Wednesday, December 04, 2019

Air Peace CEO charged with millions in money laundering re-buying planes he already owns

The Department of Justice announced last week that they were indicting the CEO of Air Peace for bank fraud and money laundering.

I had some difficulty finding the indictments for this case on PACER.  It turns out I couldn't find it in PACER because the court system decided that "Allen Ifechukwu Athan Onyema" should be listed in PACER with the last name "Athan Onyema", not "Onyema."

A friend shared a copy of the indictment from, which has had some interesting articles, such as this one:

Why we ain’t castigating Allen Onyema, by militant group

which says in part "We expect Allen Onyema to put up a good defence for himself. So far, no American bank has accused him of defrauding or absconding with its money. He is innocent until proven guilty." ... which just shows that the Joint Revolutionary Council's spokesperson also didn't read the court documents, because that is EXACTLY what he is accused of!

Onyema is well-loved by many, earning wide admiration and praise for recently using his planes to repatriate many Nigerians who found themselves being shunned by xenophobia in South Africa, as was described in this BBC Pidgin article:
(from @flyairpeace's Instagram account)
Reading the indictment was VERY interesting.  I had previously suggested on Twitter that Onyema was buying imaginary airplanes, but that was NOT the case!  The airplanes are REAL and various plane spotter types have the planes with those Manufacturer numbers listed as now being property of Air Peace, which boasts a growing fleet of planes, which are listed here:

The problem was that fake Lines of Credit, fake Appraisals, and fake Purchase documents all claimed Onyema was buying these planes from Springfield Aviation, when in fact, he had ALREADY BOUGHT THEM FROM OTHER OWNERS!  He basically bought all the planes TWICE and then bonused the money back to himself from Springfield.  He paid Springfield over $20M for the planes he already owned, and then over the course of many months, Springfield sent him back $15M of the same money.

It seems that Onyema lived for a while in Atlanta, Georgia.  In January 2016, he closed a Bank of America account and moved $4,000,396.43 via cashier's check to a pair of Wells Fargo accounts, opened in person in Atlanta, Georgia.

A LOT of money was then moved into that account, mostly from charities in Nigeria that Onyema controlled, including "All-Time Peace Media Communications" and "Foundation for Ethnic Harmony."

Onyema used the money to go shopping.  Prada, Neiman Marcus, Macy's, Louis Vuitton, the Apple store, a $180,000 Rolls Royce, a $88,500 Mercedes.  Over the course of eight years, $44.9 million was transferred from foreign accounts into Onyema's personal accounts at Bank of America, Wells Fargo, and JP Morgan Chase, mostly from the "charities" that he was running back in Africa, including Foundation for Ethnic Harmony, International Center for Non-Violence and Peace Development, All-Time Peace Media Communications Limited, and Every Child Limited.

In July 2016, Onyema opened a Wells Fargo checking account in Atlanta (WF 8621) in the name Springfield Aviation Company, LLC.  He regularly spent money from that account for personal expenses, including grocery shopping at Publix, shopping at Macy's, DSW, staying at the Ritz Carlton, and eating at various restaurants.

In November 2017, Onyema opened new bank accounts in the name of "Springfield Aviation Company, LLC" but he was the sole authorized signatory.

The stories of his double-purchased planes are told in six "Letters of Credit" scenarios in the indictment.

Letter of Credit One: FB16TLL000 for Boeing MSN: 28721

On or about February 10, 2017, Wells Fargo transferred $1,982,228.46 into Springfield Aviation’s Wells Fargo account, WF 8621.  According to the court documents, however, the plane he was purchasing was already owned by Air Peace! Planespotters shows that it was registered to Air Peace (new registration: 5N-BUJ) and that the previous owner was Aurora, a Russian airline, which used the registration number RA-73013, but notes that they stored the plane at an airport in Tallinn until 09JUN2016.

The plane, as painted by the previous owner ...

The plane, while being repainted as Air Peace (note the tail is not yet reattached)

Both of those photos were taken in Tallinn, Estonia, where the previous owner stored the plane before selling it to Air Peace.

Letter of Credit Two - LCITF-17-00414 for Boeing MSN: 27910

The court documents say the second plane was purchased by Air Peace from AerSale Inc on April 25, 2017 for $3,751,460 USD.  This is consistent with the history of that plane, which was previously sold by AerSale to Air Nigeria, and afterwards leased several times before being sold to Air Peace:

Wells Fargo received a credit request from Fidelity Bank of Nigeria saying that Air Peace was going to buy the plane for $4,750,000 from Springfield Aviation.  BUT SPRINGFIELD NEVER OWNED THE PLANE!  A company with no history of aviation, JMI LLC, provided a "full aircraft appraisal" saying the plane was worth $5,500,000 and Wells Fargo transferred $4,750,000 from Onyema's accounts into Springfield Aviation's Wells Fargo account, WF 8621, on April 25, 2017.

Letter of Credit Three - ILCCOCBG1702932 - Boeing MSN: 28561 and Boeing MSN: 28562

These two planes were bought from Texas based Jetran, LLC on May 18, 2017.  $3,600,000 was the purchase price for the pair of planes. The wire transfer was sent from WF 8020 on May 15, 2017.

In October 2017, Wells received another letter of credit request, asking for $3,480,000 to be paid to Springfield Aviation's WF 8621 bank account.  JMI again provided an appraisal, claiming that just the 28561 plane was being sold and that it appraised by itself for $5,400,000.

On November 29, 2017, Wells Fargo transferred $4,899,690 to Springfield Aviation's Wells Fargo account WF 8621 FOR A PLANE THAT HAD ALREADY BEEN PURCHASED FROM JETRAN nine months earlier!

Letter of Credit Four - LCITF-17-00555 - Boeing MSN: 28660

In January 2017, Onyema bought another Boeing 737-300, MSN: 28660, from Oklahoma-based Aero Acquisition.  He paid $2,315,000 for the plane on January 9, 2017, wiring the money from his Wells 8020 account.

In April 2017, Wells received ANOTHER letter of credit request FOR THE SAME PLANE, but this time, claiming it would be purchased for $4,500,000 from Springfield Aviation.  On June 19, 2017, Wells Fargo transferred $4,499,900 to Springfield Aviation's Wells Fargo 8621 account, FOR A PLANE THAT SPRINGFIELD NEVER OWNED and that Onyema had already purchased from Aero Acquisition SIX MONTHS EARLIER!

None of the plane spotter photos of this plane are the Air Peace version...but it's also a very real plane.

Letter of Credit Five - FB17ILC00561C - Boeing MSN: 28562

This is the second plane previously mentioned having been purchased in May 2017 from Jetran, LLC.  Again, a new letter of credit arrives, this time to JPMorgan Chase Bank.

On Feb 20, 2018, JPMorgan Chase transferred $4,087,028 to Springfield Aviation's JPMC 5512 bank account, FOR A PLANE THAT Onyema had already bought 9 months earlier from Jetran!

The plane was photographed with its Air Peace paint job and registration 5N-BUL in February 2018:

Many previous photos as the Meridiana plane and as the Air Italy plane have been taken of the same airframe

After being paid $20,218,846 for planes it never owned, what happened next?
Springfield began sending the money back to Onyema.  All of the transfers listed below were sent from the Springfield Aviation bank accounts back to Onyema's personal accounts.
  • 3/22/2017 - $1M
  • 3/23/2017 - $1M
  • 5/7/2017 - $500,000
  • 5/7/2017 - $500,000
  • 5/15/2017 - $500,000
  • 5/15/2017 - $500,000
  • 5/15/2017 - $500,000
  • 5/15/2017 - $500,000
  • 5/15/2017 - $100,000
  • 5/15/2017 - $500,000
  • 5/15/2017 - $150,000
  • 6/19/2017 - $500,000
  • 6/19/2017 - $500,000
  • 6/19/2017 - $500,000
  • 6/19/2017 - $500,000
  • 6/19/2017 - $500,000
  • 6/19/2017 - $500,000
  • 6/19/2017 - $500,000
  • 6/19/2017 - $500,000
  • 6/19/2017 - $500,000
  • 11/29/2017 - $1M
  • 11/29/2017 - $1M
  • 11/29/2017 - $1M
  • 11/29/2017 - $1M
  • 11/29/2017 - $890,000

After Springfield had sent $15,140,000 back to him, Onyema then tried to get the money out of the United States.  In August 2018, Onyema created Bluestream Aero Services and Springfield Aviation Company in Ontario, Canada.  He opened accounts for the companies at Bank of Montreal and sent $10 Million (in November 2018) from his personal Wells Fargo account to those bank accounts in Canada.

Based on the timing of the court documents, moving $10 Million out of the country is likely to be what triggered the investigation.  While the original Criminal Complaint is still "sealed", it was filed one month after the wire transfers to Canada.  So, while the indictments and arrest warrants were only issued on November 19, 2019, the court case began in December of 2018 with the "magistrate complaint."
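The transfer list above shows money arriving in the Springfield accounts and leaving again shortly afterwards, which is the pattern a pass-through check looks for. The Python below is an added example, not taken from the indictment or the original post; it uses only the dates and amounts listed above, and the 45-day attribution window and 75% threshold are assumptions.

```python
from datetime import date

# Dates and amounts as listed in this post. Credits are in cents (one has cents).
CREDITS = {  # letter-of-credit payments into the Springfield Aviation accounts
    date(2017, 2, 10): 198_222_846,
    date(2017, 4, 25): 475_000_000,
    date(2017, 6, 19): 449_990_000,
    date(2017, 11, 29): 489_969_000,
    date(2018, 2, 20): 408_702_800,
}
# Transfers from the Springfield accounts back to the personal accounts (dollars).
RETURNS = (
    [(date(2017, 3, 22), 1_000_000), (date(2017, 3, 23), 1_000_000)]
    + [(date(2017, 5, 7), 500_000)] * 2
    + [(date(2017, 5, 15), a) for a in (500_000,) * 4 + (100_000, 500_000, 150_000)]
    + [(date(2017, 6, 19), 500_000)] * 9
    + [(date(2017, 11, 29), a) for a in (1_000_000,) * 4 + (890_000,)]
)


def totals(credits, returns):
    """Total credited and total returned, both in cents."""
    return sum(credits.values()), sum(amount for _, amount in returns) * 100


def pass_through(credits, returns, window_days=45, min_ratio=0.75):
    """Attribute each return to the latest credit at most window_days before it,
    then flag credits where at least min_ratio of the money left again.
    window_days and min_ratio are assumed tuning values, not from the post."""
    rows = {d: {"in": amt, "out": 0, "first_lag": None} for d, amt in credits.items()}
    for out_date, dollars in sorted(returns):
        prior = [d for d in credits if 0 <= (out_date - d).days <= window_days]
        if not prior:
            continue  # no credit inside the window; leave unattributed
        source = max(prior)
        rows[source]["out"] += dollars * 100
        if rows[source]["first_lag"] is None:
            rows[source]["first_lag"] = (out_date - source).days
    for row in rows.values():
        row["ratio"] = round(row["out"] / row["in"], 3)
        row["flag"] = row["ratio"] >= min_ratio
    return rows


if __name__ == "__main__":
    credited, returned = totals(CREDITS, RETURNS)
    print(f"credited ${credited / 100:,.2f}, returned ${returned / 100:,.2f}")
    for day, row in sorted(pass_through(CREDITS, RETURNS).items()):
        print(day, f"in=${row['in'] / 100:,.2f} out=${row['out'] / 100:,.2f}",
              f"ratio={row['ratio']} first_lag={row['first_lag']} flag={row['flag']}")
```

A `first_lag` of 0 means the first outgoing transfer happened on the same day the credit arrived.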

As my many Nigerian Twitter followers are reminding me, everyone is Innocent until proven Guilty, but what I have learned through many years of watching the American Justice system is that they don't unseal federal indictments until their evidence is rock solid!  When you cause charities you control to send you $44 Million dollars, and then you create fraudulent documents to pay a company you control $20 Million US Dollars for airplanes that you already own, and then send most of that money back to your private banking accounts, and then try to get that money out of the United States into Canada, I think it is plain to see crimes have been committed.

Of course this doesn't stop the Nigerian media from running stories stating that "the allegations of financial misdeeds against [Onyema] as a deliberate attempt to kill Air Peace and deepen the unemployment crisis in the country."

I'm sure the facts won't matter to the Concerned Diaspora Citizens, but I hope reasonable people will understand that the US Government is not persecuting businessmen.  They are charging criminals with crimes.

Monday, November 18, 2019

Facebook's Transparency Report: (Expert) Supervised Machine Learning Works!

Last summer the BBC technology program "Click" came to visit the lab for a special called "Can Technology Solve the Opioid Crisis?"  One of the points we stressed with @NickKwek was that when we report opioids and fentanyl-related posts to Facebook the objective is not to take down THAT POST, but rather to help Facebook's automated tools update their models of what offensive drug sales content looks like.

Last week we had an opportunity to see what that looks like in action as Facebook released their transparency report for Q3 2019.  Facebook's Transparency report is divided into two major sections which each have two subsections. "Enforcement of our Standards" covers "Community Standards Enforcement" and "Intellectual Property Infringement."  The other major section, "Legal Requests" is divided into "Government Requests for User Data" and "Content Restrictions Based on Local Law."

The November 2019 transparency report for Community Standards looks at ten categories of content on Facebook and four categories of content on Instagram.

In this post, we'll look primarily at the statistics for "Regulated Goods: Drugs and Firearms" but the other categories on Facebook are:

  • Adult Nudity and Sexual Activity
  • Bullying and Harassment
  • Child Nudity and Sexual Exploitation of Children
  • Fake Accounts
  • Hate Speech
  • Spam
  • Terrorist Propaganda
  • Violent and Graphic Content
  • Suicide and Self-injury
On Instagram, the other categories are:
  • Child Nudity and Sexual Exploitation of Children
  • Suicide and Self-injury
  • Terrorist Propaganda
Facebook has shared previously about our work to reduce terrorist content on their platform.  See their "Hard Questions" blog post -- "Are We Winning the War on Terrorism Online."  In this most recent report, they share that "Our proactive rate for detecting content related to al-Qaeda, ISIS and their affiliates remained above 99% in Q2 and Q3 2019, while our proactive rate for all terrorist organizations in Q2 and Q3 2019 is above 98%."

What does that mean?  It means that through the power of machine learning, when someone posts content trying to "express support or praise for groups, leaders, or individuals involved in terrorist activities" the content is removed automagically without the need for anyone to report it 98-99% of the time!

They've also previously discussed our relationship regarding the Opioid Crisis.  See their post "Supporting Our Community in the Face of the Opioid Epidemic." 

As Facebook has focused on identifying drug-related content, the number of detections has risen.  That's likely for two reasons -- one, they are now discovering content that previously would have remained unreported; but also two, frustrated users are attempting to post their drug sales information in more ways, trying to get past the blocks -- and largely failing to do so.

Drug related posts actioned:
  • 572,400 posts in Q4 2018
  • 841,200 posts in Q1 2019 
  • 2,600,000 posts in Q2 2019 
  • 4,400,000 posts in Q3 2019
When I attended Facebook's Faculty Summit all the way back in 2016, they had me hooked from the very beginning of the day when Facebook's Engineering Director Joaquin Quinonero Candela gave his opening keynote.  All of this amazing machine learning technology that people like Dr. Candela had created to help improve online ad delivery was ALSO being used to make the platform as safe as possible against a wide variety of threats. I was especially excited to learn about the work of Wendy Mu. At the time Wendy's bio said "Wendy is an engineering manager on Care Machine Learning, which leverages machine learning to remove abusive content from the site.  Over the last three years at Facebook, she has also worked on Site Integrity, Product Infrastructure, and Privacy."  Wendy and her team are inventing and patenting new ways of applying machine learning to this problem space.  Nektarios Leontiadis, "a research scientist on the Threats Infrastructure Team" with a PhD in online crime modeling and prevention from Carnegie Mellon, and Jen Weedon, previously at FireEye, were some of the other folks I met there who made such a profound impression on me!  Since then, the UAB Computer Forensics Research Lab has partnered with Facebook on many projects, but quite a few have taken the form of "what would a human expert label as offending content in this threat space?"

This is where "supervised machine learning" comes into play.  

The simplest version of Supervised Machine Learning is the "I am not a Robot" testing that Google uses to label the world.  You may be old enough to remember when Google perfected their Google Books project by asking us to human label all of the unreadable words that their scanner lifted from old books, but which were not properly recognized by their OCR algorithm.  Then we were asked to label the address numbers found on buildings and mailboxes, and then later to choose cars, bicycles, traffic lights, and more recently crosswalks, as it seems we are now teaching future self-driving cars how to not drive over pedestrians.

This works well for "general knowledge" types of supervised learning.  Anyone over the age of three can fairly reliably tell the difference between a Cat and a Dog.  When people talk about supervised machine learning, that is the most common example, which comes from the concept of "Convolutional Neural Networks".  Do a search on "machine learning cat dog" and you'll find ten thousand example articles, such as this image from Booz Allen Hamilton.

Booz Allen Hamilton infographic 

We're working on something slightly different, in that the labeling requires more specialized knowledge than "Cat vs. not Cat".   Is this chemical formula a Fentanyl variant?  Is the person in this picture the leader of a terrorist organization?  What hashtags are opioid sellers using to communicate with one another once their 100 favorite search terms are being blocked by Facebook and Instagram?

Facebook Research has a nice set of videos that explain some of the basics of Machine Learning that are shared as part of the "Machine Learning Academy" series:

In this chart, the data provided by UAB is primarily part of that "Data Gathering" section ... by bringing forensic drug chemists into the lab, we're able to provide a more sophisticated set of "labelers" than the general public.  Part of our "Accuracy testing" then comes in on the other end.  After the model built from our data (and the data from other reporters) is put into play, does it become more difficult for our experts to find such content online?

Looking at the Transparency Report's Community Standards section, the results are looking really great!  

In the fourth quarter of 2018, only 78.6% of the offending drug content at Facebook was being removed by automation.  22% of it didn't get deleted until a user reported it, by clicking through the content reporting buttons.  By the 3rd Quarter of 2019, 97.6% of offending drug content was removed at Facebook by applying automation!

In Q4 2018, 122,493 pieces of drug content were "manually reported" while 449,906 pieces were "machine identified."

In Q3 2019, 105,600 pieces of drug content were "manually reported", but now about 4.3 million pieces were "machine identified."  

Terror Data

Twitter also produces a Transparency report and also shares information about content violations, but in most categories lags far behind Facebook on automation.  Twitter's latest transparency report says that "more than 50% of Tweets we take action on for abuse are now being surfaced using technology. This compares to just 20% a year ago."  The one category where they seem to be doing much better than that is terrorism.  Their last report covered the period January to June 2019.  Twitter does not share statistics about drug sales content, but does have Terrorism information.  During this period, 115,861 accounts were suspended for violations related to the promotion of terrorism.  87% of those accounts were identified through internal tools.  

Facebook doesn't share these numbers by unique accounts, but rather by the POSTS that have been actioned.  In the Q3 2019 data, Twitter actioned 5.2 million pieces of terror content.  98.5% of those posts were machine identified.

Tuesday, November 12, 2019

'Tis the Season for SCAMS!

A recent project that DarkTower worked on was related to fraudulent marketplaces offering too-good-to-be-true deals on electronics.  DarkTower's CEO Robin Pugh took those lessons and applied them to a recent online shopping experience ... I asked her to write it up for our blog:

As I was browsing some of my favorite Instagrammers this morning, one of them posted about a great coffee system that was on price rollback at for $99 – nearly half off the list price of $179.99.  As a coffee lover AND a bargain lover, I was immediately interested and began searching for more information.  Since I wasn’t familiar with how this particular coffee system worked, I typed the model name in my google search bar, intending to find some YouTube videos on how it worked, but since I left my search term fairly broad, some interesting sites popped up in my search results.

RED FLAG #1: Prices that are TOO good

WOW!  An even BIGGER BARGAIN… more than $10 less than the price?!  But on a site I’ve never heard of “Juli Shop,” so I began to take a closer look at the site, since we all know a) it’s hard to beat a Walmart price and b) if it’s too good to be true….  Well, you can finish that sentence.  (Other kitchen appliances on the site also had crazy discounts.  The "DeLonghi Dedica EC680 15 Bar Stainless Steel Slim Espresso" machine is only $160.99 at Juli Shop, but $299.99 at Bed Bath & Beyond and BestBuy, and $241 at

RED FLAG  #2:  Same Day delivery

Among the things I notice about Juli Shop, in the list of things they promote about their site is “Same Day Delivery.”  Really?  Same Day? So where are they located that they can promise same day delivery?
They purport to be in Citronelle, Alabama, with a local phone number; so I looked up the address on Google Maps and found that it’s a lovely 2 BR/2 BA brick ranch home that’s not currently for sale. The phone number – brace yourself – is disconnected. But they’ll definitely get me my Ninja Coffee Bar System today.

RED FLAG #3: Spelling Errors
I also notice in the menu bar that they want to tell me “Abouts Us”. Other sections of the menu are labeled "INFOMATION" and "CUSTORMER." Well, spelling errors are often a hallmark of scam sites and phishing emails, so I click to learn more “Abouts” them.

RED FLAG #4:  Information clearly copied from another site
Oddly, their About Us page has no mention of Juli Shop.  It is 100% about a fashion apparel company called Madison Island, and Juli Shop has no apparel merchandise at all.  Let’s check out Madison Island to see if it’s an affiliate, or maybe a parent company.

A quick search for Madison Island reveals that it is a fictitious demo store used to test Magento, a popular shopping cart processing plug-in, which Juli Shop uses to process its credit card transactions. By the way, Magento is targeted by one of the most prevalent malware families called Magecart.  Magecart is designed specifically to steal credit card credentials.  So let’s think of the possibilities here:  a scam site that takes your money and never delivers the promised item AND steals your credit card information at the same time.  That’s quite a criminal enterprise!

RED FLAG #5:  Sanity check
At this point, all signs point toward a scam site, and I’m pretty sure I’m going to be paying $10 more for my Ninja Coffee Bar; but before I move on, I check out
They give Juli Shop a 66% “TrustScore”, which puts it squarely in the “green” zone; but after reading the negative/positive comments, I’m not sure I agree.  First, the website was established 21 days ago.  The server is used by multiple websites, which isn’t uncommon for a small site, but they are offering items and services that are not typical of a small site.  Additionally, and quite concerning, the set up involves both the US and Vietnam.  A multi-country set-up is not common for a small site, and somehow Vietnam doesn’t jive with Citronelle, Alabama.

Further review of the data shows conflicting information around the site’s infrastructure, but also shows that there are no comments or reviews on typical review sites like Sitejabber and Trustpilot. The absence of this information is quite telling.

Scamadviser may give this site a 66% trust rating.  I’m giving it a 100% SCAM rating.

As the Christmas cyber shopping season is upon us, before you shop at a new online store, take the time to thoroughly review the site.  As demonstrated above, a few key checks and paying attention to red flags can quickly reveal whether you should be entering your credit card information there, and whether it may leave Santa with an empty sack on Christmas Eve.
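The red-flag checks walked through in this post can be scripted for triage of an unfamiliar storefront. The Python below is an added example, not part of the original write-up; the sample HTML and registration date are constructed from details in the post, and the discount and domain-age thresholds and the menu word list are assumptions.

```python
import re
from datetime import date
from difflib import get_close_matches
from html.parser import HTMLParser

MENU_WORDS = ["home", "about", "us", "information", "customer", "contact", "service"]
DEMO_MARKERS = ["Madison Island"]  # Magento demo-store name named in the post

class StoreText(HTMLParser):
    """Collects menu labels (text inside <nav>) and all visible text."""
    def __init__(self):
        super().__init__()
        self.in_nav, self.menu, self.text = False, [], []

    def handle_starttag(self, tag, attrs):
        self.in_nav = self.in_nav or tag == "nav"

    def handle_endtag(self, tag):
        self.in_nav = self.in_nav and tag != "nav"

    def handle_data(self, data):
        if data.strip():
            self.text.append(data.strip())
            if self.in_nav:
                self.menu.append(data.strip())

def red_flags(home_html, about_html, shop_name, price, reference_prices,
              registered, today, max_discount=0.25, min_age_days=90):
    """Return the red flags from the post that fire. Thresholds are assumptions."""
    home, about = StoreText(), StoreText()
    home.feed(home_html)
    about.feed(about_html)
    flags = {}
    discount = 1 - price / min(reference_prices)  # vs. cheapest known retailer
    if discount > max_discount:
        flags["price_discount"] = round(discount, 2)
    if re.search(r"same[\s-]*day\s+delivery", " ".join(home.text), re.I):
        flags["same_day_delivery"] = True
    typos = {}
    for word in re.findall(r"[A-Za-z]+", " ".join(home.menu)):
        if word.lower() not in MENU_WORDS:  # near-miss of a common menu word
            near = get_close_matches(word.lower(), MENU_WORDS, n=1, cutoff=0.8)
            if near:
                typos[word] = near[0]
    if typos:
        flags["misspelled_menu"] = typos
    about_text = " ".join(about.text).lower()
    copied = [m for m in DEMO_MARKERS if m.lower() in about_text]
    if copied and shop_name.lower() not in about_text:
        flags["copied_about_page"] = copied
    age = (today - registered).days
    if age < min_age_days:
        flags["domain_age_days"] = age
    return flags

# Constructed sample pages and registration date, modelled on details in the post.
HOME = """<nav><a href="/">Home</a> <a href="/about">Abouts Us</a>
<a href="/info">INFOMATION</a> <a href="/cust">CUSTORMER</a></nav>
<p>Free shipping. Same Day Delivery!</p>"""
ABOUT = "<h1>About Us</h1><p>Madison Island is a fashion apparel store.</p>"

def demo():
    return red_flags(HOME, ABOUT, "Juli Shop", 160.99, [299.99, 299.99, 241.00],
                     registered=date(2019, 10, 22), today=date(2019, 11, 12))

if __name__ == "__main__":
    for name, detail in demo().items():
        print(f"{name}: {detail}")
```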