In 2012, LegitScript estimated that at least half of the rogue online pharmacies in the world were registered through ABSystems, a registrar operated by criminal mastermind Paul Le Roux. This massive network of online pharmacies, which fell under the umbrella of an operation called RX Limited, facilitated the sale of prescription drugs to US customers without a valid prescription.
Le Roux's foray into the illicit sale of pharmaceuticals online was only the first endeavor in his criminal empire. The rest - including money laundering, black market gold sales, illicit drug trafficking, and suspected murder - is detailed by award-winning journalist Evan Ratliff in his new book The Mastermind: Drugs, Empire, Murder, Betrayal. In the following Q&A with LegitScript, Ratliff discusses cybercrime, technological innovation, and questions about Le Roux he'd still love answered.
What did you know about the internet pharmacy market before you started your research on RX Limited? Were you surprised by what you found?
I had some general knowledge about online pharmacies, but I'd never reported on it specifically before, so I understood very little in the way of specifics about how rogue pharmacies and networks operated - or even any sense of the size of the issue. The realities of both very much surprised me: first, just how many shipments were moving through something like RX Limited. The number was way beyond what I might have estimated. And then how it operated, the cleverness with which each piece - the doctors, the pharmacists, the domain names, the affiliates - fit together with each other under the scheme. It was, in its way, brilliant.
In light of the creation of ABSystems, what are your thoughts on registrars and ICANN, and on how this system functions?
Clearly there were two enormous gaps in the system that Paul Le Roux, in particular, was able to exploit. The first was the domain registrar certification, which he was able to obtain for ABSystems in the Philippines and then maintain for years on end, allowing him to generate domain names at will. The second was the lack of any organized international approach to figuring out who the bad actors were. Operating out of the Philippines, with call centers in Israel, banking in Hong Kong, and doctors, pharmacists, and customers in the US, served Le Roux as a kind of additional layer of protection, because unraveling in his network required local US investigators pulling threads from their end all the way to the source, rather than having some coordinated approach to grappling with the whole network from different sides.
In a story as fantastic and complex as this one, what surprised you most about Paul Le Roux or his criminal enterprise?
Many things, but I think ultimately it was the ease with which he was able to transition from the pharmacy business, operating almost entirely online, into the blood-and-flesh world of international narcotics and arms.
Are there any questions you'd like to ask Le Roux that you haven't had answered?
Certainly. He was questioned on the witness stand in court for many hours, and many of the lawyers' questions did overlap with what I wanted to know. But more than any particular fact, I'm interested in the whys: Why did he make certain choices, like the turn to darker crime, at certain points? Why did he choose online pharmaceuticals over other ventures? Why not quit while he was ahead? I'm not certain even he knows the answers to some of those, or could articulate them. But I'd love to ask.
Le Roux tried to erase himself from the internet, and you've had your own experience in trying to disappear in your "Vanish" experiment. Do you think it's possible for people to erase themselves from the internet these days?
It's theoretically possible, and it really all depends on the footprint you have to begin with. (If you don't use the internet much, there isn't much to erase.) But in a general sense no, I don't think so, not without tremendous effort. If you've bought property in the US, for example, you are going to have a very hard time unless you want to move as part of your effort to erase yourself. And while a lot of what we voluntarily post online can theoretically be deleted, much of it can't, and the best you can do is try to bury it in search results. Even if you do that, you aren't getting into the databases underlying it all, which hold information you can never really get to, even if it isn't on the open internet.
Is Paul Le Roux unique, or is there destined to be another cybercriminal of his magnitude? Are there some right now?
I do tend to think that he's unique, in his combination of technical skills, criminal ambition, and success. His kind of global, tech-driven approach is basically unprecedented in the history of organized crime. I imagine there will be more Le Rouxs to come, and maybe some even operating now, although it's always hard to see them before they get so big as to become a target for law enforcement.
You've been covering technology for about 20 years; what do you see as some of the future trends in cybercrime?
My experience has been that basically everything that is happening to all of us - the increased digitization of our lives, tastes, consumption, banking - happens to criminal networks in parallel. And that often the dark side gets out ahead of things; we saw that with DDoS extortion for instance, which nobody had any idea how to deal with when it first happened. Then you saw it with the dark web, and now you are seeing it with cryptocurrency money laundering. When there are markets to be "disrupted" on the legitimate side of technology, there are often mirror images of that disruption that move even faster. Just off the top of my head, I feel like there is going to be some new form of scam that emerges out of some current trends. Phishing still works, but it's been around for a long time now and it feels like we are overdue for an entirely new creative scammer idea.
Between the dark web and surface web, do you see cybercrime migrating to one portion of the internet or another?
I personally tend to think that the most significant avenues in cybercrime are those happening on the surface/open web. Partly just because the dark web, while obviously useful for conducting all kinds of transactions, also gives law enforcement the kind of point of entry they love, and the anonymity to infiltrate them (which we've seen with several of the biggest dark web markets). Plus the fact that your illicit customer base, for now at least, is a bit confined to the more tech-literate who can navigate their way to it. That, of course, is getting easier, with encrypted apps and so on. But I just think there's maybe a somewhat limited utility there. Whereas if a cybercrime organization can find ways to operate on the open web, like Le Roux did, the upside is always going to be so much higher.
What are you working on next?
I'm genuinely not sure! I'm currently germinating a number of ideas trying to figure out which one could grow into a bigger project. Here's hoping at least one does, but Paul Le Roux's and RX Limited's definitely don't come along every day (or year).