Sunday, September 15, 2019

Operation ReWired arrests 281 Business Email Compromise criminals

Operation: ReWired announced on September 10, 2019
On September 10, 2019, the Department of Justice announced that 281 arrests related to Business Email Compromise had been made, with 74 of those arrested being in the United States.  It will take some time to track down the names of all of those arrested, as many of the arrests were overseas.  Twenty-three US Attorneys Offices participated in the Operation, although only five sets of arrests were discussed in the Department of Justice Press Release about Operation ReWired.  While we work to obtain the rest of the information, we'll go ahead and share some details from those already made public in the Press Release.

Chicago Business Email Compromise: Stokes & Ninalowo defraud Energy Company and Community College of Millions

The first case involves two major BEC scams that followed the same mold.  The FBI says that an "un-named Community College" with about 15,000 students was doing business with a construction company our of Minneapolis, Minnesota.  An employee of the university received an email from someone claiming to be "Yvonne Nguyen, a Group Accounting Manager" for the construction company, that said "Hi, please see attached for our new ACH details." The "unnamed company" (easily identifiable by clues in the indictment) boasts of their large catalog of university and college related construction projects, including several in the Chicago area with projected build costs exceeding $20 Million.   The attached form was one that the college traditionally uses to ask vendors for payment details.

Because the request was on their own form, and seemed to come from a company who was involved in a large construction project for them, the college updated the payment details.  "On or about June 20, 2016" the college approved a "routine payment" of $3,371,291 directed to a Bank of America account.  Because of the updated payment information, on June 29, 2016, the payment was made ... but to the new account specified by the criminals.  Almost immediately after deposit, several transactions were attempted from the account, which triggered fraud rules at Bank of America, who froze the account while an investigations was conducted.  The largest such check was for $398,220, made out to "Steno Logistics."  Steno Logistics became a corporation in Illinois one day before the first Yvonne Nguyen email was sent.  The registered agent creating the corporation was Brittney STOKES, who used her home address on the account.  At the time, Stokes was also working as an assistant to the manager of a Menards home improvement store.

The second scam conducted by STOKES and NINALOWO invlved a $1.7 Million payment sent from a Houston, Texas oil company to an energy exploration company in Irving, Texas.  In exactly the same method as the first scam, an email claiming to be from the Exploration company was sent to the Oil company with the subject "ACH Update." The email said "We recently received a payment from your company and noticed that payments are still being made to our old bank. We have switched banks.  I will be forwarding you updated banking details once I have your confirmation.  I have also attached our W9 for your perusal."

This exchange led to a $1.7 Million transfer from Energy Company B to "Fake Exploration Company" ... in this case, the corporate email account WAS BEING CONTROLLED BY THE SCAMMERS.  They confirmed the update with a bank account at TD Bank after also confirming other details, such as their physical mailing address.  This led to a series of payments.  On January 9, 2018 - $97,729.65.  On January 11, $239,563.134 and $164,754.84.

In this case, Chase Bank shows that they also had a newly opened bank account for "Steno Logistics", also listing Brittney STOKES as the president, and opened with STOKES' Illinois Drivers License as proof of identity.  Each time a payment was received by "Fake Exploration Company", a check was issued from the fake company to Steno Logistics.  Checks included:

  • $22,054.17 on January 26, 2018
  • $35,000 on January 30, 2018
  • $833,672.50 on February 2, 2018
  • $608,488.90 on February 6, 2018
  • $186,483.73 on February 8, 2018

Large transfers were then made from the Steno Logistics account to accounts such as "Yummy Bear Day Care", which was a Citibank account.  Yummy Bear Day Care was also registered in the State of Illinois by Brittney Stokes.

On many occasions thereafter, bank surveillance video showed NINALOWO making cash withdrawals from the Steno Logistics account.  On Feb 3, 2018, Feb 5, 2018., Feb 6, 2018.  Captured text messages between STOKES and NINALOWO also make clear that some of the checks written against the account, including one for $50,000, involved NINALOWO forging the signature of STOKES.  The phones were seized for inspection by Customs and Border Protection as STOKES and NINALOWO came through US Customs, returning from Lagos, Nigeria, via the Atlanta Airport.

When they were arrested, Law Enforcement officials seized a 2019 Range Rover Velar S from Stokes and $175,909.

Dallas Texas: Opeyemi Abidemi Adeoso and Benjamin Adeleke Ifebajo

In the Dallas case, an individual sent a series of wires totalling $504,660.52 to a Dallas based bank account in February 2018.  A second business, in March 2018, also wired $179,223.33 to another Dallas-based bank account.  Upon investigation, these funds were being disbursed to someone using an alias identity "Daniel Sammy Campbell" and the street address "9451 Wickersham Road, Apt 2075, Dallas, Texas.  ADEOSO was the current resident of that apartment at the time of the fraud.  His previous landlord, at 6808 Skillman Street, recognized ADEOSO, and also informed law enforcement that he had been referred to rent there by his friend IFEBAJO.  IFEBAJO was proven to have utilized many aliases, including Joseph Eric Johnson, Jeremiah Alex Malcolm, Tidwell Anthony Wilsom, and Andrew James Wilson.  ADEOSO also used many aliases, including Peter Kuffor, George Macharty, Nelson Johnson, Braheem Larke, Michael Albert, Michael Jaden Sean, Michael Jeff Brown, and Benjamin Zee Brown.  Each had many fraudulent foreign passports and other alias identities used to open numerous bank accounts in the Dallas Fort Worth area of Texas.

ADEOSO was married to Bukola Comfort ADEOSO, who moved to Dallas Texas shortly after arriving in the United States.  On numerous occasions, when ADEOSO made a large cash withdrawal, a matching deposit would show up in BUKOLA's account.

ADEOSO opened a LARGE number of bank accounts.   Just using the Peter KUFFOR alias, which had a counterfeit Great Britain passport, he opened: 

  • BB&T - June 9, 2015
  • Capital One - June 24, 2015
  • Wells Fargo - June 24, 2015
  • BBVA - July 3, 2015
  • Bank of America - July 30, 2015
  • First Convenience Bank - November 9, 2015
  • Chase Bank - November 24, 2015

This alias often used the Yahoo email flavorj1@yahoo.com - which was also used by the George MACHARTY alias.  Macharty, using a counterfeit Nigerian passport, opened:

  • Wells Fargo - Sep 3, 2015
  • Bank of America - Sep 8, 2015
  • First Convenience - Oct 5, 2015
  • BBVA - Oct 7, 2015
  • Capital One - Oct 6, 2015
  • Chase Bank - Oct 28, 2015
  • BB&T - Nov 24, 2015
Alias Johnson Nelson accounts used the flavorj1 email and also justonceacademy@gmail.com 
  • Bank of America - Oct 20, 2015
  • Capital One - Oct 21, 2015
  • BB&T - Oct 22, 2015
  • Woodforest Bank - Jan 6, 2016
His other aliases also opened many bank accounts.  Between July 2015 and March 2016 these accounts received $423,285 in wire fraud proceeds from victim companies.
Another whole set of accounts was created in 2018 and 2019 and also received a large number of wire frauds from victim companies all across the United States, including the largest transfer, a $433,714.31 transfer to a BBVA account.
At the time of the Criminal Complaint, not all of the victims had been identified: 

Cherria Davis was married to Adeoso on April 17, 2015.  Ifebajo listed Cherria Davis as his US point of contact when he came to the United States on a non-Immigrant Visa on July 3, 2015, using the email "benvicschools@gmail.com."  Customs and Border Patrol seized a DHL package containing fraudulent passports in the names of Chris Hammington and James Alexander that were destined to IFEBAJO's residence at 11911 Audelia Road in Dallas, Texas.  

IFEBAJO also opened many accounts in many aliases, but tended to use business names.  As Jeremiah Alex Malcolm he owned "Breakthrough Auto Links" with a fake Great Britain passport.  Surveillance video in BB&T confirms Malcolm to be IFEBAJO.  As Andrew James Williams, he ran "Williams Retails and Equipment" who had a BBVA bank account and a Bank of America bank account.  As Joseph Eric Johnson he ran "Reality Global Equipments" with a fake Namibian passport and an IRS Tax EID 83-2508382.  He had BBVA, BB&T, and Wells Fargo business accounts with that identity, and surveillance video at Chase, BB&T, and Wells Fargo showing IFEBAJO doing banking as "Johnson".

Like ADEOSO, linked by the ties to Cherria Davis, IFEBAJO also had many deposits to his accounts known to be from BEC fraud victims, including: 



NYC: Ashu, Eke, Ikejimba, Ironuah

According to the Indictment, Cyril ASHU, Ifeanyi EKE, Joshua IKEJIMBA, and Chinedu IRONUAH "and others known and unknown" engaged in a fraudulent business email compromise ("BEC") schemes against "various victims, including an intergovernmental organization headquartered in New York, New York" convincing the victims to wire payments to bank accounts controlled by the defendants instead of the intended beneficiaries.  As in the previous cases, the victims all received emails that seemed to be from companies with which they were genuinely engaged in business, but which deceived them into changing the destination accounts for business transactions.
After receiving the funds, they were quickly transferred, withdrawn, and laundered, either by withdrawing cash or writing cashier's checks, many of which were cashed out at check cashing facilities in Houston, Texas.  Altogether, the defendants in this case caused to be transferred more than $10 Million in fraudulently gained funds.  Two examples of the activities charged are listed in detail related to two bank accounts, one opened by EKE and the other by ASHU:

The "0131 Account":


  • On October 28, 2016 - IFEANYI EKE opened a Marietta, Georgia bank account ending in 0131 using his alias "Luthur Mulbah Doley"
  • On Feb 15, 2017, a foreign-based healthcare company wired him $41,495 to that account, through a correspondent bank in the Southern District of New York.
  • On Feb 16, 2017, EKE sent two cashier's checks totaling $25,000 to CYRIL ASHU, who cashed one of the checks the following day.
  • On Feb 27, 2017, "an intergovernmental organization based in NYC wired $188,815 to the 0131 account.  
  • On March 1, 2017, EKE transferred $100,000 from the account to another account in his true name.
  • On March 2, 2017, EKE wrote a cashier's check for $68,000 payable to "Curesos Innovation" 
  • On March 2, 2017, a foreign-based manufacturing company wired $123,895 tot the 0131 account. 
  • Between March 2 and March 4, EKE bought three more cashier's checks:
    • $48,000 to Curesos Innovation
    • $68,000 to Yiwu Offshore Limited
    • $96,000 to Yiwu Offshore Limited 
  • On March 3, 2017, IRONUAH cashed the Curesos checks in Houston, Texas.
  • On March 6, 2017 IKEJIMBA cashed the Yiwu checks at the same check-cashing facility in Houston, Texas.
The "7622 Account":
  • From October 25, 2017 through December 2017, ASHU used a stolen identity to open a bank account ending in 7622 and received $12,366 in fraud proceeds.

Georgia: Emmanuel Igomu and Jude Balogun steal $3.5 Million via a BEC fraud against a health-care provider


On July 2, 2018, Tanner Health Systems of Carrollton, Georgia was hit by a BEC fraud.  Someone impersonating a THS vendor, Bernie Buchanan, the Executive VP of Ra-Lin and Associates, caused a payment of $3,528,500.02 to be misdirected to a Bank of America account in the name of GARRETT, LLC.  The account had only one valid signator: Ishmael GARRETT of Newark, Delaware.

Two outbound payments were made from the account.  $797,291.14 was sent to a SunTrust Bank account in the name "Audi Atlanta, LLC, 361 Pharr Road NE, Atlanta, Georgia.  On the same day, $570,780 was sent to a JP Morgan Chase Bank account in the name Lucia Tech, LLC at 5456 Peachtree Industrial Boulevard, Suite 632, Atlanta, Georgia.

The Lucia Tech account had been opened with a fraudulent South Carolina driver's license in the name of Lucy Andrews.  The address actually corresponded to a UPS Store box in the name of Henry Dax.  Henry Dax used the telephone number 678-590-6197 and the email palaso@mail.com.  Logs from the mail.com provider showed regular logins from an IP address 24.99.101.32, which belonged to a Comcast account at the street address 2340 Cheshire Bridge Rd NE, Apartment 404, Atlanta, GA 30324.  Georgia Power records show that the electric bill for that apartment was in the name Emmanuel Igomu, which the telephone number 678-900-5328.  

The Atlanta Police Department showed that they had been dispatched to that address based on a complaint from IGOMU showing that he had lost his passport!  IGOMU gave his telephone number to the Atlanta police as 678-900-5328.

A search warrant served at the address revealed that IGOMU was residing there with Stephanie Gaspard, who IGOMU claimed was his wife.   Fraudulent driver's licenses with their photos but other names were found, along with credit cards in names other than the resident's.  IGOMU's cell phone was broken and it and its battery were found submerged in the tank of the toilet.  When asked why, IGOMU said he must have stepped on it in his confusion from being awoken by the FBI's early morning knock.  He wasn't able to explain why it was in the toilet tank.

One of the fraudulent South Carolina driver's licenses was in the name Henry Dax and was used to open the UPS Store used as the address for LUCIA TECH, LLC.



The James Clark identity was used to open a Fidelity Bank account in the name "JCEE CLARK, LLC"

IGOMU is a Nigerian national who entered the US on June 23, 2014 on a six month Visa which has never been extended.  He had previously been arrested (though not deported) by the Atlanta Police Department charged with having 2 fictitious driver's license, a fictitious UK passport, and six different bank cards in three different names.  On January 9, 2017, he was convicted of five felony accounts, but only sentenced to three years probation under the "First Offender Act."

Miami, Florida: Govantes and Tamayo

Yumeydi GOVANTES was the sole officer of "Yumeydi Quality Products" a Florida corporation claiming to do business at 1441 Sandpiper Boulevard, Homestead, Florida.  They were incorporated on November 14, 2016. Yamel Guevara TAMAYO was the sole officer of YGT Buying Inc" a Florida corporation claiming to do business at 4840 NW 7th Street, Apartment 305, Miami, Florida.  They were incorporated on November 17, 2016.

From November 2016 through June 2019, the defendants participated in a conspiracy to commit wire fraud, laundering money by receiving funds into their bank accounts and then transferring the funds out of the country, primarily to China, after dipping into the funds for their own personal gain.  Some of those transfers are shown below:

More Information, Please ? ? ?

We've shared above the cases that were specifically named in the DOJ Press Release about Operation: Rewired.  Yet these were only FIVE of the 23 districts that had arrests.  If you have details on additional information, please reach out to me on Twitter ( @GarWarner ) or in the Comments section below!

As we shared back in July, all of this information is just the tip of the iceberg with regards to BEC fraud.  According to analysis by the Financial Crimes Enforcement Network (FinCEN), BEC losses during calendar 2018 exceeded $300 Million per month in theft! https://garwarner.blogspot.com/2019/07/fincen-bec-far-worse-than-previously.html

Tuesday, August 27, 2019

Los Angeles: Stories of the BEC Victims (part 2)

In my last blog post, Los Angeles Court charges 80 Nigerians with BEC and Romance Scam Crimes, we laid out the background of a major BEC investigation and telling the stories of six victims, but the court documents shared the details from thirty cases.


Footage from CBS Los Angeles of the arrests
In our previous post about this Los Angeles-based BEC Fraud Ring, we shared that the primary defendants, Valentine IRO and Chukwudi IGBOKWE had their phones seized in a search warrant.  The forensics evidence from their phones helped to identify their army of co-defendants who ran the scams using bank accounts established by IRO and IGBOKWE to launder the money.

Victim Company 3 - December 2016 BEC Fraud 

VC3 is a small landscaping services company in Oklahoma.  On 19DEC2016, they wired $18,457.13 from their Chase bank account to a US Bank account (2982). They received an email with wiring instructions for purchasing some equipment.  The next day, a fraudster sent NEW wiring instructions, claiming to be a correction to the previous day's communications.  The receiving US Bank account had a balance of -$408.51 when the transfer arrived.  Two ATM withdrawals were made the following day for $300 and $500, and a cash withdrawal of $8,500 was made from a teller at a bank branch the same day.  On December 27, 2016, US Bank sent the remaining funds back to the originating Chase bank account after the fraud was discovered.

In chats between MANSBANGURA and IGBOKWE the two reviewed which of their receiving accounts were "strong" and which were "under review."  The US Bank account was discussed, with IGBOKWE saying "Pls do not used XXX's us bank for any transaction. If u put money there It will get stuck. Never come out ... There is a restriction on d account."

The same US Bank account (2982) was also provided to several other romance scammers and BEC co-conspirators between November 21, 2016 and March 1, 2017.

Personal Victim B.Z. - Elder Fraud Victim

B.Z. is an 86-year old man with dementia and Alzheimer's who was repeatedly a victim of financial scams.  His son met with the FBI and explained the range of scams he had fallen for.  In 2013, his father joined a dating site and was scammed by a 37-year old Ghanaian woman who convinced him to invest $100,000 to purchase an apartment complex.  Later the woman was kidnapped and shot at the airport as she was bringing him a gold bar to repay him.  The man insisted on flying to Ghana to help her, but the family intervened.  In the current scam, Federal Reserve Chairman Ben Bernake and US Treasury Secretary Steven Mnuchin had let him know he was about to receive $107 Million.  He sent $11,900 to a Chase account (7605) that belonged to "T and F Enterprises."

March 14, 2017 - ONUWA told IGBOKWE that he wanted to use the Chase 7605 account for this scam.  He replied "OK"
March 16, 2017 - B.Z. transfers $11,900 from his Chemical Bank account in Michigan to the Chase 7605 account.
March 16, 2017 - ONUWA sends a photo of the application and agreement for wire transfer to IGBOKWE.
March 22, 2017 - ONUWA and IGBOKWE discuss how defendants IGBOKWE and MANSBANGURA would withdraw the funds from B.Z.'s wire transfer.
March 24, 2017 - IGBOKWE tells ONUWA the funds are "out" and ONUWA provides IGBOKWE his Nigerian bank account number.
March 27, 2017 - MANSBANGURA cashes a check for $4,000 from the Chase (7605) account. Memo: Rent
April 4, 2017 - IGBOKWE provides ONUWA his Nigerian bank account number with instructions to pay 3,123,000 naira (about $8500 current value).
April 6, 2017 - IGBOKWE provides ONUWA's name and Nigerian bank account number to IRO, with the request to pay 1,000,000 naira to the account (from IGBOKWE's telephone number: +1.213.425.8827).
April 6, 2017 - IRO provides ONUWA's name and Nigerian bank account to another unindicted co-conspirator with directions to pay the 1,000,000 naira.

Victim Company 4  - March 2017 BEC Fraud

Victim Company 4 was a dry food products company in Michigan that imports grains for resale.  Employees of VC4 believed they were communicating with another Michigan Company, when in fact they were communicating with fraudsters who had hacked Michigan Company's email accounts, implementing forwarding rules that caused their emails to be sent to the fraudsters.  FBI agents interviewed personnel at both companies and learned that on March 29, 2017, VC4 was tricked into wiring $29,679.17 to a Wells Fargo bank account (7245) believing it was the Michigan Company, when in fact it was a company opened in Whittier, California, under the name "Danisha Beauty Sales" on January 5, 2017.

The day the wire was made, the starting balance on Wells (7245) was $3.60.  After the funds arrived, they were used to make a $1,419.73 purchase at a Best Buy in Hawthorne, California, and a $300 cash withdrawal.  On March 31, 2017, the Wells (7245) account received an additional wire of $27,464.89, this time from a South American tour company (likely also a BEC victim).  Two checks were paid out from the account that day.

March 21, 2017 - VC4 receives fake email requesting $29,679.17 payment.
March 22, 2017 - $29,679.17 - VC4 wired to Wells (7245) from a BBVA account in Colombia  belonging to VC4.
March 22, 2017 - Best Buy shopping ($1,419)
March 27, 2017 - IGBOKWE sends to UMEJESI the Wells (7245) account info with text "Prefer make u use this one becaue the money wey dey enter too much)
March 29, 2017 - IGBOKWE sends UMEJESI a screenshit of the VC4 Wire Transfer confirmation.

March 29, 2017 - IGBOKWE sends the wire receipt to UMEJESI.  UMEJESI forwards it to IRO's Samsung phone.  IRO replies "Who gave you this slip.  Tell me his name."  UMEJESI replies "Kudon" (a nickname for IGBOKWE). "Because I gave him this ulo ako 4months ago and I'm surprised him sending me this."  IRO then reaches out to UMEJESI.  He responds "Mine is 29175 and 26." Apparently there was confusion over which scammers were to be using this account.

March 31, 2017 - $27,464.89 - SouthAmericanTourCo wired to Wells (7245)
March 31, 2017 - $11,160 check to UMEJESI 
March 31, 2017 - $16,520 check to OJIMBA (Ojimba Collins) 
(those checks deposited by the defendants into two separate Chase bank accounts -- (Chase 7290) and (Chase 1767) both in Inglewood, California.  UMEJESI sent IGBOKWE the userid and password information for the account holder's Wells (7245) account.  The account owner, a female, was walked into the bank by UMEJESI according to the text messages between UMEJESI and IGBOKWE. IGBOKWE later texts the Chase deposit slips to UMEJESI.)
April 1, 2017 - $4,000 cash withdrawn
April 1, 2017 - IGBOKWE sends messages to UMEJESI explaining the breakdown of funds -- "Our money is 11,840. There own money is 17,760.  $29,600 * 40% = 11,840" -- indicating that they were receiving a 40% commission for doing the money laundering on someone else's BEC scam.
April 20, 2017 - Wells Fargo seizes the remaining $23,531

Victim Company 5 - April and June 2017 

This Victim Company had someone attempt to steal their entire corporate coffers!  At IRO's direction, a fraudulent company was opened in the name of VC5 with papers filed in Los Angeles County to create the corporation.  Those papers were then used to set up a Chase bank account.

Feb 17, 2017 - IRO tells IGBOKWE to have MANSBANGURA take one of her mules to open a bank account in the name of VC5.
Feb 22, 2017 - MANSBANGURA causes her mule to open the account (Chase 5027).
March 20, 2017 - IGBOKWE sends IRO the account information, with account and routing number.
March 27, 2017 - IRO provides the account details to OGUNGBE in request for "an aza for 3m$ from Philippines today".  (An "aza" is Nigerian slang for a bank account - he needs an account that could credibly receive $3M, and IRO provides this one.) 
April 4, 2017 - Wells receives a counterfeit letter "from" VC5, notarized and with the forged signature of VC5's CEO, requesting that his Wells Fargo account be closed and all funds transfered to  (Chase 5027) -- a balance of $17,300,844.58! 
April 4, 2017 - a caller to Wells, pretending to be from VC5 asks them to confirm receipt and closure of the account
June 5, 2017 - Wells Fargo receives via US Mail a second letter, again requesting that the Wells account of VC5 be closed and that all funds be sent to (Chase 5027) -- a balance of $12,760,922.93!

Both of those account takeovers failed because they were detected by bank rules.

Personal Victim A.V. - April and May 2017 Elder Fraud Victim

A.V., an 87-year old woman whose property is now under guardianship by the county Department of Health and Human Services, lost $555,013.26 to fraud in less than a year, and at least $75,000 prior to that.  Related to the current charges, A.V. sent two wires of $8,035 to Wells (1147) and two wires of $6,060 to Chase (5027).  On interview, A.V. said she had sent the Chase wires from her Capital One account to assist her first cousin who had gotten married and moved to Thailand.

IGBOKWE and CHILAKA were involved in these scams.

April 10, 2017 - IGBOKWE and CHILAKA discuss funds they are anticipating will be deposited into Wells (1147).
April 11, 2017 - A.V. wires $8,035 from her Capital One account in Maryland to Wells (1147).
April 11, 2017 - CHILAKA sends IGBOKWE a copy of the wire transfer requests.
April 17, 2017 - IGBOKWE sends CHILAKA info for a Bank of America account (3037) after being asked "Give another without Nija name".  CHILAKA then asks "Can this be used f Ali?" --  ("Ali" is the term that the Nigerian scammers use when referring to BEC scams.) .  IGBOKWE replies "No." and then "If u need aza for Ali let me know."  ("aza for Ali" would mean "a bank account to be used in BEC wire transfers.)
April 27, 2017 - A.V. wires $2,700 from her Capital One account to Chase (5027).
May 8, 2017 - IGBOKWE and MANSBANGURA are discussing the A.V. fraud and mention "we cannot use that account for any transactions from Capital One anymore." MANSBANGURA says "Chase said they will force the money back to sender. Once it posted, Chase put a hard hold on it because they want to make sure it is NOT A FRAUD money."  MANSBANGURA told IGBOKWE "No more Capital one transactions to Chase."
June 2, 2017 - CHILAKA sends IGBOKWE a voicemail from A.V. "for Mr. Davis" explaining that she has instructed her Chase banker to release the $3,360 wire. 
June 2, 2017 - IGBOKWE sends CHILAKA an audio recording of MANSBANGURA calling Chase Bank asking about the status of the wire.

Personal Victims Je.F. and Jo.F. - April 2017 Escrow Fraud

The "F Family" lived in Illinois and were purchasing land in Texas.  As they were discussing how to fund the purchase, it is clear that fraudsters were intercepting their emails and injecting themselves into the conversations.  In particular, the F Family received emails that used the same email userid as the escrow company's email, but used the domain "mail.com" instead.  The same fraudsters were also sending email TO the escrow company, imitating the "F Family"'s real gmail account, using a slightly different gmail address.

April 9, 2017 - Je.F. receives instructions to wie funds to a Chase (6217) account opened by a money mule in Los Angeles.  EKECHUKWU managed this mule, who opened the account at the request of IRO.  A nearly identical account had been previously opened by CATHEY at the request of IRO in the state of Georgia earlier in April 2017.)
April 17, 2017 - Je.F. sends $135,800.72 from their BMO Harris Bank account in Illinois to the Chase (6217), believing they are paying for the Texas real estate and closing costs.
April 18, 2017 - EKECHUKWU asked IRO "anything coming in the warehouse?"  ("Warehouse" was one of the code words the crew used to refer to a bank account that should be receiving funds from one of their scams.) IRO gives the details for Chase (6217) saying "Check this. Something is inside" the following day.
April 19-20, 2017 - IRO discusses the F Family fraud with ANOZIE and AZUBUIKE.
April 19, 2017 - IRO complained to EKECHUKWU that Chase called the account holder wanting the money back.

We still have 18 more BEC Victim and Romance Scam Victim stories JUST FROM THIS CASE, so we'll continue this blog, probably in three more parts.  


Saturday, August 24, 2019

Los Angeles Court charges 80 Nigerians with BEC and Romance Scam Crimes


Bank of America, BBVA Compass, CalCom FCU, Capital One, Citibank, Citizens Bank, Comerica, Chase Bank, PNC Bank, Regions Bank, SunTrust, TD Bank, US Bank, and Wells Fargo Bank were among the financial institutions who were scammed by the 80 Nigerian criminals named in a Los Angeles indictment unsealed this week.  In this blog post, we'll introduce the case and share the first six of thirty victim stories that we'll continue over the next several posts.

FBI Los Angeles Technology Enabled Crime Task Force
In a press conference on August 22, 2019, the FBI Los Angeles Technology Enabled Crime Task Force shared a poster of the 16 Los Angeles residents charged in the case, 14 of which have already been captured.  Others residing in the US named in the case included residents of Houston, Texas, Orlando, Florida, Sacramento, California, Boston, Massachusetts, and Atlanta, Georgia.

According to the indictment, between October 7, 2014 through May 2, 2018 the 26 criminals charged in Los Angeles participated in mail fraud, bank fraud, and wire fraud by "transporting, transmitting, and transfering funds from place in the United States to a place outside the United States,"  "conducting and attempting to conduct, financial transactions, affecting interstate and foreign commerce," and ... "knowing that the property involved in the financial activity represented the proceeds of unlawful activity, and knowing the transactions were designed in whole and in part to conceal and disguise the nature, location, source, ownership, and control of the proceeds." They are also charged with "engaging and attempting to engage in monetary transactions involving criminally derived property of a value greater than $10,000, affecting interstate and foreign commerce."

Title 18 Section 1343 (wire fraud)
Title 18 Section 1341 (mail fraud)
Title 18 Section 1344(2) (bank fraud)

There are SO MANY STORIES to be told out of this indictment and the corresponding criminal complaint that it might take several days to get through them all.  The criminal complaint shares the details of thirty separate scams that are all connected, primarily via the two primary defendants, Valentine IRO and Chukwudi IGBOKWE.  Because of that, let's start with their first formal encounter with Law Enforcement on this case.

The July 19, 2017 Search Warrant (IRO, IGBOKWE, EROHA)

On July 19, 2017, the FBI served a search warrant at the residence of Valentine IRO's apartment. Having received no answer to their repeated loud knocking, they opened the door with a key provided by the landlord.  The reason no one was answering the door was because the residents were busy trying to destroy evidence.  Chukwudi IGBOKWE slid one window open and threw two phones (a gold iPhone 7 Plus (+1.323.509.0012) and a silver/white Samsung Galaxy Note 5 (+1.213.425.8827)) as far as he could, landing on the curb of the driveway to the apartment.  Meanwhile Chuks EROHA was throwing another cell phone (a black iPhone 7 Plus, +1.310.406.9386) into the yard of a neighboring property through another window.  While they were throwing phones out windows, someone else was trying to destroy a gold Samsung Galaxy (+1.424.2887.9250), which was found hidden under IRO's bed, bent nearly in half with a shattered screen, and damaged circuit boards and battery.  Other phones (a blue Samsung, +1.424.368.0611 and a sliver iPhone 6S Plus (+1.310.626.7033 / WhatsApp +234.816.165.6787) and tablet computers were also found in the search.

During the ensuing interview, IRO admitted to using the email accounts "enterpriseiro@gmail.com" and "valentino_q2000@yahoo.com" as well as controlling the bank accounts of the fraudulent companies "VOI Enterprises" at Chase Bank and "Irva Auto Sales" at Wells Fargo.  He claimed to have broken the phone after a fight with his wife, who he said was angry about him video-chatting with another woman.  This was one of several provable lies in the interviews. Data from IRO's broken phone was forensically recovered by the FBI Laboratory in Quantico, Virginia, which must have been quite a challenge, but was successfully accomplished!  The phone was used to receive messages 38 seconds and 39 seconds after the FBI hit the front door, which proves he had not destroyed it the previous day, as claimed.   EROHA also swore he had not thrown any phones.  IGBOKWE claimed he did not know anything about the fraud but that he did help his "wife", Tityaye MANSBANGURA, with her business of buying and selling cars.

(IRO was previously interviewed by the FBI on October 26, 2016 and November 23, 2016 about a wire transfer of $100,083.45 that was sent by a German victim company to his Chase VOI Enterprises account.)

A key finding in the phone reviews was that these guys NEVER DELETE DATA!  Three phones retrieved in the search warrant in contained Facebook Messenger messages dating back to March 2014, April 2012, and even 2010!  WhatsApp messages on one phone were as old as July 2015.

The ring-leader defendants, all found in the same apartment that morning in July 2017, IRO, IGBOKWE, and EROHA  would provide bank accounts to most of the others charged in this case, including: UMEJESI, OGUNGBE, EKECHUKWU, XPLORA G, OCHIAGHA, N. DURU, OFORKA, MARK CHUKWUOCHA, NNAMDI, CHILAKA, OHAJIMKPO, UCHE, ODIONYENMA, OGBONNA, ONWUASOANYA, MACWILLIAM CHUKWUOCHA, UZOKA, AWAK, EGWUMBA, EZIRIM, OKAFOR, SAM MAL, MBA, IKEWESI, OGANDU, ANYANWU, AZUBUIKE, NWACHUKWU, IZUNWANNE, OSUJI, ONYEKA, ANUNOBI, OKOLO, ONUWA, ISAMADE, MADUFOR, NNEBEDUM, OKEREKE, ODIMARA, ONUDOROGU, NZENWAH, OBASI, AGUBE, OKORIE, OHIRI, UGWU, AGWUEGBO, CHUKWU, MEGWA, IWU, CHIKA, MEZIENWA, AGUH, ESHIMBU, ANOZIE, AGUNWA, G. DIKE, UKACHUKWU, OSMUND, NWANGWU, AJAH, EJIOFOR, UBASINEKE, IBETO, NWANEGWO, E. DIKE, EKI, IWUOHA, C. DURU, and IHEJIUREME "into which they could fraudulently induce a victim to deposit funds from a BEC fraud, escrow fraud, romance scam, or other fraudulent scheme."

 UMEJESI, CATHEY, MANSBANGURA, AJAEZE, EKECHUKWU, OJIMBA, ISAMADE, and P. DURU, played roles in "opening or causing to be opened" new bank accounts.

 To do so, they would first file a "false and fraudulent Fictitious Business Name Statement" with the Los Angeles County Registrar-Recorder at the County Clerk's Office.

The list of 80 charged individuals is at the end of this post, but for now, let's jump straight to some of the stories of Business Email Compromise and Romance Scams that brought together this international gang of thieves.

Victim Company 1 - September 2014

A San Diego County distributor of clothes was communicating with a Chinese vendor about an order of men's shirts.  By hacking an email account at one of the companies, a fraudster implemented mail rules to block the real emails and injected himself into the middle of the communications.  The scammer caused the payment account for an invoice to be changed, resulting in a wire of $45,783.97 going to an HSBC Bank account (6100) controlled by scammers.

IRO (valentino_q2000@yahoo.com) and ONWUASOANYA (samuelnnamdi@rocketmail.com) communicated via Yahoo instant messenger about their roles in the chat, including sending a "cut and paste" email Onwuasoanya could use to forward to the victim company.

Personal Romance Scam Victim #1: M.S. 

M.S. a 61-year old woman in Monterey Park, California fell victim to a Romance scam on Facebook.  In May 2015, she met "Dennis Hunt" (his Facebook name) who claimed to live in London and work in real estate construction.  He communicated with M.S. via Facebook messenger and two +44 (UK) telephone numbers.  M.S. loaned "Dennis Hunt" money for a new project, which totaled $111,200.  $91,200 was sent to IRO's Chase account in the name "VOI Enterprises" which attempted to disguise the money by claiming to be dealing in used automobiles.

 Sep 3, 2015: OI ENTERPRISES acccount opened: Chase 9837
 Sep 3, 2015: $23,000 sent from MS BOA Account to IRO's Chase 9837
 Sep 4: 2015: $14,000 withdrawn from Chase 9837 memo "for Lexus RX330 and RX300"
 Sep 4, 2015: $1500 sent to relative from Chase 9837 memo "2002 Nissan Optima"
 Sep 8, 2015: $46,500 sent from MS BOA account to Chase 9837 account
 Sep 8, 2015: $8,000 withdrawn from Chase 9837 memo "Mercedes 2011 and Lexis RX 350 2008"
 Sep 10, 2015: $30,000 withdrawn from Chase 9837 memo "for Acura MDX 2007"
 Sep 10, 2015: $9,000 withdrawn from Chase 9837
 Sep 10, 2015: $4,700 sent from MS BOA Account to IRO's Chase 9837
 Sep 11, 2015: $7,700 check sent from Chase 9837 to a friend memo "Camry 207 and Camry 05"
 Sep 14, 2015: IRO sends OGBANNA instructions to have MS wire a payment "Invoice number: VOI00462 R MODEL 89"
 Sep 14, 2015: $17,000 sent from MS BOA to Chase 9837 memo "Invoice number: VOI 00462 R MODEL 89"
 Sep 17, 2015: $10,000 withdrawn from Chase 9837
 Sep 17, 2015: $20,000 withdrawn from Chase 9837
 Sep 17, 2015: $5,000 withdrawn from Chase 9837

 Victim Company 2 - February 2016 BEC Fraud

A company in Texas was tricked into sending $186,686 from its account at UBA to IRO's Chase VOI Enterprises account.  The company had ordered some oil extraction equipment and was sent bank account information as to where to send the funds.  A few hours later, the Texas company received new communications, indicating the previous banking details were incorrect and providing new account information.  (The new email's headers reveal they were sent from Nigerian IP addresses.)

 Feb 12, 2016 $186,686 from United Bank of Africa account to IRO's Chase 9837 Account
Feb 16, 2016 $132,950 wired from that account to Wells Fargo "Irva Auto Sales Account" memo "Mack Rd Model 2010 X"
Feb 16, 2016 $50,000 send from Wells Irva Auto to BOA account 1824 "Bernards International"
Feb 18, 2016 IRO withdrew $50,000 cash from BOA 1824.
Feb 18, 2016 IRO wires $30,500 to Chase 1279.
Feb 16, 2016 $28,670 wired to CalCom FCU account 3017 memo "Menhien Auction on Wednesday"

(The Texas company recovered $55,593.18 of that amount, but only after spending $50,000 in legal fees pursuing the matter with Chase.)

Personal Romance Scam Victim 2 - R.B. 

R.B. was a 48 year old woman living in Panama City Beach, Florida who was recently widowed.  She began an online romantic relationship with a doctor in the US Military, stationed in Libya, who was a widower.  He claimed to have a five year old daughter and that his parents were killed in the Twin Towers attacks on 9/11.

R.B. sent three wires from her Wells Fargo account
Mar 31, 2016 - $18,000 to the Comerica account 2663 of IRVA Auto Sales
Apr 4, 2016 - $39,000
Apr 7, 2016 - $30,000

Several cash withdrawals were made from Nashville, Tennessee from the Comerica account.  $55,024.19 of the total amount was frozen by Comerica and returned to R.B., who reports that she considered suicide when learning she ahd been scammed.

IRO discussed his fraud against R.B. using his email enterprisesiro@gmail.com.  AWAK created false invoices to help launder the funds from the Auto Sales account.  ODIONYENMA emailed IRO a photograph of the wire transfer, including R.B.'s transfer request and her Florida driver's license number, address, phone number, and Wells Fargo bank account details.  AWAK also communicated about laundering these funds using the name "HANOI BATTERY JSC" and the email ccs03h@gmail.com.  AWAK also used the name "Kwee Tin Law" with that email address.  He provided invoices for IRO to use, one of which used IRO's residential street address (412 Gina Dr., Carson, California) with the name "IRVA Auto Sales Equipment Broker LLC."

Personal Romance Scam Victim 3 - F.K. 

F.K. was a Japanese woman who became involved in a 10-month online romance scam. She believed she was "dating" Terry Garcia, a US Army captain stationed in Syria.  They met on "InterPals" and communicated almost daily via Garcia's Yahoo email address.  They communicated in English, which F.K. used Google Translate to assist with.  Eventually, Garcia was wounded in Syria, but his friend Collins Coster, a Red Cross employee, had been given a box of diamonds with instructions that Garcia wished them to be sent to F.K.  Owen Blair, the shipping consignment officer, contacted F.K. to arrange the payments for the customs fees for the box of diamonds.  Unfortunately, another fee was required for the diamonds to enter customs in Japan.  Diplomat Romain Kaufman helped her arrange, via gmail, her "diplomatic consignment tax" of $28,750.  F.K. continued to make various payments as the crazy scheme escalated.  She received emails as often as ten to fifteen times per day, and made "35 to 40 payments" which caused her to need to borrow many from friends, her older sister, her ex-husband, and even a bank loan.

F.K. paid:
April 11, 2016 - Western Union of $2000 sent to Turkey for "customs non-inspection fee"
April 11, 2016 - Western Union of $6,200 sent for "final accreditation fee"
late April - bank transfer of $28,750 sent to a bank in Turkey for "diplomatic consignment tax"
May 30, 2016 - Wire of $6,824.00 to Chase account 1577
July 13, 2016 - Wire of $33,128.26 to Chase account 0655

 Not only did she send $200,000 to the scammers, to bank accounts controlled by IGBOKWE and MANSBANGURA, she was also lured to Los Angeles for the purpose of convincing a bank to unfreeze her wire transfer!  She was told that a Russian bank manager in Los Angeles had embezzled the funds.  Defendants ANUNOBI was also involved in arranging some of this scam.
On October 13, 2016, MANSBANGURA took photos of F.K. after meeting her at the airport and sent them to IGBOKWE saying "This is her" and later "I just drop her off. I'm not doing this again."

Personal BEC Victim 4 - J.G. 

J.G. was an attorney from Nevada.  A potential client "Frank Moss" claimed to have a construction company in Omaha, Nebraska, and needed J.G.'s help purchasing some equipment.  Moss said that he didn't want to make the purchase directly and needed the help of a lawyer to make the purchase.  Moss sent a check for $30,750 to J.G., who wired $30,000 to a US Bank account (2669) in the name M&F Enterprise.  Because J.G. had over $100,000 in his account, he didn't wait for the check to clear, which had a hold on it because it appeared to come from a Canadian bank.  Defendants MANSBANGURA and IGBOKWE were in control of the receiving account.

Oct 26, 2016 - $30,000 wired to US Bank 2669.
Oct 27, 2016 - $5,500 from that account paid to MANSBANGURA
Oct 27, 2016 - $7,850 from that account paid to an unindicted co-conspirator
Oct 28, 2016 - $8,845 from that account paid to an unindicted co-conspirator
Oct 31, 2016 - $7,500 from that account paid to MANSBANGURA

IGBOKWE sent several text messages from his iPhone 6S and Samsung phone sharing account details of the US Bank 2669 account to allow others to use it as well.

BEC Criminals Indicted in Los Angeles

In total, 80 individuals were charged.  In the list below, we've indicated those in the United States by placing *asterisks* around their number.  Many of the individuals in the Los Angeles area were brought into the case by exploring the chat logs and emails recovered from the phones on that initial search warrant and "spidering out" from there with additional records checks at Uber, Lyft, Google, Apple, Facebook, Microsoft, and Instagram.
  • *1*. VALENTINE IRO, aka “Iro Enterprises,” aka “Valentine Obinna Iro ,” aka ” Obinna Iro ,” aka ” Obinna Nassa,” - 424.287.9250 / 412 Gina Drive, Carson, California.
  • *2*. CHUKWUDI CHRI STOGUNUS IGBOKWE, aka ” Christogunus C. Igbokwe,” aka ” Chris Kudon ,” aka “Atete ,” aka “Still Kudon ,”
  • *3*. JERRY ELO IKOGHO , aka “J Man,” +1.323.308.0042 - in Valentine IRO's address book as "J.Man" - Confirmed via T-Mobile records, showing address 17630 Crabapple Way, Carson, CA 90746 - confirmed also by DMV records.  ikoghojerry@gmail.com also was registered to this telephone number, with recovery email ikoghojerry@yahoo.com.  The gmail and telephone were also used for accounts at Facebook, Uber, and Lyft.  Other numbers:  +1.646.651.6077.  Invited IRO to his 4th of July barbecue in 2017.
  • *4*. IZUCHUKWU KINGSLEY UMEJESI, +1.323.209.9682.  In IRO's Samsung address book as "Armenian Man".  In IGBOKWE's iPhone address book as "Kingsley LA".  In EROHA's phone as "Izuking Aka Aku."  Financial records give his address as 2319 W. Florence Ave, Los Angeles, CA.  Records tied to that number list his birthday, driver's license, and Nigerian passport number.  He also filed a police report using that name, telephone, and address after his Dodge Charger was broken into.  The number was also used by Uber, Lyft, Yahoo, and Facebook accounts.
  • *5*. ADEGOKE MOSES OGUNGBE.   IRO's Samsug gives +1.310.756.5633 as P&P Motors.  IRO also listed +1.310.773.8266 as "Pp." T-Mobile says OGUNGBE used the first number since April 3, 2012 at the street address 17260 Farwell St., Fontana, California.  His silver Lexus, registered to P/P Motors, LLC, was observed at that address.  That number was used in WHOIS data to register pandpmotorsllc with GoDaddy.com with the email adegoke101@gmail.com.  Google used the name "Moses Ogungbe" for that user, with the 5633 telephone.  The Instagram account "pandpmotors" used "Adegoke Moses Ogungbe" as the registered user.  Uber and Facebook also tie this user to the 5633 phone.  T-Mobile lists the 8266 number as his from Feb 6, 2016 to June 12, 2018.   P&P and PP both chat with IRO about personal matters, including referring from one phone number as saying "Na my second phone dey  my hand."
  • 6. ALBERT LEWIS CATHEY.  IRO's Samsung has three numbers for CATHEY.  +1.323.359.5052 ("Alb"), +1.310.484.3117 ("Albert Jag"), and +1.310.242.0179 ("Al").  The 5052 number ties CATHEY to the phone in Inglewood, California from Oct 15, 2012 to June 28, 2017. His DMV records and Sprint records also tie him to the address.  His iTunes account gives his email as "ac.lu@aol.com" with the same Inglewood address.  His Apple account was later linked to "blueheaven3223@gmail.com" which he used to communicate with IRO.  "Albert Jag" and IRO spoke almost daily from Feb 17, 2017 to March 31, 2017, with less frequent comms starting in September 2016.   They discussed bank accounts in both India and China used in frauds.  The "0179" number was registered to CATHEY's girlfriend, with her addresses in Lawndale and San Pedro, California.  CATHEY opened a business bank account for a fictitious Ghanaian oil company for IRO, linked to the "3117" number.  The "0179" number is also used to open  two business accounts at Comerica Bank.
  • *7*. TITYAYE MARINA MANSBANGURA, aka “Tityaye Igbokwe ,” aka “Marina Mansour,” aka “Marina Mansaray,” aka “Marina Tityaye Mans Bangura."  MANSBANGURA used at least sixteen different telephone numbers to communicate with IRO, IGBOKWE, and EROHA between October 2016 and July 2017.  +1.310.279.0880, +1.310.527.1235, +1.310.806.3646, +1.310.904.3858, +1.310.904.8073, +1.310.920.7285, +1.310.920.8666, +1.310.447.4893, +1.424.376.4052, +1.424.376.7261, +1.424.376.7260, +1.424.305.9393, +1.310.954.6109, +1.424.376.9179, +1.424.376.9219, and +1.424.376.8558.   At one point when she began having trouble opening bank accounts ("All the banks have blocked me.") IGBOKWE told her that IRO knew someone who could get her a new passport and social security card "in four days."
  • *8*. CHUKWUDI COLLINS AJAEZE, +234.818.517.4075 was in IRO's phone as “Thank You Jesus.”  Tango, a messaging app, ties that phone to "Collins Eze 2" and the email "ajaeze@gmail.com".  Google records for that subscriber gave the name "Chuckwudi Collins Ajaeze" with the telephone +1.424.227.0030 and the recovery email "tm.haily10@yahoo.com".  That US telephone number is tied to many bank accounts, including a Chase account (0038) and a Wells Fargo account (1849).  Facebook, Uber, and Lyft all link the email to Ajaeze as well.  At least six bank accounts opened by AJAEZE list IRO's apartment as the address.  (Wells Fargo accounts 3087, 7748, 912, and 1849), Bank of America account (5957) and Chase account (0038).
  • *9*. EKENE AUGUSTINE EKECHUKWU.  +1.562.328.9622 was listed in IRO's phone as "Power" and in IGBOKWE's phone as "Ogedi Power."  IRO and Ogedi Power discussed problems with a wire transfer in a March 2017 chat.  ("What's your name? Ekenne Williams?" No. Ekene Ekechukwu.  "Ohhh! I gave them Ekenne Williams ... I made a mistake on your name!")  A Facebook account (Austine Dee) and an Instagram account (Austine) tie to the same number.  Uber and Lyft accounts for that number give the email "fatherkee@hotmail.com." Microsoft says that email belongs to "Augustine Ekechukwu."
  • 10. CHUKS EROHA, aka “Chuks Nassa Iro,” aka “Nassa,” aka “Prince Chuddy,” aka “Nurse Chuddy,”
  • 11. COLLINS NNAEMEKA OJIMBA, aka “Collins Emeka Ojimba,” aka “Ojimba Collins." IRO had +1.323.317.7383 in his Samsung phone listed as “Charly.Africa."  That number was in T-Mobile's records belonging to OJIMBA since June 4, 2011, with a Hawthorne, California address.  OJIMBA opened multiple bank accounts for IRO, including US Bank (1837) and Wells Fargo (7776), the latter in the name of "C and K Business Enerprise" [sic, "t" missing].
  • 12. FNU LNU, aka “Xplora G,”
  • 13. UCHENNA OCHIAGHA, aka “Urch Agu,” aka “Advanced Mega Plus Ltd,”
  • 14. NNAMDI THEOJOSEPH DURU, aka “Duru Theo Joseph Nnamdi,” aka “Williams High School,” aka “Ifytyns,”
  • 15. ERICSON UCHE OFORKA, aka “Oforka,” aka “Eric Oforka,”
  • 16. MARK IFEANYI CHUKWUOCHA, aka “Mark Iheanyi Chukwuocha,” aka “Chukwu Mark,” aka “Markife,”
  • 17. AUGUSTINE NNAMDI, aka “Nnamdi Augustine,” aka “Jazz,”
  • 18. CHIEMEZIE CHRISTOPHER CHILAKA, aka “Fanta,”
  • 19. CHARLES OHAJIMKPO, aka “Giggs,” aka “Ryan Giggs,” aka “Charles,”
  • 20. STANLEY UGOCHUKWU UCHE, aka “Ugo Law,” aka “Uche Stanley,” aka “He is risen.Happy Easter!,”
  • 21. CHIKA AUGUSTINE ODIONYENMA, aka “Tony Augustin Odionyenma,” aka “Chika Tony,” aka “CTA Finance Source Intl,”
  • 22. PASCHAL CHIMA OGBONNA, aka “Chima,” aka “Paschal,”
  • 23. SAMUEL NNAMDI ONWUASOANYA, aka “Sammy Lee Nnamdi,” aka “Onwuasoanya Samuel Nnamdi."  Sammy was in IRO's phone as “Enugu Ogo" with the number +234.816.505.6552.  Sammy's website was discovered which listed his birthdate and email "samuelnnamdi@rocketmail.com."  Yahoo (who owns RocketMail) lists Mr. Samuel Nnamdi as that account holder.  IRO's enterprisesiro@gmail.com corresponded with Nnamdi at that address, including wire transfer information and proofs of payment.  "Sammy Lee Nnamdi" was also listed in IRO's and EROHA's phones with the same number.
  • *24*. MACWILLIAM CHINONSO CHUKWUOCHA, corresponded with IGBOKWE using the name “ChiBoy" from the phone +1.407.233.7717.  He said he was in Orlando, Florida, when chatting from the same number to IRO.  He used his true name when opening an Orlando, Florida Wells Fargo account (5736).  T-Mobile indicates the number belonged to "Amcwilliam Chukwuocha" from November 25, 2016 to March 20, 2017.  IGBOKWE's other phone listed this number in its contacts as "Macwilliam" in his "imo" messaging application.  "imo" shows the account to use the email "macwilliam123chukwuocha@gmail.com" and the same telephone number.
  • 25. EMMANUEL ONYEKA UZOKA.  IGBOKWE's phone listed UZOKA as "Mansion" (+1.470.338.6848) and also  “Son of God” (+1.646.457.6954). aka “Ezirim Uzoma").  IGBOKWE texted UZOKA and mentioned visiting Atlanta.  UZOKA provided his home address, 1405 Station Club Dr. SW, Marietta, Georgia 30060, which matches his driver's license address.  They discussed a $52,000 transfer in one chat.  T-Mobile ties the 6848 number to UZOKA at the same address.  UZOKA's Facebook and Instagram pages have photos matching ones he sent to IGBOKWE.
  • 26. JOSHUA ANIEFIOK AWAK.  IRO's Samsung lists +234.808.0265.5259 as "Joe Awk".  He provided a Nigerian Guaranty Trust Bank account to IRO via chat, confirming he received a transfer.  The same number was on a business card AWAK provided to CBP when entering LAX airport following an inbound flight.  He told CBP he would be visiting IRO and provided two of IRO's telephone numbers to them, including the primary (+1.424.287.9250.)  Google has that number listed for "awak.joshua@gmail.com" with a recovery address of "joshuaawak@icloud.com."  Yahoo lists him as "joshuaawak@yahoo.com" with many telephone numbers and additional email addresses, including "ccs03h@gmail.com" which supplied the fraudulent invoice for victim R.B. above.  A Chase Bank investigator also provided the telephone number +1.786.872.2885 that linked AWAK to the email awak.joshua@gmail.com in their records.
  • *27*. GEORGE UGOCHUKWU EGWUMBA. IRO listed "George Ugo" as +1.714.916.1760, while EROHA had the same number as "Ugo Aunty Scholar."  Facebook ties the number to a "George Egwumba" account with the emails smillinggeorgeconsult@yahoo.com and egwumbag@yahoo.com.  Apple ties the number to the latter address, as well as "wingaldnigeria.ent@gmail.com".  A Nigerian telephone number, +234.803.374.3079, is also used in both Apple IDs.  The Yahoo id confirms the Nigerian telephone number, but also gives the name "Mr. George Bent."
  • 28. UCHECHUKWU SOLOMON EZIRIM, aka “Uche Nwanne,” aka “Uche Ezirim,”
  • 29. AUGUSTINE IFEANYI OKAFOR, aka “Zero,” aka “St.Austine,” aka “Austine,” aka “Ifeanyichukwu Okafor,”
  • 30. FNU LNU, aka “Okay Sam Mal,”
  • 31. LESLIE N. MBA, aka “Mystical,” aka “Nwachinemere Leslie,”
  • 32. OGOCHUKWU INNOCENT IKEWESI, aka “Ogoo UK,” aka “Innocent Ikewesi,”
  • 33. EMMANUEL UZOMA OGANDU, aka “Nwachinaemere,” aka “Uzoma,”
  • 34. AMARACHUKWU HARLEY ANYANWU, aka “GodisGod,” aka “War B,”
  • 35. BRIGHT IFEANYI AZUBUIKE, aka “Bright Bauer Azubuike,” aka “Ifeanyi Jnr,”
  • 36. EMEKA MOSES NWACHUKWU, aka “All Man,” aka “Omalitoto,”
  • 37. FNU LNU, aka “Donatus Izunwanne,” aka “Izunwanne Donatus Chibuikem,” aka “Deworlddonmax,”
  • 38. CHINWENDU KENNETH OSUJI, aka “Father,”
  • 39. EUSEBIUS UGOCHUKWU ONYEKA, aka “Ugo UK,” aka “sly19 sly,”
  • 40. CHIDI ANUNOBI, aka “Anunobi Chidi,” aka “Chidioo,”
  • 41. ANTHONY NWABUNWANNE OKOLO, aka “Eric West,” aka “Erci West,” aka “Code,”
  • 42. OBINNA CHRISTIAN ONUWA, aka “Papa Chukwuezugo,” aka “Obinna Onuwa Abala,” aka “Obyno Abala,”
  • 43.  CHIJIOKE CHUKWUMA ISAMADE, aka “Mr CJ,” aka “CJ,”  IRO's broken phone listed +1.415.530.9429 as "Cj" and had communicated with +1.707.490.1571.  The 9429 number was in IGBOKWE's phone as "Mr CJ." who was also listed as "Mr. CJ" with the Nigerian phone number +234.809.115.3589.  AT&T links the 9429 number to "Chijioke Isamade" in Sugar Land, Texas. He used the email "princeisamadecj@outlook.com" and "mrpincecj@icloud.com on two Uber accounts tied to the 1571 telephone number.
  • 44. LINUS NNAMDI MADUFOR, aka “Madufor Nnamdi,”
  • 45. CHRYSAUGONUS NNEBEDUM, aka “Cris,”
  • 46. UGOCHUKWU OKEREKE, aka “Blade,” aka “Kingsly Cris,” aka “Okereke Ugochukwu,”
  • *47*. FIDEL LEON ODIMARA.  IGBOKWE listed +1.713.366.6633 variously as "Ndaa", "Fidel Odimara", "Dee Dutchman", "dutchman dee", "Ndaa USA", and "amusan olubunmi" in his various devices.   The T-Mobile records for the number tie it to "Fidel Odimara" at 10555 Turtlewood Court, Houston, TX 77072 since 21OCT2015.  Wallis State Bank had all of the same information listed for a business bank account in the name "General Auto USA."   Uber tied the phone number to fidelleo2005@yahoo.com, which Yahoo listed as "Mr. fidelo Jackson" with an alternate email of "generalegroup@yahoo.com."  That email had in turn the alternate email "generaloilservices@yahoo.com" in the name "Fidel Odimara."Instagram listed his account name as "De Dutchman" with the vanity URL /dedutchman, tied to the generalegroup@yahoo.com email address.
  • 48. KINGSLEY CHINEDU ONUDOROGU, aka “OBJ,”
  • 49. DESSI NZENWAH, aka “Desmond Sage,” aka “Des Nzenwa,” aka “Saga Lounge,”
  • 50. CHIMAROKE OBASI, aka “Chima Russia”
  • 51. JAMES CHIGOZIE AGUBE, aka “Smart,” aka “Smart Agube,” aka “Smart Chigozie Agube”
  • 52. CHIMAOBI UZOZIE OKORIE, aka “Omaobi,” aka “Mobility,”
  • 53. OGOCHUKWU OHIRI, aka “Ogomegbulam Ohiri,” aka “Ologbo,”
  • *54*. KENNEDY CHIBUEZE UGWU, aka “Kennedy David,” was listed in IGBOKWE's phone as 1.781.654.5154, with additional numbers of +1.781.654.5154 and +1.347.393.1600, using the named "Kennedy", "Kennedy USA", and "Kennedy Ugwu."  The 5154 number was used in chats discussing payments with IGBOKWE, who stated that he lived in Brockton or Boston Massachusetts.  These phone numbers also were tied to the Facebook account for "Kennedy David."  "Northeast Security Inc" confirms that Ugwu was an employee and used a Brockton, MA street address, the 5154 telephone, and the email "kennedyugwu22@gmail.com" in his employment records.  his Facebook vanity URL was "kennedy.ugwu.7" and the same email given by his employer.
  • *55*. IFEANYICHUKWU OLUWADAMILARE AGWUEGBO.  IGBOKWE had AGWUEGBO in his phone as “B😎😎$$ IFF¥” with the number +1.401.536.0073.  A Wells Fargo investigator shows him using that number with the street address 8907 Deer Meadow Dr., Houston, TX 77071 to open an account ending in 2016.  He conducted at least five financial transactions related to this case, all using the same telephone and street address, including some using a Bank of America account (1769).
  • *56*. VICTOR IFEANYI CHUKWU. +1.323.237.4383 was listed in IGBOKWE's phone as "Vic," "Vic Chux", and "Anyi LA," in IRO's phone as “Ifeannyi Soccer,” and in EROHA's phone as "Ifeanyi."   In a text to IRO he says "my name is victor chukwu and I live in Los Angeles, California."  Chuckwu was interviewed by the FBI and provided an email "ifydiddy@yahoo.com" listed as belonging to Mr. Ifeanyi Chukwu, with the same phone.  Uber listed him as a driver, using that phone and the email "vic.chukwu@yahoo.com".  Lyft shows him as ifydiddy@yahoo.com.
  • *57*. CHIDI EMMANUEL MEGWA.  IGBOKWE calls 1.754.213.6149 "Cantr,” in his contacts on one phone and "Canta Jr." with the number +1.682.414.1984 on another phone.  His Facebook account links him to emails "jaz_y2004@yahoo.com," "megwaemmanuel@yahoo.com," and "kodioluvsu@yahoo.com." Lyft has him listed as "Chidi Emmanuel" with the email "megwachidi@gmail.com" and after the 6149 number, also +1.682.347.0113.  His DMV photo matches images of him shared by SMS picturing him at a club with IGBOKWE and EROHA.
  • *58*. PRINCEWILL ARINZE DURU.  IGBOKWE had the number +1.916.997.9097 listed for DURU.  The two traded information about a Chase Bank account (2101), which Chase confirmed with this telephone number and the email princeeznira@gmail.com.  Sprint lists him as "Princewill Duru" in Carmichael, California.  Bank of America account (4859) in the name "PD Enterprise" showed DURU as the account holder with emails pdenterprise2017@gmail.com and princeduru22@yahoo.com.  Google lists a backup address for princeeznira as princeduru22@yahoo.com (in the name "King Eznira", which is "Arinze" spelled backwards, but also a pun on making "easy naira" (the currency of Nigeria.)
  • 59. ESMOND IWU, aka “Desmond Chigozie Iwu,” aka “Lalaw,” aka “Odo Desmond,”
  • 60. YEKA VINCENT CHIKA, aka “Chyco,” aka “Chika Ejima,” aka “Vincent Chika Onyeka,”
  • 61. FEANYI KINGSLEY MEZIENWA, aka “Ifeanyi Ali,” aka “Ifeanyichukwu Mezienwa,”
  • 62. VICTOR UCHENNA AGUH, aka “Orch Sod,” aka “Uche SP,” aka “Rich Homie Urch,”
  • 63. KEVIN AMARACHI ESHIMBU, aka “Humble,” aka “Humble Amarachukwu,” aka “Dato Humble,”
  • 64. VITALIS KELECHI ANOZIE, aka “Kelechi Vitalis Anozie,” aka “Kelechi Anozieh,” aka “Pastor Kel Anozie,” aka “Pastor Kc,” aka “Choice,”
  • 65. WILLIAMS OBIORA AGUNWA, aka “Don Williams,”
  • 66. GEORGE CHIMEZIE DIKE, aka “Chimekros,” aka “Slim Dad…No…1,”
  • *67*. MUNACHISO KYRIAN UKACHUKWU.  IGBOKWE's phones list +1.510.417.7578 as "Muna" and in his "imo" messaging app as "Muna Ukachukwu."  Twitter and imo give the email "munaukachukwu@gmail.com" and confirm the telephone number for Twitter accounts @Munachiso18 and @MunaUkachukwu.  The same information is used for a Skype account.  T-Mobile places him at 366 Ohio Ave, Richmond, California and a previous address, also on Ohio Avenue, matches his California DMV record.  He was a Lyft driver as well, using the same phone and email munac_2000@yahoo.com.
  • *68*. NWANNEBUIKE OSMUND.  +1.424.672.0859 is in IGBOKWE's phone as "Olivite" while EROHA lists him as "Nikky Bros." and IRO as "Nikky Bro."  T-Mobile places him in Carson, California, as does the DMV.  Yahoo ties that phone to nwannebuikeosmund@yahoo.com.
  • 69 CHIDIEBERE FRANKLIN NWANGWU, aka “Frank Chidi,” aka “Franklin Nwangwu,” aka “Agogo,”
  • 70. DAMIAN UCHECHUKWU AJAH, aka “Uche Ajah,” aka “Ajah Damian Uchechukwu,” aka “Uchechukwu Demian Ajah,”
  • 71. MEKA P. EJIOFOR, aka “Ejiofor Emeka,”
  • 72. LAWRENCE CHUKWUMA UBASINEKE, aka “Ubasineke Chuks,” aka “Chukwuma Ubasineke,”
  • 73. CHINEDU BRIGHT IBETO, aka “Doggy,” aka “Doggy Lucino,”
  • 74. VALENTINE AMARACHI NWANEGWO, aka “Satis,” aka “Satis Amarachi Satis,”
  • 75. EMMANUEL CHIDIEBERE DIKE, aka “Emmanet,”
  • 76. JEREMIAH UTIEYIN EKI, aka “Uti,”
  • 77. CHINAKA DAVIDSON IWUOHA, aka “Tmrw Afrika Will Wake Up,” aka “Cookie,” aka “All Africa Media Network,”
  • 78. CHIMA DARLINGTON DURU, aka “Kajad,” aka “Kajad Jesus,”
  • 79. IKENNA CHRISTIAN IHEJIUREME, aka “Piper,” aka “Am Happy!,”
  • 80. OBI ONYEDIKA MADEKWE.  +234.703.472.4857 is in IRO and IGBOKWE's phones as  “Odu Invest" and "Obi LA."  +1.310.658.4080 is also in IRO's phone as "Obi Soccer."   Madekwe introduced himself by name in chat, and opened a Wells Fargo account (1223) in his own name.  He used the email omadekwe1@gmail.com and the 4080 telephone number.  Google links that email to the +234 phone.  IRO complains that his "Main Exchanger" has gone to Nigeria in April and May of 2017.  DHS confirms MADEKWE traveled to Nigeria in April 2017.