A Nigerian national was arrested in Ghana on charges of wire fraud, aggravated identity theft, and unauthorized access to a protected computer.
The charges are related to a $7.5 million scheme aimed at defrauding two charitable organizations by impersonating employees and gaining access to their email accounts.
The indictment was announced by United States Attorney for the District of Maryland Erek L. Barron and Acting Special Agent in Charge R. Joseph Rothrock of the Federal Bureau of Investigation, Baltimore Field Office.
According to the eight-count indictment, between June and August 2020, Adejorin perpetrated a scheme to defraud Victim 1, a charitable organization located in North Bethesda, Maryland and Victim 2, a charitable organization located in New York, New York by gaining access to employee email accounts and impersonating employees to induce financial transactions.
The indictment alleges that Adejorin posed as an employee of Victim 2 to request withdrawals of Victim 2’s funds from Victim 1, a charitable organization that provided investment services to Victim 2. Withdrawals over $10,000 required approval from at least one of several individuals authorized by Victim 1. According to the indictment, Adejorin fraudulently obtained the credentials of employees at Victim 1 and Victim 2 and posed as those employees to send emails from their accounts, including emails making fraudulent requests for the withdrawal of investment funds.
As part of the scheme, Adejorin also allegedly purchased a credential harvesting tool designed to steal email login credentials, registered spoofed domain names, and concealed the fraudulent emails from a legitimate employee by causing the fraudulent emails to be moved to an inconspicuous location within Employee 1’s mailbox.
The indictment alleges that, as part of the scheme, Adejorin caused more than $7.5 million of Victim 2’s funds to be sent, pursuant to fraudulent withdrawal requests, from Victim 1 to bank accounts that were not Victim 2’s bank accounts.
If convicted, Adejorin faces a maximum sentence of 20 years in federal prison for each of five counts of wire fraud; a maximum of five years in federal prison for unauthorized access to a protected computer; and a mandatory sentence of two years in federal prison, consecutive to any other sentence imposed, for each of the two counts of aggravated identity theft.
The maximum penalty for two of the wire fraud counts could be increased by seven years for knowingly falsely registering and using a domain name. Actual sentences for federal crimes are typically less than the maximum penalties. A federal district court judge will determine any sentence after taking into account the U.S. Sentencing Guidelines and other statutory factors.
