Tuesday, September 08, 2020

RoboCallers Hit with Permanent Injunction by Courts

The Eastern District of New York has ruled in the case "United States v. Nicholas Palumbo, et al", effectively putting TollFreeDeals.com and SIPRetail.com out of business.  These are the "Voice Over IP" companies that allowed millions of overseas calls per day to be routed to Americans, often for the purpose of facilitating fraud, frequently by imitating either the Social Security Administration or the IRS.  The case, originally filed 28JAN2020 (1:2020cv00473), reached its final "permanent injunction" ruling on 26AUG2020, as conveyed by the Office of the Inspector General of the Social Security Administration.

In the 62-page criminal complaint against the two companies, the government explains that the major fraud types facilitated by the Palumbos were: 

a. Social Security Administration ("SSA") Imposters

b. Internal Revenue Service ("IRS") Imposters 

c. United States Citizenship and Immigration Services ("USCIS") Imposters 

d. Tech Support Imposters -- often claiming to be Apple or Microsoft 

e. Loan Approval Scams

Through the use of the Palumbos' companies, the callers were able to spoof their caller ID so the calls appeared to originate from a U.S. Federal government agency, a local police department, or a technical support organization.

From October 1, 2018 to September 30, 2019, the SSA received more than 465,000 complaints related to these types of calls and documented losses of more than $14 million.  The Federal Trade Commission's Consumer Sentinel Database documented 166,000 such calls with losses of $37 million in calendar 2019 alone.  When all types of government impersonation calls are included, the FTC Consumer Sentinel reported 255,223 complaints causing $128 Million in fraud losses in 2018 and 389,563 complaints resulting in $152 Million in fraud losses in 2019!

The Social Security Calls

According to the government's complaint, one such robocall, sent to millions of American telephone numbers in early 2019, used this text:

"Hello this call is from Department of Social Security Administration the reason you have received this phone call from our department is to inform you that there is a legal enforcement actions filed on your social security number for fraudulent activities so when you get this message kindly call back at the earliest possible on our number before we begin the legal proceedings that is 619-XXX-XXXX. I repeat 619-XXX-XXXX.  Thank you."

The Technology 

How does the technology work?  The foreign call center uses Voice Over IP (VoIP) to connect via broadband Internet to a U.S. based telecommunications company called a "gateway carrier."  The gateway carrier then routes the call to a "common carrier" such as AT&T or Verizon.  Because they need to bill for these services, both the gateway carrier and the common carrier keep logs of these calls. Part of the service provided by the gateway carrier is "least-cost routing" - essentially a real-time auction in which the call is handed to the cheapest bidder for completion.

These logs provide:
timestamp => destination consumer # => gateway carrier => caller-id presented (often spoofed) => downstream customer (usually the foreign call center).

In just 23 days in May and June of 2019, TollFreeDeals transmitted more than SEVEN HUNDRED TWENTY MILLION calls!  (720,000,000 calls!!!!)  425 million of these calls lasted less than one second.  More than 24 million of these calls were placed to residents of the Eastern District of New York.

182 Million of these TollFreeDeals calls originated from a single India-based VoIP carrier co-conspirator in the United States.  One thousand different source numbers accounted for 90% of these calls, and 79% of those 1,000 numbers were listed as fraudulent robocall numbers by a robocall blocking company (YouMail).  Of these 143 million calls, 20% were Social Security imposter calls, 35% were loan approval scams, and 14% were Microsoft refund calls. Other calls imitated the IRS, the U.S. Treasury, and additional tech support scams.

In May 2017, Nicholas Palumbo was notified by AT&T and others that his company was routing fraudulent government imposter calls.  Palumbo promised to block two particular telephone numbers, but continued to allow the others.

In February 2019, AT&T notified Palumbo that calls spoofing USCIS and attempting to extort money had been traced to his company.  Again, Palumbo blamed his India-based VoIP carrier customer, even though this was the same company about which he had already received many warnings.

A telecommunications industry trade association, USTelecom, provided an additional 144 notifications of fraudulent call origination to the Palumbos' companies from May 2019 to January 2020, including 83 SSA imposter fraud cases, 24 Tech Support imposter fraud cases, 10 IRS imposter fraud cases, and 1 USCIS impersonation fraud case.  USTelecom's notices estimated that TollFreeDeals was placing "more than 1 million fraudulent calls per day."  Palumbo logged in to the USTelecom portal and repeatedly indicated the calls had been placed by the same India-based customers of TollFreeDeals.

USTelecom also formally notified SIP Retail of similar traffic, including 35 traceback investigations from August 2019 to January 2020, including 19 SSA Impersonation cases, 3 Tech Support impersonation cases, and 1 USCIS Impersonation case.

Elder Fraud Task Force Reports

To put a human face on the crimes, a Postal Inspector working for the Elder Fraud Task Force in the Consumer Protection Branch of the Department of Justice investigated many example calls facilitated via the Palumbos' companies.

Palumbo received at least nineteen large cash deposits into Wells Fargo Bank accounts that he controlled from May 28, 2019 to September 11, 2019, totaling $130,250.  The deposits were made in Minnesota, South Carolina, Florida, Alabama, and New Jersey.  After each cash deposit, Palumbo would move the funds to his Ecommerce National LLC accounts at JP Morgan Chase. The Postal Inspector characterizes these activities as "Interstate Funnel Account" transactions, a form of money laundering.

Some of the victims interviewed by the Postal Inspector included: 

J.K. - an 84 year old veteran of the US Marine Corps from Belle Harbor, NY.  He received a call claiming to be from the U.S. Marshals Service with a warrant for his arrest.  He was then told by an "SSA Employee" that someone had used his SSN to rent a car in Texas and that the car was used in drug trafficking and money laundering.  The "SSA Employee" then forced J.K. to wire all of the money in his bank accounts to him - $9,800.

C.E. - a 36 year old man who was a brand-new U.S. citizen.  He was told by "George" from SSA that he was being investigated for money laundering.  He was told to drive to a Best Buy in Queens, NY and buy $700 worth of Hotels.com gift cards.

L.U. - a man in his 40s from Roosevelt, NY who lost $2,200 in an SSA Imposter scam.

More on Call Routing

Another affidavit related to this case was the Declaration of a Special Agent of the Social Security Administration's Office of the Inspector General, who provided the diagram above to explain the complications of Least-Cost Routing tracebacks.

From 2016 to 2020, TollFreeDeals.com was offering VoIP termination services specializing in servicing foreign call center call originators.  Their website specifically stated: 

"TollFreeDeals.com is your premier connection for call center and dialer termination.  We are always looking for the best call center routes in the telecom industry.  We specialize in short call duration traffic or call center traffic.  We understand there is a need for it and we want to help you find all the channels you need!" 

They were proud of the number of call minutes they had "terminated" (which means facilitating the call from VoIP to a common carrier for completion.)  As of January 23, 2020, they boasted that they had helped to complete 10,491,500,323 minutes of calls!  That's TEN BILLION MINUTES of mostly fraud calls!

(Screenshot: archive.org's Wayback Machine capture of TollFreeDeals.com, Jan 10, 2020)

One of the calls documented by the SSA OIG Special Agent stated: 

"We have been forced to suspend your social security number with immediate effect.  Due to this, all your social benefits will be cancelled until further clearance. In case you feel this is due to an error you may connect with legal [unintelligible] Social Security Administration. In order to connect with a Social Security Administration office, press One now.  In case we do not hear from you, your social will be blocked permanently. To connect with an officer now, press One and you will automatically be connected with the concern departments. We did not receive any input. Dear citizen, in order to speak with Social Security personnel regarding your social security, press One and this automated system will connect you with the officials." 

This affidavit establishes that those 1,000 top phone numbers identified by YouMail, and confirmed as fraud based on complaints in the FTC Consumer Sentinel database, came from 29 unique TollFreeDeals customers.

Many Additional Details 

There were many rounds of filings by the Palumbos' lawyers, all soundly rebutted by the Department of Justice and their investigators, often with the help of industry experts.  One filing in particular addresses the behavior of "Yodel": in a single day, January 20, 2020, Yodel sent more than 6.5 million robocalls through the Palumbos' services.  5.2 million of these calls used "Neighbor Spoofing," the practice of assigning the call a caller ID that appears to belong to someone in the same area code and with the same prefix as the person being called.
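The two signals the post keeps returning to, a downstream customer pushing huge volumes of sub-second calls and "neighbor spoofing" of the caller ID, can both be pulled out of the gateway carrier's own billing logs. The following is an added example, not code from the complaint or the blog: it summarises constructed call records laid out in the order the post gives (timestamp, destination, gateway carrier, caller-id presented, downstream customer), with a trailing call-duration field added as an assumption, and flags customers whose traffic is dominated by either signal.

```python
"""
Added example (not from the complaint or the blog post): summarising
constructed gateway-carrier call records to surface two signals the post
describes: a downstream customer sending mostly sub-second calls, and
"neighbor spoofing" (caller ID sharing the called number's area code
and prefix). Field order follows the post; the trailing duration
column is an assumption added here.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed sample records; all numbers are fictitious 555 test numbers.
# timestamp,destination,gateway,caller_id_presented,downstream_customer,seconds
SAMPLE_CDRS = """\
2019-05-21T14:02:11Z,718-555-0142,GatewayCo,718-555-0199,callcenter-A,0.4
2019-05-21T14:02:11Z,718-555-0143,GatewayCo,718-555-0199,callcenter-A,0.3
2019-05-21T14:02:12Z,718-555-0144,GatewayCo,718-555-0188,callcenter-A,0.6
2019-05-21T14:02:12Z,516-555-0101,GatewayCo,516-555-0177,callcenter-A,41.0
2019-05-21T14:02:13Z,212-555-0110,GatewayCo,619-555-0100,callcenter-A,0.2
2019-05-21T14:03:00Z,718-555-0150,GatewayCo,800-555-0123,dialer-B,95.5
2019-05-21T14:03:30Z,718-555-0151,GatewayCo,800-555-0123,dialer-B,120.0
"""


@dataclass
class CallRecord:
    timestamp: str
    destination: str
    gateway: str
    caller_id: str
    customer: str
    duration_s: float


def _digits(number: str) -> str:
    """Strip formatting so 718-555-0142 and (718) 555-0142 compare equal."""
    return re.sub(r"\D", "", number)


def parse_cdr(line: str) -> CallRecord:
    ts, dst, gw, cid, cust, dur = line.strip().split(",")
    return CallRecord(ts, dst, gw, cid, cust, float(dur))


def is_neighbor_spoofed(rec: CallRecord) -> bool:
    """Caller ID shares the NPA-NXX (first six digits) with the called
    number but is not the called number itself."""
    d, c = _digits(rec.destination), _digits(rec.caller_id)
    return len(d) >= 6 and len(c) >= 6 and d[:6] == c[:6] and d != c


def summarize(cdr_text: str, short_call_s: float = 1.0) -> dict:
    """Per downstream customer: call count, share of calls shorter than
    short_call_s, share that are neighbor-spoofed, distinct caller IDs."""
    stats = defaultdict(lambda: {"calls": 0, "short": 0,
                                 "spoof": 0, "caller_ids": set()})
    for line in cdr_text.splitlines():
        if not line.strip():
            continue
        rec = parse_cdr(line)
        s = stats[rec.customer]
        s["calls"] += 1
        s["caller_ids"].add(rec.caller_id)
        if rec.duration_s < short_call_s:
            s["short"] += 1
        if is_neighbor_spoofed(rec):
            s["spoof"] += 1
    return {
        cust: {
            "calls": s["calls"],
            "short_ratio": s["short"] / s["calls"],
            "neighbor_spoof_ratio": s["spoof"] / s["calls"],
            "distinct_caller_ids": len(s["caller_ids"]),
        }
        for cust, s in stats.items()
    }


def flag_customers(summary: dict, min_calls: int = 5,
                   short_ratio: float = 0.5, spoof_ratio: float = 0.5) -> list:
    """Customers with enough volume whose traffic is mostly sub-second
    or mostly neighbor-spoofed; thresholds are illustrative."""
    return sorted(
        cust for cust, s in summary.items()
        if s["calls"] >= min_calls
        and (s["short_ratio"] >= short_ratio
             or s["neighbor_spoof_ratio"] >= spoof_ratio)
    )


if __name__ == "__main__":
    report = summarize(SAMPLE_CDRS)
    for cust, s in report.items():
        print(cust, s)
    print("flagged:", flag_customers(report))
```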

Thursday, July 23, 2020

Chinese "COVID-19" Hackers indicted after 11 year hacking spree

On July 7, 2020, a Grand Jury in Seattle was presented with evidence about the eleven year campaign of Computer Network Intrusion conducted by two former classmates who hacked for personal profit and for the benefit of the Chinese Ministry of State Security: Li Xiaoyu (李啸宇) and Dong Jiazhi (董家志).  The pair met when they were studying Computer Application Technologies at the University of Electronic Science and Technology ("UEST") in Chengdu, China.  UEST has as its motto:  求实求真 大气大为  -- "To Seek Facts and Truth, To Be Noble and Ambitious."  This pair certainly "sought facts" and were "ambitious," though not in a way that many would consider "Noble."  The University was admitted into Project 985 in 2001, a project that supported 34 top universities, encouraging each to become a global leader in its chosen specialty, and incidentally kicking off a new, ambitious era of global cyber espionage to help them gain competitive advantage.

Or maybe it was exactly the plan.  In 2007, likely the year that Dong would have started his college experience at UEST, the School of Software boasted that as part of the 11th Five Year Plan, their textbook, 计算机病毒技术 (Computer Virus Technology), received national acclaim.  The following year, they announced the completion of their Information Technology textbook series of 8 books, adding "Network and System Attack Technology" and "Network and System Defense Technology" to the series.  In the United States, "Network and System Attack Technology" (网络与系统攻击技术) is mostly taught in the military and intelligence communities, not in undergrad computer science courses.  In 2017 the course was taught by Li Hongwei (李洪伟), whose slides are online.  In 2019 the instructors were 李洪伟 and 吴立军.
(Slide: Network and System Attack Technology - Cao Yue and Yu Shengji)
An example slide from a previous version of the course, which both of our hackers would have taken (Lecture 2, "Information Retrieval"):

The text explains one of the tools from the "experimental" portion of the class, "MS06040Scanner": 

The working principle of MS06040Scanner is to first obtain the operating system type and open ports through port scanning and operating system scanning. If it is a Windows 2000 system, TCP port 139 or TCP port 445 is open, and the returned data packet matches the definition in the vulnerability library, it means that the host may have the MS06040 vulnerability, and we can use MS06040 exploit programs to carry out remote overflow attacks on it.

The second slide demonstrates the "X-Scan" tool which would be used to find vulnerabilities allowing data exfiltration.

The Attacks 

According to the Department of Justice Indictment, Dong was the one who researched victims and means of exploiting them while Li primarily did the hacking. 


Here's how the indictment describes the "Manner and Means of the Conspiracy" -- 

"The defendants researched and identified victims possessing information of interest, including trade secrets, confidential business information, information concerning defense products and programs, and personal identifying information ("PII") of victim employees, customers, and others, using various sources of information including business news websites, consulting firm websites, and a variety of search websites.

The defendants then gained unauthorized access to victims possessing the information sought by the conspiracy.  They stole source code from software companies, information about drugs under development, including chemical designs, from pharmaceutical firms; students' PII from an education company; and weapon designs and testing data from defense contractors.

The defendants usually gained initial access to victim networks using publicly known software vulnerabilities in popular products.  Those vulnerabilities were sometimes newly announced, meaning that many users would not have installed patches to correct the vulnerability. ... They also targeted insecure default configurations in common applications."

The defendants used their initial access to place a "web shell" on the victim network, allowing remote execution of commands on a computer.  The most frequently deployed was the "China Chopper" web shell.  They most frequently did so by hiding a file named "p.jsp" in an obscure directory on a public-facing website.  (They also sometimes named their web shells "tst.jsp", "i.jsp", or "/SQLTrace/i.jsp".) The indictment includes a screenshot of China Chopper lifted from the FireEye blog post "Breaking down the China Chopper"; if you are interested, you should also read the Talos blog post "China Chopper still active 9 years later."

(FireEye explains China Chopper)

They would then plant software for stealing passwords, identify computer users with Administrator access, and study the network for useful data.  The data was compressed as a .RAR file, then often renamed with a ".jpg" extension and placed in the victim's recycle bin until it could be retrieved.
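Because the staging trick above relies on the file name lying about the content, a defender's check has to ignore the extension and look at the leading bytes. The following is an added example, not code from the indictment or the blog post: it walks a directory tree, flags files carrying an image extension whose header is actually a RAR, ZIP or 7z archive, and builds its own constructed sample tree so it runs offline.

```python
"""
Added example (not from the indictment or the blog post): finding
archives renamed to look like images, the staging technique the
indictment describes (a .RAR renamed to .jpg and parked in the
recycle bin). The check ignores the file name and reads the header.
"""
import os
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Leading bytes of common archive formats. "Rar!\x1a\x07" is the
# documented RAR signature; the byte after it separates v4 from v5.
ARCHIVE_MAGIC = {
    b"Rar!\x1a\x07\x01\x00": "rar5",
    b"Rar!\x1a\x07\x00": "rar4",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
MAX_HEADER = max(len(m) for m in ARCHIVE_MAGIC)


def sniff_archive(header: bytes) -> Optional[str]:
    """Return the archive type whose magic the header starts with, or None."""
    for magic, kind in ARCHIVE_MAGIC.items():
        if header.startswith(magic):
            return kind
    return None


def is_disguised_archive(path: Path) -> Optional[str]:
    """Archive content hiding behind an image extension -> its type."""
    if path.suffix.lower() not in IMAGE_EXTENSIONS:
        return None
    with open(path, "rb") as fh:
        return sniff_archive(fh.read(MAX_HEADER))


def scan_tree(root: Path) -> List[Tuple[str, str]]:
    """Walk root; list (relative path, archive type) for disguised files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            kind = is_disguised_archive(p)
            if kind:
                findings.append((p.relative_to(root).as_posix(), kind))
    return sorted(findings)


def build_demo_tree(root: Path) -> None:
    """Constructed sample: a real JPEG header, plus a RAR and a ZIP
    renamed as images inside a recycle-bin-like folder."""
    (root / "photos").mkdir(parents=True)
    (root / "recycle").mkdir()
    (root / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (root / "recycle" / "IMG_0042.jpg").write_bytes(b"Rar!\x1a\x07\x00" + b"\x00" * 32)
    (root / "recycle" / "scan.png").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
    # Honestly named archive: not an image extension, so not reported here.
    (root / "recycle" / "notes.rar").write_bytes(b"Rar!\x1a\x07\x00")


def demo() -> List[Tuple[str, str]]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind:5s} content behind an image name: {rel}")
```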

The Victims 

The indictment makes clear that there were "hundreds" of victims between September of 2009 and early 2020, not only the ones listed in this indictment. To characterize the range of victims, it lists types of companies, date ranges, amount of data stolen, and type of data gathered.

Victim 1: California-based technology and defense firm
Dec 2014-Jan 2015
200GB "Radio, laser, and antennae technology; circuit board and related algorithms designs for advanced antennae; testing mechanisms and results."

Victim 2: Maryland-based technology and manufacturing firm - 64GB 

Victim 3: Hanford Site, Department of Energy, Washington State - information about network and personnel, including lists of authorized users and administrator accounts

Victim 4: Texas: 27GB of space and satellite application data 

Victim 5: Virginia Federal Defense contractor - 140GB of project files, drawings and documents related to Air Force and FBI investigations.  PII on 300+ employees

There were many more victims detailed, including:

- a US Educational Software company with "millions of students and teachers' PII," breached from Nov 2018 to Feb 2019
- a California pharmaceutical company - 105GB of data in Feb and March 2019
- a Massachusetts medical device company - 83 GB of source code, just as the victim was engaging in a contract with a Chinese firm to produce some of their components

Other victims were listed in other places, including a large electronics firm in the Netherlands, a Swedish online gaming company (169GB of files including source code and player usernames and passwords), a Lithuanian gaming company, and other companies in Germany, Belgium, the Netherlands, an Australian defense contractor (320GB of data!), a South Korean shipbuilding company, an Australian solar energy company, a Spanish defense firm, and a UK AI firm focused on cancer research.

The Hackers' MSS Connection

The DOJ indictment mentions the Ministry of State Security 19 times, specifically referring to an unnamed "MSS Officer 1." 

"After stealing data and information from their victims and bringing that data and information back to China, Defendants then sold it for profit, or provided it to the MSS, including MSS Officer 1." 

"Li and Dong did not just hack for themselves. While in some instances they were stealing business and other information for their own profit, in others they were stealing information of obvious interest to the PRC Government's Ministry of State Security ("MSS"). LI and DONG worked with, were assisted by, and operated with the acquiescence of the MSS, including MSS Officer 1, who was assigned to the Guangdong regional division of the MSS (the Guangdong State Security Department, "GSSD").

"When stealing information of interest to the MSS, LI and DONG in most instances obtained that data through computer fraud against corporations and research institutions. For example, from victims including defense contractors in the US and abroad, they stole information regarding: military satellite programs; military wireless networks and communications systems; high powered microwave and laser systems; a counter-chemical weapons system; and ship-to-helicopter integration systems. 

In other instances, the Defendants provided the MSS with personal data, such as the passwords for personal email accounts belonging to individual Chinese dissidents, including:
  • a Hong Kong community organizer
  • the pastor of a Christian church in Xi'an
  • a dissident and former Tiananmen Square protestor
  • emails to and from the office of the Dalai Lama
  • emails belonging to a Chinese Christian "house" church pastor in Chengdu (who was later arrested)
  • emails from a US professor and organizer
  • two Canadian residents who advocate for freedom and democracy in Hong Kong
MSS Officer 1 assisted LI and other hackers.  When LI had difficulty compromising the mail server of a Burmese human rights group, MSS Officer 1 provided him with 0day malware for a popular browser which exploited a bug not known to the software vendor or security researchers.

MSS Officer 1 claimed to be a researcher at the "Guangdong Province International Affairs Research Center" but in fact was an intelligence officer working for the GSSD at Number 5, 6th Crossroad, Upper Nonglin Road, Yuexiu District, Guangzhou.

Example Tools and Techniques 

In several attacks in 2018, the attackers targeted ColdFusion vulnerabilities published that year (CVE-2018-15961), attempting to gain access to CKEditor and the associated FileManager, using a ColdFusion web shell program named "cfm backdoor by ufo."  (This tool was actually used in a cool Canadian Government training on APT groups, although in their training it was an Iranian hacker group using the tool.)

In some cases, the hackers were clearly operating for personal profit, sometimes sending emails with subjects like "Source Code To Be Leaked!" and demanding a ransom payment to prevent publication of the victim's software.

COVID-19 Targeting

On January 25 and 27, 2020, Li searched for vulnerabilities at a Maryland biotech firm who had publicly announced their role in researching a potential COVID-19 vaccine.

On February 1, 2020, Li searched for vulnerabilities in the network of a California biotech firm that had announced the previous day they were researching antiviral drugs to treat COVID-19. 

On May 12, 2020, Li searched for vulnerabilities in the network of a California diagnostics company publicly known to be developing COVID-19 testing kits. 

On June 13, 2020, Li conducted reconnaissance related to a Virginia defense and cybersecurity contractor, Hong Kong protestors, a UK messaging app used by HK protestors, a webmail provider used by HK protestors, a Massachusetts biotech firm, and a California space flight firm.

Sunday, July 05, 2020

Hushpuppi and Mr.Woodbery, BEC scammers: Welcome to Chicago!

There are quite a few West African scammers who try to explain away their wealth by claiming to be a "bitcoin entrepreneur" or "real estate investor" when in fact they conduct Business Email Compromise scams against American companies and Romance Scams against vulnerable women, and steal their money.  Back in October, one such criminal, Ismaila Mustapha, who went by the Instagram nickname Mompha, was arrested, and I mentioned it in a tweet:


Replying to my own tweet, I said "Maybe they'll get his friend #Hushpuppi next ??" and linked to his Instagram account, tagging @officialEFCC in the post.  My posts received the most attention of anything I had ever shared on Twitter, which I learned was because of some headlines in Nigerian media such as these:

(Headline: Mompha is a Top 10 BEC Scammer)
With all of the attention of 4,000+ new Nigerian Twitter followers, I have to admit it felt a bit prophetic when we learned of Hushpuppi's arrest on June 10th.  I shared these images from their respective Instagram accounts that day.

Ever since their arrest by Dubai Police on June 10, 2020 in the UAE, Nigerian media has been going crazy with theories on what was going to happen to Hushpuppi and Mr.Woodbery.  The original posts said that Hushpuppi was arrested in the UAE "by Interpol" (which has no arresting authority) for his role in a $35 Million ventilator scam.  Other versions say he was involved in "fraud and money laundering of over $100million which was supposed to be given to Native Americans during the Coronavirus Pandemic."  More recently, Nigerian media claimed that the pair were already in the United States in Moshannon prison and that Woodbery had fallen sick there.

The EFCC, Nigeria's government anti-corruption agency, put out a thread of Tweets on June 18th confirming that they were cooperating with the FBI to try to identify additional victims and to investigate parts of his money laundering empire that are still in Nigeria.  In the thread they called him "Nigerian most-wanted hacker, Ramoni Igbalode, alias Ray Hushpuppy."

The Dubai police called their case against Hushpuppi "Operation Fox Hunt 2" -- in the video they mention seizing 21 laptops, 47 phones, 15 USB drives, 5 hard drives, 119,580 files, and 13 cars!

An English version of the Fox Hunt 2 video is available on Vimeo here (click to play):

The video also makes clear that while only two "celebrity-level" hackers were arrested, there were actually at least twelve other people arrested in Dubai that night during six raids.  The video claims that they had information on 1,926,400 victims!

Who knows their names?  Please answer in the comments below ...

Hushpuppi and MrWoodbery Charged in the United States

In the United States, when charges are brought, they are brought for victims within the jurisdiction where the case is filed.  Rather than listing every possible crime, the staff of the top prosecutor in that district, known as Assistant United States Attorneys, bring charges for crimes where the victims or the activities were within their jurisdiction.  Because of the prominence of these cases, a cybercrime special prosecutor from the Cyber and Intellectual Property Crimes Section of the Department of Justice is assisting in prosecuting them.  Hushpuppi is being charged in Los Angeles, California, and Mr.Woodbery (Jacob Olalekan Ponle) is being charged in Chicago, Illinois.  Both men arrived in Chicago on 02JUL2020 after being expelled from the United Arab Emirates.

Click to read Northern District of Illinois Press Release

Click to read Central District of California Press Release

Chicago Case vs. Mr.Woodbery 

In the Chicago case, there are two primary victims that establish venue there.  Victim Company A lost $2,300,000 USD.  Victim Company K lost $15,268,000 USD.  Jacob Olalekan, whom the FBI refers to as "PONLE," is said to have received at least 1,494 Bitcoins from the latter operation, which at the time would have had a value of $6,599,499 USD!

In their investigation, the FBI found that Ponle used US-based "money mules" -- criminals who are paid to open bank accounts on behalf of a scammer.  One of these mules said that he received his instructions from someone he knew as "Mark Kain."  Mark Kain used a voice over IP telephone number issued by the company Dingtone.  Since Dingtone fully cooperates with law enforcement, investigators were able to quickly learn that this number was paid for by someone using the South African telephone number +27 793 837 890.

The Money Mule also indicated that he made transfers to a Bitpay bitcoin account with the wallet id 16AtGJbaxL2kmzx4mW5ocpT2ysTWxmacWn.  Bitpay, who also cooperated with law enforcement, was able to show this account was created in September 2015 and that the account owner used the email address "hustleandbustle@gmail.com."

The next step in the investigation was to ask Apple about those telephone numbers and email addresses.  Apple, who can provide law enforcement with all information about any iPhone, shared with the FBI that the telephone number +27 793 837 890 belonged to Jacob Olalekan, who used the hustleandbustle email while logged in from that telephone.  Apple was also able to provide a photo of a Nigerian passport in the name "Olalekan Jacob Ponle" born May 1991 in Lagos, Nigeria, and also a photo of a UAE Visa and a UAE Resident Identity Card in the same name.

(Images: Ponle Nigerian passport; Ponle UAE Resident Card; Ponle USA)

The FBI has contents of many WhatsApp chats that Ponle had with various scammers and money mules he worked with. 

In addition to Ponle's Chicago crimes, he also committed many others that are documented in his case:
- 16JAN2019 - $188,000 fraud against a company in Des Moines, Iowa.
- 04MAR2019 - $415,000 fraud against a company in Great Bend, Kansas.
- June 2019 - attempted $19,292,690.30 wire for a company - stopped by JP Morgan Chase!
- September 2019 - the FBI took over the accounts of one of the former money mules and received instructions from Ponle to open a new bank account.  The FBI opened the account, but stopped a $1.2 million fraudulent transaction from occurring.

These details and more can be found in the Criminal Complaint against Olalekan Jacob Ponle.

Money Laundering via LocalBitcoins

The big Chicago case happened on 11FEB2019 - a $2,300,000 fraud against a Chicago company. In that case, the money was sent to a six-month-old personal checking account opened by the money mule.  He then moved $2.1 million into a SilverGate bank account belonging to Gemini Trust, a cryptocurrency exchange.  The mule then tells Ponle that the funds will be moved to him $500,000 USD at a time, and asks him for his bitcoin account.  The mule says "we are sending you 340 bitcoins and the rest is coming."

All of this is easy to confirm by looking at the blockchain.  I use CipherTrace for Bitcoin analysis.  It shows that over the lifetime of this Bitcoin address, 3,798.20832689 BTC were received by the account Ponle claims as his own, in 434 different transactions.  (At current Bitcoin values, that would be $34,315,216 USD!)  You can clearly see the 340 Bitcoin transaction being received from Gemini.com on 15FEB2019:

(Screenshot: MrWoodbery/Ponle Bitcoin account receiving stolen funds)
Right after this transaction, you can see that MrWoodbery sent 611 Bitcoin (currently worth $5,522,495 USD!) to Bitcoin wallet 15go6kCncrhkt6z2ziQr6W39SVpyZ52tpM, from which the funds were sold off bit by bit in LocalBitcoins.com transactions.

40 BTC on 16FEB via LocalBitcoins.com 
15.7 BTC on 16FEB via LocalBitcoins.com 
5 BTC on 17FEB2019 via Luno.com 
56 BTC on 17FEB2019 via LocalBitcoins.com 
23 BTC on 18FEB2019 via LocalBitcoins.com 
30 BTC on 18FEB2019 via LocalBitcoins.com 
15 BTC on 18FEB2019 via LocalBitcoins.com 
30 BTC on 19FEB2019 via LocalBitcoins.com 
29 BTC on 19FEB2019 via LocalBitcoins.com 
22 BTC on 19FEB2019 via LocalBitcoins.com 
Along the way some smaller transactions were made, such as spending 0.03 BTC at UniCC, a stolen credit card shop.
The BTC transactions to LocalBitcoins then stay small, 1-3 BTC per transaction, until 09MAR2019 when he sells 35.9884 BTC on LocalBitcoins.com.

By June of 2019, the funds which had not been converted to cash via LocalBitcoins were primarily deposited at Huobi Global, a cryptocurrency exchange originally founded in China but now with offices in Singapore, Hong Kong, Korea, Japan, and, oh yes, the United States!

The Los Angeles Case Against HushPuppi

At first it may not be obvious why the HushPuppi case is in Los Angeles, as one of the largest victims is a New York based company, from which Ramon Abbas (aka Hushpuppi) is accused of stealing $922,857 USD in a Business Email Compromise scam.  The Los Angeles FBI came to have possession of an iPhone which contained many communications between the owner of that phone and Abbas.  During the laundering of the funds from the New York based company, at least $396,050 was laundered by a second money mule, who opened bank accounts in Los Angeles, giving the Los Angeles FBI venue on the case.

The iPhone showed many communications to the Dubai-based number +971 543 777 711.  This phone was listed in the iPhone contacts under the name "Hush"; there was also a Snapchat contact with this number under the name "hushpuppi5" whose account called himself "the Billionaire Gucci Master!!!"   The FBI's review of Hushpuppi's Instagram account found a post where he listed his own Snapchat account as "Hushpuppi5."

Instagram, who fully cooperates with law enforcement, provided to the FBI that the Instagram account used the email "rayhushpuppi@gmail.com" and the phone number +971 502 818 689.  The account was created October 10, 2012 and had many logins from the UAE.

Snapchat, also a US based company who fully cooperates with law enforcement, provided that the Hushpuppi5 account used the same email as the Instagram account, rayhushpuppi@gmail.com and a different UAE telephone number +971 565 505 984.  

The Gmail account (Google is a US based company which fully cooperates with law enforcement) revealed that an Apple account was created on 29MAR2014 in the name Ray Hushpuppi, and used both the gmail account and the account "rayhushpuppi@icloud.com" and another gmail account.

The other Apple account found used the name Godisgood Godson and the gmail account "godisgoodallthetime0007@gmail.com" but often used the name "Ramon Abbas" in account records, giving the mailing address "1706 Palazzo Versace, Dubai, UAE."  The rayhushpuppi@gmail.com account was used to lease that property from 04APR2020 through 03MAY2021.  

Through a combination of IP address login records and telephone login records, all of the above accounts could be clearly shown to belong to the same individual.

The emails also contained items such as copies of Abbas's Nigerian passport and UAE Resident card, which further confirm these accounts were under his personal control.  Receipts for large wire transfers, including $250,000 and $2,397,000, were found in the emails, linking Abbas in the latter case to the Chicago Mr.Woodbery case above.

Other indicators included proof that Abbas picked up wire transfers from Western Union in the UAE in 2018 and MoneyGram transactions in the UAE, all using his UAE Resident card. 

Malta Bank Job

In addition to the New York law firm case, Abbas also discussed a foreign financial institution case where €13 million was stolen ($14.7 Million USD); the co-conspirator in Los Angeles asked for accounts which could receive "5m euro," which Abbas provided by sending information for a Romanian bank account.  Abbas communicates with the group that is trying to launder the money, and confirms receipt of €500,000.

Although it is not stated in the FBI paperwork, this was the Bank of Valletta, mentioned in the headlines of the Times of Malta.  The hackers boast that the bank had not yet noticed their activity and that they were going to hit it more the following day.

The Prime Minister of Malta issued a statement to the public that although "Hackers sought to make international transfers to banks in the UK, US, Czech Republic and Hong Kong. The transfers were blocked within 30 minutes and the banks alerted." A follow-up report a week later in the Times of Malta detailed how a bank employee believed he was responding to an email from a French government stock market regulator, but the attached Word document actually planted malware on the banking system, allowing the hack to move forward.  The Times of Malta said the attack was thought to be the work of a hacking group called "EmpireMonkey," which has been linked by other cybercrime researchers to CobaltGoblin and even the Carbanak group.  (See for example this Kaspersky article: "FIN7.5: the infamous cybercrime rig continues its activities.")

This last example illustrates that once someone begins to operate at the level of Hushpuppi, they are often most useful as someone who has the network to establish bank accounts to receive stolen funds.  It is extremely unlikely that Hushpuppi has the hacking skills to pull off a Bank of Valletta attack -- however, he had the reputation of being someone who could provide accounts capable of receiving 5 million Euro transactions, so criminals reach out to him to fulfill that need.