Miami

Miami Street Gangs See No Hope In Dope. They’ve Switched To Identity Fraud Fueled By Russian Hackers


Instead of selling drugs on street corners, gang members are costing Americans millions by using personal data stolen by Russian cybercriminals to maintain fancy lifestyles.

In August 2018, when police in Miami searched the home of Geno St. Flerose, a teenager they said was a member of the Everybody Eats street gang, they discovered incriminating evidence that had little to do with the drugs and guns they more typically find.  

Police say St. Flerose had three notebooks full of other people’s personal information – names, dates of birth, bank account numbers and social security numbers – and a “to-do” list, in which No. 7 was simply “Fraud.” Investigators revealed that St. Flerose was buying stolen data online, saying in one text message he was after “some of that black market sh*t” and was directed to the Russian site PlusCC. (Flerose is yet to file a plea as he faces various charges for identity fraud, murder and assault with a dangerous weapon. His lawyer hadn’t responded to requests for comment).

Everybody Eats and its rival, Little Haiti Vulchas, were known as violent drug gangs. Now, as homicides on either side and amongst innocent bystanders rack up, police say they’ve turned their backs on narcotics and are getting most of their revenue from a less risky crime. They’re using data stolen by Russian hackers and peddled on Russian-hosted sites like PlusCC to take control of other people’s bank accounts, sign up for benefits in a someone else’s name, scam government programs like Medicare or the Covid-19 Paycheck Protection Program, buy weapons, rent cars and take vacations in luxury resorts. In South Florida, it’s possible to draw a line from Russian cybercrime to U.S. street gang killings and frauds. It’s costing American businesses, citizens and government agencies hundreds of millions of dollars. 

“Fraud is the new dope,” says Armando Aguilar, criminal investigations chief at the Miami Police Department. “Fraud committed by gang members is a nationwide problem, but as with all things fraud, Miami is at the forefront.”

There’s no national data that breaks out how much street gangs are reaping from white-collar crime, but law enforcement sources say the trend started about 10 years ago and is accelerating. The most recent figures show crimes related to identities stolen by data breaches rose to $3.3 billion in 2020 from $1.8 billion in 2019, according to the Federal Trade Commission. The numbers for 2021 are expected to be even higher, given the jump in Covid-19-related fraud.


“Fraud committed by gang members is a nationwide problem, but as with all things fraud, Miami is at the forefront.”


The Little Haiti Vulchas are using one of the biggest sources of stolen data, a site called Blackpass. According to a search warrant application from the FBI and the Secret Service, communications between two alleged members of the crew, Jerry Vernelus and Erick Cadet Jr., discussed using Blackpass data for a “jwett” – slang describing an easy way to make illegal money. (Neither Vernelus’ nor Cadet’s previous lawyers had responded to requests for comment).

Cybersecurity researchers tracking underground markets told Forbes that Blackpass is run by Russian cybercriminals. Since its founding in 2012, it has built a reputation as one of the largest hosts of stolen banking and PayPal logins, as well as personal data like social security numbers, with each data point going for between $1 and $5. Earlier this year, Blackpass was selling 20 million different records, according to data from cyber intelligence provider Intel 471. It’s been gaining popularity since another allegedly Russian-run site, Slilpp, was knocked offline by a global law enforcement operation last summer. 

Compared with PlusCC, the site linked to St. Flerose’s identity thefts, Blackpass is gigantic. Over its four-year lifetime PlusCC offered just 410,000 cards, according to Group-IB, a Singapore-based cybercrime company. Blackpass operators, on the other hand, have the largest cache of stolen usernames and passwords in the world, reaching into the billions of items, says Alex Holden, chief technology officer of Hold Security. 

Holden has been tracking the people behind Blackpass for over five years and says they’re Russian natives, living in Yoshkar-Ola, a small city east of Moscow. To get the logins and peddle them, the operators either have others sell the information or they use programs to repeatedly guess logins, trying to “brute force” their way into the world’s most popular websites, getting a hit and then selling the data.

Holden says that earlier this year he saw the group barrage an array of the internet’s most popular sites, including Walmart, Uber, Stamps.com, Deliveroo, and the $12 billion OnlyFans social network popular with consumers of adult entertainment, among others, to try to see if they got any hits. Blackpass operators have also been seen offering access to organizations’ networks. The site was selling remote access to computers inside an unnamed major airport, according to a 2018 report from cybersecurity company McAfee.

The Blackpass hackers sometimes lurk in the same dark corners of the web as other Russian cybercriminal gangs. Earlier this year, a researcher at cybersecurity company RiskIQ found ransomware crew REvil using at least one of the same web servers as Blackpass. The REvil name became infamous earlier this year as one of the most prevalent perpetrators of ransomware, with the group’s malware used to infect as many as 175,000 computers worldwide and extort $200 million out of victims who pay to retrieve their data from the hackers’ grip.

Just how the Little Haiti Vulchas used data obtained from Blackpass was not discussed in the FBI and Secret Service warrant, and neither alleged gang member, Cadet or Vernelus, have been charged with the crimes relayed in the document. A look into Cadet’s criminal history, however, shows how Miami’s gangsters use their fraudulent proceeds. Cadet was previously convicted in 2016 in Hendry County, Florida, for using personal data that wasn’t his. In an arrest warrant from 2015, Cadet told officers that he loaded Walmart gift cards with money from fraudulently obtained credit cards and used them to buy guns, saying “people have beef with me, so we come out shooting.” Police said they found three notebooks full of 197 personal identities when they searched a vehicle in which Cadet was a passenger. Ten of those identities were later discovered to belong to dead people.

While Cadet’s data theft was relatively small, other figures in the Miami gang warfare have had more voluminous lists to steal from. When the police raided the house of Everybody Eats member Kenny Terlent in June 2021, he ran, slipped and fell, but managed to throw his phone into a lake. That didn’t stop the police from recovering the device, searching it and discovering he was gathering Americans’ personal data from at least two Russian-run websites: UniCC and Robocheck. Police later raided his iCloud account and found a file called “I’m rich bitch.” It was 7,620 pages long and contained thousands of people’s personal data. At the top of the list of organizations from whom data was pilfered was an unnamed Orlando medical facility.

While the alleged gangsters are making comparatively small sums, rarely hitting six figures when they strike, the Russians supplying them with data are handling hundreds of millions in illegal transactions, causing huge financial damage, and, in some cases, getting extraordinarily rich. The administrator of one of the websites Terlent used to harvest data, UniCC, was reportedly arrested by Russia’s FSB. According to an analysis by cryptocurrency tracking company Elliptic, UniCC had facilitated $358 million in transactions for stolen credit-card data over nine years. That included $100 million worth of bitcoin in 2021 alone and was part of an overall stolen credit market that surpassed more than $1.4 billion in sales with Bitcoin alone, not counting all the sales made in fiat currencies. The market owners were following in the footsteps of former industry leader Joker’s Stash, which saw sales of nearly $400 million in stolen cards before its owner announced their retirement with what Elliptic said was a $1 billion fortune.

By comparison, in a previously unreported case in the U.S., the government alleged that an American buyer of data from Slilpp – closed by law enforcement in July 2021 after the Justice Department found it was selling as many as 80 million logins, causing over $200 million in losses in the U.S. alone – had bought nearly 40,000 PayPal usernames and passwords from the site. With all that data he only managed to attempt $1 million in fraudulent transactions. 

Aguilar, of the Miami police, says the street gangs are “making money hand over fist, defrauding not only the federal government, but the state unemployment systems throughout the country.” That’s enough to support the gang’s lifestyles, which they’re not shy about showing off on Facebook and Instagram. A review of Cadet’s Facebook page, and those of his friends, reveals post after post of photos of guns, cars and cash. Gift cards are shown fanned like a deck of playing cards, piled high in stacks or covering floors and tables. Cadet appears brazen about his shift from drug sales to fraud, in one Facebook post from October 2020: “I remember I was f***ed up, shout out to my computer, I ain’t gotta sell dope no moe. I just sigh in da jwett.” 

For identity thieves, the market is even more attractive than it was before the pandemic. “So much funding was released, people have the ability to make an incredible amount of money,” said Dan Lipskey, a former superintendent-in-chief of the Boston Police Department and now an executive at detective agency Kroll. “How many ounces of cocaine would you have to sell, bought at a wholesale price and then sold at retail, to make that profit, when you can put a [fake] business together and the government is going to send you $3 million to $4 million?”

Though there appears to be plenty of evidence available to prosecutors, current and former police officers say there’s often not much of an appetite to jail gangsters for fraud, largely because single frauds aren’t big enough, even if the overall cost is significant. Neither the victims of cybercrime nor the police have the resources to track down every case. “I used to look at some of the financial institutions and they wouldn’t go after a loss under $100,000,” Lipskey said. Just this week, the Justice Department alleged a rap crew in New York had committed Covid fraud to the tune of nearly $4 million.

Perhaps law enforcement would have more incentive to chase down fraud if the results of the crimes were bloody. Last spring, police say St. Flerose, the alleged Everybody Eats gang member found with hundreds of pieces of stolen data and a to-do list that included fraud, was firing a Glock pistol at the driver of a car, believed to be a member of the Little Haiti Vulchas. The car crashed and the body inside was found covered in blood, with five bullet holes in his body, according to federal prosecutors. Yet to file a plea as he awaits a trial, St. Flerose was booked for murder.

MORE FROM FORBES

MORE FROM FORBESHow Azukis Suddenly Became The World’s Best-Selling NFT Collection
MORE FROM FORBESTracking Trump: A Rundown Of All The Investigations And Cases Involving The Former President
MORE FROM FORBESThe Highest-Paid Entertainers 2022



Source link