The chart on the screen looks like something out of a TV crime drama: an elaborate web of emails and phone numbers, some names and photos, all connected by a mesh of thin lines.
The man standing in front of the maze is an investigator. But if you met him at a bar, he'd probably tell you he's a software engineer. That's because his work is sensitive — but also, because he works for a tech company in Silicon Valley.
As more and more of our lives play out online, so do crimes. This has prompted major tech companies to start growing internal crime-fighting cyber teams, often staffing them with former law enforcement agents.
In this case, the man with the intense chart on his screen works for a security team called "the Paranoids" — a brand started almost 20 years ago by techies at Yahoo, now known as Oath after a merger with Verizon/AOL.
"This is basically a fraud ring that we identified out of South Africa," says the investigator. (He spoke anonymously to protect his work.)
"We" refers to the "threat investigations unit" at Oath — a team of about 20 people that hunts for fraudsters, identity thieves, child predators and other criminals who might be using Yahoo Mail, messengers, Flickr, Tumblr or other corporate platforms for their illicit acts.
About a third of this team came to Silicon Valley by way of law enforcement — including the man in charge, Sean Zadig. His path to security work began as a federal agent, investigating international cybercrime at the NASA Office of Inspector General, tracking down hackers who tried to hijack NASA computers.
This is an interesting trend: Silicon Valley has been slowly staffing up with former agents — from the FBI, the Secret Service, or in this case, NASA. The matter even came up at a recent congressional hearing on Russia's influence campaign on social media, where a Republican lawmaker asked a Facebook executive why his company needed staff with security clearances.
In a way, it's a reflection of modern crime. Criminals send emails, follow each other on Facebook, find victims on dating sites. Tech companies don't want to be used for criminal schemes, and hiring highly trained federal investigators helps.
But there's also something else.
"The government doesn't always have the birds-eye view anymore," says Tom Pageler, a former Secret Service agent, who's now also in the tech industry.
He says it used to be that the government had more of our data: Social Security numbers, driver's licenses, voter registration. Now, it's private companies that know where we go online, who we're talking to.
"I think that actually what is happening today is what we were hoping for back then," Pageler says, referring to his days in the Secret Service in the the early 2000s. There is now "a really good partnership, where well-trained individuals are going into the private industry and know how to investigate the case and package it properly for law enforcement to do what they need to do," he says.
Charts on the walls
I met the Zadig, the Oath threat investigations chief, at the company's Sunnyvale headquarters for essentially a super nerdy ride-along, which is how I found myself staring at that intense chart.
"The chart shows who did what to whom, where they are located, how they are connected to each other," he says.
His investigators can't see the content of emails — that's law enforcement warrant territory — but they can connect email accounts by seeing who's emailing whom, or whether the same phone number gets used to sign up. They can then scour the Web for social networks or other public digital trails connected to those emails and phone numbers — trying to put emails to names, faces and locations. Occasionally, they find the suspects on Facebook posing with wads of cash.
"We will print these charts out 2, 3 feet wide and they'll be longer than the conference room table," Zadig says. "And we'll often sit down with law enforcement prosecutors and walk them through: Here's how this account connects to this account, here's how we identified this person."
Sometimes, Zadig says, his team would return later for a follow-up "and we'll see these charts on the walls, law enforcement or prosecutors have marked on them, they've made new connections that we hadn't made." He says his team's work has led to more than 150 arrests in about three years.
Zadig's team usually comes in after something illegal already happened. This includes the giant hacks of Yahoo itself, which happened in 2013 and 2014 and were disclosed by the company in late 2016. The company has not been able to identify the 2013 hack, but for the 2014 breach, the Justice Department has indicted four people: a Canadian hacker, who has pleaded guilty, and three Russians, two of whom are accused as agents of the Russian government.
'We are a private company'
Not all investigations end up being shared with law enforcement. Some spammers might simply be shut down by the internal team. Jasdeep Singh Bhalla, a software developer on Zadig's team, showed me an automated search tool he's been building for months to dig up all accounts one spammer might create using bots, allowing the team to shut them down in one fell swoop.
"In a matter of 30 seconds, you've got 70 associated accounts," Singh Bhalla says, as a massive web of related accounts populates his screen. This is an extreme case: someone had created some 1,200 related accounts. "If you do this manually," Singh Bhalla says, "it would take you two months to search."
And here's an example of how a case that does end up resulting in arrests might develop inside a tech company.
A few years back, a bank alerted Yahoo that someone was hacking into accounts and switching associated email addresses to Yahoo emails. But when Zadig's team looked in, they found something else: subject lines indicating that numerous tax filings were being completed.
The bigger scheme was tax return fraud. Yahoo's investigators could see dozens of Yahoo accounts created to file tax returns with various tax providers, indicating that numerous refunds were being issued and cashed out. (Two guys were later arrested as part of a massive identity-theft sweep in the Miami area.)
For law enforcement, this kind of information is only available with a search warrant — for each email account. They might have never connected these particular dots, and definitely not this fast.
And this can be a touchy comparison.
Here's a point that Zadig made at least three times in two days: "We are not law enforcement; we work for a private company ... We don't want to be accused of being an agent of law enforcement, of doing things that would normally require a legal process."
When I asked Zadig and Pageler — who's now the chief risk and security officer at Neustar — why they'd left public service, both offered similar stories. Those had been dream jobs — Pageler even says he'd felt physically sick to leave the Secret Service. But the hours were extreme, the travel intense, the pay not as good — both men wanted a more family-friendly lifestyle.
When Pageler was a special agent, he established the San Francisco electronic crimes task force, meant to spur exactly what he says is happening now: better coordination and cooperation between the tech companies and the government. "It's really pretty awesome for me to see," he says. "I feel like we're on the path that I was working for and I think it's working very well."
RAY SUAREZ, HOST:
And I'm Ray Suarez with All Tech Considered.
(SOUNDBITE OF MUSIC)
SUAREZ: More and more of our lives play out online. We share where we live, work, eat, travel. Criminals, too, increasingly have migrated to the digital universe, attracted by all that data we share, so a growing number of tech companies have launched their own crime-fighting cyber teams. NPR's Alina Selyukh looks inside one of them.
ALINA SELYUKH, BYLINE: The day began with a plan for what I imagined would be a super nerdy ride-along following cyber investigators as they kick down cyber doors and expose cybercriminals. So I decided to prepare in the most stereotypical way I could think of - with a doughnut and a coffee. Except I'm in a cafeteria in Silicon Valley, so my donut became a fancy cronut and a coffee became...
UNIDENTIFIED WOMAN: Medium latte.
SELYUKH: ...A latte. Soon my guide for the day arrives.
SEAN ZADIG: Hi, how's it going?
SELYUKH: Nice to meet you.
SELYUKH: His name is Sean Zadig. I must say his healthy breakfast puts mine to shame. Zadig runs a team of about 20 people. It's called threat investigations. And it lives inside a security unit known as the Paranoids at a company formerly known as Yahoo, now known as Oath after a merger with Verizon. And the team essentially hunts for fraudsters or child predators who try to use Yahoo emails or other platforms for their crimes. We're making our way through the glass-covered buildings on the company campus to meet Zadig's team. But before I do, I learn something about Zadig that kind of intrigues me.
ZADIG: You know, we went to the same academy that Secret Service went to and Homeland Security.
SELYUKH: He's a former federal agent - used to do law enforcement at NASA, tracking down hackers preying on NASA computers.
ZADIG: After the academy, I spent seven years with them focusing almost exclusively on international cybercrime.
SELYUKH: What was the first moment where you were, like, no one's noticed this and this is going down?
ZADIG: So it was in 2006. There was a case of a NASA employee who had opened a virus that was sent to her by a guy living in Nigeria. And it was...
ZADIG: ...It was a romance deal. And he had convinced this woman that they were going to get together and they were going to get married. And he was really trying to steal her identity.
SELYUKH: These types of crimes are often anonymous. It's relatively rare for them to end up in court. But Zadig tells me the story of how he ended up tricking the scammer guy into accepting a package from the victim, which got him arrested in Nigeria. And then Zadig tracked down the scammer's big boss and got him into an American prison. And then he says something interesting.
ZADIG: I felt accomplished that, OK, we got this guy. We showed that it can be done and that law enforcement and private industry should consider doing those type of cases.
SELYUKH: Law enforcement and private industry should consider these cases. Think about this - I'm inside a tech company talking to a former federal investigator about his government work. This is an interesting trend. Silicon Valley has been slowly staffing up with former agents from the FBI, the Secret Service or NASA. In a way, it's a reflection of modern crime. Criminals send emails, follow each other on Facebook, find victims on dating sites. Tech companies don't want to be used for criminal schemes, and hiring highly trained federal investigators helps. But there's also something else.
TOM PAGELER: The government doesn't always have the bird's eye view anymore.
SELYUKH: Tom Pageler is a former Secret Service agent who's now also in the tech industry. He says it used to be that the government had our data - Social Security numbers, voter registration. But now it's private companies that know where we are, who we're talking to. And this shift was already happening in the early 2000s when he was a federal agent.
PAGELER: So I think that actually, what is happening today is what we were hoping for back then - a really good partnership where well-trained individuals are going in the private industry and know how to investigate a case and package it properly for law enforcement to do what they need to do.
SELYUKH: Here's how this process might work. Let's go back to Zadig's team.
What are we looking at?
UNIDENTIFIED MAN: OK, so this is basically a fraud ring that we identified out of South Africa.
SELYUKH: So essentially this looks like a digital version of, like, in the movies they have crazy photos and red threads running from photo to photo. Is that...
UNIDENTIFIED MAN: That's absolutely right.
SELYUKH: I won't name this man to protect his work, but his chart is intense.
UNIDENTIFIED MAN: We've got connections from, you know, victim accounts to suspect accounts based on phone numbers. And then we've ended up being able to locate actual Facebook profiles for our subjects based on IP logins and phone numbers and things like that.
SELYUKH: This is how Zadig's team tries to connect Internet crimes to real-life criminals. The team can't see the content of emails for user privacy, but they can connect sketchy accounts by seeing who's emailing whom, or did they use the same phone number to sign up? Then they scour the web for social networks or other public digital trails connected to those emails and phone numbers. Turns out criminals sometimes shamelessly flash wads of cash right on Facebook.
ZADIG: We will print these charts out 2 or 3 feet wide and they'll be longer than a conference room table. And we'll often sit down with law enforcement prosecutors and walk them through here's how this account connects to this account. Here's how we identified this person.
SELYUKH: Zadig says this is how their cases end up being prosecuted. They know how to build one. About a third of them used to work in law enforcement.
ZADIG: And then we've come back later to follow up on cases, and we'll see these charts on the walls. You know, law enforcement or prosecutors have marked on them. They've made new connections that we hadn't made.
SELYUKH: Zadig's team usually comes in after something illegal already happened. That includes the gigantic hacks of Yahoo itself. They happened in 2013 and 2014, though the company only disclosed them last year. In the 2014 case, a Canadian hacker has pleaded guilty and three Russians, including two government agents, have been indicted.
Another time I met Zadig, he told me about a case that shows how often the public might not even realize that an investigation began inside a tech company. This new case had started as a tip from a bank that hackers were breaking into bank accounts and switching them to Yahoo emails. But Zadig's team noticed something else.
ZADIG: We saw that they had created, you know, dozens of Yahoo accounts that were used to file tax returns. And, like, your normal person files one a year, right? And these folks were filing dozens of tax returns a year.
SELYUKH: Two guys were later arrested for this. The scheme was tax fraud. And Zadig's team spotted it by seeing email subject lines like congratulations, you've finished your tax return or your refund has been issued. For law enforcement, this kind of information is only available with a warrant for each email account. They might have never connected these particular dots, definitely not this fast. And there is a touchy side to this comparison. Here's something Zadig told me over and over.
ZADIG: We're not law enforcement, even though some of us come from that background. We take really great pains to make sure that we have a really clear line between what is a law enforcement job what is our job?
SELYUKH: And there's definitely enough crime on the Internet to keep them both busy. Alina Selyukh, NPR News, Sunnyvale, Calif.
(SOUNDBITE OF MINOTAUR SHOCK'S "MY BURR") Transcript provided by NPR, Copyright NPR.