On Friday, August 25, a Macedonian citizen pleaded guilty to operating an online store front for stolen credit cards, debit cards, and identification documents. Djevair Ametovski, the 30-year-old defendant, operated “Codeshop.su” between 2011 and 2014. In 2014, Slovenian law enforcement arrested a co-conspirator with personal knowledge of the site’s owner. The co-conspirator gave agents everything they needed to catch Ametovski.
Ametovski used the pseudonyms “xhevo,” “sindrom” and “sindromx”, according to the formerly sealed court documents. He changed names to avoid law enforcement attention, Christian Wilson, SA Secret Service wrote in the Criminal Complaint. He also changed URLs for similar reasons. None of the sites were darknet hidden services; every site was clearnet accessible, as with many of today’s carder forums. Law enforcement evasion being one. Avoiding attacks from competition being the other. One archived page of the Codeshop site is that of an offline notice and ddos warning.
Despite his name changes and security measures, the Secret Service ultimately caught the hacker/fraudster/phisher/carder. With help. The United States Secret Service, the Slovenian Ministry of the Interior, the Slovenian Ministry of Justice, the United States Marshals Service, and the U.S. Department of State’s Diplomatic Security Service investigated, provided services, or otherwise contributed to the case.
Regarding hackers and extradition, also read:
- Czech Court Approves Extradition Of LinkedIn Hacker: But To The US Or Russia?
- Russia And US Compete For Czech Extradition Of LinkedIn Hacker
- US Indicts Suspected Kelihos Botnet Creator
The Secret Service turned the investigation in their favor once they discovered two things: that a co-conspirator had made his connection to Ametovski known and that Slovenian police had an ongoing investigation into the site. The Secret Service provided the information to Slovenian authorities who then arrested the co-defendant.
According to Christian Wilson in the Criminal Complaint:
“Thereafter, the Co-Conspirator began cooperating with Slovenian law enforcement officials and provided information about the defendant Ametovski and his card shop activities. Specifically, the Co-Conspirator advised law enforcement that the Codeshop website was run by the defendant Djevair Ametovski, who used [a carder’s email address with ‘codeshop’ in the name] the Codeshop12 account.”
After determining that the co-conspirator’s information was valid, Slovenian officials continued the investigation from their end. Authorities found documents at a casino in Slovenia that further verified the information from the former business partner turned informant. The documents included a picture of Ametovski and the unidentified informant. Said informant also gave law enforcement the details of Ametovski’s girlfriend’s Facebook account that also pictured the 30-year-old defendant.
The defendant himself stole the credit card information of at least 18,000 understudying victims through phishing schemes. He then sold this information on Codeshop. He created the site so that customers could search through a fully indexed list of targets. It “allowed users to search through databases of stolen data by bank identification number, financial institution, country, state and card brand to find the precise data that they wished to buy.”
Over the course of the operation, Ametovski sold 1.3 million cards. He provided cards through his own operations and had bought them from so-called “important suppliers.” One of those important suppliers was the co-conspirator who gave Ametovski to law enforcement. Slovenian Authorities arrested the man in January 2014. He was extradited to the US in May 2016. He pleaded guilty to access device fraud and aggravated identity theft and received a maximum of 17 years in prison. He stole a significant number of cards, but other hackers have served far less prison time for similar crimes.