Show Notes

Cold Open

A quick note before we get started. This is part three of a four-part series, which charts how China built one of the world’s most advanced cyberwarfare programs. You don’t necessarily have to listen to these episodes in order, but you’ll get more out of it if you do. And now…on with the show.

 

The following presentation is not suitable for young children. Listener discretion is advised.


Brendan Cullen blinked and tried to stay awake.


The thirtysomething federal investigator and former football player was sitting in an airport lounge at Saipan International Airport, the transportation hub that serves the island of about 43,000 people.

 

Cullen and his team had just flown 14 hours to get here. It was just past 4 a.m., and the airport was nearly deserted.

 

Should be any minute now, Cullen thought.

 

Finally, an airplane pulled up to the terminal, and dozens of passengers streamed out. Most of them were from China. Cullen scanned the crowd.

 

Suddenly, he spotted their target: Xiang Li, the $100 million software pirate and owner of CRACK99. If everything went according to plan, tomorrow he would be in handcuffs.

 

Xiang Li was a pudgy man in a Hawaiian shirt. He was also a young father and a devoted family man. In fact, Cullen could see that Li had brought a middle-aged woman and a young boy with him.

 

Shit, Cullen thought. He brought his mother-in-law and the kid?

 

Cullen quickly sent a text to his supervisor, Mike Ronayne, letting them know he had eyes on Li. Ronayne was waiting in a parked car with his supervisor, Assistant US Attorney for the District of Delaware, David Hall. Ronayne and Hall watched Xiang Li and his family exit the airport and board a bus.

 

Ronayne and Hall followed the bus, which took Xiang Li and his family to their hotel, the Saipan World Resort, where more undercover agents were waiting. Those agents watched Xiang Li and his family enter the hotel and take their luggage up to their hotel room.

 

Let’s make sure he’s put to bed, Ronayne said. By now it was past sunrise. Xiang Li and his family had just taken a redeye flight. They figured that Li and his family would take a nap. 

 

Nope.

 

Soon, Hall got a phone call from one of their undercover agents. Xiang Li was on the move. He’d rented a jeep and was driving it around the island.

 

Cullen and Ronayne took off after him. This wasn’t part of the plan. Was Xiang Li having an undisclosed meeting? Maybe with Chinese intelligence? Was he planning to double cross them? They knew so little about him.

 

They followed Xiang Li’s jeep through beaches and hills, and past the ruins left over from Saipan’s World War II battle.

 

Finally, Xiang Li turned onto a rural road. The agents followed—but a cow and two shirtless guys blocked their path. They lost him.  

 

Did Xiang Li notice their tail and shake them off? They didn’t know. For now, there was nothing to do but wait for Xiang Li’s call—if he hadn’t already been spooked—and hope their investigation hadn’t gone up in flames.

 

On this episode: software pirates, esoteric industrial software, undercover operations, and China’s criminal hacking community. This is the story of CRACK99.


I’m Keith Korneluk and you’re listening to Modem Mischief.

 

You're listening to Modem Mischief. In this series we explore the darkest reaches of the internet. We'll take you into the minds of the world's most notorious hackers and the lives affected by them. We'll also show you places you won't find on Google and what goes on down there. This is the story of CRACK99 and part three of our series on Chinese hacking.


 

Act One

 

Around noon, the missile blasts off from a launch site near Pyongyang. It’s a Hwasong-17 ICBM, with a 2,000 pound thermonuclear warhead—that’s like 17 Hiroshimas. Once it enters Earth’s orbit, it makes a massive arc towards the southwest.

 

America has tons of satellites in orbit watching for these missiles. But here’s the thing—the North Koreans have American satellite positioning software that tells them where all the satellites are. And the launch of this missile has been timed so that it passes through the satellite network undetected.

 

US Pacific Command doesn’t notice that a nuclear warhead is flying right at Honolulu. The people of Honolulu don’t get text alerts from the Hawaii Emergency Management Agency, warning them to take shelter. But that doesn’t matter because Honolulu doesn’t have fallout shelters anymore anyway. This is the 21st century. The Cold War is over.


The Hwasong-17 explodes about 1.5 kilometers above the city. In the streets below, the people look up at the mushroom cloud blossoming in the sky.

 

Some try to call their loved ones. Some get out of their cars and crawl under them. Some parents push their kids into storm drains. But it’s no use. The explosion and the fallout kill 158,000 people and injure another 170,000 more—out of 350,000. That adds up to 94% of the population. 

 

Or, at least that’s what happens in my simulation, anyway.

 

Cullen eyed the software engineer.

 

Take me back to the part where the missile avoids all the satellites.

 

Cullen was sitting in a conference room inside a corporate park near Exton, Pennsylvania. This was the headquarters of Analytical Graphics Incorporated, a defense contractor that sold software to the Pentagon.

 

The software engineer turned the slideshow back a few slides.

 

Right. So that satellite positioning software I mentioned the North Koreans having? We make it. It’s called Satellite Tool Kit, or STK. Theoretically, if a threat actor like North Korea got access to STK, they could guide a missile through the gaps in our satellite network and hit Honolulu. And that’s just one scenario. Imagine if China got a hold of it, or Iran, or Russia.

 

And you’re saying this software is being sold online for pennies on the dollar?

 

The software engineer pulled up a website called CRACK99. It was a jumbled mess of fluorescent colors and multiple fonts. At the top of the page was a message, clearly written by someone whose first language wasn’t English:

 

Faced with so many customers, friend said to me: Thank you very much! I feel that my duty and responsibility to all the friends Provide in an accurate, fast, and reliable service! We have already done, will prove that we will do better! Trust www.crack99.com professional site! 

  

Then the engineer pulled up CRACK99’s sales page. There were thousands of software programs available.

 

Here’s Satellite Tool Kit version 8.0. Normally it sells for 150 grand. On here it’s available for $1,000. To anyone. 

 

As a Homeland Security Investigator, Cullen knew that there was a list of countries forbidden from purchasing software from companies like AGI. He also knew that so much of America’s military and defense network ran on technology made by companies like AGI. If someone could figure out how to exploit the flaws in that software, it could be disastrous.

 

So yeah, yeah, this seemed like a problem.

 

Cullen’s visit to AGI in December 2009 started out as a routine courtesy—he was there to brief AGI about the hazards of software theft, and to solicit help for future investigations. Instead, this software engineer had just given Cullen his first big case in his new job.

 

After starting in narcotics, Cullen had recently transferred over to counter-proliferation. In counter-proliferation, it was his job to fight arms trafficking, weapons smuggling, and any other misuses of American technology—like someone stealing American military software and selling it online. Cullen was no expert in software or military tech, but he was learning quickly.

 

Cullen informed his supervisor, Mike Ronayne, about AGI’s problem. Ronayne was bald, with scars covering his scalp from many fights and mishaps while growing up in Boston. Ronayne had spent more than ten years in counter-proliferation, locking up arms dealers from places like Iran and South Africa.

 

Ronayne agreed that the CRACK99 situation was a problem, and the two brought it to the man they hoped would prosecute the case: Assistant US Attorney for the District of Delaware David Hall.

 

Like Ronayne, Hall was bald. He was a former naval intelligence officer who’d been a government prosecutor for more than 20 years. He was about to retire. During his retirement, he was already planning to write about his most unusual cases–some reporter had already beaten him to the punch and written about his last big arrest, of the Iranian arms dealer Amir Ardebili. 

 

With CRACK99, Hall knew he was sitting on a bookworthy case—but he also knew it would be tricky to prosecute.

 

The site’s owner directed customers to contact them at an email address, china9981@gmail.com. So either CRACK99’s owner was Chinese or pretending to be. 

 

This made the case particularly urgent. Hall knew China was waging an ongoing cyberwar against the United States, trying to steal as much of America’s technology as possible–the exact sort of technology that was available on CRACK99. 


Could CRACK99 be affiliated with the Chinese government somehow? 


Maybe a Chinese government hacker had gone rogue and started selling his pilfered wares online. 


Or, maybe CRACK99’s owner was just a civilian criminal. If so, the Chinese government was certainly turning a blind eye toward CRACK99’s activities. There was no way the Chinese government didn’t know about it–like in other authoritarian countries, the Chinese internet is heavily censored and monitored by tools with names like “The Great Firewall.”


Hall knew that investigating this case could pit him against the Chinese government–and possibly cause a diplomatic incident. 


Problem was…the software pirate was most likely in China. That made it nearly impossible for him to prosecute. This was early 2010. The United States government was aware of China’s ongoing cyberattacks, but it hadn’t yet filed charges against any individual Chinese hackers—much less actually arrested any. The Titan Rain indictments wouldn’t come for another four years.

 

Even if CRACK99’s owner had no affiliation with the government, China would still never willingly hand over one of its citizens. It was unlikely the Chinese government would even cooperate with the investigation. Hall’s only real play was to try to lure the site’s owner somewhere the United States had criminal jurisdiction.

 

And the only way to do that was an undercover operation. So, the team brought in an undercover operative from the Defense Criminal Investigative Service named Robert–his last name has never been published. 


Robert’s first move was to verify that CRACK99 truly was selling stolen software. Since they already had a relationship with Analytical Graphics Incorporated, the maker of Satellite Tool Kit and many other fine products, Robert decided to buy the version of STK listed on CRACK99 for $1,000.

 

Cullen and Ronayne requisitioned an apartment that the Homeland Security Department kept in Philadelphia for use in undercover operations—they couldn’t be contacting CRACK99 from a government IP address, after all. There, Robert sent an email to china9981@gmail.com, inquiring about purchasing the software. 

 

Soon, they had an enthusiastic response:

 

I will give you a registration document. This is the perfect sure! Trust from our services.

 

The email was signed with a name: Xiang Li.

 

This was a clue. They didn’t know if Xiang Li was the name of CRACK99’s real owner, or an alias. They didn’t know if Xiang Li was one person, or several people. But it was the first name they could attach to the website.

 

Next, Xiang Li sent them instructions on how to pay for STK 8.0. They were to wire the money via Western Union to Chengdu, China. By now, it was almost certain that CRACK99 was Chinese.


There was also a document containing Xiang Li’s Resident ID Number, along with that of a woman: Chun Yan Li. She would be receiving the money. But who was this woman? She had the same surname as Xiang. Was this his wife? Sister? Another alias? Who knew?

 

Cullen and Robert drove to the nearest Western Union inside a grocery store and wired the money to Chengdu. They had no idea if they were actually going to receive the software or if they were about to be ripped off.

 

But soon, Xiang Li replied with several links to an FTP site where Robert could download STK 8.0, along with detailed instructions for how to install it. AGI confirmed that it was authentic—even if it was missing a few components.

 

This verified that Xiang Li was indeed selling stolen software on CRACK99. But Hall needed more than one sale to build his case.

 

So, Robert made another purchase. This time, he selected software called QUARTUS II v9, which was made by the Altera Corporation. It’s headquartered in San Jose, California and specializes in semiconductors. QUARTUS II is a software program that creates programmable logic devices…the military uses it for communications, radar, and missile guidance. Normally, QUARTUS II sold for tens of thousands of dollars. Robert purchased it for $340. 

 

After two sales, the agents still didn’t know whether Li was hacking and cracking these software programs himself, or whether he was a middleman. So they came up with a test.

 

Robert noticed that Xiang Li listed a software program called “Hypersizer.” Made by the Collier Research Corporation, Hypersizer performed stress tests on aircraft and spacecraft—yet another potential national security hazard.

 

The latest version was Hypersizer 5.8. But CRACK99 only listed Hypersizer 5.3. Robert emailed Xiang Li and asked if he could provide the latest version. He got another quick reply:

 

Sorry, no 5.8.

 

Another clue. Whoever Xiang Li was, they didn’t appear to be an elite hacker capable of breaking into secure networks and stealing the latest software. Most likely, they had connections to other hackers who could do that.

 

Even so, Xiang Li was happy to provide the investigators with Hypersizer 5.3. Normally it retailed for $50,000, but investigators bought it for $200.

 

These three sales were enough to secure a search warrant for Xiang’s email. Cullen brought the warrant to Google, which provided the investigators with access to the contents of Xiang Li’s inbox.

 

What they found shocked them.  

 

There were over 12,000 emails dating back to 2008—hundreds of messages a day. All correspondence between Xiang Li and buyers around the globe.

 

Li proved willing to sell to anyone anywhere in the world so long as they paid.

 

About half of Li’s customers were in the US. More were from friendly countries like Germany, the UK, Canada, and Australia. But Cullen also discovered several customers in countries that were forbidden from doing business with the US, like China, Syria and Iran. Could the Chinese government be one of Xiang Li’s customers? 

 

In one case, they discovered a sale to a man called “Nasir”—not his real name. He was using a Ukrainian IP address, but that was a proxy. Nasir was actually located in Syria, and he claimed to be working for the Syrian government.

 

I’m looking to purchase software called Ansoft Simplorer. I attempted to purchase it from the vendor, ANSYS, but they said they can’t sell to Syrians. They wouldn’t even sell me the student version! Can you help?

 

Ansoft Simplorer was engineering design software that could simulate the performance of electronic equipment—like that used in military hardware.

 

For Hall, this was alarming. The United States has labeled Syria as a sponsor of terrorism since 1979. It supports many different terrorist organizations, like the Lebanese militant group Hezbollah.

 

During its war with Israel in 2006, just four years earlier, Hezbollah launched thousands of rockets at 12 Israeli towns whose names we’re not going to ask Keith to pronounce, killing 43 civilians and 12 soldiers and injuring thousands more. Those particular rockets couldn’t be aimed with any precision; they were just fired indiscriminately.

 

Hall knew that someone like Nasir could funnel his stolen technology to the Syrian government, which could then give it to Hezbollah, which could use it to make its missiles and rockets even more effective. And those missiles could be used on Israelis, or even American troops across the border in Iraq.

 

And Nasir was just one example. Xiang Li had conducted more than 500 sales in 60 countries—and counting.

 

There was still much they didn’t know. Where was Xiang Li getting his software? Was he involved with the Chinese government? Was he even a real person? But one thing was clear: American software was out in the wild. Xiang Li had to be stopped before people got hurt.

 

Act Two

 

A few weeks later in late 2010, Robert the undercover agent was sitting in the Philadelphia safe house when he pulled up Skype and dialed a phone number in Chengdu, China. 

 

Xiang Li answered. For the first time, Robert saw the Chinese software pirate in person. He was pudgy with soft features, like someone who spent a lot of time in front of the computer.

 

They exchanged pleasantries. Li wasn’t using a translator, but he could mostly follow along. Robert got down to business.

 

Mr. Li, did you know that the software you’re selling on CRACK99 usually sells for a much higher price?

 

Li was surprised, but that wasn’t a surprise. Most of the companies that made CRACK99’s stolen software kept their prices a secret, to maintain their competitive edge.

 

So I have a business proposition. I know many customers who would pay top dollar for the software you sell on CRACK99. I’d like to sell it to them at a higher price. For example, I can sell QUARTUS II for $5,000. In such a case, we would give you a 50% kickback. That means you will get $2,500.

 

That’s fine. That’s fine. Let me ask you a question. It’s that…I will keep it confidential. How will that be done?

 

That’s not a problem. Each sale will be private.

 

But Li didn’t seem satisfied.

 

I need to ask you another question. What’s going to happen when there are differences in price? That means my price will be…different from the price you guys have given the customer. Will he find out my price is cheaper than what you guys have given him?

 

Indeed, why would Robert’s American customers want to pay a higher price for software when they could buy it on CRACK99 for much cheaper? It was a reasonable question, and it revealed the flaw in the investigators’ plan.

 

Robert had an answer ready:

 

Because they prefer to buy through a trusted seller, like me. Again, you’ll be getting 50% of the proceeds.

 

The money was just too good to resist. Li agreed to go into business with Robert.

 

This was all part of a larger strategy. Robert wanted to become one of Xiang Li’s biggest customers and eventually his business partner—hopefully important enough for Xiang Li to agree to meet in person.

 

After the Skype call, they offered to purchase 15 software programs from Xiang Li, which they could then sell to their American buyers. Xiang Li valued the list at $1,630, but he knocked off about $150 for a discount—a good sign. Xiang Li wanted to keep his customer happy.

 

The agents wired the money, and soon they had yet another batch of stolen software. This was enough for Hall to secure an indictment.

 

Xiang Li seemed more and more eager to do business. Next, he offered to provide Robert with counterfeit packaging—Robert could sell the software on CDs in what looked like authentic packaging material. This way, the customers would be less likely to connect the stolen software to CRACK99. He asked for $1500, but agreed to $1350.

 

The agents agreed. But before they could send the money, Xiang Li sent another email:

 

More pleasant surprises. I can gather some valuable information. 20 gigabytes. If you are interested, cost $3000. This is confidential. I do not have to sell to other customers. ONLY FOR YOU.

 

What the hell was Xiang Li up to?

 

On another Skype call, Xiang Li explained. He’d come into possession of 20 gigabytes of proprietary data from an American defense contractor. The company developed engineering modeling software for the US military—but this wasn’t software. This was internal company data.

 

This was yet another clue: Xiang Li was either a hacker, or he had access to hackers.


This also gave credence to the idea that Xiang Li might be involved with the Chinese government–maybe a government hacker, maybe a civilian hacker who contracted for the government. Internal data from a defense contractor was exactly the sort of thing that the Chinese government had stolen hundreds of times before. 

 

The agents wired Xiang Li $4,350 for the packaging and the data. But this time, Xiang Li didn’t send the materials. Had Xiang Li taken the money and run? Was their lengthy, expensive investigation all for nothing?

 

Months went by. Robert and Xiang Li continued messaging. Robert wanted to know why their purchases hadn’t shown up. Li said he was worried that shipping them internationally would raise suspicion.

 

Robert suggested he and Li meet in person. At first, Li didn’t think this was necessary. But Robert was persistent.

 

The meeting had to be at a location where Robert and the agents could arrest Li. Obviously China wasn’t an option. They considered the Philippines or Thailand. But they weren’t certain that the Philippines would agree to extradite Li. As for Thailand, that country had recently refused to extradite the Russian arms dealer Viktor Bout, who among other things was accused of conspiring to kill American citizens, and of selling weapons to the Colombian terrorist group FARC. No guarantee there, either.

 

Hall was looking at a map of the South Pacific when he finally landed on it: Saipan.

 

It’s an island of 44 square miles. Hall was familiar with it. In 1944, his father was one of 71,000 marines who landed on Saipan to take it from the Japanese. Brutal fighting lasted three weeks. When it was clear the battle was lost, Hall’s father watched in horror as thousands of Japanese soldiers and civilians jumped to their deaths to avoid capture.

 

Today, Saipan is American territory—which meant that it was within Hall’s jurisdiction. Most importantly, Chinese nationals didn’t need a visa to travel to the island.

 

By April 2011, Xiang Li still hadn’t sent the materials. He was worried about sending them through the mail. He thought it was safer to hand it over in person. So, he agreed to meet in Saipan. 


There was just one catch: Robert had to pay for Xiang Li’s travel, as well as for his family’s travel. 

 

It seemed strange that Xiang Li would bring his family to an illegal business meeting–and it seemed to undermine the idea that Xiang Li was a master spy or government hacker. 


But Robert didn’t ask questions. The US government wired Xiang Li another $5,000, and the meeting was set for June.

 

So, Robert, Hall, and their team traveled to Saipan in June, having no idea if Xiang Li would actually show up—or, if he did, what would happen. Again, it was entirely possible Xiang Li had ties to Chinese intelligence.

 

They arrived a few days early and set up shop at their hotel, where they planned for the upcoming meeting with Xiang Li. The agents were staying at the Fiesta Hotel. Their tech team wired Robert’s hotel room for sound and video.

 

Xiang Li, his mother-in-law, and his five-year-old son arrived early on the morning of June 5th, 2011. Cullen was waiting in the airport’s customs area. He alerted Hall and Ronayne, who were waiting in the parking lot. The agents followed Li and his family to their hotel, the Saipan World Resort.

 

The Lis arrived around sunrise. Hall assumed they would go to sleep after their long flight. Not so. The agents were surprised to see Li emerge from the hotel, get into a rented jeep, and drive off. Where was he going?

 

Cullen and Ronayne took off after them. But tailing someone on a small island is difficult without giving yourself away. Eventually, Cullen and Ronayne gave up and returned to the hotel.

 

Then, Robert sent Li an email.

 

Are you in Saipan? I am at the Fiesta Hotel room 871. Please meet at 9am tomorrow. Call my cellphone when arriving.

 

No response. Nothing to do but wait.

 

Hall and his team considered the possibilities. Was Li meeting with his handler from Chinese intelligence? Had Li spotted the Americans? Or, was he just being a businessman, trying to control the terms of the meeting?

 

Hours later, Robert finally received a brief reply from Li:

 

OK. I see.

 

And the meeting was set.

 

The next morning, Robert was preparing to receive Li at his hotel when he got another call from Li.

 

Can you pick me up?

 

Strange. They knew Li had a jeep. Why did he need a ride? Not wanting to scare Li off, they agreed. Their tech agent, Brian, switched off all the recording devices in Robert’s room to save batteries.

 

Robert drove to Li’s hotel with another agent, a female investigator who spoke Mandarin. There, they got another surprise: Li was waiting with his mother-in-law and son, who was wearing a swimsuit and pool floaties.

 

My son would like to go swimming. Your hotel has a nicer pool. Can I bring him along? My mother-in-law will watch him.

 

Robert thought on his feet.

 

Uh…non-guests can’t use the pool. I saw some kids get kicked out of the pool yesterday.

 

Satisfied, Li bid his family goodbye, got in the car, and rode back to the Fiesta Hotel with Robert and his interpreter.

 

There, Brian the tech guy slipped into Room 871 and began turning on all the equipment to record the meeting. But nobody thought to tell Brian that Robert, Li, and the interpreter were already back at the hotel.

 

Brian heard the hotel room door open, and saw the trio enter.

 

A former special forces operator, Brian didn’t panic. He tiptoed into the bathroom, shut the door behind him, and emailed Ronayne:

 

Do not shit yourself, but I am still in the room. All is well. Please start the recording.

 

Ronayne relayed the message to Robert. He prayed Li wouldn’t have to go to the bathroom.

 

To kick things off, Robert and Li exchanged gifts. Li brought an assortment of Chinese foods for his new American friend to try, like tea and seasoned tofu. There was also chocolate, but that was for Li’s son. With a sinking feeling, Robert realized Li’s son wouldn’t be getting the chocolate.

 

Then, Li brought out his wares—first, the counterfeit packaging materials they could use to sell the 15 software programs they’d recently purchased. Then there were the 20 gigabytes of incriminating data, spread across several disks.

 

So, now they had him on tape committing a crime. Now, they needed to get him to admit to as much incriminating behavior as they could.

 

Li gave them tips on how to smuggle the contraband back to the States—split it up and have multiple people carry it. If asked, they could just say it was study materials.

 

He also gave them advice on how to sell his software without getting caught—only sell to trusted, reliable customers.

 

The products are pretty, um…like confidential, he said. Don’t go and tell other people.

 

Then, Li promised that he could get Robert more software and more counterfeit packaging material.

 

This interested Robert. He pressed Li on the point.

 

Do you have to ask someone else for this software?

 

Some of them yes, some of them no.

 

Li was being vague.  

 

At this point, the Mandarin interpreter said she had to use the bathroom. Robert tensed. Would she stumble on the tech agent? Thankfully the hotel room had two bathrooms, and she picked the unoccupied one. But before she entered, she turned back to Li.

 

There’s another restroom if you need to use it.

 

But Li shook his head.

 

When she returned, Li turned to Robert.

 

Do you have anything scheduled after this? We can go and hang out together.

 

Robert decided he’d extracted as much as he could out of Li. So, he uttered the code phrase:

 

Our business in Saipan is concluded.

 

Cullen and Ronayne burst into the room in body armor, guns drawn, followed by several more Homeland Security agents.

 

On the ground now!

 

A terrified Li complied. Cullen handcuffed him.

 

They now had Xiang Li in custody, but their journey was far from over. Hall and his agents had to get Li back to the United States without causing a diplomatic incident with China. Once they did, they’d still have to prove their case against Li, and there was no guarantee he would cooperate.

 

Act Three

 

You have the right to remain silent. Anything you say can and will be used against you in a court of law. You have the right to an attorney...

 

Xiang Li listened as the Mandarin interpreter relayed all of this to him. It was a few minutes later, and he was sitting across a table from Cullen.

 

Cullen doubted that Xiang Li understood exactly what he was saying—the American legal system is entirely different than China’s. Li didn’t ask for his lawyer, and he agreed to be questioned. He also agreed to let agents search his room at the Saipan World Resort.  

 

Cullen handled the questioning. Li answered via the interpreter.

 

Tell us about yourself.

 

My name is Xiang Li. I live in Chengdu with my wife Chun Yan, plus my mother in law and son. We also have another baby on the way.

 

Do you operate the website CRACK99?

 

Yes.

 

Is Chun Yan involved in the site?

 

She only handles the money.

 

Does she have access to the email account china9981@gmail.com?

 

Only I do.

 

Finally, Cullen asked the big question.

 

Where do you get your software?

 

I find the software online.

 

How?

 

Search engines. Hackers post this stuff on forums all the time for free. But nobody knows where to find them or how to install them. That’s why I created CRACK99.

 

Where are these forums?

 

Mostly China and Russia.

 

So, you don’t hack yourself.

 

No.

 

Do you have access to hackers, though?

 

No.

 

Cullen knew this wasn’t true. While perusing the china9981@gmail.com inbox, Cullen had seen Li’s conversations with hackers.

 

I only have a couple more questions, Mr. Li. If I might ask, why did you use a Gmail account? Surely you knew Gmail is an American company.

 

I needed an email that was recognizable and universal. My customers are all over the world. People don’t trust Chinese email addresses.

 

I see. And what were you doing yesterday when you were driving around the island?

 

Sightseeing. 

 

So, Xiang Li was trying to squeeze a vacation into his business trip.


Cullen decided that was enough questioning for the day.

 

Meanwhile, Hall and Ronayne led another team of agents to search Li’s hotel room—where Li’s mother-in-law and son were waiting.

 

She wasn’t surprised to hear that her son-in-law was arrested. She only had one question for the agents:

 

What about my airline ticket? Can we still fly home?

 

They assured her that wouldn’t be a problem.

 

Hall didn’t want to search the hotel room in front of Li’s kid, so he took him to the resort’s lobby and bought him an ice cream cone. Upstairs, Ronayne and the agents found copies of everything Li had given Robert, plus other stolen software. 

 

Next, the agents brought Li to the local Homeland Security Office. It had just a single jail cell, where they’d keep Li overnight.


They offered to get him Chinese food, but he declined. They got McDonald’s, and he refused that, too.

 

For Li, the shock of the arrest had worn off, and the gravity of the situation sunk in. Had it been a good idea to tell the agents so much about his business? Would he ever see his wife and son again? Could he even face them?


That night, Hall braced for a response from the Chinese government–an outraged statement from the president, or a government minister, demanding Xiang Li’s release. Then, threats to undo any diplomatic goodwill between China and the US, followed by pressure from his government to drop the case. The faster he could get Xiang Li off Saipan, the better. 

 

The next morning, it was time for Li’s judicial hearing…as a foreign national, Li was entitled to both a detention hearing and a removal hearing—both of which could drag this process out for weeks. Meanwhile, the Chinese government could easily protest Li’s arrest.

 

At the hearing, Li finally got a lawyer, a local public defender. Li waived his right to the hearings. Hall hoped Li would be willing to give a more detailed statement on the flight home to Delaware, but Li’s lawyer wouldn’t agree, wanting to leave Li’s options open—one wonders what would have happened if Li had spoken to this lawyer before his questioning.

 

Li’s lawyer told him not to answer any questions, so Hall and company couldn’t question him. But now, it was time to fly home.

 

Li spent most of the flight in silence, although he did ask one question:

 

Where going?

 

Delaware.

 

Li looked confused.

 

It’s a state.

 

Li still looked confused.

 

Cullen quickly drew a map of the United States and showed it to Li, indicating where Delaware is.

 

I want talk.

 

Not until we get to Delaware.

 

…what is Delaware?

 

Cullen showed Li the map again, while Hall gave Li a quick lecture on federalism and the 50 United States.

 

I want talk.

 

Not until we’re in Delaware.


They spent the rest of the flight in silence. After a brief stopover in Honolulu, they continued on to Delaware.

 

Li continued to refuse food. They’d even gone to Philadelphia’s Chinatown and purchased food from Li’s home Sichuan province, but he had no appetite. They also offered to let him call his wife and son back home in Chengdu, but he refused.

 

In Delaware, Hall and his team of lawyers negotiated with Li, who now had a federally appointed attorney.

 

Overall, Li was facing up to 100 years in jail time. Hall offered him a deal to plead guilty in exchange for a reduced sentence, provided he cooperated. Li agreed.

 

But on the day of his plea hearing, Li had a change of heart. An angry, defiant Li fired his lawyer and retained the services of an expensive New York lawyer—to Hall, this was suspicious, and pointed to the possible involvement of the Chinese government. But again, he had no proof.

 

Li was no longer interested in a deal. His new lawyer made Hall an offer: the US government would drop all charges against Li, and in exchange Li would leave the country and never return.


Hall declined. Instead, he upped the ante by issuing a superseding indictment. The previous indictment covered Li’s illegal activity up until November 2010. The new one covered Li’s illegal activity from then until Li’s arrest in June 2011.

 

Finally, Li agreed to plead guilty. Now, all that was left to do was sentence him.

 

In an interview with a probation officer, Li tried to put his actions in context. In China, it was culturally acceptable to hack American and other western companies and steal their software—not just for military hackers or government contractors, but for everyday civilian hackers. Or, even hacker-adjacent people like Li. Overall, he estimated that there were ten million people in China doing illegal things with software–and the Chinese government looked the other way. 

 

The judge was unpersuaded. So at his sentencing hearing, Li tried a different tactic.

 

I didn’t have an evil intention to violate the law in the United States, he said. All I hope is to be able to return to China to reunite with my family. I believe if I have to stay a long time in the jail in the United States, my family will fall apart. I will only see a broken family. My wife and kids, they will be hurt. I’m sorry. I’m not a bad person.

 

Li’s lawyer asked for time served–two years. The judge gave him 12 years.

 

Hall and his team had done their jobs. The software pirate was behind bars. This was the biggest successful cyber copyright infringement case ever.


But there was still more to do. After all, Li had dozens of customers.  

 

And there were still more questions to answer—like how exactly did Xiang Li get his software?

 

Act Four

  

Around sunrise, Wronald Scott Best pulled into the parking lot at his workplace, MPD, where he was employed as the chief scientist.

 

About the name. He spells it with a “W.” Literally W-R-O-N-A-L-D. To Wronald, this is the correct way to spell the name “Ronald,” and everyone else is wrong.

 

Wronald liked getting to the office early. MPD, Inc. was a defense contractor. Among other things, MPD developed radar technology and other electronics for military helicopters. These included the US military’s Black Hawk attack helicopter and Marine One, the helicopter that transports the president.

 

Wronald himself had worked on redesigning the cathode for the Black Hawk. He’d also worked on the company’s magnetron line of products, on components for Patriot missiles, and even on breathalyzer equipment for law enforcement.

 

Just as Wronald settled into his desk with a cup of coffee, there was a knock at the door. Then the door opened. It was the facilities manager, along with several federal agents and Kentucky police officers. At the front of the group was Homeland Security Investigator Brendan Cullen.

 

Do you know why we’re here, Mr. Best?

 

I do.

 

We also have a warrant to search your home. Would you like to accompany us?

 

I would.

 

Cullen’s team confiscated everything from Wronald’s office. Then, everyone traveled to Wronald’s home. There, they seized four computers, four external hard drives, a server, a flash drive, and 179 CDs and DVDs.

 

On them, investigators discovered that Wronald had ten cracked software programs purchased from CRACK99, which would’ve been worth $500,000 had he paid full price for them.

 

Wronald explained that he only used the products for his job. He just used them to work on projects from home.

 

But Cullen and his team already knew all of this. They’d already searched Wronald’s email account, mrpeabody.1@gmail.com. There, they’d discovered more than 250 messages between Wronald and Xiang Li. Not only was he an enthusiastic customer, he also provided Li with instruction manuals for how to install the software—for free.

 

On top of that, Wronald was found to have had discussions with a Russian software cracker. Thanks to this relationship, Wronald was able to help Xiang Li obtain the latest versions of many of his software products.

 

Like Li, Wronald Best tried to claim that he was just one among many people who purchased cracked software, and that he only did it for work-related reasons. He got one year in prison.

 

Up next was Cosburn Wedderburn. He was an electrical engineer for NASA. He purchased 12 programs from Xiang Li with a retail value of $1 million. Like Best, he only used them for his job. Thanks to his cooperation with the government, he was sentenced to probation.

 

Altogether, the investigation into CRACK99 led to just three arrests. But what about Xiang Li’s assertion that pirating software is not just socially acceptable in China, but common?

 

It wasn’t far off.

 

In 2012, the Business Software Alliance reported that 77% of software used in China the previous year was stolen. That added up to $9 billion in lost sales. As of 2021, China was still the world leader in software piracy. 

 

Given that China is one of the most authoritarian countries in the world, one that heavily monitors its Internet, there’s no way China is unaware of CRACK99’s existence, and the software on it.

  

Xiang Li never did confirm whether he had direct ties to the Chinese government, but he did have contacts with Chinese hackers, and it’s likely they had some sort of relationship with it. As we’ve seen before, the Chinese government condones cybercrime committed by hackers as long as it doesn’t harm Chinese interests.


In fact, when considered in context, China’s hands-off approach makes too much sense. Since 1999, the Chinese government has been actively encouraging its soldiers AND its civilians to steal as much technology as possible to help their country catch up.

 

Over the past three episodes, we’ve covered this theft in detail. Now the question is, what is China going to do with all of this new technology? In the next episode, China’s unrestricted cyberwarfare accelerates China’s development into a technological superpower. 


I’m Keith Korneluk and you’re listening to Modem Mischief.

CREDITS

Thanks for listening to Modem Mischief. Don’t forget to hit the subscribe or follow button in your favorite podcast app so you don’t miss an episode. This show is an independent production and is wholly supported by you, our listeners and the best way to support the show is to share it. And another way to support us is on Patreon or as a paid subscription on Apple Podcasts. For as little as $5 a month you’ll receive an ad-free version of the show plus bonus episodes exclusive to subscribers. Modem Mischief is brought to you by Mad Dragon Productions and is created, produced and hosted by me: Keith Korneluk. This episode is written and researched by Jim Rowley. Edited, mixed and mastered by Greg Bernhard aka crack is what you’d have to smoke to get with him. The theme song “You Are Digital” is composed by Computerbandit. Sources for this episode are available on our website at modemmischief.com. And don’t forget to follow us on social media at @modemmischief. Thanks for listening!