The Tale of an Accused Hacker

What a Suspect in a Fraud Scheme Told an Undercover Cop
The Tale of an Accused Hacker

Jarand Moen Romtveit thought John Leo Jr. was the site administrator of a carding forum when the accused 25-year-old hacker from Norway shared his computer screen with the FBI undercover agent last Feb. 9 to demonstrate a program he claimed to have developed to decrypt databases.

See Also: What FSIs Need to Know About Breaches That Compromise Customer Data

Leo saw multiple open windows on Romtveit's screen, including one with the name Jarand Moen. "Upon ending his demonstration of the program, the defendant said in the chat, 'Well, that's it tho, you got a small snippit (sic) ... + my real name if you looked close lol,'" Leo said in a sworn affidavit. Moments later, Romtveit furnished Leo with the link to his Facebook page.

Romtveit, who authorities accuse of exploiting the online weaknesses of others to profit from cybercrime, ironically created his own vulnerabilities by sharing his identity with someone he thought he could trust.

Leo's sworn statement appears in a criminal complaint filed before a federal magistrate in New York on June 20 and made public less than a week later when authorities arrested Romtveit and 23 others for trading stolen credit cards in what American law enforcement officials characterize as the largest coordinated international law enforcement action in history directed at carding crimes [see 24 Busted in Int'l Card Fraud Sting]. Officials at the U.S. Attorney's Office and the FBI declined to discuss the case beyond their published statements.

Romtveit was charged only with credit card-related fraud and not hacking specific sites, according to the criminal complaint. But in online chats with Leo he explained how he went about hacking into databases of a major U.S. bank and retailers (none identified by name), sometimes successfully, sometimes not. Still, the criminal complaint provides valuable insight to those employed to protect IT systems on how a hacker works.

That Fateful Day in 2010

Leo first became aware of Romtveit on Sept. 12, 2010, when the Norwegian registered under the username zer0iq on the undercover carding forum, an online community where stolen credit card numbers are traded and sold.

Three months later, in an online chat, Romtveit told Leo that he used SpyEye, a commercial tool kit that crates customized Trojans to steal banking login credentials, to hack into a major American bank and pilfer 40 credit cards in four days. A half year later, Romtveit informed the undercover agent that he injected malware into the pages of a bank's website to demonstrate that he had successfully obtained unauthorized access to confidential bank customer information, including the customer's name, e-mail address, password and security question and answer to access the account. Because Romtveit didn't provide the name of the bank and account number, Leo said he couldn't verify whether the account was compromised.

In a Feb. 8, 2012, online chat, Romtveit said it had been four months since he last ran a botnet, a group of secretly compromised PCs used to attack other computers. Leo asked Romtveit, What he's been doing? "Nothing much, just carding and hacking mostly," Romtveit responded. "Grabbed 3K CC's but without cvv2." The 3,000 credit cards Romtveit claims he stole did not have the card verification value numbers, the three- or four-digit security code often found on the back of credit cards. He said he used some of the credit cards to purchase online games through Amazon. Shortly later, he produced account information on three credit cards, including the security codes, which Leo eventually confirmed were stolen.

The next day, Romtveit said he had pilfered credit cards from 10 to 12 sites "worldwide." He said he used the cards for purchases on Amazon for about $100, but purchases using stolen cards on were canceled.

On Feb. 9, Romtveit explained how a program he demonstrated exploits websites and enables users to copy the contents, including any databases and passwords associated with the sites, into files for later access. Leo said he watched in real time as Romtveit, using the program, identified certain websites, entered their databases and stole what appeared to be account information for at least 33 credit cards, copying that information into separate files to be accessed later. "Done! Counted 33 card infoz out of 36 entries! Saved to file," Romtveit said. But was Romtveit just showing off? "Based on my subsequent review of the stolen account information," Leo said, "I determined it did not include any complete credit card numbers, and therefore did not give Romtveit access to fully identifiable credit card numbers."

Not much is known about Romtveit, except for what the authorities have alleged. His Facebook page shows he has nearly 1,000 friends, is a fan of the TV show South Park and weight training and "hates" a Lithuanian man who was charged with tossing his dog off a bridge. Romtveit seems like a normal 25 year old, but if he's guilty of what authorities claim, he's the face of a growing cyberthreat.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.