Tuesday, June 25, 2024

$50 Million in BEC Losses

The Eastern District of New York has announced charges against four men for their roles in a Business Email Compromise (BEC) and romance scams. 


The US Attorney's Office press release states: 

Defendants Allegedly Participated in Fraudulent Schemes That Resulted in More Than $50 Million in Losses by Victims in New York City and Across the Country

Today, indictments were unsealed in federal court in Brooklyn charging four defendants for their participation in a series of fraudulent business email compromise (BEC) schemes and related romance schemes that resulted in more than $50 million in losses by individuals and small businesses located within the Eastern District of New York and throughout the United States. 

The first defendant, Animashaun Adebo, also known as Kazeem and Kazeem Animashaun, was arrested in Chicago and posted $1 million in bail on the surety of three co-signers, including Toyosi Abdul who appeared in person on 20JUN2024.  He is charged in an indictment along with Idowu Ademoroti, with five unnamed co-conspirators -- three from Nigeria (one living in the US), one from Cameroon (living in the US), and one from Germany (living in the US.)  ADEMOROTI is described as being 31 and living in Milwaukee, Wisconsin and Atlanta, Georgia. 

Adebo and Ademoroti are charged with operating an illegal money transmitting business and receiving and laundering funds from BEC and Romance Scams, including real estate transactions.  One example is from a July 2021 real estate deal where a home was being purchased in Brooklyn, New York.  A wire for $450,000 was misdirected after fraudulent emails told the buyer to wire the funds to the wrong location.  The funds were then used to write three cashier's checks payable to Q&A LLC, a corporation registered to ADEMOROTI. 

Wisconsin.gov: Q&A LLC Entity ID: Q005966, created 31JUL2020

A second example followed the same model, with $1,319,669 being wired to the wrong location for the purchase of construction equipment. Some of those funds were used to purchase three luxury wrist watches for $319,000 which were provided to ADEBO.  

In a third example, a worker in a veterinarian clinic was convinced to send pharmaceutical payments to the wrong bank account, and made payments of $459,453 (around 24MAY2021) and $1,117,036 (around 03JUN2021) to the wrong address.  Those funds went to a bank account belonging to a romance scam victim! The victim believed he was in love with a "Nicole Newton" who was using a variety of schemes to extract money from him. These funds were used to send wires, write checks, and purchase and transfer cryptocurrency.  Two of those checks, for $137,500 and $157,300, were sent to Q&A LLC, at a Chicago address and deposited into accounts controlled by ADEMOROTI. 

In a fourth example, a California title insurance company was convinced to wire $3,920,275 to a fake escrow attorney related to a legal settlement between two companies. Some of these funds were also sent, at ADEBO's direction, to Q&A LLC in Chicago.  Many of these funds were converted to Naira and deposited into bank accounts in Nigeria. 

Nigerian Co-Conspirators Unveiled

Noguan Marvellous Eboigbe, who used aliases Randall Olson, Martin Roberto, and Carlos Eduardo, lived in Nigeria and was the one who conducted the email scams mentioned above.  In once case he posed as the lawyer Randall Olson, with email randallolson648@gmail.com to give the false information for the payment of construction equipment.  In another, he used the email olsonrandalls@aol.com to send an additional $500,000, also for construction equipment.  Using the email mroberto@martirosoft.com and the name Martin Roberto, he caused $1.2 Million to be misdirected.  Using the email "c.eduardo@carsotecnologia.com" he caused a $3.9 Million payment to be misdirected.  In interactions with six victim law firms, EBOIGBE cause more than $10 Million to be sent to the wrong bank accounts, some of which flowed into the accounts of the other co-conspirators. 

Nelson Ojeriakhi used aliases Ojeey Mami and Oba Millie to conduct BEC scams, claiming to be a lawyer and using the email closingoffices@gmail.com, OJERIAKHI caused a New York based couple to wire $450,000 to the wrong account.  The indictment demonstrates that at some point OJERIAKHI or his co-conspirators were able to access the real estate broker's email account and add mail rules causing any emails from the legitimate parties in the transaction to be deleted. 

The indictment against OJERIAKHI shows several additional examples with victims being tricked into misdirecting funds including another $690,000, $114,000, and $120,000. 

Strange Co-Conspirator: the 79 Year Old Woman from Germany 

The German co-conspirator charged in this case was Franziska Von Greve-Dierfeld, who was 79 years old.  In April 2021, Franziska created a Chicago-area bank baccount for a company called Enbro LLC, claiming she was in the business of wholesale fabrics and furniture.  The accont received multiple deposits, none of which were related to the stated business purpose.   $360,000 from an attorney in Seattle, Washington, $340,000 more from the same attorney.  $996,240 from an organization in Philadelphia.  Franziska created additional businesses and opened accounts at aditional banks, also receiving, for example, two wires totaling $2,277,090.99 from a grocery store in Iowa; $910,000 from a jewelry store in Queens, New York, and $93,700 in a cashier's check.  She was arrested on 25MAY2022 in Pennsvylvania and released 23AUG2023 with the sentence of "time served" and a forfeiture order for $2.3 Million before being "Judicially Removed" from the United States and sent home to Germany. 

I anticipate that as this case moves forward, we'll find Franziska was a Romance Scam victim who got caught up in the conspiracy. 

Monday, June 24, 2024

Millions and Millions of Fraud Domains: China attacks Illegal Gambling and Telecom Fraud

Last week I was reviewing a publication by the United Nation Office on Drugs and Crime published in January 2024, titled "Casinos, Money Laundering, Underground Banking, and Transnational Organized Crime in East and Southeast Asia: A Hidden and Accelerating Threat."

(URL to the UNODC report: UNODC: Casinos, Money Laundering, Underground Banking ... full report)

(URL to the USIP report: https://www.usip.org/node/160386 )

The reason I was looking into the report is that this 106 page report is about how Chinese organized crime has planted themselves in Casino complexes across Cambodia, Indonesia, Lao PDR, the Philippine, Thailand, and Viet Nam. The same modus operandi that we associate with the crypto investment scams that use the horrible name "pig butchering" to describe the financial grooming that leads to the complete financial devastation of so many Americans. In fact, I discovered the UN report, only by seeing it quoted in he report by the United States Institute of Peace, "Transnational Crime in Southeast Asia: A Growing Threat to Global Peace and Security" where it was mentioned in a footnote.

Examining Chinese Ministry of Public Security reports

The UNODC report shares statistics from a Ministry of Public Security of China note, without providing a URL, that "between January to November 2023, authorities in the country successfully resolved 391,000 cases related to telecommunications and network fraud, totaling the arrest of 79,000 suspects, including 263 'backbone members or paymasters' of cyberfraud groups" (in the countries mentioned above.) This included:

  • interception of 2.75 BILLION fraud calls
  • interception of 2.28 BILLION fraud messages
  • the removal of 8.36 million fraud-related domain names
  • and 328.8 billion yuan (US $46 billion) in funds related to fraud cases.
Since I am working on a project that we call "Twenty Targets for Takedown" that is attempting to shut own illicit websites by terminating their domain registrations and hosting arrangements, the number "8.36 million fraud-related domains" made me shudder. I am fortunate to count among my network some of the leading experts in domain-name related fraud and abuse, the number seemed overwhelmingly high, and I asked my colleagues from CAUCE, the Coalition Against Unsolicited Commercial Email, for assistance in looking into it. One quick opinion was that this could include a definition of domain name that would be more akin to a hostname, similar to what we have on Blogspot. "garwarner.blogspot.com" is a hostname on the domain "blogspot.com" ... but some would call it a "fully qualified domain name" and consider it a separate FQDN than other xyz.blogspot.com or abc.blogspot.com "domains." John Levine helped me solve the "did they really mean millions, or is this possibly a bad translation" by helping me find the Ministry of Public Security site where the article was coming from and share several updated versions of these statistics.

18 Million Websites! 

The latest article we can find, dated 31MAY2024, quotes Li Guozhong ( 李国中 ) the Spokesman for China's Ministry of Pubic Security describing their successes over the past five years.  In 2021, they established a National Anti-Fraud Center which sent out 660 million notices and were able to help stop fraud against 18.44 million people. This most recent article, which is focused on fraud and doesn't mention gambling at all, says that they have "handled 18 million domain names and websites."  That's a machine translation of ( 处置涉案域名网址1800万个 ).  I can confirm the 18 million ... written as 1800 ten thousands - 1800万个.  Handled is perhaps better rendered "disposed of" 处置  (Chǔzhì).  Still unsure how to interpret 域名 ( Yùmíng - Domain name) 网址 (Wǎngzhǐ - website), but I think for now, I'm going to assume it means "URLs" or "FQDNs" as opposed to only registered domains 

The Anti-Fraud Center has intercepted 6.99 billion fraud calls and 6.84 billion text messages and intercepted 1.1 trillion yuan of funds. At current exchange rates, that would be around $151 Billion US Dollars!   

Just since July 2023, 49,000 cyber fraud suspects have been transferred to China from northern Myanmar. 82,000 criminal suspect have been arrested, including 426 key "financial backers" behind the fraud groups.  

Several maps help to demonstrate what's going on in Southeast Asia: 
(Source: Figure 1 from the afore-mentioned USIP report) 

Source: afore-mentioned UNODC report -- note the Myanmar/China border, which is where most of the Chinese rescues and raids have been conducted.

How Much Fraud? $64 Billion to $157 Billion per year!

The US Institute of Peace report estimates that there are as many as 500,000 scammers deployed in the region, earning potentially $64 Billion per year in fraud. The methodology they used for this calculation came from the UNODC report above. On p. 55 of that report, the UN said that they estimated each scammer was earning between $300 and 400 per day, and that they believed there were 80,000 to 100,000 scammers working six days per week in one unnamed Mekong country.  Using that estimate, they gave a "range" of $7.5 Billion to $12.5 billion in scam revenue for that country.  These numbers were calculated consistently with a Chinese MPS report about an initiative they called "Operation Chain Break" which estimated that scam compounds, including gambling and cyber scams, were generating $157 Billion per year. 

China's Ministry of Public Security is actively conducting military style raids to help recover these fraud suspects from northern Myanmar, where China shares a long border with the country, which remains deeply embroiled in a state of civil war. MPS is also working collectively with other Southeast Asian countries and says it has "destroyed 37 overseas fraud dens." 

China Launches Month of National Anti-Fraud Action

Today (24JUN2024) China launched a new month-long "National Anti-Fraud Action" with a nation-wide campaign that declares "Beware of new fraud methods and don't be a tool for telecom fraud."  The campaign uses what China calls a "Five-In" approach, meaning that Chinese citizens will see and spread anti-fraud messages in Communities, Rural Areas, Families, Schools, and Businesses.  Students will be provided materials to share with their families, Employees will be encouraged to share anti-fraud messages and materials with their families and communities, and Chinese Communist Party offices in rural areas and civic organizations will make sure the message is spread in those areas as well. The materials being prepared will be written separately to address the awareness needs of merchants, accounting personnel, minors, and the elderly, describing each fraud typology and helping to describe methods to safeguard from these typologies. A major objective will also be to help understand how to avoid becoming a "tool" or an "accomplice" of these fraud rings, who prey on the financially vulnerable to help them launder the proceeds of their crime.  The Ministry of Public Security will jointly publish the "Overseas Telecom Network Fraud Prevention Handbook with the Ministry of Foreign Affairs and the Ministry of Education to help improve prevention awareness especially for overseas students and diaspora Chinese communities. Major news media and new media platforms will continuously feature anti-fraud reports to strengthen and educate the public on fraud prevention and "continue to set off a new wave of anti-fraud among the whole people the whole society." 

Gee, doesn't that sound like REACT's Erin West and Operation Shamrock -- but with the full cooperation of the Government and Society? 

The announcement of the month of National Anti-Fraud Action concludes with some more recent statistics about the work of the National Anti-Fraud Center.  Just since 2023, today's report says that they have: 
  • pushed out 420 million warning and dissuasion instructions
  • met with 14.77 million people face-to-face to give warnings 
  • made 310 million phone calls to warn vitims 
  • sent 230 million dissuasion text messages
  • intercepted 3.7 billion fraud calls 
  • intercepted 2.96 billion fraud-related text messages
  • blocked 11.619 million fraud-related domain names -- BLOCKED - this may mean "prevented access via Chinese Internet -- which may mean the sites are still available to victimize foreigners
  • intercepted 452.9 billion yuan of funds ($62 Billion USD) 
What does this mean to those of us in the United States?  If China is doing an all-hands "Five-In" awareness campaign and deploying police for face-to-face dissuasion, the fraudsters may very realistically need to INCREASE their targeting of overseas victims to make up for the projected revenue hit this new effort may create. 

To quote Director Easterly at CISA: SHIELDS UP! 

Tuesday, March 26, 2024

BEC Scammers Adventures on the Run

 Last week the case of Valentine FOMBE was finally brought to a close. FOMBE was sentenced to 144 months in Federal prison and ordered to pay $325,856 in restitution to victims of Business Email Compromise scams that he conducted from 2016 to 2018.  The various court documents present nearly as many puzzles as the sentence answers. Chief among them, what happened to the co-conspirators? and why have they not also been sentenced? 

The indictment against FOMBE, OWOLABI, and ADEOYE demonstrates that they conducted Business Email Compromise #BEC scams against businesses in California, Tennessee, Michigan, Hawaii, Illinois, and California, as well as Check fraud against the Home Equity Line of Credit #HLOC accounts of some residents of Florida, Hawaii, and California.

The scams ran from 2016 until 2019 using many shell accounts established by FOMBE and his crew. FOMBE is from Cameroon and came to the US in 2013. In May 2016 he began conspiring with Bernadette ATTIA and Gbenga OWOLABI to conduct BEC scams. Homeland Security Investigations stated that the attempted losses were $2,036,064 from at least 22 victims and actual losses were $547,310.23 to 11 victim individuals and businesses, with many other identity theft victims.

The indicment and assorted court documents are full of communications between the parties such as this one, where an unnamed co-conspirator and FOMBE discuss opening a new PayPal account and a "Sunny" (which is a SunTrust bank account.) 

OWOLABI shares an invoice for $49,671.90 via Whatsapp and receives directions for how to wire the funds to an account in the name JBS Holding at Woodforest bank. Another JBS Holding account was at SunTrust and received $86,116.51 from another BEC victim. 

ADEOYE is listed in the indictment as having opened a mailbox at a store in Lutherville, Maryland in the name of one of the Ohio BEC victim companies, and on the same day, opening a Bank of America business checking account in the company's name.  ADEOYE sent those details to OWOLABI via WhatsApp and one week later a $96,000 check from one of the victims was deposited into the account. He did the same for Ohio Company 2, and that BofA account soon received a $57,000 wire from another victim and later $50,500 from yet another victim. 

The shell companies created by FOMBE and his crew included:

  • ABC Auto & Credit Solutions - $80,450.89 intended loss - $15,801.18 actual
    (bank accounts at Capital One and SunTrust)
  • Stars S. Peoples Republik LLC - $262,580 intended loss - $$9,257.34 actual 
    (bank accounts at SunTrust) 
  • Swift Transfer LLC - $248,400.62 intended loss - $98,555.16 actual 
    (bank accounts at BB&T and SunTrust) 
  • Best Alter Solutions - $8,034.86 actual loss 
    (bank accounts at PNC Bank and TD Bank) 
  • Bianka Ventures - $128,765 actual loss 
    (bank accounts at SunTrust)
  • Xena Ventures - $290,662.27 intended loss ( $0 actual as funds recovered) 
    (bank accounts at SunTrust) 
  • Mbi Fuo B. Attia - $66,019 intended loss - $50,000 actual loss 
    (bank accounts at SunTrust)
  • JBS Holding LLC - $417,752.36 intended loss - $81,151.47 actual 
    (Bank accounts at Woodforest National Bank and SunTrust) 
  • Vincent's Mass Gutters - $386,100 intended loss - $90,745.22 actual 
    (bank accounts t Bank of America) 
  • PSP Holdings - $130,750 intended loss - $65,000 actual 
    (bank accounts at SunTrust)

(BEC intended losses - many wires were reversed/recovered - actual losses $490,559.19)

(Check fraud intended losses - Actual losses was $56,751.04)

The total actual losses for the case were $547,310.23, of which FOMBE would be held responsible for $325,856 in his eventual sentencing. 

FOMBE: A Bad Place To Park

The case actually started when FOMBE was stopped by the U.S. Park Police while idling along the BWI highway in a car with Texas Buyer temporary plates that were altered. FOMBE had 18 credit and debit cards in a variety of names, as well as driver's licenses with his photo and two other names (Mark Johnson and William Adewale). This led to Attia's apartment being searched, who was also found to have documents and cards in other names, including a fake passport with her photo and another's name. 

There was prior history, however. In the government's sentencing memo they describe it as 
"The Defendant's fraudulent conduct did not stop with this wire fraud and money laundering conspiracy. Every ounce of the Defendant's existence was fraudulent.

While FOMBE was living in the Arbors at Arundel Preserve, his landlord accused him of fraud and terminated his lease.  He had claimed to have a $6,000 monthly income from ABC Auto & Credit Solutions, which was false, and paid his rent with credit cards that were not in his name. He abandoned the property leaving behind two fake ids and ten bank cards all in the names of others, as well as bank statements for numerous accounts related to his fraud. 

After purchasing a Porsche for $40,000 with ill-gotten funds, he traveled to North Carolina and rented a car where he staged an accident to try to total the Porsche and claim insurance. He was charged with insurance fraud in North Carolina.

While living at Avalon Russett apartment in Laurel, Maryland, FOMBE was again going to be evicted and again abandoned the property, this time leaving behind 50 blank credit cards, two mag-stripe readers and a credit card writing machine. The land lord also found multiple credit cards in the names of people not on the lease. 

 On 25SEP2019, when the police came to execute a warrant at FOMBE's house, his wife, Ossele Massaba, texted him "the police here" and he fled the country. When Fombe's wife was returning to the US in May 2022, her phone was searched and was found to have a photo of Fombe on a Honduran passport in the name "Rosnell Eduardo Martinez Garcia." This was used to find that "Rosnell Garcia" was living in the UK, where he was arrested 06AUG2022.

During that time abroad, FOMBE lived in Mexico, Honduras, and the UK, and conducted an additional $1.7 Million in fraud against the US Government through an Unemployment Insurance scam. He sent instructions and identities to Massaba, who filed 88 claims in Maryland using the email Email6543@yahoo.com and received $535,172 in UI benefits. They filed an additional 108 claims using Mail9850@yahoo.com. Altogether, Maryland paid them $1,708,256.  (These fraud filings are not part of the current case.)

Zack Abolaji Adeoye

Zack Adeoye was already known to Maryland police before this case came up. 

In March 2019, the local newspaper "Trib Live" shared the headline "Maryland man arrested in Hempfield in $112k computer sting." According to that article, Adeoye, "a native of Nigeria who now lives in Upper Marlboro, MD" went to a FedEx facility to pick up a shipment of 28 MacBook Pro laptops valued at $112,454.  He was arrested and held in the Westmoreland County Prison after failing to post $100,000 bail. Undercover state troopers had been tipped off that Adeoye had set up a bogus line of credit claiming to be the CFO of an Illionois firm that had ordered the laptops. He had already successfully gotten away with 30 laptops, but undercover agents were in place when he went to pick up the second shipment. Adeoye entered the facility by showing a fake FedEx employee badge. State Trooper spokesperson Steven Papuga told the Trib that Adeoye had a previous record for Identity Theft in the state. 

ADEOYE first appeared in court related to the current case on 11OCT2019 and was released on 15OCT2019 with electronic monitoring and an order not to use the Internet and that all Internet-capable devices must be removed from the home. He was arraigned on 12NOV2019 and entered a NOT GUILTY plea. His conditions of release were modified to allow him to leave the home for religious services.

On 02OCT2020 "superseding information" was filed by the court detailing more actions of his crimes and he changed his plea to Guilty.  He was scheduled to be sentenced on 21MAY2021. And 19JAN2022. And 19APR2022. And 02DEC2022. As of this writing, he has not been sentenced. 

Just after his guilty plea, a photo of ADEOYE was posted greeting him on his 50th birthday using his full name, Abdulrasak (from which, Zack) Adeoye "Zacophonic" and praising him for his "fatherly role on your brothers."  

Even after his guilty plea, Zack continued in business, creating a new corporation, "Zacophonic Home Inc" on 12JUL2022 using his Upper Marlboro, MD address. 


The third party in this case, Gbenga Owolabi, barely appears in the court record after the indictment.  There is no record of him appearing in court or having been arraigned.  On 18NOV2019, the court mentions that some $13,055 in U.S. currency was seized from his apartment at 1624 Bluestone Street, Apartment E, in Hanover, Maryland following a search conducted on 25SEP2019. 

As is often the case, it is difficult to tell what occurred when Owolabi fled to Nigeria. 

According to local media OWOLABI had moved to Canada where he studied Information Systems at Humber College in Toronto.  He later moved to Maryland where he worked as a Financial Analyst for Alpharma Inc before moving to Cyhosting Corporation, which he founded in May 2000. He also ran Tanatek Inc, a website design company, and according to the Nigerian press, served as its CEO until his death.
A profile of Olugbenga Owolabi ran in Neusroom in his hometown.

In 2016, OWOLABI started building a hotel called Tana Suites in Abaa, Oyo State, Nigeria, which was completed and opened in December 2021.  He returned to Nigeria on 20JUL2022 and when he arrived at his hotel on 28JUL2022, he and a 21-year old female employee were kidnapped. There were two other abductions close in time to this date.  On 16JUL2022, a farm supervisor, Christopher Bakare was kidnapped and released after paying a ₦5 million ransom, then 22JUL2022, the owner of Titilayo Hospital was abducted and released on 26JUL2022 after also paying a ransom. 

OWOLABI's brother led the negotiations and eventually raised ₦5m ransom, although the kidnappers were demanding ₦50m ransom, believing OWOLABI to be a wealthy American. 
As a sign of how the Nigerian economy has crashed recently, 50 Million Naira in August of 2022 would have been $120,000 USD.  Today it would be $36,000.

The Alabaa of Abaa (a local tribal authority) found a volunteer to deliver the ransom on motorcycle. When he arrived, the gunmen killed the driver as well as Gbenga Owolabi and his hotel emplooyee Racheal Opadele.  The autopsy showed that Owolabi had been extensively tortured before being killed. 

The U.S. government received permission to attend the autopsy at LAUTECH Teaching Hospital and identify the body, and escorted the body back to Maryland for burial, where it was first also re-identified at the Delaware State Military Hospital.

Olugbenga David OWOLABI was kidnapped on 28JUL2022 and killed 02AUG2022. While the Nigerian police originally charged his brother, Femi Owolabi, with the kidnapping and murder, who confessed to the deed.  Later, the family helped him to recant of his confession, and the crime has instead been assigned to "Fulani herdsman" - a favorite boogie man of Nigerian culture. 

Monday, February 19, 2024

Maryland Busts $9.5 Million #BEC Money Laundering Ring


Three indictments have been unsealed in Maryland that document an extensive network of shell companies that were used to wash at least $9.5 Million in funds from at least fifteen #BEC (Business Email Compromise) cases across the country.  

In the first indictment, those charged (with an example address from their respective shell companies): 

  • Adanegbe Gift Osemwenkhae - 8304 DEBORAH ST, CLINTON, MD 20735 (this property is listed as owned by Kat Osemwenkhae, who uses the email  kateivie@yahoo. Adanegbe is also listed as  controlling "Ivie LLC"  from the same address.) 
  • Faizou Gnora - 12825 LOCBURY CIR, #B, GERMANTOWN, MD 20874
  • Emily Gil Arias - 4107 DAHILL RD, SILVER SPRING, MD 20906
  • Fatoumata Boiro - 16202 PENTERRA WAY, BOWIE, MD 20716
  • Lawrence Ogunsanwo - 308 WILLOW HILL PLACE, HYATTSVILLE, MD 20785
  • Lakeisha Parker - 2044 NORTH BENTALOU ST, BALTIMORE, MD 21216
  • Martin Ogisi - 8405 CHEVY CHASE LAKE TERR, 701 CHEVY CHASE, MD 20815
  • Blondel Ndjouandjouaka-* - 3323 TEAGARDEN CIRCLE, APT. 202, SILVER SPRING, MD 20904
  • Kevin Colon - 8714 HAYSHED LANE, APT 302, COLUMBIA, MD 21045
  • Lorena Perez Herrera - 9466 GEORGIA AVE #1277, SILVER SPRING, MD 20910

* - Blondel is my favorite of this gang, claiming both Computer Science and Criminal Justice degrees and claiming to work in Cybersecurity including as a Phishing Analyst. 

  • Yahya Sowe - 1012 Good Hope Dr, Silver Spring, MD 20905
  • Victor Killen - 28 Capricorn Ct, Derwood, MD 20855
  • Areal El-Lovieta Harris - 29219 Middleham Ct, Hanover, MD 21076 
  • Gedeon Agbeyome - 25 years old, also mentioned in the case, was arrested in 2020 possessing a credit card skimmer and many cards. Like several others in the case, he studied Computer Science at Montgomery College, Maryland. He was also arrested in Alabama in April 2023) 

We didn't see the alias "Papa Kwam" in use, but his Facebook account is in the name "Don Kwame." 

All three cases make reference to one another, with the exception that Gedeon's 2-page indictment for Aggravated Identity Theft is stand-alone.  While he is not named as a defendant in case #2, he is referred to throughout that case.

Victim Organizations  (many/most are Business Email Compromise)

a) an environmental Trust 
b) an urban redevelopment program 
c) a Medical Center 
d) a transportation company 
e) an apartment complex company 
f) a K-12 school district in Montana
g) a private liberal arts college 
h) the Delaware River & Bay Authority 
i) a Colorado real estate agency 
j) Larimer County, Colorado 
k) an RV dealership 
l) a health care center with 17 locations 
m) a real estate / property management firm 
n) a real estate company in Texas 
o) Vigo County, Indiana 

The indictment makes clear that the defendants' Shell Companies DID NOT:
- have physical operations
- have business premises 
- engage in legitimate business activities 
- earn gross revenues
- incur cost of goods sold 
- incur administrative expenses associated with business operations 
- report wages for employees to the State of Maryland 
- have significant numbers of employees 

A little hint for those who screen business accounts.  If one runs an Automobile Dealership from a residential neighborhood and has never purchased a car and has no employees, it is unlikely to be a thriving business that you would want to bank! 

The Shell companies listed in the indictments include: 
Gifted LLC; Blue Skye Realty; Faiz Automobiles LLC; First Realty Management LLC; FB Morgan LLC; Smart Logistics LLC; Parker Transports LLC; Blaxstone Enterprises LLC; Satisfied Health Care LLC; KC All Pro HVAC Service LLC; Colon Enterprise LLC; Lorena Perez Herrerra LLC; YS Estate and Properties; Victor's Trucking and Pull LLC; Vieta Collection; The Justin Company LLC; [ID-theft victim] Company LLC

That list of companies is not the full extent of the shell corporations operated by the accused.  As an example, Faizou Gnora had many businesses: 

- First Realty Management LLC, 12825 Locbury Cir, #B, Germantown, MD 20874 
- Faiz Express Trucking LLC, 369 W. Side Dr, 102, Gaithersburg, MD 20878 
- Gnora Capital LLC, 6800 Wisconsin Ave #1086, Chevy Chase, MD 20815 
- Premier Strength Training LLC, 12825 Locbury Cir, Apt B, Germantown, MD 20874 
- Faiz Automobiles  LLC,  12825 Locbury Cir, Suite B, Germantown, MD 20874
- Faiz Express Trucking LLC, 225 S Whiting St Apt 307, Alexandria, VA 22304-7132 

Her "Faiz Express Trucking" company is listed with the Department of Transportation, which gives the Alexandria address for the company, but notes Faizou's Gathersburg address for the point of contact. 

The companies listed in the indictment had the following accounts use for money laundering:  

Bank of America - 3 accounts
Capital One Bank - 6 accounts 
Citibank - 6 accounts 
JPMorgan Chase - 3 accounts 
PNC Bank - 7 accounts 
M&T Bank Corporation - 2 accounts 
Navy Federal Credit Union - 2 accounts 
SunTrust/Truist - 6 accounts 
Wells Fargo - 5 accounts 
Woodforest Bank - 6 accounts 

As a further example of how tightly connected these cases are, all of the bank accounts listed in the second indictment are also found in the first indictment.  Based on the charges in the two indictments, between 17NOV2020 and 21OCT2022, the crew moved at least $7.2 Million between their shell companies as described below. 

The big unanswered question to me is - THEN WHERE DID THE MONEY GO?  Based on the seizures, very few of the funds were still in the possession of the laundering crew.  So who recruited them?  And where did the funds go when they left their control?  We MUST keep pulling the string and find out! 

I was curious why DCIS was one of the investigating agencies here.   The DOJ Press release says that: "As a result of a law enforcement operation on February 7, 2024, 10 defendants were arrested at locations throughout Maryland and three search warrants were executed related to an alleged money laundering conspiracy involving more than $9.5 million in proceeds from fraud schemes. Law enforcement agents from the Homeland Security Investigations Mid-Atlantic El-Dorado Task Force, the Environmental Protection Agency Office of Inspector General, IRS Criminal Investigation, and the Defense Criminal Investigative Service participated in yesterday’s searches and arrests. Additional defendants are currently fugitives."

The only person among the defendants that I see is military so far is Areal Harris: 

Saturday, February 10, 2024

Identification Documents: an Obsolete Fraud Countermeasure

When I'm talking to bankers and other fraud fighters, I often mention how easy it is for a criminal to obtain a Drivers License bearing any information they desire. I was reminded of this again as I saw the sentencing of Desmond Nkwenya from Brookhaven, Georgia this week. The DOJ press release from the Eastern District of Virginia released 09FEB2024 was entitled "Four Members of Bank Fraud Ring Sentenced." When I read the press release, my eyes went immediately to Desmond Nkwenya, because I was already familiar with that name from a larger case in the Northern District of Georgia that had been announced as "10 charged in business email compromise and money laundering schemes targeting Medicare, Medicaid, and others."

When VoyageATL magazine interviewed Desmond Nkwenya the story was about the young man from Cameroon who was making it in Atlanta under his recording label "Danyvails Entertainment." But since 2016, Nkwenya had actually been making it under another business: Creating counterfeit driver's licenses to enable a multitude of romance frauds and scams.

(photo from VoyageATL)

Anyone who is using the presentation of a Drivers License as a proof of identity theft needs to understand just how simple it is to purchase a D/L online with the photo, name, and address of the purchasers choosing.

In the new case, Brianna Mills, a 28-year old bank teller in Loganville, Georgia would pass bank information to her boyfriend Stanley Desirade, of Lanham, Maryland. Desirade would use the customer information to order drivers licenses from 37-year old Desmond Nkwenya. Desirade would then give the driver's licenses to Terrell Hale, of Rockville, Maryland, who had provided Desirade with photographs of his walk-in crew. At least 25 customers data was used to create at least 100 fake identification documents which were then used to steal $660,082 from the bank customers. They attempted also to steal an additional $1,008,134 but those additional transactions were denied. Desirade was sentenced to six years in prison on 29SEP2023. Mills got an 18 month sentence on 25AUG2023. Hale was sentenced to four years in prison on 21JUL2023.

On 09FEB2024, Nkwenya was sentenced to 30 months in prison, 3 years supervised release, and ordered to pay restitution in the amount of $325,080.

Nkwenya started advertising his ability to create counterfeit drivers licenses in or before 2016. Desirade actually found him through an ad he placed on Craigslist (using another alias.) Nkwenya was not only creating the counterfeit driver's licenses. He also was able to create Mastercard debit cards that appeared to have been issued by the abnk where Brianna Mills was employed.

That other case, which included defendants in South Carolina and Georgia, was related to stealing $4.7 million from Medicare, Medicaid, and private health insurers, and $6.4 million from private and individuals, in a variety of Business Email Compromise and Romance Scam scenarios. Desmond's primary role in this case was also to create identity documents to be used in a variety of frauds.

Desmond Anu Nkwenya of Brookehaven, Georgia was arrested in Texas on his first BEC/Fake ID case on 17NOV2022.In that earlier case, Nkwenya opened shell companies in Georgia in the names JBS Commercial LLC, Raissen Group LLC, and Danyvails Entertainment LLC. He then opened bank accounts at Bank of America, Wells Fargo Bank, PNC Bank using fake drivers licenses, including one in the name Jada Kingston and a Georgia Driver's License in the name Harold Ball. In one example BEC case, $2,328,842 was stolen from the victim by tricking them into send funds to the wrong accounts. $308,650 of those funds were deposited into one of Nkwenya's accounts at Wells Fargo, followed by an additional $57,000 on 01JUL2021 and another $25,000 on 12JUL2021. Desmond also caused his fake "Danyvails Entertainment" account to receive a PPP loan of $47,950 after claiming to have nine employees. He also received a $119,875 PPP loan for another company and their imaginary employees.

Biliamin Fagbewesa of South Carolina - used a stolen identity to open bank accounts in the name of his shell company, Matadam Medical Equipments, and receive $1.4 Million in proceeds from Medicaid. He had a Delaware driver's license with his likeness and a stolen identity's data which he used to open accounts at First Citizens, Truist, Wells Fargo, and TD Bank, and used those accounts to receive both Medicaid fraud funds, and Business Email Compromise funds.

Patrick Ndong-Bike of Atlanta, Georgia - used false Tennessee driver's licenses in the names and contact details of John Arino, Kendrick Odom, and Michael Pulliam, but bearing his image, to open shell companies and then bank accounts for those companies at Regions Bank, Bank of America, Wells Fargo Bank, JPMorgan Chase Bank, and Truist. He used these accounts to receive at least $2,400,000 from multiple Medicare fraud and Business Email Compromise fraud victims. These included a BEC scheme against a hospital in Ohio where a $754,136 Medicare payment was redirected to Ndong-Bike's accounts instead.

Cory Smith of Atlanta, Georgia - opened bank accounts using false identities and received and laundered at least $57,000 in funds from a BEC scheme against a private company.

Chisom Okonkwo of Atlanta, Georgia - received at least $830,000 in BEC fraud schemes, withdrawing at least $535,000 and laundering it through a variety of methods, as well as purchasing herself a luxury automobile with some of the funds. Okonkwo was sentenced on 24JAN2024 to 3 years in prison and ordered to pay $478,538 in restitution. She created alias identities in the names Patrician Young, Desirey Aguilar, Stacy Jack, Lisa Larkin, and Janice Peck, as well as stealing the identities of two real individuals from New Jersey and California and using false driver's licenses to access their accounts. In one case she provided the New Jersey victims name, date of birth, social security number, and a driver's license using her image but the victim's data, in order to purchase a $51,562 Mercedes Benz after acquiring credit in the name of her victim. She did the same with another identity theft victim, acquiring a lease at an the Roxboro in Georgia in the name of the California resident. She lived in the building using the stolen identity from 28NOV2020 through 23MAY2022 before abandoning the apartment owing $15,246 in back rent and fees. She created several shell companies, based in Lawrenceville, Georgia, including A[]Jewelry and Crystals, Young Interior Design, and Larkin Interior Innovation and opened bank account in the names of her aliases and companies at Truist, SunTrust, and Regions Bank. These accounts were used to receive the proceeds of multiple BEC victims, including an automative company in Texas whose payments were diverted to Okonkwo's accounts on three occasions for $268,868, $100,000, and $45,000. Okonkwo also applied for and received Economic Injury Disaster Loans from the Small Business Administration claiming that her company, Larkin Interior Innovation, had five employees and gross revenues of $150,000, none of which was true.

Olugbenga Abu of Atlanta, Georgia - used false identities including in the name "Kingsley Perete" to open bank accounts that received $95,000 in BEC fraud proceeds. Also received $341,000 in a real estate mortgage loan based on patently false information and forged documents, including false W-2 documents and false bank statements. Abu was sentenced to 24 months in prison and ordered to pay $105,500 in restitution.

Trion Thomas of Stone Mountain, Georgia - used false identities to open bank accounts which were used to received $93,000 in Medicare payments that were diverted in a BEC fraud scheme.

Malachi Mullings of Sandy Springs, Georgia - used false identities to create companies and open bank accounts which were used to receive and launder millions of dollars from BEC and Romance Scam programs, including BEC schemes against two state Medicaid programs. In one situation, a Romance Scam victim sent a $200,000 Cashier's Check to Mullings which was then used as part of the payment for a 2017 Ferrari 488 Spider which Mullings purchased in Atlanta. Another Romance Scam victim sent payments of $28,369, $12,000, $20,000, $15,000, $30,000, and $17,000 to Mullings.

Adewale Adesanya of Jonesboro, Georgia - used false identities, including a fake Nigerian passport in the name "Timi Graig" to open a shell company, Blue Springs, and then to open bank accounts at Bank of America, BBVA, JPMorgan Chase, Wells Fargo, Truist (then BB/T), Regions Bank, and Navy Federal Credit Union. These accounts were used to receive funds from BEC Scams, including scams against Medicaid and Medicare, as well as funds from Romance Scam victims. He was eventually sentenced to 48 months and ordered to pay $1,582,510 in restitution. He used some of these funds to purchase two Lexus LX 570s and a Mercedes GLE 350.

Sauveur Blanchard of Richmond, Virginia - used false identities to create multiple shell companies to receive funds stolen from Medicaid programs via BEC schemes. Mr. Blanchard was acquitted of all charged by Judge Robert Payne on 10AUG2023, and I can't wait to read the transcripts to understand why!

Sunday, January 21, 2024

Classic Baggie: Part Three - the Romance Scam Victims

 If you are just joining us, we are reviewing the court transcripts of a Business Email Compromise / Romance Scam Money Laundering case.  Part One reveals "Classic Baggie: A Delaware BEC Case calls him the leader of an International Criminal Organization" and Part Two was called "Classic Baggie: Part 2 - How to run a Money Laundering Operation."

Today, we'll share the stories of three of the romance scam victims in this case. I would normally address them by their surnames as Mr. X or Mrs. Y out of respect, but to help protect their anonymity, I'm using only their first names.

Sally From Ohio

Sally was a 74-year old Ohio woman. Her husband of 42 years passed away in February of 2016. Three years later, Sally joined several online dating websites, including Match.com. In August 2019, she received a message from "Harry Oppenheimer" who was a 79-year old man living in Chicago, a dual citizen of the US and Switzerland, and a semi-retired aeronautical engineer. They talked daily by phone, text, or email and Sally believed she would spend the rest of her days with him.

In September 2019, Mr. Oppenheimer began to ask Sally for financial favors. He claimed he was selected as an independent contractor to rebuild a fleet of airplanes for KLM Royal Dutch Airlines, who had wired him $3.5 Million Euros into his Swiss bank account at Neue Privat Bank. His attorney, Phillip Richardson, said that he had to fly to Switzerland to unfreeze the funds. He provided Sally with a bank statement showing his account held 5,239,800.38 Euros.

In order to unfreeze the account, his attorney needed him to bring a "refundable deposit" of $240,000.

The Email from the attorney read:

"I really abhor putting your hopes up, but I can guarantee we can resolve this muddle amicably by resulting into making the payment of the refundable $240,000 security deposit. This will help in securing the money laundering certificate, as well as qualify Harry Oppenheimer to be cleared by anti-terrorist and money laundering departments. It will also hasting up the process of the funds release. Please be advised that this is a mere suggestion as I still need to contact authorities involved in this, those Harry worked with/for, to get all necessary documentation in place. I also need to get in touch with the IMF money laundering department to be fully guaranteed that."

A second request came on 04DEC2019 after Sally had sent the $240,000, stating that an additional $511,000 was also needed,and included a promisary note that Sally "will be refunded and paid" once Harry was able to gain full access to his funds "in the amount of $5,239,800 in NPB."

On 13MAR2020, a new document came from the "International Monetary Fund."

"Per your last request, having thoroughly examined the situation on ground, the board has decided that we will not be held responsible in any way for the misconduct of your former attorney, Phillip Richardson. You solely appointed him your representative with all parties involved granting him full power of attorney. In conclusion, the contractor's funds that were initially set to be released on the 16th of January 2020, shall now be rescheduled for April 2nd, 2020, provided that Harry Oppenheimer completes the final payment of $200,000 before the deadline."

Sally wired $511,000 on or about 06DEC2019 to "Debbie" who Mr. Oppenheimer represented was the wife of an attorney named Charles Schneider. (This wire was recalled by the bank.)

Sally also wired $261,000 on 13DEC2019 from a Navy Federal Credit Union account in the name of Top Slope Ventures, LLC. (We saw in Part 2 that Top Slope Ventures is the name of Michael Hermann's watch-selling business.)

She also wired $150,000 on 26MAR2020 to a Citibank account in the name of KLAM Properties.

She was also instructed by "Attorney Phillip Richardson" to wire funds to a bank account associated with the Mullings Group LLC at Delta Community Credit Union.

Richard From Delaware

Richard is a 66-year old man who lives in Delaware, married, but separated from his spouse for four years. He worked selling medical devices in 2019 and 2020, the period of interest for this case.

Richard met Samantha Smith online in October 2019, on the dating website Silver Singles. Samantha was a Gemologist who had a degree in the same from the University of New Zealand. She was currently living in Istanbul, Turkey, where she was working on a project related to mining precious stones, but her permanent residence was Norfolk, Virginia.

They began talking regularly through text message and email. She sent photos of herself to Richard via email, and he received a video of her describing her project in Istanbul. Samantha had an attorney named Sousa Darius, who began calling him on the phone several times a week. To validate his identiy, Sousa Darius sent Richard a copy of his Turkish passport.

Samantha had claimed that her project was a success and that tshe had been able to mine a quantity of Tanzanite stones. In order to sell them, however, she had to receive a certificate of completion from the Turkish government, and later had to pay taxes on the stones, prior to selling them.

Richard had to go to an M&T Bank branch near his home to arrange for wire transfers, which he refused to do until he had a notarized contract from Sousa, proving he would get the money back.

In the contract, Richard commits to transfer 22,000 Euros to a bank account designated by Samantha Smith, and that in return, he would receive 8% of the gross funds, or 144,000 Euros from the "Project Bank Account."

Richard produced bank statements that showed he had wired $25,000 (the equivalent at that time to 22,000 Euros) to "Delores R. Shawhan" based on the instructions he received from Attorney Sousa. Richard also transfered $26,624.37 from his pension account at Chase Bank to himself to cover that wire.

A second contract was for Richard to send Samantha $40,000, for which he would receive 1.5% of the gem sales, or 270,000 Euros (from the supposed sale of 1.8 Million Euros for the Tanzanite.) This $40,000 was also sent to Delores R. Shawhan. (Richard transferred himself another $41,514.37 from his Chase Bank retirement account to cover that wire.)

A third request came, promising him he would receive 455,000 Euros from the "total contract sum" if he would send $100,000. He did the wires, again to Delores R. Shawhan, and again moved funds from his Chase Pension account (this time $127,738.) Part of these funds, $30,000, were sent via wire to Baines Properties.

At one point, Attorney Sousa informed Richard that Samantha was imprisoned, and needed additional funds, again. When Richard pushed back, Sousa drew up a Power of Attorney and promised Richard that he would be given the ability to draw funds to repay himself directly from a Trust Fund that Samantha Smith's father had set up for her at Europa Off Shore Bank.

To cover these additional payments, Attorney Sousa modified their contract so that it now promised 9 40,000 Euros from the "total contract sum" if he would pay $166,000. [this analyst's understanding is that the $166,000 was cumulative, including previous payments sent.] Which he did. He sent an international wire transfer for $33,000 to "Charles Globe Teskitil Tecaret Sirketi Limited" which was who Attorney Sousa told him to send the funds to.

Later he received documents from Europa Off Shore Bank via email proving that the funds were really available and providing him a PIN that he could use to confirm this himself. When he logged in to the Europa Off Shore Bank, he could see that more than $9 million were in the balance of the account but there wasn't a way that he could find to transfer any of the funds to himself.

When he contacted Europa Off Shore Bank's Customer Support via email, he was told that he could not withdraw the funds because there were fees that had to be paid first. Dormant Account Fees totaling $88,950, Reactivation Fees totaling $52,000, and a Tracking Code fee of $45.

To help cover these fees, he sent a cashier's check in the amount of $42,500 which the Europa Off Shore Bank had agreed would be enough to allow them to open the account. After receiving the check, Europa Off Shore Bank informed him that there were still issues which must be resolved in person, and that he needed to fly to Amsterdam to do so.

To wrap up Richard's testimony ... he made six payments, totaling $205,500, which he says he would not have made had he known the gem mining project did not exist and that there was no Europa Off Shore Bank.

(The next witness is a Financial Crimes Examiner, Thomas Michael Trusty, from JP Morgan Chase ... who testifies about deposits being made to Mr. Lawal's account that he was asked by Bank of America to review)

Frank from California

This story may sound rather familiar. Frank is a 75-year old man from California. He and his wife separated after 33 years in 2017. In 2020, Frank made a profile on Silver Singles and was approached by a woman who wanted to develop a relationship with him. Samantha Hope Smith was a gemologist from New Zealand. Her moniker on the site was "Pretty Gorgeous" and they met on the platform in March 2020, but she quickly asked to move their conversation off the dating website. She claimed that unseemly individuals were contacting her on Silver Singles and that she was canceling her subscription but wanted to stay in touch with him.

Samantha was from New Zealand. In one of her first emails she explains:

"I have a mixed upbringing, my papa is from Florida, and my mom is from New Zealand. I was born in Florida. In my teen years, we lived in New Zealand. We lived in the best side of town, a nice house in Wellington by the lake. I grew up with mountains, creeks, hills, and basically nature at its finest."

She would later send a copy of her Florida drivers license to Frank.

For 16 days, from March 8, 2020 until March 24, 2020, they had "long very emotional sort of conversations telling each other about ourselves, trying to find common ground, and many of the emails were very, very lengthy." He was romantically interested in her.

Frank says that Samantha was in Istanbul, Turkey where she was mining Zultanite. But it turns out, she needed a Zultanite gemstone certificate from the Turkish government, and they were expensive. It was going to cost $316,500 to process the certificate.

About the same time, Samantha decided to fly to Reno and sent her itinerary to Frank. He was supposed to meet her there at the airport.

Turns out Samantha the Zultanite miner had something else in common with Samantha the Tanzanite miner. She had an online bank account that she wanted Frank to access for her. "AffinityAllied[.]com" with the account number 1867364926. She had $2 million in the account and needed Frank to send her $300,000 from that account to help cover the Gem Certificate.

There were other asks for funds as well. The court read into evidence this email from Samantha to Frank:

"Good morning, Frank. I had a restless night. I wish you were around to make me feel much better. I appreciate your concerns and your suggestions yesterday towards me, and I can't wait to be back home and get to know more about you. Loan or no loan, I still want to meet and be with you. I understand you not being comfortable in loaning me over $16,000 when you haven't met personally, I may not feel the same way too, but I think I would help if I were to be in your shoes. I want you to know that this project means a lot to me, as I have invested so much of my money and time. I am almost done before this happened. I did plan for extra expenses, I have to utilize the money I was meant to use to pay for the fee in the past, due to extra expenses, that is why I asked you to help me transfer money from my account, again thanks for helping me out. I still have about 5,000 in my balance as you know."

He decided to send her the money. He received "very specific instructions" to send the money to Samantha's relative who had an account at Huntington National Bank in the name "Luxe Logistics Transportation LLC."

He wired the money from his Charles Schwab account. Before the transfer was made an employee of Charles Schwab called him and "her last words to me," Frank says, were "are you sure you know these people do you really want to send this in that there are a lot of fraudulent schemes out there." Frank says the second he got off the phone with the Schwab agent, he was on the Internet looking for Luxe Logistics and he found them in Los Angeles.

About this time, Frank received an email from Samantha informing him that she had her Zultanite professionally appraised and that it was valued at $17,650,000.

But Frank had already determined that Luxe Logistics was a fraud and he cut off communications. He made five phone calls to Charles Schwab that same night and was able to get the wire stopped.

(Stay tuned for Part Four! We still have two more days of testimony to review! )