By Bruce Sussman
Thu | Sep 9, 2021 | 3:45 AM PDT

The U.S. Department of Justice (DOJ) makes him sound like a natural-born leader—the kind that can really motivate a team.

But in this case, the reward for his hard work is not a bigger bonus. Instead, he'll spend more than a decade in jail.

That's because Ghaleb Alaumary motivated teams of criminals to commit cybercrime and financial crime, and to collectively steal tens of millions of dollars.

Victims include organizations in the United States, Canada, and the U.K.

Cybercrime ringleader confesses to conspiracies

First, the 36-year-old directed the sending of spoofed emails used in successful Business Email Compromise (BEC) attacks.

Then he led a wealthy bank customer scheme that involved the use of stolen Personally Identifiable Information (PII) and in-person bank visits.

And Alaumary also confessed to recruiting individuals to withdraw stolen cash from ATMs. Then there was the money laundering, the cryptocurrency, the digital wallets, and more.

Those are some of the highlights; now let's look at a few specifics.

Business Email Compromise scheme and social engineering

Prosecutors say Ghaleb Alaumary, a native of Ontario, Canada, confessed to two specific conspiracies. One of them involved social engineering in a couple of different flavors, including a BEC attack:

"In the first case, which was filed and investigated in the Southern District of Georgia, Alaumary conspired with others who sent fraudulent 'spoofed' emails to a university in Canada in 2017 to make it appear the emails were from a construction company requesting payment for a major building project.

The university, believing it was paying the construction company, wired $11.8 million CAD (approximately $9.4 million USD) to a bank account controlled by Alaumary and his co-conspirators. Alaumary then arranged with individuals in the United States and elsewhere to launder the stolen funds through various financial institutions."

Impersonating a vendor to redirect a payment is common practice in the world of Business Email Compromise.

Stephen Dougherty of the United States Secret Service investigates this type of crime and recently talked about it during a keynote at a national SecureWorld conference:

"They get information that I call contemporaneous and privileged, meaning only you know what it is, and only the person you think you're working with would have that information.

So you believe you're having a trusted conversation. The bad actor then takes that contemporaneous and privileged information and weaponizes it.

They get you to send a wire transfer or an invoice, or a real estate transaction, payroll, you name it, they pretty much target every industry. And once they have that, they send those instructions and they look legitimate to you. You wire your funds out and boom, they're gone."

If your accounting team received an email from a trusted vendor, with the correct due date and amount of the next payment, would they trust the new wire transfer instructions requested in that same email? Too many do.

But in this case, BEC was not the only attack vector.

Social engineering—in person—was the next part of the scheme. According to the Department of Justice:

"Weeks later, Alaumary arranged for a co-conspirator in the United States to make several trips to Texas to impersonate wealthy bank customers in a scheme to steal hundreds of thousands of dollars from victims' accounts using the victims' stolen personally identifiable information."

Alaumary also confessed to a second conspiracy. Here is what was involved:

"Alaumary recruited and organized individuals to withdraw stolen cash from ATMs; he provided bank accounts that received funds from bank cyber-heists and fraud schemes; and, once the ill-gotten funds were in accounts he controlled, Alaumary further laundered the funds through wire transfers, cash withdrawals, and by exchanging the funds for cryptocurrency.

The funds included those from a 2019 North Korean-perpetrated cyber-heist of a Maltese bank. Other victims of Alaumary's crimes included banks headquartered in India, Pakistan and Malta, as well as companies in the United States and U.K., individuals in the United States, and a professional soccer club in the U.K."

Beyond these schemes, prosecutors say he and his team illegally moved and cleaned massive amounts of cash and crypto:

"The defendant in today's case laundered millions of dollars in losses from companies, universities and banks," said Assistant Director Calvin A. Shivers of the FBI's Criminal Investigative Division. "Today's sentence demonstrates that cybercriminals who launder illegitimate profits can't evade detection from the FBI and our law enforcement partners."

"This case is an example of our relentless determination to hold criminals accountable no matter how sophisticated their crimes may seem," said Acting Special Agent in Charge Phil Wislar of the FBI's Atlanta Field Office. "The arrest and sentencing of cyber criminals like Alaumary, who feel safe hiding behind a computer screen, are only possible through persistent investigative efforts of the FBI and our close collaboration with our U.S. and international partners."

The end result of these crimes?

For Ghaleb Alaumary, it means the court is ordering him to repay $30 million in restitution to victims and spend the next 11 years in jail. 
