The chart on the screen looks like something out of a TV crime drama: an elaborate web of emails and phone numbers, some names and photos, all connected by a mesh of thin lines.
The man standing in front of the maze is an investigator. But if you met him at a bar, he’d probably tell you he’s a software engineer. That’s because his work is sensitive — but also, because he works for a tech company in Silicon Valley.
As more and more of our lives play out online, so do crimes. This has prompted major tech companies to start growing internal crime-fighting cyber teams, often staffing them with former law enforcement agents.
In this case, the man with the intense chart on his screen works for a security team called “the Paranoids” — a brand started almost 20 years ago by techies at Yahoo, now known as Oath after a merger with Verizon/AOL.
“This is basically a fraud ring that we identified out of South Africa,” says the investigator. (He spoke anonymously to protect his work.)
“We” refers to the “threat investigations unit” at Oath — a team of about 20 people that hunts for fraudsters, identity thieves, child predators and other criminals who might be using Yahoo Mail, messengers, Flickr, Tumblr or other corporate platforms for their illicit acts.
About a third of this team came to Silicon Valley by way of law enforcement — including the man in charge, Sean Zadig. His path to security work began as a federal agent, investigating international cybercrime at the NASA Office of Inspector General, tracking down hackers who tried to hijack NASA computers.
This is an interesting trend: Silicon Valley has been slowly staffing up with former agents — from the FBI, the Secret Service, or in this case, NASA. The matter even came up at a recent congressional hearing on Russia’s influence campaign on social media, where a Republican lawmaker asked a Facebook executive why his company needed staff with security clearances.
In a way, it’s a reflection of modern crime. Criminals send emails, follow each other on Facebook, find victims on dating sites. Tech companies don’t want to be used for criminal schemes, and hiring highly trained federal investigators helps.
But there’s also something else.
“The government doesn’t always have the bird’s-eye view anymore,” says Tom Pageler, a former Secret Service agent, who’s now also in the tech industry.
He says it used to be that the government had more of our data: Social Security numbers, driver’s licenses, voter registration. Now, it’s private companies that know where we go online, who we’re talking to.
“I think that actually what is happening today is what we were hoping for back then,” Pageler says, referring to his days in the Secret Service in the early 2000s. There is now “a really good partnership, where well-trained individuals are going into the private industry and know how to investigate the case and package it properly for law enforcement to do what they need to do,” he says.
Charts on the Walls
I met Zadig, the Oath threat investigations chief, at the company’s Sunnyvale headquarters for essentially a super nerdy ride-along, which is how I found myself staring at that intense chart.
“The chart shows who did what to whom, where they are located, how they are connected to each other,” he says.
His investigators can’t see the content of emails — that’s law enforcement warrant territory — but they can connect email accounts by seeing who’s emailing whom, or whether the same phone number gets used to sign up. They can then scour the Web for social networks or other public digital trails connected to those emails and phone numbers — trying to put emails to names, faces and locations. Occasionally, they find the suspects on Facebook posing with wads of cash.
“We will print these charts out 2, 3 feet wide and they’ll be longer than the conference room table,” Zadig says. “And we’ll often sit down with law enforcement prosecutors and walk them through: Here’s how this account connects to this account, here’s how we identified this person.”
Sometimes, Zadig says, his team would return later for a follow-up “and we’ll see these charts on the walls, law enforcement or prosecutors have marked on them, they’ve made new connections that we hadn’t made.” He says his team’s work has led to more than 150 arrests in about three years.
Zadig’s team usually comes in after something illegal already happened. This includes the giant hacks of Yahoo itself, which happened in 2013 and 2014 and were disclosed by the company in late 2016. The company has not been able to identify the 2013 hack, but for the 2014 breach, the Justice Department has indicted four people: a Canadian hacker, who has pleaded guilty, and three Russians, two of whom are accused as agents of the Russian government.
‘We are a private company’
Not all investigations end up being shared with law enforcement. Some spammers might simply be shut down by the internal team. Jasdeep Singh Bhalla, a software developer on Zadig’s team, showed me an automated search tool he’s been building for months to dig up all accounts one spammer might create using bots, allowing the team to shut them down in one fell swoop.
“In a matter of 30 seconds, you’ve got 70 associated accounts,” Singh Bhalla says, as a massive web of related accounts populates his screen. This is an extreme case: someone had created some 1,200 related accounts. “If you do this manually,” Singh Bhalla says, “it would take you two months to search.”
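The linking described above (accounts tied together by a shared signup phone number or by who emails whom, then expanded from one account to every associated one) can be sketched as connected-component clustering over metadata only. This is an added illustration, not Oath's tool; the record fields, account IDs and phone numbers are constructed for the example.

```python
from collections import defaultdict

# Constructed sample metadata (no message content); field names are assumptions.
ACCOUNTS = [
    {"id": "acct_a", "phone": "+10000000001", "emailed": ["acct_b"]},
    {"id": "acct_b", "phone": "+10000000002", "emailed": []},
    {"id": "acct_c", "phone": "+10000000002", "emailed": []},
    {"id": "acct_d", "phone": "+10000000003", "emailed": []},
    {"id": "acct_e", "phone": None, "emailed": ["acct_d"]},
    {"id": "acct_f", "phone": "+10000000009", "emailed": []},
]

class UnionFind:
    """Disjoint-set structure with path compression."""
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def cluster_accounts(accounts):
    """Group accounts linked by a shared signup phone or an email contact."""
    uf = UnionFind()
    known = {a["id"] for a in accounts}
    for a in accounts:
        uf.find(a["id"])  # register accounts that have no links at all
        if a["phone"]:
            # The phone is a node of its own, so every account using it merges.
            uf.union(a["id"], ("phone", a["phone"]))
        for peer in a["emailed"]:
            if peer in known:  # ignore contacts outside the data set
                uf.union(a["id"], peer)
    groups = defaultdict(set)
    for a in accounts:
        groups[uf.find(a["id"])].add(a["id"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

def associated_with(seed, accounts):
    """Return every account in the same cluster as the seed account."""
    return next((g for g in cluster_accounts(accounts) if seed in g), [])
```

Any single shared attribute can be legitimate (a family phone, a victim who was merely emailed), so a cluster is a lead for human review rather than a verdict.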
And here’s an example of how a case that does end up resulting in arrests might develop inside a tech company.
A few years back, a bank alerted Yahoo that someone was hacking into accounts and switching associated email addresses to Yahoo emails. But when Zadig’s team looked in, they found something else: subject lines indicating that numerous tax filings were being completed.
The bigger scheme was tax return fraud. Yahoo’s investigators could see dozens of Yahoo accounts created to file tax returns with various tax providers, indicating that numerous refunds were being issued and cashed out. (Two guys were later arrested as part of a massive identity-theft sweep in the Miami area.)
For law enforcement, this kind of information is only available with a search warrant — for each email account. They might have never connected these particular dots, and definitely not this fast.
And this can be a touchy comparison.
Here’s a point that Zadig made at least three times in two days: “We are not law enforcement; we work for a private company … We don’t want to be accused of being an agent of law enforcement, of doing things that would normally require a legal process.”
When I asked Zadig and Pageler — who’s now the chief risk and security officer at Neustar — why they’d left public service, both offered similar stories. Those had been dream jobs — Pageler even says he’d felt physically sick to leave the Secret Service. But the hours were extreme, the travel intense, the pay not as good — both men wanted a more family-friendly lifestyle.
When Pageler was a special agent, he established the San Francisco electronic crimes task force, meant to spur exactly what he says is happening now: better coordination and cooperation between the tech companies and the government. “It’s really pretty awesome for me to see,” he says. “I feel like we’re on the path that I was working for and I think it’s working very well.”