Update: This post had some effect in the world, including the disappearance of a bunch of websites. Sorry for dead links. More follow-up here.
Derwick Associates is a
Bahamas Bermuda*-based electricity contractor that has had great success selling power plants to Venezuelan state-owned enterprises. Those efforts have attracted attention from the press and, most recently, from former US ambassador to Venezuela Otto Reich, who sued two principals of Derwick for alleged interference with business and racketeering, also accusing them of bribery in Venezuela.
Derwick is the beneficiary of an aggressive on-line reputation management campaign. If you search the internet for terms associated with the company, such as the names of the two principals Reich accused, “Pedro Trebbau Lopez” and “Leopoldo Alejandro Betancourt Lopez,” you will find very few news articles about them. Some search engines, including Bing and DuckDuckGo, give an entire first page of spurious results (see image in upper left). Most of the results are for pages obviously designed to obfuscate, throwing banal dust into the eyes of the search engine and leaving a casual searcher with the incorrect impression that there’s nothing to see here. On Google, the first six results are such fluff. Ironically, one of the first serious articles to appear in these searches is an exposé by blogger Alek Boyd about Derwick’s reputation management.
Everyone has a right to protect reputation online. And I don’t much care if someone wants to spend time and money filling websites with celebrity gossip, sex advice or technology news interspersed with the names of Derwick’s newsmakers. Sure, I could join in the existential pondering about the future of knowledge and the internet itself (and that is a very good article!), but the 3,000 words in this post need no padding. Instead, I invite you to follow me down a maze of on-line clues that for the first time connect a host of Venezuela corruption scandals and hint at the possibility that a highly regarded Venezuelan security consultant may be connected to an online defamation campaign and even to a pair of denial-of-service attacks on blogs.
Start at the beginning. Whoever is running Derwick’s protection campaign uses a broad range of websites, most of which are untraceable without a government warrant. The person puts the names of Trebbau, Betancourt and other Derwick leaders onto accounts on Facebook, Bligoo, Slideshare, Google+, Webeden, Twitpic, WordPress.com, Apsense, Skyrock, even the long-forgotten Tripod and the progressive petition site Change.org. He then fills those pages with banalities that sometimes include search terms like PDVSA or electricity, but never link back to the serious news articles about Derwick.
But the protector let slip his anonymity when he registered domain names related to characters in the Derwick drama. The first I noticed were these rather obvious ones, registered 17 January 2012:
Internet domain names are commercial products, and a buyer has to provide a working e-mail address. Mailing address and phone number don’t matter, but the e-mail address has to work, or the domain registration won’t go through.
Today, the domains are registered anonymously through GoDaddy, a wholesaler in Arizona. But until just a couple weeks ago, they were registered to
Domaincustodial.com itself is anonymously registered. Another site, DominioEnCustodia.com, was taken down in the past two weeks (here’s a version rescued from Google Cache). It identified a bunch of other pages, most of which were also registered to
So we have two Derwick pages and these random unused domains named for wealthy or famous Venezuelans on dominioencustodia.com. But there are more. All of these Derwick-related names were registered to the same e-mail address on the same day, according to records downloaded from DomainTools.com:
domingoguzmanlopez.com, .org, .net edgardromero.com, .net, .info leopoldoalejandrobetancourtlopez.com, .org, .net pedrotrebbaulopez.org, .net, .com
Whoever is behind that e-mail address is quite likely the person who is running this whole reputation management campaign.
But it wasn’t just Derwick. DomainTools makes it easy to find all domains registered to an e-mail address. Back in May, I got the list, with about 100 domain names. All were registered to the names of people or companies that have been in the news in Venezuela and who might want reputation protection. Some examples are pages related to Nervis Villalobos, Venezuela’s former deputy minister of energy. His name appeared in Cesar Batiz’s article, “La historia íntima de Derwick”. In that story, Batiz said Villalobos had flown alone on a jet belonging to Derwick. Reich, in his lawsuit, accused Villalobos of carrying a bribe offer from Derwick to Energy Minister Rafael Ramírez.
firstname.lastname@example.org registered sites related to his name, such as:
nervisgerardovillaloboscardenas.com, .org, .net, .info villaloboscardenasnervis.com, .net, .org, .info nervisvillalobos.com, .net, .org, .info
When we spoke a couple weeks ago, Villalobos denied having anyone doing reputation protection and denied any knowledge of websites related to his name.
There are a bunch of domain names related to scandals in the Venezuelan state of Bolivar. There were interrelated scams going on there. You can read about them in “English” here. Some domain names related to these cases were registered to
email@example.com on March 1 of this year:
elyernodelgobernadordelestadobolivar.info, org, net, com luissalvadorvelasquezrosas.com, net, org, info luisvelasquezcabillas.com, net, org, info luisvelazquezcabillas.com, net, org, info rodrigogonzalespiazza.com, net, org, info rodrigogonzalezpiazza.com, net, org, info
In addition, sites related to the name Carlos Rodrigo Gonzalez Piazza were created in June, again registered to
I previously had no idea that “El Yerno del Gobernador del Estado Bolivar” (the son-in-law of the Bolivar state governor) was somehow mixed up in these affairs. But for whatever reason, the person at DomainCustodial registered them all together. Not exactly what you want from a reputation management consultant, linking your name to other scandals.
Same thing with Gianfranco Rondon. Never heard of the guy, but there he is.
gianfrancorondon.com, .net, .org, .info, .biz
Now, it gets even stranger. The name on all these domain registrations was Carlos Díaz. Months earlier, I was trying to look up Roberto Enrique Rincón, owner of Tradequip Services & Marine in Houston, and noticed a bunch of reputation management sites related to his name.
(FYI here’s what he really looks like.)
By coincidence, those domain records were also registered to someone named Carlos Díaz, but with a different address:
The following domains were all registered to that address on 20 July 2012:
humbertorobertobravozambrano.com, .info, .net, .org joseberti.com, .info, .net, .org joserobertorincon.com, .info, .net, .org ottaviocautilli.com ,.info, .net, .org ovarbindustrial.co, .info, .net, .org reliableprocessinstruments.com, .info, .net, .org robertoenriquerincon.com, .info, .net, .org robertorincon.com, .info, .net, .org saracurphy.com, .info, .net, .org tradequipca.com, .info, .net, .org tradequipservicesmarine.com, .info, .net, .org
Ovarb Industrial is a Texas-registered company that made hundreds of millions of dollars of sales to PDVSA, Venezuela’s state oil company in 2010, during the first phase of Venezuela’s ongoing electricity crisis. Ovarb is a sister company of Tradequip Services & Marine, a company based in the northern suburbs of Houston that makes a majority of its sales to PDVSA. Tradequip has a Venezuelan company too, Tradequip CA.
Tradequip, Ovarb and Reliable Process and Instruments, along with a host of other companies, are controlled by the family of Roberto Enrique Rincón Fernández, a Venezuelan with a mansion in The Woodlands, Texas. His son, Jose Enrique Rincón Bravo is also a major player in the company. (Ovarb is Bravo backwards.) His son-in-law, Ottavio Cautilli, used to control Ovarb-related domain names. I think Humberto Roberto Bravo is Roberto’s brother-in-law.
Back in 2010, Ovarb’s company registration was in the name of a woman named Sara Curphy. She was listed as President on some legal documents and on the website. César Batiz, a reporter at El Mundo and Últimas Noticias in Caracas, pointed out Ovarb a couple years ago in his now-famous article, “PDVSA compró con sobreprecio.”) Another name in his article was Michael Baker, husband of Curphy, whose name also appeared in legal and corporate documents associated with some of the Rincóns’ companies. José Berti founded a company with José Roberto Rincón (and according to the now-defunct newspaper 6to Poder, Berti was also mixed up in some interesting business on his own).
So you see, those domain names, all registered the same day, all contain the names of people who know one other. If you map their relationships, you’ll see that they all pass through Roberto Rincon.
But wait, there’s more. On 27 August 2012,
CarlosDomains1902@gmail.com registered domains related to Abraham Shiera. Shiera is a Venezuelan-Floridian businessman who runs companies that sell materials to PDVSA. (He also appears in that photo with Roberto Enrique Rincón.) He hasn’t been in the press much, other than kvetching about a rain delay at a tennis match. But there he is, along with his main companies, populating the list of Carlos Díaz’s domains:
abrahamshiera.com, .info, .net, .org issglobalnet.biz, .co, .info, .net, .org lamgroup.biz, .co, .info, .net northlandautomation.biz, .co, .info, .net, .org
CarlosDomains1902@gmail.com, we’re talking about 468 domains, according to domain DomainTools.com. (Feel free to donate the $299 so I can buy the whole list. Button is up there on the right.)
I hope you don’t mind if I go on. This thing is a sort of Rosetta stone of Venezuela weirdness.
A couple years ago, a Venezuelan company was accused of having handled kickbacks in a military procurement deal in Spain. The company was called Rebazve Holdings and was run by Juan Rafael Carvallo and Pedro Enrique Malave. Among Carlos’s domains:
juanrafaelcarvallo.co, .com, .info, .me, .mobi, .net, .biz, .org pedroenriquemalave.co, .com, .info, .me, .mobi, .net, .biz, .org rebazveholding.co, .com, .info, .mobi, .net, .biz, .org rebazveholdinglimited.co, .com, .mobi, .net, .biz, .org
And there’s Ramiro Helmeyer, convicted of murder and terrorism for his role in the 1993 “yuppie gang” bombings in Caracas. Others involved in the scheme always maintained there was some sort of framing involved, maybe involving drug traffickers. It would be an interesting story for someone to dig into. Anyway he was freed by Pres. Hugo Chávez — maybe pardoned, maybe paroled, hard to say, as someone has deleted all of his case records from the Venezuelan court website (quite a reputation management trick in itself). Carlos Díaz domains include:
ramirofranciscohelmeyerquevedo.com, .info, .mobi, .net, .org ramirohellmeyer.com, .info, .mobi, .net, .org, .me ramirohelmeyer.info, .me, .mobi, .org
At RamiroHelmeyer.net, you can see his declaration, alongside a photo of a Spanish consultant that is labeled “Ramiro Helmeyer.” He says, “I committed an error in the past, for which I took responsibility and I paid, while the truly guilty were never tried thanks to their accomplices in power at that moment in history. I am completely dedicated to remaking my life, without harming anyone. Take that as you will, it’s the truth.”
Mock these efforts if you like — damning news articles are still the first hits for the guy on Google. But over at Bing and other search engines, Helmeyer remains protected.
The list goes on, mostly minor newsmakers, mostly people who have been accused in the press but never tried or much less convicted of anything, and also some who, as far as I can tell, were victims of crime and probably got tired of having one nightmare night of violence take over their Google reputation forever.
I wondered, who is Carlos Díaz, and why is he doing this? There are several clues.
First of all, these protected names show up in the content of other sites registered to Carlos Díaz.
Look at BairesToday, a blog that just started posting in July, covering Buenos Aires news. Mixed in with the news and photos of pretty girls are these same names. Again here. (Update 29 August: Don’t bother clicking, site is gone)
You can barely see it at the bottom of that screenshot, but look at the Beyonce article — for no particular reason, it says “Pedro Trebbau Lopez.” Here, go see the original. (Update 29 August: Don’t bother clicking, site is gone)
Or go click around on any of the other related pages (Update 29 August: Don’t bother clicking, sites are all gone): pornonomia.com, fustigado.com, modaenvenezuela.com, santosocorro.com, tomalaruta.com, pulcrolimpio.com, reparandoelcarro.com, teteracaliente.com, vientosdeboda.com. (And yes, there are more.)
These pages are designed to produce spurious hits for internet searches on the term “Pedro Trebbau Lopez.” And not just him. A bunch of names show up, and most of the names overlap with the list of domain names registered to Carlos Díaz. (The two names that appear most, however, are of women who don’t seem to have anything to do with anything. I suspect they work for the reputation protection company and probably don’t know much about the people they are protecting. Please don’t make their lives miserable.) An example of these pages being used for reputation protection:
How does this hint at Carlos Díaz’s real identity? Well, first, there are several Venezuelan sites that are part of this whole charade:
mueretedelarisa.com.ve tipseguridad.com.ve appvenezuela.com.ve bebesano.com.ve miralabelleza.com.ve comoanilloaldedo.com.ve elttdehoy.com.ve comegatos.com.ve comersano.com.ve mientrasdormia.com.ve modelosvenezuela.com.ve
They are all registered to Eduardo Aponte, with a phone number that’s almost identical to the non-functioning Caracas number of Carlos Díaz. (637-5494 x0212, rather than +58-212-637-5494). (Keep that name in mind — Eduardo Aponte.)
And then the clincher: I made a spreadsheet of all the domains that a month ago were registered to Domain Custodial. I sorted by creation date and saw that the oldest was first registered way back on 24 April 2009. The domain was CleanPerception.com.
Clean Perception is a Caracas-based reputation management company. Clean Perception promises:
We promote positive content and diminish negative information. We create positive content to position it in the [search] results. We strengthen existing positive and neutral information using the techniques of Search Engine Optimization Engineering. We promote the positioning of personal and corporate on-line assets such as blogs, forums, profiles, websites, etc.
It also promises clients it will keep their data private.
Clean Perception is respected. Its principal, Rafael Núñez, spoke to the Venezuelan-American Chamber of Commerce (VenAmCham) 28 September 2012, three days after he was extensively quoted by BBC Mundo.
Núñez’s full name is Rafael Eladio Núñez Aponte. His second name and second last name are awfully similar to Eduardo Aponte, who registered the .ve domains. And yes, if you search these domains, you may find scattered references to Rafael Núñez and his Enfoque Seguro website.
(“Rafa” also ran the hyperactive @enfoqueseguro Twitter stream until August 24, when it suddenly disappeared. I learned a lot about digital security from that stream and am sorry to see it go. UPDATE evening of 27 August, the Twitter stream is back with all its tweets. Good to see.)
Also, DomainCustodial had registered names related to principals of Clean Perception:
rafaelnunez.com rafahacker.com ivanhernandezvila.com
Ivan Hernandez Vila is, according to LinkedIn, the COO of Clean Perception. There is also a page on Slideshare that refers to him as president of Clean Perception.
Núñez used to be known as “RaFa,” a notorious hacker. He was arrested in the US in 2005 for having hacked an Air Force computer four years earlier. He pleaded guilty, was sentenced to time served and deported. His arrest report if you want it.
Núñez denies any connection to Derwick or these websites. We spoke by phone August 5. Asked directly if he did any work for Derwick, he said no. Asked about Nervis Villalobos, he said, “Nerwis? Nerwis, quién es?”
“We work mostly with banks, the private sector,” he said. “We barely work with individuals, more with companies.” He said the company runs a compliance check on its clients to ensure that they appear on no “international lists.” “We don’t have links to people who don’t pass compliance check,” he said.
He says Clean Perception works with communications departments and offers strategies, but that his company lacks the manpower to run social media strategies for clients. “We do coaching, training,” he said.
“We have no connection with this Domain Custodial company,” he said, and asked what Domain Custodial was. I explained to him that his site,
CleanPerception.com, was registered to Domain Custodial. He said that the technology department, “my technical guy,” was in charge of that and he didn’t know about it. He said he would look into it.
We spoke again the next day, and he said that Carlos Díaz was a web designer that Clean Perception had contracted to work on the site, and “we have nothing to do with him.” A person who worked at Clean Perception had a relation with him, but that person no longer works there. “No tengo ningún idea quien es este carajo.” The sites rafahacker and rafaelnunez? “Those domains aren’t mine,” he said. “Strange, no?” He asked me to send him screenshots of the domain registrations, and then said it was time for lunch and he would call me later. He didn’t. The next day, he deleted me from his Skype contacts. I e-mailed and asked for Díaz’s contact info and he sent an e-mail address and phone number. The phone didn’t connect and no one replied to e-mails sent to Díaz’s various addresses.
I find the denials implausible. Núñez is a recognized expert in digital security. I don’t believe he would give control over his company’s domain to someone he had never met. Redirecting a website to a new e-mail address generally requires approval from the old registrant. I wrote him with detailed questions explaining that I didn’t believe him. I said I think he is Carlos Díaz and Eduardo Aponte and that he is running reputation campaigns for Derwick and others. I asked once more how his company’s domain got into the hands of this Díaz person. He didn’t respond at all.
In a remarkable coincidence, in the weeks since I spoke with Núñez, dozens of “Carlos Díaz” domains have been re-registered to anonymous registration at GoDaddy.
Now, in case this situation isn’t already weird enough, let’s go further down the rabbit hole.
Derwick Associates sued a bank and a couple people in a $300 million Florida defamation case last year. One of the subjects of that suit was Rafael Alfonzo Hernández, a conservative Venezuelan writer and activist.
Interesting coincidence. Núñez has for years been heavily involved in the online fight against child porn. (He registered the domains for the Child Pornography Investigative Unit at cpiu.us and cpiu.es.) This reputation takedown tried to link its subject to pedophilia. No proof of anything here, just an interesting coincidence.
I reached Alfonzo and he said he couldn’t say anything at all about the lawsuit and that while there had been a defamation campaign, it was short-term, that after letters to websites it all disappeared, and he didn’t want to revisit the situation.
Aside from black-hat reputation management and black-hat reputation destruction, there’s also the possibility that Carlos Díaz has been involved in denial-of-service attacks.
A few weeks ago, I reported on Reich’s lawsuit. Alek Boyd, Derwick’s most persistent English-language critic, had at the time just opened a new website, infodio.com. He posted a bit about the new lawsuit. Then, his site was knocked offline by a distributed denial-of-service attack (DDoS).
When I mentioned to Núñez that this had happened, he immediately said that one couldn’t mount such an attack from Venezuela because of slow connections. Nice when people deny things before one can even ask a question. He also said he knows Boyd; Boyd denies this. I asked Núñez directly about the DDoS attacks in my follow-up e-mail August 11. As I said before, he didn’t respond.
Boyd has plenty of enemies and it may just be coincidence that the site was knocked offline that week. But then there’s this. His old site, vcrisis.org, was also once taken down by a DDoS attack. That happened after he refused to take down criticisms of Venezuelan businessman Majed Khalil. Wouldn’t you know, look at a few sites previously registered to
majedkhalil.mobi, .me, .org, .info
(Speaking of Boyd, he has also been a long-time critic of Antonio Mugica, CEO of voting machine maker Smartmatic. Yes, DomainCustodial:
antoniomugica.net, .org, .info, .biz
Also, Carlos Diaz used to have his name on
smartmatic.biz, which was used in this little bit of dirty-trickery.)
To sum up, we have a reputation-management company sharing a domain registration e-mail with a whole bunch of reputation-management websites. Most of those sites appear to exist to protect people who have appeared in news articles about possible scandals. Critics of those same people have faced an on-line defamation campaign and at least two denial-of-service attacks. The person who runs the reputation management company is a convicted hacker who claims to have changed his ways. He declines to explain why he entrusted his company’s domain to someone he had never met. He also declines to explain why similar reputation-management websites are registered to Eduardo Aponte, a rare enough last name to make it a remarkable coincidence that it’s also his last name.
At the least, Núñez should probably clear the air. It’s possible that Carlos Díaz really exists. If so, Núñez (and/or Hernández) made a rookie error of digital security. But that would be the lesser error. Put me on the phone with Carlos. And if Clean Perception really is Carlos Díaz, why would Núñez put at risk his reputation, and that of his company?
Clean Perception has a slogan on its website: “Cuidamos tu reputación en linea como si fuera la nuestra.” Is it a promise or a warning?
I wasn’t really expecting a reply to my e-mail, and I don’t expect a reply to this post. I leave you with this quote from the 2002 book The Hacker Diaries:
*I will never get these two straight in my head. Sorry.