BEC Fraudster Extradited To The US To Face Charges In $60M Bank Fraud Scheme
Read also: Major hacking forums seized in an international police op, British trio running the OTP.Agency vishing service sentenced, and more.
Thursday, January 30, 2025
BEC fraudster extradited to the US to face charges in $60M bank fraud scheme
Erick Jason Victoria-Brito has been extradited from the Dominican Republic to face charges related to an international bank fraud and money laundering operation that caused over $60 million in actual losses.
Victoria-Brito and his co-conspirators allegedly registered over 1,000 fake businesses to open bank accounts and launder money stolen through business email compromise (BEC) schemes, which tricked victims into transferring funds to fraudulent accounts. The conspiracy targeted various victims, including major corporations, government entities, nonprofits, law firms, and construction companies.
Victoria-Brito faces up to 30 years in prison for bank fraud and up to 20 years for money laundering. The scheme, which spanned multiple years and countries, resulted in over $60 million in actual losses and over $150 million in attempted theft.
In a separate case, Hassanbunhussein Abolore Lawa from Nigeria, has been extradited to the United States to face charges for sextortion that led to the death of the victim. Lawal allegedly posed as a young woman online to manipulate a teen into sending compromising photos, then extorted the teen for money by threatening to release the images. He later targeted the teen's family in similar schemes. Lawal faces life in prison, mandatory minimum sentences for multiple offenses, and a 30-year sentence for a child exploitation charge related to death. He could also be required to pay restitution for the family's losses.
FBI seizes major hacking forums in Operation Talent
In a coordinated international law enforcement operation dubbed "Operation Talent," the FBI has seized the domains of notorious hacking forums Cracked.io and Nulled.to, along with other cybercrime-related platforms. The operation involved authorities from the United States, Italy, Spain, France, Greece, Romania, Australia, and Europol.
On January 30, 2025, banners appeared on several high-profile hacking websites, including Cracked.io, Nulled.to, StarkRDP.io, MySellIX.io, and SellIX.io, announcing that the sites had been seized by law enforcement. The domains were switched from their original name servers to FBI-controlled servers. The FBI and Europol have confirmed the takedown but said that the operation is still ongoing and more details will be available at a later date.
Cracked.io and Nulled.to offered tools for various illicit cyber activities, such as credential stuffing attacks, password theft, and the distribution of cracked software and hacking tools.
In addition to Cracked.io and Nulled.to, other seized domains included StarkRDP.io, a Windows RDP (Remote Desktop Protocol) virtual hosting provider used by cybercriminals for launching attacks, and MySellIX.io and SellIX.io, platforms that allowed users to set up online stores to sell stolen data, compromised accounts, and software keys.
British trio running the OTP.Agency vishing service sentenced
Three men have been sentenced in a London court for operating a sophisticated fraud scheme that allowed criminals to bypass anti-fraud measures and gain access to victims' bank and telecom accounts.
The men ran a website called ‘OTP.Agency’, which charged a monthly subscription fee for a service that enabled fraudsters to use social engineering tactics to obtain one-time passcodes (OTPs) from victims. These passcodes were then used to bypass multi-factor authentication, allowing criminals to steal money from accounts.
The website offered various packages: a basic plan costing £30 a week, which provided access to an automated call bot to trick victims into giving OTPs, and an elite plan at £380 per month, which included customized services like free text-to-speech calls and pre-scripted scams. The group’s operation is estimated to have generated up to £7.9 million in potential profits, with around 3,000 subscribers.
Callum Picari, the website's owner and primary beneficiary, was sentenced to two years and eight months in prison. Vijayasidhurshan Vijayanathan and Aza Siddeeque, who helped manage and promote the site, received 12-month community orders, community service, and a £760 fine each.
Swatter pleads guilty to targeting Ring doorbell cameras to livestream police responses
Kya Christian Nelson, a 23-year-old US citizen, admitted his involvement in a nationwide "swatting" scheme that targeted Ring doorbell cameras and livestreamed police responses to bogus emergency calls. Nelson and his co-conspirators used unauthorized access to victims' Ring devices to broadcast live police confrontations on social media.
Nelson, currently serving time on unrelated charges, faces federal charges for conspiracy and unauthorized access to protected computers. According to the plea agreement, from November 7 to November 13, 2020, Nelson and his group accessed victims' Ring doorbell cameras after obtaining login information for their Yahoo! email accounts.
The conspirators used the credentials to place false emergency calls to local law enforcement, triggering armed police responses to the victims' homes. While the police were on the scene, Nelson and his co-conspirators livestreamed the events, taunting officers through the Ring cameras.
Nelson is scheduled for sentencing on May 1, 2025, and faces up to five years in prison for each count. One of his co-conspirators, James Thomas Andrew McCarty, was sentenced to seven years in federal prison in June 2024 for his involvement in the same scheme.
12 indicted in multi-million dollar Business Email Compromise scheme
US authorities indicted 12 individuals in connection with a sophisticated business email compromise (BEC) scheme that defrauded victims across the United States out of millions of dollars. The indictment charges the defendants with conspiracy, wire fraud, bank fraud, and money laundering.
The indictment alleges the defendants were involved in a coordinated BEC operation targeting businesses and individuals. They reportedly gained unauthorized access to victims' computer systems to monitor email communications related to financial transactions.
Using this information, the defendants spoofed emails to impersonate internal personnel, vendors, and business partners, convincing victims to initiate payments and transfer funds into bank accounts they controlled.
The stolen funds were then shared and transferred between various bank accounts, with some money funneled out of the country. The victims included construction companies, law firms, private equity firms, and title companies. The defendants now face a maximum penalty of 30 years in prison and fines up to $1 million. They are scheduled to be arraigned on February 4, 2025.
What’s next:
- Join our upcoming webinars
- Follow ImmuniWeb on Twitter, LinkedIn and Telegram
- Explore 20 use cases how ImmuniWeb can help
- Browse open positions to join our great Team
- See the benefits of our partner program
- Request a demo, quote or special price
- Subscribe to our newsletter
The award-winning ImmuniWeb® AI Platform helps over 1,000 companies from over 50 countries to test, secure and protect their web and mobile applications, APIs and microservices, cloud and networks, to prevent data breaches and reduce third-party risk, and to comply with regulatory requirements.