Thursday, July 23, 2020

Chinese "COVID-19" Hackers indicted after 11 year hacking spree



On July 7, 2020, a Grand Jury in Seattle was presented with evidence about the eleven-year campaign of computer network intrusion conducted by two former classmates who hacked both for personal profit and for the benefit of the Chinese Ministry of State Security: Li Xiaoyu 李啸宇 and Dong Jiazhi 董家志.  The pair met when they were studying Computer Application Technologies at the University of Electronic Science and Technology ("UEST") in Chengdu, China.  UEST has as its motto 求实求真 大气大为 -- "To Seek Facts and Truth, To Be Noble and Ambitious."  This pair certainly "sought facts" and were "ambitious," though not in a way that many would consider "Noble."  The University was admitted into Project 985 in 2001, a project that supported 34 top universities, encouraging each to become a global leader in its chosen specialty, and incidentally kicking off a new and ambitious era of global cyber espionage to help them gain competitive advantage.

Or maybe it was exactly the plan.  In 2007, likely the year that Dong would have started his college experience at UEST, the School of Software boasted that as part of the 11th Five Year Plan, their textbook, 计算机病毒技术 (Computer Virus Technology), received national acclaim.  The following year, they announced the completion of their Information Technology textbook series of 8 books, adding "Network and System Attack Technology" and "Network and System Defense Technology" to the series.  In the United States, "Network and System Attack Technology" ( 网络与系统攻击技术)  is mostly taught in the military and intelligence communities, not in undergrad computer science courses.  In 2017 the course was taught by Li Hongwei (李洪伟), whose slides are online.  In 2019 the instructors were 李洪伟 and 吴立军.
Network and System Attack Technology - Cao Yue and Yu Shengji 
An example slide from a previous version of the course, which both of our hackers would have taken (Lecture 2, "Information Retrieval"):

The text explains one of the tools from the "experimental" portion of the class, "MS06040Scanner": 

The working principle of MS06040Scanner is to first obtain the operating system type and open ports through port scanning and operating system scanning. If it is a Windows 2000 system with TCP 139 or TCP 445 open, and the returned data packet matches the definition in the vulnerability library, it means that the host may have the MS06-040 vulnerability, and we can use MS06-040 exploit programs to carry out remote overflow attacks on it.

The second slide demonstrates the "X-Scan" tool which would be used to find vulnerabilities allowing data exfiltration.

The Attacks 

According to the Department of Justice Indictment, Dong was the one who researched victims and means of exploiting them while Li primarily did the hacking. 

The U.S. Department of Justice brought 11 charges against 34-year-old Li Xiaoyu (transliterated) and 31-year-old Dong Jiazhi (transliterated), alleging that they broke into the computer systems of hundreds of companies, government agencies, dissidents and clergy.

Here's how the indictment describes the "Manner and Means of the Conspiracy" -- 

"The defendants researched and identified victims possessing information of interest, including trade secrets, confidential business information, information concerning defense products and programs, and personal identifying information ("PII") of victim employees, customers, and others, using various sources of information including business news websites, consulting firm websites, and a variety of search websites.

The defendants then gained unauthorized access to victims possessing the information sought by the conspiracy.  They stole source code from software companies, information about drugs under development, including chemical designs, from pharmaceutical firms; students' PII from an education company; and weapon designs and testing data from defense contractors.

The defendants usually gained initial access to victim networks using publicly known software vulnerabilities in popular products.  Those vulnerabilities were sometimes newly announced, meaning that many users would not have installed patches to correct the vulnerability. ... They also targeted insecure default configurations in common applications."

The defendants used their initial access to place a "web shell" on the victim network, allowing remote execution of commands on a computer.  The most frequently deployed was the "China Chopper" web shell.  They most often hid the file under the name "p.jsp" in an obscure directory on a public-facing website.  (They also sometimes named their web shells "tst.jsp", "i.jsp", or "/SQLTrace/i.jsp".)  The indictment includes a screenshot of China Chopper lifted from the FireEye blog post "Breaking down the China Chopper"; if you are interested, you should also read the Talos blog post "China Chopper still active 9 years later".

(FireEye explains China Chopper)


They would then plant software for stealing passwords, identify users with Administrator access, and study the network for useful data.  The data was compressed into a .RAR archive, often renamed with a ".jpg" extension, and placed in the victim's recycle bin until it could be retrieved.
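The two artifacts just described, the web shell file names and the RAR archive renamed to .jpg, are both cheap to hunt for. The following Python is an added example written for this post, not code from the indictment, FireEye or Talos: it flags requests to the named shell files in a web server access log and walks a directory tree looking for files whose image extension disagrees with a RAR header. The log lines, directory names and file names are constructed for the demonstration; the only details taken from the text are the shell names.

```python
"""Hunt for China Chopper-style web shell requests in an access log and for
RAR archives staged under an image extension. Added example; all sample data
is constructed, not taken from the indictment."""
import re
import tempfile
from pathlib import Path

# Web shell file names and paths cited in the indictment.
SHELL_NAMES = {"p.jsp", "tst.jsp", "i.jsp"}
SHELL_PATHS = {"/SQLTrace/i.jsp"}

# File signatures: RAR 4.x and RAR 5.x archive headers, and a JPEG SOI marker.
RAR_MAGIC = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

SAMPLE_LOG = [  # constructed lines, not real traffic
    '10.0.0.5 - - [12/Feb/2019:03:14:07 +0000] "GET /index.jsp HTTP/1.1" 200 5123',
    '203.0.113.9 - - [12/Feb/2019:03:15:11 +0000] "POST /images/old/p.jsp HTTP/1.1" 200 71',
    '203.0.113.9 - - [12/Feb/2019:03:15:12 +0000] "POST /SQLTrace/i.jsp HTTP/1.1" 200 1824',
    '10.0.0.7 - - [12/Feb/2019:03:16:00 +0000] "GET /static/i.jsp.png HTTP/1.1" 200 200',
]


def suspicious_requests(lines):
    """Return (client, method, path, status) for every request whose target is
    one of the known shell names. China Chopper is driven entirely by POSTs to
    the shell file, so a POST to a .jsp that otherwise gets no traffic is the
    strongest signal; GETs are reported too since an operator may probe first."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        path = m["path"].split("?", 1)[0]      # drop any query string
        name = path.rsplit("/", 1)[-1]
        if path in SHELL_PATHS or name in SHELL_NAMES:
            hits.append((m["client"], m["method"], path, int(m["status"])))
    return hits


def disguised_archives(root):
    """Walk root and return files whose extension claims an image but whose
    first bytes are a RAR header. Checking magic bytes rather than names
    catches the staging trick regardless of what the archive was renamed to."""
    found = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in IMAGE_EXTS:
            continue
        with path.open("rb") as fh:
            head = fh.read(8)
        if any(head.startswith(sig) for sig in RAR_MAGIC):
            found.append(str(path))
    return found


def demo():
    """Build a constructed recycle-bin tree, run both checks, and return
    (shell paths hit in the log, base names of disguised archives)."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "$Recycle.Bin" / "S-1-5-21-1004"
        bin_dir.mkdir(parents=True)
        # RAR data renamed to .jpg: the staged loot
        (bin_dir / "$R3XQ2F1.jpg").write_bytes(RAR_MAGIC[0] + b"\x00" * 64)
        # a genuine JPEG header: benign
        (bin_dir / "holiday.jpg").write_bytes(JPEG_MAGIC + b"\xe0" + b"\x00" * 64)
        # an honestly named RAR: not a disguise, not reported
        (bin_dir / "backup.rar").write_bytes(RAR_MAGIC[1] + b"\x00" * 64)
        archives = sorted(Path(p).name for p in disguised_archives(tmp))
    log_hits = [hit[2] for hit in suspicious_requests(SAMPLE_LOG)]
    return log_hits, archives


if __name__ == "__main__":
    print(demo())
```

Run it against a real access log by passing the file's lines to `suspicious_requests`, and point `disguised_archives` at `C:\$Recycle.Bin` (or a mounted image of it); the name list is only a starting point, so pair it with a check for .jsp files that receive POSTs but never appear in the application's deploy manifest.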

The Victims 

The indictment makes clear that there were "hundreds" of victims between September of 2009 and early 2020, not only the ones listed in this indictment. To characterize the range of victims, they list types of companies, date ranges, amount of data stolen, and type of data gathered. 

Victim 1: California-based technology and defense firm, Dec 2014-Jan 2015, 200GB: "Radio, laser, and antennae technology; circuit board and related algorithm designs for advanced antennae; testing mechanisms and results."

Victim 2: Maryland-based technology and manufacturing firm - 64GB

Victim 3: Hanford Site, Department of Energy, Washington State - information about the network and personnel, including lists of authorized users and administrator accounts

Victim 4: Texas - 27GB of space and satellite application data

Victim 5: Virginia federal defense contractor - 140GB of project files, drawings and documents related to Air Force and FBI investigations; PII on 300+ employees

There were many more victims detailed, including:

a US educational software company with "millions of students' and teachers' PII," breached from Nov 2018 to Feb 2019,

 a California pharmaceutical company - 105GB of data in Feb and March 2019 

 a Massachusetts medical device company - 83 GB of source code just as the victim was engaging in a contract with a Chinese firm to produce some of their components.

Other victims listed elsewhere in the indictment include a large electronics firm in the Netherlands; a Swedish online gaming company (169GB of files, including source code and player usernames and passwords); a Lithuanian gaming company; other companies in Germany, Belgium and the Netherlands; an Australian defense contractor (320GB of data!); a South Korean shipbuilding company; an Australian solar energy company; a Spanish defense firm; and a UK AI firm focused on cancer research.

The Hackers' MSS Connection

The DOJ indictment mentions the Ministry of State Security 19 times, specifically referring to an unnamed "MSS Officer 1." 

"After stealing data and information from their victims and bringing that data and information back to China, Defendants then sold it for profit, or provided it to the MSS, including MSS Officer 1." 

"Li and Dong did not just hack for themselves. While in some instances they were stealing business and other information for their own profit, in others they were stealing information of obvious interest to the PRC Government's Ministry of State Security ("MSS"). LI and DONG worked with, were assisted by, and operated with the acquiescence of the MSS, including MSS Officer 1, who was assigned to the Guangdong regional division of the MSS (the Guangdong State Security Department, "GSSD")."

"When stealing information of interest to the MSS, LI and DONG in most instances obtained that data through computer fraud against corporations and research institutions. For example, from victims including defense contractors in the US and abroad, they stole information regarding: military satellite programs; military wireless networks and communications systems; high powered microwave and laser systems; a counter-chemical weapons system; and ship-to-helicopter integration systems. 

In other instances, the Defendants provided the MSS with personal data, such as the passwords for personal email accounts belonging to individual Chinese dissidents, including:
  • a Hong Kong community organizer
  • the pastor of a Christian church in Xi'an
  • a dissident and former Tiananmen Square protestor
  • emails to and from the office of the Dalai Lama
  • emails belonging to a Chinese Christian "house" church pastor in Chengdu (who was later arrested)
  • emails from a US professor and organizer
  • two Canadian residents who advocate for freedom and democracy in Hong Kong

MSS Officer 1 assisted LI and other hackers.  When LI had difficulty compromising the mail server of a Burmese human rights group, MSS Officer 1 provided him with 0-day malware for a popular browser, exploiting a bug not known to the software vendor or to security researchers.

MSS Officer 1 claimed to be a researcher at the "Guangdong Province International Affairs Research Center" but in fact was an intelligence officer working for the GSSD at Number 5, 6th Crossroad, Upper Nonglin Road, Yuexiu District, Guangzhou.

Example Tools and Techniques 

In several attacks during 2018, the pair targeted a ColdFusion vulnerability published that year (CVE-2018-15961), an unrestricted file upload reachable through the bundled CKEditor and its associated FileManager, and used it to plant a ColdFusion web shell named "cfm backdoor by ufo."  (This tool was also featured in a cool Canadian Government training on APT groups, although in that training it was an Iranian hacker group using the tool.)

In some cases, the hackers were clearly operating for personal profit, sending victims emails with subjects like "Source Code To Be Leaked!" and demanding a ransom payment to prevent publication of their software.

COVID-19 Targeting

On January 25 and 27, 2020, Li searched for vulnerabilities at a Maryland biotech firm who had publicly announced their role in researching a potential COVID-19 vaccine.

On February 1, 2020, Li searched for vulnerabilities in the network of a California biotech firm that had announced the previous day they were researching antiviral drugs to treat COVID-19. 

On May 12, 2020, Li searched for vulnerabilities in the network of a California diagnostics company publicly known to be developing COVID-19 testing kits. 

On June 13, 2020, Li conducted reconnaissance related to a Virginia defense and cybersecurity contractor, Hong Kong protestors, a UK messaging app used by HK protestors, a webmail provider used by HK protestors, a Massachusetts biotech firm, and a California space flight firm.


Sunday, July 05, 2020

Hushpuppi and Mr.Woodbery, BEC scammers: Welcome to Chicago!

There are quite a few West African scammers who try to explain away their wealth by claiming they are a "bitcoin entrepreneur" or "real estate investor" when in fact they conduct Business Email Compromise scams against American companies, and Romance Scams against vulnerable women, and steal their money.  Back in October, one such criminal, Ismaila Mustapha, who went by the Instagram nickname Mompha, was arrested and I mentioned it in a tweet:

https://twitter.com/GarWarner/status/1186816176019648513

Replying to my own tweet, I said "Maybe they'll get his friend #Hushpuppi next ??" and linked to his Instagram account, tagging @officialEFCC in the post.  My posts received the most attention of anything I had ever shared on Twitter, which I learned was because of some headlines in Nigerian media such as these:

Mompha is a Top 10 BEC Scammer
With all of the attention of 4,000+ new Nigerian Twitter followers, I have to admit it felt a bit prophetic when we learned of Hushpuppi's arrest on June 10th.  I shared these images from their respective Instagram accounts that day.




Ever since their arrest by Dubai Police in the UAE on June 10, 2020, Nigerian media has been going crazy with theories on what was going to happen to Hushpuppi and Mr.Woodbery.  The original posts said that Hushpuppi was arrested in the UAE "by Interpol" (which has no arresting authority) for his role in a $35 Million ventilator scam.  Other versions say he was involved in "fraud and money laundering of over $100million which was supposed to be given to Native Americans during the Coronavirus Pandemic."  More recently, Nigerian media claimed that the pair were already in the United States in Moshannon prison and that Woodbery had fallen sick there.

The EFCC, Nigeria's government anti-corruption agency, put out a thread of Tweets on June 18th confirming that they were cooperating with the FBI to try to identify additional victims and to investigate parts of his money laundering empire that are still in Nigeria.  In the thread they called him "Nigerian most-wanted hacker, Ramoni Igbalode, alias Ray Hushpuppy."

The Dubai police called their case against Hushpuppi "Operation Fox Hunt 2"-- in the video they mention seizing 21 laptops, 47 phones, 15 USB drives, 5 hard drives, 119,580 files, and 13 cars!

An English version of the Fox Hunt 2 video is available on Vimeo here (click to play):

The video also makes clear that while only two "celebrity-level" hackers were arrested, there were actually at least twelve other people arrested in Dubai that night during six raids.  The video claims that they had information on 1,926,400 victims!


Who knows their names?  Please answer in the comments below ...

Hushpuppi and MrWoodbery Charged in the United States

In the United States, when charges are brought, they are brought for victims within the jurisdiction of the charging district.  Rather than listing every possible crime, the staff of the top prosecutor in that district, the Assistant United States Attorneys, bring charges for crimes where the victims or the activities were within their jurisdiction.  Because of the prominence of these cases, a cybercrime special prosecutor from the Cyber and Intellectual Property Crimes Section of the Department of Justice is assisting in prosecuting them.  Hushpuppi is being charged in Los Angeles, California, and Mr. Woodberry (Jacob Olalekan Ponle) is being charged in Chicago, Illinois.  Both men arrived in Chicago on 02JUL2020 after being expelled from the United Arab Emirates.

Click to read Northern District of Illinois Press Release

Click to read Central District of California Press Release

Chicago Case vs. Mr.Woodbery 

In the Chicago case, there are two primary victims that establish venue there.  Victim Company A lost $2,300,000 USD.  Victim Company K lost $15,268,000 USD.  The complaint, which refers to Jacob Olalekan Ponle as "PONLE," says that in the latter operation Ponle received at least 1,494 Bitcoin, which at the time would have had a value of $6,599,499 USD!

In their investigation, they found that Ponle used US-based "money mules" -- criminals who are paid to open bank accounts on behalf of a scammer.  One of these mules said that he received his instructions from someone that he knew as "Mark Kain."  Mark Kain used a voice over IP telephone number that was issued from the company Dingtone.  Since Dingtone fully cooperates with law enforcement, they were able to quickly learn that this number was paid for by someone using the South African telephone number +27 793 837 890.

The Money Mule also indicated that he made transfers to a Bitpay bitcoin account with the wallet id 16AtGJbaxL2kmzx4mW5ocpT2ysTWxmacWn.  Bitpay, who also cooperated with law enforcement, was able to show this account was created in September 2015 and that the account owner used the email address "hustleandbustle@gmail.com."

The next step in the investigation was to ask Apple about those telephone numbers and email addresses.  Apple, responding to legal process for its account records, shared with the FBI that the telephone number +27 793 837 890 belonged to Jacob Olalekan, who used the hustleandbustle email while logged in from that telephone.  Apple was also able to provide a photo of a Nigerian passport in the name "Olalekan Jacob Ponle," born May 1991 in Lagos, Nigeria, and also photos of a UAE Visa and a UAE Resident Identity Card in the same name.


Ponle Nigerian Passport

Ponle UAE Resident Card

Ponle USA Visa

The FBI has contents of many WhatsApp chats that Ponle had with various scammers and money mules he worked with. 

In addition to Ponle's Chicago crimes, he also committed many others that are documented in his case:
- 16JAN2019 - $188,000 fraud against a company in Des Moines, Iowa.
- 04MAR2019 - $415,000 fraud against a company in Great Bend, Kansas.
- June 2019 - attempted $19,292,690.30 wire for a company - stopped by JP Morgan Chase!
- September 2019 - the FBI took over the accounts of one of the former money mules and received instructions from Ponle to open a new bank account.  The FBI opened the account, but stopped a $1.2 million fraudulent transaction from occurring.

These details and more can be found in the Criminal Complaint against Olalekan Jacob Ponle.

Money Laundering via LocalBitcoins

The big Chicago case happened on 11FEB2019 - a $2,300,000 fraud against a Chicago company.  In that case, the money was sent to a six-month-old personal checking account opened by the money mule.  He then moved $2.1 million into a Silvergate Bank account belonging to Gemini Trust, a cryptocurrency exchange.  The mule then told Ponle that the funds would be moved to him $500,000 USD at a time and asked for his bitcoin address, later telling him "we are sending you 340 bitcoins and the rest is coming."

All of this is easy to confirm by looking at the blockchain.  I use CipherTrace for Bitcoin analysis.  This shows that over the lifetime of this Bitcoin address, 3,798.20832689 BTC were received by the account Ponle claims as his own, in 434 different transactions.  (At current Bitcoin values, that would be $34,315,216 USD!)  You can clearly see the 340 Bitcoin transaction being received from Gemini.com on 15FEB2019:

MrWoodbery/Ponle Bitcoin account receiving stolen funds
Right after this transaction, you can see that MrWoodbery sent 611 Bitcoin (currently worth $5,522,495 USD!) to the Bitcoin address 15go6kCncrhkt6z2ziQr6W39SVpyZ52tpM, from which the funds were sold off bit by bit in LocalBitcoins.com transactions.

40 BTC on 16FEB2019 via LocalBitcoins.com
15.7 BTC on 16FEB2019 via LocalBitcoins.com
5 BTC on 17FEB2019 via Luno.com
56 BTC on 17FEB2019 via LocalBitcoins.com
23 BTC on 18FEB2019 via LocalBitcoins.com
30 BTC on 18FEB2019 via LocalBitcoins.com
15 BTC on 18FEB2019 via LocalBitcoins.com
30 BTC on 19FEB2019 via LocalBitcoins.com
29 BTC on 19FEB2019 via LocalBitcoins.com
22 BTC on 19FEB2019 via LocalBitcoins.com
etc.

Along the way some smaller transactions were made, such as spending 0.03 BTC at UniCC, a stolen credit card shop.  After that, the transfers to LocalBitcoins stay small, 1-3 BTC per transaction, until 09MAR2019, when he sells 35.9884 BTC on LocalBitcoins.com.

By June of 2019, the funds which had not been converted to cash via LocalBitcoins were primarily deposited at Huobi Global, a cryptocurrency exchange originally founded in China, but now with offices in Singapore, Hong Kong, Korea, Japan, and oh yes, the United States!
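An added example of the same kind of analysis, written for this post rather than taken from CipherTrace or the complaint. It validates legacy Bitcoin addresses before you pivot on them (a mistyped address copied from a filing fails the Base58Check checksum), totals what an address received over its lifetime, and walks outgoing hops until the coins land on an address attributed to a service. The ledger and the labels are constructed: the amounts echo the figures above, but the addresses and transaction IDs are placeholders, not chain data, and the tracing rule (every output of a spending transaction counts as the traced coins) is a deliberate simplification.

```python
"""Validate Bitcoin addresses, total lifetime receipts, and trace outgoing hops
to labelled services. Added example; the ledger is constructed, not chain data."""
import hashlib
from collections import defaultdict, deque

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def valid_base58check(addr):
    """True for a well-formed legacy (P2PKH '1...' / P2SH '3...') address:
    25 bytes after Base58 decoding, leading '1's matching leading zero bytes,
    and a double-SHA256 checksum over the first 21 bytes."""
    try:
        n = 0
        for ch in addr:
            n = n * 58 + B58.index(ch)          # ValueError on a non-Base58 char
        raw = n.to_bytes(25, "big")             # OverflowError if too long
    except (ValueError, OverflowError):
        return False
    ones = len(addr) - len(addr.lstrip("1"))
    zeros = len(raw) - len(raw.lstrip(b"\x00"))
    if ones != zeros:
        return False
    body, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] == checksum


def btc(x):
    """Bitcoin amount as integer satoshis, so sums are exact."""
    return int(round(x * 100_000_000))


# Constructed ledger: (txid, input addresses, [(output address, satoshis)]).
# Fees are ignored. Amounts echo the figures in the text; addresses do not.
LEDGER = [
    ("tx0", ["SRC_OTHER"],  [("MULE_PAY", btc(300.0))]),
    ("tx1", ["GEMINI_HOT"], [("MULE_PAY", btc(340.0))]),
    ("tx2", ["MULE_PAY"],   [("HOP_1", btc(611.0)), ("MULE_PAY", btc(28.9))]),
    ("tx3", ["HOP_1"],      [("LBTC_DEP", btc(40.0)), ("HOP_1", btc(570.9))]),
    ("tx4", ["HOP_1"],      [("LBTC_DEP", btc(15.7)), ("HOP_1", btc(555.1))]),
    ("tx5", ["HOP_1"],      [("LUNO_DEP", btc(5.0)), ("HOP_1", btc(550.0))]),
    ("tx6", ["HOP_1"],      [("UNICC_DEP", btc(0.03)), ("HOP_1", btc(549.97))]),
    ("tx7", ["HOP_1"],      [("HOP_2", btc(549.97))]),
    ("tx8", ["HOP_2"],      [("HUOBI_DEP", btc(549.97))]),
]

# Attribution an analyst would get from an exchange subpoena or a clustering tool.
LABELS = {"GEMINI_HOT": "Gemini", "LBTC_DEP": "LocalBitcoins",
          "LUNO_DEP": "Luno", "UNICC_DEP": "UniCC", "HUOBI_DEP": "Huobi"}


def lifetime_received(ledger, addr):
    """(total satoshis, transaction count) paid to addr, change included;
    this is the 'received' figure that block explorers report."""
    total, count = 0, 0
    for _, _, outputs in ledger:
        paid = sum(amt for out, amt in outputs if out == addr)
        if paid:
            total += paid
            count += 1
    return total, count


def trace(ledger, seed, labels, max_hops=3):
    """Breadth-first walk from seed over spending transactions. Outputs that
    land on a labelled address are summed per label and not followed further;
    change back to an already-seen address is ignored. Simplification: every
    output of a spending tx is attributed to the traced coins (no pro-rata
    taint), which over-counts when a tx mixes in unrelated inputs."""
    sinks = defaultdict(int)
    seen = {seed}
    queue = deque([(seed, 0)])
    while queue:
        addr, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for _, inputs, outputs in ledger:
            if addr not in inputs:
                continue
            for out, amt in outputs:
                if out in labels:
                    sinks[labels[out]] += amt
                elif out not in seen:
                    seen.add(out)
                    queue.append((out, depth + 1))
    return dict(sinks)


if __name__ == "__main__":
    print(valid_base58check("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"))  # genesis address
    total, count = lifetime_received(LEDGER, "MULE_PAY")
    print(f"MULE_PAY received {total / 1e8:.8f} BTC in {count} transactions")
    for label, sats in trace(LEDGER, "MULE_PAY", LABELS).items():
        print(f"{label}: {sats / 1e8:.8f} BTC")
```

The hop limit matters: with `max_hops=2` the Huobi deposit two hops past the intermediary is never reached, which is the usual reason a cash-out is missed when tracing stops at the first exchange deposit seen. Real work replaces `LEDGER` with transactions pulled from a node or explorer API and `LABELS` with exchange attribution, and should apportion taint by input value rather than the all-or-nothing rule used here.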

The Los Angeles Case Against HushPuppi

At first it may not be obvious why the Hushpuppi case is in Los Angeles, as one of the largest victims is a New York based company from which Ramon Abbas (aka Hushpuppi) is accused of stealing $922,857 USD in a Business Email Compromise scam.  The Los Angeles FBI came to have possession of an iPhone which contained many communications between the owner of that phone and Abbas.  During the laundering of the funds from the New York company, at least $396,050 was laundered by a second money mule, who opened bank accounts in Los Angeles, giving the Los Angeles FBI venue on the case.

The iPhone showed many communications to the Dubai-based number +971 543 777 711.  This phone was listed in the iPhone contacts under the name "Hush" ... there was also a Snapchat contact with this number under the name "hushpuppi5" whose account called himself "the Billionaire Gucci Master!!!"   The FBI's review of Hushpuppi's Instagram account found a post where he listed his own Snapchat account as "Hushpuppi5."  

Instagram, who fully cooperates with law enforcement, provided to the FBI that the Instagram account used the email "rayhushpuppi@gmail.com" and the phone number +971 502 818 689.  The account was created October 10, 2012 and had many logins from the UAE.

Snapchat, also a US based company who fully cooperates with law enforcement, provided that the Hushpuppi5 account used the same email as the Instagram account, rayhushpuppi@gmail.com and a different UAE telephone number +971 565 505 984.  

Records for the Gmail account (Google is a US based company that fully cooperates with law enforcement) revealed that an Apple account was created on 29MAR2014 in the name Ray Hushpuppi, using both the Gmail address and the account "rayhushpuppi@icloud.com" as well as another Gmail account.

The other Apple account found used the name Godisgood Godson and the gmail account "godisgoodallthetime0007@gmail.com" but often used the name "Ramon Abbas" in account records, giving the mailing address "1706 Palazzo Versace, Dubai, UAE."  The rayhushpuppi@gmail.com account was used to lease that property from 04APR2020 through 03MAY2021.  

Through a combination of IP address login records and telephone login records, all of the above accounts could be clearly shown to belong to the same individual.
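The Ponle and Abbas identifications above (Dingtone, Bitpay and Apple records in one case; Instagram, Snapchat, Google and Apple records in the other) are the same procedure: each provider return carries selectors, and accounts that share a selector are joined into one cluster, with the shared selector recorded as the evidence that joined them. The following Python is an added example of that linking step, not the FBI's own tooling; the provider records, account names, emails, phone numbers and IP addresses are all constructed placeholders. Shared emails and phone numbers are treated as strong links and shared login IPs as weak ones, since a carrier NAT or VPN exit would join strangers.

```python
"""Link accounts across provider records by shared selectors. Added example;
all records below are constructed placeholders, not real provider returns."""
from collections import defaultdict
from itertools import combinations

# (provider, account identifier, {(selector kind, value), ...})
RECORDS = [
    ("instagram", "@glam", {("email", "a@example.test"), ("phone", "+971500000001")}),
    ("snapchat", "glam5", {("email", "a@example.test"), ("phone", "+971560000002")}),
    ("google", "a@example.test", {("email", "a@example.test"), ("ip", "203.0.113.10")}),
    ("apple", "apple-001", {("email", "a@example.test"), ("ip", "203.0.113.10")}),
    ("apple", "apple-002", {("email", "g@example.test"), ("ip", "203.0.113.10"),
                            ("phone", "+27790000003")}),
    ("dingtone", "dt-555", {("phone", "+27790000003")}),
    ("instagram", "@other", {("email", "z@example.test"), ("ip", "198.51.100.7")}),
]

# Selector kinds that justify a merge on their own versus ones that only
# corroborate: a shared login IP can be carrier NAT or a VPN exit.
STRONG = {"email", "phone"}
WEAK = {"ip"}


class DisjointSet:
    """Union-find over account keys."""

    def __init__(self, items):
        self.parent = {item: item for item in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_accounts(records, kinds):
    """Cluster accounts that share any selector whose kind is in `kinds`.
    Returns (clusters, evidence): clusters is a sorted list of sorted account
    keys; evidence maps each shared selector to the accounts it joined, which
    is the chain an affidavit has to spell out."""
    keys = [f"{provider}:{account}" for provider, account, _ in records]
    ds = DisjointSet(keys)
    holders = defaultdict(list)
    for key, (_, _, selectors) in zip(keys, records):
        for kind, value in selectors:
            if kind in kinds:
                holders[(kind, value)].append(key)
    evidence = {}
    for selector, accounts in holders.items():
        if len(accounts) > 1:
            evidence[selector] = sorted(accounts)
            for a, b in combinations(accounts, 2):
                ds.union(a, b)
    groups = defaultdict(list)
    for key in keys:
        groups[ds.find(key)].append(key)
    clusters = sorted(sorted(group) for group in groups.values())
    return clusters, evidence


if __name__ == "__main__":
    strong_clusters, links = link_accounts(RECORDS, STRONG)
    for cluster in strong_clusters:
        print("cluster:", cluster)
    for selector, accounts in links.items():
        print("linked by", selector, "->", accounts)
    print("with weak links:", link_accounts(RECORDS, STRONG | WEAK)[0])
```

Running with strong selectors only yields three clusters; adding the IP selector merges the second Apple account and the Dingtone number into the first cluster. That difference is exactly the judgement call an investigator has to document: a shared login IP corroborates a link made on email or phone, but on its own it should prompt a request for more records rather than an attribution.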

The emails also contained things such as copies of Abbas's Nigerian passport and UAE Resident card which further confirm these accounts were under his personal control.  Receipts for wire transfers of large volumes, including $250,000 and $2,397,000 were found in the emails, linking Abbas in the latter case to the Chicago Mr.Woodbery case above.




Other indicators included proof that Abbas picked up wire transfers from Western Union in the UAE in 2018 and MoneyGram transactions in the UAE, all using his UAE Resident card. 

Malta Bank Job

In addition to the New York law firm case, Abbas also discussed a foreign financial institution case in which €13 million was stolen ($14.7 Million USD).  The co-conspirator in Los Angeles asked for accounts which could receive "5m euro," which Abbas provided by sending information for a Romanian bank account.  Abbas communicated with the group trying to launder the money and confirmed receipt of €500,000.

Although it is not stated in the FBI paperwork, this was the Bank of Valletta, mentioned in the headlines of the Times of Malta.  The hackers boast that the bank had not yet noticed their activity and that they were going to hit it more the following day.

ToshiTimes
The Prime Minister of Malta issued a statement to the public that although "Hackers sought to make international transfers to banks in the UK, US, Czech Republic and Hong Kong. The transfers were blocked within 30 minutes and the banks alerted."  A follow-up report a week later in the Times of Malta detailed how a bank employee believed he was responding to an email from a French government stock market regulator, but the attached Word document actually planted malware on the banking system, allowing the hack to move forward.  The Times of Malta said the attack was thought to be the work of a hacking group called "EmpireMonkey," which has been linked by other cybercrime researchers to CobaltGoblin and even the Carbanak group.  (See for example this Kaspersky article: FIN7.5: the infamous cybercrime rig continues its activities.)

https://timesofmalta.com/articles/view/how-bov-hackers-got-away-with-13-million.702800
This last example illustrates that once someone begins to operate at the level of Hushpuppi, they are often most useful as someone who has the network to establish bank accounts to receive stolen funds.  It is extremely unlikely that Hushpuppi has the hacking skills to pull off a Bank of Valletta attack -- however he had the reputation of being someone who could provide accounts capable of receiving 5 million Euro transactions, so criminals reached out to him to fill that need.






Thursday, July 02, 2020

Nigerian Scam Spree stopped by Alert Bank Employees



If you watch criminal press releases you may be noticing the same trend we are -- career criminals are getting busted when they mess with COVID-19 fraud.  Consider the case of Nosayamen Iyalekhue and Esogie Osawaru.  Iyalekhue had an insider's knowledge of the banking industry, as he was a teller at TD Bank.  From at least 2016 the pair participated in a series of frauds, but it wasn't until they started having unemployment benefits deposited into their accounts on May 21, 2020 that someone stopped their crime spree!

The investigator on the case believes there are violations of:
18 USC § 371 (Conspiracy)
18 USC § 1028 (Identification Fraud)
18 USC § 1030 (Computer Fraud)
18 USC § 1343 (Wire Fraud)
18 USC § 1344 (Bank Fraud)
18 USC § 1546 (Passport Fraud)
18 USC § 1956 (Money Laundering)
18 USC § 1957 (Unlawful Monetary Transactions)

The Thieves

Nosa Iyalekhue (the name he used on his LinkedIn account) worked at TD Bank in Norwood, Massachusetts from 13AUG2018 to 12AUG2019.  He got fired when the bank became aware he was accessing the accounts of customers when they were not present.  In particular, TD Global Security shared with the FBI that he had accessed accounts belonging to Jude Ekanem, Milk Anthony, and Franklin Edward.

Nosa had a curious habit of having his photograph show up on other people's Passports.  On the right is his Massachusetts Driver's License photo.  On the left is a Liberian passport in the name of Mathew Lungelo.  Mr. Lungelo used that passport to open bank accounts at Santander Bank (an account ending in 1157), Bank of America (2816), and Eastern Bank (4974), however DHS records show that no one has ever entered the country with a matching identity.


Lungelo used the same email address and address for each of these accounts:

jennyrbts11@outlook.com with the address 49 Dana Ave, #2, Hyde Park, MA.

Another passport with Iyalekhue's photo on it was that of Ofo Jude Ekanem, supposedly from Accra, Ghana.  This passport was used to open bank accounts at TD Bank (0535), Bank of America (9968), and Santander Bank (2284) in the name of Jude Ekanem.  The same email, jennyrbts11@outlook.com, was used to open all three accounts, but this time with the address 11 Wilcock St., Dorchester Center, MA.  The Santander account was opened in August 2017, the same month as the BofA account.  The TD account was opened six months later, in February 2018.


His next round of accounts were opened using a South African passport in the name of Howard Bhekani.  The Bhekani passport also was never used to enter the United States.  It was used to open a Santander Bank account (5621) in October 2018, a Bank of America account (2614) also in October 2018, a Rockland Trust account (1824) in May 2019, and a Citizen's Bank account (3368) in July 2019.  For the last one, he used the 49 Dana Avenue address again, and continued to use the jennyrbts11@outlook.com account.


When TD Bank looked into the other accounts that Nosa was accessing, they found that two of the other account holders seemed to be the same person.  Franklin Edward and Milk Anthony looked the same, sometimes appeared on surveillance in the same clothes, and in particular, wore a distinctive cross-shaped earring.

Franklin Edward had accounts at both TD Bank (7048) and Bank of America (9385) opened in 2018.  Both were opened using a UK Passport in the name Franklin Edward -- again, the passport had no matching travel records or visa records.  The BOA account used the same street address as the Jude Ekanem account above -- 11 Wilcock St., Dorchester Center, MA.

The person withdrawing funds from the TD Bank account of Franklin Edward seems to be a facial match (and an earring match) for Esogie Osawaru.

Osawaru also turned out to be "Milk Anthony" who had accounts at TD Bank (9224), Citizen's Bank (4264) and Santander Bank (1949) all opened in 2019.  The Milk Anthony accounts were all opened using a Nigerian passport (A02308508).

"Milk Anthony" has the same earrings as Osawaru also . . .
The Milk Anthony accounts were opened using the 49 Dana Avenue address previously associated with the Howard Bhekani and Mathew Lungelo accounts.

The Scam Victims

There were 12 victims of this pair named in the FBI report.

Victim 1 received an email that she believed came from a high school friend.  The friend said he now ran a very successful company and that he wished her to help him distribute funds for philanthropic purposes.  She should keep 5% of the funds for her efforts.  She believed she was working for a non-profit.  Checks were received by Victim 1, who deposited them and wired the money (minus her commission) to the Bank of America and Santander accounts of Mathew Lungelo.  She deposited $240,000.  Withdrawals were made at least six times from the BofA account, totaling $11,900, and five times from the Santander account, totaling $22,400.

Victim 2 was a 64 year old woman from Panna Maria, Texas.  She was involved in an online-only relationship from 2016 to 2020 with a man from South Africa, and regularly sent him money to assist him with legal fees and other personal needs.  At the direction of her online boyfriend she wired $11,000 and $9,000 to Mathew Lungelo and Jude Ekanem in November and December of 2019.  Prior to that, however, she had sent over $125,000 between September of 2017 and January of 2019!


Victim 3 was from Wyandotte, Michigan.  She met a man online while playing a game in 2018.  They developed a relationship.  Believing that her boyfriend was living on an oil rig, Victim 3 sent him over $100,000 between 2018 and 2019, including $83,900 to the Edward TD Bank account.  TD Bank questioned "Edwards" about the large transactions, and he claimed to be in the automobile export business, buying cars here and selling them in Africa.

TD was able to get a license plate number from his vehicle, which turned out to be registered to the brother of Esogie Osawaru, who lived at 49 Dana Ave, Hyde Park, Massachusetts!

Victim 3 also reported that she had mailed cash to that address.

Victim 4 lived in Long Beach, California.  She was recruited via email for an online job and believed she would be reviewing documents related to interior design.  Victim 4 ended up wiring two deposits to Bhekani's Citizen's Bank account, totaling more than $34,000.

Victim 5, from Alabama, believed that she was in a relationship with a soldier who she met on an online dating site.  Her family members told the FBI that she had sent more than $150,000 to various people at the request of her online boyfriend.  At least $45,000 of those funds were sent to the Edward account.

Victim 6, from Canton, Ohio, met a man on Facebook who claimed to be a soldier working on a United Nations mission in Syria.  When she told her online boyfriend that she was about to have a surgery and had no one to care for her afterwards, the "soldier" said that he had arranged that she could buy out his contract from the United Nations and he could fly home to help her recuperate.  In June 2019, she sent $20,000 of a total $60,000 to the Milk Anthony Santander account.   

Victim 7, from Newbury, Oregon, was also a romance scam victim, who was previously identified in another FBI case.  The man she had met had asked her on six separate occasions to send $1,000 money orders to the address 1055 Southern Artery, Apt 707, Quincy, Mass, where Osawaru was living at the time.  In December 2019 those money orders were deposited into Osawaru's personal Santander account (7080).

Victim 8, from Jamaica, New York, met a man on Facebook named "Peter Loblock."  Loblock promised her he could help her complete her immigration paperwork to become a citizen.  She wired him $1,280 to a Rockland Trust account (5027) in the name of "Esogie Osawaru."

The REAL Peter Loblack (I believe there is a mis-spelling in the Affidavit) actually posted a warning on his Facebook page on May 27, 2020, warning people of a fake Peter Loblack pretending to be an Immigration Attorney who had stolen his likeness from social media posts:

https://www.facebook.com/PeterLoblack/posts/10158290616113077

Victim 9, an elderly woman from Scurry, Texas, banked with BBVA USA.  When a cashier's check for $20,800 was deposited into the Eastern Bank account of Mathew Lungelo, the Eastern Bank investigator reached back to BBVA, concerned about the source of funds.  The BBVA investigator spoke to the victim and confirmed to Eastern Bank that it seemed to be a scam.  Eastern put a hold on the account.  The person claiming to be Lungelo became concerned about the availability of the funds, and was informed by Eastern Bank that the funds would likely be available on 24FEB2020.  

When Iyalekhue showed up at the bank, he claimed to be a construction worker and said the funds were for a job he had completed in Texas.  When questioned about his identity, he provided the Mathew Lungelo name and the birthdate from the Lungelo Liberian passport.  Eastern Bank had the Dedham Police on site and he was interrogated by the Dedham PD in the bank's offices and eventually confessed and provided his true identity.

Iyalekhue was held while officers sought a warrant for his white Mercedes (Mass 7CK325) and found several additional identity documents both on his person and in his vehicle, including documents in the name of Mathew Lungelo.  

Victim 9 was also approached by a "Charlie Clifford" who played the classic "I have a box of valuables but it's stuck in customs" ruse on her. She says she sent the cashier's check to Lungelo at Clifford's direction.

Even after Iyalekhue was arrested, Osawaru kept going.  On 10APR2020, he opened an account in his own name, and on 18MAY2020 received a check for $9,200 from Victim 10, a 76-year-old woman living in Puerto Rico.  Surveillance shows that the car driven to make the deposit was registered to Osawaru's brother at the 49 Dana Avenue address.  Three days later, a stop payment was placed on the check.

Victim 10 told the FBI she had been in an online relationship with a US Army soldier for 2 years and 4 months, and that he had been deployed overseas and was in financial need.  They had met on Facebook.  Since at least early 2018, she had sent over $71,000 to the "Franklin Edward" accounts at BofA and TD, as well as wiring money to Nigeria.  She also sent a $9,500 check to a Walgreens in Rhode Island.  The package was delivered and signed for by "E. Osawaru" on 15MAY2020.  He tried to deposit the check via Mobile Deposit from an AT&T IP address, but Eastern Bank denied the deposit. 

Victim 11 was a resident of Washington State.  A Washington State unemployment insurance check was deposited into Osawaru's Eastern Bank account on 19MAY2020.  Victim 11 had never applied for unemployment and had no idea how his check was sent to Osawaru.  

Victim 12 was a resident of Pennsylvania.  That victim also had an unemployment insurance check in their name deposited to Osawaru's account.  

Osawaru attempted to withdraw the funds, but learned a hold had been placed on them.  The Dedham Police were again called, and he was arrested for "Uttering False or Forged Records" and "Attempted Larceny over $1,200."  He posted a $5,000 bond and was released the same day.

The two were arrested by the FBI on 12JUN2020 and charged with all of the above scams.

https://www.justice.gov/usao-ma/pr/two-nigerian-nationals-charged-defrauding-victims-using-online-scams