DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

UK: Prison for Four Who Ran Ghostmarket.net

Posted on March 4, 2011 by Dissent

Jeremy Kirk reports the final chapter in a case first noted on this blog last August and updated in November:

Four men who ran what U.K. police say was the largest English-language criminal forum for selling stolen credit card numbers and the tools to steal data were imprisoned for a combined total of more than 15 years, according to the Metropolitan Police.

The GhostMarket forum had more than 8,000 members and was a marketplace for everything from the famous Zeus online banking malware to recipes for making crystal meth and even bombs, police said.

Ringleader Nicholas Webber, 19, of Southsea, and Gary Paul Kelly, 21, of Manchester, were arrested at Gatwick Airport in January 2010, after they’d been living in an apartment in Port d’Andratx, Majorca.

They pleaded guilty to computer misuse and fraud charges and were sentenced Wednesday in Southwark Crown Court in London. They both received five-year prison sentences.

Also sentenced were Ryan Thomas, 18, of Beaconsfield, Hertforshire, to four years, and Shakira Ricardo, 21, of Swansea to 18 months. A fifth defendant, Samantha Worley, of Swansea, pleaded guilty in December to acquiring criminal property and was sentenced to community service.

Read more on CIO.

In a press release, the Metropolitan Police explain:

During an eleven month investigation detectives uncovered evidence that the defendants were directly involved in the global forum (used by over 8,000 members) which promoted and facilitated the electronic theft of personal information; credit and debit card fraud; buying and selling of personal information (including passwords and PIN numbers); the creation and exchange of malicious computer programs (malware); the establishment and maintenance of networks of infected personal computers (BotNets);and tutorials offering advice on how to commit such offences, including how to evade and frustrate law enforcement activity and the exchange of details of vulnerable commercial sites and servers.

Founder of the forum was Webber. Having established a web site named ‘www.GhostMarket.net’, he acted as ‘administrator’ and had overall control of the site (meaning he was able to allow/ban members, remove or edit their posts, and alter their status on the forum.)

An examination of the rebuilt forum and its database revealed many thousands of data entries relating to individuals’ personal details including names, dates of birth, bank details, passwords, PayPal accounts and social security numbers. Site members are believed to have traded in compromised databases containing thousands of personal details including bank account numbers, PIN numbers, passwords and malware including the Zeus Trojan and other types of criminal software, including credit card verification programs.

The forum included such topics as: ‘Phishing kits (post free phishing kits and sell them)’; ‘Show off (show us your skills here)’; ‘Tutorials (post some useful info here)’; and ‘Cardable (post sites you’ve carded here)’. There was also advice and tutorials on various methods of evading law enforcement, how to encode blank plastic with credit card data, and how to hack into sites, and even recipes for controlled drugs (crystal meth) and a tutorial on bomb making.

Members of the site communicated anonymously by the use of screen nicknames. They were able to post messages in various forum topics on the website and send/receive private secure messages to/from other site members.

During the investigation detectives recovered from the defendants’ computers more than 130,000 compromised credit card numbers, which at an estimated industry loss of £120 per card, is a potential £15.8 million financial loss in relation to card numbers alone.

On 3 November 2009 detectives arrested Kelly after executing a search warrant at his home address. A full search of the property was conducted, with a number of computers and mobile phones removed from the address for examination.

It was established that Kelly had independently constructed and distributed across the web a sophisticated Zeus malicious computer programme which enabled him to infect and compromise over 15,000 computers in over 150 countries, harvesting from them over 4 million lines of data – including huge quantities of credit card numbers and other confidential, personal information.

Having been provided with relevant passwords by Kelly, detectives were able to rebuild the GhostMarket forum and its database using files from his PC.

Prior to this, on 12 October Webber and Thomas were arrested at a five star central London hotel for using stolen credit card details to pay for accommodation in the penthouse suite. They claimed to have responded to an online advert, saying they had paid money to an anonymous individual.

Bailed to return whilst officers conducted further inquiries, items including their laptops were seized. In addition they were found to be in possession of business cards brandishing the ‘GhostMarket’ logo, advertising it as “A new era in virtual marketing” with the by-line “I’m a carder, ask about me…”

The duo’s involvement in the ‘GhostMarket’ criminal forum was soon established and inquiries were made to trace them after they fail to return on bail in relation to the stolen credit card offence.

It was later discovered that on 31 October the pair had flown out to Palma, Majorca, where they had been living in a rented flat in Port D’andrax.

On 29 January 2010 they were arrested at Gatwick Airport as they flew in from Palma.

The following day a search of Webber’s home address revealed a computer containing a series of files outlining a step-by-step guide to committing various criminal offences.

Owing to the volume of evidence to be examined and the complexities of the case, the pair were released on police bail to return at a later date.

Officers subsequently travelled to Spain and, accompanied by Spanish Police, attended the flat Thomas and Webber had rented out. The property was empty, but local enquiries established that the contents had been posted back to their UK addresses.

Those items, as well as additional computer equipment, were subsequently recovered.

Through the forensic examination of seized computers and other digital storage devices, as well as evidence secured through the rebuilt Ghostmarket site, officers identified Ricardo, a trusted member of the forum, and she was traced to Swansea, South Wales. Initially joining the site as a complete novice, over time Ricardo had progressed to become directly engaged in card fraud and computer malware activity.

Financial enquiries identified a payment made from Ricardo into her partner Worley’s bank account, incriminating her in the fraud.

Detective Inspector Colin Wetherill from PCeU said: “These defendants were accomplished cyber criminals, engaged in the systematic mass infection of computers in homes and businesses in the UK and overseas.

“They unlawfully harvested personal and financial information from their victims to be exploited for financial gain.

“The GhostMarket crime forum was used by thousands of computer criminals and fraudsters operating worldwide.

“Through it the defendants built an extensive criminal network to facilitate the wholesale trade of compromised credit card details, confidential financial and personal information, malicious computer programmes, and other sophisticated tools and criminal services.

“The arrest, prosecution and conviction of these individuals represents a significant step forward in our efforts to tackle cyber crime and reduce the harm it causes.”

A full financial investigation into all four defendants is underway.

Category: Breach IncidentsID TheftNon-U.S.Of Note

Post navigation

← Kr: Customers’ Information of Five-Star Hotel Exposed on Google
Univ. of South Carolina warns 31,000 that personal info was exposed on the Web →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Lower Merion School District says a data breach was caused by a computer glitch
  • After $1 Million Ransom Demand, Virgin Islands Lottery Restores Operations Without Paying Hackers
  • Junior Defence Contractor Arrested For Leaking Indian Naval Secrets To Suspected Pakistani Spies
  • Mysterious leaker GangExposed outs Conti kingpins in massive ransomware data dump
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • Class action settlement following ransomware attack will cost Fred Hutchinson Cancer Center about $52 million
  • Comstar LLC agrees to corrective action plan and fine to settle HHS OCR charges
  • Australian ransomware victims now must tell the government if they pay up
  • U.S. Sanctions Cloud Provider ‘Funnull’ as Top Source of ‘Pig Butchering’ Scams
  • Victoria’s Secret takes down website after security incident

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.
  • Why AI May Be Listening In on Your Next Doctor’s Appointment
  • Watch out for activist judges trying to deprive us of our rights to safe reproductive healthcare
  • Nebraska Bans Minor Social Media Accounts Without Parental Consent
  • Trump Taps Palantir to Compile Data on Americans

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.