Phobos Ransomware Affiliates Arrested in Coordinated International Disruption

Source: United States Department of Justice Criminal Division

Note: View the superseding indictment here.

Phobos Group Alleged to have Attacked Over 1,000 Victims Worldwide

The Justice Department today unsealed criminal charges against Roman Berezhnoy, 33, and Egor Nikolaevich Glebov, 39, both Russian nationals, who allegedly operated a cybercrime group using the Phobos ransomware that victimized more than 1,000 public and private entities in the United States and around the world and received over $16 million in ransom payments. Berezhnoy and Glebov were arrested this week as part of a coordinated international disruption of their organization, which includes additional arrests and the technical disruption of the group’s computer infrastructure.

From May 2019 through at least October 2024, Berezhnoy, Glebov, and others allegedly caused victims to suffer losses resulting from the loss of access to their data in addition to the financial losses associated with the ransomware payments. The victims included a children’s hospital, health care providers, and educational institutions.

According to court documents, Berezhnoy, Glebov, and others operated a ransomware affiliate organization, including under the names “8Base” and “Affiliate 2803,” among others, that victimized public and private entities through the deployment of Phobos ransomware.

As part of the scheme, Berezhnoy, Glebov, and others allegedly hacked into victim computer networks, copied and stole files and programs on the victims’ network, and encrypted the original versions of the stolen data with Phobos ransomware. The conspirators then allegedly extorted the victims for ransom payments in exchange for the decryption keys to regain access to the encrypted data by, among other things, leaving a ransom note on compromised victim computers and separately reaching out to victims to initiate ransom payment negotiations.

As alleged, the conspirators also threatened to expose victims’ stolen files to the public or to the victims’ clients, customers, or constituents if the ransoms were not paid. The conspirators are further alleged to have established and operated a darknet website where they repeated their extortionate threats and ultimately published the stolen data if a victim failed to pay the ransom.

After a successful Phobos ransomware attack, criminal affiliates paid fees to Phobos administrators for a decryption key to regain access to the encrypted files. Each deployment of Phobos ransomware was assigned a unique alphanumeric string in order to match it to the corresponding decryption key, and each affiliate was directed to pay the decryption key fee to a cryptocurrency wallet unique to that affiliate.

The charges unsealed today against Berezhnoy and Glebov follow the recent arrest and extradition of Evgenii Ptitsyn, a Russian national, on charges relating to his alleged administration of the Phobos ransomware variant.

In parallel with this week’s arrests, Europol and German authorities have announced an international operation involving the FBI and other international law enforcement partners to disrupt over 100 servers associated with this criminal network.

Berezhnoy and Glebov are charged in an 11-count indictment with one count of wire fraud conspiracy, one count of wire fraud, one count of conspiracy to commit computer fraud and abuse, three counts of causing intentional damage to protected computers, three counts of extortion in relation to damage to a protected computer, one count of transmitting a threat to impair the confidentiality of stolen data, and one count of unauthorized access and obtaining information from a protected computer. If convicted, Berezhnoy and Glebov face a maximum penalty of 20 years in prison on each wire fraud-related count; 10 years in prison on each computer damage count; and five years in prison on each of the other counts. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

Supervisory Official Antoinette T. Bacon of the Justice Department’s Criminal Division, U.S. Attorney Erek L. Barron for the District of Maryland, Assistant Director Bryan Vorndran of the FBI’s Cyber Division, and Special Agent in Charge William J. DelBagno of the FBI Baltimore Field Office made the announcement.

The FBI Baltimore Field Office is investigating the case. The Justice Department extends its thanks to international judicial and law enforcement partners in the United Kingdom, Germany, Japan, Spain, Belgium, Poland, Czech Republic, France, Thailand, Finland, and Romania, as well as Europol and the U.S. Department of Defense Cyber Crime Center, for their cooperation and coordination with the Phobos ransomware investigation. The National Security Division’s National Security Cyber Section and the Justice Department’s Office of International Affairs also provided valuable assistance.

Senior Counsel Aarash A. Haghighat of the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) and Assistant U.S. Attorney Thomas M. Sullivan for the District of Maryland are prosecuting the case. Former CCIPS Trial Attorney Riane Harper and former Assistant U.S. Attorneys Aaron S.J. Zelinsky and Jeffrey J. Izant for the District of Maryland provided substantial assistance.

Additional details on protecting networks against Phobos ransomware are available at StopRansomware.gov, including Cybersecurity and Infrastructure Security Agency Advisory AA24-060A.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

New Jersey CPA Sentenced in Syndicated Conservation Easement Tax Scheme

Source: United States Department of Justice

A New Jersey accountant was sentenced today to 24 months in prison for his role in the promotion and sale of abusive syndicated conservation easement tax shelters.

According to court documents and statements made in court, Ralph Anderson was a CPA and return preparer working for accounting firms in New Jersey and New York. From approximately 2013 to 2019, Anderson promoted and sold tax deductions to his high-income clients in the form of units in illegal syndicated conservation easement tax shelters created by convicted co-conspirators Jack Fisher and James Sinnott.

Anderson knew that, contrary to law, the transactions related to these illegal tax shelters lacked economic substance and that his high-income clients purchased units at his recommendation only to obtain a tax deduction on their tax returns. The charitable deductions purchased by clients were derived from the donation of land with a conservation easement or the land itself to a charity, and the deductions were based on fraudulently inflated appraisals for the donated land. Anderson and the promoters promised the clients a so-called ratio of “4.5 to 1” in charitable deductions for every dollar paid into the tax shelter.

In some instances, to make it appear that his clients had joined the partnerships before the date of the conservation easement donation — which was necessary to claim the tax benefits — Anderson and his co-conspirators also instructed and caused clients to falsely backdate documents, including subscription agreements and checks related to the partnerships. Each year from 2013 to 2019, Anderson and his co-conspirators assisted clients with claiming these false deductions on their tax returns.

In total, Anderson assisted in preparing tax returns for clients that claimed over $9.3 million in false charitable deductions based on backdated documents, which caused a tax loss to the United States of nearly $3 million.

Between approximately 2016 and 2019, Anderson earned over $300,000 in commissions for promoting and selling the illegal tax shelters to his clients. Anderson also claimed false tax deductions for charitable contributions generated from the syndicated conservation easement tax shelters he received as “free units” on his own returns and fraudulently reduced his own taxes on the income he earned from the scheme.

In addition to his prison sentence, U.S. District Court Judge Michael A. Shipp for the District of New Jersey ordered Anderson to serve three years of supervised release and to pay $3,543,005.53 in total restitution to the IRS and Small Business Administration.

After being convicted on all counts after a trial in U.S. District Court for the Northern District of Georgia, Anderson’s co-conspirators, Jack Fisher and James Sinnott, were sentenced to 25 and 23 years in prison, respectively. Nine additional defendants pleaded guilty to criminal conduct related to the syndicated conservation easement tax shelter scheme. These other defendants include appraiser Walter Douglas “Terry” Roberts and Certified Public Accountants Stein Agee, Corey Agee, James Benkoil, Victor Smith, Herbert Lewis and William Tomasello. In addition, attorneys Randall Lenz and Vi Bui pleaded guilty to their roles in this scheme. The fraudulent syndicated conservation easement tax shelter scheme created and promoted by Fisher and Sinnott resulted in over $1.3 billion in fraudulent tax deductions and caused over $400 million in total tax loss to the IRS.

Acting Deputy Assistant Attorney General Karen E. Kelly of the Justice Department’s Tax Division and Chief Guy Ficco of IRS Criminal Investigation (IRS-CI) made the announcement.

IRS-CI and the U.S. Postal Inspection Service investigated the case.

Senior Litigation Counsel Richard M. Rolwing and Trial Attorneys Parker Tobin and Jessica Kraft of the Tax Division prosecuted the case with assistance from former Tax Division Trial Attorney Nicholas Schilling and support from the U.S. Attorney’s Office for the Northern District of Georgia.

Alabama Man Pleads Guilty in Connection with Securities and Exchange Commission X Account Hack

Source: United States Department of Justice Criminal Division

An Alabama man pleaded guilty today in connection with the January 2024 unauthorized takeover of the U.S. Securities and Exchange Commission (SEC)’s social media account on X, formerly known as Twitter, in which hackers posted a fraudulent message in the name of the then-SEC Chairman, temporarily causing the value of Bitcoin (BTC) to increase by more than $1,000.

According to court documents, Eric Council Jr., 25, of Athens, conspired with others who took unauthorized control of the SEC’s X account and falsely announced that the SEC approved BTC Exchange Traded Funds, a decision highly anticipated by the market. Immediately following the false announcement, the price of BTC increased by more than $1,000 per bitcoin. Shortly after this unauthorized post, the SEC regained control over its X account and confirmed that the announcement was false and the result of a security breach. Following the correction, the value of BTC decreased by more than $2,000 per bitcoin.

The conspirators gained control of the SEC’s X account through an unauthorized Subscriber Identity Module (SIM) swap carried out by Council. A SIM swap refers to the process of fraudulently inducing a cell phone carrier to reassign a cell phone number from the legitimate subscriber or user’s SIM card to a SIM card controlled by a criminal actor. As part of the scheme, Council used an identification card printer to create a fraudulent identification card with a victim’s personally identifiable information obtained from his co-conspirators. Council used the fraudulent identification card to impersonate the victim and gain access to the victim’s cellular phone number for the purpose of accessing the SEC’s account. Council’s co-conspirators then accessed the account and posted in the name of the SEC Chairman. Council received payment in bitcoin from his co-conspirators for his role.   

Council pleaded guilty to conspiracy to commit aggravated identity theft and access device fraud. He is scheduled to be sentenced on May 16 and faces a maximum penalty of five years in prison. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

Supervisory Official Antoinette T. Bacon of the Justice Department’s Criminal Division; U.S. Attorney Edward R. Martin Jr. for the District of Columbia; Special Agent in Charge Sean Ryan of the FBI Washington Field Office, Criminal and Cyber Division; and SEC Inspector General Deborah Jeffrey made the announcement.

The FBI Washington Field Office and SEC Office of Inspector General are investigating the case.

Trial Attorney Ashley Pungello of the Criminal Division’s Computer Crime and Intellectual Property Section, Trial Attorney Lauren Archer of the Criminal Division’s Fraud Section, and Assistant U.S. Attorney Kevin Rosenberg for the District of Columbia are prosecuting the case. Substantial assistance was provided by Cyber Fellow Paul M. Zebb III.

For more information on SIM swapping, visit www.ic3.gov/PSA/2024/PSA240411.

Justice Department Secures Agreement with Oklahoma City Public Schools to Resolve Alleged Discrimination Against U.S. Air Force Reserve Member

Source: United States Department of Justice Criminal Division

The Justice Department announced today that a federal judge in Oklahoma City has approved an agreement with Oklahoma City Public Schools (OKCPS) to resolve allegations that OKCPS violated Air Force Reserve Staff Sergeant Michael J. McCullough’s rights under the Uniformed Services Employment and Reemployment Rights Act of 1994 (USERRA). The department’s lawsuit alleged that OKCPS violated USERRA when it failed to renew Mr. McCullough’s employment contract because of his military deployment and then failed to reinstate him on his return.

“When servicemembers answer their nation’s call — leaving home and work to serve and protect us — federal law protects them against employment discrimination and unjust termination,” said Deputy Assistant Attorney General Kathleen Wolfe of the Justice Department’s Civil Rights Division. “Veterans must be able to serve their country free from worry about jeopardizing civilian career opportunities.”

“We owe it to our service members to safeguard their employment rights when they are deployed,” said U.S. Attorney Robert J. Troester for the Western District of Oklahoma. “Doing so shields the service member and their families from suffering financial and other hardships extending beyond the term of the deployment. My office will continue to vigorously defend the rights justly earned by military veterans who serve our country.”

According to the complaint, filed in the U.S. District Court for the Western District of Oklahoma, Mr. McCullough was employed as a music teacher at OKCPS’s Fillmore Elementary School in January 2022. He was under contract for the remainder of the school year, and his principal told him that she wanted him to return to teach the following year. In February 2022, Mr. McCullough was ordered to perform military service. When he notified his principal, she suggested it would be easier if he just resigned his teaching position. Less than a month later, during his deployment, OKCPS advised Mr. McCullough that his contract would not be renewed for the 2022-2023 school year. Prior to and on his return from active military duty, OKCPS refused Mr. McCullough’s repeated requests for reemployment, despite available positions.

Under the agreement, OKCPS will pay Mr. McCullough monetary damages, and it will revise its policies, practices, and trainings to prevent violations of USERRA.

USERRA is a federal statute that prohibits employment discrimination based on military status, service, or obligation and protects the rights of uniformed servicemembers to retain their civilian employment following absences due to military service obligations. The Justice Department gives high priority to the enforcement of servicemembers’ rights under USERRA. Additional information about USERRA can be found on the Justice Department’s websites at https://www.justice.gov/crt/laws-we-enforce and www.justice.gov/servicemembers, as well as on the Department of Labor’s website at www.dol.gov/vets/programs/userra.

The Department of Labor referred this matter to the Justice Department following an investigation by its Veterans’ Employment and Training Service.

Senior Trial Attorneys Robert Galbreath and Kathleen Lawrence of the Civil Rights Division’s Employment Litigation Section and Assistant U.S. Attorney Emily Fagan for the Western District of Oklahoma are handling this case.

Lockheed Martin Corporation Agrees to Settle False Claims Act Allegations of Defective Pricing

Source: United States Department of Justice Criminal Division

Lockheed Martin Corporation (LMC) has agreed to pay $29.74 million to resolve False Claims Act allegations of defective pricing on contracts for F-35 military aircraft. This payment is in addition to $11.3 million that LMC previously paid to the Department of Defense (DOD) for the same undisclosed cost and pricing data on some of the same contracts. LMC, headquartered in Bethesda, Maryland, is one of the world’s largest defense contractors.

According to court documents, between 2013 and 2015, LMC inflated pricing proposals it submitted to obtain contracts for the F-35 by failing to provide to DOD’s F-35 Joint Program Office (JPO) accurate, complete, and current cost and pricing data during the negotiations leading to the award of five contracts for the production or sustainment of the F-35. The United States alleged that LMC had knowledge of suppliers’ cost or pricing data that it did not disclose to the JPO in violation of the Truth in Negotiations Act (TINA). Congress enacted TINA in 1962 to help level the playing field in sole source contracts — where there is no price competition — by making sure that government negotiators have access to the cost or pricing data that the offeror used when developing its proposal. The United States alleged that had LMC provided accurate, complete, and current cost and pricing data, JPO would have awarded the contracts in lower amounts.

“Those who do business with the government must do so fairly and honestly,” said Acting Assistant Attorney General Brett A. Shumate of the Justice Department’s Civil Division. “We will pursue contractors that knowingly misuse taxpayer funds.”

“The United States relies on contractors such as Lockheed Martin to provide accurate, complete, and current information, including pricing data, when negotiating contracts with the government,” said Acting U.S. Attorney Abe McGlothin, Jr., for the Eastern District of Texas. “If a contractor fails to do so, and that failure affects the value of its contract with the government, the Eastern District of Texas will take steps to ensure that the contractor is held accountable.”

“The F-35 program is at the heart of our nation’s defense,” said Air Force Lt. Gen. Mike Schmidt, Director and Program Executive Officer, F-35 Joint Program Office. “The F-35 Joint Program Office will continue to insist on integrity and honesty in all business transactions. We demand 100% accountability for every dollar spent on this program on behalf of U.S. taxpayers and international customers and taxpayers.”

“The Department of Defense Office of Inspector General’s Defense Criminal Investigative Service (DCIS) will methodically pursue all alleged violations of the False Claims Act and Truth in Negotiations Act,” said Principal Deputy Director James R. Ives of DCIS. “Today’s outcome reflects the unwavering commitment of DCIS and our investigative partners to hold accountable those who bilk the American taxpayer by perpetrating fraud against the DOD.”

“Overinflation of production and sustainment costs for an aircraft critical to our national defense undermines operational readiness and erodes the trust placed in the Department of Defense by the American people,” said Special Agent in Charge Greg Gross of the Naval Criminal Investigative Service (NCIS) Economic Crimes Field Office. “NCIS and our investigative partners remain steadfast in our commitment to investigating entities that compromise the integrity of government contracts.”

The settlement derives from allegations originally brought in a lawsuit filed in the Eastern District of Texas by a whistleblower under the qui tam provisions of the False Claims Act, which allow private parties, known as relators, to bring suit on behalf of the government and to share in any recovery. The qui tam case is captioned U.S. ex rel. Patrick Girard v. Lockheed Martin Corp., No. 4:17-CV-147 (EDTX). The relator’s share of the settlement has not yet been determined.

This settlement was the result of a coordinated effort between the Civil Division, Commercial Litigation Branch, Fraud Section of the Department of Justice, and the U.S. Attorney’s Office for the Eastern District of Texas with assistance from JPO, DCIS, NCIS, and the Defense Contract Audit Agency.

Trial Attorney Arnold M. Auerhan of the Justice Department’s Civil Division and Assistant U.S. Attorney James Gillingham for the Eastern District of Texas handled the matter.

The claims resolved by the settlement are allegations only, and there has been no determination of liability.