Thursday, August 11, 2022

Three UK-based Nigerian BEC Scammers Used Construction Intelligence Service to Target Victims

 On 10AUG2022 three Nigerians were extradited from the UK to the US to face charges related to their roles in conducting Business Email Compromise (BEC) attacks against a number of US-based businesses.

43-year old Oludayo Kolawole John Adeagbo, 40-year old Donald Ikenna Echeazu, and 42-year old Olabanji Egbinola were brought to North Carolina to face their charges, although some of their crimes were also charged in Texas and their victims are across the United States and the world. 

The three were linked together by exchanging data related to construction companies who were involved in multi-million dollar building projects, and whose emails they were able to acquire through phishing attacks against targets they had purchased from a commercial intelligence service intended to be used by potential sub-contractors. 

BEC's through Look-alike Domains

Victim A notified the FBI that someone was spoofing Victim B, by sending emails from the address "accounts@lucasconstruct.com." (The real company, Lucas Construction, in League City, Texas, uses the domain "lucasconst.com".)  In one email, a victim received an appropriate form that their company used for updating banking information.  The email sender was clearly familiar with their processes, as the email said: 

Please find attached our completed ACH form and a copy of a voided check as requested. Kindly let us know once updated. 

After processing the change of banking information, Victim A sent the next construction payment of $525,282.39 to a SunTrust bank account rather than to Lucas Construction!

Victim C, a community college in the Houston, Texas area, had a similar experience, resulting in sending $1,995,168.64 to a PNC Bank account controlled by criminals after receiving a similar request to update their records from "accounts@tellepsengroup.com."  The real domain (Victim D) should have been tellepsen.com, a four generation family owned construction and concrete company in Houston.  

Victim E, a county government in Texas, sent $888,009.40 to a JPMorgan Chase account after being asked to update the banking records via an email from "accounts@dwcontractorsgroup.com." 

All three of those domains were registered by NameCheap by "Daniel Roberts" who used three different email addresses for the domains.  danielroberts604@mail.com, danielroberts605@mail.com, and danielroberts606@mail.com.  Additional domains, including TellepsenGroup.com, D1construct.com, and SouthWoodBuilding.com were also created by the criminal -- close imitations of the real domains, tellepsen.com, d1construction.com, and southwoodbuilders.com. These domains were used to target additional victims with BEC attempts via bank record "update" requests.

The Texas FBI investigators learned that danielroberts604 was also linked to an investigation being led by FBI Charlotte, North Carolina, where he had used the domain rodgersbuildersinc.com to do a similar scam, as well as another Texas scam using the domain leelewisusa.com to steal funds from a school system in Dallas, Texas. 

North Carolina was able to add another victim to the case - Appalachian State University, from which ADEAGBO and ECHEAZU were able to steal $1,959,925.02 using a similar methodology.  The two recruited a money mule in Los Angeles, California, Ho Shin Lee, who agreed to register a company "Royce Hub Trading" and open a JPMorgan Chase bank account in the same name. Funds stolen by imitating North Carolina based "Rodgers Builders" were stolen after sending emails from "accounts@rodgersbuildersinc.com" to change the banking information.  (The real company uses the domain rodgersbuilders.com.) 

Construction Market Data

The scammers had subscribed to a service operated by Construction Market Data (CMD), which provided contact information related to "hundreds of thousands" of commercial and civil construction projects. 

CMDGroup.com 

CMD allows a contractor to request a list of new projects being built in their area and provides contact details for decision makers who may want to hire various specialty sub-contractors and who have recently been awarded large contracts.  Although it is not specified in the court documents, it is likely that the scammers sent phishing emails to construction companies listed as being involved in multi-million dollar projects and then created look-alike domains for those targets where they were able to begin monitoring the victim's email messages for opportunities to introduce themselves into a mail stream from one of their "look-alike domains."  This may be accomplished by planting malware, but is often accomplished through adding "email forwarding rules" to the victim's account which sends financially relevant emails back to the criminal.

CMD provided data to the FBI, indicating that the relevant records had been requested by one John Edwards who listed both a US and UK address: 

  • 1270 Hasen Hurst Drive, Apt 12, West Hollywood, CA 90046
  • 14 College Gardens, London, GB e47ALG

and who used the email JohnEdwards79@yahoo.co.uk.  The associated telephone number +44 797.335.9482 belonged to ADEAGBO.  JohnEdwards79 was actually an alias to the email account OludayoAdeagbo@yahoo.co.uk. 

Adeagbo was found to possess three passports, a Nigerian and British passport in his true name, listing the birthday 06APR1979, and a second UK passport in the name "John Edwards" b. Nigeria on 06APR1979. 

Prior to his involvement in BEC, the BBC reported that ADEAGBO was part of a car-theft ring that used stolen identities to allow them to drive off in Jaguars, Mercedes, BMW's and Porsches. Calling themselves "the iPod Crew" Adeagbo's car theft ring stole 70 luxury automobiles worth $1.8 million over a ten month period in 2001.  Adeagbo told the BBC in 2004 that he served a 2.5 year prison sentence during which he "found God" and that he was "trading crime for Christianity." 

JohnEdwards and DanielRoberts were both found to have used the same IP addresses to access a variety of online accounts which all provided IP history to the FBI, including Apple, Yahoo, LocalBitcoins.com, and Namecheap. OludayoAdeagbo@yahoo.co.uk also had bank statements in true name for his Santander bank accounts. 

The CoinBase account for JohnEdwards79, was actually confirmed to a different person!  Donald Echeazu, who used the email diecheazu@yahoo.co.uk and phone 7837887959.  Although Coinbase had two photos on file for JohnEdwards which were consistent with Adeagbo, the third photo matched the UK Passport of ECHEAZU. 

Homeland Security Investigations (HSI) and Customs and Border Patrol (CBP) learned more when they searched the phone of another co-conspirator as he entered the country.  In that phone, he chatted with ADEAGBO's known UK telephone number, labeled "John Dayo" in his contacts, about bank accounts which he was providing. ADEAGBO instructed him to open up a JPMorgan Chase account in order to receive funds.  They discussed a bank transfer where they had expected to received 12 Million (currency unspecified) but were only able to take 8 million.   

Photos that were shared in the account, showing ADEAGBO in a Porsche, were found to match a car that he was driving when he was ticketed in London (a black Porsche.) 

Another chat in the phone showed a Bank of America account (#32508061285) in the name "Oludayo Kolawole John Adeagdo" using the address 1270 Havenhurst dr Apt 12, West Hollywood, CA 90046. 

The Bank of America account had been used to pay $4,510 in several payments in order to receive business information for individuals in North American construction companies from the aforementioned CMD. 

Olabanji Egbinola

The final party in the group of extradited scammers, Olabanji Oladotun Egbinola, was tripped up in exactly the same way.  Having likely received construction data from the same source (CMD), Olabanji used the email address "accounts@kjellstromleegroup.com" to imitate the real Richmond, Virginia-based company Kjellstrom and Lee.  Using the name "Rachel Moore" Olabanji interacted with the University's Treasury department acting as if a payment was missed and then providing new bank details to fix the problem.  As a result they wired the next construction payment of $469,819.49 to the new bank account at the Bank of Hope. 

The bogus domain was registered at NameCheap by "bridgetclark" who also registered more than 50 other domains with namecheap, each "deceptively similar to the Internet domain names associated with legitimate construction companies." Because "bridgetclark" was using a TOR-based cryptocurrency wallet to obscure his true location, the FBI pursued a Rule 41(b)(6)(A) search warrant.  Rule 41(b) allows a search warrant to be issued from any US jurisdiction if the location of the target has been obscured using technology and to use technology to seize data from such a targeted computer.   In the FBI's case, this is referred to as a NIT, or a Network Investigative Technique. After receiving the court's authority, the FBI sent a NIT-laden email message to accounts@kjellstromleegroup.com, which was used to determine the account was being operate from a computer at the IP address 86.191.189.88, a British Telecom IP in the UK. BT was then able to provide UK law enforcement with the subscriber identification of that IP address and it was found that subscriber Samiat Egbinola in Essex shared the residence with OLABANJI OLADOTUN EGBINOLA. 

Egbinola had been previously arrested in 2008 for money laundering in the UK and had previously traveled to Los Angeles, California, when he used the email address aegbinola@gmail.com for his point of contact going through customs. A review of the email account, which had been active since 2008, showed that he was in regular communications with the scammers listed above on their yahoo.co.uk addresses. 



Monday, August 01, 2022

Please stop calling all Crypto Scams "Pig Butchering!"

 Lately there has been a media-driven craze in the fraud community to call every crypto-investment scam "Pig Butchering."  I hope you will join me in canceling that term after you read this article.

The term "Pig Butchering" comes from the Chinese term 杀猪盘 (Shā zhū pán or "butchering plate.") While the term has been used in Chinese media since at least 2018, it really became famous after the courageous actions of a human trafficking victim who was caught up in the game.

Hao Zhendong (郝振东) was recently divorced and had lost custody of his daughter as he was facing personal financial challenges and could not care for her.  During his time of desperation, he received a message from his uncle.  The uncle told him that he should come to Myanmar and join him at his work.  He claimed that Zhendong would be able to easily earn 60,000 to 70,000 yuan per month. 

Image from "Talking to Strangers" interview 

Late in 2020, Zhendong traveled to the Yunnan province of China where he paid smugglers to help him cross in to Myanmar.  After traveling with them for several days, he was forced to march through the jungle and up a steep hill for six hours.  When he arrived, he found he was in a work camp.  In his words, he says he realized he had "fallen into a wolf pit." The work camp was an industrial park where various call center employees worked scams. 

The northern region of Myanmar has four special zones, including "Wa State." So many Chinese people have moved to Wa State that Chinese is actually one of the official languages.  The corrupt local government, having no natural resources, opened their arms wide and welcomed criminal enterprises, which they call "foreign investors" to set up call centers. Under local law in Wa State, Myanmar, telecommunications fraud is not a crime. So many scammers have moved to the region that the government has even "rented" entire schools to be used as scam call centers.  The Myanmar government estimates that there are 140,000 Chinese living in the region, and that most of them are engaged in telecommunications fraud.  Similar to other forms of human trafficking, the men are only allowed to leave if they pay back the "investment" that their controllers have made in them.  The fee to leave ranges from 50,000 to 120,000 depending on how long you have worked. If you can't pay the fee after three months, you have six months added to your stay, with armed guards preventing you from leaving the work camp.  Many do go back to China, and enough go back with money for houses, cars, and a wife, that others are tempted into following in their footsteps.

Zhendong says that he often considered attempting to flee, but northern Myanmar is an "extrajudicial land" and Chinese people are regularly kidnapped and killed there with no consequence to their attackers.  One man who attempted to flee was forcibly returned to the camp, with the fingers on one hand amputated. 

In the work camp where Zhendong was enslaved, there were three buildings.  Two were dormitories and the call center was housed in the "Science and Technology Building." Each team was assigned to different topics.  Some worked lottery scams, others foreign currency exchange scams, naked chat / extortion scams, pornography scams, etc.  But Zhengdong was assigned to a "pig-killing gang." 

He was provided a manual which described his role.  His job was to target victims on the Internet and use emotions to convince them to invest their entire net worth in illegal online gambling.  His job as a "recruiter" for these scams was referred to in the manual as a "dog pusher" (“狗推” Gǒu tuī.)

He was provided three mobile phones and three "love story" script books.  His job was to find wealthy single or divorced women on social networks, and add at least two to his chat each day and build a romantic relationship with them online.  Once they were suitably "hooked" into his romance, he was supposed to turn them over to his team leader, who had 30-40 "dog pushers" under him to "kill." If the victim provided more than a million dollars, there was a celebration and the dog pusher was rewarded extravagantly. 

While he was learning the role, "the company" became very excited about a successful scam that one of the other dog pushers had accomplished.  He had convinced a young woman in Shanghai to invest her entire life savings - 2.92 million yuan - and when she realized she had been scammed, she committed suicide by jumping off a roof.  Another woman was convinced to sell her car and her house in order to invest more.  While the company thought these were great examples to emulate, Zhendong's spirit died.  He realized that he had to try to do something about this. 

On one point, his uncle had been telling the truth.  The company used cash bonuses as incentives, and each month they would spread millions of yuan on the table and pay out bonuses.  Some made the equivalent of hundreds of thousands of dollars in bonuses.  But Zhendong couldn't do it. 

He began sneaking up on the roof, using a stolen phone, and messaging his victims - explaining to them that he was enslaved and being forced to scam them.  Because he was failing to earn, his controllers were becoming very angry with him and his life was actually in danger. 

A potential victim, Yang Yu, changed things for him.  When he called Yang Yu to warn him, Yang Yu asked him "How can I help you get home?" In order to protect Zhendong, Yang Yu passed him money that he could give to his controllers as proof that he was working. Then Zhendong stole a list of victims from the company and urged Yang Yu to take it to the police. 

In February 2021, she took a list of 18 victims to the Anti-Fraud Center of Nanchang Public Security Bureau. 

Tao Jiangjiang, the leader of an Electronic Fraud task force who helped Zhendong get home

Tao Jiangjiang began to communicate with Zhendong and a rescue mission was arranged through the Yunnan police, working with an informant in Myanmar.  Despite being advised not to take any risks by Tao Jiangjiang, Zhendong felt that he could not leave empty-handed.  He worked to observe the password his Pig Killer boss used to log in to the company server and late one night logged in and wrote down as many names as he could.  When he arrived back in China, he had a list of 105 additional victims with him who were contacted and assisted by the Chinese police. 

There was a dramatic event at the China-Myanmar Nansha Port when Zhendong recognized a man from the company chasing after him.  When armed Chinese police took custody of Zhendong, the company man backed off. After this, Zhendong did many media interviews, some alongside the Electronic Fraud police, which helped to popularize the term "Pig Butchering." 

While there are definitely "Dog Pushers" and "Pig Killers" who are targeting the Chinese ex-patriat community, unless your scammer is speaking Chinese from a call center in Myanmar, you may be a fraud victim, but you are not a victim of "Pig Butchering." 



The main sources for this story were the Chinese versions of Zhendong's misadventure, especially these two: 

荐见 | 反水、救赎、卧底:逃出缅北“杀猪盘”

(Rebellion, redemption, and undercover work: escape from the "pig killing" center in northern Myanmar - an article by “荐见美学” ) 

and

误入杀猪盘团伙后,他偷出了105名受害者名单丨和陌生人说话

("After accidentally entering the pig killing gang, he stole a list of 105 victims" in the TenCent column, "Talking to Strangers" - if you speak Chinese there is a great interview here!) 




Wednesday, July 20, 2022

Nigerian Money Transfer Company Linked to Romance Scam Money Laundering

On July 7, 2022, the US Attorney for the Northern District of Texas announced that Ping Express had been found guilty. Prior to this, their CEO Anslem Oshionebo*, their COO Opeyemi Odeyale (now imprisoned at the Danbury Federal Correctional Institute, 60177-177), their IT Manager Aleoghena Okhumale (now imprisoned at the Fort Worth FMC), and Olufemi Sadiq (now imprisoned at the Pollock FCI) were arrested on March 10, 2020.

What was Ping Express? Ping was a small business, never having more than ten employees, which operated from 8585 N. Stemmons Freeway, Dallas, Texas. Their CEO was Anslem Oshionebo and their COO was Opeyemi Odeyale. Ping had a smart phone app and a website and advertised that its users could easily send money to Nigeria for a small fee. It operated by having money on deposit in Nigeria. When a US-based client requested a transfer, a hold was placed on the customer's bank account (similar to a hold placed when one rents a car or stays in a hotel.) Then Ping would transfer funds from its Africa-based wallet to the recipient's Africa-based bank account. When the transfer was completed, Ping would then request payment from the sender's bank account.

While this post is about the US-based aspects of Ping Express and their crimes, the company's Instagram page continues to advertise that individuals in many places can use their services, including the UK, Canada, and Europe.

During a three-year period examined in this case, Ping transferred more than 300,000 payments totaling $167 Million USD. During this time it did not file a single Suspicious Activity Report, although they did make some batches of reports under section 5318(g) in 2015, 2016, and 2019.

To maintain a business license in Texas, they were required to file a detailed business plan, including their statements regarding how they would comply with BSA/AML laws (Bank Secrecy Act and Anti-Money Laundering Act, including CFT, Countering Financing Terrorism). Among the rules that Ping established and conveyed to the state of Texas, they agreed to the following:

  • All first-time customer transactions are limited to $499.
  • Total monthly transactions cannot exceed $4500.
  • Further transactions are limited to $1800 each, with a $3000 daily maximum.

They also claimed that they had "automated velocity checks" and the ability to "track and block IP addresses" to help prevent violations.

The court records include a "Factual Resume" "in support of Ping Express US LLC's plea of guilty to the offense in Counts 1 and 2 of the Superseding Information."

Count One - "failure to maintain an effective anti-money laundering program" was proven by demonstrating the defendant acted willfully in failing to develop, implement, and maintain an effective anti-money laundering program.

Count Two - "operating an Unlicensed Money Transmitting Business"


In the Factual Resume, the Count One requirements which they failed to implement are stated as:

An "effective anti-money laundering program" which is required by law, requires that Ping Express establish one or more of the following minimal requirements set forth by regulations of the Secretary of the Treasury. The Guilty Plea confirms that they failed to do so:

a. Effective written policies, procedures and internal controls for one or more of the following:
i. Verifying customer identification
ii. Filing reports, such as suspicious activity reports
iii. Creating and retaining records

b. Designating a person to assure day-to-day compliance with the anti-money laundering program, including assuring that:
i. Ping properly filed reports, created and retained records, in accordance with applicable requirements, such as suspicious activity reports
ii. the [AML] program was updated as necessary to reflect new requirements

c. Provide education and/or training of appropriate personnel concerning their responsibilities.

Examples of AML Failures

Many specific examples are then listed, demonstrating the failures of Count One enforcement, in the Factual Resumes for Ping itself, and also for its CEO and COO who have also both pled guilty:
  • Fatai Okunola, a first-time customer, sent $1800 in January 2018
  • Raman Saliu, a first-time customer, sent $1800 in October 2017
  • Jeffersonking Anyanwu, a first-time customer, sent $1400 in March 2018

Between April 1, 2016 and June 30, 2018, 1500 different customers violated the maximum monthly transfer rules.

Okunola sent more than $6700 his first month, and broke the $4500 rule every month from January 2018 to November 2018. He sent $80,000 just in August 2018!

Anyanwu paid $17,000 through Ping, and broke the maximum monthly rule six times between March and November 2018, paying more than $10,000 in a month four times.

Another customer broke the rule six times from October 2016 through June 2018.

Okhumale, who worked for Ping as their IT and Technical Support Manager, broke the monthly rule three times, paying $25,000 just in October 2018.

The daily rule was also largely ignored. Okunola violated the $3000 daily limit 45 times, and sent more than $5000 in a day 20 times! Okhumale, the Ping employee, sent on three consecutive days in October 2018 $4600, $5200, and $3600! Collins Orogun sent more than $3000 per day 60 times between November 2018 and December 2019, totaling more than $300,000!

Although Ping claimed that they used the IP address of the customer to ensure that they lived in a state where Ping was licensed to do business, and required customers to submit a utility bill from a company where they were licensed to do business as proof of residency in that state, they frequently ignored this rule. Ping was only licensed to do business in Georgia, Maryland, Texas, Washington State, and Washington D.C.

  • Joseph Kadiri, a Ping customer, sent $216,000 claiming to be in Texas or Maryland, when in fact he resided in New York and Michigan where Ping is not licensed. He violated the daily limit 20 times and the monthly limit twice.
  • Isaac Omohake, a Florida resident, sent $469,000 through Ping, which is not licensed in Florida. He violated the daily limit repeatedly, and in November 2018 sent $78,000 in one month.
  • Taiwo Akinsanmiju, an Indiana resident, started sending funds at age 17 (a violation) and sent $220,000 to 85 different named individuals!
  • Ayodeji Jegede, an Ohio resident, sent $468,000 through Ping, violating the first transaction rule, the monthly rule (twelve times from June 2018 to June 2019) and in May 2019 sent $69,000 in a single month!

Investigators found that Ping's top 100 customers sent $19,400,000 from March 2016 through September 2019, and that 2/3rds of these customers were from "unlicensed" jurisdictions. Ping was fully aware that these customers lived in unlicensed states. When the Ping offices were search on March 9, 2020, 130 customer shipping labels were found for statements being sent to unlicensed states. Just those customer's transactions were $4,000,000!

The laws in this area are United States Federal Code Title 18 Section 1956, the Anti-Money Laundering Law, and Title 18 Section 1960, the Prohibition of Unlicensed Money Transmitting Business Law. The first states that you may not process funds that you know or should know are derived from certain specified criminal activities. (There are 200 such illegal activities specified in the law.) It specifically states that you cannot allow yourself to be "Willfully blind" to the source of funds. Detailed guidance, often called "Know Your Customer" or KYC, is provided for how to recognize and report suspicious activities.

As examples of transactions from unlicensed states, Ping processed for residents of:
  • Nevada: $476,000
  • New Jersey: $234,000
  • Utah: $1,500,000
  • West Virginia: $507,000
  • Connecticut: $626,000

When a customer entered their street address at registration, Ping willfully chose to not include the City, State, or ZIP code in their records if the customer was not in a licensed location, storing only their street address.

Ping's Execs and Investors

Ping's Chief Operating Officer, Opeyemi Odeyale, was well aware of US banking law. Prior to Ping, Odeyale earned an MBA from Edinburgh School of Business and held jobs at Pricewaterhouse Coopers, JPMorgan Chase, Oceanic Capital, BNP Paribas, and Barclay's Bank.

During the time he was running Ping Express in the United States, he also served as a director in the British firm "PayZen Limited" from 25JUN2013 through 03DEC2020 (recall he was arrested in March 2020.) His fellow officers at PayZen included Adekanmi Olaolu Adedire, Robert Aghadiuno (IT Consultant), and Anslem Oshionebo (Financial Consultant), his CEO at Ping. Notably, Payzen was originally incorporated as Fiem Ltd but changed its name on 10FEB2020. Texas records also indicate that Ping Express originally operated as Fiem Group, LLC, and bank accounts in the name of Fiem Group are on the Forfeitures list below! On 01FEB2017 Opeyemi Odeyale filed papers with Companies House indicated that his nationality had changed to "British." When the British company was first incorporated (as Clicks FX Limited), he had given his date of birth as 14FEB1979 and his nationality as Nigerian.

Ping's Chief Executive Officer, Anslem Oshionebo, began his career with an MBA from Seton Hall University's Stillman School of Business. His LinkedIn page says he worked at PriceWaterhouse Coopers for 14 years, working his way from Senior Associate to Manager, and then Senior Manager, at least partially in Los Angeles. He then worked at Riveron Consulting as a Principal in the Dallas/Fort Worth area before co-founding Ping Express in 2014. His Crunchbase profile says that his areas of practice at PWS included "Compliance regulations and financial forensics!" Anslem's domain "anslemoshionebo.net" has articles he has written on philanthropy and diversity, while his anslemoshionebo.medium.com page has articles about what books Entrepreneurs should read and a five part series called "Challeges of an Immigrant" (which were mostly written AFTER he was arrested!)

In April of 2017, Synergy Capital Managers, a Mauritius-based private equity firm, made an investment in Northstar Finance Services Limited, "a financial services platform providing solutions across the financial service value chain in select countries across West Africa." Northstar was said to be managed by Obafami Alonge and Bolanle Oduyale, In Synergy's announcement, Northstar's CEO said that with this investment the company now had a "majority stake" in Safetrust Nigeria, Northstar Home Finance, Avance Insurance, Ping Express Inc., and Fast Credit Limited. PWC, where Oshionebo worked for so long, was said to be the advisor to Synergy Capital "on Financials and Tax due diligence."

This comes to play in that if Ping had "foreign investors" they are required to disclose those.  When the Texas Director of Banking gave the license, they claimed to be based entirely in Texas.

Top Customer: Collins Orogun, Romance Scammer and Money Launderer

Collins Orogun, a Texas resident, paid Ping more than $800,000 which included $220,000 in wire transfers during a six-month period in 2019. Ping only reported $292,500 of these transmissions. (Collins was released from prison on 12MAR2020 for prior charges but has another sentencing hearing in October 2022 for the current charges.) In his guilty plea, Orogun admitted that he received funds from people "all across the United States" in forms including cash, money orders and checks. He then deposited those funds into his accounts, including at JPMorgan Chase, both in his true name and as "Collins Enterprise", at Navy Federal Credit Union, at Wells Fargo Bank, both in his true name and as Orogun Enterprises, and at BBVA.

His JPMC accounts received $120,000 in funds, which he sent out through Ping in 13 transactions. In another example, he received $26,500 "in currency and money orders" between November 29, 219 and December 31, 2019. He sent these funds out via Ping in six $5,000 transactions. In his Navy FCU account, he received $530,500 in "currency and money orders" and sent a wire transfer of $218,500 out. He also sent $192,600 via Ping in 68 transactions. His first Wells account received $87,171 in deposits, sending $65,610.56 of those out via Ping. His second Wells account received $157,578 in deposits, of which he sent $82,367 out via Ping. His BBVA account received $144,808 in deposits, of which $140,000 was sent out via Ping.

Some of his Romance Scam victims included:

$40,000 into BBVA that came from "D.M." a senior citizen in California who sent the money to facilitate the sale of an estate in Nigeria. He believed that he was helping to repair an estate which would be then sold for $570,000,000, and that he would receive a large repayment when the estate was sold.

"P.L" from Indiana believed her $6,309 was sent to "Thomas Ken" an Irish sea captain with whom she had a romantic online relationship. The funds were supposed to be used to repair his ship. She took out a title loan against her vehicle and wired the money to Orogun Enterprises. The captain immediately asked for more funds afterwards.

"D.N." a 59 year old in Indiana sent $2300 to the BBVA acount, believing that "Carson Steve Jacks" an oil roughneck working in the Gulf of Mexico needed the funds because he had contracted malaria and couldn't work. He later asked for an additional $15,000. The couple "fell in love" via Google Hangouts.

These three had all agreed to testify at trial, prior to Collins changing his plea to Guilty on June 28, 2022.

Additional Factors Violating Texas Department of Banking License

The Texas Department of Banking found many more reasons for considering revoking Ping's business license, including:
  • Ping stated that they had no "authorized delegates or agents" yet Nimerex claims to be Ping's agent and has Ping letterhead documentation appointing them as Ping's agent.
  • Ping claimed to have no foreign affiliates, but had received $160,000 from a Mauritius-based account in the name "Ping Express (Mauritius) Ltd." "for the benefit of Fiem Group LLC" and a $280,000 wire from a British account in the name Ping Express CM.
  • Ping claimed to be sending "small remittances" back to Nigeria, but had sent $1,600,000 in large round number wire transfers to business bank accounts in Nigeria (at First City Monument Bank and Wema) for "marketing" and "consulting" payments.
  • Ping received $49,000 in wire transfers from the company "Date2Marry LLC" and an individual connected with that LLC.

These details came out during a search of Olufenwi's phone as he returned to California from England. The phone also documented a five year "currency exchange partnership" between Ping and "Wilfobs Bureau De Exchange Limited" in Nigeria involving multiple foreign bank accounts for Ping. Ping had disclosed in previous reporting to the Texas Department of Banking that they had no bank accounts outside U.S. borders and thus were not required to file a Foreign Bank Account Report.

Chats on Odeyale's phone made it clear he was trying to avoid AML and Suspicious Activity detection as he received foreign funds. An example:

Forfeitures ordered by the Court

Forfeiture Notice:
  1. Approximately $10,601.52 in funds seized from the JPMorgan Chase Bank account with number ending in 2885 in the name of Collins Ogaga Orogun.
  2. Approximately $3,679.78 in funds seized from the JPMorgan Chase Bank account with number ending in 8900 in the name of Collins Ogaga Orogun dba Collins Enterprise.
  3. Approximately $42,873.96 in funds seized from the JPMorgan Chase Bank account with number ending in 1223 in the name of Ping Express LLC.
  4. Approximately $1,385.13 in funds seized from the JPMorgan Chase Bank account with number ending in 2686 in the name of Ping Express LLC.
  5. Approximately $13,269.69 in funds seized from the JPMorgan Chase Bank account with number ending in 5397 in the name of Crusaders Health and Wellness LLC.
  6. Approximately $3,010.72 in funds seized from the Navy Federal account with number ending in 2248 in the name of Collins O Orogun.
  7. Approximately $8,307.53 in funds seized from the Wells Fargo Bank account with number ending in 4593 in the name of Anslem Oshionebo.
  8. Approximately $369.82 in funds seized from the Wells Fargo Bank account with number ending in 4437 in the name of Blackbit LLC.
  9. Approximately $8,364.86 in funds seized from the Kasasa Tunes 0031 account at Neighborhood Credit Union for member number XXXX5691.
  10. Approximately $55,235.41 in funds seized from the Soho Business Checking account at Resource One Credit Union for member XXX1450 in the name of Fiem Group LLC.
  11. Approximately $37.40 in funds seized from the Bank of America account with number ending in 3918 in the name of Deyks LLC.
  12. Approximately $9.91 in funds seized from the Bank of America account with number ending in 3921 in the name of Deyks LLC.
  13. Approximately $14.15 in funds seized from the Bank of America account with number ending in 3947 in the name of Deyks LLC.
  14. Approximately $11.52 in funds seized from the Bank of America account with number ending in 3692 in the name of Deyks LLC.
  15. Approximately $29,198.23 in funds seized from the Capital One account with number ending in 2957 in the name of Aleoghena Okhumale.
  16. All funds seized from the account with number ending in 1891 at Silvergate Bank in the name of Wyre Payments Inc. deposited after February 19, 2020 from “5/3 BANKCARD SYS DEPOSIT; 5/3 BANKCARD; or WORLDPAY”. 
* - (Although Anslem was to surrender to be imprisoned on July 12, 2022, the Federal Bureau of Prisons Inmate Locator indicates he is not currently in custody.)