On September 10, 2019, the Department of Justice announced that 281 arrests related to Business Email Compromise had been made, with 74 of those arrested being in the United States. It will take some time to track down the names of all of those arrested, as many of the arrests were overseas. Twenty-three US Attorneys Offices participated in the Operation, although only five sets of arrests were discussed in the Department of Justice Press Release about Operation ReWired. While we work to obtain the rest of the information, we'll go ahead and share some details from those already made public in the Press Release.
Chicago Business Email Compromise: Stokes & Ninalowo defraud Energy Company and Community College of Millions
The first case involves two major BEC scams that followed the same mold. The FBI says that an "un-named Community College" with about 15,000 students was doing business with a construction company our of Minneapolis, Minnesota. An employee of the university received an email from someone claiming to be "Yvonne Nguyen, a Group Accounting Manager" for the construction company, that said "Hi, please see attached for our new ACH details." The "unnamed company" (easily identifiable by clues in the indictment) boasts of their large catalog of university and college related construction projects, including several in the Chicago area with projected build costs exceeding $20 Million. The attached form was one that the college traditionally uses to ask vendors for payment details.Because the request was on their own form, and seemed to come from a company who was involved in a large construction project for them, the college updated the payment details. "On or about June 20, 2016" the college approved a "routine payment" of $3,371,291 directed to a Bank of America account. Because of the updated payment information, on June 29, 2016, the payment was made ... but to the new account specified by the criminals. Almost immediately after deposit, several transactions were attempted from the account, which triggered fraud rules at Bank of America, who froze the account while an investigations was conducted. The largest such check was for $398,220, made out to "Steno Logistics." Steno Logistics became a corporation in Illinois one day before the first Yvonne Nguyen email was sent. The registered agent creating the corporation was Brittney STOKES, who used her home address on the account. At the time, Stokes was also working as an assistant to the manager of a Menards home improvement store.
The second scam conducted by STOKES and NINALOWO invlved a $1.7 Million payment sent from a Houston, Texas oil company to an energy exploration company in Irving, Texas. In exactly the same method as the first scam, an email claiming to be from the Exploration company was sent to the Oil company with the subject "ACH Update." The email said "We recently received a payment from your company and noticed that payments are still being made to our old bank. We have switched banks. I will be forwarding you updated banking details once I have your confirmation. I have also attached our W9 for your perusal."
This exchange led to a $1.7 Million transfer from Energy Company B to "Fake Exploration Company" ... in this case, the corporate email account WAS BEING CONTROLLED BY THE SCAMMERS. They confirmed the update with a bank account at TD Bank after also confirming other details, such as their physical mailing address. This led to a series of payments. On January 9, 2018 - $97,729.65. On January 11, $239,563.134 and $164,754.84.
In this case, Chase Bank shows that they also had a newly opened bank account for "Steno Logistics", also listing Brittney STOKES as the president, and opened with STOKES' Illinois Drivers License as proof of identity. Each time a payment was received by "Fake Exploration Company", a check was issued from the fake company to Steno Logistics. Checks included:
- $22,054.17 on January 26, 2018
- $35,000 on January 30, 2018
- $833,672.50 on February 2, 2018
- $608,488.90 on February 6, 2018
- $186,483.73 on February 8, 2018
Large transfers were then made from the Steno Logistics account to accounts such as "Yummy Bear Day Care", which was a Citibank account. Yummy Bear Day Care was also registered in the State of Illinois by Brittney Stokes.
On many occasions thereafter, bank surveillance video showed NINALOWO making cash withdrawals from the Steno Logistics account. On Feb 3, 2018, Feb 5, 2018., Feb 6, 2018. Captured text messages between STOKES and NINALOWO also make clear that some of the checks written against the account, including one for $50,000, involved NINALOWO forging the signature of STOKES. The phones were seized for inspection by Customs and Border Protection as STOKES and NINALOWO came through US Customs, returning from Lagos, Nigeria, via the Atlanta Airport.
When they were arrested, Law Enforcement officials seized a 2019 Range Rover Velar S from Stokes and $175,909.
Dallas Texas: Opeyemi Abidemi Adeoso and Benjamin Adeleke Ifebajo
In the Dallas case, an individual sent a series of wires totalling $504,660.52 to a Dallas based bank account in February 2018. A second business, in March 2018, also wired $179,223.33 to another Dallas-based bank account. Upon investigation, these funds were being disbursed to someone using an alias identity "Daniel Sammy Campbell" and the street address "9451 Wickersham Road, Apt 2075, Dallas, Texas. ADEOSO was the current resident of that apartment at the time of the fraud. His previous landlord, at 6808 Skillman Street, recognized ADEOSO, and also informed law enforcement that he had been referred to rent there by his friend IFEBAJO. IFEBAJO was proven to have utilized many aliases, including Joseph Eric Johnson, Jeremiah Alex Malcolm, Tidwell Anthony Wilsom, and Andrew James Wilson. ADEOSO also used many aliases, including Peter Kuffor, George Macharty, Nelson Johnson, Braheem Larke, Michael Albert, Michael Jaden Sean, Michael Jeff Brown, and Benjamin Zee Brown. Each had many fraudulent foreign passports and other alias identities used to open numerous bank accounts in the Dallas Fort Worth area of Texas.
ADEOSO was married to Bukola Comfort ADEOSO, who moved to Dallas Texas shortly after arriving in the United States. On numerous occasions, when ADEOSO made a large cash withdrawal, a matching deposit would show up in BUKOLA's account.
ADEOSO opened a LARGE number of bank accounts. Just using the Peter KUFFOR alias, which had a counterfeit Great Britain passport, he opened:
- BB&T - June 9, 2015
- Capital One - June 24, 2015
- Wells Fargo - June 24, 2015
- BBVA - July 3, 2015
- Bank of America - July 30, 2015
- First Convenience Bank - November 9, 2015
- Chase Bank - November 24, 2015
This alias often used the Yahoo email flavorj1@yahoo.com - which was also used by the George MACHARTY alias. Macharty, using a counterfeit Nigerian passport, opened:
- Wells Fargo - Sep 3, 2015
- Bank of America - Sep 8, 2015
- First Convenience - Oct 5, 2015
- BBVA - Oct 7, 2015
- Capital One - Oct 6, 2015
- Chase Bank - Oct 28, 2015
- BB&T - Nov 24, 2015
- Bank of America - Oct 20, 2015
- Capital One - Oct 21, 2015
- BB&T - Oct 22, 2015
- Woodforest Bank - Jan 6, 2016
NYC: Ashu, Eke, Ikejimba, Ironuah
According to the Indictment, Cyril ASHU, Ifeanyi EKE, Joshua IKEJIMBA, and Chinedu IRONUAH "and others known and unknown" engaged in a fraudulent business email compromise ("BEC") schemes against "various victims, including an intergovernmental organization headquartered in New York, New York" convincing the victims to wire payments to bank accounts controlled by the defendants instead of the intended beneficiaries. As in the previous cases, the victims all received emails that seemed to be from companies with which they were genuinely engaged in business, but which deceived them into changing the destination accounts for business transactions.
After receiving the funds, they were quickly transferred, withdrawn, and laundered, either by withdrawing cash or writing cashier's checks, many of which were cashed out at check cashing facilities in Houston, Texas. Altogether, the defendants in this case caused to be transferred more than $10 Million in fraudulently gained funds. Two examples of the activities charged are listed in detail related to two bank accounts, one opened by EKE and the other by ASHU:
The "0131 Account":
- On October 28, 2016 - IFEANYI EKE opened a Marietta, Georgia bank account ending in 0131 using his alias "Luthur Mulbah Doley"
- On Feb 15, 2017, a foreign-based healthcare company wired him $41,495 to that account, through a correspondent bank in the Southern District of New York.
- On Feb 16, 2017, EKE sent two cashier's checks totaling $25,000 to CYRIL ASHU, who cashed one of the checks the following day.
- On Feb 27, 2017, "an intergovernmental organization based in NYC wired $188,815 to the 0131 account.
- On March 1, 2017, EKE transferred $100,000 from the account to another account in his true name.
- On March 2, 2017, EKE wrote a cashier's check for $68,000 payable to "Curesos Innovation"
- On March 2, 2017, a foreign-based manufacturing company wired $123,895 tot the 0131 account.
- Between March 2 and March 4, EKE bought three more cashier's checks:
- $48,000 to Curesos Innovation
- $68,000 to Yiwu Offshore Limited
- $96,000 to Yiwu Offshore Limited
- On March 3, 2017, IRONUAH cashed the Curesos checks in Houston, Texas.
- On March 6, 2017 IKEJIMBA cashed the Yiwu checks at the same check-cashing facility in Houston, Texas.
- From October 25, 2017 through December 2017, ASHU used a stolen identity to open a bank account ending in 7622 and received $12,366 in fraud proceeds.
Georgia: Emmanuel Igomu and Jude Balogun steal $3.5 Million via a BEC fraud against a health-care provider
Two outbound payments were made from the account. $797,291.14 was sent to a SunTrust Bank account in the name "Audi Atlanta, LLC, 361 Pharr Road NE, Atlanta, Georgia. On the same day, $570,780 was sent to a JP Morgan Chase Bank account in the name Lucia Tech, LLC at 5456 Peachtree Industrial Boulevard, Suite 632, Atlanta, Georgia.
The James Clark identity was used to open a Fidelity Bank account in the name "JCEE CLARK, LLC"
IGOMU is a Nigerian national who entered the US on June 23, 2014 on a six month Visa which has never been extended. He had previously been arrested (though not deported) by the Atlanta Police Department charged with having 2 fictitious driver's license, a fictitious UK passport, and six different bank cards in three different names. On January 9, 2017, he was convicted of five felony accounts, but only sentenced to three years probation under the "First Offender Act."
Miami, Florida: Govantes and Tamayo
Yumeydi GOVANTES was the sole officer of "Yumeydi Quality Products" a Florida corporation claiming to do business at 1441 Sandpiper Boulevard, Homestead, Florida. They were incorporated on November 14, 2016. Yamel Guevara TAMAYO was the sole officer of YGT Buying Inc" a Florida corporation claiming to do business at 4840 NW 7th Street, Apartment 305, Miami, Florida. They were incorporated on November 17, 2016.From November 2016 through June 2019, the defendants participated in a conspiracy to commit wire fraud, laundering money by receiving funds into their bank accounts and then transferring the funds out of the country, primarily to China, after dipping into the funds for their own personal gain. Some of those transfers are shown below:
More Information, Please ? ? ?
We've shared above the cases that were specifically named in the DOJ Press Release about Operation: Rewired. Yet these were only FIVE of the 23 districts that had arrests. If you have details on additional information, please reach out to me on Twitter ( @GarWarner ) or in the Comments section below!As we shared back in July, all of this information is just the tip of the iceberg with regards to BEC fraud. According to analysis by the Financial Crimes Enforcement Network (FinCEN), BEC losses during calendar 2018 exceeded $300 Million per month in theft! https://garwarner.blogspot.com/2019/07/fincen-bec-far-worse-than-previously.html
No comments:
Post a Comment
Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.