Category: Federal Bureau of Investigation

  • MIL-OSI Security: Hartford Man Sentenced to 11 Years in Federal Prison for Drug Trafficking, Gun Possession Offenses

    Source: Office of United States Attorneys

    Marc H. Silverman, Acting United States Attorney for the District of Connecticut, announced that LUIS DeJESUS, 30, of Hartford, was sentenced today by U.S. District Judge Michael P. Shea in Hartford to 132 months of imprisonment, followed by five years of supervised release, for narcotics distribution and firearm possession offenses.

    According to court documents and statements made in court, DeJesus’s criminal history includes felony convictions in state court for criminal possession of a firearm and burglary in the third degree.

    According to court documents and statements made in court, in 2022, members of the Connecticut State Police’s Statewide Narcotics Task Force – North Central Office conducted a series of controlled purchases of narcotics from DeJesus.  DeJesus was arrested on state charges on December 16, 2022, and, on that date, a court-authorized search of his Hartford residence revealed approximately 460 grams of fentanyl, approximately 90 grams of crack cocaine, nearly a kilogram of marijuana, drug processing and packaging materials, a loaded Glock 45 9mm handgun, a loaded 9mm magazine, and $52,579 in cash.

    The case was adopted for federal prosecution and, on March 7, 2023, a grand jury returned an indictment charging DeJesus with one count of possession with intent to distribute 400 grams or more of fentanyl and a quantity of cocaine, and one count of unlawful possession of a firearm by a felon.

    After his federal arrest, DeJesus was released on a $100,000 bond and into home confinement at the residence of a family member on Warren Street in Hartford.  On November 20, 2023, DeJesus was again arrested after law enforcement executed a search warrant at the residence.  As investigators entered the residence, DeJesus threw fentanyl out of a window.  A search of the residence revealed an additional quantity of fentanyl, a small quantity of cocaine, and drug processing and packaging materials.  In total, DeJesus possessed more than 490 grams of fentanyl on that date.

    On February 20, 2024, the grand jury returned a superseding indictment charging DeJesus with an additional count of possession with intent to distribute 400 grams or more of fentanyl.

    DeJesus has been detained since November 20, 2023.  On October 17, 2024, he pleaded guilty to possession with intent to distribute 400 grams or more of fentanyl, and unlawful possession of a firearm by a felon.

    This matter was investigated by the Drug Enforcement Administration’s Hartford Resident Office and the Connecticut State Police’s Statewide Narcotics Task Force – North Central Office, with the assistance of the Federal Bureau of Investigation.  The case was prosecuted by Assistant U.S. Attorney A. Reed Durham.

    MIL Security OSI

  • MIL-OSI Security: Palmdale Man Indicted for Allegedly Producing Sexually Explicit Material Featuring Teenage Girls

    Source: Office of United States Attorneys

    LOS ANGELES – A Palmdale man is scheduled to be arraigned today on a 12-count federal grand jury indictment alleging he coerced two minors into producing and sharing with him sexually explicit content of themselves and enticed one minor to have sex with him. 

    Darius Desean Edwards, 21, of Palmdale, is charged with five counts of production of child pornography, five counts of receipt of child pornography, and two counts of enticement of a minor to engage in criminal sexual activity.

    Edwards, who was employed by Palmdale’s Department of Parks and Recreation until his recent termination, was arrested this morning and is scheduled to be arraigned this afternoon in United States District Court in downtown Los Angeles.

    According to the indictment, from October 2023 until December 2023, Edwards engaged in sexual conversations with a then 16-year-old girl and requested her to produce and share with him child sexual abuse material (CSAM) of herself. Edwards received at least one video from this victim depicting CSAM.

    In March 2024, Edwards communicated with a then 15-year-old girl and requested that she produce and share with him CSAM of herself. Edwards received at least one photo and three videos from this victim depicting CSAM.

    An indictment contains allegations that a defendant has committed a crime. Every defendant is presumed to be innocent until and unless proven guilty beyond a reasonable doubt in court.

    If convicted, Edwards would face a mandatory minimum sentence of five years in federal prison for each count of receipt of child pornography, a mandatory minimum sentence of 15 years in federal prison for each count of production of child pornography, and a mandatory minimum sentence of 10 years in federal prison and a statutory maximum of life in prison for each count of enticement of a minor to engage in criminal sexual activity.

    The FBI is investigating this matter.

    Assistant United States Attorney Lyndsi Allsop with the Violent and Organized Crime Section is prosecuting this case.


  • MIL-OSI USA: ICE investigation leads to 8 criminal arrests and charges for Trinitarios gang members

    Source: US Immigration and Customs Enforcement

    BOSTON — An investigation led by U.S. Immigration and Customs Enforcement led to federal charges unsealed against two dozen leaders, members and associates of the Trinitarios gang — a violent transnational criminal organization. An ICE Homeland Security Investigations-led task force arrested eight alleged gang members early Feb. 19, and 22 individuals have been charged with federal offenses, including racketeering conspiracy in connection with six murders and 11 attempted murders. Two individuals, who were juveniles at the time of the alleged criminal offenses, have been charged by the Essex County District Attorney’s Office with murder.

    The charges are the result of a multijurisdictional investigation that began in the aftermath of four murders, and a series of attempted murders and shootings that took place in Lynn, Massachusetts in 2023, allegedly committed by the Trinitarios criminal enterprise.

    According to court documents, chapters of the Trinitarios were identified in Lawrence, Lynn, Boston and Haverhill. Trinitarios members in these cities allegedly undertake efforts to dominate their communities by intimidating rival gangs and establishing control over certain neighborhoods. It is further alleged that the Trinitarios do not hesitate to use violence, including murder, to further the organization’s goals and purposes. According to the charging document, these gang rivalries develop through personal enmity and disrespect between members of the rival gangs, competition over drug territory and customers as well as violent acts (such as robberies, shootings and murders) that have been committed by the gangs against each other in the past. It is alleged that these rivalries have become deadly and multiple murders have been committed by Trinitarios gang members.

    Specifically, ICE HSI’s investigation allegedly identified that the Massachusetts Trinitarios have committed at least 10 homicides in Essex County over the past decade and are believed to be responsible for numerous attempted murders, shootings, kidnappings and robberies. Sixteen members of the Trinitarios criminal enterprise in Massachusetts have been charged with six of these murders — two of which took place in Lawrence in 2017 and two double murders in Lynn in 2023. The remaining four homicides are being prosecuted by the Essex District Attorney’s Office.

    “Today the message should be loud and clear: transnational criminal organizations and foreign-born malign actors committing violent acts in our communities will never have refuge in the United States. We are working every day with our state, local, and federal partners to tackle transnational crime from all angles with all of the resources available to us to make our streets safer,” said ICE HSI New England Special Agent in Charge, Michael J. Krol.

    According to the charging documents, the Trinitarios are a hierarchical criminal organization, with positions that are known to exist at the state and local chapter level, whose members adhere to a code of conduct. Enmanuel Paula-Cabral, aka “Nelfew,” aka “Gordo,” aka “Manny,” allegedly serves as the State Supreme of the Trinitarios for Massachusetts, responsible for the entirety of the gang’s criminal activities, coordination with other state leaders and communication with leadership of the Trinitarios in the Dominican Republic.

    Paula-Cabral is also allegedly responsible for the Trinitarios Chapter operating in Manchester, New Hampshire as well as the Trinitarios located in Maine, where the gang operates a lucrative drug trade. Below the Supreme is a position referred to as the “Flag” or “Segundo,” which in Massachusetts is allegedly held by Ery Jordani Rosario, aka “Racacha.”

    The Massachusetts Trinitarios allegedly recruit new members among communities of legal immigrants and illegal aliens from the Dominican Republic — specifically juveniles in local high schools in Lawrence and Lynn. To curry favor with these new recruits, the Trinitarios allegedly appeal to their shared Spanish language and culture, Dominican patriotism and use the appearance of prosperity and brotherhood.

    It is further alleged that members are generally initiated into the gang after a period of observation or probation and are often inducted following the completion of a “mission” — which is generally a substantial act of violence such as shootings, beatings, or fist fights with rival gang members that were the same age or stature. According to the court documents, upon induction, new members are formally “blessed” into the organization during a formal ceremony, are administered oaths by the State Supreme and are awarded with ceremonial beaded necklaces. Younger members are allegedly tasked with lesser roles during many violent “missions,” including standing lookout during a shooting, holding or concealing weapons on behalf of full members and transporting weapons after their use in shootings.

    According to the charging documents, the Trinitarios endeavor to project power over the internet and social media allegedly producing music and music videos featuring members in Trinitarios colors and clothing holding weapons, cash and other items, as well as lyrics that boast about violence, drugs and other criminal endeavors as warnings and threats to other rival gangs.

    “As the court papers make clear, for well over a decade, Trinitarios gang members have engaged in brazen acts of murder, assault, and drug distribution — instilling fear in the communities of Lynn and Lawrence in particular. Today’s law enforcement operation has struck a significant blow against the leadership of the Trinitarios operating in Massachusetts — virtually dismantling an organization responsible for years of bloodshed, drug trafficking, and lawlessness,” said United States Attorney Leah B. Foley. “This enforcement action ends the Trinitarios reign of terror in Massachusetts. Today, our communities are safer with the removal of these alleged violent offenders from our streets, and where appropriate, from our country. This operation is a testament to the tireless collaboration among the dedicated members of our federal, state and local law enforcement agencies. Such shameless and senseless acts of violence have no place anywhere; especially not in any city in Massachusetts. If you threaten the safety of our residents, we will find you, we will hold you accountable, and we will ensure that justice is served.”

    “This operation is another example of how the FBI and our law enforcement partners work together to dismantle large-scale, violent transnational criminal organizations that cause chaos and death in our communities. We believe those arrested today — leaders, members, and close associates of the Trinitarios – have allegedly shown a reckless indifference to human life in order to control their turf, push their poison, and make money. There is no question our streets are safer because of this takedown,” said Jodi Cohen, Special Agent in Charge of the Federal Bureau of Investigation, Boston Division. “The FBI’s North Shore Gang Task Force will continue to work on the public’s behalf to lock up these dangerous offenders who shatter folks’ sense of security and quality of life.”

    “Gang violence, as well as illegal gun and drug trafficking, have no place in the Commonwealth,” said Massachusetts State Police Colonel Geoff Noble. “Operations like this show the Massachusetts State Police is committed to working alongside our law enforcement partners to find those responsible for these crimes, arrest them, and pursue justice. Getting these criminals off the street makes Massachusetts a safer place to live.”

    “This investigation and the results represent the best of law enforcement partnerships. The residents of Essex County are safer today with the dismantling of this violent criminal enterprise,” said Essex County District Attorney Paul F. Tucker.

    “Today’s operation marks the culmination of an extensive investigation, demonstrating the strength of our collaborative efforts to combat gangs and violent criminal activity. These significant arrests will undoubtedly prevent further harm to our community. I want to express my deepest gratitude to our officers and our State and Federal law enforcement partners, the Essex County District Attorney’s Office and the Office of the United States Attorney for Massachusetts for their relentless pursuit of justice and for their commitment to making our city safer,” said Lynn Police Chief Christopher P. Reddy.

    “I commend the successful collaboration with the U.S. Attorney’s Office and Homeland Security Investigations,” says Manchester New Hampshire Police Chief Peter Marr. “By arresting multiple gang members involved in violent criminal activities throughout the region, we are reinforcing the commitment to making our community safer.”

    The charge of conspiracy to conduct enterprise affairs through a pattern of racketeering activity (also known as “racketeering conspiracy” or “RICO conspiracy”) provides for a sentence of up to life in prison, five years of supervised release and a fine of up to $250,000. The charge of conspiracy to interfere with commerce by robbery (Hobbs Act conspiracy) provides for a sentence of up to 20 years in prison, three years of supervised release and a fine of up to $250,000.

    The investigation was led by ICE HSI New England’s Strike Force, Massachusetts State Police, the Essex District Attorney’s Office, the Lynn Police Department and the Manchester New Hampshire Police Department. Valuable assistance was provided by ICE Enforcement and Removal Operations, the U.S. Attorney’s Office for the District of New Hampshire; U.S. Customs and Border Protection; Federal Bureau of Investigation; and the Andover, Boston, Franklin, Lawrence, Peabody and Salem Police Departments.

    MIL OSI USA News

  • MIL-OSI Security: Ohio Woman Sentenced to Prison for Insurance Claim Fraud

    Source: Office of United States Attorneys

    CLEVELAND – Angela Frase, 60, of Sterling, Ohio, has been sentenced to 24 months in prison by U.S. District Judge Dan Aaron Polster after pleading guilty to four counts of mail fraud for accepting insurance checks after she knowingly submitted false claims. Frase was also ordered to pay restitution in the amount of $327,072.

    Frase pleaded guilty to devising a scheme that took place from July 2 to Aug. 23, 2019, to defraud a homeowner’s insurance company. According to court documents, the scheme began when Frase called fire emergency services on July 2, 2019, and again on July 3, 2019, to report a fire in her home. Fire marshals were unable to determine the cause of the fire at the time. The insurance company then housed Frase and her husband at an extended stay hotel. An investigation later conducted by insurance company experts determined no evidence of electrical failure as the cause of the fire.

    On the morning of Aug. 6, 2019, the fire department responded to a natural gas leak at the Frase residence. Home remodeling employees entered the home to work on the damage caused by the fire but were forced to evacuate due to the strong smell of natural gas. The fire marshal later determined that the stove was turned on, filling the residence with explosive-causing levels of natural gas. Frase and her husband were the last people in the home prior to the discovery of gas and claimed to have locked the doors. There was no sign of forced entry.

    On Aug. 6, 2019, at approximately 10:43 p.m., Frase left her extended stay hotel room, drove to her home on Spruce Street in Seville, Ohio, and started a fire. Investigators later learned through her cellphone location data that she remained in the area of her home from 10:54 p.m. until 11:39 p.m. and then returned to her hotel room. On Aug. 7, 2019, at approximately 12:36 a.m., the Sterling Fire Department and Wayne County Sheriff’s Office responded to the home in reference to a fire and explosion. The Ohio State Fire Marshal later determined the cause of the fire was incendiary in nature. In addition to starting the fire, Frase spray-painted what appeared to be racial disparities on her own garage and vandalized her neighbor’s vehicle.

    On Aug. 11, 2019, between 9:30 and 10 p.m., Frase returned to her home and again spray-painted hate speech on her own garage. When a sheriff’s deputy responded and discovered the words, Frase told the deputy that she saw two suspicious individuals running through the field behind her property. Three days later, on Aug. 14, Frase called authorities again after she placed a stuffed doll painted black with a noose tied around its neck in her own mailbox. On Aug. 23, she once again contacted law enforcement to report that she found an envelope at her residence while walking around the property that had a racial slur written on it and inside was a plastic bag filled with an unknown white substance and the word “die.”

    From Nov. 1, 2019 to June 17, 2020, the insurance company mailed four checks to Frase for property losses and damages which she accepted. She was later charged with four counts of mail fraud for attempting to swindle money from the homeowner’s insurance company through intentionally deceptive actions.

    This case was investigated by the FBI Cleveland Division, Wayne County Sheriff’s Office, and Ohio’s Division of State Fire Marshal. Assistant U.S. Attorney Scott Zarzycki for the Northern District of Ohio prosecuted the case.


  • MIL-OSI Security: Federal Grand Jury in Louisville Indicts 3 Illegal Aliens

    Source: Office of United States Attorneys

    Louisville, KY – A federal grand jury in Louisville, Kentucky, returned indictments on February 19, 2025, charging 3 illegal aliens with federal criminal offenses.   

    U.S. Attorney Michael A. Bennett of the Western District of Kentucky, Special Agent in Charge Michael E. Stansbury of the FBI Louisville Field Office, Special Agent in Charge Rana Saoud of Homeland Security Investigations, Nashville, Police Chief Mike Canon of the Calvert City Police Department, and Sam Olson, Field Office Director for Enforcement and Removal Operations (ERO) Chicago, U.S. Immigration and Customs Enforcement made the announcement.

    According to the indictments:

    Juan Baltazar Felipe-Pedro, age 26, a citizen of Guatemala, was charged with reentry after deportation or removal. On or about January 23, 2025, Felipe-Pedro was an alien found in the United States after having been denied admission, excluded, deported, and removed from the United States on or about April 25, 2019. If convicted he faces a maximum sentence of 2 years in prison. This case is being investigated by HSI and ICE/ERO.

    Jhoandiris Jimenez-Barrio, age 26, and Yirvel Yonaker Rios-Castro, age 20, citizens of Venezuela, were indicted for conspiracy to commit bank larceny and attempted bank larceny. On or about January 31, 2025, they conspired with each other and others to break into and steal money from an automated teller machine (ATM). They traveled to a bank in Calvert City, Kentucky and attempted to open an ATM to steal money. Homeland Security Investigations verified that Jimenez-Barrio and Rios-Castro are Venezuelan and entered the United States illegally. If convicted, the men face a maximum sentence of 50 years in prison. The case is being investigated by the FBI, Calvert City Police Department, and HSI.

    A federal district court judge will determine any sentence after considering the sentencing guidelines and other statutory factors.

    There is no parole in the federal system.

    Assistant U.S. Attorneys A. Spencer McKiness, Seth Hancock, and Raymond McGee are prosecuting the cases.

    An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.


  • MIL-OSI Security: New Orleans Man Guilty of Commodity Exchange Act Violation

    Source: Office of United States Attorneys

    NEW ORLEANS, LA – Acting U.S. Attorney Michael M. Simpson announced today that MICHAEL BRIAN DEPETRILLO, (“DEPETRILLO”), age 43, from New Orleans, pled guilty on February 18, 2025 to violating the Commodity Exchange Act, in violation of Title 7, United States Code, Section 13(a). DEPETRILLO faces up to ten (10) years imprisonment, up to three (3) years of supervised release, up to a $1,000,000.00 fine, plus the amount of any proceeds, and a mandatory $100 special assessment fee.

    According to court documents, DEPETRILLO was not properly registered as a Commodity Pool Operator (“CPO”) or an Associated Person (“AP”) of a CPO with the United States Commodity Futures Trading Commission (“CFTC”). DEPETRILLO, through various companies, including Meteor, LLC; NOLA FX Capital Management, LLC; ELC Enterprise Solutions, LLC; and Argosapolis, LLC, acted as a CPO and AP of a CPO and embezzled client funds in violation of federal law.

    DEPETRILLO, while acting as an AP of unregistered CPOs, represented to victim investors that their funds would be pooled and invested in the NOLA FX FUND, that, in turn, would be used to trade foreign currency pairs on a leveraged, margined, or financed basis (“retail forex”).

    DEPETRILLO told investors that pooling their funds would be beneficial to them.  DEPETRILLO further represented, to certain investors, that either METEOR or NOLA FX CAPITAL managed the NOLA FX FUND.  In at least one representation, however, DEPETRILLO identified “NOLA FX Capital,” not the NOLA FX FUND, as the pooled investment vehicle.  DEPETRILLO lured investors by claiming he was investing their funds by trading in the foreign currency exchange, gold futures options, stocks, and cryptocurrency.  Instead of trading as promised, DEPETRILLO misappropriated pool funds.  DEPETRILLO then used these misappropriated pool funds to pay approximately $3,700,000 in “returns” to prior investors; approximately $575,000 on his own personal investments; approximately $425,000 on rent; approximately $200,000 on private air travel; and approximately $300,000 on online gambling, among other personal expenses.  To conceal DEPETRILLO’s misappropriation, he created and issued fictitious account statements in the names NOLA FX FUND and NOLA FX CAPITAL.  The fictitious account statements purported to show that: (1) DEPETRILLO had traded forex using pool participant funds, and (2) the NOLA FX FUND and NOLA FX CAPITAL had achieved significant trading returns for pool participants because of his profitable forex trading.  In fact, DEPETRILLO never deposited pool participant funds into trading accounts belonging to NOLA FX FUND or NOLA FX CAPITAL, and he never achieved the trading returns represented on the false account statements.  DEPETRILLO also did not set up the forex pool in the manner required by the regulations, did not receive pool participant funds in the name of the forex pool, and commingled pool participant funds with his own funds.  DEPETRILLO took in approximately $9.2 million in investor funds from approximately 55 victim investors during a seven-year period.

    Sentencing in this matter is scheduled for May 25, 2025, before United States District Judge Jay C. Zainey.

    The case is being investigated by the Federal Bureau of Investigation (“FBI”).  The FBI is seeking information that may help identify potential victims of DEPETRILLO’s fraudulent scheme.  FBI encourages the public to report any information to http://fbi.gov/depetrillovictims.

    The prosecution of this case is being handled by Assistant United States Attorneys Kathryn McHugh of the Financial Crimes Unit and Brian M. Klebba, Chief of the Financial Crimes Unit.


  • MIL-OSI Security: 14 members of Bandidos motorcycle gang indicted for offenses including racketeering, assault and murder

    Source: Office of United States Attorneys

    HOUSTON – A 22-count indictment has been unsealed in the Southern District of Texas (SDTX) following an operation targeting multiple members of an allegedly violent, transnational motorcycle gang in the Houston metropolitan area.

    Current and former members of the Bandidos Outlaw Motorcycle Gang and Mascareros Motorcycle Club are charged for their alleged roles in a criminal enterprise engaged in violent criminal activity in and around Houston. The Mascareros is a support club of the Bandidos.

    Several of those are expected to make their initial appearance before U.S. Magistrate Judge Dena Hanovice Palermo at 2 p.m. Feb. 20.

    A federal grand jury returned an indictment Feb. 11 against 14 members and associates of the Bandidos outlaw motorcycle gang accusing them of various crimes, to include engaging in a conspiracy to commit racketeering activity and committing violent crimes in furtherance of the gang such as murder, attempted murder and assault. The indictment alleges the Bandidos are a self-identified “outlaw” motorcycle organization with a membership of approximately 1,500 to 2,000 in the United States and an additional 1,000 to 1,500 members internationally, including in Mexico.

    “Ensuring the safety of the public is SDTX’s paramount concern,” said U.S. Attorney Nicholas J. Ganjei. “The indictment here not only alleges shocking crimes of violence, but also alleges that these offenses were committed openly and wantonly, where any innocent member of the public could have been hurt or killed.” 

    “Today’s indictment is an important step in eliminating the Bandidos Outlaw Motorcycle Gang,” said Supervisory Official Antoinette T. Bacon of the Justice Department’s Criminal Division. “The Bandidos declare war on rivals—and they wage that war on our streets. Criminal behavior like this has no place in America, and the Department of Justice is fully committed to bringing peace back to our communities.”

    The indictment alleges that beginning in 2019, a violent turf war erupted between the Bandidos and B*EAST, a rival outlaw motorcycle gang in the Houston area. As part of this turf war, Bandidos national leadership allegedly put out a “smash on site” order to commit physical assaults, including murder, against B*EAST members. The turf war has resulted in gunfire exchanged on public roadways and in public establishments with innocent civilians present, according to the charges.

    John M. Pfeffer aka Big John, 32, Darvi Hinojosa aka 10 Round, 35, Bradley Rickenbacker aka Dolla Bill, 37, all of Katy; Michael H. Dunphy aka Money Mike, 57, Cleveland; Christopher Sanchez aka Monster, 40, Tomball; and Brandon K. Hantz aka Loco and Gun Drop, 33, Crosby; are charged with conspiracy to commit racketeering activity. Pfeffer, Dunphy, Hinojosa, Rickenbacker and Sanchez are further charged with multiple counts of assault in aid of racketeering. Pfeffer, Hinojosa, Rickenbacker and Sanchez are also charged with using a firearm during and in relation to a crime of violence, while Sanchez faces charges of being a felon in possession of a firearm. Hantz is also charged with arson.

    Pfeffer, Hinojosa, Rickenbacker and Sanchez each face up to life in prison if convicted, while Dunphy and Hantz each face up to 20 years on each of their counts upon conviction.

    The indictment also charges David Vargas aka Brake Check and First Time, 33, Houston, with murder in aid of racketeering; using a firearm during and in relation to a crime of violence resulting in death; attempted murder in aid of racketeering; and using, carrying, brandishing, discharging and possessing a firearm during and in relation to the attempted murders. All those charges relate to the killing of a rival and the shooting of two others. Murder in aid of racketeering carries a mandatory life sentence or the death penalty, if convicted.

    Further, Pfeffer and Rickenbacker are also charged with assault in aid of racketeering and using a firearm during and in relation to a crime of violence along with Marky Baker aka Pinche Guero and Guero, 40, Ronnie McCabe aka Meathead, 56, and Jeremy Cox aka JD, 37, all of Houston; Roy Gomez aka Repo, 50, Richmond; and Marcel Lett, 56, Pearland. These charges are in relation to an alleged assault and robbery that resulted in the death of a rival. If convicted, they face up to life in prison.

    Hinojosa is also charged along with John Sblendorio aka Tech9, 54, Houston, with conspiracy to commit murder in aid of racketeering, attempted murder in aid of racketeering, assault in aid of racketeering and using a firearm during and in relation to a crime of violence in connection with the shooting of a rival gang member. Hinojosa is also charged with conspiracy to distribute cocaine and three counts of possession with intent to distribute cocaine. Sblendorio and Hinojosa each face up to life in prison, if convicted.

    In addition, Sean G. Christison, aka Skinman, 30, Katy, is charged with possession with intent to distribute cocaine and possession of a firearm in furtherance of a drug trafficking crime. He faces a maximum penalty of life imprisonment. 

    The FBI, Texas Board of Criminal Justice – Office of Inspector General, Texas Department of Public Safety and Montgomery County Sheriff’s Office conducted the Organized Crime Drug Enforcement Task Forces (OCDETF) investigation with the assistance of Harris County Sheriff’s Office; Houston and Pasadena Police Departments; Texas Alcoholic Beverage Commission; LaMarque and Katy Police Departments; U.S. Marshals Service; Bureau of Alcohol, Tobacco, Firearms and Explosives; and the Cypress-Fairbanks Independent School District Police Department. 

    OCDETF identifies, disrupts and dismantles the highest-level drug traffickers, money launderers, gangs and transnational criminal organizations that threaten the United States by using a prosecutor-led, intelligence-driven, multi-agency approach that leverages the strengths of federal, state and local law enforcement agencies against criminal networks. Additional information about the OCDETF Program can be found on the Department of Justice’s OCDETF webpage.

    This case is being prosecuted as part of the joint federal, state and local Project Safe Neighborhoods (PSN) Program, the centerpiece of the Department of Justice’s violent crime reduction efforts. PSN is an evidence-based program proven to be effective at reducing violent crime. Through PSN, a broad spectrum of stakeholders work together to identify the most pressing violent crime problems in the community and develop comprehensive solutions to address them. As part of this strategy, PSN focuses enforcement efforts on the most violent offenders and partners with locally based prevention and reentry programs for lasting reductions in crime.

    Assistant U.S. Attorneys Byron H. Black and Kelly Zenón-Matos of the Southern District of Texas are prosecuting the case in partnership with Trial Attorneys Grace H. Bowen and Christopher Taylor of the Department of Justice’s Criminal Division – Violent Crime and Racketeering Section.

    An indictment is a formal accusation of criminal conduct, not evidence. A defendant is presumed innocent unless convicted through due process of law.

    MIL Security OSI

  • MIL-OSI Security: Detroit Man Sentenced To Over Four Years in Federal Prison For Participating In Multi-State Pandemic Unemployment Insurance Fraud Scheme

    Source: Office of United States Attorneys

    DETROIT – A man from Detroit, Michigan was sentenced today for his role in a multi-state, million-dollar unemployment insurance fraud scheme aimed at defrauding the U.S. government and the states of Michigan, Pennsylvania, and Maryland, of funds earmarked for unemployment assistance during the COVID-19 pandemic, announced Acting United States Attorney Julie A. Beck.

    Joining in the announcement were Special Agent in Charge Cheyvoryea Gibson, Federal Bureau of Investigation, Special Agent in Charge Charles Miller, Internal Revenue Service-Criminal Investigation, and Megan Howell, Acting Special Agent in Charge, Chicago Region, U.S. Department of Labor Office of Inspector General.

    Tracey Dotson, 49, was sentenced to 51 months in prison and ordered to pay more than $900,000 in restitution in the sentence handed down by United States District Judge Matthew F. Leitman.

    According to court records, Dotson and a co-defendant conspired to, and did, defraud the federal government and the states of Michigan, Pennsylvania, and Maryland of roughly $1 million in funds intended to support individuals who had lost their jobs during the COVID-19 pandemic. The pair committed their crimes through the use of interstate wires and the unauthorized possession and use of social security numbers and other means of identification belonging to other individuals.

    Dotson pleaded guilty to wire fraud and conspiracy to commit wire fraud in April 2024. Dotson and his co-defendant, using stolen personal identification, filed hundreds of false unemployment claims with state unemployment insurance agencies in Michigan, Pennsylvania, and Maryland in the names of other individuals without their knowledge or consent.   The defendants then received hundreds of Bank of America prepaid debit cards in the names of those individuals loaded with roughly $1 million in Pandemic Unemployment Assistance funds at addresses in Michigan and Pennsylvania. Dotson, his co-defendant, and their accomplices then successfully unloaded more than $930,000 from the cards via cash withdrawals and purchases that included high-end jewelry, designer fashion accessories by Gucci and Louis Vuitton, drugs, at least one vehicle, and at least one firearm.

    “Taxpayer unemployment assistance funds diverted to the pockets of criminals during the pandemic resulted in fewer resources that were available for those genuinely in need at that challenging time,” said Acting U.S. Attorney Julie Beck. “Our office is steadfast in its commitment to bringing those to justice who used a global health crisis as a means to illegally line their own pockets at the expense of taxpayers.”

    “This sentence underscores the FBI’s commitment to investigating complex financial crimes,” said Cheyvoryea Gibson, Special Agent in Charge of the FBI in Michigan. “We will not tolerate the greed and selfish conduct demonstrated by those who chose to defraud the unemployment insurance system, especially when we faced an unprecedented global pandemic. The FBI and our federal partners remain steadfast in holding criminals accountable and protecting government assistance programs. The pandemic may be in our rearview mirrors, but our investigations continue to move forward in the name of justice.”

    “Individuals who commit such blatant unemployment insurance fraud and identity theft of this magnitude deserve to be punished to the fullest extent of the law,” said Charles Miller, Special Agent in Charge, Detroit Field Office, IRS Criminal Investigation.  “Tracey Dotson and his co-conspirator took advantage of a program intended to help those in need get through a devastating global pandemic, exposed personal identity information of many, and caused immeasurable hardship to innocent victims. IRS Criminal Investigation remains committed to the pursuit of pandemic fraud and identity theft, together with our partners at the U.S. Attorney’s Office, we will hold those who engage in similar conduct accountable.”

    “Tracey Dotson and his co-conspirator defrauded multiple state workforce agencies by using stolen identities to obtain unemployment insurance (UI) benefits. As a result, he stole vital taxpayer resources intended for unemployed American workers in dire need of UI benefits. Today’s sentencing affirms the Office of Inspector General’s commitment to work with our law enforcement partners to investigate and bring to justice those who exploit this critical benefit program,” said Megan Howell, Acting Special Agent-in-Charge, Great Lakes Region, U.S. Department of Labor, Office of Inspector General.

    This case was prosecuted by Assistant United States Attorneys Carl D. Gilmer-Hill and Jessica A. Nathan. The investigation was conducted jointly by the Federal Bureau of Investigation, Internal Revenue Service – Criminal Investigation, and Department of Labor, Office of Inspector General.


  • MIL-OSI Security: Financial TV News Analyst-Turned-Fugitive Agrees to Plead Guilty to Federal Charge for Conning Investors Out of Millions of Dollars

    Source: Office of United States Attorneys

    LOS ANGELES – A former San Gabriel Valley resident – who was a frequent guest on financial television news programs then became a fugitive from justice after being accused of scamming investors – has agreed to plead guilty to defrauding his victims out of at least $2.7 million, the Justice Department announced today.

    James Arthur McDonald Jr., 53, formerly of Arcadia, has agreed to plead guilty to one count of securities fraud, a felony that carries a statutory maximum sentence of 20 years in federal prison.

    McDonald has been in federal custody since June 2024, when he was arrested in a residence in Port Orchard, Washington, after being a fugitive since November 2021, when he failed to appear before the United States Securities and Exchange Commission (SEC) to testify after allegations arose that he had defrauded investors. 

    According to his plea agreement, at McDonald’s Washington state hideout, law enforcement found, among other things, a fake Washington, D.C., driver’s license bearing McDonald’s photograph and the name “Brian Thomas.”

    McDonald was the CEO and chief investment officer of two companies headquartered in Los Angeles: Hercules Investments LLC and Index Strategy Advisors Inc. (ISA). He frequently appeared as an analyst on the CNBC financial television news network.

    In late 2020, McDonald lost tens of millions of dollars of Hercules client money after adopting a risky short position that effectively bet against the health of the United States economy in the aftermath of the U.S. presidential election. McDonald projected that the COVID-19 pandemic and the election would result in major selloffs that would cause the stock market to drop. When the market decline didn’t occur, Hercules clients lost between $30 million and $40 million. By December 2020, Hercules clients were complaining to company employees about the losses in their accounts, according to court documents.

    In early 2021, McDonald solicited millions of dollars’ worth of funds from investors in the form of a purported capital raise for Hercules but misrepresented how the funds would be used and failed to disclose the massive losses Hercules previously sustained. As part of the capital raise, McDonald obtained $675,000 in investment funds from one victim group on March 9, 2021. He misappropriated most of those funds in various ways, including spending $174,610 at a Porsche dealership and transferring $109,512 to the landlord of a home McDonald was renting in Arcadia.

    McDonald also defrauded clients of ISA, his other firm, using less than half of the approximately $3.6 million he raised for trading purposes. Instead, McDonald frequently commingled ISA client funds with funds from his personal bank account, which he used to purchase luxury cars and to pay rent on his home, personal credit card charges, and Hercules operating expenses and to make Ponzi-like payments to ISA clients — that is, paying some ISA clients using funds from other clients. 

    In total, McDonald caused losses of between approximately $2,745,892 and approximately $3,025,892, according to his plea agreement.

    The FBI and IRS Criminal Investigation are investigating this matter.

    In September 2022, the SEC filed a civil complaint charging McDonald and Hercules with violations of federal securities law. In April 2024, United States District Judge Percy Anderson found McDonald and Hercules liable and ordered that they pay several million dollars in disgorgement and civil penalties.

    Assistant United States Attorneys Alexander B. Schwab and Nisha Chandran of the Corporate and Securities Fraud Strike Force are prosecuting this case.


  • MIL-OSI USA: Fourteen Members and Associates of Violent Transnational Motorcycle Gang Indicted on RICO and Murder Charges

    Source: US State of North Dakota

    An indictment was unsealed today in the Southern District of Texas charging 14 members and associates of the Bandidos Outlaw Motorcycle Gang for their alleged roles in a criminal enterprise engaged in murder, robbery, arson, narcotics distribution, and witness intimidation in and around Houston.

    The indictment accuses the defendants of various crimes, including engaging in a conspiracy to commit racketeering (RICO) activity and committing violent crimes in furtherance of the gang such as murder, attempted murder, and assault. The indictment alleges that the Bandidos are a self-identified “outlaw” motorcycle organization with a membership of approximately 1,500 to 2,000 in the United States and an additional 1,000 to 1,500 members internationally, including in Mexico.

    “Today’s indictment is an important step in eliminating the Bandidos Outlaw Motorcycle Gang,” said Supervisory Official Antoinette T. Bacon of the Justice Department’s Criminal Division. “The Bandidos declare war on rivals — and they wage that war on our streets. Criminal behavior like this has no place in America, and the Department of Justice is fully committed to bringing peace back to our communities.”

    “Ensuring the safety of the public is Southern District of Texas’ paramount concern,” said U.S. Attorney Nicholas J. Ganjei for the Southern District of Texas. “The indictment here not only alleges shocking crimes of violence, but also alleges that these offenses were committed openly and wantonly, where any innocent member of the public could have been hurt or killed.”

    According to court documents and statements in court, beginning in 2019, a violent turf war erupted between the Bandidos and B*EAST, a rival outlaw motorcycle gang in the Houston area. As part of this turf war, Bandidos national leadership allegedly put out a “smash on site” order to commit physical assaults, including murder, against B*EAST members. The turf war has resulted in gunfire exchanged on public roadways and in public establishments with innocent civilians present, according to the charges.

    John M. Pfeffer, also known as Big John, 32, Darvi Hinojosa, also known as 10 Round, 35, and Bradley Rickenbacker, also known as Dolla Bill, 37, all of Katy, Texas; Michael H. Dunphy, also known as Money Mike, 57, of Cleveland, Texas; Christopher Sanchez, also known as Monster, 40, of Tomball, Texas; and Brandon K. Hantz, also known as Loco and Gun Drop, 33, of Crosby, Texas, are charged with conspiracy to commit racketeering activity. Pfeffer, Dunphy, Hinojosa, Rickenbacker, and Sanchez are further charged with multiple counts of assault in aid of racketeering. Pfeffer, Hinojosa, Rickenbacker, and Sanchez are also charged with using a firearm during and in relation to a crime of violence, while Sanchez faces charges of being a felon in possession of a firearm. Hantz is also charged with arson.

    If convicted, Pfeffer, Hinojosa, Rickenbacker, and Sanchez each face a maximum penalty of life in prison, while Dunphy and Hantz each face a maximum penalty of 20 years in prison on each of their counts.

    The indictment also charges David Vargas, also known as Brake Check and First Time, 33, of Houston, with murder in aid of racketeering; using a firearm during and in relation to a crime of violence resulting in death; attempted murder in aid of racketeering; and using a firearm during and in relation to the attempted murders. All those charges relate to the killing of a rival and the shooting of two others. If convicted, Vargas faces a mandatory penalty of life in prison or the death penalty.

    Further, Marky Baker, also known as Pinche Guero and Guero, 40; Ronnie McCabe, also known as Meathead, 56; and Jeremy Cox, also known as JD, 37, all of Houston; Roy Gomez, also known as Repo, 50, of Richmond, Texas; and Marcel Lett, 56, of Pearland, Texas, are charged along with Pfeffer and Rickenbacker with assault in aid of racketeering and using a firearm during and in relation to a crime of violence. These charges are in relation to an alleged assault and robbery that resulted in the death of a rival. If convicted, they each face a maximum penalty of life in prison.

    Hinojosa is also charged along with John Sblendorio, also known as Tech9, 54, of Houston, with conspiracy to commit murder in aid of racketeering, attempted murder in aid of racketeering, assault in aid of racketeering, and using a firearm during and in relation to a crime of violence in connection with the shooting of a rival gang member. Hinojosa is also charged with conspiracy to distribute cocaine and three counts of possession with intent to distribute cocaine. If convicted, Sblendorio and Hinojosa each face a maximum penalty of life in prison.

    In addition, Sean G. Christison, also known as Skinman, 30, of Katy, is charged with possession with intent to distribute cocaine and possession of a firearm in furtherance of a drug trafficking crime. He faces a maximum penalty of life in prison.

    For all defendants, a federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

    The FBI, Texas Board of Criminal Justice — Office of Inspector General, Texas Department of Public Safety, and Montgomery County Sheriff’s Office conducted the investigation, with assistance from the Harris County Sheriff’s Office; Houston and Pasadena Police Departments; Texas Alcoholic Beverage Commission; LaMarque and Katy Police Departments; U.S. Marshals Service; Bureau of Alcohol, Tobacco, Firearms and Explosives; and Cypress-Fairbanks Independent School District Police Department.

    Trial Attorneys Grace H. Bowen and Christopher Taylor of the Criminal Division’s Violent Crime and Racketeering Section and Assistant U.S. Attorneys Byron H. Black and Kelly Zenón-Matos for the Southern District of Texas are prosecuting the case.

    This investigation was part of an Organized Crime Drug Enforcement Task Forces (OCDETF) operation. OCDETF identifies, disrupts and dismantles the highest-level drug traffickers, money launderers, gangs and transnational criminal organizations that threaten the United States by using a prosecutor-led, intelligence-driven, multi-agency approach that leverages the strengths of federal, state and local law enforcement agencies against criminal networks. Additional information about the OCDETF Program can be found on the Justice Department’s OCDETF webpage.

    This case is being prosecuted as part of the joint federal, state and local Project Safe Neighborhoods (PSN) Program, the centerpiece of the Justice Department’s violent crime reduction efforts. PSN is an evidence-based program proven to be effective at reducing violent crime. Through PSN, a broad spectrum of stakeholders work together to identify the most pressing violent crime problems in the community and develop comprehensive solutions to address them. As part of this strategy, PSN focuses enforcement efforts on the most violent offenders and partners with locally based prevention and reentry programs for lasting reductions in crime. For more information about PSN, please visit www.justice.gov/psn.

    An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

    MIL OSI USA News

  • MIL-OSI USA: CISA and Partners Release Advisory on Ghost (Cring) Ransomware

    News In Brief – Source: US Computer Emergency Readiness Team

    Today, CISA—in partnership with the Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC)—released a joint Cybersecurity Advisory, #StopRansomware: Ghost (Cring) Ransomware. This advisory provides network defenders with indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and detection methods associated with Ghost ransomware activity identified through FBI investigations.

    Ghost actors conduct these widespread attacks targeting and compromising organizations with outdated versions of software and firmware on their internet facing services. These malicious ransomware actors are known to use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) where available patches have not been applied to gain access to internet facing servers. The known CVEs are CVE-2018-13379, CVE-2010-2861, CVE-2009-3960, CVE-2021-34473, CVE-2021-34523, CVE-2021-31207.

    CISA encourages network defenders to review this advisory and apply the recommended mitigations. See #StopRansomware and the #StopRansomware Guide for additional guidance on ransomware protection, detection, and response. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including added recommended baseline protections.


  • MIL-OSI USA: #StopRansomware: Ghost (Cring) Ransomware

    News In Brief – Source: US Computer Emergency Readiness Team

    Summary

    Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

    The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Ghost (Cring)—(“Ghost”)—ransomware IOCs and TTPs identified through FBI investigation as recently as January 2025.

    Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.

    Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.

    Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet facing servers. Ghost actors exploit well known vulnerabilities and target networks where available patches have not been applied.

    The FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Ghost ransomware incidents.


    Technical Details

    Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16.1. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

    Initial Access

    The FBI has observed Ghost actors obtaining initial access to networks by exploiting public facing applications that are associated with multiple CVEs [T1190]. Their methodology includes leveraging vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, commonly referred to as the ProxyShell attack chain).

    Execution

    Ghost actors have been observed uploading a web shell [T1505.003] to a compromised server and leveraging Windows Command Prompt [T1059.003] and/or PowerShell [T1059.001] to download and execute Cobalt Strike Beacon malware [T1105] that is then implanted on victim systems. Despite Ghost actors’ malicious implementation, Cobalt Strike is a commercially available adversary simulation tool often used for the purposes of testing an organization’s security controls.

    Persistence

    Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks. In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day. However, Ghost actors sporadically create new local [T1136.001] and domain accounts [T1136.002] and change passwords for existing accounts [T1098]. In 2024, Ghost actors were observed deploying web shells [T1505.003] on victim web servers.

    Privilege Escalation

    Ghost actors often rely on built in Cobalt Strike functions to steal process tokens running under the SYSTEM user context to impersonate the SYSTEM user, often for the purpose of running Beacon a second time with elevated privileges [T1134.001].

    Ghost actors have been observed using multiple open-source tools in an attempt at privilege escalation through exploitation [T1068] such as “SharpZeroLogon,” “SharpGPPPass,” “BadPotato,” and “GodPotato.” These privilege escalation tools would not generally be used by individuals with legitimate access and credentials. 

    See Table 1 for a descriptive listing of tools.

    Credential Access

    Ghost actors use the built in Cobalt Strike function “hashdump” or Mimikatz [T1003] to collect passwords and/or password hashes to aid them with unauthorized logins and privilege escalation or to pivot to other victim devices.

    Defense Evasion

    Ghost actors used their access through Cobalt Strike to display a list of running processes [T1057] to determine which antivirus software [T1518.001] is running so that it can be disabled [T1562.001]. Ghost frequently runs a command to disable Windows Defender on network connected devices. Options used in this command are: Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 -DisableBehaviorMonitoring 1 -DisableScriptScanning 1 -DisableIOAVProtection 1 -EnableControlledFolderAccess Disabled -MAPSReporting Disabled -SubmitSamplesConsent NeverSend.

    Discovery

    Ghost actors have been observed using other built-in Cobalt Strike commands for domain account discovery [T1087.002], open-source tools such as “SharpShares” for network share discovery [T1135], and “Ladon 911” and “SharpNBTScan” for remote systems discovery [T1018]. Network administrators would be unlikely to use these tools for network share or remote systems discovery.

    Lateral Movement

    Ghost actors used elevated access and Windows Management Instrumentation Command-Line (WMIC) [T1047] to run PowerShell commands on additional systems on the victim network, often for the purpose of initiating additional Cobalt Strike Beacon infections. The associated encoded string is a Base64 PowerShell command that always begins with: powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIA… [T1132.001][T1564.003].

    This string decodes to “$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("” and is involved with the execution of Cobalt Strike in memory on the target machine.

    In cases where lateral movement attempts are unsuccessful, Ghost actors have been observed abandoning an attack on a victim.
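
    An added example, not part of the advisory: a Python check for process command lines (for example from process-creation logs) that covers both the Set-MpPreference options listed under Defense Evasion and the encoded PowerShell prefix described under Lateral Movement. The function names and the sample command lines are constructed for illustration, and accepting $true as well as 1 is an assumption.

```python
import base64
import binascii
import re
from typing import Iterator, List, Optional, Tuple

# Both values are quoted from the advisory text.
PAGE_B64_PREFIX = (
    "JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA"
    "LABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIA"
)
STAGER_PREFIX = '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("'

# Set-MpPreference options and values as listed in the advisory. "$true" is an
# added assumption: PowerShell accepts it wherever the advisory shows 1.
DEFENDER_WEAKENING = {
    "disablerealtimemonitoring": {"1", "$true"},
    "disableintrusionpreventionsystem": {"1", "$true"},
    "disablebehaviormonitoring": {"1", "$true"},
    "disablescriptscanning": {"1", "$true"},
    "disableioavprotection": {"1", "$true"},
    "enablecontrolledfolderaccess": {"disabled"},
    "mapsreporting": {"disabled"},
    "submitsamplesconsent": {"neversend"},
}
# "-Name value" or "-Name:value"; a value never starts with "-" (next option).
OPTION_RE = re.compile(r"-(\w+)[:\s]+([^\s;|-][^\s;|]*)")


def enc_utf16(script: str) -> str:
    """Encode text the way -EncodedCommand expects: Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(value: str) -> Optional[str]:
    """Decode an -EncodedCommand argument; None if it is not valid Base64."""
    value = value.strip().strip("\"'")
    value = value[: len(value) - len(value) % 4]  # tolerate truncated log fields
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le", errors="replace")


def encoded_args(cmdline: str) -> Iterator[str]:
    """Yield the value that follows -EncodedCommand in any accepted spelling.

    powershell.exe accepts shortened spellings such as -e, -ec and -enc.
    """
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag.lstrip("-/").lower()
        if flag[0] in "-/" and name and (
            "encodedcommand".startswith(name) or name == "ec"
        ):
            yield value


def weakened_defender_options(text: str) -> List[str]:
    """Return advisory-listed Set-MpPreference options set to a weakening value."""
    match = re.search(r"(?i)set-mppreference\b(.*)", text, re.S)
    if not match:
        return []
    return [
        name
        for name, val in OPTION_RE.findall(match.group(1))
        if val.lower().strip("\"'") in DEFENDER_WEAKENING.get(name.lower(), ())
    ]


def _normalise(text: str) -> str:
    return re.sub(r"\s+", "", text).lower()


def scan(cmdline: str) -> List[Tuple[str, str]]:
    """Check one command line, and any payload decoded from it, against both patterns."""
    findings = []
    texts = [cmdline]
    for arg in encoded_args(cmdline):
        decoded = decode_encoded_command(arg)
        if decoded is None:
            continue
        texts.append(decoded)
        if _normalise(decoded).startswith(_normalise(STAGER_PREFIX)):
            findings.append(("ghost-stager-prefix", decoded[: len(STAGER_PREFIX)]))
    for text in texts:
        options = weakened_defender_options(text)
        if options:
            findings.append(("defender-weakened", ",".join(options)))
    return findings


# Constructed sample command lines with inert payloads, not captured telemetry.
_STAGER = enc_utf16(STAGER_PREFIX + 'QUJD"));')
SAMPLES = [
    "powershell -nop -w hidden -encodedcommand " + _STAGER,
    "powershell.exe -NoP -W Hidden -enc " + _STAGER[:170],  # truncated by the logger
    "powershell Set-MpPreference -DisableRealtimeMonitoring 1 "
    "-MAPSReporting Disabled -SubmitSamplesConsent NeverSend",
    "powershell -ec " + enc_utf16("Set-MpPreference -DisableScriptScanning $true"),
    "powershell -enc " + enc_utf16("Get-Date"),
    "powershell Set-MpPreference -DisableRealtimeMonitoring 0",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(scan(sample), "<-", sample[:60])
```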

    Exfiltration

    Ghost ransom notes often claim exfiltrated data will be sold if a ransom is not paid. However, Ghost actors do not frequently exfiltrate a significant amount of information or files, such as intellectual property or personally identifiable information (PII), that would cause significant harm to victims if leaked. The FBI has observed limited downloading of data to Cobalt Strike Team Servers [T1041]. Victims and other trusted third parties have reported limited uses of Mega.nz [T1567.002] and installed web shells for similar limited data exfiltration. Note: The typical data exfiltration is less than hundreds of gigabytes of data.

    Command and Control

    Ghost actors rely heavily on Cobalt Strike Beacon malware and Cobalt Strike Team Servers for command and control (C2) operations, which function using hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) [T1071.001]. Ghost rarely registers domains associated with their C2 servers. Instead, connections made to a uniform resource identifier (URI) of a C2 server, for the purpose of downloading and executing Beacon malware, directly reference the C2 server’s IP address. For example, http://xxx.xxx.xxx.xxx:80/Google.com where xxx.xxx.xxx.xxx represents the C2 server’s IP address.
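
    An added example, not part of the advisory: a Python filter for web-proxy logs that flags requests whose destination host is an IP literal outside internal ranges, the pattern described above, and marks a last path segment that reads like a domain name, as in /Google.com. The log layout, the internal ranges, the short TLD list and the sample lines (documentation-range addresses) are assumptions.

```python
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Assumption: ranges treated as internal; adjust to the monitored network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Heuristic: a last path segment that reads like a DNS name, as in the
# advisory's /Google.com. The TLD list is a small illustrative sample.
HOSTLIKE_SEGMENT = re.compile(
    r"(?i)^[a-z0-9-]+(\.[a-z0-9-]+)*\.(com|net|org|io|cn)$"
)


def external_ip_literal(url: str) -> Optional[str]:
    """Return the host if it is an IP literal outside INTERNAL_NETS, else None."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme.lower() not in ("http", "https") or host is None:
            return None
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # malformed URL, or the host is a DNS name
    if any(addr in net for net in INTERNAL_NETS):
        return None
    return str(addr)


def hunt(log_lines: List[str]) -> List[Tuple[str, str, bool]]:
    """Return (client, destination IP, path-looks-like-hostname) per flagged request.

    Assumed layout: timestamp client method target status bytes.
    """
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, method, target = fields[1], fields[2].upper(), fields[3]
        if method == "CONNECT":  # HTTPS tunnel: the target is host:port
            target = "https://" + target
        dest = external_ip_literal(target)
        if dest is None:
            continue
        last_segment = urlsplit(target).path.rsplit("/", 1)[-1]
        findings.append((client, dest, bool(HOSTLIKE_SEGMENT.match(last_segment))))
    return findings


# Constructed proxy log lines; destinations use documentation address ranges.
SAMPLE_LOG = [
    "2025-02-19T10:01:02Z 10.1.4.23 GET http://203.0.113.45:80/Google.com 200 261120",
    "2025-02-19T10:01:05Z 10.1.4.23 GET https://www.example.com/index.html 200 5120",
    "2025-02-19T10:02:11Z 10.1.4.50 GET http://192.168.10.5:8080/status 200 312",
    "2025-02-19T10:03:40Z 10.1.7.9 GET https://198.51.100.7/updates/patch.bin 200 88211",
    "2025-02-19T10:04:02Z 10.1.7.9 CONNECT 198.51.100.7:443 200 0",
]

if __name__ == "__main__":
    for client, dest, hostlike in hunt(SAMPLE_LOG):
        print(f"{client} -> {dest} hostlike_path={hostlike}")
```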

    For email communication with victims, Ghost actors use legitimate email services that include traffic encryption features [T1573]. Some examples of email services that Ghost actors have been observed using are Tutanota, Skiff, ProtonMail, Onionmail, and Mailfence.

    Note: Table 2 contains a list of Ghost ransom email addresses.

    Impact and Encryption

    Ghost actors use Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which are all ransomware executables that share similar functionality. Ghost variants can be used to encrypt specific directories or the entire system’s storage [T1486]. The nature of executables’ operability is based on command line arguments used when executing the ransomware file. Various file extensions and system folders are excluded during the encryption process to avoid encrypting files that would render targeted devices inoperable.

    These ransomware payloads clear Windows Event Logs [T1070.001], disable the Volume Shadow Copy Service, and delete shadow copies to inhibit system recovery attempts [T1490]. Data encrypted with Ghost ransomware variants cannot be recovered without the decryption key. Ghost actors hold the encrypted data for ransom and typically demand anywhere from tens to hundreds of thousands of dollars in cryptocurrency in exchange for decryption software [T1486].

    The impact of Ghost ransomware activity varies widely on a victim-to-victim basis. Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral movement to other devices.

    Indicators of Compromise (IOC)

    Table 1 lists several tools and applications Ghost actors have used for their operations. The use of these tools and applications on a network should be investigated further.

    Note: Authors of these tools generally state that they should not be used in illegal activity.

    Table 1: Tools Leveraged by Ghost Actors
    Name | Description | Source
    Cobalt Strike | Cobalt Strike is penetration testing software. Ghost actors use an unauthorized version of Cobalt Strike. | N/A
    IOX | Open-source proxy, used to establish a reverse proxy to a Ghost C2 server from an internal victim device. | github[.]com/EddieIvan01/iox
    SharpShares.exe | SharpShares.exe is used to enumerate accessible network shares in a domain. Ghost actors use this primarily for host discovery. | github[.]com/mitchmoser/SharpShares
    SharpZeroLogon.exe | SharpZeroLogon.exe attempts to exploit CVE-2020-1472 and is run against a target Domain Controller. | github[.]com/leitosama/SharpZeroLogon
    SharpGPPPass.exe | SharpGPPPass.exe attempts to exploit CVE-2014-1812 and targets XML files created through Group Policy Preferences that may contain passwords. | N/A
    SpnDump.exe | SpnDump.exe is used to list service principal name identifiers, which Ghost actors use for service and hostname enumeration. | N/A
    NBT.exe | A compiled version of SharpNBTScan, a NetBIOS scanner. Ghost actors use this tool for hostname and IP address enumeration. | github[.]com/BronzeTicket/SharpNBTScan
    BadPotato.exe | BadPotato.exe is an exploitation tool used for privilege escalation. | github[.]com/BeichenDream/BadPotato
    God.exe | God.exe is a compiled version of GodPotato and is used for privilege escalation. | github[.]com/BeichenDream/GodPotato
    HFS (HTTP File Server) | A portable web server program that Ghost actors use to host files for remote access and exfiltration. | rejitto[.]com/hfs
    Ladon 911 | A multifunctional scanning and exploitation tool, often used by Ghost actors with the MS17010 option to scan for SMB vulnerabilities associated with CVE-2017-0143 and CVE-2017-0144. | github[.]com/k8gege/Ladon
    Web Shell | A backdoor installed on a web server that allows for the execution of commands and facilitates persistent access. | Slight variation of github[.]com/BeichenDream/Chunk-Proxy/blob/main/proxy.aspx

    Table 2: MD5 File Hashes Associated with Ghost Ransomware Activity

    Ransom Email Addresses

    Table 3 is a subset of ransom email addresses that have been included in Ghost ransom notes.

    Table 3: Ransom Email Addresses

    Ransom Notes

    Starting approximately in August 2024, Ghost actors began using TOX IDs in ransom notes as an alternative method for communicating with victims. For example: EFE31926F41889DBF6588F27A2EC3A2D7DEF7D2E9E0A1DEFD39B976A49C11F0E19E03998DBDA and E83CD54EAAB0F31040D855E1ED993E2AC92652FF8E8742D3901580339D135C6EBCD71002885B.

    MITRE ATT&CK Tactics and Techniques

    See Table 4 to Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, version 16.1, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

    Table 4: Initial Access
    Technique Title | ID | Use
    Exploit Public-Facing Application | T1190 | Ghost actors exploit multiple vulnerabilities in public-facing systems to gain initial access to servers.

    Table 5: Execution
    Technique Title | ID | Use
    Windows Management Instrumentation | T1047 | Ghost actors abuse WMI to run PowerShell scripts on other devices, resulting in their infection with Cobalt Strike Beacon malware.
    PowerShell | T1059.001 | Ghost actors use PowerShell for various functions including to deploy Cobalt Strike.
    Windows Command Shell | T1059.003 | Ghost actors use the Windows Command Shell to download malicious content onto victim servers.

    Table 6: Persistence
    Technique Title | ID | Use
    Account Manipulation | T1098 | Ghost actors change passwords for already established accounts.
    Local Account | T1136.001 | Ghost actors create new accounts or make modifications to local accounts.
    Domain Account | T1136.002 | Ghost actors create new accounts or make modifications to domain accounts.
    Web Shell | T1505.003 | Ghost actors upload web shells to victim servers to gain access and for persistence.

    Table 7: Privilege Escalation
    Technique Title | ID | Use
    Exploitation for Privilege Escalation | T1068 | Ghost actors use a suite of open source tools in an attempt to gain elevated privileges through exploitation of vulnerabilities.
    Token Impersonation/Theft | T1134.001 | Ghost actors use Cobalt Strike to steal process tokens of processes running at a higher privilege.

    Table 8: Defense Evasion
    Technique Title | ID | Use
    Application Layer Protocol: Web Protocols | T1071.001 | Ghost actors use HTTP and HTTPS protocols while conducting C2 operations.
    Impair Defenses: Disable or Modify Tools | T1562.001 | Ghost actors disable antivirus products.
    Hidden Window | T1564.003 | Ghost actors use PowerShell to conceal malicious content within legitimate appearing command windows.

    Table 9: Credential Access
    Technique Title | ID | Use
    OS Credential Dumping | T1003 | Ghost actors use Mimikatz and the Cobalt Strike “hashdump” command to collect passwords and password hashes.

    Table 10: Discovery
    Technique Title | ID | Use
    Remote System Discovery | T1018 | Ghost actors use tools like Ladon 911 and SharpNBTScan for remote systems discovery.
    Process Discovery | T1057 | Ghost actors run a ps command to list running processes on an infected device.
    Domain Account Discovery | T1087.002 | Ghost actors run commands such as net group “Domain Admins” /domain to discover a list of domain administrator accounts.
    Network Share Discovery | T1135 | Ghost actors use various tools for network share discovery for the purpose of host enumeration.
    Software Discovery | T1518 | Ghost actors use their access to determine which antivirus software is running.
    Security Software Discovery | T1518.001 | Ghost actors run Cobalt Strike to enumerate running antivirus software.

    Table 11: Exfiltration
    Technique Title | ID | Use
    Exfiltration Over C2 Channel | T1041 | Ghost actors use both web shells and Cobalt Strike to exfiltrate limited data.
    Exfiltration to Cloud Storage | T1567.002 | Ghost actors sometimes use legitimate cloud storage providers such as Mega.nz for malicious exfiltration operations.

    Table 12: Command and Control
    Technique Title | ID | Use
    Web Protocols | T1071.001 | Ghost actors use Cobalt Strike Beacon malware and Cobalt Strike Team Servers which communicate over HTTP and HTTPS.
    Ingress Tool Transfer | T1105 | Ghost actors use Cobalt Strike Beacon malware to deliver ransomware payloads to victim servers.
    Standard Encoding | T1132.001 | Ghost actors use PowerShell commands to encode network traffic which reduces their likelihood of being detected during lateral movement.
    Encrypted Channel | T1573 | Ghost actors use encrypted email platforms to facilitate communications.

    Table 13: Impact
    Technique Title | ID | Use
    Data Encrypted for Impact | T1486 | Ghost actors use ransomware variants Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe to encrypt victim files for ransom.
    Inhibit System Recovery | T1490 | Ghost actors delete volume shadow copies.

    Mitigations

    The FBI, CISA, and MS-ISAC recommend organizations reference their #StopRansomware Guide and implement the mitigations below to improve cybersecurity posture on the basis of the Ghost ransomware activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections.

    • Maintain regular system backups that are known-good and stored offline or are segmented from source systems [CPG 2.R]. Ghost ransomware victims whose backups were unaffected by the ransomware attack were often able to restore operations without needing to contact Ghost actors or pay a ransom.
    • Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 1.E].
    • Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization [CPG 2.F].
    • Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.
    • Train users to recognize phishing attempts.
    • Monitor for unauthorized use of PowerShell. Ghost actors leverage PowerShell for malicious purposes, although it is often a helpful tool that is used by administrators and defenders to manage system resources. For more information, visit NSA and CISA’s joint guidance on PowerShell best practices.
      • Implement the principle of least privilege when granting permissions so that employees who require access to PowerShell are aligned with organizational business requirements.
    • Implement allowlisting for applications, scripts, and network traffic to prevent unauthorized execution and access [CPG 3.A].
    • Identify, alert on, and investigate abnormal network activity. Ransomware activity generates unusual network traffic across all phases of the attack chain. This includes running scans to discover other network connected devices, running commands to list, add, or alter administrator accounts, using PowerShell to download and execute remote programs, and running scripts not usually seen on a network. Organizations that can successfully identify and investigate this activity are better able to interrupt malicious activity before ransomware is executed [CPG 3.A].
      • Ghost actors run a significant number of commands, scripts, and programs that IT administrators would have no legitimate reason for running. Victims who have identified and responded to this unusual behavior have successfully prevented Ghost ransomware attacks.
    • Limit exposure of services by disabling unused ports, such as RDP 3398, FTP 21, and SMB 445, and restricting access to essential services through securely configured VPNs or firewalls.
    • Enhance email security by implementing advanced filtering, blocking malicious attachments, and enabling DMARC, DKIM, and SPF to prevent spoofing [CPG 2.M].

    Validate Security Controls

    In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.

    To get started:

    1. Select an ATT&CK technique described in this advisory (see Table 3 to Table 13).
    2. Align your security technologies against the technique.
    3. Test your technologies against the technique.
    4. Analyze your detection and prevention technologies’ performance.
    5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
    6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

    Reporting

    Your organization has no obligation to respond or provide information back to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.

    The FBI is interested in any information that can be shared, to include logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, and/or decryptor files.

    Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, date of infection, date detected, initial attack vector, and host and network-based indicators.

    The FBI, CISA, and MS-ISAC do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472).

    Disclaimer

    The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, and the MS-ISAC.

    Version History

    February 19, 2025: Initial version.

    MIL OSI USA News

  • MIL-OSI Security: Fourteen Members and Associates of Violent Transnational Motorcycle Gang Indicted on RICO and Murder Charges

    Source: United States Attorneys General

    An indictment was unsealed today in the Southern District of Texas charging 14 members and associates of the Bandidos Outlaw Motorcycle Gang for their alleged roles in a criminal enterprise engaged in murder, robbery, arson, narcotics distribution, and witness intimidation in and around Houston.

    The indictment accuses the defendants of various crimes, including engaging in a conspiracy to commit racketeering (RICO) activity and committing violent crimes in furtherance of the gang such as murder, attempted murder, and assault. The indictment alleges that the Bandidos are a self-identified “outlaw” motorcycle organization with a membership of approximately 1,500 to 2,000 in the United States and an additional 1,000 to 1,500 members internationally, including in Mexico.

    “Today’s indictment is an important step in eliminating the Bandidos Outlaw Motorcycle Gang,” said Supervisory Official Antoinette T. Bacon of the Justice Department’s Criminal Division. “The Bandidos declare war on rivals — and they wage that war on our streets. Criminal behavior like this has no place in America, and the Department of Justice is fully committed to bringing peace back to our communities.”

    “Ensuring the safety of the public is Southern District of Texas’ paramount concern,” said U.S. Attorney Nicholas J. Ganjei for the Southern District of Texas. “The indictment here not only alleges shocking crimes of violence, but also alleges that these offenses were committed openly and wantonly, where any innocent member of the public could have been hurt or killed.”

    According to court documents and statements in court, beginning in 2019, a violent turf war erupted between the Bandidos and B*EAST, a rival outlaw motorcycle gang in the Houston area. As part of this turf war, Bandidos national leadership allegedly put out a “smash on site” order to commit physical assaults, including murder, against B*EAST members. The turf war has resulted in gunfire exchanged on public roadways and in public establishments with innocent civilians present, according to the charges.

    John M. Pfeffer, also known as Big John, 32, Darvi Hinojosa, also known as 10 Round, 35, and Bradley Rickenbacker, also known as Dolla Bill, 37, all of Katy, Texas; Michael H. Dunphy, also known as Money Mike, 57, of Cleveland, Texas; Christopher Sanchez, also known as Monster, 40, of Tomball, Texas; and Brandon K. Hantz, also known as Loco and Gun Drop, 33, of Crosby, Texas, are charged with conspiracy to commit racketeering activity. Pfeffer, Dunphy, Hinojosa, Rickenbacker, and Sanchez are further charged with multiple counts of assault in aid of racketeering. Pfeffer, Hinojosa, Rickenbacker, and Sanchez are also charged with using a firearm during and in relation to a crime of violence, while Sanchez faces charges of being a felon in possession of a firearm. Hantz is also charged with arson.

    If convicted, Pfeffer, Hinojosa, Rickenbacker, and Sanchez each face a maximum penalty of life in prison, while Dunphy and Hantz each face a maximum penalty of 20 years in prison on each of their counts.

    The indictment also charges David Vargas, also known as Brake Check and First Time, 33, of Houston, with murder in aid of racketeering; using a firearm during and in relation to a crime of violence resulting in death; attempted murder in aid of racketeering; and using a firearm during and in relation to the attempted murders. All those charges relate to the killing of a rival and the shooting of two others. If convicted, Vargas faces a mandatory penalty of life in prison or the death penalty.

    Further, Marky Baker, also known as Pinche Guero and Guero, 40; Ronnie McCabe, also known as Meathead, 56; and Jeremy Cox, also known as JD, 37, all of Houston; Roy Gomez, also known as Repo, 50, of Richmond, Texas; and Marcel Lett, 56, of Pearland, Texas, are charged along with Pfeffer and Rickenbacker with assault in aid of racketeering and using a firearm during and in relation to a crime of violence. These charges are in relation to an alleged assault and robbery that resulted in the death of a rival. If convicted, they each face a maximum penalty of life in prison.

    Hinojosa is also charged along with John Sblendorio, also known as Tech9, 54, of Houston, with conspiracy to commit murder in aid of racketeering, attempted murder in aid of racketeering, assault in aid of racketeering, and using a firearm during and in relation to a crime of violence in connection with the shooting of a rival gang member. Hinojosa is also charged with conspiracy to distribute cocaine and three counts of possession with intent to distribute cocaine. If convicted, Sblendorio and Hinojosa each face a maximum penalty of life in prison.

    In addition, Sean G. Christison, also known as Skinman, 30, of Katy, is charged with possession with intent to distribute cocaine and possession of a firearm in furtherance of a drug trafficking crime. He faces a maximum penalty of life in prison.

    For all defendants, a federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

    The FBI, Texas Board of Criminal Justice — Office of Inspector General, Texas Department of Public Safety, and Montgomery County Sheriff’s Office conducted the investigation, with assistance from the Harris County Sheriff’s Office; Houston and Pasadena Police Departments; Texas Alcoholic Beverage Commission; LaMarque and Katy Police Departments; U.S. Marshals Service; Bureau of Alcohol, Tobacco, Firearms and Explosives; and Cypress-Fairbanks Independent School District Police Department.

    Trial Attorneys Grace H. Bowen and Christopher Taylor of the Criminal Division’s Violent Crime and Racketeering Section and Assistant U.S. Attorneys Byron H. Black and Kelly Zenón-Matos for the Southern District of Texas are prosecuting the case.

    This investigation was part of an Organized Crime Drug Enforcement Task Forces (OCDETF) operation. OCDETF identifies, disrupts and dismantles the highest-level drug traffickers, money launderers, gangs and transnational criminal organizations that threaten the United States by using a prosecutor-led, intelligence-driven, multi-agency approach that leverages the strengths of federal, state and local law enforcement agencies against criminal networks. Additional information about the OCDETF Program can be found on the Justice Department’s OCDETF webpage.

    This case is being prosecuted as part of the joint federal, state and local Project Safe Neighborhoods (PSN) Program, the centerpiece of the Justice Department’s violent crime reduction efforts. PSN is an evidence-based program proven to be effective at reducing violent crime. Through PSN, a broad spectrum of stakeholders work together to identify the most pressing violent crime problems in the community and develop comprehensive solutions to address them. As part of this strategy, PSN focuses enforcement efforts on the most violent offenders and partners with locally based prevention and reentry programs for lasting reductions in crime. For more information about PSN, please visit www.justice.gov/psn.

    An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

    MIL Security OSI

  • MIL-OSI Security: Sacramento County Man Sentenced to 33 Months in Prison for Fraud in Connection with Medical Device Sales

    Source: Office of United States Attorneys

    SACRAMENTO, Calif. — Michael Andrew Scott, 38, of Fair Oaks, was sentenced Tuesday by Senior U.S. District Judge Kimberly J. Mueller to 33 months in prison for fraud in connection with a medical device sales scheme, Acting U.S. Attorney Michele Beckwith announced. In addition, Scott was ordered to pay $376,044 in restitution to his victims.

    According to court documents, between June 2018 and June 2022, Scott devised a scheme to defraud investors in his company, Trusted Medical Partnership. Scott told investors that either he or Trusted Medical Partnership received purchase orders from health care providers for medical devices but lacked the capital to fulfill the orders. Scott solicited and obtained loans from these investors, and, in exchange, promised them substantial returns in a relatively short time with zero risk.

    In reality, Scott’s representations to these prospective investors were false because Scott did not have purchase orders from health care providers. To some of his victims, Scott sent purchase orders that he had doctored or fabricated in order to convince them to lend money. The health care providers listed on these purported purchase orders confirmed that the orders were fake altogether or altered to reflect inflated amounts or other false information. Trusted Medical Partnership was not a legitimate business — while incorporated in the State of California, it conducted no legitimate business transactions, paid no taxes, submitted no wage or employment-related records, and was suspended in December 2021 before Scott solicited investments on its behalf from some of his victims.

    Scott’s victims lent him money on the basis of his false statements, including the fraudulent purchase orders, but received little to no returns on their investments. Instead, Scott spent the money on gambling at several local casinos (sometimes the same day he received the victims’ money), personal expenses, or payments to other, prior investors in order to keep the scheme running. Collectively, Scott defrauded at least 16 victims of almost $470,000.

    This case was the product of an investigation by the Federal Bureau of Investigation. Assistant U.S. Attorney Dhruv M. Sharma prosecuted the case.

  • MIL-OSI Security: Floridian Sentenced for Role in Money Laundering Operation

    Source: Office of United States Attorneys

    PITTSBURGH, Pa. – A resident of Ocala, Florida, has been sentenced to time served, to be followed by three years of supervised release, on his conviction for money laundering conspiracy, Acting United States Attorney Troy Rivetti announced today.

    Senior United States District Judge Nora Barry Fischer imposed the sentence on Charles Wilson Stout, 66, who had served approximately six months of imprisonment for his crime.

    According to information presented to the Court, Stout engaged in a money laundering conspiracy from in and around April 2022 until in and around June 2022. The Court was advised that a Washington, D.C.-based university was the victim of a business email compromise that resulted in the fraudulent transfer of more than $603,000 from a bank account located in the Western District of Pennsylvania into a separate bank account owned by Stout.

    To obfuscate the source of the fraudulent funds, Stout and his co-defendant, David Kakra Mensah, created a shell company and transferred portions of the fraudulently obtained proceeds into a cryptocurrency account that Mensah owned. In addition to participating in the business e-mail compromise, Mensah was also involved in a romance fraud scheme in which he obtained and moved money through individual victims living in Pennsylvania, Oregon, and elsewhere. Mensah previously pleaded guilty and was sentenced to 24 months of imprisonment.

    Assistant United States Attorneys Mark V. Gurzo and Kelly M. Locher prosecuted this case on behalf of the government.

    Acting United States Attorney Rivetti commended the Federal Bureau of Investigation for the investigation leading to the successful prosecution of Stout.

  • MIL-OSI Security: #StopRansomware: Ghost (Cring) Ransomware

    Source: US Department of Homeland Security

    Summary

    Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

    The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Ghost (Cring)—(“Ghost”)—ransomware IOCs and TTPs identified through FBI investigation as recently as January 2025.

    Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware. This indiscriminate targeting of networks containing vulnerabilities has led to the compromise of organizations across more than 70 countries, including organizations in China. Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses.

    Ghost actors rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time. Names associated with this group include Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture. Samples of ransomware files Ghost used during attacks are: Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe.

    Ghost actors use publicly available code to exploit Common Vulnerabilities and Exposures (CVEs) and gain access to internet facing servers. Ghost actors exploit well known vulnerabilities and target networks where available patches have not been applied.

    The FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Ghost ransomware incidents.

    Technical Details

    Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16.1. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

    Initial Access

    The FBI has observed Ghost actors obtaining initial access to networks by exploiting public facing applications that are associated with multiple CVEs [T1190]. Their methodology includes leveraging vulnerabilities in Fortinet FortiOS appliances (CVE-2018-13379), servers running Adobe ColdFusion (CVE-2010-2861 and CVE-2009-3960), Microsoft SharePoint (CVE-2019-0604), and Microsoft Exchange (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, commonly referred to as the ProxyShell attack chain).

    Execution

    Ghost actors have been observed uploading a web shell [T1505.003] to a compromised server and leveraging Windows Command Prompt [T1059.003] and/or PowerShell [T1059.001] to download and execute Cobalt Strike Beacon malware [T1105] that is then implanted on victim systems. Despite Ghost actors’ malicious implementation, Cobalt Strike is a commercially available adversary simulation tool often used for the purposes of testing an organization’s security controls.

    Persistence

    Persistence is not a major focus for Ghost actors, as they typically only spend a few days on victim networks. In multiple instances, they have been observed proceeding from initial compromise to the deployment of ransomware within the same day. However, Ghost actors sporadically create new local [T1136.001] and domain accounts [T1136.002] and change passwords for existing accounts [T1098]. In 2024, Ghost actors were observed deploying web shells [T1505.003] on victim web servers.

    Privilege Escalation

    Ghost actors often rely on built in Cobalt Strike functions to steal process tokens running under the SYSTEM user context to impersonate the SYSTEM user, often for the purpose of running Beacon a second time with elevated privileges [T1134.001].

    Ghost actors have been observed using multiple open-source tools in an attempt at privilege escalation through exploitation [T1068] such as “SharpZeroLogon,” “SharpGPPPass,” “BadPotato,” and “GodPotato.” These privilege escalation tools would not generally be used by individuals with legitimate access and credentials. 

    See Table 1 for a descriptive listing of tools.

    Credential Access

    Ghost actors use the built in Cobalt Strike function “hashdump” or Mimikatz [T1003] to collect passwords and/or password hashes to aid them with unauthorized logins and privilege escalation or to pivot to other victim devices.

    Defense Evasion

    Ghost actors used their access through Cobalt Strike to display a list of running processes [T1057] to determine which antivirus software [T1518.001] is running so that it can be disabled [T1562.001]. Ghost frequently runs a command to disable Windows Defender on network connected devices. Options used in this command are: Set-MpPreference -DisableRealtimeMonitoring 1 -DisableIntrusionPreventionSystem 1 -DisableBehaviorMonitoring 1 -DisableScriptScanning 1 -DisableIOAVProtection 1 -EnableControlledFolderAccess Disabled -MAPSReporting Disabled -SubmitSamplesConsent NeverSend.

    Discovery

    Ghost actors have been observed using other built-in Cobalt Strike commands for domain account discovery [T1087.002], open-source tools such as “SharpShares” for network share discovery [T1135], and “Ladon 911” and “SharpNBTScan” for remote systems discovery [T1018]. Network administrators would be unlikely to use these tools for network share or remote systems discovery.

    Lateral Movement

    Ghost actors used elevated access and Windows Management Instrumentation Command-Line (WMIC) [T1047] to run PowerShell commands on additional systems on the victim network, often for the purpose of initiating additional Cobalt Strike Beacon infections. The associated encoded string is a Base64-encoded PowerShell command that always begins with: powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIA… [T1132.001][T1564.003].

    This string decodes to: $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(" (ending in an opening double quote). It is involved with the execution of Cobalt Strike in memory on the target machine.

    In cases where lateral movement attempts are unsuccessful, Ghost actors have been observed abandoning an attack on a victim.
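
    The following detection sketch is an added example, not code from the advisory or its authoring agencies. It decodes -EncodedCommand payloads from logged command lines, checks them against the decoded prefix given above, and flags the hidden-window switch and the Set-MpPreference options listed under Defense Evasion; the sample command lines, host name and finding labels are constructed for illustration.

```python
import base64
import binascii
import re

# Text the advisory says the Base64 payload always decodes to at its start.
LOADER_PREFIX = '$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("'

# Set-MpPreference options named in the advisory's Defense Evasion section.
DEFENDER_OPTIONS = (
    "DisableRealtimeMonitoring", "DisableIntrusionPreventionSystem",
    "DisableBehaviorMonitoring", "DisableScriptScanning",
    "DisableIOAVProtection", "EnableControlledFolderAccess",
    "MAPSReporting", "SubmitSamplesConsent",
)


def _is_param(token, full_name, aliases=()):
    """True if token is -Name or /Name, where Name abbreviates full_name."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return full_name.startswith(name) or name in aliases


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not _is_param(tok, "encodedcommand", aliases=("ec",)):
            continue
        payload = tokens[i + 1].strip("\"'")
        # Logged command lines are often truncated: keep whole Base64 quanta.
        payload = payload[: len(payload) - len(payload) % 4]
        if not payload:
            continue
        try:
            raw = base64.b64decode(payload, validate=True)
        except (binascii.Error, ValueError):
            continue
        raw = raw[: len(raw) - len(raw) % 2]  # whole UTF-16LE code units only
        return raw.decode("utf-16-le", errors="replace")
    return None


def analyze(cmdline):
    """Return decoded script, finding labels and Defender options for one line."""
    findings = []
    decoded = decode_encoded_command(cmdline)
    if decoded and decoded.lower().startswith(LOADER_PREFIX.lower()):
        findings.append("encoded-memorystream-loader")
    tokens = cmdline.split()
    for tok, nxt in zip(tokens, tokens[1:]):
        if _is_param(tok, "windowstyle") and nxt.strip("\"'").lower() == "hidden":
            findings.append("hidden-window")
            break
    # Look for Defender tampering in the raw line and in the decoded script.
    script = cmdline + "\n" + (decoded or "")
    options = []
    if re.search(r"(?i)\bSet-MpPreference\b", script):
        options = [o for o in DEFENDER_OPTIONS
                   if re.search(r"(?i)-" + o + r"\b", script)]
    if options:
        findings.append("defender-settings-changed")
    return {"decoded": decoded, "findings": findings, "defender_options": options}


def _encode(script):
    """Encode a script the way PowerShell expects: Base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation command lines (not taken from any incident).
SAMPLE_LATERAL = ('wmic /node:WS-042 process call create "powershell -nop -w hidden '
                  '-encodedcommand ' + _encode(LOADER_PREFIX + 'Q09OU1RSVUNURUQ="));') + '"')
SAMPLE_TRUNCATED = SAMPLE_LATERAL[:-6]  # as a length-limited log might store it
SAMPLE_ADMIN = "powershell -NoProfile -enc " + _encode("Get-Service | Sort-Object Status")
SAMPLE_DEFENDER = ("powershell Set-MpPreference -DisableRealtimeMonitoring 1 "
                   "-DisableIOAVProtection 1 -MAPSReporting Disabled")

if __name__ == "__main__":
    for line in (SAMPLE_LATERAL, SAMPLE_TRUNCATED, SAMPLE_ADMIN, SAMPLE_DEFENDER):
        result = analyze(line)
        print(result["findings"], result["defender_options"])
```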

    Exfiltration

    Ghost ransom notes often claim exfiltrated data will be sold if a ransom is not paid. However, Ghost actors do not frequently exfiltrate a significant amount of information or files, such as intellectual property or personally identifiable information (PII), that would cause significant harm to victims if leaked. The FBI has observed limited downloading of data to Cobalt Strike Team Servers [T1041]. Victims and other trusted third parties have reported limited uses of Mega.nz [T1567.002] and installed web shells for similar limited data exfiltration. Note: The typical data exfiltration is less than hundreds of gigabytes of data.

    Command and Control

    Ghost actors rely heavily on Cobalt Strike Beacon malware and Cobalt Strike Team Servers for command and control (C2) operations, which function using hypertext transfer protocol (HTTP) and hypertext transfer protocol secure (HTTPS) [T1071.001]. Ghost rarely registers domains associated with their C2 servers. Instead, connections made to a uniform resource identifier (URI) of a C2 server, for the purpose of downloading and executing Beacon malware, directly reference the C2 server’s IP address. For example, http://xxx.xxx.xxx.xxx:80/Google.com where xxx.xxx.xxx.xxx represents the C2 server’s IP address.
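
    As an added example (not part of the advisory), the check below scans web request records for HTTP(S) destinations that are external IP literals rather than domain names, the pattern described above. The six-field log layout, host names, allowlist entry and documentation-range addresses are constructed assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Address space treated as internal (RFC 1918, loopback, link-local, IPv6 ULA).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def literal_ip_host(url):
    """Return the host of an HTTP(S) URL as an ip_address, or None."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None
        return ipaddress.ip_address(parts.hostname)
    except ValueError:  # host is a name, or the URL is malformed
        return None


def find_direct_ip_requests(log_lines, allowlist=()):
    """Return requests whose destination is an external, non-allowlisted IP."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed records rather than guess at fields
        timestamp, source, process, _method, url, _status = fields
        ip = literal_ip_host(url)
        if ip is None or ip in allowed:
            continue
        if any(ip in net for net in INTERNAL_NETS):
            continue
        hits.append({"time": timestamp, "source": source,
                     "process": process, "host": str(ip), "url": url})
    return hits


# Constructed records: time, source host, process, method, URL, status.
SAMPLE_PROXY_LOG = [
    "2025-01-14T03:12:09Z WEB01 powershell.exe GET http://203.0.113.45:80/Google.com 200",
    "2025-01-14T03:12:11Z WS-042 chrome.exe GET https://www.example.com/index.html 200",
    "2025-01-14T03:13:40Z WS-042 powershell.exe GET http://10.20.0.5:8080/wsus/update.cab 200",
    "2025-01-14T03:15:02Z APP02 powershell.exe GET https://[2001:db8::15]/a 200",
    "2025-01-14T03:15:30Z MON01 agent.exe GET http://198.51.100.7/health 200",
    "truncated record",
]

if __name__ == "__main__":
    for hit in find_direct_ip_requests(SAMPLE_PROXY_LOG, allowlist=("198.51.100.7",)):
        print(hit["time"], hit["source"], hit["process"], hit["url"])
```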

    For email communication with victims, Ghost actors use legitimate email services that include traffic encryption features [T1573]. Some examples of email services that Ghost actors have been observed using are Tutanota, Skiff, ProtonMail, Onionmail, and Mailfence.

    Note: Table 2 contains a list of Ghost ransom email addresses.

    Impact and Encryption

    Ghost actors use Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, which are all ransomware executables that share similar functionality. Ghost variants can be used to encrypt specific directories or the entire system’s storage [T1486]. The nature of executables’ operability is based on command line arguments used when executing the ransomware file. Various file extensions and system folders are excluded during the encryption process to avoid encrypting files that would render targeted devices inoperable.

    These ransomware payloads clear Windows Event Logs [T1070.001], disable the Volume Shadow Copy Service, and delete shadow copies to inhibit system recovery attempts [T1490]. Data encrypted with Ghost ransomware variants cannot be recovered without the decryption key. Ghost actors hold the encrypted data for ransom and typically demand anywhere from tens to hundreds of thousands of dollars in cryptocurrency in exchange for decryption software [T1486].

    The impact of Ghost ransomware activity varies widely on a victim-to-victim basis. Ghost actors tend to move to other targets when confronted with hardened systems, such as those where proper network segmentation prevents lateral movement to other devices.

    Indicators of Compromise (IOC)

    Table 1 lists several tools and applications Ghost actors have used for their operations. The use of these tools and applications on a network should be investigated further.

    Note: Authors of these tools generally state that they should not be used in illegal activity.

    Table 1: Tools Leveraged by Ghost Actors

    Name | Description | Source
    Cobalt Strike | Cobalt Strike is penetration testing software. Ghost actors use an unauthorized version of Cobalt Strike. | N/A
    IOX | Open-source proxy, used to establish a reverse proxy to a Ghost C2 server from an internal victim device. | github[.]com/EddieIvan01/iox
    SharpShares.exe | SharpShares.exe is used to enumerate accessible network shares in a domain. Ghost actors use this primarily for host discovery. | github[.]com/mitchmoser/SharpShares
    SharpZeroLogon.exe | SharpZeroLogon.exe attempts to exploit CVE-2020-1472 and is run against a target Domain Controller. | github[.]com/leitosama/SharpZeroLogon
    SharpGPPPass.exe | SharpGPPPass.exe attempts to exploit CVE-2014-1812 and targets XML files created through Group Policy Preferences that may contain passwords. | N/A
    SpnDump.exe | SpnDump.exe is used to list service principal name identifiers, which Ghost actors use for service and hostname enumeration. | N/A
    NBT.exe | A compiled version of SharpNBTScan, a NetBIOS scanner. Ghost actors use this tool for hostname and IP address enumeration. | github[.]com/BronzeTicket/SharpNBTScan
    BadPotato.exe | BadPotato.exe is an exploitation tool used for privilege escalation. | github[.]com/BeichenDream/BadPotato
    God.exe | God.exe is a compiled version of GodPotato and is used for privilege escalation. | github[.]com/BeichenDream/GodPotato
    HFS (HTTP File Server) | A portable web server program that Ghost actors use to host files for remote access and exfiltration. | rejitto[.]com/hfs
    Ladon 911 | A multifunctional scanning and exploitation tool, often used by Ghost actors with the MS17010 option to scan for SMB vulnerabilities associated with CVE-2017-0143 and CVE-2017-0144. | github[.]com/k8gege/Ladon
    Web Shell | A backdoor installed on a web server that allows for the execution of commands and facilitates persistent access. | Slight variation of github[.]com/BeichenDream/Chunk-Proxy/blob/main/proxy.aspx

    Table 2: MD5 File Hashes Associated with Ghost Ransomware Activity

    Ransom Email Addresses

    Table 3 is a subset of ransom email addresses that have been included in Ghost ransom notes.

    Table 3: Ransom Email Addresses

    Ransom Notes

    Starting approximately in August 2024, Ghost actors began using TOX IDs in ransom notes as an alternative method for communicating with victims. For example: EFE31926F41889DBF6588F27A2EC3A2D7DEF7D2E9E0A1DEFD39B976A49C11F0E19E03998DBDA and E83CD54EAAB0F31040D855E1ED993E2AC92652FF8E8742D3901580339D135C6EBCD71002885B.

    MITRE ATT&CK Tactics and Techniques

    See Table 4 to Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, version 16.1, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

    Table 4: Initial Access

    Technique Title | ID | Use
    Exploit Public-Facing Application | T1190 | Ghost actors exploit multiple vulnerabilities in public-facing systems to gain initial access to servers.

    Table 5: Execution

    Technique Title | ID | Use
    Windows Management Instrumentation | T1047 | Ghost actors abuse WMI to run PowerShell scripts on other devices, resulting in their infection with Cobalt Strike Beacon malware.
    PowerShell | T1059.001 | Ghost actors use PowerShell for various functions including to deploy Cobalt Strike.
    Windows Command Shell | T1059.003 | Ghost actors use the Windows Command Shell to download malicious content on to victim servers.

    Table 6: Persistence

    Technique Title | ID | Use
    Account Manipulation | T1098 | Ghost actors change passwords for already established accounts.
    Local Account | T1136.001 | Ghost actors create new accounts or make modifications to local accounts.
    Domain Account | T1136.002 | Ghost actors create new accounts or make modifications to domain accounts.
    Web Shell | T1505.003 | Ghost actors upload web shells to victim servers to gain access and for persistence.

    Table 7: Privilege Escalation

    Technique Title | ID | Use
    Exploitation for Privilege Escalation | T1068 | Ghost actors use a suite of open source tools in an attempt to gain elevated privileges through exploitation of vulnerabilities.
    Token Impersonation/Theft | T1134.001 | Ghost actors use Cobalt Strike to steal process tokens of processes running at a higher privilege.

    Table 8: Defense Evasion

    Technique Title | ID | Use
    Application Layer Protocol: Web Protocols | T1071.001 | Ghost actors use HTTP and HTTPS protocols while conducting C2 operations.
    Impair Defenses: Disable or Modify Tools | T1562.001 | Ghost actors disable antivirus products.
    Hidden Window | T1564.003 | Ghost actors use PowerShell to conceal malicious content within legitimate-appearing command windows.

    Table 9: Credential Access

    Technique Title | ID | Use
    OS Credential Dumping | T1003 | Ghost actors use Mimikatz and the Cobalt Strike “hashdump” command to collect passwords and password hashes.

    Table 10: Discovery

    Technique Title | ID | Use
    Remote System Discovery | T1018 | Ghost actors use tools like Ladon 911 and SharpNBTScan for remote systems discovery.
    Process Discovery | T1057 | Ghost actors run a ps command to list running processes on an infected device.
    Domain Account Discovery | T1087.002 | Ghost actors run commands such as net group "Domain Admins" /domain to discover a list of domain administrator accounts.
    Network Share Discovery | T1135 | Ghost actors use various tools for network share discovery for the purpose of host enumeration.
    Software Discovery | T1518 | Ghost actors use their access to determine which antivirus software is running.
    Security Software Discovery | T1518.001 | Ghost actors run Cobalt Strike to enumerate running antivirus software.

    Table 11: Exfiltration

    Technique Title | ID | Use
    Exfiltration Over C2 Channel | T1041 | Ghost actors use both web shells and Cobalt Strike to exfiltrate limited data.
    Exfiltration to Cloud Storage | T1567.002 | Ghost actors sometimes use legitimate cloud storage providers such as Mega.nz for malicious exfiltration operations.

    Table 12: Command and Control

    Technique Title | ID | Use
    Web Protocols | T1071.001 | Ghost actors use Cobalt Strike Beacon malware and Cobalt Strike Team Servers, which communicate over HTTP and HTTPS.
    Ingress Tool Transfer | T1105 | Ghost actors use Cobalt Strike Beacon malware to deliver ransomware payloads to victim servers.
    Standard Encoding | T1132.001 | Ghost actors use PowerShell commands to encode network traffic which reduces their likelihood of being detected during lateral movement.
    Encrypted Channel | T1573 | Ghost actors use encrypted email platforms to facilitate communications.

    Table 13: Impact

    Technique Title | ID | Use
    Data Encrypted for Impact | T1486 | Ghost actors use ransomware variants Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe to encrypt victim files for ransom.
    Inhibit System Recovery | T1490 | Ghost actors delete volume shadow copies.

    Mitigations

    The FBI, CISA, and MS-ISAC recommend organizations reference their #StopRansomware Guide and implement the mitigations below to improve cybersecurity posture on the basis of the Ghost ransomware activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections.

    • Maintain regular system backups that are known-good and stored offline or are segmented from source systems [CPG 2.R]. Ghost ransomware victims whose backups were unaffected by the ransomware attack were often able to restore operations without needing to contact Ghost actors or pay a ransom.
    • Patch known vulnerabilities by applying timely security updates to operating systems, software, and firmware within a risk-informed timeframe [CPG 1.E].
    • Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization [CPG 2.F].
    • Require Phishing-Resistant MFA for access to all privileged accounts and email services accounts.
    • Train users to recognize phishing attempts.
    • Monitor for unauthorized use of PowerShell. Ghost actors leverage PowerShell for malicious purposes, although it is often a helpful tool that is used by administrators and defenders to manage system resources. For more information, visit NSA and CISA’s joint guidance on PowerShell best practices.
      • Implement the principle of least privilege when granting permissions so that employees who require access to PowerShell are aligned with organizational business requirements.
    • Implement allowlisting for applications, scripts, and network traffic to prevent unauthorized execution and access [CPG 3.A].
    • Identify, alert on, and investigate abnormal network activity. Ransomware activity generates unusual network traffic across all phases of the attack chain. This includes running scans to discover other network connected devices, running commands to list, add, or alter administrator accounts, using PowerShell to download and execute remote programs, and running scripts not usually seen on a network. Organizations that can successfully identify and investigate this activity are better able to interrupt malicious activity before ransomware is executed [CPG 3.A].
      • Ghost actors run a significant number of commands, scripts, and programs that IT administrators would have no legitimate reason for running. Victims who have identified and responded to this unusual behavior have successfully prevented Ghost ransomware attacks.
    • Limit exposure of services by disabling unused ports, such as RDP 3398, FTP 21, and SMB 445, and restricting access to essential services through securely configured VPNs or firewalls.
    • Enhance email security by implementing advanced filtering, blocking malicious attachments, and enabling DMARC, DKIM, and SPF to prevent spoofing [CPG 2.M].

    Validate Security Controls

    In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory.

    To get started:

    1. Select an ATT&CK technique described in this advisory (see Table 3 to Table 13).
    2. Align your security technologies against the technique.
    3. Test your technologies against the technique.
    4. Analyze your detection and prevention technologies’ performance.
    5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
    6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

    Reporting

    Your organization has no obligation to respond or provide information back to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.

    The FBI is interested in any information that can be shared, to include logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, and/or decryptor files.

    Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, date of infection, date detected, initial attack vector, and host and network-based indicators.

    The FBI, CISA, and MS-ISAC do not encourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472).

    Disclaimer

    The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, and the MS-ISAC.

    Version History

    February 19, 2025: Initial version.

    MIL Security OSI

  • MIL-OSI Security: Anchorage Man Sentenced to Over 11 Years for Attempting to Coerce a Minor

    Source: Federal Bureau of Investigation (FBI) State Crime Alerts (b)

    ANCHORAGE, Alaska – An Anchorage man was sentenced today to over 11 years in prison and will serve the rest of his life on supervised release for attempting to coerce and entice a minor in 2023.

    According to court documents, in early July 2023, Benjamin Roundy, aka “Aleks” or “Alekzander Marko,” 43, responded to a public group chat post on an internet-based app by an individual who identified herself as a 13-year-old living in Anchorage. The group chat post was actually made by an undercover agent.

    Court documents explain that Roundy communicated with the undercover agent for nearly a month, first on the app and then via text message, and he initiated sexual conversations. Roundy discussed sexual acts he wanted to perform on the individual, who he believed to be a child, and made repeated requests for explicit photos of her.

    On Aug. 4, 2023, Roundy asked the undercover agent to meet in person at the parking lot of a grocery store in Anchorage. The undercover agent told Roundy she was going to walk home from a friend’s house, and Roundy asked what street the friend lived on. Shortly after learning the fictional address of the friend, the defendant left his home to meet the undercover agent, who he thought was a minor.

    Court documents further explain that Roundy texted the undercover agent instructions on where to meet him. When he received no response to his instructions, Roundy drove to a parking lot where he could see the street of the fictitious friend. Law enforcement arrested Roundy in the parking lot shortly thereafter and discovered a new bottle of personal lubricant and condoms in his vehicle.

    The investigation revealed thousands of images and videos depicting child sexual abuse on Roundy’s electronic devices and data detailing his online presence, which included searches for child sexual abuse materials (CSAM) and related terms.

    On April 25, 2024, Roundy pleaded guilty to one count of attempted coercion and enticement of a minor.

    “Mr. Roundy’s conduct was heinous, as he tried to meet with who he believed was an underage girl in Anchorage to engage in sex, sought explicit images of the child, and obtained graphic images and videos depicting the sexual abuse of other minors for years,” said First Assistant U.S. Attorney Kathryn R. Vogel for the District of Alaska. “Our office’s commitment to safeguarding Alaska’s children from those who seek to exploit their innocence is unwavering. We will relentlessly pursue justice by working with law enforcement to identify, investigate and hold accountable anyone who targets children.”

    “The defendant posed a significant threat to children in Alaska and abroad, as demonstrated by his disturbing pattern of conduct involving child exploitation,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office. “Even in the darkest corners of the Internet, the FBI’s Child Exploitation and Human Trafficking Task Force will find a way to seek justice for our most vulnerable.”

    The FBI and Anchorage Police Department investigated this case as part of the FBI’s Child Exploitation and Human Trafficking Task Force.

    Assistant U.S. Attorney Adam Alexander of the District of Alaska and Trial Attorney Rachel L. Rothberg of the Criminal Division’s Child Exploitation and Obscenity Section (CEOS) prosecuted the case.

    This case was brought as part of Project Safe Childhood, a nationwide initiative to combat the growing epidemic of child sexual exploitation and abuse launched in May 2006 by the Department of Justice. Led by U.S. Attorneys’ Offices and CEOS, Project Safe Childhood marshals federal, state, and local resources to better locate, apprehend and prosecute individuals who exploit children via the Internet, as well as to identify and rescue victims. For more information about Project Safe Childhood, please visit https://www.justice.gov/psc.

    ###


  • MIL-OSI Security: Twenty Years Later, FBI Continues to Pursue Information on the Disappearance of Danielle Imbo and Richard Petrone, Jr.

    Source: Federal Bureau of Investigation FBI Crime News (b)

    The FBI continues to seek the public’s assistance as we investigate the disappearance of Danielle (Ottobre) Imbo and Richard Petrone, Jr., 20 years ago today.

    Imbo and Petrone were last seen in the late evening hours of Saturday, February 19, 2005, leaving a bar on Philadelphia’s South Street for Petrone’s black 2001 Dodge Dakota pickup truck with the license plate YFH 2319.

    An extensive investigation to date has generated some promising leads; however, neither they nor the vehicle have ever been located.

    Danielle was last seen wearing a dark colored jacket, cream colored sweater, and blue jeans and carrying a two-handle black purse at the time of her disappearance. She has worked as a loan mortgage processor.

    Richard was last seen wearing a gray Polo brand sweatshirt and blue jeans. He has a tattoo of the word “Angela” on his left arm and a tattoo of clowns on his right arm.

    “Today marks a somber 20 years since this tragic disappearance and their case exemplifies that the passage of time does not diminish our pursuit of justice,” said Wayne A. Jacobs, Special Agent in Charge of FBI Philadelphia. “Our office remains unwavering in seeking justice for Danielle and Richard, their loved ones, and our city.”

    The FBI is offering a reward of up to $15,000 for information leading to the arrest and conviction of anyone involved in the disappearance of Richard Petrone and Danielle Imbo.

    If you have any information concerning this person, please contact your local FBI office or the nearest American Embassy or Consulate.

    FBI Philadelphia can be reached at (215) 418-4000.


  • MIL-OSI Security: Fifty-Two-Month Prison Sentence for a D.C. Convicted Felon Who Traveled to the Jersey Shore to Rob an Overnight Pharmacy

    Source: Federal Bureau of Investigation (FBI) State Crime News

    WASHINGTON – Ashawntea Henderson, 32, of Washington, D.C., was sentenced today in U.S. District Court in Washington D.C. to 52 months in federal prison for participating in an early morning robbery of a drug store at the Jersey Shore. During the May 2020 robbery, he and his co-conspirators jumped the counter, overpowered the night pharmacist, stole thousands of prescription narcotics, and then – as they attempted to flee to the District – crashed into a responding police cruiser.

    The sentencing was announced by U.S. Attorney Edward R. Martin, FBI Special Agent in Charge Sean Ryan of the Washington Field Office Criminal and Cyber Division, and FBI Special Agent in Charge Terence Reilly of the Newark Field Office.

    Henderson pleaded guilty on October 30, 2024, to interference of commerce by robbery (Hobbs Act robbery). In addition to the 52-month prison sentence, Judge Amy Berman Jackson ordered Henderson to serve three years of supervised release.

    According to court documents, Henderson and his co-conspirators researched potential targets including Walgreens and CVS pharmacies which were open all night. On May 9, 2020, Henderson and others drove more than 200 miles from Washington, D.C. to a Walgreens Pharmacy on State Road 33, in Neptune, New Jersey.

    At 3:09 a.m., Henderson and two others dressed in masks and gloves entered the Walgreens. All three jumped over the pharmacy counter and demanded codeine, Adderall, and Percocet. One of the co-conspirators grabbed the night pharmacist, demanded that he open the locked cabinets containing additional pills, and forced the pharmacist to assist them. After grabbing thousands of prescription medicines – including Oxycodone, morphine, amphetamine, and Nucynta – Henderson and the two co-conspirators fled in a black Nissan Altima operated by a fourth co-conspirator. At one point, the Nissan collided with a responding police officer’s patrol car but continued at high speed back to Washington D.C.

    After returning to the District, as they celebrated at a hotel, one of the co-conspirators received a text from a known drug distributor asking the price for a drug of the same type stolen from Neptune, New Jersey. The co-conspirator and the drug distributor continued to exchange texts about the sale of drugs for the following weeks.

    Henderson is currently serving a five-year prison sentence in Maryland in connection with his 2022 possession of a firearm.

    The case was investigated by the FBI Washington Field Office’s Violent Crimes Task Force and the Neptune Township Police Department. The matter is being prosecuted by AUSAs Justin Song, Sarah Martin and Cameron Tepfer.

    23cr190


  • MIL-OSI Security: Convicted Drug Trafficker Found Guilty Of Distributing Fentanyl That Resulted In The Deaths Of Two Hillsborough County Men

    Source: Office of United States Attorneys

    Tampa, Florida – Acting United States Attorney Sara C. Sweeney announces that a federal jury has found Marquis Lamar McCullough (39, Tampa) guilty of two counts of distribution of fentanyl and one count of possession with intent to distribute fentanyl. For both counts of distribution of fentanyl, the jury also found that the death of a person resulted from the use of the fentanyl that McCullough had distributed. McCullough, who was previously convicted of trafficking in cocaine, faces mandatory sentences of life imprisonment. 

    According to testimony and evidence presented at trial, on April 22, 2021, deputies from the Hillsborough County Sheriff’s Office (HCSO) responded to the residence of K.K. to conduct a wellness check. They found K.K. dead when they entered his apartment, standing with his feet on the floor and his head and torso on top of the bathroom counter. Deputies found two baggies with small quantities of a substance, suspected to be heroin or fentanyl, in K.K.’s residence. Detectives reviewed K.K.’s cellphone and found communications with a woman who appeared to help K.K. purchase fentanyl the previous evening. The woman—who was a heroin user and not a dealer—was arrested on an unrelated charge and interviewed by detectives. She told them that K.K. could not get heroin from his usual source, so he asked her to buy heroin for him from her source, and she agreed to do it if she got to keep a bag for herself. The woman arranged a meeting with her supplier, “Slim,” and K.K. took her to meet Slim. With money provided by K.K., the woman bought several bags from Slim, provided most of them to K.K., and kept a couple of bags for herself.

    On April 28, 2021, HCSO detectives conducted a controlled purchase during which detectives observed “Slim” deliver fentanyl and identified him as Marquis Lamar McCullough.

    On May 6, 2021, the son of N.M. found his father dead, lying in his bed, and called 911 to report the death. HCSO deputies and detectives responded to the residence, and inside N.M.’s wallet they found a baggie with a small amount of a substance suspected to be heroin or fentanyl. While reviewing calls and texts on N.M.’s phone, a detective who had participated in the surveillance operation eight days earlier recognized that the last three calls placed by N.M. were to McCullough’s phone number, and the call and text history indicated that McCullough was N.M.’s supplier. Later that day, HCSO detectives planned for another purchase of heroin or fentanyl from McCullough, using N.M.’s cellphone to set up the meeting. When McCullough arrived at the meeting location, he tried to call N.M., but when his calls went unanswered, McCullough fled the area. An arrest team pursued his vehicle and took McCullough into custody.

    The Drug Enforcement Administration laboratory determined that the substances found at the residences of K.K. and N.M., and the substances purchased from McCullough on April 28, 2021, all contained fentanyl. The Hillsborough County Medical Examiner’s Office investigated both deaths and determined that the use of fentanyl caused the deaths of K.K. and N.M. 

    This case was investigated by the Federal Bureau of Investigation, the Drug Enforcement Administration, the Hillsborough County Sheriff’s Office, and the Hillsborough County Medical Examiner’s Office. It is being prosecuted by Assistant United States Attorneys Michael Sinacore and Ross Roberts.

    This case was part of an Organized Crime Drug Enforcement Task Force (OCDETF) investigation. OCDETF identifies, disrupts, and dismantles the highest-level criminal organizations that threaten the United States using a prosecutor-led, intelligence-driven, multi-agency approach. Additional information about the OCDETF Program can be found at www.justice.gov/OCDETF.


  • MIL-OSI Security: Providence Man Admits to Role in Bank Fraud Conspiracy

    Source: Office of United States Attorneys

    PROVIDENCE – A Providence man has admitted to a federal judge that he participated in a conspiracy to defraud banks by creating and depositing tens of thousands of dollars’ worth of bogus checks, announced Acting United States Attorney Sara Miron Bloom.

    Jarrod Smith, 43, pleaded guilty on Tuesday to a charge of conspiracy to commit bank fraud.

    Smith admitted to the court that he engaged in a fraud scheme that used information from stolen checks, primarily business checks, to create bogus checks that were then deposited into bank accounts of individuals that he or other members of the conspiracy recruited and enticed, oftentimes via social media. Shortly after the checks were deposited, Smith or another member of the conspiracy withdrew the proceeds from the bank accounts. As part of the conspiracy, the person whose bank account was used was also paid for the use of their bank account.

    Smith is scheduled to be sentenced on August 19, 2025. The defendant’s sentence will be determined by a federal district judge after consideration of the U.S. Sentencing Guidelines and other statutory factors.

    The case is being prosecuted by Assistant United States Attorneys Christine Lowell and Taylor Dean.

    The matter was investigated by the Federal Bureau of Investigation.

    ###


  • MIL-OSI Security: Leader of Large-Scale Drug Trafficking Organization Pleads Guilty in Federal Court

    Source: Office of United States Attorneys

    CONCORD – A Boston man pleaded guilty yesterday in federal court in Concord to conspiring to distribute fentanyl and cocaine in New Hampshire, Acting U.S. Attorney Jay McCormack announces.

    Juan Ramon Soto Baez, 55, pleaded guilty to one count of conspiracy to distribute controlled substances, namely, cocaine and fentanyl.  U.S. District Court Judge Samantha Elliott scheduled sentencing for May 29, 2025.  On April 26, 2023, the defendant was charged along with 20 other defendants. To date, 10 defendants involved in the conspiracy have been convicted.

    According to the plea agreement and statements made in court, the defendant was the leader of a Massachusetts-based drug trafficking organization that distributed large quantities of fentanyl and cocaine in New Hampshire, particularly Manchester, between September of 2019 and April of 2023.  The organization was run like a business, operating “dispatch” telephone lines where customers could call in to order narcotics. The defendant or a trusted member of the conspiracy working for him would take customer orders on the phone, and then he would either deliver the order himself or send a runner to conduct the drug sale at an arranged meeting location.

    During the timeframe of the conspiracy, law enforcement agents observed and recorded the defendant and his co-conspirators selling fentanyl and cocaine on nineteen occasions. On the day of the defendant’s arrest, a search of a residence associated with the conspiracy yielded $15,000 and drug ledgers.  A search of a vehicle used by the drug trafficking organization yielded roughly 94 grams of fentanyl and 196 grams of cocaine packaged in small baggies for distribution.

    The charging statute provides a sentence of no greater than 20 years in prison, at least three (3) years of supervised release, and a maximum fine of $1,000,000. Sentences are imposed by a federal district court judge based upon the U.S. Sentencing Guidelines and statutes which govern the determination of a sentence in a criminal case.

    The Federal Bureau of Investigation and the Drug Enforcement Administration led the investigation. Valuable assistance was provided by the Manchester Police Department. Assistant U.S. Attorney Aaron Gingrande is prosecuting the case. 

    This effort is part of an Organized Crime Drug Enforcement Task Forces (OCDETF) operation. OCDETF identifies, disrupts, and dismantles the highest-level criminal organizations that threaten the United States using a prosecutor-led, intelligence-driven, multi-agency approach. Additional information about the OCDETF Program can be found at https://www.justice.gov/OCDETF.


  • MIL-OSI Security: Oregon Man Pleads Guilty in Swatting and Bomb Threats Scheme That Targeted Jewish Hospitals in New York City and Long Island

    Source: Office of United States Attorneys

    One Hospital Entered Lockdown and Partially Evacuated After Defendant’s Bomb Hoax

    Earlier today in federal court in Brooklyn, Domagoj Patkovic pleaded guilty to conspiring to make threats concerning explosives and conveying false information concerning explosives.  The proceeding was held before United States District Judge Ramon E. Reyes.  When sentenced, Patkovic faces up to 15 years in prison.  Patkovic was charged in August 2024. 

    John J. Durham, United States Attorney for the Eastern District of New York, and James E. Dennehy, Assistant Director in Charge, Federal Bureau of Investigation, New York Field Office (FBI), announced the guilty plea.

    “As he admitted today, the defendant intentionally targeted Jewish hospitals and care centers in our District with bomb threats.  In doing so, he needlessly endangered patients and staff and diverted critical law enforcement resources from their core mission of keeping our community safe,” stated United States Attorney Durham.  “We will prosecute dangerous bomb threats and swatting schemes to the fullest extent of the law.”

    Mr. Durham expressed his appreciation to the Federal Bureau of Investigation, New York Field Office, the New York City Police Department, Nassau County Police Department and the U.S. Attorney’s Office for the District of Oregon for their assistance on the case.

    As set forth in the indictment and in court filings, beginning at least as early as May 2021, the defendant and others made anonymous phone calls in which they made violent threats, including threats to detonate explosive devices, to Jewish hospitals and care centers within the Eastern District of New York, among other targets throughout the United States.

    The defendant himself made threats in at least six separate calls to hospitals and on a call with local law enforcement who had responded to a 911 notification from one of the hospitals.  The defendant livestreamed the calls to others on an online social media and electronic communications service.  On several occasions, local police responded to the scene and conducted bomb sweeps. On at least one occasion in September 2021, the hoax bomb threat resulted in a partial evacuation and lockdown of an entire hospital on Long Island.  No explosive devices were ultimately found in any of the locations.

    The government’s case is being handled by the Office’s National Security & Cybercrime Section.  Assistant United States Attorneys Alexander A. Solomon, Laura Zuckerwise and Andrew D. Reich are in charge of the prosecution, with assistance from Trial Attorney James Donnelly of the National Security Division’s Counterterrorism Section and Paralegal Specialist Wayne Colon.

    The Defendant:

    DOMAGOJ PATKOVIC 
    Age: 31
    Portland, Oregon

    E.D.N.Y. Docket No. 24-CR-317 (RER)


  • MIL-OSI Security: McKees Rocks Resident Pleads Guilty to Possession of Child Sexual Abuse Materials

    Source: Office of United States Attorneys

    PITTSBURGH, Pa. – A resident of McKees Rocks, Pennsylvania, pleaded guilty in federal court on February 18, 2025, to a charge of child exploitation, Acting United States Attorney Troy Rivetti announced today.

    Brandon Jennings, 38, pleaded guilty before Senior United States District Judge Joy Flowers Conti to one count of possession of material depicting the sexual exploitation of a minor.

    In connection with the guilty plea, the Court was advised that, in and around March 2021 and July 2021, Jennings possessed 926 images and 803 videos depicting the sexual exploitation of minors, some of whom were prepubescent.

    Judge Flowers Conti scheduled sentencing for June 25, 2025. The law provides for a maximum total sentence of up to 20 years in prison, a fine of up to $250,000, or both. Under the federal Sentencing Guidelines, the actual sentence imposed would be based upon the seriousness of the offense and the prior criminal history, if any, of the defendant.

    Assistant United States Attorney V. Joseph Sonson is prosecuting this case on behalf of the government.

    The Federal Bureau of Investigation and Allegheny County Police Department conducted the investigation that led to the prosecution of Jennings.

    This case was brought as part of Project Safe Childhood, a nationwide initiative launched in May 2006 by the Department of Justice to combat the growing epidemic of child sexual exploitation and abuse. Led by the United States Attorneys’ Offices and the Criminal Division’s Child Exploitation and Obscenity Section, Project Safe Childhood marshals federal, state, and local resources to locate, apprehend, and prosecute individuals who sexually exploit children, and to identify and rescue victims. For more information about Project Safe Childhood, please visit www.justice.gov/psc.
     


  • MIL-OSI Security: Former Reno Police Officer Indicted for Civil Rights Violations

    Source: Federal Bureau of Investigation (FBI) State Crime Alerts (c)

    RENO – A former Reno Police Department officer made his initial court appearance today for allegedly depriving two individuals of their civil rights under color of law by violating their right to be free from unreasonable search and seizure.

    A federal grand jury returned an indictment charging Tyler Michael Baehr, 30, of Reno, with two counts of deprivation of rights under color of law. Baehr appeared before United States Magistrate Judge Craig S. Denney, who scheduled a jury trial to begin April 8, 2025, before United States District Judge Miranda M. Du.

    According to allegations contained in the indictment and statements made in court, on December 31, 2023, Baehr willfully deprived an individual of the right to be free from unreasonable search and seizure by taking her cellular phone during a routine traffic stop and unlawfully seizing sexually explicit photos of her from her phone. On August 12, 2024, Baehr willfully deprived another individual of the right to be free from unreasonable search and seizure by taking her cellular phone during a routine traffic stop and unlawfully searching through her private photos and messages.

    If convicted, Baehr faces the maximum statutory penalty of 2 years in prison. A federal district court judge will determine any sentence based on the U.S. Sentencing Guidelines and other statutory factors.

    Acting United States Attorney Sue Fahami and Acting Special Agent in Charge Jeremy N. Schwartz for the FBI made the announcement.

    This case was investigated by the FBI and Sparks Police Department. Assistant United States Attorney Andolyn Johnson is prosecuting the case.

    An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.


  • MIL-OSI Security: California Man Who Molested Teen on Flight Sentenced to Two Years in Prison

    Source: Federal Bureau of Investigation (FBI) State Crime News

    Seattle – A 42-year-old Los Angeles County, California man was sentenced today in U.S. District Court in Seattle to two years in prison for abusive sexual contact aboard an aircraft en route to Seattle from Burbank, California, announced Acting U.S. Attorney Teal Luthy Miller. Justin Baker was arrested March 14, 2024, when the Alaska Airlines plane arrived at SEA.  Baker has been in custody since the jury returned its guilty verdict on October 23, 2024.  At sentencing, U.S. District Judge John C. Coughenour imposed the maximum sentence allowed by law, saying, “I was particularly struck by the candor of the victim and her bravery in testifying.”

    “This was a calculated and predatory sexual assault on an 18-year-old girl,” said Acting U.S. Attorney Miller. “Mr. Baker underestimated the victim’s strength in testifying, as well as the commitment we have in the Western District of Washington to hold these aircraft offenders accountable.”

    According to records filed in the case and testimony at trial, Baker was in the middle seat, with the victim seated to his right next to the wall of the plane. Baker learned the victim was preparing to go to college and was just 18 years old. According to testimony at trial, Baker showed the teen sexually explicit text messages he had on his phone and then draped his jacket over his lap as well as her lower body. The victim attempted to move away from Baker and closer to the wall. He reached under the jacket and groped her leg. Despite the victim saying “No” and moving away when he first tried to touch her, he continued to grope her genitals over her clothing. Then he reached into her top and groped her breast.

    Ultimately, the victim got out of her seat to contact the flight crew. As she tried to pass by Baker, he groped her buttocks and pulled her back down into her seat. Ultimately the victim was able to leave and report the assault.

    Speaking in court today, Assistant United States Attorney Grace Zoller said Baker, “treated the victim like an object… He dehumanized her.”

    The victim shared how the assault has “shattered the trajectory of her life.” She told the court about anxiety around airports and flying, and how her family and loved ones “have watched me change in ways I have never imagined.” Her goal, she said, is to “hold Baker accountable.”

    Judge Coughenour said he was imposing the maximum two-year sentence because of the “seriousness of the crime, the harm to the victim and the danger (Baker) poses to the community.”

    When released from prison, Baker will be on five years of federal supervision and will be required to register as a sex offender.

    The case was investigated by the FBI and the Port of Seattle Police. The case was prosecuted by Assistant United States Attorneys Kristine Foerster and Grace Zoller.


  • MIL-OSI Security: Jury Convicts Winnebago Woman for Second Degree Murder

    Source: Office of United States Attorneys

    Acting United States Attorney Matthew R. Molsen announced that on February 7, 2025, a jury found Michelle Lee Marr, 49, of Winnebago, Nebraska, guilty of second-degree murder and tampering with documents or evidence after an almost five-day federal trial in Omaha, Nebraska. United States District Judge Brian C. Buescher presided over the trial. Marr faces a maximum sentence of life in prison for the second-degree murder charge and a maximum 20 years in prison for the tampering with documents or evidence charge.

    On March 12, 2022, Marr contacted Winnebago EMS to report the victim was not waking up and requested an ambulance respond to her residence. EMS transported the victim to Twelve Clans Unity hospital. Due to the severity of his injuries, the victim was taken by helicopter to Mercy One Medical Center in Sioux City, Iowa.  The medical treatment team at Mercy determined the victim had brain trauma and swelling. Nurses also noted significant amounts of makeup applied to the victim’s face, which revealed bruising when removed, as well as numerous bruises on the victim’s body. On March 13, 2022, the victim succumbed to his injuries. A subsequent autopsy determined the victim’s cause of death to be blunt force trauma and the manner of death to be homicide. The pathologist testified the victim’s injuries were consistent with inflicted trauma as opposed to trauma which might result from some type of fall.

    Marr claimed to have been passed out from approximately 5:00 PM on March 11, 2022, until finding the victim on March 12, 2022. Social media evidence and evidence from Marr’s phone, found during the investigation, contradicted Marr’s claims. During the trial, witnesses testified to observing previous incidents of Marr physically assaulting the victim. 

    Marr will be sentenced on June 5, 2025, at 10:00 AM, before Judge Buescher in Omaha.

    This case was prosecuted in federal court because the offense was a felony and occurred on the Winnebago Indian Reservation in Nebraska.

    This case was investigated by the Federal Bureau of Investigation.


  • MIL-OSI Security: Lowell Man Pleads Guilty to Trafficking Methamphetamine Pills

    Source: Office of United States Attorneys

    Defendant sold thousands of the counterfeit “Adderall” pills supplied by the Asian Boyz gang

    BOSTON – A Lowell man pleaded guilty on Feb. 14, 2025 to trafficking methamphetamine pills supplied by three fellow Asian Boyz gang associates.

    Bill Phim, a/k/a “Bonez,” 36, pleaded guilty to two counts of conspiracy to distribute and to possess with intent to distribute 500 grams and more of methamphetamine, and two counts of distribution of and possession with intent to distribute 50 grams and more of methamphetamine.  U.S. District Court Judge Nathaniel M. Gorton scheduled sentencing for May 14, 2025.

    A long-term investigation proved that Asian Boyz gang members and associates had access to a plentiful supply of homemade methamphetamine pills marketed as the pharmaceutical product, Adderall. These pills were similar in shape, size, and appearance to genuine Adderall. On 12 different dates in 2022, Phim sold these counterfeit “Adderall” pills to an undercover agent. In total, Phim sold the undercover agent over 10,000 pills for more than $36,000.

    Phim’s supplier for the first five pill deals with the undercover agent was Asian Boyz gang member, Erickson Dao. Between February and May 2022, Dao gave Phim the pills from his home in Lowell shortly before Phim was planning to meet the undercover agent for the sales.  After the deals, Phim either returned to Dao’s house to split the cash paid by the undercover agent, or he used an electronic payments service to send Dao his share of the drug proceeds.

    For the next five deals, Phim conspired with Asian Boyz gang associate, Brian Gingras, to source the pills. Between May 2022 and September 2022, Gingras met Phim prior to the planned deals with the undercover agent to deliver the pills personally. The investigation revealed that Gingras was stashing the pills in a nearby storage unit.  

    For the final two pill sales with the undercover agent, alleged Asian Boyz gang member Marcus Holder allegedly delivered pills to Phim in Lowell immediately before Phim met the undercover agent, on Sept. 30, 2022, and again on Oct. 18, 2022.  

    The charges of conspiracy to distribute and to possess with intent to distribute 500 grams and more of methamphetamine. The charges of distribution of and possession with intent to distribute 50 grams and more of methamphetamine provide for a sentence of at least five years and up to 40 years in prison, at least four years and up to life of supervised release and a fine of up to $5 million.

    In January 2025, both Gingras and Dao pleaded guilty. Gingras is scheduled to be sentenced on April 15, 2025. Dao is scheduled to be sentenced on May 13, 2025. Holder has pleaded not guilty and his case is pending trial.  
     
    U.S. Attorney Leah B. Foley, Jodi Cohen, Special Agent in Charge of the Federal Bureau of Investigation, Boston Division and Superintendent Gregory C. Hudon of the Lowell Police Department made the announcement. Valuable assistance was provided by the Massachusetts State Police and the Billerica, Haverhill, North Andover and Salem Police Departments. Assistant U.S. Attorney Fred M. Wyshak, III of the Organized Crime & Gang Unit is prosecuting the case.

    This case is part of Project Safe Neighborhoods (PSN), a program bringing together all levels of law enforcement and the communities they serve to reduce violent crime and gun violence, and to make our neighborhoods safer for everyone. On May 26, 2021, the Department launched a violent crime reduction strategy strengthening PSN based on these core principles: fostering trust and legitimacy in our communities, supporting community-based organizations that help prevent violence from occurring in the first place, setting focused and strategic enforcement priorities and measuring the results.

    This case is also part of an Organized Crime Drug Enforcement Task Forces (OCDETF) operation. OCDETF identifies, disrupts, and dismantles the highest-level criminal organizations that threaten the United States using a prosecutor-led, intelligence-driven, multi-agency approach. Additional information about the OCDETF Program can be found at https://www.justice.gov/OCDETF.

    The details contained in the charging documents are allegations. The remaining defendant in the case is presumed innocent unless and until proven guilty beyond a reasonable doubt in a court of law.
     


  • MIL-OSI: Taitiko Announces Strategic Update: New Real-Money Competitions to Launch on Taitiko ARENA

    Source: GlobeNewswire (MIL-OSI)

    FAMAGUSTA, Cyprus, Feb. 19, 2025 (GLOBE NEWSWIRE) — Taitiko, the emerging leader in Web3 gaming, is poised to make a major announcement today, unveiling the upcoming launch of real-money competitions on its popular Taitiko ARENA platform. With over 100,000 active users already engaged in skill-based mini-games via Telegram, the introduction of real-money competitions will elevate the gaming experience, offering players the opportunity to earn tangible rewards in exchange for their skills and achievements.

    This milestone is part of Taitiko’s ongoing strategy to create a sustainable, player-centric ecosystem within the Web3 space. “We’re committed to prioritizing genuine player engagement and innovation, not just speculative tokenomics,” said Alex Pei Fresneda, spokesperson for Taitiko. “The new real-money competitions will enhance the fun and competition in our platform while ensuring that users can benefit directly from their gaming experience.”

    A New Era for Taitiko ARENA

    As part of Taitiko’s broader vision, the integration of real-money competitions will provide a dynamic new avenue for players to showcase their abilities and compete against a global community. The update, set for release in the coming weeks, will enhance the user experience by adding financial stakes to the already competitive and skill-driven environment of Taitiko ARENA.

    “We want to give players an opportunity to turn their skills into real rewards,” Fresneda added. “This update is just the beginning of a series of exciting developments for Taitiko in 2025.”

    Strengthening Industry Position

    Taitiko’s growth is fueled by its strategic partnerships with prominent entities such as DEXTools, Tonstation Games, SidusPad, and Decubate. These collaborations have enhanced Taitiko’s technological capabilities and broadened its reach within the blockchain and gaming communities, setting the stage for further expansion.

    Additionally, the ongoing development of Taitiko Party, a multiplayer desktop game for both Windows and Mac, is progressing at full speed, with the game nearing completion at 80%. Taitiko’s upcoming token launch and plans for a year-long NFT collection further underscore its commitment to delivering both immersive experiences and long-term growth in the Web3 gaming space.

    About Taitiko

    Taitiko is at the forefront of revolutionizing the gaming industry with its innovative approach to Web3 gaming, focusing on player engagement, strategic partnerships, and a sustainable business model. With a growing user base and a clear roadmap, Taitiko aims to lead the next wave of blockchain-powered gaming experiences.

    For more information on Taitiko, visit Taitiko.com.

    Media Contact:

    Alex Pei Fresneda
    info@taitiko.com


    Disclaimer: This content is provided by Taitiko. The statements, views, and opinions expressed in this content are solely those of the sponsor and do not necessarily reflect the views of this media platform. We do not endorse, verify, or guarantee the accuracy, completeness, or reliability of any information presented. This content is for informational purposes only and should not be considered as financial, investment, or trading advice. Readers are strongly encouraged to conduct their own research and consult with a qualified financial advisor before investing in or trading cryptocurrency and securities. Please conduct your own research and invest at your own risk.

    Photos accompanying this announcement are available at

    https://www.globenewswire.com/NewsRoom/AttachmentNg/9ac8e0b1-58f1-4721-bee1-cb461d9f6966

    https://www.globenewswire.com/NewsRoom/AttachmentNg/fc3dad94-8f4b-4788-8381-a9feac2b9e9f


  • MIL-OSI Security: Honolulu Man Sentenced to 151 Months in Prison for Child Exploitation of Multiple Minors

    Source: Office of United States Attorneys

    HONOLULU – Acting United States Attorney Kenneth M. Sorenson announced that Jonathan Farr, 31, of Honolulu, was sentenced today in federal court by U.S. District Judge Shanlyn A.S. Park to 151 months of imprisonment followed by 30 years of supervised release for receipt of child pornography. Farr will also be required to pay $3,000 in restitution to two minor victims and register as a sex offender when he is released. Farr previously pled guilty on February 14, 2024.

    In his plea agreement, Farr admitted that from approximately June 2019 through May 2020, he used the internet to contact two minor females and engaged in sexually explicit conversations with them. Farr also solicited and received images and videos of the minors engaged in sexually explicit conduct, including masturbation videos.

    In Court at sentencing, the government explained that Farr not only groomed the minors over time and solicited sexually explicit images and videos, but also distributed those videos to others, including to other minors. Farr also discussed purchasing flights for the minors to travel to Hawaii or for him to travel to the mainland where they were located. According to information provided to the Court, Farr’s predatory conduct included additional victims beyond the two minors who were victimized as part of the federal charges. Farr admitted to law enforcement and told other minor victims that he had hands-on sexual contact with at least three minor females and another minor, all located in Hawaii.

    This case was brought as part of Project Safe Childhood, a nationwide initiative launched in May 2006 by the Department of Justice to combat the growing epidemic of child sexual exploitation and abuse. Led by U.S. Attorney’s Offices and the Department’s Child Exploitation and Obscenity Section, Project Safe Childhood marshals federal, state, and local resources to better locate, apprehend, and prosecute individuals who exploit children via the internet, as well as to identify and rescue victims. For more information about Project Safe Childhood, please visit www.justice.gov/psc.

    This case was investigated by the Federal Bureau of Investigation’s Violent Crimes Against Children Section. Assistant U.S. Attorney Rebecca A. Perlmutter prosecuted the case.
