November 22, 2021

In August, KrebsOnSecurity warned that scammers were contacting people and asking them to unleash ransomware inside their employer’s network, in exchange for a percentage of any ransom amount paid by the victim company. This week, authorities in Nigeria arrested a suspect in connection with the scheme — a young man who said he was trying to save up money to help fund a new social network.

Image: Abnormal Security.

The brazen approach targeting disgruntled employees was first spotted by threat intelligence firm Abnormal Security, which described what happened after they adopted a fake persona and responded to the proposal in the screenshot above.

“According to this actor, he had originally intended to send his targets—all senior-level executives—phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext,” Abnormal’s Crane Hassold wrote.

Abnormal Security documented how it tied the email back to a Nigerian man who acknowledged he was trying to save up money to help fund a new social network he is building called Sociogram. In June 2021, the Nigerian government officially placed an indefinite ban on Twitter, restricting it from operating in Nigeria after the social media platform deleted tweets by the Nigerian president.

Reached via LinkedIn, Sociogram founder Oluwaseun Medayedupin asked to have his startup’s name removed from the story, although he did not respond to questions about whether there were any inaccuracies in Hassold’s report.

“Please don’t harm Sociogram’s reputation,” Medayedupin pleaded. “I beg you as a promising young man.”

After he deleted his LinkedIn profile, I received the following message through the “contact this domain holder” link at KrebsOnSecurity’s domain registrar [curiously, the date of that missive reads “Dec. 31, 1969.”]. Apparently, Mr. Krebson is a clout-chasing monger.

A love letter from the founder of the ill-fated Sociogram.

Mr. Krebson also heard from an investigator representing the Nigeria Finance CERT on behalf of the Central Bank Of Nigeria. While the Sociogram founder’s approach might seem amateurish to some, the financial community in Nigeria did not consider it a laughing matter.

On Friday, Nigerian police arrested Medayedupin. The investigator says formal charges will be levied against the defendant sometime this week.

KrebsOnSecurity spoke with a fraud investigator who is performing the forensic analysis of the devices seized from Medayedupin’s home. The investigator spoke on condition of anonymity out of concern for his physical safety.

The investigator — we’ll call him “George” — said the 23-year-old Medayedupin lives with his extended family in an extremely impoverished home, and that the young man told investigators he’d just graduated from college but turned to cybercrime at first with ambitions of merely scamming the scammers.

George’s team confirmed that Medayedupin had around USD $2,000 to his name, which he’d recently stolen from a group of Nigerian fraudsters who were scamming people for gift cards. Apparently, he admitted to creating a phishing website that tricked a member of this group into providing access to the money they’d made from their scams.

Medayedupin reportedly told investigators that for almost a week after he started emailing his ransom-your-employer scheme, nobody took him up on the offer. But after his name appeared in the news media, he received thousands of inquiries from people interested in his idea.

George described Medayedupin as smart, a quick learner, and fairly dedicated to his work.

“He seems like he could be a fantastic [employee] for a company,” George said. “But there is no employment here, so he chose to do this.”

What’s interesting about this case — and indeed likely why anyone thought this guy worthy of arrest — is that the Nigerian authorities were fairly swift to take action when a domestic cybercriminal raised the specter of causing financial losses for the country’s own banks.

After all, the majority of the cybercrime that originates from Africa — think romance scams, Business Email Compromise (BEC) fraud, and unemployment/pandemic loan fraud — does not target Nigerian citizens, nor does it harm African banks. On the contrary: This activity pumps a great deal of Western money into Nigeria.

How much money are we talking about? The financial losses from these scams dwarf other fraud categories — such as identity theft or credit card fraud. According to the FBI’s Internet Crime Complaint Center (IC3), consumers and businesses reported more than $4.2 billion in losses tied to cybercrime in 2020, and BEC fraud and romance scams alone accounted for nearly 60 percent of those losses.

Source: FBI/IC3 2020 Internet Crime Report.

If the influx of a few billion US dollars into the Nigerian economy each year from cybercrime seems somehow insignificant, consider that (according to George) the average police officer in the country makes the equivalent of less than USD $100 a month.

Ronnie Tokazowski is a threat researcher at the security firm Cofense. Tokazowski maintains he has been one of the more vocal proponents of the idea that trying to fight these problems by arresting those involved is something of a Sisyphean task, and that it makes way more sense to focus on changing the economic realities in places like Nigeria.

Nigeria has the world’s second-highest unemployment rate — rising from 27.1 percent in 2019 to 33 percent in 2020, according to the National Bureau of Statistics. The nation also is among the world’s most corrupt, according to 2020 findings from Transparency International.

“Education is definitely one piece, as raising awareness is hands down the best way to get ahead of this,” Tokazowski said, in a June 2021 interview. “But we also need to think about ways to create more business opportunities there so that people who are doing this to put food on the table have more legitimate opportunities. Unfortunately, thanks to the level of corruption of government officials, there are a lot of cultural reasons that fighting this type of crime at the source is going to be difficult.”


36 thoughts on “Arrest in ‘Ransom Your Employer’ Email Scheme”

  1. rip

    Please embed definitions for BEC and EAC in your text. Even the one link to BEC was totally uninformative. Of course, everyone would tell me to altavista it…

    1. ReadandShare

      Of course it would be nice if authors spell out acronyms first… but really, when Life isn’t perfect, you’d rather whine than simply google it up?

        1. Seltzer

          I want to know more about this. Can you please explain your comment at length Dave?

        1. Internet Sociologist

          A “Lycosian” is a member of an ancient tribe which roamed the Information Superhighway circa 1994 – 1996. Lycosians generally practiced a hunter-gatherer form of existence, acquiring information as they encountered it during their travels. Most of them were solitary wanderers, sometimes meeting in small groups on Usenet. They communicated in a short choppy pidgin language that expressed basic needs, such as “action movies NOT Schwarzenegger.”
          A “Jeevesian Askalite” is a member of a different primitive group that arose at roughly the same time, circa 1995. Their practices were similar to those of the Lycosians, although they developed a more robust language to express their needs that was similar in many ways to modern English.
          Both of these primitive groups either died out or were conquered by the Googlians of Googlian Island circa 2004. Isolated members of both groups may still exist in remote areas, but since maintenance of the Information Superhighway has been discontinued for some time, they can be challenging to study.

      1. Gannon (J) Dick

        Brian, The “official” list for currencies and abbreviations is contained in Appendix B of ACE CATAIR – never mind what the acronyms mean: it is automated customs brokerage software. The tables start on page 7.
        https://www.cbp.gov/sites/default/files/assets/documents/2021-Aug/ACE%20CATAIR%20Appendix%20B_28July2021_508c.pdf

        The fly in the ointment is that the data base country codes and currency codes are in the same table. Imports need a “Certificate of Origin” and a currency value which screws up the momentum through the “supply chain” … it is faster to clear a shipment than it is to move a shipment.

    1. mealy

      I’ve long said that about Brian Krebson. Just look at the disdain for his ID badge in the photo.
      Typical delta male. I hear he doesn’t even google, he just remembers the urls.

  2. Jim

    “Tokazowski maintains … that it makes way more sense to focus on changing the economic realities in places like Nigeria.”
    “But we also need to think about ways to create more business opportunities there.”

    Tokazowski may be a great threat researcher but these comments are laughable. Good luck with changing the economic realities in places like Nigeria. Also, why is it up to us (not sure who exactly) to think about ways to create more business opportunities there. That is the role of their government but they are too busy stealing as much as they can to bother with the people who voted them in.

    (Written by someone who lived and worked there as a Financial Controller)

    1. Iliana

      I am saddened by the sustained poverty being suffered by innocent people, and pray that God will hear their cries and redeem them. In the meantime I pray God will put a hunger for education into the children’s heart. A strong education system will foster a sense of investment in his own future and lead away from crime, it is the only government strategy that will work in the long run. Children who work hard to get an education will not risk throwing it all away for the lure of criminal pay. I pray God will put a spirit of good in the children’s heart. Good children bring forth a good future and a good economy, a good culture of love and family.

      1. Richard Turnbull

        I share all your hopes, without the explicit appeal to a deity.
        “God is a comedian playing to an audience too afraid to laugh.”
        — Voltaire, French Enlightenment Writer and a favorite of many of America’s Founders

      2. Bill

        Whatever god you’re praying to clearly doesn’t give a sh*t.

      3. Preston

        The guy who got arrested in the article recently graduated from college. I don’t think education alone is going to cut it. Also from the sound of it he had good intentions at first, “scamming the scammers”.

        1. Tom

          Scamming the scammers would be an interesting use case for bringing back Letters of Marque.

    1. Mark Bennett

      Reminds me of the mystery spoof movie “Murder by Death”, where Alec Guinness portrayed a blind butler named Jamesir Bensonmum.

  3. Phil

    Ok, so if I join Sociogram, I get 40% of its revenue. But I also have to keep an eye out for the FBI. Maybe a social network with a lower payout & risk factor isn’t such a bad idea?

    1. Brian

      lol…we have a couple of social media companies magnates here who seem to be doing just fine under those same circumstances..:)

  4. The Sunshine State

    That laptop with the tape on the camera (op-sec?) looks to be about Windows XP or Vista vintage LOL

    Great article, now keep up the good work you “clout-chasing monger.”

    1. Tim

      Looks like it’s at least new enough to have a touch screen because it’s been touched A LOT.

  5. Martin

    I’ve enjoyed many things about this blog down the years, but ‘Mr. Krebson is a clout-chasing monger’ may be my single favourite sentence written here and I’d buy a T-Shirt with it on.

    Much as I despise cybercriminals as much as any sensible person, I do have some grains for sympathy for this guy. 23 years old, growing up in poverty with a large family, smart and hard-working enough to achieve a lot but with no prospects for a proper job. Started out trying to scam other scammers and his ultimate goal was to get a legitimate business off the ground. None of that excuses what he did and he should still be punished, but compared to Twitter handle collectors in rich countries SWATting innocent people and Russian mobsters running ransomware attacks at an industrial scale, Medayedupin seems like small fry and someone who in different circumstances would be a net contributor to society.

    As Brian says, the numbers show that the real damage is being done by the relentless BEC and Romance fraudsters.

    1. an_n

      “Much as I despise cybercriminals as much as any sensible person, I do have some grains for sympathy for this guy. 23 years old, growing up in poverty with a large family, smart and hard-working enough to achieve a lot but with no prospects for a proper job.”

      That describes ~Billions of people. Just for relative comparison of the future threat landscape.
      Assuming the internet or anything attached survives even a decade from now, grains of sympathy
      sufficient to pave a desert. We could solve those problems ahead of time, spend not doing so.

  6. Jon

    “it tied the email back to a Nigerian man who acknowledged he was trying to save up money to help fund a new social network he is building called Sociogram.”

    Should be called Sociopath.
