November 14, 2013

Federal authorities have arrested two young brothers in Fresno, Calif. and charged the pair with masterminding a series of cyberheists that siphoned millions of dollars from personal and commercial bank accounts at U.S. banks and brokerages.

Photo: Fresnorotary.org

Adrian, left, and Gheorghe Baltaga (right). Photo: Fresnorotary.org

Taken into custody on Oct. 29 were Adrian and Gheorghe Baltaga, 25 and 26-year-old men from Moldova. Documents unsealed by the U.S. District Court for the Northern District of California laid out a conspiracy in which the brothers allegedly stole login credentials for brokerage accounts of Fidelity Investments customers, and then set up fraudulent automated clearing house (ACH) links between victim accounts and prepaid debit card accounts they controlled.

From there, according to the government, the men then used the debit cards to purchase money orders from MoneyGram and the U.S. Postal Service, which were deposited into different accounts that they could pull cash from using ATM cards. An attorney for the Baltaga brothers did not respond to multiple requests for comment.

According to interviews with investigators, the Baltaga indictments (PDF) reveal surprisingly little about the extent of the cybercrimes that investigators believe these men committed. For example, sources familiar with the investigation say the Baltaga brothers were involved in a 2012 cyberheist against a Maryland title company that was robbed of $1.7 million.

In April 2012, I was tracking a money mule recruitment gang that had hired dozens of people through bogus work-at-home jobs that were set up to help cybercrooks launder funds stolen from hacked small businesses and retail bank accounts. One of the mules I contacted said she’d just received notification that she was to expect a nearly $10,000 transfer to her bank account, and that she should pull the money out in cash and wire the funds (minus her 8 percent commission) to three different individuals in Ukraine and Russia.

The mule said she’d been hired by a software company in Australia, and that her job was to help the firm process payments from the company’s international clients. This mule told me the name of her employer’s “client” that had sent the transfer, and a Google search turned up a Washington, D.C.-area title firm which asked not to be named in this story out of concern that company’s competitors would use it against them.

Baltaga residence in Fresno.

Baltaga residence in a Fresno gated community.

That title firm was unaware of it at the time, but fraudsters had recently installed the ZeuS Trojan on an employee’s computer and were using it to send wire transfers and ACH payments to money mules and to bank accounts controlled by the bad guys. In many cases, victim companies will react with hostility when alerted to such crimes by a reporter, but in this case the company quickly contacted their bank and discovered that the thieves had already pushed through more than $700,000 in fraudulent wires and ACH payments. Just minutes before I contacted the title firm, the crooks had initiated a fraudulent wire transfer of $1 million.

The company and its bank were ultimately able to block the $1 million wire and claw back about half of the $700,000 in wires and fraudulent ACH transfers. The firm and its bank seemed doomed to battle it out in court over the remaining amount, but earlier this year the two sides reached a confidential settlement.

The Baltaga brothers were charged with wire fraud, conspiracy to commit bank fraud and wire fraud, aggravated identity theft, and aiding and abetting. If convicted, the two men also stand to lose the 5-bedroom, $800,000 home they purchased together in Fresno.

If you operate a small business in the United States and are banking online, please take a moment to read this piece: Online Banking Best Practices for Businesses. Businesses do not enjoy the same legal protections afforded to consumer banking customers hit by cyber thieves. As a result, organizations can be held responsible for any losses due to phishing or account takeovers.


43 thoughts on “Feds Charge Calif. Brothers in Cyberheists

  1. Charlie

    The good part of that two-brother story is that they were duped into paying 800K for a five bedroom house with a pool….RIGHT….ON….A…..ROARING …..FREEWAY!.

    STOOPID, and obviously they have no class.

      1. SeymourB

        In some parts of the world anything that’s bigger than a 2-lane dirt road is a freeway.

  2. wiredog

    There are houses selling for $800k in Fresno? Fresno? I’ve been to Fresno, I can’t imagine paying that kind of money for a house there.

    1. IA Eng

      Its was “free” money to them, It didn’t matter. It was almost like hitting the lotto, minus it being legal. They didn’t have to pay taxes on it either.

      The Feds might be light on information since they want to try to drag others – and are probably close to tying up some loose ends. In due time I am sure we’ll hear more about it.

      As far as small businesses and protection of funds, its all about setting up limits that can be withdrawn within a period of time. No one can tell me the are too busy to approve a large transaction with a call from/to the bank. Its laziness if it’s simply wide open for the crooks siphon off large amounts. Commmmon – how often does a “small” businesses transfer a million bucks at one time? Probably more rarer than most people realize.

      Its convenience. Instead of having a sole computer that is used strictly for financials, and limiting the amount of people who have access to that computer, issues will happen. For a regular workstation or laptop, you just need to load up a decent anti-malware suite for the computer that also blocks ads, and has a software firewall built in. From there use the “whitelist” feature, allowing communication to the banking site only. As long as that computer receives operating system updates, anti-malware updates, and any speciality software, all should be well.

      But people rather gamble daily, and are curious to visit sites and open “SPAM” emails because the curiousity gets the best of them. Eventually a lax practice will be subject to an attack and they are in. Some of the laptops out there for this purpose cost a few hundred bucks. In the case of krebs article, it could have saved the company quite a bit of moooola. =\

      1. meh

        It is simpler than that, the banks are off the hook so they don’t care… When they are liable they are sure quick to call me up over a $50 legitimate transaction to verify… But since they have no liability here they could care less.

        Banks are the weak point in most malware/botnet/banking security models… They could stop enough to make these a waste of time if they had any skin in the game, but they don’t so they run whatever transactions they get even if they could easily verify them as fraudulent. Look at western union, probably half of what they process is fraudulent and they don’t care at all.

        1. Ayla

          Not all banks though. I work for one of the largest bank in the US and I do my job quite fair. We save millions of money everyday. We have separate departments for credit, debit cards and wires. Even for check forgery. Let’s just think positive. The world can’t be perfect. Just be thankful these guys are caught. And I personally care about other people’s money. I do my best in working every review if I’m letting go of the money that’s being our sorted for fraud. May it be millions or just a dollar. We have our ways. We just don’t make it public. Not unless we suspect you’re committing fraud, then that’s the only time we call you.

          1. IA Eng

            HA ! looks like the good ole’ 1930 communication style from banks live on. The only thing they accept is the hard earned cash of others.

            Communication is a two way street. Sure there are ways for banks to “do their job”, they cannot read people’s minds and cannot assume what a person wishes to do with their funding, even if it is to leave it within the bank – vice giving it freely to an overseas location.

            Open communication between the PR person at the bank and a few phone calls to a VIP list could avoid much pitfalls. Worse case if the people or the bank don’t want to do it over the phone or email, invite the customer in via an appointment and have some quality face time.

            I find it hard to believe anyone from a bank is going to call a would-be fraudster. IF, and I say IF they were smart when they recieved one of those calls, its like a tip off that the fuzz is inbound, and they typically need electronics to do digital forensics and well, lets leave that side of the scenario alone. Let the potential fraudsters go to jail, vice figuring out a way to dodge that issue.

            More than likely its the local FBI, Police and if its a barn-burner my pals at the Secret Service come calling. Depends on what level the intent is, of course.

            One person doing their job at one location isn’t enough. I’ll say it even though it sounds harsh. Until the banks and credit card agencies start to feel a real hard pinch, most of what happens will go sight-unseen and quiet. The reputation and inflow is much more important than some hiccup along the road.

            Criminals are smart. I am sure that some were on the inside and in their mind probably decided it was a job that they weren’t making cash fast enough for their liking. They probably read some articles about what happened in different locations and thought, HUNH. I know how that process works, and they’d say they could do it better. Now, they probably are part of some process that not so good.

            It happens alot more than people think, or want to know.

  3. The Oregano Router

    Only stupid Americans would believe that a software company in Australia needed someone in the United States to wire transfer money to eastern Europe.

    1. stupid

      Stupid knows no borders, stupid.

      (disclaimer – I’m not American either, but you shore do sound dumb saying what you said, dumb dumb!)

      1. The Oregano Router

        What makes you think that I’m outside the United States?

        Clearly the so called “digit divide” is huge in many countries where people don’t have access to things like the internet to be better informed about these types of fraud that center around money mules.

        1. really stupid

          LOL good point, I misinterpreted your phrase “only stupid Americans” – I guess there could be stupid and smart Americans as well as there are stupid and smart persons across all lands ;o)

      2. Mucho Estupido

        Ummm, “shore” is a word that refers to the beach in NJ. Perhaps that was your intended insinuation and not “stupidity” on your part.

  4. Simon

    Hi Krebs,

    Thanks for the educational articles.

    I work for an Inter bank switch and wondered about this line from the article above
    ‘…and then set up fraudulent automated clearing house (ACH) links between victim accounts and prepaid debit card accounts they controlled’

    How is this even possible? Please shed more light on what loopholes allow such a breach.

    1. BrianKrebs Post author

      It’s quite simple, actually. Thief has access to someone’s online banking credentials. They log in to that account, then connect it to another account. The system doesn’t care if it’s a real bank account or a prepaid card. Once a microdeposit is made to establish the connection, the two accounts are linked.

      1. David Dows

        Brian,

        I think what he’s getting at is what I’ve experienced whenever I have setup ACH links between accounts. The name of at least one owner on each account must match, so they would have to setup a joint account for themselves and the victimized company. Any bank that would allow such an account to be opened must be complicit in the crime.

        Dave (you still owe me a beer 😉

  5. QHoster

    I am not sure how money transfers are not phone confirmed etc. with such a amount like 1 million USD.

  6. Aleksey

    Again and again, the same old conclusion can be drawn from this tale of criminals being punished: if you’re in “da biz” – neverset foot in the USA and moreover, don’t reside in the USA. And if you stand out among the cybercrime crowd – don’t ever set foot in any country that may respond favorably to the extradition request from the USA.

    1. Robert Walter

      Not not storing one’s meat where one steals one’s bread may help improve one’s chances somewhat, but just last week, Latvia agreed to extradite some of their own nationals who had ventured into the cyber thievery business.

  7. Frances

    Krebs wrote “The mule said she’d been hired …”

    Technically, a female mule is referred to as a molly or Molly mule.

    I wish you’d find a new name for humans who are so naive that they cannot see that their job involves money laundering. We mules are intelligent creatures.

    It still burns me that Mr. Ed is the talking equus most people remember.

  8. ric

    with all the crap going on in the internet I wonder now if krebs should start ssl these sessions? 🙂

    1. The Oregano Router

      + 1 on using S.S.L. for this website. Furthermore, I think posting here should be done by some type of account signup integration .

      1. SeymourB

        But then we’d lose all those quality posts by the individuals who are actually committing crimes.

        1. The Oregano Router

          Oh you mean all the posts with the real bad grammar and English spelling mistakes .

          1. SeymourB

            I don’t have any idea what you mean.

            (tongue lodged firmly in cheek)

      2. voksalna

        I’m pretty sure he’d lose a lot more than just ‘criminals’ if he decided to incorporate that wonderful thing known as cross-site tracking, er, I mean logins. I know for sure I’d stay away, as I do with everything that requires Disqus or anything of the like (I know I’m not the only commenter on here who feels this way). But maybe you’d like that.

  9. Old School

    “The Baltaga brothers were charged with wire fraud, conspiracy to commit bank fraud and wire fraud, aggravated identity theft, and aiding and abetting. ” Baltaga brothers, welcome to the United States, the land of opportunity. You could have made something of yourselves making possible a long, prosperous and happy life. But instead, you dumb f**ks used your freedoms to choose the Dark Side. So now Baltaga brothers, welcome to United States Federal Bureau of Prisons ( http://www.bop.gov/ ) where your fellow inmates will “eat you for breakfast.”

    1. nonius

      I’m sure the brother who plays the pan flute will do just fine and practice a lot in the prison. Not sure of the other brother though, violin is not a particularly popular instrument with those audiences.

    1. The Shark™

      Not sure. But soon enough, they’ll surely be known as the ‘Backdoor Brothers.’

  10. Jim

    If they’re here illegally, they should do prison time in the U.S. and be deported to the hole in the ground they came from.

    1. nonius

      I visited Kisinev in Moldavia twice about 12-15 years ago. Once I bought newspapers from a stand (true, the stand was inside the hotel lobby) and forgot my wallet there. I returned after 30 min. to ask (was not sure I forgot it there, just recreating my steps) and the lady at the stand gave it to me (with the entire content). So there are honest people there, as everywhere, despite the fact that exporting individuals like the Baltaga brothers might seem to suggest otherwise.

  11. Curious

    Brian:

    This sounds more organized than just two kids in a house in Fresno. Do you have any thought on who is behind it all?

    1. DefendOurFree

      The indictment Brian has linked to the article does say “others”.

    2. Andrew

      Two ‘kids’ in Fresno who managed to buy a $800,000 home and either passing the credit checks or paying cash without raising money laundering flags. Or is that where the heat came from?

  12. IA Eng

    Ahhhh common, can’t we all play nice?

    I found two more interesting articles that might tickle Kreb’s fancy = Þ

    28. November 14, Help Net Security – (International) Sinowal and Zbot trojan collaborate in new attack. Researchers at Trend Micro observed a variant of the ZeuS/Zbot trojan working in collaboration with a new Sinowal trojan to attempt to make ZeuS’s job easier by disabling the Trusteer Rapport security software. The two trojans are dropped by the Andromeda backdoor attached to malicious emails. Source: http://www.net-security.org/malware_news.php?id=2626 29.

    November 14, Softpedia – (International) MacRumors hacker says he will not leak the 860,000 passwords he stole. The MacRumors forums were hacked and 860,000 users’ usernames, emails, and password hashes were compromised, MacRumors confirmed November 12. However, the hacker who took credit for the breach claimed that they would not reveal the information. Source: http://news.softpedia.com/news/MacRumors-Hacker-Says-He-Will-Not-Leak-the-860-000-Passwords-He-Stole-400064.shtml

    31. November 14, Softpedia – (International) Cybercriminals use new Linux backdoor to steal information from companies. Symantec researchers identified a cybercriminal operation that carried out an attack against a large hosting provider using a new Linux backdoor, dubbed Linux.Fokirtor that was able to gain access to usernames, passwords, emails, and possibly financial information. The backdoor hides inside server processes that could give the attack away and prompt security reviews. Source: http://news.softpedia.com/news/Cybercriminals-Use-New-Linux-Backdoor-to-Steal-Information-from-Companies-400203.shtml

    That’ll keep him busy for a few hours =Þ

  13. Keith B. Rosenberg

    Interesting how Uncle Sugar goes after people who hack financial institutions, but not the black hats that use ransomware to extort money out of large numbers individuals a few hundred dollars at a time.

    1. IA Eng

      heh, it depends on whats important to the economy. You can recreate your files. The only way your going to recreate cash is if you steal (BAD !) some printing plates and make enough cash for everyone ( without permission of course – BAD !).

      So, pick your poison. What more important to the general population…and Ummm no, I am not interested on any one else’s hard drive – encrypted or not.

  14. DefendOurFree

    http://webcache.googleusercontent.com/search?q=cache:thXkBshOrdsJ:www.thebusinessjournal.com/subscriberold/public-notices/fictitious/7958-fictitious-august-26-2013+&cd=11&hl=en&ct=clnk&gl=us

    Fictitious – August 26, 2013
    Published on 08/29/2013 – 10:24 am Written by chad webster

    (1)
    FICTITIOUS BUSINESS
    NAME STATEMENT
    File No. 2201310004491

    The following person(s) is (are) doing business as:

    Gama Plus Motors, 10667 N. Medinah Circle, Fresno, CA 93730; County of Fresno

    Gama Plus LLC, 10667 N. Medinah Circle, Fresno, CA 93730.
    This business is conducted by LLC

    The registrant commenced to transact business under the fictitious business name or names listed above on 08/07/2013.

    Article of Incorporation 201320510090

    I declare that all information in this statement is true and correct. (A registrant who declares as true information which he or she knows to be false is guilty of a crime.)
    S/ Adrian Baltagak Manager

    This statement was filed with the County Clerk of Fresno on August 14, 2013.

    NOTICE-In accordance with Section 17920(a), a Fictitious Name Statement generally expires five years from the date it was filed with the County Clerk, except as provided in Section 17920(b), where it expires 40 days after any change in the facts set forth in the statement pursuant to section 17913 other than a change in the residence address of a registered owner. A New Fictitious Business Name Statement must be filed before the expiration.
    The filing of this statement does not of itself authorize the use in this state of a Fictitious Business Name in violation of the rights of another under Federal, State, or common law (See Section 14411 et seq., Business and Professions Code).

    New filing
    8/26, 9/2, 9/9, 9/16/13
    CNS-2524833#
    FRESNO BUSINESS JOURNAL
    08/26/2013, 09/02/2013, 09/09/2013, 09/16/2013

Comments are closed.