A federal jury in Nevada recently convicted 22-year-old David Ray Camez of violating the Racketeering Influenced and Corrupt Organizations Act (“RICO”) for his association with a “carder” website, Carder.su. The Department of Justice is touting this conviction as the first RICO conviction arising from computer-related crimes, and we anticipate that RICO will become an effective tool for prosecutors and private businesses to use in combatting cybercrime going forward.
RICO (18 U.S.C. §§ 1961-1968) was enacted in 1970 to assist federal law enforcement in prosecuting organized crime. Section 1962 is the heart of the statute, and § 1962(c) makes it “unlawful for any person employed by or associated with any enterprise engaged in or the activities of which affect, interstate or foreign commerce, to conduct or participate, directly or indirectly, in the conduct of such enterprise’s affairs through a pattern of racketeering activity.” The definition of “racketeering activity” includes dozens of predicate acts based on both state and federal law, and a “pattern of racketeering activity” is defined as “at least two acts of racketeering activity . . . the last of which occurred within ten years after the commission of a prior act of racketeering activity.” Section 1962(d) makes it unlawful for anyone to conspire to violate RICO.
Camez, who was known online as “Bad Man,” was indicted for his participation in a “carder” website known as Carder.su. Prosecutors alleged that Carder.su, like many carder websites, was an online forum consisting of thousands of members – alleged fraudsters who bought and sold counterfeit identification cards, credit and debit cards, credit card dumps, botnets for rent, and the materials needed to manufacture counterfeit access devices, including financial payment cards. According to the indictment, Carder.su’s membership included “leaders” who controlled the day-to-day management of the website, devised strategies for the enterprise, and admitted, disciplined, and expelled members. “Moderators” carried out the orders of the “leaders,” “reviewers” examined and tested the contraband sold on the forum, and “vendors” offered the contraband for sale. Finally, “members” were users of the forum who purchased the contraband available on the site.
Camez was allegedly a “member” of Carder.su. He is one of more than 50 individuals indicted for participating in the enterprise, which allegedly resulted in more than $50 million in losses to victims. Authorities alleged that Camez purchased counterfeit identification cards and possessed equipment to make access devices, conduct in violation of 18 U.S.C. § 1028 (fraud in connection with identification documents) and 18 U.S.C. § 1029 (access device fraud), respectively. These predicate acts were the basis for the government’s substantive RICO charges against Camez. He was also charged with conspiring to violate RICO. Following a three-week trial and a brief jury deliberation (reportedly less than two hours), Camez was convicted on both the substantive and the conspiracy counts. He is scheduled to be sentenced in April 2014. Several other defendants in the case have pled guilty, and more are scheduled for trial on similar charges in February 2014. Many other defendants remain at large.
Camez’s conviction has far-reaching implications for future cybercrime prosecutions. RICO provides several key advantages to prosecutors that may not be available under more traditional computer crime statutes (such as the Computer Fraud and Abuse Act (“CFAA”)). First, the statute provides stiffer penalties, including 20 years to life in prison (depending on the nature of the predicate offense), consecutive sentencing for RICO substantive and conspiracy convictions or multiple RICO substantive convictions, and forfeiture of proceeds of racketeering activity on a joint and several basis. These stiffer penalties often result in guilty pleas prior to trial. Second, RICO allows prosecutors to obtain a pre-trial restraining order preserving assets that may be subject to forfeiture following conviction. Prosecutors can use this provision to preclude targets from using racketeering-derived assets to fund their defense. Finally, a RICO conspiracy charge allows prosecutors to hold one defendant responsible for the conduct of the enterprise (even if he did not commit a substantive RICO offense) and provides more flexibility with regard to the statute of limitations. So long as the defendant knowingly agreed to facilitate the enterprise’s scheme, he can be held responsible for any resulting substantive RICO violations under 18 U.S.C. § 1962(d). Moreover, the limitations period for such a charge does not begin to run until the conspiracy has ended or the defendant has withdrawn from the conspiracy, meaning a defendant could be convicted for his role in a RICO conspiracy even if a prosecution based on his individual conduct would be time-barred.
Camez’s conviction may also provide another tool for private companies that have been victimized by organized cybercrime organizations. Section 1964 provides a private right of action to “any person injured in his business or property by reason of a violation of section 1962” and allows recovery of treble damages, costs, and attorney’s fees. In addition to more traditional avenues of recovery (such as the CFAA and theft of trade secrets statutes), private businesses may find a RICO claim to be an effective tool in recovering losses resulting from computer-related crime.