For a man who built an empire in pixels, Paul Le Roux seemed like a digital phantom. After his name surfaced in the press in late 2014, I spent the better part of a year trying to understand him through the same means by which he’d directed his massive pharmacy business: the Internet. Late at night, I would open my laptop and plunge into an online wormhole, searching for clues about who Le Roux had been and what he became.
There I found another Paul Le Roux, from another time—one who’d left his trace in archived copies of long-dormant websites and message boards. This Le Roux had been famous among a small community of hackers and privacy geeks in the early 2000s as the author of an important piece of encryption software. Before encryption was a mainstream idea, before Apple defied a U.S. government request to unlock our phones, this Le Roux had written the underlying code of a program that, a decade and a half later, the National Security Agency still could not break.
The question was: Could the Le Roux who politely answered jargon- laden posts about encryption software be the same one who ordered ￼the murder of a real estate agent over a bad deal on a beach house? At first I thought I would never know. The former Paul Le Roux seemed to have disappeared from the Internet in 2004. Encryption experts I contacted had no idea what had become of that Le Roux, and there was no evidence linking him to the man known for drugs and gun running.
One night in October, I had been at the computer for hours when I finally found the missing link. It was a website once registered to the encryption Le Roux, in the early 2000s, and later transferred to a Philippine company controlled by the crime-boss Le Roux. My immediate reaction upon discovering this connection was a sudden and irrational fear: Le Roux was something new, a self-made cartel boss whose origins were not in family connections but in code. Not just any code, but encryption software that would play a role in world events a dozen years after he created it.
I stared at the address on the screen, a post-office box in Manila, left now with a still larger mystery: What had turned the earnest, brilliant programmer into an international criminal, with a trail of bodies in his wake?
One way that hackers and government agencies break into encrypted files and communications is through something called a brute-force attack. The process involves trying every possible combination of letters, numbers, and symbols that might make up a password. Brute-force attacks require enormous computing resources, and the strongest encryption renders them impossible simply by making the number of combinations so large that it would take lifetimes to find the correct one.
When I began my research into Le Roux, he struck me as a kind of encrypted mystery. A few scant details about his criminal existence had been reported in the media, mostly speculations about the mythological size and scope of his empire, but there was little about who he was or how he had built it.
At first I tried my own version of a brute-force attack. Le Roux’s name had surfaced in a court filing associated with the case of Joseph Hunter, his ex-enforcer, and another connected to RX Limited, his prescription-drug firm. I made a list of every name, company, and location in the documents of those cases and began looking them up online, separately and in combination.
Amid the vastness of the Internet, there were an almost infinite number of ways for me to search for evidence of his existence. I would start with a scrap of information—say Your-pills.com, one of the thousands of sites affiliated with RX Limited—and trace its connections. Who owned the site and when? Which mailing address was it registered to? Each of those formed a new starting point.
After months of rote data collection, I had amassed hundreds of thousands of pages of research. There were snippets from long-dead message boards from the early 2000s, Hong Kong legal databases, and obscure newsletters put out by the Australian Federal Police. Here was Le Roux listed as a director of a company in the UK called SSD Software in 2001. There was his name popping up in a 2008 FCC complaint regarding a company in Florida making a marketing call to someone on the National Do Not Call Registry.
The data points were tantalizing, but ultimately the mystery was too complex for brute force. Another way to crack encryption is called a back door. If a government can convince a software maker to create a secret way into a program, and to share that key only with the government, then the secrets protected by that software will reveal themselves.
I needed a back door into Paul Le Roux’s life. Then, two weeks ago, a key dropped into my inbox…