Busted: Entire List of AOL Users Sold to Online Gambling Spammer

24 June 2004

An online gambling operator is at the center of one of the largest spam controversies ever.

Late Wednesday afternoon, Jason Smathers, an AOL software engineer, and Sean Dunaway, the online gambling operator, were taken into federal custody after an investigation revealed that Smathers used a stolen ID code to obtain screen names and user data for nearly 30 million AOL users. He then sold the data to Dunaway, who used it to promote his online casino and then resold it.

The two men face up to five years in prison and a $250,000 fine. The charges, filed yesterday in the Southern District of New York, are the first major indictments under the recently passed federal CAN-SPAM bill.

The law, enacted in January, is aimed at cutting back the amount of spam e-mail that is sent. Many ISPs claim that spam accounts for nearly 75 percent of all e-mail sent.

Dunaway, 21, appeared in a Las Vegas court and was given 30 days to appear before a judge in New York. Smathers, 24, was ordered held by an Alexandria, Va., court until a hearing scheduled for today in Manhattan.

Dunaway paid Smathers $152,000--an initial payment of $52,000 and then a payment of $100,000--for an updated list. The two lists combined included 92 million AOL screen names.

Smathers got the information by using a co-worker's AOL user name, which granted him access to restricted areas in AOL's "Data Warehouse." He then applied special programming codes to run queries for all AOL users sorted by letters of the alphabet.

The lists were stored on CD-ROMs, and each letter was sold to Dunaway for $2,000. The initial list was obtained in May 2003, and Smathers provided Dunaway an updated list with an additional 18 million user names in early 2004. The indictment claims that Dunaway paid more for this second list because it had up-to-date information and a higher percentage of "valid" e-mail addresses.

Dunaway, who resides in Las Vegas, used the list to promote his gambling site, and then sold it to a person the government refers to as a "source," who used it to promote herbal penile-enlargement pills. The original list resold for $52,000; the updated list went for $32,500.

The complaint refers to Dunaway as an online gambling operator and spammer, but does not reference any particular gaming site. An employee reached at Dunaway's former employer said he was shocked to hear the news.

"I just can't believe that he would be involved in something like this," the former co-worker said. The two had worked together for an online marketing and design firm that went out of business about six months ago. It was the same company that Dunaway was working for when he was making the deals with Smathers.

The indictment claims that AOL officials became aware of the theft of the screen name that gave Smathers the higher-level access in March. The company launched an internal investigation that revealed correspondence between Smathers and Dunaway in which the software engineer said he was ready to grab the user names from the database, to which he had no legal access.

The indictment states that Smathers sent an e-mail to Dunaway informing him that he would be dividing the list up by the letters of the alphabet because there were so many users.

"I got it figured out," he allegedly wrote in the seized e-mail. "There are going to be millions of them so, [all errors sic] will take time to extract I will do them a chunk at a time . . . because 37 million accounts have up to seven screen names per account I'd expect there to be around 100 million active screen names, maybe more."

Smathers obtained screen names, zip codes and credit-card types (not credit-card numbers) of the company's 30 million customers. The charges were filed in New York, where more than 750,000 of the users have Manhattan zip codes.

AOL released a statement emphasizing its commitment to protecting its customers' privacy and stopping illegal spammers. The company did not disclose how it uncovered the username theft that set the foundation for Smathers' scheme.

"We deeply regret what has taken place and are thoroughly reviewing and strengthening our internal procedures as a result of this investigation and arrest," the company stated.

Nobody knows where Kevin Smith came from. He simply showed up one day and started writing articles for IGN. We liked him, so we decided to keep him. We think you'll like him too. Kevin can be reached at kevin@igamingnews.com.