Beyond the operation’s scale, the striking picture that emerges from the indictment is the degree to which Infraud operated very much like a dark-web cousin of major commercial marketplace sites.
The group’s leadership imposed a rigid hierarchy to maintain order on the site, delegated authority to system administrators and other associates who held roles of varying responsibility ranging from “Moderators” to “Super Moderators” to “Administrators.” It also relied on a system of strictly enforced rules and user-generated feedback to maintain quality control. Longstanding site members were promoted to “VIP Member” status to honor their contributions and solicited advice on the “In Fraud We Trust” discussion forum.
Given Infraud’s worldwide membership, U.S. law enforcement needed to partner with others across the world to effectuate the arrest and to send a meaningful warning to wrongdoers in the future: The unsealing of the indictment followed the arrests of 13 individuals in the United States and six other countries (Australia, the United Kingdom, France, Italy, Kosovo, and Serbia).
In its public statement, the Justice Department offered thanks to a long list of cooperating law enforcement agencies around the world without whom “[t]he international operation to dismantle the Infraud Organization would have been impossible.”
Conspicuously absent from the list is Russia, even as the indictment gives indications that the site itself was being hosted in Russia. Among other things, the indictment alleges that in 2011 the site’s founder issued a decree that banned the buying and selling of contraband involving Russian victims, a tactic experts noted is used to discourage Russian law enforcement from taking down a Russian-hosted server.
While these types of multi-jurisdiction arrest sweeps are intended to send a message to cyber-criminals, the most important message in the near term is for the public: In today’s environment, companies are not just up against solo hackers, but highly skilled enterprises that rely on an international collection of criminal and cyber expertise.
A new report from the White House Council of Economic Advisers estimated that malicious cyber activity cost the U.S. economy as much as $109 billion in 2016 and emphasized that even though “government can help address some elements of cyber protection issues, the most direct actions in cybersecurity are in the hands of the private sector.”
Meeting this threat takes a serious investment in technological safeguards as well as a willingness to adapt to an evolving threat. Companies and individuals should invest now in protections against these kinds of threats and begin planning for scenarios in which their systems are breached and their information finds its way to these kinds of dark corners of the internet.
Commentary by John P. Carlin and David Newman. Carlin was the assistant attorney general for the U.S. Department of Justice’s National Security Division (NSD) and served as chief of staff and senior counsel to former FBI Director Robert S. Mueller, III, where he helped lead the FBI’s evolution to meet growing and changing national security threats, including cyber threats. He currently chairs Morrison & Foerster’s global risk and crisis management group and co-chairs its national security group. He is also the chair of the Aspen Institute’s Cybersecurity & Technology Program and a CNBC contributor.
Newman is a former special assistant to President Barack Obama, associate White House counsel, and director on the National Security Council staff. He is currently counsel at Morrison & Foerster LLP, where he represents clients in a wide variety of national security and global risk and crisis management issues.
For more insight from CNBC contributors, follow