After months of working directly and proactively with the FBI and indirectly (through the FBI) with Dutch authorities, we were able to announce today that critical evidence provided by us has resulted in the continued pretrial detainment of an individual in the Netherlands who controlled a massive botnet and used it, or part of it, to distribute our software and who knows what else. While we are still somewhat constrained from talking about all the nitty-gritty details, we thought it would be interesting to provide a bit more color to the whole story.
In early 2005, one of the now-arrested botnet suspects signed a distribution agreement with us using www.LOUDcash.com, our automated portal for web publishers to enter into distribution partnerships with us. (Incidentally, we are transitioning all LOUDCash partners to our new automated platform, www.zangocash.com. This transition will be complete by November 30th.) At the time he signed up, he was running a games website (with an “.nl” suffix) that offered free access to premium content if the user installed the 180search Assistant. In short, he signed up with us like any other webmaster. We verified that the website existed and that the contact and payment information he provided to us was accurate.
At some point after signing up, the suspect decided he would leverage part of what turned out to be a massive botnet of 1.5 million PCs to illegally distribute the 180search Assistant. We discovered something was wrong right away because his conversion rates began spiking to much higher levels than they had been historically. In other words, his site was generating far more installations of our search assistant than it had been doing previously. This triggered an investigation and, quickly thereafter, a suspension of his account. We also proactively alerted the Seattle FBI office about the situation. We discovered that those who had received the 180search Assistant through this botnet likely did so without the proper notification and consent. Fortunately, we stopped it quickly enough that we believe only a relatively small number of people received the 180search Assistant in this fraudulent manner.
After being shut off, the suspect contacted us in early August threatening a distributed denial of service (DDoS) attack if we did not pay him what he believed was “owed” him (for fraudulently procured installations). While we can’t disclose the amount demanded, suffice it to say it was surprisingly small. We refused to pay the ransom and, in early August, the promised DDoS attack on http://partners.loudcash.com ensued.
Fortunately, the attack didn’t last very long. After a certain period of time, and again as promised, the attack stopped, and the suspect then engaged in a series of electronic communications with us basically taunting us and reminding us that he was in control and that we should meet his monetary demands. The mountain of evidence grew, and grew, and grew. The suspect even provided his bank account information to which he wanted the wire transmission of the ransom to go! While we already had that information because he was a prior partner, it was interesting he would give us that kind of information, particularly in an electronic format.
Behind the scenes, it appears that the Dutch authorities were already hot on the heels of the suspect and a couple of his cohorts. As widely reported, in early October the Dutch arrested the three botnet suspects despite apparently being unaware of our evidence as forwarded to the FBI. Two and two came together and the Dutch authorities got that evidence, which provided them the missing link to the extortion charges and a reason under Dutch legal procedures to keep these guys locked up pretrial as long as possible. Suffice it to say, we are thrilled this guy is in custody and it sends a clear message that the private sector and law enforcement can work together to combat the growing threat of online crime.
In the coming days, we’ll talk about what we learned from this experience and how we’ve changed our technology to minimize the possibility of such crimes and maximize enforcement, prosecution and recovery if they do occur.