Category Archives: BEC

Facebook Lotteries to Avoid – with help from AA419

This morning I received a tip from one of the top West African fraud experts in the world, Derek Smythe from AA419. Derek and his team had been in communication with several victims of a "Poker Lottery" scam and had documented a set of linked domains.



PokersLottery[.]me website
The home page of these websites explains how the Lottery works:
Under The Gambling Act 2015, The Poker Lottery Online Board’s Purpose Is To Benefit The Facebook Community By Distributing The Profits From States Lotteries Run By The United State Of America,United Kingdom,Australia And Canada Lotteries Commission.

The Board Is Empowered By The Gambling Act To Make Allocations To Lottery Distribution Committees; The Minister Responsible For The Board For Distribution For Community Purposes; And This Statutory Bodies – A Worldwide Promotion For Disabled, Employed And Unemployed Workers, Retired, Young & Old People. A Sophisticated Automated Database To Randomly Select E-Mail Accounts And Profile Page Owners That Frequently Surf The Facebook. Consequent Upon This, Your Facebook Profile Account Was Chosen As A Winner. 
Doesn't that sound a bit suspicious?  Sure, if that's all there was ... but wait, there is more!
Each website has a list of the 100 "beneficiaries" who have been chosen to receive a prize!

AND IF YOU GOT A MESSAGE FROM THE LOTTERY ON FACEBOOK, YOUR NAME IS ON THE LIST!

Today is your lucky day!  Of course, since there are only 100 winners, they needed to make a bunch of these websites.  Derek and the team at AA419 documented quite a few of them yesterday and today, including these:

Poker Lotto domains, from AA419
The "Beneficiaries" pages all looked something like this, where each named individual is someone who has been invited to be scammed by receiving a Facebook message:

Beneficiary List from a Poker Lotto page

Another Beneficiary List Style
As far as we can tell, the "Status" has one of three meanings:

Delivered - you've already been suckered.
Not Yet Claimed - you've received the Facebook Message, but have not "verified" yourself.
Processing - you've provided your personal information, but they don't have your money yet.

The "AGENT/OFFICER IN CHARGE" link takes you to a Facebook Page, which will be the source of the message that you received via Facebook Messenger.  For many, this acts as a Verification.  They get a message, they follow the link, they see their own name, and when they click "AGENT/OFFICER" it takes them to the Facebook page of the person who sent them the message, completing the loop, and solidifying the concept that this is a "real thing."

Some of the AGENT/OFFICERs we found were:

https://www.facebook.com/clarkrobin.gayle.794
https://www.facebook.com/Dennis-Carney-303175227192556/
https://www.facebook.com/pg/Elizabeth-Cornwel-2280263318963057/

It is also possible that the "Delivered" statuses are just decoys, because who would actually fall for these scams, right?  Actually - according to AA419 and their law enforcement friends, these guys have already stolen money from dozens of victims!

So what happens next?  Next, we need to gather a bit of personal information so we know where to send your money, and make sure that we file your tax information about your winnings:

Necessary Information to Claim Winnings
There were actually several versions of the Verification Form, with some asking for an SSN while others did not.  We believe this may indicate what country that particular form was targeting.  For example, many of the victims were in South Africa, which does not identify their National ID number as a "Social Security Number."  By not having that field, they may avoid raising suspicion.

Quite a few of the websites are hosted on SquareSpace, who thankfully has been terminating the domains as AA419's team swung into action!  Thankfully several of them now look like this:

Well Done, SquareSpace!
So how much did the victims lose?  Strangely, it appears that you get to choose your own winnings, depending on how large a payment you are willing to make.  Yes, as you may have guessed if you are familiar with 419 Scams, there is a small fee that needs to be paid.

Cheap? Pay $1050 to claim $50,000.  Loaded?  Pay $420,000 to claim $20 Million!
On the form one fills out to choose their prize, note that one of the required fields is that you must upload your photo id!!!


Our advice?  Perhaps you shouldn't do that!

US Government Facebook Lotteries?

While Derek and I were exploring the sites and looking for additional ones, we realized that there is another version of the scam that imitates United States Federal Government Agencies.  All of the above works in exactly the same way, however instead of being branded "Poker Lotto" the websites take on a more "Official" tone.

The first one we found claims to be a service to help those who find themselves unemployed run by the United States Agency for International Development (USAID).

http://usaidwbenefits[.]com/
The USAIDWBENEFITS[.]COM website is hosted in NameCheap's data center in Los Angeles on the IP address 199.188.200.93.

There are sixteen pages of beneficiaries who have won the USAID WORLD BENEFITS award, listed in alphabetical order by first name

USAID Benefactors, from A ... 

... to Z 

The other US Government agency we found being abused in these scams was the Department of Labor.

wcabcompensations[.]com and also wcabdhhs[.]org

The "Winners List" from wcabdhhs[.]org

The WCAB / DHHS site is more advanced than the Poker Lotto sites, though not as advanced as the
USAID site, which seems to be the most recent in the evolutionary chain.

The Department of Labor doesn't seem to have as much money as Poker Lotto.  The "Claim" fees are smaller, but then so is the maximum prize:

Don't copy this!  It is (C) 2019 the Workers Compensation Appeals Board and the Department of Health & Human Services!

I'm not quite sure what the National Endowment for the Humanities has to do with this one . . . 

The address information left behind on this "Contact Us" form tells us a bit about how long these scams have been going on.  When we searched on the address information with the phrase "Claim Your Grant" as part of the search, we found that the National Endowment for the Humanities put out a press release on June 21, 2016 warning people about exactly this type of scam!  See: "Scam Impersonates NEH" on their website.

The Workers Compensation Board version of the scam is likely just as old, as one of their "AGENT" Facebook pages that are listed on these scam sites was created in 2015 and updated in 2016!  People may have been receiving notices of Lottery winnings from her account for a Very Long Time!

Asuncio from the Worker's Compensation Board has the odd Facebook Handle "CLAIM IT ONLINE1" 
The other Workers Compensation Appeals Board website did have an option to claim a LOT MORE MONEY, but you also had to pay a much larger fee:

$15 Million!  And all I have to send to Nigeria is $1.2 Million!  What a deal!
hippos://www.wcabcompensations[.]com/claim-compensation.html

A Facebook Lottery?

The last lottery of this type that we explored actually imitates Facebook itself.

YOU HAVE BEEN CHOSEN!!!!
The Facebook Benefit site also uses "A Sophisticated Automated Database to Randomly select E-mail Accounts And profile Page Owners that frequently surf the Facebook."

They like to capitalize almost as much as ME!

fbusersbenefit[.]com Beneficiary List
The agent for this one was - https://www.facebook.com/lise.richard8 

Could You Do Us A Favor?

WHEW!  That was a lot of Lottery Scams to review.  Could you do us a favor?

First, please share this blog post with your friends so they will be aware of this type of scam. Victims tend to be elderly and perhaps more trusting of computers, so sharing this with your older friends might be helpful.

Secondly, if you, a friend, or a family member has encountered any of these lottery scams and have saved any of your communications from the scammers, it would be SUPER HELPFUL if you could share that information.  Especially if you have email addresses or bank accounts that were used by the scammers.  

Feel free to leave me a comment below if you'd like to pass it to me, or if you are in the United States, please take a moment to share your details with the FBI's Internet Crime and Complaint Center, IC3.gov.   The great people at AA419 work closely with the website ScamSurvivors.com and would love to have you report details about anything you may have experienced related to this or other scams by visiting the Scam Survivors Forum.














Business Email Compromise: Putting a Wisconsin Case Under the Microscope

Clement Onuama and Orefo Okeke were arrested on November 1, 2017 in the Western District of Texas after receiving a complaint and warrant from the District of Wisconsin, that the pair were involved in Romance Scams and Business Email Compromise Scams.

This week Okeke was sentenced to 45 months in prison.  Onuama was sentenced on October 30th to 40 months in prison.
Orefo Okeke (image from Dallas News
Clement Onuama, 53

According to the Criminal Complaint and Indictments from the case, from 2010 until at least December 2016, in the Western District of Wisconsin and elsewhere Clement Onuama and Orefo Okeke knowingly conspired with each other and persons known and unknown to the grand jury, to commit and cause to be committed offenses against the United States, namely: wire fraud, in violation of Title 18, United States Code, Section 1343.

They used Romance fraud scams, developing relations via email, chat apps, and telephonic conversations.  Eventually the person that posed as the victim's online partner requested each victim for financial assistance. They told the victims that they needed funds in order to release a much larger sum of money that was frozen by a foreign country.

They also used Business email compromise scams, primarily by sending email messages that altered wire instructions causing funds to be deposited into accounts controlled by the criminals.  Often these emails were "spoofed" to appear to come from an employee or officer of their company.  During several such scams, the real officer was traveling.

 The deposited funds went into bank accounts of "nominees and shell entities" and were quickly converted to cash and cashier's checks, with a portion of the funds wired overseas.  The criminals also failed to pay taxes on their proceeds.

 $3,259,892 in transfers were attempted and the actual fraud losses were $2,678,328.  The proceeds laundered by Onuama totalled $428,346.  The proceeds laundered by Okeke totalled $538,100.

 Details of the Wisconsin BEC Fraud Scam 

  On or about February 19, 2014 at 10:02 am, an email puporting to be from Sarah Smith from the email ssmith@title-pros.com  was sent in reply to real estate agent Terrell Outlay of Madison, Wisconsin asking him to update wire instructions that were sent a few days before.  The email had an attachment from Portage County Title, on Portage County Title letterhead, updating the details and indicating funds should be sent to a Wells Fargo Bank account in Bettendor, Iowa in the name of TJ Hausch.

 $123,747.54 was wired later that day.

 On the same day, a wire transfer from Tammy Hausch's Wells Fargo bank account ending in 9492 sent $80,000 to a Wells Fargo bank account ending in 6411 held by Clement C. Onuama of Grand Prairie, Texas.  Clement withdrew $10,000 in cash that day, $20,000 in cash the following day, and purchased a cashier's check for $28,885 from the account.  On March 11, 2014, a check for $10,000 was sent from Okeke to Onuama, who cashed it.

 An Affidavit from a Treasury Agent shares more details.  Terrell Outlay was a new real estate agent who had recently relocated from Chicago.  Outlay is believed to have had malware planted on his computer in relation to a home sale that he negotiated in January 2014.

 After receiving the email from ssmith@title-pros.com, instructing the agent to have his client, Dynasty Holdings, wire $123,747.54 to the TJ Hasuch Wells Fargo account. He was contacted by the REAL Sarah Smith on February 25, 2014 to inform him the funds were never received into the BMO Harris Account which had been agreed to at closing.  Outlay reported the situation to his boss, who contacted the Madison Police Department.

 Although the email of February 19, 2014 seemed to be from ssmith@title-pros.com, the headers revealed it was sent from 162.144.88.87 and the actual email was ssmith.title-pros@outlook.com.

 A second email, confirming to Mr. Outlay that the new account should be used:  "Yes!! TJ Hausch Wells Fargo" -- used the email server located at web1.sh3lls.net with IP address 64.32.14.162 and the same outlook account, "ssmith.title-pros@outlook.com"

 Four additional pieces of email correspondence used the same "sh3lls.net" IP and return address.  Legitimate emails from Sarah Smith were sent from a Charter Communications IP address, confirmed by subpoena to belong to Portage County Title in Stevens Point, Wisconsin.

 The sh3lls.net IP belongs to Sharktech in Chicago, Illinois, and that particular IP address was leased from August 13, 2013 to March 24, 2014 by a Singapore-based company called Surat IT Pte. Ltd. It was used to host hundreds of websites.  The other IP address, 162.144.88.87, was confirmed to be a Unified Layer IP address operated by Bluehost.  The customer of record at that time was Hind Jouini of Dubai, UAE.

 The additional funds from the Tammy Hausch account were sent to a Bank of America account ending in 9593 held by P.M. Voss of Costa Mesa, California.

 Tammy Hausch was interviewed by the US Secret Service in Madison, Wisconsin.  She was unaware of the source of the $123,000.  She had actually performed four similar transactions in the past, all at the bequest of her online boyfriend, Brian Ward, with whom she had communicated exclusively online.  Brian needed her help because he and his friends had funds that were locked up in Spain and he needed additional funds to pay to have those funds released.

 Hausch had previously received a $12,112 check from the IRS addressed to Brian and Patricia Downing.  "Brian Ward" said that Patricia Downing was the maiden name of his deceased wife.

 Brian Downing was interviewed and reported that when he attempted to file his 2013 taxes, he learned they had already been filed and that an unauthorized tax refund of $12,112 had already been paid to a Wells Fargo account ending in 9492.  He confirmed his wife Patricia was not deceased and introduced her to the agent.

  More BEC Fraud Linked to the Case 

  On August 23, 2016, Anessa Hazelle, the financial controller of Ocean Grove Development of Basseterre, Saint Kitts, West Indies told the Treasury investigator that on November 30, 2015, an email claiming to be from her supervisor, Nuri Katz, urged her to wire $84,100 to D&D Serv, Inc of Grand Prairie, Texas, to pay an invoice for the purchase of "VxWorks Proll" for $84,100.  Hazelle did as she was ordered, and sent the funds.  Katz was on a flight to Russia at that time.  After she landed, they had a telephone conversation and learned that this email had been fraudulent.

 Katz true email was "nkatz@apexcap.org" but the email with the wire transfer instructions was from "nkatz@adexec.com" - similar enough that Hazelle did not notice the difference.  The funds were sent to a Capital One Bank account ending in 8232.

 That Capital One acount was opened by Clement C. Onuama d/b/a D&D Serv, Inc, of 2621 Skyway Drive, Grand Prairie, Texas.  Onuama was the sole signatory of the account.

 On July 26, 2016, Daniel Yet, the owner of D&T Foods of Santa Clara, California, relayed a similar experience.  His personal investment account at TD Ameritrade was managed by Bao Vu.  On June 29, 2015, while Yet was traveling overseas on vacation, Vu attempted to contact him to verify a wire transfer request sending $22,000 to a Regions Bank account ending in 6870 for Sysco Serve.  Since Vu could not reach Yet, and the matter had been described as urgent, Vu went ahead with the wire.  A SECOND request came through asking for an additional $30,000 to be sent.

 The Regions Bank account ending in 6870 was opened by Orefo S. Okeke d/b/a Sysco Serve, with the same address as the Capital One account controlled by Onuama above, 2621 Skyway Drive, Grand Prairie, Texas!

 The 6870 Regions account made a payment of $15,000 on July 1, 2015 (two days after the deposit from Mr. Yet's TD Ameritrade account) to another Regions Bank account ending in 6452.

 The 6452 Regions account was opened by Clement C. Onuama d/b/a D&D Serv, of 2621 Skyway Drive, Grand Prairie, Texas.

  Letters from Okeke

  The defense entered seven letters to be considered during the sentencing hearing.  In the first, Orefo explains that when he first came to America, he made a business of buying used American cars and reselling them in Nigeria.  He ended up in financial hardship, which he blames partly on medical bills for his sick father and partly on caring for his wife and two step children.  He was approached by others in Nigeria who needed his assistance in converting US dollars to Nigerian Niara.

 The other letters explained how Orefo was kind enough to hire a convicted felon to work for him, and a disabled veteran.  One letter, from his Aunty, says he is kind and loves animals. His wife begs the mercy of the courts and explains how much her children miss him.  Okeke's brother in South Africa explains to the judge that his brother is an honest God-fearing man and that his pleading guilty demonstrates his honesty, and that this trial caused the death of their father and now their mother's health is also on the line. His uncle writes how sad it is that the judge has incarcerated his nephew for a non-violent first time offense causing him to miss his sister's wedding and his father's funeral.  A friend explains Okeke's very good moral character and how he always operates with integrity.

 On the other hand, the FBI says that Business Email Compromise has stolen $12 Billion dollars, and that just from June 2016 to May 2018 they have identified 30,787 victims, of which 19,335 of them were in the United States.  Records from October 2013 to May 2013 actually show at least 119,675 victims!  Hopefully the examples shared above will help us realize more about how these people come to be victims -- often losing their entire life savings, or funds that cause them to no longer be able to buy a house or continue the operation of a business!

Memphis BEC Scammers Arrested and At Large

The FBI announced another round of Business Email Compromise arrests this past week.  This time, a focus was in Memphis, Tennessee.  According to the Western District of Tennessee Press Release, "Eight Arrested in Africa-Based Cybercrime and Business Email Compromise Conspiracy", the individuals involved stole more than $15 Million!

The main indictment, originally filed in August 2017, charges 11 individuals with a variety of offenses related to their Business Email Compromise [BEC] crimes.


Count 1: 18 USC §1349.F - Attempt and Conspiracy to Commit Mail Fraud - penalties of up 20 years in prison and fines of up to $250,000, plus supervised release for up to 3 years.

Counts 2-8: 18 USC §1343.F - Fraud by Wire, Radio, or Television - penalties of up to 20 years in prison and fines of up to $250,000, plus supervised release for up to 3 years.

Count 9: 18 USC §§1956-4390.F - Money Laundering - Embezzlement, Other - penalties of up to 20 years in prison and fines of up to $500,000, plus supervised release for up to 3 years.

Count 10: 18 USC §371.F - Conspiracy to Defraud the United States - penalties of up to 5 years in prison and fines of up to $250,000, plus supervised release for up to 1 year.

Count 11-14: 18 USC §10288.A.F - Fraud with Identification Documents + Aggravated Identity Theft - 2 years incarceration consecutive to any other sentence imposed, plus fines of not more than $250,000.

1. Babatunde Martins (Counts 1,9,10,11)
2. Victor Daniel Fortune Okorhi (Counts 1,9,10)
3. Benard Emurhowhoariogho Okorkhi (Counts 1, 2, 3, 9, 10)
4. Maxwell Peter (Counts 1, 4, 6, 7, 8, 9, 10, 11, 14)
5. Dennis Miah - (Counts 1,9,10,11,13)
6. Sumaila Hardi Wumpini - (Counts 1,9,10)
7. Olufolajimi Abegunde (USM # 71343-019), (Counts 1,9,12)
8. Ayodeji Olumide Ojo (Counts 1,9,12)
9. Dana Brady (Counts 1,9)
10. James Dean (USM # 52637-076)  (Counts 1,9)
11. Javier Luis Ramos Alonso, 28,  (USM #24513-111) (Counts 1, 5, 9, 12)

In a separate indictment, Rashid Abdulai, was charged for much of the same, but with his key role being controlling five TD Bank accounts that were used to launder funds.

The primary victim in this case seems to be "Company A", a real estate company in Memphis, who is foolishly identified in the indictment through the carelessness of the author.  I've chosen to redact myself on that, but DAMN!  When you describe the company in such a way that there is exactly one such company on planet earth, you are failing to keep the faith of your victim companies.  Shame!

Fortunately, the indictment also shares a lot of details on the defendants:

RASHID ABDULAI, age 24
a citizen of Ghana, residing in Bronx, New York
controlled at least five TD Bank accounts

BABATUNDE MARTINS, age 62
email: papamart2000@yahoo.com
Company: Afriocean LTD
Nigerian citizen living in Ghana

VICTOR DANIEL FORTUNE OKORHI, age 35 -  *** STILL AT LARGE AND WANTED***
emails:  vicfoko@yahoo.com, VicdarycorriLTD@gmail.com, vicdarycomltd@icloud.com
Company: Vicdary Company LTD
Nigerian citizen living in Ghana

BENARD EMURHOWWHOARIOGHO OKORHI, age 39
emails: Marc.Richards@aol.com, benardokorhi@yahoo.com
Company: Coolben Royal Links LTD
Nigerian citizen living in Ghana

MAXWELL ATUGBA ABAYETA (AKA Peter Maxwell, AKA Maxwell Peter ), age 26
emails: petermaxwell200@gmail.com, sandarlin200@yahoo.com
social accounts: Facebook.com/maxwell.peter.5688
citizen of Ghana

DENNIS MIAH (aka Dennis Brown, AKA Dr. Den Brown), age 34 -  *** STILL AT LARGE AND WANTED***
 emails: JimRoyAirSeal1@yahoo.com, drdenbrown@yahoo.com
social accounts: Facebook.com/Oga.Bossson, Twitter.com/Oga.Bossson
citizen of Ghana

SUMAILA HARDI WUMPINI, age 29 - *** STILL AT LARGE AND WANTED***
email: hardi765_new@hotmail.com
social accounts: Facebook.com/Wumpini.Hardy
resident of Ghana

OLUFOLAJIMI ABEGUNDE, age 31
Nigerian citizen residing in Atlanta, Georgia

AYODEJI OLUMIDE OJO, age 35 -  *** STILL AT LARGE AND WANTED***
Nigerian citizen, lives with ABEGUNDE in Atlanta when in United States

DANA BRADY, aged 61
emails: bradydana50@gmail.com
US Citizen residing in Auburn, Washington

JAMES DEAN, aged 65
US Citizen, residing in Plainfield, Indiana

JAVIER LUIS RAMOS ALONSO, aged 28
Mexican citizen, residing in Seaside, California

D. G. -
emails: d2t2green696@gmail.com, d2t2green696@yahoo.com
US Citizen residing in Mississippi

J.R.
emails: LRIGNWM@yahoo.com
US Citizen residing in New Jersey

M.Z.
emails: CMIMIGO@aol.com
US Citizen residing in Utah

T.W. - US Citizen residing in Tennessee
J.B. - US Citizen residing in Alabama
C.M. - US Citizen residing in Tennessee (Western District)
C.W. - US Citizen residing in Tennessee
A.K. - US Citizen residing in Tennessee (Western District)
V.M. - US Citizen residing in Georgia

How It Worked

Martins, Maxwell, Bernard Okorhi, Victor Okorhi, and/or Miah would get the IP addresses of potentially vulnerable email servers and target them for intrusion.  Using US based IP addresses offered through VPN services, they would access a variety of websites, including credit card transaction processors and dating websites.  Their role in the conspiracy also included originating the spoofed emails that will be explained later.

Martins, both Okorhis, Maxwell, Miah, Wumpini, Brady, Dean, Ojo, and others would open bank accounts for receiving fraudulently-obtained funds and sending them to other accounts controlled by their co-conspirators.  

Because they had control of email accounts at Crye-Leike, they could tell when fund transfers related to real estate sales were scheduled to take place.  They would then spoof the email addresses of those involved in the transactions and send instructions causing the financial transfers to be redirected to accounts controlled by members of the conspiracy.

The funds were then laundered in a variety of ways, including using the funds to purchase goods, including construction materials, cell phones, and other electronics, and having those goods shipped to Ghana for use or resale to benefit the members of the conspiracy.

Maxwell, Miah, and both Okorhis created false identities and created dating profiles with false emails to correspond to their false dating profiles.  Through these, they lured victims into online romance scams, gold-buying scams, and a variety of advanced fee fraud scams.  These romance scam victims would carry out acts on behalf of the conspiracy, including forwarding counterfeit checks, receiving and shipping merchandice, and transferring proceeds via wire, US Mail, ocean freight, and express package delivery services.

Martins, Maxwell, Miah, and both Okorhis also purchased stolen PII, including credit card information, banking information, and IP addresses from underground forums specializing in the sale of such information.

By purchasing cell phones in the United State and activating Voice-over-IP (VOIP) accounts, the US telephone numbers could then be used by the conspirators in Africa, allowing them to appear to be making their calls in the United States.

Some of the activity in this case dates back to 2012, when MIAH was already using fraudulently purchased credit cards and remote desktop protocol (RDP) to make online purchases that appeared to be in the United States.  (Hackers compromise US computers and set them up to use RDP so that foreign criminals can use them to originate credit card purchases in places where the credit card was issued.  By having, say, a Memphis Tennessee IP address, purchases made by a Memphis Tennessee credit card do not seem as suspicious.)

Specific Acts

Some of their crimes were extremely bold.  For example:

"On or about December 13, 2016, MIAH caused construction materials to be purchased with fraudulently obtained funds, and caused a freight container of construction supplies to be sent to him in Ghana."  WHAT?!?!  That's bold!

The compromise of the email accounts at Company A was in play by June 30, 2016, when $33,495 was wired to the wrong location after a tip received from stolen emails.

In August 2016, OJO opened a new Wells Fargo bank account, after his previous account at Bank of America was shut down due to fraud.  He used ABEGUNDE's new address (presumably in Atlanta, Georgia) as the address for the new account.

He also opened a Wells Fargo account in the same address in October of 2016.

Benard Okorhi sent emails as "Marc.Richards@aol.com" directing C.M. to obtain cash advances from credit cards and send the proceeds to recipients in Ghana.  He also ordered C.M. to purchase five iPhones and ship them to Ghana.

Miah used the "DrDenBrown@yahoo.com" email to tell Okorhi (as Marc.Richards) to smooth things out on the phone with a romance scam victim, because Okorhi had a better American accent.

Some of the other interesting "acts" in the conspiracy included:

25JUL2016 - Javier Luis Ramos Alonso accepts a $154,371 wire from Company A into his Wells Fargo account ending in 7688 and then sends the funds to accounts controlled by OJO in Atlanta.

26MAY2017 - Maxwell Peters sends a WhatsApp message directing an undercover Memphis FBI agent to receive a $15,000 check on his behalf.  Ooops!

30MAY2017 - Maxwell Peters directs the FBI agent to send $5,000 of the proceeds to himself in Ghana.

02JUN2017 - Maxwell Peters directs the FBI agent to send a $15,000 check to himself in Ghana.

Although the indictment doesn't lay out more of the particular acts, the Press Release says that this group stole more than $15 Million altogether!

Some interesting images

"M.Z." has an interesting Amazon Wish List for a romance scammer involved in shipping electronics:

On December 8, 2017, Abdulai says is asked in one of his WhatsApp chats:  "Hope Maxwell case didn't put you into any problem."  He responded "FBI came to my house asking me stuff about those transactions that was coming into my account so I'm tryna stay out f this whatapp n stuff for a while cuz I feel like they tracking me."

You got that right, Abdulai!



Operation Wire Wire: the South Florida Cases Part 3

In the main DOJ Operation Wire Wire press release, the South Florida cases are described like this:

  • Following an investigation by the FBI and the U.S. Secret Service, 23 individuals were charged in the Southern District of Florida with laundering at least $10 million from proceeds of BEC scams, including eight people charged in an indictment unsealed last week in Miami. These eight defendants are alleged to have conspired to launder proceeds from numerous BEC scams, totaling at least approximately $5 million, including approximately $1.4 million from a victim corporation in Seattle, as well as various title companies and a law firm.
In Part 1 we reviewed 17-CR-20748, the case against Destiny Asjee Rowland, Lourdes Washington, and Cynthia Rodriguez.  (See Operation Wire Wire: The South Florida Cases, Part 1 )

In Part 2 we reviewed 18-CR-20170, the case against Eliot Pereira, Natalie Armona, Melissa Rios, Bryant Ortega, Angelo Santa Cruz, Alexis Fernandez Cruz, Roberto Carlos Gracia, Jose E. Rivera, Angeles De Jesus Angulo, Jennifer Ruiz, Yirielkys Pacheco Fernandez, and Sebastian Loayz.  (See Operation Wire Wire: The South Florida Cases, Part 2

Part 3 in our blog series focuses on those "eight people charged in an indictment unsealed last week in Miami", which refers to case 18-CR-20415, the case against Gustavo Gomez, Selene Joya, Jaremy Lucia Mena, Jose Brito Garcia, Jessica Hyde, Hillary Lee Williams, Juan Frias, and Ariel Champaign Edwards.

What links all of these cases together is that in each case, the ring leaders were recruited into their scam by the same individual: Roda Taher, who will be the focus of our next blog post "Operation Wire Wire: Who is Roda Taher?" 

The indictment begins with the statement:

"Roda Taher, aka Ressi, aka Rezi, hereinafter Taher, was the manager and supervisor of a criminal organization that engaged in money laundering by utilizing money mules and recruiters in the Southern District of Floirda, in other place in the United States, and in foreign commerce."

It then introduces our cast of characters.  As in South Florida case 1 and case 2, each of the players is recruited and instructed to set up a shell company, incorporating it in Florida, and establishing corresponding bank accounts with which to receive the proceeds of various Business Email Compromise and Spear Phishing attacks which fool company employees into wiring funds or transferring them via ACH, into the shell company accounts.

Defendant #1: Gustavo Gomez, b.1985, incorporated AG Universal Links in Hollywood, Florida.
Defendant #2: Selene Joya, b. 1990, incorporated Joya Star Life, Inc. in Miami Gardens, Florida.
Defendant #3: Jaremy Lucia Mena, b. 1992, incorporated Jaremy International, Inc. in North Miami, Florida.
Defendant #4: Jose Brito Garcia, b. 1981, incorporated Brito Commercial Products, Inc. in Hollywood, Florida.
Defendant #5: Jessica "Chuchi" Hyde, b.1987, incorporated Hyde Quality Inc. in Cutler Bay, Florida.
Defendant #6: Hillary Lee Williams, b. 1992, incorporated H Lee W Trade Group Inc. in Miami, Florida.
Defendant #7: Juan Frias, b. 1985, incorporated Ocean Surplus, Inc. in Miami, Florida.
Defendant #8: Ariel Champaign Edwards, b. 1991, incorporated Ariel Prime Trades Inc. in Miami, Florida.

Gustao Gomez worked closely with Roda Taher and other recruiters to recruit money mules and coach them in the manner in which they should set up their bank accounts.  According to the indictment:

"The recruiters would instruct money mules to open bank accounts in the name of their shell companies at various banks in the Southern District of Florida and elsewhere, and to falsely tell bank representatives that their shell company was a legitimate business engaged in the sale, import, or export of goods.  Taher and his recruiters gave different money mules a variety of false and fraudulent explanations regarding the nature of their businesses, including the sale, export, or import of textiles, furniture, electronics, or other goods.  However, the shell companies would not conduct any legitimate business."

"Once a money mule had opened a shell bank account in his or her shell company's name, those accounts would receive wire transfers of the proceeds of various fraudulent schemes.  The fraudulent schemes included, primarily, but were not limited to, email hacking or spoofing, also known as business email compromise and spearphishing scams.  Co-conspirators would hack into a victim's email account or otherwise take over that account without permission.  In a variation of this scheme, co-conspirators would "spoof" or create a fraudulent email account that was made to look like a victim's real email account.  The co-conspirators would then send email messages via the hacked or spoofed email accounts to individuals or corporations, instructing them to wire large sums of money to the money mules' shell bank accounts."

Roda Taher and the other recruiters would notify the mules when funds would be arriving into their accounts. These communications were primarily via the mobile phone encrypted messaging service WhatsApp.  They would be given instructions on what amounts would be received, where to wire the funds, and what commissions they were allowed to withdraw.  The commissions would be split with their recruiter, while the wires often sent the bulk of the money to China, Poland, and other destinations.

When banks closed the accounts, Taher would instruct the mules to open additional accounts at other banks.  Top performing mules were invited to become recruiters by inviting others to join the scheme as mules.  Recruiters received a percentage of the proceeds from the work of each mule they recruited.

The transactions particularly mentioned in the indictment are listed here. 

CountDateDefendantTransaction
202JUL2014Gustavo Gomez$48,500 from AG Universal Links' Wells Fargo Bank account to Sonish Enterprises FZE in Dubai, UAE
318JUL2014Gustavo Gomez$192,000 from AG Universal Links' Wells Fargo Bank account to Sonish Enterprises FZE in Dubai, UAE
419JUL2014Gustavo Gomez$4,500 from AG Universal Links' Wells Fargo Bank account to Zion Luxury Car Rental Inc.
501AUG2016Selene Joya$8,600 from Joya Star Life Inc's Bank of America Account
601AUG2016Selene Joya$5,500 from Joya Star Life Inc's Bank of America Account
701AUG2016Selene Joya$4,000 from Joya Star Life Inc's Bank of America Account
826JAN2017Jaremy Lucia Mena$78,902 from Jaremy International Inc's TD Bank account to Bella Tyre Co Ltd in China
926JAN2017Jaremy Lucia Mena$9,400 from Jaremy International Inc's TD Bank account
1013FEB2017Jose Brito Garcia$37,904 from Brito Commercial Products Inc's TD Bank account to Huge Elite Limited in Shanghai, China(*)
1117MAY2017Hillary Lee Williams$79,980 from H Lee W Trade Group's SunTrust Bank account to Redington Gulf FZE in Dubai, UAE
1206SEP2017Juan Frias$59,700 from Ocean Surplus Inc's TD Bank account to Zhejiang Oudi Machine Co. Ltd. in Zhejiang, China
1302NOV2017Ariel Champaign Edwards$8,200 from Ariel Prime Trade Inc's Wells Fargo account
1421NOV2017Ariel Champaign Edwards$700 from Ariel Prime Trade's Bank of America account

* - Worth noting that "Huge Elite Limited" in Shanghai, China was also the recipient of ill-gotten gains from Bryant Ortega in "Part 2."

This case is much "fresher" than some of the others.  The first arraignment in the case being Gustavo Gomez's appearance on May 31, 2018.  Gustavo just bonded out on June 11, 2018, for $50,000 posted by his girlfriend's brother.

Operation Wire Wire: the South Florida Cases Part 2

The Second South Florida case is linked to the first because this entire conspiracy also is part of the work of Roda Taher, AKA Ressi, AKA Rezi, the top recruiter in the first case.  However, in this 30 count indictment, the only one NOT named is Roda Taher.

Rezi recruited Eliot Pereira and Melissa Rios, below, who each in turn recruited others.




Defendant #1:  Eliot Pereira, b.1993 - opened "Eliot Products & Arts, Inc." and recruited and managed mules.
Defendant #2: Natalie Armona - opened "Armona Furniture Design Concept & Textile" and recruited and managed multiple mules and recruiters, including defendants #5, #8, #9, #10, and #12.
Defendant #3: Melissa Rios, b. 1996 - opened "Taihan Fiberoptics, Inc." and recruited #2
Defendant #4: Bryant Ortega, b. 1996 - opened "Bryant Tech Deals" and recruited and managed multiple mules, including Defendant #7. (4631 West 9th Court, Hialeah, FL 33012)
Defendant #5: Angelo Santa Cruz, b. 1994 - opened "ASC Worldwide, Inc" and recruited and managed multiple mules, including Defendants #6 & #11.
Defendant #6: Alexis Fernandez Cruz, b. 1992 - opened "Alexis Universal, Inc."
Defendant #7: Roberto Carlos Gracia, b. 1994 - opened RCG Deals, Inc.
Defendant #8: Jose E. Rivera, b. 1989 - opened Rivera Worldwide, Inc.
Defendant #9: Angeles De Jesus Angulo, b. 1996 - opened Angeles Premier Trades, Inc.
Defendant #10: Jennifer Ruiz, b. 1994 - opened Josette Quality, Inc.
Defendant #11: Yirielkys Pacheco Fernandez, b. 1984 - opened YF Nationwide, Inc.
Defendant #12: Sebastian Loayza, b. 1994 - opened Sure Trades, Inc.

This case starts off with a criminal complaint from the Miami office of the United States Secret Service.

It begins with his overview of the case, which is worth quoting here:

"Federal law enforcement agents have been investigating numerous business email compromise and spear phishing scams wherein various fraudsters targeted employees with access to company finances and tricked them into making wire transfers to bank accounts thought to belong to trusted partners -- except in fact, the accounts were shell companies controlled by the fraudsters.

Different people played different roles in the scheme.  Some of the co-conspirators hacked into and took control over certain victim companies' business email accounts without the knowledge or consent of the true email account holders, or created email accounts similar to, but slightly different from, real business email accounts.  Using the sham or compromised email accounts, the fraudsters then sent emails soliciting payments, claiming that funds were owed, and representing that payments for services rendered by the victim companies should be redirected to different accounts.

Other co-conspirators, known as money mules, opened shell companies and bank accounts into which the funds were fraudulently transferred, and then withdrew the fraud proceeds in cash, or wired the fraud proceeds into their foreign and domestic bank accounts.  Several money mules progressed to recruiting and managing other mules."

Natalie Armona may have been a good choice for Melissa to recruit based on her work.  Here's a Facebook post of hers from last year!  But by the dates, she had been in the money mule business quite a while before landing this job as a Junior Processor at a lending firm.


Armona's TD Bank account 

The complaint begins by telling the story of Natalie ARMONA, who opened a business, Armona Furniture Design Concept & Textile Inc., incorporating the business in Florida using her home address and opening a business checking account at TD Bank.  She was the sole signatory, and used her true social security number on the account.  The account was opened on December 9, 2106 and received its first wire December 14, 2016, from a scammed medical center (Victim Company A).  After taking out her commission in cash ($5,500) using her true Florida drivers license number as identity confirmation, Armona wired the rest of the money to "Flame Land International Limited" in Hong Kong.

On December 21, 2016, Armona's TD Bank account received an ACH for $724,395. Armona again paid herself first, withdrawing $10,508 in person.  Three wires went out.  $288,301 to "Caplan Sp Zoo" in Warszawa, Poland.  $194,110 to the same.  $94,218 to "Baolifeng Intl Trading Limited" in Shenzhen, China.  Armona paid herself twice more, once for $5,500 and once for $9400.  On December 27, 2016, she dipped three more times, for $800, $3800, and $9900.

Armona's SunTrust Bank account 

On December 9, 2016, Armona Furniture opened a SunTrust Bank account.  On December 30th she got an inbound ACH of $35,170 from a Pennsylvania sign company.  Also on December 30th, she got an incoming wire from Kukutula Development Company LLC in Koloa, Hawaii in the amount of $59,850.  On January 3, 2017, Armona withdrew $35,170.  On January 13, 2017, SunTrust closed the account for fraud with a balance of $59,850.

ASC WorldWide

A collaborating witness told the Miami Electronic Crimes Task Force that he had been recruited by Armona and had opened a shell company in the name ASC WorldWide, with accounts at TD Bank and Suntrust Bank.  Among other activities, he used email-based scams to cause $80,000 to be wired.

After a few successful jobs, the suspect said that Armona told him he could earn extra money by recruiting others into the scam.  He agreed to allow the USSS to record his emails, phone calls, and any text or WhatsApp communications involving others in the scheme.

The Ortega Case 

Although Bryant is not credited with recruiting Natalie Armona, the two are Facebook friends.  Bryant's profile also suggests that he may have had access to Personal Information, as an agent at a Health Insurance organization.  His cover photo indicates he's a fan of money!


The same USSS agent who did Armona's case also swore out the affidavit of criminal complaint against Bryant Ortega.  Ortega opened a TD Bank account for his new corporation, Bryant Tech Deals, which matched his home address of 2160 NW 111 Avenue, Sunrise, Florida 33322.  Bryant Tech Deals also opened a SunTrust account.  Both accounts were opened on February 13, 2017 and on March 6, 2017 the SunTrust account received an inbound wire of $283,750.50.  On March 7th, three withdrawals were made.  $500 from an ATM, $5600 over-the-counter, and $8400, also over-the-counter.  Ortega's true Florida drivers license was shown as proof of identify for the in-person withdrawals. Also on March 7, 2017, $94,110 was wired to "Huge Elite Limited" in Shanghai, China. After paying himself three more times the following day ($400 ATM, $800 at the counter, and $6200 at the counter), another wire of $128,705 went to Huge Elite Limited.  On March 9, 2017, an additional  $33,000 was wired out to "Lofty Ease Limited" in Shanghai, China.
(Ortega was arrested Jan 25, 2018)

The Pereira Case 

The third case, Feb 23, 2018, has an affidavit from Miami's FBI office from an agent who previously served as a Computer Scientist in the Philadelphia office! Pereira ran several schemes against companies by impersonating their officers, including Fakhoury Law Group (Troy, Michigan), High Tech Lending (San Diego, California), Gaumer Company (Houston, Texas), Park Corporation (Cleveland, Ohio), and Zija International (Lehi, Utah.)  Each of those companies received fraudulent emails, claiming to be from an executive of their own company, ordering that wires be sent to accounts controlled by "OS Fly Tech Incorporated."   Pereira hired an unnamed middle man to set up additional corporate accounts at Bank of America, Wells Fargo, SunTrust Bank, and Regions Bank.  The Middleman says that Pereira was working with an unknown male who he called "Rezi."  This would be the same person that Cynthia Rodriguez was working for (see Operation Wire Wire: The South Florida Cases, Part 1) Roda Taher.  Pereira and Rezi gave one of their mules an email os20technologies@gmail.com to use.


As shown above, nearly $1M in wires were sent to company accounts at Bank of America, SunTrust Bank,  TD Bank, and Wells Fargo Bank in September and October of 2016.  Pereira and his middleman communicated through WhatsApp and Email.  (954.554.5501 / bossmanweston@gmail.com / osflytechnologies@gmail.com )

The Big Picture 

Roda Taher, AKA Ressi, AKA Rezi, was the manager and supervisor of a criminal organization in the Southern District of Florida and elsewhere.  He recruited all of the defendants in this case, encouraged them to open shell accounts and receive illegally transferred funds, some of which they directly wired to China, Poland, and elsewhere.

The case involves 30 distinct financial transactions:
CountDateDefendantTransaction
202SEP2016Eliot Pereira$89,630 from OS Fly Tech's Wells Fargo account to China
330NOV2016Melissa Rios$13,844 from Tiahan Fiberoptics Inc's TD Bank account to Huzhou Nanmei Textile
423DEC2016Natalie Armona$288,301 from Armona Furniture's TD Bank account to Caplan Sp Zoo in Warszawa Poland
423DEC2016Natalie Armona$194,110 from Armona Furniture's TD Bank account to Caplan Sp Zoo in Warszawa Poland
523DEC2016Natalie Armona$288,301 from Armona Furniture's TD Bank account to Caplan Sp Zoo in Warszawa Poland
623DEC2016Natalie Armona$94,218 from Armona Furniture's TD Bank account to Baolifeng Intl. Trading Limited in Shenzhen China
712JAN2017Natalie Armona$44,618 from Armona Furniture's TD Bank account to Hangzhou Jieenda Textile Co Ltd in China
807MAR2017Bryant Ortega$94,110 from Bryant Tech Deal's SunTrust account to Huge Elite Limited in Shanghai, China
908MAR2017Bryant Ortega$128,705 from Bryant Tech Deal's SunTrust account to Huge Elite Limited in Shanghai, China
1008MAR2017Bryant Ortega$6,200 from Bryant Tech Deal's SunTrust account
1128MAR2017Bryant Ortega$179,302 from Bryant Tech Deal's SunTrust account to Lofty Ease Limited in Shanghai, China
1214APR2017Roberto Carlos Garcia$3,500 from RCG Deals Inc's Bank of America account
1317APR2017Roberto Carlos Garcia$112,000 from RCG Deals Inc's Bank of America account to KT and G Corp
1417APR2017Roberto Carlos Garcia$7,000 from RCG Deals Inc's Bank of America account
1517APR2017Roberto Carlos Garcia$3,000 from RCG Deals Inc's Bank of America account
1628APR2017Jennifer Ruiz$39,841 from Josette Quality Inc's TD Bank account to Huzhou Nanmei Textile Co. Ltd.
1728APR2017Jennifer Ruiz$3,400 from Josette Quality Inc's TD Bank account
1804MAY2017Roberto Carlos Garcia$100 from RCG Deals Inc's Bank of America account
1926OCT2017Angelo Santa Cruz$88,950 from ASC Worldwide's Chase Bank account to Niche Holding Ltd.
2026OCT2017Angelo Santa Cruz$7,000 from ASC Worldwide's Chase Bank account
2101NOV2017Alexis Fernandez Cruz$8,600 from Alexis Universal Inc's TD Bank account
2207NOV2017Angelo Santa Cruz$96,500 from ASC Worldwide's TD Bank account to Zhejiang Oudi Machine Co. Ltd.
2307NOV2017Angelo Santa Cruz$8,500 from ASC Worldwide's TD Bank account
2409NOV2017Alexis Fernandez Cruz$8,500 from Alexis Universal Inc's SunTrust Bank account
2521NOV2017Yirielkys Pacheco Fernandez$34,810 from YF Nationwide Inc's Chase Bank account to Nantong Gomaa International Co. Ltd.
2606DEC2017Yirielkys Pacheco Fernandez$88,528 from YF Nationwide Inc's Chase Bank account
2730NOV2017Jose E. Rivera$54,210 from Rivera Worldwide Inc's Bank of America account to Zhejiang Senhuang Trading in Zhejiang, China
2830NOV2017Jose E. Rivera$6,100 from Rivera Worldwide Inc's Bank of America account
2903JAN2018Angeles De Jesus Angulo$79,400 from Angeles Premier Trades Inc's Wells Fargo Bank account to Farstar International Ltd
3003JAN2018Angeles De Jesus Angulo$8,600 from Angeles Premier Trades Inc's Wells Fargo Bank account

Altogether, this group is charged with laundering more than $5,000,000.

The case is scheduled to be heard in Jury Trial beginning on June 25, 2018 before Judge Marcia G. Cooke in Miami, Florida.

Tomorrow (June 13, 2018) two of the defendants are meeting to change their plea.  Jennifer Ruiz and Yirielkys Pacheco Fernandez have decided they may not want the 20 year sentence that all of them are facing as part of a conspiracy to commit money laundering at this level!

Operation Wire Wire: The South Florida Cases, Part 1

Yesterday we started a series of posts about Operation Wire Wire, where the Department of Justice announced charges against 74 people for Business Email Compromise and related scams.

The South Florida cases are so huge, we're actually going to break them into three parts as well.  In part one, we'll look at the case against Cynthia Rodriguez, Destiny Asjee Rowland, and Lourdes Washington.


Defendant #1: Cynthia Rodriguez:
18:1349.F Conspiracy to Commit Wire Fraud
18:1956-3300.F Conspiracy to Commit Money Laundering
18:1956-3300.F Money Laundering and Forfeiture Count

Defendant #2: Destiny Asjee Rowland
18:1343 Wire Fraud
18:1349 Conspiracy to Commit Wire Fraud
18:1956(h) Conspiracy to Commit Money Laundering
18:1956 Money Laundering
18:1956(a)(1)(B)(i) Money Laundering

Defendant #3: Lourdes Washington
18:1349 Conspiracy to Commit Wire Fraud
18:1956(h) Conspiracy to Commit Money Laundering
18:1956(a)(1)(B)(i) Money Laundering

According to the indictment against Destiny Asjee Rowland, Rowland incorporated "Asjee Luxury Inc" in July 2017 and claimed to be a furniture merchant wholesaler at 3688 NW 83rd Lane in Sunrise, Florida.  The victim companies in her case were a company in Eau Claire, Wisconsin, a lumber company in Illinois, and an escrow company in Roseville, California that was selling property for two people called "KW" and "TW" in the indictment.

Asjee Luxury opened accounts at TD Bank and SunTrust Bank.  Using other people's names and email addresses, she convinced companies to transfer money to her account, including by falsely claiming to be the lumber company, where she sent "urgent audit" notices to the Wisconsin company demanding immediate wire transfers of payments owed to the lumber company.  That email came from an IP address in Nigeria on July 27, 2017.  By July 28th, a Bank of America account in Wisconsin had sent $1,651,699 to her TD Bank account in Florida.

 She also caused the escrow company to redirect payments intended for their clients KW and TW to accounts she controlled, receiving $451,759 from a City National Bank account in California into her SunTrust Bank account in Florida on July 31, 2017.

Cynthia Rodriguez and Loudes Washington have a ten page criminal complaint written by a US Secret Service agent to describe their case.  Washington created a new business, LW Nationwide Inc, at 9561 Fountainebleau Blvd, Apartment 402, Miami, Florida 33172, which coincidentally is also his driver's license address.  Then he opened a Bank of America account in that name.

A Real Estate attorney, BD, was handling the closing on several pieces of property.  On Feb 14, 2017, he receives an email from ***@themarstongroup.com informing him that he would receive a check for $37,225 via registered mail, along with a 1099 tax form.  The next day, an email from the same name ***@gmx.us said that he was leaving town unexpectedly and needed the funds sent via wire transfer instead.  Those funds were then directed to the BofA account of LW Nationwide.  Those funds were immediately RE-wired to a bank account in Zhejiang, China.  The same day, Washington withdrew funds from an ATM in Hialeah, Florida.  Three minutes later, at the same ATM machine, Cynthia Rodriguez withdrew funds from the LW Nationwide account, using the same debit card as Washington.   Bank of America's logs reveal that an IP address, 50.143.68.4 was used to access the account.  That IP address was Rodriguez's home Comcast Cable account at 2914 Funston Street, in Hollywood, Florida.  Rodriguez made additional withdrawals from the account, including from a drivethrough ATM whose cameras captured the license plate of her Nissan Quest, 520-TML, registered to Rodriguez.

Washington was later arrested (December 2017) as a result of an open warrant in Kentucky, and testified to opening the accounts, making the wire transfers, and doing the cash withdrawals "at the behest of her recruiter/manager" who she did not identify.

Meanwhile, the Eu Claire, Wisconsin business contacted the US Secret Service about the scam involving the fake invoices from the lumber company.   Records from the state of Florida revealed that Asjee Luxury only had one officer, and one signatory on their bank accounts. What seems to be a cooperating witness (Individual 1) in that case revealed that Rodriguez had recruited them to open several sham business accounts, including the TD Bank account belonging to Asjee Luxury!  Shortly after the California real estate company wired money into that account, ATM video footage showed Individual 1 withdrawing $8,000 cash from the account.  Individual 1 would then give half of the money to Rodriguez and keep the other half.  Individual 1 also opened a shell company called Wide Assure Trades Inc and a corresponding Bank of America account.

On October 27, 2017, Rodriguez notified Individual 1 that Wide Assure Trades was going to receive some money.  That account was logged into the same day from 76.18.27.6, the IP address that Comcast listed for Rodriguez's home address at 2914 Funston Street, Hollywood Florida at that time.  (DHCP addresses change from time to time.)

Later an additional document, not an indictment, but rather "Superseding Information" was filed



The Superseding Information reveals that Cynthia Rodriguez had incorporated "CR Elegant Trades" in September 2014 from her home address in Hialeah, Florida.  We already spoke of Washington's company, LW Nationwide, and Rowland's company, Asjee Luxury.  The superseding information speaks of (but does not give many details) an ongoing conspiracy from 2014 until 2018 that involved the creation of many shell companies and many fraudulent wire transfers. 

"It was the purpose of the conspiracy for the defendants and their co-conspirators to unlawfully enrich themselves by obtaining and misappropriating money from victims, by making materially false and fraudulent representations, and by the concealment of material facts, concerning, among other things, the true identify of the defendants and their co-conspirators and the purported need for victims to make payments to the defendants and their co-conspirators."

Lourdes Washington entered a plea agreement that included the fact that she may face 20 years in prison, 3 years supervised release, and a fine of $250,000 or double the pecuniary gain, as well as restitution, and acknowledging that they may be "denaturalized and removed" as a result of their crimes.  In other words, Washington had a public defender, as the only funds they tie to her are $37,225.  (It will be interesting to see what actually happens at sentencing on July 9, 2018.)

Cynthia Rodriguez also plead guilty, but in her case, she named her recruiter.  In the plea agreement, she agrees that she and her co-conspirators opened shell corporations and bank accounts for the purpose of receiving proceeds of wire fraud scams in exchange for a percentage of profits.  But then she says she was recruited to the scam by Roda TAHER.  Taher, AKA Res, AKA Rezi, AKA Ressi, recruited Rodriguez initially as a money mule, but advanced her to being a sub-recruiter, working to hire and manage additional money mules in the South Florida area. Rodriguez was responsible for providing corporate documents for her mules' shell companies, driving the money mules to banks, or ordering them to open certain accounts at certain banks, and accompanying them to withdraw funds.  She also provided directions to money mules on how to hide their schemes from banks, law enforcement and other individuals.

Rodriguez's plea agreement states that she knew the money was coming from wire fraud, and that she knew that business email compromise and spear phishing scams were used, including email account takeovers and "spoofed" email accounts making the victims believe they were making wire transfers to trusted partners, but instead depositing the funds into the accounts of the fraudsters.  Rodriguez says that she used the phone application "WhatsApp" to exchange encrypted messages with co-conspirators, including Taher, in order to evade detection by law enforcement.  Her plea confesses to laundering at least $4,760,669.80 between herself and the mules she recruited.

Like Washington, Rodriguez's plea states that she may do 20 years plus 3 supervised, and pay a fine of $250,000 or double the pecuniary gain, plus restitution, and that she may face denaturalization and removal.

Base Offense level for Washington was 8.  Increased by 18 levls due to the amount of laundered funds being between $3.5M and $9.5M.  +3 because she was a manager or supervisor in a scheme involving 5 of more participants.  +2 because of 18USC1956, and +2 because of the "sophisticated nature" of the laundering.  So, a level 33 offense.  They only decreased her 3 levels for "demonstrating acceptance of responsibility and assisting authorities in the investigation".  So she is still facing a level 30 offense.

"Furthermore, the Defendant stipulates that she owes restitution in the amount of $4,760,669.80!"

The plea agreement was signed May 23, 2018.  Rodriguez will be sentenced on July 11, 2018.

In Operation Wire Wire: The South Florida Cases Part 2, we'll look at 18-CR-20170, with defendants Eliot Pereira, Natalie Armona, Bryant Ortega, Melissa Rios, Angelo Santa Cruz, Alexis Fernandez Cruz, Roberto Carlos Gracia, Jose E. Rivera, Angeles De Jesus Angulo, Jennifer Ruiz, Yirielkys Pacheco Fernandez, and Sebastian Loyaza.