Sunday, September 15, 2019

Operation ReWired arrests 281 Business Email Compromise criminals

Operation: ReWired announced on September 10, 2019
On September 10, 2019, the Department of Justice announced that 281 arrests related to Business Email Compromise had been made, with 74 of those arrested being in the United States.  It will take some time to track down the names of all of those arrested, as many of the arrests were overseas.  Twenty-three US Attorneys Offices participated in the Operation, although only five sets of arrests were discussed in the Department of Justice Press Release about Operation ReWired.  While we work to obtain the rest of the information, we'll go ahead and share some details from those already made public in the Press Release.

Chicago Business Email Compromise: Stokes & Ninalowo defraud Energy Company and Community College of Millions

The first case involves two major BEC scams that followed the same mold.  The FBI says that an "un-named Community College" with about 15,000 students was doing business with a construction company our of Minneapolis, Minnesota.  An employee of the university received an email from someone claiming to be "Yvonne Nguyen, a Group Accounting Manager" for the construction company, that said "Hi, please see attached for our new ACH details." The "unnamed company" (easily identifiable by clues in the indictment) boasts of their large catalog of university and college related construction projects, including several in the Chicago area with projected build costs exceeding $20 Million.   The attached form was one that the college traditionally uses to ask vendors for payment details.

Because the request was on their own form, and seemed to come from a company who was involved in a large construction project for them, the college updated the payment details.  "On or about June 20, 2016" the college approved a "routine payment" of $3,371,291 directed to a Bank of America account.  Because of the updated payment information, on June 29, 2016, the payment was made ... but to the new account specified by the criminals.  Almost immediately after deposit, several transactions were attempted from the account, which triggered fraud rules at Bank of America, who froze the account while an investigations was conducted.  The largest such check was for $398,220, made out to "Steno Logistics."  Steno Logistics became a corporation in Illinois one day before the first Yvonne Nguyen email was sent.  The registered agent creating the corporation was Brittney STOKES, who used her home address on the account.  At the time, Stokes was also working as an assistant to the manager of a Menards home improvement store.

The second scam conducted by STOKES and NINALOWO invlved a $1.7 Million payment sent from a Houston, Texas oil company to an energy exploration company in Irving, Texas.  In exactly the same method as the first scam, an email claiming to be from the Exploration company was sent to the Oil company with the subject "ACH Update." The email said "We recently received a payment from your company and noticed that payments are still being made to our old bank. We have switched banks.  I will be forwarding you updated banking details once I have your confirmation.  I have also attached our W9 for your perusal."

This exchange led to a $1.7 Million transfer from Energy Company B to "Fake Exploration Company" ... in this case, the corporate email account WAS BEING CONTROLLED BY THE SCAMMERS.  They confirmed the update with a bank account at TD Bank after also confirming other details, such as their physical mailing address.  This led to a series of payments.  On January 9, 2018 - $97,729.65.  On January 11, $239,563.134 and $164,754.84.

In this case, Chase Bank shows that they also had a newly opened bank account for "Steno Logistics", also listing Brittney STOKES as the president, and opened with STOKES' Illinois Drivers License as proof of identity.  Each time a payment was received by "Fake Exploration Company", a check was issued from the fake company to Steno Logistics.  Checks included:

  • $22,054.17 on January 26, 2018
  • $35,000 on January 30, 2018
  • $833,672.50 on February 2, 2018
  • $608,488.90 on February 6, 2018
  • $186,483.73 on February 8, 2018

Large transfers were then made from the Steno Logistics account to accounts such as "Yummy Bear Day Care", which was a Citibank account.  Yummy Bear Day Care was also registered in the State of Illinois by Brittney Stokes.

On many occasions thereafter, bank surveillance video showed NINALOWO making cash withdrawals from the Steno Logistics account.  On Feb 3, 2018, Feb 5, 2018., Feb 6, 2018.  Captured text messages between STOKES and NINALOWO also make clear that some of the checks written against the account, including one for $50,000, involved NINALOWO forging the signature of STOKES.  The phones were seized for inspection by Customs and Border Protection as STOKES and NINALOWO came through US Customs, returning from Lagos, Nigeria, via the Atlanta Airport.

When they were arrested, Law Enforcement officials seized a 2019 Range Rover Velar S from Stokes and $175,909.

Dallas Texas: Opeyemi Abidemi Adeoso and Benjamin Adeleke Ifebajo

In the Dallas case, an individual sent a series of wires totalling $504,660.52 to a Dallas based bank account in February 2018.  A second business, in March 2018, also wired $179,223.33 to another Dallas-based bank account.  Upon investigation, these funds were being disbursed to someone using an alias identity "Daniel Sammy Campbell" and the street address "9451 Wickersham Road, Apt 2075, Dallas, Texas.  ADEOSO was the current resident of that apartment at the time of the fraud.  His previous landlord, at 6808 Skillman Street, recognized ADEOSO, and also informed law enforcement that he had been referred to rent there by his friend IFEBAJO.  IFEBAJO was proven to have utilized many aliases, including Joseph Eric Johnson, Jeremiah Alex Malcolm, Tidwell Anthony Wilsom, and Andrew James Wilson.  ADEOSO also used many aliases, including Peter Kuffor, George Macharty, Nelson Johnson, Braheem Larke, Michael Albert, Michael Jaden Sean, Michael Jeff Brown, and Benjamin Zee Brown.  Each had many fraudulent foreign passports and other alias identities used to open numerous bank accounts in the Dallas Fort Worth area of Texas.

ADEOSO was married to Bukola Comfort ADEOSO, who moved to Dallas Texas shortly after arriving in the United States.  On numerous occasions, when ADEOSO made a large cash withdrawal, a matching deposit would show up in BUKOLA's account.

ADEOSO opened a LARGE number of bank accounts.   Just using the Peter KUFFOR alias, which had a counterfeit Great Britain passport, he opened: 

  • BB&T - June 9, 2015
  • Capital One - June 24, 2015
  • Wells Fargo - June 24, 2015
  • BBVA - July 3, 2015
  • Bank of America - July 30, 2015
  • First Convenience Bank - November 9, 2015
  • Chase Bank - November 24, 2015

This alias often used the Yahoo email - which was also used by the George MACHARTY alias.  Macharty, using a counterfeit Nigerian passport, opened:

  • Wells Fargo - Sep 3, 2015
  • Bank of America - Sep 8, 2015
  • First Convenience - Oct 5, 2015
  • BBVA - Oct 7, 2015
  • Capital One - Oct 6, 2015
  • Chase Bank - Oct 28, 2015
  • BB&T - Nov 24, 2015
Alias Johnson Nelson accounts used the flavorj1 email and also 
  • Bank of America - Oct 20, 2015
  • Capital One - Oct 21, 2015
  • BB&T - Oct 22, 2015
  • Woodforest Bank - Jan 6, 2016
His other aliases also opened many bank accounts.  Between July 2015 and March 2016 these accounts received $423,285 in wire fraud proceeds from victim companies.
Another whole set of accounts was created in 2018 and 2019 and also received a large number of wire frauds from victim companies all across the United States, including the largest transfer, a $433,714.31 transfer to a BBVA account.
At the time of the Criminal Complaint, not all of the victims had been identified: 

Cherria Davis was married to Adeoso on April 17, 2015.  Ifebajo listed Cherria Davis as his US point of contact when he came to the United States on a non-Immigrant Visa on July 3, 2015, using the email ""  Customs and Border Patrol seized a DHL package containing fraudulent passports in the names of Chris Hammington and James Alexander that were destined to IFEBAJO's residence at 11911 Audelia Road in Dallas, Texas.  

IFEBAJO also opened many accounts in many aliases, but tended to use business names.  As Jeremiah Alex Malcolm he owned "Breakthrough Auto Links" with a fake Great Britain passport.  Surveillance video in BB&T confirms Malcolm to be IFEBAJO.  As Andrew James Williams, he ran "Williams Retails and Equipment" who had a BBVA bank account and a Bank of America bank account.  As Joseph Eric Johnson he ran "Reality Global Equipments" with a fake Namibian passport and an IRS Tax EID 83-2508382.  He had BBVA, BB&T, and Wells Fargo business accounts with that identity, and surveillance video at Chase, BB&T, and Wells Fargo showing IFEBAJO doing banking as "Johnson".

Like ADEOSO, linked by the ties to Cherria Davis, IFEBAJO also had many deposits to his accounts known to be from BEC fraud victims, including: 

NYC: Ashu, Eke, Ikejimba, Ironuah

According to the Indictment, Cyril ASHU, Ifeanyi EKE, Joshua IKEJIMBA, and Chinedu IRONUAH "and others known and unknown" engaged in a fraudulent business email compromise ("BEC") schemes against "various victims, including an intergovernmental organization headquartered in New York, New York" convincing the victims to wire payments to bank accounts controlled by the defendants instead of the intended beneficiaries.  As in the previous cases, the victims all received emails that seemed to be from companies with which they were genuinely engaged in business, but which deceived them into changing the destination accounts for business transactions.
After receiving the funds, they were quickly transferred, withdrawn, and laundered, either by withdrawing cash or writing cashier's checks, many of which were cashed out at check cashing facilities in Houston, Texas.  Altogether, the defendants in this case caused to be transferred more than $10 Million in fraudulently gained funds.  Two examples of the activities charged are listed in detail related to two bank accounts, one opened by EKE and the other by ASHU:

The "0131 Account":

  • On October 28, 2016 - IFEANYI EKE opened a Marietta, Georgia bank account ending in 0131 using his alias "Luthur Mulbah Doley"
  • On Feb 15, 2017, a foreign-based healthcare company wired him $41,495 to that account, through a correspondent bank in the Southern District of New York.
  • On Feb 16, 2017, EKE sent two cashier's checks totaling $25,000 to CYRIL ASHU, who cashed one of the checks the following day.
  • On Feb 27, 2017, "an intergovernmental organization based in NYC wired $188,815 to the 0131 account.  
  • On March 1, 2017, EKE transferred $100,000 from the account to another account in his true name.
  • On March 2, 2017, EKE wrote a cashier's check for $68,000 payable to "Curesos Innovation" 
  • On March 2, 2017, a foreign-based manufacturing company wired $123,895 tot the 0131 account. 
  • Between March 2 and March 4, EKE bought three more cashier's checks:
    • $48,000 to Curesos Innovation
    • $68,000 to Yiwu Offshore Limited
    • $96,000 to Yiwu Offshore Limited 
  • On March 3, 2017, IRONUAH cashed the Curesos checks in Houston, Texas.
  • On March 6, 2017 IKEJIMBA cashed the Yiwu checks at the same check-cashing facility in Houston, Texas.
The "7622 Account":
  • From October 25, 2017 through December 2017, ASHU used a stolen identity to open a bank account ending in 7622 and received $12,366 in fraud proceeds.

Georgia: Emmanuel Igomu and Jude Balogun steal $3.5 Million via a BEC fraud against a health-care provider

On July 2, 2018, Tanner Health Systems of Carrollton, Georgia was hit by a BEC fraud.  Someone impersonating a THS vendor, Bernie Buchanan, the Executive VP of Ra-Lin and Associates, caused a payment of $3,528,500.02 to be misdirected to a Bank of America account in the name of GARRETT, LLC.  The account had only one valid signator: Ishmael GARRETT of Newark, Delaware.

Two outbound payments were made from the account.  $797,291.14 was sent to a SunTrust Bank account in the name "Audi Atlanta, LLC, 361 Pharr Road NE, Atlanta, Georgia.  On the same day, $570,780 was sent to a JP Morgan Chase Bank account in the name Lucia Tech, LLC at 5456 Peachtree Industrial Boulevard, Suite 632, Atlanta, Georgia.

The Lucia Tech account had been opened with a fraudulent South Carolina driver's license in the name of Lucy Andrews.  The address actually corresponded to a UPS Store box in the name of Henry Dax.  Henry Dax used the telephone number 678-590-6197 and the email  Logs from the provider showed regular logins from an IP address, which belonged to a Comcast account at the street address 2340 Cheshire Bridge Rd NE, Apartment 404, Atlanta, GA 30324.  Georgia Power records show that the electric bill for that apartment was in the name Emmanuel Igomu, which the telephone number 678-900-5328.  

The Atlanta Police Department showed that they had been dispatched to that address based on a complaint from IGOMU showing that he had lost his passport!  IGOMU gave his telephone number to the Atlanta police as 678-900-5328.

A search warrant served at the address revealed that IGOMU was residing there with Stephanie Gaspard, who IGOMU claimed was his wife.   Fraudulent driver's licenses with their photos but other names were found, along with credit cards in names other than the resident's.  IGOMU's cell phone was broken and it and its battery were found submerged in the tank of the toilet.  When asked why, IGOMU said he must have stepped on it in his confusion from being awoken by the FBI's early morning knock.  He wasn't able to explain why it was in the toilet tank.

One of the fraudulent South Carolina driver's licenses was in the name Henry Dax and was used to open the UPS Store used as the address for LUCIA TECH, LLC.

The James Clark identity was used to open a Fidelity Bank account in the name "JCEE CLARK, LLC"

IGOMU is a Nigerian national who entered the US on June 23, 2014 on a six month Visa which has never been extended.  He had previously been arrested (though not deported) by the Atlanta Police Department charged with having 2 fictitious driver's license, a fictitious UK passport, and six different bank cards in three different names.  On January 9, 2017, he was convicted of five felony accounts, but only sentenced to three years probation under the "First Offender Act."

Miami, Florida: Govantes and Tamayo

Yumeydi GOVANTES was the sole officer of "Yumeydi Quality Products" a Florida corporation claiming to do business at 1441 Sandpiper Boulevard, Homestead, Florida.  They were incorporated on November 14, 2016. Yamel Guevara TAMAYO was the sole officer of YGT Buying Inc" a Florida corporation claiming to do business at 4840 NW 7th Street, Apartment 305, Miami, Florida.  They were incorporated on November 17, 2016.

From November 2016 through June 2019, the defendants participated in a conspiracy to commit wire fraud, laundering money by receiving funds into their bank accounts and then transferring the funds out of the country, primarily to China, after dipping into the funds for their own personal gain.  Some of those transfers are shown below:

More Information, Please ? ? ?

We've shared above the cases that were specifically named in the DOJ Press Release about Operation: Rewired.  Yet these were only FIVE of the 23 districts that had arrests.  If you have details on additional information, please reach out to me on Twitter ( @GarWarner ) or in the Comments section below!

As we shared back in July, all of this information is just the tip of the iceberg with regards to BEC fraud.  According to analysis by the Financial Crimes Enforcement Network (FinCEN), BEC losses during calendar 2018 exceeded $300 Million per month in theft!