Two Nigerian nationals, Olayinka Olaniyi and Damiola Ibiwoye, have been sentenced to federal prison on multiple fraud and identity theft charges after the FBI was able to track them down in Malaysia and have them extradited to the United States.
The FBI said the two were living in Kuala Lumpur and targeted U.S. colleges and universities with their sophisticated operation -- including at Georgia Tech, according to Special Agent Tyson Fowler of the FBI's Atlanta Field Office.
“We found their computer folders with documents showing efforts to phish employees at 130 to 140 schools,” Fowler said. “They would steal a logo and do the work to make it look legitimate.”
They sent fraudulent emails to personnel at the schools in an attempt to obtain system credentials. The phishing messages appeared official, but they took unsuspecting recipients to fraudulent sites that allowed the criminals to capture names and passwords.
This allowed them to enter the official systems and, using the stolen credentials, reroute employee paychecks and access financial documents. Fowler said they were successful at about 20 institutions.
When they hit Georgia Tech, the school's information security team was able to quickly determine that its systems had been compromised. The staff at Georgia Tech, working together with the FBI's Atlanta Field Office, were able to track the hackers and determine where they were and what they were doing.
"By watching them online, we could see 20 people chatting. People from all over the globe," Fowler said. "They had ties to many others. Some people were better at the phishing emails; some had bank accounts lined up."
Fowler said that if the criminals had rerouted employee paychecks to international accounts, it would have immediately raised red flags. For this reason, the scammers needed a ready supply of U.S. bank accounts through which to funnel the stolen pay.
The investigative team was able to trace the computers used by the suspects to an address in Malaysia. Then, after obtaining search warrants for the suspects’ email accounts, the FBI was able to identify the two suspects by name.
Armed with that information, the next question became how to reach them in person.
The United States does not have an extradition treaty with Malaysia, but the FBI’s legal attaché in Kuala Lumpur has a strong working relationship with Malaysian authorities. When the FBI in Atlanta identified the hackers, the legal attaché’s office shared the information with the Malaysian Royal Police.
“I can’t give the Malaysians enough credit,” said Fowler. “They truly wanted to help and they wanted to address the issue.”
When the FBI agents provided the Royal Malaysian Police with the IP address they had traced to the Georgia Tech intrusion, the local authorities confirmed that it was registered to the same two suspects the FBI had identified.
It also turned out that the two were in Malaysia on expired visas. The Malaysians were able to arrest them for immigration violations.
By that time, the FBI had also uncovered that the payroll diversion was only the beginning of an even larger scheme. The hackers had gone after hundreds of W-2 forms and switched over to fraudulently filing for income tax refunds with the stolen documents.
In total, the hackers attempted to steal more than $6 million.
With the cooperation of the Malaysians, the FBI issued an arrest warrant for the two men in the United States on charges of conspiracy to commit wire fraud, computer fraud and aggravated identity theft. Police in Malaysia were able to honor the American arrest warrant by citing the suspects on equivalent local violations.
The two men were taken into custody and brought back to the United States in December 2016.