Security Expert & Former Secret Service Agent Discusses Cyber-Crime

'TF7' Guest Explains Experiences In Fraud, Cyber-Intel

Add bookmark

Dan Gunderman


The Sept. 24 episode of “Task Force 7 Radio,” hosted by George Rettas, was a fast-moving survey of cyber-crime from the 1990s to today, with featured guest Robert Villanueva, former Secret Service Agent and current Executive Vice President of Q6 Cyber.

Rettas was also joined by frequent collaborators and co-hosts, Tom Pageler, CSO, BitGo, and Paul Jackson, Managing Director, Kroll’s Asia Pacific Cyber Risk practice. Topics of discussion included South American sting operations, early credit card fraud, malware deployment and the state of today’s Dark Web.

Villanueva began the show by discussing his 25 years in the Secret Service, based out of Miami, Fla. Starting his career with the Service back in 1990, he initially had a focus in drug trafficking and cartel activity in South Florida. He’d work with the Drug Enforcement Administration (DEA), the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) and local police agencies to build cases against prosperous local criminals. Villanueva made it known that the Service’s mandate, via statute, however, is also to investigate financial crime, much of that having to do with computer networks.

Counterfeit Operations

The “TF7 Radio” guest said that in the 1990s, people were printing counterfeit credit cards and distributing them worldwide, and oftentimes they would come through Miami, a known port of entry to the U.S. So, he would work with local law enforcement to investigate and penetrate criminal organizations. Much of the work was done in conjunction with the U.S. embassy in the respective country, Villanueva said.

Some of the cases, he added, were multi-month-long campaigns, sometimes lasting a year or even two, depending on the sophistication of the organization. The radio show guest suggested that at the time, 75% of counterfeit currency produced in the world came out of Colombia, with secretive operations and even expert printers.

The Secret Service opened a full-time presence in Colombia in the ’90s and Villanueva was asked to head field operations. Here, he moved from undercover to supervisory work.

See Related: Hong Kong-Based Security Expert Talks Early Cyber-Crime, Career Path

‘Anti-Western’ Activities?

Asked whether proceeds from these operations were used to fund illicit terrorist or anti-Western activities, Villanueva provided anecdotal evidence, saying that a tri-border region between Paraguay, Brazil and Argentina – a “no man’s land” of some anarchy – was a particular hub of terrorist activity. Back then, funding for some worldwide operations came from the region.

[Photo: Leonard Zhukovsky/]

Cyber Intelligence

Villanueva was soon tasked with heading the Cyber Intelligence Section at the Secret Service headquarters. He described the move as a sort of logical progression, as he’d held interest in technology, and research into some activity on early mobile phones. He was also charged with establishing task forces needed to coordinate cases that were developing in the cyber space.

Then, in the 2000s, amid a wave of malware proliferation, viruses and hacker activity, cases demanded even more coordination. Seen as a good fit to spearhead the unit, Villanueva began his work in cyber-crime, with a focus on analysis – including both exploitation and attribution. He hired “intelligent individuals” with backgrounds in computer science and formed an operational unit with the aim of pursuing attribution for cyber-crimes, and identifying, locating, prosecuting and potentially extraditing the criminals. It was an important stage in cyber-defense, the “TF7 Radio” guest said, because it proved to criminals that they were not untouchable and could not just infiltrate U.S. financial institutions and infrastructure with little consequence.

Here, Pageler added that he worked with Villanueva, as he ran the Electronic Crimes Task Force from the San Francisco field office.

After mentioning his previous work on what was nicknamed the “cave case,” which found a Colombian counterfeiter operating from an underground bunker for 15 years, the “TF7 Radio” guest pivoted toward cyber-crime investigations, namely Operation Firewall and the ShadowCrew.

Villanueva said in around 2003, the Service began targeting a notorious website called ShadowCrew, which hosted about 4,000 individuals dedicated to cyber-crime. It had a large presence with Eastern European criminals – who would steal credit cards, initiate breaches, hack into infrastructure, etc. The Newark field office apprehended an individual who had been cashing out at ATMs. A multi-month investigation led to the infiltration of the website, along with the identification of its key players around the world. Twenty-eight individuals were arrested around the world, which “put a major dent in cyber-crime,” Villanueva described, adding that it was the first time that an online criminal network was infiltrated by U.S. law enforcement.

See Related: Security Execs Talk Facebook CSO, 'Single Pane' & Strategy

T.J. Maxx Breach

The conversation shifted to notorious hacker Albert Gonzalez, who had been a part of the ShadowCrew investigation. Villanueva called the black hat a “smart individual” who was self-taught with computer science and knew the Internet well, as well as its criminal underground. As an informant, Gonzalez had a chance to resurrect his life, but eventually opted to return to South Florida and continue his illicit dealings. Gonzalez targeted wireless infrastructure using packet sniffers and other tools to steal credit card data (not encrypted at the time). His victims included T.J. Maxx and Dave & Busters. Ultimately he was apprehended by the Secret Service for his sophisticated criminal empire (he reportedly stole as many as 170 million credentials, which were resold back into the Dark Web). He is now serving a 20-year prison sentence. Villanueva likened the move back into crime a sign of pure greed.

‘Maksik’ Case

Another notorious case involved a cyber-criminal and Gonzalez buyer who went by “Maksik.” While traveling to Turkey and staying at a lavish resort, he was being monitored by the Secret Service, specifically agents from the San Diego office.

He was supposed to be arrested onsite and extradited, but he opted to hack into a Turkish financial institution while in-state; the police soon found him and he served time in Turkish prison. Villanueva said, “Justice was served.”

Current Climate & Focus

In the show’s final segment, Villanueva assessed the current threat landscape, saying it is “alive and well” due to an increase in credential-stealing malware and sophisticated phishing campaigns to inject that payload. Once the malware has taken hold, it harvests information, IP addresses and sessions, and uses botnets to communicate with command and control servers overseas. There is a sharp increase in account takeover performed through malware, he said, and also a continuation of data breaches for resale on the Dark Web in private and public forums.

Villanueva stated that new malware variants are emerging every day, meaning antivirus companies are “a little behind” as they try to hunt new strains.

In his current role, Villanueva heads operations and business development – with a team of analysts, engineers, etc. – to build actionable threat intelligence. He monitors various forums and channels in real time to stop fraud before it occurs, for Q6 Cyber clients.

The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.

To listen to this and past episodes of "Task Force 7 Radio," click here.

Connect with Villanueva on LinkedIn, here.

Be Sure To Check Out: Onfido CTO Discusses Identity Verification, Blockchain, ML