The certainty of guilt aside - I applaud this calculated risk as the alternative relegates the perpetrators to anonymous status ("russian hackers") which negates the gravity of their actions.
Personalizing the scammers makes this situation "real" and while it may not lead to an arrest, it will at least give a precedent for how to handle (or maybe not?) those deemed "above the law" because of their nationality or physical location (outside the US).
Ok so wait, in response to getting scammed you hacked into this guys accounts to gather information? And then admit to it publicly? And then dox the guy? Unprofessional doesn't even begin...
I don't see any admission or indication of "hacking".
Unprofessional? - if "professional" means keeping quiet, reporting it authorities (who don't care and can't do anything about it) and riding quietly into the sunset call me unprofessional any day.
Hacking is what a person does in violation of Computer Fraud and Abuse Act of 1986[1]. Which doesn't discuss needing to actively try to break encryption or exploit a security vulnerability but rather talks about accessing something to which you do not have permission.
I stand corrected - although my comment was tailored for a community (HN) that usually get's all worked up about the use of the term "hacking" (and others) when it comes to computer crime.
If this was an article about the US Government convicting or charging people for "hacking" we'd most likely see numerous comments and complaints here about the improper use of the word.
I would never under any circumstances ever share personal information with a company that behaved as you have documented.
You believe this guy has scammed you so you went through his personal artifacts and shared communications to get vigilante justice. Fair enough as a person I dont blame you and find it funny, as a business you just cannot be trusted with personal information.
In the grand scheme of things, all you really illustrated is that for 25K empireflippers is willing to 'hack' someone who as you say yourself hasnt been established guilty beyond a reasonable doubt, but who you have 'good enough' info on.
'Professional' means operating by a business driven code of behavior. You let this issue become 'Personal', and as such took steps to get 'revenge'. You literally committed crimes during the course of getting revenge, and you 'transparently' confessed to these crimes in writing on a public forum that is tied to your 'professional' endeavor. You should have consulted a lawyer both before you took these steps, and before you confessed to taking this steps.
I can appreciate where you're coming from here, I really can.
I will say that we did consult our lawyer before writing this post, actually.
Additionally - business is done on trust. Some will read this and (like you) not trust us and won't do business with us. Others will appreciate it and do business with us. No worries either way.
Keep in mind he didn't vet the ACTUAL post before I pushed it live.
In reading it back, I wouldn't say he was enthusiastically pushing it or anything:
"I think you guys have your minds made up. The reality is the risk is probably low. Truth is an absolute defense to defamation. It's unlikely a couple Russians would try to sue you, but you never know. My boring attorney answer is try not to go too far to minimize any risk. Stick to the verifiable facts."
Honestly, you might seriously want to consider getting a new lawyer. No good lawyer would ever tell you that it's ok to publicly admit to a felony just because it's unlikely that you'll get sued.
To be honest, if this stops these guys from scamming someone else I'd call it a win. The internet is still a bit of a wild wild west, especially when dealing with people from foreign countries. If someone robs you or breaks into your house, you have the right to defend yourself.
> If someone robs you or breaks into your house, you have the right to defend yourself.
Yes, that's why in the non-internet world, when someone breaks into my house, I now have the right to commit identity fraud, make false statements, and commit arson of their neighbor's property.
>>> in response to getting scammed you hacked into this guys accounts to gather information?
Not really hacking when they gave you the passwords already. That's like me accusing you of breaking into my house after I gave you a key to the lock.
>>>> And then admit to it publicly?
I agree this probably isn't the best thing, but considering the targets are in eastern Europe, and they are criminals, I doubt they're going to press charges.
>>>> And then dox the guy?
This is their own fault for having poor opsec. The fact he got busted and now his information is public is not the responsibility of those he scammed. IF they didn't want their shit exposed and on the internet, they should have done a better job of covering their tracks.
>> Not really hacking when they gave you the passwords already. That's like me accusing you of breaking into my house after I gave you a key to the lock.
If you lend me keys to your house for a specific purpose, am I also legally entitled to rifle through your drawers until I've found your car keys and then have a drive around in that? They used the word "password hacking" in the email, and using a password somebody has stupidly shared with you for a specific purpose to also access their email accounts and eBay, Namecheap is undisputably hacking of the illegal variety, even if the targets in this instance are particularly obnoxious criminals themselves as well as incredibly slack when it comes to security.
I can understand why someone might feel entitled to abuse the password they'd been given in order to see whether it helps them to recover their property, but to then boast about the felony they've committed on a corporate blog?
>> but to then boast about the felony they've committed on a corporate blog?
You must have missed the part in my original post where I said bragging about it probably isn't the best thing they did. It also means as a hacker, if you fuck with someone's business, be advised, you might end up getting the horns.
I think to a degree, it helps put people on notice these guys don't take this stuff lying down and if you commit fraud on their watch, they're not just going to write it off. It probably also helps potential clients feel safer, knowing they don't just write off their losses, they actually do something about it - regardless of how the general public interpret it.
Also, by your standards, then do you believe what Andrew "weev" Auernheimer did was illegal as well?
As a potential client I'd feel safer if they admitted that fraud had occurred and said what steps they were taking to avoid fraud in future, but considerably less safe from the revelation the fraudsters were rank amateurs and that the website operator might be prepared to use hacking and doxing as a means of redressing grievances.
I haven't payed particularly close attention to weev's trial but IIRC, the main points in his defence were that the "hacked" data was actually accessible via the public internet with no real subterfuge or misuse of private information required, and they'd tried to disclose it through appropriate channels. Neither seem to apply here, even if Russian hackers don't particularly deserve the Feds rushing to their aid.
It might be unprofessional, but considering their options in this situation, I'd say it was a good call. Hopefully it can help someone else down the road.
Someone stole a laptop from me a few years ago and gave/sold it to someone else. I ssh'd into it, installed keyloggers and screen capture programs so I could figure out who they were. I was able to get their email, Facebook, and eBay passwords which I used to find out who they were and where they were staying so I could give that info to the police. Unfortunately, I still didn't get my computer back.
Not really. We definitely discussed with our attorney but, due to the small amount of money in the fraud ($25K) it wasn't worth the hassle of litigation.
Someone else mentioned we should go after them in Russia but, even if we won, I doubt it would be worth the hassle or distraction.
Exactly this. I reply here because it applies to most of the other replies so far. Breaking the law is not justified even if you »only« affect someone who also broke the law and affected you with that. In the real world as on the internet. Period. Sometimes the world is unfair, suck it up, but don't become criminal yourself.
The only thing I'd do differently is I probably wouldn't write a blog about it. This idealist world you're living in sounds lovely but I'm not going to sit and risk my livelihood by "sucking it up" and accepting "the world is unfair".
If you want to base your moral code on laws made by old white guys, go for it. I'm going to live my life based on what I believe to be just. That's really how change comes about, challenging legal authority. Think about the historical figures you respect - rosa parks, mlk, snowden (maybe?). The world would be a worst place if they didn't break the law. To me that is contributing to the good of the world.
I'm going to live my life based on what I believe to be just.
Exactly this is the problem. There is nothing fundamentally wrong with frontier justice, the only problem is that people don't act rationally in general. What if it is not some lost money but if someone got badly hurt, raped or killed? Can you hold back your emotions? Make sure that you are not targeting the wrong person? And even in the case of this story, what if those two guys are themselves just victims of the real scammer hiding behind their identities? You just publicly stigmatized two innocent people as scammers.
"Because we helped with the website migration, we also had one of his passwords. As it turns out, he likes to use this password for his email address and other accounts as well.
We ended up with access to multiple private email accounts, one of his registrar accounts (NameCheap), his eBay account, SitePoint account and more."
That's as sketchy as it gets.
Go clean out your support tickets with customers passwords in now.
I think scammers deserve to be exposed. The truth is if more people shared this kind of information publicly then there would be less scammers. The reason many scammers can do what they do for a long time is because the victims never speak out and warn others against them.
In the case of criminal activity, the syndicate is there to promote, and engage in, organized crime, that is, organizations which run common illegal businesses on a large, national, or international scale. The subunit of the syndicate is a crime family or clan, organized by blood relationships, as seen in the Italian Mafia and the Italian American Mafia crime families (the Five Families dominating New York City crime, namely, the Gambino crime family, Genovese crime family, Lucchese crime family, Bonanno crime family, and the Colombo crime family).
"We could submit a DMCA takedown request via GoDaddy and Media Temple. Starting with a broad request to see if that works, and then lay out the details if we get any pushback from the companies."
Awesome. More DMCA abuse. And this is why we need penalties against bad actors who knowingly file fraudulent takedown requests.
Does empireflippers know they are also the bad guys in this story?
I'm sure the transfer deal when you buy the site will include an IP provision, whereby, if you reverse the charge, or don't pay in some way, you don't own the copyright to the site and its contents. That sounds like a valid case of a DMCA complaint being made.
I remember the story of a client who got an agency to do a load of branding work. Said he didn't like it, and would be going elsewhere, having only paid the deposit - that's fine, it's part of the terms and conditions ... however, said client then went and used that exact branding.
Last I heard, a DMCA claim took the website down and he came crawling back to pay the balance at he had a regional advertising campaign about to go live.
I really don't find anything they did to be morally reprehensible. They didn't use a DMCA, but even if they did this isn't some idealist fantasy world. Not to mention that there's a legitimate use to DMCA. I'd consider it too.
If you're talking about the fact that they logged in to the scammers accounts, I'm not going to fault them for that. I'd do it too if I had the chance. I'm not going to sit by and let that happen to me. There's no legal recourse that can help you, the laws and enforcement agencies are too far behind. Hell, in the US we have people that don't use email dictating laws on internet regulations.
Why don't they add a bitcoin option as well?
it would cost them anything to accept bitcoin via bitpay (0% fee) and they completely eliminate their chargeback risk
webmasters are a fairly tech literate lot and I am sure alot of them already use or know of bitcoin
Wait Empire Flippers don't even bother to vet their buyers?
It's not great getting scammed either but I'm sure it's also illegal to use customer information to get into someone's account and then post their information online.
I would think that publicly displaying doxxed information was against the rules... not a matter of censorship. But I'm new around here. I just find it odd that it's allowed. Also think it's tasteless.
I agree with your sentiment. I'm just not a fan of censorship. Perhaps this company should be punished but blocking the link from HN would mean we couldn't have this discussion.
No. Amazing value because those sites combined were earning close to $1,200 per month in profit. $5K for that is an absolute steal, so Nate was just happy he got an amazing deal. (And didn't know the sites were stolen)
Quarter way through the article and it's clear this is a story of chargeback fraud.
People love to tout the beauty of chargebacks but the fact is that for a lot of business to consumer ecommerce, the buyer has a lower risk profile than the seller. It's the buyer who knows he is dealing with Amazon. The seller hasn't a clue who he is dealing with. Are the odds that Amazon will take your payment, not ship a product and say FU, or are the odds a buyer will do that, either with his own creditcard or stolen credentials?
Obviously there are exceptions here. But to me it makes a lot more sense to have no chargebacks inherently. That way businesses are protected from chargeback fraud, and as there is less fraud, payment processors have fewer losses as do merchants, which positively influences pricing both of products and creditcards in a small manner (say 1%).
Does a user still want the ability to chargeback? Fine, but it'll cost 1% in costs, from which fraudulent cases are paid for. And it's only possible if the merchant accepts it. Why is it so crazy for a merchant to be able to say 'no chargebacks possible if you use your card with me'? Of course, if it's a new kid on the block in a shady location with a weird website and no phone number, he's not allowed by the payment processor to disable chargebacks, and customers will avoid him anyway. But if he's a large retailer like Amazon, or a vetted SME like these guys with a business registration, phone number, a track record, hell perhaps even a surety bond if necessary, do you really want to force them to expose themselves to chargeback fraud or not take payments at all?
That seems pretty obvious. They still accept wire, without chargeback risks. And customers still use them. In other words, there's a market for easy and fast payment processing without chargeback protection both from the merchant and consumer side, that's faster and easier than wiring money. In the Netherlands for example we have this, it's called iDeal, wiring money that arrives seconds later without chargeback fraud, cheap and fast. Internationally the equivalent is using bitcoin with a USD wallet at e.g. Circle or Bitreserve by the founders of ColdFusion and CNET respectively.
Don't get me wrong, chargeback protection has its place. But payment processing without it, does, too.
You bring up some interesting points regarding chargebacks but, in this instance, chargeback protection actually saved the credit card holders from becoming victims as well, no?
I'm pretty sure these were stolen credit cards and that the credit card owners had the cards used without their permission. That's why, after the first chargeback, we didn't fight it - we didn't want the credit card owners to get screwed if we WERE to win.
That's a good point. I guess creditcard are just horribly unsecure right now. They're literally pieces of paper (plastic) with a password (credentials) written on them. Usually without any form of 2FA.
Anyway, have you spoken to some other company's about this? It's a very common issue of course, you'll usually have an part of an entire department dedicated to it at larger company's like AirBnb. For shipping there's usually a pretty decent flagging process (check IP, compare shipping address vs creditcard address, flag certain countries as high risk, flag first-buyers for high-price items as high risk etc etc. Once something is flagged you follow up with a phonecall. If someone is spending $30k or $100k and has to wait days to wire it, usually a phone call or an ID selfie (getting popular) isn't such a big deal to arrange everything within 24h.
Anyway, I guess the most important question right now is... did you see bounce rates spike once you started showing people the 'wire only' page? Very curious!
Btw, I generally condone posting information of the scammer on the condition the scammer was warned of the fact the information would get posted and that if he complies, even years later, and returns the money, the info is removed. And on the condition the information was publicly available. And part of that could have been done just fine without illegal access to his email. I sympathise (was scammed two months ago) and in all honesty I'm 99% sure I would've entered the email accounts if I got scammed, but that doesn't mean it's right. At the very least I'd strongly consider taking down those facts, not just for your own protection but also because it glorifies something illegal. Criminals are not alienated from their right to privacy, particularly not at the hands of citizens, as much as it sucks.
You just nuked your service in my opinion. Not sure who's going to appreciate this posting except very very small guys, anyone serious will not want to do business with you.
I seriously doubt you're right, but I guess we'll see. Those that do appreciate it will be our customers and that might be a bigger pool than you'd think. Appreciate the comment, though.
70 comments
[ 3.2 ms ] story [ 145 ms ] threadPersonalizing the scammers makes this situation "real" and while it may not lead to an arrest, it will at least give a precedent for how to handle (or maybe not?) those deemed "above the law" because of their nationality or physical location (outside the US).
Unprofessional? - if "professional" means keeping quiet, reporting it authorities (who don't care and can't do anything about it) and riding quietly into the sunset call me unprofessional any day.
[1] http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
If this was an article about the US Government convicting or charging people for "hacking" we'd most likely see numerous comments and complaints here about the improper use of the word.
I would never under any circumstances ever share personal information with a company that behaved as you have documented.
You believe this guy has scammed you so you went through his personal artifacts and shared communications to get vigilante justice. Fair enough as a person I dont blame you and find it funny, as a business you just cannot be trusted with personal information.
In the grand scheme of things, all you really illustrated is that for 25K empireflippers is willing to 'hack' someone who as you say yourself hasnt been established guilty beyond a reasonable doubt, but who you have 'good enough' info on.
'Professional' means operating by a business driven code of behavior. You let this issue become 'Personal', and as such took steps to get 'revenge'. You literally committed crimes during the course of getting revenge, and you 'transparently' confessed to these crimes in writing on a public forum that is tied to your 'professional' endeavor. You should have consulted a lawyer both before you took these steps, and before you confessed to taking this steps.
I will say that we did consult our lawyer before writing this post, actually.
Additionally - business is done on trust. Some will read this and (like you) not trust us and won't do business with us. Others will appreciate it and do business with us. No worries either way.
In reading it back, I wouldn't say he was enthusiastically pushing it or anything:
"I think you guys have your minds made up. The reality is the risk is probably low. Truth is an absolute defense to defamation. It's unlikely a couple Russians would try to sue you, but you never know. My boring attorney answer is try not to go too far to minimize any risk. Stick to the verifiable facts."
Yes, that's why in the non-internet world, when someone breaks into my house, I now have the right to commit identity fraud, make false statements, and commit arson of their neighbor's property.
Not really hacking when they gave you the passwords already. That's like me accusing you of breaking into my house after I gave you a key to the lock.
>>>> And then admit to it publicly?
I agree this probably isn't the best thing, but considering the targets are in eastern Europe, and they are criminals, I doubt they're going to press charges.
>>>> And then dox the guy?
This is their own fault for having poor opsec. The fact he got busted and now his information is public is not the responsibility of those he scammed. IF they didn't want their shit exposed and on the internet, they should have done a better job of covering their tracks.
If you lend me keys to your house for a specific purpose, am I also legally entitled to rifle through your drawers until I've found your car keys and then have a drive around in that? They used the word "password hacking" in the email, and using a password somebody has stupidly shared with you for a specific purpose to also access their email accounts and eBay, Namecheap is undisputably hacking of the illegal variety, even if the targets in this instance are particularly obnoxious criminals themselves as well as incredibly slack when it comes to security.
I can understand why someone might feel entitled to abuse the password they'd been given in order to see whether it helps them to recover their property, but to then boast about the felony they've committed on a corporate blog?
You must have missed the part in my original post where I said bragging about it probably isn't the best thing they did. It also means as a hacker, if you fuck with someone's business, be advised, you might end up getting the horns.
I think to a degree, it helps put people on notice these guys don't take this stuff lying down and if you commit fraud on their watch, they're not just going to write it off. It probably also helps potential clients feel safer, knowing they don't just write off their losses, they actually do something about it - regardless of how the general public interpret it.
Also, by your standards, then do you believe what Andrew "weev" Auernheimer did was illegal as well?
Just curious. . .
I haven't payed particularly close attention to weev's trial but IIRC, the main points in his defence were that the "hacked" data was actually accessible via the public internet with no real subterfuge or misuse of private information required, and they'd tried to disclose it through appropriate channels. Neither seem to apply here, even if Russian hackers don't particularly deserve the Feds rushing to their aid.
Considering it's international in nature, did they have any other option or recourse?
Someone else mentioned we should go after them in Russia but, even if we won, I doubt it would be worth the hassle or distraction.
If you want to base your moral code on laws made by old white guys, go for it. I'm going to live my life based on what I believe to be just. That's really how change comes about, challenging legal authority. Think about the historical figures you respect - rosa parks, mlk, snowden (maybe?). The world would be a worst place if they didn't break the law. To me that is contributing to the good of the world.
Exactly this is the problem. There is nothing fundamentally wrong with frontier justice, the only problem is that people don't act rationally in general. What if it is not some lost money but if someone got badly hurt, raped or killed? Can you hold back your emotions? Make sure that you are not targeting the wrong person? And even in the case of this story, what if those two guys are themselves just victims of the real scammer hiding behind their identities? You just publicly stigmatized two innocent people as scammers.
I get what you're saying, but I still do not agree that I should never disobey the law when I feel it is morally justified.
We ended up with access to multiple private email accounts, one of his registrar accounts (NameCheap), his eBay account, SitePoint account and more."
That's as sketchy as it gets.
Go clean out your support tickets with customers passwords in now.
Crime syndicates
In the case of criminal activity, the syndicate is there to promote, and engage in, organized crime, that is, organizations which run common illegal businesses on a large, national, or international scale. The subunit of the syndicate is a crime family or clan, organized by blood relationships, as seen in the Italian Mafia and the Italian American Mafia crime families (the Five Families dominating New York City crime, namely, the Gambino crime family, Genovese crime family, Lucchese crime family, Bonanno crime family, and the Colombo crime family).
Awesome. More DMCA abuse. And this is why we need penalties against bad actors who knowingly file fraudulent takedown requests.
Does empireflippers know they are also the bad guys in this story?
I'm sure the transfer deal when you buy the site will include an IP provision, whereby, if you reverse the charge, or don't pay in some way, you don't own the copyright to the site and its contents. That sounds like a valid case of a DMCA complaint being made.
I remember the story of a client who got an agency to do a load of branding work. Said he didn't like it, and would be going elsewhere, having only paid the deposit - that's fine, it's part of the terms and conditions ... however, said client then went and used that exact branding.
Last I heard, a DMCA claim took the website down and he came crawling back to pay the balance at he had a regional advertising campaign about to go live.
If you're talking about the fact that they logged in to the scammers accounts, I'm not going to fault them for that. I'd do it too if I had the chance. I'm not going to sit by and let that happen to me. There's no legal recourse that can help you, the laws and enforcement agencies are too far behind. Hell, in the US we have people that don't use email dictating laws on internet regulations.
webmasters are a fairly tech literate lot and I am sure alot of them already use or know of bitcoin
It's not great getting scammed either but I'm sure it's also illegal to use customer information to get into someone's account and then post their information online.
You couldn't pay me to use these website brokers.
Sorry, but you should not have your customers plaintext passwords, so very unprofessional.
Time to submit Empireflippers to plaintext offenders list?
Really, is that how you decide that something is an amazing value?
People love to tout the beauty of chargebacks but the fact is that for a lot of business to consumer ecommerce, the buyer has a lower risk profile than the seller. It's the buyer who knows he is dealing with Amazon. The seller hasn't a clue who he is dealing with. Are the odds that Amazon will take your payment, not ship a product and say FU, or are the odds a buyer will do that, either with his own creditcard or stolen credentials?
Obviously there are exceptions here. But to me it makes a lot more sense to have no chargebacks inherently. That way businesses are protected from chargeback fraud, and as there is less fraud, payment processors have fewer losses as do merchants, which positively influences pricing both of products and creditcards in a small manner (say 1%).
Does a user still want the ability to chargeback? Fine, but it'll cost 1% in costs, from which fraudulent cases are paid for. And it's only possible if the merchant accepts it. Why is it so crazy for a merchant to be able to say 'no chargebacks possible if you use your card with me'? Of course, if it's a new kid on the block in a shady location with a weird website and no phone number, he's not allowed by the payment processor to disable chargebacks, and customers will avoid him anyway. But if he's a large retailer like Amazon, or a vetted SME like these guys with a business registration, phone number, a track record, hell perhaps even a surety bond if necessary, do you really want to force them to expose themselves to chargeback fraud or not take payments at all?
That seems pretty obvious. They still accept wire, without chargeback risks. And customers still use them. In other words, there's a market for easy and fast payment processing without chargeback protection both from the merchant and consumer side, that's faster and easier than wiring money. In the Netherlands for example we have this, it's called iDeal, wiring money that arrives seconds later without chargeback fraud, cheap and fast. Internationally the equivalent is using bitcoin with a USD wallet at e.g. Circle or Bitreserve by the founders of ColdFusion and CNET respectively.
Don't get me wrong, chargeback protection has its place. But payment processing without it, does, too.
I'm pretty sure these were stolen credit cards and that the credit card owners had the cards used without their permission. That's why, after the first chargeback, we didn't fight it - we didn't want the credit card owners to get screwed if we WERE to win.
Anyway, have you spoken to some other company's about this? It's a very common issue of course, you'll usually have an part of an entire department dedicated to it at larger company's like AirBnb. For shipping there's usually a pretty decent flagging process (check IP, compare shipping address vs creditcard address, flag certain countries as high risk, flag first-buyers for high-price items as high risk etc etc. Once something is flagged you follow up with a phonecall. If someone is spending $30k or $100k and has to wait days to wire it, usually a phone call or an ID selfie (getting popular) isn't such a big deal to arrange everything within 24h.
Anyway, I guess the most important question right now is... did you see bounce rates spike once you started showing people the 'wire only' page? Very curious!
Btw, I generally condone posting information of the scammer on the condition the scammer was warned of the fact the information would get posted and that if he complies, even years later, and returns the money, the info is removed. And on the condition the information was publicly available. And part of that could have been done just fine without illegal access to his email. I sympathise (was scammed two months ago) and in all honesty I'm 99% sure I would've entered the email accounts if I got scammed, but that doesn't mean it's right. At the very least I'd strongly consider taking down those facts, not just for your own protection but also because it glorifies something illegal. Criminals are not alienated from their right to privacy, particularly not at the hands of citizens, as much as it sucks.
When you gaze long into the abyss, the abyss gazes also into you. I hope next thing you do won't be looking for a hitman on the dark web :)
I understand where you're coming from, but I really think we'll have plenty of support.