How Kenyan scammers stole over $3 million from US firms

Robert Mutua Muli and Jeffrey Sila Ndungi were arrested by the FBI. PHOTOS | COURTESY

What you need to know:

  • BEC fraud is a new sophisticated type of cyber-enabled crime facilitated by the Internet where fraudsters use hacked email accounts to convince businesses or individuals to make payments that are either bogus or similar to actual payments owed to legitimate companies.

  • As part of the scam, fraudsters learn about key personnel in companies who are responsible for payments as well as the protocols necessary to perform wire transfers in various companies and then target the businesses that regularly perform wire transfer payments.

On August 1 last year, employees at the finance department of the little-known Fairfax County, which forms part of the suburban ring of Washington, DC in the United States, received an email they believed to be from the headquarters of Dell Computers in Texas.

Fairfax had a running multimillion-dollar computer supply deal for its schools in the county, and the email indicated it had been written by the Accounts Payables department of Dell. It asked Fairfax to reroute its pending payments, which were almost due, to another account in Ohio.

ELECTRONIC TRANSFERS

Fairfax County obliged, and from August 8 to September 10 sent a total of $1,345,423.20 to the new account using electronic transfers. In total, the county sent 28 payments ranging from as low as $328 to as high as $241,223.

Unknown to the county, the money was being transferred almost immediately it hit the Ohio account to several other accounts worldwide before ending up thousands of kilometres away in the hustle and bustle of Kenya's capital Nairobi. By September 10, when Fairfax County discovered it was being defrauded, some $526,517.04 had already been withdrawn in Nairobi.

“The fraudulent email account was very similar to a Dell employee’s true email address and contained revised banking information for Dell,” evidence filed in US courts would later say.

This discovery triggered a chain of investigations which were eventually taken over by the Federal Bureau of Investigations (FBI), which was deployed to Nairobi. The global hunt for the suspects, code-named Operation reWired, was then widened to include a search for criminals in similar schemes. It eventually led to the arrest of 281 suspects from nine countries and was only made public last week by the FBI.

This is one of the most brazen Kenyan cyber theft syndicates in recent history.

The FBI sweep resulted in the seizure of nearly $3.7 million and the disruption and recovery of approximately $118 million in fraudulent wire transfers.

“The FBI is working every day to disrupt and dismantle the criminal enterprises that target our businesses and our citizens,” said FBI Director Christopher Wray. “Through Operation Re Wired, we are sending a clear message to the criminals who orchestrate these Business Email Compromise (BEC) schemes that ‘I will keep coming after you, no matter where you are’. The effects of this crime are far-reaching, and the dollar amounts involved are staggering.”

The FBI has since 2013 gathered reports of more than $10 billion in losses from US victims alone. The worldwide tally is more than $26 billion.

CYBER CRIME

BEC fraud is a new sophisticated type of cyber-enabled crime facilitated by the Internet where fraudsters use hacked email accounts to convince businesses or individuals to make payments that are either bogus or similar to actual payments owed to legitimate companies.

As part of the scam, fraudsters learn about key personnel in companies who are responsible for payments as well as the protocols necessary to perform wire transfers in various companies and then target the businesses that regularly perform wire transfer payments.

Interestingly, Kenya and Nigeria were the only African countries on the list of nations where the FBI made arrests and recovered property bought by scammers after a year of investigations. Other countries in the list include Italy, Japan, Malaysia, United Kingdom, France and Turkey.

The big puzzle for the FBI was how Kenya and Nigeria, two African countries with meagre computing skills and resources, had hacked their way into a list of major global cybercrime hotspots.

But with its good Internet speeds, easy availability of cheap computers and a robust banking system driven by technology, it is not difficult to figure out why Kenya has bred such sophisticated criminals.

So entrenched is the vice among Kenyan hackers that the US government now has a special unit whose role is to monitor cybercrime emanating from IP addresses in Kenya.

The American Embassy in Nairobi declined to give us the list of Kenyans who were arrested and extradited to the US to face charges, or the assets repossessed during Operation Re Wired.

WEB OF THEFT

Documents filed by the US Department of Justice however indicate that three Kenyans, Robert Mutua Muli, Amil Hassan Raage, and Jeffrey Sila Ndungi, were arrested during the time of the operation.

Between them they had stolen $3,154,118.83. About half of this money has not been recovered, according to court papers in the US. All the three have been found guilty of their crimes after making plea bargain deals with the courts. Mr Muli is set to be sentenced next month, on October 4, Mr Raage will know his fate on October 11, while Mr Ndungi has already begun his 20-year sentence.

However, among the three it is Mr Muli, a 59-year-old Kenyan immigrant from Ohio, Texas, who had stolen the most; $2,128,133.83, followed by Mr Raage, 48, who was picked by FBI detectives from Nairobi on May 9 this year with $949,393.14 in his bank accounts.

Mr Ndungi, 33, who was in April last year sentenced to 20 years in prison, had only managed to steal $76,592.86 before FBI detectives lured him to fly to a trap in Dallas, Texas from Nairobi. He was arrested at the Los Angeles International Airport as the plane he had boarded sat on the tarmac waiting for clearance to fly to London, where he would have connected to Nairobi.

Before the US theft, it appears that the 2010 University of Nairobi engineering graduate had not only honed his skills by hacking and selling DStv bouquets in Kenya and Nigeria from his house in South B, Nairobi, but also made tonnes of money while at it. So lucrative was this venture that by the age of 26, just two years after graduating, Mr Ndungi had bought two Cessna planes with the tail numbers 5Y-CCN and 5Y-CCO.

In 2013 he leased one of the planes to Nairobi Flight Training Limited. Apart from that he also owned a top-of-the-range Escalade and a Range Rover Sport, which the US repossessed after he was arrested. He also had a house at Executive Suites Estate in South B.

During his trial, it emerged that Mr Ndungi had filed fake tax return requests amounting to $116,000 using the names of a person who had died — Mrs Cynthia Short — by pretending she was still alive and based in Nairobi.

“These returns used social security numbers belonging to deceased individuals and attached fictitious forms reporting substantial wages. However, many of the addresses and bank accounts receiving fraudulent tax refunds are located in the US,” say court papers.

FRAUD SCHEME

As Mr Ndungi was being sent to prison to start his term, detectives had on their sights two other Kenyans, Mr Muli and Mr Raage, who had apparently tricked their victims to think they were receiving emails from Dell Computers.

Apart from defrauding the Fairfax County government by tricking them that they were sending payments for computers to Dell, Mr Muli also conned Vermont County government of $13,684.63 and the Detroit County government of $769,226. In these deals, he tricked his victims by pretending to be other companies other than Dell Computers, but the mode of operation was similar to what he had used on Fairfax County.

In papers filed before court, Mr Muli is said to have opened a business checking account at Wells Fargo Bank in the name of Rogram Home Improvement Ltd on February 22, 2018. In the application to open the account, he said he was the sole owner of Rogram.

Between May and July 2018, The City of Detroit entered into a sales agreement with another firm named Aecom Great Lakes Limited to meet the sales needs of the city.

“On May 14, 2018 a co-conspirator of Mr Muli sent an email to the City of Detroit from an email falsely claiming to be an Aecom Great Lakes employee, directing the city of Detroit’s office of Contracting and Procurement to change the Aecom Great Lakes bank of records to Wells Fargo and directing payments to a second account which was at all times controlled by Mr Muli. The email account name matched the name of a former Aecom employee,” say court papers.

On May 25, 2018, the City of Detroit made a $69,464 deposit to the new account, and on June 1 a second payment of $699,802 was made to the account.

On May 25, which was the same day that $69,464 hit the fake account that the City of Detroit thought belonged to Aecom, $49,990 was transferred to Rogram Home Improvement. Then, 11 days later, on June 6, $74,527 and $39,990 were transferred to Mr Muli’s personal account, which was then wired to Kenya. Most of this cash was recovered, but the City of Detroit lost $130,154 in the scam.

As he was busy defrauding the City of Detroit, Mr Muli was also engaged in a similar fraud targeting the State of Vermont, this time by faking he was yet again a Dell employee. Like Mr Ndungi before him, Mr Muli was arrested in Texas as he attempted to flee to Kenya.

Mr Raage, however, managed to escape to Nairobi on September 22 last year after his bank accounts were frozen, but was arrested eight months later, on May 8, by the FBI. He was extradited to the US on May 23 to face justice.

Before being smoked out, Mr Raage had defrauded the University of California, San Diego of $749,158 and Pennsylvania University of $123,643 by tricking them to make payments they believed were going to Dell Computers.

So perplexed was the US Justice Department on the arrest of Mr Raage that Attorney Robert Brewer would later say that “modern criminals like Raage have ditched the ski mask and getaway vehicle and opted for a computer as their weapon of choice”.

- This article was first published in the Daily Nation.