Southern District of California
Assistant United States Attorney
San Diego, California 94102
Tel: (619) 557-5558
Creator and Four Users of Loverspy Spyware Program Indicted
NEWS RELEASE SUMMARY – August 26, 2005
United States Attorney Carol C. Lam of the Southern District of California and John C. Richter, Acting Assistant Attorney General for the Criminal Division, U.S. Department of Justice, announced today the indictments of Carlos Enrique Perez-Melara — the creator and marketer of a spyware program called “Loverspy” – and four others who used Loverspy illegally to break into the computers and illegally intercept the electronic communications of others.
According to the indictment, which was returned on July 21, 2005, and recently unsealed, Loverspy was a computer program designed and marketed by Mr. Perez for people to use to spy on others. Prospective purchasers, after paying $89 through a web site in Texas, were electronically redirected to Perez’s computers in San Diego, where the “members” area of Loverspy was located. Purchasers would then select from a menu an electronic greeting card to send to up to five different victims or email addresses. The purchaser would draft an email sending the card and use a true or fake email address for the sender. Unbeknownst to the victims, once the email greeting card was opened, Loverspy secretly installed itself on their computer. From that point on, all activities on the computer, including emails sent and received, web sites visited, and passwords entered were intercepted, collected and sent to the purchaser directly or through Mr. Perez’s computers in San Diego. Loverspy also gave the purchaser the ability remotely to control the victim’s computer, including accessing, changing and deleting files, and turning on web-enabled cameras connected to the victim computers. Over 1,000 purchasers from the United States and the rest of the world purchased Loverspy and used it against more than 2,000 victims. Mr. Perez’s operations were shut down by a federal search warrant executed in October 2003.
The indictment charges Mr. Perez with: creating a surreptitious interception device, (i.e., the Loverspy program); sending the program, concealed in an innocuous-appearing electronic greeting card, to victims; advertising the program; advertising the surreptitious use of the program; illegal wiretapping; disclosing illegally intercepted communications; and obtaining unauthorized access to the victim computers. Each count of the 35-count indictment carries a maximum penalty of five years in prison and a maximum fine of $250,000 per count.
In addition to the indictment of Mr. Perez, the federal grand jury sitting in San Diego handed up separate, two-count indictments charging John J. Gannitto of Laguna Beach, CA; Kevin B. Powell of Long Beach, CA; Laura Selway of Irvine, CA; and, Cheryl Ann Young of Ashland, PA., with illegal computer hacking, through utilization of Loverspy, in furtherance of other criminal activity and with illegally intercepting the electronic communications of their victims. Each of the two counts carries a maximum penalty of up to five years in prison and a maximum fine of up to $250,000.
“This federal indictment — one of the first in the country to target a manufacturer of ‘spyware’ computer software — is particularly important because of the damage done to people’s privacy by these insidious programs,” said Acting Assistant Attorney General John C. Richter of the Criminal Division. “Programs such as Loverspy exist solely to latch onto computer equipment for the purpose of stealing personal and financial information. Law enforcement must continue to take action against the manufacturers of these programs to protect unsuspecting victims and seek punishment for those responsible for wreaking havoc online.”
United States Attorney Carol C. Lam said, “What the promoters of Loverspy didn’t know was that while they were watching their victims, law enforcement was watching them.”
Daniel R. Dzwilewski, Special Agent in Charge of the San Diego Office of the Federal Bureau of Investigation, stated: “The Internet must remain a safe place for all to enjoy without fear of identity theft and/or loss of privacy and, therefore, the FBI will continue to aggressively pursue those who compromise the privacy of innocent victims through the utilization of ‘Spyware’.”
Other Loverspy purchasers have been prosecuted by federal authorities in Charlotte, NC; Dallas, TX; and, Honolulu, HI and are being prosecuted in Kansas City, MO and Houston, TX. U.S. Attorney Lam expressed her appreciation for the continuing support and assistance of the Computer Crime and Intellectual Property Section of the U. S. Department of Justice. A concerted effort to identify, investigate and prosecute Loverspy purchasers is being conducted by the United States Attorney’s Office and Federal Bureau of Investigation in San Diego. This case was investigated by Special Agents of the San Diego Division of the Federal Bureau of Investigation. The Loverspy operation was dismantled by the execution of a federal search warrant upon Perez’s residence by the FBI on October 10, 2003. All known Loverspy victims have been notified by electronic mail that the program was launched against them.
Carlos Enrique Perez-Melara
Case Number: 05CR1264LAB
John J. Gannitto
Case Number: 05CR1486LAB
Kevin B. Powell
Case Number: 05CR1487LAB
Laura F. Selway aka Laura Shay Selway
Case Number: 05CR1488LAB
Cheryl Ann Young
Case Number: 05CR1485LAB
SUMMARY OF CHARGES Charges
Against Mr. Perez:
Count 1: Manufacturing a Surreptitious Interception Device 3 Title 18, United States Code, Section 2512(1)(b)
Count 2: Sending a Surreptitious Interception Device Title 18, United States Code, Section 2512(1)(a)
Count 3: Advertising a Surreptitious Interception Device Title 18, United States Code, Section 2512(1)(c)(i)
Count 4: Advertising the Surreptitious Use of an Interception Device Title 18, United States Code, Section 2512(1)(c)(ii)
Counts 5-14: Unlawfully Intercepting Electronic Communications Title 18, United States Code, Section 2511(1)(a)
Counts 15-24: Disclosing Unlawfully Intercepted Electronic Communications Title 18, United States Code, Section 2511(1)(c)
Counts 25-35: Unauthorized Access to Protected Computers for Financial Gain Title 18, United States Code, Sections1030(a)(2)(C) and (c)(2)(B)(I)
Each of the two counts carries a maximum penalty of up to five years in prison and a maximum fine of up to $250,000.
Federal Bureau of Investigation
An indictment itself is not evidence that the defendants committed the crimes charged. The defendants are presumed innocent until the Government meets its burden in court of proving guilt beyond a reasonable doubt.