Feds say a transnational cyber crime ring based in Vietnam has ties to two exchange students.
A U.S. Department of Homeland Security investigation dubbed "Operation eMule" has led federal agents to a pair of 22-year-old foreign-exchange students in Winona who are suspected to be part of a sophisticated cyber crime ring based in Vietnam that has been misusing the identities of countless Americans to bilk online retailers out of millions of dollars.
"It's a big one," said Jason Calhoun, a fraud investigator with the Rosetta Stone language software company who has been working on the case with federal agents.
Numerous major companies have been stung in the scam, including eBay, PayPal, Amazon, Apple, Dell and Verizon Wireless, according to federal court documents and Calhoun.
Authorities say the operation is built around stolen identities that are used to open accounts with eBay, PayPal and U.S. banks. Through those accounts, the fraudsters sell popular, expensive merchandise at discounted prices. The sellers fill the orders by purchasing the goods from other vendors using stolen financial accounts. When the identity-theft victims protest the charges, the merchants end up holding the bag.
The two Winona State University students controlled more than 180 eBay accounts and more than 360 PayPal accounts that were opened using stolen identities, according to documents that were unsealed Dec. 29 by a federal magistrate judge in St. Paul.
Susan Higginbotham, 49, of Bemidji, was among the scheme's victims. She discovered that someone had stolen her identity in January when she started getting mail from banks welcoming her as a new customer.
"Sometimes there were seven, eight in a day. This happened over a number of days," Higginbotham said Friday. Then came some bills from eBay for trades she hadn't made.
Higginbotham, a special education teacher in Bagley, Minn., turned the matter over to a pre-paid legal services company called Identity Theft Shield, which she had learned about at work. "They just did a wonderful job," she said.
Investigators found that the two Winona students collected nearly $1.25 million in illicit funds, much of which was then wired to accounts in Vietnam and Canada, according to an affidavit filed by Daniel Schwarz, an agent with Homeland Security Investigations in Minnesota. Schwarz is working on the case with the National Cyber Crimes Center (C3) in Washington, D.C. The center is part of U.S. Immigration and Customs Enforcement.
The two Winona students contributed significantly to about $1 million in fraudulent credit card orders for Rosetta Stone software, which were charged back to the company, Schwarz said in his affidavit, which was used to obtain and execute a search warrant in November for the students' Winona apartment.
The students, Tram Vo and Khoi Van, have F1 visas that allow them to study at the university, but they're not allowed to work outside of it, the government says.
Vo could not be reached for comment. Van declined to comment. Immigration officials declined to comment Friday on their status, noting that the matter is part of an "ongoing criminal investigation." Public records show no criminal charges against the students, however.
Calhoun said that C3 investigators uncovered the ring in Vietnam while pursuing a similar scheme that he uncovered at Rosetta Stone in 2008. That operation was run by a computer programmer named Randall Craig Senn, of Billings, Mont., and Osama Moosa Al Hami, of Amman, Jordan.
Senn pleaded guilty to conspiracy and was sentenced in March to 30 months in prison. Al Hami was arrested and prosecuted in Jordan, according to federal court records.
Operation eMule officially began in September 2009 to investigate criminal rings based in Vietnam that are targeting online commerce and express mail courier operations. Investigators estimate that the rings contribute "hundreds of millions of dollars" to an underground economy in Vietnam, according to the affidavit.
Schwartz said in his affidavit that the rings involve an "elaborate network" of specialists, including computer hackers, vendors of stolen identities and financial information, fraud managers and facilitators, money mules and shippers. The members communicate through a secure web site "accessed by vetted members only."
Investigators say the fraudsters, hiding behind proxy Internet addresses, pose as eBay sellers using stolen identities, offering heavily discounted merchandise for popular items like software, video games, textbooks and Apple iTunes gift cards.
But the fraudsters don't actually have the merchandise. So when someone buys the products on eBay using a credit card or PayPal account, the fraudsters collect the payments and order the merchandise -- at full price -- from third-party vendors using stolen identities. The goods are then shipped to the eBay buyers, and victims like Higginbotham get billed for products they neither ordered nor received. After they protest, the banks issue "chargebacks" to the vendors.
Meanwhile, money "mules" transfer the illicit funds to various U.S. bank accounts, then wire it to accounts where the money can be swept away.
"These guys overseas often feel like they are relatively untouchable," said Calhoun, who participated in a forum on Operation eMule with federal investigators and two other retail fraud investigators at an Oct. 1 meeting of the Merchant Risk Council. The Seattle-based organization was formed to fight online fraud schemes.
"Operation eMule has resulted in the infiltration of several underground criminal forums and the identification of numerous transnational cyber crime syndicates operating in Vietnam," according to a description of the presentation. It says the syndicates rely heavily on international exchange students to act as money mules.
Duped into participating
Craig Sorum, a supervisory agent overseeing the FBI's cyber crimes investigations in Minneapolis, said in a recent interview that most money mules are duped into participating in such schemes. In many cases, he said, they are recruited through Internet job sites by fraudsters posing as legitimate employers who offer good pay for easy work. Sorum could not be reached for comment on this particular case.
PayPal records link Vo to 24 eBay accounts and at least 56 accounts opened under the name of stolen identities, according to the affidavit. Some $247,000 flowed through those accounts. She also opened at least 26 bank accounts at Wells Fargo, Capital One, Eastwood and HSBC banks under purloined identities, the government says.
Deposits to those accounts totaled $352,676, nearly $200,000 of which was wired to Vietnam or Canada.
Investigators linked Van -- who recently won an award as an outstanding biochemistry student at Winona State -- to 157 eBay accounts and 310 PayPal accounts that were opened under stolen identities.
The affidavit says more than $1 million flowed through those accounts. It says that Van opened at least six Wells Fargo and Eastwood bank accounts under stolen identities. Deposits in those accounts totaled about $524,000, of which $480,020 was wired to Vietnam.
"I don't know when he would have time to do that. He spends all of his time studying," Thomas Nalli, a chemistry professor at Winona State who has worked closely with Van, said Saturday. "I hope none of it is true."
The government says it has probable cause linking Vo and Van to crimes of wire fraud, identity theft and money laundering.
Dan Browning • 612-673-4493