Hushpuppi and Mr.Woodbery, BEC scammers: Welcome to Chicago!

There are quite a few West African scammers who try to explain away their wealth by claiming they are a “bitcoin entrepreneur” or “real estate investor” when in fact they conduct Business Email Compromise scams against American companies, and Romance Scams against vulnerable women, and steal their money.  Back in October, one such criminal, Ismaila Mustapha, who went by the Instagram nickname Mompha, was arrested and I mentioned it in a tweet:

Replying to my own tweet, I said “Maybe they’ll get his friend #Hushpuppi next ??” and linked to his Instagram account, tagging @officialEFCC in the post.  My posts received the most attention of anything I had ever shared on Twitter, which I learned was because of some headlines in Nigerian media such as these:

With all of the attention of 4,000+ new Nigerian Twitter followers, I have to admit it felt a bit prophetic when we learned of Hushpuppi’s arrest on June 10th.  I shared these images from their respective Instagram accounts that day.

Ever since their arrest by Dubai Police on June 10, 2020 in the UAE, Nigerian media has been going crazy with theories on what was going to happen to Hushpuppi and Mr.Woodbery.  The original posts said that Hushpuppi was arrested in the UAE “by Interpol” (who has no arresting authority) for his role in a $35 Million ventilator scam.  Other versions say he was involved in “fraud and money laundering of over $100million which was supposed to be given to Native Americans during the Coronavirus Pandemic.  More recently, Nigerian media claimed that the pair were already in the United States in Moshannon prison and that Woodbery had fallen sick there.

The EFCC, Nigeria’s government anti-corruption agency, put out a thread of Tweets on June 18th confirming that they were cooperating with the FBI to try to identify additional victims and to investigate parts of his money laundering empire that are still in Nigeria.  In the thread they called him “Nigerian most-wanted hacker, Ramoni Igbalode, alias Ray Hushpuppy.”

The Dubai police called their case against Hushpuppi “Operation Fox Hunt 2”– in the video they mention seizing 21 laptops, 47 phones, 15 USB drives, 5 hard drives, 119,580 files, and 13 cars!

An English version of the Fox Hunt 2 video is available on Vimeo here (click to play):

The video also makes clear that while only two “celebrity-level” hackers were arrested, there were actually at least twelve other people arrested in Dubai that night during six raids.  The video claims that they had information on 1,926,400 victims!

Who knows their names?  Please answer in the comments below …

Hushpuppi and MrWoodbery Charged in the United States

In the United States when charges are brought, the charges are made for victims within the jurisdiction where the charges are brought.  Rather than listing every possible crime, the staff of the top prosecutor in that district, known as Assistant United States Attorneys, brings charges for crimes where the victims or the activities occurred within their jurisdiction.  Because of the prominence of these case, a cybercrime special prosecutor from the Cyber and Intellectual Property Crimes Section of the Department of Justice is assisting in prosecuting these cases.  In these cases, Hushpuppi is being charged in Los Angeles, California, and Mr. Woodberry (Jacob Olalekan Ponle) is being charged in Chicago, Illinois.  Both men arrived in Chicago, on 02JUL2020 after being expelled from the United Arab Emirates.

Chicago Case vs. Mr.Woodbery 

In the Chicago case, there are two primary victims that establish venue there.  Victim Company A lost $2,300,000 USD.  Victim Company K lost $15,268,000 USD.  Jacob Olalekan, who the FBI refers to as “PONLE” says that in the latter operation Ponle received at least 1494 Bitcoins from that case, which at the time would have had a value of $6,599,499 USD!

In their investigation, they found that Ponle used US-based “money mules” — criminals who are paid to open bank accounts on behalf of a scammer.  One of these mules said that he received his instructions from someone that he knew as “Mark Kain.”  Mark Kain used a voice over IP telephone number that was issued from the company Dingtone.  Since Dingtone fully cooperates with law enforcement, they were able to quickly learn that this number was paid for by someone using the South African telephone number +27 793 837 890.

The Money Mule also indicated that he made transfers to a Bitpay bitcoin account with the wallet id 16AtGJbaxL2kmzx4mW5ocpT2ysTWxmacWn.  Bitpay, who also cooperated with law enforcement, was able to show this account was created in September 2015 and that the account owner used the email address “hustleandbustle@gmail.com.”

The next step in the investigation was to ask Apple about those telephone numbers and email addresses.  Apple, who can provide law enforcement with all information about any iPhone, shared with the FBI that the telephone number +27 793 837 890 belonged to Jacob Olalekan, who used the hustleandbustle email while logged in from that telephone.  Apple was also able to provide a photo of a Nigerian passport in the name “Olalekan Jacob Ponle” born May 1991 in Lagos, Nigeria, and also a photo of a UAE Visa and a UAE Resident Identity Card in the same name.

Ponle Nigerian
Passport

Ponle UAE
Resident Card

Ponle USA
Visa

The FBI has contents of many WhatsApp chats that Ponle had with various scammers and money mules he worked with. 
In addition to Ponle’s Chicago crimes, he also committed many others that are documented in his case:
– 16JAN2019 – $188,000 fraud against a company in Des Moines, Iowa.
 – 04MAR2019 – $415,000 fraud against a company in Great Bend, Kansas.
– June 2019 – attempted $19,292,690.30 wire for a company – stopped by JP Morgan Chase!
– September 2019 – the FBI took over the accounts of one of the former money mules and received instructions from Ponle to open a new bank account.  The FBI opened the account, but stopped a $1.2 million fraudulent transaction from occurring.  

MoneyLaundering via LocalBitcoins

The big Chicago case happened on 11FEB2019 – $2,300,000 fraud against a Chicago company. In that case, the money was sent to a six-month old Personal Checking Account opened by the money mule.  He then moved $2.1 million into a SilverGate bank account belonging to Gemini Trust, a cryptocurrency exchange.  The mule then tells Ponle that the funds will be moved to him $500,000 USD at a time, and asks him for his bitcoin account.  The mule says we are sending you 340 bitcoins and the rest is coming.
All of this is easy to confirm by looking at the blockchain.  I use CipherTrace for Bitcoin analysis.  This shows that over the lifetime of this Bitcoin address, 3,798.20832689 BTC were received by the account Ponle claims as his own, in 434 different transactions.  (At current Bitcoin values, that would be $34,315,216 USD!)  You can clearly see the 340 Bitcoin transaction being received from Gemini.com on 15FEB2019:
MrWoodbery/Ponle Bitcoin account receiving stolen funds
Right after this transaction, you can see that MrWoodbery sent 611 Bitcoin (currently worth $5,522,495 USD!) to Bitcoin wallet 15go6kCncrhkt6z2ziQr6W39SVpyZ52tpM, from which the funds were sold off bit by bit in LocalBitcoins.com transactions.
40 BTC on 16FEB via LocalBitcoins.com 
15.7 BTC on 16FEB via LocalBitcoins.com 
5 BTC on 17FEB2019 via Luno.com 
56 BTC on 17FEB2019 via LocalBitcoins.com 
23 BTC on 18FEB2019 via LocalBitcoins.com 
30 BTC on 18FEB2019 via LocalBitcoins.com 
15 BTC on 18FEB2019 via LocalBitcoins.com 
30 BTC on 19FEB2019 via LocalBitcoins.com 
29 BTC on 19FEB2019 via LocalBitcoins.com 
22 BTC on 19FEB2019 via LocalBitcoins.com 
Along the way some smaller transactions were made, such as spending 0.03 BTC at UniCC, a stolen credit card shop.
the BTC transactions to Local Bitcoins stay small 1-3 BTC per transaction, until 09MAR2019 when he sells 35.9884 BTC on LocalBitcoins.com 
By June of 2019, the funds which had not been converted to cash via LocalBitcoins were primarily deposited at HuboiGlobal, a cryptocurrency exchange originally founded in China, but now with offices in Singapore, Hong Kong, Korea, Japan, and oh yes, the United States!  

The Los Angeles Case Against HushPuppi

At first it may not be obvious why the HushPuppi case is in Los Angeles, as one of the largest victims is a New York based company, from which Raymon Abbas (aka Hushpuppi) is accused of stealing $922,857 USD from in a Business Email Compromise scam.  The Los Angeles FBI came to have possession of an iPhone which contained many communications between the owner of that phone and Abbas.  During the laundering of the funds from the New York based company, at least $396,050 were laundered by a second money mule, who opened bank accounts in Los Angeles, giving the Los Angeles FBI venue on the case.  
The iPhone showed many communications to the Dubai-based number +971 543 777 711.  This phone was listed in the iPhone contacts under the name “Hush” … there was also a Snapchat contact with this number under the name “hushpuppi5” whose account called himself “the Billionaire Gucci Master!!!”   The FBI’s review of Hushpuppi’s Instagram account found a post where he listed his own Snapchat account as “Hushpuppi5.”  
Instagram, who fully cooperates with law enforcement, provided to the FBI that the Instagram account used the email “rayhushpuppi@gmail.com” and the phone number +971 502 818 689.  The account was created October 10, 2012 and had many logins from the UAE.
Snapchat, also a US based company who fully cooperates with law enforcement, provided that the Hushpuppi5 account used the same email as the Instagram account, rayhushpuppi@gmail.com and a different UAE telephone number +971 565 505 984.  
The Gmail account, (Google is a US based company who fully cooperates with law enforcement) revealed that an Apple Account was created on 29MAR2014 in the name Ray Hushpuppi, and used both the gmail account and the account “rayhushpuppi@icloud.com” and another gmail account.
The other Apple account found used the name Godisgood Godson and the gmail account “godisgoodallthetime0007@gmail.com” but often used the name “Ramon Abbas” in account records, giving the mailing address “1706 Palazzo Versace, Dubai, UAE.”  The rayhushpuppi@gmail.com account was used to lease that property from 04APR2020 through 03MAY2021.  
Through a combination of IP address login records and telephone login records, all of the above accounts could be clearly shown to belong to the same individual.
The emails also contained things such as copies of Abbas’s Nigerian passport and UAE Resident card which further confirm these accounts were under his personal control.  Receipts for wire transfers of large volumes, including $250,000 and $2,397,000 were found in the emails, linking Abbas in the latter case to the Chicago Mr.Woodbery case above.
Other indicators included proof that Abbas picked up wire transfers from Western Union in the UAE in 2018 and MoneyGram transactions in the UAE, all using his UAE Resident card. 

Malta Bank Job

In addition to the New York law firm case, Abbas also discussed a foreign financial institution case where €13 million was stolen ($14.7 Million USD) and the co-Conspirator in Los Angeles asked for accounts which could receive “5m euro” which Abbas provided by sending information for a Romanian bank account.  Abbas communicates with the group who is trying to laudner the money, and confirms receipt of  €500,000
Although it is not stated in the FBI paperwork, this was the Bank of Valetta, mentioned in the headlines of the Times of Malta.  The hackers boast that the bank had not yet noticed their activity and that they were going to hit it more the following day. 
The Prime Minister of Malta issued a statement to the public that although “Hackers sought to make international transfers to banks in the UK, US, Czech Republic and Hong Kong. The transfers were blocked within 30 minutes and the banks alerted.” A follow-up report a week later in the Times of Malta detailed how a bank employee believed he was responding to an email from a French government stock market regulator, but the attached Word document actually planted malware on the banking system, allowing the hack to move forward.  The Times of Malta said the attack was thought to be part of a hacking group called “EmpireMonkey” which has been linked by other cybercrime researchers to CobaltGoblin and even the Carbanak group.  (See for example this Kaspersky article:  FIN7.5: the infamous cybercrime rig continues its activities.
This last example illustrates that once someone begins to operate on the level as Hushpuppi, they are often most useful as someone who has the network to establish bank accounts to receive stolen funds.  It is extremely unlikely that Hushpuppi has the hacking skills to pull off a Bank of Malta attack — however he had the reputation as being someone who could provide accounts capable of receiving 5 million Euro transactions, so criminals reach out to him to fulfill that need. 

*** This is a Security Bloggers Network syndicated blog from CyberCrime & Doing Time authored by Gary Warner, UAB. Read the original post at: http://garwarner.blogspot.com/2020/07/hushpuppi-and-mrwoodbery-bec-scammers.html