Chao was the brain behind Crime Enforcers, a busy assembly line of ATM and Point of Sale card skimmers. For eight years he ascended the criminal underground ladder, until he became a name every cyber criminal recognised.
When it comes to online fraudsters, he always stood out as “exceptional”. His instructional videos, explaining how to install the ATM skimming devices he manufactured and sold in the cyber crime underground, were darkly humorous. Check out this one example.
His banner ads promoting his wares were always crowd pleasers among fraudsters: rebellious, highly imaginative, with “adult” pictures.
So, when Chao got arrested, online fraudsters got scared for the first time in many years.
I already talked about one aspect of Chao's arrest: the famed DarkMarket operation. I'll just briefly mention that DarkMarket had several moderators: one of them was Chao himself, and the other was none other than FBI agent Keith Mularski, known in the fraud underground as Master Splynter. It was a brilliant undercover sting operation in which dozens of careless, overly confident cyber criminals - such as Chao himself - got arrested.
Monitoring DarkMarket helped law enforcement trace him to Istanbul, Turkey. The next step was locating Chao and building a strong case against him and his crew. This part took clever police work, and last month I met the officer who put Chao behind bars.
Let me tell you: there are some good people working in law enforcement. The team who arrested Chao consisted of some brilliant detectives in the Turkish National Police (TNP). Sources in the TNP talking under condition of anonymity confirmed the details below:
Chao was arrested in September. Despite his Italian accent and look in his educational videos, Chao is a Turkish citizen whose real name is Cagatay Evyapan. This wasn't his first arrest: he had been arrested before in the Turkish town of Izmir, and never returned from a jail holiday. The police considered him a fugitive, but for a long while his whereabouts were unknown.
The Turkish National Police cooperated with several law enforcement organisations, including the FBI.
After learning about Chao's activities in the cyber crime world, the TNP analysed his operation and found a weak link in his supply chain: thousands of his ATM skimmers had to be shipped out of Istanbul to multiple destinations around the world. That is massive.
TNP detectives went to talk to several international shipping companies. They explained Chao's operation and the contents of his deliveries. This paid off in spades: at some point the TNP was informed by one of the shipping companies that one of Chao's partners had tried to send skimming devices to a certain European country.
This eventually led to pinpointing Chao himself.
Chao didn't go down silently. In August 2008 the Turkish media reported that he had kidnapped a hacker known as Kier, whom he suspected of being a police informant. Several weeks later he felt the noose tightening, and made arrangements to leave Turkey.
By this time the TNP knew exactly where Chao operated. They located him on the outskirts of Istanbul, the Turkish metropolis linking Europe to Asia. They put him under surveillance and discovered that his apartment was used as a huge assembly line for card skimming devices.
When it was clear Chao might leave town, TNP moved in to arrest him. Later on it became apparent that he was not completely set to leave Turkey: he thought he could fool the cops for a little longer.
TNP arrested several of Chao's associates: some of the criminals who helped him with the skimming device manufacturing; his cashier; and other members of his group – altogether seven "Crime Enforcers" gangsters were arrested in September and October last year.
The raid on Chao's apartment provided evidence of the massive scale of his production line. At the time of his arrest, the TNP seized over 1,000 ATM skimming devices, 2,000 fake PIN pads, and a large number of fake Point of Sale devices such as the ones you can find in restaurants and gas stations, as seen in the picture below from the Turkish website Haber. You can also see Chao himself, led by Turkish policemen.
To conclude this report, let’s do some quick maths. A single ATM skimmer can easily record one hundred withdrawals per day. One thousand ATM skimming devices can capture 100,000 cards per day. Using a very conservative estimate of one thousand dollars per compromised card, we're talking about potential damage of 100 million dollars per day. A device will be discovered sooner or later – let's assume an average of 10 days before it is discovered – and then we reach the staggering figure of one billion dollars of potential fraud that the ATM skimming devices captured in Chao's lab could have inflicted on our ailing industry.
Chao was eventually caught, but others have already taken his place. The war on crime continues.
Uri Rivner is head of new technologies at RSA Security