Story

The Ringleader: Kim (Owner Megaupload) involved in calling card fraud investigation in the nineties

Playing the numbers, a Triad computer nerd turns employee theft into an international crime wave. 

It's past 9 a.m., and Knight Shadow is late for the interview. It's not his fault. The federal prison camp at Seymour Johnson Air Force Base is on lockdown for a surprise head count. That happens once or twice a week, in addition to check-ins every two hours. 

 Knight Shadow, a k a Ivy James Lay, is one of the most notorious. He was the center of an international crime ring peddling stolen calling-card numbers. Its reach spanned from Los Angeles to Germany, Spain and beyond. Lay was the supplier, his light fingers tapping into a computer to steal up to 100,000 card numbers from MCI's switching station near Greensboro, where he worked as a night-shift technician. He distributed them on-line through his middlemen, guys like "Killer" and "Legend." They found a ready market in European hackers and software pirates, who used them mostly to call bulletin boards to chat or download stolen programs. 

MCI called it the largest fraud of its kind, and it went on for more than a year. The volume of calls was so great it forced AT&T to add overseas capacity so callers wouldn't get "all circuits busy" signals. Fraud complaints doubled at some phone companies, which had to beef up their staffs to handle them. MCI had five investigators on the case full-time for nine months. 

The scheme came crashing down in September 1994 when Secret Service agents raided Lay's Haw River home. By then, early estimates said, more than $50 million in fraudulent long-distance calls had been racked up. One card alone had $99,000. 

GTE lost so much money on this and a similar scheme, it did away with international calling on its cards for a while. MCI, AT&T and others installed new security systems to sniff out fraud quicker. One AT&T investigator claimed the inflated flow of international calls may have affected the balance of trade. 

Lay is part of modern-crime mythology - elevated to that status partly by the public's fear of a technology it doesn't fully understand. He was No. 8 on the Pittsburgh Post-Gazette's Internet's Most Wanted list, alongside such techno-hooligans as Kevin Mitnick, the fugitive hacker nabbed in Raleigh in 1995. 

Lay pleaded guilty to federal credit-card fraud and got 38 months. He's been doing time since May 1995 at the Goldsboro prison camp (which, though housed on base, has no direct tie to the Air Force). It's a minimum-security facility, holding only nonviolent criminals. Seventy percent of the 460 are here on drug convictions; the rest, white-collar, mostly fraud. 

Encircled by pine trees, the eight one-story barracks sport peach and pink concrete block, with cream columns in front and triangular orange roofs. It looks like a nouveau-Aztec middlebrow retirement center. Inside, though, the barracks are spartan. Rows of 8-by-10-foot cells with 5-foot rose-colored concrete walls form a maze of institutional cubicles. Each cell has a plain metal bunk bed, desk and two lockers. But no bars. 

There are no armed guards, either only "counselors" and "custody officers." Outside, no fences, just bright-red signs on the perimeter that read "Out of Bounds." Escapes are rare. "We had one walk away last year," public information officer Rodney Tabron says. Make no mistake, this is prison. The barriers might be imaginary, but the confinement is real. 

At 20 past 9, Jim Lay shuffles into the visitors center, dressed in green prison garb and white tennis shoes. His shoulders are rounded, his black hair plopped to one side. He wears tintedoversized glasses. Though 6-1 and 215 pounds, he's unassuming. That's no shock if you've seen photos of the nerdy Kevin Mitnick. 

The two visiting areas are taken up by horticulture and drug classes for inmates, so Tabron puts us in a concrete-block room just big enough for two people and a small round table. He sits outside the open door. 

Soft-spoken yet chatty, Lay, 31, is anxious to tell his story for the first time. (MCI security officials, through a spokesperson, declined to talk about the case, saying they'd rather put the incident behind them and that disclosing details on their investigation might aid hackers.) He's curious, too, about what's happened to the eight others charged in the scheme, most of whom were sentenced after he went in. They range from the 25-year-old son of a Beverly Hills developer to a 58-year-old retired steelworker in Blaine, Minn. Lay has met only one in person. Five got jail or community-center time, though not as much as he did. Two got probation. One is facing similar charges in Germany. 

"We never looked at it to the point of going to jail. If we had considered that, it wouldn't have been worth the risk," Lay says. "That's how we looked at it: There's no big-time crime here. I knew I would lose my job - let's put it that way." 

For all the money he cost phone companies - calculated eventually at $23 million to $38 million - Lay figures he made only $50,000. The irony is that unlike Mitnick, who stole for sport, Lay did it for the money. He used the dough to fix up the house, buy a truck, take his wife and three stepchildren on vacation to Denver, stuff like that. "I wasn't planning on going where I went with it," says Lay, whose MCI gig paid $29,300 a year. "I wasn't looking at saying, 'I want to be the world's largest calling-card supplier.' I was looking at making $2,000 to take care of some things we needed. But when you get one small amount of money, you find other things you need. You're just never satisfied." 

Stripped of the hype, Jim Lay is no different from the employee who pilfers office supplies or dips into the petty-cash drawer. Like most employee thefts, his was a crime of opportunity, fueled by greed and resentment. His just had bigger consequences. 

Lay got his first computer when he was 15, not long after his parents divorced. He was living in Tampa with his mom, a Waffle House district manager, and talked her into buying him a Commodore 64. It came with a modem, which he used to call bulletin boards. But it wasn't until after he joined the Air Force at 19 that he got heavy into the pirate community. 

He served five years at Langley Air Force Base in Virginia, working.as a communications technician on an "alert" aircraft. If the United States were attacked, the plane could issue launch commands to nuclear subs at sea. Lay spent much of his spare time chatting on the boards. He went by the handle Knight Shadow, which he borrowed from a computer-game character. "It was really a big friendship-type thing. I'd get in there and talk to guys in Britain. We'd chat for sometimes hours at a time." 

Eventually, he stumbled across the pirate boards, distribution points for illegally copied commercial software. Stolen credit-card and calling-card numbers were posted there, too. "You probably at any one time had over a thousand pirate boards, plus overseas boards," he says. 

These boards earned their reputations by how fast they got new software. Ten minutes after a program hit store shelves, some board would have it cracked and uploaded. "You'd get back from the store, and I'd already have it," Lay says. "Anything that came out that they could get their hands on, it was on the boards. Games, financial software, word-processing software. There were $10,000 CAD systems put out there." The faster and bigger the board, the tougher it was to get on. "They're very picky on who they allow in." He started out with small boards, but as he met more people, he got on better and better ones. 

When Lay left active duty in 1989, he got a job at Eastern Airlines' overhaul base in Miami. There he met his future wife, Judy, a mechanic and divorced mother of three. The couple found themselves unemployed when the airline folded in January 1991. 

That's when Lay had his first run-in with the law. Out of work for six months, "we were at the end of our rope," he says. His cousin in Columbia, S.C., told him about a Subway Sandwiches manager in town who carried out his deposit at night. Lay could grab the cash and run. It didn't work out that way. "I never got within 20 feet of him," Lay says. "He saw me and started screaming." Lay took off running, and the police picked him up quickly. He got five years' probation for attempted robbery. 

"What was so bad was, four days later I got a call from MCI. If I had just waited." The application asked Lay only if he had been convicted of a felony. Since he hadn't been convicted at that point, he checked "no." 

That September, he began working at the Greensboro switching station, an isolated cinder-block building outside the city limits, southwest of the airport. Calls in and out of North and South Carolina are routed through the switches there so they'll travel the fastest paths. He worked the 11:30 p.m. to 7 a.m. shift with three other technicians. His job was to maintain the switches. That meant replacing backup tapes, getting rid of static on the lines, debugging programs and other trouble-shooting. 

By then, he was active in three or four pirate boards and entrenched in the underground communities that revolved around them. "It was a world to its own - a whole new community, a whole new lifestyle. Most people, you'd never know they were involved in this other world." Everyone had a role. Some were crackers. They broke new programs. Some supplied calling-card numbers so members could call boards for free. Lay was a courier. He'd copy software off one board and load it onto others. 

He did this at work, where he could call for free, and used a maintenance line so it wouldn't generate a record. Each night when he got in, he'd set up his computer to download, then let it run while he worked. Two hours later, he'd start an upload to another board, keeping a copy of the programs for himself. "I was downloading a good 40, 50 megs of software a week," he says. Later, he figured out a way to patch into MCI's PBX system, setting up a line so he could make calls from home for free. 

People on the boards who knew he worked for MCI were always asking him for calling-card numbers, but he assumed he couldn't get them. Then one night in December 1992, he was working on the station's high-speed switch, where call data is transferred. Among the reams of data rambling across the monitor, he noticed the 10-digit card numbers and their four-digit personal identification numbers. "I said, 'Shoot, I'll have to remember this.'" 

Later, he jotted down 1,000 and gave them to cyberpal Oliver Bilak, the Beverly Hills developer's son. Bilak, a University of Southern California student, was going to Germany with his family for Christmas and knew a big buyer there. "Something happened, and he never got up with him," Lay recalls. Over the next several months, Bilak sold the numbers piecemeal via the boards. He found little demand. "MCI cards at that time, they weren't as attractive as AT&T," Lay explains. "AT&T you could oversiege. You talked to one operator one time, and then you could keep making phone calls. With MCI, you had to talk to an operator each time. These guys didn't like that." 

But by August 1993, AT&T had clamped down on fraud with new security systems that spotted compromised cards quickly. "AT&T cards were dying really fast, so MCI's were looking more attractive." 

After demand picked up, Lay knew he couldn't keep writing down numbers by hand. He figured a way to download them to a file, doing it by remote control from his office, and put filters on the switch's software to weed out unwanted data. 

He set up two distributors in the Los Angeles area to find buyers. One was Bilak, who used the handle "Killer;" the other, Josh Freifield, or "Legend," then an 18-year-old professor's son and computer-science major at the University of California-Irvine. Both lived with their parents. "I was using them as front men, so that if anything happened, I wanted myself as far away as possible," Lay explains. They knew each other, but didn't know Lay was supplying both. "I didn't want them going back and forth on things." 

Each had his own deal. Bilak kept half of what he sold, then sent Lay the rest in cash by Federal Express. "He took all the risk," Lay says. "I said, 'You handle everything. I don't want to talk with people, I don't want to get money from the people, I don't want to deal with them.'" Freifield got only 25%. That's because he didn't want to handle payments directly. They went to Lay, who sent Freifield his cut through money orders. 

They ran it like a business, giving volume discounts and guaranteeing replacements on bad cards. They used the bulletin boards to distribute the numbers. "We started out selling them for about $2.50," Lay says. "We were getting as high as probably $4 or $5 at one point. Toward the end it was about a buck seventy-five." 

That fall, Freifield tapped into a big San Francisco buyer who was reselling the numbers overseas. "He started buying like 3,000 cards a month." But the market dried up in December when the buyer was busted for copying Sega games. Bilak, meanwhile, found a team of distributors, "Killerette" and "Phone Stud," to help him move cards to overseas resellers. Killerette turned out to be Michelle Goodzuk, a chunky, bespectacled 25-year-old from Kirkland, Wash. Phone Stud is Enoch "Sonny" White, a legally blind 55-year-old shut-in from Philadelphia who's on a dialysis machine. 

By the time the cards reached the end users, after passing through several layers of middlemen, the price was $20 or more. Nearly all the buyers were in Europe, where analog phones are harder to trace than the digital ones here. Most used them to call boards in other countries and in the United States. But some used them for money-making schemes. Lay knows of two who would call their own chat lines in Singapore, where they got a cut of long-distance charges from the phone company. They'd leave the phone off the hook for hours, racking up thousands of dollars a month. 

To help collect money from overseas resellers, Lay enlisted a friend, Ron Stanton, then a 20-year-old Wingate College criminal-justice major from Cary. Stanton, who met Lay on the boards, would get the cash through Western Union or Moneygram and bring it to him every couple of weeks or so. Lay gave him $50 or $100 each time. "He was another layer between them and me," Lay explains. Stanton had a friend rent a private PO box in Greensboro under another name so Lay could pick up some payments himself. Sometimes, the money came stuffed in the pages of a magazine. "One time they opened a VCR tape, put $3,000 in there and closed it back up," Lay says. 

Bilak and Freifield got involved with the cards partly for on-line prestige. But Lay's interest was strictly business. He made sure no one outside his inner circle knew he was the source. "I was about as low-key as you can get." Bilak and Freifield floated stories that they were getting the numbers from an AT&T employee in California. 

By the end of 1993, Lay was starting to worry about Bilak. "He got totally out of balance. He got a big head over this, just a lot of boasting. He's the kind of person who was going to get caught." Besides, Lay suspected he was selling on the side. "I just wanted to get rid of him." So in January 1994, he squeezed Bilak out by hooking Freifield up with his two key distributors. 

Lay's cautiousness was bordering on paranoia. At work, he'd check the ceiling tiles for hidden cameras. And he bought a shredder. "I shredded everything - receipts for buying stuff, messages I printed out. I got rid of all of them." There would be scares when he'd hear about someone getting busted with numbers. He'd get rid of all his files, lay low for a couple of weeks, then start up again. 

Afraid that inflating his checking account would tip police, he kept cash in his night stand. "I probably had five, six, seven thousand dollars in there at a time. I'd have stacks of money this thick," he says, holding his fingers several inches apart, "because it wouldn't come in hundreds - it came in twenties, tens and fives. We'd pay cash for groceries, pay cash for gas, everything. If you wanted to go somewhere, just grab some money and go." It wasn't enough to start living large, but "it took care of a lot." He bought a used Ford Ranger for $14,000 and spent $2,000 to build a fence to keep in his dogs. He had some land cleared out and paid off a new heating system. 

In Lay's mind, he had the money coming to him. When he started with MCI, employees were getting 10% annual raises, he says. And he was counting on a promotion in six months for another 5% bump. "Then they came out and said, 'We can't give you these raises.' They said it was because of their money situation. Well, that year was their record-breaking year in sales - I mean, they made more money than they ever did. So that kind of killed some loyalty because I saw how the company just lied to keep money for themselves. I'm sure it went through my mind at some point that I could make up some of the money I lost." 

He and his partners figured they would get just a wrist-slap if caught. They had heard about others who got nabbed with numbers and got off easy. Besides, they figured, they weren't doing much harm. These were just unpaid charges the phone companies would write off. "It's not like you go over and take $10,000 cash from them," Lay says. "Everybody looked at it like, 'It's all on paper. It's not real.'" 

But the losses were real. U.S. long-distance carriers have to pay foreign phone companies to use their networks on international calls. That can run 50% to 70% of the charge. Plus, the carriers had to hire extra people to handle the flood of fraud complaints. MCI wasn't the only one hit. Many of the numbers Lay stole were from cards issued by Baby Bells. They use long-distance carriers like MCI to relay calls outside their regions. AT&T got hammered, too, because it leased lines from MCI. 

After German police picked up Kim Schmitz, a hacker who Lay says bought cards from him, in March 1994, Lay decided to get out of the racket. "I was worried that sooner or later, it was going to happen to me. Your luck only lasts for so long." But he knew he'd never be out of it as long as he remained at the Greensboro station. "If I stayed there, someone sooner or later would find out I'm the one who was supplying and blackmail me." So that spring he asked for and got a transfer to MCI's national network management center in Cary. 

Before he left, he downloaded a batch of numbers for one last score. "I knew if I was going to take that job there were things I had to take care of to sell my house. We had to get the place fixed up, I had to have the money for a down payment on the other house. So I was in a thing where I had to keep doing it to get rid of it. I said, 'I'll get all this money, take care of it, and then I'll be out of it totally.'" 

He made that sale in May to a Frenchman living in Spain named Max Louarn, a well-known on-line grifter. Louarn wired the $1,000 to Lay's bank account. "He's the only person I did that with. He didn't want to pay the fees to Western Union." He unloaded a handful of numbers he had left over on Bilak in June. 

By then, he had started his new job as a lower-grade engineer in Cary and moved his family to a ranch house in rural Haw River, east of Burlington. He destroyed all the disks he stored numbers on - except for one he lost in the move. He stayed away from the boards, calling just once in a while to chat. "And when I went to work I was doing straight work. I was out of it. I was looking at it as something that was behind me." 

The knock on the door came on a Saturday evening in late September. It was about 6 p.m., and Lay had just lain down for a nap. His wife answered it. She was greeted by a sheriff's deputy, four Secret Service agents and three phone-company officials. They had a search warrant. 

Schmitz, the German arrested in March, had given up Goodzuk, the Kirkland, Wash., distributor. Phone-company and Secret Service investigators had used phone records to track down Lay as the source. "They came in and said, 'You don't have to say anything. We got you already,'" Lay recalls. 

A week earlier, he had found the disk he lost during the move, the one with the numbers. He hadn't gotten around to destroying it. The investigators spotted it on his night stand. "When they had that, I knew I was gone. There was no getting out of that," Lay says. "And so I, uh, I, you know, I - I did what I had to do at that point." 

That was to spill his guts. He made a full statement, naming names and giving details on the entire operation. "I don't think they knew the extent of what was going on," he says. "I don't think they really realized all of what I had done and how I was doing it. I was the only one who could tell them." 

They had Lay call Bilak as they listened in. "I called him on the premise of what did he ever do with that bunch of cards I gave him. And then he started talking all for himself." Over the next three days, agents executed search warrants on the houses of seven other suspects in the case. They had Lay call Freifield to make sure he was home when they came knocking. 

Lay was not arrested immediately, but MCI fired him that Monday. It kept the incident quiet, and Lay was able to keep the news from his family. By Thursday, he had gotten a job with BTI in Raleigh. The company didn't ask about felonies. 

Then on Sept. 28 he was arrested and released on his own recognizance. Six days later, MCI issued a press release headlined "MCI employee charged in $50 million fraud." It named Lay. "That's when it hit the papers," he says. The biggies had it - the Los Angeles TimesChicago Tribune, The New York Times - and many of the locals. A Raleigh TV station camped out in front of his house. He was on the front page of USA Today. "One of my wife's relatives in Denver was sitting there and opened it up and said, 'Holy Cow!'" BTI saw it, too. He was told not to bother starting work. 

His truck was confiscated. So was his computer equipment. He had to give up the house because he couldn't afford the mortgage. 

Of the nine indicted, eight pleaded guilty. Though time was knocked off for cooperation, Lay's sentence was the longest because of his central role and previous conviction. Stanton, the gofer, got a year, split between a Petersburg, Va., prison and a Raleigh halfway house. He was released last June. Freifield got 27 months in a "shock-incarceration program," a boot camp for young offenders, in Lewisburg, Pa. Bilak is serving six months in a Lompoc, Calif., prison, and Goodzuk got 15 months in Dublin, Calif. 

Lay thinks - and is probably right - that authorities made an example of him, eager to show their low tolerance for computer crime. "They're doing this more and more to other people. There's a guy in here for hacking into the Internet. He got a couple of years, in fact." Assuming time off for good behavior, Lay will finish his sentence next February. He could get released to a halfway house as early as August. Since he has no money to pay restitution, he'll do 100 hours of community service each of the three years he's on probation. 

Lay, who makes 17 cents an hour as the camp chaplain's clerk, is not allowed access to a computer. No inmate is. "That's just one of their security policies. Most of my friends were on bulletin boards, so when I came in here, that was gone. And part of my pastime was playing games on the computer." 

So what's the worst part of prison life? "Well, one of the things is the separation from the family." He pauses to think, then as something else occurs to him, he chuckles and grins. "Not being able to mess with a computer." 

RELATED ARTICLE: To catch a thief  

Bob Myers looks like a Secret Service agent. With his trench coat and no-nonsense scowl, all the burly, balding 48-year-old lacks is an earplug. The man who caught Jim Lay has had plenty of practice. The Sparta native was an agent for 21 years before retiring last September to become a corporate-security investigator with NationsBank in Charlotte, specializing in internal theft. 

His Secret Service posts included the Queen City, Birmingham, Ala., and New York. He guarded visiting dignitaries, from Fidel Castro to Pope John Paul and every president from Nixon on. In the early 1980s, he spent three years assigned to Lady Bird Johnson in Austin, Texas. "I tell people it's somewhere between Guarding Tess and In the Line of Fire," he says. 

As a Treasury Department agency, the Secret Service investigates financial crime such as counterfeiting and credit-card fraud. Cracking the calling-card case was one of the biggest feathers in Myers' cap. "The Service calculated the fraud loss at $50 million, so that's a good-size case in anybody's career." 

He got involved in May 1994, when security officials from AT&T, MCI and four other phone companies met with agents in Washington, D.C. The companies figured the numbers were being stolen from the Greensboro switching station and, through phone records, had a good idea who was involved. But it was up to the Secret Service to nail Lay and his ring. Based nearby in Charlotte, Myers became the lead agent. 

Through a device called a dial-number recorder, agents monitored the suspects' phones, logging numbers they called. The agents would track as, say, Lay called Josh Freifield in California, then Freifield called Michelle Goodzuk in Washington state. "Then you'd start seeing codes coming up on Goodzuk's phone," Myers says. She was testing the numbers. "Then this code would just light up. You'd see calls going to all the other people, using this one code." 

By September, they had enough to get search warrants. "We were going to have one consolidated warrant for all the premises, hit them simultaneously to keep someone from going out and destroying information," Myers says. "But we weren't quite ready to do it." 

Secret Service agents in Washington nabbed Frenchman Max Louarn in a sting for another calling-card scheme. They didn't know until they caught him that he had bought cards from Lay. Worried Louarn's arrest would alert Lay, Myers scrambled back from an assignment in Florida to execute a warrant on Lay's home. "We moved as quickly as we could in each district, vs. coordinating it all as one." 

Speed was essential since word travels fast in the hacker community. "I've had other cases where it's the same thing," Myers says. "Within hours of the first arrest, it's all over the bulletin boards." When Freifield lost contact with two boards that had been shut down by agents, he quickly erased his files, dismantled his computer system and moved it to a friend's house. 

Some evidence was lost as a result, but the admissions of those involved provided ample ammunition for prosecutors. "Everyone basically was cooperative once the agents showed up with warrants," Myers says. 

He describes the ring members as "your typical geeks. Shake them up in a bag and they're all going to fall out about the same." But that's not the way they portrayed themselves on-line - which made for some shattered myths once the ring was exposed. "They all lived in this fantasy world to an extent. They were constantly blowing smoke to each other. Some were literally terrified of Bilak - 'He's so bad.' And Jim, they thought he was The Bruiser. He'd track them down - and kill them, for that matter. There was, of course, no truth to it. It was all persona." 

One of the toughest aspects of the case was collecting evidence. One board operator had six PCs linked to a Commodore Amiga 3000 computer. "He was running like 10 gigs of hard-drive daisy chain," Myers says. It took four agents, working eight hours a day, about three weeks to sort through his files. "And that was just hitting the high spots." 

The case had some serious ripple effects, Myers says. "It made the companies realize their vulnerability to losses that could affect their whole operations." But the fraud may have been the last of its kind. That's because of the rise of the Internet. Now that users can pay a local provider $19.95 a month for unlimited worldwide access, the demand for stolen calling cards is not what it once was. 

What does Myers think finally tripped Lay up? "Just the volume of calls. If he had not tried to flood the market - I think that was it." The sheer size of the fraud made it impossible for phone companies to ignore. "And with the volume of numbers they were stealing, it made it easier to track." 

The shame, he says, is that Lay was a talented technician. "He was the most intelligent of the group. He had a lot of potential." Still, Myers has little sympathy for the man he helped put behind bars. "If you act like a criminal, you get treated like a criminal."

Source: http://www.thefreelibrary.com/The+ring+leader.-a019474647