International investigation of worldwide hackers' marketplace is rife with Pittsburgh ties | Pittsburgh City Paper

"Pittsburgh is a mecca for cyber-law enforcement."

It was a password-protected international forum for cybercriminals in more than 20 countries. Its users have been responsible for some of the most dangerous threats to cyber security across the globe.

But last week, after a two-year investigation, the network known as Darkode was dismantled right here in Pittsburgh.

"Darkode represented one of the gravest threats to the integrity of data on computers in the United States and around the world, and was the most sophisticated English-speaking forum for criminal computer hackers in the world," U.S. Attorney David Hickton said in a press conference last week.

In conjunction with bureaus across the U.S., the Pittsburgh FBI cyber squad's investigation has led to criminal charges against 70 accused cybercriminals. And for one of them — Churchill native Morgan Culbertson — alleged involvement in the international malware marketplace Darkode begins and ends in Pittsburgh.

At 20 years old, Culbertson is one of the youngest individuals being investigated. He has been charged with conspiring to send malicious code.

"The Pittsburgh office of the FBI, which has two cyber squads, is at the center of law enforcement for cyber crime," Hickton told City Paper last week. "Pittsburgh is a mecca for cyber-law enforcement. We brought a series of very large cases over the past couple of years since we first started doing this."

[Photo: Morgan Culbertson, from his LinkedIn profile]

Hickton said the collaboration and resources required to successfully dismantle Darkode were extensive.

"These cases take a long time to do," said Hickton. "Internet crime is done by clever criminals who hide behind the anonymity of the Internet, and the evidence we're dealing with is sometimes evaporated."

The investigation involved 20 countries and the Carnegie Mellon University-based Computer Emergency Response Team (CERT) facility. Founded in 1988 as part of CMU's Software Engineering Institute, it was the first team of its kind.

In this case, however, authorities say CMU has ties to both the attack and the defense.

Culbertson is currently enrolled as a sophomore in the electrical-engineering program at Carnegie Mellon. His father, Robert Culbertson, is a former professor at the university.

Morgan Culbertson's alleged involvement surprised his close friends from CMU, who were unaware that their classmate, the charging document alleges, spent his free time creating and marketing a computer virus with international reach.

On July 14, CP went to Culbertson's fraternity, where some of its members spoke about the charges but asked not to be identified.

"It's kind of out-of-the-blue, actually," says a sophomore from Culbertson's fraternity, Sigma Chi.

"The fact that he had time. I don't know, I kind of doubt it a little bit," says a junior fraternity brother and fellow electrical-engineering student. "We never have time. Me and him have been up until 3 in the morning working on school work."

While Culbertson's fraternity brothers are amazed that their housemate had the time to develop such a complicated program between classes and fraternity activities, the nature of the allegations against him surprises them less.

"His entire major revolves around computers," says another sophomore. "It would be wrong for us to say that it was alarming that he used his computer."

Officials claim that Culbertson wrote the code for a virus called "Dendroid" and sold access to the malware-creation kit on Darkode under the alias "Android." Dendroid gives hackers the ability to remotely access and control Android phones by infecting applications with the virus.

When an Android user downloads an infected application, hackers are able to delete call logs, access data, intercept text messages and place phone calls. Through Dendroid, its buyers can even listen to and record phone calls.

"It is a complete invasion of privacy for the person who owns the phone," said Hickton.

The complexity of Dendroid allows hackers to sneak infected applications into the Google Play platform. Before the site was dismantled, members of Darkode could purchase Dendroid for the Bitcoin equivalent of $300.

A user named "Android" posted an advertisement for Dendroid on Darkode in October 2013. Android details that the virus took "1.3 years to fully develop." If this estimate is true, Culbertson was about 17 years old at the beginning of Dendroid's creation. At that time, he was attending Winchester Thurston, a private school in Shadyside.

Culbertson got into computer programming at an early age. According to a story on Winchester Thurston's website, Culbertson participated in a 2011 High School Mathematical Contest in Modeling where students solved problems with a variety of methods, including developing computer programs.

His father, Robert Culbertson, founded two local tech businesses, including GetAbby, where Morgan Culbertson worked as a programmer for three months in 2012 (according to his LinkedIn profile).

In the fall of 2013, Culbertson entered CMU. During Culbertson's transition to college, Dendroid was advertised on Darkode. In March 2014 the virus began to draw concern from the security community, when American tech company Symantec discovered it. Soon after, Dendroid targeted Android users in India, warranting a security advisory from CERT-In, India's Computer Emergency Response Team.

Since the alleged creation and marketing of Dendroid, Culbertson continued to enrich his knowledge of cyber security, most notably through an internship at FireEye, a cyber-security firm headquartered in Silicon Valley. He had been working at the company when he was charged. FireEye has publicly confirmed Culbertson's internship.

In a statement, a FireEye spokesperson said, "Mr. Culbertson's internship has been suspended pending an internal review of his activities. As there are ongoing investigations by external parties and FireEye, we cannot provide any further comment on Mr. Culbertson and his activities."

Staff writer Rebecca Nuttall contributed to this report.