The Federal Bureau of Investigation (FBI) has arrested a Nigerian, Charles Onus, for his alleged involvement in diverting about $800,000.
A statement on Wednesday by the US Department of Justice alleged that Onus was connected with a scheme to conduct cyber intrusions of multiple user accounts maintained by a company that provides human resources and payroll services to employers across the country, in order to steal payroll deposits.
He was said to have been arrested on April 14 in San Francisco and detained, and was scheduled to appear at the Manhattan Federal Court before Magistrate Judge Sarah Cave on June 2.
According to allegations in the indictment filed in the court, the suspect participated in the scheme from July 2017 through 2018.
During the scheme, unauthorised access was said to have been obtained to over 5,500 company user accounts through a cyber intrusion technique referred to as “credential stuffing.”
During a credential stuffing attack, a cyber threat actor collects stolen credentials, or username and password pairs, obtained from large-scale data breaches of other companies.
The threat actor then systematically attempts to use those stolen credentials to obtain unauthorised access to accounts held by the same user with other companies and providers, to compromise accounts where the user has maintained the same password.
After Onus successfully gained unauthorised access to a company user account, he was alleged to have changed the bank account information designated by the user of the account to enable him to receive the user’s payroll to a prepaid debit card under his control.
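As an added illustration, not part of the Justice Department statement or the original report, the Python example below shows how a payroll provider could flag the pattern described above: one source trying many different accounts with mostly failed logins, followed by a deposit change on an account it got into. The log format, field names, thresholds and sample events are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: time, source IP, account, action, outcome.
SAMPLE_LOG = """\
2018-03-01T02:00:01 203.0.113.7 alice login fail
2018-03-01T02:00:02 203.0.113.7 bob login fail
2018-03-01T02:00:03 203.0.113.7 carol login ok
2018-03-01T02:00:04 203.0.113.7 dave login fail
2018-03-01T02:00:05 203.0.113.7 erin login fail
2018-03-01T02:06:40 203.0.113.7 carol deposit_change ok
2018-03-01T09:15:00 198.51.100.20 frank login fail
2018-03-01T09:15:30 198.51.100.20 frank login ok
2018-03-01T09:20:00 198.51.100.20 frank deposit_change ok
"""

def parse(log):
    for line in log.splitlines():
        ts, ip, user, action, outcome = line.split()
        yield datetime.fromisoformat(ts), ip, user, action, outcome

def stuffing_sources(events, min_users=5, min_fail_ratio=0.6):
    """Source IPs that tried many distinct accounts and mostly failed."""
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, user, action, outcome in events:
        if action == "login":
            users[ip].add(user)
            total[ip] += 1
            fails[ip] += outcome == "fail"
    return {ip for ip in users
            if len(users[ip]) >= min_users and fails[ip] / total[ip] >= min_fail_ratio}

def suspicious_deposit_changes(log, window=timedelta(hours=24)):
    """Deposit changes that follow a successful login from a flagged source."""
    events = list(parse(log))  # assumed to be in chronological order
    flagged = stuffing_sources(events)
    breached = {}  # account -> time of first successful login from a flagged IP
    hits = []
    for ts, ip, user, action, outcome in events:
        if action == "login" and outcome == "ok" and ip in flagged:
            breached.setdefault(user, ts)
        elif action == "deposit_change" and user in breached \
                and timedelta(0) <= ts - breached[user] <= window:
            hits.append((user, ip, ts.isoformat()))
    return hits

if __name__ == "__main__":
    for hit in suspicious_deposit_changes(SAMPLE_LOG):
        print("hold payroll change for review:", hit)
```

The second source in the sample, a single user who mistypes a password once and then updates their own deposit details, is not flagged, which is the distinction the thresholds are meant to preserve.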
The statement said between July 2017 and 2018, “at least approximately 5,500 company user accounts were compromised and more than approximately $800,000 in payroll funds were fraudulently diverted to prepaid debit cards, including those under the control of Onus”.
It added, “The compromised company user accounts were associated with employers whose payroll was processed by the company, including employers located in the Southern District of New York.”
Manhattan US Attorney Audrey Strauss said, “Charles Onus allegedly participated in a scheme that stole nearly $1 million by hacking into a payroll processing company’s system to access user accounts and divert payroll to prepaid debit cards he controlled.
“As alleged, Onus did this as effectively as someone who commits bank burglary, but with no need for a blowtorch or bolt-cutters. Thanks to the FBI and IRS-CI, Onus is in custody and facing serious federal charges.”