Hack Me If You Can, Part 1: The Making of a Russian Hacker – The Journal. – WSJ Podcasts – The Wall Street Journal

Posted: June 15, 2022 at 6:26 pm

This transcript was prepared by a transcription service. This version may not be in its final form and may be updated.

Ryan Knutson: Hey, it's Ryan. One of the hosts of The Journal. In our feed today, we're bringing you a new series. It's about hacking. Our colleague, Bob McMillan, is going to tell this story. He knows a lot about hacking. He's been reporting on it for almost two decades. Pretty much anytime there's a major hack, whether it's of Twitter, a hospital, or the US government, we call Bob and ask him to explain it to us. A few months ago, Bob reached out to us and said he had a story he wanted to tell for the podcast. A story that Bob says is key to understanding how Russia produced a generation of cyber criminals. It's the story of one Russian hacker. Here's Bob.

Bob McMillan: Dmitriy Smilianets has had a long career.

Dmitriy Smilianets: I had to hustle. I sold unlicensed software. Then, I was building and managing a website for large factory. They were building equipment for producing milk, yogurts and stuff. So I was building a website for them.

Bob McMillan: Okay. You left one thing off your resume though.

Dmitriy Smilianets: Right. That was being manager of the largest hacking group ever prosecuted in the United States.

Bob McMillan: I've written about Russian hackers for years, but Dmitriy is the first one that I met in person. In the early 2000s, he led a team that broke into companies across America. They spent a year quietly pulling off what is still one of the biggest hacks in US history, which caught the attention of the government. Here's a federal prosecutor talking about Dmitriy's crew.

Speaker 4: They would probe, and test, and penetrate, until they would actually get in. And once they got in, they would use custom designed malware, malicious computer programs, that were their unique burglary tools to gain access to different parts of a company's networks.

Bob McMillan: All told, the feds say that Dmitriy's gang cost its victims more than $300 million dollars in damages.

Speaker 5: And the good news is, it wasn't passed on to the consumer. The bad news is, in the end, it always is, because the companies have to make up that loss somewhere.

Bob McMillan: I knew of Dmitriy's work before I knew his name. But where I found Dmitriy, well, it wasn't where I expected. He wasn't in some bunker in Moscow or a maximum security prison. He was living in a gated community in New Jersey.

Speaker 6: Good morning. Where are you guys heading?

Speaker 7: We're here to see Dmitriy Smilianets.

Bob McMillan: With an immaculate lawn. Yeah. With a big American flag on it. That's it. And a dog. Dmitriy comes out to meet me. Dmitriy. He's wearing sweatpants, and has a bodybuilder's physique. Although he looks tough, he's warm and welcoming. We walk around his home, which, by my count, has six American flags. Okay. So you got your classic backyard setup here.

Dmitriy Smilianets: Yeah. A classic American dream backyard, with barbecue, with fire pit, with a table where we can sit together as a family after I grilled some meat.

Bob McMillan: And I even got to meet his parrot.

Dmitriy Smilianets: His name is Jerome. One night, he landed on my desk, and destroyed my keyboard. He picked all the keys. So I'm (inaudible) post no fly zone, and he's restricted to his cage right now.

Bob McMillan: How Dmitriy ended up here, is the story of how Russia became a criminal hacking superpower. How teenagers schooled in a collapsing empire, went from piloting video games, to stealing hundreds of millions of dollars. And how a cat and mouse game that stretched across continents, would end up with Dmitriy, here in New Jersey, living a double life. From The Journal, this is Hack Me If You Can, the story of a Russian cyber criminal who went to the other side. I'm Bob McMillan. Coming up, part one. The making of a Russian hacker. In the early 90s, when Dmitriy was eight years old, two very important things happened. Computers became widely available, and the Soviet Union collapsed.

Speaker 8: In Moscow, the hammer and sickle is lowered for the last time. And an era comes to an end.

Bob McMillan: Dmitriy was an only child living in Moscow, and he remembers the violence and the upheaval wrought by the breakup of the USSR.

Speaker 9: Mingling with the rush hour traffic, Red Army armored personnel carriers on the streets of Moscow this morning, heading to the Kremlin.

Dmitriy Smilianets: I remember tanks shooting at the parliament building. I remember people with guns, running on the streets shooting. I remember chaos. I remember there was no law. I was raised in a vacuum of the law. Russia, there was a wind of change. They knew Russia is not the Russia we see today. That Russia was freedom. It was unlimited freedom.

Bob McMillan: Dmitriy's going to tell most of this story, but I've spoken to a lot of people about it. I've examined documents and video evidence to confirm it. To piece together the details, I've also talked to his friends, associates, even the people who would later investigate him. And I swapped emails with his dad, a former criminal investigator with the Moscow police. When Dmitriy was growing up, his mom was a school teacher. She wanted him to join the FSB, which was Russia's security agency. Dmitriy had other ideas.

Dmitriy Smilianets: I saw my father was in government, and I saw him coming with a lot of cases, with a lot of documents. Investigations, right? But I didn't see him bringing a lot of bags, fruits, juice, candies. So he worked a lot, but there was not enough results for us to see the value in his work.

Bob McMillan: So you felt he was underpaid?

Speaker 12: Absolutely.

Bob McMillan: Yeah.

Dmitriy Smilianets: And I was like, "I don't want to be that guy."

Bob McMillan: What did you want to be when you grew up, at that age?

Dmitriy Smilianets: I knew that computers industry will grow. And I knew it, I will be very close tied to the computers.

Bob McMillan: Dmitriy knew computers would be the future. So he started learning everything he could about them. He got his first one in fifth grade. And by the age of 13, he says he was selling counterfeit software at a Moscow flea market. He was part of an emerging generation of young hackers in the late 90s in Russia. Their Bible, a magazine called Hacker. You can still buy copies of it today. I went and dug out the first edition. And on the outside, it looks like a kid's comic with cartoon characters on the cover. But the articles inside reveal it to be a very practical guide to becoming a criminal hacker. You can get tips on how to hack computers, how to hack answering machines, even how to steal credit card numbers. It was this magazine that taught Dmitriy about counterfeit software, and how to carry out his first hack, which helped him access something he couldn't afford. The internet.

Dmitriy Smilianets: Internet was extremely expensive in Russian. It was $10 for one hour. I had to collect money, save money, to buy one hour, then use it. And I was like, "How can I stay longer?"

Bob McMillan: An article Dmitriy read in Hacker Magazine, explained how to steal people's internet passwords. At first, he says he and a friend stole them from other internet users. But soon, his victims noticed that their bills were going up a lot. So you had used some passwords that were but were a consumer, but then they would stop working after a while.

Dmitriy Smilianets: Yeah, because they also had to pay for this super expensive-

Bob McMillan: You would get a bill-

Dmitriy Smilianets: ... I drained their accounts very fast. Right. So-

Bob McMillan: ... So what, how many hours are you on the internet with this, at $10 an hour with these consumer passwords?

Dmitriy Smilianets: I don't remember, but enough.

Bob McMillan: And then, one day, Dmitriy was with his friend, when his friend got a call.

Dmitriy Smilianets: So he said, "Hello." And it's like, "Excuse me. You've been using my account for a while, and you drained my account. Please don't do it ever again or I will go to the police." And we're like, "Oh, shit. How did they discover my phone number?" So we've had to stop.

Bob McMillan: How old were you when you did this?

Dmitriy Smilianets: I was like 12, 13.

Bob McMillan: Dmitriy may have dabbled in hacks like this, but he wanted a legitimate job in computer science. At 18, he signed up for a degree at a prestigious university in Moscow. What did you think about your prospects, looking at your dad who clearly wasn't being paid what he was worth. What did you think your prospects were for your future then?

Dmitriy Smilianets: They changed. So I was very excited when I started going to college, I picked the most promising specialty. Information security. Information assurance. But getting closer to graduation, I saw no future for myself. I wasn't given opportunity. I wasn't given interviews with my future employers. That never happened.

Bob McMillan: Then, in his third year of college, Dmitriy's future was decided very suddenly.

Dmitriy Smilianets: I had a very good friend. We went to celebrate something. We both got drunk. I already had driver license. He was younger. He did not have a driver license, but he had a very expensive car. So he said, "Dmitriy, we have better chances with you driving, because we both are drunk." It was very slippery. It was raining. And it was very sharp turn. I overestimated my skills. So we got thrown out of the road, and I hit the concrete pole.

Bob McMillan: They both survived. But the car, a Mercedes E-Class worth about $50,000, was totaled. And Dmitriy says he was on the hook for it. What was your plan to pay back the money?

Dmitriy Smilianets: There was no plan.

Bob McMillan: Dmitriy didn't have tens of thousands of dollars lying around, and neither did his parents. So he got in touch with some friends he'd made online.

Dmitriy Smilianets: I was just given an advice that there is a place in internet that you could go and discover, and find ways to make a lot of money, very fast. It was website called Carderplanet.

Bob McMillan: Imagine an online marketplace like eBay, except this isn't where you come to buy an antique. This is Carderplanet, a marketplace for stolen credit cards, with thousands of users.

Dmitriy Smilianets: I went there. I studied it. I read every single post. Sometimes I have to reread to comprehend. But in a week, I became very knowledgeable in cybercrime. I knew what was carding, credit card fraud. I knew where to find data. I knew who's selling it. I knew what people do with this data.

Bob McMillan: What Dmitriy had stumbled across was carding, as in stealing credit cards. And it works like this. That black strip on the back of your credit card contains a digital version of your credit card number, along with the expiration date and a security code. That's what the hackers want to steal. Once they have it, they can make a counterfeit of your card and ship it to associates, who then use that counterfeit to empty ATMs and buy products that they sell online. Dmitriy knew he wanted in, but he wasn't sure what his role would be in this criminal operation.

Dmitriy Smilianets: I only had to find a place for myself in this ecosystem, because I wasn't a great hacker. So I found a place as a middleman, between the guy who gets data, and the guys who are using this data. And I became very successful at that.

Bob McMillan: Hackers can't do everything on their own. So when they get good, they work in teams. Dmitriy joined one as a deal maker. His role was to sell the card data they stole. And like a lot of people in sales, he still remembers his first deal.

Dmitriy Smilianets: My first deal, I remember I received $190. And 140 of them, I had to pay for the data to my vendor. So I have $50 and this $50, I also have to receive them somehow. So I hired the person to do this and I split my 50 bucks with him first. That was my first deal.

Bob McMillan: By the time Dmitriy had paid the guy who sold him the data, and the guy who picked up his cash, Dmitriy says he made about 25 bucks from that first deal. That doesn't sound great. But what the sale actually gave him, was something far more valuable. A good reputation.

Dmitriy Smilianets: He left a positive review, and I started getting two, three, deals a day. There were small. But together, they meant something. And I felt a difference.

Bob McMillan: Within months, Dmitriy says he went from $25 deals, to sales worth tens of thousands of dollars.

Dmitriy Smilianets: In a month, I paid my debt. I paid my debt for the Mercedes. And then, in the second month, I bought myself an Audi.

Bob McMillan: That's pretty good.

Dmitriy Smilianets: I go to the restaurant, buy clothes I wanted, and I have money. I have cash to afford all my dreams. So it was great in the moment. And then, I was upset because it's too easy. I had that feeling that everything is affordable right now, and I need to set maybe bigger goals. I got hooked. I couldn't stop.

Bob McMillan: If the car accident hadn't have happened, would you have gone into cybercrime?

Dmitriy Smilianets: Never. I would never join cybercrime. I had to do it. I had to find this money. I had to find $50,000. I know it sounds like I'm making an excuse for my actions, but for a 20 year old boy getting into this situation, and I could have started selling drugs. I could have started doing something even worse. I think I got lucky that I got involved just in cybercrime.

Bob McMillan: But this was just the beginning, because Dmitriy would go on to become a carding king, and lead a team that would pull off one of the biggest hacks in US history. That's next. 2003 was a big year for Dmitriy. He was halfway through college, and he had met the woman he would go on to marry. And he had even tried working a legitimate job, running a website for a company called Momash, that made, of all things, cow milking machines. But Dmitriy never stopped hacking. Over the next few years, he made big money on Carderplanet. Much more than a legit job would ever pay. After he graduated from college in 2006, Dmitriy told his family and his girlfriend that he was making money from web development in real estate work. But really, he was hacking full time. It was illegal, but Dmitriy and the other users of Carderplanet, weren't worried about the law or their victims. Dmitriy read an article in Hacker Magazine, which explained that stealing American credit card details didn't actually hurt anyone. Nearly 20 years later, he still remembers what it said.

Dmitriy Smilianets: Carding is not a crime. It's a victimless action. There is no guilt, because even if the money were stolen from a card holder, the bank will replenish the money. The insurance will cover losses for the bank. The treasury will print more cash and cover insurance. So at the end, as I was explained and told, there is no victim.

Bob McMillan: So you believed that.

Dmitriy Smilianets: I wanted to believe that, because I already saw how profitable this is. So I just needed justification. And that came right in place.

Bob McMillan: What would your dad have said about that?

Dmitriy Smilianets: Oh, if I ever shared with him what I was doing, he'd probably smack me first, and then explained me that I'm going to jail for these actions. He never knew.

Bob McMillan: Dmitriy wasn't worried about being arrested in Russia. He was hacking companies outside the country, and Russia didn't extradite, which meant that Russians hacking into US networks were almost never arrested. So hackers like Dmitriy were able to hone their skills on Carderplanet, all in relative security.

Dmitriy Smilianets: We were pioneers, and we shared real stories right there on the forums. Sometimes with photos. Sometimes people didn't even hide their true identity. We thought we are very close family. Three, 4,000 people knew each other. We did not expect that someone is watching us, especially not in Russian, Ukraine. The cybercrime did not exist. So it was very trusted in close community.

Bob McMillan: This meant that Dmitriy and the hackers on Carderplanet had the time to get good. Really good. And in Dmitriy's case, time to build a great hacking team. First, he needed an exceptionally talented hacker. And after a few months on Carderplanet, he discovered one of the best. Who is Vladimir Drinkman?

Dmitriy Smilianets: Mr. Drinkman is the most gifted hacker in the world. Super gifted. His way of thinking about networks, his way of seeing things is different than what I have. We immediately became friends in real life, spending time together. At some point, we even lived together. We just liked to hang out together, spend as much time as we could together.

Bob McMillan: And what would you talk about?

Dmitriy Smilianets: Everything? Girls, life, business, appliances in the house, cars, new technology things.

Bob McMillan: Dmitriy saw in Drinkman, the deep technical skills that he lacked. And Drinkman, well, he saw something in Dmitriy too.

Dmitriy Smilianets: He saw potential, and he needed a person to handle all this, because it's impossible to focus on hacking and monetizing at the same time. You need to split your day, split your way of thinking. And it was easier to find another person to move data. And that was me.

Bob McMillan: So you were complementary in your skills, basically.

Dmitriy Smilianets: That's correct.

Bob McMillan: They decided to work together. Drinkman would find new and innovative ways to steal data, and Dmitriy would make the money.

Dmitriy Smilianets: So at first, it was me and him. Then, it grew up to a bigger, larger group, because he needed more people for very specific tasks.

Bob McMillan: Tasks, such as?

Dmitriy Smilianets: Someone is hacking into, someone is literally moving through the network. Someone is harvesting the data. Someone is supplying bulletproof servers. Someone is monetizing the data. So everyone has a very specific role. It's like Ocean's Eleven. You can imagine.

Bob McMillan: The roles went like this. Dmitriy was the CEO. He would do the deals, and sell the credit card dumps. Drinkman was effectively chief technology officer. He was responsible for breaking into networks, and moving within them, searching for the places to hide and pull the data out. He was assisted by a man called Alexander Kalinin. Let's call him head of business development. Then, there was Roman Kotov, who was really the chief data officer, a master at mining networks to steal data. And the final member of the team, was Mikel Ritikov. He was responsible for building a bulletproof server. That server, it was hidden in a rundown shack in Ukraine, that was filled with debris. There was a secret button on the floor of one of the shack's junk filled rooms. If you pushed it, the floor would drop, revealing an underground bunker. This is where Dmitriy's team hid everything they stole. There's a video of that bunker, and it's totally bonkers. It shows a secret stairway you walk down to get into the room itself. You open a door, and bam, there's a room stacked with blinking server towers, cooling fans. The hum is overwhelming. And tucked away in the corner, there's Ritikov's desk. The man responsible for keeping the bulletproof servers running. I was pretty impressed with the team's security. It's not every day you see a server hidden in a bunker. But when I asked Dmitriy about that video, he had a different take.

Dmitriy Smilianets: But did you look at his desk?

Bob McMillan: No.

Dmitriy Smilianets: You should revisit that video.

Bob McMillan: Yeah.

Dmitriy Smilianets: His desk is a mess. And when I saw that desk, I messaged the guys like, "Bro, you disappoint me with this. Why is that?" And he never replied.

Bob McMillan: You keep a tidy desk.

Dmitriy Smilianets: Yes. I feel like if your desk is organized, your mind is organized.

Bob McMillan: Ritikov's lawyer says his client denies any wrongdoing. Dmitriy's all star team of hackers had big targets. They were going to focus on hacking the computer networks of retailers and financial companies, because they held millions of payment card details. Many of the companies were American, and they were unprepared for the matchup against Dmitriy's crack team. This was in the early 2000s, when the huge threat posed by hackers was only just starting to be understood. And investing in cybersecurity, well, that was expensive. Dmitriy's team went on to hack a lot of companies. Companies like 7-Eleven, JetBlue, and Dow Jones, the company I work for, which publishes the Wall Street Journal.

Dmitriy Smilianets: We only were paying attention to financial crimes, because we knew how to monetize those crimes. With this knowledge, expertise, and skill, we could do anything. If there was an order to look at the dark side of the moon, we would get that.

Bob McMillan: Would you consider yourself to be the best hacking team in the world, then?

Dmitriy Smilianets: Yes.

Bob McMillan: These hacks made Dmitriy a lot of money. And what does a 20 something do with that kind of money? He spends it.

Dmitriy Smilianets: We are young. We don't care about money. We spend them. Fancy cars, renting boats, spending on luxury alcohol. The money flew away very quickly.

Bob McMillan: He hung out a lot with Drinkman, his best friend and partner in crime. When they weren't hacking, they liked to party.

Dmitriy Smilianets: We went to Sochi a lot, many times. Nightclubs, of course. All the top clubs in Moscow.
