Justia White Collar Crime Opinion Summaries

Articles Posted in Internet Law
A Romanian organization, the Alexandria Online Auction Fraud Network (AOAF), used fraudulent online advertisements on websites like eBay, Craigslist, and Amazon to convince unknowing U.S. purchasers to send payments for high-value items that did not actually exist. After receiving the payments through vehicles like gift cards and prepaid debit cards, AOAF money launderers in the U.S., including Brown, converted the payments into Bitcoin currency, which was then transferred back to Romania. Foreign Bitcoin exchange businesses including RG, Iossifov’s Bulgaria-based business, then transferred the Bitcoin balances to cash on behalf of AOAF fraudsters. About 900 victims never received the items for which they paid. The government learned about the scheme in 2014 when it discovered that an American citizen living in Kentucky was laundering funds on behalf of an online fraud organization; the individual became a confidential source. The Sixth Circuit affirmed Iossifov and Brown’s convictions and sentences under the Racketeer Influenced and Corrupt Organizations Act (RICO), 18 U.S.C. 1962(d), and Iossifov’s additional conviction for conspiring to launder money, 18 U.S.C. 1956(h). The court rejected venue, jurisdiction, and Due Process claims, a contention that Bitcoin does not fall under the money laundering statute, and challenges to sentencing enhancements and evidentiary rulings. View "United States v. Iossifov" on Justia Law

Smith, a software engineer, obtained the coordinates of artificial fishing reefs in the Gulf of Mexico from a website owned by StrikeLines, a Florida business. Smith remained in Mobile, Alabama while posting information about the reef coordinates on Facebook. Smith initially agreed to remove the posts and to assist StrikeLines with its security issues in exchange for additional coordinates, but communications broke down. StrikeLines contacted law enforcement. Officers executed a search warrant and found StrikeLines’s coordinates and other customer and sales data on Smith’s devices. Smith was charged in the Northern District of Florida with violation of the Computer Fraud and Abuse Act, 18 U.S.C. 1030(a)(2)(C), (c)(2)(B)(iii), theft of trade secrets, and transmitting a threat through interstate commerce with intent to extort. Smith argued that venue was improper because all the prohibited conduct occurred in Alabama and the data that was accessed and obtained was in the Middle District of Florida. Smith was convicted on the trade secrets and extortion counts in the Northern District of Florida. The Eleventh Circuit vacated Smith’s trade secrets conviction and related sentencing enhancements for lack of venue, affirmed the extortion conviction and related sentencing enhancements, and remanded. Smith never committed any essential conduct for the trade secrets conviction in the Northern District of Florida. Sufficient evidence supported the extortion conviction. View "United States v. Smith" on Justia Law

Nicolescu, Miclaus, and coconspirators posted fake eBay car auctions. Operating from Romania, they concealed their IP addresses and employed US-based “money mules” to collect payments from unsuspecting buyers, taking in $3.5-$4.5 million. In 2014, a virus created by Nicolescu was embedded in the eBay auctions and in spam emails to collect more than 70,000 account credentials, including 25,000 stolen credit-card numbers. Their network of virus-infected computers “mined” for cryptocurrency, reaping $10,000–$40,000 per month, 2014-2016. The FBI and Romanian police executed a search warrant on members’ residences and retrieved electronic devices. Nicolescu and Miclaus were convicted of conspiracy to commit wire fraud, 12 counts of wire fraud, conspiracy to commit computer fraud, conspiracy to traffic in counterfeit service marks, five counts of aggravated identity theft, and conspiracy to commit money laundering. The district court added 18 levels to their Guidelines calculation (U.S.S.G. 2B1.1(b)(1)(J)) for causing a loss of $3.5-$9.5 million, two levels (2B1.1(b)(4)) for being in the business of receiving and selling stolen property, two levels (2B1.1(b)(11)(B)(i)) for trafficking unauthorized access devices, four levels (2B1.1(b)(19)(A)(ii)) for being convicted under 18 U.S.C. 1030(a)(5)(A), and four levels (3B1.1(a)) for being an organizer or leader. They were sentenced to 216 and 240 months’ imprisonment. The Sixth Circuit affirmed the convictions, rejecting challenges to the sufficiency of the evidence and to jury instructions, but vacated the sentences. The court upheld the loss calculation and leadership enhancement. The district court erred in applying the stolen property enhancement and in applying a 2B1.1(b)(19)(A)(ii) enhancement because the men were convicted of conspiracy, not a substantive section 1030(a)(5)(A) offense. View "United States v. Miclaus" on Justia Law

Jereno Kinslow's felony conviction for computer trespass was premised on evidence that Kinslow altered his employer’s computer network settings so that e-mail messages meant for Kinslow’s boss would also be copied and forwarded to Kinslow’s personal e-mail account. The Court of Appeals affirmed Kinslow’s conviction, and the Georgia Supreme Court granted Kinslow’s petition for certiorari, posing the question of whether Kinslow’s conduct constituted a violation of OCGA 16-9-93 (b)(2). The Court found that although the statute in general was extremely broad, the portion of (b)(2) on which the State exclusively relied did not reach Kinslow’s conduct. Accordingly, the Supreme Court concluded the evidence presented at Kinslow’s trial was insufficient to support his conviction under Jackson v. Virginia, 443 U.S. 307 (1979), and thus reversed. View "Kinslow v. Georgia" on Justia Law

Former Georgia police sergeant Van Buren used his credentials on a patrol-car computer to access a law enforcement database to retrieve license plate information in exchange for money. His conduct violated a department policy against obtaining database information for non-law-enforcement purposes. The Eleventh Circuit upheld Van Buren's conviction for a felony violation of the Computer Fraud and Abuse Act of 1986 (CFAA), which covers anyone who “intentionally accesses a computer without authorization or exceeds authorized access,” 18 U.S.C. 1030(a)(2), defined to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.” The Supreme Court reversed. An individual “exceeds authorized access” when he accesses a computer with authorization but then obtains information located in particular areas of the computer (files, folders, databases) that are off-limits to him. Van Buren “access[ed] a computer with authorization” and “obtain[ed] . . . information in the computer.” The phrase “is not entitled so to obtain” refers to information one is not allowed to obtain by using a computer that he is authorized to access. “Without authorization” protects computers themselves from outside hackers; the “exceeds authorized access” clause protects certain information within computers from "inside hackers." One either can or cannot access a computer system, and one either can or cannot access certain areas within the system. The Act’s precursor to the “exceeds authorized access” language covered any person who, “having accessed a computer with authorization, uses the opportunity such access provides for purposes to which such authorization does not extend.” Congress removed any reference to “purpose” in the CFAA. On the government’s reading, an employee who sends a personal e-mail or reads the news using a work computer may have violated the CFAA. View "Van Buren v. United States" on Justia Law

In 2012, Rad and others were charged with acquiring penny stocks, “pumping” the prices of those stocks by bombarding investors with misleading spam emails, and then “dumping” their shares at a profit. Rad was convicted of conspiring to commit false header spamming and false domain name spamming under the Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM), 15 U.S.C. 7701(a)(2), which addresses unsolicited commercial email. The PSR recommended raising Rad’s offense level to reflect the losses inflicted on investors, estimating that Rad realized about $2.9 million in “illicit gains” while acknowledging that because “countless victims” purchased stocks, the losses stemming from Rad’s conduct could not “reasonabl[y] be determined.” Rad emphasized the absence of evidence that any person lost anything. Rad was sentenced to 71 months’ imprisonment. The record is silent as to how the court analyzed the victim loss issue. The Third Circuit affirmed. DHS initiated removal proceedings under 8 U.S.C. 1227(a)(2)(A)(iii), which renders an alien removable for any crime that “involves fraud or deceit” “in which the loss to the victim or victims exceeds $10,000.” The IJ and the BIA found Rad removable. The Third Circuit remanded. Rad’s convictions for CAN-SPAM conspiracy necessarily entail deceit under 8 U.S.C. 1101(a)(43)(M)(i). The second element, requiring victim losses over $10,000, however, was not adequately addressed. The court noted that intended losses, not just actual ones, may meet the requirement. View "Rad v. Attorney General United States" on Justia Law

Starting in 2008, Sunmola carried out an online romance scheme from South Africa, targeting middle-aged women in Georgia and Illinois. Sunmola often used pictures of men in U.S. military uniforms in his online profile to gain the victims' trust; they made electronic fund transfers after his false claims of financial distress. Sunmola secretly recorded some victims in sexually suggestive positions, then sent extortion demands. Authorities also discovered evidence of credit card fraud affecting businesses. He was charged with conspiracy, mail fraud, wire fraud, and interstate extortion. Authorities arrested Sunmola in London and transferred him to U.S. custody. Three days into his trial, Sunmola openly pleaded guilty to all counts, admitting to the essential elements of each offense. The judge accepted the pleas without a plea agreement. Applying several enhancements and considering other section 3553(a) factors, the district court sentenced Sunmola to 324 months in jail with an adjusted restitution payment of $1,669,050.98. The Seventh Circuit affirmed, rejecting challenges to a four-level “substantial financial hardship” sentencing enhancement, a two-level “vulnerable victim” adjustment, a two-level enhancement for acting on behalf of a government agency, and a four-level adjustment for acting as the organizer or leader. The court upheld the restitution calculation and application of general deterrence in his final sentencing. View "United States v. Sunmola" on Justia Law

Musacchio resigned as president of ETS in 2004, but with help from the former head of ETS’s information-technology department, he accessed ETS’s computer system without authorization through early 2006. In 2010, Musacchio was indicted under 18 U.S.C. 1030(a)(2)(C), which makes it a crime if a person “intentionally accesses a computer without authorization or exceeds authorized access” and thereby “obtains . . . information from any protected computer.” A 2012 superseding indictment changed the access date to “[o]n or about” November 23–25, 2005. Musacchio never raised the 5-year statute of limitations. The government did not object to jury instructions referring to: “intentionally access a computer without authorization and exceed authorized access” although the conjunction “and” added an additional element. The jury found Musacchio guilty. In affirming his conviction, the Fifth Circuit assessed Musacchio’s sufficiency challenge against the charged elements of the conspiracy count rather than against the heightened jury instruction, and concluded that he had waived his statute-of-limitations defense. The Supreme Court affirmed. A sufficiency challenge should be assessed against the elements of the charged crime, not against the elements set forth in an erroneous jury instruction. Sufficiency review essentially addresses whether the case was strong enough to reach the jury. Musacchio did not dispute that he was properly charged with conspiracy to obtain unauthorized access or that the evidence was sufficient to convict him of the charged crime. A defendant cannot successfully raise section 3282(a)’s statute-of-limitations bar for the first time on appeal. The history of section 3282(a)’s limitations bar confirms that the provision does not impose a jurisdictional limit. View "Musacchio v. United States" on Justia Law

Apple introduced the iPad in 2010. To send and receive data over cellular networks (3G), customers had to purchase a data contract from AT&T and register on an AT&T website. AT&T prepopulated the user ID field on the login screen with customers’ email addresses by programming servers to search for the user’s Integrated Circuit Card Identifier to reduce the time to log into an account. Spitler discovered this “shortcut” and wrote a program, the “account slurper,” to repeatedly access the AT&T website, each time changing the ICC-ID by one digit. If an email address appeared in the login box, the program would save that address. Spitler shared this discovery with Auernheimer, who helped him to refine the account slurper, which collected 114,000 email addresses. Auernheimer emailed the media to publicize their exploits. AT&T fixed the breach. Auernheimer shared the list of email addresses with Tate, who published a story that mentioned some names of those whose email addresses were obtained, but published only redacted email addresses and ICC-IDs. Spitler was in California. Auernheimer was in Arkansas. The servers were physically located in Texas and Georgia. Despite the absence of any connection to New Jersey, a Newark grand jury indicted Auernheimer for conspiracy to violate the Computer Fraud and Abuse Act, 18 U.S.C. 1030(a)(2)(C) and (c)(2)(B)(ii), and identity fraud under 18 U.S.C. 1028(a)(7). The Third Circuit vacated his conviction. Venue in criminal cases is more than a technicality; it involves “matters that touch closely the fair administration of criminal justice and public confidence in it.” View "United States v. Auernheimer" on Justia Law

Tragas bought information that is encoded in the magnetic strip on the back of credit and debit cards from overseas suppliers and re-sold the information to the Hunter brothers, who created “clone” gift and credit cards with which they purchased goods and bona fide gift cards. Tragas and the Hunters communicated online. Police discovered records of their conversations on the Hunters’ computer. Transcripts of the conversations were read at trial. Although the parties did not use names, a picture of Tragas appeared on the account and Tragas made purchases with card information exchanged during the conversations. Tragas purchased a house in Florida after a conversation about buying a house in Florida. As a result of the scheme, credit and debit card users and their financial institutions lost $2.18 million. Tragas was convicted of conspiracy to commit access device fraud offenses, 18 U.S.C. 1029(b); aiding and abetting unlawful activity under the Travel Act, 18 U.S.C. 1952(a); bank fraud, 18 U.S.C. § 1344; and wire fraud, 18 U.S.C. 1343, and sentenced to 300 months’ imprisonment. The Sixth Circuit affirmed the convictions, rejecting claims that the prosecutor improperly read evidence aloud, that the court should have given the jury a specific unanimity instruction, that the Travel Act convictions were not supported by sufficient evidence, and that her Vienna Convention rights were violated. The court remanded the sentence; the court used an incorrect version of the Guidelines. View "United States v. Tragas" on Justia Law