Inside a Credit Card Number Theft Operation

Have you ever wondered what happens to credit card information that is stolen online?  Sure the card numbers get resold on cyber-crime web sites and discussion boards, but a recent FBI sting operation has resulting in the arrest of 24 “carders” from the US and elsewhere, and provides a detailed look at the financial endgame of these cyber crooks.  You can read the entire story on Sophos, but I am quoting pieces of the article below.

“Charges against a few of the defendants shed some light on the specialization practiced in this underground ecosystem.

Michael Hogue (21), a/k/a "xVisceral", allegedly specialized in creating remote access Trojans (RATs) that enable attackers to take full control of victim PCs, including accessing web cams and keystrokes. He sold his RATs for $50 a piece on average. Hogue from Tuscon, Arizona faces up to 20 years in prison for his crimes if convicted.

Ali Hassan (22), a/k/a "Badoo", sold what are referred to as "fulls", which references that he not only had credit card numbers, but also names, addresses, Social Security Numbers, birth dates, mother’s maiden names, expiration dates and CVV codes. He bragged that he had obtained some of these details from a compromised online hotel booking site. Hassan faces 27 years in prison if convicted.

Mark Caparelli (20), a/k/a "Cubby", was a specialist in defrauding Apple product warranties. He obtained stolen credit cards and serial numbers from Apple products to defraud Apple by having them ship advance replacements for supposedly broken Apple products he didn’t own. He would use the stolen cards to "secure" the advanced shipments which he sold and traded. Caparelli faces 30 years if convicted.

Joshua Hicks (19), a/k/a/ "OxideDix", sold credit card dumps to an FBI agent for $250 and a DSLR camera. Agents met Hicks in person in New York City to provide him the camera according to Hicks’ indictment. Hicks faces up to 10 years in prison if convicted.

Mir Islam (18), a/k/a "JoshTheGod", is the most interesting of the arrests. In addition to being in possession of more than 50,000 stolen card details he was also a member of hacking group UGNazi and founder of a competitive card trading forum

After arresting Islam, the FBI also shutdown the websites of both UGNazi and UGNazi has been in the news recently claiming attacks against high-profile web businesses including Twitter. Islam faces 25 years in prison if convicted on all charges.”

So here is another story where crime DOES NOT pay.  Its good to see the FBI an other police organizations such as Interpol taking this type of crime seriously, and deploying their resources to shut these sites down and incarcerate the perpetrators.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.