
Is Mob-Busting RICO Overkill For Combating Cybercrime?

The milestone conviction of 22-year-old David Camez for his participation in a Russian-run "carder" forum raises legitimate questions about the role of RICO in taking down cybercrime.

Fans of The Sopranos -- or any other TV show or movie about the mob -- have probably heard of the Racketeer Influenced and Corrupt Organizations (RICO) Act, which allows federal prosecutors to bring charges against anyone who's part of a vast criminal enterprise. But should RICO be employed to take down members of a cybercrime enterprise?

That came to pass recently, when -- for the first time -- a federal jury returned a guilty verdict against David Ray Camez (aka "Bad Man," "doctorsex"), 22, for his participation in the Russian-run forum Carder.su, which has been likened to an eBay for stolen identity information. Camez now faces up to 40 years in prison and a fine of up to $250,000.

Prosecutors argued that the site led to $50 million in losses. "It is difficult to fathom the enormity and complexity of the Carder.su racketeering organization and its far-reaching tentacles across international borders," Daniel Bogden, the US attorney for Nevada, said in a statement. "The Internet has provided sophisticated international criminals access to the United States and its citizens, and the ability and means to harm us."

But, according to his defense attorney Chris Rasmussen, Camez was only 17 when he bought his first fake ID from an undercover Secret Service agent known as "Celtic," and had nothing to do with running or operating Carder.su.

All of which begs the question: Was RICO properly applied in this case? "Prosecutors love the RICO statute in part because it's a huge hammer," Ifrah Law white collar crime attorney David B. Deitch told me in an interview. "The statute was written to go after what we think of as mobsters, the mafia, organized crime."

Shades of Aaron Swartz?
In some computer-related crime cases of late, prosecutors have gone too far. Many legislators, information security and privacy experts, and legal experts slammed Justice Department prosecutors for apparently attempting to score political points -- at the expense of dispensing appropriate justice -- after they threatened Reddit co-founder Aaron Swartz with 35 years in jail, simply for downloading millions of academic articles from the JSTOR academic database.

Swartz was protesting JSTOR charging for articles, when many had been supported by government funding. Ultimately, Swartz committed suicide. Later, federal prosecutors said that despite threatening Swartz with a number of charges, including violating the Computer Fraud and Abuse Act, they only would have recommended a seven-year sentence for Swartz. Given that Swartz returned all of the JSTOR articles he'd downloaded, and JSTOR officials requested that the government not prosecute Swartz -- and later began offering many of its articles for free -- even seven years seemed draconian.

Of course, Swartz had other options available to him. For starters, he could have pleaded to lesser charges -- and the same applied to Camez. "Just because you're charged with RICO doesn't mean you have to plea to RICO," attorney Mark Rasch, a former federal computer crime prosecutor based in Bethesda, Md., tells me by phone.

Camez chose to fight the two racketeering charges filed against him. "He's always insisted that although he may have been guilty of the charges, he was not responsible for the $50 million in loss that the government alleged," his attorney told the Las Vegas Review-Journal after the guilty verdict was announced.

A "great experiment" by prosecutors
During the trial, the newspaper reported, Rasmussen stood close to Camez, telling the jury: "This case isn't about this young man right here." Rather, he said it was a "great experiment" by prosecutors to try to establish that a website is a racketeering organization. "The government is on trial in this case just as much as David Camez," he said.

Notably, the judge in the Camez case allowed the RICO charges to proceed, and a jury, after deliberating for less than two hours, returned a guilty verdict.

A more common charge in this type of online crime case, according to Deitch, would have been conspiracy, which refers to two or more people agreeing to commit a crime, and which carries a maximum sentence of five years in prison. With RICO, however, "you can be sent to prison for 20 years -- so it's a big difference," says Deitch. That also hints at why prosecutors want to use RICO: It lets them bring greater penalties against suspects, including longer recommended jail times, as well as the prospect of their forfeiting ill-gotten gains.

"Like conspiracy, RICO allows you to get at a whole bunch of what you might call tangential or incidental conduct, and make it part of the enterprise," Rasch says. "What's different here is that at sentencing you're supposed to consider a person's role in the enterprise, and if they're a major participant or a minor participant in it. The problem is that even having a minor role in a $50 million case is pretty steep."

What's required to gain a RICO conviction? "This is over-simplifying a complex statute, but there are really two parts to it: you have to show a pattern of activity, meaning it's not just a one-off thing, and you have to show an enterprise, which is an organization with structure," Deitch says. The definition of "enterprise," however, remains amorphous. "Many thousands of trees have died in the service of case law trying to describe what an enterprise is," he said.

Despite the successful use of RICO in this case, Deitch says RICO-related cybercrime trials will remain rare "because the proof has to be very complicated" to make a RICO charge stick. At the same time, he argues that the bar for allowing RICO to be used should remain high, to avoid any potential misuse by overzealous prosecutors.

Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Brian Bartlett
User Rank: Apprentice
12/23/2013 | 3:31:53 AM
It doesn't matter...
whether you are a lieutenant, capo, bagman or enforcer. The organization, and it was definitely a group with specific (illegal) shared goals, really is corrupt. Racketeers? Yes, they were engaging in a racket. All the elements are there, you'd need a lawyer to dissect the theology needed to contradict the facts.

As for the age, this society recognizes that there are adult-size consequences to adult-size criminal acts. I understand the Aaron Swartz analogy and it is far from the mark. No member of society was damaged save the owner of the repository and they forgave that.

As an aside: I've yet to scratch the surface of a US Attorney that didn't have future higher office as a goal, which is why the statutes are heinously applied. In this one case, where in my NSHO RICO was applied correctly, the US Attorney got the golden ring (look that up, youngsters ;). OTOH, I expect the Aaron Swartz case is sticking to that lawyer's shoes even today.

User Rank: Apprentice
12/18/2013 | 12:57:28 AM
Other Side of the Story
I love the media. I have seen several articles like this, some more biased than others, but all with the same slant that the government is being overly abusive with its use of the RICO statute. However, in each article I seem to see only the portions of the story that paint Camez as some poor kid who at 17 got wrapped up in some "ebay for criminals".

I followed this trial closely and what I don't see in the articles is any mention of the portions of the trial where Camez was trading guns for counterfeit credit cards or the portion of the trial where one of his codefendants testified that Camez's advice to him after he got in trouble at a Walmart was to next time punch the cashier in the mouth or statements Camez made about his own crew beating up a cashier.

What I think is telling, and only gets a cursory mention, is that the jury only deliberated for 2 hours (which actually included their lunch break). The trial lasted over 3 weeks and had dozens of witnesses. Often quoted experts say that RICO is an incredibly complex statute. Yet 12 people, who aren't judges or lawyers, understood the law as it applied here and made a unanimous decision in less than 2 hours. That tells me that it wasn't much of a "government experiment" at all, but instead a way to deal with the new face of organized crime.


Marilyn Cohodas
User Rank: Strategist
12/17/2013 | 12:30:33 PM
Re: Guilty?
The appeal will be worth following, I'm also curious to see if Camez' attorneys will argue the appeal based on the inappropriateness (or lack of) of the RICO statute.
User Rank: Apprentice
12/17/2013 | 11:24:36 AM
Re: Guilty?
Thanks for your comment. What's notable here is that Camez never pleaded guilty. Rather, he was convicted, which makes this the first time that RICO was successfully used in a cybercrime case that resulted in a guilty verdict.

At first blush, I agree that using RICO to take down criminals seems like a no-brainer. But the case also raises a number of interesting legal questions. For starters, is a 17-year-old customer of an underground forum -- that's been likened to an eBay for ID thieves -- part of a "criminal enterprise"? Or is he just a thief who buys stolen IDs, and who might be successfully rehabilitated after doing a bit of time?

Because he was convicted on the RICO front, this guy can be sent down for a much, much longer period of time (max 20 years) -- and be on the hook for the entire amount of money stolen by members of that eBay-like ID theft site -- than if he'd been convicted of a non-RICO charge (max 5 years). 

That's why Deitch was arguing that judges need to be careful about how they handle these kinds of cases. Prosecutors will always throw the biggest book (if you will) that they have at a suspect. But I'd argue that the time should fit the crime.

All that said, I think it will be interesting to see what kind of sentence Camez gets, and also if the RICO conviction holds up on appeal.
User Rank: Apprentice
12/17/2013 | 7:40:55 AM
If an individual admits to being guilty of the charges, what is a jury expected to do? I don't know if he admitted guilt during the trial, or as an aside afterwards. But I can't blame the government for going after the harsher choice, though they could have asked for a lesser penalty in this particular case. Should cyber crime be prosecuted under RICO? Sure! There are networks of criminals doing this. Estimates have been that cyber crime costs us billions a year. Crime is crime.