
Monday, September 19, 2022

The new DOJ Law Enforcement Crypto Reports (TL;DR)

TL;DR? Good news!  I read them for you! 

On 15SEP2022, the Department of Justice released its report "The Role of Law Enforcement in Detecting, Investigating, and Prosecuting Criminal Activity Related to Digital Assets" (66 pages). The first of the nine reports ordered by President Biden's Executive Order 14067, "Ensuring Responsible Development of Digital Assets," was also released by the DOJ, back on 06JUN2022: "How To Strengthen International Law Enforcement Cooperation for Detecting, Investigating, and Prosecuting Criminal Activity Related to Digital Assets" (58 pages).


Since then, we have seen the Department of Treasury release three reports:

Treasury also provided to the White House in July a "Framework for International Engagement on Digital Assets," which is described in their press release but not provided to the public.

Earlier this month, the Department of Commerce released their report:
 "Responsible Advancement of US Competitiveness in Digital Assets" (19 pages). 

The Office of Science & Technology Policy also released three reports:
In this blog post, we'll focus on the two DOJ reports, which we will address in the reverse order of their release, since it makes sense to define the role of law enforcement in digital assets before discussing the international cooperation one would seek in this area.

The Role of Law Enforcement in Digital Assets


Despite the Executive Order, it is important to note that the Department of Justice did not need the urging of the White House to establish procedures for addressing cryptocurrency. The department created the Attorney General's Cyber-Digital Task Force in 2018, which produced its original report, published in October 2020, titled the Cryptocurrency Enforcement Framework (83 pages). That original report characterized the illicit uses of cryptocurrency in three broad categories of criminality:
  1. financial transactions associated with the commission of crimes, such as buying and selling drugs or weapons, leasing servers used in the commission of cybercrime, soliciting funds to support terrorist activity, or ransom, blackmail and extortion. 
  2. money laundering and the shielding of legitimate activity from tax, reporting, sanctions, or other legal requirements, including operating unlicensed, unregistered, or non-compliant exchanges. 
  3. crimes, such as theft, directly implicating the cryptocurrency marketplace itself, such as stealing cryptocurrency from exchanges or defrauding unwitting investors. 
The original report listed many case studies involving indictments, seizures, and arrests in the scenarios above, including SamSam ransomware, Welcome to Video and DarkScandals child sexual abuse services, terrorist funding both through direct donation and via sales of fake medical equipment (PPE during COVID), the Bitcoin Maven case (Theresa Tetley), BTC-e, Operation DisrupTOR (Wall Street Market), DeepDotWeb, DreamMarket, the Lazarus group hacks, HeroCoin ATMs, the Helix mixer, and others. 

The new report points out something that I've recently been mentioning as well: Bitcoin and other blockchain-based cryptocurrencies are neither the first digital currency, nor the first one that has facilitated a great deal of criminal trade. The report mentions E-Gold (1996) and Liberty Reserve (2006) as "pre-crypto" examples of digital currencies, but could as easily have mentioned WebMoney (1998) or Perfect Money (2007). Many of the points of the new report echo those of the prior one, although the cases have been updated, such as Bitfinex, Helix, Hydra Market (estimated at one point to handle 80% of all darknet marketplace transactions), and Garantex, the Estonia-based exchange that laundered more than $100 million of the funds associated with darknet markets. The Colonial Pipeline ransomware, the use of bitcoin by indicted GRU agents, and the theft of $600 million by Lazarus Group hackers in March 2022 are all used to update the original report.

Two significant additions are the sections on the Growth of Decentralized Finance (DeFi) and on Non-Fungible Tokens (NFTs). These cover "Decentralized Autonomous Organizations" as opposed to a traditional corporate structure, and the insider trading, money laundering, and tax evasion aspects of NFT trading. (Nathaniel Chastain of OpenSea and Ishan Wahi of Coinbase are provided as insider trading examples.)

Section II of the report discusses DOJ efforts such as the National Cryptocurrency Enforcement Team (NCET) and its predecessors, such as the Money Laundering and Asset Recovery Section's Digital Currency Initiative and the International Virtual Currency Initiative. It includes a few interesting statistics from the FBI: as of July 2022, the FBI had worked 1,100 separate investigations across 100 investigative program categories that involved a digital assets nexus, and since its first digital assets seizure in 2014, the FBI has seized $427 million in virtual assets (as valued at time of seizure). In February 2022, the FBI created the Virtual Assets Unit. The Department of Justice has also created a Digital Asset Coordinators Network, composed of designated prosecutors in U.S. Attorney's Offices across the country who work closely with CCIPS, MLARS, and NCET. The program is modeled on the successful CHIP Network (Computer Hacking and Intellectual Property) and the National Security Cyber Specialist (NSCS) Network, each of which designates prosecutors in every field office to be specially trained and equipped to handle the relevant case types for their office.

Cryptocurrency fraud investigations are listed as well, including the Baller Ape Club NFT rug pull case, the EmpiresX crypto Ponzi case, the Circle Society crypto commodities case, and the Titanium Blockchain Infrastructure Services Initial Coin Offering case. The Bitqyck case and the $2.4 billion BitConnect Ponzi scheme case serve as examples of IRS cyber tax evasion cases, with the latter also being charged civilly by the SEC.

The DEA's Cyber Support Section is described as performing cryptocurrency analysis related to the use of cryptocurrency to facilitate drug trafficking, while the US Marshals Service is the group that manages and liquidates seized crypto funds. HSI has been a key player in many crypto cases, with at least 500 currently active investigations, especially via its Financial Crimes Unit, Cyber Crimes Center, and Asset Forfeiture Unit. The US Secret Service is also involved, with 302 cases involving digital assets and at least 535 seizures of digital assets valued at more than $113 million at time of seizure. The US Secret Service is also a top trainer of state and local law enforcement via the National Computer Forensics Institute (NCFI), headquartered here in Hoover, Alabama! They also operate a Digital Assets Awareness Hub to educate the public on crypto risks.

Regulatory agencies also play their part, with FinCEN working to enforce Bank Secrecy Act (BSA) guidelines and regulations related to Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) requirements. Treasury manages the OFAC office, whose work includes sanctioning mixers and state-sponsored crypto hackers. The SEC regulates crypto scams that are structured as "investment contracts," such as BlockFi Lending LLC or the DeFi Money Market. The Commodity Futures Trading Commission (CFTC) regulates the trade of commodities in interstate commerce, and has brought 50+ enforcement actions against organizations such as Coinbase, Payward Ventures (Kraken), and Blockratize (Polymarket). BitMEX is one cryptocurrency derivatives exchange targeted for CFTC enforcement: after $209 million in darknet market transactions were cashed out via BitMEX, the exchange paid a $100 million fine, and three co-founders pleaded guilty to criminal charges and paid a $10 million fine.

One last organization of note is IVAN, the Illicit Virtual Asset Notification platform, being built by FinCEN and the FBI's National Cyber Investigative Joint Task Force. The goal of IVAN is to be a public-private information exchange that allows industry to collaborate on timely detection and disruption of the use of virtual assets in furtherance of illicit activity.

Requests for Legislation 

The Justice report does make several requests for additional legislation, in five categories: 

  1. extend the prohibition against disclosing subpoenas (currently in effect for financial institutions) to VASPs (Virtual Asset Service Providers), strengthen the laws against operating an unlicensed money transmitting business, and extend the statutes of limitations from 5 to 10 years for certain crimes;
  2. support initiatives that would aid investigators in gathering evidence;
  3. strengthen sentencing guidelines for certain BSA violations;
  4. extend BSA record-keeping rules to VASPs;
  5. ensure that law enforcement has the resources to conduct and staff sophisticated digital asset-related investigations.
The details of these legislative proposals are in section IV of the report, LEGISLATIVE AND REGULATORY ACTIONS THAT COULD ENHANCE EFFORTS TO DISRUPT, INVESTIGATE,

International Considerations 

One of the main observations of the report on International Law Enforcement Cooperation is the standard complaint that the Mutual Legal Assistance treaties are too slow, and that faster methods of international law enforcement cooperation, such as the "24-7 Network," often do not have a standard way of sharing requests regarding Virtual Asset Service Providers (VASPs).

Next, while the Western-friendly nations of the world have largely standardized cybercrime laws under the Budapest Convention on Cybercrime, the ways in which the nations of the world define, regulate, and enforce actions against VASPs are varied and inconsistent. Under the concept of Dual Criminality, one nation may only ask another to enforce laws that are similar in both countries, and much of crypto-crime enforcement lacks such common standards.


While the cybercrime laws may not have caught up, the international body that deals with Anti-Money Laundering, FATF, the Financial Action Task Force, is a clear thought leader on Virtual Assets guidelines. (We wrote about FATF in 2019; please see: Money Laundering and Counter-Terrorist Financing: What is FATF?) Unfortunately, as of July 2021, only 35 participating nations had implemented the FATF recommendations regarding virtual assets and VASPs into their national laws.

My favorite part of the "Strengthening International Law Enforcement" report is Annex B: "Examples of Successful Cross-Border Collaboration on Digital Asset Investigations." 

Liberty Reserve
BTC-e
Helix 
Silk Road 
Operation Bayonet (AlphaBay and Hansa)
Dream Market
Wall Street Market 
DeepDotWeb
Welcome To Video 
Operation DisrupTOR
Hydra Market 
Twitter hack 
Sodinokibi/REvil Ransomware 
NetWalker Ransomware 
BitConnect 

For each example above, details are shared about which international law enforcement agencies partnered with which US agencies in order to reach the successful resolution. Inspiring reading!

Thursday, November 29, 2018

Two Iranian Hackers charged with $6 Million in SamSam Ransomware Attacks

Today the Department of Justice announced an indictment against two Iranian men, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, for their roles in extorting more than $6 million in ransom payments during a 34-month-long ransomware campaign known as SamSam.

They were charged with:

18 U.S.C. § 371 - Conspiracy to Defraud the United States

18 U.S.C. § 1030(a)(5)(A) - knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

18 U.S.C. § 1030(a)(7)(C) - demand or request for money or other thing of value in relation to damage to a protected computer, where such damage was caused to facilitate the extortion

18 U.S.C. § 1349 - Conspiracy

Victims were found in nearly every state:

Victim Locations from: https://www.justice.gov/opa/press-release/file/1114736/download


Piecing together the case involved gaining cooperation from two European VPN services, and apparently at least one search engine. The indictment refers, for example, to the defendants using Bitcoin to pay for access to a European VPS, and then searching on May 15, 2016, for "kansasheart.com". The same day, they accessed the public website of Kansas Heart Hospital, and on May 18th they encrypted many key computers on the network and sent their ransom note.

Another key part of the investigation was gaining the cooperation of a Bitcoin Exchanger, which was able to demonstrate that on July 21, 2016, the defendants cashed out at least some of their ransomed Bitcoin into Iranian Rials and deposited it into bank accounts controlled by MANSOURI and SAVANDI.

Chat logs were also available to the investigators, as the indictment cites the contents of chats consistently throughout its timeline. Combining these events, some of the key dates were:

  • December 14, 2015 - Defendants chatting about the development and functionality of SamSam.
  • Jan 11, 2016 - Attack on Mercer County Business in New Jersey 
  • Feb 5, 2016 - Attack on Hollywood Presbyterian Medical Center 
  • March 27, 2016 - Attack on MedStar Health 
  • May 15, 2016 - Attack on Kansas Heart Hospital 
  • May 27, 2016 - Attack on University of Calgary 
  • July 27, 2016 - Attack on Nebraska Orthopedic Hospital 
  • April 25, 2017 - Attack on City of Newark, New Jersey 
  • January 18, 2018 - Attack on Allscripts Healthcare Solutions, Inc. 
  • February 19, 2018 - Attack on Colorado Department of Transportation 
  • March 22, 2018 - Attack on City of Atlanta, Georgia 
  • July 14, 2018 - Attack on LabCorp 
  • September 25, 2018 - Attack on the Port of San Diego 
FBI Wanted Poster from: https://www.justice.gov/opa/press-release/file/1114746/download

Tuesday, September 11, 2018

IRS Call Scammers Sentenced in Texas

Back in 2016 we blogged about a major set of arrests in India and the United States related to a call center scam imitating the IRS.  (See "Major Call Center Scam Revealed - 56 Indicted")

This post is just to share an update on that case. There have been so many arrests made, and yet the fraud continues every day! I received two IRS calls myself in the past week!

To begin, the IRS is NEVER going to call you and threaten arrest. If you receive such a call, the investigative agency for IRS scams is TIGTA, the Treasury Inspector General for Tax Administration. You can call their scam hotline to report at 1.800.366.4484, or share details online at the IRS Impersonation Scam Reporting form. All of the arrests below started because someone reported their scammers. Although the form seems to be focused on people who actually lost money, even non-loss reports can be helpful.

The biggest round of arrests came on October 27, 2016, which was the focus of that "Major Call Center Scam" blog post. The DOJ press release was titled "Dozens of Individuals Indicted in Multimillion-Dollar Indian Call Center Scam Targeting U.S. Victims."
Over the next several months, many of the criminals pled guilty. All but two were from India, although several were now American citizens. Each has now been sentenced for their crimes in a mass sentencing before Judge Hittner in Houston, Texas. Below, we show their guilty plea date, where they were living and/or conducting their crime, and what the DOJ/TIGTA press release said about their guilty plea. We feel that the sentences were fair, ranging from just over four years to 188 months (15 1/2 years).

Just wanted to share that EVENTUALLY, Justice is served.

However, PLEASE KEEP REPORTING!  There certainly are more IRS-imitating criminals who need to go to prison!

Bharatkumar Patel (April 13, 2017) - a resident of Midlothian, Illinois - sentenced to 50 months in prison and removal to India. 


According to his plea, beginning in or about July 2013, Patel worked as a member of a crew of runners operating in the Chicago area and elsewhere throughout the country. Patel admitted to purchasing reloadable cards or retrieving wire transfers and using the misappropriated personal identifying information of U.S. citizens. Patel also admitted to opening personal bank accounts in order to receive scam proceeds and payments from defrauded victims as well as creating limited liability companies in his name to further the conspiracy. According to his plea, Patel opened one bank account that received more than $1.5 million in deposits over a one-year period and another bank account that received more than $450,000 in deposits over a five-month period.

Ashvinbhai Chaudhari (April 26, 2017) - a resident of Austin, Texas - sentenced to 87 months in prison.


According to his plea, since in or about April 2014, Chaudhari worked as a member of a crew of runners operating in Illinois, Georgia, Nevada, Texas and elsewhere throughout the country. At the direction of both U.S. and India-based co-conspirators, often via electronic WhatsApp text communications, Chaudhari admitted to driving around the country with other runners to purchase reloadable cards registered with misappropriated personal identifying information of U.S. citizens. Once victim scam proceeds were loaded onto those cards, Chaudhari admitted that he liquidated the proceeds on the cards and transferred the funds into money orders for deposit into various bank accounts while keeping a percentage of the victim funds for himself. Chaudhari also admitted to shipping money orders purchased with victim funds to other U.S. based co-conspirators, receiving fake identification documents from an India-based co-conspirator and using those documents to receive victim scam payments via wire transfers.


Harsh Patel (May 11, 2017) - a resident of Piscataway, New Jersey - sentenced to 82 months in prison and deportation after his sentence.


According to his plea, since around January 2015, Patel worked as a runner operating primarily in New Jersey, California and Illinois. At the direction of India-based co-conspirators, often via electronic WhatsApp text communications, Patel admitted to purchasing reloadable cards registered with misappropriated personal identifying information of U.S. citizens. Once victim scam proceeds were loaded onto those cards, Patel admitted that he liquidated the proceeds on the cards and transferred the funds into money orders for deposit into various bank accounts while keeping a percentage of the victim funds for himself. Patel also admitted to receiving fake identification documents from an India-based co-conspirator and other sources and using those documents to receive victim scam payments via wire transfers.


Nilam Parikh (May 18, 2017) - a resident of Pelham, Alabama - sentenced to 48 months in prison 


Since around December 2013, Parikh worked as a runner operating in Alabama.  In connection with her plea, Parikh admitted that, at the direction of an India-based co-conspirator, often via electronic WhatsApp text communications, Parikh purchased reloadable cards registered with misappropriated personal identifying information of U.S. citizens.  Once victim scam proceeds were loaded onto those cards, Parikh admitted that she liquidated the proceeds on the cards and transferred the funds into money orders for deposit into various bank accounts, while keeping part of the victim funds for herself as payment.  Parikh also admitted to sending and receiving scam proceeds to and from her co-conspirators via Federal Express.


Information on the next five all came from the same DOJ press release: "Five More Defendants Plead Guilty for their Roles in Multimillion Dollar India-Based Call Center Scam Targeting U.S. Victims"


Dilipkumar A. Patel (May 26, 2017) - a resident of Corona, California - sentenced to 108 months in prison and removal to India. 


Based on the admissions made in his May 26 guilty plea, since late 2013, Dilipkumar A. Patel operated as a runner in and around Southern California, along with other co-defendants based in the region. At the direction of India-based co-conspirators, often via electronic WhatsApp communications, Patel admitted to participating in the purchase of reloadable cards registered with the PII of U.S. citizens, and the subsequent liquidation of victim scam funds loaded to those cards by co-conspirators, while keeping a percentage of the victim funds on the cards for himself. 


Fahad Ali (May 26, 2017) - a resident of Dyer, Indiana (from Pakistan) - sentenced to 108 months in prison 


According to his guilty plea, also on May 26, beginning in or around 2013, Fahad Ali worked as a member of a crew of runners operating in the Chicago, Illinois area, the Southern District of Texas and elsewhere throughout the country. Ali admitted that he first served as a driver for an Illinois-based co-defendant engaging in activities in furtherance of the conspiracy. Ali later operated at the direction of that co-defendant and others, via various means of communication, including text messages, to purchase reloadable cards, and then liquidate victim scam proceeds placed on those cards by India-based co-conspirators, in exchange for recurring payments. Ali also admitted to using false identification documents to receive wire transfers from victims of the fraud.


Hardik Patel (June 2, 2017) - a resident of Arlington Heights, Illinois - sentenced to 188 months in prison and removal to India upon completion of the sentence.

Based on the statements in his June 2 guilty plea, beginning in August 2012, Hardik Patel owned and managed the day-to-day operations of an India-based scam call center before later leaving for the U.S. While in India, in his capacity as a manager, Hardik Patel communicated extensively via email, text, and other means with various India-based co-defendants to operate the scheme and exchange scripts used in the scheme, coordinate the processing of payments from scammed victims, obtain and exchange lead lists used by callers to target U.S. victims, and exchange spreadsheets containing the personal identifying information (PII) of U.S. persons misappropriated by the scammers to register reloadable cards used in the scheme. Hardik Patel also managed worker payroll and kept detailed records of profits and expenses for various associated scam call centers. Hardik Patel continued to communicate with India-based co-defendants about the scheme and assist with the conspiracy after he moved to the U.S. 



Rajubhai Patel (June 2, 2017) - a resident of Willowbrook, Illinois - sentenced to 151 months in prison 


According to his June 6 guilty plea, Rajubhai Patel operated as a runner and assisted a co-defendant in managing the activities of a crew of other runners, based primarily out of Illinois, who liquidated victim funds in various locales in the U.S. for conspirators from India-based call centers. Rajubhai Patel communicated about the liquidation of scam funds via electronic WhatsApp communications with domestic and India-based co-defendants, purchased reloadable cards registered using the misappropriated PII of U.S. citizens that were later used to receive victims’ funds, and used those cards to purchase money orders and deposit them into various bank accounts of co-defendants and others as directed. Rajubhai Patel also admitted to creating and maintaining spreadsheets that detailed deposits, payments to co-conspirators, expenses and profits from the scheme.


Viraj Patel (June 2, 2017) - a resident of Anaheim, California - sentenced to 165 months in prison and removal to India.


According to admissions made in his June 2 guilty plea, Viraj Patel first became involved in the conspiracy between April and September 2013, prior to entering the U.S., when he worked at and assisted with overseeing the operations of a call center in India engaging in scam activity at the behest of a co-defendant. After entering the U.S., beginning in December 2014 Viraj Patel engaged in additional activities in support of the scheme in exchange for a cut of the profits, including serving as a processor of scam victim payments and as a runner engaging in the purchase and liquidation of cards loaded with victim scam funds. Viraj Patel communicated with various India-and U.S.-based co-defendants in furtherance of the conspiracy, and also obtained and circulated lead lists to his co-conspirators containing the PII of U.S. citizens for use by the call centers in targeting victims of the various fraud schemes and to register reloadable cards used to launder the proceeds of the schemes.  


Bhavesh Patel (July 7, 2017) - a resident of Gilbert, Arizona and Alabama - sentenced to 121 months in prison.


According to Bhavesh Patel’s guilty plea, beginning in or around January 2014, Bhavesh Patel managed the activities of a crew of runners, directing them to liquidate victim scam funds in areas in and around south and central Arizona per the instructions of conspirators from India-based call centers. Patel communicated via telephone about the liquidation of scam funds with both domestic and India-based co-defendants, and he and his crew used reloadable cards containing funds derived from victims by scam callers to purchase money orders and deposit them into various bank accounts as directed, in return for percentage-based commissions from his India-based co-defendants. Patel also admitted to receiving and using fake identification documents, including phony driver’s licenses, to retrieve victim scam payments in the form of wire transfers, and providing those fake documents to persons he managed for the same purpose.


Asmitaben Patel (July 7, 2017) - a resident of Willowbrook, Illinois - (previously sentenced to 24 months) 


Based on admissions in Asmitaben Patel’s guilty plea, beginning in or around July 2013, Asmitaben Patel served as a runner liquidating victim scam funds as part of a group of conspirators operating in and around the Chicago area. At the direction of a co-defendant, Patel used stored value cards that had been loaded with victim funds to buy money orders and deposit them into various bank accounts, including the account of a lead generating business in order to pay the company for leads it provided to co-conspirators that were ultimately used to facilitate the scam.


The next seven criminals' guilty pleas were announced by the Department of Justice on November 13, 2017 in their press release: "Last Defendant in the United States Pleads Guilty in Multimillion Dollar India-Based Call Center Scam Targeting U.S. Victims"


Miteshkumar Patel (November 13, 2017) - a resident of Willowbrook, Illinois - sentenced to 240 months.


Based on admissions in Miteshkumar Patel’s plea, beginning in or around 2013, Miteshkumar Patel managed a crew of a half dozen domestic runners involved in the criminal scheme, liquidating as much as approximately $25 million in victim funds for conspirators from India-based call center and organizational co-defendant HGLOBAL.  Patel communicated about the fraudulent scheme with various domestic and India-based co-defendants via email, text messaging and WhatsApp messaging.  Miteshkumar Patel and his runners purchased reloadable GPR cards that were registered using the misappropriated personal identifying information (PII) of unsuspecting victims that were later used to receive victims’ funds, and used those reloadable cards containing victims’ funds to purchase money orders and then deposit those money orders into bank accounts, as directed, while keeping a portion of the scam proceeds as profit.  Miteshkumar Patel also trained the runners he managed on how to conduct the liquidation scheme, provided them with vehicles to conduct their activities in Illinois and throughout the country, and directed a co-defendant to open bank accounts and limited liability companies for use in the conspiracy.  Miteshkumar Patel further admitted to using a gas station he owned in Racine, Wisconsin to liquidate victim funds, and possessing and using equipment at his Illinois apartment to make fraudulent identification documents used by co-defendant runners in his crew to receive wire transfers directly from scam victims and make bank deposits in furtherance of the conspiracy.


Raman Patel (age 82) (November 13, 2017) - a resident of Gilbert, Arizona - (previously sentenced in Phoenix, Arizona to probation, in consideration of his age and his cooperation.)

According to admissions in Raman Patel’s guilty plea, from in or around 2014, Patel served as a domestic runner in and around south-central Arizona, liquidating victim scam funds per the instructions of a co-defendant.  Patel also served as a driver for two co-defendants in furtherance of their GPR liquidation and related activities and sent bank deposit receipts related to the processing of victim payments and fraud proceeds to an India-based co-defendant via email and document scan services offered at various retail stores.

Sunny Joshi of Sugar Land, Texas - sentenced to 151 months in prison for money laundering conspiracy, and 120 months in prison for naturalization fraud.

Rajesh Bhatt of Sugar Land, Texas - sentenced to 145 months in prison and removal to India.


Based on admissions in Joshi and Bhatt’s guilty pleas, beginning in or around 2012, Joshi and Bhatt worked together as runners in the Houston, Texas area along with a co-defendant.  They admitted to extensively communicating via email and text with, and operating at the direction of, India-based conspirators from organizational co-defendant CALL MANTRA call center to liquidate up to approximately $9.5 million in victim funds, including by purchasing GPR cards and using those cards, funded by co-conspirators with scam victim funds, to purchase money orders and deposit them in third party bank accounts, while keeping a percentage of the scam proceeds for themselves as profit.  Joshi has also agreed to plead guilty to one count of naturalization fraud pursuant to a federal indictment obtained against him in the Eastern District of Louisiana, based on fraudulently obtaining his U.S. citizenship.


Jagdishkumar Chaudhari of Montgomery, Alabama - sentenced to 108 months in prison and removal to India.


Jagdishkumar Chaudhari admitted in his plea that between April 2014 and June 2015, he worked as a member of a crew of runners operating in the Chicago area and elsewhere throughout the country, at the direction of Miteshkumar Patel and others.  In exchange for monthly cash payments, Jagdishkumar Chaudhari admitted to driving to hundreds of retail stores to purchase GPR cards to be loaded with victim funds by co-conspirators in India, purchasing money orders with GPR cards that had been funded with victim proceeds, depositing money orders purchased using victim scam proceeds at various banks, and retrieving wire transfers sent by victims of the scheme.  Jagdishkumar Chaudhari is an Indian national with no legal status in the United States, and has agreed to deportation after he serves his sentence as a condition of his guilty plea.


Praful Patel of Fort Myers, Florida - sentenced to 60 months in prison 


In his plea, Praful Patel admitted that between in or around June 2013 and December 2015, he was a domestic runner who liquidated funds in and around Fort Myers, Florida for conspirators from India-based call center and organizational co-defendant HGLOBAL.  Praful Patel communicated extensively via WhatsApp texts with his conspirators.  For a percentage commission on transactions he conducted, Praful Patel admitted to purchasing reloadable GPR cards that were registered using the misappropriated PII of unsuspecting victims that were later used to receive victims’ funds, using those reloadable GPR cards containing victims’ funds to purchase money orders and depositing those money orders into bank accounts as directed, and using fake identity documents to receive wire transfers from victims.


Jerry Norris of Oakland, California - sentenced to 60 months in prison 


According to Norris’ guilty plea, beginning in or around January 2013 continuing through December 2014, he was a runner who worked with conspirators associated with India-based call center and organizational co-defendant HGLOBAL, and was responsible for the liquidation of victim scam funds in and around California.  Norris admitted he communicated extensively via WhatsApp and email with India-based co-defendants including Sagar “Shaggy” Thakar, purchased GPR cards used in the scheme, sent lead lists to conspirators in India that were then used by callers located in the call centers to target potential victims in the telefraud scheme, received scam proceeds via wire transfers using fictitious names, and laundered scam proceeds from GPR cards via ATM withdrawals.


Others sentenced whose guilty pleas were not mentioned above include: 


Montu Barot - 60 months in prison and removal to India after sentence

Rajesh Kumar - 60 months in prison 


Nilesh Pandya - sentenced to three years' probation 


Dilipkumar R. Patel of Florida - sentenced to 52 months in prison 


Nisarg Patel of New Jersey - sentenced to 48 months in prison and removal to India.


Dipakkumar Patel, of Illinois, was sentenced to 51 months by Judge Eleanor Ross in Atlanta, Georgia.



Sunday, March 06, 2016

"Unlimited" ATM Mastermind Ercan Findikoglu pleads guilty

One of the most fascinating types of cybercrime, in my opinion, is the Unlimited ATM attack.  There have been several such attacks over the years, as we've written about in this blog previously, including:


In an "Unlimited" attack, hackers gain access to the internal systems of a bank or banking network and are either able to "reset" ATM withdrawal limits or eliminate the limits altogether for a card or group of cards.  The magnetic stripe data from these cards is then widely distributed to "cash-out crews" who take responsibility for draining as many ATMs as possible in their area, while each time a card is used, the hackers "undo" the transaction so that the card appears not to have been used.


33-year-old Turkish citizen Ercan Findikoglu was charged with conducting three such Unlimited campaigns.

In February 2011, $10M was withdrawn using the pre-paid debit cards distributed by the American Red Cross to disaster relief victims.  The cards were operated by JPMorgan Chase.  On February 27 and 28, 2011, a total of around 20 pre-paid debit cards were used in approximately 15,000 transactions to withdraw $10M from ATMs in 18 countries, including ATMs in the Eastern District of New York.

In Findikoglu's second Unlimited attack, pre-paid debit cards for the India-based company ECS, operated by National Bank of Ras Al-Khaimah PSC (RAKBANK) in the United Arab Emirates were used.  On December 21 and 22, 2012, approximately 5,000 transactions in at least 20 countries resulted in withdrawal of $5M.

In the largest of his three documented Unlimited campaigns, enStage, a California-based payment processor, suffered an intrusion and had many cards stolen from its internal database.  A group of pre-paid debit cards for Bank Muscat in Oman were selected as the target, and on February 19 and 20, 2013, 36,000 transactions in 24 countries were used to steal $40M.
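The three campaigns above share one signature: a handful of cards, thousands of withdrawals, dozens of countries, all inside a day or two. The following is an added example (not code from the original post, and not anything the affected processors ran) of how an issuer or processor could flag that pattern in its own withdrawal logs. The log line format, the thresholds, and the card identifiers are constructed for the example; real per-card limits come from the issuer's own policy.

```python
"""Flag 'Unlimited'-style cash-out activity in ATM withdrawal logs.

Added example, not from the original post. Assumed log line format
(constructed for this example):
    <ISO timestamp>,<card_id>,<country>,<amount_usd>
"""
from collections import defaultdict
from datetime import datetime, timedelta

DAILY_LIMIT_USD = 1000.0   # assumed issuer ceiling per card per 24h window
MAX_TXNS_24H = 20          # assumed: more withdrawals than a real cardholder makes
MAX_COUNTRIES_24H = 2      # assumed: withdrawals in 3+ countries in a day is anomalous


def build_sample_log():
    """Constructed sample data: CARD-A is normal, CARD-C exceeds the daily
    amount, CARD-B is hit 24 times across four countries in one day."""
    lines = [
        "2013-02-18T10:00:00,CARD-A,US,200",
        "2013-02-20T09:30:00,CARD-A,US,200",
        "2013-02-19T08:00:00,CARD-C,US,400",
        "2013-02-19T12:00:00,CARD-C,US,400",
        "2013-02-19T16:00:00,CARD-C,US,400",
    ]
    countries = ["US", "JP", "AE", "DE"]
    for hour in range(24):
        lines.append(f"2013-02-19T{hour:02d}:00:00,CARD-B,{countries[hour % 4]},500")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into (timestamp, card, country, amount) sorted by time."""
    txns = []
    for line in text.strip().splitlines():
        ts, card, country, amount = line.split(",")
        txns.append((datetime.fromisoformat(ts), card, country, float(amount)))
    txns.sort()
    return txns


def flag_cards(txns, window=timedelta(hours=24)):
    """Return {card_id: [reasons]} for cards whose activity inside any sliding
    24h window exceeds the amount, count or distinct-country thresholds.
    The unlimited attack defeats the issuer's own limit check, so the
    detection re-applies that limit on the transaction record after the fact."""
    by_card = defaultdict(list)
    for ts, card, country, amount in txns:
        by_card[card].append((ts, country, amount))
    flagged = {}
    for card, events in by_card.items():
        reasons = set()
        start, total = 0, 0.0
        countries = defaultdict(int)
        for end, (ts, country, amount) in enumerate(events):
            total += amount
            countries[country] += 1
            # Slide the window start forward until it spans at most 24h.
            while ts - events[start][0] > window:
                _, c0, a0 = events[start]
                total -= a0
                countries[c0] -= 1
                if countries[c0] == 0:
                    del countries[c0]
                start += 1
            count = end - start + 1
            if total > DAILY_LIMIT_USD:
                reasons.add("amount_over_limit")
            if count > MAX_TXNS_24H:
                reasons.add("txn_count")
            if len(countries) > MAX_COUNTRIES_24H:
                reasons.add("multi_country")
        if reasons:
            flagged[card] = sorted(reasons)
    return flagged


def campaign_summary(txns, flagged):
    """Aggregate flagged cards: a few cards driving withdrawals in many
    countries for a large total is the campaign-level signature."""
    cards = set(flagged)
    hits = [t for t in txns if t[1] in cards]
    return {
        "cards": len(cards),
        "countries": len({t[2] for t in hits}),
        "total_usd": sum(t[3] for t in hits),
    }


if __name__ == "__main__":
    txns = parse_log(build_sample_log())
    flagged = flag_cards(txns)
    print(flagged)
    print(campaign_summary(txns, flagged))
```

The sliding window matters: a card used 20 times over a week is ordinary, while the same 20 uses inside 24 hours is the pattern the limit reset enables. The per-card reasons separate "over the dollar ceiling" from "too many countries", which is useful because only the latter is hard to explain as a legitimate traveller.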

ERCAN FINDIKOGLU, who called himself "Segate" or "Predator" online, was arrested in December of 2013 while visiting Germany.



He was originally charged with 18 counts:

(1)   CONSPIRACY TO DEFRAUD THE UNITED STATES
(2-4) FRAUD ACTIVITY CONNECTED WITH COMPUTERS
(5-6) ATTEMPT AND CONSPIRACY TO COMMIT MAIL FRAUD
(7)   BANK FRAUD
(8)   ATTEMPTS TO COMMIT AN OFFENSE
(9-14) PRODUCES/TRAFFICS IN COUNTERFEIT DEVICE
(15) MONEY LAUNDERING CONSPIRACY
(16) MONEY LAUNDERING
(17) TAMPERING WITH WITNESS, VICTIM, OR AN INFORMANT
(18) INTIMIDATION OR FORCE AGAINST WITNESS

On June 24, 2015, Ercan was ordered into US detention, having been extradited from Germany.  The German courts in Frankfurt declared that Findikoglu was "the most-wanted computer hacker in the world and may face more than 247 years in prison if convicted of all U.S. charges" (as quoted in Bloomberg's story of 23JUN2015, "Most-wanted cybercriminal extradited to U.S. from Germany").

As usual, the reality of sentencing varies dramatically from the overblown initial press release.  On March 1, 2016, all parties appeared before the Honorable Judge Kiyo A. Matsumoto for a Change of Plea Hearing.  Sentencing is scheduled for July 12, 2016, but according to the BBC, prosecutors have agreed in a plea deal to limit his incarceration to "between 11 and 15 years."  (See "US bank hacker faces long jail time".)

Many of the "Cash-out crews" from these operations have been separately arrested and charged, while many others (the vast majority really) remain at large.




Sunday, January 24, 2016

Vovnenko / Fly / MUXACC1 pleads guilty

Sergey Vovnenko pleads guilty

This week a Ukrainian hacker, made famous for attempting to frame security journalist Brian Krebs by sending him heroin purchased on the Silk Road, had his day in court and chose to plead guilty.  Krebs blogged about his arrest in Italy in 2014 with the title The Fly Has Been Swatted, but now that a guilty plea has been entered, we can see the details of the case.

In June 2013, a U.S. Secret Service agent swore out a criminal complaint against Vovnenko for crimes he committed against citizens in New Jersey.  Although we refer to "Federal Crimes" in most cyber crimes, a U.S. Attorney's office can only bring charges for damages that occurred within its own district.


From 2003 until 2013, the complaint states, SERGEY VOVNENKO, AKA Centurion, AKA Flycracker, AKA Flyck, AKA MUXACC1, AKA Stranier, ran various scams related to carding.  In a specific instance, cards were stolen "on or about" March 14, 2011 from a victim in Rutherford, NJ, violating Title 18 Section 371 of the Federal Code.  Many of the early attacks used SQL Injection to gain access to target computers that were accessible via the web and had access to databases of personally identifiable information and credit card data.  Vovnenko in particular advertised "dumps" services using both his Twitter account and an ICQ account.

Between 2009 and 2011, Vovnenko managed to plant malware on computers at "Victim 1", which is described as a "global financial institution with millions of customer accounts" that "maintained significant infrastructure in New Jersey, including computer servers housing banking information located in New Jersey."

Vovnenko was an old-school carder.  He originally sold his dumps on the Shadowcrew website, which was shut down in 2004 by the U.S. Secret Service.  (This site is where Vovnenko began chatting with now infamous Data Breach king Albert Gonzalez.)  In 2008, Vovnenko used ICQ to chat with Vladislav Horohorin, the hacker known as "BadB."  BadB was sentenced to 88 months for trafficking in stolen cards and for his role in the $9M theft from Atlanta-based RBS WorldPay.  By 2010, Vovnenko was actively selling as "Centurion" on CardingWorld, Mazafaka, and Verified.ru.

Our complainant testifies that on or about March 16, 201, Vovnenko chatted with another criminal who asked him to review the logs from his botnet to see whether he had IP addresses indicating that some of his bots were inside the NJ-based financial institution known as "Victim 1" in the court documents.  He did, and was asked to plant an executable on that computer to give his co-conspirator remote control of it.  (We've heard about this type of "log selling", where a "commodity botnet infection" leads to targeted attacks at specific institutions, before.  See my blog post about the Fox-IT/Group-IB "Anunak" report, "Botnets, APTS, and Malicious Emails".)

A "Zeus Logs" seller offers 240MB of logs for $300-$400 ...

A Criminal Complaint is only intended to show Probable Cause to open an investigation.  It does not require the same level of detail as an Indictment, which charges the accused with committing specific criminal acts.

The Indictment came in April of 2014 ...

The Indictment adds additional aliases (Tomas Rimkis, Darklife) and specific charges.  We'll focus on Counts One and Three, which are the ones he pleaded guilty to this week.

Count One:  Wire Fraud Conspiracy (18 U.S.C. § 1349)
From September 2010 to August 2012, VOVNENKO and his co-conspirators "operated an international criminal organization that hacked into the computers of individual users and of companies in the United States and elsewhere, and used that access to steal data, including, among other things, user names and passwords for bank accounts and other online services, as well as debit and credit card numbers and related personal identifying information.   After stealing the Log-In Credentials and Payment Card Data, defendant VOVNENKO and his co-conspirators used that information to illegally access and withdraw money from bank accounts and to incur unauthorized charges using the payment card data."  They also sold the data on online forums to individuals and groups that in turn did other illegal things with the data.

The indictment states that VOVNENKO had a botnet of "over 13,000 computers infected with malware" and that several of the infected computers were in New Jersey.  At least part of the malware was the "Zeus" malware, which specializes in stealing banking information and recording users' keystrokes.  At least one employee (known as "J. H." in the indictment) of the Victim 1 bank had his workstation infected, and from that base the botnet was able to contact and interact with computers located inside financial institutions.  Counts Three through Six of the indictment refer to the specific acts of logging in to J.H.'s computer "in relation to felony violations" of
18 U.S.C. § 1349 and 18 U.S.C. § 1030(a)(2)(C) and (c)(2)(B)(i).



By December of 2015, Vovnenko and his lawyers knew he was going to be found guilty on all charges, no ifs, ands, or buts.  They agreed to a plea agreement where Vovnenko took the rap for Count One and Count Three, agreeing that he could face a sentence of 20 years imprisonment and $250,000 fine.  Because he also faced the charge of Aggravated Identity Theft, there is an additional two year mandatory minimum sentence that cannot run concurrently with any other sentence.  Further, VOVNENKO understood that he may be required to pay restitution, and will likely be deported after his sentence is served.

Sentencing in this case is set for May 2, 2016.  At that time, a Money Judgment will also be entered regarding the amount of Restitution that may be required.

Many more details about "Flycracker" (as he was known on Silk Road) or "MUXACC1" (as he was known on Twitter) are available from Brian Krebs' story "Hacker Who Sent Me Heroin Faces Charges in U.S."








Thursday, May 22, 2014

Blackshades RAT leads to 97 Arrests in 16 countries

On May 19, 2014, the FBI announced a worldwide coordinated action against criminals who created, sold, and used a Remote Administration Trojan (RAT) known as BlackShades. In the FBI's BlackShades Press Release they shared that 40 participating FBI Field Offices had conducted 100 interviews, executed more than 100 e-mail and physical search warrants and seized more than 1,900 domains used by BlackShades to control victims' computers.


(image from FBI.gov)

The case actually was a spin-off from another major international operation called "Operation Card Shop" that we wrote about in April 2012 (see SOCA & FBI seize 36 Criminal Credit Card Stores). As Law Enforcement reviewed the seized websites from that case, they began to realize the extent of the BlackShades RAT's role in the theft of credit card information, and that the operation was much larger than they had at first believed. One of those arrested during Operation Card Shop was Michael Hogue, one of the co-authors of Blackshades, who agreed to cooperate in unveiling the rest of the BlackShades operation.

Blackshades and Miss Teen USA

For many Americans, the first time they heard of Blackshades was in the case of Miss Teen USA 2013, Cassidy Wolf. In that case, Blackshades customer Jared James Abrahams, a 20-year-old college student, used Blackshades to begin capturing video from Cassidy's webcam. A victim, unaware that the webcam is even recording, goes about their business, including dressing and undressing; like most teens, she had a laptop on in the bedroom, which is not unusual. After capturing some nude images, Abrahams attempted to extort additional videos in exchange for not releasing the first images to Cassidy's friends on Facebook. But Blackshades is able to do so much more than capture an occasional nude image! While most commonly used for good old fashioned credential and credit card theft, Blackshades has also been used to infiltrate Syrian rebel computers, as first reported by the EFF and with many more details shared by MalwareBytes.

Blackshades Co-Creators HOGUE and YÜCEL

Michael Hogue, who used the hacker name xVisceral, was originally arrested in Tucson, Arizona as part of a group of arrests announced by Preet Bharara, the US Attorney in the Southern District of New York, on June 26, 2012 as part of the follow-up to Card Shop. In addition to xVisceral/Hogue, that sweep grabbed up 404myth (Christian Cangeopol of Lawrenceville, Georgia), Cubby (Mark Caparelli of San Diego, California), Kabraxis314 (Sean Harper of Albuquerque, New Mexico), kool+kake (Alex Hatala of Jacksonville, Florida), OxideDox (Joshua Hicks of Bronx, New York), JoshTheGod (Mir Islam of Manhattan, New York), IwearaMAGNUM (Peter Ketchum of Pittsfield, Massachusetts), theboner1 (Steven Hansen, who was already in jail in Wisconsin) as well as 13 others in the UK (6), Bosnia (2), Bulgaria (1), Norway (1), and Germany. (See: Manhattan U.S. Attorney and FBI Assistant Director in Charge Announce 24 Arrests in Eight Countries as Part of International Cyber Crime Takedown).

For a fascinating "how I became a hacker" biography interview, please see The Rise and Fall of xVisceral, which details how, as a 17-year-old Halo player, xVisceral was first introduced to hacking as a way to cheat other Halo players, and gives a detailed history of how this led to ever-more-advanced hacking tools and ultimately the creation of Blackshades. (The original source is currently unavailable; this is an archived copy of an article from:

The Charges against Hogue (filed January 9, 2013) say that "Michael Hogue a/k/a xVisceral, the defendant, and others known and unknown, willfully and knowingly combined, conspired, confederated, and agreed together and with each other to engage in computer hacking in violation of Title 18, USC, Section 1030(a)(5)(A)." It was part of the conspiracy that Hogue and others "did cause the transmission of a program, information, code and command, and as a result of such conduct, would and did intentionally cause damage without authorization, to a protected computer, which would and did cause damage affecting 10 and more protected computers during a one-year period, in violation of Title 18, USC Sections 1030(a)(5)(A), 1030(c)(4)(B)(i), and (c)(4)(A)(i)(VI), to wit, HOGUE used malware to infect computers and sold that malware to others, enabling them to infect and remotely control victims' computers."

Like most RATs, once a victim has been tricked into clicking on the installer, the RAT is controlled by connecting to a server used for that purpose. The FBI was able to learn considerably more about the person being described as the "co-creator" of BlackShades, Alex YÜCEL (also spelled Alex Yucel, Alex Yucle, Alex Yuecel), AKA marjinz, AKA Victor Soltan, by tracking one of his servers as they investigated the various domains used to host the servers for the malware. In one case, Alex contacted a company to lease certain computers for this purpose (November 8, 2012), paying for them on January 30, 2013. On March 18, 2013, he sent email requesting tech support due to a problem with his servers. Alex was the administrator of "www.blackshades.ru" and "www.bshades.eu". Alex is a 24-year-old citizen of Sweden, arrested in Moldova and awaiting extradition to the United States.

Symantec actually has an interesting screenshot from 2011 in which Hogue claims to be resigning from Blackshades and turning full control over to "marjinz", shared in their article from June 2012 when Hogue was first arrested. The fact that so many "script kiddie" hackers use Hack Forums may be part of why Blackshades was so popular:


(Source: www.symantec.com/connect/blogs/w32shadesrat-blackshades-author-arrested )

A Sample Customer: kbello

A look at the Criminal Complaint against one of his customers may be revealing. Kyle Fedorek (aka kbello) was charged May 15, 2014 in the Southern District of New York. On September 12, 2012, kbello purchased a copy of Blackshades over the Internet. An undercover FBI agent in New York had also purchased the software on June 30, 2010 from the same source. The FBI used this criminal complaint to document the scope and abilities of Blackshades. Between September 12, 2012 and March 2014, kbello acquired "thousands" of credit card numbers and financial account numbers through hacking using the RAT. According to the Criminal Complaint, the FBI agent described Blackshades as giving the hacker "Free rein to, among other things, access and view documents, photographs and other files on the victim's computer, record all of the keystrokes entered on the victim's keyboard, steal the passwords to the victim's online accounts, and even activate the victim's web camera to spy on the victim -- all of which could be done without the victim's knowledge."

The FBI's investigation has shown that the RAT was purchased by at least several thousand users in more than 100 countries and used to infect more than half a million computers worldwide.

After kbello purchased his copy of the RAT, it was used against at least 400 victims, and was also part of a suite of additional malware that he installed on the victims' computers. After a victim was infected, the hacker could activate the "Spreader" module on that victim's computer, which would use that victim's chat programs (AOL/AIM, ICQ, MSN) and any USB devices attached to the computer to attempt to infect others.

Other modules of the program allowed the hacker to encrypt any files on the system and display a Ransomware message, demanding that payment be sent to decrypt the files. The message could be customized per victim, or the same message could be sent to many victims.

Many other modules were available, including password stealers, webcam capture tools, DDOS attack tools, and others.

Records from the primary Blackshades server indicate that the program, which often sold for as little as $40 per copy, had generated $350,000 in direct sales between September 2010 and April 2014. When a purchase was made, the purchasing hacker would establish a domain name that he or she would use as their main "controlling" domain. A custom version of the software was then generated which would only connect infected computers to that domain. The logs on the server indicate there were at least 6,000 Blackshades customer accounts for users in 100 countries, and that at least 1900 domain names had been registered by customers to control infected computers. All 1900 of these domains have been seized by the FBI, preventing the RAT from controlling the infected computers any longer.

In February 2013, the FBI obtained a warrant to search the email account "blackshadessupport@hotmail.com" - which Yucel used to communicate with his employees who were offering technical support and administering his various infrastructure. The search revealed many email communications requesting customer support and also contained copies of receipts sent to customers for various products and services offered by the Blackshades organization.

This search warrant revealed a home address in Stony Point, New York for Kyle Fedorek when he purchased "Blackshades Remote Controller (R.A.T.) for 40.00 USD". The seized Blackshades Server also provided the information that KBello had registered the hostnames "kbella.zapto.org" and "kbello.zapto.org" as his controllers. The IP address to which these names resolved in April and May of 2013 was subscribed to at the Fedorek Residence.
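Each Blackshades customer pointed their build at a "controlling" hostname, and in kbello's case that was a dynamic-DNS name under zapto.org. Because a RAT reconnects to its controller on a timer, the infected machine resolves that name over and over, which a defender can see in internal DNS logs. The following is an added example, not from the original post or from any of the agencies named, that scans a DNS query log for hosts repeatedly resolving names under dynamic-DNS zones. The log line format, the client addresses and the second zone in the watchlist are constructed; only zapto.org comes from the complaint.

```python
"""Flag internal hosts that repeatedly resolve dynamic-DNS hostnames, the
kind of 'controller' name a RAT customer registers (kbello.zapto.org in the
complaint). Added example, not from the original post.

Assumed DNS log line format (constructed for this example):
    <timestamp> <client_ip> query <qname> <qtype>
"""
import re
from collections import Counter, defaultdict

# Dynamic-DNS parent zones to watch. zapto.org appears in the complaint;
# the second entry is a placeholder for whatever list a defender maintains.
DDNS_ZONES = {"zapto.org", "example-dyndns.test"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d+\.\d+\.\d+\.\d+) query (?P<qname>[\w.-]+) (?P<qtype>[A-Z]+)$"
)

# Constructed sample log: 10.0.0.21 beacons to kbello.zapto.org every five
# minutes; 10.0.0.35 looks up the bare zone and one other name once each.
SAMPLE_DNS_LOG = """\
2013-04-02T08:00:01 10.0.0.21 query kbello.zapto.org A
2013-04-02T08:05:01 10.0.0.21 query kbello.zapto.org A
2013-04-02T08:10:02 10.0.0.21 query kbello.zapto.org A
2013-04-02T08:11:00 10.0.0.21 query www.example.com A
2013-04-02T09:00:00 10.0.0.35 query zapto.org A
2013-04-02T09:30:00 10.0.0.35 query host1.example-dyndns.test A
2013-04-02T10:00:00 10.0.0.40 query mail.example.com MX
"""


def parent_zone(qname, zones=DDNS_ZONES):
    """Return the watched zone that qname is a subdomain of, else None.
    The bare zone itself (i == 0) is not a customer hostname."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def parse_dns_log(text):
    """Yield (timestamp, client, qname, qtype) for each well-formed line."""
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (m.group("ts"), m.group("client"),
                   m.group("qname").rstrip(".").lower(), m.group("qtype"))


def find_beaconing(text, min_lookups=3):
    """Return {client_ip: {qname: count}} for clients that resolved a
    dynamic-DNS hostname at least min_lookups times. Dynamic DNS is
    legitimate on its own, so a single lookup is not reported."""
    counts = defaultdict(Counter)
    for _ts, client, qname, _qtype in parse_dns_log(text):
        if parent_zone(qname):
            counts[client][qname] += 1
    return {
        client: {q: n for q, n in names.items() if n >= min_lookups}
        for client, names in counts.items()
        if any(n >= min_lookups for n in names.values())
    }


if __name__ == "__main__":
    print(find_beaconing(SAMPLE_DNS_LOG))
```

The threshold is the important design choice: dynamic DNS has ordinary uses, so the signal is repetition from one client to one name, not the zone alone. In a production pipeline the same counter would be keyed by time bucket so that a steady five-minute cadence stands out from a handful of unrelated lookups.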

In a subsequent search warrant, executed March 6, 2014, agents seized a laptop from the bedroom of Kyle Fedorek, where the username of the laptop was Kyle, and recovered a copy of the Blackshades RAT. The RAT was configured to run the "Form Grabber" (stealing any information victims typed into a web form, such as a userid and password prompt box on a banking website). At least 400 victims had unwittingly provided information to Fedorek through this form grabber. The laptop was also being used to run other malware schemes, including CARBERP, Andromeda, and Citadel, and had evidence of having been used to create Phishing sites as well. DDOS and SQL Injection tools were also present. More than 9,000 sets of userids and passwords and 50,000 sets of credit card information were found on the laptop.

The UK's National Crime Agency

The UK's National Crime Agency (NCA, formerly SOCA), issued their own press release. (See Unprecedented UK Operation aids global strike against Blackshades malware) indicating that 17 Blackshades customers were apprehended in the UK and that their records suggested that at least 200,000 worldwide victims had their information harvested by Blackshades customers in the UK.

EuroJust

The European Union's Judicial Cooperation Unit in The Hague also issued a press release. (See International operation hits Blackshades users.) They indicated that at least 359 "house searches" were carried out worldwide and that 97 people had been arrested. 1100 data storage devices had been seized in those searches, including computers, mobile phones, external hard drives, and USB memory sticks, in addition to "substantial quantities" of cash, illegal firearms, and drugs.

Dutch High Tech Crime Team

The Dutch High Tech Crime Team was able to secure a server in Delft operated by an 18-year-old Black Shades customer. One of their most high-profile Blackshades customers was a 19-year-old man who was controlling more than 2,000 webcams being used to capture photos and videos of female victims. The Dutch police seized 96 computers and laptops, 18 mobile phones, and 87 USB sticks and hard drives during searches of 34 residences. (See: 34 Dutch homes raided in worldwide crackdown on hacking software.)

Dutch High Tech Crimes statement - www.om.nl/actueel/nieuwsberichten/@162701/wereldwijde-actie/