DOJ Prosecutes Operators of Pump and Dump Securities Scheme Under CAN-SPAM and CFAA

January 3, 2008. The U.S. District Court (EDMich) unsealed an indictment that charges Alan M. Ralsky and ten other persons with violation of criminal prohibitions of the federal CAN-SPAM Act (18 U.S.C. § 1037), violation of the federal Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030), and other federal crimes, but not any federal securities laws, in connection with the operation of a pump and dump securities fraud operation.

The most significant aspect of this matter is that the defendants are alleged to have operated a pump and dump securities fraud scheme from which they profited, and investors were harmed, in the millions of dollars. Yet, the indictment does not charge securities fraud.

Rather, it charges that the pumping of stocks by sending fraudulent bulk unsolicited commercial e-mail violates the federal anti-spam statute. It also charges that the pumping of stocks was accomplished in violation of the federal computer hacking statute through the use of botnet distribution of e-mail messages.

The Department of Justice (DOJ) stated in a release that the defendants operated "a sophisticated and extensive spamming operation that ... largely focused on running a stock 'pump and dump' scheme, whereby the defendants sent spam touting thinly traded Chinese penny stocks, drove up their stock price, and reaped profits by selling the stock at artificially inflated prices."

It adds that "the defendants used various illegal methods in order to maximize the amount of spam that evaded spam-blocking devices and tricked recipients into opening, and acting on, the advertisements in the spam. These included using falsified 'headers' in the email messages, using proxy computers to relay the spam, using falsely registered domain names to send the spam, as well as making misrepresentations in the advertising content of some of the underlying email messages."

False E-Mail Header Information. The indictment alleges the use of forged header information in e-mail messages. Section 1037(a)(3) provides that "Whoever, in or affecting interstate or foreign commerce, knowingly ... materially falsifies header information in multiple commercial electronic mail messages and intentionally initiates the transmission of such messages ... or conspires to do so, shall be punished ..."

Fraudulent Domain Name Registration. The indictment also alleges the fraudulent registration of domain names. Section 1037(a)(4) provides that whoever knowingly "registers, using information that materially falsifies the identity of the actual registrant, for five or more electronic mail accounts or online user accounts or two or more domain names, and intentionally initiates the transmission of multiple commercial electronic mail messages from any combination of such accounts or domain names" shall be punished.

Use of a Botnet. The indictment also alleges the use of a botnet. Botnet is a slang term of recent origin derived from the words robot network. It is used to describe a collection of software robots that reside on a collection of compromised computers, almost always without the authority or knowledge of the owners or operators, that are controlled remotely for various nefarious purposes. The compromised computers are often referred to as zombies. The purposes for forming botnets include sending spam, running denial of service attacks, committing click fraud, and spyware. In the present case, the indictment alleges the use of a botnet to send the spam messages that pumped stocks.

The indictment states that a botnet "is a network of computers infected with malicious software that allows a third party to control the entire computer network without the knowledge or consent of the computer owners. Each of the infected computers is referred to as a 'bot'. A botnet can be used by spammers to send spam through the network of infected bot computers, using each of the infected computers to transmit the spam e-mail, in order to hide the true origin of the spam and helping the spammer to remain anonymous, and evade anti-spam filters and other blocking techniques."

The indictment alleges violation of three statutory sections. First, it alleges violation of Section 1037(a)(1), which provides that whoever knowingly "accesses a protected computer without authorization, and intentionally initiates the transmission of multiple commercial electronic mail messages from or through such computer" shall be punished. Second, it alleges violation of Section 1037(a)(2), which provides that whoever knowingly "uses a protected computer to relay or retransmit multiple commercial electronic mail messages, with the intent to deceive or mislead recipients, or any Internet access service, as to the origin of such messages" shall be punished.

Third, it alleges violation of Sections 1030(a)(5)(A)(i) and 1030(a)(5)(B)(i), which provide that whoever "knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer" and thereby causes "loss to 1 or more persons during any 1-year period ... aggregating at least $5,000 in value" shall be punished.

While the DOJ has obtained an indictment under three statutory sections in connection with the use of botnets, various tech sector trade groups and members of Congress are arguing for amendment of Section 1030 on the grounds that it does not adequately enable prosecutors and private litigants to pursue botnet creators, operators and users.

For example, on May 14, 2007, Rep. Adam Schiff (D-CA), Rep. Steve Chabot (R-OH) and others introduced HR 2290, the "Cyber-Security Enhancement Act of 2007", to, among other things, address the problems associated with botnets.

The broadest prohibition of Section 1030 is found in 1030(a)(5). The present indictment charges violation of 1030(a)(5). 1030(a)(5)(A) lists three types of criminal acts. Then, 1030(a)(5)(B) enumerates five types of damage that are sufficient to sustain a prosecution. Several are specialized types of damage (government or health care computers, resulting in physical injury, or creating a threat to public safety). The fifth type of damage is broad, but requires a minimum loss of $5,000. The present indictment relies upon the $5,000 in damages item.

Rep. Schiff's bill would add a sixth type of damage, "damage affecting ten or more protected computers during any 1-year period". The damage could be of any kind. The damage need not have any minimum monetary value. This would extend the reach of 1030(a)(5) to anyone who creates, herds, or takes over even the smallest of botnets.

See also, story titled "Rep. Schiff and Rep. Chabot Introduce Bill to Expand § 1030" in TLJ Daily E-Mail Alert No. 1,583, May 18, 2007.

Other Charges. The indictment also alleges criminal conspiracy (18 U.S.C. § 371), criminal fraud (18 U.S.C. § 1341), wire fraud (18 U.S.C. § 1343), money laundering (18 U.S.C. § 1956 and 18 U.S.C. § 1957), and lying to federal agents (18 U.S.C. § 1001). The indictment also seeks forfeiture.

The indictment does not charge violation of the federal Racketeer Influenced and Corrupt Organizations (RICO) statute, which is codified at 18 U.S.C. § 1961, et seq. It could not. Neither the CAN-SPAM Act nor the CFAA is a predicate offense for RICO prosecutions. However, HR 2290 would make Section 1030 a predicate offense.

The DOJ release lists other agencies that worked with the DOJ in this case. It does not list the Securities and Exchange Commission (SEC). The SEC does not have criminal enforcement authority. However, it works with the DOJ, which brings criminal securities cases. The SEC also often brings parallel civil actions. The SEC has not announced any action against Ralsky. TLJ spoke with an SEC spokesman who said that the SEC does not talk about cases that it has not brought.

The DOJ did not promptly return a phone call from TLJ.