It was a soft play area for hackers, a place they could safely sharpen their knives before committing fraud, extortion or snooping exercises. But it wasn't run from an off-grid basement in Russia or China; the testing centre was set up in a smart semi-detached house in the Essex town of Colchester by a 20-year-old who lived with his in-laws.
While they slept, his reFUD.me website – thought to stand for "Fully Undetectable" – helped paying hackers test their wares against the toughest security software around, to make sure they didn't leave a trace.
The site was created by Goncalo Esteves, now 24, who advertised his services under the name KillaMuvz through Hackforums.net – a message-board site known to be used by cyber criminals. Esteves was reckoned to have made a minimum of £32,000 helping hackers who wanted a dummy run before attacking individuals or businesses, though police estimate his total haul to be much higher, as many of his Bitcoin deals are untraceable.
Earlier this month Esteves was sentenced to two years in prison after admitting to two computer misuse charges and a money laundering charge, with police claiming in court that he had laundered over £11,000.
During the day, Esteves would attend a computer course at Colchester University, running his operation as a sideline – one which kept him chained to his screen until the early hours of the morning. When a dozen police arrested an exhausted Esteves and seized three laptops, mobile phones and external hard drives, they had been monitoring over 300 hours' worth of messages the young entrepreneur had been sending.
Clients of reFUD.me, they found, were varied: professional hackers looking to test a product before ripping off users or businesses; individuals wishing to take down a rival website; jealous boyfriends looking to spy on their girlfriends. Behind the site, Esteves also offered a kind of chop-shop where users could get their hacking tools customised, typically to give them "remote access" capability, allowing hackers to control compromised computers from afar.
Investigators found that Esteves would spend hours trying to teach hackers how to use malware, or adjust their software so they could operate remotely or go undetected. Esteves called his own homemade encryption tools Cryptex Reborn and Cryptex Lite, and sold them fairly cheaply as subscriptions – a month of Cryptex Lite cost $7.99 (£5.78), while a lifetime licence for Cryptex Reborn cost $90 (£65) – and he amassed over 800 transactions.
His waking nightmare was one of his hackers' tools triggering anti-virus software, because the companies which ran it would then update their signatures, leaving him in a constant arms race to beat the system. Senior officer Steven Laval of the National Crime Agency's (NCA) Cyber Crime Unit spent months tracking Esteves. "He would try and give technical advice, but a lot of his customers weren’t prepared to read their technical instructions – they just wanted to click and go," he told me.
Users on Hackforums.net were troubled by Esteves' arrest. User agabajhn wrote, "I wish God can bless us with a pure heart like KillaMuvz. I will pray for him today. I really miss his service." Another, IntPtr, added, "I spoke to him a lot off-site a while ago. I’ve had about 10+ contacts caught for shit in the last 5 years. Either people are getting sloppy or the authorities are stepping up their game."
Whatever an average hacker might look like, Esteves was not it. "He didn’t fit that stereotype of the classic cyber criminal being sat in their room and never coming out," said Laval. "He was different – he was very social, he had a wife and went to university and had a normal life. But, at night, he was servicing these hackers who wanted to commit crimes. His in-laws knew he worked online, but didn't have much idea what he was doing."
Mike Hulett, head of operations at the NCA's National Cyber Crime Unit, said Esteves "made a fair bit of money, but he’d probably have made much more, and certainly for longer, if he’d pursued a legitimate career in cyber security".
Esteves argued in his police interviews that his site didn't break the law. He actually had signs on his website saying he didn’t support illegal behaviour and that – in a similar way to bong shops – he was only providing a product which had the potential to be used for illegal activity, rather than doing something illegal himself. He argued that if a supermarket sold a knife to someone and that person went on to kill, you wouldn’t go back and sue the supermarket.
Defending him unsuccessfully, his lawyer, Caroline Woodley, told the court, "He has a contract with his customers not to use his programmes for criminal purposes, and those who do are blocked. There are legitimate uses – some companies use it to test their programmes."
Laval countered: "In reality, he was not only showing his clients how to use tools properly, but also testing them on his own site to make sure they left no trace."
The main topic discussed on Esteves' site was RATs, otherwise known as Remote Access Tools – the kind an office IT department uses to fix your machine without coming to your desk. That capability is harnessed by many hackers, who use Trojans to install RATs on your system, where they sit undetected, ready to steal personal information or carry out cyber attacks.
This month, a petrochemical site in Saudi Arabia was overrun with RATs, enabling unknown hackers to potentially blow up and poison a thousand-mile radius or commandeer the whole plant. The attack was only noticed when a tiny part of the hackers' malware interfered with the main server. "With something like that, you can create great danger to an oil rig, a refinery, a power station. In effect, you have built a bomb," says Brigadier General Danny Bren, the former commander of Israel’s cyber defence unit.
In the case of Esteves' website users, the RATs were more localised. "These RATs would be tested and then used for gathering data and public information, bank accounts being accessed or even switching people's webcams on without their knowledge, being filmed and then potentially being blackmailed further down the line," said Laval. "Hackers could demand Bitcoin from victims in order to get the pictures back."
Also being given a test run by hackers on reFUD.me were DDoS – distributed denial of service – attacks, which deluge a website or company with junk traffic, causing it to either cease operations or run so slowly that customers go elsewhere. One user on Esteves' site wanted to sabotage a company’s website by flooding its server with requests and data, forcing that system offline. Other hackers tested keylogger malware, which records the keystrokes a victim makes on their machine, allowing the hacker to steal personal information or gather material for blackmail.
This is illegal in the UK; in 2006, a law was passed that made DDoS attacks punishable by up to ten years in prison. However, Esteves believed he was far enough removed from the crimes being tested on his site – and it was this, plus his advertising on Hackforums.net and the overall success of reFUD.me, that eventually became his downfall.
"He knew what he was doing, but his code was described as being very messy by our technical guys," said Laval. "He was so visible because he didn’t believe he was doing anything wrong, and that made him very easy to find."