Last June, the FBI got a warrant to hunt through the Google accounts of Abedemi Rufai, a Nigerian state government official.
What they found, they said in a sworn affidavit, was all the ingredients for a “massive” cyber fraud on U.S. government benefits: Stolen bank, credit card and tax information on Americans. Money transfers. And emails showing dozens of false unemployment claims in seven states that paid out $350,000.
Rufai was arrested in May at New York’s John F. Kennedy airport as he prepared to fly first class back to Nigeria, according to court records. He is being held without bail in Washington state, where he has pleaded not guilty to five counts of wire fraud.
Rufai’s case offers a small window into what law enforcement officials and private experts are calling the biggest fraud ever perpetrated against the United States, a significant portion of it carried out by foreigners.
Russian mobsters, Chinese hackers and Nigerian scammers have used stolen identities to plunder tens of billions of dollars in COVID benefits, spiriting the money overseas in a massive transfer of wealth from American taxpayers, officials and experts say. And they say it’s still happening.
For more on this story, tune in to NBC Nightly News with Lester Holt tonight at 6:30pm ET/5:30pm CT or check your local listings.
Among the ripest targets for this cyber theft have been jobless programs. The federal government can’t say for sure how much of the more than $900 billion in pandemic-related unemployment relief has been stolen, but credible estimates range from $87 to $400 billion–at least half of which went to foreign criminals, law enforcement officials say.
Those staggering sums dwarf, even on the low end, what the federal government spends each year on intelligence collection, food stamps, or K-12 education.
“This is perhaps the single biggest organized fraud heist we’ve ever seen,” said security researcher Armen Najarian, of the firm RSA, who tracked a Nigerian fraud ring as it allegedly siphoned millions out of more than a dozen states.
Jeremy Sheridan, who directs the office of investigations at the Secret Service, called it “the largest fraud scheme that I’ve ever encountered.”
“Due to the volume and pace at which these funds were made available and a lot of the requirements that were lifted in order to release them, criminals seized on that opportunity and were very, very successful–and continue to be successful,” he told NBC News.
While the enormous scope of COVID relief fraud has been clear for some time, scant attention has been paid to the role of organized foreign criminal groups, who move taxpayer money overseas via laundering schemes involving payment apps and “money mules,” law enforcement officials told NBC News.
“This is like letting people just walk right into Fort Knox and take the gold, and nobody even asked any questions,” said Blake Hall, the CEO of ID.me, which has contracts with 27 states to verify identities.
Officials and analysts say both domestic and foreign fraudsters took advantage of an already weak system of unemployment verification maintained by the states, which has been flagged for years by federal watchdogs. Adding to the vulnerability, states made it easier to apply for COVID benefits online amid the pandemic, and officials felt pressure to expedite processing. The federal government also rolled out new benefits for contractors and gig workers that required no employer verification.
In that environment, crooks were easily able to impersonate jobless Americans using stolen identity information for sale in bulk in the dark corners of the internet. That data—birthdates, social security numbers, addresses and other private information—has accumulated online for years through huge data breaches, including hacks of Yahoo, LinkedIn, Facebook, Marriott and Experian.
At home, prison inmates and drug gangs got in on the action. But experts say the best organized efforts came from abroad, with criminals from nearly every country in the world swooping in to steal on an industrial scale.
“They were literally calling this easy money,” said Ronnie Tokazowski, a senior threat researcher at Agari, who has been monitoring Dark Web communications by West African fraud gangs.
In some cases, overseas organized crime groups flooded state unemployment systems with bogus online claims, overwhelming antiquated computer software benefits in blunt force attacks that siphoned out millions of dollars. On several occasions, states have had to suspend benefit payments while they attempted to figure out what was real and what was not.
“It’s definitely an economic attack on the United States,” FBI deputy assistant director Jay Greenberg, who is investigating cases as part of the Justice Department’s COVID-fraud task force, told NBC News. “Tens of billions of dollars will be missing…It’s a significant amount of money that’s gone overseas.”
Under the “Pandemic Unemployment Assistance” program for gig workers and contractors, people could apply for retroactive relief, claiming months of joblessness with no employer verification possible. In some cases, that meant a check or debit card worth $20,000, Hall said.
“Organized Crime has never had an opportunity where any Americans identity could be converted into $20,000, and it became their Super Bowl,” he said. “And these states were not equipped to do identity verification, certainly not remote identity verification. And in the first few months and still today, organized crime has just made these states a target.”
Sheridan, whose purview at the Secret Service includes financial crimes, pointed out that the sums of money stolen far exceeds the annual cost of ransomware, a problem estimated to cost the economy about $20 billion a year but which has commanded outsized media attention.
The huge windfall to criminal groups will fuel other types of crime, including drug and human trafficking, he said.
“These groups that are profiting so greatly from these types of schemes, they engage in a host of other crimes,” he said. Drug trade, crimes against children, more sophisticated cyber related fraud. And this money is basically an investment to them to conduct more extensive criminal operations…some of which include crimes that will compromise national security.”
By the time states recognized the extent of the criminality, the spigot of cash had been gushing for months.
“Nobody really understood how big the problem was, until it was playing out,” Najarian, the RSA security researcher, said. “We all accepted that there was fraud taking place, organized fraud and local fraud. But what we didn’t realize…was that the organized fraud was very aggressive and very efficient and moving very, very large sums of money offshore.”
The investigative journalism site ProPublica calculated in July that from March to December 2020 the number of jobless claims added up to about two thirds of the nation’s labor force, when the actual unemployment rate was 23%. Though some people lose a job more than once in a given year, that alone could not account for the vast disparity.
The thievery continues. Maryland, for example, in June detected more than half a million potentially fraudulent unemployment claims in May and June alone. Most of those attempts were blocked, but experts say nationwide, many are still getting through.
The Biden administration has acknowledged the problem and has blamed it on the Trump administration.
“There is perhaps no oversight issue inherited by my Administration that is as serious as the exploitation of relief programs by criminal syndicates using stolen identities to steal government benefits,” Biden said in a statement in May, as his government announced a Justice Department COVID-fraud task force.
The Biden administration has allocated $2 billion to shore up state unemployment systems. That appears to be badly needed, because states have failed to take basic steps to improve identity verification, according to the Department of Labor Inspector General.
In a February memo, the IG reported that as of last December, 22 of 54 state and territorial workforce agencies were still not following its repeated recommendation to join a national data exchange designed to check Social Security numbers. And in July, the IG reported that the national association of state workforce agencies had not been sharing fraud data as required by federal regulations.
Twenty states failed to perform all the required database identity checks, and 44 states did not perform all recommended ones, the inspector general found.
“The states have been chronically underfunded for years–they’re running 1980s technology,” Hall said.
Not a victimless crime
Along with the huge losses inflicted on the U.S. treasury, the criminals also hurt tens of thousands of Americans, many of whom suffered delays in getting much-needed benefits.
When Yvonne Matlock lost her job last year as a fundraiser for an Indiana addiction treatment center, she applied for unemployment benefits online, like millions of other Americans.
But she was told she was already getting relief money.
“Somebody had gotten ahold of my Social Security number and set up an account in my name. It seems as though it was really easy for them to do,” she said.
She said it was an ordeal to verify her identity with the state and get her benefits.
“I sent them everything but a blood sample,” she said. “I sent my driver’s license, my social security card, my gun permit, which they issued by the way, my W-2 forms.”
“I sent more than what they asked me for and was still denied,” Matlock added.
She finally got the benefits after three months. And then she was victimized again. Somebody else stole her identity and diverted $1,200. The local police are investigating.
The detective “said I’ll do my best (but) the chances of us finding this person are pretty slim,” she said.
So far there has been relatively little recovery of the stolen cash – or accountability for the criminals who took it.
The FBI has opened some 2,000 investigations, Greenberg told NBC News, but has recovered just $100 million. The Secret Service, which focuses on cyber and economic crimes, has clawed back $1.3 billion. But the vast majority of the pilfered funds are gone for good, experts say, including tens of billions sent out of the country via money moving applications such as Cash.app.
‘Sick to my stomach’
The U.S. government doesn’t seem to know how much has been stolen.
Through a public records request, NBC News obtained data from the Department of Labor, which funds Covid relief unemployment benefits programs, that is riddled with blank values and underestimates. The data lists just over a billion dollars in fraud across the three CARES Act unemployment programs—a figure experts say is off by orders of magnitude.
In fact, state officials have made public statements that refute their own reporting into the Labor Department data system. California, for example, appears to have reported only $2 million in fraud across CARES Act programs, despite publicly acknowledging over $11 billion in unemployment fraud after a January audit. State officials said in early 2021 that projected losses could reach $31 billion.
More than two thirds of states – 34 total — reported no cases of identity theft overpayments in the most vulnerable unemployment benefits program. Experts say that simply isn’t accurate.
The inspector general pointed out in a recent report that the Labor Department reduced testing and reporting requirements on state unemployment systems during the pandemic.
One result of that is that the public is in the dark about the scope of the fraud.
“It makes me sick to my stomach, particularly when I see how much is coming out of my taxes each month for unemployment,” said Agari’s John Wilson.
The IG has projected that there will be $87 billion in misspent unemployment funds, a conservative estimate which assumes no spike in fraud rates. Both the inspector general and the FBI declined to offer an estimate of what the actual value of lost funds may be.
The ID.me estimate of $400 billion comes from the data that company has seen across the states, Hall said.
ID.me implements extra verification steps beyond paper or digital records, requiring, for example, people to prove through Facetime that their faces match the ones on the drivers’ license. As a result, fraudsters have used barbie dolls, silicon masks and deep fake videos in an unsuccessful effort to beat the system, he said.
A Nigerian fraud group strikes
One of the few examples in which analysts have pointed the finger at a specific foreign group involves a Nigerian fraud ring dubbed “Scattered Canary,” by security researchers. The group had been committing cyber fraud for years when the pandemic benefits presented a ripe target, said Najarian.
“The moment the pandemic hit, that was the next big thing that they jumped on, and they did a great job exploiting that opportunity,” he said.
Scattered Canary took advantage of a quirk in Google’s system. Gmail does not recognize dots in email addresses—John.Doe@gmail.com and JohnDoe@gmail.com are routed to the same account. But state unemployment systems treated them as distinct email addresses.
Exploiting this trait, the group was able to create dozens of fraudulent state unemployment accounts that all funneled benefits to the same email address, according to research by Najarian and others at Agari, a security firm.
In April and May of 2020, Scattered Canary filed at least 174 fraudulent claims for unemployment with the state of Washington, Agari found—each claim eligible to receive up to $790 a week for a total of $20,540 over 26 weeks. With the addition of the $600 per week COVID supplement, the maximum potential loss was $4.7 million for those claims alone, Agari found.
Scattered Canary and other groups made use of so-called money mules – witting or unwitting third parties who moved the stolen funds through bank accounts so that they could be transferred out of the country, Najarian said.
CashApp, which describes itself as “the easiest way to send money, spend money, save money, and buy cryptocurrency,” has been frequently used by fraudsters to move money, law enforcement officials and private consultants told NBC News.
“When you use the app, you can quickly and easily convert everything over to Bitcoin,” Tokazowski said. “Within like 10 minutes, you can get that cash converted and sent on its way.”
CashAPP said in a statement that it has “enhanced our systems to monitor and act upon deposits that we deem to be risky, despite coming from largely trusted sources like state unemployment agencies. We also partner with law enforcement and government agencies to investigate potential fraud and work collaboratively to return those funds when possible.”
Rufai, the Nigerian official, is accused of using 100 fraudulent claims to steal $350,000. He’s being held without bail after having been transferred from New York to Washington State. He has been placed on leave from his government job, said his lawyer, Lance Hester.
Federal officials have not linked these cases to Scattered Canary. But in a detention hearing against Rufai, prosecutors portrayed him as a significant player in cyber fraud going back to 2017.
“This is a defendant who is charged with participating in a massive fraud on the United States,” Assistant U.S. Attorney Seth Wilkinson said, according to a public transcript. “It is someone who exploited our country’s efforts to take care of its own people during the biggest emergency of our lifetime.”
Hester said he could not comment because he has not had a chance to speak in detail with his client.
“I know he stands strongly behind his not guilty plea,” Hester said.
This content was originally published here.