Uncle Sam seeks to claw back $5M+ stolen from trade union through spoofed email

Funds are currently seized after being sent to offshore accounts

The US Justice Department is seeking permission to recover more than $5 million worth of funds stolen from a trade union by business email compromise (BEC) scammers.

An unnamed group of cyber scumbags defrauded an unidentified union in Dorchester, Massachusetts, out of $6.4 million – $5.3 million of which has been traced to seven bank accounts in China, Singapore, Hong Kong, and Nigeria.

The money held in six JPMorgan Chase accounts and one Texas Bank and Trust account is currently seized and the civil forfeiture action filed on Wednesday aims to provide the legal power to recover the stolen funds.

At the heart of the scam is the trade union, its investment manager who worked for an investment consulting firm in the state, and an unknown perpetrator, according to the complaint [PDF].

The union and its investment manager regularly exchanged email communications, with the latter also regularly making wire transfers on behalf of the union.

On or around January 27, 2023, the BEC scam was launched. The crims behind it spoofed the investment manager's email address – the domain was almost identical to their genuine address but for a single character.

Discussing a legitimate, previously arranged payment of $6.4 million, the spoofed email was convincing enough for the union to transfer funds to a bank account specified in the email. That bank account was found to be under the control of the scammers, not the investment manager.

The brains of the scam, be it an individual or group, recruited money mules to help them carry out the fraud and launder the proceeds through various offshore accounts.

It's not known if these mules were aware of the full context behind the scam, but we do know they received a string of messages via Google Chat and WhatsApp in or around September 2022 promising a "gift" for them being held in a European bank account.

These messages were seemingly enough to convince the mules that complying with the BEC scammer's instructions would genuinely yield a handsome payout.

They were tasked with taking out seven US bank accounts between which various sums were transferred. Prosecutors say many of these transactions appeared to have no purpose and bore the hallmarks of attempts to conceal the source of funds, before they were transferred to offshore accounts.

"This money movement displays the hallmarks of intent to conceal or disguise the source of funds: the account holder did not know the source of the funds, was being directed by the unknown perpetrator, and moved the funds rapidly between multiple accounts, with no discernible purpose," the complaint reads.

"For instance, on January 30, 2023, in a single day, $5 million moved from [account number one] to [account number two];  then back to [account number one]; and then back to [account number two]. And then later that day, $1 million moved from [account number two] to [account number one], and the next day, $3.9 million moved from [account number two] to [account number one]. 

"These rapid movements did not appear to have any legitimate business purpose, and reflect an intent to conceal the nature, location, source, ownership, and control of the fraud proceeds."

One of the mules, who opened the first two accounts that were initially used to receive the full $6.4 million payment, was told to keep $100,000 after completing the transfers requested by the scammers. 

While it was still a hefty sum, it was a far cry from the $17 million they were promised before the scam unraveled.

The Justice Department said BEC scams are rife across the country and estimated daily losses to this brand of cybercrime alone at $8 million.

Recent figures from the FBI peg the yearly losses Stateside at $2.9 billion, with criminals often moving stolen funds to cryptocurrency exchanges before foul play is detected, increasing their chances of making off with the full amount.

Fortunately, in the case of the trade union, the activity was spotted quickly enough to seize the majority of the stolen funds even after they were transferred to offshore accounts. Some were moved into crypto, however. ®

More about

TIP US OFF

Send us news


Other stories you might like