The South African drug kingpin and tech genius who is in an American jail

A real-life James Bond villain. Hacker, self-made cartel boss, and encryption genius. A talented coder who struggled to monetise his work and couldn’t keep a job.

Murderer. Gun runner. Drug lord.

These are all some of the labels applied to Paul Calder le Roux, a South African citizen who built a criminal empire in the early Internet.

Fortunately for law enforcement, Le Roux’s success bred overconfidence. He was arrested in 2012 after a years-long investigation and immediately turned state witness.

For two years, U.S. law enforcement was able to conduct sting operations without Le Roux’s former associates knowing he had been caught.

The first reports of his arrest only emerged in 2014, and the first full account of his exploits was only published in 2016 by journalist and author Evan Ratliff for his own publication, Atavist Magazine.

Le Roux was born on 24 December 1972 at Lady Rodwell Maternity Home in Bulawayo, Zimbabwe — then part of the unrecognised Republic of Rhodesia — to be put up for adoption.

Ratliff reported that Le Roux’s birth certificate gave his first name as “unknown” and did not mention his father. The source providing the information did so on condition the mother’s name was not disclosed.

His adoptive parents gave him his name.

Le Roux completed his primary schooling in the mining town of Mashava but moved to South Africa following the political events of 1980, which ended the Rhodesian Bush War and led to Robert Mugabe’s assumption of power.

His family relocated to Krugersdorp in 1984, where Le Roux remained until he was 18 years old.

He reportedly resented having to learn Afrikaans in school, calling it a dead language. Despite his intelligence, Le Roux dropped out of school at 16.

Le Roux decided to emigrate after taking a trip with his family to Disneyland in the United States.

He moved to the UK, then to the U.S., then followed a girlfriend, Michelle, to Australia in 1995 where they married and he obtained citizenship.

From Australia, he launched a company, World Away, and tried to solicit programming work.

Ratliff pieced together parts of Le Roux’s early life through Usenet posts and other online activity.

Usenet is a precursor to modern web forums — a distributed discussion system that predates the World Wide Web.

In addition to revealing Le Roux’s technical skill and deep knowledge of encryption, he was also a troll who frequently posted racist comments.

Information from sources close to Le Roux later corroborated that he was an unrepentant racist and would often aim slurs at employees.

The Snowden connection

Through the clues Le Roux left in his message board postings, Ratliff connected him to an open-source project called Encryption for the Masses (E4M) — which he began developing in 1997 and launched in 1998.

By 1999, he was divorced from his wife and desperate for money having earned no income on the two years of labour he had dedicated to E4M.

He relocated to Hong Kong, then to Rotterdam, where he married a Dutch citizen with whom he had a son.

To monetise E4M, he launched SW Professionals in 2000 in South Africa.

“I have set up a company in South Africa, and am offering good-quality programming services at excellent developing-country rates,” he said on the old E4M web page.

“South Africa is a good choice for offshore programming because there are many skilled programmers, and salaries are cost effective.”

In 2001, he was approached by SecurStar founder Wilfried Hafner to work on their encryption software which was based on E4M and another product, Scramdisk.

He was dismissed in 2002 when SecurStar found that Le Roux had continued to work on E4M, apparently incorporating features he had worked on into his own project.

By October 2002, his company was defunct, and he asked for contract programming work on a Scramdisk-related security forum.

Two years later, freeware disk encryption utility TrueCrypt was released by anonymous developers.

Although built on E4M’s code, little was known about the people developing or funding the software.

Le Roux’s former colleagues at SecurStar suspected he was part of the TrueCrypt team but couldn’t prove it.

He has also denied any involvement in TrueCrypt.

In 2012, under the handle “Cincinnatus”, Edward Snowden arranged a cryptoparty in Hawaii to which he invited journalist Glenn Greenwald.

There, Snowden taught attendees how to use TrueCrypt, one of a few encryption programs that had resisted the NSA’s attempts to crack it.

“What Snowden and the rest of the world wouldn’t know for another two years was that Paul le Roux, the man whose code formed the foundation of True Crypt, was at that very moment in the custody of the U.S. government,” Ratliff reported.

Drug-fuelled empire

In 2003, after failing to monetise a gaming engine for online casinos, Le Roux launched what would become RX Limited — a network for selling illegal prescription drugs.

As with his previous endeavours, it began with a message posted to several Usenet groups. This one solicited business contacts in the United States:

We are European based private investors looking for a U.S citizen or green card holder to help us setup a new company based out of Florida, we will do all the paper work we need your help to comply with U.S law. But we know nothing in this world is free, so we will pay you up to $500 to help us. Please only genuine people. No time wasters.

The system was intricate, with many employees and pharmacists under the impression that the business operated in a legal grey area.

To place an order, customers completed questionnaires about their medical history and symptoms.

Behind the scenes, the questionnaires were forwarded to doctors in the U.S., who wrote prescriptions for the drugs ordered despite never having examined the patient in person.

The prescription and the customer’s order would go to a pharmacy in the U.S., which would then ship the drug.

Everyone in the chain — the doctor and the pharmacy — received commissions on every order.

RX Limited soon set up call centres to check orders and handle customer complaints.

In 2007, U.S. authorities began investigating RX Limited, and Le Roux relocated his family to an upscale gated community in Manila, the Philippines.

Breaking Bad

It is around this time that Le Roux’s story takes a dark turn.

Two managers of one call centre casually discussed the possibility of opening their own pharmacy in the U.S. in late 2008.

A few months later, one of the two managers was dispatched to the Philippines for what he believed to be a business meeting.

He was accused of stealing from Le Roux, thrown off a yacht, and shot at by one of the newly-minted drug kingpin’s associates.

When the manager explained he had merely discussed plans that could have benefitted both parties, he was pulled back on board.

Le Roux warned him that he would be killed if he tried to leave or if he were even suspected of stealing.

Brazil and arrest

Fearing betrayal, Le Roux started covering his tracks through several shell companies and false identities.

Beginning in 2011, he also started disappearing for long periods with none of his employees knowing his whereabouts.

With U.S. law enforcement closing in, Le Roux had begun exploring moving to Rio de Janeiro.

During his travels, he had a son with a Brazilian lover in Rio, giving him additional protection from extradition under Brazilian law.

Sometimes known as the “Ronnie Biggs defence” for the British train robber who avoided extradition to his home country by fathering a Brazilian child, the country’s courts have subsequently found that this alone is not enough to prevent extradition.

However, having a child in Brazil does open several legal avenues for people to oppose extradition.

Regardless, Le Roux permanently relocated to Rio de Janeiro on 19 May 2012 with his girlfriend at the time and their daughter, posing as tourists.

Three of his associates would oversee his operations during his absence.

Despite his hypervigilance, Le Roux was arrested on 26 September 2012 after being lured into a trap by the U.S. Drug Enforcement Agency (DEA).

One of Le Roux’s associates approached him about a Colombian cartel representative who wanted to build a methamphetamine operation in Liberia.

However, the Colombian cartel representatives were actually DEA agents.

They convinced Le Roux to fly to Liberia to meet the cartel representative and finalise the deal.

He was arrested for conspiracy to import narcotics into the United States and immediately agreed to cooperate with authorities in exchange for a lesser sentence and immunity to any crimes he might admit to later.

Besides the seven murders he admitted to, Le Roux pleaded guilty to trafficking arms to Iran, fraud, and bribery.

A 2014 court document claimed Le Roux dealt with the Iranian government between 2009 and 2012. One of the items he supplied was believed to be a missile guidance system.

There are at least three assassinations linked to Le Roux where no arrests or confessions have been made.

Le Roux’s cooperation with U.S. authorities likely saved him from receiving the death penalty.

“The scope and severity of Mr Le Roux’s criminal conduct is nothing short of breathtaking,” said the judge presiding over his sentencing, Ronnie Abrams.

“I have before me a man who has engaged in conduct in keeping with the villain in a James Bond movie.”

Although Le Roux’s deal prevents further prosecution in the United States, it allows him to be extradited to face charges elsewhere.

The Philippines’ National Bureau of Investigation announced that they will seek Le Roux’s extradition and charge him with the crimes he committed under their jurisdiction.

Satoshi Nakamoto candidate

In his 2019 book The Mastermind: Drugs. Empire. Murder. Betrayal, Ratliff wrote that a former employee of Le Roux’s, who was serving time in prison, believed Le Roux was the pseudonymous creator of Bitcoin, Satoshi Nakamoto.

He noted that Le Roux’s arrest and Satoshi Nakamoto’s last posts to the original Bitcoin repository occurred around the same time.