A hacker’s race to build the Amazon.com of stolen credit cards

December 21, 2012

hackbblong

The rise of Errata’s Shop.

Whatever else they might have to say about it today, no one can deny that Errata’s Shop was good at what it did. Errata himself was the consummate online startup CEO: ambitious, affable, attractive to new customers, community-oriented, charismatic and smart enough to think he could get away with running a massively illegal and mightily profitable enterprise.

On Sunday, September 23, 2012, Errata created a thread on the HackBB.onion forums to promote his new business: he sold working American credit card numbers to anyone willing to pay. In the same way that a legal startup might create a thread on a large site like reddit or Hacker News, Errata skillfully placed his slick new product in the face of customers who wanted it badly.

HackBB (pictured above) is a public forum that helps facilitate and support a number of black markets. The relevant market here is fraudulent finances. That includes credit card fraud, Paypal fraud, ATM skimming and a variety of other crimes.

Being public and popular, HackBB is often the subject of scorn, scoffed at as full of scammers and relatively immature amateurs compared to private forums and other less-than-public carding communities. One look at the HackBB forums shows the truth in those statements — see the adolescent-level aggression, flames and occasional outright naivete. But that story leaves out an important fact: HackBB is full of money ready to be spent. That alone is enough to keep it worthwhile for its visitors.

Once an entrepreneur like Errata has a service or market he’d like to promote, all he has to do is post about it on HackBB to attract attention. Once enough users and, ultimately, the site’s administrators use the service successfully, it is declared verified. This new status can open the floodgates to many more customers, money and people of all stripes who want to see what’s being offered.

Over the past decade, there have been many attempts to build sustainable, professional-quality online storefronts for stolen credit cards, a necessarily fragmented criminal industry that costs American businesses $190 billion per year according to Forbes. This 2011 report surveys more than a dozen different shops available just one year ago.

If you’re in the market for stolen cards, the problem you’ll immediately notice with the 2011 report is that many of the shops are now closed up. It’s often unclear just who shuts the door on these services. Carding shops and dealers come and go quickly, most often without a note to the customers. The holy grail of carding is a steady, reliable and, if you’re lucky, quick source. If you find one, you stick to it. When Errata came around in September, there were thousands of carders searching for just that.

Here’s how Errata first pitched his new credit card shop:

Tired of waiting days for cards? Not knowing if you will get a refund for dead cards?

We present to you Errata Shop. An automated CVV onion site with built in checker for auto refund of dead cards.

Features:
Automatic bitcoin payments available 24/7.
Fresh stock added every day.
Listings include many infos like BIN, ZIP so can buy only what you need exactly.
Automated checker for instant refund of invalid cards.
Cheapest prices and even more discounts on cards expiring soon.
Fast and professional support.
More products coming soon.

Registration is open. If no deposit in 24hours after register, account will be deleted and you have to register again.

Please read site instructions in Help/FAQ section. Any other questions you can contact me.

Email Support: Errata@tormail.org

The pitch linked to Errata’s shop.
errata's shop front

No one bit immediately. With no response for three hours after posting his thread, Errata decided to light the fires by tempting his first customers in with an offer they couldn’t resist. He gave them something for nothing.

“Free $10 credit available to 2 or 3 trusted members to test,” he wrote.

Finally, five hours later, user TheSyndicate118 took him up on his offer.

“I’ll take that $10 if you dont mind! In fact, just one cvv to save yourself the money.”

Errata asked only for public feedback in return.

Other users began asking about the service, wondering if anyone had used it yet.

The next day, HackBB moderator l0v3h8 wrote the first review:

Site works as advertised. Bought some cards and they worked, checked some cards and the checker also worked as far as I tried. Overall good site, no waiting around for cards literally instant once you have money in your account.

When it comes to carding, this is high praise. Smooth transactions, working products and no wasted time make for an excellent business. Soon, TheSyndicate118 chimed in positively as well.

Errata’s shop was simple and effective. The customer registered and deposited money. A listing of cards came up sorted by card type, owner, location, price, owner’s data (e.g. date of birth and social security number) and other defining factors. The customer decided what they wanted and, within a few clicks, they made their purchase as easily as though they were on Amazon.

Anywhere from seconds (as designed) to a couple of hours (on particularly slow days) later, the credit card information would show up in the customer’s account. They would then run the cards through Errata’s own card checker that would spend a small amount of money on the card to make sure it was working correctly. If everything gave green lights, presto: the buyer was then the proud owner of a working credit card that they could use as they saw fit. If there were any problems, a refund was issued.


A day or so into the operation, new features were already being turned out. In addition to working American credit card numbers with minimal accompanying data, the shop began offering “fullz”, cards complete with social security numbers and dates of birth. Errata soon added European cards as well. This greatly expanded the places in which buyers could use their newly purchased credit cards, making Errata’s shop that much more of a prime destination.

The shop was very well put together, said excited new customers, and it was working exactly as advertised. They loved it. This simple positivity is a ringing endorsement in a world where shops and people often do not work nearly as advertised.

When one would-be customer had trouble with registration, Errata was quick to give out his ICQ and email to help one-on-one. In fact, everyone who encountered a bump in the road during this time would eventually come back to praise Errata’s “lightning fast” support.

Errata knew what he was doing. Building a large marketplace required repeat customers and positive word of mouth. Like Amazon, he fought to retain customers with excellent service, good products and exciting events. It was working.

Errata knew that special offers drove word of mouth and sales up, up, up. On September 27, he launched an end-of-month deal that illustrates well just what he was offering:

*****SPECIAL OFFER UNTIL END OF MONTH*****

50% Deposit Bonus if you make a deposit by the end of the month.
(Example: You deposit $100 and get $50 free!)

New cards added every day, including USA Fullz for only $15 !!

USA Fullz come with:

CC Number
Expiry Month
Expiry Year
CVV2
First Name
Last Name
Address
City
State
ZIP
Country
Phone
SSN
DoB

The more business Errata did, the more positive reviews came in. There wasn’t a single negative review to be seen in the shop’s first week of action. On September 29, User IAmSomeone wrote:

Here’s my promised rating:

Two days ago I first contacted him for a small deposit (1btc) and I must say that despite the GREAT idea for a tor-automated-ccstore , he is very kind and serious. I received the money + 50% bonus as promised. Got a US full and worked flawlessly.
Today I added more to my balance for future shopping. My main interest are the EU cc’s and he said that in the future will be more.

I think that when the auto-deposit feature is finished, ErrataShop will be the principal source for ccs on deepnet.
Great service, mister. Keep up the good work!

Regards, Someone

That’s no exaggeration. In the space of a week, Errata’s Shop was becoming one of the most well-regarded carding shops online.

Other successful public credit card markets are generally limited in certain ways. For comparison, one of the most prolific and longest lasting credit card markets around, run by a fellow named freefox, sells Visa Debit Cards and bank account numbers manually — meaning that each sale requires freefox’s personal attention. Errata sold a far wider variety of products and did it on an automated storefront on par with Steam, a service where several of his customers used the credit cards they bought.

Errata was becoming one of the most well-trafficked markets online. Although many great salesmen have wished they could separate the two, money and eyeballs were coming to Errata’s shop in ever increasing numbers.

Later that day, doitforlulz wrote:

This is probably the best CC service on Tor.

Support is extremely fast and friendly. All of the CCs I’ve bought have worked perfectly. Errata is one of the cheapest CC services I’ve seen on Tor. I recommend this service for all.

Errata’s operation had hiccups. User nowatch360 reported that of the three cards he’d purchased, one was outright invalid and two used 3-D Secure, an additional layer of online credit card security designed by Visa to combat fraud. 3-D doesn’t eliminate carding but it does make it more difficult.

Errata responded to nowatch360’s complaints:

As for 3DS, the shop is designed to give customer all the information before purchase to make informed decisions. The first 6 numbers of the card are not shown to look pretty, but is the Bank Identification Number. If you have up to date BIN lists you can avoid 3DS even for EU cards. Like i said in FAQ, this service isnt specifically geared towards newbies but are free to use of course. I just don’t have time to spend hours on ICQ teaching and explaining everything. People who know what they are doing and those willing to put a bit of effort in will get consistently better results, like everything else in life.

Errata began limiting manual refunds to 30 minutes after purchase, an indication that refunds for invalid cards were being abused by “many stupid kids and cheaters,” he wrote, who would buy the card, use it and then kill it in short order. “30 mins is more than enough time to test your card in webshop.”

The shop master soon extended the time to one hour at the request of a number of customers. This was indicative of the sort of relationship he was trying hard to build with his customer base — over ICQ, TorMail, TorChat, private messages and more, Errata dealt deftly with a clientele that was rewarding him handsomely for it.

“Just WOW!,” wrote user arrowman. “Wasnt expecting much from cheap standard cards but cashed out $1k on 2/3 cards.”

Within a few days, the card checker and refunds were back down to 30 minutes due to more cheaters. To combat those who would defraud his fraud shop, Errata implemented “a voucher system” in which users had to be referred by an existing member to register for the shop. Errata then cleaned house, deleting accounts that had no balance.

The latter move affected users such as wabad, who was such an active customer that he had spent his whole balance a few days prior.

“I can understand the voucher option due to cheaters/scammers,” wrote wabad, “but I think it’s a bit unfair to legit customers. I have my account, and today when I went to load my account with btcs , I notice it was deleted, and the registrations are now closed :| Typical case when the righteous pay for the sinners.”

The irony that some frauds would call themselves righteous was lost on no one. There may or may not be honor among thieves but there is at least occasional self-awareness.

The voucher system was immediately unpopular. Within a day, Errata opened up registration once again but required a deposit within 24 hours to keep an active account.

Errata had sold thousands of credit cards by October 29, a month after launch. He was selling at least several hundred cards per day, netting him tens of thousands of dollars in one month as a conservative estimate. It’s difficult to pin down numbers when it comes to income on a credit card shop but one can make some guesses based on the level of activity of his customers on HackBB and outside of it as well as going by statements made by Errata himself. It’s perfectly plausible that he took in a comfortable six figures during his opening month.

That’s a decent income no matter where you live.

Errata’s second month was rougher.

One customer going by the username zavii found an unspecified problem in the automatic payment system on November 1st, resulting in there being no way to pay for cards. Shortly thereafter, the shop went down for maintenance that went unexplained to the customers.

When hours of downtime turned into a day and dragged on, customers became scared. On the web and off, disappearing acts like this one (and, for instance, Tony76) had taken the money from quite a few people who would much rather be taking than getting taken. One anonymous poster said that he had $800 on the site, while others said they knew “a lot of people with money tied up on his site.”

It was a big if rare public relations gaffe in an industry built on reputation.

“Please be patient,” Errata eventually responded. “Site will be back soon, when some work is finished. It is not nearly 2 days yet but longer than i hope. I am not on ICQ because people asking same questions is slowing me down and not helping, i cant tell you more than is noticed on website.

You do not have $800 on site, most anyone has is half of this. Maybe you have $8, this is kids who complain loudest. I dont know why you are worried after this short time, some vendor will take 1 week just to answer email. I guess you never have run sites before – things dont work always perfectly, designs have to change, improvements made etc”

The site came back online on November 2nd. Despite the outage, Errata’s shop was becoming extremely popular. Users flooded back onto the market like addicts whose dealer had been out of town.

With greater popularity, more and more cards turned up as invalids as the database expanded to include a diverse set of cards and documents from around the world.

User cefalu posted this feedback:

Low prices mean you get what you pay for. The auto-checker/auto-refund is also inaccurate.

Errata shop is a cool idea in concept and execution and it’s great you can manually top up the acct via BTC yourself, but like all things has its room for improvement (or maybe I’m just having bad luck!)

Within a week, Errata wrote back that he’d rebuilt the card checker to be 100% accurate. Soon, cefalu posted praise of the shop master after a chat between the two ended “with a refund and little explanation. Thank you for the good customer service!”

On Friday, November 23, the shop was compromised by a security exploit and went down again. This time, Errata reported the problems, albeit vaguely, to his worried customers, many of whom still had hundreds of dollars of deposits sitting in their accounts. They were told that the deposits were separate and safe. Most customers sent only encouraging words to Errata. The vast majority of users just wanted their credit card megastore back online as soon as possible.

Even after Errata rebuilt his card checker, an occasional user would pop up and say that it had failed, that they were now the proud owners of useless cards with no possibility of refunds.

“Im getting very tired of defending checker system,” replied Errata. “It works fine. This is one you are complaining about? The one i just charged for $178? Quit messing me around kid.”

“Not trying to mess you around buddy,” wrote one complainant. “Far from it im a grown man about square business.”

The irony of credit card frauds calling each other out over doing “square business” seems to have been lost on a number of people this time around.

By December 9, the site was down again. Errata suddenly ceased all communication with customers around the same time.

No communication,disappeared…

How many of u guys got ripped from Errata?
I have more than 2 BTC [roughly $30] and I guess Im not the only one…

Several others reported hundreds of dollars in limbo with the site.

By December 15, the consensus was that Errata had stolen all the deposits and disappeared.

Yeah I think he just jacked the accounts and ran, he would have definitly replied by now.

Most of the customers simply wrote their losses off to the inevitable cost of doing business in the carding scene. They were resigned to the idea that the money was stolen by Errata and there was nothing they could do about it now.

There are several possible reasons why a big carding site might shut down.

Perhaps the police shut the site down. There may have been arrests made or, if the owner of the site felt closed in on, he may have walked away.

Perhaps the entire thing was meant to be a scam from the beginning. If the owner builds a site and gains enough customers and trust, he can reach a predetermined threshold — say, $100,000 in deposits on the site at one time — and pack up. There’s nothing preventing a site owner from doing this repeatedly if he can throw his customers and the police off the scent.

The last possibility seems to have been rarely considered by Errata’s customers. What if Errata was destroyed by another carder? What if the site and all the numbers, documents and emails were simply snatched by a hacker who found a vulnerability in Errata’s shop and exploited it? Wired’s Kevin Poulsen wrote that most card hackers are “all teeth and no shell”, meaning they know how to steal a card and perhaps even set up a good shop but they don’t know how to protect it all half as well.

In 2006, hacker Max Butler did just that. An excessively talented man, Butler infiltrated at least four major carder marketplaces, stole their cards, users and data and then destroyed them, leaving little for the previous owner to do.

A 2008 Wired article chronicles Butler’s takeover:

And then he decimated them, wiping out the databases with the ease of an arsonist flicking a match. He worked for two straight days; when he tired, he crashed out on the apartment’s foldaway bed for an hour or two, then got up and went back at it. Butler sent an email under the handle Iceman to all the thieves whose accounts he had usurped. Whether they liked it or not, he wrote, they were now members of his own site, CardersMarket.com. In one bold stroke, Butler had erected one of the largest criminal marketplaces the Internet had ever seen, 6,000 users strong.

In the days to come, his vanquished competitors raged against the forced merger, fought to regain their users, and staged limp counterattacks. If Butler was at all intimidated by the forces mobilized against him, he didn’t show it. “Basically,” he wrote later, the consolidation “was long overdue.”

Butler went on to build the most successful carding site on the net before a sophisticated federal operation put him in jail. He’s due out in 2019.

On December 16, Errata’s customers began receiving emails inviting them to a new shop strikingly similar to Errata’s but boasting much lower prices:

> VERIFIED CREDIT CARD CVV FULLZ SHOP
> BEST VALID RATES AND PRICES
> FRESH CARDS ADDED DAILY – 90% VALID RATE
> DEAD CARDS REPLACED BY CHECKER
>
> HTTP://CARDERSPLANET.EU
> HTTP://FULLZ.BIZ
>
> USA CVVS – $3
> USA FULLZ (Cvv/SSN/Dob) – $5
>
>
> Minimum Deposit:
> 10$ LR
> or
> 2 Bitcoins
>
> ICQ Support: 615813058

An anonymous user posted the email to HackBB.

“So i’ve decided to join with false data just to check, and, what the fuck, webpage is a fucking copy paste from Errata site,” wrote the user. “Yeah, lol, try by yourself, they didn’t even changed the background color or minimum deposit. i’ve decided to register with my last username, to see if my user was still there with balance, but with no luck”

User AlwaysWinCarder criticized HackBB’s management, specifically calling out HackBB administrator and the man who verifies credit card marketplaces like Errata’s, OptimusCrime.

“this site is bullshit OC is a fucknut and this site is full of scammers, glad yall fools got shit end of the stick. ive got my vendor and im sticking with him fuck what all the kiddys are saying, OC your a fucking idiot, this site sucks. You can’t even tell who is who.”

User cefalu, who had posted such positive feedback in Errata’s thread only weeks prior, took a more measured approach in responding to AlwaysWinCarder.

How long have you been carding? This scene has always been full of people who operate, scam, and disappear. It’s a lot more profitable than just operating and disappearing. OC has nothing to do with it. This kind of shit happens everywhere on every forum with vendors of all sorts.

We’ve all had to take a loss at some point. You’re working with self-admitted criminals. What do you expect? Not everyone is out to scam, but you’ve got to be smart. Play or get played, muthafucka

It’s all in the game, yo.

Zavii, who had complained about Errata’s payment system and then watched him fix it in short order just weeks prior, defended the shop master.

“Errata wouldn’t scam you all,” he wrote. “There is obviously something up outside of the internet, which is preventing him to come on. There is NO WAY Errata would EVER deal on the clearnet. In my honest opinion; I think he was caught by having his site compromised originally and has been tracked down; just my opinion. Do not tarnish his name, I am sure he will be back soon.”

Was Errata caught and arrested or had he stolen many thousands of dollars in deposits? Was he taken by another carder whose day had come?

It’s a tough case to make. Errata seems to have fallen completely out of contact with all of his former customers. There have been no explanations, apologies or attempts to win back his customers. Who sent the message to Errata’s entire email list inviting them to CardersPlanet.eu? Who thought setting up a clone of Errata’s shop would attract his old scorned customers?

If Errata had been beaten by a hacker, would he have told his customers? Or would he have decided it was time to hit the restart button completely? Is it a cop setting up a lazy trap?

Whether it was the cops, a fellow con, the criminal himself or a car accident (hey, never say never) that closed Errata’s shop down and separated thousands of carders from their cash, the customers were quickly focused less on the “Why?” and much more on the “What next?”

Errata’s shop went down on December 9. By December 11, another major automated site popped up in its place. In its first week, Cyberia Shop saw ups and downs, dealing with both positive and negative reviews off the bat.


Compared to Errata, Cyberia has been a poor operation thus far. There are fewer products and far less variety on a less easily navigable website. A significant percentage of the cards bought haven’t worked and it’s not clear that the support system provides refunds when warranted. All of these issues have been brought up on HackBB and elsewhere. On occasion, complaints have been met with poorly spelled insults from Cyberia’s moody owner, a figure far from the patient and personable Errata of just a few months ago.

On top of that, there exists general distrust of automated shops (as opposed to manual shops like freefox’s) that has grown since Errata disappeared.

One user posted their thoughts in Cyberia’s feedback thread:

Not another automated shop. There all garbage. There only good for about 3 months then when the owner has enough cash in the site he turns ripper and leaves with your bitcoins. Look at errata…

Amid a torrent of discontent over site outages and invalid credit cards, several positive reviews were submitted by users created only minutes before. It’s hard to think of a more transparently artificial move, one made either by Cyberia themselves or by someone who wants to make them look foolish.

Cyberia has been up and down even in the past three days, furthering confusion and discontent.
