Ralsky Case Study SUMIT 09 10-20-09

To Catch (and Prosecute) a Spammer: A Case Study of United States v. Alan Ralsky, et al.
Terrence Berg
United States Attorney
Eastern District of Michigan
The “Godfather of Spam”?
• From USA TODAY 6/25/2003
article, by Jon Swartz:
“Given all the crap that's going on with spam, it's probably not
wise to have a high profile,” says Alan Ralsky, 58, who calls
himself “the Godfather of spam.” The gruff West Bloomfield,
Mich., resident says he sends 30 million e-mails abroad each day
peddling jewelry and vacation giveaways.
“I’ll never quit”
• November 22, 2002 Detroit Free Press article by
Mike Wendland:
“I've gone overseas,” [Ralsky] said. “I now send most of my mail from
other countries. And that's a shame. I pay a fortune to providers to do
this, and I'd much rather have it go to American companies. But I have
to stay in business, and if I have to go out of the country, then so be it.”
“I'll never quit,” said the 57-year-old master of spam. “I like what I do.
This is the greatest business in the world.”
• CAN-SPAM Act effective January 1, 2004, 18 U.S.C.
§ 1037.
What was made illegal by CAN-SPAM?
• (1) intentionally falsifying header information;
(2) registering domains using false info;
(3) unauthorized use of proxies to deceive; or
(4) accessing another’s computer without
authorization . . .
• And intentionally initiating “multiple
commercial email messages”
• “multiple” = > 100 in 24 hours; > 1,000 in 30
days; or > 10,000 in 1 year.
Penalties under CAN-SPAM
• 5-year felony if
▫ Committed in furtherance of a felony
▫ Defendant has § 1030 or state spam prior
• 3-year felony if
▫ Use of another’s computer to spam
▫ False registration involving > 20 emails or online user
account registrations or 10 or > domain registrations
▫ Volume email = > 2500 in 24 hours; > 25,000 in 30
days; > 250,000 in 1 year
▫ Offense caused $5000 or > in loss in 1 year
• 1-year misdemeanor otherwise.
Who’d have thought?
• MS referral v. ultimate charges: leads, trap
accts, tunneling, link charts v. Chinese penny
stock pump and dump/ outsourced spamming/
botnet.
• Couldn’t commit crime without Internet and
computers but couldn’t prove crime with
Internet and computers either.
• Complexity of scheme v. simple tools to solve it
Milestones on Road to Prosecution
• Daniel Lin, first CAN-SPAM defendant (4/04),
turned out to have worked for Ralsky.
• MS referral (9/04) FBI and USPIS
▫ Alan Ralsky, Scott Bradley, Judy Devenow
▫ Brazil
▫ Link chart from heqq
• September 2004 – May 2005
▫ Reviewing materials
▫ GJ investigation
• MS referral II (5/05): focus on potentially false
domain registrations.
Milestones
• Many sources of info:
▫ Public source (SPAMHAUS)
▫ Domain registration info
▫ Trap account emails
▫ Bank records
▫ Internet connectivity records
▫ SW on e-mail accounts
• Showed:
▫ Bradley is paying to have over 1000 domain names
registered, some domains registered with false
name/address, high volumes spam from these domains
▫ Devenow co. registered a /21 block of IP numbers
▫ Connectivity for block paid for by Bradley
▫ Computers are in L.A. and Fresno at “GDC Layer One”
Take-down
• Five simultaneous SWs on September 1, 2005
▫ Residences of Ralsky, Bradley (W. Bloomfield), Devenow (E. Lansing)
▫ GDC Layer One in L.A. and Fresno – roll-over SW
▪ Colo and sys admin for mailing operation: John Bown and William Neil
• 64 computers from LA
• 15 computers from MI residences
• 11 computers from Fresno
• Boxes of paper records, free HDs, CDs, floppies
Now comes the hard part
• Need to review and understand 90+ computers
as well as records, etc.
• Other records from GJ subpoenas too.
• Importance of old-fashioned detective work,
evidence
▫ Handwritten notes in Scott Bradley’s house are
tally sheets of stock ticker symbols, and amounts,
seem to divide in “shares”.
▫ Need for witnesses/insiders to tell what was going
on
Emails and Chat
• The stored emails and chat on SB and AR
computers told the story
▫ Paying for proxies
▫ Paying for spammers
▪ 2 spammers and 1 colo guy cooperate, testimony crucial
▪ Records show in-house spamming too
▫ “Frankie” = Frank Tribble
▫ “Hui” = John Hui
▫ Outlines of pump and dump scheme start to take
shape
Need for Real People as Witnesses to Spamming Operation
• Identified 2 low-level spammers and 1 colo guy
• Approach and interview
• Contract spammers admit
▫ Ralsky and Bradley were aware of proxies being
used
▫ Identified certain stocks as ones they spammed
▫ Authenticated chats and e-mails
• Colo guy admits
▫ Use of software to spam – phony header info
▫ Aware of connection to China
The Role of Spamming Software
• “Dark Mailer” ; “Nexus”
• Defs use several kinds
• Updates for Nexus reference “Proxy Scanner” –
intended to find and connect to proxies
• Owner and Developer of Nexus admits his role
in creating software for purpose of spamming
• Lightspeed Marketing and Dave Patton
Overview of Evidence of Stock Manipulation Scheme
• E-mails, chats, and other communications
among co-conspirators
• Sample e-mails from Bradley’s seed account
• Internal financial records
• Analysis of wire transfers, timed with spam
campaigns and internal e-mails
• Analysis of trading activity and market prices
• Testimony of co-conspirators/insiders
What we see from evidence seized
• Appears to be a pump-and-dump.
▫ Approximately 50 Ticker Symbols
▫ Chinese corporations
▫ Shell companies
▫ At least three brokerage firms
▫ Need to consult with SEC
• Many domestic and international mailers being
hired to mail via proxies and botnets, or
whatever means available. Hard to
trace/track/identify.
Post-SW, the operation continues
• We learn they are attempting to set up a bot-net
to spam
• We pursue several investigative avenues that are
unsuccessful
• Examples of evidence
Steps in the Pump and Dump Scam
• Shares of Chinese penny stock companies are
issued to “straw” purchasers in China
▫ Trading accounts opened at same broker over
short period of time in names of numerous foreign
S/H
▫ Immediate deposit of large (200K plus) shares
into newly opened accounts
• Spammers are provided with “news” – ad copy
▫ Spam mail blasted out touting stock
▫ Sales in tens of thousands of shares/day
Overview of Stock Spam Pump and Dump Scheme
[Diagram: flow of the scheme from Day 1 to Day 4, with a stock price chart (axis $0.00 to $6.00)]
• Day 1. Hui/Tribble deposit large blocks of “CWTD” shares into “straw man” brokerage accounts of dozens of phony accountholders (Phony Brokerage Accountholders)
• Day 2. Ralsky/Bradley & mailers send spam touting CWTD
▫ False headers/IPs thru proxies/botnets (Proxies and Bots)
▫ False touts and no disclaimers
▫ Sample spam headers:
Return path: <phony name@phonydomain.com>
X-Original To: <phony name@phony domain>
Delivered To: <phony name@phony domain>
Received from: <false IP/proxy/bogon/botnet>
▫ Sample spam text:
PR Newswire: Major Financial News Released Today: CWTD continues to climb after launching new product/acquisition/announcing major contract. CWTD has more than doubled over the last 8 weeks. We strongly urge you to watch this stock first thing on Monday morning.
Current Price: $0.75
7-day projection: $5.50
E.g., INTERNET IPO!
• Day 3 / Day 4 (price chart):
▫ Spam recipients buy CWTD stock, “pumping” up price
▫ Hui/Tribble sell/“dump” shares of CWTD at inflated prices, price falls
▫ Stock proceeds wired from U.S. brokerage to Hong Kong bank back to Superior Distributing to be dispersed to Ralsky, Hui, Tribble
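The falsified-header pattern sketched in the slide's sample message (phony Return-Path, a Received hop from a false/bogon IP) can be triaged mechanically on the receiving side. The following is an added example, not part of the original presentation; the sample message, domains and IP addresses are constructed, and the check covers only reserved/private ranges (unallocated space would need a current bogon feed).

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the slide's header sketch; every
# domain, address and IP below is made up for illustration.
SAMPLE = """\
Return-Path: <news@phonydomain.example>
Delivered-To: victim@mail.example
Received: from mx.phonydomain.example (unknown [10.23.4.9])
\tby mx.mail.example with SMTP; Mon, 1 Aug 2005 09:00:00 -0400
Received: from pr-newswire.example ([240.1.2.3])
\tby relay.phonydomain.example; Mon, 1 Aug 2005 08:59:58 -0400
From: "PR Newswire" <alerts@pr-newswire.example>
Subject: Major Financial News Released Today: CWTD

Current Price: $0.75
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def triage(raw):
    """List header inconsistencies worth an analyst's attention."""
    msg = message_from_string(raw)
    findings = []
    rp, frm = domain_of(msg["Return-Path"]), domain_of(msg["From"])
    if rp and frm and rp != frm:
        findings.append(f"return-path domain {rp} != from domain {frm}")
    # Received headers are listed newest first; check every bracketed IP.
    for hop in msg.get_all("Received", []):
        for text in IP_IN_BRACKETS.findall(hop):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # e.g. an octet above 255
            if not ip.is_global:
                findings.append(f"non-routable relay address {ip}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Received lines below the first trusted hop are sender-controlled, so a finding here is a lead for correlation with connection logs rather than proof of origin.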
Activity Behind the Scenes
• Numerous wire transactions and
communications between members of the
conspiracy.
• Reimbursement is based upon daily average
stock price
• Negotiation for deals w/new companies
Scope of Scheme
• Potentially three brokerage firms being used.
• >$20 Million to China from ONE firm.
• email4u (Ralsky) says: 20% to us 20% to u 20%
to frank and 40% to the client is that right
• Evidence from searches has split being at least
50/50 and as much as 60/40.
• 50 Ticker Symbols
• >20 accounts at one brokerage firm.
Following the money
• John Hui – Hong Kong CEO of CWTD, has
connection with Chinese companies issuing
penny stocks
• Frank Tribble – prior SEC investigation for
spamming stock, seems to be directing the
trades in these shares
• Money from the sale of shares in these stocks is
being sent to Scott Bradley’s bank account
• Tribble is in LA County Jail on manslaughter
case
Indictment Near, but Need Witnesses on Pump and Dump
• Feds come calling in LA County Jail 12/07
• No progress at first
• On advice of counsel, Tribble cooperates
• Opens up the stock pump and dump
▫ Chinese straw owners
▫ Use of shell companies
▫ Goal of manipulating the market
▫ Who’s who re: John Hui, Chinese companies, etc.
• Now we have witnesses for spamming and for
pump and dump
IT HAPPENS!
• GJ returns Indictment under seal on 12-14-07
• John Hui arrested @ 1/08/08 entering US at JFK Airport, indictment unsealed.
Unusual Challenges
• Volume of discovery
▫ 3 separate 1 TB portable drives used to store
discovery
▫ Took longer than normal to produce to defs
• Explaining the case to defendants and defense
counsel
▫ 41 Counts/ 11 Defendants
▫ The role of plea negotiations
▫ Value of expertise – CCIPS, SEC, MS, others
Dam begins to break, becomes torrent
• Judy Devenow cooperates and pleads guilty,
October 18, 2008
• John Hui cooperates and pleads guilty,
December 16, 2008
• “Reverse proffers” begin – Ralsky et al. throw in
the towel
• June 22, 2009: Ralsky, Bradley, Bown, Neil and
Fite plead guilty
• Patton pleads guilty July 7
• Bragg is fugitive, apprehended and pleads guilty
Aug 20
Exposure
Defendant    Plea Agreement
Ralsky       Up to 43 months if cooperates
Bradley      Up to 39 months if cooperates
Devenow      Up to 21 months if cooperates
Bown         Up to 46 months if cooperates
Neil         Up to 37 months if cooperates
Bragg        Up to 30 months if cooperates
Fite         Up to 24 months if cooperates
Hui          Up to 39 months if cooperates
Tribble      Up to 54 months if cooperates
Patton       Up to 16 months if cooperates
Sentencing Dates Set
• November 23 and 24 (Happy Thanksgiving!)
• Court has discretion to fashion appropriate
sentences regardless of plea agreements.
• Court will weigh relative culpability of
defendants; factors relating to the history and
nature of each defendant and role.
• Investigation not yet closed . . .
Lessons
• Get their computers
• Good luck dealing with so many computers
• Records (emails, chat, etc.) likely to be
incriminating, but
• Get witnesses who can “tell the story” of what
they were doing
• Bring in as much expertise as possible
Thanks
Questions?
Terrence Berg
U.S. Attorney
E.D. Michigan