Monday, September 19, 2022

The new DOJ Law Enforcement Crypto Reports (TL;DR)

TL;DR? Good news!  I read them for you! 

On 15SEP2022, the Department of Justice released its report "The Role of Law Enforcement in Detecting, Investigating, and Prosecuting Criminal Activity Related to Digital Assets" (66 pages).  The first of the nine reports ordered by President Biden's Executive Order 14067, "Ensuring Responsible Development of Digital Assets," was also released by the DOJ, back on 06JUN2022: "How To Strengthen International Law Enforcement Cooperation for Detecting, Investigating, and Prosecuting Criminal Activity Related to Digital Assets" (58 pages). 

Since then, we have seen the Department of Treasury release three reports:

Treasury also provided to the White House in July a "Framework for International Engagement on Digital Assets" which is described in their press release, but not provided to the public. 

Earlier this month, the Department of Commerce released their report:
 "Responsible Advancement of US Competitiveness in Digital Assets" (19 pages). 

The Office of Science & Technology Policy also released three reports:

In this blog post, we'll focus on the two DOJ reports, which we will address in the reverse order of their release, since it makes sense to define the role of law enforcement in digital assets before discussing the international cooperation one would seek in this area.

The Role of Law Enforcement in Digital Assets

Despite the Executive Order, it is important to note that the Department of Justice did not need the urging of the White House to establish procedures for addressing cryptocurrency.  The department created the Attorney General's Cyber-Digital Task Force in 2018, which produced its original report, published in October 2020, titled the Cryptocurrency Enforcement Framework (83 pages).  That original report sorted the illicit uses of cryptocurrency into three broad categories of criminality: 
  1. financial transactions associated with the commission of crimes, such as buying and selling drugs or weapons, leasing servers used in the commission of cybercrime, soliciting funds to support terrorist activity, or ransom, blackmail and extortion. 
  2. money laundering and the shielding of legitimate activity from tax, reporting, sanctions, or other legal requirements, including operating unlicensed, unregistered, or non-compliant exchanges. 
  3. crimes, such as theft, directly implicating the cryptocurrency marketplace itself, such as stealing cryptocurrency from exchanges or defrauding unwitting investors. 
The original report listed many case studies involving indictments, seizures, and arrests in the scenarios above, including SamSam ransomware, Welcome to Video and DarkScandals child sexual abuse services, terrorist funding both through direct donation and via sales of fake medical equipment (PPE during COVID), the Bitcoin Maven case (Theresa Tetley), BTC-e, Operation DisrupTOR (Wall Street Market), DeepDotWeb, DreamMarket, the Lazarus group hacks, HeroCoin ATMs, the Helix mixer, and others. 

The new report points out something that I've recently been mentioning as well.  Bitcoin and other blockchain-based cryptocurrencies are neither the first digital currency, nor the first one that has facilitated a great deal of criminal trade.  The report mentions E-Gold (1996) and Liberty Reserve (2006) as "pre-crypto" examples of digital currencies, but could have as easily mentioned Webmoney (1998) or PerfectMoney (2007). Many of the points of the new report echo those of the prior one, although the cases have been updated: Bitfinex, Helix, Hydra Market (estimated at one point to perform 80% of all darknet marketplace transactions), and Garantex, the Estonia-based exchange that laundered more than $100 million of the funds associated with darknet markets. The Colonial Pipeline ransomware, the use of bitcoin by indicted GRU agents, and the theft of $600 Million by Lazarus Group hackers in March 2022 are all used to update the original report. 

Two significant additions are the section on the Growth of Decentralized Finance (DeFi) and Non-Fungible Tokens (NFTs). In this area, the discussion of "Decentralized Autonomous Organizations" as opposed to a traditional corporate structure, and the insider trading, money laundering, and tax evasion aspects of NFT trading are discussed.  (Examples of Nathaniel Chastain of OpenSea and Ishan Wahi of Coinbase are provided as insider examples.) 

Section II of the report discusses DOJ efforts such as the National Crypto Enforcement Team (NCET) and its predecessors, such as the Money Laundering and Asset Recovery Section's Digital Currency Initiative and the International Virtual Currency Initiative. It also shares a few interesting statistics from the FBI: as of July 2022, the FBI had worked 1,100 separate investigations across 100 investigative program categories that involved a digital assets nexus, and since its first digital assets seizure in 2014, the FBI has seized $427 million in virtual assets (as valued at time of seizure).  In February 2022, the FBI created the Virtual Assets Unit.  The Department of Justice has also created a Digital Asset Coordinators Network, composed of designated prosecutors in U.S. Attorney's Offices across the country who work closely with CCIPS, MLARS, and NCET.  The program is based on the successful CHIP Network (Computer Hacking and Intellectual Property) and the National Security Cyber Specialist (NSCS) Network, each of which designates prosecutors in every field office to be specially trained and equipped to handle the relevant case types for their office. 

Cryptocurrency fraud investigations are listed as well, including the Baller Ape Club NFT rug pull case, the EmpiresX crypto Ponzi case, the Circle Society crypto commodities case, and the Titanium Blockchain Infrastructure Services Initial Coin Offering case. The Bitqyck case and the $2.4 Billion BitConnect Ponzi scheme case serve as examples of IRS Cyber tax evasion cases, with the latter also being charged civilly by the SEC. 

The DEA's Cyber Support Section is described as performing cryptocurrency analysis related to the use of cryptocurrency to facilitate drug trafficking, while the US Marshals Service is the group that manages and liquidates seized crypto funds. HSI has been a key player in many crypto cases, with at least 500 currently active investigations, especially via its Financial Crimes Unit, Cyber Crimes Center, and Asset Forfeiture Unit. The US Secret Service is also involved, with 302 cases involving digital assets and at least 535 seizures of digital assets valued at more than $113 Million at time of seizure.  The US Secret Service is also a top trainer of state and local law enforcement via the National Computer Forensics Institute (NCFI), headquartered here in Hoover, Alabama! They also operate a Digital Assets Awareness Hub to educate the public on crypto risks. 

Regulatory agencies also play their part, with FinCEN working to enforce Bank Secrecy Act (BSA) guidelines and regulations related to Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) requirements. Treasury manages the OFAC office, whose work includes sanctioning mixers and state-sponsored crypto hackers. The SEC regulates crypto scams that are structured as "investment contracts," such as BlockFi Lending LLC or the DeFi Money Market. The Commodity Futures Trading Commission (CFTC) regulates the trade of commodities in interstate commerce. They have brought 50+ enforcement actions against organizations such as Coinbase, Payward Ventures (Kraken), and Blockratize (Polymarket).  BitMEX is one cryptocurrency derivatives exchange targeted for CFTC enforcement, after $209 Million in darknet market transactions were cashed out via BitMEX; BitMEX paid a $100 Million fine, and three co-founders pleaded guilty to criminal charges and paid a $10 million fine. 

One last organization of note is IVAN, the Illicit Virtual Asset Notification platform, being built by FinCEN and the FBI's National Cyber Investigative Joint Task Force. The goal of IVAN is to be a public-private information exchange to allow industry to collaborate on timely detection and disruption of the use of virtual assets in furtherance of illicit activity. 

Requests for Legislation 

The Justice report does make several requests for additional legislation, in five categories: 

  1. Extend the prohibition against disclosing subpoenas (currently in effect for financial institutions) to VASPs (Virtual Asset Service Providers), strengthen the laws against operating an unlicensed money transmitting business, and extend the statutes of limitations from 5 to 10 years for certain crimes. 
  2. Support initiatives that would aid investigators in gathering evidence. 
  3. Strengthen sentencing guidelines for certain BSA violations. 
  4. Extend BSA record keeping rules to VASPs. 
  5. Ensure that law enforcement has the resources to conduct and staff sophisticated digital asset-related investigations. 
The details of these legislative proposals are in section IV of the report, LEGISLATIVE AND REGULATORY ACTIONS THAT COULD ENHANCE EFFORTS TO DISRUPT, INVESTIGATE,

International Considerations 

One of the main observations of the report on International Law Enforcement Cooperation is the standard complaint that Mutual Legal Assistance treaties are too slow, and that faster methods of international law enforcement cooperation, such as the "24-7 Network," often do not have a standard way of sharing requests regarding Virtual Asset Service Providers (VASPs). 

Next, while the western-friendly nations of the world have largely standardized cybercrime laws under the Budapest Convention on Cybercrime, the way in which the nations of the world define, regulate, and enforce actions against VASPs are varied and inconsistent.  Under the concept of Dual Criminality, where one nation may only ask another to enforce laws which are similar in both countries, much of crypto-crime enforcement lacks such standards. 

While the cybercrime laws may not have caught up, the international body that deals with Anti-Money Laundering, FATF or the Financial Action Task Force, is a clear thought leader on Virtual Assets guidelines. (We wrote about FATF in 2019; please see: Money Laundering and Counter-Terrorist Financing: What is FATF? ) Unfortunately, as of July 2021, only 35 participating nations had implemented the FATF suggestions regarding virtual assets and VASPs into their national laws. 

My favorite part of the "Strengthening International Law Enforcement" report is Annex B: "Examples of Successful Cross-Border Collaboration on Digital Asset Investigations." 

Liberty Reserve
Silk Road 
Operation Bayonet (AlphaBay and Hansa)
Dream Market
Wall Street Market 
Welcome To Video 
Operation DisrupTOR
Hydra Market 
Twitter hack 
Sodinokibi/REvil Ransomware 
NetWalker Ransomware 

For each example above, details are shared about which international law enforcement agencies partnered with which US agencies in order to reach the successful resolution.  Inspiring reading! 

Monday, September 12, 2022

Chidozie Collins Obasi - COVID Fraud & Work at Home Scams

On September 9, 2022, the FBI's Philadelphia office asked for help locating Chidozie Collins Obasi.  OBASI is charged with being part of a conspiracy to steal more than $30 Million related to COVID fraud out of New York.  How did the scam work? Much of it goes back to a typical model: a fake job offer and a counterfeit check.  But in this case, there was much more!

During the COVID-19 crisis, the New York State Department of Health was responsible for buying and allocating ventilators to hospitals in the State of New York.  Two hospital systems are relevant in this case: Guthrie, a non-profit health care system based in Sayre, Pennsylvania, but operating two hospitals in New York, and Northwell Health, another non-profit healthcare network, at that time the largest provider of rehab and nursing facilities, also providing urgent care, hospice care, and home health services. 

Part of the scam conducted by OBASI was to offer for sale three ventilator products sold by the German company Draeger, Inc, with a U.S. headquarters in Telford, Pennsylvania.  Their three most popular ventilators for sale in the US were the Evita 300 ($15,000), the Savina 300 ($17,000) and the Evita V500 ($21,000).  

A few websites were used as part of this scam: Tawada Healthcare in Indonesia, MedWOW Ltd. Global of Cyprus, and Zhejiang Tiansong Medical Instrument Company. 

Members of OBASI's conspiracy opened bank accounts at foreign banks in China, United Arab Emirates, and Indonesia. They then registered look-alike domain names that appeared to be the domains for Tawada Healthcare, MedWOW, and Tiansong Medical. OBASI and team then made false identities and claimed to be employees in the spoofed companies, including Luiz Alfredo, Marc Alfredo, and others. 

OBASI used a spam-sending service based in Ukraine and VOIP accounts created via TextMe and TextNow to allow them to use French and US-based virtual telephone numbers that would route to their real devices. 


OBASI then sent thousands of emails to job seekers in the United States offering them employment at one of the spoofed companies. They explained that because their companies were overseas and had no US bank presence, they needed to hire them to accept payments on behalf of their North American customers. The new "employees" were thus duped into acting as money mules for the scammers, opening up bank accounts or allowing their own accounts to be used to receive funds, for which they would receive a commission in addition to their "salaries." 

The new employees would receive counterfeit checks sent from a co-conspirator in Canada and were instructed to deposit the checks into their personal accounts. The checks were delivered via companies such as DHL and FedEx. The employees, who believed the funds from these checks were payments for ventilator sales, were then instructed to wire them to the international bank accounts OBASI and others maintained overseas.  The employees received more than $11 million in such checks, although only $1,005,227 was forwarded to OBASI's crew. The work-from-home scam aspect ran from approximately September 2018 through March 2020.


Beginning in March 2020, OBASI's crew noticed the shortage of ventilators and determined that they might make more money by claiming to have a large supply of Draeger ventilators for sale to US companies.  Their next round of work-from-home scams were to recruit medical sales professionals to act as their agents to sell the ventilators, which this class of employees believed were held in large numbers by Tawada Healthcare. OBASI took the role of researching how such ventilators were normally sold, using false identities to reach out to Draeger asking questions about their ventilators. He then created price quotes and sales contracts, along with letters of guarantee, claiming that Tawada Healthcare (who he represented as "Marc Alfredo") had the ventilators in stock and were ready to sell them. 

The French TextNow telephone number was listed as a reference account of a happy French customer who had worked with Marc Alfredo and had been pleased with the ventilators he had purchased. American customers purchased the ventilators from OBASI's "work-from-home" sales crew who received payments and then wired the money forward, less their commission, to OBASI's bank accounts in Hong Kong. 

Between March 2020 and April 2020, they prepared offer letters for $286,800,000 worth of Draeger ventilators!  $30,689,560 were actually sent to OBASI and his crew, solely by the State of New York!

SBA's COVID-19 EID Loan Program 

The third phase of OBASI's crimes was to steal the identities of American citizens, which they had in abundance because of all of the "job applications" that they had received.  Using this information, OBASI's crew then applied for money from the US Small Business Administration's EID Loan Program. The loan processor, based in Des Moines, Iowa, sent the funds to the "employee's" bank accounts, however the employees believed that these were also payments for Draeger ventilators being purchased from Tawada Healthcare, who they believed was their employer.  These funds were then forwarded to bank accounts operated by OBASI and others via Western Union or wire transfer to a bank account in Tangerang, Indonesia. 

55 fraudulent SBA COVID-19 EID Loan applications were paid out, each to a different stolen identity, totalling an additional $455,300 in fraud, of which $277,400 was successfully transferred to Indonesia. 

Domains used: 

mailzj-tainsong[.]com - used to spoof Tiansong Medical 

mailmedwowglobal[.]com = used to spoof MedWOW = (the Luiz Alfredo account) 

emailthc[.]com = used to spoof Tawada Healthcare 

863-855-3342 = a TextMe VOIP number (the "Alfredo Phone") 
marcalfredo@emailthc[.]com = the fake Marc Alfredo's email 
marca@emailthc[.]com = another fake Marc Alfredo email 
= spam accounts used to hire and interact with employees 
= a fake account of "Bill Cartu" posing as a MedWOW customer 
= a fake company "Albert Scott Breese / Black Diamond Investment Company of Santa Monica, CA" 
= John Albin was an alias used by the Canadian co-conspirator to communicate with "Marc Alfredo" regarding where checks should be sent. 
= used to fraudulently imitate the FBI

More Technical Details 

An example of the use of Snov[.]io was an email on 15MAR2020 sent to 162 US persons from asking "Hi, I'm wondering if you're getting my email regarding a contract position." 

If they replied, they would then receive emails from "marcalfredo@emailthc[.]com" explaining more about the job at Tawada Healthcare, offering a 5% commission on any sales, and describing their role in receiving payments from North American customers. 

In order for the quotes being sent to look realistic, OBASI interacted with the real Tawada Healthcare, claiming to be "Dr. Collins" from the University of Rochester and asking for an urgent quote for Evita 300 and Savina 300 ventilators. 

OBASI also contacted Draeger to get quote information, using the name "Collins Obasi" in the quote request and claiming to be an employee of Northwell Hospital.  In response to questions received from potential customers, he asked Draeger several more technical questions in later correspondence. 

Using these quotes as a template, OBASI crafted false quotes for among other things: 

20 ventilators to GUTHRIE for $340,000 
70 ventilators to GUTHRIE for $1,190,000 
35 ventilators to GUTHRIE for $595,000 
100 ventilators to NORTHWELL for $1,600,000 
500 ventilators to State of New York for $19,000,000 

KeyBank was one bank that challenged an outbound wire to the Bank of China HK LTD that was going to "Hong Kong Murphy Trading Co Limited." 

They received a reply stating: 

"I Surya Darma, accounts officer for Tawada Healthcare Jakarta, Indonesia authorize that we did request funding of $12,637,660.00 to be wired to the Bank of China HK LTD for a beneficiary named Hong Kong Murphy Trading Co Limited. These funds are for a purchase order for ventilators by New York State Department of Health as delivery is of the utmost important due to the Covid19 crisis. Please kindly expedite the wire urgently."

and .... they sent the money. (April 1, 2020) 

That same day "marcalfredo@emailthc[.]com" emailed an employee of the State of New York a signed purchase order for 2,000 Draeger ventilators from Tawada Healthcare for $38,004,000 and asked for a 50% deposit to be sent from the State of New York's KeyBank account (ending in 0026) to an "employee" account at KeyBank ending in 4326. 

A wire was sent by that employee on 02APR2020 to Bank of China HK LTD for $18,051,900 - the $19,002,000 requested minus the "employee's" 5% commission. 

Things get really crazy when OBASI has one of his team make up an FBI Special Agent named Terrence Andrews, of the "International Funds Transfer Monitoring" department of the Albany Field Office, asking the employee to call him back on OBASI's TextOne number to discuss "recent transactions and dealings with a foreign company."  That email came from "" 

Another co-conspirator then became "FBI Special Agent S.N. of Philadelphia" and instructed that they should only discuss the charges by reaching him at 267-792-1272 using passcode "Operation Covid19" and that they should not speak to anyone else at the FBI except him. 


Thursday, August 11, 2022

Three UK-based Nigerian BEC Scammers Used Construction Intelligence Service to Target Victims

On 10AUG2022, three Nigerians were extradited from the UK to the US to face charges related to their roles in conducting Business Email Compromise (BEC) attacks against a number of US-based businesses.

43-year old Oludayo Kolawole John Adeagbo, 40-year old Donald Ikenna Echeazu, and 42-year old Olabanji Egbinola were brought to North Carolina to face their charges, although some of their crimes were also charged in Texas and their victims are across the United States and the world. 

The three were linked together by exchanging data related to construction companies who were involved in multi-million dollar building projects, and whose emails they were able to acquire through phishing attacks against targets they had purchased from a commercial intelligence service intended to be used by potential sub-contractors. 

BECs through Look-alike Domains

Victim A notified the FBI that someone was spoofing Victim B, by sending emails from the address "" (The real company, Lucas Construction, in League City, Texas, uses the domain "".)  In one email, a victim received an appropriate form that their company used for updating banking information.  The email sender was clearly familiar with their processes, as the email said: 

Please find attached our completed ACH form and a copy of a voided check as requested. Kindly let us know once updated. 

After processing the change of banking information, Victim A sent the next construction payment of $525,282.39 to a SunTrust bank account rather than to Lucas Construction!

Victim C, a community college in the Houston, Texas area, had a similar experience, resulting in sending $1,995,168.64 to a PNC Bank account controlled by criminals after receiving a similar request to update their records from ""  The real domain (Victim D) should have been, a four-generation family-owned construction and concrete company in Houston.  

Victim E, a county government in Texas, sent $888,009.40 to a JPMorgan Chase account after being asked to update the banking records via an email from "" 

All three of those domains were registered by NameCheap by "Daniel Roberts" who used three different email addresses for the domains.,, and  Additional domains, including,, and were also created by the criminal -- close imitations of the real domains,,, and These domains were used to target additional victims with BEC attempts via bank record "update" requests.

The Texas FBI investigators learned that danielroberts604 was also linked to an investigation being led by FBI Charlotte, North Carolina, where he had used the domain to do a similar scam, as well as another Texas scam using the domain to steal funds from a school system in Dallas, Texas. 

North Carolina was able to add another victim to the case: Appalachian State University, from which ADEAGBO and ECHEAZU were able to steal $1,959,925.02 using a similar methodology.  The two recruited a money mule in Los Angeles, California, Ho Shin Lee, who agreed to register a company "Royce Hub Trading" and open a JPMorgan Chase bank account in the same name. Funds were stolen by imitating North Carolina-based "Rodgers Builders," sending emails from "" to change the banking information.  (The real company uses the domain 

Construction Market Data

The scammers had subscribed to a service operated by Construction Market Data (CMD), which provided contact information related to "hundreds of thousands" of commercial and civil construction projects. 

CMD allows a contractor to request a list of new projects being built in their area and provides contact details for decision makers who may want to hire various specialty sub-contractors and who have recently been awarded large contracts.  Although it is not specified in the court documents, it is likely that the scammers sent phishing emails to construction companies listed as being involved in multi-million dollar projects, then created look-alike domains for those targets. Once inside a victim's mailbox, they could monitor its email messages for opportunities to insert themselves into a mail stream from one of their "look-alike domains."  This may be accomplished by planting malware, but is often accomplished by adding "email forwarding rules" to the victim's account which send financially relevant emails back to the criminal.
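As an added example (not code from this post, nor from any of the companies or agencies named in it), here is a defender-side check for the look-alike-domain pattern just described: it compares a sender's domain against an allow-list of known vendor domains using homoglyph normalisation, edit distance and TLD swaps, then pairs that verdict with a banking-keyword filter so that only "update your bank details" mails from non-allow-listed domains are flagged. Every domain and message in it is a constructed placeholder.

```python
import re

# Constructed allow-list of vendor domains the accounts-payable team really deals with
# (placeholders, not the domains from the case).
KNOWN_VENDOR_DOMAINS = {
    "lucasbuilders-example.com",
    "rodgersbuild-example.com",
    "kjellstromlee-example.com",
}

# Digits and symbols that pass for letters in many fonts; a heuristic aimed at the
# digit-for-letter swaps seen in look-alike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "3": "e"})

# Words that signal a change to where money is sent (matched on word boundaries,
# so "attached" does not trigger "ach").
_BANKING_RE = re.compile(r"\b(ach|wire|bank|routing|remittance|account number)\b")


def normalize(label: str) -> str:
    """Collapse look-alike characters and punctuation so 'lucas-bui1ders' compares
    equal to 'lucasbuilders'. The 'rn'->'m' and 'vv'->'w' folds are deliberate heuristics."""
    label = label.lower().translate(_HOMOGLYPHS)
    label = label.replace("rn", "m").replace("vv", "w")
    return re.sub(r"[-_.]", "", label)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); fine for domain-label sized inputs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str):
    """Split 'mail.example.com' into ('example', 'com').
    Naive on purpose: assumes a single-label public suffix (no .co.uk handling)."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def classify_sender(address: str, known=KNOWN_VENDOR_DOMAINS, max_distance: int = 2) -> dict:
    """Verdict for one sender address: 'known', 'lookalike' or 'unknown'.

    'lookalike' means the domain is not on the allow-list, but its registrable label
    equals a vendor's after normalisation, sits within max_distance edits of one,
    or differs only in the TLD: the patterns behind the bogus 'update your banking
    information' mails described above.
    """
    domain = address.rsplit("@", 1)[-1].lower()
    for vendor in known:
        if domain == vendor or domain.endswith("." + vendor):
            return {"verdict": "known", "matches": vendor, "reason": None}
    label, tld = registrable(domain)
    norm = normalize(label)
    for vendor in known:
        v_label, v_tld = registrable(vendor)
        v_norm = normalize(v_label)
        if norm == v_norm and tld != v_tld:
            return {"verdict": "lookalike", "matches": vendor, "reason": "tld-swap"}
        if norm == v_norm:
            return {"verdict": "lookalike", "matches": vendor, "reason": "homoglyph-or-punctuation"}
        if levenshtein(norm, v_norm) <= max_distance:
            return {"verdict": "lookalike", "matches": vendor, "reason": "edit-distance"}
    return {"verdict": "unknown", "matches": None, "reason": None}


def flag_payment_change_requests(messages, known=KNOWN_VENDOR_DOMAINS):
    """Flag messages that come from a non-allow-listed domain AND talk about banking
    details: the pairing that preceded every mis-directed payment in the cases above."""
    flagged = []
    for msg in messages:
        verdict = classify_sender(msg["from"], known)
        text = (msg["subject"] + " " + msg["body"]).lower()
        if verdict["verdict"] != "known" and _BANKING_RE.search(text):
            flagged.append({"from": msg["from"], **verdict})
    return flagged


# Constructed sample messages (not from the case file).
SAMPLE_MESSAGES = [
    {"from": "ap@lucasbui1ders-example.com", "subject": "Updated ACH form",
     "body": "Please find the completed ACH form and a voided check attached. Kindly confirm once updated."},
    {"from": "ap@lucasbuilders-example.com", "subject": "Invoice 1042",
     "body": "This month's invoice for the site work is attached."},
    {"from": "rachel.moore@kjellstromlee-example.net", "subject": "Missed payment",
     "body": "Our records show a missed payment; please use the new bank details below."},
    {"from": "news@unrelated-example.org", "subject": "Weekly news",
     "body": "Nothing financial in here."},
]

if __name__ == "__main__":
    for hit in flag_payment_change_requests(SAMPLE_MESSAGES):
        print(hit["from"], "->", hit["verdict"], hit["reason"], "looks like", hit["matches"])
```

A hit is a reason to verify the change by phone with a number already on file for the vendor, never one taken from the email itself.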

CMD provided data to the FBI, indicating that the relevant records had been requested by one John Edwards who listed both a US and UK address: 

  • 1270 Hasen Hurst Drive, Apt 12, West Hollywood, CA 90046
  • 14 College Gardens, London, GB e47ALG

and who used the email  The associated telephone number +44 797.335.9482 belonged to ADEAGBO.  JohnEdwards79 was actually an alias to the email account 

Adeagbo was found to possess three passports, a Nigerian and British passport in his true name, listing the birthday 06APR1979, and a second UK passport in the name "John Edwards" b. Nigeria on 06APR1979. 

Prior to his involvement in BEC, the BBC reported that ADEAGBO was part of a car-theft ring that used stolen identities to allow them to drive off in Jaguars, Mercedes, BMW's and Porsches. Calling themselves "the iPod Crew" Adeagbo's car theft ring stole 70 luxury automobiles worth $1.8 million over a ten month period in 2001.  Adeagbo told the BBC in 2004 that he served a 2.5 year prison sentence during which he "found God" and that he was "trading crime for Christianity." 

JohnEdwards and DanielRoberts were both found to have used the same IP addresses to access a variety of online accounts which all provided IP history to the FBI, including Apple, Yahoo,, and Namecheap. also had bank statements in true name for his Santander bank accounts. 

The Coinbase account for JohnEdwards79 was actually confirmed to belong to a different person!  Donald Echeazu, who used the email and phone 7837887959.  Although Coinbase had two photos on file for JohnEdwards which were consistent with Adeagbo, the third photo matched the UK Passport of ECHEAZU. 

Homeland Security Investigations (HSI) and Customs and Border Patrol (CBP) learned more when they searched the phone of another co-conspirator as he entered the country.  In that phone, he chatted with ADEAGBO's known UK telephone number, labeled "John Dayo" in his contacts, about bank accounts which he was providing. ADEAGBO instructed him to open a JPMorgan Chase account in order to receive funds.  They discussed a bank transfer where they had expected to receive 12 Million (currency unspecified) but were only able to take 8 million.   

Photos that were shared in the account, showing ADEAGBO in a Porsche, were found to match a car that he was driving when he was ticketed in London (a black Porsche). 

Another chat in the phone showed a Bank of America account (#32508061285) in the name "Oludayo Kolawole John Adeagdo" using the address 1270 Havenhurst dr Apt 12, West Hollywood, CA 90046. 

The Bank of America account had been used to pay $4,510 in several payments in order to receive business information for individuals in North American construction companies from the aforementioned CMD. 

Olabanji Egbinola

The final party in the group of extradited scammers, Olabanji Oladotun Egbinola, was tripped up in exactly the same way.  Having likely received construction data from the same source (CMD), Olabanji used the email address "" to imitate the real Richmond, Virginia-based company Kjellstrom and Lee.  Using the name "Rachel Moore" Olabanji interacted with the University's Treasury department acting as if a payment was missed and then providing new bank details to fix the problem.  As a result they wired the next construction payment of $469,819.49 to the new bank account at the Bank of Hope. 

The bogus domain was registered at NameCheap by "bridgetclark," who also registered more than 50 other domains with NameCheap, each "deceptively similar to the Internet domain names associated with legitimate construction companies." Because "bridgetclark" was using a TOR-based cryptocurrency wallet to obscure his true location, the FBI pursued a Rule 41(b)(6)(A) search warrant.  Rule 41(b) allows a search warrant to be issued from any US jurisdiction if the location of the target has been obscured using technology, and allows technology to be used to seize data from such a targeted computer.   In the FBI's case, this is referred to as a NIT, or Network Investigative Technique. After receiving the court's authority, the FBI sent a NIT-laden email message to, which was used to determine the account was being operated from a computer at the IP address, a British Telecom IP in the UK. BT was then able to provide UK law enforcement with the subscriber identification of that IP address, and it was found that subscriber Samiat Egbinola in Essex shared the residence with OLABANJI OLADOTUN EGBINOLA. 

Egbinola had been previously arrested in 2008 for money laundering in the UK and had previously traveled to Los Angeles, California, when he used the email address for his point of contact going through customs. A review of the email account, which had been active since 2008, showed that he was in regular communications with the scammers listed above on their addresses. 

Monday, August 01, 2022

Please stop calling all Crypto Scams "Pig Butchering!"

Lately there has been a media-driven craze in the fraud community to call every crypto-investment scam "Pig Butchering."  I hope you will join me in canceling that term after you read this article.

The term "Pig Butchering" comes from the Chinese term 杀猪盘 (Shā zhū pán or "butchering plate.") While the term has been used in Chinese media since at least 2018, it really became famous after the courageous actions of a human trafficking victim who was caught up in the game.

Hao Zhendong (郝振东) was recently divorced and had lost custody of his daughter as he was facing personal financial challenges and could not care for her.  During his time of desperation, he received a message from his uncle.  The uncle told him that he should come to Myanmar and join him at his work.  He claimed that Zhendong would be able to easily earn 60,000 to 70,000 yuan per month. 

Image from "Talking to Strangers" interview 

Late in 2020, Zhendong traveled to the Yunnan province of China, where he paid smugglers to help him cross into Myanmar.  After traveling with them for several days, he was forced to march through the jungle and up a steep hill for six hours.  When he arrived, he found he was in a work camp.  In his words, he realized he had "fallen into a wolf pit." The work camp was an industrial park where various call center employees worked scams. 

The northern region of Myanmar has four special zones, including "Wa State." So many Chinese people have moved to Wa State that Chinese is actually one of the official languages.  The corrupt local government, having no natural resources, opened their arms wide and welcomed criminal enterprises, which they call "foreign investors" to set up call centers. Under local law in Wa State, Myanmar, telecommunications fraud is not a crime. So many scammers have moved to the region that the government has even "rented" entire schools to be used as scam call centers.  The Myanmar government estimates that there are 140,000 Chinese living in the region, and that most of them are engaged in telecommunications fraud.  Similar to other forms of human trafficking, the men are only allowed to leave if they pay back the "investment" that their controllers have made in them.  The fee to leave ranges from 50,000 to 120,000 depending on how long you have worked. If you can't pay the fee after three months, you have six months added to your stay, with armed guards preventing you from leaving the work camp.  Many do go back to China, and enough go back with money for houses, cars, and a wife, that others are tempted into following in their footsteps.

Zhendong says that he often considered attempting to flee, but northern Myanmar is an "extrajudicial land" and Chinese people are regularly kidnapped and killed there with no consequence to their attackers.  One man who attempted to flee was forcibly returned to the camp, with the fingers on one hand amputated. 

In the work camp where Zhendong was enslaved, there were three buildings.  Two were dormitories, and the call center was housed in the "Science and Technology Building." Each team was assigned to a different topic.  Some worked lottery scams, others foreign currency exchange scams, naked chat / extortion scams, pornography scams, etc.  But Zhendong was assigned to a "pig-killing gang." 

He was provided a manual which described his role.  His job was to target victims on the Internet and use emotions to convince them to invest their entire net worth in illegal online gambling.  His job as a "recruiter" for these scams was referred to in the manual as a "dog pusher" (“狗推” Gǒu tuī.)

He was provided three mobile phones and three "love story" script books.  His job was to find wealthy single or divorced women on social networks, and add at least two to his chat each day and build a romantic relationship with them online.  Once they were suitably "hooked" into his romance, he was supposed to turn them over to his team leader, who had 30-40 "dog pushers" under him to "kill." If the victim provided more than a million dollars, there was a celebration and the dog pusher was rewarded extravagantly. 

While he was learning the role, "the company" became very excited about a successful scam that one of the other dog pushers had accomplished.  He had convinced a young woman in Shanghai to invest her entire life savings - 2.92 million yuan - and when she realized she had been scammed, she committed suicide by jumping off a roof.  Another woman was convinced to sell her car and her house in order to invest more.  While the company thought these were great examples to emulate, Zhendong's spirit died.  He realized that he had to try to do something about this. 

On one point, his uncle had been telling the truth.  The company used cash bonuses as incentives, and each month they would spread millions of yuan on the table and pay out bonuses.  Some made the equivalent of hundreds of thousands of dollars in bonuses.  But Zhendong couldn't do it. 

He began sneaking up on the roof, using a stolen phone, and messaging his victims - explaining to them that he was enslaved and being forced to scam them.  Because he was failing to earn, his controllers were becoming very angry with him and his life was actually in danger. 

A potential victim, Yang Yu, changed things for him.  When he called Yang Yu to warn her, she asked him, "How can I help you get home?" To protect Zhendong, Yang Yu passed him money that he could give to his controllers as proof that he was working. Zhendong then stole a list of victims from the company and urged Yang Yu to take it to the police. 

In February 2021, she took a list of 18 victims to the Anti-Fraud Center of Nanchang Public Security Bureau. 

Tao Jiangjiang, the leader of an Electronic Fraud task force who helped Zhendong get home

Tao Jiangjiang began to communicate with Zhendong and a rescue mission was arranged through the Yunnan police, working with an informant in Myanmar.  Despite being advised not to take any risks by Tao Jiangjiang, Zhendong felt that he could not leave empty-handed.  He worked to observe the password his Pig Killer boss used to log in to the company server and late one night logged in and wrote down as many names as he could.  When he arrived back in China, he had a list of 105 additional victims with him who were contacted and assisted by the Chinese police. 

There was a dramatic event at the China-Myanmar Nansha Port when Zhendong recognized a man from the company chasing after him.  When armed Chinese police took custody of Zhendong, the company man backed off. After this, Zhendong did many media interviews, some alongside the Electronic Fraud police, which helped to popularize the term "Pig Butchering." 

While there are definitely "Dog Pushers" and "Pig Killers" who are targeting the Chinese expatriate community, unless your scammer is speaking Chinese from a call center in Myanmar, you may be a fraud victim, but you are not a victim of "Pig Butchering." 

The main sources for this story were the Chinese versions of Zhendong's misadventure, especially these two: 

荐见 | 反水、救赎、卧底:逃出缅北“杀猪盘”

(Rebellion, redemption, and undercover work: escape from the "pig killing" center in northern Myanmar - an article by “荐见美学” ) 



("After accidentally entering the pig killing gang, he stole a list of 105 victims" in the Tencent column "Talking to Strangers" - if you speak Chinese there is a great interview here!) 

Wednesday, July 20, 2022

Nigerian Money Transfer Company Linked to Romance Scam Money Laundering

On July 7, 2022, the US Attorney for the Northern District of Texas announced that Ping Express had been found guilty. Prior to this, their CEO Anslem Oshionebo*, their COO Opeyemi Odeyale (now imprisoned at the Danbury Federal Correctional Institute, 60177-177), their IT Manager Aleoghena Okhumale (now imprisoned at the Fort Worth FMC), and Olufemi Sadiq (now imprisoned at the Pollock FCI) were arrested on March 10, 2020.

What was Ping Express? Ping was a small business, never having more than ten employees, which operated from 8585 N. Stemmons Freeway, Dallas, Texas. Their CEO was Anslem Oshionebo and their COO was Opeyemi Odeyale. Ping had a smart phone app and a website and advertised that its users could easily send money to Nigeria for a small fee. It operated by having money on deposit in Nigeria. When a US-based client requested a transfer, a hold was placed on the customer's bank account (similar to a hold placed when one rents a car or stays in a hotel.) Then Ping would transfer funds from its Africa-based wallet to the recipient's Africa-based bank account. When the transfer was completed, Ping would then request payment from the sender's bank account.

While this post is about the US-based aspects of Ping Express and their crimes, the company's Instagram page continues to advertise that individuals in many places can use their services, including the UK, Canada, and Europe.

During the three-year period examined in this case, Ping transferred more than 300,000 payments totaling $167 Million USD. During this time it did not file a single Suspicious Activity Report, although it did make some batches of reports under 31 U.S.C. § 5318(g) in 2015, 2016, and 2019.

To maintain a business license in Texas, they were required to file a detailed business plan, including their statements regarding how they would comply with BSA/AML laws (the Bank Secrecy Act and Anti-Money Laundering Act, including CFT, Countering the Financing of Terrorism). Among the rules that Ping established and conveyed to the state of Texas, they agreed to the following:

  • All first-time customer transactions are limited to $499.
  • Total monthly transactions cannot exceed $4500.
  • Further transactions are limited to $1800 each, with a $3000 daily maximum.

They also claimed that they had "automated velocity checks" and the ability to "track and block IP addresses" to help prevent violations.

The court records include a "Factual Resume" "in support of Ping Express US LLC's plea of guilty to the offense in Counts 1 and 2 of the Superseding Information."

Count One - "failure to maintain an effective anti-money laundering program" was proven by demonstrating the defendant acted willfully in failing to develop, implement, and maintain an effective anti-money laundering program.

Count Two - "operating an Unlicensed Money Transmitting Business"

In the Factual Resume, the Count One requirements which Ping failed to meet are stated as follows.

An "effective anti-money laundering program," as required by law, requires that Ping Express establish the following minimum elements set forth by regulations of the Secretary of the Treasury. The guilty plea confirms that Ping failed to establish one or more of them:

a. Effective written policies, procedures and internal controls for one or more of the following:
i. Verifying customer identification
ii. Filing reports, such as suspicious activity reports
iii. Creating and retaining records

b. Designating a person to assure day-to-day compliance with the anti-money laundering program, including assuring that:
i. Ping properly filed reports, created and retained records, in accordance with applicable requirements, such as suspicious activity reports
ii. the [AML] program was updated as necessary to reflect new requirements

c. Provide education and/or training of appropriate personnel concerning their responsibilities.

Examples of AML Failures

Many specific examples of the Count One failures are then listed in the Factual Resumes for Ping itself, and also for its CEO and COO, who have both pled guilty as well:
  • Fatai Okunola, a first-time customer, sent $1800 in January 2018
  • Raman Saliu, a first-time customer, sent $1800 in October 2017
  • Jeffersonking Anyanwu, a first-time customer, sent $1400 in March 2018

Between April 1, 2016 and June 30, 2018, 1500 different customers violated the maximum monthly transfer rules.

Okunola sent more than $6700 his first month, and broke the $4500 rule every month from January 2018 to November 2018. He sent $80,000 just in August 2018!

Anyanwu paid $17,000 through Ping, and broke the maximum monthly rule six times between March and November 2018, paying more than $10,000 in a month four times.

Another customer broke the rule six times from October 2016 through June 2018.

Okhumale, who worked for Ping as their IT and Technical Support Manager, broke the monthly rule three times, paying $25,000 just in October 2018.

The daily rule was also largely ignored. Okunola violated the $3000 daily limit 45 times, and sent more than $5000 in a day 20 times! Okhumale, the Ping employee, sent $4600, $5200, and $3600 on three consecutive days in October 2018! Collins Orogun sent more than $3000 per day 60 times between November 2018 and December 2019, totaling more than $300,000!

Although Ping claimed that they used the IP address of the customer to ensure that they lived in a state where Ping was licensed to do business, and required customers to submit a utility bill from a state where Ping was licensed as proof of residency there, they frequently ignored this rule. Ping was only licensed to do business in Georgia, Maryland, Texas, Washington State, and Washington D.C.

  • Joseph Kadiri, a Ping customer, sent $216,000 claiming to be in Texas or Maryland, when in fact he resided in New York and Michigan where Ping is not licensed. He violated the daily limit 20 times and the monthly limit twice.
  • Isaac Omohake, a Florida resident, sent $469,000 through Ping, which is not licensed in Florida. He violated the daily limit repeatedly, and in November 2018 sent $78,000 in one month.
  • Taiwo Akinsanmiju, an Indiana resident, started sending funds at age 17 (a violation) and sent $220,000 to 85 different named individuals!
  • Ayodeji Jegede, an Ohio resident, sent $468,000 through Ping, violating the first transaction rule, the monthly rule (twelve times from June 2018 to June 2019) and in May 2019 sent $69,000 in a single month!

Investigators found that Ping's top 100 customers sent $19,400,000 from March 2016 through September 2019, and that two-thirds of these customers were from "unlicensed" jurisdictions. Ping was fully aware that these customers lived in unlicensed states. When the Ping offices were searched on March 9, 2020, 130 customer shipping labels were found for statements being sent to unlicensed states. Just those customers' transactions were $4,000,000!
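To make concrete what the "automated velocity checks" Ping promised the state of Texas would have looked like had they been enforced, here is an added illustration in Python. It is my code, not Ping's: the four dollar limits and the five licensed jurisdictions are the ones quoted above from the court record, while the data model, the rule ordering, the SAR-review threshold and the sample customers are constructed assumptions for the example.

```python
"""Transaction screening of the kind Ping Express told the Texas Department of
Banking it performed: per-transaction, daily and monthly velocity limits plus a
licensed-state check. Added illustration, not Ping's code. The dollar limits and
the five licensed jurisdictions are the ones quoted from the court record; the
data model and the sample customers are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Limits Ping filed with the state of Texas, in US dollars.
FIRST_TX_LIMIT = 499.00     # a customer's first-ever transaction
PER_TX_LIMIT = 1800.00      # every later transaction
DAILY_LIMIT = 3000.00       # accepted total per customer per calendar day
MONTHLY_LIMIT = 4500.00     # accepted total per customer per calendar month
# Jurisdictions in which Ping held a money transmitter license.
LICENSED_STATES = {"GA", "MD", "TX", "WA", "DC"}


@dataclass(frozen=True)
class Tx:
    customer: str
    state: str          # state from the verified residential address
    when: date
    amount: float


@dataclass(frozen=True)
class Decision:
    tx: Tx
    accepted: bool
    reason: str         # "ok" or the rule that blocked the transaction


def screen(txs):
    """Apply the rules in chronological order and return one Decision per
    transaction. Only accepted transactions count toward the running daily
    and monthly totals, so a blocked attempt cannot push later ones over."""
    decisions = []
    seen = set()                    # customers with an accepted transaction
    daily = defaultdict(float)      # (customer, date) -> accepted total
    monthly = defaultdict(float)    # (customer, year, month) -> accepted total
    for tx in sorted(txs, key=lambda t: (t.when, t.customer)):
        dkey = (tx.customer, tx.when)
        mkey = (tx.customer, tx.when.year, tx.when.month)
        if tx.state not in LICENSED_STATES:
            reason = "unlicensed_state"
        elif tx.customer not in seen and tx.amount > FIRST_TX_LIMIT:
            reason = "first_transaction"
        elif tx.customer in seen and tx.amount > PER_TX_LIMIT:
            reason = "per_transaction"
        elif daily[dkey] + tx.amount > DAILY_LIMIT:
            reason = "daily"
        elif monthly[mkey] + tx.amount > MONTHLY_LIMIT:
            reason = "monthly"
        else:
            reason = "ok"
        accepted = reason == "ok"
        if accepted:
            seen.add(tx.customer)
            daily[dkey] += tx.amount
            monthly[mkey] += tx.amount
        decisions.append(Decision(tx, accepted, reason))
    return decisions


def sar_candidates(decisions, min_blocked=2):
    """Customers blocked at least min_blocked times. Repeated attempts to exceed
    filed limits are the pattern a compliance officer reviews for a Suspicious
    Activity Report; the threshold is an assumption, not a regulatory number."""
    blocked = defaultdict(int)
    for d in decisions:
        if not d.accepted:
            blocked[d.tx.customer] += 1
    return sorted(c for c, n in blocked.items() if n >= min_blocked)


# Constructed sample data, not the transactions from the court record.
SAMPLE = [
    Tx("A", "TX", date(2018, 1, 5), 1800.00),   # first-time customer, over $499
    Tx("A", "TX", date(2018, 1, 5), 400.00),    # first accepted transfer
    Tx("A", "TX", date(2018, 1, 6), 1800.00),   # exactly at the per-transaction cap
    Tx("A", "TX", date(2018, 1, 6), 1500.00),   # would take the day to $3300
    Tx("A", "TX", date(2018, 1, 20), 1700.00),  # month so far: $3900
    Tx("A", "TX", date(2018, 1, 25), 1000.00),  # would take the month to $4900
    Tx("A", "TX", date(2018, 2, 1), 2000.00),   # over the $1800 cap
    Tx("B", "MD", date(2018, 3, 1), 300.00),    # unremarkable first transfer
    Tx("C", "FL", date(2018, 3, 2), 250.00),    # Ping held no Florida license
]

if __name__ == "__main__":
    for d in screen(SAMPLE):
        flag = "ACCEPT" if d.accepted else "BLOCK "
        print(f"{flag} {d.tx.customer} {d.tx.when} ${d.tx.amount:>8,.2f} {d.reason}")
    print("SAR review:", sar_candidates(screen(SAMPLE)))
```

The point of the design is that a velocity check is a gate, not a report: a transfer that would breach a filed limit is declined before it settles, and the declined attempt is itself evidence that should feed the SAR review that Ping never performed. Running the sample, customer A is blocked four times under four different rules and surfaces for review, while the Florida customer never gets past the licensing check.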

The laws in this area are Title 18 of the United States Code, Section 1956 (laundering of monetary instruments) and Section 1960 (prohibition of unlicensed money transmitting businesses). The first states that you may not process funds that you know, or should know, are derived from certain "specified unlawful activities" (the statute enumerates some 200 of them), and courts treat being "willfully blind" to the source of funds as knowledge. Detailed guidance, often called "Know Your Customer" or KYC, is provided for how to recognize and report suspicious activities.

As examples of transactions from unlicensed states, Ping processed for residents of:
  • Nevada: $476,000
  • New Jersey: $234,000
  • Utah: $1,500,000
  • West Virginia: $507,000
  • Connecticut: $626,000

When a customer entered their street address at registration, Ping willfully chose not to record the City, State, or ZIP code if the customer was not in a licensed location, storing only the street address.

Ping's Execs and Investors

Ping's Chief Operating Officer, Opeyemi Odeyale, was well aware of US banking law. Prior to Ping, Odeyale earned an MBA from Edinburgh School of Business and held jobs at PricewaterhouseCoopers, JPMorgan Chase, Oceanic Capital, BNP Paribas, and Barclays Bank.

During the time he was running Ping Express in the United States, he also served as a director of the British firm "PayZen Limited" from 25JUN2013 through 03DEC2020 (recall he was arrested in March 2020.) His fellow officers at PayZen included Adekanmi Olaolu Adedire and Anslem Oshionebo (Financial Consultant), his CEO at Ping. Notably, PayZen was originally incorporated as Fiem Ltd but changed its name on 10FEB2020. Texas records also indicate that Ping Express originally operated as Fiem Group, LLC, and bank accounts in the name of Fiem Group are on the Forfeitures list below! On 01FEB2017 Opeyemi Odeyale filed papers with Companies House indicating that his nationality had changed to "British." When the British company was first incorporated (as Clicks FX Limited), he had given his date of birth as 14FEB1979 and his nationality as Nigerian.

Ping's Chief Executive Officer, Anslem Oshionebo, began his career with an MBA from Seton Hall University's Stillman School of Business. His LinkedIn page says he worked at PricewaterhouseCoopers for 14 years, working his way from Senior Associate to Manager, and then Senior Manager, at least partially in Los Angeles. He then worked at Riveron Consulting as a Principal in the Dallas/Fort Worth area before co-founding Ping Express in 2014. His Crunchbase profile says that his areas of practice at PwC included "Compliance regulations and financial forensics!" Anslem's personal domain has articles he has written on philanthropy and diversity, while his page has articles about what books Entrepreneurs should read and a five part series called "Challenges of an Immigrant" (which were mostly written AFTER he was arrested!)

In April of 2017, Synergy Capital Managers, a Mauritius-based private equity firm, made an investment in Northstar Finance Services Limited, "a financial services platform providing solutions across the financial service value chain in select countries across West Africa." Northstar was said to be managed by Obafami Alonge and Bolanle Oduyale. In Synergy's announcement, Northstar's CEO said that with this investment the company now had a "majority stake" in Safetrust Nigeria, Northstar Home Finance, Avance Insurance, Ping Express Inc., and Fast Credit Limited. PwC, where Oshionebo worked for so long, was said to be the advisor to Synergy Capital "on Financials and Tax due diligence."

This matters because a licensee with "foreign investors" is required to disclose them.  When the Texas Department of Banking granted the license, Ping claimed to be based entirely in Texas.

Top Customer: Collins Orogun, Romance Scammer and Money Launderer

Collins Orogun, a Texas resident, paid Ping more than $800,000 which included $220,000 in wire transfers during a six-month period in 2019. Ping only reported $292,500 of these transmissions. (Collins was released from prison on 12MAR2020 for prior charges but has another sentencing hearing in October 2022 for the current charges.) In his guilty plea, Orogun admitted that he received funds from people "all across the United States" in forms including cash, money orders and checks. He then deposited those funds into his accounts, including at JPMorgan Chase, both in his true name and as "Collins Enterprise", at Navy Federal Credit Union, at Wells Fargo Bank, both in his true name and as Orogun Enterprises, and at BBVA.

His JPMC accounts received $120,000 in funds, which he sent out through Ping in 13 transactions. In another example, he received $26,500 "in currency and money orders" between November 29, 2019 and December 31, 2019. He sent these funds out via Ping in six $5,000 transactions. In his Navy FCU account, he received $530,500 in "currency and money orders" and sent a wire transfer of $218,500 out. He also sent $192,600 via Ping in 68 transactions. His first Wells account received $87,171 in deposits, sending $65,610.56 of those out via Ping. His second Wells account received $157,578 in deposits, of which he sent $82,367 out via Ping. His BBVA account received $144,808 in deposits, of which $140,000 was sent out via Ping.

Some of his Romance Scam victims included:

$40,000 into BBVA that came from "D.M." a senior citizen in California who sent the money to facilitate the sale of an estate in Nigeria. He believed that he was helping to repair an estate which would be then sold for $570,000,000, and that he would receive a large repayment when the estate was sold.

"P.L" from Indiana believed her $6,309 was sent to "Thomas Ken" an Irish sea captain with whom she had a romantic online relationship. The funds were supposed to be used to repair his ship. She took out a title loan against her vehicle and wired the money to Orogun Enterprises. The captain immediately asked for more funds afterwards.

"D.N.", a 59 year old in Indiana, sent $2300 to the BBVA account, believing that "Carson Steve Jacks", an oil roughneck working in the Gulf of Mexico, needed the funds because he had contracted malaria and couldn't work. He later asked for an additional $15,000. The couple "fell in love" via Google Hangouts.

These three had all agreed to testify at trial, prior to Collins changing his plea to Guilty on June 28, 2022.

Additional Factors Violating Texas Department of Banking License

The Texas Department of Banking found many more reasons for considering revoking Ping's business license, including:
  • Ping stated that they had no "authorized delegates or agents" yet Nimerex claims to be Ping's agent and has Ping letterhead documentation appointing them as Ping's agent.
  • Ping claimed to have no foreign affiliates, but had received $160,000 from a Mauritius-based account in the name "Ping Express (Mauritius) Ltd." "for the benefit of Fiem Group LLC" and a $280,000 wire from a British account in the name Ping Express CM.
  • Ping claimed to be sending "small remittances" back to Nigeria, but had sent $1,600,000 in large round number wire transfers to business bank accounts in Nigeria (at First City Monument Bank and Wema) for "marketing" and "consulting" payments.
  • Ping received $49,000 in wire transfers from the company "Date2Marry LLC" and an individual connected with that LLC.

These details came out during a search of Olufemi Sadiq's phone as he returned to California from England. The phone also documented a five year "currency exchange partnership" between Ping and "Wilfobs Bureau De Exchange Limited" in Nigeria involving multiple foreign bank accounts for Ping. Ping had disclosed in previous reporting to the Texas Department of Banking that they had no bank accounts outside U.S. borders and thus were not required to file a Foreign Bank Account Report.

Chats on Odeyale's phone made it clear he was trying to avoid AML and Suspicious Activity detection as he received foreign funds. An example:

Forfeitures ordered by the Court

Forfeiture Notice:
  1. Approximately $10,601.52 in funds seized from the JPMorgan Chase Bank account with number ending in 2885 in the name of Collins Ogaga Orogun.
  2. Approximately $3,679.78 in funds seized from the JPMorgan Chase Bank account with number ending in 8900 in the name of Collins Ogaga Orogun dba Collins Enterprise.
  3. Approximately $42,873.96 in funds seized from the JPMorgan Chase Bank account with number ending in 1223 in the name of Ping Express LLC.
  4. Approximately $1,385.13 in funds seized from the JPMorgan Chase Bank account with number ending in 2686 in the name of Ping Express LLC.
  5. Approximately $13,269.69 in funds seized from the JPMorgan Chase Bank account with number ending in 5397 in the name of Crusaders Health and Wellness LLC.
  6. Approximately $3,010.72 in funds seized from the Navy Federal account with number ending in 2248 in the name of Collins O Orogun.
  7. Approximately $8,307.53 in funds seized from the Wells Fargo Bank account with number ending in 4593 in the name of Anslem Oshionebo.
  8. Approximately $369.82 in funds seized from the Wells Fargo Bank account with number ending in 4437 in the name of Blackbit LLC.
  9. Approximately $8,364.86 in funds seized from the Kasasa Tunes 0031 account at Neighborhood Credit Union for member number XXXX5691.
  10. Approximately $55,235.41 in funds seized from the Soho Business Checking account at Resource One Credit Union for member XXX1450 in the name of Fiem Group LLC.
  11. Approximately $37.40 in funds seized from the Bank of America account with number ending in 3918 in the name of Deyks LLC.
  12. Approximately $9.91 in funds seized from the Bank of America account with number ending in 3921 in the name of Deyks LLC.
  13. Approximately $14.15 in funds seized from the Bank of America account with number ending in 3947 in the name of Deyks LLC.
  14. Approximately $11.52 in funds seized from the Bank of America account with number ending in 3692 in the name of Deyks LLC.
  15. Approximately $29,198.23 in funds seized from the Capital One account with number ending in 2957 in the name of Aleoghena Okhumale.
  16. All funds seized from the account with number ending in 1891 at Silvergate Bank in the name of Wyre Payments Inc. deposited after February 19, 2020 from “5/3 BANKCARD SYS DEPOSIT; 5/3 BANKCARD; or WORLDPAY”. 
* - (Although Anslem was to surrender to be imprisoned on July 12, 2022, the Federal Bureau of Prisons Inmate Locator indicates he is not currently in custody.)

Friday, June 03, 2022

That Job Your Co-Worker Emailed You About? Yeah ... No.

My niece, Anna, is a school teacher in the Birmingham Public School system.

Another teacher in the system got phished and the phisher sent an email to a bunch of other teachers, offering them a summer job as an administrative assistant, earning $500 weekly for working only 8 hours.  Tempting?  

The email had a link to a Google Form with the job application.

The form goes on to ask her Full Name, Email: [Not School Email!], Alternative Email, and Phone Number, as well as Current Occupation, Age, Sex, and Available Time.

Why does it say "Not School Email!" -- because this exact scam is being conducted by phishing people in schools all across the country! 

Her new boss, Dr. Reinn, hit her up on text, from the phone number (904) 297-8521, got her resume, reviewed it, and offered her the job on the spot!

She got hired and was EMAILED a set of duties and responsibilities.

Her duties were basically:

  • DONATE to three foster homes a month
  • book TRAVEL ARRANGEMENTS for her boss and his associates 
  • manage RETURNS and errands such as shopping, POST OFFICE 
  • send birthday cards and GIFTS to clients, family, and friends

Her first assignment would be to make a donation to a local orphanage.  

So he emails her an IMAGE of a check that she was supposed to mobile deposit to herself and then send $4800 of the $4950 via ZELLE to a second scammer email:

I'm not sure why she would think this check is not TOTALLY LEGITIMATE, right?  And why wouldn't donations to an orphanage be sent to someone's Zelle account named "Look At The Pudding?"

Clearly Anna's name and the amount have been laid on top of the check on another piece of paper and then photographed.  Who writes a check like that?  Oh!  Someone who has STOLEN a check and needs to re-use it but is too lazy or stupid to wash it properly.

She wisely did NOT deposit the check, which revealed that she knows this is a scam.  

Unfortunately, during the job application process she was required to provide references.  Now the scammer is calling and messaging her references asking for her whereabouts and claiming that she stole $4,950 from his company and that he is trying to find her to have her arrested.  He also called her current employer at least three times.

Friday, March 25, 2022

Russia's Invasion of Ukraine and CISA/FBI's New Era of Transparency

BLUF: Bottom Line Up Front

I want to start this post with the most important thing right up top:

The page starts with this statement.  PLEASE take it seriously, and escalate to your top management:

"Russia’s invasion of Ukraine could impact organizations both within and beyond the region, to include malicious cyber activity against the U.S. homeland, including as a response to the unprecedented economic costs imposed on Russia by the U.S. and our allies and partners. Evolving intelligence indicates that the Russian Government is exploring options for potential cyberattacks. Every organization—large and small—must be prepared to respond to disruptive cyber incidents. As the nation’s cyber defense agency, CISA stands ready to help organizations prepare for, respond to, and mitigate the impact of cyberattacks. When cyber incidents are reported quickly, we can use this information to render assistance and as warning to prevent other organizations and entities from falling victim to a similar attack."

Organizations should report anomalous cyber activity and/or cyber incidents 24/7 to or (888) 282-0870.

Second "Bottom Line Up Front" BLUF point:  CISA has released TTPs of Russian threat actors known to attack US Critical Infrastructure.  If you work there, skip this blog and go read their report first!
"Alert (AA22-083A):  Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector."

CISA/FBI and the New Era of Transparency

Anyone who has seen one of my presentations recently knows that I am a huge cheerleader for CISA, the Cybersecurity & Infrastructure Security Agency at DHS, which replaced the National Protection and Programs Directorate (NPPD) that previously led private sector engagement and interaction for DHS.

Previously, I've asked people to make sure someone in their organizations was watching four critical information sharing pages at CISA.  

I had already said publicly many times that they are doing a PHENOMENAL job of sharing information - unprecedented in my 22 years of working with the government on Critical Infrastructure Protection, from Ron Dick and the NIPC (National Infrastructure Protection Center), serving on the national boards of InfraGard and the Energy ISAC, and interacting with FS-ISAC (Financial Services), H-ISAC (Healthcare), and REN-ISAC (Research and Education).  But now CISA (and the FBI) has taken Information Sharing to a whole new level.

The White House on Russian Cyber Threats

It started with the White House.  On March 21st, President Biden stated that there was "evolving intelligence that the Russian Government is exploring options for potential cyberattacks." Based on this new intelligence, the administration gave the order that things that were not previously shared needed to be shared at an even higher level of detail and specificity, including things that were previously deemed too sensitive to share in an unclassified environment. 

That same day, Press Secretary Jen Psaki brought in Anne Neuberger, the Deputy National Security Advisor for Cyber and Emerging Technologies.  She stated that in the past week, CISA and the FBI had held meetings with 100+ Critical Infrastructure companies to determine the best course forward in helping to protect critical infrastructure, including encouraging them to participate in the CISA Shields Up program.  The administration's accompanying guidance urged every company to:

  • Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system;
  • Deploy modern security tools on your computers and devices to continuously look for and mitigate threats;
  • Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors;
  • Back up your data and ensure you have offline backups beyond the reach of malicious actors;
  • Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;
  • Encrypt your data so it cannot be used if it is stolen;
  • Educate your employees to common tactics that attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly; and
  • Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents. Please encourage your IT and Security leadership to visit the websites of CISA and the FBI where they will find technical information and other useful resources.
After this set of announcements, CISA's director, Jen Easterly, convened a meeting that was attended by more than 13,000 Critical Infrastructure stakeholders from all across the United States, including every sector and every size. A recording of the CISA CALL WITH CRITICAL INFRASTRUCTURE PARTNERS ON POTENTIAL RUSSIAN CYBER ATTACKS AGAINST THE UNITED STATES has been shared on their YouTube page!

During the call, which included FBI Deputy Assistant Director for Cyber, Tonya Ugoretz, and CISA Deputy Executive Assistant Director for Cyber, Matt Hartman,  Director Easterly committed to push to have even more sensitive data released to the public if it would possibly help protect American Critical Infrastructure.  And today, we see a great example of that!

Documentation of Two Historical Hacking Campaigns Against Critical Infrastructure

The FBI and the Department of Justice released the legal side, in the form of an extremely detailed press release about Russian hacking campaigns targeting Critical Infrastructure at hundreds of companies in 135 countries.

The Press Release was accompanied by two indictments: 

The first, "USA v. Evgeny Viktorovich Gladkikh," (17-page indictment) details the origins, creation, and distribution of the "TRITON" malware.  This attack framework was described in great depth in December 2017 by Mandiant in their report "Attackers Deploy New ICS Attack Framework 'Triton' and Cause Operational Disruption to Critical Infrastructure." While Mandiant described the malware as "an attack framework built to interact with Triconex Safety Instrumented System controllers," they could only say they believed it was "activity consistent with a nation state preparing for an attack." 

Through the new transparency we are seeing, the full details of the indictment are now unsealed and we learn the attacks were conceived and executed from the Russian Ministry of Defense, Federal Service for Technical and Expert Control, in a lab known as the Applied Development Center, which was in turn part of TsNIIKhM, the State Research Center of the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics.  

The second indictment, "USA v. Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov," (36 page indictment) is targeted at members of the Federal Security Service (FSB)'s "Military Unit 71330," also known as "Center 16." Members of this unit are better known by their flamboyant APT designations:  Dragonfly, Berserk Bear, Energetic Bear, and Crouching Yeti.  In particular, this indictment addresses their attacks in 2017 which attempted to target and compromise critical infrastructure and energy companies worldwide, including in the USA generally, and in Kansas in particular (where the indictment was filed.) 

Again, the new transparency shows us that these attacks, also known as Dragonfly, Havex, and Dragonfly 2.0, were supply chain attacks, where various ICS/SCADA system manufacturers had their software manipulated to include malicious backdoors which would be downloaded by unsuspecting customers. Through this campaign, at least 17,000 unique devices in the US and elsewhere were compromised, including ICS/SCADA controllers used by power and energy companies. In 2.0, malware was delivered via Spear-phishing attacks and Watering hole attacks targeting employees of such companies. At least 3,300 systems were compromised using this methodology as well. 

Some of the organizations attacked in this way included the Nuclear Regulatory Commission, Wolf Creek Nuclear Operating Corporation in Burlington, Kansas, Westar Energy in Topeka, Kansas, and the Kansas Electric Power Cooperative. 

Again, Havex was known to the security community.  Trend Micro wrote about it in their report "HAVEX Targets Industrial Control Systems" back in July 2014, and in more detail in their white paper "Who's Really Attacking Your ICS Equipment?"  Dragonfly 2.0 was similarly discussed, for example by Symantec, in their report "Dragonfly: Western energy sector targeted by sophisticated attack group" in October 2017.  WIRED magazine also wrote about the group Berserk Bear in October 2020 in their article "The Russian Hackers Playing Chekhov's Gun with US Infrastructure." 

But now, in a coordinated Information Sharing To Protect Our Nation blitz, CISA, working with the FBI and the Department of Energy, has released "Alert (AA22-083A):  Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector."