Wednesday, October 16, 2019

"Welcome to Video" raid leads to 337 arrests due to Bitcoin Exchanges that use strong KYC

The darkweb child sexual exploitation video site, "Welcome to Video", first came to law enforcement's attention as a result of a case in the UK, where geophysicist Matthew Falder was arrested.  When the National Crime Agency was looking into his hard drive, they found he had been a member of "Welcome to Video", which at the time used the dark web address mt3plrzdiyqf6jim .onion.  Anyone visiting that website recently would have seen this banner instead:


Law enforcement actually found the website's server through a silly webmaster error.  One of the webpages on the website linked some of its component files by the server's IP address instead of its onion address.  The IP address, 121.185.153.45, was a Korea Telecom address.  They got the owner's address details and were able to confirm his identity.

After establishing undercover addresses, investigators searched the website for some common child sexual exploitation terms, and received indications that there were THOUSANDS of matching videos.  I don't know that we should share the terms with our readers, but some search terms resulted in more than 7,000 or even 10,000 matching videos.  Searches for videos involving children as young as four years old or even two years old yielded 4,000 matching videos each.

 Anyone could view "thumbnails" on the site, but to download or view the related videos, you had to have Points.  You could buy points for bitcoin, or you could "earn" points by uploading a unique video, or having a friend sign up and use your referral code.

 On multiple occasions, including September 28, 2017 and February 23, 2018, federal agents made payments on the website, and within 48 hours, the money had been moved to another Bitcoin wallet.  That wallet turned out to be a Coinbase wallet.  When they asked Coinbase who paid for that Bitcoin account, it was Jong Woo Son. To be able to buy Bitcoin at Coinbase from a bank account, Jong was required to provide KYC (Know Your Customer) information, so he provided and confirmed an email address and telephone number, both of which were found to belong to Jong.

That gave law enforcement enough to raid Jong's residence, where they found the server in his bedroom, containing 8 TB of child sexual exploitation images, and log files indicating that MORE THAN A MILLION videos had been downloaded from the site.  The raid was conducted by US IRS-CI, US HSI, UK NCA, and the South Korean National Police.  By comparing the hashes of these videos to the collection at NCMEC (The National Center for Missing and Exploited Children), they found that 45% of these videos had never been seen before.

MANY of the users of the site were "creating" videos by abusing children they had access to. The United States has indicted Jong Woo Son, but he is already serving time for charges brought in South Korea.  The indictment does provide a great deal of information about the case that helps us understand what happened:


(from the Jong Woo Son indictment)
We know from other sources that the "exchanger in the United States" is Coinbase (see below).  Every time Welcome To Video presented an opportunity for payment to a visitor, it generated a new potential Bitcoin wallet address.  Until someone makes a payment, however, it is more like a "potential" wallet.  If the visitor wasn't sure how to get Bitcoin, Jong's website recommended that an easy way was to set up a Coinbase account!
By tracing other addresses that also moved small payments to the same wallet that the undercover payments were moved to, they were able to identify a "cluster" of 221 frequently used bitcoin addresses that had been used to receive payments that were then sent to the website owner, Jong Woo Son.  Later, they asked Coinbase, and two other major Bitcoin Exchanges, to identify accounts that had sent payments to any of that pool of 221 bitcoin addresses.  Why so many?  To make sure which payment belongs to which user, when a user indicates they are about to make a payment, they are assigned a bitcoin address to use for their transaction.  This is fairly common practice on darkweb markets. To avoid conflicts, Jong had many such addresses that would receive the payment from a specific user, probably created at transaction time. Jong would consolidate these bitcoin "wallets" by moving the funds to his primary account, from which he sometimes withdrew funds directly to his bank account. Because transacting against a bitcoin address creates new addresses, the at least 7,300 small payments were paid to different addresses controlled by Jong over time.
This was really spelled out in detail as the prosecutor, and then the FBI agent, tried to explain bitcoin to the judge in the Gratkowski case.   That was the Texas case involving former HSI Agent Richard Nikolai Gratkowski.  Same thing.  He used his own USAA credit card to pay Coinbase to buy his bitcoin.  I have the 100-page transcript of his court hearing, which was fascinating to read.  He was sentenced to 70 months (and has already appealed to the 5th Circuit.)  Most of the court documents referred to "Bitcoin Exchange 1" -- but the transcript names Coinbase 84 times!  I think they deserve a lot of the credit for making this case possible through their strict KYC implementation!


Subpoenas asking "who has been sending money to these 221 bitcoin wallets?" are where they got their hitlist of 337 site users who were arrested.  They included pedophiles residing in Alabama, Arkansas, California, Connecticut, Florida, Georgia, Kansas, Louisiana, Maryland, Massachusetts, Nebraska, New Jersey, New York, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, South Carolina, Texas, Utah, Virginia, Washington State and Washington, D.C. as well as the United Kingdom, South Korea, Germany, Saudi Arabia, the United Arab Emirates, the Czech Republic, Canada, Ireland, Spain, Brazil and Australia.  MOST of those users were identified because of the strict "Know Your Customer" rules that reputable bitcoin exchanges are now requiring of their customers.
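
The tracing steps described above (follow the undercover payment to the wallet it was swept into, collect every deposit address swept into that same wallet, then list the exchange-side payments into that cluster), as an added example that is not from the indictment or the original post. The ledger, address labels, amounts and exchange names are constructed placeholders, and the function names are hypothetical.

```python
from collections import defaultdict
from typing import NamedTuple


class Tx(NamedTuple):
    txid: str
    time: str        # confirmation date
    inputs: tuple    # addresses whose coins are spent
    outputs: tuple   # (address, satoshis) pairs


# Constructed ledger: customers pay fresh per-customer deposit addresses and
# the operator later sweeps those deposits into one wallet.
LEDGER = [
    Tx("t1", "2017-09-28", ("uc_agent",), (("dep_1", 3_000_000),)),
    Tx("t2", "2017-09-29", ("exA_hot_1",), (("dep_2", 6_000_000),)),
    Tx("t3", "2017-09-29", ("exB_hot_7",), (("dep_3", 10_000_000),)),
    Tx("t4", "2017-09-30", ("dep_1", "dep_2"), (("op_wallet", 8_900_000),)),
    Tx("t5", "2017-10-01", ("dep_3",), (("op_wallet", 9_900_000),)),
    Tx("t6", "2017-10-02", ("exA_hot_1",), (("unrelated_shop", 5_000_000),)),
    Tx("t7", "2017-10-03", ("unrelated_shop",), (("other_wallet", 4_900_000),)),
]

# Constructed attribution table: which exchange operates a sending address.
ATTRIBUTION = {"exA_hot_1": "Exchange A", "exB_hot_7": "Exchange B"}


def sweep_destinations(ledger, known_deposits):
    """Addresses that received coins spent from the known (undercover) deposits."""
    dests = set()
    for tx in ledger:
        if known_deposits & set(tx.inputs):
            dests.update(addr for addr, _ in tx.outputs)
    return dests - known_deposits


def cluster_deposits(ledger, destinations):
    """Every address that was an input to a transaction paying a sweep destination.

    This over-collects if the destination is an address shared by many
    unrelated parties, so the destination should be attributed first.
    """
    cluster = set()
    for tx in ledger:
        if any(addr in destinations for addr, _ in tx.outputs):
            cluster.update(tx.inputs)
    return cluster - destinations


def payments_by_exchange(ledger, cluster, attribution):
    """Group payments into the cluster by the exchange that sent them.

    Each entry is (txid, date, deposit address, satoshis), the detail an
    exchange needs to match a withdrawal to one customer account.
    """
    requests = defaultdict(list)
    for tx in ledger:
        exchanges = {attribution[s] for s in tx.inputs if s in attribution}
        for addr, sats in tx.outputs:
            if addr in cluster:
                for exchange in sorted(exchanges):
                    requests[exchange].append((tx.txid, tx.time, addr, sats))
    return dict(requests)


def trace(ledger, known_deposits, attribution):
    destinations = sweep_destinations(ledger, known_deposits)
    cluster = cluster_deposits(ledger, destinations)
    return destinations, cluster, payments_by_exchange(ledger, cluster, attribution)


if __name__ == "__main__":
    dests, cluster, requests = trace(LEDGER, {"dep_1"}, ATTRIBUTION)
    print("sweep destination(s):", sorted(dests))
    print("deposit cluster:", sorted(cluster))
    for exchange, rows in sorted(requests.items()):
        print(exchange, rows)
```
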

As a result of all of the investigations so far, at least 23 underage children were rescued in the US, UK, and Spain!

In ALL of the US cases I pulled court records for, that was the process.  Find a username on the seized server, prove that they had transacted bitcoin from a KYC-friendly exchange, such as Coinbase, then subpoena the bitcoin exchange to see who owned the account.  Coinbase, and other reputable Bitcoin exchanges, require "strong Know Your Customer" as a means of reducing fraudulent or criminal behavior.  For Coinbase, that includes a driver's license scan, and a response to both an email and an SMS message to confirm that they know your real email and real telephone number.  For the accounts found, they could then check the Korean server to see which user had made a payment at that time and date, and how much activity they had on the server.  Then law enforcement would either confront the pedophile or execute a search warrant to get confirmation of the evidence from the customer.  Priority was placed on anyone who seemed to be CREATING the content, or who had previous related charges.

Michael Ezeagbor was found to have used the identity "mikeexp1" on the site.  He had earned points by uploading 10 videos, and had downloaded 42 videos.  He paid 0.1 BTC on Jan 29, 2016 (which at the time was only $38.)  The Bitcoin exchange he used provided his DOB, SSN, address, and a Yahoo email account.  He had bought the bitcoin on the exchange using his A+ FCU account.

Eric Wagner paid 0.06 BTC on November 5, 2016 (about $43 at the time).  He had downloaded 40 videos and uploaded 84 videos.  His bitcoin exchange revealed his email was "wagnered@comcast.net" and he was using a DFCU debit card which matched the name, address, and SSN on file with the bitcoin exchange.

Brian James LaPrath was identified in the same way.  Because he had NOT uploaded, choosing just to pay, and had downloaded very little, he was allowed to plead to money laundering, although he is doing probation with sex offender style limitations in place.


The most troubling case I reviewed was that of Nicholas Stengel, who had PREVIOUSLY been arrested for possession of child pornography and had served 41 months, followed by 36 months supervised release.  His supervised release included all of the above, and more.  He relapsed during that time, refusing to take his court ordered polygraph, and was charged with using a computer in violation of his parole to seek child pornography and with public masturbation.  In his first case he was charged with possessing 79,335 images and 230 videos.  When an HSI Cybercrime Special Agent hit his door with a warrant, Stengel's wife stalled the agents at the door while Stengel got into his bathtub with a knife and slit his own wrists and throat!  He was given emergency medical care, but was now found to possess 805,457 images and 6,884 videos!
Stengel attempts suicide during his search warrant

Several others who were charged with PRODUCING child sexual exploitation imagery to upload to the site were listed in The Daily Mail's story on the case:

Paul Casey Whipple, 35, of Hondo, Texas, a U.S. Border Patrol Agent, was arrested in the Western District of Texas, on charges of sexual exploitation of children/minors, production, distribution, and possession of child pornography. Whipple remains in custody awaiting trial in San Antonio

Michael Lawson, 36, of Midland, Georgia, was arrested in the Middle District of Georgia on charges of attempted sexual exploitation of children and possession of child pornography. He was sentenced to serve 121 months in prison followed by 10 years of supervised release following his plea to a superseding information charging him with one count of receipt of child pornography

Nader Hamdi Ahmed, 29, of Jersey City, New Jersey, was arrested in the District of New Jersey, for sexual exploitation or other abuse of children. Ahmed pleaded guilty to an information charging him with one count of distribution of child pornography. He is scheduled to be sentenced Oct. 1, 2019

Jeffrey Lee Harris, 32, of Pickens, South Carolina, pleaded guilty in the District of South Carolina for producing, distributing, and possessing child pornography

Nikolas Bennion Bradshaw, 24, of Bountiful, Utah, was arrested in the State of Utah, and charged with five counts of sexual exploitation of a minor, and was sentenced to time served with 91 days in jail followed by probation;



Tuesday, October 15, 2019

18 Members of ATM Skimmer Gang Arrested -- Mostly Romanian

DOJ Press Release: 18 Members of International Fraud and Money Laundering Conspiracy
The Southern District of New York brought charges against 18 people for their involvement in an ATM Skimming ring that planted hundreds of skimming devices in at least 17 states and stole more than $20 million.  Those charged, from the DOJ Press Release about the ATM Skimming organization, are listed below.  The operation involved many cooperating agencies, including the FBI, Customs and Border Protection, the NYPD, the US Postal Inspection Service, INTERPOL-Rome, INTERPOL-Mexico City, and Mexico's Agencia de Investigación Criminal and Instituto Nacional de Migración.

What the press release does NOT make clear is the ties to Intacash, the largest Romanian ATM Skimming ring in history, and the primary reason that when you see "Skimming arrests" in the United States, they will almost always involve Romanians.

LIMBERATOS, COSTEA, LYMBERATOS, ELIOPOULOS, SAMOLIS, LAM, and MIHAILESCU were arrested in and around Manhattan on October 10, 2019.

M. CONSTANTINESCU, CALUGARU, I. CONSTANTINESCU, and SERBAN were arrested in Miami on October 10, 2019.

MARTIN (pictured here as "Florian M") was arrested in Cabo San Lucas, Mexico.  Although he was the only one charged in the SDNY case, he was actually arrested as the leader of a group of 7 Romanians all arrested together in Mexico.  In Romanian news, he is described as "the brother of Rechinu".  Rechinu, which means "shark" in Romanian, is Florian Tudor, believed by the Romanians to be the big boss of an international skimmer ring.  Brian Krebs, the world's leading investigative security journalist, shared many more details about Rechinu's gang in April 2019, in a follow-up to his three-part series about Intacash - a Romanian crime syndicate that dominates the skimming world. That KrebsOnSecurity story, "Alleged Chief of Romanian ATM Skimming Gang Arrested in Mexico", includes many details learned by interviewing the brother of a bodyguard that was assassinated by Tudor.

Romanian press says that Rechinu was also a human smuggler, helping "hundreds of Romanians" migrate to Mexico using counterfeit documents and then cross the border into the United States to participate in criminal activity.  Not only did Rechinu run an enormous international crime ring, but through shell companies, he was the owner of a company in Mexico that installed and maintained ATM machines for banks in Mexico!  Using the knowledge and access his employees gained by having "legitimate" access to such equipment, it is no wonder that Intacash dominated the skimming market!

Tudor Florian has managed his network, most of the time, in Mexico, under the screen of some companies that set up ATMs and ensure their maintenance! On the legally installed ATMs, skimming devices were mounted, which copied the cards of the people who were making money. 

"After fraudulently obtaining the computer data, teams were made up of other members of the group who traveled to other states such as USA, India, Paraguay, Indonesia, etc., from which they withdrew the existing amounts of money in the bank accounts related to the copied electronic payment instruments", claims DIICOT.  -- Translated from the Libertatea.ro story "DIICOT Release: The Shark Clan in Craiova had companies that legally set up ATMs in Mexico, where they later cloned the cards!"

(Libertatea - "Freedom!" - ran a month-long series of investigative reports about this crime family that they dub "the Shark Clan", including their long involvement with another Romanian crime family that sold them underage girls for sex trafficking)



VIDRASAN was arrested in Perugia, Italy.

PETRESCU, DIACONU, ANCA, and ULMANU were already in custody on other charges and will be later transferred to New York.

The charges were brought in three separate indictments.  Mircea CONSTANTINESCU, Nikolaos LIMBERATOS, Cristian COSTEA, Alin Hanes CALUGARU, Ionela CONSTANTINESCU, Theofrastos LYMBERATOS, Andrew ELIOPOULOS, Valentin PETRESCU, Peter SAMOLIS, Kelly Karki LAM, George SERBAN, Dragos DIACONU, Madlin Alexandru ANCA, Cristian ULMANU, and Iuliana MIHAILESCU were charged in the first indictment with:

  • 18 USC Sections 1029(a)(1), (a)(2), (a)(3), (a)(4), and (a)(5) - access device fraud 
  • 18 USC Section 1029(a)(1) producing and trafficking in counterfeit access devices
  • 18 USC Section 1029(a)(2) using a counterfeit access device to obtain a thing of value
  • 18 USC Section 1029(a)(3) aggravated identity theft (possessing with intent to obtain a thing of value more than 15 counterfeit access devices)
  • 18 USC Section 1029(a)(4) producing, trafficking in, having custody and control of and possessing counterfeit access device-making equipment
  • 18 USC Section 1029(a)(5) conducting transactions with access devices issued to another person to receive payment exceeding $1,000 in a single year.  (Yep, $20M > $1,000)
  • 18 USC Section 1343  Bank Fraud, Wire Fraud
  • 18 USC Section 1349  obtaining money from FDIC insured institutions by means of false and fraudulent pretenses 
  • 18 USC Sections 1028(a)(1), (b), and 2.
  • 18 USC 1956(a)(1)(A)(i) conspiracy to commit wire fraud and bank fraud 
  • 18 USC  1956(a)(1)(B)(i)  conspiracy to commit access device fraud 
  • 18 USC  1957(a) conspiracy to commit wire fraud 
CONSTANTINESCU shipped a credit card point of sale terminal from Mt. Pocono, Pennsylvania to Veracruz, Mexico for the purpose of having a custom skimmer created for the terminal. SERBAN shipped skimmers from Miami to Tobyhanna, Pennsylvania.

Others installed skimmers in at least Babylon, NY (N. LIMBERATOS); Canterbury, CT (CALUGARU); Manchester, NH (T. LYMBERATOS); Glen Cove, Westbury, and Whitestone, NY (ELIOPOULOS); Boston, MA (PETRESCU); Queens, NY (SAMOLIS); Somerville, MA (ULMANU); Boston, Brookline, Sturbridge, Brighton, and Natick, MA (MIHAILESCU).

Others withdrew funds using counterfeit ATM cards coded with the magnetic stripe data stolen by the gang's skimmers in at least New York City, NY (CONSTANTINESCU) and Chattanooga and Ooltewah, TN (DIACONU, ANCA).

Others arranged the cash deposits and withdrawals to launder the funds (LAM).

A second indictment separately charges Raul Ionut VIDRASAN with many of the same charges.

A third indictment separately charges Florian Claudiu MARTIN (and his host of aliases) and Alex DONATI. Specifically, MARTIN is charged with installing a skimming device on an ATM in a hotel in Manhattan.  DONATI is charged with shipping a package containing two skimmers to Manhattan.


| Defendant | Age | Place of Residence | Nationality |
|---|---|---|---|
| FLORIAN CLAUDIU MARTIN, a/k/a “Florin Claudiu,” a/k/a “Johnny Ion,” a/k/a “Jane Hotul,” a/k/a “Petru Andrioaie,” a/k/a “Petru Andrioane” | 44 | Cabo San Lucas, Mexico | Romania |
| ALEX DONATI | 51 | Cabo San Lucas, Mexico | Romania |
| RAUL IONUT VIDRASAN, a/k/a “Michu,” a/k/a “The Boy” | 27 | Perugia, Italy | Romania |
| MIRCEA CONSTANTINESCU, a/k/a “Sobo” | 44 | Cooper City, Florida | Romania |
| NIKOLAOS LIMBERATOS, a/k/a “Nicu Limberto” | 53 | Deer Park, New York | Greece |
| CRISTIAN COSTEA, a/k/a “Momo” | 44 | Queens, New York | Romania |
| ALIN HANES CALUGARU | 39 | Sunny Isles, Florida | Romania |
| IONELA CONSTANTINESCU, a/k/a “Pitica” | 35 | Cooper City, Florida | Romania |
| THEOFRASTOS LYMBERATOS | 36 | Queens, New York | United States |
| ANDREW ELIOPOULOS | 34 | Queens, New York | United States |
| VALENTIN PETRESCU, a/k/a “Gico Cosmin Giscan,” a/k/a “Zoltan Pruma” | 32 | Russellville, Arkansas | Romania |
| PETER SAMOLIS | 30 | Queens, New York | United States |
| KELLY KARKI LAM | 42 | New York, New York | United States |
| GEORGE SERBAN | 32 | Miami, Florida | Romania |
| DRAGOS DIACONU | 41 | Nashville, Tennessee | Romania |
| MADLIN ALEXANDRU ANCA, a/k/a “Mateo Fernandez Alejandro” | 22 | Nashville, Tennessee | Romania |
| CRISTIAN ULMANU, a/k/a “Boris Moravec” | 54 | Russellville, Arkansas | Romania |
| IULIANA MIHAILESCU | 42 | Queens, New York | Romania |


Thursday, October 03, 2019

FBI Fraud Arrests by Field Office, 2018


Each year, crime data geeks look forward to the publication of the CJIS "Crime in the United States" report.  On September 30th, the FBI was able to share the Uniform Crime Report information for 2018, describing information about Violent Crime, Property Crime, Homicides, and Arrests gathered from most of the law enforcement agencies in the United States.  UCR is old news though.  Many shortcomings in the system have led to changes which are adopted in the new NIBRS system, the National Incident-Based Reporting System.  For people like me, who care about cybercrime, hacking, malware, and fraud, this is great news!  Many budget decisions have been made over the years about how to allocate police resources based on UCR data, and NONE OF THE CATEGORIES I CARE ABOUT WERE PART of UCR!   But NIBRS has many of those things, rolled up under the category "fraud."

Fraud Offenses are called "26" offenses and have the following breakdown:
  • 26A = False Pretense / Swindle / Confidence Game 
  • 26B = Credit Card / ATM Fraud 
  • 26C = Impersonation 
  • 26D = Welfare Fraud
  • 26E = Wire Fraud
  • 26F = Identity Theft
  • 26G = Hacking / Computer Invasion
(The NIBRS User Manual has the complete list of codes for other offenses.)

Last year, students in my Criminal Justice 502 - Computer Forensics class at UAB (the University of Alabama at Birmingham) - attempted to study fraud statistics from the 2017 NIBRS data, and sadly, their conclusion was that they were dramatically under-reported, and if used at all, used only in a "rolled-up" capacity.  NIBRS is currently receiving data from 6,600 of 18,000 potential law enforcement agencies.  By 2021, all agencies should be using NIBRS instead of UCR.

With shame, I mention that Alabama is one of the states boycotting NIBRS, calling it an "unfunded mandate" and refusing to participate.  In the 2017 data, only the city of Hoover shared NIBRS-formatted crime statistics with the Department of Justice.  (Hopefully we will see an improvement in this process as Alabama is now one of the states receiving federal funding to improve their NIBRS participation in the form of an NCS-X Initiative Grant.  In October 2018, an additional $49 Million was released to encourage greater participation.   A sampling study was conducted by BJS to determine that if 400 additional agencies were added, it would markedly improve the accuracy and usefulness of NIBRS data, and these agencies and their states are now targeted, for the fourth year in a row, with Federal funding to assist in implementation.  Eleven Alabama Law Enforcement agencies were among the 400 on the "List of NCS-X Sample Agencies as of August 2018" making them eligible to apply for funding.  Only four states have not received any funding to date - AK, AZ, MS, and NM. Sixteen states have fully implemented NIBRS, and four more have >80% participation.)

We are still looking forward to seeing the 2018 NIBRS data, which would normally have been released by now, but we did get one early present from CJIS, in the form of FBI NIBRS data from each field office.

https://ucr.fbi.gov/ucr-statistics-their-proper-use

A caution before reading on: despite the FBI's repeated warning to not use crime data to rank jurisdictions, journalists repeatedly put out reports called things like "The Top Worst Cities for Murder" each year after the UCR is released.  In the table below, we have extracted the FBI data for Fraud Arrests for each of their 56 field offices.  This is intended to show how fraud arrests (including all of the categories above) are still a MINOR focus of law enforcement by proportion of arrests, so PLEASE don't use this data to rank.  (More reasons not to rank in the link above, which is labeled "Caution Against Ranking" on the Crime in the United States page.)

As part of that caution, consider a couple numbers from the table below.  While the average for all field offices was that 10.9% of all FBI arrests in 2018 were for "Fraud" categories, the Los Angeles Field Office number was more than double that amount, at 27.6%.  Why?  Is it because there is more fraud in LA than most places?  Not really.  Their "Fraud Arrests per 100,000 population" is 1.4, nearly double the national average of 0.8. Los Angeles serves the largest population of any field office -- 19.5 million people -- allowing their office composition to contain specialized squads not found in smaller offices. One such squad includes agents dedicated to working "Business Email Compromise" and they have been doing an amazing job at that task.  Because of the STRATEGIC FOCUS of the Los Angeles office, many criminals are arrested and charged there even when the victims may come from across the United States and the World.

Similarly, the Miami, District of Columbia, and New York offices have significantly higher fraud arrest rates per 100,000 population than other offices. This also reflects the composition of their offices. New York City FBI arrested 1,466 total people in 2018 -- nearly 500 more than any other office, and triple the number of the arrests in only slightly smaller Dallas, Boston, Atlanta, or Charlotte. As a global super power in the banking world, New York City has one of the largest cybercrime offices in the country, including many New York Police Department personnel who serve as Task Force Officers within the FBI's Cybercrime and Financial Crime Task Forces. In offices like NYC, many cases where a local prosecution may have been brought elsewhere by the police have been elevated to a federal level, taking advantage of the unique concentration of banks AND FEDERAL RESOURCES, to make possible their 268 fraud arrests in a field office serving 13.4 million people. Similar combined state/local/federal task forces raise their arrest rate in other categories, partly as a result of the unique partnerships found in New York as a result of the restructuring of the FBI following the terrorist attacks there on 9/11.
Other office numbers may be skewed by the presence of an extremely gifted or well-funded state or local law enforcement agency, which may work many cases at the state/local level that in other offices may have become federal cases.
So again, please don't use these numbers for "head-to-head rankings," but do enjoy seeing what is going on in YOUR FBI office!  We look forward to seeing the full NIBRS data soon, but in the meantime, found the data below a fascinating representation of how fraud is fought by the Federal Bureau of Investigation.
(Full FBI Arrestees by NIBRS Offense Code by FBI Field Office, 2018 available here)
(Crime rate per 100,000 is (Arrests / Population) x 100,000; for example, in NYC, 268 / 13,464,042 = 0.000019904, and 0.000019904 x 100,000 = 1.99 (rounded to 2.0) per 100,000 population.)
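
| Field Office | Fraud Arrests | Total Arrests | Population | % Fraud Arrests | Fraud arrests per 100k population |
|---|---|---|---|---|---|
| Grand Total All Offices | 2,645 | 24,174 | 330,611,016 | 10.9% | 0.8 |
| Albany | 19 | 193 | 3,959,142 | 9.84% | 0.5 |
| Albuquerque | 11 | 368 | 2,095,428 | 2.99% | 0.5 |
| Anchorage | 3 | 110 | 737,438 | 2.73% | 0.4 |
| Atlanta | 86 | 635 | 10,519,475 | 13.54% | 0.8 |
| Baltimore | 20 | 397 | 7,009,889 | 5.04% | 0.3 |
| Birmingham | 16 | 153 | 2,885,679 | 10.46% | 0.6 |
| Boston | 78 | 515 | 10,654,326 | 15.15% | 0.7 |
| Buffalo | 28 | 318 | 2,745,324 | 8.81% | 1.0 |
| Charlotte | 22 | 548 | 10,383,620 | 4.01% | 0.2 |
| Chicago | 72 | 399 | 9,299,342 | 18.05% | 0.8 |
| Cincinnati | 23 | 257 | 5,973,003 | 8.95% | 0.4 |
| Cleveland | 40 | 426 | 5,716,439 | 9.39% | 0.7 |
| Columbia | 25 | 313 | 5,084,127 | 7.99% | 0.5 |
| Dallas | 42 | 556 | 10,937,892 | 7.55% | 0.4 |
| Denver | 55 | 400 | 6,273,301 | 13.75% | 0.9 |
| Detroit | 132 | 762 | 9,995,915 | 17.32% | 1.3 |
| El Paso | 13 | 217 | 1,280,400 | 5.99% | 1.0 |
| Honolulu | 19 | 92 | 1,420,491 | 20.66 | 1.3 |
| Houston | 45 | 348 | 8,739,890 | 12.93% | 0.5 |
| Indianapolis | 63 | 541 | 6,691,878 | 11.65% | 0.9 |
| Jackson | 19 | 230 | 2,986,530 | 8.26% | 0.6 |
| Jacksonville | 42 | 129 | 5,292,491 | 32.56% | 0.8 |
| Kansas City | 21 | 572 | 6,107,812 | 3.67% | 0.3 |
| Knoxville | 16 | 413 | 2,634,746 | 3.87% | 0.6 |
| Las Vegas | 13 | 294 | 3,034,392 | 4.42% | 0.4 |
| Little Rock | 11 | 209 | 3,013,825 | 5.26% | 0.4 |
| Los Angeles | 270 | 978 | 19,503,778 | 27.61% | 1.4 |
| Louisville | 17 | 177 | 4,468,402 | 0.96% | 0.4 |
| Memphis | 35 | 292 | 4,135,264 | 11.99% | 0.8 |
| Miami | 241 | 1048 | 7,101,580 | 0.23% | 3.4 |
| Milwaukee | 28 | 180 | 5,813,568 | 15.56% | 0.5 |
| Minneapolis | 35 | 620 | 7,253,491 | 5.65% | 0.5 |
| Mobile | 14 | 196 | 2,002,192 | 7.14% | 0.7 |
| New Haven | 24 | 315 | 3,572,665 | 7.62% | 0.7 |
| New Orleans | 13 | 234 | 4,659,978 | 5.56% | 0.3 |
| New York | 268 | 1466 | 13,464,042 | 18.28% | 2.0 |
| Newark | 55 | 533 | 8,055,342 | 10.32% | 0.7 |
| Norfolk | 15 | 108 | 1,759,484 | 13.89% | 0.9 |
| Oklahoma City | 20 | 252 | 3,943,079 | 7.94% | 0.5 |
| Omaha | 10 | 294 | 5,085,413 | 0.34% | 0.2 |
| Philadelphia | 106 | 723 | 9,948,745 | 14.66% | 1.1 |
| Phoenix | 34 | 773 | 7,171,646 | 0.44% | 0.5 |
| Pittsburgh | 40 | 543 | 5,517,325 | 7.37% | 0.7 |
| Portland | 32 | 303 | 4,190,713 | 10.56% | 0.8 |
| Richmond | 10 | 110 | 4,153,705 | 9.09% | 0.2 |
| Sacramento | 33 | 298 | 8,099,068 | 11.07% | 0.4 |
| Salt Lake City | 53 | 606 | 5,977,618 | 8.75% | 0.9 |
| St. Louis | 26 | 422 | 2,930,145 | 6.16% | 0.9 |
| San Antonio | 36 | 879 | 7,743,663 | 0.41% | 0.5 |
| San Diego | 33 | 384 | 3,529,064 | 8.59% | 0.9 |
| San Francisco | 71 | 342 | 8,425,135 | 20.76% | 0.8 |
| San Juan | 140 | 716 | 3,443,582 | 5.59% | 1.2 |
| Seattle | 34 | 359 | 7,535,591 | 9.47% | 0.5 |
| Springfield | 12 | 157 | 3,441,738 | 7.64% | 0.3 |
| Tampa | 30 | 800 | 8,905,254 | 3.75% | 0.3 |
| Washington, DC | 76 | 671 | 3,306,951 | 11.33% | 2.3 |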

Sunday, September 15, 2019

Operation ReWired arrests 281 Business Email Compromise criminals

Operation: ReWired announced on September 10, 2019
On September 10, 2019, the Department of Justice announced that 281 arrests related to Business Email Compromise had been made, with 74 of those arrested being in the United States.  It will take some time to track down the names of all of those arrested, as many of the arrests were overseas.  Twenty-three US Attorney's Offices participated in the Operation, although only five sets of arrests were discussed in the Department of Justice Press Release about Operation ReWired.  While we work to obtain the rest of the information, we'll go ahead and share some details from those already made public in the Press Release.

Chicago Business Email Compromise: Stokes & Ninalowo defraud Energy Company and Community College of Millions

The first case involves two major BEC scams that followed the same mold.  The FBI says that an "un-named Community College" with about 15,000 students was doing business with a construction company out of Minneapolis, Minnesota.  An employee of the university received an email from someone claiming to be "Yvonne Nguyen, a Group Accounting Manager" for the construction company, that said "Hi, please see attached for our new ACH details." The "unnamed company" (easily identifiable by clues in the indictment) boasts of their large catalog of university and college related construction projects, including several in the Chicago area with projected build costs exceeding $20 Million.   The attached form was one that the college traditionally uses to ask vendors for payment details.

Because the request was on their own form, and seemed to come from a company who was involved in a large construction project for them, the college updated the payment details.  "On or about June 20, 2016" the college approved a "routine payment" of $3,371,291 directed to a Bank of America account.  Because of the updated payment information, on June 29, 2016, the payment was made ... but to the new account specified by the criminals.  Almost immediately after deposit, several transactions were attempted from the account, which triggered fraud rules at Bank of America, who froze the account while an investigation was conducted.  The largest such check was for $398,220, made out to "Steno Logistics."  Steno Logistics became a corporation in Illinois one day before the first Yvonne Nguyen email was sent.  The registered agent creating the corporation was Brittney STOKES, who used her home address on the account.  At the time, Stokes was also working as an assistant to the manager of a Menards home improvement store.

The second scam conducted by STOKES and NINALOWO involved a $1.7 Million payment sent from a Houston, Texas oil company to an energy exploration company in Irving, Texas.  In exactly the same method as the first scam, an email claiming to be from the Exploration company was sent to the Oil company with the subject "ACH Update." The email said "We recently received a payment from your company and noticed that payments are still being made to our old bank. We have switched banks.  I will be forwarding you updated banking details once I have your confirmation.  I have also attached our W9 for your perusal."

This exchange led to a $1.7 Million transfer from Energy Company B to "Fake Exploration Company" ... in this case, the corporate email account WAS BEING CONTROLLED BY THE SCAMMERS.  They confirmed the update with a bank account at TD Bank after also confirming other details, such as their physical mailing address.  This led to a series of payments.  On January 9, 2018 - $97,729.65.  On January 11, $239,563.134 and $164,754.84.

In this case, Chase Bank shows that they also had a newly opened bank account for "Steno Logistics", also listing Brittney STOKES as the president, and opened with STOKES' Illinois Driver's License as proof of identity.  Each time a payment was received by "Fake Exploration Company", a check was issued from the fake company to Steno Logistics.  Checks included:

  • $22,054.17 on January 26, 2018
  • $35,000 on January 30, 2018
  • $833,672.50 on February 2, 2018
  • $608,488.90 on February 6, 2018
  • $186,483.73 on February 8, 2018

Large transfers were then made from the Steno Logistics account to accounts such as "Yummy Bear Day Care", which was a Citibank account.  Yummy Bear Day Care was also registered in the State of Illinois by Brittney Stokes.

On many occasions thereafter, bank surveillance video showed NINALOWO making cash withdrawals from the Steno Logistics account: on Feb 3, 2018, Feb 5, 2018, and Feb 6, 2018.  Captured text messages between STOKES and NINALOWO also make clear that some of the checks written against the account, including one for $50,000, involved NINALOWO forging the signature of STOKES.  The phones were seized for inspection by Customs and Border Protection as STOKES and NINALOWO came through US Customs, returning from Lagos, Nigeria, via the Atlanta Airport.

When they were arrested, Law Enforcement officials seized a 2019 Range Rover Velar S from Stokes and $175,909.

Dallas Texas: Opeyemi Abidemi Adeoso and Benjamin Adeleke Ifebajo

In the Dallas case, an individual sent a series of wires totalling $504,660.52 to a Dallas-based bank account in February 2018.  A second business, in March 2018, also wired $179,223.33 to another Dallas-based bank account.  Upon investigation, these funds were being disbursed to someone using an alias identity "Daniel Sammy Campbell" and the street address "9451 Wickersham Road, Apt 2075, Dallas, Texas."  ADEOSO was the current resident of that apartment at the time of the fraud.  His previous landlord, at 6808 Skillman Street, recognized ADEOSO, and also informed law enforcement that he had been referred to rent there by his friend IFEBAJO.  IFEBAJO was proven to have utilized many aliases, including Joseph Eric Johnson, Jeremiah Alex Malcolm, Tidwell Anthony Wilsom, and Andrew James Wilson.  ADEOSO also used many aliases, including Peter Kuffor, George Macharty, Nelson Johnson, Braheem Larke, Michael Albert, Michael Jaden Sean, Michael Jeff Brown, and Benjamin Zee Brown.  Each had many fraudulent foreign passports and other alias identities used to open numerous bank accounts in the Dallas Fort Worth area of Texas.

ADEOSO was married to Bukola Comfort ADEOSO, who moved to Dallas Texas shortly after arriving in the United States.  On numerous occasions, when ADEOSO made a large cash withdrawal, a matching deposit would show up in BUKOLA's account.

ADEOSO opened a LARGE number of bank accounts.   Just using the Peter KUFFOR alias, which had a counterfeit Great Britain passport, he opened: 

  • BB&T - June 9, 2015
  • Capital One - June 24, 2015
  • Wells Fargo - June 24, 2015
  • BBVA - July 3, 2015
  • Bank of America - July 30, 2015
  • First Convenience Bank - November 9, 2015
  • Chase Bank - November 24, 2015

This alias often used the Yahoo email flavorj1@yahoo.com - which was also used by the George MACHARTY alias.  Macharty, using a counterfeit Nigerian passport, opened:

  • Wells Fargo - Sep 3, 2015
  • Bank of America - Sep 8, 2015
  • First Convenience - Oct 5, 2015
  • BBVA - Oct 7, 2015
  • Capital One - Oct 6, 2015
  • Chase Bank - Oct 28, 2015
  • BB&T - Nov 24, 2015

Alias Johnson Nelson accounts used the flavorj1 email and also justonceacademy@gmail.com:

  • Bank of America - Oct 20, 2015
  • Capital One - Oct 21, 2015
  • BB&T - Oct 22, 2015
  • Woodforest Bank - Jan 6, 2016

His other aliases also opened many bank accounts.  Between July 2015 and March 2016 these accounts received $423,285 in wire fraud proceeds from victim companies.

Another whole set of accounts was created in 2018 and 2019 and also received a large number of fraudulent wires from victim companies all across the United States, including the largest transfer, a $433,714.31 transfer to a BBVA account.

At the time of the Criminal Complaint, not all of the victims had been identified: 

Cherria Davis was married to Adeoso on April 17, 2015.  Ifebajo listed Cherria Davis as his US point of contact when he came to the United States on a non-Immigrant Visa on July 3, 2015, using the email "benvicschools@gmail.com."  Customs and Border Patrol seized a DHL package containing fraudulent passports in the names of Chris Hammington and James Alexander that were destined to IFEBAJO's residence at 11911 Audelia Road in Dallas, Texas.  

IFEBAJO also opened many accounts in many aliases, but tended to use business names.  As Jeremiah Alex Malcolm he owned "Breakthrough Auto Links" with a fake Great Britain passport.  Surveillance video in BB&T confirms Malcolm to be IFEBAJO.  As Andrew James Williams, he ran "Williams Retails and Equipment" who had a BBVA bank account and a Bank of America bank account.  As Joseph Eric Johnson he ran "Reality Global Equipments" with a fake Namibian passport and an IRS Tax EID 83-2508382.  He had BBVA, BB&T, and Wells Fargo business accounts with that identity, and surveillance video at Chase, BB&T, and Wells Fargo showing IFEBAJO doing banking as "Johnson".

Like ADEOSO, linked by the ties to Cherria Davis, IFEBAJO also had many deposits to his accounts known to be from BEC fraud victims, including: 



NYC: Ashu, Eke, Ikejimba, Ironuah

According to the Indictment, Cyril ASHU, Ifeanyi EKE, Joshua IKEJIMBA, and Chinedu IRONUAH "and others known and unknown" engaged in fraudulent business email compromise ("BEC") schemes against "various victims, including an intergovernmental organization headquartered in New York, New York" convincing the victims to wire payments to bank accounts controlled by the defendants instead of the intended beneficiaries.  As in the previous cases, the victims all received emails that seemed to be from companies with which they were genuinely engaged in business, but which deceived them into changing the destination accounts for business transactions.

After receiving the funds, they were quickly transferred, withdrawn, and laundered, either by withdrawing cash or writing cashier's checks, many of which were cashed out at check cashing facilities in Houston, Texas.  Altogether, the defendants in this case caused to be transferred more than $10 Million in fraudulently gained funds.  Two examples of the activities charged are listed in detail related to two bank accounts, one opened by EKE and the other by ASHU:

The "0131 Account":


  • On October 28, 2016 - IFEANYI EKE opened a Marietta, Georgia bank account ending in 0131 using his alias "Luthur Mulbah Doley"
  • On Feb 15, 2017, a foreign-based healthcare company wired him $41,495 to that account, through a correspondent bank in the Southern District of New York.
  • On Feb 16, 2017, EKE sent two cashier's checks totaling $25,000 to CYRIL ASHU, who cashed one of the checks the following day.
  • On Feb 27, 2017, an intergovernmental organization based in NYC wired $188,815 to the 0131 account.
  • On March 1, 2017, EKE transferred $100,000 from the account to another account in his true name.
  • On March 2, 2017, EKE wrote a cashier's check for $68,000 payable to "Curesos Innovation" 
  • On March 2, 2017, a foreign-based manufacturing company wired $123,895 to the 0131 account.
  • Between March 2 and March 4, EKE bought three more cashier's checks:
    • $48,000 to Curesos Innovation
    • $68,000 to Yiwu Offshore Limited
    • $96,000 to Yiwu Offshore Limited 
  • On March 3, 2017, IRONUAH cashed the Curesos checks in Houston, Texas.
  • On March 6, 2017 IKEJIMBA cashed the Yiwu checks at the same check-cashing facility in Houston, Texas.

The "7622 Account":

  • From October 25, 2017 through December 2017, ASHU used a stolen identity to open a bank account ending in 7622 and received $12,366 in fraud proceeds.

Georgia: Emmanuel Igomu and Jude Balogun steal $3.5 Million via a BEC fraud against a health-care provider


On July 2, 2018, Tanner Health Systems of Carrollton, Georgia was hit by a BEC fraud.  Someone impersonating a THS vendor, Bernie Buchanan, the Executive VP of Ra-Lin and Associates, caused a payment of $3,528,500.02 to be misdirected to a Bank of America account in the name of GARRETT, LLC.  The account had only one valid signator: Ishmael GARRETT of Newark, Delaware.

Two outbound payments were made from the account.  $797,291.14 was sent to a SunTrust Bank account in the name "Audi Atlanta, LLC", 361 Pharr Road NE, Atlanta, Georgia.  On the same day, $570,780 was sent to a JP Morgan Chase Bank account in the name Lucia Tech, LLC at 5456 Peachtree Industrial Boulevard, Suite 632, Atlanta, Georgia.

The Lucia Tech account had been opened with a fraudulent South Carolina driver's license in the name of Lucy Andrews.  The address actually corresponded to a UPS Store box in the name of Henry Dax.  Henry Dax used the telephone number 678-590-6197 and the email palaso@mail.com.  Logs from the mail.com provider showed regular logins from an IP address 24.99.101.32, which belonged to a Comcast account at the street address 2340 Cheshire Bridge Rd NE, Apartment 404, Atlanta, GA 30324.  Georgia Power records show that the electric bill for that apartment was in the name Emmanuel Igomu, with the telephone number 678-900-5328.

The Atlanta Police Department showed that they had been dispatched to that address based on a complaint from IGOMU showing that he had lost his passport!  IGOMU gave his telephone number to the Atlanta police as 678-900-5328.

A search warrant served at the address revealed that IGOMU was residing there with Stephanie Gaspard, who IGOMU claimed was his wife.   Fraudulent driver's licenses with their photos but other names were found, along with credit cards in names other than the residents'.  IGOMU's cell phone was broken and it and its battery were found submerged in the tank of the toilet.  When asked why, IGOMU said he must have stepped on it in his confusion from being awoken by the FBI's early morning knock.  He wasn't able to explain why it was in the toilet tank.

One of the fraudulent South Carolina driver's licenses was in the name Henry Dax and was used to open the UPS Store used as the address for LUCIA TECH, LLC.



The James Clark identity was used to open a Fidelity Bank account in the name "JCEE CLARK, LLC"

IGOMU is a Nigerian national who entered the US on June 23, 2014 on a six month Visa which has never been extended.  He had previously been arrested (though not deported) by the Atlanta Police Department charged with having 2 fictitious driver's licenses, a fictitious UK passport, and six different bank cards in three different names.  On January 9, 2017, he was convicted of five felony counts, but only sentenced to three years probation under the "First Offender Act."

Miami, Florida: Govantes and Tamayo

Yumeydi GOVANTES was the sole officer of "Yumeydi Quality Products", a Florida corporation claiming to do business at 1441 Sandpiper Boulevard, Homestead, Florida.  They were incorporated on November 14, 2016. Yamel Guevara TAMAYO was the sole officer of "YGT Buying Inc", a Florida corporation claiming to do business at 4840 NW 7th Street, Apartment 305, Miami, Florida.  They were incorporated on November 17, 2016.

From November 2016 through June 2019, the defendants participated in a conspiracy to commit wire fraud, laundering money by receiving funds into their bank accounts and then transferring the funds out of the country, primarily to China, after dipping into the funds for their own personal gain.  Some of those transfers are shown below:

More Information, Please???

We've shared above the cases that were specifically named in the DOJ Press Release about Operation: Rewired.  Yet these were only FIVE of the 23 districts that had arrests.  If you have details on additional information, please reach out to me on Twitter ( @GarWarner ) or in the Comments section below!

As we shared back in July, all of this information is just the tip of the iceberg with regard to BEC fraud.  According to analysis by the Financial Crimes Enforcement Network (FinCEN), BEC losses during calendar 2018 exceeded $300 Million per month in theft! https://garwarner.blogspot.com/2019/07/fincen-bec-far-worse-than-previously.html