September 2, 2019

Federal prosecutors in California have filed criminal charges against four employees of Adconion Direct, an email advertising firm, alleging they unlawfully hijacked vast swaths of Internet addresses and used them in large-scale spam campaigns. KrebsOnSecurity has learned that the charges are likely just the opening salvo in a much larger, ongoing federal investigation into the company’s commercial email practices.

Prior to its acquisition, Adconion offered digital advertising solutions to some of the world’s biggest companies, including Adidas, AT&T, Fidelity, Honda, Kohl’s and T-Mobile. Amobee, the Redwood City, Calif. online ad firm that acquired Adconion in 2014, bills itself as the world’s leading independent advertising platform. The CEO of Amobee is Kim Perell, formerly CEO of Adconion.

In October 2018, prosecutors in the Southern District of California named four Adconion employees — Jacob Bychak, Mark Manoogian, Petr Pacas, and Mohammed Abdul Qayyum — in a ten-count indictment on charges of conspiracy, wire fraud, and electronic mail fraud. All four men have pleaded not guilty to the charges, which stem from a grand jury indictment handed down in June 2017.

‘COMPANY A’

The indictment and other court filings in this case refer to the employer of the four men only as “Company A.” However, LinkedIn profiles under the names of three of the accused show they each work(ed) for Adconion and/or Amobee.

Mark Manoogian is an attorney whose LinkedIn profile states that he is director of legal and business affairs at Amobee, and formerly was senior business development manager at Adconion Direct; Bychak is listed as director of operations at Adconion Direct; Qayyum’s LinkedIn page lists him as manager of technical operations at Adconion. A statement of facts filed by the government indicates Petr Pacas was at one point director of operations at Company A (Adconion).

According to the indictment, between December 2010 and September 2014 the defendants engaged in a conspiracy to identify or pay to identify blocks of Internet Protocol (IP) addresses that were registered to others but which were otherwise inactive.

The government alleges the men sent forged letters to an Internet hosting firm claiming they had been authorized by the registrants of the inactive IP addresses to use that space for their own purposes.

“Members of the conspiracy would use the fraudulently acquired IP addresses to send commercial email (‘spam’) messages,” the government charged.

HOSTING IN THE WIND

Prosecutors say the accused were able to spam from the purloined IP address blocks after tricking the owner of Hostwinds, an Oklahoma-based Internet hosting firm, into routing the fraudulently obtained IP addresses on their behalf.

Hostwinds owner Peter Holden was the subject of a 2015 KrebsOnSecurity story titled, “Like Cutting Off a Limb to Save the Body,” which described how he’d initially built a lucrative business catering mainly to spammers, only to later have a change of heart and aggressively work to keep spammers off of his network.

That a case of such potential import for the digital marketing industry has escaped any media attention for so long is unusual but not surprising given what’s at stake for the companies involved and for the government’s ongoing investigations.

Adconion’s parent Amobee manages ad campaigns for some of the world’s top brands, and has every reason not to call attention to charges that some of its key employees may have been involved in criminal activity.

Meanwhile, prosecutors are busy following up on evidence supplied by several cooperating witnesses in this and a related grand jury investigation, including a confidential informant who received information from an Adconion employee about the company’s internal operations.

THE BIGGER PICTURE

According to a memo jointly filed by the defendants, “this case spun off from a larger ongoing investigation into the commercial email practices of Company A.” Ironically, this memo appears to be the only one of several dozen documents related to the indictment that mentions Adconion by name (albeit only in a series of footnote references).

Prosecutors allege the four men bought hijacked IP address blocks from another man tied to this case who was charged separately. This individual, Daniel Dye, has a history of working with others to hijack IP addresses for use by spammers.

For many years, Dye was a system administrator for Optinrealbig, a Colorado company that relentlessly pimped all manner of junk email, from mortgage leads and adult-related services to counterfeit products and Viagra.

Optinrealbig’s CEO was the spam king Scott Richter, who later changed the name of the company to Media Breakaway after being successfully sued for spamming by AOL, Microsoft, MySpace, and the New York Attorney General’s Office, among others. In 2008, this author penned a column for The Washington Post detailing how Media Breakaway had hijacked tens of thousands of IP addresses from a defunct San Francisco company for use in its spamming operations.

Dye has been charged with violations of the CAN-SPAM Act. A review of the documents in his case suggests Dye accepted a guilty plea agreement in connection with the IP address thefts and is cooperating with the government’s ongoing investigation into Adconion’s email marketing practices, although the plea agreement itself remains under seal.

Lawyers for the four defendants in this case have asserted in court filings that the government’s confidential informant is an employee of Spamhaus.org, an organization that many Internet service providers around the world rely upon to help identify and block sources of malware and spam.

Interestingly, in 2014 Spamhaus was sued by Blackstar Media LLC, a bulk email marketing company and subsidiary of Adconion. Blackstar’s owners sued Spamhaus for defamation after Spamhaus included them at the top of its list of the Top 10 world’s worst spammers. Blackstar later dropped the lawsuit and agreed to pay Spamhaus’ legal costs.

Representatives for Spamhaus declined to comment for this story. Responding to questions about the indictment of Adconion employees, Amobee’s parent company SingTel referred comments to Amobee, which issued a brief statement saying, “Amobee has fully cooperated with the government’s investigation of this 2017 matter which pertains to alleged activities that occurred years prior to Amobee’s acquisition of the company.”

ONE OF THE LARGEST SPAMMERS IN HISTORY?

It appears the government has been investigating Adconion’s email practices since at least 2015, and possibly as early as 2013. The very first result in an online search for the words “Adconion” and “spam” returns a Microsoft PowerPoint document that was presented alongside this talk at an ARIN meeting in October 2016. ARIN stands for the American Registry for Internet Numbers, and it handles IP address allocations for entities in the United States, Canada and parts of the Caribbean.

As the screenshot above shows, that PowerPoint deck was originally named “Adconion – Arin,” but the file has since been renamed. That is, unless one downloads the file and looks at the metadata attached to it, which shows the original filename and that it was created in 2015 by someone at the U.S. Department of Justice.

Slide #8 in that PowerPoint document references a case example of an unnamed company (again, “Company A”), which the presenter said was “alleged to be one of the largest spammers in history,” that had hijacked “hundreds of thousands of IP addresses.”

A slide from an ARIN presentation in 2016 that referenced Adconion.

There are fewer than four billion IPv4 addresses available for use, and the vast majority of them have already been allocated. In recent years, this global shortage has turned IP addresses into a commodity, with each IP fetching between $15 and $25 on the open market.

The dearth of available IP addresses has created boom times for those engaged in the acquisition and sale of IP address blocks. It also has emboldened scammers and spammers who specialize in absconding with and spamming from dormant IP address blocks without permission from the rightful owners.

In May, KrebsOnSecurity broke the news that Amir Golestan — the owner of a prominent Charleston, S.C. tech company called Micfo LLC — had been indicted on criminal charges of fraudulently obtaining more than 735,000 IP addresses from ARIN and reselling the space to others.

KrebsOnSecurity has since learned that for several years prior to 2014, Adconion was one of Golestan’s biggest clients. More on that in an upcoming story.


21 thoughts on “Feds Allege Adconion Employees Hijacked IP Addresses for Spamming”

  1. The Sunshine State

    Every once in a while, I see Spamvertising websites hosted on, you guessed it, Hostwind (.)com

  2. Mikey Doesn't Like It

    Brian, your link to the indictment actually goes to the defendants’ Motion for Discovery, not the indictment.

    Is the correct link available?

    TIA.

  3. Greg

    Haha, brilliant story.

    I’m going to whois a bunch of IPs in my spam email.
    Let’s see if I can get any reported for stealing IPs too.

  4. Belli H.

    Medium(s) and property rights/ownership?

    “Unused” medium and the road to “criminal offense which ends up on the highway of legitimacy??

    Anybody here old enough to remember the very early days of both radio and then TV? Time blocks/spots that were sold by broadcasting entities which remained unused to the point that they where those slots illegally ended up being re-sold (by both broadcasting entities and then more by resellers)? This was rampant at the birth of radio, then TV. To wit: the origins of NBCs and CBSs of the world are not so innocent as you might think.

    An interesting road to legitimacy……

    It’s happening here, again, in this “wild-west” digital age. You’ll see it if you can make your mind lift itself up to a high enough distant perspective where things become somewhat clearer.

    Anyhow, this story (thanks again for another great read, Brian!) strikes me as history repeating itself, sort of.

    1. IGoogledIt

      You got me interested in the NBC and CBS origin stories now. Any links you could provide would be greatly appreciated.

    2. somguy

      Or the origins of Hollywood itself, started in California to get away from New York and Edison’s patent enforcers. As much as they are against piracy… they all started from it!

  5. Readership1

    There is no shortage of IPv4 addresses. It’s a myth perpetuated by the groups hoarding them, to increase their value and scarcity. Just like gold.

    As for the defendants, don’t assume what you read on LinkedIn is accurate. If it was, I’d actually be the CEO of several companies. Simultaneously.

    1. JBA

      The value of tinfoil goes up every time you post another inane conspiracy theory, too.

  6. George

    Telephone numbers are likely harvested by crooked employees as well.

  7. Mikey

    Starting the second paragraph with “Prior to its acquisition” made me think I had misread the first paragraph. And then later it turns out that Amobee may have bought Adconion but it isn’t the parent company, it is SingTel. This makes it confusing to me.

    1. BrianKrebs Post author

      Amobee bought Adconion in 2014. SingTel is the parent company of Amobee. What’s confusing there?

      1. Chris

        Prior to that, Adconion bought Frontline Direct, a huge email marketing company started by Kim Perell, a few years earlier. Amobee hides the email portion of their biz well, but it’s very much in their DNA, and still bringing in the lion’s share of Amobee’s revenue currently using 3rd party partners.

  8. Anonymous

    No surprise seeing the name Scott Richter pop up in this article. That dude has been spamming his entire life, literally one of the most OG American spammers still around including people like Alan Ralsky. Spammers gunna spam.

  9. NHunt

    Brian, I appreciate the article and insight. I wasn’t able to surmise if there was a recent update/event in this case/situation that caused you to write about it now. Did something new occur that I missed, or was it just the timing given the research and cycle times that led to your article now?

    1. BrianKrebs Post author

      You mean apart from the fact that no one had reported this lawsuit prior to my story? No other reason, except that it’s pretty remarkable that such a big story has been kept quiet this long.

      1. Norman

        Well, that answers that. I assumed, bad on me, that this was reported before, and I just missed it. It is amazing that this sat for so long. Great work as always Brian.

  10. Anonymous

    Check out idropnews.com; operates under the same employees. It’s also part of Amobee but they don’t advertise it as such. They are known for signing people up without their permission.
