
Dillinger says he began smoking pot at age 10 and advanced to speed and other drugs after getting into prostitution in his teens. He's been arrested several times for receiving stolen property, grand theft auto, various drug charges and check fraud.
It was his mother who introduced him to the online world of card thieves. In 2002, after completing a stint in drug rehab, his mother, "a big-time eBay seller," sent him a link to Counterfeit Library, a website that catered to fraud artists.
"She knew I was into that stuff," Dillinger says. "I used to send her these huge $150 gift baskets every Mother's Day (paid for) with someone else's credit-card number. So she pointed this (site) out to me."
The site included forums where thieves traded digital templates for forging driver's licenses and discussed the best methods for stealing and using credit-card numbers.
"I was absolutely amazed," Dillinger says. "It was like if you go to jail ... and you meet all of these other criminals and everyone is trading ideas."
Counterfeit Library went down shortly thereafter, but Dillinger found other sites such as Shadowcrew and Carderplanet where Russian thieves sold large caches of stolen credit- and debit-card numbers obtained through phishing scams and database hacking.
Dillinger got several stolen credit-card numbers and spent two months traveling California with a partner, buying high-end laptops and reselling them. He'd never had disposable income, and got a rush from entering a store with a credit card stamped with someone else's account and walking out with expensive products.
After a few close calls, however, he abandoned the retail operation. Then in 2004, he got involved in a scam against US Bank. A Russian spammer sent out millions of phishing e-mails purporting to be from the institution and asking customers for their debit-account and PIN numbers. Phishing scams were relatively new then, so it wasn't difficult to find credulous victims.
The spammer collected hundreds of account numbers, then distributed them to Dillinger and other "cashers" who encoded them onto blank plastic cards with an MSR206 and fanned out to hit ATMs. In two days, Dillinger says he collected $20,000 using the counterfeit cards and stolen PINs.
He wired the money, minus his take, to the Russian via Western Union. The operation lasted only a couple of weeks, though, before Western Union started blocking the money transfers.
It was long enough, however, for Dillinger to garner a solid reputation in the online criminal fraternity as a reliable worker. Shortly thereafter, three Romanian phishers contacted Dillinger looking for partners to cash more US Bank accounts. Dillinger put together a ring of cashers who worked for him.
"I would divvy out the numbers and they would send me my share after they cashed out," Dillinger says. "I was making around $10,000 a week.... One night I made $11,000 just for myself."
The US Bank scheme lasted about six months before the bank changed an algorithm associated with its card, making it more difficult for thieves to use its account numbers. Dillinger claims he made more than $80,000 before the operation stopped.
U.S. Postal Inspector Greg Crabb confirmed that Dillinger was involved in cashing, though he and other investigators Wired News spoke with consider him relatively small-time compared to other cashers who made hundreds of thousands of dollars. This could explain why authorities didn't arrest Dillinger in 2004 when the Secret Service nabbed dozens of carders and identity thieves in a yearlong sting operation that targeted Shadowcrew and other carding sites.
After the US Bank operation ended, Dillinger went legitimate for a while. He was working a construction job for $10 an hour when a friend told him in March about another Russian hacker who was distributing stolen card numbers. Dillinger says it was too hard watching his online friends make thousands of dollars while he ate Top Ramen every night for dinner. So he obtained some numbers from the Russian and within a week says he made $17,000.
Dillinger says the numbers came from a database hack, but doesn't know any more than this. News reports at the time suggested the database belonged either to a retailer or a third-party card processor.
He traveled around several states cashing out at ATMs, at one point staying at the home of his brother, Gary, who was working for the military in Iraq. Gary says Dillinger would occasionally tell him what he was up to, but "I didn't want to know anything about it. That's not my life and it was boring to me so I'd always change the subject and talk about something else."
The Russian-born cashing operation had been going on for three months when Dillinger came on board, so many of the numbers he received had already been canceled as banks issued new cards to customers. Dillinger's own bank, in fact, reissued a card for his Wells Fargo account.
At the time Wired News interviewed Dillinger he'd been cashing for a couple of weeks and had withdrawn about $43,000. He converted the money to e-gold, kept 30 percent for himself and transferred the remainder to the Russian hacker's e-gold account.
The money disappeared quickly, though. He spent $16,000 on dental work, and gave some of the cash to a relative who has a daughter with a rare blood disease. "They were having a horrible time trying to pay their hospital bills. I gave them 10 percent of what I got so they could have some money," he says. The rest he spent on merchandise.
He figures he got about $700 from each account he bilked, all of which belonged to Bank of America. Wired News showed some of Dillinger's stolen account numbers to Bank of America but bank spokeswoman Betty Riess wouldn't confirm that they were issued by the bank, or that any of its accounts were compromised.
Dillinger said weeks before he was arrested that he was tired of cashing. "It's hard. It's scary," he said. "I don't want to get arrested. You go to ATMs, your picture's being took. You always have to look over your shoulder. Even when you're done with it, for the rest of your life pretty much you've got to look over your shoulder."
He may be able to stop looking now.
Facebook
Twitter
Instagram