Saturday, June 30, 2018

Memphis BEC Scammers Arrested and At Large

The FBI announced another round of Business Email Compromise arrests this past week.  This time, a focus was in Memphis, Tennessee.  According to the Western District of Tennessee Press Release, "Eight Arrested in Africa-Based Cybercrime and Business Email Compromise Conspiracy", the individuals involved stole more than $15 Million!

The main indictment, originally filed in August 2017, charges 11 individuals with a variety of offenses related to their Business Email Compromise [BEC] crimes.


Count 1: 18 USC §1349.F - Attempt and Conspiracy to Commit Mail Fraud - penalties of up 20 years in prison and fines of up to $250,000, plus supervised release for up to 3 years.

Counts 2-8: 18 USC §1343.F - Fraud by Wire, Radio, or Television - penalties of up to 20 years in prison and fines of up to $250,000, plus supervised release for up to 3 years.

Count 9: 18 USC §§1956-4390.F - Money Laundering - Embezzlement, Other - penalties of up to 20 years in prison and fines of up to $500,000, plus supervised release for up to 3 years.

Count 10: 18 USC §371.F - Conspiracy to Defraud the United States - penalties of up to 5 years in prison and fines of up to $250,000, plus supervised release for up to 1 year.

Count 11-14: 18 USC §10288.A.F - Fraud with Identification Documents + Aggravated Identity Theft - 2 years incarceration consecutive to any other sentence imposed, plus fines of not more than $250,000.

1. Babatunde Martins (Counts 1,9,10,11)
2. Victor Daniel Fortune Okorhi (Counts 1,9,10)
3. Benard Emurhowhoariogho Okorkhi (Counts 1, 2, 3, 9, 10)
4. Maxwell Peter (Counts 1, 4, 6, 7, 8, 9, 10, 11, 14)
5. Dennis Miah - (Counts 1,9,10,11,13)
6. Sumaila Hardi Wumpini - (Counts 1,9,10)
7. Olufolajimi Abegunde (USM # 71343-019), (Counts 1,9,12)
8. Ayodeji Olumide Ojo (Counts 1,9,12)
9. Dana Brady (Counts 1,9)
10. James Dean (USM # 52637-076)  (Counts 1,9)
11. Javier Luis Ramos Alonso, 28,  (USM #24513-111) (Counts 1, 5, 9, 12)

In a separate indictment, Rashid Abdulai, was charged for much of the same, but with his key role being controlling five TD Bank accounts that were used to launder funds.

The primary victim in this case seems to be "Company A", a real estate company in Memphis, who is foolishly identified in the indictment through the carelessness of the author.  I've chosen to redact myself on that, but DAMN!  When you describe the company in such a way that there is exactly one such company on planet earth, you are failing to keep the faith of your victim companies.  Shame!

Fortunately, the indictment also shares a lot of details on the defendants:

RASHID ABDULAI, age 24
a citizen of Ghana, residing in Bronx, New York
controlled at least five TD Bank accounts

BABATUNDE MARTINS, age 62
email: papamart2000@yahoo.com
Company: Afriocean LTD
Nigerian citizen living in Ghana

VICTOR DANIEL FORTUNE OKORHI, age 35 -  *** STILL AT LARGE AND WANTED***
emails:  vicfoko@yahoo.com, VicdarycorriLTD@gmail.com, vicdarycomltd@icloud.com
Company: Vicdary Company LTD
Nigerian citizen living in Ghana

BENARD EMURHOWWHOARIOGHO OKORHI, age 39
emails: Marc.Richards@aol.com, benardokorhi@yahoo.com
Company: Coolben Royal Links LTD
Nigerian citizen living in Ghana

MAXWELL ATUGBA ABAYETA (AKA Peter Maxwell, AKA Maxwell Peter ), age 26
emails: petermaxwell200@gmail.com, sandarlin200@yahoo.com
social accounts: Facebook.com/maxwell.peter.5688
citizen of Ghana

DENNIS MIAH (aka Dennis Brown, AKA Dr. Den Brown), age 34 -  *** STILL AT LARGE AND WANTED***
 emails: JimRoyAirSeal1@yahoo.com, drdenbrown@yahoo.com
social accounts: Facebook.com/Oga.Bossson, Twitter.com/Oga.Bossson
citizen of Ghana

SUMAILA HARDI WUMPINI, age 29 - *** STILL AT LARGE AND WANTED***
email: hardi765_new@hotmail.com
social accounts: Facebook.com/Wumpini.Hardy
resident of Ghana

OLUFOLAJIMI ABEGUNDE, age 31
Nigerian citizen residing in Atlanta, Georgia

AYODEJI OLUMIDE OJO, age 35 -  *** STILL AT LARGE AND WANTED***
Nigerian citizen, lives with ABEGUNDE in Atlanta when in United States

DANA BRADY, aged 61
emails: bradydana50@gmail.com
US Citizen residing in Auburn, Washington

JAMES DEAN, aged 65
US Citizen, residing in Plainfield, Indiana

JAVIER LUIS RAMOS ALONSO, aged 28
Mexican citizen, residing in Seaside, California

D. G. -
emails: d2t2green696@gmail.com, d2t2green696@yahoo.com
US Citizen residing in Mississippi

J.R.
emails: LRIGNWM@yahoo.com
US Citizen residing in New Jersey

M.Z.
emails: CMIMIGO@aol.com
US Citizen residing in Utah

T.W. - US Citizen residing in Tennessee
J.B. - US Citizen residing in Alabama
C.M. - US Citizen residing in Tennessee (Western District)
C.W. - US Citizen residing in Tennessee
A.K. - US Citizen residing in Tennessee (Western District)
V.M. - US Citizen residing in Georgia

How It Worked

Martins, Maxwell, Bernard Okorhi, Victor Okorhi, and/or Miah would get the IP addresses of potentially vulnerable email servers and target them for intrusion.  Using US based IP addresses offered through VPN services, they would access a variety of websites, including credit card transaction processors and dating websites.  Their role in the conspiracy also included originating the spoofed emails that will be explained later.

Martins, both Okorhis, Maxwell, Miah, Wumpini, Brady, Dean, Ojo, and others would open bank accounts for receiving fraudulently-obtained funds and sending them to other accounts controlled by their co-conspirators.  

Because they had control of email accounts at Crye-Leike, they could tell when fund transfers related to real estate sales were scheduled to take place.  They would then spoof the email addresses of those involved in the transactions and send instructions causing the financial transfers to be redirected to accounts controlled by members of the conspiracy.

The funds were then laundered in a variety of ways, including using the funds to purchase goods, including construction materials, cell phones, and other electronics, and having those goods shipped to Ghana for use or resale to benefit the members of the conspiracy.

Maxwell, Miah, and both Okorhis created false identities and created dating profiles with false emails to correspond to their false dating profiles.  Through these, they lured victims into online romance scams, gold-buying scams, and a variety of advanced fee fraud scams.  These romance scam victims would carry out acts on behalf of the conspiracy, including forwarding counterfeit checks, receiving and shipping merchandice, and transferring proceeds via wire, US Mail, ocean freight, and express package delivery services.

Martins, Maxwell, Miah, and both Okorhis also purchased stolen PII, including credit card information, banking information, and IP addresses from underground forums specializing in the sale of such information.

By purchasing cell phones in the United State and activating Voice-over-IP (VOIP) accounts, the US telephone numbers could then be used by the conspirators in Africa, allowing them to appear to be making their calls in the United States.

Some of the activity in this case dates back to 2012, when MIAH was already using fraudulently purchased credit cards and remote desktop protocol (RDP) to make online purchases that appeared to be in the United States.  (Hackers compromise US computers and set them up to use RDP so that foreign criminals can use them to originate credit card purchases in places where the credit card was issued.  By having, say, a Memphis Tennessee IP address, purchases made by a Memphis Tennessee credit card do not seem as suspicious.)

Specific Acts

Some of their crimes were extremely bold.  For example:

"On or about December 13, 2016, MIAH caused construction materials to be purchased with fraudulently obtained funds, and caused a freight container of construction supplies to be sent to him in Ghana."  WHAT?!?!  That's bold!

The compromise of the email accounts at Company A was in play by June 30, 2016, when $33,495 was wired to the wrong location after a tip received from stolen emails.

In August 2016, OJO opened a new Wells Fargo bank account, after his previous account at Bank of America was shut down due to fraud.  He used ABEGUNDE's new address (presumably in Atlanta, Georgia) as the address for the new account.

He also opened a Wells Fargo account in the same address in October of 2016.

Benard Okorhi sent emails as "Marc.Richards@aol.com" directing C.M. to obtain cash advances from credit cards and send the proceeds to recipients in Ghana.  He also ordered C.M. to purchase five iPhones and ship them to Ghana.

Miah used the "DrDenBrown@yahoo.com" email to tell Okorhi (as Marc.Richards) to smooth things out on the phone with a romance scam victim, because Okorhi had a better American accent.

Some of the other interesting "acts" in the conspiracy included:

25JUL2016 - Javier Luis Ramos Alonso accepts a $154,371 wire from Company A into his Wells Fargo account ending in 7688 and then sends the funds to accounts controlled by OJO in Atlanta.

26MAY2017 - Maxwell Peters sends a WhatsApp message directing an undercover Memphis FBI agent to receive a $15,000 check on his behalf.  Ooops!

30MAY2017 - Maxwell Peters directs the FBI agent to send $5,000 of the proceeds to himself in Ghana.

02JUN2017 - Maxwell Peters directs the FBI agent to send a $15,000 check to himself in Ghana.

Although the indictment doesn't lay out more of the particular acts, the Press Release says that this group stole more than $15 Million altogether!

Some interesting images

"M.Z." has an interesting Amazon Wish List for a romance scammer involved in shipping electronics:

On December 8, 2017, Abdulai says is asked in one of his WhatsApp chats:  "Hope Maxwell case didn't put you into any problem."  He responded "FBI came to my house asking me stuff about those transactions that was coming into my account so I'm tryna stay out f this whatapp n stuff for a while cuz I feel like they tracking me."

You got that right, Abdulai!



Friday, June 15, 2018

Fake Malware Pop-up Example

I don't believe I've ever done a video blog, but I wanted to show you what it looks like when we look at a fake malware pop-up.  While I was prepping a lecture for a class I'm teaching by looking at something on Encyclopedia Britannica, I experienced a fake malware popup.

Here's what I saw:

"Serifed.Stream" malicious pop-up
The best way to explain this is to show it to you.  To do so, I've saved a little video of the what we saw.


In that walk through, you can see that the advertisement that led to the pop-up goes through a series of hops:

westerndigitalmeasure.com (192.241.254.144)  was the first site I hit, which had me do a POST to /j/pcl.php

(By the way, Westerndigitalmeasure.com is hosted at Cloudflare)

That PHP code sent me to "orgeles-hantests.com" (52.72.0.63) which immediately did a meta refresh to another page on orgeles-hantests.com which had a "redirect?target=(very long string here)"

That sent me to the host "redirect.orgeles-hantests.com" (54.89.11.221) which did another meta refresh to the site "server3.divinedessert.info" (67.207.82.78).

And divinedessert forwarded me to "serifed.stream" which is where we saw the fake Microsoft malware warning, which, by the way, captured and passed on my Internet service provider name and my home IP address in the URL.

We asked the URL scanner at VirusTotal check out "serifed.stream" and "serifed.stream/live/" but got the same result both ways.   0 of 68 URL reputation engines believe the site to be malicious.

Don't Worry, Be Happy, says 68 different URL Reputation Services

When we look by IP address, things aren't much better.  Of the hundreds of ".stream" addresses hosted on that same IP address, 185.44.65.141, which, by the way, is hosted in Iran, almost NOBODY found them to be malicious:



That last one shown, with 5 of 68 URL reputation services saying it might be bad, could also be interpreted as 63 out of 68 URL reputation services would have let your users see the bad content.  HOPEFULLY, they might have blocked a redirector somewhere in between, but honestly, I don't know . . . (this is the part where all of them will complain VirusTotal doesn't capture the totality of their user experience.  Yeah, yeah, yeah, cry me a river. I'm running AV and it happened to me!  Did you see the video?)



How to conclude?  I don't know.  Perhaps by just saying "the criminals are still ahead of us in this game, and this is why we can't have nice things."




Wednesday, June 13, 2018

Operation Wire Wire: the South Florida Cases Part 3

In the main DOJ Operation Wire Wire press release, the South Florida cases are described like this:

  • Following an investigation by the FBI and the U.S. Secret Service, 23 individuals were charged in the Southern District of Florida with laundering at least $10 million from proceeds of BEC scams, including eight people charged in an indictment unsealed last week in Miami. These eight defendants are alleged to have conspired to launder proceeds from numerous BEC scams, totaling at least approximately $5 million, including approximately $1.4 million from a victim corporation in Seattle, as well as various title companies and a law firm.
In Part 1 we reviewed 17-CR-20748, the case against Destiny Asjee Rowland, Lourdes Washington, and Cynthia Rodriguez.  (See Operation Wire Wire: The South Florida Cases, Part 1 )

In Part 2 we reviewed 18-CR-20170, the case against Eliot Pereira, Natalie Armona, Melissa Rios, Bryant Ortega, Angelo Santa Cruz, Alexis Fernandez Cruz, Roberto Carlos Gracia, Jose E. Rivera, Angeles De Jesus Angulo, Jennifer Ruiz, Yirielkys Pacheco Fernandez, and Sebastian Loayz.  (See Operation Wire Wire: The South Florida Cases, Part 2

Part 3 in our blog series focuses on those "eight people charged in an indictment unsealed last week in Miami", which refers to case 18-CR-20415, the case against Gustavo Gomez, Selene Joya, Jaremy Lucia Mena, Jose Brito Garcia, Jessica Hyde, Hillary Lee Williams, Juan Frias, and Ariel Champaign Edwards.

What links all of these cases together is that in each case, the ring leaders were recruited into their scam by the same individual: Roda Taher, who will be the focus of our next blog post "Operation Wire Wire: Who is Roda Taher?" 

The indictment begins with the statement:

"Roda Taher, aka Ressi, aka Rezi, hereinafter Taher, was the manager and supervisor of a criminal organization that engaged in money laundering by utilizing money mules and recruiters in the Southern District of Floirda, in other place in the United States, and in foreign commerce."

It then introduces our cast of characters.  As in South Florida case 1 and case 2, each of the players is recruited and instructed to set up a shell company, incorporating it in Florida, and establishing corresponding bank accounts with which to receive the proceeds of various Business Email Compromise and Spear Phishing attacks which fool company employees into wiring funds or transferring them via ACH, into the shell company accounts.

Defendant #1: Gustavo Gomez, b.1985, incorporated AG Universal Links in Hollywood, Florida.
Defendant #2: Selene Joya, b. 1990, incorporated Joya Star Life, Inc. in Miami Gardens, Florida.
Defendant #3: Jaremy Lucia Mena, b. 1992, incorporated Jaremy International, Inc. in North Miami, Florida.
Defendant #4: Jose Brito Garcia, b. 1981, incorporated Brito Commercial Products, Inc. in Hollywood, Florida.
Defendant #5: Jessica "Chuchi" Hyde, b.1987, incorporated Hyde Quality Inc. in Cutler Bay, Florida.
Defendant #6: Hillary Lee Williams, b. 1992, incorporated H Lee W Trade Group Inc. in Miami, Florida.
Defendant #7: Juan Frias, b. 1985, incorporated Ocean Surplus, Inc. in Miami, Florida.
Defendant #8: Ariel Champaign Edwards, b. 1991, incorporated Ariel Prime Trades Inc. in Miami, Florida.

Gustao Gomez worked closely with Roda Taher and other recruiters to recruit money mules and coach them in the manner in which they should set up their bank accounts.  According to the indictment:

"The recruiters would instruct money mules to open bank accounts in the name of their shell companies at various banks in the Southern District of Florida and elsewhere, and to falsely tell bank representatives that their shell company was a legitimate business engaged in the sale, import, or export of goods.  Taher and his recruiters gave different money mules a variety of false and fraudulent explanations regarding the nature of their businesses, including the sale, export, or import of textiles, furniture, electronics, or other goods.  However, the shell companies would not conduct any legitimate business."

"Once a money mule had opened a shell bank account in his or her shell company's name, those accounts would receive wire transfers of the proceeds of various fraudulent schemes.  The fraudulent schemes included, primarily, but were not limited to, email hacking or spoofing, also known as business email compromise and spearphishing scams.  Co-conspirators would hack into a victim's email account or otherwise take over that account without permission.  In a variation of this scheme, co-conspirators would "spoof" or create a fraudulent email account that was made to look like a victim's real email account.  The co-conspirators would then send email messages via the hacked or spoofed email accounts to individuals or corporations, instructing them to wire large sums of money to the money mules' shell bank accounts."

Roda Taher and the other recruiters would notify the mules when funds would be arriving into their accounts. These communications were primarily via the mobile phone encrypted messaging service WhatsApp.  They would be given instructions on what amounts would be received, where to wire the funds, and what commissions they were allowed to withdraw.  The commissions would be split with their recruiter, while the wires often sent the bulk of the money to China, Poland, and other destinations.

When banks closed the accounts, Taher would instruct the mules to open additional accounts at other banks.  Top performing mules were invited to become recruiters by inviting others to join the scheme as mules.  Recruiters received a percentage of the proceeds from the work of each mule they recruited.

The transactions particularly mentioned in the indictment are listed here. 

CountDateDefendantTransaction
202JUL2014Gustavo Gomez$48,500 from AG Universal Links' Wells Fargo Bank account to Sonish Enterprises FZE in Dubai, UAE
318JUL2014Gustavo Gomez$192,000 from AG Universal Links' Wells Fargo Bank account to Sonish Enterprises FZE in Dubai, UAE
419JUL2014Gustavo Gomez$4,500 from AG Universal Links' Wells Fargo Bank account to Zion Luxury Car Rental Inc.
501AUG2016Selene Joya$8,600 from Joya Star Life Inc's Bank of America Account
601AUG2016Selene Joya$5,500 from Joya Star Life Inc's Bank of America Account
701AUG2016Selene Joya$4,000 from Joya Star Life Inc's Bank of America Account
826JAN2017Jaremy Lucia Mena$78,902 from Jaremy International Inc's TD Bank account to Bella Tyre Co Ltd in China
926JAN2017Jaremy Lucia Mena$9,400 from Jaremy International Inc's TD Bank account
1013FEB2017Jose Brito Garcia$37,904 from Brito Commercial Products Inc's TD Bank account to Huge Elite Limited in Shanghai, China(*)
1117MAY2017Hillary Lee Williams$79,980 from H Lee W Trade Group's SunTrust Bank account to Redington Gulf FZE in Dubai, UAE
1206SEP2017Juan Frias$59,700 from Ocean Surplus Inc's TD Bank account to Zhejiang Oudi Machine Co. Ltd. in Zhejiang, China
1302NOV2017Ariel Champaign Edwards$8,200 from Ariel Prime Trade Inc's Wells Fargo account
1421NOV2017Ariel Champaign Edwards$700 from Ariel Prime Trade's Bank of America account

* - Worth noting that "Huge Elite Limited" in Shanghai, China was also the recipient of ill-gotten gains from Bryant Ortega in "Part 2."

This case is much "fresher" than some of the others.  The first arraignment in the case being Gustavo Gomez's appearance on May 31, 2018.  Gustavo just bonded out on June 11, 2018, for $50,000 posted by his girlfriend's brother.

Tuesday, June 12, 2018

Operation Wire Wire: the South Florida Cases Part 2

The Second South Florida case is linked to the first because this entire conspiracy also is part of the work of Roda Taher, AKA Ressi, AKA Rezi, the top recruiter in the first case.  However, in this 30 count indictment, the only one NOT named is Roda Taher.

Rezi recruited Eliot Pereira and Melissa Rios, below, who each in turn recruited others.




Defendant #1:  Eliot Pereira, b.1993 - opened "Eliot Products & Arts, Inc." and recruited and managed mules.
Defendant #2: Natalie Armona - opened "Armona Furniture Design Concept & Textile" and recruited and managed multiple mules and recruiters, including defendants #5, #8, #9, #10, and #12.
Defendant #3: Melissa Rios, b. 1996 - opened "Taihan Fiberoptics, Inc." and recruited #2
Defendant #4: Bryant Ortega, b. 1996 - opened "Bryant Tech Deals" and recruited and managed multiple mules, including Defendant #7. (4631 West 9th Court, Hialeah, FL 33012)
Defendant #5: Angelo Santa Cruz, b. 1994 - opened "ASC Worldwide, Inc" and recruited and managed multiple mules, including Defendants #6 & #11.
Defendant #6: Alexis Fernandez Cruz, b. 1992 - opened "Alexis Universal, Inc."
Defendant #7: Roberto Carlos Gracia, b. 1994 - opened RCG Deals, Inc.
Defendant #8: Jose E. Rivera, b. 1989 - opened Rivera Worldwide, Inc.
Defendant #9: Angeles De Jesus Angulo, b. 1996 - opened Angeles Premier Trades, Inc.
Defendant #10: Jennifer Ruiz, b. 1994 - opened Josette Quality, Inc.
Defendant #11: Yirielkys Pacheco Fernandez, b. 1984 - opened YF Nationwide, Inc.
Defendant #12: Sebastian Loayza, b. 1994 - opened Sure Trades, Inc.

This case starts off with a criminal complaint from the Miami office of the United States Secret Service.

It begins with his overview of the case, which is worth quoting here:

"Federal law enforcement agents have been investigating numerous business email compromise and spear phishing scams wherein various fraudsters targeted employees with access to company finances and tricked them into making wire transfers to bank accounts thought to belong to trusted partners -- except in fact, the accounts were shell companies controlled by the fraudsters.

Different people played different roles in the scheme.  Some of the co-conspirators hacked into and took control over certain victim companies' business email accounts without the knowledge or consent of the true email account holders, or created email accounts similar to, but slightly different from, real business email accounts.  Using the sham or compromised email accounts, the fraudsters then sent emails soliciting payments, claiming that funds were owed, and representing that payments for services rendered by the victim companies should be redirected to different accounts.

Other co-conspirators, known as money mules, opened shell companies and bank accounts into which the funds were fraudulently transferred, and then withdrew the fraud proceeds in cash, or wired the fraud proceeds into their foreign and domestic bank accounts.  Several money mules progressed to recruiting and managing other mules."

Natalie Armona may have been a good choice for Melissa to recruit based on her work.  Here's a Facebook post of hers from last year!  But by the dates, she had been in the money mule business quite a while before landing this job as a Junior Processor at a lending firm.


Armona's TD Bank account 

The complaint begins by telling the story of Natalie ARMONA, who opened a business, Armona Furniture Design Concept & Textile Inc., incorporating the business in Florida using her home address and opening a business checking account at TD Bank.  She was the sole signatory, and used her true social security number on the account.  The account was opened on December 9, 2106 and received its first wire December 14, 2016, from a scammed medical center (Victim Company A).  After taking out her commission in cash ($5,500) using her true Florida drivers license number as identity confirmation, Armona wired the rest of the money to "Flame Land International Limited" in Hong Kong.

On December 21, 2016, Armona's TD Bank account received an ACH for $724,395. Armona again paid herself first, withdrawing $10,508 in person.  Three wires went out.  $288,301 to "Caplan Sp Zoo" in Warszawa, Poland.  $194,110 to the same.  $94,218 to "Baolifeng Intl Trading Limited" in Shenzhen, China.  Armona paid herself twice more, once for $5,500 and once for $9400.  On December 27, 2016, she dipped three more times, for $800, $3800, and $9900.

Armona's SunTrust Bank account 

On December 9, 2016, Armona Furniture opened a SunTrust Bank account.  On December 30th she got an inbound ACH of $35,170 from a Pennsylvania sign company.  Also on December 30th, she got an incoming wire from Kukutula Development Company LLC in Koloa, Hawaii in the amount of $59,850.  On January 3, 2017, Armona withdrew $35,170.  On January 13, 2017, SunTrust closed the account for fraud with a balance of $59,850.

ASC WorldWide

A collaborating witness told the Miami Electronic Crimes Task Force that he had been recruited by Armona and had opened a shell company in the name ASC WorldWide, with accounts at TD Bank and Suntrust Bank.  Among other activities, he used email-based scams to cause $80,000 to be wired.

After a few successful jobs, the suspect said that Armona told him he could earn extra money by recruiting others into the scam.  He agreed to allow the USSS to record his emails, phone calls, and any text or WhatsApp communications involving others in the scheme.

The Ortega Case 

Although Bryant is not credited with recruiting Natalie Armona, the two are Facebook friends.  Bryant's profile also suggests that he may have had access to Personal Information, as an agent at a Health Insurance organization.  His cover photo indicates he's a fan of money!


The same USSS agent who did Armona's case also swore out the affidavit of criminal complaint against Bryant Ortega.  Ortega opened a TD Bank account for his new corporation, Bryant Tech Deals, which matched his home address of 2160 NW 111 Avenue, Sunrise, Florida 33322.  Bryant Tech Deals also opened a SunTrust account.  Both accounts were opened on February 13, 2017 and on March 6, 2017 the SunTrust account received an inbound wire of $283,750.50.  On March 7th, three withdrawals were made.  $500 from an ATM, $5600 over-the-counter, and $8400, also over-the-counter.  Ortega's true Florida drivers license was shown as proof of identify for the in-person withdrawals. Also on March 7, 2017, $94,110 was wired to "Huge Elite Limited" in Shanghai, China. After paying himself three more times the following day ($400 ATM, $800 at the counter, and $6200 at the counter), another wire of $128,705 went to Huge Elite Limited.  On March 9, 2017, an additional  $33,000 was wired out to "Lofty Ease Limited" in Shanghai, China.
(Ortega was arrested Jan 25, 2018)

The Pereira Case 

The third case, Feb 23, 2018, has an affidavit from Miami's FBI office from an agent who previously served as a Computer Scientist in the Philadelphia office! Pereira ran several schemes against companies by impersonating their officers, including Fakhoury Law Group (Troy, Michigan), High Tech Lending (San Diego, California), Gaumer Company (Houston, Texas), Park Corporation (Cleveland, Ohio), and Zija International (Lehi, Utah.)  Each of those companies received fraudulent emails, claiming to be from an executive of their own company, ordering that wires be sent to accounts controlled by "OS Fly Tech Incorporated."   Pereira hired an unnamed middle man to set up additional corporate accounts at Bank of America, Wells Fargo, SunTrust Bank, and Regions Bank.  The Middleman says that Pereira was working with an unknown male who he called "Rezi."  This would be the same person that Cynthia Rodriguez was working for (see Operation Wire Wire: The South Florida Cases, Part 1) Roda Taher.  Pereira and Rezi gave one of their mules an email os20technologies@gmail.com to use.


As shown above, nearly $1M in wires were sent to company accounts at Bank of America, SunTrust Bank,  TD Bank, and Wells Fargo Bank in September and October of 2016.  Pereira and his middleman communicated through WhatsApp and Email.  (954.554.5501 / bossmanweston@gmail.com / osflytechnologies@gmail.com )

The Big Picture 

Roda Taher, AKA Ressi, AKA Rezi, was the manager and supervisor of a criminal organization in the Southern District of Florida and elsewhere.  He recruited all of the defendants in this case, encouraged them to open shell accounts and receive illegally transferred funds, some of which they directly wired to China, Poland, and elsewhere.

The case involves 30 distinct financial transactions:
CountDateDefendantTransaction
202SEP2016Eliot Pereira$89,630 from OS Fly Tech's Wells Fargo account to China
330NOV2016Melissa Rios$13,844 from Tiahan Fiberoptics Inc's TD Bank account to Huzhou Nanmei Textile
423DEC2016Natalie Armona$288,301 from Armona Furniture's TD Bank account to Caplan Sp Zoo in Warszawa Poland
423DEC2016Natalie Armona$194,110 from Armona Furniture's TD Bank account to Caplan Sp Zoo in Warszawa Poland
523DEC2016Natalie Armona$288,301 from Armona Furniture's TD Bank account to Caplan Sp Zoo in Warszawa Poland
623DEC2016Natalie Armona$94,218 from Armona Furniture's TD Bank account to Baolifeng Intl. Trading Limited in Shenzhen China
712JAN2017Natalie Armona$44,618 from Armona Furniture's TD Bank account to Hangzhou Jieenda Textile Co Ltd in China
807MAR2017Bryant Ortega$94,110 from Bryant Tech Deal's SunTrust account to Huge Elite Limited in Shanghai, China
908MAR2017Bryant Ortega$128,705 from Bryant Tech Deal's SunTrust account to Huge Elite Limited in Shanghai, China
1008MAR2017Bryant Ortega$6,200 from Bryant Tech Deal's SunTrust account
1128MAR2017Bryant Ortega$179,302 from Bryant Tech Deal's SunTrust account to Lofty Ease Limited in Shanghai, China
1214APR2017Roberto Carlos Garcia$3,500 from RCG Deals Inc's Bank of America account
1317APR2017Roberto Carlos Garcia$112,000 from RCG Deals Inc's Bank of America account to KT and G Corp
1417APR2017Roberto Carlos Garcia$7,000 from RCG Deals Inc's Bank of America account
1517APR2017Roberto Carlos Garcia$3,000 from RCG Deals Inc's Bank of America account
1628APR2017Jennifer Ruiz$39,841 from Josette Quality Inc's TD Bank account to Huzhou Nanmei Textile Co. Ltd.
1728APR2017Jennifer Ruiz$3,400 from Josette Quality Inc's TD Bank account
1804MAY2017Roberto Carlos Garcia$100 from RCG Deals Inc's Bank of America account
1926OCT2017Angelo Santa Cruz$88,950 from ASC Worldwide's Chase Bank account to Niche Holding Ltd.
2026OCT2017Angelo Santa Cruz$7,000 from ASC Worldwide's Chase Bank account
2101NOV2017Alexis Fernandez Cruz$8,600 from Alexis Universal Inc's TD Bank account
2207NOV2017Angelo Santa Cruz$96,500 from ASC Worldwide's TD Bank account to Zhejiang Oudi Machine Co. Ltd.
2307NOV2017Angelo Santa Cruz$8,500 from ASC Worldwide's TD Bank account
2409NOV2017Alexis Fernandez Cruz$8,500 from Alexis Universal Inc's SunTrust Bank account
2521NOV2017Yirielkys Pacheco Fernandez$34,810 from YF Nationwide Inc's Chase Bank account to Nantong Gomaa International Co. Ltd.
2606DEC2017Yirielkys Pacheco Fernandez$88,528 from YF Nationwide Inc's Chase Bank account
2730NOV2017Jose E. Rivera$54,210 from Rivera Worldwide Inc's Bank of America account to Zhejiang Senhuang Trading in Zhejiang, China
2830NOV2017Jose E. Rivera$6,100 from Rivera Worldwide Inc's Bank of America account
2903JAN2018Angeles De Jesus Angulo$79,400 from Angeles Premier Trades Inc's Wells Fargo Bank account to Farstar International Ltd
3003JAN2018Angeles De Jesus Angulo$8,600 from Angeles Premier Trades Inc's Wells Fargo Bank account

Altogether, this group is charged with laundering more than $5,000,000.

The case is scheduled to be heard in Jury Trial beginning on June 25, 2018 before Judge Marcia G. Cooke in Miami, Florida.

Tomorrow (June 13, 2018) two of the defendants are meeting to change their plea.  Jennifer Ruiz and Yirielkys Pacheco Fernandez have decided they may not want the 20 year sentence that all of them are facing as part of a conspiracy to commit money laundering at this level!

Operation Wire Wire: The South Florida Cases, Part 1

Yesterday we started a series of posts about Operation Wire Wire, where the Department of Justice announced charges against 74 people for Business Email Compromise and related scams.

The South Florida cases are so huge, we're actually going to break them into three parts as well.  In part one, we'll look at the case against Cynthia Rodriguez, Destiny Asjee Rowland, and Lourdes Washington.


Defendant #1: Cynthia Rodriguez:
18:1349.F Conspiracy to Commit Wire Fraud
18:1956-3300.F Conspiracy to Commit Money Laundering
18:1956-3300.F Money Laundering and Forfeiture Count

Defendant #2: Destiny Asjee Rowland
18:1343 Wire Fraud
18:1349 Conspiracy to Commit Wire Fraud
18:1956(h) Conspiracy to Commit Money Laundering
18:1956 Money Laundering
18:1956(a)(1)(B)(i) Money Laundering

Defendant #3: Lourdes Washington
18:1349 Conspiracy to Commit Wire Fraud
18:1956(h) Conspiracy to Commit Money Laundering
18:1956(a)(1)(B)(i) Money Laundering

According to the indictment against Destiny Asjee Rowland, Rowland incorporated "Asjee Luxury Inc" in July 2017 and claimed to be a furniture merchant wholesaler at 3688 NW 83rd Lane in Sunrise, Florida.  The victim companies in her case were a company in Eau Claire, Wisconsin, a lumber company in Illinois, and an escrow company in Roseville, California that was selling property for two people called "KW" and "TW" in the indictment.

Asjee Luxury opened accounts at TD Bank and SunTrust Bank.  Using other people's names and email addresses, she convinced companies to transfer money to her account, including by falsely claiming to be the lumber company, where she sent "urgent audit" notices to the Wisconsin company demanding immediate wire transfers of payments owed to the lumber company.  That email came from an IP address in Nigeria on July 27, 2017.  By July 28th, a Bank of America account in Wisconsin had sent $1,651,699 to her TD Bank account in Florida.

 She also caused the escrow company to redirect payments intended for their clients KW and TW to accounts she controlled, receiving $451,759 from a City National Bank account in California into her SunTrust Bank account in Florida on July 31, 2017.

Cynthia Rodriguez and Loudes Washington have a ten page criminal complaint written by a US Secret Service agent to describe their case.  Washington created a new business, LW Nationwide Inc, at 9561 Fountainebleau Blvd, Apartment 402, Miami, Florida 33172, which coincidentally is also his driver's license address.  Then he opened a Bank of America account in that name.

A Real Estate attorney, BD, was handling the closing on several pieces of property.  On Feb 14, 2017, he receives an email from ***@themarstongroup.com informing him that he would receive a check for $37,225 via registered mail, along with a 1099 tax form.  The next day, an email from the same name ***@gmx.us said that he was leaving town unexpectedly and needed the funds sent via wire transfer instead.  Those funds were then directed to the BofA account of LW Nationwide.  Those funds were immediately RE-wired to a bank account in Zhejiang, China.  The same day, Washington withdrew funds from an ATM in Hialeah, Florida.  Three minutes later, at the same ATM machine, Cynthia Rodriguez withdrew funds from the LW Nationwide account, using the same debit card as Washington.   Bank of America's logs reveal that an IP address, 50.143.68.4 was used to access the account.  That IP address was Rodriguez's home Comcast Cable account at 2914 Funston Street, in Hollywood, Florida.  Rodriguez made additional withdrawals from the account, including from a drivethrough ATM whose cameras captured the license plate of her Nissan Quest, 520-TML, registered to Rodriguez.

Washington was later arrested (December 2017) as a result of an open warrant in Kentucky, and testified to opening the accounts, making the wire transfers, and doing the cash withdrawals "at the behest of her recruiter/manager" who she did not identify.

Meanwhile, the Eu Claire, Wisconsin business contacted the US Secret Service about the scam involving the fake invoices from the lumber company.   Records from the state of Florida revealed that Asjee Luxury only had one officer, and one signatory on their bank accounts. What seems to be a cooperating witness (Individual 1) in that case revealed that Rodriguez had recruited them to open several sham business accounts, including the TD Bank account belonging to Asjee Luxury!  Shortly after the California real estate company wired money into that account, ATM video footage showed Individual 1 withdrawing $8,000 cash from the account.  Individual 1 would then give half of the money to Rodriguez and keep the other half.  Individual 1 also opened a shell company called Wide Assure Trades Inc and a corresponding Bank of America account.

On October 27, 2017, Rodriguez notified Individual 1 that Wide Assure Trades was going to receive some money.  That account was logged into the same day from 76.18.27.6, the IP address that Comcast listed for Rodriguez's home address at 2914 Funston Street, Hollywood Florida at that time.  (DHCP addresses change from time to time.)

Later an additional document, not an indictment, but rather "Superseding Information" was filed



The Superseding Information reveals that Cynthia Rodriguez had incorporated "CR Elegant Trades" in September 2014 from her home address in Hialeah, Florida.  We already spoke of Washington's company, LW Nationwide, and Rowland's company, Asjee Luxury.  The superseding information speaks of (but does not give many details) an ongoing conspiracy from 2014 until 2018 that involved the creation of many shell companies and many fraudulent wire transfers. 

"It was the purpose of the conspiracy for the defendants and their co-conspirators to unlawfully enrich themselves by obtaining and misappropriating money from victims, by making materially false and fraudulent representations, and by the concealment of material facts, concerning, among other things, the true identify of the defendants and their co-conspirators and the purported need for victims to make payments to the defendants and their co-conspirators."

Lourdes Washington entered a plea agreement that included the fact that she may face 20 years in prison, 3 years supervised release, and a fine of $250,000 or double the pecuniary gain, as well as restitution, and acknowledging that they may be "denaturalized and removed" as a result of their crimes.  In other words, Washington had a public defender, as the only funds they tie to her are $37,225.  (It will be interesting to see what actually happens at sentencing on July 9, 2018.)

Cynthia Rodriguez also plead guilty, but in her case, she named her recruiter.  In the plea agreement, she agrees that she and her co-conspirators opened shell corporations and bank accounts for the purpose of receiving proceeds of wire fraud scams in exchange for a percentage of profits.  But then she says she was recruited to the scam by Roda TAHER.  Taher, AKA Res, AKA Rezi, AKA Ressi, recruited Rodriguez initially as a money mule, but advanced her to being a sub-recruiter, working to hire and manage additional money mules in the South Florida area. Rodriguez was responsible for providing corporate documents for her mules' shell companies, driving the money mules to banks, or ordering them to open certain accounts at certain banks, and accompanying them to withdraw funds.  She also provided directions to money mules on how to hide their schemes from banks, law enforcement and other individuals.

Rodriguez's plea agreement states that she knew the money was coming from wire fraud, and that she knew that business email compromise and spear phishing scams were used, including email account takeovers and "spoofed" email accounts making the victims believe they were making wire transfers to trusted partners, but instead depositing the funds into the accounts of the fraudsters.  Rodriguez says that she used the phone application "WhatsApp" to exchange encrypted messages with co-conspirators, including Taher, in order to evade detection by law enforcement.  Her plea confesses to laundering at least $4,760,669.80 between herself and the mules she recruited.

Like Washington, Rodriguez's plea states that she may do 20 years plus 3 supervised, and pay a fine of $250,000 or double the pecuniary gain, plus restitution, and that she may face denaturalization and removal.

Base Offense level for Washington was 8.  Increased by 18 levls due to the amount of laundered funds being between $3.5M and $9.5M.  +3 because she was a manager or supervisor in a scheme involving 5 of more participants.  +2 because of 18USC1956, and +2 because of the "sophisticated nature" of the laundering.  So, a level 33 offense.  They only decreased her 3 levels for "demonstrating acceptance of responsibility and assisting authorities in the investigation".  So she is still facing a level 30 offense.

"Furthermore, the Defendant stipulates that she owes restitution in the amount of $4,760,669.80!"

The plea agreement was signed May 23, 2018.  Rodriguez will be sentenced on July 11, 2018.

In Operation Wire Wire: The South Florida Cases Part 2, we'll look at 18-CR-20170, with defendants Eliot Pereira, Natalie Armona, Bryant Ortega, Melissa Rios, Angelo Santa Cruz, Alexis Fernandez Cruz, Roberto Carlos Gracia, Jose E. Rivera, Angeles De Jesus Angulo, Jennifer Ruiz, Yirielkys Pacheco Fernandez, and Sebastian Loyaza.

Monday, June 11, 2018

74 (Mostly Nigerians) Arrested in Business Email Compromise Action

Operation Wire Wire Cases 

Operation Wire Wire was announced June 11, 2018 by the Department of Justice.  This Operation led to the arrest of 42 people in the United States and 29 others in Nigeria, Poland, Canada, Mauritius, Indonesia, and Malaysia.  Not all of the case details have been made public yet, so this will be the first of several Operation Wire Wire blog posts.  What they all have in common is that they are all based on Business Email Compromise scams.


Case One: Okolie and Aisosa

Gloria Okolie ( 1:2018cr00029 ) - indicted in Georgia, arrested in Northern District of Texas on June 7, 2018.  She and Paul Aisosa, both Nigerian nationals residing in Dallas, are accused of laundering $665,000 in illicit funds.

Gloria opened a BBVA Compass Bank account in Addison, Texas in the name G.C. Investments and Logistics, with a $100 deposit.

Paul Wilson Aisosa opened an account at First National Bank of Texas in his own name at a branch in Killeen, Texas.  Someone using the email account 1234trot5@gmail.com sent emails to an attorney in Augusta, Georgia, who wired money from a sale of property to Okolie's BBVA Compass Bank account.  Some of these funds were wired to Paul's account from Gloria's account.

(A Facebook account in the name of Paul Aisosa checked into Dallas in April 2016)


Case Two: Odofuye, Nwoke, and Adejumo 

Adeyemi Odofuye (3:2016cr00232) (AKA Micky, AKA Micky Bricks, AKA Yemi, AKA GMB, AKA Bawz, AKA Jefe), is charged with a seven-count indictment in Connecticut for causing losses of $2.6 million, including $440,000 from a single victim in Connecticut.  (We'll call him Micky.)  According to his Facebook page, and the indictment, he recently graduated with a Masters of Science in Information Systems Security from Sheffield Hallam University.  One of Micky's email accounts was angelmicky_g41@yahoo.com.





















He is indicted in Connecticut along with Stanley Hugochukwu Nwoke (AKA Stanley Banks, AKA Hugo Banks, AKA Banks, AKA Banky, AKA Jose Calderon), who was a student at ApTech Computer Education in Lagos, Nigeria.

The two used a variety of custom domains to conduct fraud against an Austrian company with offices in Connecticut, including: veteranboats.org, messidepot.com, secondtow.info.  With these emails, they requested wire transfers to Technix Trade SP and Weequahic Group Inc.  Some of the funds were transferred to an HSBC account in Hong Kong.

The third party in this case, Olumuyiwa Yahtrip Adejumo (AKA Slimwaco, ACO Waco Jamon, AKA Hade, AKA Hadey) resided at 506 Hampton Avenue in Toledo Ohio.  (We'll call him Slimwaco.)  Slimwaco used his slimwaco@yahoo.com email addresses to communicate with praxes123@gmail.com both by email and Google chat.  He also sent numerous fraudulent emails to a company in Connecticut posing as the CEO of that company and causing five wire transfers to be sent "by his authorization" totalling more than $500,000.  Other emails he controlled included slimwaco@yahoo.com, kkssus@gmail.com, waco4real82@yahoo.com, slimhade@yahoo.com.  According to his Facebook page (in the name Adeola Crown Adejumo), he was originally from Ibadan, Nigeria.

The New Haven-based FBI agent who wrote the criminal complaint describes in detail the types of communications between the accounts, as Slimwaco sent a list of the CFOs of 100 Ohio-based companies to one of his colleagues, and another with more than 100 Illinois-based CFOs.  In other exchange, Micky and Slimwaco chat and help each other build lists of officers from public webpages and corporate directories.

Odfuye (Micky) was extradicted from the UK.  Nwoke was extradicted from Mauritius, the first extradiction from there in 15 years!

Case 3:  Idris, Shitu, Nyamekye, Ibrahim, and Bolorunduro 

The Western District of Pennsylvania announced their own case as part of Operation Wire Wire, namely the arrest of Taiwo Musiliudeen Idris and four co-conspirators.  Idris was one of 29 scammers arrested in Nigeria as part of this operation.  Idris worked with Ismail Shitu, Nathanael Nyamekye, Adnan Ibrahim, and Akintayo Bolorunduro to launder over $411,000 in real estate settlements via BEC.  Their scam primarily targeted residential real estate sellers in Maryland. 

The indictment against these four, (Case 2:17-cr-00192-AJS) was filed October 5, 2017 in Pittsburgh and covers three distinct BEC Scams.

BEC Scam #1 - Rockville, Maryland.  A married couple who were selling a home were anticipating the receipt of a wire for $411,548.06 in proceeds.  However a fraudulent fax caused the funds to be redirected to an account at Citizens Bank in New York, controlled by Ismail Shitu, who resides in the Western District of Pennsylvania.

BEC Scam #2 - Hopkinton, Massachusetts.  A married couple waiting to receive $212,961.75 for the sale of a home had the same experience.  The attorney who was to handle the funds transfer received fraudulent correspondence directing him to send the funds to a Suntrust Bank account in Clinton, Maryland, also controlled by the criminals.

BEC Scam #3 - Charlotte, North Carolina.  A real estate developer sold four parcels of land for $235,058.53.  Once again, the lawyer handling the case received a fax, from the same number as the two cases above, (760) 297-5626, instructing him to send the money to a SunTrust Bank account in McDonough, Georgia.

These funds were then laundered by transfers of funds from $30,000 to $104,000 to various shell companies controlled by members of the conspiracy.   Companies such as "Remy Tire Mart" and "Salem's Market and Grill" and "Sea Gull Freight LLC" and "Stability Capital Group" all received transfers of the funds from BEC Scam #1.

Remy Tire Mart also received funds from BEC Scam #2.  BEC Scam #3 also sent funds to Miken Auto LLC, Labor of Love, and OOPS!  Nathanael Nyamekye, who took $5,000 in an account in his true name.

Case 4: South Florida

We'll continue the Operation Wire Wire reporting as more cases are made public.  In South Florida, 23 individuals have been charged with laundering at least $10 Million from BEC scam proceeds, including 8 from a new indictment unsealed in Miami last week.   Reviewing the three related federal cases will be our next blog topic.