BEC Busts Take Down Multimillion-Dollar Operations

The two extraditions of business email compromise attackers indicate a step forward for international law enforcement collaboration.

Kelly Sheridan, Former Senior Editor, Dark Reading

July 6, 2020

5 Min Read
Dark Reading logo in a gray background | Dark Reading

On Friday, July 3, the Department of Justice announced extraditions of two Nigerian nationals to face charges related to separate business email compromise (BEC) operations. Both men are accused of participating in BEC schemes to defraud US organizations out of millions of dollars.

Ramon Olorunwa Abbas, also known as "Ray Hushpuppi" and "Hush," was expelled from the United Arab Emirates to Chicago, where he made his first court appearance. Charges allege he conspired to launder hundreds of millions of dollars from BEC frauds and other scams.

Abbas was arrested in the UAE last month and brought to the US to face a charge of conspiring to engage in money laundering, as alleged in a criminal complaint filed June 25. This complaint describes an Instagram account with several publicly viewable images of Abbas posing on or in luxury vehicles, wearing designer clothing, and possessing luxury items "indicating substantial wealth." In one photo, Abbas posed in front of two vehicles, one of which he said was his new Rolls-Royce Wraith. Multiple photos showed him in private jets or traveling to cities around the world.

"The FBI's investigation has revealed that Abbas finances this opulent lifestyle through crime, and that he is one of the leaders of a transnational network that facilitates computer intrusions, fraudulent schemes (including BEC schemes), and money laundering, targeting victims around the world in schemes designed to steal hundreds of millions of dollars," the affidavit states.

This case targeted a key player in a large, transnational scheme who used illicit funds to support his lifestyle while allegedly giving a safe haven to stolen money, says US Attorney Nick Hanna in a statement. The affidavit alleges Abbas and co-conspirators conspired to launder funds in a $14.7 million operation targeting a foreign financial institution. Another scheme attempted to defraud a New York-based law firm out of approximately $922,857 in October 2019. In one case, Abbas and others tried to steal roughly $124 million from an English Premier League club.

"With Hushpuppi, what's really important about this arrest is he is one of the primary money launderers of the BEC threat landscape," says Crane Hassold, senior director of threat research at Agari. "From a financial perspective, that is where I think the biggest impact of this will be."

Hassold describes Abbas as "an essential chokepoint" to money coming in from US BEC attacks and funds going out to Nigeria. Following his arrest, many Nigerian threat actors will need to find a way to transfer money from point to point. "That will take some time, to replace someone at the scale of Hushpuppi," he adds.

A second case involves Nigerian national Olalekan Jacob Ponle, also known as "Mr. Woodbery" and "Mark Kain." A criminal complaint accuses him of orchestrating BEC schemes to defraud US companies, which led to attempted or actual losses amounting to tens of millions of dollars. One Chicago company was tricked into sending wire transfers totaling $15.2 million. Ponle was arrested last month in the UAE and, like Abbas, made his first court appearance in Chicago.

Ponle's alleged operation lasted the first nine months of 2019, during which one or more actors gained unauthorized access to the email account of a US-based company and sent messages to employees claiming to be from the company or a known contact. These fake emails instructed employees to send wire funds to a bank account set up by money mules at Ponle's request. He instructed the mules to convert funds to Bitcoin and send them to a virtual wallet he controlled.

In addition to Chicago, Ponle targeted firms in Iowa, Kansas, Michigan, New York, and California.

Bringing BEC Operations to Justice
These extraditions represent a step forward in how foreign BEC attackers will be brought to justice. The DoJ, in collaboration with the Department of Treasury, recently published the first set of formal sanctions against Nigerian cybercriminals. Officials imposed financial sanctions on each of six individuals charged with involvement in BEC operations.

"This action represents a significant shift in how the United States responds to these types of criminal activities and demonstrates a willingness to impose cost to cyber actors living abroad outside of the reach of US law enforcement," says Pete Renals, principal researcher for Unit 42 at Palo Alto Networks. He anticipates more extraditions will be announced in coming months.

It's worth noting that many BEC attackers have a global footprint, Hassold points out. It's likely they will be extradited to other countries if they cause more damage somewhere else. Even so, what we see here is not only are more people being extradited for BEC — the transition from arrest to extradition is happening quickly, indicating a willingness among international law enforcement organizations to work together and support extradition for these types of attacks.

"It's important to consider that extradition isn't necessarily a long-term solution," says Renals. "At a macro level, there is a need for rapid adoption of legal frameworks tailored to what is arguably a new and nascent threat."

BEC schemes haven't been around long, but in that time, they have "grown exponentially" in terms of scale, global reach, and financial impact, he adds. These threats cost businesses $1.7 billion in 2019 alone, the FBI reported back in February. In the cases of both Abbas and Ponle, the attackers made hundreds of thousands of dollars in a single operation, emphasizing the financial impact of these types of attacks.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Profile of the Post-Pandemic CISO."

About the Author

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights