Inside Story: How the FBI took down Hushpuppi, Woodberry & gang
In complaints filed before Illinois courts, FBI agents described in details how they were able to trail and smash two notorious Nigerian fraudsters, Ramon Olorunwa Abbas a.k.a Hushpuppi and Olalekan Ponle a.k.a Woodberry and gang.
The criminal complaints against the cyber fraudsters showed the FBI agents trailing them since last year, before the Dubai Police went for the harvest.
Though the two conmen are Nigerians, they operated in different ways in executing their cyber heists and the loot therefrom.
Olalekan Ponle often asked his co-conspirators to convert his share into bitcoins.
Raymond, on the other hand, favours cash, the heist moving from several accounts he set up in Mexico, Romania and other parts of Europe, before getting to him.
In one daring effort, Hushpuppie planned to cyber-rob an English Premier League club.
Hushpuppi, real name Ramon Olorunwa Abbas was investigated by special agent ANDREW JOHN INNOCENTI.
Ponle on the other hand was investigated by special agent Ali Sadiq.
Hushpuppi by Andrew John Innocenti:
First, messages found on the iPhone of Coconspirator 1 (reviewed pursuant to a federal search warrant issued in this District) reflect that ABBAS, Coconspirator 1, and Coconspirator 2, with others, committed a BEC scheme that defrauded a victim in the United States of approximately $922,857.76, including approximately $396,050 that ABBAS, Coconspirator 1, and Coconspirator 2 laundered while Coconspirator 2 was in Los Angeles, California.
Second, ABBAS and Coconspirator 1 conspired to launder funds intended to be stolen through fraudulent wire transfers from a foreign financial institution (the “Foreign Financial Institution”), in which fraudulent wire transfers, totaling approximately €13 million (approximately USD $14.7 million), were sent to bank accounts around the world in February 2019. Coconspirator 1 conspired with the persons who initiated the fraudulent wire transfers, and also conspired with a number of others, including ABBAS, to launder the funds that were intended to be stolen. ABBAS, specifically, provided Coconspirator 1 with two bank accounts in Europe that ABBAS anticipated would each receive €5 million of the fraudulently obtained funds.
Other communications between ABBAS and Coconspirator 1 indicate that, in addition to these schemes, ABBAS and Coconspirator 1 conspired to launder tens, and at times hundreds, of millions of dollars that were proceeds of other fraudulent schemes and computer intrusions, including a fraudulent scheme to steal £100m from an English Premier League football club.
In reviewing data from Coconspirator 1’s iPhone, I and another FBI employee saw messages reflecting that, in or around October 2019, ABBAS had conspired with Coconspirator 1 and Coconspirator 2 to commit a fraudulent wire transfer and money-laundering scheme, in which a U.S. victim (the “Victim Law Firm”) lost approximately $922,857.76. The messages reflected that part of the scheme, including acts in furtherance of the conspiracy, occurred while Coconspirator 2 was physically present in the Central District of California.
Records obtained from JPMorgan Chase Bank (“Chase”) for a bank account held in the U.S. (the “Chase Account”) reflect that the Chase Account received a wire transfer on October 15, 2019 for approximately $922,857.76 from the Victim Law Firm. On October 17, 2019, there was a wire transfer from the Chase Account to an account at Canadian Imperial Bank of Commerce (“CIBC”), in Toronto, Ontario, for approximately $396,050. Bank records reflect that the specific account at CIBC ended in 1716 (the “CIBC Account”), consistent with what is discussed below in paragraphs 21, 24, and 25. The remaining funds in the Chase Account were transferred to other accounts.
21. Based on review of data from Coconspirator 1’s iPhone, on or around October 17, 2019, ABBAS, using what appeared to be the Snapchat account “hushpuppi5,” sent an image of a Chase wire confirmation to Coconspirator 1. The image appeared to show a wire transfer form related to a transfer of approximately $396,050 from the Chase Account to the CIBC Account, which, based on other messages on Coconspirator 1’s iPhone, appears to have been held by Coconspirator 2.3
22. On April 14, 2020, I interviewed S.R., owner of the Victim Law Firm, about the above-referenced wire sent on October 17, 2019. On April 16, 2020, I interviewed N.C., who was an attorney and co-worker of S.R., and on May 21, 2020, I interviewed K.C., a paralegal of the Victim Law Firm. Based on these interviews, I learned the following:
The Victim Law Firm, which is located in New York State, was representing a client, A.D., in the refinance of real estate.
A.D. was refinancing his/her property with Citizens Bank. As part of the closing for this refinance, on October 15, 2019, K.C. sent a verification email to what appeared to be a Citizens Bank email address (later identified as a “spoofed” email address) requesting wire instructions. Per internal policy of the Victim Law Firm, all wire verifications were to be sent to their firm via fax and followed-up by a phone call. K.C. received a fax message in response to her verification email with what was later determined to be fraudulent wire instructions to transfer the loan payoff amount of their client A.D. to the Chase Account. K.C. then called the phone number listed on the fax to verify the wire instructions.
Neither the Victim Law Firm, nor their client A.D., realized the funds had been fraudulently transferred to the Chase Account until later in October 2019, when A.D. checked his/her account and realized that the funds for the refinance had not been credited. By this time, all of the funds had been depleted from the Chase Account.
On October 15, 2019, K.C. initiated the wire transfer to the Chase Account for approximately $922,857.76.
Messages on Coconspirator 1’s iPhone reflect that, at approximately the same time on October 17, 2019 that ABBAS sent Coconspirator 1 an image of the wire transfer confirmation for the transaction from the Chase Account to the CIBC Account, Coconspirator 1 was communicating with another phone number to confirm the wire had been deposited into the CIBC Account. Based on other messages on the iPhone and records obtained by the FBI, that phone number was used by Coconspirator 2.
The communications between Coconspirator 1 and Coconspirator 2 on October 17, 2019 included the following messages:
Coconspirator 1: Keep lookout for the 396 and so ur thing till u hear from me
Coconspirator 2: Ok will do
Coconspirator 2: I’m in La so how can I make sure??4
Coconspirator 2 also sent Coconspirator 1 a photograph showing a secure login to the CIBC Account in Coconspirator 2’s name. The account number ended in 1716, consistent with the account number that ABBAS sent to Coconspirator 1 in an image on October 17, 2019.
I reviewed international travel records from a law enforcement database, which showed that Coconspirator 2 traveled from Toronto, Canada to Los Angeles, California on October 16, 2019. This was one day before the wire transfer from the Chase Account to the CIBC Account in Coconspirator 2’s name. Further, as referenced above, Coconspirator 2 messaged Coconspirator 1 on October 17, 2019 that “I’m in La.” Travel records also show that Coconspirator 2 departed Los Angeles around October 23, 2019 for Canada. Taken together, this indicates that Coconspirator 2 was in Los Angeles at the time of the wire transfer.
Later in the day on October 17, 2019, while still in Los Angeles, Coconspirator 2 appeared to confirm the wire transfer in an iMessage found on Coconspirator 1’s iPhone:
Coconspirator 1: Did the big hit? Coconspirator 2: Yessir
Olalekan Ponle a.k.a Woodberry:
Beginning no later than January 2019 and continuing until at least September 2019, OLALEKAN JACOB PONLE conspired with others to engage in BEC schemes to defraud several United States-based companies. These schemes resulted in attempted and actual losses to victim companies in the tens of millions of dollars.
As described below, as part of the scheme, PONLE directed money mules in the United States to open bank accounts in the names of victim companies. Proceeds from BEC schemes, ranging from hundreds of thousands of dollars to millions of dollars, were then wired by unwitting employees to the bank accounts opened by PONLE’s mules. PONLE then instructed the mules to convert the proceeds to Bitcoin and to send the proceeds of the BEC schemes to a bitcoin wallet that he owned and operated.
One of these BEC schemes involved a Chicago-based company (Victim Company A) that was defrauded out of $2,300,000. A second Chicago-based company (Victim Company K) was defrauded into sending wire transfers totalling $15,268,000.00. Preliminary blockchain analysis indicates that PONLE received at least 1,494.71506296 bitcoin related to these BEC schemes, valued at approximately $6,599,499.98 at the time he received the proceeds.
PONLE Used the Alias “Mark Kain” To Correspond with Money Mules
As described in more detail below, money mules in the United States were approached by a person they knew as “Mark” or “Mark Kain.” “Mark” later directed them to open bank accounts in the names of victim companies. Those accounts received proceeds from the BEC schemes, and at “Mark’s” direction, the money mules converted proceeds to bitcoin and sent proceeds to “Mark”.
According to one of those money mules, Individual B, “Mark Kain” contacted Individual B using telephone number (323) 985-4088 (“the 4088 phone number”). According to records obtained from Dingtone, a messaging and Voice over Internet Protocol application, subscribing customer records for the 4088 phone number included the cellular telephone number 27793837890 (“the 7890 phone number”), which based on law enforcement database searches, is owned by a South African service provider.
Based on my review of chat transcripts from online messaging applications between PONLE and Individual B and a second money mule, Individual A, “Mark” instructed Individual B and Individual A to send money to the bitcoin wallet 16AtGJbaxL2kmzx4mW5ocpT2ysTWxmacWn (“the 16AtGJ BTC Wallet”) on at least nine occasions. Records obtained from Bitpay, a processor of cryptocurrency transactions, indicated that between approximately September 18, 2015 and November 29, 2016, the 16AtGJ BTC wallet made five purchases associated with the Gmail account hustleandbustle@gmail[.]com (the “hustle Gmail account”).
Based on records obtained from Apple, an iCloud account (Subject Account 1) was subscribed to by Jacob Olalekan, listing the 7890 phone number, the hustle Gmail account, and a physical address in Johannesburg, South Africa.
Based on my review of records from Apple, Subject Account 1 contained several identity documents and photographs of PONLE. These included a photo of a Nigerian passport with a photo of an individual named Olalekan Jacob Ponle, born in May 1991 in Lagos, Nigeria, a photo of a United Arab Emirates visa with a photo of an individual named Olalekan Jacob Ponle with the profession “marketing representative” and a photo of a United Arab Emirates Resident Identity Card with a photo of a Nigerian national named Olalekan Jacob Ponle.”