A Medfield man faces a federal charge for his alleged role in a hacking plot to suck out money from companies whose e-mail systems had been breached - including a Russian manufacturer and its American supplier of equipment to make tubes and pipes.
Paul Iwuanyanwu, 38, managed to divert some $884,000 the Russian company thought it was wiring to a company in Illinois, according to an affidavit by a Homeland Security investigator filed in connection with Iwuanyanwu's arrest yesterday on a charge of conspiracy to commit wire fraud.
But before he could take out most of the money, he was done in by an alert fraud investigations team at Bank of America and by a police attaché at the Russian embassy in Washington, who alerted Homeland Security that one of his country's companies had been ripped off, according to the affidavit.
An alleged accomplice in Houston was also arrested, but not before he managed to withdraw most of the $11,335 that he'd had wired from a shipping company that thought it was sending the money to the captain of a ship about to dock in Turkey.
According to the affidavit, the plot against the Illinois and Russian companies began when somebody obtained e-mail passwords at both companies, got into their e-mail systems and installed software that would route their e-mails to a computer he controlled. The affidavit details how that worked:
Both Company 1's and Company 3's email systems had been breached, and email passwords to both companies' networks were compromised, which allowed an unauthorized program to be placed on their servers [Company 1 is the Illinois manufacturer; Company 3 is the Russian buyer].
This unauthorized program routed both companies' emails directly to an unauthorized third party, which allowed the third party to answer emails as if the third party was a representative of one of the companies.
The compromised email addresses involved Company 3, Company 1, and Company 1's sister company. The unauthorized third party was able to modify the emails and contact information in the Company 3 and Company 1 computers to route emails to the unauthorized third party.
The unauthorized third party intercepted, manipulated, and then sent emails from a ghosted email address that looked almost exactly like the original address, which caused the recipient to believe they were authentic emails.
For example, Company 1's email addresses were slightly changed by one letter.
Similarly, Company 3's authentic emails came from their employee. This employee's original emails were intercepted, manipulated, and then sent from a ghost email address with transposed letters as compared to the real email address.
Other email addresses listed on correspondence between companies also went through the third-party account and were forwarded on with slightly modified email addresses. Company 1's computer security consultant concluded that the emails between Company 1 and Company 3 were passing through the ghost email address and being forwarded on by the unauthorized users for several months.
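As an added illustration of the lookalike-address technique the affidavit describes (an address changed by one letter, or with two letters transposed), here is a small Python check that a finance mailbox could run against a list of trusted vendor contacts before acting on an invoice or a change of bank details. This is example code written for this page; it is not from the affidavit, the investigators, or either company. The trusted addresses, the domain names and the sample messages are all constructed. The check also folds digit-for-letter look-alikes such as "1" for "l", which goes beyond the one-letter changes the affidavit mentions.

```python
"""Flag sender addresses that are within one edit of a trusted vendor contact.

Added example, not from the affidavit or any party to the case. Every
address, domain and message below is constructed for illustration.
"""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed allowlist: addresses the finance team has actually exchanged
# invoices with. In practice this comes from the vendor master file or CRM.
TRUSTED = {
    "invoices@tubemill-example.com",     # hypothetical Company 1 (US supplier)
    "purchasing@truboprom-example.ru",   # hypothetical Company 3 (Russian buyer)
}

# Digits that render like letters in many fonts. Folding them before the
# comparison makes "examp1e" compare equal to "example". This is an
# assumption added here; the affidavit only mentions changed or transposed letters.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: one substitution, insertion,
    deletion or adjacent transposition each cost 1. Covers both the
    "changed by one letter" and "transposed letters" cases."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def normalize(addr: str) -> str:
    """Lower-case, trim and fold confusable digits."""
    return addr.strip().lower().translate(_CONFUSABLES)


def _split(addr: str) -> Tuple[str, str]:
    local, _, domain = addr.rpartition("@")
    return local, domain


def classify(sender: str, trusted: Iterable[str] = TRUSTED) -> Tuple[str, Optional[str], str]:
    """Return (verdict, matched_trusted_address, reason).

    verdict is "trusted", "lookalike" or "unknown". A lookalike is an address
    that is NOT on the allowlist but is within one edit of one that is; those
    are the addresses a BEC actor uses to stand in for a real counterparty.
    """
    raw = sender.strip().lower()
    if raw in trusted:
        return "trusted", raw, "exact match with allowlist"
    s_local, s_dom = _split(normalize(raw))
    for t in sorted(trusted):
        t_local, t_dom = _split(normalize(t))
        if (s_local, s_dom) == (t_local, t_dom):
            return "lookalike", t, "differs from trusted address only by confusable characters"
        if s_dom != t_dom and osa_distance(s_dom, t_dom) <= 1:
            return "lookalike", t, "domain is within one edit of a trusted domain"
        if s_dom == t_dom and osa_distance(s_local, t_local) <= 1:
            return "lookalike", t, "mailbox name is within one edit of a trusted contact at that domain"
    return "unknown", None, "no trusted contact resembles this sender"


# Constructed message headers, as a mail filter or ticket system might see them.
SAMPLE_MESSAGES: List[Dict[str, str]] = [
    {"from": "invoices@tubemill-example.com", "subject": "Invoice 4471"},
    {"from": "invoices@tubemil-example.com", "subject": "Invoice 4471 - updated bank details"},
    {"from": "purchasing@turboprom-example.ru", "subject": "Payment confirmation"},
    {"from": "invoices@tubemill-examp1e.com", "subject": "Re: Invoice 4471"},
    {"from": "captain@shipping-example.net", "subject": "Port fees"},
]


def triage(messages: Iterable[Dict[str, str]]) -> List[Tuple[str, str, Optional[str], str]]:
    """Return every message whose sender is not an exact allowlist match.
    "unknown" senders are not necessarily fraud, but on an invoice mailbox
    they deserve a human look before any bank details are changed."""
    flagged = []
    for m in messages:
        verdict, match, reason = classify(m["from"])
        if verdict != "trusted":
            flagged.append((m["from"], verdict, match, reason))
    return flagged


if __name__ == "__main__":
    for sender, verdict, match, reason in triage(SAMPLE_MESSAGES):
        print(f"{verdict:9s} {sender:40s} {reason}" + (f" ({match})" if match else ""))
```

The comparison is done on the domain and the mailbox name separately because a one-letter change in the domain is the strongest signal: it means mail is leaving the counterparty's real system, exactly the "ghost email address" the affidavit describes, whereas a different mailbox name at the genuine domain may just be a colleague. A check like this is cheap, but it only catches addresses that resemble a known contact; it does nothing against mail that really is sent from a compromised legitimate mailbox, which is why a change of bank details should also be confirmed out of band, by phone to a number already on file.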
Iwuanyanwu, the affidavit continues, set up an account last July 6 at a Bank of America branch in Medfield. He listed his occupation as nurse's aide at a nursing home in Needham. State records show he is, in fact, a certified nurse's aide, with a license that runs through next month.
That was one day after the Illinois company had sent an invoice to its Russian customer for $884,274, with directions to wire the money to a bank in Hinsdale, IL, the affidavit states. However, that invoice was intercepted and an altered one sent to Russia, with directions to send the money instead to Iwuanyanwu's account at the Bank of America branch in Medfield. At the same time, the Illinois company received a bogus acknowledgement that payment was on its way.
On July 16, the affidavit continues, the Russian company's bank, Gazprombank, wired the money to the Bank of America account.
The next day, Iwuanyanwu went to the bank and sought to transfer $95,320 of that to an account at a Citibank branch in New York - an account used by a Nigerian bank. But there was a problem: Bank of America's fraud investigations team flagged the payment from Gazprombank as fraudulent. The affidavit does not state if this was because Medfield is a small town where nothing exciting ever happens and people rarely get large wire transfers from the third largest bank in Russia.
After review of the account, Bank of America concluded that the BOA Account was not a real account for the legitimate company, Company 1, located in Illinois. On July 21, 2018, Bank of America forced closed the BOA Account, and recovered the $95,320 wired to Citibank, NA. Upon review of the transactions, Bank of America concluded that the transactions were fraudulent and transferred all the funds from the BOA Account into the bank’s “Hold Harmless Department” account and assigned the funds to Party ID # [redacted]. BOA is currently holding in this Hold Harmless Department account the total $884,274 wired by Company 3 on July 16, 2018, as well as the initial $200 cash deposit into the account (minus $45 in bank wire fees), for a total of $884,429.
Iwuanyanwu allegedly stewed about this for a while, waiting until December to call the bank several times and demand to know why his account had been locked and to state that $95,000 of the money was actually his and that the bank should fork it over.
What he didn't know at the time was that on Oct. 9, "a Russian Government Police Attaché from the Embassy of the Russian Federation in Washington D.C. contacted [Homeland Security] to report that a Russian company, Company 3, had been defrauded out of $884,274.00."
In addition to stating the case against Iwuanyanwu and his alleged Houston accomplice, the affidavit also explains why Homeland Security was requesting a search warrant for his apartment: that it likely houses "fruits, evidence, and instrumentalities of violations" of the wire-fraud law. Also:
The evidence set forth above provides probable cause to believe that the victims identified in this investigation had funds stolen by way of a [Business Email Compromise] scheme and that an electronic device used for this scheme, as well as other evidence of the scheme, is present at the Target Premises.
The affidavit never specifically states that Iwuanyanwu was the mastermind of the plot, although it notes he spent time in Cairo studying computer science. The document in fact says that the people behind such "business email compromise" schemes are "often members of transnational criminal organizations" and discusses the role of "money mules":
Money mules receive ill-gotten funds from victims and then transfer those funds as directed by persons involved in the BEC scams. The funds are wired or sent by check to the money mule who then deposits the funds in his or her own bank account. The money mules usually retain a portion of the funds before transferring the remaining funds as directed by the BEC scammers.
At his arraignment in US District Court in Boston yesterday, Iwuanyanwu was released on $20,000 bail.