A gang in New York allegedly spent the past seven years using the ripped-off identities of cellphone subscribers to steal $19 million worth of iPhones, according to a now-unsealed complaint originally filed by federal prosecutors at the end of April 2019.
The six defendants have been charged with felony counts of mail fraud, conspiracy, and aggravated identity theft.
New York City Police Department (NYPD) detective Armando Coutinho, from the NYPD-FBI Joint Major Theft Task Force, said in the complaint that the ring of alleged fraudsters kept it up from at least 2012 to the present, selling new devices – mostly iPhones – through fencing operations.
A simple plan
Here’s how it worked, Coutinho explained: the fraud ring members would break into the accounts of existing cellphone subscribers and add their names as “authorized users.” Later on, they used stolen personally identifying information (PII) instead of their own names to cook up new, fraudulent accounts.
Then, they’d “upgrade” their phones, paying only a pittance, or nothing at all, in-store and putting the rest of the purchase price on pay-by-month plans on the identity theft victims’ dime.
The victims included both the service providers, which typically picked up the cost of the stolen phones, and the customers whose identities were stolen and/or whose accounts were broken into. The complaint didn’t specify which providers were targeted, nor how many people were defrauded.
Using the stolen PII, the fraudsters created fake ID cards and fraudulent credit and debit cards. Using those cards, they’d pose as legitimate subscribers and fan out across the country to waltz into phone stores for their “upgrades.”
A multi-layer fraud cake
Like most well-organized fraud rings, this one had multiple roles for its employees, each of which did their part in the multi-step process of stealing from people. The organizers at the top of the hierarchy called themselves “Top Dogs.” Their duties were to organize and fund the trips and to take care of selling the phones. Being top dogs, they, of course, made the top cut of illicit profits.
Next down were the forgers, who worked with stolen PII and crafted the ID/bank/credit cards. On the bottom rung were the gang members who got sent out on the trips and the drivers who put the stolen PII to use in getting their hands on the phones. That role also included shipping the phones back to the top dogs in NYC.
An insider ratted them out
The ring got ratted out by somebody who was recruited to go on an iPhone-ripoff run in 2013. Identified as “CW-1”, he told investigators that he went on about 18 out-of-state runs, and he was paid $100 for each iPhone he brought in.
CW-1 said he was accompanied by a driver on the trips. Before he left town, his bosses would give him a fake ID and bank card. The bank card was to back up his claims if he got questioned about the fake ID card, CW-1 said.
Like any business traveler, he’d get reimbursed for his travel costs, which included overnight shipping of the iPhones.
That’s a heck of a lot of packages going to NY
Investigators were also helped out by one of the shipping companies – identified as Shipper-1 in court documents – the gang used. In 2014, one of the company’s employees picked up on two notable patterns in all these deliveries: First, in spite of the frequency of the shipping, the package deliveries were always paid for with cash, check or credit card, indicating that the shipper likely didn’t hold an account with the shipping company.
They were always sent to the shipping company’s stores or desks, never to home or business addresses, and those destination stores were always in the Bronx or in Mount Vernon, New York.
The second pattern was pretty much the same, except that these were outgoing packages: they always came from the shipping company’s Mt. Vernon or Bronx stores, and they always got delivered to the shipping company’s stores in other states, never to home or business addresses.
Somewhere between 2014 and July 2017, (presumably in partnership with law enforcement), the shipping company cracked open 39 of the suspicious packages. They found about 250 mobile phones inside of them, as well as dozens of fraudulent credit cards, driver’s licenses, and passport cards.
For example, 16 packages addressed to one of the defendants, Gary Bierd, held a total of about 178 electronic devices. Another five packages addressed to defendant Wilkin de Los Santos had about 55.
All of the devices were listed by the phone service providers as having been obtained through fraudulent activity. Ditto for the phones found in packages searched by law enforcement after they got a series of search warrants.
Meanwhile, two alleged gang members were arrested on unrelated charges. When investigators searched their phones and laptops, they found evidence linking them to the ring carrying out the iPhone scam, including a slew of stolen PII and emails containing cellphone account details – accounts that were used to acquire devices.
Shiny new phones, fat prison sentences
This certainly isn’t the first time that people have gotten the idea to use hacked cellphone accounts to “upgrade” to nice, shiny new iPhones and other pricey gadgets, walking into stores to pay the small upgrade fees, sticking victims with the rest of the costs, selling the loot for full purchase price and then pocketing the profit.
Last August, the Feds indicted a dozen people for allegedly doing just that, with a similar modus operandi to the NY gang, but this gang changed tactics over time in order to evade the law.
For example, they allegedly used Bitcoin to buy stolen PII on the dark web. They also allegedly phished account details out of victims with emails that were laced with rigged links.
Sometimes, the gang members are reported to have bought phones with their real names and fake Social Security numbers that appeared to (and sometimes did) match the spelling of their real names. The taxpayer IDs actually belonged to other people, and those people had their credit damaged as a result of the fraud.
These crimes carry hefty penalties: As of August 2018, those dozen suspects were facing a maximum penalty of 20 years for conspiracy to commit wire fraud and two years for aggravated identity theft. Maximum sentences are rarely handed out, though.
The NY gang members listed in this more recent complaint have all pleaded not guilty. Each is free on $100,000 bond, pending trial.
Laurence Marks
And this has exactly what to do with cybersecurity?
Paul Ducklin
Use of PII to cook up fraudulent accounts?
x
Coutinho, not Coutinh
Paul Ducklin
Fixed, thanks!