As word of Ant City filtered through the bureau, Hilbert began fielding requests from other FBI offices to look into specific hacks. February 2003 saw the biggest yet: an intrusion into the credit card payment processor Data Processing International that had exposed 8 million cards. Popov began asking around about DPI, and one of his contacts, a 21-year-old Russian student called “RES,” volunteered that he knew the three hackers responsible and could broker a deal.

One thing Popov had always known about Eastern European hackers: All they really wanted was a job.

Popov boldly declared that he intended to buy all 8 million cards for $200,000, but he wanted a small sample first. The sample would let Hilbert confirm that the cards really came from the DPI breach. But RES scoffed at the offer. Popov’s relatively small purchases up to that point had offered no evidence that he had $200,000 in his bank account.

Hilbert came up with a solution. Popov dressed in street clothes and, with an entourage of FBI agents for security, was shuttled to a nearby bank that had agreed to cooperate. In a back room, bank workers brought out $200,000 in hundred-dollar bills from the vault and arranged it on a table. Hilbert uncuffed Popov and shot a video of the hacker from the neck down as he riffled through the wads of cash.

“So look, I am showing the dough,” Popov said in Russian. “The dough is fucking real, no fucking blathering. I’ll be transferring it to my account.” He snatched a bill from a stack and held it close to the camera. “All the fucking watermarks, all the shit is here. I am showing it to you at point-blank range.” He tossed the bill disdainfully to the table. “So call your mob, and let us settle this fucking business.”

The video satisfied the Russian. Identifying RES was even easier. Popov mentioned to the hacker that some of his money came from a day job he held with a company called HermesPlast that was in the credit card printing business. Suggesting that the Russian apply for work there himself, he pointed RES to the company’s website and shared the email address of his purported boss, “Anatoly Feldman.”

RES sent Feldman an application the same day, with a copy of his résumé and a scan of his Russian national ID card.

HermesPlast, of course, was a fake company set up by Hilbert and Popov. Now the FBI had RES’ real name, date of birth, and address. It was a surprisingly simple ploy that would work again and again. One thing Popov had always known about Eastern European hackers: All they really wanted was a job.

O

On April 8, 2003, Popov was brought out of the Santa Ana Jail for sentencing in front of US district judge David Carter. For eight months he’d been spending his days on Ant City and his nights behind bars. On the government’s recommendation, Carter sentenced Popov to time served and three years of court supervision. He then immediately ordered that all records of the sentencing be sealed.

Twenty-eight months after he had boarded a flight to the US, Popov was set free in the middle of Orange County, California, 8 miles from Disneyland and a world away from Zhytomyr. But his immigration status was complicated. He had no green card or Social Security number and no way to get a legitimate job or a driver’s license. Hilbert arranged for the FBI to rent Popov an apartment near the beach and pay him a $1,000-a-month stipend to continue working on Ant City. But Popov couldn’t adjust to life in a suburban swelter of freeways and strip malls. In July he was waiting at a bus stop near his probation office when a man walked up to him, drunk and angry and talking shit. Popov hit the guy hard enough to knock him to the pavement. He called the FBI in a panic, already imagining his return to prison. If he got out of this, he decided, he was going home.

Popov got permission from Judge Carter to visit Ukraine, provided he return to California by August 18 to serve out the remainder of his three years of supervised release. Hilbert drove him to the airport and said good-bye, knowing full well he wouldn’t see Popov again.

Ant City closed down for good. By Hilbert’s count, the operation had taken some 400,000 stolen credit cards off the black market and alerted over 700 companies that they’d been breached by Eastern European hackers. Ten suspects would eventually be charged, including Script, but none extradited.

H

Hilbert stayed in touch after the hacker’s return to Ukraine. Popov started a cybersecurity business he called Cybercrime Monitoring Systems, or Cycmos. As Popov described it, Cycmos spied on the underground, selling intelligence to the companies that were being targeted. Hilbert approved. It sounded like Popov was turning the skills he’d acquired from Ant City into a legitimate enterprise. Popov began feeding Hilbert a steady stream of tips for old time’s sake.

On New Year’s Eve 2004, Hilbert’s cell phone rang. “Hey, you know what?” Popov said in his smooth, tumbling accent. “I got something new here.” There had been a big breach, he explained. And, remarkably, the FBI itself was a victim.

Popov had been monitoring a Russian hacker gang that specialized in a pre-Internet networking technology called X.25, which had powered the first public packet-switched networks in the ’70s and ’80s. By 2004, X.25 was the Betamax to the Internet’s VHS, but the legacy networks were still running and thousands of corporations and government agencies around the world were still connected.

The Russians were spelunking in these ancient networks and burrowing into US companies left and right. But one target was particularly alarming. Hackers had breached an AT&T data center in New Jersey where the telecom ran, under contract, the email servers for a number of US government agencies. One of these was the FBI’s, giving the Russians access to the email of every agent with an FBI.gov address.

Hilbert hung up and called his boss. Soon he was on a plane to Washington, DC, to lead the investigation. Hilbert arranged for the FBI to pay Cycmos $10,000 to retrieve any stolen material and identify the hackers involved. Popov came through, handing over two documents he said were plucked from an FBI inbox: a confidential 11-page dossier the government had compiled on a CarderPlanet kingpin called King Arthur and a spreadsheet of FBI and Secret Service cybercrime targets, broken down by jurisdiction.

The target list was dated six months earlier and marked “Law Enforcement Sensitive” and “Do not transmit over the Internet.” It was a potential gold mine to the underground, containing the handles—and in some cases the real names—of over 100 hackers in the government’s crosshairs, with a smattering of notes like “top-level target” or “currently cooperating with the government.” The White House was notified, raising the stakes even higher. Hilbert asked Popov for more.

Then Popov got a scoop. He directed Hilbert to an underground chat room where he could find the Russian leader of the X.25 gang. Hilbert was soon conversing with Leonid “Eadle” Sokolov, an engineering student in Saint Petersburg, Russia. Under Hilbert’s questioning, Sokolov admitted to the AT&T intrusion and the document theft. Hilbert had him. It would be the biggest case of his career.