Episode 3: How did a Usenet troll and encryption genius become a criminal mastermind?
He Always Had a Dark Side
For a man who built an empire in pixels, Paul Le Roux seemed like a digital phantom. After his name surfaced in the press in late 2014, I spent the better part of a year trying to understand him through the same means by which he’d directed his massive pharmacy business: the Internet. Late at night, I would open my laptop and plunge into an online wormhole, searching for clues about who Le Roux had been and what he became.
There I found another Paul Le Roux, from another time—one who’d left his trace in archived copies of long-dormant websites and message boards. This Le Roux had been famous among a small community of hackers and privacy geeks in the early 2000s as the author of an important piece of encryption software. Before encryption was a mainstream idea, before Apple defied a U.S. government request to provide a method to unlock our phones, this Le Roux had written the underlying code of a program that, a decade and a half later, the National Security Agency still could not break.
The question was: Could the Le Roux who politely answered jargon-laden posts about encryption software be the same one who ordered the murder of a real estate agent over a bad deal on a beach house? At first I thought I would never know. The former Paul Le Roux seemed to have disappeared from the Internet in 2004. Encryption experts I contacted had no idea what had become of that Le Roux, and there was no evidence linking him to the man known for drugs and gun running.
One night in October, I had been at the computer for hours when I finally found the missing link. It was a website once registered to the encryption Le Roux, in the early 2000s, and later transferred to a Philippine company controlled by the crime-boss Le Roux. My immediate reaction upon discovering this connection was a sudden and irrational fear: Le Roux was something new, a self-made cartel boss whose origins were not in family connections but in code. Not just any code, but encryption software that would play a role in world events a dozen years after he created it.
I stared at the address on the screen, a post-office box in Manila, left now with a still larger mystery: What had turned the earnest, brilliant programmer into an international criminal, with a trail of bodies in his wake?
One way that hackers and government agencies break into encrypted files and communications is through something called a brute-force attack. The process involves trying every possible combination of letters, numbers, and symbols that might make up a password. Brute-force attacks require enormous computing resources, and the strongest encryption renders them impossible simply by making the number of combinations so large that it would take lifetimes to find the correct one.
When I began my research into Le Roux, he struck me as a kind of encrypted mystery. A few scant details about his criminal existence had been reported in the media, mostly speculations about the mythological size and scope of his empire, but there was little about who he was or how he had built it.
At first I tried my own version of a brute-force attack. Le Roux’s name had surfaced in a court filing associated with the case of Joseph Hunter, his ex-enforcer, and another connected to RX Limited, his prescription-drug firm. I made a list of every name, company, and location in the documents of those cases and began looking them up online, separately and in combination.
Amid the vastness of the Internet, there were an almost infinite number of ways for me to search for evidence of his existence. I would start with a scrap of information—say Your-pills.com, one of the thousands of sites affiliated with RX Limited—and trace its connections. Who owned the site and when? Which mailing address was it registered to? Each of those formed a new starting point.
After months of rote data collection, I had amassed tens of thousands of pages of research. There were snippets from long-dead message boards from the early 2000s, Hong Kong legal databases, and obscure newsletters put out by the Australian Federal Police. Here was Le Roux listed as a director of a company in the UK called SSD Software in 2001. There was his name popping up in a 2008 FCC complaint regarding a company in Florida making a marketing call to someone on the National Do Not Call Registry.
The data points were tantalizing, but ultimately the mystery was too complex for brute force. Another way to crack encryption is called a back door. If a government can convince a software maker to create a secret way into a program, and to share that key only with the government, then the secrets protected by that software will reveal themselves.
I needed a back door into Paul Le Roux’s life. Then, two weeks ago, a key dropped into my inbox.
“Hi, interesting story on PLR.” The email began so mundanely that at first I ignored it. It arrived on March 10, from a Gmail address that included the name Lulu. “I look forward to reading your series.” Then came the part that made my hair stand up.
He also had a legitimate Congolese Diplomatic passport in his own name and a Bulgarian passport in another name. He is an interesting character.
For months I had been contacting people that my online searches hinted might have worked with, or even be related to, Paul Le Roux. I’d teamed up with Natalie Lampert, a young reporter in New York City, and together we’d sent emails and Facebook and LinkedIn messages to dozens of people seemingly connected with Le Roux—related companies and addresses, not to mention those with a Le Roux surname. The responses had been discouraging.
Something in Lulu’s email address reminded me of a person I had written to before. I sent that person another message and, a few hours later, got a response:
lol, no problem, please just let’s keep it to the other email.
That didn’t take you long at all
A few days after that email, at 4 p.m. on a Saturday my time—11 p.m. his—Lulu and I arranged to meet online for our first conversation. I was hunched over my laptop in a hotel lobby in Manhattan. When his handle lit up, we exchanged a few pleasantries, but I was eager to dive in. I asked him to start at the very beginning. “So do you know exactly where PLR grew up, what his family situation was?”
“Yeah, of course,” he said. “I am related.”
From there, Lulu and I started chattingevery few days. I can’t say how I’d figured out the connection between his anonymous email and the person I’d emailed previously. I can’t say what service we used to communicate, nor where Lulu lives, nor what he does. Where I was able to, I have confirmed what he told me through other sources—including key information that I verified with former law-enforcement officials with direct knowledge of Le Roux’s case. In a few instances, I have relied exclusively on his account. To corroborate his story, Lulu sent me documents that only someone very close to Le Roux would have, and he described Le Roux’s dealings with individuals whose connections to Le Roux have never been reported in the press. In the end, I came to trust what he told me, some of which was unflattering to Lulu himself.
Paul Le Roux was born on Christmas Eve, 1972, at Lady Rodwell Maternity Home in Bulawayo, the second-largest city in what was then called—by the white minority that governed it, at least— Rhodesia. His birth mother gave him up for adoption. On his birth certificate, a copy of which Lulu sent to me, his first name is listed as “UNKNOWN.” At the bottom, however, the newborn’s fate is outlined succinctly: “Child to be known in future as: Paul Calder Le Roux.”
In our chats, Lulu was genial and happy to talk. “Go for it, mate,” he’d say. “I’m in no rush, just ask.” He fielded any question I put to him, although he was rarely expansive in his replies. He was particularly protective of Le Roux’s birth mother, making me promise not to reveal her name. “Sad and interesting story,” he said. “His real mom’s mom is married to a U.S. Senator.” When I asked him who the Senator was, he said, “That I can’t say, mate. That’ll get me shot.” (I tried all sorts of strategies to figure out if this was true, but for now I’ve had to leave it unconfirmed, another legend following Le Roux.)
Le Roux was adopted by a family living in the asbestos-mining town of Mashava. “His adoptive parents were really nice,” Lulu said. “They loved him very much.” His father worked as an underground mining manager at the giant Gaths and Shabanie mines, which at one point produced 140,000 tons of asbestos a year. He had a younger sister and was well-loved by the extended Le Roux family. “All the cousins adored him,” Lulu told me.
In 1980, Robert Mugabe became prime minister of what would now be called Zimbabwe, ending minority white rule in the country. Four years later, when Le Roux was 12, the family relocated to South Africa, where Paul’s mother believed they would find better schools for their precociously smart son. Krugersdorp, their new home, was also a mining town. Le Roux’s father started a company that managed coal-mining operations, and the family was soon well-off.
Lulu recalled that Le Roux was tall, trim, and handsome as he grew into his teenage years, but never particularly social. In a culture where a kid of his size might have been expected to try his hand at rugby, “he hated sport,” Lulu told me, favoring video games played on a console hooked up to the family TV. As a teenager, Le Roux’s love for the game Wing Commander, in which the player pilots a spacecraft into battle, bordered on obsession.
Not long after the move, in exchange for washing his father’s car, Le Roux was given his first computer. After that, “he was completely anti-social,” Lulu explained. From his first glimpse at a computer screen, Le Roux became interested in creating his own worlds. “Every time we went there afterwards he was always holed up in his room,” Lulu said. “I remember going in and seeing lines and lines of numbers.”
I found this image of a teenaged Le Roux jarring. It wasn’t that I was surprised that he could have discovered his identity in computer code. It was that his story sounded more like that of a programmer turned entrepreneur like Bill Gates or Mark Zuckerberg than of a crime boss like John Gotti or Viktor Bout.
Lulu told me that when Le Roux was 15 or 16, in the late 1980s, the local police raided the family home and arrested Paul for selling pornography. (I’d heard rumors of this before, from an employee who worked closely with him.) The family was scandalized but managed to keep the story private. After, Le Roux turned even more inward. He was an excellent student but despised the idea of learning Afrikaans, compulsory in South African schools. “He said it was a dead language and he didn’t want to learn it,” Lulu said. At 16, he dropped out of high school and decided to follow his interest in computers, taking a local programming course. Family lore has it that after he spent one class explaining some technical fact to the teacher, he got a letter saying he no longer needed to attend. He then completed a year’s worth of material in eight weeks.
What propelled Le Roux out of his parents’ home at 17, Lulu told me, was a family trip to the U.S.—Disneyland, the whole works. When they returned to South Africa, “the moment he landed he said he was leaving.” Eight months later, Le Roux departed for the UK. At the airport, his bags proved too heavy to check. He ditched his clothes and boarded the plane with a suitcase full of programming books.
Once Le Roux left South Africa, his life became peripatetic. He moved from the UK to the U.S., where he lived in Virginia Beach. In the mid-1990s, he followed a girlfriend, Michelle, to Australia, then married her and obtained Australian citizenship. At this point in Le Roux’s story, Lulu’s account began to intersect with the faint digital trail I’d already stumbled across.
In an archive of old message boards from the 1990s, I had encountered a prolific and often abusive user from Australia posting under the name Paul Le Roux. In forums like aus.general and alt.religion.kibology (named after a parody religion—it’s a long story), he was often angry and sarcastic, writing extreme or offensive screeds in an attempt to rile up other users. He was, in other words, a troll: the kind of person you might find on Reddit or in a newspaper’s comment sections, getting high off the reactions of fellow posters to his deliberately provocative opinions.
Le Roux was a harsh critic of his adopted homeland. (I’m reproducing all messages verbatim, including errors, here.) “All of Australia could disappear into the Pacific and the only difference it would make to the World,” he wrote in a typical post, “is the Americans would have one less pussy country to protect.”
“As I recall, the genetic effects of human inbreding are not as desastrous as those of breding with animals,” Le Roux went on. “A lesson Australians have never learned.”
People who later worked for Le Roux, at his call centers and other businesses, had told me he was often openly racist. But it was still surprising to see the level of vitriol that Le Roux would attach to his real name. “People like you should be rounded up, castrated, then shot,” he wrote in response to someone who accused him of racism for asserting that Asians should be “screened out” of the country “for DNA defects.” He continued, “Whats more your sperm could be used to create the ultimate germ weapon. Simply impregnate a countries woman, and within 20 years, you will have a race of ‘people’, which by all accounts, are capable only of collecting the dole.”
Like much trolling on the Internet, Le Roux’s provocations worked. His posts so outraged the boards he was posting on that someone even changed their handle to firstname.lastname@example.org. After stirring the board into a rage, Le Roux would declare that his correspondents had fallen for his ploy. “Firstly let me say that Australians are easy to provoke, anyone says your country sucks and a whole bunch of you diggers jump up to defend it -Pathetic! Your postings (including 2 death threats, numerous flames, and one guy who swears he has my address & phone number) have provided me with hours of amusement.”
In a coup de grace, Le Roux penned a 30-part post on aus.general in which he laid out the “Advantages” and “Disadvantages” of Australia as a nation. He made a point to note that, “I am ZIMBABWEAN. I left Zimbabwe in 1984, and have since lived in several countries including the U.S & U.K.” The “Disadvantages” column included “Internet access is far to expensive,” “pornography laws in Australia are backward,” “banks report on everything you do,” and “movies are about 6 months behind the U.S.”
“Drug laws are primitive compared with Europe,” he wrote in closing. “The way to combat drugs is in fact to legalise them.”
Poring through these message boards was like the game Concentration. I would find one clue, stash it away, and hope to turn over another that matched it later on. Early in the process, I noticed that Paul Le Roux used four different email addresses in his posts. But two of them traced predominantly not to his trollish screeds but to highly technical encryption discussions on other boards. One of the emails, email@example.com, was connected to a software company called SW Professionals. That same address turned up in the documentation for the encryption software E4M, hosted on the now defunct website E4M.net. That site, in turn, was registered to another of the message-board emails, firstname.lastname@example.org, and to a company called World Away Pty.
In 1995, World Away’s corporate filing showed a Sydney address for Le Roux; it was one of the stranger coincidences of my research, since I was living just a few miles away from him at that time. More importantly, on the next page, the owner of World Away was listed as Paul Calder Le Roux, born in Zimbabwe on December 24, 1972.
Confident in the connection between the two Le Roux’s, I burrowed into the world of encryption. Le Roux, it seemed, had started building E4M—Encryption for the Masses—in 1997. It followed that a talented young man so absorbed with the challenges of code, one who had gotten himself into trouble with law enforcement in the past, would tackle a problem as technically knotty as digital privacy. Le Roux’s software allowed users to encrypt their entire hard drives—and to conceal the existence of encrypted files, so that prying eyes wouldn’t even know they were there. After two years of development, he released it to the world with a post to the alt.security.scramdisk board. According to his own account, the software was written “from scratch,” and “thousands of hours went into its development and testing.”
On the website for E4M, Le Roux posted a manifesto. “The battle for privacy has long since been lost in the real world. As more and more human activity becomes computerised, governments are scrambling to preserve and extend their powers,” he wrote. “Strong Encryption is the mechanism with which to combat these intrusions, preserve your rights, and guarantee your freedoms into the information age and beyond.”
In the spirit of the burgeoning open-source software movement in the late 1990s, Le Roux released E4M for free and made the code available for other people to improve. With no income from his two years of labor, he was struggling financially. His marriage fell apart—violently, both Lulu and a colleague of Le Roux’s told me, although it wasn’t clear what that violence entailed. According to Australian records, the couple divorced in Brisbane in 1999. Le Roux relocated first to Hong Kong, then to Rotterdam, in the Netherlands. He married a Dutch citizen named Lilian Cheung Yuen Pui, and they had a child.
In 2000, Le Roux launched SW Professionals, his software-development company, nominally based back in South Africa. Its motto was Excellence in Offshore Programming; its website claimed that the company had six employees. “I worked with him about six months,” his cousin Heath Jordaan told me after I found his name on an old staff page for the site. Le Roux, he said, was rarely in South Africa. “I think I saw him for about a week or so that entire time.”
One of Le Roux’s clients was an Italian telecommunications engineer named Wilfried Hafner, who had corresponded with Le Roux for several years about his encryption software. Hafner had founded a company to create a commercial encryption product that would combine some of the elements of E4M with another piece of software, Scramdisk. The new company would be called SecurStar, and its product DriveCrypt. Hafner hired Le Roux to build DriveCrypt’s underlying engine.
When I spoke to Hafner on the phone recently, he recalled that Le Roux was desperate for money at the time. He drove a beat-up car and worked out of a Rotterdam apartment small enough that, on the phone, Hafner could often hear a baby crying in the background. At the time, Hafner lived in the south of France, and he said that Le Roux openly coveted the kind of success that he imagined led to such a home. “He saw that these were rich places, and this was his dream,” Hafner told me. “He said, ‘I am ambitious, I want to have all this.’”
Both Hafner and Shaun Hollingworth, the inventor of Scramdisk, who still works for SecurStar today, told me that Le Roux was a gifted programmer. “He was always very smart,” Hafner said. “He came also with some, how do you say, interesting, innovative ideas. But at the same time, I felt he was a little bit… disingenuous.”
I asked him what he meant, and Hafner told me that in the middle of the development work for DriveCrypt, he discovered that Le Roux was still working on E4M and had incorporated some of his work for SecurStar into his personal project. Hafner was furious. Because E4M was an open-source product, the source code that Hafner had personally funded, he claimed, could now be used by anyone to develop an encryption product of their own. He confronted Le Roux, who he says apologized and asserted that it was all a mix-up. “He was very humble,” Hafner says. But the damage was done, and Hafner terminated Le Roux’s contract.
The two reconciled personally, however, and stayed in touch. Hafner told me that Le Roux was also building a gaming engine for an online casino that he planned to launch in Canada and Romania. To do so, he needed to learn a new programming language. “In one week, he was better than most of the programmers I know that program in that language,” Hafner says. “I know that in the casino industry there is a lot of money,” he continued. “But Paul is not a marketer. I didn’t see how he could bring in the gamers to play.” Around 2002, Hafner lost touch with Le Roux.
By October of that year, SW Professionals was defunct and Le Roux was openly soliciting for work on the alt.security.scramdisk forum.
Hi Guys, I’m looking for crypto/or other contract programming work, anybody out there have anything available? if your reading this group probably I don’t need any introduction but I can send my CV as needed.
Paul Le Roux.
It was around this same time, Lulu told me, that Le Roux received some news that “shattered his whole world”: He found out he was adopted. Although many family members had known for years, Le Roux’s parents had elected to keep him in the dark about it. But in 2002, Le Roux traveled to Zimbabwe to retrieve a copy of his birth certificate. On the trip, his aunt and uncle pulled him aside to tell him the truth. “It was the ‘unknown’ part that hurt him the most,” said Lulu.
Not long after, Le Roux appeared on another set of message boards, including alt.business.home and misc.entrepreneurs. He seemed to be launching some kind of moneymaking scheme that required opening a company based in the U.S.
WE ARE EUROPEAN BASED PRIVATE INVESTORS LOOKING FOR A U.S CITIZEN OR GREEN CARD HOLDER TO HELP US SETUP A NEW COMPANY BASED OUT OF FLORIDA, WE WILL DO ALL THE PAPER WORK WE NEED YOUR HELP TO COMPLY WITH U.S LAW. BUT WE KNOW NOTHING IN THIS WORLD IS FREE, SO WE WILL PAY YOU UP TO $500 TO HELP US. PLEASE ONLY GENUINE PEOPLE. NO TIME WASTERS.
In 2004, a group of anonymous developers did exactly what Hafner had feared: They released a new and powerful, free file-encryption program, called TrueCrypt, built on the code for E4M. “TrueCrypt is based on (and might be considered a sequel to)” E4M, a release announcement stated. The program combined security and convenience, giving users the ability to strongly encrypt files or entire disk drives while continuing to work with those files as they would a regular file on their computer.
Hafner and his SecurStar colleagues suspected that Le Roux was part of the TrueCrypt collective but couldn’t prove it. Indeed, even today the question of who launched the software remains unanswered. “The origin of TrueCrypt has always been very mysterious,” says Matthew Green, a computer-science professor at the Johns Hopkins Information Security Institute and an expert on TrueCrypt who led a security audit of the software in 2014. “It was written by anonymous folks; it could have been Paul Le Roux writing under an assumed name, or it could have been someone completely different.”
Hafner found an email address associated with the TrueCrypt programmers and sent a cease-and-desist letter, arguing that the software was based on stolen code. The developers did briefly stop additional development but soon started up again. The response of the free-software community could be summed up in an anonymous message-board response to Hafner’s demand: “FUCK YOU, SecurStar—we’ve got it already!”
For the next decade, that mysterious group of anonymous programmers maintained TrueCrypt, with funding from some equally opaque source. TrueCrypt came to be known as the most powerful and reliable encryption solution available. “They improved it, even did quite impressive work on top of it,” says Hafner, whose business was forced to compete with a free product. “Nevertheless, it’s built on our engine.”
In response to the controversy, in June 2004, Le Roux returned to the alt.security.scramdisk forum and posted a note defending his E4M work, adding that when it came to the controversy over TrueCrypt and E4M, “the pure speculation here (often stated as fact) is damaging and in some cases libelous.” After that post, he disappeared from the message boards for good.
Le Roux’s departure from the encryption world, at least under his own name, coincided with his entry into the Internet-pharmacy business. Lulu told me that Le Roux said he decided to switch to online pill selling after a lawyer in Costa Rica—where much of the online casino industry was based—suggested that he go into pharmacies instead. In 2005, Le Roux surfaced in Israeli documents registering IBS Systems, one of the companies that would evolve into the customer-service arm of his prescription-drug empire. Le Roux is listed at an address in Rotterdam, alongside a scanned image of his Australian passport. He had linked up with two Israeli brothers, Tomer and Boaz Taggart—according to one former employee, they met in an online forum—to create what would eventually be known in Israel as CSWW and as RX Limited to the U.S. government.
Before long he started on a project requiring advanced technical know-how: a seamless digital pipeline from American doctors to pharmacists to eager drug consumers. RX Limited played on human greed and vulnerability to recruit doctors and pharmacists, like Charles Schultz in Oshkosh, Wisconsin, into the network. But the business thrived on Le Roux’s complex infrastructure, which was able to process tens of thousands of customer questionnaires each week, direct them to doctors to write prescriptions, and then on to pharmacists to ship them.
By 2007, Le Roux had moved his family to Manila, operating out of a house in the upscale gated community of Dasmarinias. From my reconstruction of RX Limited’s digital machinations, I could see that he had evolved his technical acumen to suit his new business enterprises. But beyond that, I wanted to know what the flesh-and-blood Le Roux was like as his empire grew.
“The Fat Man. That’s what we called him.” This was the first thing Gil (not his real name), one of Paul Le Roux’s former associates, told me when I met him in Manila last December. It was a sunny day, and we sat down outside a Starbucks that he had selected in Makati City, Manila’s upscale business district. He had lit a cigarette and dropped the pack on the table, ready to procure another one. “People are still really scared, because there is a strong belief that there are operations still going on,” he told me. “Money talks in this country. For 5,000 pesos”—around $100—“you could have someone taken out.”
As his nickname implied, Le Roux’s appearance by this point was striking; in the early 2000s, he had been putting on weight, ballooning to 240 or 260 pounds, by Gil’s estimate. “He had a giant head,” another former associate told me when I asked him to describe Le Roux. His hair, generally kept somewhere between a buzz and a banker’s haircut, had by his forties gone from black to silver, framing a set of plump cheeks and small, slightly flared nostrils. Le Roux’s size could be imposing, although opinions varied as to whether he was truly physically intimidating. Many seemed to view him as a stereotypical nerd, a doughy loner with an adept technical mind but few social graces. “He was not a soft, gentle person,” one former associate said.
Like the more magnetic young man Lulu recalled from his childhood, however, Le Roux was not without charm, particularly when it came to newly hired employees, to whom he projected an easygoing image of power and success. “He was the nicest guy when you first met him,” Gil said. “He was always buying gifts for people. His representation of himself, as far as I am concerned, made him seem more legitimate.”
Those who rose within the ranks of what most just called the Company found Le Roux to have an alluring managerial style: He was receptive to suggestions and sent untested people into situations and responsibilities they never imagined. “He gave you space to maneuver,” said a former high-level Israeli employee of Le Roux’s who met me one afternoon at a mall café in Tel Aviv. “You could come to him with anything; you felt like you had an opportunity to do something you liked and make money doing it. That was before he got all twisted.”
As RX Limited earned hundreds of millions of dollars, Le Roux’s lifestyle changed in some ways but remained the same in others. He became known for bragging graphically to associates about his extramarital conquests. “He lived in expensive houses in exclusive areas, but he didn’t live extravagantly,” Gil said. “He would travel in flip-flops, shorts, just like a bum. Anywhere, he would look like that.” Lulu recalled that Le Roux told him that RX Limited was bringing in four or five million a month, but it didn’t show. “He was as tight as they come,” Lulu said. “I assume he was just hoarding it.”
By 2008, the Le Roux who once gleefully posted online under his own name was gone, replaced by a man obsessed with secrecy and holding a pocketful of identities. His activities were spread across dozens of shell companies registered all over the world, with names like Ajax Technology, Cycom, GX Port, and Southern Ace. Le Roux often used the identity John Bernard Bowlins and had a fake Zimbabwean birth certificate and passport to back it up. Some people called him Benny, others went with Boss or even Paul, if they knew his name at all. Le Roux had another fake Zimbabwean birth certificate for a Johan William Smit—it was an ironic alias, Lulu told me, because it’s a popular name in Afrikaans, the language Le Roux dropped out of school rather than learn. Another birth certificate listed his identity as William Vaughn.
“When I corresponded with him in the beginning, he used the name Alexander,” a South African who worked for one of his companies told me. “When I met him, he introduced himself as John. I only found out after more than a year that he is actually Paul Calder Le Roux. But then again, we all used pseudonyms in the Philippines.”
In his first email, Lulu had told me that Le Roux possessed a diplomatic passport from the Democratic Republic of the Congo, a document that helped him avoid customs. Lulu forwarded me a copy of it; the passport was issued in Le Roux’s own name.
Wealth seemed to begin to amplify Le Roux’s natural impulses—greed, impatience, a sense of superiority. Lulu told me that he thought that in 2008 or 2009, something in Le Roux snapped. “He changed at that point,” he said. “I think the money got to him. I personally saw $100 million in his office in Makati. Cash, bud. It was fucking ridiculous. It was in wicker baskets lined up on the side of the wall in his office.” One image in particular stuck with him: He remembered that the $100 U.S. bills were each stamped with a pink rabbit.
Like the Silicon Valley entrepreneur who sells a company for $100 million, only to start another one in hopes that it will sell for a billion, Le Roux made the pursuit of more money, and more power, an end in and of itself. But the kid who had once locked himself in his bedroom, losing himself in code, had gone as far as his technical skills could take him. He wanted to be a different kind of businessman, a lord of the real underworld, not just the virtual one. “He made money on the pharmacies, and then he decided that he wanted to make more money, fast,” the Israeli associate told me. Le Roux wanted to diversify, to be bigger, he said. “The only way to do that was illegal. He was living inside a movie, you could almost say. He always had a dark side, it just developed more with money.”
Sometime in 2008, Wilfried Hafner logged into his long-dormant chat account and noticed Le Roux’s handle was still active. He messaged Le Roux and the two exchanged greetings and caught up. Hafner mentioned that he was raising money for a new phone-encryption software project called PhoneCrypt. Le Roux remarked that he was now a wealthy man and would consider investing if Hafner sent along his business plan. Remembering how little money Le Roux had had back in the early 2000s, “the picture did not match,” Hafner said. “I didn’t take it seriously.”
“It’s a pity I didn’t believe it,” Hafner said, before stopping himself. “On the other hand, I could have gotten wrapped up in these stories.”
In the years since Le Roux disappeared from the encryption community, the ideas that drove him to develop E4M were slow to penetrate the public consciousness. As more of our lives became digitized, governments began peering into them. TrueCrypt, E4M’s progeny, had become one of the most popular disk-encryption programs, used by tens of millions of people. Yet the significance of encryption remained largely the province of privacy enthusiasts and libertarian hackers.
All of that was about to change. In November 2012, a man with the online handle Cincinnatus decided to throw a party in Hawaii. The idea arose out of an email exchange with Runa Sandvik, a developer and expert on the online software Tor, which allows its users to mask the physical location of their computers on the Internet. After she gave a Tor tutorial on Reddit, Cincinnatus sent Sandvik an encrypted message.
Cincinnatus told Sandvik that he lived in Hawaii. Sandvik mentioned that she would be there on vacation the following month and could give a talk on Tor. Cincinnatus suggested they host a “cryptoparty,” a phenomenon that had arisen around that time among technology- and privacy-conscious activists. Such events were a chance to “teach beginners how to use the commonly available tools that tap into the incredibly powerful technology of cryptography,” as Cincinnatus’s invitation would explain. The date was set for December 11. “I never imagined,” Sandvik later wrote in an account of the events published on Forbes.com, “that the innocuous emails we exchanged might one day be of interest to the U.S. Government.”
Unbeknownst to Sandvik, her fellow party planner was hatching a much more elaborate education scheme. Four days after he contacted Sandvik, Cincinnatus sent an email to the journalist Glenn Greenwald. “The security of people’s communications is very important to me,” he wrote. In a series of emails, he suggested that Greenwald set up an encrypted means by which sources could contact him.
Cincinnatus organized the cryptoparty at a hacker space called HiCapacity, located in the back of a furniture store in Honolulu. The event was well attended, with “a solid mix of age groups and genders,” as Cincinnatus later recounted. When Sandvik arrived around 6 p.m., Cincinnatus introduced himself as Ed and told her that he worked at the computer-hardware company Dell. Ed kicked off the evening by welcoming the attendees, then invited Sandvik to give her presentation on Tor.
When she was finished, Ed pulled out his laptop, plugged it into the projector, and began his own instructional talk about TrueCrypt. In Ed’s presentation, Sandvik later wrote, he “pointed out that while the only known name associated with TrueCrypt is someone in the Czech Republic, TrueCrypt is one of the best open-source solutions available.”
On a website for the party, Cincinnatus posted an “after-action report.” “I’m making a note here,” he summarized, “huge success.”
Six months later, in June 2013, Greenwald and filmmaker Laura Poitras published the first of a still-ongoing series of articles that grew out of their contact with Cincinnatus. In time they revealed that his full name was Edward Snowden, that he had worked in various capacities at the National Security Agency, and that he had downloaded and handed over a trove of documents from the NSA in an effort to blow the whistle on what he believed were egregious privacy encroachments by the U.S. government. Among them was a document revealing that TrueCrypt was one of a small number of encryption programs that had withstood the NSA’s efforts to crack it.
What Snowden and the rest of the world wouldn’t know for another two years was that Paul Le Roux, the man whose code formed the foundation of True Crypt, was at that very moment in the custody of the U.S. government. Le Roux was in a bind, facing the full force of a U.S. federal prosecution for any number of his extraordinary array of crimes. The only way out was to spill his secrets.