Thomas Breen file photo
U.S. Attorney Vanessa Avery, with First Assistant U.S. Attorney Alfred Pavlis.
The hackers who stole roughly $6 million from city coffers earlier this year spent a month monitoring the “compromised” email account of a school district staffer before impersonating the district’s bus contractor, convincing the city to send a fake company real funds, and then shuttling that money between a handful of different bank accounts — including one steeped in cryptocurrency.
Those are some of the details to emerge in a seven-page civil asset forfeiture complaint newly filed in federal court on Wednesday by the office of U.S. Attorney Vanessa Avery. The complaint itself was written by Assistant U.S. Attorney David Nelson.
The legal filing offers the first public updates in months in a case in which hackers impersonating the school district’s chief operating officer succeeded in stealing $6 million in city funds that were largely meant to pay for New Haven school buses.
That theft took place in June, and the Elicker administration and city police first went public with the story in August, after staying quiet for two months at the request of the FBI to give law enforcement time to try to recover as much of the stolen money as possible without tipping off the culprits.
The U.S. Attorney’s office’s newly filed complaint and an accompanying press release state that federal prosecutors and the FBI have seized and are seeking to take back $1,187,677.94 that they believe came from June’s “business email compromise attack” and that is currently stashed in two TD Bank accounts.
That nearly $1.2 million in TD Bank-stored money is in addition to the roughly $3.6 million in stolen funds that the city has already gotten back from JP Morgan Chase thanks to the bank’s Automated Clearing House (ACH) system, which allows banks “to recover transferred money within a certain period via ‘hold harmless agreements,’ ” per the complaint.
According to city spokesperson Lenny Speiller, city and federal law enforcement are still working on recovering the remaining stolen funds — which, after taking into account the $1.2 million covered by this complaint and the $3.6 million already recovered, amount to around $1.2 million still outstanding.
Speiller added that an employee of the city’s finance department who was put on paid administrative leave following the hacker attack is now back at work after a third-party investigator found that they did nothing wrong, violated no city policies, and were not at fault for what went wrong during the theft.
“While we will continue to pursue criminal prosecution of the individuals involved in this scam, recovering the victim’s money is a priority,” U.S. Attorney Avery is quoted as saying in Thursday’s press release.
Maya McFadden file photo
Cyberattacks stole around $6 million meant for First Student school buses.
The civil asset forfeiture complaint itself provides a wealth of details on how law enforcement concluded this scam took place, while still raising questions about who exactly committed this crime. (A footnote in the complaint states that “the number of individuals involved in this scheme is unknown at this point in time.”)
Here’s what law enforcement does know, per the complaint:
On June 23, the Elicker administration reported to law enforcement that it had been the victim of a “business email compromise” attack, also known as “an email spoofing attack.”
“Email spoofing is the creation of email messages with a deceptive sender display name. When a bad actor engages in an email spoofing attack, the bad actor sends an email header that displays an inaccurate sender address, which can deceive the receiver unless the receiver inspects the header closely. This inaccurate sender address is usually someone the receiver knows and/or trusts, so the receiver might open malicious links or engage in risky behavior that the receiver would otherwise not engage in.”
The attack itself centered on hackers compromising the email of a member of the New Haven Board of Education’s management team. Though not identified by name in the U.S. Attorney’s filing, city officials have previously identified the hacked email as belonging to New Haven Public Schools (NHPS) Chief Operating Officer Thomas Lamb.
“Law enforcement believes that criminal actors who breached this account waited and reviewed email traffic within the breached account for at least approximately one month,” the complaint continues.
In early June, the compromised email account and the city school district’s bus company, First Student, were in communication “about an outstanding payment owed by the Board of Education to the contracted bus company” worth around $5.9 million.
“Around this time, the criminal actors created a new email address designed to look nearly identical to the email address from the bus company.” They then used Lamb’s compromised email address to “send test emails between the compromised email address and the newly created fake bus company email address.”
This fake bus company email address asked the school board and/or the city for instructions on how to change the payment information for the bus company. City and school board staff then instructed the criminal actors, via the fake bus company email address, to change the payment information for the bus company in city government’s online portal for paying vendors.
“On or around June 12, 2023, the criminal actors, using the fake bus company email address, emailed New Haven’s Board of Education (including the compromised email account) and informed the New Haven Board of Education that the bus company’s payment information had been updated and that New Haven could pay the bus company the outstanding $5.9 million dollar balance.”
And so New Haven paid that $5.9 million to the new account that had been set up by the bus company impersonator.
The $5.9 million was paid out over four transactions between June 15 and June 23. “Shortly thereafter, legitimate employees of the contracted bus company contacted New Haven and reported that the bus company had not received the money New Haven owed to it under the contract, prompting law enforcement to investigate the situation.”
The investigation found that the four payments sent to the fake bus contractor ultimately went into a JP Morgan Chase bank account held in the name of OM Mobile Care LLC, a Miramar, Florida-based holding company controlled by someone named Malcolm K. O’Shane.
On June 16, five cashier’s checks totaling nearly $2.3 million were issued from that JP Morgan Chase and deposited in a TD Bank Account also held in the name of O’Shane. (O’Shane could not be reached for comment for this article.)
On June 20 and 21, that O’Shane’s TD Bank account then sent two wire transfers totaling around $494,000 to another TD Bank account controlled by someone named Michael Harrison (who also could not be reached for comment for this story).
And on June 20, Harrison then transferred $245,500 from his TD Bank account to MCB Foris, “a bank handling currency for Crypto.com, which is an online cryptocurrency trading platform. This money was dissipated and law enforcement has been unable to recover it.”
Law enforcement has seized the remaining money in Harrison’s TD Bank account, totaling around $248,469.24, as well as the remaining money in O’Shane’s TD Bank account, totaling around $939,222.68.
And so, the complaint concludes, the U.S. Attorney’s office thinks that these TD Bank-held funds “constitute the proceeds of violations of 18 U.S.C. § 1343 (wire fraud) and are therefore subject to forfeiture” by the federal government.
“Wherefore, the United States of America prays that a Warrant of Arrest In Rem be issued for the Defendant Assets; that due notice be given to all parties to appear and show cause why the forfeiture should not be decreed; that judgment be entered declaring the property to be condemned and forfeited to the United States of America for disposition according to law; and that the United States of America be granted such other relief as this Court may deem just and proper, together with the costs and disbursements of this action.”
Mayor: "Financial Controls" Being Strengthened
In a separate Friday afternoon phone interview, Mayor Justin Elicker added that city government has “multiple insurance policies that are associated with cyberattacks,” and that his administration is currently in conversation with various insurance companies “about the level of coverage for the remaining loss” of around $1.2 million.
He also said three different outside parties are working with the city “to improve our cybersecurity and financial controls.”
One group, associated with the city’s insurance companies, is helping evaluate this particular $6 million cyberattack. “They did a forensic analysis of the incident itself to understand what happened” and uncover any other damage that might have been done. “That investigation is almost complete.”
A second company hired by the city is helping review both the city and NHPS’s cybersecurity protocols. “That’s ongoing,” he said, though the company has already provided some initial recommendations.
And a third company, he said, has been hired by the city to strengthen city government’s “financial controls.”
Elicker added that, since the cyberattack, city government is no longer doing electronic payment transfers except for payroll, but instead is just “issuing checks” to city-hired vendors.
And he said that, to his knowledge, no one has been arrested in this case, though there is a still an “active investigation” and the city hopes to hold accountable whoever perpetrated this crime.
Anybody arrested?