On Wednesday, the U.S. Justice Department announced that it had obtained convictions against a cybercrime gang that committed securities fraud through the use of botnets and spam. Oddly enough, none of the botmasters or spammers who assisted in the scheme were brought to justice or identified beyond their hacker handles. This blog post may change that.
The defendants who pleaded or were found guilty in this case were convicted of orchestrating “pump-and-dump” stock scams. These are schemes in which fraudsters buy up low-priced stock, blast out millions of spam e-mails touting the stock as a hot buy and then dump their shares as soon as the share price ticks up from all of the spam respondents buying into the scam.
A press release from the U.S. Attorney for the District of New Jersey noted that ringleader of the scam, 44-year-old Christopher Rad, of Cedar Park, Texas, communicated with the spammers via Skype, addressing them by their hacker aliases, such as “breg,” “ega,” “billybob6001” and “be3ez12”. But something in my memory clicked when I saw that last nickname.
So I had a look at the data on the top spammers who worked for SpamIt, a cybercrime organization that paid spammers to promote rogue Internet pharmacies. Sure enough, it turns out that a SpamIt affiliate who used the screen name “be3ez12” made more than USD $186,000 blasting junk email for SpamIt between 2007 and 2010. Be3ez12 registered with SpamIt using the email address firstname.lastname@example.org, which has a rich history dating back to at least 2003. A hacker using the nickname “be3ez12” also spammed for a competing rogue online pharmacy program — Rx-Promotion — although I don’t have earnings data for that account (for more on how I acquired the SpamIt and Rx-Promotion data, see my Pharma Wars series).
In 2003, prior to the creation of either pharmacy program, a user named Rahul123 registered with that email@example.com address on the (NSFW) adult Webmaster forum gofuckyourself.com. Over the course of the next year or so, Rahul123 posted at least 40 discussion threads blatantly offering to spam just about anything for anyone who would hire his services.
It’s not clear yet what botnet or other method Rahul/be3ez12 used to blast out his spam during the time he allegedly aided in these stock scams, but there are some intriguing clues about his identity in real life. The firstname.lastname@example.org address is tied to a single Facebook account, which features the identity of a Rahul Sachdeva, a 26-year-old currently living in Deer Park, NY. Further searching on this individual shows that he is the owner of a company in Deer Park called Online Business Marketing Management Inc.
Granted, this could all be a hoax or a strange coincidence. To my knowledge, Mr. Sachdeva has not been charged with any crime. Nobody answered at the phone numbers assigned to Sachdeva or his company, and requests for comment sent to the email@example.com address went unanswered.