Before they built an international underworld empire — before they weaseled their way onto millions of computers, before their online enterprise was bringing in hundreds of millions of dollars a year, before they were fugitives wanted by Interpol — Sam Jain, now 41, and Daniel Sundin, 33, were just a couple of garden-variety Internet hustlers. The two, who met around 2001, started out with a series of relatively modest scams and come-ons. Capitalizing on post-9/11 paranoia, Jain sold anti-anthrax gas masks. Exploiting the anxieties of aspiring non-English-speaking immigrants, he helped run a green card lottery site that tricked applicants into paying for an INS form that the government provides for free. Together, the two men sold gray-market or counterfeit versions of popular software. They marketed all these dodgy ventures with a mix of hyperaggressive tactics, including classic black hat tricks like “browser hijacking” and “typo-squatting.” But Jain and Sundin weren’t technological wizards; they didn’t break into their marks’ computers or steal their credit card numbers. Instead, they were masters of social engineering who got people to hand over their money willingly. The work was lucrative enough that Jain and Sundin could afford to hire programmers, designers, and emarketers. Still, their approach was unfocused — and exhausting.

Then, in August 2003, Jain and Sundin had a breakthrough thanks to the arrival of the so-called Blaster worm. Blaster quickly compromised hundreds of thousands of machines, making it one of the fastest-spreading pieces of malware ever. The worm also prompted an unprecedented consumer panic: Some 40,000 computer users called Microsoft for support during the first four days of the epidemic. Jain and Sundin had built a small empire dedicated to exploiting people’s fears — of bioterrorism, for instance, or deportation. Here was a threat that menaced almost everyone with a PC, which meant a vast potential audience for their manipulative online ad campaigns. Jain and Sundin — now working through a company they called Innovative Marketing Inc., or IMI — merely had to use the fear of computer viruses to sell antivirus software.

Coincidentally, Sundin had already written some firewall software called Computershield. It wasn’t as effective as mainstream antivirus programs, but it didn’t have to be; the genius would be in the sales pitch. After rebranding it WinAntiVirus, IMI began buying pop-up ads that blared fake alerts about problems on users’ hard drives — for example, “You have 284 severe system threats.” These ads prompted customers to download a free trial or pay $39.95 and up for IMI’s subpar software. Once installed, the trial versions pumped yet more ads into the user’s web browser, pestering people to shell out the full price. It was a deeply ironic scheme: Jain and Sundin planned to exploit consumer fears of viruses in order to spread what was, in effect, another virus — and the victims would pay for the privilege.

THE NUMBER OF PHONY ANTIVIRUS PROGRAMS HAS EXPLODED WORLDWIDE Source: Panda Security

The plan worked. People were so spooked by the Blaster worm, a coworker would later recall, that Jain boasted he could be selling “a block of ice” and still make money. Soon, IMI was pulling in $1 million a month. Jain and Sundin quickly turned their attention away from their other, lesser scams and concentrated on their new cash cow. IMI had found its killer app.

Over the next few years, imitators sprang up. Soon, computer users were besieged by terrifying alerts from all kinds of purported antivirus software vendors. This genre of software, widely called scareware, has become the Internet’s most virulent scourge. By 2009, an average of 35 million computers were being infected by scareware every month, according to a study by software developer Panda Security. “Scareware is still the most promising way of turning compromised machines into cash,” says Dirk Kollberg, a senior threat researcher at security firm Sophos. And until recently, IMI was the Google of scareware, exploding over just a few years from a small group of housebound hackers into an international juggernaut, a sophisticated enterprise with hundreds of employees and offices on four continents. It had telephone support centers in Ohio, Argentina, and India and marketed its products under more than 1,000 different brands and in at least nine languages. From 2002 to 2008, IMI brought in hundreds of millions of dollars in profit.

IMI employees didn’t know each other’s real names — everyone just went by an online nickname.

Unlike other young Internet entrepreneurs who built big businesses at the start of the new millennium, the story of Sam Jain and Daniel Sundin hasn’t been told in fawning profiles or books or in movies directed by David Fincher. Yet in a perverse way, IMI could be considered one of the most remarkable startups of the past decade. This duo’s knack for social engineering has been as brilliant as anything Facebook ever rolled out, and IMI’s nimble, iterative approach to software development and marketing produced innovation on an almost weekly basis. The IMI story apparently isn’t one that its two founders are eager to tell, though; in fact, their whereabouts are unknown and both have warrants out for their arrest. But thanks to a series of lawsuits and criminal complaints filed over the past several years, combined with interviews with former company insiders, it’s possible to reconstruct a picture of how scareware gets made — and how it made multimillionaires out of two misanthropic hucksters.

When Shaileshkumar “Sam” Jain moved to Silicon Valley in 1991 after graduating from Penn State in just three years, his elastic attitude toward ethics quickly became apparent. Three months after his arrival, Jain was arrested after he used a fake ID while trying to open a checking account under the name Christopher Rubio. His father, an engineer with Westinghouse in Pittsburgh, wrote a pleading letter to the judge, attesting that his son had never been in trouble before and calling the situation “a nightmare … for myself and my wife.” Two coworkers at a ticket-kiosk startup where Jain later worked remember him finagling a free laptop by deliberately scorching his own thigh with a cigarette lighter and blaming the burn on a faulty computer.

Slight of build, Jain was insecure about his appearance, former colleagues say, pursing his lips to conceal the retainer he wore and talking about undergoing corrective eye surgery so he wouldn’t have to wear glasses. He was a loner, distant from his family. In addition to a relationship with a much-younger blond Idahoan named Kristy Ross, he sought female companionship from strippers and escorts. Jack Palladino, a prominent San Francisco private investigator and attorney who worked with IMI starting in 2006 and came to consider Jain a friend, takes a more sympathetic view of his personality. He sees Jain as an eccentric genius whose brusqueness stems from his difficulty connecting with people. Regardless of the underlying reasons, Jain struck those around him as having a zero-sum worldview: Screw or be screwed.

By the time the dotcom bubble started to burst, Jain had staked out a career for himself on the shady boundary between Internet marketing and outright fraud. In 2000, apparently with money he won in Las Vegas by betting on football games, Jain cofounded a company called eFront, which purchased dozens of niche content sites and sold ads across the network. The concept was ahead of its time, and the Costa Mesa, California, company was quickly listed among the highfliers of the fading boom; analytics firm Media Metrix declared it one of the web’s 20 most trafficked networks. Less than a year later, eFront imploded after it was revealed that someone had submitted bogus data to Media Metrix. (Several coworkers say that Jain was the culprit, though he denied this at the time.) By spring 2001, eFront had shut its doors and Jain had moved to Hawaii to regroup.

It was around this time that Ross introduced Jain to Daniel Sundin, and the two quickly joined forces. Sundin had dropped out of school at 16 and then left his native Sweden for Arizona, where he made a living developing traffic-tracking software for porn websites. Tall and rail thin, Sundin suffered from a gastrointestinal disorder called bacterial overgrowth syndrome, which made it hard for him to gain weight. Like Jain, Sundin was happy to stay in his apartment and was most comfortable interacting with people through machines — though he could be persnickety online, too, correcting others’ spelling and deeming certain ideas “moronic.” He also loved porn, amassing an enormous personal library. (“He had a 7-terabyte storage system,” a former colleague recalls.)

Jain and Sundin shared an arrogance verging on contempt for others — as well as an interest in the more shadowy precincts of ecommerce.

Although Jain and Sundin’s partnership was almost always virtual — Sundin moved to Seattle, while Jain left Hawaii for Las Vegas — the two grew close. They shared an arrogance verging on contempt for others, as well as an interest in the more shadowy precincts of ecommerce. Sundin had launched a number of his own porn sites and made money spamming. Jain was also drawn to his friend’s business acumen: Sundin had been among the first to recognize the benefits of outsourcing, and by late 2001 he was farming out coding and interface-design work to Argentina, India, and Ukraine. Jain saw that the software infrastructure Sundin was creating could be used to build something much bigger.

In its early days, IMI’s staff consisted of a loose-knit confederation of young marketers and programmers scattered around the country. These included Jain’s ex-girlfriend, Ross, who handled ad placement; a Boston College law student named Marc D’Souza, who helped establish relationships with credit card processing firms; and a Cincinnati programming whiz named James Reno, who was still in high school and sometimes had to end his IM sessions with Jain because his mother was telling him it was time for bed. Everyone communicated by instant message and e-mail, with almost no face-to-face meetings. The letters on Ross’ keyboard were entirely worn away from constant use. D’Souza, who after graduating split his time between Toronto and Bahrain, met with Jain only once during the six years they worked together. By the end of 2001, IMI did have a central office — in Ukraine, to draw on that country’s cheap programming labor.

Over time, IMI transformed itself into an engine of innovation. The team was constantly experimenting, tweaking its security software packages — which ranged from antivirus programs to registry cleaners to firewall software — and marketing them under new names, like WinFixer, ErrorSafe, and DriveCleaner. The company tirelessly refined its marketing, sending customers ads for a variety of products and then conducting sophisticated statistical analyses to see which approach was most effective. One huge leap forward was the so-called scanner method, which IMI started using in mid-2005. A pop-up ad would offer a “free scan” of a user’s supposedly infected drive. Once the phony scanner announced its results — always bad — it provided a link to IMI’s software. It was an effective bit of social hacking: Because potential customers had already invested time in the “scan” and been duly frightened by it, they were much more likely to purchase the software.

IMI also used a series of tactics to make sure its advertisements were displayed on as many screens as possible. Soon after the Blaster worm made IMI a fortune, a former company executive says, Sundin paid roughly $3 million to buy a Costa Rica-based adult dating site, granting Sundin access to its millions of users worldwide. One challenge IMI faced was dodging angry customers demanding their money back. The goal was to avoid giving a refund while keeping the customers from calling their credit card companies, which would endanger IMI’s banking relationships. The problem wasn’t that the company’s software was ineffective — most customers had no way of knowing that. But in many cases, their existing antivirus software would flag the IMI apps as malware, which made them difficult to install and slowed computer speeds to a crawl. The company set up call centers to provide support in multiple languages, usually instructing customers to uninstall their other antivirus software. This trick seemed to mollify callers; it allowed IMI’s software untrammeled access, bringing the computer’s speed back to normal. The IMI program still did little or nothing, but those upsetting warnings stopped showing up, leaving nervous customers with the impression that their new purchase had done its job.

As a result, the business experienced an almost uninterrupted growth spurt. Between 2004 and 2006, annual gross revenue climbed from $11 million to $53 million. In January 2004, IMI’s Ukraine office had 70 employees; four years later, more than 600 people worked there. The headquarters took on all the trappings of a standard-issue cubicle farm. There was an HR department. English lessons were offered. Every Friday, the company brought in kegs of beer. There were bowling outings and birthday parties, and there was even a small gym. For a bunch of twentysomething Ukrainian software geeks who’d never had a job before, it was a fun place to work.

Yet in other ways, it was nothing like the average company. Former employees say they didn’t know each other’s real names; instead, everyone went by an online nickname. The main corporate website was cagey, revealing nothing about the people behind IMI. Contracts, according to a former recruiter, were “very strange,” devoid of the normal corporate stamps and CEO signatures. Employees were paid with cash in envelopes. Salaries, according to an e-mail written by one of IMI’s Ukrainian managers and published in court documents, “were hidden as much as possible from the tax organs, police, anybody. Instead of a contract with the ISP provider, the money was simply wired to its hidden offshore account. This let us [save] 20 percent of the potential tax expenses.”

Some employees, spooked by IMI’s methods, left. But a surprising number stayed. “It seems normal in our country to be hiding, from tax service or anything else,” an IMI alumnus says. Ex-employees didn’t hesitate to put their IMI stints on their résumés. Some went on to work for blue-chip international companies, including Barclays and Microsoft.

Meanwhile, thousands of miles away, Jain and Sundin were distracted by an onslaught of legal problems. Jain had been sued by Symantec, stemming from earlier sales of gray-market software that Symantec alleged was counterfeit. His green card site, which masqueraded as the official INS website to trick immigrants, finally drew the attention of customs officials; when they stopped Jain on his way into the US in December 2003 and seized his laptop, he was carrying an undeclared check for $1 million. He soon left for Brazil, where he shuttled between Rio, São Paulo, and Florianópolis, evidently living in hotels. His parents told attorneys they were uncertain of his whereabouts. Several of Jain and Sundin’s employees quit after being called in for questioning by the FBI and Royal Canadian Mounted Police. Sundin began moving around too, first to Canada and then, abruptly, back to his native Sweden, abandoning his new BMW M3 in Vancouver.

But those troubles didn’t do much to stifle IMI’s scare campaign. Starting around 2007, the company cranked up both its aggression and its ingenuity. Leading advertising networks had banned IMI, so the company set up a series of fake online ad agencies that placed banners on popular websites, including those of The Economist , eHarmony, and Major League Baseball. IMI embedded the ads with hidden code, so if someone from inside the hosting site’s offices looked at them, they saw appeals from mainstream companies like Travelocity, Priceline, and Weight Watchers. But if regular users viewed the ads, they saw quickie come-ons for used cars or diet pills. When consumers clicked on an ad, it would redirect their browser to a site selling antivirus software or, worse, trigger an auto-download. All the while, IMI was engaged in an arms race against established antivirus companies, continually tweaking its software to make it unrecognizable to the databases of known threats.

To turbocharge sales, IMI made its scareware scarier. Now, instead of just being told that there were system errors, a user might see the message “A remote computer has gained access to your computer.” Worse, pop-up ads would announce that “Illegal porn content” had been “found on your PC” and display a gallery of thumbnail images purportedly discovered on the hard drive, a list of sites (Gayanalsex.com, Asianteens .net) supposedly visited and detected on the computer, or a warning of “high risk to your career and marriage” — unless, of course, you coughed up money for drive-cleaning software. Now that the initial panic about the Blaster worm had subsided, IMI resorted to exploiting fears of divorce, job loss, and even prison.

Jack Palladino, the private investigator and friend of Jain’s, says that the two cofounders weren’t responsible for the worst excesses. Instead, he blames rogue affiliates, overzealous middle managers, and the pressures of hypergrowth. “This wasn’t them riding the tiger,” Palladino says. “The tiger was riding them.”

In any case, the extreme measures yielded results: According to security expert Kollberg, IMI took in roughly $180 million in 2008 from its “security” software (it was also involved in porn and other businesses). But soon it was IMI’s founders, not customers, who faced the prospect of landing behind bars.

In the spring of 2008, after Jain was indicted in California in connection with the earlier Symantec case, he returned to the U.S., moving into a condo in San Francisco. He prepared to defend himself, hiring expensive, high-powered attorneys. But Jain apparently reconsidered his strategy after the pressure began to mount. In December, the Federal Trade Commission, having received more than 1,300 consumer complaints about IMI and its products, filed suit against the company and its principals. Jain failed to show up for a January 2009 hearing in San Jose, stopped communicating with his lawyers, and eventually disappeared altogether. A bench warrant was issued for his arrest, but he has not been heard from since. In April 2009, Ukraine’s secret police, wearing masks and toting machine guns, raided IMI’s old offices in Kiev. By the end of last year, Sundin had joined Jain on Interpol’s fugitive list. In the founders’ absence, the FTC has obtained default judgments against Jain and Sundin. Marc D’Souza and his father, Maurice, who helped set up IMI’s merchant accounts, settled with the FTC for $8.2 million. Code jockey James Reno has paid the commission nearly $18,000 and faces a suspended judgment of $1.9 million. The case against Kristy Ross is ongoing.

Palladino sees a tragic dimension in the IMI story. “It’s such a waste,” he says. “These are good, young, talented people who got derailed.” Looking back at the rise and fall of Jain and Sundin’s empire, it’s hard not to see his point of view. Using nothing but pop-up ads and their own online distribution, Jain and Sundin succeeded in selling $40 software to untold millions of users. Over the better part of a decade, they built and then ran an organization to write and market that software. Had they marshaled these skills in support of software that was actually worth installing, they might be admired figures today; instead they’re on the lam. Sundin is believed to be back in Sweden, which has strong laws protecting its citizens from extradition. Jain is said to like warm weather, so perhaps he has returned to Brazil. But no one who knows them thinks either man is kicking back and drinking piña coladas. When Palladino last saw Jain, soon before he disappeared, he was dazzled by Jain’s vision for revolutionizing the medical-device industry. (“I almost hesitate to tell you that,” Palladino says. “Now the FBI will be looking for a little brown guy at health care conferences.”)

With IMI apparently out of action, a new generation of Sundins and Jains is feverishly at work on creative scareware schemes. The most promising frontier is social networking, where misleading posts on Facebook and Twitter can snare users. Other recent scareware campaigns have stalked Google search results, disguising themselves as posts about the royal wedding, showtimes for Twilight, even a way to watch the killing of Osama bin Laden. That’s the insidious thing about social engineering: There isn’t any patch to fix the system threats in our gullible brains.

Benjamin Wallace (benwallace@me.com) is the author of The Billionaire’s Vinegar: The Mystery of the World’s Most Expensive Bottle of Wine.