To Catch (and Prosecute) a Spammer: A Case Study of United States v. Alan Ralsky, et al.
Terrence Berg
United States Attorney
Eastern District of Michigan
The “Godfather of Spam”?
•From USA TODAY 6/25/2003 article, by Jon Swartz:
“Given all the crap that's going on with spam, it's probably not wise to have a high profile,” says Alan Ralsky, 58, who calls himself “the Godfather of spam.” The gruff West Bloomfield, Mich., resident says he sends 30 million e-mails abroad each day peddling jewelry and vacation giveaways.
“I’ll never quit”
• November 22, 2002 Detroit Free Press article by Mike Wendland:
“I've gone overseas,” [Ralsky] said. “I now send most of my mail from other countries. And that's a shame. I pay a fortune to providers to do this, and I'd much rather have it go to American companies. But I have to stay in business, and if I have to go out of the country, then so be it.” “I'll never quit,” said the 57-year-old master of spam. “I like what I do. This is the greatest business in the world.”
• CAN-SPAM Act effective January 1, 2004, 18 U.S.C. § 1037.
What was made illegal by CAN-SPAM?
• (1) intentionally falsifying header information; (2) registering domains using false info; (3) unauthorized use of proxies to deceive; or (4) accessing another’s computer without authorization . . .
•And intentionally initiating “multiple commercial email messages”
•“multiple” = > 100 in 24 hours; > 1,000 in 30 days; or > 10,000 in 1 year.
Penalties under CAN-SPAM
• 5-year felony if
▫Committed in furtherance of a felony
▫Defendant has § 1030 or state spam prior
• 3-year felony if
▫Use of another’s computer to spam
▫False registration involving > 20 emails or online user account registrations or 10 or > domain registrations
▫Volume email = > 2500 in 24 hours; > 25,000 in 30 days; > 250,000 in 1 year
▫Offense caused $5000 or > in loss in 1 year
• 1-year misdemeanor otherwise.
Who’d have thought?
•MS referral v. ultimate charges: leads, trap accts, tunneling, link charts v. Chinese penny stock pump and dump/ outsourced spamming/ botnet.
•Couldn’t commit crime without Internet and computers but couldn’t prove crime with Internet and computers either.
•Complexity of scheme v. simple tools to solve it
Milestones on Road to Prosecution
•Daniel Lin, first CAN-SPAM defendant (4/04), turned out to have worked for Ralsky.
•MS referral (9/04) FBI and USPIS
▫Alan Ralsky, Scott Bradley, Judy Devenow
▫Brazil
▫Link chart from heqq
•September 2004 – May 2005
▫Reviewing materials
▫GJ investigation
•MS referral II (5/05): focus on potentially false domain registrations.
Milestones
•Many sources of info:
▫ Public source (SPAMHAUS)
▫ Domain registration info
▫ Trap account emails
▫ Bank records
▫ Internet connectivity records
▫ SW on e-mail accounts
•Showed:
▫ Bradley is paying to have over 1000 domain names registered, some domains registered with false name/address, high volumes spam from these domains
▫ Devenow co. registered a /21 block of IP numbers
▫ Connectivity for block paid for by Bradley
▫ Computers are in L.A. and Fresno at “GDC Layer One”
Take-down
•Five simultaneous SWs on September 1, 2005
▫Residences of Ralsky, Bradley (W. Bloomfield), Devenow (E. Lansing)
▫GDC Layer One in L.A. and Fresno – roll-over SW Colo and sys admin for mailing operation: John Bown and William Neil
•64 computers from LA
•15 computers from MI residences
•11 computers from Fresno
•Boxes of paper records, free HDs, CDs, floppies
Now comes the hard part
•Need to review and understand 90+ computers as well as records, etc.
•Other records from GJ subpoenas too.
•Importance of old-fashioned detective work, evidence
▫Handwritten notes in Scott Bradley’s house are tally sheets of stock ticker symbols, and amounts, seem to divide in “shares”.
▫Need for witnesses/insiders to tell what was going on
Emails and Chat
•The stored emails and chat on SB and AR computers told the story
▫Paying for proxies
▫Paying for spammers
•2 spammers and 1 colo guy cooperate, testify - crucial
•Records show in-house spamming too
▫“Frankie” = Frank Tribble
▫“Hui” = John Hui
▫Outlines of pump and dump scheme start to take shape
Need for Real People as Witnesses to Spamming Operation
• Identified 2 low-level spammers and 1 colo guy
•Approach and interview
•Contract spammers admit
▫Ralsky and Bradley were aware of proxies being used
▫Identified certain stocks as ones they spammed
▫Authenticated chats and e-mails
•Colo guy admits
▫Use of software to spam – phony header info
▫Aware of connection to China
The Role of Spamming Software
•“Dark Mailer”; “Nexus”
•Defs use several kinds
•Updates for Nexus reference “Proxy Scanner” – intended to find and connect to proxies
•Owner and Developer of Nexus admits his role in creating software for purpose of spamming
•Lightspeed Marketing and Dave Patton
Overview of Evidence of Stock Manipulation Scheme
•E-mails, chats, and other communications among co-conspirators
•Sample e-mails from Bradley’s seed account
• Internal financial records
•Analysis of wire transfers, timed with spam campaigns and internal e-mails
•Analysis of trading activity and market prices
•Testimony of co-conspirators/insiders
What we see from evidence seized
•Appears to be a pump-and-dump.
▫Approximately 50 Ticker Symbols
▫Chinese corporations
▫Shell companies
▫At least three brokerage firms
▫Need to consult with SEC
•Many domestic and international mailers being hired to mail via proxies and botnets, or whatever means available. Hard to trace/track/identify.
Post-SW, the operation continues
•We learn they are attempting to set up a bot-net to spam
•We pursue several investigative avenues that are unsuccessful
•Examples of evidence
Steps in the Pump and Dump Scam
•Shares of Chinese penny stock companies are issued to “straw” purchasers in China
▫Trading accounts opened at same broker over short period of time in names of numerous foreign S/H
▫Immediate deposit of large (200K plus) shares into newly opened accounts
•Spammers are provided with “news” – ad copy
▫Spam mail blasted out touting stock
▫Sales in tens of thousands of shares/day
Return path: <phony name@phony domain>
To: <phony name@phony domain>
Delivered To: <phony name@phony domain>
Received from: <false IP/proxy/bogon/botnet>
PR Newswire: Major Financial News Released Today: CWTD continues to climb after launching new product/acquisition/announcing major contract. CWTD has more than doubled over the last 8 weeks. We strongly urge you to watch this stock first thing on Monday morning.
Current Price: $0.75
7-day projection: $5.50
E.g., INTERNET IPO!
Overview of Stock Spam Pump and Dump Scheme
Day 1. Hui/Tribble deposit large blocks of “CWTD” shares into “straw man” brokerage accounts of dozens of phony accountholders
Day 2. Ralsky/Bradley & mailers send spam touting CWTD
▫False headers/IPs thru proxies/botnets
▫False touts and no disclaimers
Day 3. Spam recipients buy CWTD stock, “pumping” up price
Day 4. Hui/Tribble sell/“dump” shares of CWTD at inflated prices, price falls
Stock proceeds wired from U.S. brokerage to Hong Kong bank back to Superior Distributing to be dispersed to Ralsky, Hui, Tribble
(Diagram labels: “Proxies and Bots”; “Phony Brokerage Accountholders”; price chart axis from $0.00 to $6.00.)
Activity Behind the Scenes
•Numerous wire transactions and communications between members of the conspiracy.
•Reimbursement is based upon daily average stock price
•Negotiation for deals w/new companies
Scope of Scheme
•Potentially three brokerage firms being used.
•>$20 Million to China from ONE firm.
•email4u (Ralsky) says: 20% to us 20% to u 20% to frank and 40% to the client is that right
•Evidence from searches has split being at least 50/50 and as much as 60/40.
•50 Ticker Symbols
•>20 accounts at one brokerage firm.
Following the money
•John Hui – Hong Kong CEO of CWTD, has connection with Chinese companies issuing penny stocks
•Frank Tribble – prior SEC investigation for spamming stock, seems to be directing the trades in these shares
•Money from the sale of shares in these stocks is being sent to Scott Bradley’s bank account
•Tribble is in LA County Jail on manslaughter case
Indictment Near, but Need Witnesses on Pump and Dump
•Feds come calling in LA County Jail 12/07
•No progress at first
•On advice of counsel, Tribble cooperates
•Opens up the stock pump and dump
▫Chinese straw owners
▫Use of shell companies
▫Goal of manipulating the market
▫Who’s who re: John Hui, Chinese companies, etc.
•Now we have witnesses for spamming and for pump and dump
IT HAPPENS!
GJ returns Indictment under seal on 12-14-07
John Hui arrested @ 1/08/08 entering US at JFK Airport, indictment unsealed.
Unusual Challenges
•Volume of discovery
▫3 separate 1 TB portable drives used to store discovery
▫Took longer than normal to produce to defs
•Explaining the case to defendants and defense counsel
▫41 Counts/ 11 Defendants
▫The role of plea negotiations
▫Value of expertise – CCIPS, SEC, MS, others
Dam begins to break, becomes torrent
• Judy Devenow cooperates and pleads guilty, October 18, 2008
• John Hui cooperates and pleads guilty, December 16, 2008
•“Reverse proffers” begin – Ralsky et al. throw in the towel
• June 22, 2009: Ralsky, Bradley, Bown, Neil and Fite plead guilty
•Patton pleads guilty July 7
•Bragg is fugitive, apprehended and pleads guilty Aug 20
Exposure
Defendant Plea Agreement
Ralsky Up to 43 months if cooperates
Bradley Up to 39 months if cooperates
Devenow Up to 21 months if cooperates
Bown Up to 46 months if cooperates
Neil Up to 37 months if cooperates
Bragg Up to 30 months if cooperates
Fite Up to 24 months if cooperates
Hui Up to 39 months if cooperates
Tribble Up to 54 months if cooperates
Patton Up to 16 months if cooperates
Sentencing Dates Set
•November 23 and 24 (Happy Thanksgiving!)
•Court has discretion to fashion appropriate sentences regardless of plea agreements.
•Court will weigh relative culpability of defendants; factors relating to the history and nature of each defendant and role.
•Investigation not yet closed . . .
Lessons
•Get their computers
•Good luck dealing with so many computers
•Records (emails, chat, etc.) likely to be incriminating, but
•Get witnesses who can “tell the story” of what they were doing
•Bring in as much expertise as possible
Thanks
Questions?
Terrence Berg
U.S. Attorney
E.D. Michigan