Thursday, January 05, 2023

SIM Swapping, Crypto Theft, and Sentencing in the United States

As you know from the title of my blog, "CyberCrime & Doing Time," I'm very interested in cybercrime and the criminal justice system. This week I've been looking at SIM Swapping cases and wanted to share what I learned from reading the sentencing memos sentencing transcript for Ricky Handschumacher.

Ricky was one of the members of "The Community" - a group of six OGUsers/HackForums punks who decided to go into the crypto theft business. They haunted crypto community forums gathering data on people who over-shared about their crypto earnings and then did the social media intelligence (SOCMINT) work to id their target, assess their holdings, get their online credentials, and then pay a phone company contractor or employee to SIM Swap their device and steal their crypto.

They stole over $50 Million dollars.

Ricky was the last guy to get sentenced.  The other members of the group (not their phone store patsies, but the core group) were: 

  • Conor Freeman, 20, of Dublin, Ireland.  Conor was sentenced to three years in Ireland.
  • Colton Jurisic, 20, of Dubuque, Iowa. He was sentenced to 42 months and restitution in the amount of $9,517,129.
  • Reyad Gafar Abbas, 19, of Rochester, New York.  He was sentenced to 24 months and restitution in the amount of $310,791.
  • Garrett Endicott, 21, of Warrensburg, Missouri.  He was sentenced to 10 months and restitution in the amount of $121,549.
  • Ryan Stevenson, 26, of West Haven, Connecticut.  He got two years probation.  Minor player.

Ricky pleads guilty to a single count of "18 USC § 1349 - Conspiracy to Commit Wire Fraud" and in exchange the court agrees to drop several additional charges of: 
18 USC §§ 1343 and 2 - Wire Fraud, Aiding and Abetting 
18 USC §§ 1028A(a)(1) and 2 - Aggravated Identity Theft, Aiding and Abetting

Anyway, Guilty plea is received, family all lines up to say what a good boy Ricky is, blah blah blah, and how he was such a good boy while he was out on bond.

Sentencing Guidelines 

Here's how our sentencing Guidelines work ...

The base crimes each have a number of "sentencing points" that they are assigned.  Then there are a whole host of modifications that can be applied based on other factors.  This score is then further modified by how many prior criminal convictions the individuals have.

Conspiracy to Commit Wire Fraud has a base score of 7.  With no criminal history, that would give a sentence of 0-6 months. But that would be a crime with no victims, no losses, and the most basic conspiracy.  All of the other factors add points. 

The following modifications are then applied.

+2 - the number of victims matter.  In this case, they are charging "ten or more victims." 

Ricky's score is now a 9.  Sentencing guideline: 4-10 months.

+2 - sophisticated means. Because this was a high-tech crime with a lot of technology and a lot of moving parts.

Ricky's score is now an 11.  Sentencing guideline: 8-14 months. 

+2 illicit authentication.  To curb identity theft and the flippant use of stolen credentials, crimes that involve stolen identities get an automatic +2. 

Ricky's score is now a 13.  Sentencing guideline: 12-18 months.

+18 - Theft of between $3.5 million and $9.5 million.  The two greatest "adjustments" in the sentencing world are Number of Victims, and Amount Stolen. This is a huge modification, however, they stole a lot of money!  Many victims lined up to say they lost 100% of their life savings.  One of them even appeared at the Sentencing hearing and said so.  He told the court he had lost everything, and had been waiting FOUR YEARS for justice to be served.  It definitely needs consideration.  

Ricky's score is suddenly a 31.  108-135 months.  That's 9 to 11 years.

-3 - Because Ricky was cooperative and accepted responsibility for his crimes, apologizing to the court and to the victims, his sentencing guideline score is dropped by three points.  That's huge, actually.

Ricky's score is now 28.  78-97 months. 

In their sentencing memo, the prosecution says they would be happy to accept the "mid-point" of that range and asks for an 88 month sentence.

The Judge Speaks

The judge in this case is The Honorable Denise Page Hood in the Eastern District of Michigan.  I appreciate that she puts a great deal of explanation in before rendering her verdict.  She shares with us each of the things she is charged with considering as she builds her decision on what sentence to impose.  All of the following is quoted from the Sentencing Transcript available on PACER, although the emphasis added is mine.  

1. "The factors I'm supposed to consider are these: The nature and circumstances of the offense and the history and characteristics of the Defendant, and I'm satisfied that, while I don't think that -- well, I think the age of the other individuals involved really didn't have anything to do with you. What it really has to do with is whether or not you were a more mature person and maybe should have had some other indication of this wrongdoing and made a better judgment than someone who perhaps is still young and a bit naive might be. Like I know one of the people, I was convinced that person was much more naive than other individuals involved in this. You, however, aren't one of those.

"I have here also that I think that the nature and circumstances the offense are serious, because there's a lot of money stolen, and it's stolen from individuals who, number one, are unsuspecting, and, number two, some of them are like Mr. S.S., who is here in court today, that this was not, you know, some organization or anything. It was an individual and their personal money, their, as he describes it, his life savings that were involved, and I think that makes it a little bit different than stealing from a company that might have some other means of recovering that than an individual. I'm also satisfied that it seemed like kind of a we're going to go out there and just do these things. We're just going to hack. We don't have any sense of caring very much, until it's over, about people who might be involved in this and where the money might be coming from and where it might go, and so, to some extent, on the part of everybody involved, it seemed like it was kind of a relaxed look at what you were doing and just kind of like a greed thing. I mean it wasn't -- particularly in your case, it wasn't that you were destitute or anything. You had some education, and you had the ability to have a job. So it wasn't that you couldn't go out and make money on your own, and that is kind of the nature of these kind of things, but I think it's a very serious offense in this particular scheme of things.

2. I'm also to look at the history and characteristics of the Defendant, and, for that, I would note that in the scheme of people who come into court,  you're on the young end of that. You may not think you are, but you really are on the young end of those people who commit crimes within our system.

I'm satisfied that you had a decent childhood. I had some notes here that you were and athlete and well-integrated into your experiences as a youth, and, also, that, unlike some other people, you did not seem to be someone who was just, you know, isolating themselves and unliked by others and, therefore, kind of a person who might reach out to do something like this because of a bad situation that they were in. Not that that excuses that behavior, which is exactly what I told them, that it doesn't excuse that behavior.

I'm also satisfied that -- I don't know whether it's better or worse that there are hackers out there that don't know one another, and maybe that adds a little bit to the frivolousness and the unaccountability of it relative to one another. Otherwise, I don't think there's anything in your history or characteristics that is a negative to you. I had one thing I wanted to note here. Okay, I wanted to note that it does not appear that you have any physical problems or that you have any mental health diagnosis or received any mental health treatment. It does not appear that you have any substance abuse problems.

It appears that you graduated from high school and that you were able to have some employment, including an employment from July of 2019, on Paragraph 44, until – at least at the time that this report was written, and that prior to that, that you have worked -- you had been unemployed for a time but that you were also employed by the city of Port Richey, and, prior to that, in a grocery store, and for the short period of time that you've been an adult, that's a significant amount, as far as I'm concerned, of employment.

The other thing I want to say is thatI'm to consider whether or not the sentence that I'm going to craft will reflect the seriousness of the offense. I've already spoken to that. Promotes respect for the law and provides just punishment, and I'm sure that you're aware now of the seriousness of the offense. That may be enough to promote respect for the law. I don't know that. You know, I don't know that in these particular kind of instances whether people look at it and say, you know, I've been involved in this. It was easy. I just happened to get caught. I'm never going to get caught again because of the nature of how this is done and how hard it is to investigate and to find out what each person involved in it is doing. So I don't know that my sentence will promote respect for the law, but at least I have taken it into consideration.

I'm also to fashion a sentence that provides just punishment, and I know that in all of the cases during the pandemic, where people have been on bond, they have noted I've been, you know, really good, in quotes, on pretrial release, and that shows that I am rehabilitated, and, to some extent, that may be true. To the other extent, the opportunity was that you would not be on pretrial release and you would be in custody where everyone else is attempting to get out of custody because of Covid-19. So I see that people would be, to a very great extent, well-behaved on pretrial release at this time, especially when they don't want to be incarcerated. So I don't give that a lot of weight. I know it's a long time to wait, but I'm sure it is far less onerous conditions than if you were waiting in jail to be able to proceed.

5. I'm also to consider whether or not I will afford adequate deterrence to criminal conduct, and I recognize that this may have been an opportunistic crime, but it's still illegal. You still have to answer for it, and some of it, the deterrence, I think, is not only deterring yourself, meaning that something happens to you that makes you not want to do this ever again even if you think the opportunity to be caught is very small, and it's going to become less small. The Government is going to get better at uncovering this type of crime and uncovering it earlier, but I also think that we deter others by letting them know that we're not going to just let this kind of crime go unaddressed

6. I'm also to fashion a sentence that protects the public from the further crimes of the  Defendant, and I will do that in this case by requiring, since it's your first contact with law enforcement, and to some extent the presentence report indicates it's a deviation from your otherwise law-abiding life, that you will have to participate in the Computer Internet Monitoring Program for the entire time that you're connected to the Court by being incarcerated, if you're put in a halfway house, or while you're on supervised release, and you'll have to abide by that agreement, which addresses all of the computers to which you would have any contact, okay, and it allows them to not only search but at reasonable times and places, but to also be for you to provide other people using the computers with the understanding if you're using their computer, it's subject to search as well.

7. I'm to fashion a sentence that provides you with needed education and vocational training, medical care, or other correctional treatment in the most effective manner, and it does not appear that you're unhealthy, or, as I said, have any mental health or substance abuse concerns. I know you have a high school diploma, and you have had some employment that's consistent with that, and so I would note that you should have the opportunity to engage in any programs that you think are beneficial to you to enhance that, but I don't have any that I'm going to particularly point out.

8. I also have to consider the kinds of sentences available, and that is the 78 to 97 months of incarceration, and that it will be followed by a term of supervised release, and I'm also to consider the need to avoid unwarranted sentencing disparities among defendants with similar records having been found guilty of similar kinds of conduct, and I have these other codefendants, all of whom seem to have various roles in conducting this conspiracy, and I think that my sentence will reflect how I think the various roles and the history and characteristics and other factors have impacted those people, all of whom, so far, have received a sentence that is below the guideline range. 

9. I'm also to consider the need to provide restitution to any victims of the offense, and I am going to order a restitution against you relative to this. I will also recommend that the amount that you're forfeiting go against the restitution, but, you know, part of it is that, you know, the amount of restitution is really high, and I think it's really difficult for anybody, although you're a young person and so are the others, to pay back seven-and-a-half-million dollars. That's a tremendous amount of money, and the amount that it is apparent that you're forfeiting doesn't really approach that. It doesn't approach $7 million, and so, you know, the Court is always wondering what happened to the money that was stolen away from people and whether or not people have spent it or they hid it away, especially if there's nothing really apparent. There is, in some cases, something apparent to show for it, but I have considered that as well.

I've said in the other sentences, because in the other instances, people also ask for  noncustodial sentences, that I don't think that a noncustodial sentence is appropriate in these cases. I mean we think, kind of like we do in other kinds of cyber crimes, that you don't see what's happening. It's not done with some -- it's not like you went in and robbed a place where some people were standing there and you had to deal with the actual people that you might be stealing the money from, or had to confront an actual bank teller who might be afraid or anything like this. This is kind of done on your own on the computer. You don't really have any real people in front of you. It's not maybe very -- it does not seem very personal to the people committing the crime, but it's really personal against the people that the crime is committed, and so I don't think that a noncustodial sentence is appropriate.  Even with the halfway house and the like, I don't think it's appropriate, and I think you can tell that from the other sentences that I've imposed.

The Sentence

And, therefore -- but I should also say that I think the 78 to 97 months is driven, as many as of these monetary crimes are, by the amounts of loss, and I think, in this particular instance, where I have people before me and you who don't have prior serious offenses or any offenses at all, that I give credit for that in most other instances of fashioning a sentence, and the credit for it actually goes to the amount of time that you have to be incarcerated usually, and I don't see any reason why I shouldn't do that in this particular instance. In all of these instances, I think I have before me people who have the ability to do one of two things. They can grow and become productive members of society and attempt to pay back the victims the money that was, you know, secretly stolen from them and computers used to do that, and, therefore, I think that a sentence within the guideline range is too much for the charges that I'm presented with here for the reasons that I've stated.

And, therefore, with respect to Count 1 of the indictment, pursuant to the Sentencing Reform Act of 1984, the Court, having considered the advisory guidelines and the factors contained in 18 U.S.C. §3553(a), commits the Defendant to the custody of the Bureau of Prisons for a term of 48 months. And, upon release from imprisonment, the Defendant will be placed on supervised release for a term of three years. 

... I'm ordering that you pay that restitution to the clerk of the court for disbursement to the victims identified below in the amounts below for a combined restitution order of $7,681,570.03, which is due immediately. While on supervised release, payments must be made at a rate and schedule determined by the probation department, approved by the Court, and they are going to these victims:
Victim with initials D.M. in the amount of $116,387.12;
Mr. S.S. in the amount of $1,967,146.57;
And S.B. in the amount of $5,598,036.34.

Thoughts on Sentencing 

I am always frustrated when judges choose to depart from the recommended sentence, especially in a way that I feel does not take cybercrime seriously.  As we look at the rationale behind the sentence though, I think it boils down to this:

In the world of Big Crypto and with the pathetic security in place that means a kid in a phone shop can facilitate a $5.5 Million theft, how do we balance the trivial means of stealing that money with the fact that someone's life savings have been destroyed?

In this case, restitution will start with the fact that Ricky is giving up 38 BTC and 900 Ethereum from what he stole.  At the time of this writing that is about $1.8 Million.  How is a kid with a high school degree and a criminal record going to pay back the other $5.8 Million?  He's not.  The parole board will come up with a garnishment of future wages, but if he ends up in a minimum wage job, that is likely to be repaid at a rate of $100 per month, so the victims will get the rest of their money slowly over the next four thousand eight hundred years or so.

I would really like to hear your thoughts on this.  Feel free to comment below.  Thank you!

Monday, September 19, 2022

The new DOJ Law Enforcement Crypto Reports (TL;DR)

TL;DR? Good news!  I read them for you! 

 On 15SEP2022, the Department of Justice released their report "The Role of Law Enforcement in Detecting, Investigating, and Prosecuting Criminal Activity Related to Digital Assets" (66 pages).  The first of the nine reports ordered by President Biden's Executive Order 14067 "Ensuring Responsible Development of Digital Assets" was also released by the DOJ back on 06JUN2022, "How To Strengthen International Law Enforcement Cooperation for Detecting, Investigating, and Prosecuting Criminal Activity Related to Digital Assets" (58 pages). 

Since then, we have seen the Department of Treasury release three reports:

Treasury also provided to the White House in July a "Framework for International Engagement on Digital Assets" which is described in their press release, but not provided to the public. 

Earlier this month, the Department of Commerce released their report:
 "Responsible Advancement of US Competitiveness in Digital Assets" (19 pages). 

The Office of Science & Technology Policy also released three reports:
In this blog post, we'll focus on the two DOJ reports, which we will address in the reverse order of  their release, as it seems that it is required to define the role of law enforcement in digital assets before discussing the international cooperation one would seek in this area.

The Role of Law Enforcement in Digital Assets

Despite the Executive Order, it is important to note that the Department of Justice did not need the urging of the White House to establish procedures for addressing Cryptocurrency.  The department created the Attorney General's Cyber-Digital Task Force in 2018, which produced their original report, published in October 2020, titled the CryptoCurrency Enforcement Framework (83 pages).  That original report characterized the illicit uses of cryptocurrency into three broad categories of criminality: 
  1. financial transactions associated with the commission of crimes, such as buying and selling drugs or weapons, leasing servers used in the commission of cybercrime, soliciting funds to support terrorist activity, or ransom, blackmail and extortion. 
  2. money laundering and the shielding of legitimate activity from tax, reporting, sanctions, or other legal requirements, including operating unlicensed, unregistered, or non-compliant exchanges. 
  3. crimes, such as theft, directly implicating the cryptocurrency marketplace itself, such as stealing cryptocurrency from exchanges or defrauding unwitting investors. 
The original report listed many case studies involving indictments, seizures, and arrests in the scenarios above, including SamSam ransomware, Welcome to Video and DarkScandals child sexual abuse services, terrorist funding both through direct donation and via sales of fake medical equipment (PPE during COVID), the Bitcoin Maven case (Theresa Tetley), BTC-e, Operation DisrupTOR (Wall Street Market), DeepDotWeb, DreamMarket, the Lazarus group hacks, HeroCoin ATMs, the Helix mixer, and others. 

The new report points out something that I've recently been mentioning as well.  Bitcoin and other block-chain-based crypto currencies are neither the first digital currency, nor the first one that has facilitated a great deal of criminal trade.  The report mentions E-Gold (1996) and Liberty Reserve (2006) as "pre-crypto" examples of digital currencies, but could have as easily mentioned Webmoney (1998) or PerfectMoney (2007). Many of the points of the new report echo of those of the prior, although the cases have been updated, such as  Bitfinex, Helix, and Hydra Market, estimated at one point to perform 80% of all darknet market-place transactions, and Garantex, the Estonia-based Exchange that laundered more than $100 million of the funds associated with darknet markets. The Colonial Pipeline ransomware and the use by indicted GRU agents of bitcoin, the theft of $600 Million by Lazarus Group hackers in March 2022 are all used to update the original report. 

Two significant additions are the section on the Growth of Decentralized Finance (DeFi) and Non-Fungible Tokens (NFTs). In this area, the discussion of "Decentralized Autonomous Organizations" as opposed to a traditional corporate structure, and the insider trading, money laundering, and tax evasion aspects of NFT trading are discussed.  (Examples of Nathaniel Chastain of OpenSea and Ishan Wahi of Coinbase are provided as insider examples.) 

Section II of the report discusses DOJ efforts such as the National Crypto Enforcement Team (NCET) and its predecessors such as the Money Laundering and Asset Recovery Section's Digital Currency Initiative, and the Internation Virtual Currency Initiative. A few interesting statistics from the FBI, including that as of July 2022, the FBI had worked 1,100 separate investigations across 100 investigative program categories that involved a digital assets nexus. Since their first digital assets seizure in 2014, the FBI has seized $427 million in virtual assets (as valued at time of seizure.)  In February 2022, the FBI created the Virtual Assets Unit.  The Department of Justice has also created a Digital Asset Coordinators Network which is composed of designated prosecutors in U.S. Attorney's Offices across the country who work closely with CCIPS, MLARS, and NCET.  The program is based on the successful CHIP Network (Computer Hacking and Intellectual Property) and the National Security Cyber Specialist (NSCS) Network which each designate prosecutors in every field office to be specially trained and equipped to handle the relevant case types for their office. 

Cryptocurrency fraud investigations are listed as well, including the Baller Ape Club NFT rug pull case, the EmpiresX crypto Ponzi case, the Circle Society crypto commodities case, and the Titanium Blockchain Infrastructure Services Initial Coin Offering case. The Bitqyck case and the $2.4 Billion BitConnect Ponzi scheme case serve as an example of an IRS Cyber tax evasion cases, with the latter also being charged civilly by the SEC. 

The DEA's Cyber Support Section is described as performing cryptocurrency analysis related to the use of cryptocurrency to facilite drug trafficking, while the US Marshals Service is the group manages and liquidates seized crypto funds. HSI has been a key player in many crypto cases, with at least 500 currently active investigations, especially via their Financial Crimes Unit, Cyber Crimes Center, and Asset Forfeiture Unit. The US Secret Service is also involved, with 302 cases involving digital assets and at least 535 seizures of digital assets valued at more than $113 Million at time of seizure.  The US Secret Service is also a top trainer of state and local law enforcement via the National Computer Forensics Institute (NCFI) headquartered here in Hoover, Alabama! They also operate a Digital Assets Awareness Hub to educate the public on crypto risks. 

Regulatory Agencies also play their part, with FinCEN working to enforce Bank Secrecy Act (BSA) guidelines and regulations related to Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) requirements. Treasury manages the OFAC office, which includes sanctioning mixer and state-sponsored crypto hackers. The SEC regulates crypto scams that are structured as "investment contracts, such as BlockFi Lending LLC or the DeFi Money Market. The Commodity Futures Trading Commission (CFTC) regulates the trade of commodities in interstate commerce. They have brought 50+ enforcement actions against organizations such as Coinbase, Payward Ventures (Kraken), Blockratize (Polymarket).  BitMEX is one cryptocurrency derivatives exchange targeted for CFTC enforcement, after $209 Million in darknet market transactions were cashed out via BitMEX, who paid a $100 Million fine, with three co-founders pleading guilty to criminal charges and paying a $10 million fine. 

One last organization of note is IVAN, the Illicit Virtual Asset Notification platform, being built by FinCEN and the FBI's National Cyber Investigative Joint Task Force. The goal of IVAN is to be a public-private information exchange to allow industry to collaborate on timely detection and disruption of the use of virtual assets in furtherance of illicit activity. 

Requests for Legislation 

The Justice report does make several requests for additional legislation, in five categories: 

  1. extend the prohibition against disclosing subpoenas (currently in effect for financial institutions) to VASPs (Virtual Asset Service Providers), strengthen the laws against operating an unlicensed money transmitting business, and extend the statutes of limitations from 5 to 10 years for certain crimes. 
  2. support for initiatives that would aid investigators in gathering evidence
  3. strengthening sentencing guidelines for certain BSA violations
  4. extend BSA record keeping rules to VASPs 
  5. ensuring that law enforcement has resources to conduct and staff sophisticated digital asset-related investigations. 
The details for this legislative proposals are in section IV of the report, LEGISLATIVE AND REGULATORY ACTIONS THAT COULD ENHANCE EFFORTS TO DISRUPT, INVESTIGATE,

International Considerations 

One of the main observations of the report on International Law Enforcement Cooperation is the standard complaint that the Mutual Legal Assistance treaties are too slow, and that faster methods of international law enforcement cooperation, such as the "24-7 Network" often do not have a standard way of sharing requests regarding Virtual Asset Service Providers. (VASPs). 

Next, while the western-friendly nations of the world have largely standardized cybercrime laws under the Budapest Convention on Cybercrime, the way in which the nations of the world define, regulate, and enforce actions against VASPs are varied and inconsistent.  Under the concept of Dual Criminality, where one nation may only ask another to enforce laws which are similar in both countries, much of crypto-crime enforcement lacks such standards. 

While the Cybercrime laws may not have caught up, the International body that deals with Anti-Money Laundering, FATF or the Financial Action Task Force, are clear thought leaders on the Virtual Assets guidelines. (We wrote about FATF in 2019, please see: Money Laundering and Counter-Terrorist Financing: What is FATF? ) Unfortunately, as of July 2021, only 35 participating nations had implemented the FATF suggestions regarding virtual assets and VASPs into their national laws. 

My favorite part of the "Strengthening International Law Enforcement" report is Annex B: "Examples of Successful Cross-Border Collaboration on Digital Asset Investigations." 

Liberty Reserve
Silk Road 
Operation Bayonet (AlphaBay and Hansa)
Dream Market
Wall Street Market 
Welcome To Video 
Operation DisrupTOR
Hydra Market 
Twitter hack 
Sodinokibi/REvil Ransomware 
NetWalker Ransomware 

For each example above, details are shared about which international law enforcement agencies partnered with which US agencies in order to reach the successful resolution.  Inspiring reading! 

Monday, September 12, 2022

Chidozie Collins Obasi - COVID Fraud & Work at Home Scams

On September 9, 2022, the FBI's Philadelphia office asked for help locating Chidozie Collins Obasi.  OBASI is charged with being part of a conspiracy to steal more than $30 Million related to COVID Fraud out of New York.  How did the scam work? Much of it goes back to a typical model = a fake job offer and a counterfeit check.  But in this case, there was much more!

During the COVID-19 crisis, the New York State Department of Health was responsible for buying and allocating ventilators to hospitals in the State of New York.  Two of their hospitals will be relevant in this case. Guthrie, a non-profit health care system based in Sayre, Pennsylvania, but operating two hospitals in New York, and Northwell Health, another non-profit healthcare network at that time the largest provider of rehab and nursing facilities also providing urgent care, hospice care, and home health services. 

Part of the scam conducted by OBASI was to offer for sale three ventilator products sold by the German company Draeger, Inc, with a U.S. headquarters in Telford, Pennsylvania.  Their three most popular ventilators for sale in the US were the Evita 300 ($15,000), the Savina 300 ($17,000) and the Evita V500 ($21,000).  

A few websites were used as part of this scam.  Tawada Healthcare in Indonesia (, MedWOW Ltd. Global, of Cyprus (, Zhejiang Tiansong Medical Instrument Company ( 

Members of OBASI's conspiracy opened bank accounts at foreign banks in China, United Arab Emirates, and Indonesia. They then registered look-alike domain names that appeared to be the domains for Tawada Healthcare, MedWOW, and Tiansong Medical. OBASI and team then made false identities and claimed to be employees in the spoofed companies, including Luiz Alfredo, Marc Alfredo, and others. 

OBASI used a spam-sending service based in the Ukraine ( and VOIP accounts created via TextMe and TextNow to allow them to use French and US-based virtual telephone numbers that would route to their real devices. 


OBASI then sent thousands of emails to job seekers in the United States offering them employment at one of the spoofed companies. They explained that because their companies were overseas and had no US bank presence, they needed to hire them to accept payments on behalf of their North American customers. The new "employees" were thus duped into acting as money mules for the scammers, opening up bank accounts or allowing their own accounts to be used to receive funds, for which they would receive a commission in addition to their "salaries." 

The new employees would received counterfeit checks being sent from a co-conspirator in Canada and were instructed to deposit the checks into their personal accounts. The checks were delivered via companies such as DHL and FedEx. The funds from these checks, which the employees believed were payments for ventilator sales, were then instructed to be wired to the international bank accounts OBASI and others maintained overseas.  The employees received more than $11 million in such checks although only $1,005,227 was forwarded to OBASI's crew. The work-from-home scam aspect ran from approximately September 2018 through March 2020.


Beginning in March 2020, OBASI's crew noticed the shortage of ventilators and determined that they might make more money by claiming to have a large supply of Draeger ventilators for sale to US companies.  Their next round of work-from-home scams were to recruit medical sales professionals to act as their agents to sell the ventilators, which this class of employees believed were held in large numbers by Tawada Healthcare. OBASI took the role of researching how such ventilators were normally sold, using false identities to reach out to Draeger asking questions about their ventilators. He then created price quotes and sales contracts, along with letters of guarantee, claiming that Tawada Healthcare (who he represented as "Marc Alfredo") had the ventilators in stock and were ready to sell them. 

The French TextNow telephone number was listed as a reference account of a happy French customer who had worked with Marc Alfredo and had been pleased with the ventilators he had purchased. American customers purchased the ventilators from OBASI's "work-from-home" sales crew who received payments and then wired the money forward, less their commission, to OBASI's bank accounts in Hong Kong. 

Between March 2020 and April 2020, they prepared offer letters for $286,800,000 worth of Draeger ventilators!  $30,689,560 were actually sent to OBASI and his crew, solely by the State of New York!

SBA's COVID-19 EID Loan Program 

The third phase of OBASI's crimes was to steal the identities of American citizens, which they had in abundance because of all of the "job applications" that they had received.  Using this information, OBASI's crew then applied for money from the US Small Business Administration's EID Loan Program. The loan processor, based in Des Moines, Iowa, sent the funds to the "employee's" bank accounts, however the employees believed that these were also payments for Draeger ventilators being purchased from Tawada Healthcare, who they believed was their employer.  These funds were then forwarded to bank accounts operated by OBASI and others via Western Union or wire transfer to a bank account in Tangerang, Indonesia. 

55 fraudulent SBA COVID-19 EID Loan applications were paid out, each to a different stolen identity, totalling an additional $455,300 in fraud, of which $277,400 was successfully transferred to Indonesia. 

Domains used: 

mailzj-tainsong[.]com - used to spoof Tiansong Medican 

mailmedwowglobal[.]com = used to spoof MedWOW = (the Luiz Alfredo account) 

emailthc[.]com = used to spoof Tawada Healthcare 

863-855-3342 = a TextMe VOIP number (the "Alfredo Phone") 
marcalfredo@emailthc[.]com = the fake Marc Alfredo's email 
marca@emailthc[.]com = another fake Marc Alfredo email = spam accounts used to hire and interact with employees = a fake account of "Bill Cartu" posing as a MedWOW customer = a fake company "Albert Scott Breese / Black Diamond Investment Company of Santa Monica, CA" = John Albin was an alias used by the Canadian Co-conspirator to communicate with "Marc Alfredo" regarding where checks should be sent. = used to fraudulently imitate the FBI

More Technical Details 

An example of the use of Snov[.]io was an email on 15MAR2020 sent to 162 US persons from asking "Hi, I'm wondering if you're getting my email regarding a contract position." 

If they replied, they would then received emails from "marcalfredo@emailthc[.]com" explaining more about the job at Tawada Helathcare, offering a 5% commission on any sales, and their role in receiving payments from North American customers. 

In order for the quotes being sent to look realistic, OBASI interacted with the real Tawada Healthcare, claiming to be "Dr. Collins" from the University of Rochester and asking for an Urgent quote for Evita 300 and Savina 300 ventilators. 

OBASI also contacted Draeger to get quote information, using the name "Collins Obasi" in the quote request and claiming to be an employee of Northwell Hospital.  In response to questions received from potential customers, he asked several more technical questions in future correspondence, 

Using these quotes as a template, OBASI crafted false quotes for among other things: 

20 ventilators to GUTHRIE for $340,000 
70 ventilators to GUTHRIE for $1,190,000 
35 ventilators to GUTHRIE for $595,000 
100 ventilators to NORTHWELL for $1,600,000 
500 ventilators to State of New York for $19,000,000 

KeyBank was one that challenged an outbound wire to the Bank of China HK LTD that was going to "Hong Kong Murphy Trading Co Limited." 

They received a reply stating: 

"I Surya Darma, accounts officer for Tawada Healthcare lakarta, Indonesia authorize that we did request funding of $12,637,660.00 to be wired to the Bank of China HK LTD for a beneficiary named Hong Kong Murphy Trading Co Limited. These funds are for a purchase order for ventilators by New York State Department of Health as delivery is of the utmost important due to the Covidl9 crisis. Please kindly expedite the wire urgently."

and .... they sent the money. (April 1, 2020) 

That same day "marcalfredo@emailthc[.]com" emailed an employee of the State of New York a signed purchase order for 2,000 Draeger ventilators from Tawada Healthcare for $38,004,000 and asked for a 50% deposit to be sent from the State of New York's KeyBank account (ending in 0026) to an "employee" account at KeyBank ending in 4326. 

A wire was sent by that employee on 02APR2020 to Bank of China HK LTD for $18,051,900 - the $19,002,000 requested minus the "employee's" 5% commission. 

Things get really crazy then when OBASI has one of his team make up an FBI Special Agent named Terrence Andrews, of the "International Funds Transfer Monitoring" department of the Albany Field Office asking him to call him back on OBASI's TextOne number to discuss "recent transactions and dealings with a foreign company.  That email came from "" 

Another co-conspirator then became "FBI Special Agent S.N. of Philadelphia" and instructed that they should only discuss the charges by reaching him at 267-792-1272 using passcode "Operation Covid19" and that they should not speak to anyone else at the FBI except him.