Wednesday, July 28, 2021

Hushpuppi Pleads Guilty: Sentence Estimate? 11-14 Years

On July 27, 2021, Ramon Olorunwa Abbas, also known as Hushpuppi, decided that his best plan would be to avoid spending the rest of his life in prison was to plead guilty.  I've actually never seen a plea agreement with so much redacting, but we can still see SOME of what he is pleading to in the 29 page plea agreement that was posted today on PACER, the Public Access to Court Electronic Records.

"Beginning no later than or about January 18, 2019 through on or about June 9, 2020, defendant knowingly combined, agreed, and conspired with multiple other persons ("coconspirators") to conduct financial transactions into, within, and outside the United States involving property that represented the proceeds of wire fraud.   ... The coconspirators targeted multiple victims and laundered and/or attempted to launder funds fraudulently obtained, and attempted to be fraudulently obtained, through bank cyber-heists, business email compromise ("BEC") frauds, and other fraud schemes."

In particular, he admits that he helped launder the money:
  •  stolen from a bank in Malta (which we know is the Bank of Valetta from public news sources which was hacked by North Korean hackers) and 
  • the BEC funds stolen from a law firm in New York State, 
  • and the funds stolen from two companies located in the UK. (one of which was likely an English Premier League Club, from previous court filings.)

"Defendant admits" that he conspired to launder the funds, and that he knew they were funds that were the proceeds of fraud.  "Defendant also admits the truth of the allegations in Overt Acts 1 to 17."

Overt Acts 1 to 17

What were these Overt Acts 1 to 17?  These are from a previous court filing.  The first set, Overt Acts 1 - 12, all make reference to "UIUC-1" who we now believe is Ghaleb Alaumary, then age 37, from Mississauga, Canada.

Overt Act No. 1 - 18JAN2019 - ABBAS provides bank account information for a bank in Romania to be used to receive a 5 Million Euro wire transfer

Overt Act No. 2 - 18JAN2019 - ABBAS confirms via electronic message that the Romanian bank account is "for large amounts" 

Overt Act 3 - 18JAN2019 - ABBAS confirms that he will clear the funds from the Romanian account right away.

Overt Act 4 - 10FEB2019 - ABBAS provides another bank account, this time in Bulgaria, to receive an additional 5 million Euros.

Overt Act 5 - 12FEB2019 - ABBAS is informed the first 500,000 Euros have been deposited to Romania and confirms he will let his people know.

Overt Act 6 - 12FEB2019 - ABBAS confirms he is ready to receive more funds in the Romanian account. "Yes please"

Overt Act 7 - 12FEB2019 - ABBAS sends a screenshot of the Romanian Bank account to UICC-1, showing the IBAN numbers, Account numbers, and account balance for the account.

Overt Act 8 - 13FEB2019 - ABBAS sends a new screenshot of the Romanian Bank account to UICC-1.

Overt Act 9 - 10MAR2019 - UICC-1 asks for a bank account in Dubai that can receive "5m" saying "Brother I need it now or we will lose our chance pls."  ABBAS sends him the information for a Dubai bank account.

Overt Act 10 - 08MAY2019 - UICC-1 asks for an account that can "handle millions and not block" and Hushpuppi gives him the details of a bank account in Mexico.

Overt Act 11 - 13MAY2019 - UICC-1 tells ABBAS that the Mexican bank account will receive 100 Million pounds from an English Premier League Club and 200 Million pounds from a victim UK company and wants to know if he can proceed.  Abbas seems to express concern here, saying these accounts "cost a lot of money now to open." 

Overt Act 12 - 13MAY2019 - UICC-1 tells ABBAS that he has "10 more to do" after the Premier League Club job and says he will need to use each bank account for 2 contracts. 

Overt Act 13 - 15OCT2019 - Abbas "or a coconspirator" induce the Victim Law Firm to send $922,857.76 from their Quontic Bank account in New York to a Chase Account.

Overt Act 14 - 17OCT2019 - ABBAS sends a screenshot to UICC-1 showing a wire transfer of $396,050 from the Chase Account to a CIBC account in the name of UICC-2. 

Overt Act 15 - 17OCT2019 - UICC-2 was in California and informed by UICC-1 to look for the wire transfer to the CIBC Account

Overt Act 16 - 17OCT2019 - UICC-2 confirmed they had received the funds

Overt Act 17 - 17OCT2019 - UICC-1 told ABBAS that they $396,050 from the Chase account had been received into the CIBC account.

The Qatari Scam and the Watch

Hushpuppi also admits that he conspired to defraud a Qatari construction company that was seeking funds to build an international school.  Hushpuppi used the alias "Malik" and offered to help them open a bank account in the United States where a $15 Million loan could be deposited.  He arranged for a coconspirator to open a Wells Fargo bank account in Canoga Park, California, after creating a fictitious company with the Los Angeles County Registrar.  Then another coconspirator in Nigeria created a false "power of attorney" document and sent that information to Wells Fargo in December of 2019.  The victim was convinced that he needed to deposit funds into the account in order to secure the $15 Million loan.  However, after depositing $330,000, Hushpuppi and his colleagues stole the money, sending $230,000 to a Wells Fargo account belonging to a luxury watch seller and $100,000 to a Capital One bank account belonging to another co-conspirator.  

That's how Hushpuppi came to have a Richard Mille RM11-03 watch (co-created by Richard Mille Engineer Fabrice Namura and McLaren Automotive design director Rob Melville).  The watch was picked up in New York by one person, then flown from JFK Airport in New York to the UAE by another person, who delivered the watch to Hush on January 4, 2020, who immediately posted it on Instagram, calling it a New Year's present to himself.

Hushpuppi boasted on Instagram: "Quarter a million dollar watch as New Years gift to they self #RichardMille #RM1103 #EpainThem

As for the $100,000 that went to "Coconspirator D?"  Hush instructed them to send two cashier's checks one for $40,000 and one for $10,000 and use them to buy Hush a St. Kitts passport and a Nevis citizenship and passport.  He received his passport in February 2020.  The rest of the funds were converted to Naira.

Later, Hush and his coconspirators made another play at the Qatari businessman and convinced him that he had to pay "taxes" on the $15,000,000 imaginary loan in order to receive it.  To pay his taxes, the Qatari victim sent $299,983.58 into a bank account in Kenya. 

The Penalties of Crime

Altogether, in the Plea Agreement Hush agrees that he and his co-conspirators stole: 
  • $14,700,000 from a Foreign Financial Institution
  • $7,740,000 from UK victim companies
  • $922,857.76 from the New York Law Firm
  • and $809,983.58 from the Qatari victims.
"Defendant admits that all of the money laundering described above was sophisticated, extensive, and involved multiple persons." 

In the United States there are Sentencing Guidelines that are supposed to be used by the judge to ensure that sentences are standardized and consistent across different courts.  These sentencing guidelines are explained in the U.S. laws and each judge and prosecutor in Federal Courts is well aware of these guidelines.

The defendant agrees that these are fair interpretations of how to determine a sentence:
  • Underlying Offense Level:  7 Points 
  • Fraud Scheme outside the U.S. using Sophisticated Means:  +2 Points 
  • Conviction under 18 USC § 1956 (which is the law on Money Laundering):  + 2 Points 
  • Sophisticated Money Laundering: +2 Points 
  • Financial Losses between $9.5 Million and $25 Million:  +20 points 
Total Sentencing Guideline Points: 33 Points

According to the Sentencing Guidelines Table available on the United States Sentencing Commission website, a 33 Point offense with no previous criminal history SHOULD indicate a sentence of between 135 and 168 months, or 11 1/4 to 14 years.

Hushpuppi and his lawyer both understand this and have signed the plea agreement anyway.  While there may be extenuating circumstances lying behind some of the redacted pages, here is Hushpuppi's signature to these terms:

However, who is to say what else may be stated in the plea agreement behind all of the Redaction markings? Seven pages of the 29 page document look like this!  

For comparison, Ghaleb Alaumary, in many ways the man who HushPuppi was working for, pled guilty to his crimes in November 17, 2020.  The sentencing guidelines were similar, however Alaumary received a stiffer penalty for the amount of money stolen.  He has not yet been sentenced, but under the sentencing guidelines, Alaumary has a "35 offense level" which makes the recommendation 14 to 17.5 years in prison.  Alaumary had previous criminal convictions, however those were in Canada, and I am unsure whether they would alter the sentencing guidelines in a U.S. court.

Alaumary's Guilty Plea Sentencing Guidelines calculation

Wednesday, July 21, 2021

Levashov Walks. Russian Spam King gets slap on the wrist

The US government and the White House like to talk tough on Ransomware.  If you listen to Joe Biden, fighting Ransomware is a top priority of the US Government.  He's spent time convincing the G7, NATO, and the EU to take pledges about how earnestly they want to fight Ransomware, a judge in Connecticut has decided that spammers who distribute Ransomware should walk free.

Brian Krebs, the journalist behind KrebsOnSecurity, posted a long piece about the travesty of Justice that this case represents => "Spam Kingpin Peter Levashov Gets Time Served."

From 2007 until 2012, I ran a project called the UAB Spam Data Mine.  The top spammer for the first several years was Peter Levashov, who first ran the Storm Worm and then the Waledac botnet. We regularly blogged about his spam campaigns. Here's some examples: 

15OCT2007 - "Is Your Fifth Grader Smarter Than a Laughing Cat?"

17NOV2007 - "Private Detective Spam"

26DEC2007 - "A Stormy Christmas and a Botnet New Year

16JAN2008 - "Storm Loves You!"

06JUN2008 - "A Romantic June Storm"

01JUL2008 - "July Storm Worm gives us some Love

03JUL2008 - "Storm Worm Salutes Our Nation on the 4th!"

22JUL2008 - "Amero to Replace Dollar? Could Storm Worm Be Right?"

29JUL2008 - "FBI & Facebook: Storm Worm gets it all wrong!"

03JAN2009 - "Happy New Year! Here's a Virus! (New Year's Postcard Malware)"

25FEB2009 - "Money Tight? Watch out for Coupon Offers from CyberCriminals

16MAR2009 - "Waledac: Fake Dirty Bomb in Your City"

18MAR2009 - "Carders do battle through spam -

09APR2009 - "Is There a Conficker E? Waledac makes a move..."

15APR2009 - "Waledac shifts to SMS Spy Program

29APR2009 - "Waledac Moving on to . . . Canadian Pharmacy?"

03MAR2010 - "Spamming Botnets - Strategies welcome

03JUL2009 - "Are You Ready for Independence Day Fireworks? Waledac Is!"

31DEC2009 - "New Year's Waledac Card

In 2008, Levashov was secretly indicted for his spamming and Federal agents were deployed to Moscow to ask for Levashov.  I actually created a Google Map showing that every city in Russia had thousands of infected IP addresses that were being used to send the spam. Despite a mountain of evidence, he was protected.  He kept on spamming, but honestly, I gave up on there being any hope he would be captured.

After others tried to take down the Kelihos botnet, it re-emerged in the form of a Spam Campaign taking advantage of the Boston Marathon Bombing.  I attempted to get law enforcement interest in him again at that time. Surely a criminal who would use the Boston Marathon attack to relaunch the new version of his botnet would be worth interest.  Nothing.  I was reminded of 2009 and told "The Russians are protecting him."

10APR2013 - "New Spam Attack accounts for 62% of our spam!"

17APR2013 - "Boston Marathon explosion spam leads to Malware

18APR2013 - "Boston Explosion Spammer shifts to Texas Fertilizer Plant Explosion

TrendMicro confirmed this was Kelihos as well in their post: 

16APR2013 - "Kelihos Worm Emerges, Takes Advantage of Boston Marathon Blast

In 2016, we decided to try again, with the "Kelihos Must Die" task force.  We provided regular updates of the bad things Kelihos was doing.  Students in my lab, led by my friend (now) Dr. Arsh Arora, produced daily documentation of the behavior of the botnet, and we were starting to get excited that something might actually happen this time.  We believed that Kelihos was sending FOUR BILLION SPAM MESSAGES PER DAY, and took the time to prove it was delivering ransomware attacks, banking trojan attacks, and phishing attacks.  Levashov would send spam to deliver any payload you paid him to deliver.  

09JUL2016 - "Kelihos botnet delivering Dutch WildFire Ransomware"

04AUG2016 - "American Airlines spam from Kelihos delivers Ransomware"

12AUG2016 - "Kelihos botnet sending Panda Zeus to German and UK Banking Customers"

16AUG2016 - "Kelihos botnet sending geo-targeted Desjardins Phish to Canadians"

30AUG2016 - "Amazon Gift Card from Kelihos!"

14SEP2016 - "Long-Lived Pill Spam from Kelihos"

09NOV2016 - "Kronos Banking Trojan and Geo-Targeting from Kelihos"

30NOV2016 - "NoMoreRansom aka Troldesh Ransomware Delivered by Kelihos"

01FEB2017 - "Kelihos infection spreading by Thumb Drive and continues geo-targeting

And then on April 20, 2017, it was over!  

Spanish authorities arrested Levashov in Barcelona and he was sent to the United States to stand trial. 

After initially pleading not guilty, he changed his plea to guilty on 12SEP2018.  He admitted controlling and operating Storm, Waledac, and Kelihos, and to disseminating spam that distributed other malware, including banking trojans and ransomware.  He admitted that he actively advertised the Kelihos botnet and his ability to deliver spam and malware and that he did so in order to enrich himself.  He admitted to stealing identities and credit cards and buying and selling them.

The US Prosecutor in the case filed this Sentencing Memo as he told the Judge what the Department of Justice thought should be done in this case: 

And just to make things clear, they used the Sentencing Guidelines and included this helpful (required by law) recommendation of sentence in the Sentencing Memo to help the judge understand what the law said should be done: 
The judge decided instead that he would ignore the recommendation of the Department of Justice and that based on nothing but his own intuition, (as reported by Brian Krebs:) 

"the total offense level does overstate the seriousness of Mr. Levashov's criminal culpability" and said he believed Levashov was unlikely to offend again.  "I believe you have a lot to offer and hope that you will do your best to be a positive and contributing member of society." -- Judge Robert Chatigny of Connecticut

And with that, a single judge in Connecticut decided that this CAREER CRIMINAL was "unlikely to offend again" and that he felt that the charges were overstated AND LET HIM GO.

So much for the government's priority on stopping Ransomware.

The message this incompetent judge has just delivered to the criminal community is this: 

"Spam as much as you want, as long as you have a good lawyer and an incompetent judge, spam clearly doesn't matter to the United States." 

Monday, July 19, 2021

Nations come together to condemn China: APT31 and APT40

 On Monday (19JUL2021) President Biden announced that the US and its allies were joining together to condemn and expose that China was behind a set of unprecedented attacks exploiting vulnerabilities in Microsoft Exchange servers conducted earlier this year.  The White House press release was titled: "The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People's Republic of China." 

After praising recent actions by world governments to condemn Russian ransomware attacks, today's memo goes on the offensive against China, reminding the world that the PRC intelligence enterprise hires contract hackers who operate both for the state and for their own profits.  Biden reminds us of charges brought against PRC Ministry of State Security (MSS) hackers in October 2018, July 2020, and September 2020 and says they have "engaged in ransomware attacks, cyber enabled extortion, crypto-jacking, and rank theft." Today additional charges were brought against additional MSS hackers.

While many court cases, agreements and foreign government statement were mentioned in the article, we thought it would be helpful to have all the links in one place.  In this article, we share links to the mentioned charges against MSS-sponsored hackers, indicators and characteristics of the APT40 attacks, including advisories from CISA and NSA, links to foreign government statements joining in condemning China's cyber attacks, and lastly, policy statements from G7, NATO, and EU supporting new Ransomware policy initiatives. Previous Charges Against Chinese MSS-supported Hackers

The previous incidents referred to by the White House can be found on the website at the links below: 

30OCT2018 - "Chinese Intelligence Officers and their Recruited Hackers and Insiders conspired to steal sensitive commercial aviation and technological data for years

Zha Rong and Chai Meng were intelligence officers in the Jiangsu Province office of the Ministry of State Security (MSS).  Their hacking team included Zhang Zhang-Gui, Liu Chunliang, Gao Hong Kun, Zhuang Xiaowei, and Ma Zhiqi and insiders of a French aviation company, Gu Gen and Tian Xi.  Their cyber attacks went back to at least 08JAN2010.  The indictment of these Chinese hackers which provides several aliases including leanov, Cobain, sxpdlcl, Fangshou, mer4en7y, jpxxav, zhuan86, and Sam Gu is available.

21JUL2020 - "Two Chinese Hackers working with the Ministry of State Security charged with Global Computer Intrusion Campaign targeting Intellectual Property and Confidential Business Information, including COVID-19 Research

LI Xiaoyu (李啸宇)and DONG Jiazhi (董家志).  The 27-page indictment of these Chinese hackers, which reveals Li's hacker handle of "Oro0lxy" and the fact they worked for Guangdong State Security Department, is also available from DOJ.

16SEP2020 - "Seven International Cyber Defendants, including 'APT41' actors, charged in connection with Computer Intrusion Campaigns against more than 100 victims globally."

Jiang Lizhi (蒋立志), Qian Chuan (钱川), and Fu Qiang (付强) operated Chengdu 404 Network Technology.   Zhang Haoran (张浩然) and Tan Dailin (谭戴林) of China were part of a conspiracy targeting the video gaming industry, along with Wong Ong Hua and Ling Yang Ching of Malaysia  who operated through Sea Gamer Mall.  A transcript of the press conference about these three indictments of Chinese hackers is available. Newly revealed Charges

19JUL2021 - "Four Chinese Nationals Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including Infectious Disease Research"

The current case charges that the Hainan state Security Department set up a shell company, Hainan Xiandun Technology Development Company (海南仙盾).  Three HSSD Intelligence officers, Ding Xiaoyang (丁晓阳), Cheng Qingmin (程庆民) and Zhu Yunmin (朱允敏), interacted with a lead hacker at Hainan Xiandun, Wu Shurong (吴淑荣).  Working with his team, Wu and his hackers attacked universities and research facilities across the United States and the world, planting malware and stealing intellectual property.  The indictment against Ding, Cheng, Zhu, and Wu, which also uses the aliases Ding Hao, Manager Chen, Manager Cheng, Zhu Rong, and gives Wu Shurong's hacker aliases as goodperson and ha0r3n is available from 

Many research groups have referred to them and their malware by a variety of names, including APT40, Bronze, Mohawk, Feverdream, Goo65, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, Mudcarp, Periscope, Temp.Periscope, and Temp.Jumper.   A few reports on these would include: has released an APT40 TTP Advisory, available as "Alert (AA21-200A) Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department"

The Malware families and malicious tools named in the CISA advisory (with links to MITRE tool description pages) are:

  • BADFLICK/Greencrash
  • China Chopper [S0020]
  • Cobalt Strike [S0154]
  • Derusbi/PHOTO [S0021]
  • Gh0stRAT [S0032]
  • GreenRAT
  • jjdoor/Transporter
  • jumpkick
  • Murkytop (mt.exe) [S0233]
  • NanHaiShu [S0228]
  • Orz/AirBreak [S0229]
  • PowerShell Empire [S0363]
  • PowerSploit [S0194]
  • Server software component: Web Shell [TA1505.003]

NSA Advisory on Chinese State-Sponsored Cyber Operations

The National Security Agency, working with and the FBI, also released an advisory today, detailing in 31 pages more details about observed Tactics, Techniques, and Procedures (TTPs) used by Chinese hacking groups.  Their description, provides Tactics, Threat Actor Techniques, Threat Actor Procedures, and Defensive Tactics and Techniques using the MITRE ATT&CK and D3FEND models. Detailed Detection and Mitigation Recommendations are also shared for each tactic.

Just to share one example ... here is the way "TA0004" is described in the report.

That level of detailed explanation goes on for 14 pages of the report!  Please see the full report for more details by visiting "CSA Chinese State-Sponsored Cyber TTPs." 

International Coalition Joining In

The White House Press Secretary, Jen Psaki, mentions that the condemnation of Chinese hacking was joined by the European Union, the United Kingdom, Australia, Canada, New Zealand, Japan, and NATO!

The UK's National Cyber Security Centre issued this release: UK and allies hold Chinese state responsible for pervasive pattern of hacking while the UK's Foreign Secretary Dominic Raab issued a matching release. 

Canada's Minister for Foreign Affairs, the Honourable Marc Garneau, issued this statement: "Statement on China's Cyber Campaigns

New Zealand's GCSB (Government Communications Security Bureau) issued this release: New Zealand condemns malicious cyber activity by Chinese state-sponsored actors

ENISA, the European Union Agency for Cybersecurity, actually put out technical guidance on addressing Microsoft Exchange Vulnerabilities back in March, mentioning the LemonDuck cryptocurrency mining botnet, and DearCry Ransomware being delivered via these methods. At that time they referred to the first broad attackers using this technique as "Hafnium" (based on Microsoft's reporting of Hafnium Targeting Exchange Servers.)

NATO Press Release: Statement by the North Atlantic Council in solidarity with those affected by recent malicious cyber activities including the Microsoft Exchange Server compromise

Previous Ransomware Actions

The White House memo makes reference to three recent advances in international communications about cyber security, from the G7, NATO, and the EU.

In June, the G7 Summit Communique specifically called out Russia's inattention to Ransomware issues:

51. We reiterate our interest in stable and predictable relations with Russia, and will continue to engage where there are areas of mutual interest. We reaffirm our call on Russia to stop its destabilising behaviour and malign activities, including its interference in other countries’ democratic systems, and to fulfil its international human rights obligations and commitments. In particular, we call on Russia to urgently investigate and credibly explain the use of a chemical weapon on its soil, to end its systematic crackdown on independent civil society and media, and to identify, disrupt, and hold to account those within its borders who conduct ransomware attacks, abuse virtual currency to launder ransoms, and other cybercrimes.

Also in June, the NATO Brussels Summit Communique reaffirmed the NATO Cyber Defence Pledge and again called out Russia's behavior:

12. In addition to its military activities, Russia has also intensified its hybrid actions against NATO Allies and partners, including through proxies.  This includes attempted interference in Allied elections and democratic processes; political and economic pressure and intimidation; widespread disinformation campaigns; malicious cyber activities; and turning a blind eye to cyber criminals operating from its territory, including those who target and disrupt critical infrastructure in NATO countries.  It also includes illegal and destructive activities by Russian Intelligence Services on Allied territory, some of which have claimed lives of citizens and caused widespread material damage.  We stand in full solidarity with the Czech Republic and other Allies that have been affected in this way.

32.         Cyber threats to the security of the Alliance are complex, destructive, coercive, and becoming ever more frequent.  This has been recently illustrated by ransomware incidents and other malicious cyber activity targeting our critical infrastructure and democratic institutions, which might have systemic effects and cause significant harm.  To face this evolving challenge, we have today endorsed NATO’s Comprehensive Cyber Defence Policy, which will support NATO’s three core tasks and overall deterrence and defence posture, and further enhance our resilience.  Reaffirming NATO’s defensive mandate, the Alliance is determined to employ the full range of capabilities at all times to actively deter, defend against, and counter the full spectrum of cyber threats, including those conducted as part of hybrid campaigns, in accordance with international law.  We reaffirm that a decision as to when a cyber attack would lead to the invocation of Article 5 would be taken by the North Atlantic Council on a case-by-case basis.  Allies recognise that the impact of significant malicious cumulative cyber activities might, in certain circumstances, be considered as amounting to an armed attack. ( ... ) If necessary, we will impose costs on those who harm us.  Our response need not be restricted to the cyber domain.  We will enhance our situational awareness to support NATO’s decision-making.  Resilience and the ability to detect, prevent, mitigate, and respond to vulnerabilities and intrusions is critical, as demonstrated by malicious cyber actors’ exploitation of the COVID-19 pandemic.  NATO as an organisation will therefore continue to adapt and improve its cyber defences.  ...

The European Union held their US-EU Justice and Home Affairs summit on 21-22JUN2021.  European Commissioner Ylva Johansson, and US Secretary of Homeland Security Alejandro Mayorkas met along with the European External Actions Service, Europol, Eurojust, and others agreed to create a new U.S.-EU working group dedicated to fighting against ransomware.  DHS reporting of the event can be found as "Readout of Secretary Mayorkas’s Trip to Portugal."  The EU's reporting of the same event can be found as "Joint EU-US statement following the EU-US Justice and Home Affairs Ministerial Meeting."

6. The United States and the European Union acknowledged the need to cooperate and shape a digital future based on our shared democratic values. The United States and the European Union acknowledged the potential benefits and risks of using Artificial Intelligence technologies for law enforcement and the judiciary. They also reaffirmed their dedication to develop and use such technologies in a trustworthy manner in conformity with human rights obligations. They further exchanged views on current and upcoming European Union efforts on tackling illegal content online, including the need to improve the cooperation between the authorities and online platforms to detect ongoing criminal activity. The United States and the European Union commit to continue to work together on how law enforcement and judicial authorities can most effectively exercise their lawful powers to combat serious crime both online and offline. They agreed on the importance of together combating ransomware including through law enforcement action, raising public awareness on how to protect networks as well as the risk of paying the criminals responsible, and to encourage those states that turn a blind eye to this crime to arrest and extradite or effectively prosecute criminals on their territory.

Friday, July 02, 2021

Operation Skein: The Irish Garda Target Nigerian BEC Criminals

It seems nearly every week that the Garda National Economic Crime Bureau (the GNECB) announces a new arrest in Operation SKEIN.  In a newly released featured interview, Ireland's "The Journal" had Detective Chief Superintendent Pat Lordan, and Superintendent Michael Cryan of the Garda National Economic Bureau discuss what they described as "a pandemic boom in scams." 

Chief Supt Lordan says "fraud has changed from a cottage industry to a global organized crime epidemic." 

Det Supt Michael Cryan and Det Chief Supt Pat Lordan lead the GNECB
(photo from The Journal, click image for full story)

"The GNECB now believes, and arrests have proven this, that financial fraudsters, particularly an organised crime group with origins in West Africa are operating in Ireland."

Cryan says: "It is at the highest level of scams. At the bottom of the ladder you have the money mule, a boy or girl letting money be laundered through their account.  Then there's the mule herder, who we have found in Ireland -- they are the next level up, acting as a handler for the mules.  There is a next level up then, managing operations across the region.  From examining phones we've seized we found messages from West Africa set to people in various countries. They send out a message to the herder looking for an account, for example, that can manage two or three thousand euro." 

Lordan says they have managed to recover more than 25 million Euros by freezing accounts before the full amount could be withdrawn, including $500,000 stolen from an American company based in Ireland.

The Egmont Group, a partnership of 166 financial intelligence agencies around the world, including the GNECB, has been a great help in recovering funds.  The group within Europol has also been helpful in making contact with other police financial intelligence units.

Cryan says "the money is coming victims across the globe" citing an example of a €3.8 million transfer from Lebanon or Syria into an Irish account.  He claims at least €15 million from businesses in Chile, Russia, China, and Palestine are flowing into the country, but the directions for how to receive and handle the money? Those are coming from messages on the phones sent from West Africa.

Targeting The Young (Mules)

In an interview with the Independent, (See "They put 10k in my bank account and I had to get it out. Now!")  Det Chief Super Lordan said they were currently running at least 40 investigations into online fraud, but was gravely concerned about young money mules.  He relayed the story of an arrest in Kerry where the 18 year old subject was running a network of 51 money mules from his home!  He had received over €70,000 in the proceeds of international invoice redirection fraud that had moved through those accounts, and the amount being moved each time was increasing.  The mules were between the ages of 16 and 24 and all knew their recruiter.  Many were recruited via Snapchat or other social media through advertisements offering to pay €300 or €400 for the use of their account.

The young lady whose story is the headline says she and her friend were walking in Ballyfermot and a local guy she knew approached them. He had a friend trying to send him money and his account wasn't available.  Could he use hers? He only needed it for five minutes.  He instructed her to hand over her card and he sent the details to his colleague.  Minutes later there was  €10,000 in her account and she began to realize she was in trouble. He dragged her all about town trying to withdraw the funds via ATM and in person counter transactions. She was told to withdraw the cash from the teller window in pounds rather than Euros, but she could only get  €2000 from the teller and the ATMs only let her take  €500 per transaction.  Soon her card was blocked. The men disappeared and she called the Garda.

Operation Skein

The current focus of the Irish Garda is called Operation Skein.  The operation focuses on a form of international Business Email Compromise (BEC) that begins with Invoice re-direction fraud and ends with money being laundered through bank accounts first in Ireland and then around the world.  Operation SKEIN was launched in June of 2020.  The name is possibly based on the word used in Knitting.  A Skein of yarn (like these from an Irish knitting shop) is arranged so that when you pull the string, it just keeps feeding the knitter. High praise to the gardaí for continuing to pull the string and achieving arrest after arrest!

Three Skeins of yarn from
Three Skeins of Irish Yarn (

Earlier and parallel operations include Operation Joggle and Operation Boxplot.  Both also involve Invoice Redirection Fraud, the preferred Garda term for what we would call BEC in the USA.   By reviewing Irish press and Garda Press Releases, we can learn just how extensive these on-going investigations have been.

A Long Skein of Arrests 

31JUL2020 - Operation Joggle - a man in his 30s arrested in relation to international invoice redirection frauds totaling  €110,000 in West-African directed fraud

21AUG2020 - Operation Joggle - a fourth arrest in Operation Joggle involving two international invoice redirection frauds totaling  €36,000. So far Operation Joggle has led to searches of fifteen premises in Dublin, Louth, Meath, Kildare, and Laois going back to September 2018.

#3/#4 - 14OCT2020 - two men, one in his teens and the other in his 40s were arrested after searches in Dundalk, Tralee, and Dublin.  At this time, over  €4,000,000 has been laundered through bank accounts in Ireland.  

29OCT2020 - a man in his 20s arrested as part of Operation Skein investigating invoice redirect fraud has now been charged. He was held at Tallaght Garda station

29NOV2020 - Operation Joggle - a man and woman arrested for trade-based money laundering as part of an ongoing investigation into a West African organised crime gang involved in trade-based money laundering worth €14.6 million over two years!)

#5/#6/#7 - 08DEC2020 - three men arrested after searches in Dublin 2 and Dublin 8.  All three are in their 20s.  

#9/#10 - 03FEB2021 -  a 37 year-old man and a 37 year-old woman were arrested (and the female released without charges) and "a large amount of stolen property was recovered" after searches in Dublin 9 and Dublin 12.  The property was purchased via the proceeds of Business Email Compromise / Invoice Re-Direct Frauds which occurred in Asia during December 2020.  Purchases were made in Dublin over the Christmas period in 2020.  (At this time, Operation Skein had identified €6,000,000 stolen worldwide of which €5,000,000 was laundered through accounts in Ireland.  90 suspects have been identified throughout the country!) Reporting in The Independent revealed that the man arrested in Crumlin was a Nigerian, and that the woman, arrested in the Santry area of Dublin, was from Ghana.  They were arrested after victim funds from Dubai and Hong Kong were duped in separate invoice redirect frauds.  Ireland's The Sun says the man, from Nigeria, is suspected of being a leader of the organised crime gang. Just in December, he moved €55,000 through one of his accounts. 

The two spend €33,000 in Grafton Street, Dublin, between St Stephen's Day and December 31.
(photo from, click for their story)

More seizure photos from (click for story)

#11 - 25FEB2021 - a woman in her early 40s arrested after a search in Monaghen.

#15 -  15MAR2021 - The 15th individual arrested in Operation SKEIN was described as "extremely significant" by gardai speaking to Ken Foy of the Irish Independent.  Detectives found a number of fake ID documents at his home in Naas and said "this Nigerian national has played a key role in the international crime gang involved in the massive fraud operation.  He can be described as money management in that he is suspected of recruiting money mules and then managing their accounts. He decides what goes in and what goes out of the bank accounts and is deeply involved in the coordination of where the money goes."  He had been arrested two years earlier opening a bank account with his real name but a fake passport, and is believed to have been continuously involved in fraudulent finances since that time. He is closely tied to arrest #9 above, the 37 year old living in south Dublin "considered one of the main players in the mob." The investigation also revealed that the gang is using Irish-based women from Ghana and Zimbabwe in their schemes.

#16 - 19MAR2021 - a male juvenile arrested after searches in Tallaght, County Dublin

#17 - 07APR2021 - a 29 year-old woman arrested in Dublin. (The Garda Press Office actually called her #16, but we already had #16 and the next pair "bring to 19 the number arrested" so ...)

#18-19 - 15APR2021 - a man and woman in their late teens, arrested in Longford as part of both Operation BOXPLOT and Operation SKEIN were released without charges. 

15APR2021 - four men, ages 23 to 35, were arrested after searches in Cork, Tipperary, and Roscommon.  Three were arrested as part of Operation BOXPLOT, which targets a Criminal Organization based in the North Cork area, believed to be laundering the proceeds of international invoice re-direct (BEC) fraud through bank accounts in Ireland.  The fourth was arrested under Operation SKEIN, which targets a Criminal Organization based in Ireland involved in similar international criminal activity.  Later in the day, a fifth person was also arrested as part of BOXPLOT in County Westmeath.  

Reporting in the Sunday World (See "Five Men arrested in operation targeting multi million euro fraud") revealed that four of the men were Romanian and one was Nigerian.  Atttention was drawn to the group when a female associate was arrested in County Tipperary late last year when she attempted to withdraw €31,000.  The money was suspected of being the proceeds of an Invoice Redirect Fraud (BEC) where a Hungarian company was targeted by criminals in Ireland. "Senior sources" called the arrest of the Nigerian "highly significant" as he has close links to the main garda target of the operation which targets multi-million euro fraud.  Sunday World's source went on "What is unusual about this case is that it has shown that Romanian and Nigerian crime gangs are working together in Ireland in relation to a huge money laundering conspiracy.

According to The Journal, €65,000 was frozen in 14 bank accounts controlled by the Romanians, along with €31,000 in cash and €3,000 worth of alcohol.  The group was charged with laundering €1.5 million with funds from a variety of sources, including cyber fraud, organized prostitution, and theft. 

#WhoKnows - 16APR2021 - two additional people, another man and woman in their late teens, were also arrested in Longford as part of both Operation BOXPLOT and Operation SKEIN.  I give up on counting because this release says 5 people were arrested on 15APR and two more on 16APR "which brings to 19 the number of persons arrested."

18APR2021 - a man arrested in his 20s after a search in Clondalkin.

23APR2021 - a man in his 20s arrested after searches in Ennis, County Clare

02JUN2021 - Balbriggan, County Dublin - a 32 year-old man arrested who is said be the 3rd leader arrested in Operation SKEIN.  The criminal organization to which he belongs is said to have "stolen over €14 million worldwide in invoice redirect frauds/BEC frauds with at least €8 - €9 million laundered through the bank accounts of gang members and money mules all over Ireland." This man is described as a leader because of his role in recruiting money mules and directing the laundering of the proceeds of crime through multiple bank accounts.  A large amount of potential evidence was seized, including phones, laptops, bank cards, and other documents.  According to the Independent, the arrested man "is suspected of having links to the feared Nigerian crime organization called Black Axe." They continue, "The detained man is an expert computer programmer who works for a company who is contracted to a major multinational corporation based in Dublin." He is tied to >€10,000 in Smishing profits,  €60,000 in an Invoice Redirection fraud against an Irish company, and  €250,000 in fraud against an Irish bank. €120,000 in funds in another of his accounts may be linked to the proceeds of a major fraud in Germany in which there were five victims.  He is one of 30 arrested so far in 2021 as part of Operation SKEIN. 

18JUN2021 - a man in his 30s arrested after searches in Milltown area of Dublin 14

24JUN2021 - Limerick - a suspect in his late teens was detained for laundering  €139,211 through his bank account, sending invoice redirection fraud funds to Russia, Slovakia, Taiwan, India, and South Korea. The funds were then forwarded on, primarily to Turkey and Germany.

More Details From Court

American audiences may not understand that in Ireland and much of Europe, the name of an arrested person cannot be shared until the person is charged before a prosecutor, so in many cases, we do not yet know the names in the cases above.  But there are exceptions.

Steven Sylvester, aged 27, claimed asylum from Nigeria six years ago and has since married a woman from Dublin and had a child with her.  He continues to draw welfare from the state, living at The Alley Apartments, Fairgreen Street, in Naas, County Kildare. He faces five counts of money laundering, four charges of handling stolen ID cards, and one count of using a false passport to open bank accounts.  He was charged with receiving €190,000 in funds from invoice redirection fraud targeting businesses in Hong Kong, Finland, and the United States. The GNECB showed that he had used four stolen foreign ID cards to open bank accounts. He was released on €5,000 bail despite the protests of the GNECB.