The criminal
complaints against the cyber fraudsters showed the FBI agents trailing them
since last year, before the Dubai Police went for the harvest.
In complaints
filed before Illinois courts, FBI agents describes in details how they were
able to trail and smash two notorious Nigerian fraudsters, Ramon Olorunwa Abbas
a.k.a Hushpuppi and Olalekan Ponle a.k.a Woodberry and gang.
Though the
two conmen are Nigerians, they operated in different ways in executing their
cyber heists and the loot therefrom.
Olalekan
Ponle often asked his co-conspirators to convert his share into bitcoins.
Raymond, on
the other hand, favours cash, the heist moving from several accounts he set up
in Mexico, Romania and other parts of Europe, before getting to him.
In one daring
effort, Hushpuppie planned to cyber-rob an English Premier League club.
Hushpuppi,
real name Ramon Olorunwa Abbas was investigated by special agent ANDREW JOHN
INNOCENTI.
Ponle on the
other hand was investigated by special agent Ali Sadiq.
Hushpuppi by
Andrew John Innocenti:
First,
messages found on the iPhone of Co-conspirator 1 (reviewed pursuant to a federal
search warrant issued in this District) reflect that ABBAS, Co-conspirator 1,
and Co-conspirator 2, with others, committed a BEC scheme that defrauded a
victim in the United States of approximately $922,857.76, including
approximately $396,050 that ABBAS, Coconspirator 1, and Co-conspirator 2
laundered while Co-conspirator 2 was in Los Angeles, California.
Second, ABBAS
and Co-conspirator 1 conspired to launder funds intended to be stolen through
fraudulent wire transfers from a foreign financial institution (the “Foreign
Financial Institution”), in which fraudulent wire transfers, totalling
approximately €13 million (approximately USD $14.7 million), were sent to bank
accounts around the world in February 2019. Co-conspirator 1 conspired with the
persons who initiated the fraudulent wire transfers, and also conspired with a
number of others, including ABBAS, to launder the funds that were intended to
be stolen. ABBAS, specifically, provided Co-conspirator 1 with two bank accounts
in Europe that ABBAS anticipated would each receive €5 million of the
fraudulently obtained funds.
Other
communications between ABBAS and Co-conspirator 1 indicate that, in addition to
these schemes, ABBAS and Co-conspirator 1 conspired to launder tens, and at
times hundreds, of millions of dollars that were proceeds of other fraudulent
schemes and computer intrusions, including a fraudulent scheme to steal £100m
from an English Premier League football club.
In reviewing
data from Co-conspirator 1’s iPhone, I and another FBI employee saw messages
reflecting that, in or around October 2019, ABBAS had conspired with
Co-conspirator 1 and Co-conspirator 2 to commit a fraudulent wire transfer and
money-laundering scheme, in which a U.S. victim (the “Victim Law Firm”) lost
approximately $922,857.76. The messages reflected that part of the scheme,
including acts in furtherance of the conspiracy, occurred while Co-conspirator 2
was physically present in the Central District of California.
20. Records
obtained from JPMorgan Chase Bank (“Chase”) for a bank account held in the U.S.
(the “Chase Account”) reflect that the Chase Account received a wire transfer
on October 15, 2019 for approximately $922,857.76 from the Victim Law Firm. On
October 17, 2019, there was a wire transfer from the Chase Account to an
account at Canadian Imperial Bank of Commerce (“CIBC”), in Toronto, Ontario,
for approximately $396,050. Bank records reflect that the specific account at
CIBC ended in 1716 (the “CIBC Account”), consistent with what is discussed
below in paragraphs 21, 24, and 25. The remaining funds in the Chase Account
were transferred to other accounts.
21. Based on
review of data from Co-conspirator 1’s iPhone, on or around October 17, 2019,
ABBAS, using what appeared to be the Snapchat account “hushpuppi5,” sent an
image of a Chase wire confirmation to Co-onspirator 1. The image appeared to
show a wire transfer form related to a transfer of approximately $396,050 from
the Chase Account to the CIBC Account, which, based on other messages on
Co-conspirator 1’s iPhone, appears to have been held by Co-conspirator 2.3
22. On April
14, 2020, I interviewed S.R., owner of the Victim Law Firm, about the
above-referenced wire sent on October 17, 2019. On April 16, 2020, I
interviewed N.C., who was an attorney and co-worker of S.R., and on May 21,
2020, I interviewed K.C., a paralegal of the Victim Law Firm. Based on these
interviews, I learned the following:
The Victim
Law Firm, which is located in New York State, was representing a client, A.D.,
in the refinance of real estate.
b. A.D. was
refinancing his/her property with Citizens Bank. As part of the closing for
this refinance, on October 15, 2019, K.C. sent a verification email to what
appeared to be a Citizens Bank email address (later identified as a “spoofed”
email address) requesting wire instructions. Per internal policy of the Victim
Law Firm, all wire verifications were to be sent to their firm via fax and
followed-up by a phone call. K.C. received a fax message in response to her
verification email with what was later determined to be fraudulent wire
instructions to transfer the loan payoff amount of their client A.D. to the
Chase Account. K.C.
then called the phone number listed on the fax to verify
the wire instructions.
Neither the
Victim Law Firm, nor their client A.D., realized the funds had been
fraudulently transferred to the Chase Account until later in October 2019, when
A.D. checked his/her account and realized that the funds for the refinance had
not been credited. By this time, all of the funds had been depleted from the
Chase Account.
c. On October
15, 2019, K.C. initiated the wire transfer to the Chase Account for
approximately $922,857.76.
d. Neither
the Victim Law Firm, nor their client A.D., realized the funds had been
fraudulently transferred to the Chase Account until later in October 2019, when
A.D. checked his/her account and realized that the funds for the refinance had
not been credited. By this time, all of the funds had been depleted from the
Chase Account. (I further understand from K.C. that, as of June 25, 2020, no
funds had been recovered.)
23. Messages
on Co-conspirator 1’s iPhone reflect that, at approximately the same time on
October 17, 2019 that ABBAS sent Co-conspirator 1 an image of the wire transfer
confirmation for the transaction from the Chase Account to the CIBC Account,
Co-conspirator 1 was communicating with another phone number to confirm the wire
had been deposited into the CIBC Account. Based on other messages on the iPhone
and records obtained by the FBI, that phone number was used by Co-conspirator 2.
24. The
communications between Co-conspirator 1 and Co-conspirator 2 on October 17, 2019
included the following messages:
Co-conspirator
1: Keep lookout for the 396 and so ur thing till u hear from me
Co-conspirator
2: Ok will do
Co-conspirator
2: I’m in La so how can I make sure??4
25.
Co-conspirator 2 also sent Co-conspirator 1 a photograph showing a secure login
to the CIBC Account in Co-conspirator 2’s name. The account number ended in
1716, consistent with the account number that ABBAS sent to Co-conspirator 1 in
an image on October 17, 2019.
26. I
reviewed international travel records from a law enforcement database, which
showed that Co-conspirator 2 travelled from Toronto, Canada to Los Angeles,
California on October 16, 2019. This was one day before the wire transfer from
the Chase Account to the CIBC Account in Co-conspirator 2’s name. Further, as
referenced above, Co-conspirator 2 messaged Co-conspirator 1 on October 17, 2019
that “I’m in La.” Travel records also show that Co-conspirator 2 departed Los
Angeles around October 23, 2019 for Canada. Taken together, this indicates that
Co-conspirator 2 was in Los Angeles at the time of the wire transfer.
27. Later in
the day on October 17, 2019, while still in Los Angeles, Co-conspirator 2
appeared to confirm the wire transfer in an iMessage found on Co-conspirator 1’s
iPhone:
Co-conspirator
1: Did the big hit? Co-conspirator 2: Yessir
Olalekan
Ponle a.k.a Woodberry:
Beginning no
later than January 2019 and continuing until at least September 2019, OLALEKAN
JACOB PONLE conspired with others to engage in BEC schemes to defraud several
United States-based companies. These schemes resulted in attempted and actual
losses to victim companies in the tens of millions of dollars.
As described
below, as part of the scheme, PONLE directed money mules in the United States
to open bank accounts in the names of victim companies. Proceeds from BEC
schemes, ranging from hundreds of thousands of dollars to millions of dollars,
were then wired by unwitting employees to the bank accounts opened by PONLE’s
mules. PONLE then instructed the mules to convert the proceeds to Bitcoin and
to send the proceeds of the BEC schemes to a bitcoin wallet that he owned and
operated.
One of these
BEC schemes involved a Chicago-based company (Victim Company A) that was
defrauded out of $2,300,000. A second Chicago-based company (Victim Company K)
was defrauded into sending wire transfers totalling $15,268,000.00. Preliminary
blockchain analysis indicates that PONLE received at least 1,494.71506296
bitcoin related to these BEC schemes, valued at approximately $6,599,499.98 at
the time he received the proceeds.
PONLE Used
the Alias “Mark Kain” To Correspond with Money Mules
12. As
described in more detail below, money mules in the United States were
approached by a person they knew as “Mark” or “Mark Kain.” “Mark” later
directed them to open bank accounts in the names of victim companies. Those
accounts received proceeds from the BEC schemes, and at “Mark’s” direction, the
money mules converted proceeds to bitcoin and sent proceeds to “Mark”.
13. According
to one of those money mules, Individual B, “Mark Kain” contacted Individual B
using telephone number (323) 985-4088 (“the 4088 phone number”). According to
records obtained from Dingtone, a messaging and Voice over Internet Protocol
application, subscribing customer records for the 4088 phone number included
the cellular telephone number 27793837890 (“the 7890 phone number”), which
based on law enforcement database searches, is owned by a South African service
provider.
Based on my
review of chat transcripts from online messaging applications between PONLE and
Individual B and a second money mule, Individual A, “Mark” instructed
Individual B and Individual A to send money to the bitcoin wallet
16AtGJbaxL2kmzx4mW5ocpT2ysTWxmacWn (“the 16AtGJ BTC Wallet”) on at least nine
occasions. Records obtained from Bitpay, a processor of cryptocurrency
transactions, indicated that between approximately September 18, 2015 and
November 29, 2016, the 16AtGJ BTC wallet made five purchases associated with
the Gmail account hustleandbustle@gmail[.]com (the “hustle Gmail account”).
Based on
records obtained from Apple, an iCloud account (Subject Account 1) was
subscribed to by Jacob Olalekan, listing the 7890 phone number, the hustle
Gmail account, and a physical address in Johannesburg, South Africa.
Based on my
review of records from Apple, Subject Account 1 contained several identity
documents and photographs of PONLE. These included a photo of a Nigerian
passport with a photo of an individual named Olalekan Jacob Ponle, born in May
1991 in Lagos, Nigeria, a photo of a United Arab Emirates visa with a photo of
an individual named Olalekan Jacob Ponle with the profession “marketing
representative” and a photo of a United Arab Emirates Resident Identity Card
with a photo of a Nigerian national named Olalekan Jacob Ponle.”
 |
| Olalekan Ponle -Woodberry |
No comments:
Post a Comment