When they learned of Morgan Culbertson’s alleged involvement in malware marketplace Darkode, the accused’s fraternity brothers at first wondered, “What’s that?” Friends of the rising junior at Carnegie Mellon University were shocked to hear that the electrical-engineering student was allegedly juggling coursework with the creation and marketing of an internationally damaging computer virus.
The FBI’s probe of Darkode, an infamous malware forum, has culminated in the arrests of nearly 90 alleged cyber-criminals and the dismantling of the invitation-only marketplace.
“Of the roughly 800 criminal Internet forums worldwide, Darkode represented one of the gravest threats to the integrity of data on computers in the United States and around the world and was the most sophisticated English-speaking forum for criminal computer hackers in the world,” U.S. Attorney David Hickton said at a press conference yesterday. “Through this operation, we have dismantled a cyber hornets’ nest of criminal hackers, which was believed by many, including the hackers themselves, to be impenetrable.”
But one name on the list — CMU student Morgan Culbertson, of Churchill — has some people wondering how a young, talented and unassuming electrical-engineering major could be caught up in an international hacking investigation.
Morgan Culbertson's LinkedIn profile
At 20 years old, Culbertson is one of the youngest individuals being investigated. He
has been indicted
on charges related to his involvement with the malware marketplace and charged with conspiring to send malicious code.
Officials allege that Culbertson — using the alias "Android" — sold code for a malware program called “Dendroid.” The virus allows buyers to infect Android applications and gives hackers the ability to remotely control the functions of Android phones.
Once an Android user purchases the infected application, the virus allows hackers to place phone calls, intercept text messages, open applications, and delete call logs. Due to the intricacies of Dendroid, its buyers are able to sneak infected applications into the Google Play store.
Darkode members were able to purchase Dendroid for the Bitcoin equivalent of $300 before the site was dismantled.
According to a Darkode post
by "Android" in October 2013, the virus took “1.3 years to fully develop.” At the time of the creation of the malware, Culbertson was about 17 years old. He is a graduate of the private Winchester Thurston School, in Shadyside.
Though “Dendroid” was advertised on Darkode in October 2013, the virus did not draw concern from the security community until March 2014, when American tech company Symantec discovered the malware.
By late March, Dendroid had targeted Android users in India, warranting a security advisory from CERT-In, the Computer Emergency Response Team of India.
At the time the program began to wreak international havoc, Culbertson was busy adjusting to the demands of university life. His father, Robert Culbertson, is a retired CMU professor of entrepreneurship and the CEO and founder of two local tech businesses, including GetAbby, where Morgan Culbertson worked as a programmer for three months in 2012, according to his LinkedIn profile.
In the spring of 2015, Morgan Culbertson wrapped up his sophomore year at CMU. Culbertson’s level of involvement in campus activities, including his fraternity (Sigma Chi), has left many surprised at his alleged illegal Internet activity.
On Tuesday afternoon, City Paper
went to Culberston's fraternity, where some of its members spoke on condition of anonymity. They say Culbertson played a number of intramural sports, from squash to basketball. In addition to his athletic involvement, Morgan Culbertson is an active member of the fraternity and even lived at the fraternity house during the past school year.
Culbertson’s fraternity brothers portray him as a good-natured friend. “Silly. He’s always funny,” they say.
His friends received news of his alleged Darkode involvement with surprise. “It’s kind out of the blue actually,” a sophomore fraternity brother says.
Nevertheless, the fraternity brothers say they can't be too surprised considering Culbertson's choice of major.
“His entire major revolves around computers,” says a sophomore fraternity brother. “It would be wrong for us to say that it was alarming that he used his computer.”
What does elicit surprise, however, is the fact that Culbertson allegedly found the time to create and market such a widely damaging virus.
“The fact that he had time. I don’t know, I kind of doubt it a little bit,” says a junior fraternity brother and fellow electrical-engineering student. “We never have time. Me and him have been up until three in the morning working on school work.”
Culbertson's academic standing and computer programming ability have earned him summer internships at FireEye, a cybersecurity firm headquartered in Silicon Valley, including this summer. FireEye has publicly confirmed Culbertson’s internship.
“Mr. Culbertson’s internship has been suspended pending an internal review of his activities. As there are ongoing investigations by external parties and FireEye, we cannot provide any further comment on Mr. Culbertson and his activities,” said FireEye spokesperson Kyrk Storer in a statement.
The case has been assigned to Judge Maurice Cohill, but no date has been set for Culbertson's initial appearance.