Full Report
Greenbelt, Maryland – After a six-day trial, a federal jury convicted Olusegun Samson Adejorin, 32, a Nigerian national, of wire fraud, aggravated identity theft, and unauthorized access to a protected computer to obtain information. Adejorin was previously extradited from Ghana in connection with the case. Kelly O. Hayes, U.S. Attorney for the District of Maryland, announced the...
Analysis Summary
# Incident Report: Financial Fraud via Unauthorized Computer Access and Identity Theft
## Executive Summary
This incident resulted in a conviction against Olusegun Samson Adejorin for orchestrating a multi-victim financial fraud scheme. The attacker gained unauthorized access to organizational computer systems and email accounts to impersonate employees, leading to the fraudulent transfer of over \$7.5 million out of Victim 2's funds held by Victim 1. The case concluded with a federal jury conviction on charges including wire fraud and aggravated identity theft.
## Incident Details
- Discovery Date: Not explicitly stated, but implied via ongoing investigation leading to trial/conviction (Post-August 2020).
- Incident Date: Between June and August 2020.
- Affected Organization:
  - Victim 1: Charitable organization in Maryland providing investment services.
  - Victim 2: Charitable organization in New York.
- Sector: Non-Profit/Charitable Services (Financial Transactions).
- Geography: Maryland and New York (Victims); Perpetrator extradited from Ghana.
## Timeline of Events
### Initial Access
- **Date/Time:** Commenced during June 2020.
- **Vector:** Unauthorized access to protected computers (specifically email accounts of Victim 1 and Victim 2 employees).
- **Details:** Adejorin obtained access to email accounts belonging to Victim 2 employees.
### Lateral Movement
- **Date/Time:** Ongoing within the execution phase (June–August 2020).
- **Vector:** Internal email compromise, spoofing, and system trust manipulation.
- **Details:** Adejorin used compromised Victim 2 emails to send requests and used compromised Victim 1 emails to confirm fraudulent withdrawal requests. He also registered spoofed domain names to pose as employees.
### Data Exfiltration/Impact
- **Date/Time:** Executed during the scheme timeline (June–August 2020).
- **Vector:** Financial Transfer Fraud.
- **Details:** Caused more than \$7.5 million of Victim 2's funds to be transferred from Victim 1 to unassociated bank accounts. Identity theft was used to lend credibility to the requests.
### Detection & Response
- **Date/Time:** The investigation led to an arrest and extradition (date unknown) and culminated in a 6-day trial ending in a conviction (December 2025 context).
- **Vector:** Law enforcement investigation (FBI).
- **Details:** The case involved extradition from Ghana, followed by a federal trial managed by the U.S. Attorney’s Office for the District of Maryland.
## Attack Methodology
- **Initial Access:** Unauthorized access to protected computer systems (email accounts).
- **Persistence:** Maintained through repeated, fraudulent communication validated via compromised accounts.
- **Privilege Escalation:** Not applicable in the technical sense; instead, the **"privilege" of trust** was gained via impersonation and spoofing.
- **Defense Evasion:** Utilizing spoofed domain names to bypass email security checks/sender authentication.
- **Credential Access:** Implied access to employee email credentials (for both Victim 1 and Victim 2).
- **Discovery:** Not detailed beyond identifying targets (Victim 1 & 2).
- **Lateral Movement:** Moving from accessing Victim 2 emails to confirming actions via Victim 1 emails, utilizing the established trust between the two organizations.
- **Collection:** Gathering necessary information to execute fund transfer requests targeting Victim 2's assets held by Victim 1.
- **Exfiltration:** Transfer of funds (\$7.5M+) to attacker-controlled bank accounts via wire fraud.
- **Impact:** Financial loss exceeding \$7.5 million and conviction for identity theft.
## Impact Assessment
- **Financial:** \$7.5 million+ fraudulently transferred.
- **Data Breach:** Access to and use of employee email content (impersonation suggests sensitive operational data may have been accessed). Aggravated Identity Theft conviction implies PII/personal data misuse.
- **Operational:** Disruption to Victim 2’s asset management and Victim 1’s authorized financial processes.
- **Reputational:** Damage to the reputation of both charitable organizations, necessitating federal investigation disclosure.
## Indicators of Compromise
*Note: Specific IOCs like IPs/URLs were not provided in the text and are therefore omitted/generalized.*
- **Network indicators:** Use of spoofed domain names.
- **File indicators:** N/A.
- **Behavioral indicators:** Out-of-band requests for fund transfers followed by confirmations using internal accounts/spoofed domains.
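
An added example, not part of the source report: a registered look-alike domain can publish its own SPF, DKIM and DMARC records, so sender authentication alone will not flag it. The Python below flags `From`/`Reply-To` domains within a small edit distance of known partner domains and notes when such a message also asks for a payment; the `.example` domains, the distance threshold, the keyword list and both messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: partner domains, distance threshold and keyword list are illustrative.
TRUSTED_DOMAINS = {"victim1-invest.example", "victim2-charity.example"}
PAYMENT_TERMS = re.compile(r"\b(wire|withdraw\w*|transfer|bank account)\b", re.I)

def edit_distance(a, b):  # Levenshtein distance, two-row dynamic programme
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, max_distance=2):
    """Return the trusted domain that `domain` closely imitates, else None."""
    domain = domain.lower().rstrip(".")
    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(domain, trusted) <= max_distance:
                return trusted
    return None

def triage(raw_message):
    """List reasons to hold a message for out-of-band verification."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ("From", "Reply-To"):
        domain = parseaddr(msg.get(header, ""))[1].rpartition("@")[2]
        if target := lookalike_of(domain):
            findings.append(f"{header} domain {domain} resembles {target}")
    text = f"{msg.get('Subject', '')} {msg.get_payload()}"
    if findings and PAYMENT_TERMS.search(text):
        findings.append("payment request from look-alike domain")
    return findings

# Constructed messages. The first passes DMARC for its own look-alike domain.
SPOOFED = """From: Finance <finance@victim2-charlty.example>
Authentication-Results: mx.victim1-invest.example; dmarc=pass
Subject: Withdrawal request

Please wire the funds to the new bank account below.
"""
LEGIT = SPOOFED.replace("charlty", "charity")
for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
    print(name, triage(raw))
```

A request sent from a genuinely compromised partner mailbox, as also happened in this case, uses the real domain and returns no findings, so this check complements out-of-band verification of transfer requests rather than replacing it.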
## Response Actions
- **Containment measures:** Not detailed in the text, but necessary containment would involve locking compromised accounts and halting unauthorized transactions.
- **Eradication steps:** Not detailed.
- **Recovery actions:** Primarily legal action leading to investigation, arrest, extradition, and conviction.
## Lessons Learned
- **Key takeaways:** Establishing robust email authentication protocols is critical when processing financial transactions across partner non-profits. Spoofed domains were successfully used to aid impersonation.
- **What could have been done better:** Implement multi-factor authentication (MFA) for email access, and enforce strict out-of-band verification for all wire transfer requests, regardless of how authoritative the originating email domain appears.
## Recommendations
- Implement DMARC, DKIM, and SPF policies rigorously across both organizations to prevent executive/employee spoofing.
- Establish mandatory multi-person verification (or separate channels) for all fund transfers over a nominal threshold, especially when initiated after unexpected email correspondence.
- Conduct regular security awareness training focused specifically on Business Email Compromise (BEC) and phishing campaigns targeting email credentials.