BOV cyber-heist: Canadian money launderer pleads guilty

Money launderer linked to convicted Instagram influencer ‘Hushpuppi’ is sentenced to 11 years over Bank of Valletta cyber-heist

Top left: Ghaleb Alaumary pleaded guilty and got 11 years in jail; also wanted, top right: North Korean hacker Park Jin Hyok, and below, also pleaded guilty after extradition to the US, Ramon Abbas, aka Hushpuppi

A Canadian money launderer has been sentenced to over 11 years in an American prison for crimes that include his links to the €13 million Bank of Valletta cyber-heist in 2019.

Ghaleb Alaumary, 36, was part of the massive online banking theft by North Korean cyber criminals, which is part of a pending case in Los Angeles.

Alaumary is a dual Canadian and U.S. citizen. He pleaded guilty to two counts of conspiracy to commit money laundering in two cases, and was ordered to pay more than $30 million in restitution to victims.

Alaumary and his co-conspirators used business email compromise schemes, ATM cash-outs, and bank cyber-heists to steal money from victims and then launder the money through bank accounts and digital currency.

Alaumary laundered the funds from the North Korean-perpetrated cyber-heist of Bank of Valletta and a 2018 ATM cash-out theft from BankIslami in Pakistan. Other victims included a bank headquartered in India, as well as companies in the U.S. and U.K., individuals in the U.S., and a professional football club in the United Kingdom.

Alaumary recruited and organized individuals to withdraw stolen cash from ATMs; he provided bank accounts that received funds from bank cyber-heists and fraud schemes; and, once the ill-gotten funds were in accounts he controlled, he further laundered the funds through wire transfers, cash withdrawals, and exchanging the funds for cryptocurrency.

“International money launderers provide critical services to cybercriminals, helping hackers and fraudsters to avoid detection and hide their illicit profits,” said Assistant Attorney General Kenneth A. Polite Jr., for the Justice Department’s Criminal Division. “Small and large companies, a university, banks and others lost tens of millions of dollars in this scheme.”

Three North Koreans are indicted for their alleged roles with the Lazarus Group – aka, APT38 or Hidden Cobra – to which Alaumary has been linked, and which has been associated with the regime’s military intelligence operation, the Reconnaissance General Bureau.

Prosecutors allege this hacking group created malware used in the 2018 WannaCry global ransomware attack, the 2016 theft of $81 million from Bangladesh Bank and the 2014 attack on Sony Pictures Entertainment.

Believed to be located in North Korea, the three men – Kim Il, Park Jin Hyok and Jon Chang Hyok – are unlikely to face charges in the U.S., as North Korea does not extradite suspects to America.

BOV went dark on 13 February after its systems were compromised by the EmpireMonkey group, with branches, ATMs, mobile banking and even e-mail services suspended and its website taken offline.

The cyber-attack saw €13 million transferred out of the bank through false international transactions. The transactions were made to bank accounts in four countries – the US, the UK, Czechia and Hong Kong. The bank immediately advised its correspondent banks to block the transactions and the process was started to reverse the payments.

BOV recovered more than €3 million of the €13 million, the bulk of the rest being frozen in foreign jurisdictions.

Ramon Abbas has yet to be sentenced for his role in the heist

Nigerian ‘influencer’ convicted

The Nigerian Instagram influencer Ramon “Hushpuppi” Abbas, 37, earlier this year pleaded guilty in a California court to money laundering and other business email schemes that cost his victims nearly $24 million – among them his role in the Bank of Valletta cyber-heist. He faces up to 20 years’ imprisonment.

Abbas was a high-profile money launderer who used his celebrity status and ability to make connections with legitimate organisations. He built a global following from posting pictures of his lavish spending on cars, watches, designer clothes and private jets, amassing 2.5 million Instagram followers.

Abbas was detained by authorities in Dubai in June 2020 and then extradited to California to face charges of money laundering.

Between January 18, 2019 and June 9, 2020, Abbas and his co-conspirators laundered funds fraudulently obtained through bank cyber-heists. He pleaded guilty to inflicting loss amounts of €13 million on Bank of Valletta in June, and $7.7 million losses for the so-called “victim companies” in a separate case linked to an unnamed Premier League Club. Two other loss amounts – one to an unnamed law firm, the other to a Qatari businessman – total under $1 million each.

The U.S. Justice Department connected Abbas to the North Korean hackers through Alaumary, who conspired with the Nigerian to launder funds from the North Korean-perpetrated cyber-heist of BOV.

Threat of cyber-criminals

HSBC Malta had been targeted by the hacking group ‘EmpireMonkey’ in October 2018. Cyber-intelligence consultants were aware of a hacking campaign that would target one or more Maltese banks, as reports came in of malicious code being tested by the hackers.

On 5 November, 2018, HSBC were told that EmpireMonkey was active in France and Malta “and spoofing the French stock market regulator AMF” – Autorité des marchés financiers – with the image of a letter with the AMF letterhead.

On 19 January, 2019, a month before the BOV heist, the security consultants identified yet another attack that used the brand of Société Générale, the French bank, to match the theme used by EmpireMonkey; the attackers had developed encryption certificates for their domain – “which suggests a campaign has more recently occurred or is imminent”, the security consultants said.