To Catch (and Prosecute) a Spammer: A Case Study of United States v. Alan Ralsky, et al.
Terrence Berg
United States Attorney
Eastern District of Michigan

The “Godfather of Spam”?
• From USA TODAY 6/25/2003 article, by Jon Swartz: “Given all the crap that's going on with spam, it's probably not wise to have a high profile,” says Alan Ralsky, 58, who calls himself “the Godfather of spam.” The gruff West Bloomfield, Mich., resident says he sends 30 million e-mails abroad each day peddling jewelry and vacation giveaways.

“I’ll never quit”
• November 22, 2002 Detroit Free Press article by Mike Wendland: “I've gone overseas,” [Ralsky] said. “I now send most of my mail from other countries. And that's a shame. I pay a fortune to providers to do this, and I'd much rather have it go to American companies. But I have to stay in business, and if I have to go out of the country, then so be it.” “I'll never quit,” said the 57-year-old master of spam. “I like what I do. This is the greatest business in the world.”
• CAN-SPAM Act effective January 1, 2004, 18 U.S.C. § 1037.

What was made illegal by CAN-SPAM?
• (1) intentionally falsifying header information; (2) registering domains using false info; (3) unauthorized use of proxies to deceive; or (4) accessing another’s computer without authorization . . .
• And intentionally initiating “multiple commercial email messages”
• “multiple” = > 100 in 24 hours; > 1,000 in 30 days; or > 10,000 in 1 year.

Penalties under CAN-SPAM
• 5-year felony if
  ▫ Committed in furtherance of a felony
  ▫ Defendant has § 1030 or state spam prior
• 3-year felony if
  ▫ Use of another’s computer to spam
  ▫ False registration involving > 20 emails or online user account registrations or 10 or > domain registrations
  ▫ Volume email = > 2500 in 24 hours; > 25,000 in 30 days; > 250,000 in 1 year
  ▫ Offense caused $5000 or > in loss in 1 year
• 1-year misdemeanor otherwise.

Who’d have thought?
• MS referral v. ultimate charges: leads, trap accts, tunneling, link charts v. Chinese penny stock pump and dump/ outsourced spamming/ botnet.
• Couldn’t commit crime without Internet and computers but couldn’t prove crime with Internet and computers either.
• Complexity of scheme v. simple tools to solve it

Milestones on Road to Prosecution
• Daniel Lin, first CAN-SPAM defendant (4/04), turned out to have worked for Ralsky.
• MS referral (9/04) FBI and USPIS
  ▫ Alan Ralsky, Scott Bradley, Judy Devenow
  ▫ Brazil
  ▫ Link chart from heqq
• September 2004 – May 2005
  ▫ Reviewing materials
  ▫ GJ investigation
• MS referral II (5/05): focus on potentially false domain registrations.

Milestones
• Many sources of info:
  ▫ Public source (SPAMHAUS)
  ▫ Domain registration info
  ▫ Trap account emails
  ▫ Bank records
  ▫ Internet connectivity records
  ▫ SW on e-mail accounts
• Showed:
  ▫ Bradley is paying to have over 1000 domain names registered, some domains registered with false name/address, high volumes spam from these domains
  ▫ Devenow co. registered a /21 block of IP numbers
  ▫ Connectivity for block paid for by Bradley
  ▫ Computers are in L.A. and Fresno at “GDC Layer One”

Take-down
• Five simultaneous SWs on September 1, 2005
  ▫ Residences of Ralsky, Bradley (W. Bloomfield), Devenow (E. Lansing)
  ▫ GDC Layer One in L.A. and Fresno – roll-over SW
  ▫ Colo and sys admin for mailing operation: John Bown and William Neil
• 64 computers from LA
• 15 computers from MI residences
• 11 computers from Fresno
• Boxes of paper records, free HDs, CDs, floppies

Now comes the hard part
• Need to review and understand 90+ computers as well as records, etc.
• Other records from GJ subpoenas too.
• Importance of old-fashioned detective work, evidence
  ▫ Handwritten notes in Scott Bradley’s house are tally sheets of stock ticker symbols, and amounts, seem to divide in “shares”.
  ▫ Need for witnesses/insiders to tell what was going on

Emails and Chat
• The stored emails and chat on SB and AR computers told the story
  ▫ Paying for proxies
  ▫ Paying for spammers
• 2 spammers and 1 colo guy cooperate, testify crucial
• Records show in-house spamming too
  ▫ “Frankie” = Frank Tribble
  ▫ “Hui” = John Hui
  ▫ Outlines of pump and dump scheme start to take shape

Need for Real People as Witnesses to Spamming Operation
• Identified 2 low-level spammers and 1 colo guy
• Approach and interview
• Contract spammers admit
  ▫ Ralsky and Bradley were aware of proxies being used
  ▫ Identified certain stocks as ones they spammed
  ▫ Authenticated chats and e-mails
• Colo guy admits
  ▫ Use of software to spam – phony header info
  ▫ Aware of connection to China

The Role of Spamming Software
• “Dark Mailer”; “Nexus”
• Defs use several kinds
• Updates for Nexus reference “Proxy Scanner” – intended to find and connect to proxies
• Owner and Developer of Nexus admits his role in creating software for purpose of spamming
• Lightspeed Marketing and Dave Patton

Overview of Evidence of Stock Manipulation Scheme
• E-mails, chats, and other communications among co-conspirators
• Sample e-mails from Bradley’s seed account
• Internal financial records
• Analysis of wire transfers, timed with spam campaigns and internal e-mails
• Analysis of trading activity and market prices
• Testimony of co-conspirators/insiders

What we see from evidence seized
• Appears to be a pump-and-dump.
  ▫ Approximately 50 Ticker Symbols
  ▫ Chinese corporations
  ▫ Shell companies
  ▫ At least three brokerage firms
  ▫ Need to consult with SEC
• Many domestic and international mailers being hired to mail via proxies and botnets, or whatever means available. Hard to trace/track/identify.
Post-SW, the operation continues
• We learn they are attempting to set up a bot-net to spam
• We pursue several investigative avenues that are unsuccessful
• Examples of evidence

Steps in the Pump and Dump Scam
• Shares of Chinese penny stock companies are issued to “straw” purchasers in China
  ▫ Trading accounts opened at same broker over short period of time in names of numerous foreign S/H
  ▫ Immediate deposit of large (200K plus) shares into newly opened accounts
• Spammers are provided with “news” – ad copy
  ▫ Spam mail blasted out touting stock
  ▫ Sales in tens of thousands of shares/day

Overview of Stock Spam Pump and Dump Scheme
• Day 1. Hui/Tribble deposit large blocks of “CWTD” shares into “straw man” brokerage accounts of dozens of phony accountholders
• Day 2. Ralsky/Bradley & mailers send spam touting CWTD
  ▫ False headers/IPs thru proxies/botnets
  ▫ False touts and no disclaimers
  ▫ Sample message shown on the slide:
      Return path: <phony name@phonydomain.com>
      X-Original To: <phony name@phony domain>
      Delivered To: <phony name@phony domain>
      Received from: <false IP/proxy/bogon/botnet>
      PR Newswire: Major Financial News Released Today: CWTD continues to climb after launching new product/acquisition/announcing major contract. CWTD has more than doubled over the last 8 weeks. We strongly urge you to watch this stock first thing on Monday morning. Current Price: $0.75 7-day projection: $5.50
      E.g., INTERNET IPO!
• Day 3. Spam recipients buy CWTD stock, “pumping” up price
• Day 4. Hui/Tribble sell/“dump” shares of CWTD at inflated prices, price falls
• Stock proceeds wired from U.S. brokerage to Hong Kong bank back to Superior Distributing to be dispersed to Ralsky, Hui, Tribble
[Diagram labels: Proxies and Bots; Phony Brokerage Accountholders; stock price chart, $0.00 to $6.00]

Activity Behind the Scenes
• Numerous wire transactions and communications between members of the conspiracy.
• Reimbursement is based upon daily average stock price
• Negotiation for deals w/new companies

Scope of Scheme
• Potentially three brokerage firms being used.
• >$20 Million to China from ONE firm.
• email4u (Ralsky) says: 20% to us 20% to u 20% to frank and 40% to the client is that right
• Evidence from searches has split being at least 50/50 and as much as 60/40.
• 50 Ticker Symbols
• >20 accounts at one brokerage firm.

Following the money
• John Hui – Hong Kong CEO of CWTD, has connection with Chinese companies issuing penny stocks
• Frank Tribble – prior SEC investigation for spamming stock, seems to be directing the trades in these shares
• Money from the sale of shares in these stocks is being sent to Scott Bradley’s bank account
• Tribble is in LA County Jail on manslaughter case

Indictment Near, but Need Witnesses on Pump and Dump
• Feds come calling in LA County Jail 12/07
• No progress at first
• On advice of counsel, Tribble cooperates
• Opens up the stock pump and dump
  ▫ Chinese straw owners
  ▫ Use of shell companies
  ▫ Goal of manipulating the market
  ▫ Who’s who re: John Hui, Chinese companies, etc.
• Now we have witnesses for spamming and for pump and dump

IT HAPPENS!
GJ returns Indictment under seal on 12-14-07
John Hui arrested @ 1/08/08 entering US at JFK Airport, indictment unsealed.

Unusual Challenges
• Volume of discovery
  ▫ 3 separate 1 TB portable drives used to store discovery
  ▫ Took longer than normal to produce to defs
• Explaining the case to defendants and defense counsel
  ▫ 41 Counts/ 11 Defendants
  ▫ The role of plea negotiations
  ▫ Value of expertise – CCIPS, SEC, MS, others

Dam begins to break, becomes torrent
• Judy Devenow cooperates and pleads guilty, October 18, 2008
• John Hui cooperates and pleads guilty, December 16, 2008
• “Reverse proffers” begin – Ralsky et al. throw in the towel
• June 22, 2009: Ralsky, Bradley, Bown, Neil and Fite plead guilty
• Patton pleads guilty July 7
• Bragg is fugitive, apprehended and pleads guilty Aug 20

Exposure
Defendant    Plea Agreement
Ralsky       Up to 43 months if cooperates
Bradley      Up to 39 months if cooperates
Devenow      Up to 21 months if cooperates
Bown         Up to 46 months if cooperates
Neil         Up to 37 months if cooperates
Bragg        Up to 30 months if cooperates
Fite         Up to 24 months if cooperates
Hui          Up to 39 months if cooperates
Tribble      Up to 54 months if cooperates
Patton       Up to 16 months if cooperates

Sentencing Dates Set
• November 23 and 24 (Happy Thanksgiving!)
• Court has discretion to fashion appropriate sentences regardless of plea agreements.
• Court will weigh relative culpability of defendants; factors relating to the history and nature of each defendant and role.
• Investigation not yet closed . . .

Lessons
• Get their computers
• Good luck dealing with so many computers
• Records (emails, chat, etc.) likely to be incriminating, but
• Get witnesses who can “tell the story” of what they were doing
• Bring in as much expertise as possible

Thanks
Questions?
Terrence Berg
U.S. Attorney
E.D. Michigan