Chapter 4. Cars, Cards, Chemicals And Crayons

AL STERNBERG

Mark Hagen was a 21-year-old resident of Hillside County. He attended Hillside Technical Community College but had not completed his studies. Mark worked at the Hyland Steakhouse as a take-out window employee. He was on probation for speeding to elude police and was known to have a history of break-ins and drug abuse. As a deputy sheriff, I had become acquainted with Mark during a fraud examination earlier that year that resulted in his arrest. When I spoke to Hagen's father, he told me he had bailed him out of trouble on many occasions and he was no longer welcome at home because Mark had assaulted him. Mr. Hagen told me to have the courts throw the book at his own son.

Jerry Settles was a 22-year-old transient and friend of Mark Hagen. In December, he was sleeping on the couch in the apartment that Hagen shared with a housemate, Ginger Taylor. Settles had a small child with an ex-girlfriend, but the child and the ex-girlfriend lived in a town on the coast. Settles had some previous run-ins with the law in a nearby county. He made a difficult living on a cash basis as a tattoo artist and kept the tools of his trade in Mark's apartment.

The Benefits of Early Morning Banking

I never thought to ask Paula Searcy why she chose 3:00 one morning in the first week of September to do some online banking. In any event, she did — and discovered that a fraudulent purchase for $110 was charged against her account to purchase something from a Web site called Euro Parts. The transaction posted only two hours earlier. She immediately contacted Euro Parts and spoke with Georg Lindemans about the unauthorized transaction. He was very cooperative and gave her a description of the car accessories ordered and the address of where the goods were supposed to be shipped. Due to the prompt discovery of the fraud, the order was stopped. She notified her bank and filed a police report with the Hillside County sheriff's office.

I happened to be receiving incoming fraud reports at the sheriff's office that week. I classified Paula's case as workable because the shipping address was a house just down the street from hers. At the time, I was tracking a series of cases in which victims reported receiving packages they did not order. The packages contained consumer electronics, such as digital cameras, cell phones and computer gear — all billed to the victims' credit or debit card accounts. After tracking Internet protocol (IP) traffic patterns used by the perpetrators in Paula's case, I concluded the offenders were either war driving (seeking out unsecured wireless networks to use for anonymous Internet access to commit crimes) or placing orders from another state or country. This type of crime makes sense only if the fraudster is local, mobile, and able to intercept packages, or if he has a coconspirator who can intercept the packages. This local offender can either place the order himself or instruct others to place it for him. In a local case such as Paula's, when there is no relationship between the victim and suspect, the victim's identity has usually been stolen locally as well. This mystery offender was worth hunting despite the low value of the attempted fraud and the stopped shipment.

Following an Online Trail

I contacted Georg at Euro Parts and asked him to e-mail me details about Paula's order and to confirm the IP origination data. Georg was highly cooperative and told me he was happy to see someone in law enforcement trying to track this sort of crime. The fraudster had ordered three novelty European-style vehicle registration plates and had requested unique names for each plate. Georg forwarded several e-mails sent to Euro Parts by the offender. Georg even strung the offender along about the order, drawing out more e-mail IP traffic and evidence of the attempted wire fraud. The IP data we were able to gather included dates, timestamps and time zones. The offender was using the e-mail address . The use of admin@ was unusual because most fraudulent e-mail accounts involve anonymous services such as Yahoo! or Hotmail.

Using www.geobytes.com/ipLocator.htm, I confirmed that the Cable Com sub-IP address used by the perpetrator was local. Next I used the Whois tool on www.arin.net and found out that Cable Com was also the Internet service provider (ISP) for the originating e-mail order. Whois is a function that lists Web site registrant data, technical contact information, date of registration and hosting server data. Most Whois data is provided on an honor-system basis and cannot be taken strictly at face value. I ran the novelty plate names, looking for nicknames in my agency database, Facebook and MySpace, but found nothing. I next went to www.euroresearchltd.com and found this:

There was no other information on the homepage regarding what customers buy or do there. The explicit warnings and instructions seemed designed to warn off casual visitors.

Using the Firefox browser toolbar, I clicked view, then page source. This function electronically decodes a Web site into text format and displays the underlying code used to construct the page. I was looking for hidden content, meta tags and true e-mail/hyperlink paths. Meta tags are used to hide webpage construction code the page's author does not wish to display on the open page. Occasionally, a meta tag reveals an author's name. Other meta tags hide keywords used to snag the interest of search engines. I noted a meta tag identifying the Web site as "your local source for fine chemicals." I took this to be a weak euphemism for illegal drug distribution and sales.

I conducted a Whois search on www.register.com to see who was responsible for the Euro Research Web site and discovered that the registrant was an entity called Streaming Power. Whois also showed that the record was created via a domain registration service in March. Domain servers were also on Streaming Power. I noticed the use of admin as the contact for www.euroresearchltd.com, which implied that the user was the administrator and controller of the Web site. The members' click here link led to a sub-Web site hosted at Streaming Power, which indicated the Streaming Power servers and hosting were integral to operation of the Euro Research Web site. The source code revealed that clicking on the contact the admin link led to , the same e-mail account used by the suspect in the original crime.
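The page-source review described above can be repeated consistently across many pages with a short script. The following is an added example, not part of the original chapter: it pulls meta tags, HTML comments, the hosts that links really point to, and the true mailto targets out of raw HTML, then checks those addresses against ones already in the case file. The sample page, its domains and its address are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed sample page (not the site from the chapter).
SAMPLE = """<html><head>
<title>Members only</title>
<meta name="description" content="constructed sample description">
<meta name="keywords" content="alpha, beta">
<!-- built by: constructed-author -->
</head><body>
<p>Authorized visitors only.</p>
<a href="http://members.hosting.example/login">Members click here</a>
<a href="mailto:Admin@site.example?subject=hello">Contact the admin</a>
</body></html>"""


class SourceAudit(HTMLParser):
    """Collect what the page source shows but the rendered page does not."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.meta = {}       # meta name/property -> content
        self.links = []      # (visible link text, raw href)
        self.comments = []   # HTML comments left in the source
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta":
            key = a.get("name") or a.get("property") or a.get("http-equiv")
            if key and a.get("content") is not None:
                self.meta[key.lower()] = a["content"]
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append((text, self._href))
            self._href = None

    def handle_comment(self, data):
        self.comments.append(data.strip())


def audit(html):
    """Return meta tags, comments, linked hosts and true mailto targets."""
    parser = SourceAudit()
    parser.feed(html)
    parser.close()
    mailto, hosts = [], set()
    for text, href in parser.links:
        parts = urlsplit(href)
        if parts.scheme.lower() == "mailto":
            # mailto:addr1,addr2?subject=... keeps the addresses in .path
            for addr in unquote(parts.path).split(","):
                if addr.strip():
                    mailto.append((text, addr.strip().lower()))
        elif parts.hostname:
            hosts.add(parts.hostname.lower())
    return {"meta": parser.meta, "comments": parser.comments,
            "hosts": sorted(hosts), "mailto": mailto}


def cross_reference(report, known_addresses):
    """Addresses behind the page's links that already appear in the case."""
    known = {a.lower() for a in known_addresses}
    return [addr for _, addr in report["mailto"] if addr in known]


if __name__ == "__main__":
    report = audit(SAMPLE)
    print(report)
    print(cross_reference(report, ["admin@site.example"]))
```

Run it on a saved copy of the page source so the evidence reviewed is the same file preserved in the case record.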

Based on this preliminary investigation, I obtained court orders signed by a superior court judge to compel Streaming Power and Cable Com to identify customer and user account data. I served these on the companies in late September. By November, I had heard nothing and resubmitted the orders Thanksgiving week. This time, Streaming Power's corporate attorney contacted me right away and sent the compliance data disk overnight.

Around this time, I came down with an illness that kept me out of work for nearly three weeks. I took the disk from Streaming Power and my case file home. While recovering, I had plenty of time to conduct an electronic investigation, reach out to others for information, and eventually type the drafts of search warrants and arrest warrants on the suspect.

The Credit Card Lifter

I reviewed the data from Streaming Power and found that the creator of www.euroresearchltd.com used the e-mail address to create the Web site. From this brazen name, standing for "credit card lifter," I formed a working hypothesis that the Web site was used for trafficking drugs and stolen identity data. (Note that a hypothesis is only that — it could be correct or incorrect; but at least it is something to work with.) I checked the e-mail hosting service and found it to be a service that incorporates encrypted messaging. I also found the following residual e-mail content (excerpted):

From: yhrtvui Service <[email protected]>
To: euroresltd <[email protected]>
Message-Id: <redacted>@yhrtvui.com>
Date: <redacted> 12:54:32 −0700 (PDT)
<redacted> has made a comment on BMW 328i new muffler
zound: i can't believe you missed crushing that camera.

I immediately was struck by the BMW reference. Earlier that year, I charged Mark Hagen with three fraud felonies that involved making false statements to victims. He would sell them BMW parts and accessories, take their money, and never ship the goods. He met the victims on a BMW aficionados' Web site. At the time, Hagen's MySpace page had a reference to a BMW 328i. The three victims who filed complaints were from out of state.

Based on this recovered e-mail content, it appeared that somebody had opened an account on YouTube using the name "euroresltd" and the e-mail address . Euroresltd posted a video clip, another person with a YouTube account commented on it, and YouTube automatically sent the comment to . Euroresltd appeared to be an abbreviation for Euro Research Limited.

I went to YouTube to look at the BMW video and saw that it was the only video this euroresltd had posted. The BMW in the video appeared to be black. It drove over the camera, turned around, and a hand picked up the camera before the video clip ended.

The compliance data from Streaming Power included the following e-mail sent by a euroresearchltd.com sub-account:

From: <[email protected]>
To: beth@<redacted>
Subject: remember me!?
Reply-To: [email protected]
Date: <redacted>14:35:10 −0700

hello beth,
my name is mark, i ordered from you a couple of times,
you may recall me as [email protected] that email service sucks
so i am trying again from my new one. If you're still in the business,
i'd like to do a new order from you, can you verify if the price is still right?
i'd like to order 5 grams of "2c-i" and 5 grams of "DOI" to
make a total of 10 grams...in the past this was $980 and we did this thru moneygram.
if it's cool, let me know what name you want me to send the money to and where.
also can you send me a new price list.

This appeared to be an uncoded message to a narcotics source to tell Beth that he was contacting her from an e-mail address she was not familiar with and showing his credentials by providing his old e-mail address and his first name. I conducted a little Internet research on 2C-I and DOI; I discovered they are exotic, rare designer drugs that have hallucinogenic and psychedelic effects. 2C-I is considered an analogue of 2C-B, another psychedelic that is on my state's controlled-substances list. The e-mail sender identified himself as Mark, which strengthened my suspicions it was Mark Hagen. I also noticed that the e-mail address was added to www.euroresearchltd.com as a user on the same date that the e-mail was sent. I added the solicitation to purchase drugs to my working hypothesis.

During my previous investigation, I found user names and nicknames for Mark Hagen, including the name "marksman," on MySpace and the BMW fan Web site. I went to MySpace's "friend finder" service, searched for marksman, and quickly located Hagen's MySpace page. The thumbnail view featured a photo I knew to be of Mark Hagen.

Insanity and Bulls**t

I ran a Google search on euroresltd and was led to a blog maintained by www.thedopehead.com. I ran a query in the blog on euroresltd and pulled up numerous postings and posting strings. One of the posters on the Web site made the following statement:

Re: idiots & a****les
smok6e on <redacted> Oct 23, <redacted> 5:27 pm
whoa, i looked up marksman and euroresltd dude they post from the same IP
dude whut u think we're smokin . . . .

My query on euroresltd also provided a detailed photo essay from October 2008 and a list of items he ordered or bought, including variants of psilocybe mushrooms — a Schedule-I controlled substance. He was quite proud of his accomplishments and posted photos of his equipment and his growing operation. He even posted a photo of his bedroom. Manufacturing and growing Schedule-I controlled substances expanded the scope of my case. Further perusal of blog threads revealed that euroresltd had angered others, including smok6e who went to the trouble to link marksman and euroresltd by IP address. I made a separate query on marksman and found numerous postings going back a long time, including one that said, "you can also find him on a bunch of other forums by typing 'research chemicals' into google." I did just that and located some useful posts, one of which led me to this entry:

Marksman

wannabe (guest)

IP: Logged Jul 07 <redacted, previous year> at 7:48pm

Botanical exploration
Anyone looking for any botanical products, if you don't see them on the inventory i can usually find them from someplace, i got super ebayer rating just email [email protected]

The e-mail address was the same one in the e-mail to Beth.

In early December, I finally received the compliance material from Cable Com and traced the IP address to Ginger Taylor, with a North Hillside apartment as the service address. A second IP address in the documents was associated with an apartment in the same building. Taylor's account was canceled in late October.

One of my colleagues told me that Mark Hagen was currently living with Ginger Taylor in the same apartment listed in the Cable Com documentation.

I drove by the apartment and saw Hagen's black BMW 328i parked in front. DMV records showed the car was registered to Hagen's father.

I had one of my crime analysts pull employment records on Hagen and discovered he was working at Hyland Steakhouse in North Hillside. I formed an additional working hypothesis that he obtained stolen bank and credit card information from his job. I checked the restaurant's hours; they serve lunch and dinner only, from 11:00 AM to 10:00 PM. I figured Hagen would most likely be a late sleeper, and that a visit around 8:00 AM should catch him at home. On the strength of my experience raiding scores of identity theft locations, I thought Hagen would have considerable evidence of his crimes stashed in his "safe house" base. I also thought that Hagen would have additional evidence in his car because he had to be mobile when harvesting packages off other people's porches.

Based on the confluence of evidence and data I had found up to that point, I believed that there existed a strong likelihood and probable cause that the unknown suspect behind the euroresearchltd mask and Mark Hagen were one and the same. A magistrate judge agreed with me, signing search warrants for Hagen's apartment and car. He also signed felony arrest warrants for the original crimes; one count was for identity theft, reflecting Paula Searcy as a victim, and the other count was obtaining property by false pretenses, reflecting Euro Parts as a victim.

The next morning, I met with other raid participants, including the Hillside police department fraud and forgery unit, since its officers would have interest in an identity thief operating in their city. Hillside's cyber crimes unit came out to help with collection of computer gear. I was also joined by a few other sheriff's office investigators, a supervisor who would serve as the officer in charge, and a Hillside uniformed patrol officer. It is always good practice in search warrant operations to have a uniformed officer with you at the front door. We also brought a federal agent with us for his electronic crimes expertise. It is a separate crime to lie to a federal agent, a great advantage for us if the apartment occupants gave statements.

The Jig Is Up

At the apartment, we knocked on the front door and not-so-subtly announced our office and purpose: "POLICE! SEARCH WARRANT! OPEN THE DOOR!" A young man opened the door. He was not Mark Hagen. We entered and began to secure the apartment. Ginger Taylor was in the shower. Hagen's room was locked. We called out to him to open the door, and when he finally did, he was groggy from being awakened. We got everyone calmed down and secured. We identified the man who opened the door as Jerry Settles. I went over the details and scope of the search warrant with Settles, Hagen and Taylor and gave them a copy to read while we commenced the search. The Hillside uniformed officer kept watch over the apartment occupants.

At this stage, my practice is to conduct a walkthrough of the premises, take photos detailing the condition of the place, and assess which areas would most likely yield the evidence. I zeroed in on Hagen's bedroom and the living room. Evidence was packaged and identified based on where it was found and collected. Hagen's bedroom looked just like the photos I'd seen on the Dopehead forum on the Web. We sent a team to search Hagen's car. Hillside's cyber crimes unit worked on documenting and collecting the computer equipment, and we seized several computers and hard drives. No fraud evidence was found in the BMW.

During the search, I looked through the bottom bureau drawer in Hagen's room and discovered five Hyland Steakhouse triplicate order slips with imprints of the fronts of credit and debit cards, including card numbers, expiration dates and names. I found a printed private MySpace message from a person using a nickname that exactly matched one of the novelty license plates ordered with Paula Searcy's card. I found numerous pay stubs for Mark Hagen showing he worked at Hyland Steakhouse.

We also found a considerable amount of marijuana-related drug paraphernalia scattered in plain sight in Hagen's bedroom and on the dining table. Hagen acknowledged the paraphernalia on the table in the common area was his. I showed Hagen the bankcard imprints and asked him why he had them. He said he got them a few months ago and never used them.

The cyber crimes unit supervisor scanned computer networks in the area and found there were at least four unsecured wireless networks within range of the Taylor-Hagen apartment. This showed how easy it would be for Hagen to piggyback on other people's accounts.

Jerry Settles asked to speak with me in private. He told me he suspected that Hagen ordered something with one of the card numbers but had the item shipped in Settles's name to the apartment. I found a cell phone on the floor near the dining table, and Settles claimed it as his. I wrote down the phone number and returned it to Settles at the end of the search. I found a Pyrex container full of marijuana in Settles's box of tattoo equipment, which he initially blamed on one of his clients but later claimed responsibility for. Hillside police charged him with drug possession.

Felonies, Felonies and Felonies

When we were finished with the search, I gave Taylor a copy of the inventory we seized and informed Hagen that he was under arrest and would be going to jail. On the drive downtown, Hagen asked me to explain the charges to him. I went over the elements of the crimes and told him the five credit card imprints were each separate, additional fraud felonies. I told him that because he had so many charges, his punishment grade would be beefed up to a more serious fraud felony level.

I'll never forget Hagen's next statement: "These are felonies?"

When I came into his holding cell to inform him of his additional misdemeanor charge of possession of drug paraphernalia, he told me he suspected Settles had gotten into his room and used one of the card numbers to order glass marijuana pipes and bongs. Hagen told me the lock he had on his bedroom door was to keep his housemates out of his room and his stuff. He also asked if he could call his job to let them know he would be late that evening.

After booking him, I sent off inquiries to my crime analyst and bank fraud investigator contacts to try to identify the cardholders. I made an appointment to meet Hagen's boss, Marie Bass, the proprietor of the Hyland Steakhouse. I went to the restaurant that evening and showed her copies of the card imprints. She told me she recently saw video surveillance of Hagen suspiciously leaning over something in the take-out area, his workspace. Bass said she searched his area and found some crayons that looked like they had been used sideways, as if to make imprints. Bass wanted Hagen prosecuted for stealing the card numbers. She also wanted to make an example to other employees that such behavior is intolerable.

The next day, I was able to identify and interview the cardholders. All wanted to prosecute. Each victim had paid with credit or debit cards at the Hyland Steakhouse take-out window. One victim identified more than $300 in fraudulent charges on her card in late November to Media Town, a site that sells downloadable music and movies. Another card number was used to make purchases at two Web sites, Glass Bowls and Groovy Glass. I looked at the Web sites and identified their wares as obvious marijuana pipes. Another card was used to make a fraudulent purchase at Cell-Tel, a cell-phone service provider. I later tracked another transaction to Shroom Haus, a Midwest supplier of psychedelic spores and grow equipment. I spoke to Hagen's neighbor, whose Cable Com account Hagen had piggybacked, and he also wanted to prosecute. I did not contact, nor charge on behalf of, Glass Bowls, Groovy Glass, or Shroom Haus.

My contact at Cell-Tel sent me data showing the stolen card number was used in an attempt to make an $80.07 payment on a prepaid wireless phone account and was declined. The phone number was Jerry Settles's. Settles neglected to mention this payment to me in our conversation. I called Settles on his cell phone and asked about the Media Town transactions. He denied them but said Hagen had a lot of music on his computer and did a lot of downloading. I spoke with him about the use of one of the stolen card numbers to pay his cell-phone bill. He claimed that he gave Hagen cash because Hagen wanted to pay the bill with his credit card.

I charged Hagen with six additional counts of identity theft for the five cardholders and the piggybacked neighbor. I charged him with another count of obtaining property by false pretenses for the Media Town fraud, and finally decided that felony common law forgery was the best charge to file on behalf of his employer. This charge described Hagen's acts of forging the card numbers onto the triplicate forms he took with him. When I served the new warrants upon Hagen, he insisted that Settles had committed the Media Town fraud and that I needed to look at his iPod. I also obtained felony fraud warrants against Settles for the prepaid phone payment and the Media Town purchases.

Sentencing

Mark Hagen pleaded guilty to seven counts of identity theft, two counts of obtaining property by false pretenses, and one count of common law forgery, all felonies. He spent four months in jail and was released to a term of probation. Settles and Hagen kept pointing the finger at one another. With the stronger case against Hagen disposed of, the prosecutor eventually dismissed the charges against Jerry Settles. Ginger Taylor was not charged.

Lessons Learned

Identity thieves can be found! There is an infrastructure to electronic crimes and nearly all frauds. This infrastructure of communications, phones, computers, safe houses, transportation, food, utilities, employment and other purchases and activities is laced with weak seams. My method is to go where I expect to find the seams, probe for those weak points and then rigorously exploit any mistakes made by the offender and hunt him or her down. Hit the offender with the best charges you can make and move on. The Mark Hagen case was an excellent example of how to identify places likely to have weak seams. His crimes were both high and low tech. Such a mix is not uncommon, even in highly complex fraud schemes.

Forming working hypotheses is a good approach for shaping an investigation; the key is to know when to change or abandon a hypothesis. The hypothesis that Hagen was trading identities for illegal drugs never completely came together. I was unable to link Hagen to any more of the mail drop incidents, but those hypotheses, nevertheless, provided valuable information and helped my case progress.

About the Author

Al Sternberg, CFE, graduated from UNC-Chapel Hill with a BS in Criminal Justice Administration and Psychology, and then joined Wake County Sheriff's Office. He became a Certified Fraud Examiner and an investigator specializing in a number of fraud crimes. He is currently assigned to the homicide/major crimes department as a senior investigator. He trains fellow officers on advanced methods of fraud investigations at Wake Technical Community College.
