Tuesday, June 25, 2024

$50 Million in BEC Losses

The Eastern District of New York has announced charges against four men for their roles in a Business Email Compromise (BEC) and romance scams. 

https://www.justice.gov/usao-edny/pr/four-individuals-charged-connection-business-email-compromise-schemes-and-related-0

The US Attorney's Office press release states: 

Defendants Allegedly Participated in Fraudulent Schemes That Resulted in More Than $50 Million in Losses by Victims in New York City and Across the Country

Today, indictments were unsealed in federal court in Brooklyn charging four defendants for their participation in a series of fraudulent business email compromise (BEC) schemes and related romance schemes that resulted in more than $50 million in losses by individuals and small businesses located within the Eastern District of New York and throughout the United States. 

The first defendant, Animashaun Adebo, also known as Kazeem and Kazeem Animashaun, was arrested in Chicago and posted $1 million in bail on the surety of three co-signers, including Toyosi Abdul who appeared in person on 20JUN2024.  He is charged in an indictment along with Idowu Ademoroti, with five unnamed co-conspirators -- three from Nigeria (one living in the US), one from Cameroon (living in the US), and one from Germany (living in the US.)  ADEMOROTI is described as being 31 and living in Milwaukee, Wisconsin and Atlanta, Georgia. 

Adebo and Ademoroti are charged with operating an illegal money transmitting business and receiving and laundering funds from BEC and Romance Scams, including real estate transactions.  One example is from a July 2021 real estate deal where a home was being purchased in Brooklyn, New York.  A wire for $450,000 was misdirected after fraudulent emails told the buyer to wire the funds to the wrong location.  The funds were then used to write three cashier's checks payable to Q&A LLC, a corporation registered to ADEMOROTI. 

Wisconsin.gov: Q&A LLC Entity ID: Q005966, created 31JUL2020


A second example followed the same model, with $1,319,669 being wired to the wrong location for the purchase of construction equipment. Some of those funds were used to purchase three luxury wrist watches for $319,000 which were provided to ADEBO.  

In a third example, a worker in a veterinarian clinic was convinced to send pharmaceutical payments to the wrong bank account, and made payments of $459,453 (around 24MAY2021) and $1,117,036 (around 03JUN2021) to the wrong address.  Those funds went to a bank account belonging to a romance scam victim! The victim believed he was in love with a "Nicole Newton" who was using a variety of schemes to extract money from him. These funds were used to send wires, write checks, and purchase and transfer cryptocurrency.  Two of those checks, for $137,500 and $157,300, were sent to Q&A LLC, at a Chicago address and deposited into accounts controlled by ADEMOROTI. 

In a fourth example, a California title insurance company was convinced to wire $3,920,275 to a fake escrow attorney related to a legal settlement between two companies. Some of these funds were also sent, at ADEBO's direction, to Q&A LLC in Chicago.  Many of these funds were converted to Naira and deposited into bank accounts in Nigeria. 

Nigerian Co-Conspirators Unveiled

Noguan Marvellous Eboigbe, who used aliases Randall Olson, Martin Roberto, and Carlos Eduardo, lived in Nigeria and was the one who conducted the email scams mentioned above.  In once case he posed as the lawyer Randall Olson, with email randallolson648@gmail.com to give the false information for the payment of construction equipment.  In another, he used the email olsonrandalls@aol.com to send an additional $500,000, also for construction equipment.  Using the email mroberto@martirosoft.com and the name Martin Roberto, he caused $1.2 Million to be misdirected.  Using the email "c.eduardo@carsotecnologia.com" he caused a $3.9 Million payment to be misdirected.  In interactions with six victim law firms, EBOIGBE cause more than $10 Million to be sent to the wrong bank accounts, some of which flowed into the accounts of the other co-conspirators. 

Nelson Ojeriakhi used aliases Ojeey Mami and Oba Millie to conduct BEC scams, claiming to be a lawyer and using the email closingoffices@gmail.com, OJERIAKHI caused a New York based couple to wire $450,000 to the wrong account.  The indictment demonstrates that at some point OJERIAKHI or his co-conspirators were able to access the real estate broker's email account and add mail rules causing any emails from the legitimate parties in the transaction to be deleted. 


The indictment against OJERIAKHI shows several additional examples with victims being tricked into misdirecting funds including another $690,000, $114,000, and $120,000. 

Strange Co-Conspirator: the 79 Year Old Woman from Germany 

The German co-conspirator charged in this case was Franziska Von Greve-Dierfeld, who was 79 years old.  In April 2021, Franziska created a Chicago-area bank baccount for a company called Enbro LLC, claiming she was in the business of wholesale fabrics and furniture.  The accont received multiple deposits, none of which were related to the stated business purpose.   $360,000 from an attorney in Seattle, Washington, $340,000 more from the same attorney.  $996,240 from an organization in Philadelphia.  Franziska created additional businesses and opened accounts at aditional banks, also receiving, for example, two wires totaling $2,277,090.99 from a grocery store in Iowa; $910,000 from a jewelry store in Queens, New York, and $93,700 in a cashier's check.  She was arrested on 25MAY2022 in Pennsvylvania and released 23AUG2023 with the sentence of "time served" and a forfeiture order for $2.3 Million before being "Judicially Removed" from the United States and sent home to Germany. 

I anticipate that as this case moves forward, we'll find Franziska was a Romance Scam victim who got caught up in the conspiracy. 



Monday, June 24, 2024

Millions and Millions of Fraud Domains: China attacks Illegal Gambling and Telecom Fraud

Last week I was reviewing a publication by the United Nation Office on Drugs and Crime published in January 2024, titled "Casinos, Money Laundering, Underground Banking, and Transnational Organized Crime in East and Southeast Asia: A Hidden and Accelerating Threat."

(URL to the UNODC report: UNODC: Casinos, Money Laundering, Underground Banking ... full report)

(URL to the USIP report: https://www.usip.org/node/160386 )


The reason I was looking into the report is that this 106 page report is about how Chinese organized crime has planted themselves in Casino complexes across Cambodia, Indonesia, Lao PDR, the Philippine, Thailand, and Viet Nam. The same modus operandi that we associate with the crypto investment scams that use the horrible name "pig butchering" to describe the financial grooming that leads to the complete financial devastation of so many Americans. In fact, I discovered the UN report, only by seeing it quoted in he report by the United States Institute of Peace, "Transnational Crime in Southeast Asia: A Growing Threat to Global Peace and Security" where it was mentioned in a footnote.


Examining Chinese Ministry of Public Security reports

The UNODC report shares statistics from a Ministry of Public Security of China note, without providing a URL, that "between January to November 2023, authorities in the country successfully resolved 391,000 cases related to telecommunications and network fraud, totaling the arrest of 79,000 suspects, including 263 'backbone members or paymasters' of cyberfraud groups" (in the countries mentioned above.) This included:

  • interception of 2.75 BILLION fraud calls
  • interception of 2.28 BILLION fraud messages
  • the removal of 8.36 million fraud-related domain names
  • and 328.8 billion yuan (US $46 billion) in funds related to fraud cases.
Since I am working on a project that we call "Twenty Targets for Takedown" that is attempting to shut own illicit websites by terminating their domain registrations and hosting arrangements, the number "8.36 million fraud-related domains" made me shudder. I am fortunate to count among my network some of the leading experts in domain-name related fraud and abuse, the number seemed overwhelmingly high, and I asked my colleagues from CAUCE, the Coalition Against Unsolicited Commercial Email, for assistance in looking into it. One quick opinion was that this could include a definition of domain name that would be more akin to a hostname, similar to what we have on Blogspot. "garwarner.blogspot.com" is a hostname on the domain "blogspot.com" ... but some would call it a "fully qualified domain name" and consider it a separate FQDN than other xyz.blogspot.com or abc.blogspot.com "domains." John Levine helped me solve the "did they really mean millions, or is this possibly a bad translation" by helping me find the Ministry of Public Security site where the article was coming from and share several updated versions of these statistics.


18 Million Websites! 

The latest article we can find, dated 31MAY2024, quotes Li Guozhong ( 李国中 ) the Spokesman for China's Ministry of Pubic Security describing their successes over the past five years.  In 2021, they established a National Anti-Fraud Center which sent out 660 million notices and were able to help stop fraud against 18.44 million people. This most recent article, which is focused on fraud and doesn't mention gambling at all, says that they have "handled 18 million domain names and websites."  That's a machine translation of ( 处置涉案域名网址1800万个 ).  I can confirm the 18 million ... written as 1800 ten thousands - 1800万个.  Handled is perhaps better rendered "disposed of" 处置  (Chǔzhì).  Still unsure how to interpret 域名 ( Yùmíng - Domain name) 网址 (Wǎngzhǐ - website), but I think for now, I'm going to assume it means "URLs" or "FQDNs" as opposed to only registered domains 

The Anti-Fraud Center has intercepted 6.99 billion fraud calls and 6.84 billion text messages and intercepted 1.1 trillion yuan of funds. At current exchange rates, that would be around $151 Billion US Dollars!   

Just since July 2023, 49,000 cyber fraud suspects have been transferred to China from northern Myanmar. 82,000 criminal suspect have been arrested, including 426 key "financial backers" behind the fraud groups.  

Several maps help to demonstrate what's going on in Southeast Asia: 
(Source: Figure 1 from the afore-mentioned USIP report) 

Source: afore-mentioned UNODC report -- note the Myanmar/China border, which is where most of the Chinese rescues and raids have been conducted.

How Much Fraud? $64 Billion to $157 Billion per year!


The US Institute of Peace report estimates that there are as many as 500,000 scammers deployed in the region, earning potentially $64 Billion per year in fraud. The methodology they used for this calculation came from the UNODC report above. On p. 55 of that report, the UN said that they estimated each scammer was earning between $300 and 400 per day, and that they believed there were 80,000 to 100,000 scammers working six days per week in one unnamed Mekong country.  Using that estimate, they gave a "range" of $7.5 Billion to $12.5 billion in scam revenue for that country.  These numbers were calculated consistently with a Chinese MPS report about an initiative they called "Operation Chain Break" which estimated that scam compounds, including gambling and cyber scams, were generating $157 Billion per year. 

China's Ministry of Public Security is actively conducting military style raids to help recover these fraud suspects from northern Myanmar, where China shares a long border with the country, which remains deeply embroiled in a state of civil war. MPS is also working collectively with other Southeast Asian countries and says it has "destroyed 37 overseas fraud dens." 

China Launches Month of National Anti-Fraud Action

Today (24JUN2024) China launched a new month-long "National Anti-Fraud Action" with a nation-wide campaign that declares "Beware of new fraud methods and don't be a tool for telecom fraud."  The campaign uses what China calls a "Five-In" approach, meaning that Chinese citizens will see and spread anti-fraud messages in Communities, Rural Areas, Families, Schools, and Businesses.  Students will be provided materials to share with their families, Employees will be encouraged to share anti-fraud messages and materials with their families and communities, and Chinese Communist Party offices in rural areas and civic organizations will make sure the message is spread in those areas as well. The materials being prepared will be written separately to address the awareness needs of merchants, accounting personnel, minors, and the elderly, describing each fraud typology and helping to describe methods to safeguard from these typologies. A major objective will also be to help understand how to avoid becoming a "tool" or an "accomplice" of these fraud rings, who prey on the financially vulnerable to help them launder the proceeds of their crime.  The Ministry of Public Security will jointly publish the "Overseas Telecom Network Fraud Prevention Handbook with the Ministry of Foreign Affairs and the Ministry of Education to help improve prevention awareness especially for overseas students and diaspora Chinese communities. Major news media and new media platforms will continuously feature anti-fraud reports to strengthen and educate the public on fraud prevention and "continue to set off a new wave of anti-fraud among the whole people the whole society." 

Gee, doesn't that sound like REACT's Erin West and Operation Shamrock -- but with the full cooperation of the Government and Society? 

The announcement of the month of National Anti-Fraud Action concludes with some more recent statistics about the work of the National Anti-Fraud Center.  Just since 2023, today's report says that they have: 
  • pushed out 420 million warning and dissuasion instructions
  • met with 14.77 million people face-to-face to give warnings 
  • made 310 million phone calls to warn vitims 
  • sent 230 million dissuasion text messages
  • intercepted 3.7 billion fraud calls 
  • intercepted 2.96 billion fraud-related text messages
  • blocked 11.619 million fraud-related domain names -- BLOCKED - this may mean "prevented access via Chinese Internet -- which may mean the sites are still available to victimize foreigners
  • intercepted 452.9 billion yuan of funds ($62 Billion USD) 
What does this mean to those of us in the United States?  If China is doing an all-hands "Five-In" awareness campaign and deploying police for face-to-face dissuasion, the fraudsters may very realistically need to INCREASE their targeting of overseas victims to make up for the projected revenue hit this new effort may create. 

To quote Director Easterly at CISA: SHIELDS UP! 

Tuesday, March 26, 2024

BEC Scammers Adventures on the Run

 Last week the case of Valentine FOMBE was finally brought to a close. FOMBE was sentenced to 144 months in Federal prison and ordered to pay $325,856 in restitution to victims of Business Email Compromise scams that he conducted from 2016 to 2018.  The various court documents present nearly as many puzzles as the sentence answers. Chief among them, what happened to the co-conspirators? and why have they not also been sentenced? 


The indictment against FOMBE, OWOLABI, and ADEOYE demonstrates that they conducted Business Email Compromise #BEC scams against businesses in California, Tennessee, Michigan, Hawaii, Illinois, and California, as well as Check fraud against the Home Equity Line of Credit #HLOC accounts of some residents of Florida, Hawaii, and California.

The scams ran from 2016 until 2019 using many shell accounts established by FOMBE and his crew. FOMBE is from Cameroon and came to the US in 2013. In May 2016 he began conspiring with Bernadette ATTIA and Gbenga OWOLABI to conduct BEC scams. Homeland Security Investigations stated that the attempted losses were $2,036,064 from at least 22 victims and actual losses were $547,310.23 to 11 victim individuals and businesses, with many other identity theft victims.


The indicment and assorted court documents are full of communications between the parties such as this one, where an unnamed co-conspirator and FOMBE discuss opening a new PayPal account and a "Sunny" (which is a SunTrust bank account.) 


OWOLABI shares an invoice for $49,671.90 via Whatsapp and receives directions for how to wire the funds to an account in the name JBS Holding at Woodforest bank. Another JBS Holding account was at SunTrust and received $86,116.51 from another BEC victim. 


ADEOYE is listed in the indictment as having opened a mailbox at a store in Lutherville, Maryland in the name of one of the Ohio BEC victim companies, and on the same day, opening a Bank of America business checking account in the company's name.  ADEOYE sent those details to OWOLABI via WhatsApp and one week later a $96,000 check from one of the victims was deposited into the account. He did the same for Ohio Company 2, and that BofA account soon received a $57,000 wire from another victim and later $50,500 from yet another victim. 


The shell companies created by FOMBE and his crew included:

  • ABC Auto & Credit Solutions - $80,450.89 intended loss - $15,801.18 actual
    (bank accounts at Capital One and SunTrust)
  • Stars S. Peoples Republik LLC - $262,580 intended loss - $$9,257.34 actual 
    (bank accounts at SunTrust) 
  • Swift Transfer LLC - $248,400.62 intended loss - $98,555.16 actual 
    (bank accounts at BB&T and SunTrust) 
  • Best Alter Solutions - $8,034.86 actual loss 
    (bank accounts at PNC Bank and TD Bank) 
  • Bianka Ventures - $128,765 actual loss 
    (bank accounts at SunTrust)
  • Xena Ventures - $290,662.27 intended loss ( $0 actual as funds recovered) 
    (bank accounts at SunTrust) 
  • Mbi Fuo B. Attia - $66,019 intended loss - $50,000 actual loss 
    (bank accounts at SunTrust)
  • JBS Holding LLC - $417,752.36 intended loss - $81,151.47 actual 
    (Bank accounts at Woodforest National Bank and SunTrust) 
  • Vincent's Mass Gutters - $386,100 intended loss - $90,745.22 actual 
    (bank accounts t Bank of America) 
  • PSP Holdings - $130,750 intended loss - $65,000 actual 
    (bank accounts at SunTrust)

(BEC intended losses - many wires were reversed/recovered - actual losses $490,559.19)

    
(Check fraud intended losses - Actual losses was $56,751.04)

The total actual losses for the case were $547,310.23, of which FOMBE would be held responsible for $325,856 in his eventual sentencing. 

FOMBE: A Bad Place To Park

The case actually started when FOMBE was stopped by the U.S. Park Police while idling along the BWI highway in a car with Texas Buyer temporary plates that were altered. FOMBE had 18 credit and debit cards in a variety of names, as well as driver's licenses with his photo and two other names (Mark Johnson and William Adewale). This led to Attia's apartment being searched, who was also found to have documents and cards in other names, including a fake passport with her photo and another's name. 

There was prior history, however. In the government's sentencing memo they describe it as 
"The Defendant's fraudulent conduct did not stop with this wire fraud and money laundering conspiracy. Every ounce of the Defendant's existence was fraudulent.

While FOMBE was living in the Arbors at Arundel Preserve, his landlord accused him of fraud and terminated his lease.  He had claimed to have a $6,000 monthly income from ABC Auto & Credit Solutions, which was false, and paid his rent with credit cards that were not in his name. He abandoned the property leaving behind two fake ids and ten bank cards all in the names of others, as well as bank statements for numerous accounts related to his fraud. 


After purchasing a Porsche for $40,000 with ill-gotten funds, he traveled to North Carolina and rented a car where he staged an accident to try to total the Porsche and claim insurance. He was charged with insurance fraud in North Carolina.

While living at Avalon Russett apartment in Laurel, Maryland, FOMBE was again going to be evicted and again abandoned the property, this time leaving behind 50 blank credit cards, two mag-stripe readers and a credit card writing machine. The land lord also found multiple credit cards in the names of people not on the lease. 

 On 25SEP2019, when the police came to execute a warrant at FOMBE's house, his wife, Ossele Massaba, texted him "the police here" and he fled the country. When Fombe's wife was returning to the US in May 2022, her phone was searched and was found to have a photo of Fombe on a Honduran passport in the name "Rosnell Eduardo Martinez Garcia." This was used to find that "Rosnell Garcia" was living in the UK, where he was arrested 06AUG2022.



During that time abroad, FOMBE lived in Mexico, Honduras, and the UK, and conducted an additional $1.7 Million in fraud against the US Government through an Unemployment Insurance scam. He sent instructions and identities to Massaba, who filed 88 claims in Maryland using the email Email6543@yahoo.com and received $535,172 in UI benefits. They filed an additional 108 claims using Mail9850@yahoo.com. Altogether, Maryland paid them $1,708,256.  (These fraud filings are not part of the current case.)

Zack Abolaji Adeoye

Zack Adeoye was already known to Maryland police before this case came up. 

In March 2019, the local newspaper "Trib Live" shared the headline "Maryland man arrested in Hempfield in $112k computer sting." According to that article, Adeoye, "a native of Nigeria who now lives in Upper Marlboro, MD" went to a FedEx facility to pick up a shipment of 28 MacBook Pro laptops valued at $112,454.  He was arrested and held in the Westmoreland County Prison after failing to post $100,000 bail. Undercover state troopers had been tipped off that Adeoye had set up a bogus line of credit claiming to be the CFO of an Illionois firm that had ordered the laptops. He had already successfully gotten away with 30 laptops, but undercover agents were in place when he went to pick up the second shipment. Adeoye entered the facility by showing a fake FedEx employee badge. State Trooper spokesperson Steven Papuga told the Trib that Adeoye had a previous record for Identity Theft in the state. 


ADEOYE first appeared in court related to the current case on 11OCT2019 and was released on 15OCT2019 with electronic monitoring and an order not to use the Internet and that all Internet-capable devices must be removed from the home. He was arraigned on 12NOV2019 and entered a NOT GUILTY plea. His conditions of release were modified to allow him to leave the home for religious services.

On 02OCT2020 "superseding information" was filed by the court detailing more actions of his crimes and he changed his plea to Guilty.  He was scheduled to be sentenced on 21MAY2021. And 19JAN2022. And 19APR2022. And 02DEC2022. As of this writing, he has not been sentenced. 

Just after his guilty plea, a photo of ADEOYE was posted greeting him on his 50th birthday using his full name, Abdulrasak (from which, Zack) Adeoye "Zacophonic" and praising him for his "fatherly role on your brothers."  

Even after his guilty plea, Zack continued in business, creating a new corporation, "Zacophonic Home Inc" on 12JUL2022 using his Upper Marlboro, MD address. 

The Tragedy of GBENGA OWOLABI

The third party in this case, Gbenga Owolabi, barely appears in the court record after the indictment.  There is no record of him appearing in court or having been arraigned.  On 18NOV2019, the court mentions that some $13,055 in U.S. currency was seized from his apartment at 1624 Bluestone Street, Apartment E, in Hanover, Maryland following a search conducted on 25SEP2019. 

As is often the case, it is difficult to tell what occurred when Owolabi fled to Nigeria. 

According to local media OWOLABI had moved to Canada where he studied Information Systems at Humber College in Toronto.  He later moved to Maryland where he worked as a Financial Analyst for Alpharma Inc before moving to Cyhosting Corporation, which he founded in May 2000. He also ran Tanatek Inc, a website design company, and according to the Nigerian press, served as its CEO until his death.
A profile of Olugbenga Owolabi ran in Neusroom in his hometown.

In 2016, OWOLABI started building a hotel called Tana Suites in Abaa, Oyo State, Nigeria, which was completed and opened in December 2021.  He returned to Nigeria on 20JUL2022 and when he arrived at his hotel on 28JUL2022, he and a 21-year old female employee were kidnapped. There were two other abductions close in time to this date.  On 16JUL2022, a farm supervisor, Christopher Bakare was kidnapped and released after paying a ₦5 million ransom, then 22JUL2022, the owner of Titilayo Hospital was abducted and released on 26JUL2022 after also paying a ransom. 

OWOLABI's brother led the negotiations and eventually raised ₦5m ransom, although the kidnappers were demanding ₦50m ransom, believing OWOLABI to be a wealthy American. 
As a sign of how the Nigerian economy has crashed recently, 50 Million Naira in August of 2022 would have been $120,000 USD.  Today it would be $36,000.

The Alabaa of Abaa (a local tribal authority) found a volunteer to deliver the ransom on motorcycle. When he arrived, the gunmen killed the driver as well as Gbenga Owolabi and his hotel emplooyee Racheal Opadele.  The autopsy showed that Owolabi had been extensively tortured before being killed. 

The U.S. government received permission to attend the autopsy at LAUTECH Teaching Hospital and identify the body, and escorted the body back to Maryland for burial, where it was first also re-identified at the Delaware State Military Hospital.

Olugbenga David OWOLABI was kidnapped on 28JUL2022 and killed 02AUG2022. While the Nigerian police originally charged his brother, Femi Owolabi, with the kidnapping and murder, who confessed to the deed.  Later, the family helped him to recant of his confession, and the crime has instead been assigned to "Fulani herdsman" - a favorite boogie man of Nigerian culture.