Secret Service Sting Targets Web Con Artists

Written by Evan Schuman
April 4th, 2006

In sharing information about an undercover federal investigation of Web frauds involving credit cards and stolen tax refunds, the Secret Service demonstrated that it can adapt with the times.

The seven initial arrests stemming from what the Secret Service has dubbed “Operation Rolling Stone” show that federal investigators have started to learn how to crack through deceptive IP addresses and encrypted IM communications.

“Cyber-crime has evolved significantly over the last two years, from dumpster diving and credit card skimming to full-fledged online bazaars full of stolen personal and financial information,” Assistant Director Brian Nagel of the U.S. Secret Service’s Office of Investigations said in a statement.

“We continue to adapt our investigative techniques to progressively combat emerging threats to our nation’s financial infrastructure,” Nagel said.

Of the seven announced arrests, five are being prosecuted by the U.S. Attorney’s office covering the Buffalo/Rochester New York area, one is being handled by the Los Angeles District Attorney’s office and one is apparently being handled by the U.S. Attorney’s office in Nashville.

The Los Angeles arrest was Shawn Mimbs, 27, said Deputy Los Angeles District Attorney Jeff McGrath.

The Buffalo/Rochester arrests were: Mohammad Dolah, 34, of Brooklyn, N.Y.; Benjamin Wade Pinkston, 24, unknown address; Elvis Berrios, 28, of Washington; Larry Hardiman, 52, of Toronto; and Bradley Robert Sokol, 19, of Selinsgrove, Pa., according to federal affidavits filed with the U.S. District Court’s Western District. Those documents were sealed the afternoon of April 4.

No information was available on the arrests being handled by Nashville, said Deb Phillips, senior counsel to that office’s U.S. Attorney. Authorities said the Nashville arrests might still be sealed.

Although these cases were all investigated by the Secret Service, one official involved in the prosecution, who did not want to be identified, said these were multiple unrelated investigations and that the Secret Service created the Rolling Stone code name afterwards to group them together.

The investigative details of the cases given in interviews and court documents support the suggestion that these cases were indeed unrelated and were not part of a single undercover operation. That said, the investigators still employed very similar tactics aimed at piercing the Web-enabled secrecy of the identity-theft and credit-card stealing rings.

In Los Angeles, prosecutors have accused Mimbs of grand theft of U.S. property. Specifically, officials are charging that he went to public libraries and Internet cafes and used their Web access to visit the H&R Block tax return service Web site, McGrath said.

Once on the H&R Block site, he used stolen Social Security numbers and addresses, often from dead people, to file bogus tax returns and request that the tax refunds be wired to bank cash cards that he could access, McGrath said.

Mimbs “found loopholes in the system,” the prosecutor said, describing him as just “another thief using the Internet.” Among the exploited loopholes, McGrath said, was that the IRS system didn’t match its records with death certificates.

McGrath said Mimbs, who was the sole defendant in the 14-count criminal complaint filed in Los Angeles, was discovered when some of the names he used for the tax returns were tied with people who were alive and who then tried filing for real tax returns. The IRS said they had already filed, the real taxpayers complained and the Secret Service started to investigate, he said.

The five cases being prosecuted federally in Buffalo/Rochester do not involve tax returns and mostly dealt with the manufacturing of bogus credit cards and the selling of identity information.

Sites that cropped up in several of the New York state cases include, and, which federal affidavits described as “three organized criminal Web sites dedicated to promoting malicious computer hacking.”

Another site mentioned in a few of the cases is, which court papers identify as standing for the International Association for the Advancement of Criminal Activity.

The documents wade deep into the slang of the underground world of identity thieves, including “banging out ATMs” (counterfeit ATM card use), “carding” (counterfeit credit cards), “in-store carding” (where the thief must be physically inside the store when making the fraudulent purchase) and “novelty” (bogus identification documents).

In addition to gaining familiarity with the terminology of cyber-crime, investigators also grappled with the workings of the Internet, which abounds in ways to obscure a thief’s identity.

Sokol, for example, is accused of selling stolen identities (including name, address, Social Security number and date of birth) for between $3 and $5 each.

According to the affidavits, an undercover Secret Service agent started chatting with Sokol using the ICQ instant messaging service. When the undercover agent tried to buy some of the identities, Sokol wanted to be paid with PayPal, the documents said, but the agent said PayPal was “malfunctioning” and asked to use Western Union as a means of payment.

Western Union offers a means of anonymously transferring funds, using a question-and-answer authentication system, but Sokol asked for it in his name, the affidavit said, which pierced the Internet mask of anonymity.

In Hardiman’s case, agents traced the IP address to a particular ISP in Canada. Using the exact timestamps of the messages, they were able to identify subscriber information and get a tentative identification, the documents said; agents then started searching eBay and found someone using a very similar alias who was purchasing equipment (including a laminating machine and specialty printers) that would be useful in credit card fabrication. eBay was then subpoenaed.

In the case of Pinkston, according to the documents, an agent told the suspect that some bogus Old Navy and Gap credit cards were not working, prompting him to send more cards in the names of other people. Investigators then reviewed the online applications for all of the cards, paying particular attention to IP addresses.

“A Whois query of the IP addresses exposed through the three credit card applications showed it resolving back to a Virginia Tech University account,” one affidavit said.

A credit card company investigator then searched for any applications from that IP address or other accounts using the same drop addresses or e-mails and identified 37 more accounts, for a total of 44.

Microsoft then helped identify the suspect through an MSN account that he had used. Secret Service forensic analysis also discovered multiple fingerprints that matched on several of the cards, the documents said.

