The blockbuster heist that rocked the Deep Web
Before he gutted and nearly destroyed one of the most influential criminal markets on the Internet, a man using the nickname Boneless published a detailed guide on the art of disappearing.
“I have some experience in this area,” he wrote, detailing how fugitives should best go about buying phony passports, dodging cops, and keeping their stories straight.
The guide was just one of many contributions Boneless made to HackBB, a popular destination on the Deep Web, a group of sites that sit hidden behind walls of encryption and anonymity. Back in 2012, the forum was a top destination for buying stolen credit cards, skimming ATMs, and hacking anything from personal computers to server hardware. And thanks to Tor’s anonymizing software, members were shielded from the ire of law enforcement around the globe. It was one of the safest and most popular places on the Deep Web to break the law.
Then one day in March, HackBB simply vanished, its databases destroyed. One user likened the events to burning a city—its library, market, bank, and entire community—to the ground. It wasn’t hard to guess who’d done it. A few days earlier, Boneless had disappeared—and with him, a serious chunk of the market’s sizable hoards of money.
While many worry our private data has become an open book for the American government, easy-to-use anonymizing software such as Tor has successfully thwarted law enforcement for years. Domains on the Tor network, called .onions because the numerous layers of encryption that protect users, often host content that would lead to quick arrests on everyday hosting services.
For that reason, everyone from activists, whistleblowers, journalists, businesses, militaries, and everyday people use Tor to cover their tracks. Naturally, cybercriminals have flocked there, too.
Websites such as Silk Road and Atlantis famously use Tor’s software to build massive storefronts selling illegal drugs, forged documents, and weapons to a global audience. Child pornographers, money launderers, and more have made Tor their home in recent years. But while they’re immune from law enforcement, Tor sites are still vulnerable. All it takes is one internal betrayal.
Thanks to what seemed a tireless desire to better his criminal peers, Boneless had always stood out in the HackBB community. He wrote guides on everything from how to convert stolen credit cards to cash to the best ways to defraud online bookies. These were easy to read and informal, written with the tone of a young talent eager to help out his students and prove his own superiority. At the end of one, about turning stolen credit cards into cash, he told his readers: “Go shopping. See the girl with the big titties? Buy her a drink. You win.”
In total, his contributions over two years amounted to a textbook on how to become a better online criminal. Boneless was well rewarded.
HackBB’s founder, OptimusCrime, promoted Boneless to an administrator role in early 2012, giving him broad powers to ban users, edit posts, maintain the site, and access its sensitive backend. More than that, Boneless took over of the site’s escrow service around June 2012.
An escrow service allows two anonymous parties to exchange money by using a trusted independent third party (HackBB in this case) to hold onto cash until the deal is done. It’s a useful tool for anyone looking to make a deal with someone who can’t easily be trusted.
It's impossible to say how much money the forum’s escrow held at a given time, only that there was likely whole lot of it. HackBB’s service was famous and widely used in the hacker and online fraud world—thanks in part to Boneless’s expert management.
In March 2013, a large amount of money suddenly disappeared from the escrow.
Then, on March 22, 2013, the Boneless account accessed and partially destroyed HackBB’s database. There was no warning—no hint of motivation. He snooped on private messages and attempted to blackmail numerous members with the information he dug up.
OptimusCrime wrestled control back from Boneless, disabling the account. Shocked forum users returned to a hollowed out HackBB, void of the buzz and resources that had helped it become so successful.
On May 15, 2013, just as HackBB was attempting to reestablish its primacy, a second attack brought the forum to its knees. The attacker was thorough and deceptive in ways even these experienced hackers and criminals hadn’t expected. During the first attack, Boneless had used his admin powers to create other, hidden accounts under his control, then granted them administrator status. It was as if, before leaving, he had dropped a half-dozen secret keys around the property.
The famous drug market Silk Road employs an entire team of dedicated staffers. But at HackBB, only OptimusCrime stood in the way, and he was getting overwhelmed. Even after he finally purged the forum of all Boneless’s influence, the attacks didn’t stop.
Scammers caught the tell-tale scent of a dying beast and descended ferociously on the forum. They posed as OptimusCrime and other popular members in an attempt to take whatever they could from remaining users.
“This happens during moments of uncertainty,” wrote OptimusCrime. “Rippers know if they can cast doubt on management then users are more susceptible to pay directly”
It took months of long days and hard work from OptimusCrime and loyal administrators to continuously clear out and ban the scammers. Slowly but surely, they built up a core of trusted criminals that would bring HackBB back to life.
All business is inherently risky on the Deep Web. Escrow funds in particular require serious trust, which is itself a valuable commodity on the anonymous Web. The popular drug market Silk Road established a highly successful escrow service by building years of trust and name recognition.
Silk Road’s founder, Dread Pirate Roberts, is rumored to conduct thorough background checks on staff, an act that would require extraordinary trust, considering the immense illegality of Silk Road’s existence. Such a policy, though extremely difficult to enact, would severely diminish the chances of a staff betrayal. It would also create a delicate house of cards that could completely collapse if Dread Pirate Roberts were ever apprehended.
At HackBB, Boneless either shared no identifying details with OptimusCrime, or he was supremely confident in his ability to go away without getting caught. He did, after all, write the book on how to disappear completely.
Such was Boneless’s reputation that, after the attacks, many wondered if he was really even responsible in the first place. Forum members suggested Boneless actually sold his powerful administrator account to the highest bidder.
"Someone got a hold of his credentials somehow," wrote one HackBB moderator, "He probably sold them."
In the months since, OptimusCrime and a small team of HackBB moderators made a concentrated effort to clear out scammers and rebuild the valuable resources of the site. Several saved guides were posted to the wiki, including half a dozen by Boneless himself. After all, this guy obviously knew what he was talking about.
The HackBB brand was damaged. But hacking and fraud forums have always been vulnerable targets, and their users understand this. Old and new members slowly made their way back to the forum and started making good business again. By July, thousands of dollars was changing hands every week on the site, largely driven by credit card fraud. (One of the most popular credit card vendors on HackBB, Pking0, told the Daily Dot he makes upwards of $5,000 per week.)
Today, over 15,000 member accounts power a reinvigorated marketplace selling credit cards, bank accounts, forgeries and entire identities to willing buyers. Wanted ads for ATM thieves and vicious bounties are posted like they’re personal ads on Craigslist. The wiki library has been replenished to include guides to subjects such as phishing, hacking, carding, malware for phones, and how to deal with curious cops.
Over the past several months, OptimusCrime has launched an investigation into the attacks. He says he believes Boneless sold his account and even has a suspect for the buyer.
“Not that the details are even important,” he wrote. “The only detail that matters is preventing it from happening again.”
As the money flows, surely someone in OptimusCrime’s den of thieves is already planning the next grand heist on the Deep Web.