How two technology consultants helped drug traffickers hack the Port of Antwerp
By Jordan Robertson and Michael Riley
Illustrations by Ray Jones
July 7, 2015 |
From Bloom berg Business Reports
As Davy Van De Moere steered his Subaru along a back road at the Port of Antwerp, he was sure he was being followed. It was a warm day in August 2012, and the city’s industrial skyline stretched into the distance, mile after mile of towering dockside cranes. Unable to find his tail amid the rail lines and mountains of shipping containers, Van De Moere continued to his target: a squat office building whose parking lot was half-filled with workers taking cigarette breaks and napping in their cars.
Van De Moere parked, popped the hood on his battered Impreza, and connected the battery to an antenna, a white plastic rod about 6 inches long. The device began searching for a secret network inside DP World, a Dubai-based port operator with offices on the third floor of the building.
A few days earlier, small USB drives had been inserted into the company’s computers. They were programmed to intercept the nine-digit PINs that controlled access to DP World’s shipping containers. Besides fruit, metals, and other legitimate cargo, some of these containers carried millions of euros in heroin and cocaine. To get their drugs out of the port, often traffickers use low-tech methods: They hire runners to jump fences, break open containers, and sprint away before guards can catch them, earning as much as €10,000 ($11,200) a trip. Stealing PIN codes is more elegant and less risky. Whoever has the codes can pull into the terminal, enter the PIN into a keypad, wait as robot-controlled loaders put the container on their truck, and drive off—sometimes minutes ahead of the cargo’s legitimate owner.
As the minutes ticked by, Van De Moere could hardly believe what he was doing. He didn’t think of himself as a criminal. A year ago, Van De Moere—short, ponytailed, perpetually cheery—had been an ordinary information technology consultant in his native Belgium, earning a comfortable salary setting up digital voice networks for corporations. Now he was working with a Dutch drug-trafficking gang, deep into an audacious hacking scheme that authorities say smuggled tons of cocaine and heroin through the port and into cities across the continent. If the antenna worked and he got the codes, he had a chance to get his normal life back. If he screwed up, he could end up in prison or in a coffin.
The Wi-Fi antenna failed. The traffickers would be angry. Van De Moere closed the Subaru’s hood and drove away. He had only himself to blame. Himself, and his best friend, Filip Maertens.
Maertens and Van De Moere grew up five miles apart in small towns in western Belgium, Maertens in Tielt and Van De Moere in Ardooie. Born in 1978, they favored computers and music over soccer, which made them outsiders. They met at 14, when Maertens hacked Van De Moere’s online bulletin board, Bad Habit, named after a song by the Offspring. Van De Moere angrily challenged Maertens to settle their differences in the schoolyard. He backed down when he saw that Maertens was two heads taller than he. They talked instead. Maertens, who was confident, charming, and moody, described the bug he exploited to hack the site. They became friends, meeting regularly to discuss PCs, swap books on programming, and fumble their way through Metallica guitar solos in Maertens’s garage.
By 18, they’d founded an Internet Relay Chat channel called Securax, which became a popular home for Belgium’s fledgling hacker community, at one point boasting almost 100,000 subscribers. As their fame grew, Van De Moere and Maertens became sought-after commentators for Belgian media, and they were eventually hired by Ernst & Young to audit computer networks.
Their careers went in different directions, with Van De Moere building Internet voice networks and Maertens getting into security consulting, but they stayed close and helped each other out of jams. When Maertens double-booked meetings, Van De Moere gave presentations for him—even sometimes as him. When Van De Moere’s startup, Attractel, got in financial trouble, Maertens quit his job, became chief executive officer, and helped raise money. (The company folded during the 2008 financial crisis.) The pair literally trusted their lives to each other during rock-climbing and extreme mountaineering expeditions.
By the middle of 2011, each was living comfortably. Van De Moere was chief technology officer of Mondial Telecom, a Belgian mobile software company, making €12,000 a month. Maertens was making €20,000 a month consulting, including a project to help ING, the Dutch bank, build a mobile banking platform. Then he got an itch that would end the peaceful part of their lives.
According to prosecutors in the Netherlands and Belgium, what happened next transformed the pair into masterminds of one of the biggest drug-smuggling operations in Europe. The case, detailed in thousands of pages of police reports and court records, allegedly shows how mobsters and hackers teamed up to commit sophisticated crime, manipulating global logistical and transportation networks for huge gain. The hackers’ version of events, which they laid out as they wait for their fate to be determined later this year by Belgian authorities, differs sharply: a story of two men who became pawns of a violent group through coercion and a series of very bad decisions.
That summer, Maertens had an idea for a smartphone data-mining startup and began cold-calling potential investors. A friend put him in touch with Orhan Adibelli, a businessman in the Netherlands with an interest in technology. Their first meetings were in the lobby of a fashionable hotel near Rotterdam, where Adibelli, a stylish Turk in his 40s, ran an import-export company called Ogear Trading. It was based in the suburb of Barendrecht. Favoring a brown leather vest, expensive jeans, and button-up shirts, the mustachioed Adibelli hand-rolled cigarettes with astonishing dexterity and was cavalier about money. He didn’t blink when Maertens said he was looking for an investment of more than €1 million. That would have valued Maertens’s untested company, Argus Labs, at more than €5 million, which other potential investors thought too high.
Maertens was eager to prove his business skills. When Adibelli said he was building an office, Maertens offered to help procure and install computer equipment. When Adibelli said he wanted to invest in the cement industry, Maertens introduced him to two CEOs in the field. As the courtship deepened, Maertens visited the investor’s Rotterdam apartment, and they scouted office space for Argus Labs at an Antwerp high-rise, according to police records.
After months of negotiations, Adibelli abruptly called the deal off in December 2011, but not before introducing Maertens to an associate. Stocky and built like a street fighter, Ahmet Okul was a Turkish national who ran the Euro Spyshop, a store full of eavesdropping gear in the Dutch town of Arnhem. He told Maertens he was Adibelli’s technical adviser. For geek cred, Okul wore a T-shirt from Def Con, a popular hacking conference in Las Vegas, and he and Maertens hit it off discussing interception equipment. Okul loved to talk about hacking. He grilled Maertens about penetration testing, where companies pay white-hat hackers to break into their own networks, and about “pwnie” devices, which are minicomputers disguised as power strips and Internet routers that can go unnoticed in an office while intercepting network data. Pronounced pony, the name is a play on the hacker slang of “pwning,” or owning, someone else’s device.
Aside from his consulting job with ING and his Argus startup, Maertens had another gig, occasionally giving classes on hacking techniques to clients that included the Belgian government’s computer crime squad. Still hopeful that Adibelli might eventually invest in his company, he began giving Okul private hacking lessons, charging him at least €1,000 a class, according to police.
One day, Okul said he wanted to obtain a pwnie for a client. Maertens demurred. A week later, Adibelli called. Get to Barendrecht for a meeting, he told Maertens. Immediately.
By the time they understood what they were involved in, they were already implicated.
Adibelli’s office, located next to a coroner on a quiet street, was sparsely decorated. The first floor held a handful of desks where during the day employees discussed fruit shipments. The export-import company’s name appeared nowhere. The sole decoration was a poster of a dozen varieties of mangoes. Visitors and employees had to leave their cell phones before going upstairs.
There, Maertens found Adibelli, Okul, and two men with greasy hair and powerful builds.
Maertens was told he’d failed to answer several urgent calls from Okul, costing his customers—presumably the two unnamed men—a lot of money. Scared and befuddled, Maertens denied the accusation and got up to go. Okul threw him against the wall, and Adibelli punched him repeatedly in the chest and stomach. He hobbled away with dark purple and red bruising across his torso. Driving home, Maertens called his best friend and asked for help.
He and Van De Moere discussed going to the police. They later explained they dismissed the idea out of fear. These were clearly men who didn’t resolve disagreements with the usual conference call or attorney’s letter. Calling the authorities would anger them more. They decided the prudent course was to let the whole bizarre incident go and hope Maertens never heard from them again.
But Adibelli phoned a week later. He was chatty and friendly, asking how Maertens’s New Year’s celebrations were. And he requested another meeting in Barendrecht. Scared to say no, Maertens went, bringing Van De Moere along as his wheelman in case he had to escape quickly.
Upstairs, Okul got right to the point: He said he was sending malware by e-mail and that too many of his messages failed. Van De Moere had planned to stay out of sight, but Adibelli and Okul noticed the conspicuous whine of his Subaru driving up and down the street. Maertens admitted it was his friend and motioned out the second-floor window for him to come up. Van De Moere took a long time to think before he rang the buzzer.
Over coffee and cigarettes, Adibelli and Okul were disarmingly casual. They kept discussing hacking and pwnies as if Van De Moere—a stranger to them—hadn’t entered the room. Okul said he needed a new way to intercept e-mail, and he asked Maertens to build him a pwnie that could be ready in a few weeks.
On the drive back to Belgium, Van De Moere and Maertens sized up their dilemma. Kids in Antwerp grow up inundated with news stories about shady shipping companies pushing narcotics through the port, and the friends now had little doubt that Adibelli and Okul were somehow involved in the drug trade. They’d already decided that going to the police wasn’t an option, they later explained, so they rationalized. Building pwnies isn’t itself a crime; anyone can buy a version on the Internet. As long as they were only supplying a device and not operating it for whatever scheme Adibelli and Okul had in mind, the pair concluded they wouldn’t be breaking the law.
The device they built looked like a European version of a power strip. Tucked inside a 15-by-5-inch casing was a tiny Linux computer running powerful hacking software called Metasploit. The pwnie sent out data via cellular networks, which meant they could be accessed from anywhere.
Several weeks after delivery, Okul couldn’t get the device to work. Maertens and Van De Moere were summoned to Barendrecht, and this time Adibelli flashed a holstered handgun. He pointed to a newspaper story about a murder, the latest in a spasm of trafficking violence engulfing Belgium and the Netherlands. “You don’t know who you’re f---ing with,” Adibelli said. “If you don’t do what we want, there will be casualties.” Adibelli pushed a white plastic bag across the table and instructed the pair to try again. He assured them that what was inside would motivate them to make the pwnie work. On the drive home, they found €25,000 in small bills.
Adibelli was clever, recruiting Van De Moere and Maertens the way a spymaster develops a double agent. By the time they understood what they were involved in, they were already implicated. But as it became clear they weren’t about to be let go, they devised an ambitious plot of their own, hoping to dodge the mobsters and police alike. Was it so crazy to think it might work? After all, they figured, the criminals had hired them for their brains.
Maertens was desperate. He shaved his head, claiming he'd been diagnosed with a brain tumor.
For all of Okul’s hacker talk, his technical expertise was thin. At one meeting, he showed off a device meant to block nearby cell signals and thwart eavesdropping. It worked for about five minutes, then the signals popped back up. The friends had a flash of inspiration: Okul screwed up all the time, and he wasn’t dead. Failure, Maertens and Van De Moere realized, was an option.
The pair decided to bluff. By misconfiguring devices or making other small sabotages, they thought, they could look like they were cooperating without doing much harm, and the mobsters would eventually fire them and move on.
Over the next several months, they built more pwnies, all deficient in small ways. One would trigger security alerts when placed on any network protected by antivirus software. Another would reboot automatically anytime someone accessed it. When Okul asked to use Wi-Fi instead of 3G, Van De Moere lied and said there wasn’t enough capacity.
By June 2012, what was supposed to be a one-off deal had turned into almost full-time work. Maertens and Van De Moere were finding it difficult to meet the demands of their day jobs and Okul’s escalating needs. Okul called and texted constantly, peppering the pair with technical questions over special encrypted phones he’d provided.
One day, Van De Moere and Maertens were told to take an improved pwnie to a chic harborside bar in Antwerp called Hangar 41, where they were met by two men in mirrored aviators and expensive suits. The men showed off their lock-picking tools and bragged that they could enter any building unnoticed. They seemed to be the ones responsible for installing pwnies inside the shipping company offices. The men asked where the devices should be connected to capture the most data. Maertens and Van De Moere lied and said the printer.
The sabotage plan wasn’t working. Okul was relentless, assigning Van De Moere to teach the installers how to use pwnies and drive around picking up SIM cards and other equipment. The pair were increasingly desperate to get out. Van De Moere stopped answering texts; Maertens shaved his head, telling Adibelli he’d been diagnosed with a brain tumor.
One day in July, a muscled man in shorts and flip-flops came to the Argus Labs office and demanded Maertens come with him to meet Okul at Hangar 41. He issued the same order to Van De Moere by phone. Van De Moere lost his cool and started taunting the man. The caller responded by reciting the addresses of Van De Moere’s family members as well as Van De Moere’s own address, a remote farmhouse outside of Bruges where his wife was often alone.
Van De Moere floored it to Antwerp, making the hourlong drive in half the time, zooming past the flashes of freeway speed cameras. Okul got his start in organized crime as a “taxi driver”—an enforcer who transported people who’d fallen out of favor or behind on a debt to whatever fate awaited them, usually in the trunk of his car. At Hangar 41, he told Maertens and Van De Moere they were coming to Barendrecht to talk to Adibelli—and they could either follow him or ride in the trunk. They followed.
Once in Barendrecht, Adibelli threatened to put a bullet between Van De Moere’s eyes if he ignored Okul again. And then Okul gave Van De Moere a new job: He was to drive to specific office buildings to make sure the implanted devices were working properly.
Adibelli came to the attention of Dutch authorities in the fall of 2011, when his apartment in Rotterdam was burglarized. Someone called the police; a search turned up signal-jamming devices, keylogging software, and eavesdropping equipment. Investigators also found a bill of lading for a shipping container from South America that had been loaded with cocaine and seized by police, as well as notes of a meeting with Maertens that referenced DP World and other shipping companies. Clues continued to pile up, but it would be more than a year before police began to connect Adibelli to the various tentacles of a vast trafficking operation at the port.
A breakthrough came in July 2012, when criminals took a container of zinc thought to hold Colombian cocaine to an industrial area south of Rotterdam, where they stopped for 10 minutes. According to court records, the address was a distribution hub for a Dutch drug-smuggling ring led by Frits Becker—aka “Mango” and the “man met de snor,” which translates as the “man with the mustache”—whom police had been trying to bring down for years. Then on July 30, port authorities seized more than 250 kilograms of cocaine inside a container, a discovery that led them down an unexpected path. They noticed a pattern of containers destined for a German company called South America Trading. It was a front. According to police records, the company was taking shipments of supposedly legitimate goods—towels and caustic soda from Pakistan, beans and nuts from Mozambique—and selling them to a company from the Netherlands called Ogear Trading, owned by Orhan Adibelli.
The Port of Antwerp handles 200 million metric tons of cargo a year. As the No. 1 transit point for South American fruit, it’s Europe’s largest port of entry for Colombian cocaine. Traditionally, the best way to get the drugs out was to bribe port officials, but a recent crackdown had proved effective. When containers began to show up outside the port abandoned, the drugs they presumably contained long gone, authorities started to suspect the smugglers had found a way around the port’s security system, which assigns each container the unique code available only to the proper shipper. Investigators were stumped until the fall of 2012, when employees of Mediterranean Shipping (MSC), a large Swiss shipper, began complaining about slow computers. Typed words were taking too long to appear on the screen.
Technicians found a bunch of surveillance devices on the network. There were two pwnies and a number of Wi-Fi keyloggers—small devices installed in USB ports of computers to record keystrokes—that the hackers were using as backups to the pwnies. MSC hired a private investigator, who called PricewaterhouseCoopers’ digital forensics team, which learned that computer hackers were intercepting network traffic to steal PIN codes and hijack MSC’s containers.
Police quietly reached out to other big port companies and found they’d been hit in the same way. One pwnie had been installed at MSC in June 2012, showed up at the Chilean shipper CSAV three weeks later, and placed back at MSC three weeks after that, according to police. MSC confirmed that its container-tracking systems were breached and that the company hired PwC to investigate and secure the network. The other shipping companies and port operators didn’t respond to requests for comment. DP World investigated an Aug. 15 break-in and found Wi-Fi keyloggers there as well. Surveillance video taken a few days later showed a man behaving strangely in the parking lot, an antenna hooked up to the battery of his Subaru. It was Van De Moere, wondering whether he was going to get out of this mess alive.
“Obviously, you know we’re not in a legal business. So if you talk to anyone, we know where you and your family live.”
Prosecutors’ theory of the case is that Adibelli was an intelligence broker who sold PIN codes to Becker’s group and smuggled drugs on the side. Phone taps and financial records show drivers were paid as much as €5,000 per theft and would spend hours, sometimes a full day, waiting along the A58 highway for word that shipments had come in. Cell phone records reveal a passenger in Becker’s car texting and calling the drivers to give them the PIN codes.
In this view, Maertens and Van De Moere masterminded the hacking operation with Okul to make some quick money. Cell phone records show Maertens and Van De Moere meeting numerous times in Antwerp to drop off pwnies to the men who later the same nights would break into the shipping companies. The pair were caught on a phone tap discussing an antenna they ordered from China that never arrived. (Customs officials had intercepted it.) In late September 2012, investigators attached a tracking device to Van De Moere’s car, but they were foiled by an emergency engine repair that left the Subaru in the shop for a month.
When the hacking didn’t work, things ended badly. In one case, cocaine was hidden inside two containers of artichokes from Peru that were picked up by the rightful owner before the smugglers could get there with their stolen PIN. The truck driver was chased down the highway by attackers in Audis shooting Kalashnikovs.
By fall, Maertens and Van De Moere found themselves with little to do. The most plausible explanation is that the scheme had been exposed and port companies had removed the hacking tools from their networks. In September 2012, Adibelli summoned them to Barendrecht for another meeting.
In Belgium, guns were impossible for two IT consultants to get on short notice. So Van De Moere and Maertens each bought low-power commercial Tasers for protection. The night before the meeting, they practiced quick-drawing the Tasers in front of a mirror.
They drove the next day to the Netherlands and parked in the lot of the chic hotel where Maertens first met Adibelli. They cracked open two Jupiler beers in the car. Maertens was already drunk. They had both said cryptic goodbyes to their families.
When they arrived at the Barendrecht offices, Adibelli took Maertens downstairs.
Maertens begged for his life.
“This is really bad—this isn’t who we are—please leave us alone,” he said.
To his surprise, Adibelli agreed. “If you wanted out, why didn’t you let us know?” he said. Maertens was too scared to bring up the beating and the kidnapping and death threats. “Obviously, you know we’re not in a legal business,” Adibelli added. “So if you talk to anyone, we know where you and your family live.”
Adibelli brought Van De Moere down next and asked him if he wanted out, too. Van De Moere said yes.
There was only one condition of the release: Van De Moere had to give Okul an intensive training session on Linux, the operating system on which Metasploit, the hacking software, is based. A few weeks later, according to police and interviews, he did so over one weekend at a Holiday Inn in Ghent. In November, Van De Moere returned two antennas and had a couple of beers with Okul. That was the last either man would see of the Turks.
With the PIN code operation blown, investigators were having an easier time disrupting Becker and Adibelli’s operations. On Nov. 21, 2012, a driver tried to pick up a refrigerated container of mussels at the Antwerp port but didn’t have the right PIN. Instead, he presented a forged purchase order. Customs officers searched the container and found 190 kilograms of cocaine—another case that authorities have linked to Becker and Adibelli, according to police records.
On June 11, 2013, Van De Moere awoke just after dawn to find a dozen cops surrounding his farmhouse. Maertens was on vacation in the south of France with his girlfriend, celebrating a new round of funding for his company. He got a frantic call from his house-sitting brother, who was surrounded by armed officers and a drug-sniffing dog, and immediately returned to Belgium.
At the same time, Dutch police arrived at Adibelli’s home to discover he’d returned to Turkey a few days earlier. In his bedroom, they found a pistol under the mattress and two in the closet. In another bedroom, they found a bag with a machine gun, bullets, and a silencer, and elsewhere a suitcase filled with €1.1 million and a bulletproof vest. At his office, they found signal jammers and documents linking Maertens and Van De Moere to the attacks on DP World, CSAV, and MSC. Adibelli had left in a hurry, ahead of his family. Authorities believe he may have been tipped off.
Okul left for Turkey, too. He recently posted a Facebook picture of himself on a jet ski.
The Dutch portion of the case is expected to go to trial in November and involve at least 22 people, including Becker, who authorities say has been charged with drug-trafficking offenses as the alleged leader of the smuggling ring. Becker’s lawyer didn’t return calls. Adibelli has been charged in absentia with organized crime and drug offenses. His lawyer, Pol Vandemeulebroucke, says his client denies all blame. Belgian prosecutors handling the hacking case declined to comment on their plans for Adibelli and Okul, who are both formally suspects there. Okul, who now operates a spy shop in Turkey, didn’t respond to requests for comment through the shop and via Facebook. His lawyer, Alper Cinar, declined to comment. In the Netherlands and Belgium, targets of an investigation are considered under suspicion until the investigation is formally closed and the case moves to the trial stage.
That leaves Van De Moere and Maertens. The Belgian case, code-named Ocean’s 13, has them being investigated on suspicion of hacking into the Antwerp offices of DP World, CSAV, and MSC. Maertens and Van De Moere were adamant in police interrogations that they were unwilling accomplices, forced to hack under threat of violence. They insist their sabotage made the pwnies useless and that if Okul stole PIN codes they must have come from his phishing e-mails. Van De Moere says that when he parked at DP World, he intentionally was far enough away that he couldn’t get a good signal.
Authorities say Maertens and Van De Moere played a more central role. Police found evidence that when Maertens and Adibelli visited the Antwerp high-rise in November 2011 to scout out offices for Argus Labs, the offices they visited were above and below CSAV, where a pwnie was later discovered.
In February 2013, months after Van De Moere and Maertens say they last saw the mobsters, CSAV, DP World, MSC, and another port operator called PSA Antwerp were targeted by a new round of malware-laden e-mails. The messages were sent from a cellular tower in Wuustwezel, near a location where Maertens kept a computer server, according to police records. Asked about the e-mails during his initial interrogation, Maertens said he couldn’t explain it, but he wasn’t involved.
What the police don’t have is much of a money trail, adding credence to the hackers’ claim that they were coerced. Even though Maertens and Van De Moere were cast in the local press as major figures responsible for the smuggling of hundreds of millions of euros in illicit drugs, police later released seized assets related to Maertens’s company after they were unable to link them to the caper.
In June, as he awaited trial, Van De Moere sent Bloomberg Businessweek an e-mail looking back at his ordeal. “Towards Filip, I’m not the type of guy which easily gets angry,” he wrote in English. “Of course we’ve went over and over how Filip could or couldn’t have seen/figured out these guys were no good, but the conclusion each time was they are masters in manipulation.” Adibelli and Okul had tried the “divide and conquer” trick on them, Van De Moere said. “Our best move to get out of a bad situation was to stick together. We could only get out as a front.”
—With reporting by Elco Van Groningen and Ercan Ersoy