<http://www.wired.com/news/technology/1,72278-0.html> Wired News E-Gold Gets Tough on Crime By Kim Zetter 02:00 AM Dec, 11, 2006 The founder of PayPal competitor e-gold has grown tired of the government characterizing his business as a haven for money launderers, terrorists, child pornographers and credit card thieves. So a year after the Department of Justice raided his offices, Douglas Jackson, president of Gold and Silver Reserve, which operates e-gold, has been wading deep into his customer transaction logs to identify and fight back against people who misuse his system. In the last month, he's blocked about 2,000 accounts from his system, and he's voluntarily turned over detailed account and transaction histories to federal law enforcement. In the process, Jackson says he's exposed an illicit and previously invisible economic underground. "It's like discovering an undisturbed tomb in Egypt where you've got this archaeological thing," Jackson says about the wealth of data he's uncovered. "There will never be another crack like this one where all of these people have left their footprints with memos that sometimes give us clues as to what they're doing." E-gold is a privately issued digital currency backed by real gold and silver stored in banks in Europe and Dubai. Jackson says about 1,000 new e-gold accounts are opened daily, and the system processes between 50,000 and 100,000 transactions a day. With a value independent of any national legal tender, the electronic cash has cultivated a libertarian image over the years, while drawing the ire of law enforcement agencies who frequently condemn it publicly as an anonymous, untraceable criminal haven, inaccessible to police scrutiny. Jackson says the image is false. Although a user can open an account using a fraudulent name and a proxy server that shields his or her IP address, a permanent record of every transaction remains in the e-gold system, which can help law enforcement agencies track criminals. Jackson says he first became aware that credit card thieves were laundering money through e-gold from 2004 news stories about a Secret Service bust of Shadowcrew, a website where carders congregated. He contacted the Secret Service and pleaded with them to work with him to catch the carders, but the agency inexplicably rebuffed him. Last December, the Department of Justice raided the Melbourne, Florida, office of Gold and Silver Reserve, and seized more than 100 boxes of paper records in a move dubbed Operation Goldwire. "They basically raped our computers and also took us offline for 36 hours, took all the paper out of our office," Jackson says. The government also froze Gold and Silver's U.S. bank account. The company survived, Jackson says, only because its euro, pound and yen accounts are maintained outside the United States. Jackson says the criminal affidavit, filed under seal, accused Gold and Silver of aiding terrorists and child pornographers. But prosecutors later dropped the criminal claim, replacing it with a civil complaint charging Gold and Silver with operating as an unlicensed money-transmitting business. Jackson's lawyers say the charge is bogus because Gold and Silver isn't a money transmitter, since the company doesn't accept cash from customers, only wire transfers. That case is on hold until April, and a Justice Department spokeswoman declined to comment on the suit. Rather than attack him, Justice officials and the Secret Service should have been working with him, says Jackson. Because all the while they were trying to build a case against e-gold, he was gathering evidence that could help them battle the real criminals. Around the time of the Shadowcrew bust, Jackson's staff developed a method for doing global searches in e-gold transactions. So Jackson decided to see if he could find carders in his system by searching the "memo" field, where -- like the memo line on a check -- the sender can note the reason for the transaction. Jackson says some carders, apparently so convinced of their invisibility, don't try to hide the nature of their activity. He searched keywords from news articles about carders, such as "cvv," "dumps" and "cob." The first two terms refer to data encoded on the magnetic stripe of credit cards; the last one stands for "change of billing," referring to credit card accounts for which a crook has changed the billing address to a mail drop under his control. Jackson also searched the online nicknames of specific carders that law enforcement agents mentioned in news reports or at a cybercrime conference Jackson attended: names like Zoomer, Kayser Sose, Smash, Segvec, Jilsi, Ragoo and John Dillinger, a carder who described his crimes for Wired News earlier this year and who recently signed a plea agreement to cooperate with authorities. Jackson says some culprits that authorities deemed "unfindable" were easy to track through e-gold. One appeared to be a high school kid in Louisville, Ohio, judging from information gleaned from his transactions. Jackson tracked two others to Egypt after one of them converted e-gold to cash and had an intermediary load it onto a debit card sent to him by courier. Jackson identified a core group of accounts that appeared to involve carding, and made lists of accounts that exchanged e-gold with them. Patterns emerged. Beginning earlier this year, for example, one account-holder in New York purchased postal orders worth about $6,000 twice a month from three different post offices, exchanged them for e-gold and transferred the funds to an account-holder in the Ukraine. Altogether he purchased about 30 postal orders totaling more than $150,000. In other accounts he found a $17,000 transaction supposedly "for beer" and $10,000 for Louis Vuitton purses. Over two weeks last February, one account-holder moved $29,000 worth of e-gold to purchase Sony Vaio computers, followed two days later by $30,000 for more Sony Vaios, and $40,000 four days after that. The recipient of the funds accumulated more than $900,000 in e-gold over a brief period of time, more than half of which remained parked in his account. The timing of the transactions, last spring, corresponded with news articles reporting a serious wave of debit card breaches across the country that caused several banks to reissue compromised cards. By matching other data, like time stamps, IP addresses and hashes of passwords, Jackson could sometimes identify when one person controlled or used different accounts. "The good ones will have a different IP address every time they touch the internet," he says. "But every once in a while you get one of these bad guys on one of these accounts where ... he may use a fixed IP." Jackson decided that law enforcement needed to know about what he'd found. He'd received and complied with hundreds of subpoenas in the past -- from FBI, Secret Service, Drug Enforcement Agency and international law enforcement agencies. But this time he had trouble finding someone to work with him. Since the Secret Service had already dismissed him, he approached the FBI and U.S. Postal Inspection Service, but got the runaround. Jackson said one agency wanted his company to sign an agreement stating he wouldn't be immune from prosecution if authorities, in the process of obtaining information from him, found something that could incriminate e-gold. He refused to sign, but began assisting postal inspectors and other agents voluntarily. Jackson acknowledges some discomfort over the decision to give information to the feds without legal process -- a move that could save e-gold from further law enforcement aggression, while tarnishing its libertarian sheen. His lawyers aren't bothered by the move, however. They say agents repeatedly promised to provide Jackson with court orders since last February but have not come through. "You have a very strong documented relationship with these agents asking about particular people with the promise that they are going to be subpoenaing," says Jackson attorney Andrew Ittleman. "Just because they never ultimately gave him a subpoena doesn't put the fault on Jackson -- it's on the agents. He was acting in good faith." His lawyers also say that once the company discovered evidence of possible wrongdoing, it had no choice but to hand over information to the government. Jackson could even have been charged with aiding and abetting money launderers under federal statutes if he didn't report the suspicious activity. "E-gold, because of the way in which it operates, creates the potential for a misuse," says lead attorney Mitchell Fuerst. "And to the extent that that can happen, I think the company has an ethical and a legal obligation to prevent those crimes from being committed." But the company thinks it's unlikely that anyone involved in illicit activity would sue e-gold for blocking their account or giving their data to law enforcement. Kevin Bankston, staff attorney for the Electronic Frontier Foundation, says e-gold is violating its privacy policy, which states that the company won't hand over data except under court order. Its actions "could open it to liability under contract violation and false advertising and unfair competition claims," he says. In November, Jackson began running an automated script to blacklist accounts he identified as suspicious. The digital funds aren't frozen, and the account holder can conceivably get the money out by transferring it to another account he controls, or to a different e-gold customer. But then those accounts get blocked, too. "We're looking to make these people into vagabond zombies," he says. "They can log into the account and send payment to someone who's willing to accept payment from them, but at that other person's risk." But the aggressive policing is chafing some users, who say they did nothing wrong and were improperly banned. Cesar Carranza runs a business called uBuyWeRush selling liquidation and overstock merchandise online and from three California stores. He uses e-gold for some overseas customers because, unlike credit card and PayPal transactions, e-gold purchases are irreversible and there are no charge-backs to the merchant. "I am a reputable merchant," he says. "I am not a con artist or a thief." Carranza was arrested in 2004 but never charged with anything. At the time, he was selling MSR-206s through eBay -- devices used to encode data on the magnetic strip of credit cards. It's not illegal to sell them, but carders often use them to code stolen credit and debit card numbers onto blank cards. Carranza says police accused him of selling merchandise to terrorists. He's since sold the MSR part of his business. Last month, e-gold blocked two of his accounts containing about $19,000, providing little information about why. Carranza says the block hasn't hurt his business but he'll never use e-gold again and is considering legal action to get his funds. "I no longer trust the e-gold integrity," he says. -- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'