Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground

by Kevin Poulsen

The true story of Max Butler, the master hacker who ran a billion dollar cyber crime network.

The word spread through the hacking underground like some unstoppable new virus: an audacious crook had staged a hostile takeover of an online criminal network that siphoned billions of dollars from the US economy.

The culprit was a brilliant programmer with a hippie ethic and a supervillain's double identity. Max 'Vision' Butler was a white-hat hacker and a celebrity throughout the programming world, even serving as a consultant to the FBI. But there was another side to Max. As the black-hat 'Iceman', he'd seen the fraudsters around him squabble, their ranks riddled with infiltrators, their methods inefficient, and in their dysfunction was the ultimate challenge: he would stage a coup and steal their ill-gotten gains from right under their noses.

Through the story of Max Butler's remarkable rise, KINGPIN lays bare the workings of a silent crime wave affecting millions worldwide. It exposes vast online-fraud supermarkets stocked with credit card numbers, counterfeit cheques, hacked bank accounts and fake passports. Thanks to Kevin Poulsen's remarkable access to both cops and criminals, we step inside the quiet,desperate battle that law enforcement fights against these scammers. And learn that the boy next door may not be all he seems.

Genres: Nonfiction, Biography, Technology, Crime, True Crime, History, Computers

288 pages, Hardcover

First published February 22, 2011

About the author

Mr. Poulson is a former hacker turned technology journalist, focusing on computer security.

From Wikipedia:

"Poulsen has reinvented himself as a journalist since his release from prison, and sought to distance himself from his criminal past.

Poulsen served in a number of journalistic capacities at California-based security research firm SecurityFocus, where he began writing security and hacking news in early 2000.

Despite a late arrival to a market saturated with technology media, SecurityFocus News became a well-known name in the tech news world during Poulsen's tenure with the company and was acquired by Symantec.

His original investigative reporting was frequently picked up by the mainstream press. Poulsen left SecurityFocus in 2005 to freelance and pursue independent writing projects.

He became a senior editor for Wired News in June 2005, which hosts his recent (as of 2006) blog, 27BStroke6 which has since been renamed Threat Level."

Reviews

[Rob · Rating 4 out of 5]

Executive Summary: A fascinating and terrifying look at the darker underbelly of the internet and identity theft.

Full Review
I consider myself fairly knowledgeable about computers and the internet. Computer Security has never really been my thing though. Yet for whatever reason I find reading books about computer crime fascinating.

This book is no different. Kevin Poulsen has turned himself from one-time hacker into a leader in covering computer security. I occasionally read some of his articles on Wired. I like getting the take of someone whose been there before on things. It seems like he's good about not just presenting the facts, but the reasons behind them. He really gets into Max Butler's head a little and presents a more complete picture than you might get from a different author.

I had read a little here and there about carding over the years, and I had vague recollections about the Dark Market, but I never really knew any of the details behind that bust. When comparing law enforcement in this book to that of The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage it's like night and day. Of course 20 years have passed, but they really had some clever approaches to tracking and eventually capturing some big players in the cyber crime world.

It's scary to learn just how easy it was and continues to be for people to steal your credit card information, and that the credit industry in the US refuses to change magnetic strips simply because of the upfront cost to replace the machines is so high they prefer to deal with the cost associated with the theft instead. I don't know what it will take to finally force a change, but meanwhile innocent consumers continue to have their lives upended by it.

I didn't find this book too technical, though given my background, I'm usually a bad judge of these things. I think anyone who understands the basics of the internet would be able to follow along. It's really more a character study of Max Butler and others than it is a detailed account of how he did it.

Overall another fascinating read.

[Sergey Pavlov · Rating 5 out of 5]

В книге рассказывается, как из обычного гика молодой парень превратился в матерого преступника(давайте называть вещи своими именами) в сфере компьютерных систем.

Это относительно новый тип преступника, сейчас их пруд пруди, и Макс о котором идет речь в книге, лишь один из них. Отличительная черта этого типа преступников - то что они неглупые, и вполне могли бы реализовать себя в легальных видах деятельности, но по тем или иным причинам они выбрали путь криминала. Как так получается? Об этом и рассказывает книга.

На мой взгляд, история Макса скорее грустная, нежели поучительная. Но по мере развития событий на полях книги описывается: развитие технологий, становление преступного сообщества, его взаимодействие с правоохранительными органами, и собственно методы работы правоохранительных органов.

Я неоднократно задавался вопросом, на чей стороне сам автор книги? Он очень старается казаться непредвзятым, но по тому, как он пытается описать Макса как некого заигравшегося ребенка, автор все-таки на стороне Макса.

Что касается правоохранительных органов, несмотря на беспристрастность автора, фразы типа: "через две недели в турецкой тюрьме, он выдавил из себя двадцати семи символьный пароль", не должны ни кого вводить в заблуждение.

С точки зрения технологий, книга безнадежно устарела после откровений Эдварда, но из нее все равно можно почерпнуть множество исторических деталей.

Книга на полные пять звезд. "Must read" для всех причастных.

[Nick Black · Rating 5 out of 5]

still too pissed off about my lost hour reviewing Hitch-22 to properly write; suffice to say that this is the best true hax0r crime book written as of April 2011 -- yes, i have read them all (previous title holder: The Hacker Crackdown. it pleases me to no longer need praise anything by confirmed mountebank Bruce Sterling, though he's been replaced by charlatan Kevin Poulsen....whom I think I must reassess).

so much nostalgia. i knew two characters, peripheral but named, personally, and half-expected to see my first, favorite and most successful startup mentioned on any page. poulsen gets it all right (ahh, the MSR206, how many lives did you change for better and worse?), from details historial to cultural to psychological. great book, save that game time's no more than about one hour.

---------
http://garwarner.blogspot.com/2011/03... very solid review here, and i dig poulsen's "THREAT LEVEL" blog on wired. it's always amusing if nothing else. poulsen might be a big douchebag (see The Fugitive Game), but he did give us this awesomeness:

[Jacques Bezuidenhout · Rating 3 out of 5]

This would be 3.5 Stars.

Although I really enjoyed the book, they seemed to have over simplified some things.

I'm not sure if it was the narrator or the biography form of the book, but the way it was told didn't quite grab and keep my attention, I found myself drifting away a lot.

Some things getting explained in the book like the Bind hack that didn't have a checksum and you could append extra bytes to the end of you post to run code, and the way they explained SQL injection was really well written. Short paragraphs explaining the just of the technicalities.

But then on the flip side they made it seem like anyone can order a card printer and some blank cards over the internet and start printing fake credit cards, with fake ID/Drivers licenses to accompany it.


It was interesting to see that it doesn't really matter how secure/safe you try be with your own cards, the bridge in security will most likely not happen on your side, or with your online usage.
It goes down to the level of buying take-aways and the P.O.S. storing your credit card details locally on a computer full of security loop-holes (like VNC with no encryption)

Some of the hacking also seemed over simplified, although some of the initial phases of security probably was that easy to compromise.
It seemed like you can buy a big antenna, and go walk around finding all these open WiFi hotspots from where you can could just hack a bank or the FBI

I liked some of the white-hat initiatives of warning people about security loop holes before publishing it.

This book really makes you think whether you are doing enough to safeguard your own data, and keeping up to date with security.


The Hacker underground seems very interesting in the fact that although they work together, they don't mind stealing from each other, or sinking each other. Each one for himself.

It seems that some of the biggest fish get all their crime charges dropped by helping the FBI in capturing even higher profile criminals. In the end they even get paid for their crimes.

It is also scary how a hacker can make the FBI seem like n00b5. He was always a step ahead until he got split by his "partner"


All in all a worth while read.

[Katherine Tomlinson · Rating 3 out of 5]

Poulsen’s name may be familiar to those who follow cyber-crime. He was a notorious hacker in his own right before serving time and emerging a WIRED correspondent. He knows the sub-culture of hacking, and that really makes this story feel “inside.” This is not the most “active” story, but it is one, like SOCIAL NETWORK, that takes us inside the minds of some brilliant people; introduces us to an intriguing world; and plays out cops and robbers in an entirely new way. And in a time of wikileaks, the story is totally current.

[Asen · Rating 5 out of 5]

good book

[Greg]

Inside look at the cybercrime underworld, specifically carders (people who steal credit card information). Book is really well written and hard to put down, and additionally it actually manages to cover the technical parts in enough detail to be interesting without being boring. Book follows the life of Max Burton and how he came to rule the carding world. Interestingly, he started out with light stuff, got in trouble, and went white hat for a while. But when the FBI wanted him to inform on one of his friends, he refused and got put in the slammer. It was there that he turned black hat once more, and once out of jail started getting into carding.

It was surprising how technically inept the supposed other hackers who made up the carding population were. Most were running skimming operations (stealing magstripe data by literally swiping cards, usually with an inside person at a restaurant), but otherwise were not skilled at computers. Max was able to easily hack those people and steal their card information before they could resell it. Even the guys who were running the carding forums where all these people met were no better. After Max was able to hack into some of their computers/accounts, it was pretty easy for him to take over their forums as well. In fact, of all the characters in the book, only a couple of people, Max included, actually sounded like they could legitimately break into other peoples computers.

It was also pretty alarming how widespread this kind of crime seems. There are break-ins and thefts of credit card data all the time. The people who buy the stolen credit card information then buy lots of goods at stores, and resell them on eBay in order to make a profit. Their favorite items are things like expensive handbags and electronics - basically big ticket items. So now I wonder how many outrageous deals I see on Craigslist or eBay are actually just carded goods. It’s also sad how many break-ins and thefts of credit card data happen. Most of it is just due to how poorly secured most corporations are (even some big ones), that once you break into their corporate network (and many have B&M branches that are wired into that network) it’s possible to steal credit card data. I guess it’s just insane to me that they have credit card data in the clear, stored on their network. That should never happen.

But it was due to poor security practices that Max was able to find most of his card data. The main exploit the book details is how small restaurants like pizza places, who really can’t afford to hire anyone technical, use a POS that stores credit card information accumulated during the day, and waits to transmit it all at night to the processing center. The full magstripe data is stored in the clear in text files on those computers. Many of them also do not delete old text files after they’re no longer needed. Max was able to find and break into these computers, giving him lots of fresh card information. Part of the exploit detailed was a VNC vulnerability that sounds so silly it’s hard to believe anyone could be so incompetent to actually have implemented it. Basically, the handshake between a VNC server and client involves the server telling the client what protocols it wants, and the client picking one of those protocols to actually use. However, the implementation used on most of the POS’s (VNC was installed to allow remote administration) didn’t check that the protocol the client passed back was actually on its list of accepted protocols. Therefore, you could hack a client to pass back protocol 1, which requires no authentication, and the server would gladly open a password-less connection.

One other thing from the book that stood out to me was how vulnerable client machines are to being hacked. There were multiple exploits detailed in the book, mostly on old Windows software, that would allow an attacker to take control of a machine, and all that was required was that it visit a compromised webpage.

There are lots more details in the book about Max’s multiple identities, different vulnerabilities, and just loads more detail, but it’d be too much to try and capture here. Needless to say, this was an easy read and a really enjoyable book.

[Tom Lee · Rating 4 out of 5]

4 stars for its descriptions of how hackers work, and of the techniques they use -- this book explains what SQL injection is, for instance, and manages to do it in just a couple of extremely clear paragraphs. Really a marvelous achievement from that perspective.

But as a psychological portrait of a hacker, I don't think it achieves the heights it's aiming for. I can relate to some of the obsessive traits that seem to have driven Max. But I don't understand them any better for having read this.

[Jacobi · Rating 4 out of 5]

This book is a fascinating chronicle of the rise, fall, rise, fall, rise, and then final fall of hacker Max Vision. Even though this book is a true account of Max's exploits, it reads like a fictional story in large parts. It's just riveting stuff to learn how Max moved from being a young punk hacker, to running massive identity and credit card theft schemes. Poulsen's writing is very clear and easy to follow. He isn't trying to be Truman Copete here, he's just relaying the story as he knows it, with very little in the way of sprucing up. I appreciated that.

[Quinton (Ron) · Rating 4 out of 5]

Good read. Gives you insight into how fragile the swipe system of credit cards is. The USA was the only country left using it - because the cost of changing the system his higher than the losses in fraud. Thank you American banks - please may I have another. The US has finally moved to chip and sign. Hopefully, they will move to chip and pin soon to help further protect its citizens from identity and financial theft. Then again - the US is still on Imperial measurements...

[Jim Crocker · Rating 5 out of 5]

This was a real compulsive non-stop read for me. I am fascinated by computer geeky stuff to begin with. However, Kevin Poulsen's writing is pretty smooth. The book focuses on the exploits of ace-hacker Max Vision. After serving nine years in prison, Max will be getting out just before Christmas 2018, which is right around the corner. Now maybe he's already out now. I don't know. But that was what I read in the book.

My opinion is that all these hackers have pretty much destroyed the Internet, which many claim to love, with their dirty deals and dirty tricks. Why they think they are being so cute certainly beats me. Computers and the Internet offered me a great time working on database development projects all over the US and the UK. Now I build websites for fun and write books, all thanks to computers and the Internet. Otherwise, I have no idea what I would have been doing. Probably nothing good.

This book should be a real eye-opener for those who don't understand the extent to which the Internet has been corrupted. Most recently, Net Neutrality has gone down the tubes. Policing and use restrictions will become the future and folks will gripe and complain about that.

Thank a hacker! What a shame and waste of talent and perseverance, just to show the world that you are a smart-ass.

[Dmitry · Rating 5 out of 5]

Unlike the "Kingpin" about Silk Road (by a different author), this is the book that I can recommend.

Yes, it is fictionalized, but fictionalization is not in-your-face, the author does not supply tons of dialogues or monologues to "help build the character", and best of all - book is decently sourced and comes with per-chapter references.

Yes, it does not go deep into technical details, but technical details are there - "zero-day RealVNC exploit" will be called just that, and there would be a reference to read more if you like.

Maybe this is just nostalgia - I've heard names and saw sites mentioned here back when it all happened - but I enjoyed the book.

[Janet MacIntyre (Yeilding) · Rating 3 out of 5]

Well written, with accessible explanations of technical concepts (SQL injection was described especially well) but this was hard to get into. I like hacker narratives when the protagonist is antiauthority and mischievous but still has a moral code, and Max wasn’t someone I was rooting for. I enjoyed Kevin Mitnick’s book a lot more

[Ryan · Rating 5 out of 5]

Great account of some of the carder underground, big carder sites, and scene drama. Particularly good because the author is from the underground and is now a journalist. Interesting too since I know a lot of the people and sites/systems involved.

[Rick Wilson · Rating 3 out of 5]

Fascinating view into early online cyber crime, the world of credit cards scammers, and the feds who stalk them.

There’s a great balance of not pulling technical punches with things like encryption, but also not getting bogged down with overly technical details.

Entertaining and informative read.

[Luis · Rating 4 out of 5]

This is a quick read and it is really interesting to follow this guys story. Max Vision is fascinating to learn about, but equally interesting is learning about this huge intricate story that took place in our lives that we never knew anything about. I learned a ton about internet security through this book. It is a quick and interesting read.

[Agne · Rating 5 out of 5]

A fascinating tale that captivates from page one. It's very well-written, especially considering how complex the whole thing is and how many actors there were.

[Reyna · Rating 3 out of 5]

I don't know much about computers or computer security but I was drawn into this investigation. Max Vision's story on how he went from young hacker into the mastermind of running an identity theft scheme blew my mind. It was scary to read about the hacking culture and how they are constantly evolving to obtain our private information.

[Joe · Rating 3 out of 5]

This book explores part of the world of modern cybercriminals.

I tend to think of the "old school" of computer "criminals" as mostly people that were interested in technology, wanted to explore, and just didn't care laws -- but generally not interested in directly stealing money from people. At worst, they would profit by doing things that they didn't consider stealing: for example, taking over a radio station's phone lines to guarantee that they would win a call-in prize.

The newer versions of cybercriminals really are just interested in stealing money: getting lists of credit cards, and turning those into actual dollars. People have been abusing credit cards for as long as they've existed, but recently the criminal activity surrounding them -- stealing the numbers, producing fake credit cards, buying products, turning that into laundered money -- has become very organized.

And thus, this book: it describes some of the central players that helped set of some of the largest discussion forums and computer-based credit card fraud marketplaces: people could buy or sell cards, equipment, and services.

The book theoretically focuses on one, or a few, characters ("how one hacker took over...") but in reality, many of the people involved in organizing smaller criminals knew each other, and interacted on a regular basis, and this book describes many of them.

The topic is pretty incredible: the way that the criminals would wait for a new security flaw to be discovered, and then take a shotgun approach to snagging as many people as possible. If virtually all of the potential targets evaded the attack, no matter -- the net was cast so wide, a few would get taken in. Then, it's sort of fascinating to see how the people would operate: given that their career was theft, it's not surprising that they would turn on one another, but they do it so quickly -- even going so far as to attack each other's computers.

The book itself is not bad, but it does seem a little disorganized. The author was involved in the computer underground previously, and recently involved himself in the computer deception that eventually caused Bradley Manning to be arrested for involvement with Wikileaks, so he's got the right background -- I just wish the book itself had a little more focus.

[Peter · Rating 3 out of 5]

If you're interested in cyber crime, hacking, online and banking security, this is definitely an interesting read. It mostly tries to be a biography of one of the more prominent hackers who ended up organizing a large group of cyber criminals. So if you enjoy biographies, this is also a quite well written one in my opinion. However, if you're like me, who doesn't enjoy biographies much and is only moderately interested in cyber crime, then it's just a decent book that tells a decent story with some cool anecdotes here and there.

The biographical nature of the book makes sense, since it allows the reader to have an anchor while traversing the three decades worth of cyber crime. So it kind of irked me that towards the end, it started going all over the place, detailing exploits of numerous other cyber criminals that only loosely connected to the main character. I think the inconsistency was more of an issue than the actual content, since I actually preferred the latter part of the book.

On the technical side, the writing was solid and the length was spot on: not too long that it felt boring and not too short that you were left wanting more. The story was quite predictable, but it's hard to be too critical of that since it is a true story after all. I didn't really care about any of the characters and their problems, but that might also be a personal bias since the stuff they do is quite annoying to most people. I also felt the book was a tad biased towards law enforcement and a bit naive in general on the state of cyber crime which I felt was a bit dishonest.

Overall, it was a good book that I generally enjoyed and which had only minor, mostly nit picky issues. If you like biographies and cyber crime themed books, this will probably earn a higher rating from you, but I don't, so it gets a fair three stars from me.

[♥Xeni♥ · Rating 5 out of 5]

Wow... what a powerful book! I noticed this on my friend's book update feed yesterday, searched around for an ebook, found one, started reading, and practically didn't even stop for much else. (Although there was a 16 hour break in between reading there :P)

Normally I don't like nonfiction books: they are dry, not engaging and just don't deal with subject matter in an interesting way that I can absorb readily. This book reads more like an action novel filled with tons of real life tidbits. I think the tidbits are what I enjoyed most. Travelling through the decades of hacking took me back to my own misbegotten youth (especially when Back Orifice was mentioned being released at DefCon!) but it was also a bit of a look into the movie Hackers, Hackers 2 and so forth. Just that this book continued up until right now (it even included a footnote at the very very end about the recent Wikileaks hack.)

All in all, this is a great book for learning about the huge world carding scams out there (descriptive enough to make you never want to use a credit card in America again until they change the system), about the main hackers on the scene and in between filling in your tech knowledge gaps (for instance, it explained SQL in a few short, very easy to understand paragraphs. Anyone want to change the Wikipedia article to make more sense??)

All in all, a very well written book, that I felt really covered the whole area of hacking while still maintaining a somewhat unbiased point of view. I thoroughly enjoyed it!

[Celeste Peterson · Rating 4 out of 5]

My mom passed this book to me, along with numerous others about computer espionage and hacking. This one was a quick and fascinating read - on that nearly made by blood boil to learn how easy software companies made it to hack our personal computers and gain our credit card numbers as far back as the 1980s. It details the effort of an amazing FBI man to bring down a brilliant cyber criminal Max "Vision" Butler, also known as Iceman online. It's a fascinating look at how mag-wipe credit cards were first stolen, how the process evolved, and the first criminals to sell mass lists of data. While Europe and nearly every other country on the planet has moved past the easy to compromise mag-swipe credit cards to the highly secure pin and chip credits cards, the United States has not. Last Christmas my credit card info was hacked by the infamous Target breach. Sadly, the same month I read this book, I learned that it was compromised again by Home Depot. I called to complain loudly with my credit card company to move them to fight the cause and they sent me a pin and chip card. If every consumer called someone to complain maybe we could move the corporate giants to push forward the necessary reforms.

[Oleksiy Kovyrin · Rating 5 out of 5]

Terrifying read... I've never realized how close the early years of my career as a systems administrator and developer took me to the crazy world of underground computer crime that was unfolding around us.

I've spent the past week wondering if doing what Max and other people in this story did is the result of an innate personality trait or just a set of coincidences, a bad hand the life deals a computer specialist, turning them into a criminal. For many people working in this industry, it is always about the craft, the challenge of building systems (just like the bind hack was for Max) and I am not sure there is a point in one's career when you make a conscious decision to become a criminal. Unfortunately, even after finishing the book I don't have an answer to this question.

Even if you are not an Eastern European-born computer science professional, the book is still a fascinating primer on the effects of bad and the need for good security in today's computerized society and I'd highly recommend it to everybody working with computers on a daily basis.

[Doug · Rating 4 out of 5]

On one hand you have a brilliant self taught programmer/hacker. On the other hand you have a relative child. And they are both the same person. At least that's how it appeared to me. Relatively few social skills and a need to prove himself, an absolutely brilliant flair for finding holes in computer security = lots of offended people and jail time. Still I quite enjoyed the story/history. In the end I was left wondering - obviously there were quite a few security holes out there in the emerging computer world and just as obviously there were quite a few people looking for, finding and exploiting these holes. Where was the ethical/moral training to come into play? I don't quite know how to characterize it, but it's frustrating nonetheless to see the billions of dollars of fraud (that ends up getting paid for by others in one way or another -- see higher usage fees, etc) enacted by the new computer criminals.

[Sam · Rating 4 out of 5]

Fairly intersting book. The work done by Kevin Poulsen to find all the necessary materials for the basis of the book is really impressive. He tells about fraudulent life, which takes place right in front of common user's life - on the screens of our PCs. There is no classical war between mafia or gangs in this book. Instead, we see how hackers keep doing their dirty deeds simply sitting in front of the screen. Nonetheless, the effects of this deeds sometimes cost much more than any others. In addition, the style of the book looks similar to another investigation by Wired - the one about the Silk Road (https://www.wired.com/2015/04/silk-ro...) - which took place a few years after the events, described in this book.

[Anthony · Rating 5 out of 5]

A fast paced, easy, and interesting look at one of the largest credit card thieves and credit card theft forum operators around. Gives a good overview of how credit card breaches have happened, what businesses need to do to help prevent them, and how the feds have set up some pretty complicated stings to take down some of the people who perpetrate them. It may help that I have a tech background, but I found the book easy to read and follow, the technical explanations very good, and the book overall interesting.

I also have to say that while reading this, I found a sudden urge to run Windows Update and patch 3rd-party apps on the couple Windows machines that I keep around my house...

[Jamie Coldhill · Rating 4 out of 5]

Only the Paranoid survive.
Every system or even encryption has a security loophole, you just have to know how to find it, exploit it and cover your tracks.

This is not a book for the paranoid or Internet Newbie. It will most likely scare the be-jesus out of them with regard to shopping with a credit card, especially online.

Recent IT Issues within Australian regarding the National Australia Bank and Commonwealth Bank will leave you deeply suspicious after reading this book. Buy gold and hide it under the bed before its not too late !!! :-)

[Jeffrey · Rating 4 out of 5]

I really enjoyed this true crime book about the cat and mouse game of hackers who steal credit card numbers and resell them online. One thing I learned is that online companies do a better job of protecting your data. Most of the cards stolen were from brick and mortar stores with insecure point of sale machines.

[Ralph · Rating 5 out of 5]

An engaging and very well written true story, Kingpin immerses the reader into the world of Max Butler, his associates and adversaries, white and black hat hacking, and the billion dollar credit card fraud perpetrated against the financial institutions. Author Kevin Poulsen knows well his subject area and draws the reader into an absolutely fascinating narrative.

[Raymond · Rating 4 out of 5]

I would have loved to give it 4.5 star rating, very informative an interesting read, if you have ever wondered as I have how cyber crime works and what is actually done. Then this book is for you.

Thank you.