Reading recent reports, one might conclude that criminals are outpacing law enforcement in cyberspace. Malware strains are increasing at unprecedented rates, and many experts see growing ties between cybercrime and organized criminal groups.

Fighting cybercrime is now the FBI’s third largest priority, after terrorism and espionage, said Shawn Henry, assistant director for the agency’s Cyber Division, speaking at the RSA conference. The FBI currently has full-time cybercrime agents working in about 60 countries, he added. One of the agents was also recently stationed in Russia, which does not have a long tradition of cooperation with U.S. law enforcement and is notorious for its cybercrime underground.

Another FBI official, supervisory agent J. Keith Mularski, gave a rare inside account of an undercover sting operation that reflected both the need for international legal cooperation and the perseverance that is necessary to arrest criminal groups.

For two years, Mularski operated as a member of an online criminal marketplace, DarkMarket.ws, which had up to 2,500 participants. By the time the site was shut down in October 2008, Mularski had been able to gain the criminals’ trust and had risen to the top of the group’s hierarchy.

Vendors wanting to sell on the site typically had to have their wares tested by a moderator or site administrator, said Mularski, who went by the tag “Master Splinter.” Sometimes vendors would pay higher-ups for the chance to sell. Once approved, vendors could start a thread in one of the site’s forums. DarkMarket trafficked in goods ranging from credit card data to Social Security numbers to passport forgery kits, “anything needed to conduct fraud or identity theft,” said Mularski.

Sometimes spending 18 hours a day online, Mularski probably spent only a couple of days off the site throughout the two years. One reason was that others might begin to worry that he had been arrested. The operation did not have a set timeline, which Mularski says helped in his efforts to build rapport and establish credibility. He had spent time in central Europe and was able to use this knowledge to develop relationships.

The origin of his Internet traffic was masked, he said, through the use of European-based proxy servers. Other participants also used proxies, said Mularski, but not always consistently, which helped narrow down suspects’ locations.

One catalyst that helped spring Mularski to the top of the network occurred in 2008, when DarkMarket was hit with a denial-of-service attack by a competitor. Saying he had experience in server security, he moved the whole operation onto Bureau-owned servers. His new role as administrator also gave him a chance to sample new products and learn about data breaches, information he would share with law enforcement and relevant companies.

One of the last major arrests, of Cagatay Evyapan, in Turkey, occurred in late 2008. Before his capture, however, the suspect was allegedly able to kidnap and torture another DarkMarket member he suspected of betrayal. Such incidents reflect how traditional organized crime’s violence may be seeping into the cyber arena, Mularski said.

Normally, the FBI would not be as open about such a sting operation, said Henry. But after a European reporter learned of Mularski’s true identity through court papers and wrote about it, secrecy became less critical.

Mularski said his unmasking did not significantly hinder the operation, however. Shortly after his identity was exposed, numerous planned arrests were carried out.

In total, the operation recovered up to $70 million in potential economic damage, he said. Data from more than 100,000 bank cards were recovered. In one arrest in Turkey, about 1,000 card skimming devices, which the suspect said were about to be shipped to the United States, were found. Individual skimming devices typically cost banks about $33,000 in losses, said Mularski.

Also netted were: six complete malware packages, which were passed on to the Pittsburgh-based CERT Coordination Center, a federally funded cyber research organization, as well as antimalware vendors. More than 300,000 chat conversations were also recorded. 

The operation involved unprecedented international cooperation, involving law enforcement from countries ranging from Ukraine to Turkey to Romania to France. Sixty arrests have been made so far.

Mularski is frequently asked to say whether he thinks that law enforcement is winning or losing the battle against cybercrime. His answer is along the lines of the glass being not quite half empty: “I’m not certain,” he says, “but if we are losing, we may not be that far behind.”