Police in Wales have arrested Curador, a hacker suspected of stealing thousands of
credit cards from nine e-commerce sites and posted many of them on the Web.
The FBI’s National
Infrastructure Protection Center confirmed Friday that Welsh police have
taken into custody two 18-year-old men, both residents of Dyfed-Powsys,
Wales and presumed to be Curador and his associate. The names of the men
have not yet been released.
Curador and his accomplice are expected to be charged under Britain’s
Computer Misuse Act for the theft of more than 26,000 credit card numbers.
The two also will be charged for fraudulent use of the cards. Curador and
his accomplice allegedly rang up several dozen online purchases using stolen
cards, many of the charges exceeding $2,000. Details of the possible
sentences facing the suspects were not immediately available. The two men
may also face prosecution in the United States.
As first reported by InternetNews.com, Curador hit his first victim, an
online shop called shoppingthailand.com, in late January. Shortly
thereafter, he posted 1,000 credit card numbers and other customer data at a
personal Web site at Xoom.com, the Web homesteading site. Curador, who
called himself “the custodian of ecommerce,” claimed to have taken 5,000
cards from the etailer, and boasted that he had exploited insecurities
in Microsoft’s Web server software. A mirror of that site is available here.
In subsequent weeks, Curador broke into eight other small online sites around
the world, and each time posted some of the stolen cards at a series of
personal sites. The victims, in order, include promobility.net,
ltamedia.com, ascp.org, ntd.co.uk, visioncomputers.com, salesgate.com, and
feelgoodfalls.com. Losses to the sites are estimated to exceed $3 million.
According to Chris Davis, a security expert with consulting firm, TygerTeam which investigated the
break-ins on behalf of some of the victims, Curador apparently used a
homemade script to scan the Internet looking for sites which were vulnerable
to two widely-known security holes in Microsoft’s Internet Information
server. After finding a vulnerable site, Curador would browse the site’s
database files to see if it was storing credit cards and other customer
records unencrypted on its Web server — a practice frowned upon by security
Last month, Curador apparently used one of the stolen credit cards to
register the domain and set up a site at e-crackerce.com, where he displayed
the stolen cards and posted rants about the poor state of security at
e-commerce sites. After that site was shut down by the ISP, Curador set up
shop at free-creditcards.com, also apparently registered using a stolen
In an interview with
InternetNews Radio on March 8th, Curador revealed that he also registered
the domain curador.com and displayed the stolen cards there. A look-up on
that domain revealed that it was registered to a company called Fibres
Solutions in Swansea, Wales.
During the interview, Curador taunted police, saying he didn’t think they
would be ever able to catch him.
In an interview with InternetNews Friday, Michael Vatis, director of the
FBI’s NPIC, said, “Computer crime investigations are difficult and resource
intensive, but anyone who underestimates the skills and tenacity of our
agents does so at his own peril.”
Vatis said law enforcement officials from the US and Canada also contributed
to the arrest, as did security consulting firms.
“This case demonstrates that cyber criminals can not hide behind
international boundaries to escape justice,” said Vatis.
The FBI has come under fire recently for its difficulties tracking down the
e recent denial of service attacks on Yahoo, eBay, and
other major Web sites. The Bureau’s prompt arrest of Curador and his
accomplice is likely to be a point of pride for the FBI, which wants to
prove that it can effectively deal with cybercrime.