CyberCrime & Doing Time

Hushpuppi and Mr.Woodbery, BEC scammers: Welcome to Chicago!

Read the original article: Hushpuppi and Mr.Woodbery, BEC scammers: Welcome to Chicago!

There are quite a few West African scammers who try to explain away their wealth by claiming they are a “bitcoin entrepreneur” or “real estate investor” when in fact they conduct Business Email Compromise scams against American companies, and Romance Scams against vulnerable women, and steal their money.  Back in October, one such criminal, Ismaila Mustapha, who went by the Instagram nickname Mompha, was arrested and I mentioned it in a tweet:

https://twitter.com/GarWarner/status/1186816176019648513

Replying to my own tweet, I said “Maybe they’ll get his friend #Hushpuppi next ??” and linked to his Instagram account, tagging @officialEFCC in the post.  My posts received the most attention of anything I had ever shared on Twitter, which I learned was because of some headlines in Nigerian media such as these:

Mompha is a Top 10 BEC Scammer

With all of the attention of 4,000+ new Nigerian Twitter followers, I have to admit it felt a bit prophetic when we learned of Hushpuppi’s arrest on June 10th.  I shared these images from their respective Instagram accounts that day.

Ever since their arrest by Dubai Police on June 10, 2020 in the UAE, Nigerian media has been going crazy with theories on what was going to happen to Hushpuppi and Mr.Woodbery.  The original posts said that Hushpuppi was arrested in the UAE “by Interpol” (who has no arresting authority) for his role in a $35 Million ventilator scam.  Other versions say he was involved in “fraud and money laundering of over $100million which was supposed to be given to Native Americans during the Coronavirus Pandemic.  More recently, Nigerian media claimed that the pair were already in the United States in Moshannon prison and that Woodbery had fallen sick there.

The EFCC, Nigeria’s government anti-corruption agency, put out a thread of Tweets on June 18th confirming that they were cooperating with the FBI to try to identify additional victims and to investigate parts of his money laundering empire that are still in Nigeria.  In the thread they called him “Nigerian most-wanted hacker, Ramoni Igbalode, alias Ray Hushpuppy.”

The Dubai police called their case against Hushpuppi “Operation Fox Hunt 2”– in the video they mention seizing 21 laptops, 47 phones, 15 USB drives, 5 hard drives, 119,580 files, and 13 cars!

An English version of the Fox Hunt 2 video is available on Vimeo here (click to play):

The video also makes clear that while only two “celebrity-level” hackers were arrested, there were actually at least twelve other people arrested in Dubai that night during six raids.  The video claims that they had information on 1,926,400 victims!

Who knows their names?  Please answer in the comments below …

Hushpuppi and MrWoodbery Charged in the United States

In the United States when charges are brought, the charges are made for victims within the jurisdiction where the charges are brought.  Rather than listing every possible crime, the staff of the top prosecutor in that district, known as Assistant United States Attorneys, brings charges for crimes where the victims or the activities occurred within their jurisdiction.  Because of the prominence of these case, a cybercrime special prosecutor from the Cyber and Intellectual Property Crimes Section of the Department of Justice is assisting in prosecuting these cases.  In these cases, Hushpuppi is being charged in Los Angeles, California, and Mr. Woodberry (Jacob Olalekan Ponle) is being charged in Chicago, Illinois.  Both men arrived in Chicago, on 02JUL2020 after being expelled from the United Arab Emirates.

Click to read Northern District of Illinois Press Release

Click to read Central District of California Press Release

Chicago Case vs. Mr.Woodbery 

In the Chicago case, there are two primary victims that establish venue there.  Victim Company A lost $2,300,000 USD.  Victim Company K lost $15,268,000 USD.  Jacob Olalekan, who the FBI refers to as “PONLE” says that in the latter operation Ponle received at least 1494 Bitcoins from that case, which at the time would have had a value of $6,599,499 USD!

In their investigation, they found that Ponle used US-based “money mules” — criminals who are paid to open bank accounts on behalf of a scammer.  One of these mules said that he received his instructions from someone that he knew as “Mark Kain.”  Mark Kain used a voice over IP telephone number that was issued from the company Dingtone.  Since Dingtone fully cooperates with law enforcement, they were able to quickly learn that this number was paid for by someone using the South African telephone number +27 793 837 890.

The Money Mule also indicated that he made transfers to a Bitpay bitcoin account with the wallet id 16AtGJbaxL2kmzx4mW5ocpT2ysTWxmacWn.  Bitpay, who also cooperated with law enforcement, was able to show this account was created in September 2015 and that the account owner used the email address “hustleandbustle@gmail.com.”

The next step in the investigation was to ask Apple about those telephone numbers and email addresses.  Apple, who can provide law enforcement with all information about any iPhone, shared with the FBI that the telephone number +27 793 837 890 belonged to Jacob Olalekan, who used the hustleandbustle email while logged in from that telephone.  Apple was also able to provide a photo of a Nigerian passport in the name “Olalekan Jacob Ponle” born May 1991 in Lagos, Nigeria, and also a photo of a UAE Visa and a UAE Resident Identity Card in the same name.

Ponle Nigerian
Passport

Ponle UAE
Resident Card

Ponle USA
Visa

The FBI has contents of many WhatsApp chats that Ponle had with various scammers and money mules he worked with. 
In addition to Ponle’s Chicago crimes, he also committed many others that are documented in his case:
– 16JAN2019 – $188,000 fraud against a company in Des Moines, Iowa.
 – 04MAR2019 – $415,000 fraud against a company in Great Bend, Kansas.
– June 2019 – attempted $19,292,690.30 wire for a company – stopped by JP Morgan Chase!
– September 2019 – the FBI took over the accounts of one of the former money mules and received instructions from Ponle to open a new bank account.  The FBI opened the account, but stopped a $1.2 million fraudulent transaction from occurring.  
These details and more can be found in the Criminal Complaint against Olalekan Jacob Ponle.

MoneyLaundering via LocalBitcoins

The big Chicago case happened on 11FEB2019 – $2,300,000 fraud against a Chicago company. In that case, the money was sent to a six-month old Personal Checking Account opened by the money mule.  He then moved $2.1 million into a SilverGate bank account belonging to Gemini Trust, a cryptocurrency exchange.  The mule then tells Ponle that the funds will be moved to him $500,000 USD at a time, and asks him for his bitcoin account.  The mule says we are sending you 340 bitcoins and the rest is coming.
All of this is easy to confirm by looking at the blockchain.  I use CipherTrace for Bitcoin analysis.  This shows that over the lifetime of this Bitcoin address, 3,798.20832689 BTC were received by the account Ponle claims as his own, in 434 different transactions.  (At current Bitcoin values, that would be $34,315,216 USD!)  You can clearly see the 340 Bitcoin transaction being received from Gemini.com on 15FEB2019:
MrWoodbery/Ponle Bitcoin account receiving stolen funds
Right after this transaction, you can see that MrWoodbery sent 611 Bitcoin (currently worth $5,522,495 USD!) to Bitcoin wallet 15go6kCncrhkt6z2ziQr6W39SVpyZ52tpM, from which the funds were sold off bit by bit in LocalBitcoins.com transactions.
40 BTC on 16FEB via LocalBitcoins.com 
15.7 BTC on 16FEB via LocalBitcoins.com