Facebook 'Spam King' allegedly broke into a half million user accounts

A Las Vegas man faces 11 federal criminal counts related to 27 million unsolicited spam messages authorities say he launched via Facebook servers. Sanford Wallace received “substantial revenue” for the scheme, which involved compromising the accounts of nearly 500,000 users of the popular social network, according to the Federal Bureau of Investigation.

Mr. Wallace turned himself into authorities Thursday. He pleaded not guilty and is free on a $100,000 unsecured bond. He faces more than 40 years in prison.

According to the indictment filed in San Jose, Calif., Wallace manipulated Facebook servers to send users bogus messages from unsuspecting friends, encouraging them to visit third party websites. Once users clicked on the links, their information was exposed and collected, including friend lists, which allowed the spam manipulation to spread widely.

The operation took place between November 2008 and March 2009, prosecutors said.

This is not Wallace’s first clash with Facebook, the leading online social-network site, based in Palo Alto, Calif. The company successfully sued him in 2009 for compromising their servers. The judge issued a $711 million judgment against him and barred him from accessing Facebook. The current indictment says he violated that order.

Facebook lawyer Chris Sonderby released a statement Thursday saying the website “will continue to pursue and support both civil and criminal consequences for spammers and others” who attempt to harm its users.

The 11 counts leveled against Wallace include fraud, intentional damage to a protected computer, and criminal contempt for violating previous orders to stay off Facebook and MySpace.

Wallace’s history with online spam dates back to the mid-1990s, when he headed a company called Cyber Promotions, which developed unsolicited e-mail marketing techniques.

In 2006, the Federal Trade Commission issued a $4 million fine for infecting computers with spyware – software designed to infiltrate hard drives and servers with the intent to collect information without user knowledge.

Wallace was banned from the social-networking site MySpace in 2007 by a federal judge after the company sued him for creating more than 10,000 fake profiles engineered to redirect legitimate users to third-party websites. The following year the judge issued a default judgment of $230 million.

Although Wallace was nicknamed the “Spam King,” he is not the only one to hold that title. Last December, federal authorities arrested Oleg Nikolaenko, a Moscow man, for sending as many as 10 billion spam e-mails per day in what was described as a global spamming network. Mr. Nikolaenko is awaiting trial in Milwaukee. The criminal complaint says Nikolaenko advertised goods such as counterfeit Viagra or Rolex watches.

Efforts to combat spam may be shifting from the “spam kings” themselves to the financial institutions that support their transactions.

According to a study released in May by researchers at the Universities of California at Berkley and San Diego, 95 percent of all credit-card transactions for spam-related goods are handled by just three banks: one in Azerbaijan, one in Denmark, and one on the West Indies island of Nevis. They suggest that targeting banks that handle merchant accounts controlled by spamming operations may be a more effective away to deter their activities.