Phobos Ransomware Affiliates Arrested in Coordinated International Disruption

Source: United States Department of Justice Criminal Division

Note: View the superseding indictment here.

Phobos Group Alleged to have Attacked Over 1,000 Victims Worldwide

The Justice Department today unsealed criminal charges against Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, both Russian nationals, who allegedly operated a cybercrime group using the Phobos ransomware that victimized more than 1,000 public and private entities in the United States and around the world and received over $16 million in ransom payments. Berezhnoy and Glebov were arrested this week as part of a coordinated international disruption of their organization, which includes additional arrests and the technical disruption of the group’s computer infrastructure.

From May 2019 through at least October 2024, Berezhnoy, Glebov, and others allegedly caused victims to suffer losses resulting from the loss of access to their data in addition to the financial losses associated with the ransomware payments. The victims included a children’s hospital, health care providers, and educational institutions.

8Base Seizure Banner

According to court documents, Berezhnoy, Glebov, and others operated a ransomware affiliate organization, including under the names “8Base” and “Affiliate 2803,” among others, that victimized public and private entities through the deployment of Phobos ransomware.

As part of the scheme, Berezhnoy, Glebov, and others allegedly hacked into victim computer networks, copied and stole files and programs on the victims’ network, and encrypted the original versions of the stolen data with Phobos ransomware. The conspirators then allegedly extorted the victims for ransom payments in exchange for the decryption keys to regain access to the encrypted data by, among other things, leaving a ransom note on compromised victim computers and separately reaching out to victims to initiate ransom payment negotiations.

As alleged, the conspirators also threatened to expose victims’ stolen files to the public or to the victims’ clients, customers, or constituents if the ransoms were not paid. The conspirators are further alleged to have established and operated a darknet website where they repeated their extortionate threats and ultimately published the stolen data if a victim failed to pay the ransom.

After a successful Phobos ransomware attack, criminal affiliates paid fees to Phobos administrators for a decryption key to regain access to the encrypted files. Each deployment of Phobos ransomware was assigned a unique alphanumeric string in order to match it to the corresponding decryption key, and each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to that affiliate.

The charges unsealed today against Berezhnoy and Glebov follow the recent arrest and extradition of Evgenii Ptitsyn, a Russian national, on charges relating to his alleged administration of the Phobos ransomware variant.

In parallel with this week’s arrests, Europol and German authorities have announced an international operation involving the FBI and other international law enforcement partners to disrupt over 100 servers associated with this criminal network.

Berezhnoy and Glebov are charged in an 11-count indictment with one count of wire fraud conspiracy, one count of wire fraud, one count of conspiracy to commit computer fraud and abuse, three counts of causing intentional damage to protected computers, three counts of extortion in relation to damage to a protected computer, one count of transmitting a threat to impair the confidentiality of stolen data, and one count of unauthorized access and obtaining information from a protected computer. If convicted, Berezhnoy and Glebov face a maximum penalty of 20 years in prison on each wire fraud-related count; 10 years in prison on each computer damage count; and five years in prison on each of the other counts. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

Supervisory Official Antoinette T. Bacon of the Justice Department’s Criminal Division, U.S. Attorney Erek L. Barron for the District of Maryland, Assistant Director Bryan Vorndran of the FBI’s Cyber Division, and Special Agent in Charge William J. DelBagno of the FBI Baltimore Field Office made the announcement.

The FBI Baltimore Field Office is investigating the case. The Justice Department extends its thanks to international judicial and law enforcement partners in the United Kingdom, Germany, Japan, Spain, Belgium, Poland, Czech Republic, France, Thailand, Finland, and Romania, as well as Europol and the U.S. Department of Defense Cyber Crime Center, for their cooperation and coordination with the Phobos ransomware investigation. The National Security Division’s National Security Cyber Section and the Justice Department’s Office of International Affairs also provided valuable assistance.

Senior Counsel Aarash A. Haghighat of the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorney Thomas M. Sullivan for the District of Maryland are prosecuting the case. Former CCIPS Trial Attorney Riane Harper and former Assistant U.S. Attorneys Aaron S.J. Zelinsky and Jeffrey J. Izant for the District of Maryland provided substantial assistance.

Additional details on protecting networks against Phobos ransomware are available at StopRansomware.gov, including Cybersecurity and Infrastructure Security Agency Advisory AA24-060A.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

Defense News: U.S. Navy, 35+ Partners Commence International Maritime Exercise (IMX) 2025

Source: United States Navy

The week began with academic discussions covering a series of topics including the naval planning process, maritime operations center procedures, and disaster response coordination.

IMX25 is a 12-day naval training event hosted by U.S. Naval Forces Central Command (NAVCENT). This year’s iteration of IMX is linked with exercise Cutlass Express. Cutlass Express, led by U.S. Naval Forces Europe-Africa, is an annually scheduled exercise designed to enhance regional maritime awareness and the combined capabilities of partner nations to respond to maritime threats. The exercises are linked through information sharing between maritime operations centers to strengthen theater-to-theater coordination, reducing regional seams and strengthening U.S. and partner nation capabilities and interoperability.

More than 5,000 personnel from more than 35 nations and international organizations will take part in both exercises.

IMX is designed to demonstrate global resolve in preserving the rules-based international order, offering a unique opportunity for participants to collaborate and showcase regional maritime security cooperation.

“Exercises like IMX show that we are at our best when we work together and that our resolve is unwavering,” said U.S. Navy Rear Adm. Jeff Jurgemeyer, NAVCENT vice commander, during his remarks at the opening ceremony. “The Middle East region is a critical crossroads for worldwide commerce and trade. IMX is our combined assurance that the potential for economic success is greatest when international waterways are safe and open for all.”

The operational phase will include partner exchanges on mine and countermeasures; visit, board, search and seizure; unmanned systems and artificial intelligence integration; explosive ordnance disposal; vessel defense; search and rescue; and mass casualty response, among other focus areas.

This is the ninth iteration of IMX since its establishment in 2012.

The U.S. 5th Fleet area of operations encompasses nearly 2.5 million square miles of water area and includes the Arabian Gulf, Gulf of Oman, Red Sea, parts of the Indian Ocean and three critical choke points at the Strait of Hormuz, Suez Canal and Bab al-Mandeb.

More information about IMX is available at: https://www.cusnc.navy.mil/IMX/.

New Jersey CPA Sentenced in Syndicated Conservation Easement Tax Scheme

Source: United States Department of Justice

A New Jersey accountant was sentenced today to 24 months in prison for his role in the promotion and sale of abusive syndicated conservation easement tax shelters.

According to court documents and statements made in court, Ralph Anderson was a CPA and return preparer working for accounting firms in New Jersey and New York. From approximately 2013 to 2019, Anderson promoted and sold tax deductions to his high-income clients in the form of units in illegal syndicated conservation easement tax shelters created by convicted co-conspirators Jack Fisher and James Sinnott.

Anderson knew that, contrary to law, the transactions related to these illegal tax shelters lacked economic substance and that his high-income clients purchased units at his recommendation only to obtain a tax deduction on their tax returns. The charitable deductions purchased by clients were derived from the donation of land with a conservation easement or the land itself to a charity, and the deductions were based on fraudulently inflated appraisals for the donated land. Anderson and the promoters promised the clients a so-called ratio of “4.5 to 1” in charitable deductions for every dollar paid into the tax shelter.

In some instances, to make it appear that his clients had joined the partnerships before the date of the conservation easement donation — which was necessary to claim the tax benefits — Anderson and his co-conspirators also instructed and caused clients to falsely backdate documents, including subscription agreements and checks related to the partnerships. Each year from 2013 to 2019, Anderson and his co-conspirators assisted clients with claiming these false deductions on their tax returns.

In total, Anderson assisted in preparing tax returns for clients that claimed over $9.3 million in false charitable deductions based on backdated documents, which caused a tax loss to the United States of nearly $3 million.

Between approximately 2016 and 2019, Anderson earned over $300,000 in commissions for promoting and selling the illegal tax shelters to his clients. Anderson also claimed false tax deductions for charitable contributions generated from the syndicated conservation easement tax shelters he received as “free units” on his own returns and fraudulently reduced his own taxes on the income he earned from the scheme.

In addition to his prison sentence, U.S. District Court Judge Michael A. Shipp for the District of New Jersey ordered Anderson to serve three years of supervised release and to pay $3,543,005.53 in total restitution to the IRS and Small Business Administration.

After being convicted on all counts after a trial in U.S. District Court for the Northern District of Georgia, Anderson’s co-conspirators, Jack Fisher and James Sinnott, were sentenced to 25 and 23 years in prison, respectively. Nine additional defendants pleaded guilty to criminal conduct related to the syndicated conservation easement tax shelter scheme. These other defendants include appraiser Walter Douglas “Terry” Roberts and Certified Public Accountants Stein Agee, Corey Agee, James Benkoil, Victor Smith, Herbert Lewis and William Tomasello. In addition, attorneys Randall Lenz and Vi Bui pleaded guilty to their roles in this scheme. The fraudulent syndicated conservation easement tax shelter scheme created and promoted by Fisher and Sinnott resulted in over $1.3 billion in fraudulent tax deductions and caused over $400 million in total tax loss to the IRS.

Acting Deputy Assistant Attorney General Karen E. Kelly of the Justice Department’s Tax Division and Chief Guy Ficco of IRS Criminal Investigation (IRS-CI) made the announcement.

IRS-CI and the U.S. Postal Inspection Service investigated the case.

Senior Litigation Counsel Richard M. Rolwing and Trial Attorneys Parker Tobin and Jessica Kraft of the Tax Division prosecuted the case with assistance from former Tax Division Trial Attorney Nicholas Schilling and support from the U.S. Attorney’s Office for the Northern District of Georgia.

Alabama Man Pleads Guilty in Connection with Securities and Exchange Commission X Account Hack

Source: United States Department of Justice Criminal Division

An Alabama man pleaded guilty today in connection with the January 2024 unauthorized takeover of the U.S. Securities and Exchange Commission (SEC)’s social media account on X, formerly known as Twitter, in which hackers posted a fraudulent message in the name of the then-SEC Chairman, temporarily causing the value of Bitcoin (BTC) to increase by more than $1,000.

According to court documents, Eric Council Jr., 25, of Athens, conspired with others who took unauthorized control of the SEC’s X account and falsely announced that the SEC approved BTC Exchange Traded Funds, a decision highly anticipated by the market. Immediately following the false announcement, the price of BTC increased by more than $1,000 per bitcoin. Shortly after this unauthorized post, the SEC regained control over its X account and confirmed that the announcement was false and the result of a security breach. Following the correction, the value of BTC decreased by more than $2,000 per bitcoin.

The conspirators gained control of the SEC’s X account through an unauthorized Subscriber Identity Module (SIM) swap carried out by Council. A SIM swap refers to the process of fraudulently inducing a cell phone carrier to reassign a cell phone number from the legitimate subscriber or user’s SIM card to a SIM card controlled by a criminal actor. As part of the scheme, Council used an identification card printer to create a fraudulent identification card with a victim’s personally identifiable information obtained from his co-conspirators. Council used the fraudulent identification card to impersonate the victim and gain access to the victim’s cellular phone number for the purpose of accessing the SEC’s account. Council’s co-conspirators then accessed the account and posted in the name of the SEC Chairman. Council received payment in bitcoin from his co-conspirators for his role.   

Council pleaded guilty to conspiracy to commit aggravated identity theft and access device fraud. He is scheduled to be sentenced on May 16 and faces a maximum penalty of five years in prison. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

Supervisory Official Antoinette T. Bacon of the Justice Department’s Criminal Division; U.S. Attorney Edward R. Martin Jr. for the District of Columbia; Special Agent in Charge Sean Ryan of the FBI Washington Field Office, Criminal and Cyber Division; and SEC Inspector General Deborah Jeffrey made the announcement.

The FBI Washington Field Office and SEC Office of Inspector General are investigating the case.

Trial Attorney Ashley Pungello of the Criminal Division’s Computer Crime and Intellectual Property Section, Trial Attorney Lauren Archer of the Criminal Division’s Fraud Section, and Assistant U.S. Attorney Kevin Rosenberg for the District of Columbia are prosecuting the case. Substantial assistance was provided by Cyber Fellow Paul M. Zebb III.

For more information on SIM swapping, visit www.ic3.gov/PSA/2024/PSA240411.

Defense News: Simulating the threat, Naval Base Ventura County enhances security through annual exercise

Source: United States Navy

“CS-SC25 is an annual, nationwide force protection exercise,” said Mr. Rob Huether, installation training and readiness officer, NBVC. “It tests the ability of security departments and installations to respond to simulated security incidents throughout the two-week exercise.”

On Tuesday, a scenario presented to the security and installation personnel at NBVC involved an actor notionally opening fire in a work environment. Personnel were required to neutralize the threat, treat the wounded, coordinate with first responders, provide forward communication to the emergency operations center, and manage multiple scenario injects.

“Citadel Shield-Solid Curtain reinforces our commitment to protecting our people and preserving operational readiness by testing our ability to adapt to evolving force protection, security, and mission assurance challenges,” said Adm. Daryl Caudle, commander, U.S. Fleet Forces Command. “This exercise builds resilience and fosters coordination between fleet and shore forces, installation commands, and partner agencies, ensuring we stay prepared to counter modern-day threats with precision and unity of effort.”

According to a Navy Installations Command press release, Citadel Shield, held during the first week, is a field training exercise (FTX) led by CNIC, while Solid Curtain follows in the second week as a command post exercise (CPX) led by USFFC. This two-part training is designed to boost the readiness of U.S. Navy security forces and ensure seamless interoperability among commands, other services, and agency partners to protect life, equipment, and facilities. Both weeks will simulate realistic threat scenarios, including active shooters, unauthorized base access, and improvised explosive devices.

“Citadel Shield-Solid Curtain exercises are vital to ensuring the preparedness and effectiveness of our Navy security forces,” said Vice Adm. Scott Gray, commander, Navy Installations Command. “These comprehensive training scenarios simulate real-world threats to enhance our readiness and interoperability with other services and agency partners. Our commitment is to safeguard life, equipment, and facilities, and these exercises are an essential part of fulfilling that mission.”

CS-SC25 is a regularly scheduled exercise and is not being held in response to any specific threat.

Measures have been taken to minimize disruptions within local communities and to normal base operations, but there may be times when the exercise causes increased traffic around bases or delays in base access. Area residents may also see or hear security activities associated with the exercise. Advanced coordination has taken place with local law enforcement and first responders.

NBVC is a major shore warfighting platform, providing sustained ready forces to deploy, fight, and win. It is composed of three operating facilities, Point Mugu, Port Hueneme and San Nicolas Island, and is home to the Pacific Seabees, West Coast E-2D Hawkeyes, 3 warfare centers and 110 tenant commands.