Cybercriminal Enterprise ‘Ringleaders’ Stole $55M Via COVID-19 Fraud, Romance Scams


The Department of Justice (DoJ) cracked down on a Ghana-based cybercriminal enterprise behind a slew of romance scams, COVID-19 fraud attacks and business email compromise schemes since 2013.

Threatpost Webinar February Promo

Click to Register

U.S. law enforcement arrested six “ringleaders” of a Ghana-based cybercriminal enterprise, who had allegedly launched a slew of money-stealing scams dating back to 2013 that included romance scams, business email compromise attacks and fraud. Seized in the arrests were a slew of luxury vehicles including two 2019 Rolls Royce Cullinans, a 2020 Bentley Continental GT and a 2020 Mercedes-Benz G63 AMG.

Authorities estimate the alleged group of criminals made over $55 million during its crime spree robbing mostly elderly online daters, small businesses and more.

“The fraud schemes alleged that these defendants facilitated were lucrative, diverse, and most of all, callous,” said Manhattan U.S. Attorney Audrey Strauss in a Wednesday statement. “As alleged, they engaged in email spoofing, duping elderly online daters into wiring them money, and applying for government-funded Coronavirus relief funds earmarked for the benefit of small businesses affected by the pandemic.”

While the six arrested were allegedly involved with the criminal enterprise based in Ghana, they were located across the U.S. and targeted individuals and businesses in the U.S.

Scams Relating to Romance, COVID-19 Relief

The six allegedly carried out various types of fraud over the past seven years. This includes business email compromise (BEC), where they allegedly duped businesses into wiring funds into attacker-owned accounts. This was done by impersonating employees of a victim’s company, or third-party companies that partnered or did business with the victim’s company.

The six also allegedly carried out romance scams targeting older men and women who lived alone.

They allegedly sent messages via email, text messaging, or online dating websites and tricked vulnerable victims into believing they were in a romantic relationship with a fake identity. Then, after gaining a victim’s trust, they would allegedly convince them to wire money to attacker-controlled bank accounts.

For instance, in one incident a 64-year-old victim was tricked into believing that he was in a relationship with a Ghanaian model. The victim subsequently wired $39,000 to an attacker-controlled account – believing that the purported “model” needed it to leave Ghana and to receive an inheritance.

Finally the six allegedly launched fraud schemes related to the COVID-19 pandemic. They did so by submitting fraudulent loan applications through the U.S. Small Business Administration’s (SBA) Economic Injury Disaster Loan (EIDL) Program, which is designed to provide relief to small businesses during the pandemic — and collecting the money.

“The Enterprise submitted fraudulent EIDL applications in the names of actual companies to the SBA and when an EIDL loan was approved, the funds were ultimately deposited in bank accounts controlled by members of the Enterprise, including certain of the defendants,” according to the Department of Justice (DoJ) on Wednesday.

Cybercriminal Activity: Moving the Illegal Money

The six defendants, charged in connection with their roles in the fraud and money laundering conspiracy, are Fred Asante, 35, Lord Aning, 28, (both arrested in Virginia on Wednesday), Celvin Freeman, 47, and Faisal Ali, 34, (both arrested in New Jersey on Wednesday). The four were presented in court on Wednesday. Also part of the group are Farous Appiedu, 35, (previously arrested in Queens, New York in October) and Sadick Edusei Kissi, 24 (previously arrested in Fargo, North Dakota on February 2020).

The six allegedly received fraudulent proceeds from various victims in dozens of business bank accounts that they owned and controlled. These business bank accounts – totaling at least 45 – were opened in the names of companies that the six allegedly pretending to be involved with – including companies relating to automobile sales, food imports and exports, and freight trucking and shipping. From 2013 to 2020, the bank accounts had deposits totaling over $55 million.

After the stolen money entered these bank accounts, the six allegedly withdrew and transported those fraudulent proceeds to other members of the cybercriminal enterprise, abroad.

“This trade-based money laundering scheme was designed to obscure the origin of the fraud proceeds as well as the identity of the ultimate beneficiaries of these schemes,” according to the DoJ.

A “vast majority” of the deposits consisted of large wire transfers or check deposits from various individuals and entities. This also included payments for vehicles, food products, and other goods sold by the defendants that were purchased using fraud proceeds, according to the DoJ.

COVID-19 Fraud and Romance Scams Continue

Email based attacks – such as romance scams or business email compromise – and fraud scams continue to plague enterprises and individuals.

Below, Ronnie Tokazowski, senior threat researcher with Agari, talks to Threatpost about why these types of scams continue to work.

At the same time, cybercriminals are following the money – and there is certainly money to be made in launching these types of attacks.

In fact, last year, romance schemes accounted for a record $304 million raked into cybercriminals, according to new data – up about 50 percent from 2019.

At the same time, in September researchers found that the average wire-transfer loss from BEC attacks is significantly on the rise: In the second quarter of 2020 the average was $80,183, up from $54,000 in the first quarter.

As seen in this recent law enforcement crackdown, the increase in scams around current events – particularly around the pandemic – have continued to also earn cybercriminals money. Beyond Covid-19 relief funds, attackers have also tweaked their lures to cash in on vaccine rollouts and personal protective equipment (PPE) needs.

Cases of identity theft in the U.S. also doubled in 2020, mainly due to cybercriminals taking advantage of people affected economically by COVID-19 who filed to receive government benefits.

Is your small- to medium-sized business an easy mark for attackers?

Threatpost WEBINAR:  Save your spot for 15 Cybersecurity Gaffes SMBs Make,” a  FREE Threatpost webinar on Feb. 24 at 2 p.m. ET. Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register NOW for this LIVE webinar on Wed., Feb. 24.

Suggested articles