Home » Articles » Evolution Market Background: Carding Forums, Ponzi Schemes & LE

Evolution Market Background: Carding Forums, Ponzi Schemes & LE

Another artice in the #Evoscam series – I have known this thread since it was posted originally by /u/the_avid in some private forum – but never wanted to stir any drama regarding Evolution marketplace, so i never posted it, but now seems like a good time to repost this and remind everyone where evolution cam from and why this scam wasn’t such a big surprise to many people, some details were added by Gwern, so here we go:

On 15 March 2014, /u/the_avid posted a writeup of the historical background of English-speaking carding (fraud) forums and law enforcement’s practice of infiltrating, running, and after a long period, busting them, due to the Evolution black-market’s origins in an English-speaking carding forum. I thought it was a decent writeup and encouraged him to post it publicly, but he wanted to improve it. I pinged him several times after that, but it never happened, and he has not responded for several months at this point, so I’m taking it upon myself to repost it (which is ironic in part because Evolution staffers threatened to dox me if I wouldn’t tell them what the_avid had written; well, here you go guys, I hope you think it was worth the trouble).

Evolution Market is starting to get some traction. I first submitted the URL to /r/DNM around 2 months ago. There is a bit of background here that people should know, in terms of who is behind the site and where it came from.

Evolution originates from an online carding forum know as Tor Carding Forum (TCF). This forum is part of the ‘carding’ scene – forums that operate much in the same way as DNM’s do except they run on forum software rather than dedicated market software.

Users would join up and be able to discuss everything to do with carding – how to steal cards, how to clone cards, how to cash out cards, how to hack websites, how to sell cards, how to setup and use drop addresses, buying fake ID, stealing personal information (known as fullz).

The other section of the forum would be the market. To setup as a vendor you would send two samples of your products to the admin and they would ‘vouch’ for you. Once you were vouched you were allowed to sell your wares in the market section of the forum. Common items for sale were credit card dumps (1 for $5, 10 for $40, up to bulk), cloning machines, ATM skimmers, etc.

The Russian crime groups were the innovators here – all of the hard core stuff happens on the Russian forums (in Russian language) that are invitation only. You would have to be vouched just to get access to the forum, let alone becoming a vendor on the forums.

In the late 90s some enterprising Americans who couldn’t get access to the Russian networks decided to setup their own carding forums that were English language and based in the US tailored for English language users.

There were a large number of small sites on the net then, most of them turning out to be scams or having copies of tutorials that were 10 years old and would never work. The first big site that managed to aggregate everybody into one place was ShadowCrew. All the big name carders who would make a name for themselves a decade later were there.

The problem was that while they adopted the Russian model of using forums for carding trading they didn’t adopt the network invitation model, so the site was infiltrated by the Secret Service. There are a lot of parallels here with what could happen with DNM’s, and people who talk about how you should always assume that a DNM has been compromised.

One of the members of ShadowCrew was seen by a police officer in New York to be making multiple ATM withdrawals using a stack of ATM cards he had in his pocket all from one ATM. The police officer approached him, found a dozen blank ATM cards that had been programmed with stolen card info and around $10k in cash. The Secret Service flipped this guy and got admin level access to the carding forums for their undercover aliases. One of these handles being run by the Secret Service ended up becoming one of the top vendors.

This was before the time of Tor – the anonymity method then was to use a VPN, and one of the new admins being a Secret Service agent setup a cheap VPN service for board members to use. This was a honeypot. They had ingrained themselves into the community so much that when one of the agents accidentally logged in from their real office IP address which showed that they were accessing the site from a Secret Service office in Virginia – members refused to believe it, and accepted the explanation that the user had ‘hacked’ a government server and was showing off.

Over 2 years the Secret Service took over hosting the server, running the admins and flipped users one by one. Via the VPN service they were running they obtained the real dox to over a hundred users – and at the end of the operation there were world-wide arrests where the entire network was taken down.

One of the guys who got away was Max Butler. He is the subject of a great Kevin Poulsen book called Kingpin which tells the tale of ShadowCrew and what Max Butler did next. He setup the next forum: Carders Market. He consolidated the market again by hacking all the small competing sites, taking their databases and dumping them all into Carders Market then redirecting the sites. The users of the other sites could login to Carders Market and see all their old posts and info, now all centralized.

One of the biggest users on the new Carders Market was Alberto Gonzales, aka SoupNazi. He was the kid that was caught by the police officer in New York making the ATM withdrawals and flipped into a Secret Service cooperator. At the time he was still on the books at the Secret Service, earning $100k a year for providing information. He was also one of the most successful hackers in history – his crew hacked dozens of sites over a span of 5-6 years and stole hundreds of millions of credit cards.

There is a great profile of Alberto Gonzales in the NYTimes magazine from a few years ago. The way he was caught is a brilliant lesson in OPSec. Alberto was wholesaling his cards to a guy in the Ukraine called Maksik. The network in the USA simply wasn’t large enough to absorb all the cards and info Alberto had stolen so Maksik was his bridge to the Russian networks. In Russia these crews run with impunity – the deal there is that the Russian government lets them be as long as they do not target Russian banks or institutions. This is why you often find that the Russian carders boast that they are carders in their social media profiles, posting pictures of their Porsche’s, new apartments, wads of US cash, etc. They even go as far as use their real names in Western Union transfers.

The US government finally figured out who Maksik was and lured him to Turkey. While he was out by the pool US agents broke into his hotel room and backdoored his laptop so that it would store chat logs. His drive was encrypted yet they still managed to backdoor it via hardware. They saw him speaking to a guy in the USA by the name of SoupNazi, who was Alberto, and they saw that he was buying a lot of cards from this guy. Some of these cards matched up to some of the largest unsolved hack attacks in the USA – the type of hacks that were mainstream news at the time like Subway and TJMax. Alberto and Maxim spoke for hours at a time each day, and it was a single slipup that identified Gonzales – Maksik referred to him by an old alias from Gonzales’ ShadowCrew days. The secret service then immediately knew that this big mysterious hacker who they had been chasing for years was on their own payroll.

They built a case up against Maksik and had him held in Turkey. They picked up all of Gonzalez’s associates – a crew of 4 or so who were breaking into networks by wardriving (where you place a large antenna on a car and find open or breakable corporate WiFi networks). Half the associates flipped against Alberto and he ended up going to trial on federal conspiracy charges, getting 25 to life.

At the same time the Secret Service again infiltrated Carders Market and tracked down Max Butler (the DPR of his time) to a small unit in San Francisco. He was arrested and the Secret Service took over running Carders Market. Over a year or so they again built up profiles of all the users and again conducted large-scale arrests which saw dozens around the world arrested.

Two of the largest underground carding sites both infiltrated and exploited by the Secret Service leading to multiple arrests, all in less than a decade.

With Carders Market gone a whole new slate of small sites and forums sprung up. There was an entirely new generation of carders who would hear about credit card fraud on the news, hear about the riches involved and then do a Google search and find the nearest English language carding forum. This new generation was running forums as Tor hidden services. When the hidden services first came to popularity most of the sites were carding sites. The more popular one of these was Tor Carding Forum (TCF).

The problem with the new generation of sites is much like what we are seeing now: a lot of new sites taking advantage of the popularity of the market but no site admins who were like Gonzales or Butler – guys who ran very efficient multi-hundreds of million dollar operations for years. The new generation were all younger kids who were more interested in quick ways to make money and would stop at nothing.

They were all ill suited to run carding forums and bought an entirely new level of naivety. The reason why the Russians are so successful and are still operating the same networks today 20 years later is not just because of their deal with the government, but because their crews consist of the best security guys, the best ID guys, the best money launderers, the best accountants, the best lawyers, the best hackers, etc. TCF and similar English language forums were letting anybody in as a member, were not cooperating as crews and were mostly lone wolf type hackers who would join the forum, get ripped off for $100 by being sold a tutorial that was 10 years out of date and then being sold card data for $50 each that the Russians would sell for $2 each.

This new generation was 16 to 24 year old kids living with their parents and carding a few hundred dollars worth of goods per month and thinking they were on top of the world – the best hackers in the world because they figured out you could get a free Netflix or porn site subscription.

There were a few things these guys weren’t prepared for. First is that to the government it doesn’t matter if you are a kid messing about with a dozen cards or if you are Alberto Gonzales, the federal conspiracy charge is the same and the amount of time you will serve is the same. They are absolutely no match for the combined efforts of the federal law enforcement agencies, even now with the benefit of Tor and hidden services. Second they were not prepared to take on the Russian crews. TCF and its market would be regularly infiltrated by Russian hackers who would extract anything of value running on the forums.

TCF was hacked for the last time in January. The database was leaked and a lot of the users ended up getting hacked themselves. By this point the admins of the site were getting bored and tired of the carding scene and had started to hear about the new big way to earn money on the darknets: underground drug markets. Months before TCF was hacked for the last time some of the admins got together and decided that they would expand TCF into an underground drug market. That drug market launched just after the last TCF hack and is what we know today as Evolution.

I’ve been hanging out in this sector for a long time so I was on TCF before the hack and as this market was being discussed. The difference between the level of conversation and general skills on display at TCF and the Russian markets is heaven and earth. The Russian forums have entire sections of their forums dedicated to discussions where ATM’s are disassembled, exploits are developed for Adobe Flash or Acrobat (exploits that the members find themselves and don’t report – otherwise known as 0day), sections where the latest holograms and credit card security features are discussed.

In contrast on the TCF forum the average thread is someone begging to be given a free card dump, someone else selling an old tutorial or someone asking for the one thousandth time how to get started. There are one or two legit members but most of the forum is a shit show of incompetence and kids who are lining up to be sent away for long club fed time.

TCF reached a low point earlier this year, and I just happen to be in the middle of the story. A popular scheme over the past few years on forums has been a very simple Ponzi scheme aimed at members of gaming forums, hardware acceleration forums, etc. There was a user on TCF who was semi-known and semi-reputable. He posted a scheme that looked something like this (original post gone) on the forum:

I’ve been involved in a lot of penny stock trading recently on the London OTC exchange after meeting a banker in a bar who told me about how to manipulate the market. I’ve made over £10,000 this month. He taught me how to read the markets and how to know what is going on. Here are some of my trades that I earned on this month:

[shows trades in the past with stock increasing 100%+]

I’m now prepared to scale up this scheme and invite a select group of users to invest along side me and realize the same sort of returns I am. I am offering two investment packages:

Option 1. Minimum investment £5000. 5 slots available. I will send you a link to signup for a brokerage account and every few days I will send you a stock to buy and then notify you when to sell it. You don’t pass me the money, you invest yourself. In return I get 20% of your profits.

Option 2. Minimum investment £100. I invest your money for you and you join my fund and I guarantee you a 14% return per week. 20 slots available (3 sold!)

Users would normally be skeptical, but the fears would be allayed by sock puppet accounts who would talk about the returns on Option 1. “Hey, try option 1 if you are nervous”. Option 1 is just a distraction from the real Ponzi scheme – which is option 2. Over the next few days he will post updated trades from option 1 showing their returns, with sockpuppet accounts talking up how much they made. Since option 1 then ‘sells out’ (but hey, we have a waiting list!) most users then signup for option 2, a little at first then bit by bit more and more.

Here is the ultimate irony of this Ponzi scheme. Were you to go to the section of TCF where all those shitty tutorials are for sale (just as they are now on Evolution market) one of the tutorials for sale for a few hundred dollars was ‘How to make $10,000 per month’. The tutorial was an exact description of how to run this Ponzi scheme, word-for-word pasted in introduction section, the terms to use to make it appear like you know what you are talking about with trading (the guy who ran this scheme on TCF was an unemployed web designer) how to find the ‘winning’ stocks for Option 1, how to convince people to part with their money etc.

There is a brilliant writeup on WeirderWeb about the exact same scheme taking hold on the BlackHatSEO forums, the original article is down but the mirror on archive.org is still available and it really is worth a read.

Had anybody on TCF bothered to check their own tutorials they would have seen this. Worse yet, had anybody bothered to copy that original message and paste it into a search engine they would see hundreds of hits for the exact same original message on thousands of forums around the web. In 99% of those cases the thread is ignored, someone replies with ‘scam!’ or a moderator removes the thread.

But not on TCF. Not only were there plenty of people who bought into the scheme, the administrators of the site ‘vouched’ for option 1 as a legitimate offer. This is a rubber stamp meaning that the offer is safe. All throughout the forum thread whenever there was a doubter pointing out the obvious ponzi scheme elements of the scheme they would always be shouted down with ‘but it is vouched!’.

The guy running the scheme would make some payouts, but he would setup the scheme with capacity slots, and if you withdrew money you would go back into the queue. The number of people actually invested was 25 times larger than the number of people he said were invested. The amount of money invested was around 100 times larger than the revealed amount of money invested.

The OP of the thread was late on payments just as TCF was shutdown for the last time and everybody was migrated to the new Evolution forums. At this time with the migration to Evolution, TCF had been down from their hack for a couple of weeks and nobody had heard from Samuraiprint – the guy running the ponzi scheme (or ‘investment opportunity’, in TCF parlance).

The old thread is lost, but here is a link to the new thread where the scheme continued on Evolution (http://i25c62nvu4cgeqyz.onion/viewtopic.php?id=124) (thread title changed when it was realized that it was a scam):

Title: Samuraiprint/TCF topic: Invest and Multiply your money and be scammed

Hi all,

Anyone tried this ?

I took option 2.

The 1 st payment and communication with Samuraiprint were perfect, but from last saturday and tcf down, it seems that it’s not even the same person behind his icq.

Brief history : Saturday : On icq, he told me he will pay at 3PM, nothing… Same time, I registered to hbb, find that he had an old topic there under the pseudo stocktrading, and send him a pm. Pm was read but never answered. On icq, he told me to check at 9PM, nothing… All of that using some words that don’t go with Samuraiprint usual language. Sunday : No icq cnx. The name of his tread on hbb was modified to fit the same exact tcf’s one. Some posts from the op were also modified. Monday : I received an add from another icq # 653196796, telling me his other account got hacked and to give him 24 hrs to fix everything. He was able to give me the amount I invested to identify himself…but that could maybe be found in the history of the other icq… Today: He was online on icq but doesn’t answer to me. Now he doesn’t stop login and logout just few seconds after… Something wrong with Samuraiprint. 1/ He got hacked for real or 2/ It’s a pretty scam. Who said : “what is too good to be true…” ?

reply 1:

MrMouse Member

Sounds like a scam.

reply 2:

well.. his thread at TCF actually in verified section. i did chat with him yesterday thou.. hes basically saying want to get rid of some members from option1, especially who doesnt have knowledge in stock market, probably impatient client or some sort he did tell me his icq acc and including email is hacked. so i ask him several questions,etc.. he got it right thou.. so i assumed his new icq account is not impostor. ive asked him if he will register here, he said no.. dont > have time for that, and registration already closed for new member long time ago anyway

reply 3:

I also invested with Samurai for option 2. This last weekend was supposed to be my first payout and pretty much what you said happened.

reply 5:

I know what you mean. Nothing about him pointed to being a scammer and he definitely knows his stuff. I really do hope this is just a speed bump and I receive the rest of my payouts and on time.

Samuraiprint shows up at reply #25, apologetic:

{image missing}

and so on .. the thread continues with “investors” not wanting to give up on the dream of untold riches, despite all the obvious clues. There are some sock puppet accounts that talk about being paid. It drags on for 7 pages, and eventually some users figure out that this guy has taken them for hundreds of thousands of dollars.

The guys who signed up to a carding forum with dreams of becoming rich with credit card fraud had been scammed themselves by the simplest of ponzi schemes. Like most ponzi schemes there are still victims who in the end refuse to believe they were scammed – it must be because samuraiprint was taken by the Mafia, or arrested for insider trading, or perhaps the Russians got to him.

On around the 25th of January the thread starts fading out. The admins come back in and post that it isn’t their fault users got scammed with option 2 – they had only verified option 1! They also accepted no blame for not banning the user, and one admin admits that he himself had money tied up in the scheme.

What happens next takes this story from a crazy ironic incidents where amateur scammers got scammed to something that is borderline sheer lunacy. There was a semi-known user on the forums called ‘Gold’. He was the type of user who would reply to almost any thread, just to get noticed and build up his post count. In 3 months he went from a nobody to being known on the forum, he sold stolen card data in the markets.

This is what he posted on the 31st of January, about a week after the last ponzi scheme collapsed: