Category: Federal Bureau of Investigation

  • MIL-OSI USA: Team Maryland Statement on Administration Attempt to Reprogram FBI Headquarters Funding

    Source: United States House of Representatives – Congressman Glenn Ivey – Maryland (4th District)

    WASHINGTON – Today, U.S. Senator Chris Van Hollen, Ranking Member of the Senate Appropriations Subcommittee on Commerce, Justice, Science, and Related Agencies and Representative Steny Hoyer, Ranking Member of the House Appropriations Subcommittee on Financial Services and General Government, along with Governor Wes Moore, Senator Angela Alsobrooks and Representatives Glenn Ivey, Kweisi Mfume, Jamie Raskin, Sarah Elfreth, and Johnny Olszewski (all D-Md.), and Prince George’s County Executive Aisha N. Braveboy released the following statement regarding the Administration’s attempt to reprogram funding intended for the new FBI Headquarters in Greenbelt, Md. 

    “The FBI deserves a headquarters that meets their security and mission needs – and following an extensive, thorough, and transparent process, Greenbelt, Maryland, was selected as the site that best meets those requirements. Not only was this decision final, the Congress appropriated funds specifically for the purpose of the new, consolidated campus to be built in Maryland. Now the Administration is attempting to redirect those funds – both undermining Congressional intent and dealing a blow to the men and women of the FBI – since we know that a headquarters located within the District would not satisfy their security needs. Simply moving down the street would ignore the real threats the Bureau faces and further jeopardize the safety of those protecting our communities. That’s why we will be fighting back against this proposal with every tool we have.” 


    MIL OSI USA News

  • MIL-OSI USA: Statewide hate crimes and bias incidents hotline now active in Clark, King, and Spokane counties

    Source: Washington State News

    SEATTLE — Today Washington launches a hate crimes and bias incidents hotline pilot in three counties across the state. According to the FBI’s hate crimes statistics, Washington has been in the top five states with the most reported hate crimes since 2018. The non-emergency hotline provides people in Clark, King, and Spokane counties an alternative way to report hate crimes or bias incidents.

    Hate crimes and incidents of bias have a devastating and long-lasting impact on individuals, families, and communities, making people feel unwelcome or unsafe where they live. Hotline staff will help callers find local, culturally competent, victim-centered, and trauma-informed support services and, with consent of the caller, can assist in reporting incidents to local law enforcement.

    The hotline is available by calling 1-855-225-1010. Anyone who wants to report a hate crime or bias incident in the three pilot counties can also visit atg.wa.gov/report-hate.

    The Legislature created the hotline in 2024 when it adopted Senate Bill 5427 with bipartisan support. The bill required a pilot program, managed by the Attorney General’s Office, for the hotline in three counties in Washington state — including one in eastern Washington. The three counties were chosen based on hate crimes data available in the 2023 Washington Association of Sheriffs and Police Chiefs’ Annual Crime Report and the counties’ demographics.

    The pilot program will remain active for a year and a half, then the hotline will launch statewide by January 2027. Hate crimes and bias incidents are underreported, and data about their prevalence is limited. Beginning July 1, 2027, the Attorney General’s Office will produce an annual report describing the data collected from hotline reports for the governor, state Legislature, and public regarding hate crimes and bias incidents. 

    “Hate crimes not only directly harm individuals but also can instill harm throughout the community,” Attorney General Nick Brown said. “Success in these three counties will help us expand the hotline statewide and better understand how to combat hate crimes and bias incidents across Washington.”

    Members of the advisory group and local officials offered the following statements on the launch of the hotline pilot:

    “We took an important step in 2019 by changing our hate crime laws — but the rise in hate and bias incidents shows there’s still more to do,” said Sen. Javier Valdez, D-Seattle, who sponsored the legislation creating the hotline. “That’s why this hotline matters. It’s not just about policy — it’s about people. It’s about making sure every victim is heard and supported.”

    “At a time when a hostile federal administration is fueling bigotry against vulnerable communities, many in King County are living in fear and uncertainty,” said King County Council Chair Girmay Zahilay. “I am proud to join the Attorney General’s Office in this initiative and grateful to the community leaders who’ve contributed to this launch. Together, we will continue to stand united against hate.”

    “Spokane welcomes the launch of the new Hate Crimes & Bias Incidents Hotline and is proud to be one of three original test locations,” said Spokane Mayor Lisa Brown. “Our Office of Civil Rights, Equity, and Inclusion has been engaged with the Attorney General’s team through its development, and we see this as a vital tool to improve reporting and ensure accountability throughout our community.”

    “I am proud that Spokane county is leading the way by piloting the Hate Crimes Hotline program,” said Spokane County Commissioner Amber Waldref. “I’m hopeful this tool will create a new opportunity for residents to report potential hate crimes to ensure the safety and security of everyone in our community.”

    “This hotline is an important step toward ensuring people feel safe reporting hate crimes,” said Clark County Sheriff John Horch. “We want everyone in our community to know that their voice matters, and that help is available.”

    “The Asian, Native Hawaiian, and Pacific Islander community has experienced hate crimes and bias incidents for hundreds of years and that was amplified during the height of the pandemic,” said Thanh Tran, co-chair of the HAPPEN Business Resource Group. “These incidents continue to occur every day, with little to no mention in the mainstream news. I’m hopeful this hotline will encourage victims to report these incidents so we can empower the community and move towards justice and healing.”

    “The hotline is critically important because it acknowledges what our communities have always known: that hate doesn’t only exist in the narrow legal definitions that require physical harm or property damage,” said Catalina Velasquez, executive director of the Washington Immigrant Solidarity Network. “When immigrant families in my network face verbal harassment that makes them afraid to send their children to school, when transgender people of color experience daily microaggressions that chip away at their humanity, when our elders are told to ‘go back where they came from’ — these are acts of violence that shape our material conditions and our ability to exist safely in the world. The hotline creates space for these experiences to be documented, believed, and responded to with culturally competent, trauma-informed care.”

    “I expect that the hotline will allow victims of hate to feel like they have support in their local communities,” said Hershel Zellman, board member of Human Rights Spokane. “I also expect the statistics gathered by the hotline will be used to create educational programming and law enforcement strategies for mitigating the occurrence of hate in the first place.”

    “We hope that this hotline will provide culturally competent support, build trust with the Muslim community, and encourage more community members to report incidents,” said Sabrene Odeh, a legal advocate with the Council on American-Islamic Relations in Washington state. “We hope that it will allow for better understanding of Islamophobia, improve the accuracy of future community facing programs and initiatives, and provide the support that resonates with our community members. Representation of the Muslim community in the development and implementation of this hotline reinforces the message that the safety of Muslims is prioritized and valued.”

    “Our organization is a trusted messenger of the community we serve,” said Momodou Jobe, programs director of the Washington West African Center. “Our voice comes from what our community tells us and our participation developing the hotline brought our community’s voices into the room.”

    “Too many in the Jewish community are grappling with the effects of growing antisemitism and need increased resources and services,” said Miri Cypers, regional director of the Anti-Defamation League in the Pacific Northwest. “From our youngest struggling with bias incidents in K-12 schools to community institutions facing threats, the hotline will provide culturally sensitive support.”

    “The Sikh community stands firmly for justice and equality for all,” said Jasmit Singh, executive director of the Khalsa Gurmat Center. “We commend the establishment of the hotline as a crucial mechanism for those who have experienced prejudice or hate to have their voices heard and for incidents to be addressed. This hotline empowers communities and reinforces the message that hate has no home in Washington state.” 

    For more information on Washington’s hate crimes and bias incidents hotline, visit atg.wa.gov/report-hate. 

    Definitions

    Washington law defines a hate crime as assault, property damage or threats to cause injury or property damage that is committed because of the perception of a person’s race, color, religion, ancestry, national origin, gender, sexual orientation, gender expression or identity, or disability.

    Bias incidents are acts of prejudice that are not criminal in nature and do not involve violence, threats, or property damage. While bias incidents cannot be criminally charged, they are important to report.

    Washington’s Attorney General serves the people and the state of Washington. As the state’s largest law firm, the Attorney General’s Office provides legal representation to every state agency, board, and commission in Washington. Additionally, the Office serves the people directly by enforcing consumer protection, civil rights, and environmental protection laws. The Office also prosecutes elder abuse, Medicaid fraud, and handles sexually violent predator cases in 38 of Washington’s 39 counties. Visit www.atg.wa.gov to learn more.

    Media Contact:

    Email: press@atg.wa.gov

    Phone: (360) 753-2727


  • MIL-OSI Security: Three Defendants Sentenced in Wide-Ranging Scheme to Monopolize International Transit Industry, Fix Prices, Extort Competitors, and Launder Money

    Source: United States Attorneys General

    The U.S. Department of Justice today announced that three additional defendants were sentenced in connection with a long-running and violent conspiracy to monopolize the transmigrante forwarding agency industry in the Los Indios, Texas, border region, located near Harlingen and Brownsville, Texas. The defendants controlled the transmigrante industry through fear, monopolization, and extortion of competitors, and laundered proceeds from the conspiracies.

    Pedro Antonio Calvillo Hernandez, age 50 of McAllen, Texas, was sentenced to 37 months’ imprisonment, a three-year term of supervised release, and a $50,000 fine after pleading guilty to conspiracy to illegally fix prices and allocate the market for transmigrante forwarding agency services, conspiracy to monopolize the transmigrante market, and conspiracy to interfere with commerce by extortion.

    Jose de Jesus Tapia Fernandez, age 47 of Brownsville, Texas, was sentenced to time served, or 31 months in prison, and a three-year term of supervised release after pleading guilty to a money laundering conspiracy through which extortion proceeds were laundered.

    Mireya Miranda, age 59 of San Antonio, Texas, was sentenced to 10 months of home detention, and a $75,000 fine after pleading guilty to conspiracy to illegally fix prices and allocate the market for transmigrante forwarding agency services; and conspiracy to monopolize the transmigrante market.

    “The danger and the harm to the American people by the use of violence and extortion to fix prices and monopolize the market for an essential service in the Texas border region cannot be understated,” said Assistant Attorney General Abigail Slater of the Justice Department’s Antitrust Division. “Today’s sentences demonstrate the Antitrust Division’s commitment to pursuing incarceration for both white-collar and violent criminals who seek to exploit America’s free markets.”

    “Price fixing is an attempt to distort the market in favor of the fixer and to the detriment of basically everyone else. Although such market manipulation is bad enough, it is even worse when brought about through threats and violence,” said U.S. Attorney Nicholas J. Ganjei for the Southern District of Texas. “The Southern District of Texas will work tirelessly to prosecute such criminal syndicates and to ensure markets along the Texas-Mexico border remain free, fair, and open.”

    “The FBI is proud of the hard work and collaboration with partners that led to today’s sentencing,” said Assistant Director Joe Perez of the FBI’s Criminal Investigative Division. “We remain absolutely committed to thwarting criminal enterprises that function without regard for the rule of law and whose practices of market manipulation include the use of violence and intimidation.”

    “These sentencings reaffirm our unwavering commitment to safeguarding economic integrity at our nation’s borders,” said Special Agent in Charge Craig Larrabee of ICE Homeland Security Investigations San Antonio. “By dismantling an enterprise that thrived on extortion and price fixing, we are ensuring that honest businesses can compete on a level playing field. This case exemplifies how corruption in niche industries can have far-reaching effects, and HSI will continue to pursue those who abuse the system for profit.”

    Transmigrantes transport used vehicles and other goods from the United States through Mexico for resale in Central America. There are only a few locations where transmigrantes can legally cross from the United States into Mexico, one of those being the Los Indios Bridge in Texas. Transmigrante forwarding agencies are U.S.-based businesses that provide services to transmigrante clients, including helping those clients complete the customs paperwork required to export vehicles into Mexico.  

    According to court documents and statements made in court, the co-defendants fixed prices for transmigrante forwarding agency services and created a centralized entity known as the “Pool” to collect and divide revenues among the conspirators, limit competition from other agencies, and increase prices for their services. Some co-defendants also conspired to force forwarding agencies to pay money to the Pool and to pay other extortion fees, including a “piso” for every transaction processed in the industry as well as a “fine” for operating in the market outside of Pool rules. The conspirators perpetrated acts of intimidation, coercion, and violence in furtherance of the antitrust and extortion conspiracies.  Co-defendants Carlos Martinez and Tapia also conspired to launder the extortion proceeds. 

    Calvillo, Tapia, and Miranda must also pay restitution to the victims of the conspiracies. The Court will determine the final restitution amount owed to victims of the conspiracies at a hearing set for Sept. 3.   

    Four co-defendants have previously been sentenced in this case. One other co-defendant has pleaded guilty and is awaiting sentencing. Three other defendants, Rigoberto Brown, Miguel Hipolito Caballero Aupart, and Diego Ceballos-Soto were also charged in the superseding indictment and remain fugitives. Anyone with information about their whereabouts is asked to contact the Antitrust Division’s Complaint Center at 888-647-3258, or visit  www.justice.gov/atr/report-violations.

    The Justice Department’s Antitrust Division, the Criminal Division’s Violent Crime and Racketeering Section (VCRS), the U.S. Attorney’s Office for the Southern District of Texas, Department of Homeland Security – Homeland Security Investigations and the Federal Bureau of Investigation investigated the case. 

    Trial Attorneys Anne Veldhuis, Brittany E. McClure, and Michael G. Lepage and Senior Litigation Counsel John Davis of the Antitrust Division; Trial Attorney Christina Taylor of the Criminal Division’s Violent Crime and Racketeering Section (VCRS); and Assistant U.S. Attorney Alexander L. Alum for the Southern District of Texas prosecuted the case. 

    Anyone with information in connection with this investigation should contact the Antitrust Division’s Complaint Center at 888-647-3258, or visit www.justice.gov/atr/report-violations

    MIL Security OSI

  • MIL-OSI USA: Statement of U.S. Sens. Mark R. Warner and Tim Kaine on FBI Headquarters

    Source: United States Senator for Commonwealth of Virginia Mark R Warner
    WASHINGTON – U.S. Sens. Mark R. Warner, Vice Chairman of the Senate Select Committee on Intelligence, and Tim Kaine (both D-VA) issued the following statement:
    “Moving the FBI from the Hoover Building to the Reagan Building isn’t a plan, it’s a punt. For years, Democratic and Republican administrations alike have agreed on the need for a secure, purpose-built headquarters that actually meets the FBI’s mission needs. This announcement brushes aside years of careful planning, ignores the recommendations of security and mission experts, and raises serious concerns about how this decision was made. Unfortunately, it fits a broader pattern from this administration — one marked by indiscriminate firings, canceled leases, and a general disregard for the federal workforce.
    “The law enforcement and intelligence professionals of the FBI deserve more than a hasty, improvised approach. They deserve a facility that matches the gravity of their work to keep Americans safe.”

  • MIL-OSI USA: Grassley Releases Bombshell Records Showing FBI Headquarters Interfered with Alleged Chinese Election Interference Probe to Shield Christopher Wray from Political Blowback

    Source: United States Senator for Iowa Chuck Grassley
    WASHINGTON – Senate Judiciary Committee Chairman Chuck Grassley (R-Iowa) today released internal Federal Bureau of Investigation (FBI) emails revealing the FBI suppressed intelligence of alleged Chinese interference in the 2020 election to insulate then-FBI Director Christopher Wray from criticism, after Wray provided inaccurate and contradictory testimony to Congress.
    The FBI declassified and provided the requested records to Grassley, along with an accompanying cover letter, after Grassley initially received some information from whistleblower disclosures. The FBI emails offer an inside look at the Bureau’s decision to recall and suppress an Intelligence Information Report (IIR) from the FBI’s Albany Field Office on September 25, 2020. The IIR contained information from an FBI Confidential Human Source (CHS) alleging the Chinese government was producing “tens of thousands” of fraudulent drivers’ licenses to manufacture mail-in votes for then-presidential candidate Joe Biden in the 2020 election. 
    According to the FBI, these allegations, despite showing initial signs of credibility, were allegedly never fully investigated due to the FBI’s sudden and “abnormal” decision to halt the investigation and bury the IIR’s existence, preventing any additional FBI field offices, as well as other Intelligence Community elements, from accessing or studying the document. The FBI’s stated reason for doing so was because “the reporting will contradict Director Wray’s testimony.” 
    “These records smack of political decision-making and prove the Wray-led FBI to be a deeply broken institution. Ahead of a high-stakes election happening amid an unprecedented global pandemic, the FBI turned its back on its national security mission,” Grassley said. “One way or the other, intelligence must be fully investigated to determine whether it’s true, or if it’s just smoke and mirrors. Chris Wray’s FBI wasn’t looking out for the American people – it was looking to save its own image. Now’s the time to rebuild the FBI’s trust. Director Patel’s willingness to work with me to establish renewed transparency and accountability is a critical part of that process, and I applaud him for his efforts.” 
    Political Reasoning
    Following the IIR’s recall, an FBI Albany intelligence analyst summarized the concerning series of events that led to the suppression:
    “Most concerning to me, is stating the reporting would contradict with Director Wray’s testimony. I found this troubling because it implied to me that one of the reasons we aren’t putting this out is for a political reason, which goes directly against our organization’s mission to remain apolitical and simply state what we know. Likewise, at the field operational level, I do not feel it is our job to assess whether or not our intelligence aligns with the Director…. My concern is that I think it gets dangerous if we cite potential political implications as reasons for not putting out our information.” 
    Source Credibility
    An FBI Albany official noted “the IIR was coordinated and disseminated in textbook fashion.” Further, a re-interview of the FBI CHS yielded additional context that supported the initial IIR’s findings. An FBI Albany official described the CHS as “competent” and “authentic in his/her reporting.” The CHS described the confidence in his/her sub-sourcing as a “9-10 range. [V]ery, very confident.”
    Decision for Recall
    According to an Assistant Section Chief in the FBI’s Counterintelligence Division, the IIR immediately generated “a lot of attention from all [Headquarter] divisions.”
    Upon receiving the IIR, an FBI Albany official stated, “We have no reason to recall at this point.” Minutes later, the Albany Field Office was commanded to recall the IIR at the direct request of officials at FBI Headquarters, including Nikki Floris, then-Deputy Assistant Director (DAD) of the FBI’s Counterintelligence Division. Months before dismissing the IIR, Floris provided an unnecessary briefing to Grassley and Sen. Ron Johnson (R-Wis.) regarding their investigation into the Biden family. The briefing – though classified – was later leaked to the press in an effort to falsely smear the senators’ investigation as Russian disinformation.
    Following the IIR’s recall, FBI Headquarters informed field offices that “all raw reporting concerning the election will now require [Headquarters] coordination,” which had not been previously required. 
    Contradictory Testimony
    During sworn testimony before the Senate Homeland Security and Government Affairs Committee (HSGAC) on September 24, 2020, Wray stated:
    “I think what I would say is this: We take all election-related threats seriously, whether it is voter fraud, voter suppression, whether it is in person, whether it is by mail. And our role is to investigate the threat actors. Now, we have not seen historically any kind of coordinated national voter fraud effort in a major election, whether it is by mail or otherwise… [B]ut people should make no mistake we are vigilant as to the threat and watching it carefully, because we are in uncharted new territory.” 
    Wray doubled down on his assertion in response to further questioning from HSGAC Ranking Member Gary Peters (D-Mich.).
    Peters: “Right, but your answer is clear. You have not seen any widespread fraud by mail. It is something the FBI watches continuously to make sure that that is not happening.” 
    Wray: “That is something that we would investigate seriously.” 
    Peters: “Absolutely.” 
    Wray: “And aggressively.” 
    FITF-China Prevents Further Follow-up
    On October 8, 2020, an official with the FBI’s Foreign Influence Task Force (FITF)-China division confirmed FITF-China had still not approved a reissue of the IIR. Despite FITF-China offering to “discuss next steps” for the IIR, the FBI on June 27, 2025 confirmed to Grassley that they had “found no information to indicate that FITF-China aggressively investigated the reported information, despite corroborating intergovernmental reporting and logical investigative leads.”
    Wray established FITF with the stated goal to “identify and counteract malign foreign influence operations targeting the United States.” Grassley called the Trump administration’s recent decision to close FITF “a positive step, given what the task force had been twisted into,” noting specifically its conduct against his and Senator Johnson’s Biden family investigation.

  • MIL-OSI Security: Serial Bank Robber Arrested for Allegedly Robbing Weymouth Bank at Gunpoint

    Source: US FBI

    Defendant previously convicted of robbing five banks across four separate cities and towns

    BOSTON – A Quincy man has been arrested and charged in connection with the December 2024 armed robbery of a Santander Bank in Weymouth.

    Glenn Legere, 46, of Quincy, was charged with one count of armed bank robbery. The defendant was arrested this morning and, following an initial appearance in federal court in Boston today, was ordered detained pending a hearing scheduled for July 8, 2025.

    According to the charging document, at approximately 4:52 p.m. on Dec. 17, 2024, local law enforcement was dispatched to a Santander bank branch in Weymouth for a reported bank robbery. There, it is alleged that a bank teller told law enforcement that as employees were preparing to close the bank, a man wearing a sweatshirt, baseball hat, face covering and gloves entered the bank through the main entrance. It is alleged that the suspect approached the victim teller’s window, removed a black firearm from the front pocket of his sweatshirt, opened a black cloth bag and demanded all the money. As the bank teller handed the suspect money from the cash box, the suspect allegedly yelled words to the effect of “I need money,” “I want the money” and “I don’t play.” At various times, the suspect allegedly pointed the firearm directly at the victim teller. It is further alleged that the suspect ran towards other teller windows, gesturing towards the cash box areas and demanding more money, but the victim teller explained that there was no more money and displayed an empty cash drawer. The suspect allegedly then left the bank with approximately $947 in stolen cash.

    According to court documents, a subsequent review of surveillance video footage from nearby locations determined that the suspect drove to and from the robbery location in a silver or grey Jeep Grand Cherokee. A vehicle matching the description was captured on cameras in Quincy immediately before and after the robbery. It is alleged that the vehicle was registered to Legere. 
        
    Legere has multiple prior convictions for committing armed and unarmed robberies, including a 2011 conviction of armed robbery in Norfolk Superior Court for which he was sentenced to three to five years in state prison, as well as a 2010 conviction for armed and unarmed robbery of banks in Braintree, Hanover, Duxbury and Plymouth for which he was sentenced to three years in state prison.

    As stated in open court at the defendant’s initial appearance today, when Legere was arrested, a firearm and some of the clothing believed to be used by Legere during the robbery were recovered.

    The charge of armed bank robbery provides for a sentence of up to 25 years in prison, five years of supervised release and a fine of $250,000. Sentences are imposed by a federal district court judge based upon the U.S. Sentencing Guidelines and statutes which govern the determination of a sentence in a criminal case.

    United States Attorney Leah B. Foley; Ted E. Docks, Special Agent in Charge of the Federal Bureau of Investigation, Boston Division; Colonel Geoffrey D. Noble, Superintendent of the Massachusetts State Police; and Weymouth Police Chief Richard M. Fuller made the announcement today. Valuable assistance was provided by the Massachusetts State Police, the National Insurance Crime Bureau and the Wellesley Police Department. Assistant U.S. Attorney Luke A. Goldworm of the Major Crimes Unit is prosecuting the case.

    The details contained in the charging document are allegations. The defendant is presumed to be innocent unless and until proven guilty beyond a reasonable doubt in the court of law.  

    MIL Security OSI

  • MIL-OSI Security: Michigan Man Sentenced to Two Years in Prison for Drug Distribution and Loan Fraud

    Source: US FBI

    BOSTON – A Michigan man was sentenced today in federal court in Boston for a conspiracy to import and sell illegal pharmaceuticals, including opioids, and to fund the operation of the scheme by fraudulently obtaining a COVID-19 pandemic relief loan.

    Donald Nchamukong, 37, was sentenced by U.S. Senior District Court Judge Nathaniel M. Gorton to two years in prison, to be followed by two years of supervised release. Nchamukong was also ordered to pay $200,000 in restitution. In March 2025, Nchamukong pleaded guilty to conspiracy to smuggle goods into the United States, committing loan fraud and distributing controlled substances.

    Starting in 2019 and continuing to 2022, Nchamukong and co-conspirator, Doyal Kalita, conspired to distribute drugs to persons in the United States over the internet and using call centers in India. Nchamukong used shell companies, including a purported dietary supplements company and an auto parts supplier, and associated bank and merchant accounts to process sales of illegal foreign drugs, including the Schedule IV opioid, tramadol. Nchamukong and Kalita also received shipments of tramadol from India and reshipped the drug to customers across the United States, including in Massachusetts. When the COVID-19 pandemic hit, Nchamukong and Kalita fraudulently obtained a $200,000 Economic Injury Disaster Loan to fund their illegal drug scheme.  

    In June 2024, Kalita was sentenced to 10 years in prison for orchestrating the online drug distribution scheme, a technical support fraud scheme and related money laundering.

    United States Attorney Leah B. Foley; Ted E. Docks, Special Agent in Charge of the Federal Bureau of Investigation, Boston Division; Thomas Demeo, Acting Special Agent in Charge of the Internal Revenue Service Criminal Investigation, Boston Field Office; and Fernando P. McMillan, Special Agent in Charge of the New York Field Office of the U.S. Food and Drug Administration, Office of Criminal Investigations made the announcement today. Valuable assistance was provided by Homeland Security Investigations in New York, the Small Business Administration and the United States Attorney’s Office for the Eastern District of New York. Assistant U.S. Attorney Kriss Basil, Deputy Chief of the Securities, Financial & Cyber Fraud Unit  prosecuted the case.

    On May 17, 2021, the Attorney General established the COVID-19 Fraud Enforcement Task Force to marshal the resources of the Department of Justice in partnership with agencies across government to enhance efforts to combat and prevent pandemic-related fraud. The Task Force bolsters efforts to investigate and prosecute the most culpable domestic and international criminal actors and assists agencies tasked with administering relief programs to prevent fraud by augmenting and incorporating existing coordination mechanisms, identifying resources and techniques to uncover fraudulent actors and their schemes, and sharing and harnessing information and insights gained from prior enforcement efforts. For more information on the department’s response to the pandemic, please visit https://www.justice.gov/coronavirus and https://www.justice.gov/coronavirus/combatingfraud.

    Anyone with information about allegations of attempted fraud involving COVID-19 can report it by calling the Department of Justice’s National Center for Disaster Fraud  Hotline via the NCDF Web Complaint Form.


  • MIL-OSI Security: Franklin Man Pleads Guilty to Threatening a United States Senator

    Source: US FBI

    CONCORD – A Franklin man pleaded guilty today in federal court for making a threat in violation of federal law, Acting U.S. Attorney Jay McCormack announces.

    Brian Landry, age 69, pleaded guilty in federal court in Concord to one count of transmitting a threat in interstate communication.  U.S. District Court Judge Samantha Elliott scheduled Landry’s sentencing for October 2, 2025.

    According to the charging documents and statements made in court, on May 17, 2023, Landry left a voicemail at U.S. Senator #1’s district office stating: “Hey stupid I’m a veteran sniper.  And unless you change your ways, I got my scope pointed in your direction and I’m coming to get you.  You’re a dead man walking you piece of f***ing sh*t.”  Investigators identified the phone call as coming from a number associated with Landry.  When they interviewed Landry, he admitted to having called the Senator’s office but did not initially recall exactly what he said in the voicemail.

    The charge of conviction provides for a sentence of up to 5 years in prison, up to 3 years of supervised release, and a fine up to $250,000.  Sentences are imposed by a federal district court judge based upon the U.S. Sentencing Guidelines and statutes which govern the determination of a sentence in a criminal case.

    The Federal Bureau of Investigation and the United States Capitol Police led the investigation. Valuable assistance was provided by the New Hampshire State Police, the Franklin Police Department, and the Manchester Police Department. Assistant U.S. Attorney Charles L. Rombeau is prosecuting the case.


  • MIL-OSI Security: Alleged Member of Mexican Drug Trafficking Organization Extradited to El Paso

    Source: US FBI

    EL PASO, Texas – A Mexican national charged with four counts in a 14-count indictment was extradited to the Western District of Texas following his arrest in Mexico last week.

    According to court documents, from January 2016 through August 2019, Hector Adrian Rojero Ramos aka Teto, 54, allegedly engaged in a conspiracy to import heroin and fentanyl from Mexico to destinations in Texas, Oklahoma, Illinois and elsewhere in the United States. Rojero Ramos was arrested in Mexico June 25 and made his initial appearance in a federal court in El Paso on June 27.

    Rojero Ramos is charged with one count of conspiracy to import a controlled substance, one count of conspiracy to possess with intent to distribute a controlled substance, and two counts of aiding and abetting possession with intent to distribute a controlled substance. If convicted, he faces up to life in prison. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.

    U.S. Attorney Justin R. Simmons for the Western District of Texas made the announcement.

    The Drug Enforcement Administration and FBI are investigating the case.

    Assistant U.S. Attorney Jose Luis Acosta is prosecuting the case.

    This case is part of Operation Take Back America, a nationwide initiative that marshals the full resources of the Department of Justice to repel the invasion of illegal immigration, achieve the total elimination of cartels and transnational criminal organizations, and protect our communities from the perpetrators of violent crime. Operation Take Back America streamlines efforts and resources from the Department’s Organized Crime Drug Enforcement Task Forces (OCDETFs) and Project Safe Neighborhoods (PSN).

    An indictment is merely an allegation and all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.


  • MIL-OSI Security: Fort Wayne Man Sentenced to 197 Months in Prison

    Source: US FBI

    FORT WAYNE – Derek L. Taylor, 47 years old, of Fort Wayne, Indiana, was sentenced by United States District Court Chief Judge Holly A. Brady after pleading guilty to possessing with intent to distribute a controlled substance and possessing a firearm in furtherance of a drug trafficking crime, announced Acting United States Attorney Tina L. Nommay.

    Taylor was sentenced to 197 months in prison followed by 4 years of supervised release.

    According to documents in the case, in August and September 2023, Taylor distributed cocaine.  Search warrants resulted in the recovery of heroin, fentanyl, cocaine, and M30 pills containing fentanyl, along with three handguns, a stolen semi-automatic rifle, multiple digital scales, baggies, and a substantial amount of powder used in the distribution of narcotics.  Taylor was previously convicted twice of distributing drugs and was also previously convicted of felony battery, making him a career offender for purposes of federal sentencing.

    This case was investigated by the Federal Bureau of Investigation’s Fort Wayne Safe Streets Gang Task Force, which includes the FBI, the Indiana State Police, the Allen County Police Department, and the Fort Wayne Police Department.  Also assisting this investigation was the Drug Enforcement Administration’s North Central Laboratory and the Bureau of Alcohol, Tobacco, Firearms, and Explosives.  The case was prosecuted by Assistant United States Attorney Stacey R. Speith.

    This case was part of an Organized Crime Drug Enforcement Task Force (OCDETF) investigation. OCDETF identifies, disrupts, and dismantles the highest-level drug traffickers, money launderers, gangs, and transnational criminal organizations that threaten the United States by using a prosecutor-led, intelligence-driven, multi-agency approach that leverages the strengths of federal, state, and local law enforcement agencies against criminal networks.

    This case is part of Project Safe Neighborhoods (PSN), a program bringing together all levels of law enforcement and the communities they serve to reduce violent crime and gun violence, and to make our neighborhoods safer for everyone. On May 26, 2021, the Department launched a violent crime reduction strategy strengthening PSN based on these core principles: fostering trust and legitimacy in our communities, supporting community-based organizations that help prevent violence from occurring in the first place, setting focused and strategic enforcement priorities, and measuring the results.


  • MIL-OSI Security: Statement from FBI Minneapolis on the Location of Remains of Jordan Manny Collins Jr.

    Source: US FBI

    “The FBI Minneapolis Division is honored to have joined our law enforcement partners in the ongoing effort to recover Manny Collins,” said Alvin M. Winston Sr., special agent in charge of the FBI Minneapolis Field Office. “In response to a request for assistance from the Anoka County Sheriff’s Office, FBI Minneapolis deployed our highly trained Evidence Response Team, along with the FBI’s Laboratory Evidence Response Team Unit and the Technical Hazardous Response Unit from Quantico, VA. Both units are expertly trained in ensuring safety at complex crime scenes.

    “This collaborative effort underscores our deep commitment and unity in the mission to recover Manny Collins. The coordination and resource-sharing among all agencies and volunteers have been crucial to finding Manny.

    “The FBI extends its heartfelt condolences to the family and friends of Manny Collins during this difficult time. We remain dedicated to pursuing justice and will continue to work closely with our partners to ensure that the truth is uncovered and that justice is served.”


  • MIL-OSI Security: Team of North Korean Remote IT Workers Indicted in Theft Scheme

    Source: US FBI

    FBI Atlanta Warns Public to Increase Hiring Scrutiny

    FBI Atlanta is warning the public about the threat of hiring Remote IT workers who use false identifications to conceal their true North Korean identities.

    Today, the Northern District of Georgia unsealed a five-count wire fraud and money laundering indictment charging four North Koreans, Kim Kwang Jin (김관진), Kang Tae Bok (강태복), Jong Pong Ju (정봉주) and Chang Nam Il (창남일), with a scheme to steal from two companies virtual currency, valued at over $900,000 at the time of the thefts, and to launder proceeds of those thefts. The defendants concealed their North Korean identities from their employers by providing the employers with false identification documents that contained stolen and fake identity information.

    In approximately December 2020 and May 2021, respectively, Kim Kwang Jin (using victim P.S.’s stolen identity) and Jong Pong Ju (using the alias “Bryan Cho”) were hired by a blockchain research and development company headquartered in Atlanta, Georgia, and a virtual token company based in Serbia. Both defendants concealed their North Korean identities from their employers by providing false identification documents containing a mix of stolen and fraudulent identity information. Later, on a recommendation from Jong Pong Ju, the Serbian company hired “Peter Xiao,” who in fact was Chang Nam Il.

    After gaining their employers’ trust, Kim Kwang Jin and Jong Pong Ju were assigned projects that provided them access to their employers’ virtual currency assets. In February 2022, Jong Pong Ju used that access to steal virtual currency worth approximately $175,000 at the time of the theft, sending it to a virtual currency address he controlled. In March 2022, Kim Kwang Jin stole virtual currency worth approximately $740,000 at the time of theft by modifying the source code of two of his employer’s smart contracts, then sending it to a virtual currency address he controlled.

    To launder the funds after the thefts, Kim Kwang Jin and Jong Pong Ju “mixed” the stolen funds, using the virtual currency mixer Tornado Cash, and then transferred the funds to virtual currency exchange accounts controlled by Kang Tae Bok and Chang Nam Il but held in the names of aliases. These accounts were opened using fraudulent Malaysian identification documents.

    According to the indictment, the defendants traveled to the United Arab Emirates on North Korean travel documents, along with other individuals, and worked together as a co-located team.

    Neither of the victim companies in this investigation would have hired the individuals had they known they were North Korean citizens. FBI Atlanta is warning the public about the threat of North Korean citizens who often apply for Remote IT roles as blockchain developers. These individuals often use multiple fake names, identity cards, and social media accounts to gain employment at numerous companies. Companies looking to hire Remote IT workers, especially for blockchain development, are encouraged to apply additional layers of scrutiny to their interview and hiring processes.

    Recommendations for Strengthening Remote-Hiring Processes

    • Implement identity-verification processes during interviewing, onboarding, and throughout the employment of any remote worker. Cross-check HR systems for other applicants with the same resume content and/or contact information. The FBI has observed in other instances that North Korean IT workers use artificial intelligence and face-swapping technology during video job interviews to obfuscate their true identities.
    • Educate HR staff, hiring managers, and development teams regarding the North Korean IT worker threat, specifically focusing on changes in address or payment platforms during the onboarding process.
    • Review each applicant’s communication accounts as North Korean IT workers have reused phone numbers (particularly voice-over-IP numbers) and email addresses on multiple resumes purportedly belonging to different applicants.
    • Verify third-party staffing firms conduct robust hiring practices and routinely audit those practices.
    • Use “soft” interview questions to ask applicants for specific details about their location or educational background. North Korean IT workers often claim to have attended non-US educational institutions.
    • Check applicant resumes for typos and unusual terminology.
    • Complete as much of the hiring and onboarding process as possible in person.

    Reporting: If you suspect you have been approached or victimized by a North Korean IT worker, the FBI recommends taking the following actions:

    • Report the suspicious activity to the FBI’s Internet Crime Complaint Center (IC3) at www.IC3.gov as quickly as possible.
    • Evaluate network activity from the suspected employee and their assigned device(s), and use internal intrusion-detection software to capture activity on the suspected device(s).

    Reference

    In 2022 and 2023, the United States, along with foreign partners, issued public advisories regarding how North Korean IT workers operate and provided red-flag indicators and due diligence measures for businesses to avoid hiring North Korean freelance developers. In May 2024, the FBI provided further guidance regarding North Korean IT workers and their use of witting and unwitting US-based individuals.


  • MIL-OSI Security: New Orleans Man Sentenced for Federal Gun Crimes

    Source: US FBI

    NEW ORLEANS, LOUISIANA – Acting U.S. Attorney Michael M. Simpson announced that CARDELL GLOVER (“GLOVER”), age 24, was sentenced on Tuesday, June 17, 2025, by United States District Judge Darrel J. Papillion, after previously pleading guilty to a three-count indictment.  Count One charged GLOVER with being a felon in possession of a firearm, in violation of Title 18, United States Code, Sections 922(g)(1) and 924(a)(8).  Count Two charged GLOVER with possession of a stolen firearm, in violation of Title 18, United States Code, Sections 922(j) and (a)(2).  Count Three charged GLOVER with possession of a machine gun, in violation of Title 18, United States Code, Section 922(o) and 924(a)(2).

    GLOVER was sentenced to 96 months imprisonment as to each of the three counts of the indictment, to be served concurrently.  Judge Papillion also ordered that GLOVER be placed on supervised release for three years as to each of the three counts, to be served concurrently, and pay a $300 mandatory special assessment fee.

    According to court documents, on July 9, 2024, a rideshare driver reported to the Jefferson Parish Sheriff’s Office (JPSO) that her weapon had been stolen.  She also works as a security guard and had placed her work firearm, a Glock Model 19 Gen 5, nine-millimeter pistol, in her trunk earlier that afternoon prior to starting her rideshare work.  She reported to law enforcement that she had picked up a fare, a male and a female passenger, at the Dollar General and allowed them to place their groceries in the trunk of her car.  When they arrived at the passengers’ destination, an apartment complex in Jefferson Parish, Louisiana, the passengers retrieved the groceries from the trunk and went to an unknown second floor apartment.  The rideshare driver then looked in the trunk of her vehicle to discover her firearm missing.  She had said that the first name of the passenger who ordered the ride was “Dell.”

    GLOVER pled guilty to the entire indictment and admitted that he stole the Glock pistol.  GLOVER also admitted that, at the time of its recovery, the Glock pistol was equipped with a machinegun conversion device, making it a machinegun as defined by the National Firearms Act (26 U.S.C. § 5845(b)).

    This case is part of Project Safe Neighborhoods (PSN), a program bringing together all levels of law enforcement and the communities they serve to reduce violent crime and gun violence, and to make our neighborhoods safer for everyone.  On May 26, 2021, the department launched a violent crime reduction strategy strengthening PSN based on these core principles: fostering trust and legitimacy in our communities, supporting community-based organizations that help prevent violence from occurring in the first place, setting focused and strategic enforcement priorities, and measuring the results.

    Acting U.S. Attorney Simpson praised the work of the Federal Bureau of Investigation and the Jefferson Parish Sheriff’s Department. The case was prosecuted by Assistant United States Attorney Sarah Dawkins of the Violent Crime Unit.


  • MIL-OSI Security: Marrero Woman Guilty of Cares Act Fraud

    Source: US FBI

    NEW ORLEANS, LOUISIANA – Acting U.S. Attorney Michael M. Simpson announced that on Tuesday, June 24, 2025, LINDA TRIGGS (“TRIGGS”), age 73, a resident of Marrero, pleaded guilty to making a false statement related to the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), in violation of Title 18, United States Code, Section 1001(a)(2).

    On March 27, 2020, the President of the United States signed into law the CARES Act, which provided emergency assistance, administered by the United States Small Business Administration (SBA), to small business owners affected by the Coronavirus (COVID-19) pandemic.  One of the  primary sources of funding for small businesses was the Paycheck Protection Program (PPP).

    According to the charging documents, on or about April 18, 2021, TRIGGS, on behalf of a non-profit corporation that she owned, made false statements to an approved lender to obtain approximately $59,065 for PPP loans.

    TRIGGS faces a maximum term of imprisonment of five (5) years, a fine of up to $250,000, a period of supervised release of up to three years, and a mandatory special assessment fee of $100.00.  United States District Judge Brandon S. Long will sentence TRIGGS on September 30, 2025.

    For more information on the Department of Justice’s response to the pandemic, please visit https://www.justice.gov/coronavirus.  Anyone with information about allegations of attempted fraud involving COVID-19 can report it by calling the Department of Justice’s National Center for Disaster Fraud (NCDF) Hotline at 866-720-5721 or via the NCDF Web Complaint Form at https://www.justice.gov/disaster-fraud/ncdf-disaster-complaint-form.

    Acting U.S. Attorney Simpson praised the work of the Federal Bureau of Investigation in investigating this matter.  Assistant U.S. Attorney Brittany Reed of the Violent Crimes Unit is in charge of the prosecution.


  • MIL-OSI Security: Convenience Store Robber Sentenced to 57 Months’ Imprisonment

    Source: US FBI

    SALT LAKE CITY, Utah – Andrew Armani Deionte Rowe, 29, of Salt Lake City, was sentenced today to 57 months’ imprisonment, and a term of three years’ supervised release after he robbed multiple 7-Eleven stores across the Salt Lake Valley in 2023.  

    The sentence, imposed by U.S. District Court Judge Jill N. Parish, comes after Rowe pleaded guilty in September 2024 to four counts of interference with commerce by robbery.

    According to court documents and statements made at Rowe’s change of plea and sentencing hearings, Rowe admitted that from September 12, 2023, through September 27, 2023, he robbed multiple 7-Eleven stores and threatened the clerk at each location. First, on Sept. 12, 2023, Rowe entered a 7-Eleven in Salt Lake City and locked the doors behind him. Rowe handed the clerk a note that stated, “Do as I say, or you will lose your life.” The clerk complied and gave Rowe the money from the register. On the same day, in a separate robbery, Rowe entered a 7-Eleven in Millcreek, Utah, with a gun and ordered the clerk to give him all the cash in the register. On Sept. 14, 2023, Rowe entered a 7-Eleven in Salt Lake City. Rowe pointed a gun at the clerk and demanded all the cash from the register. On Sept. 27, 2023, Rowe entered a 7-Eleven in Millcreek, threatened the clerk and demanded money from the register. See former press release here.

    On October 11, 2023, Rowe was arrested. During the investigation, law enforcement seized clothing that matched the clothing worn by Rowe during the robberies. Law enforcement also seized a black firearm with an extended firearm that matched the description of the firearm used in the robberies. It was later determined the firearm was a BB gun designed to look like a Glock.

    “No individual should feel unsafe while at work,” said Acting U.S. Attorney Felice John Viti for the District of Utah. “Mr. Rowe threatened and intimidated others for his personal gain and then repeated his criminal behavior three more times. Community safety is a priority for the U.S. Attorney’s Office and our law enforcement partners and we will continue to prosecute and seek justice against those who harm our communities.”  

    “It’s fortunate Mr. Rowe didn’t physically hurt or kill anyone during his crime spree, although the emotional toll on the victims will be long-lasting,” said Special Agent in Charge Mehtab Syed with the Salt Lake City FBI. “Opportunistic crimes don’t pay. The FBI and our partners are committed to keeping our communities safe from violent offenders.”

    The case was investigated jointly by the Salt Lake City Police Department, Unified Police Department of Greater Salt Lake and the FBI Salt Lake City Field Office.

    The U.S. Attorney’s Office for the District of Utah prosecuted the case.

    This case is part of Project Safe Neighborhoods (PSN), a program bringing together all levels of law enforcement and the communities they serve to reduce gun violence and other violent crime, and to make our neighborhoods safer for everyone.  On May 26, 2021, the Department launched a violent crime reduction strategy strengthening PSN based on these core principles: fostering trust and legitimacy in our communities, supporting community-based organizations that help prevent violence from occurring in the first place, setting focused and strategic enforcement priorities, and measuring the results.  For more information about Project Safe Neighborhoods, please visit Justice.gov/PSN.


  • MIL-OSI Security: San Juan County Man Indicted for Second-Degree Murder

    Source: US FBI

    SALT LAKE CITY, Utah – A federal grand jury returned an indictment today charging a San Juan County man with second degree murder after he allegedly shot a man to death in San Juan County, Utah.

    Chevel Cottonwood, 34, of San Juan County, was charged by complaint on June 11, 2025, and ordered detained by a U.S. Magistrate Judge.  

    According to court documents, on June 10, 2025, Navajo Police Department Officers responded to a 911 call reporting gunfire near the Hovenweep area north of Aneth, Utah, within the Navajo Nation. Upon arrival at a residence, officers spoke with a woman who was allegedly at the residence at the time of the shooting and described hearing gunshots from the living room. She recalled hearing Cottonwood and the victim arguing and then heard another gunshot and saw the flash of the discharge. The woman then went to the living room and saw the victim lying on the floor bleeding from an apparent gunshot wound.

    As alleged in court documents, responding officers entered the residence and found the victim deceased with a gunshot wound and an empty shell casing next to him. Cottonwood was found hiding in nearby bushes with a loaded magazine and ammunition. A search warrant was executed, and officers seized a 9mm pistol and two 9mm shell casings. Agents also observed bullet holes through the roof of the house that appeared to have occurred at some point during the incident.

    Cottonwood is charged with second degree murder while within Indian Country and being a restricted person in possession of a firearm and ammunition. Cottonwood will have his initial appearance on the indictment on June 26, 2025, at 11:00 a.m. in courtroom 7.4 before a U.S. Magistrate Judge at the Orrin G. Hatch United States District Courthouse in downtown Salt Lake City.

    Acting United States Attorney Felice John Viti for the District of Utah made the announcement.

    The case is being investigated jointly by the Navajo Nation Department of Criminal Investigations and the FBI Salt Lake City Field Office’s Monticello Resident Agency.

    Assistant United States Attorneys Sam Pead and Tanner Zumwalt of the U.S. Attorney’s Office for the District of Utah are prosecuting the case.

    This case is part of Operation Take Back America, a nationwide initiative that marshals the full resources of the Department of Justice to repel the invasion of illegal immigration, achieve the total elimination of cartels and transnational criminal organizations (TCOs), and protect our communities from the perpetrators of violent crime. Operation Take Back America streamlines efforts and resources from the Department’s Organized Crime Drug Enforcement Task Forces (OCDETF) and Project Safe Neighborhoods (PSN).

    An indictment is merely an allegation and all defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

    MIL Security OSI

  • MIL-OSI Security: Federal Grand Jury in Louisville Returns 4 Indictments Charging 22 Defendants with Drug Trafficking, Firearms, and Money Laundering Offenses

    Source: United States Bureau of Alcohol Tobacco Firearms and Explosives (ATF)

    Louisville, KY – On May 6, 2025, a federal grand jury in Louisville charged a total of 20 defendants from across Kentucky and California in 3 separate indictments involving methamphetamine and fentanyl trafficking offenses and firearms offenses. On May 21, 2025, a federal grand jury charged 4 defendants, 2 of whom were previously charged, in an indictment involving methamphetamine and fentanyl trafficking and money laundering offenses. The indictments charging all 22 defendants were the result of a lengthy investigation conducted by multiple law enforcement agencies.

    U.S. Attorney Kyle G. Bumgarner of the Western District of Kentucky, Acting Special Agent in Charge Olivia Olson of the FBI Louisville Field Office, Special Agent in Charge Rana Saoud of the Homeland Security Investigations Nashville, Special Agent in Charge John Nokes of the ATF Louisville Field Division, Special Agent in Charge Jim Scott of the DEA Louisville Field Division, Special Agent in Charge Karen Wingerd of the Internal Revenue Service Criminal Investigations, Cincinnati Field Office, U.S. Postal Inspector in Charge Lesley Allison of the Pittsburgh Division, U.S. Customs and Border Protection Chicago Director of Field Operations Lafonda Sutton-Burke, Commissioner Phillip Burnett, Jr. of the Kentucky State Police, and Chief Paul Humphrey of the Louisville Metro Police Department made the announcement.  

    The following 9 defendants were charged in the first indictment on May 6, 2025:

    • James Havlicheck, 34, of California
    • Rodney Hollie, 38, of California
    • Joseph Nguyen, 38, of California
    • Minh Ngo, 40, of California
    • Kevin Nguyen, 30, of California
    • Johnathan Nguyen, 35, of California
    • Ordell Smith, Jr., 38, of Louisville
    • Vanray O’Neal, 38, of Louisville
    • Darren Render, 33, of Louisville 

    According to the first indictment, Havlicheck, Hollie, Joseph Nguyen, Ngo, Kevin Nguyen, and Johnathan Nguyen were charged with conspiracy to possess with the intent to distribute 50 grams or more of methamphetamine for a conspiracy beginning as early as April 2024 and continuing through July 19, 2024. Havlicheck and Ngo were also charged with one count of distribution of 50 grams or more of methamphetamine.

    Smith, Jr. was charged with four counts of distribution of 50 grams or more of methamphetamine.

    O’Neal was charged with three counts of distribution of 50 grams or more of methamphetamine and two counts of firearms trafficking.

    Render was charged with four counts of firearms trafficking, four counts of possession of a firearm by a prohibited person, three counts of distribution of fentanyl, one count of distribution of heroin, and two counts of possession of a firearm in furtherance of a drug trafficking crime. Render was prohibited from possessing a firearm because he had previously been convicted of the following felony offense.

    On April 2, 2020, in the United States District Court for the Western District of Kentucky, Render was convicted of possession of a firearm by a prohibited person.

    If convicted, Havlicheck, Hollie, Joseph Nguyen, Ngo, Kevin Nguyen, Johnathan Nguyen, Smith, Jr., and O’Neal face a mandatory minimum sentence of 10 years in prison. Render faces a mandatory minimum sentence of 5 years in prison. All the defendants face a maximum sentence of life in prison. A federal district court judge will determine any sentence after considering the sentencing guidelines and other statutory factors. 

    The following 9 defendants were charged in the second indictment on May 6, 2025:

    • Antonio Taylor, 39, of Louisville
    • Terry Matthews, 44, of Louisville
    • Dylan Bradley, 21, of Louisville
    • Demetrius Brown, 42, of Louisville
    • Dominic McCray, 30, of Louisville
    • Joshua James, 42, of Louisville
    • Gregory Jackson, 34, of Louisville
    • Thai Quoc Tran, 24, of Louisville
    • Devon Wilson, 43, of Louisville 

    According to the second indictment, Taylor, Matthews, Bradley, Brown, McCray, James, and Jackson were charged with one count of conspiracy to possess with the intent to distribute 400 grams or more of fentanyl for a conspiracy beginning as early as August 21, 2024, and continuing through October 23, 2024.

    Taylor was also charged with one count of distribution of 400 grams or more of a fentanyl mixture, eight counts of distribution of 40 grams or more of a fentanyl mixture, one count of possession of a firearm in furtherance of a drug trafficking crime, and one count of possession of a firearm by a prohibited person. Taylor was prohibited from possessing a firearm because he had previously been convicted of the following felony offenses.

    On or about May 21, 2018, in Jefferson Circuit Court, Taylor was convicted of possession of a handgun by a convicted felon and trafficking in a controlled substance first degree unspecified less than ten dosage units (two counts).

    Matthews was also charged with one count of distribution of 400 grams or more of a fentanyl mixture, three counts of distribution of 40 grams or more of a fentanyl mixture, two counts of distribution of fentanyl, one count of possession of a firearm in furtherance of a drug trafficking crime, one count of firearms trafficking, one count of possession of a firearm by a prohibited person, and one count of distribution of a controlled substance. Matthews was prohibited from possessing a firearm because he had previously been convicted of the following felony offense.

    On March 9, 2018, in Jefferson Circuit Court, Matthews was convicted of flagrant non-support.

    Bradley was also charged with three counts of distribution of 40 grams or more of a fentanyl mixture, one count of distribution of 50 grams or more of methamphetamine, and one count of possession of a firearm in furtherance of a drug trafficking crime.

    Brown was also charged with one count of distribution of 40 grams or more of a fentanyl mixture, one count of distribution of a fentanyl mixture, and one count of possession of a firearm by a prohibited person. Brown was prohibited from possessing a firearm because he had previously been convicted of the following felony offenses.

    On or about July 17, 2017, in Jefferson Circuit Court, Brown was convicted of assault in the second degree, criminal mischief in the first degree, receiving stolen firearm, and wanton endangerment in the first degree.

    McCray was also charged with one count of possession of an unregistered firearm.

    James was also charged with one count of distribution of 40 grams or more of a fentanyl mixture.

    Jackson was also charged with one count of distribution of 40 grams or more of a fentanyl mixture.

    Tran was also charged with one count of distribution of 50 grams or more of methamphetamine.

    Wilson was also charged with one count of possession of a firearm by a prohibited person. Wilson was prohibited from possessing a firearm because he had previously been convicted of the following felony offenses.

    On July 16, 2024, in Jefferson Circuit Court, Wilson was convicted of flagrant non-support.

    On January 9, 2017, in Jefferson Circuit Court, Wilson was convicted of trafficking in a controlled substance in the first degree, schedule I heroin less than two grams.

    If convicted, Taylor, Matthews, Bradley, Brown, James, Jackson, and Tran face a mandatory minimum sentence of 10 years in prison and a maximum sentence of life in prison. McCray faces a maximum sentence of 10 years in prison. Wilson faces a maximum sentence of 15 years in prison. A federal district court judge will determine any sentence after considering the sentencing guidelines and other statutory factors.

    Matthews and McCray have not been federally arrested and are not yet before the Court.

    The following 2 defendants were charged in the third indictment on May 6, 2025:

    • Mark Foster, Jr., 33, of Louisville
    • Devante Rice, 30, of Louisville

    Foster was charged with two counts of distribution of controlled substances, nine counts of distribution of fentanyl, ten counts of possession of a firearm by a prohibited person, seven counts of possession of a firearm in furtherance of a drug trafficking crime, one count of illegal possession of a machine gun, and one count of firearms trafficking. Foster was prohibited from possessing a firearm because he had previously been convicted of the following felony offenses.

    On or about March 30, 2018, in Jefferson Circuit Court, Foster was convicted of receiving stolen property (firearm) and illegal possession of a controlled substance in the first degree, heroin.   

    On or about June 15, 2021, in Jefferson Circuit Court, Foster was convicted of complicity to trafficking in a controlled substance in the first degree, opioids, complicity to trafficking in a controlled substance in the first degree, methamphetamine, possession of a handgun by a convicted felon, and tampering with physical evidence.

    Rice was charged with eleven counts of possession of a firearm by a prohibited person, one count of firearms trafficking, and two counts of possession of an unregistered firearm. Rice was prohibited from possessing a firearm because he had previously been convicted of the following felony offenses.

    On January 10, 2014, in Jefferson Circuit Court, Rice was convicted of burglary in the second degree and receiving stolen property over $500.

    On April 30, 2019, in Jefferson Circuit Court, Rice was convicted of possession of a handgun by a convicted felon.

    On August 8, 2023, in Jefferson Circuit Court, Rice was convicted of complicity to possession of a handgun by a convicted felon, theft by unlawful taking – firearm (two counts), and theft by unlawful taking over $500 but under $10,000.

    If convicted, Foster faces a mandatory minimum sentence of 70 years in prison and a maximum sentence of life in prison. Rice faces a maximum sentence of 15 years in prison on each count of possession of a firearm by a prohibited person and the single count of firearms trafficking and a 10-year maximum sentence for the two counts of possession of an unregistered firearm. A federal district court judge will determine any sentence after considering the sentencing guidelines and other statutory factors. 

    The following 4 defendants were charged in the fourth indictment on May 21, 2025:

    • Antonio Taylor
    • Joshua James
    • Celotia Evans, 39, of Louisville
    • Jaremei Hinkle, 24, of Louisville

    According to the fourth indictment, Taylor, James, Evans, and Hinkle were charged with one count of conspiracy to possess with the intent to distribute 400 grams or more of fentanyl for a conspiracy beginning as early as June 2024 and continuing through July 11, 2024. 

    Hinkle was also charged with one count of possession with intent to distribute 400 grams or more of a fentanyl mixture.

    James was also charged with one count of conspiracy to distribute 500 grams or more of a methamphetamine mixture.

    Taylor is also charged with engaging in monetary transactions derived from specific unlawful activities and laundering of a money instrument during his purchase of a vehicle.

    If convicted, Taylor, James, Evans, and Hinkle face a mandatory minimum sentence of 10 years in prison. All the defendants face a maximum sentence of life in prison. A federal district court judge will determine any sentence after considering the sentencing guidelines and other statutory factors.

    There is no parole in the federal system.

    Evans and Hinkle have not been federally arrested and are not yet before the Court.

    The cases are being investigated by the FBI, HSI, ATF, DEA, IRS-CI, CBP, USPIS, KSP, and LMPD. 

    These cases were investigated and prosecuted by the Kentucky Homeland Security Task Force (HSTF) as part of Operation Take Back America. HSTFs, which were established by President Trump in Executive Order 14159, Protecting the American People Against Invasion, are joint operations led by the Department of Justice and the Department of Homeland Security. Operation Take Back America is a nationwide federal initiative that marshals the full resources of the Department of Justice to repel the invasion of illegal immigration, achieve the total elimination of cartels and transnational criminal organizations (TCOs), and protect our communities from the perpetrators of violent crime. Operation Take Back America streamlines efforts and resources from the Department’s Organized Crime Drug Enforcement Task Forces (OCDETFs) and Project Safe Neighborhoods (PSN).

    An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

    ###

    MIL Security OSI

  • MIL-OSI Security: Maryland Man Sentenced to Federal Prison for Possessing With Intent to Distribute Fentanyl and Cocaine

    Source: United States Bureau of Alcohol Tobacco Firearms and Explosives (ATF)

    The defendant, a felon, also possessed a firearm in connection with the drug offense.

    Baltimore, Maryland – Today, Judge Matthew J. Maddox sentenced Freddie Anthony Curry, 54, of Baltimore, Maryland, to 10 years in federal prison for possession with the intent to distribute 400 grams or more of fentanyl and 500 grams or more of cocaine. 

    Kelly O. Hayes, U.S. Attorney for the District of Maryland, announced the sentence with Acting Special Agent in Charge Amanda M. Koldjeski, Federal Bureau of Investigation (FBI) – Baltimore Field Office, and Special Agent in Charge Ibrar A. Mian, Drug Enforcement Administration (DEA) – Washington Division.

    In May 2024, the FBI and DEA began investigating Curry in connection with suspected fentanyl and cocaine trafficking in the Baltimore area.  During their investigation, they verified Curry’s vehicle and residence. Authorities then executed federal search warrants on Curry’s residence and vehicle. During the search, investigators recovered approximately 980 grams of fentanyl, 1,040 grams of cocaine, digital scales, drug-packaging materials, and a Glock 19 9-millimeter handgun. Curry is prohibited from possessing a firearm due to prior felony convictions.

    This case is part of Project Safe Neighborhoods (PSN), a program bringing together all levels of law enforcement and the communities they serve to reduce violent crime and gun violence, and to make our neighborhoods safer for everyone.  On May 26, 2021, the Department launched a violent crime reduction strategy strengthening PSN based on these core principles: fostering trust and legitimacy in our communities, supporting community-based organizations that help prevent violence from occurring in the first place, setting focused and strategic enforcement priorities, and measuring the results.

    This case is part of a Strike Force Initiative, which provides for the establishment of permanent multi-agency task force teams that work side-by-side in the same location. This co-located model enables agents from different agencies to collaborate on intelligence-driven, multi-jurisdictional operations to disrupt and dismantle the most significant drug traffickers, money launderers, gangs, and transnational criminal organizations. The specific mission of the Baltimore Strike Force is to identify, disrupt, and dismantle violent drug trafficking, money laundering, and transnational criminal organizations to reduce drug-related and/or gang violence in the Baltimore metropolitan and surrounding areas.  The Baltimore Strike Force is comprised of agents and officers from the Bureau of Alcohol, Tobacco, Firearms, and Explosives, the Drug Enforcement Administration, the Federal Bureau of Investigation, the Department of Homeland Security, the United States Marshals Service, the United States Secret Service, United States Postal Inspection Service, the Maryland State Police, the Baltimore Police Department, the Baltimore Sheriff’s Office, the Baltimore County Police Department, the Maryland Transportation Authority, and the Maryland Department of Public Safety and Correctional Services. The prosecution is being led by the Office of the United States Attorney for the District of Maryland.

    U.S. Attorney Hayes commended the FBI and DEA for their work in the investigation. Ms. Hayes also thanked Assistant U.S. Attorney Sarah Simpkins, who is prosecuting the case.

    For more information about the Maryland U.S. Attorney’s Office, its priorities, and resources available to report fraud, visit justice.gov/usao-md  and justice.gov/usao-md/community-outreach.

    # # #

    MIL Security OSI

  • MIL-OSI Security: Minnesota Sex Offender Sentenced to Over a Year in Prison for Failing to Register

    Source: US FBI

    BILLINGS – A Minnesota man who failed to register as a sex offender was sentenced today to 16 months in prison to be followed by 5 years of supervised release, U.S. Attorney Kurt Alme said.

    Jeremiah Robert Wiberg, 42, pleaded guilty in March 2025 to one count of failure to register as a sex offender.

    U.S. District Judge Susan P. Watters presided.

    The government alleged in court documents that Jeremiah Wiberg is required to register as a sexual offender under SORNA following a 2007 federal conviction for receipt of child pornography. Wiberg has been on federal supervised release for the past eight years and has had his supervised release revoked multiple times.

    Following his sentence of incarceration after being revoked from supervision, Wiberg was released from the BOP in Louisiana on November 8, 2023. Per his travel itinerary with BOP, he traveled to Billings, Montana, the same day. Wiberg arrived in Billings that day, but he did not check in with United States Probation on that day, nor did he register under SORNA upon his arrival in Billings. His whereabouts were unknown.

    It was determined through records and witness statements that Wiberg was in Montana for a period of a few weeks after he arrived in Billings. Wiberg traveled to Roundup and then left the state. He never registered in Montana.

    On December 27, 2023, law enforcement received information that Wiberg was staying in Minnesota. Wiberg was subsequently located at a VFW in Forest Lake, Minnesota. He was arrested on a federal warrant for violating his supervised release. Wiberg had not registered in Minnesota.

    The U.S. Attorney’s Office prosecuted the case. The investigation was conducted by the FBI, U.S. Marshals Service, U.S. Probation Office, Yellowstone County Sheriff’s Office and Montana Division of Criminal Investigation.

    XXX

    MIL Security OSI

  • MIL-OSI Security: Chicago Man Convicted of Conspiring to Provide Material Support to Foreign Terrorist Organization

    Source: US FBI

    CHICAGO — A Chicago man was convicted in federal court today of conspiring to provide material support to the Islamic State of Iraq and al-Sham (ISIS) by using social media to encourage attacks on ISIS’s enemies and recruit new ISIS members.

    ASHRAF AL SAFOO was a leader of Khattab Media Foundation, a sophisticated online organization that swore allegiance to ISIS and created and disseminated threats and ISIS propaganda on social media and other online platforms.  Al Safoo and other members of Khattab created and posted pro-ISIS videos, articles, essays, and infographics at the direction of, and in coordination with, ISIS.  Much of Khattab’s propaganda promoted violent jihad on behalf of ISIS, which has been designated by the United States government as a foreign terrorist organization.  In one posting, Al Safoo encouraged Khattab members to post pro-ISIS information “to cause confusion and spread terror within the hearts of those who disbelieved.”  In another posting, Al Safoo wrote, “Work hard, brothers, edit the issue into short clips, take the pictures out of it and publish the efforts of your brothers in the pages of the apostates.  Participate in the war, and spread terror, the [Islamic] State does not want you to watch it only, rather, it incites you, and if you are unable to, use it to incite others.”

    Many of Khattab’s postings included images of violence, celebrations of terrorist attacks and mass shootings in the United States, and encouragement for “lone wolf” attacks in western countries.

    Al Safoo, 41, was arrested in Chicago in 2018.  After a bench trial in U.S. District Court in Chicago in 2025, U.S. District Judge John Robert Blakey today announced his verdicts, finding Al Safoo guilty of one count of conspiracy to provide material support to a foreign terrorist organization, one count of conspiracy to transmit threats in interstate commerce, one count of conspiracy to intentionally access a protected computer without authorization, four counts of intentionally accessing a protected computer without authorization, and four counts of providing material support to a foreign terrorist organization.

    The convictions carry a maximum sentence of 130 years in federal prison.  Judge Blakey set sentencing for Oct. 9, 2025.

    The convictions were announced by Andrew S. Boutros, United States Attorney for the Northern District of Illinois, John A. Eisenberg, Assistant Attorney General for National Security at the Department of Justice, and Douglas S. DePodesta, Special Agent-in-Charge of the Chicago Field Office of the FBI.  The government is represented by Assistant U.S. Attorneys Melody Wells, Barry Jonas, and Thomas P. Peabody of the Northern District of Illinois, and Trial Attorney Andrew J. Dixon of the National Security Division’s Counterterrorism Section.

    “Today’s conviction demonstrates that the safety and security of the American public is always a top priority for me and my entire Office,” said U.S. Attorney Boutros.  “The prosecution of Ashraf Al Safoo is a testament to the vigilance and dedication of our prosecutors and law enforcement partners who stand watch to disrupt and prevent dangerous threats before they materialize.  We will vigorously pursue and bring to justice those who provide material support–in whatever form–to terrorist organizations.”

    “The conviction of Al Safoo affirms the FBI’s strong commitment to protecting and defending the United States from anyone who seeks to harm our citizens,” said FBI Chicago SAC DePodesta.  “Those who willingly associate with terrorist organizations or support violent extremism will be investigated, disrupted, and held accountable.  It is thanks to the FBI Chicago Joint Terrorism Task Force and its partner agencies that our community is safe from those who pose a fundamental threat to our nation.”

    MIL Security OSI

  • MIL-OSI USA: Justice Department Charges Two Individuals with Acting as Agents of the PRC Government

    Source: US State of California

    Arrests Disrupted Clandestine PRC Ministry of State Security Intelligence Network Operating in the United States

    Two nationals of the People’s Republic of China (PRC) made their initial appearances in federal court in Portland, Oregon, and Houston, Texas, yesterday to face charges issued out of the Northern District of California for acting as agents of the Government of the PRC without prior notification to the Attorney General. The defendants, Yuance Chen, 38, a PRC national and legal permanent resident who resides in Happy Valley, Oregon, and Liren “Ryan” Lai, 39, a PRC national who traveled from the PRC to Houston, Texas, on a tourist visa in April 2025, were arrested Friday on a criminal complaint charging them with overseeing and carrying out various clandestine intelligence taskings in the United States on behalf of the PRC Government’s principal foreign intelligence service, the Ministry of State Security (MSS). These activities included facilitating a “dead drop” payment of cash for information relating to the national security of the United States previously provided to the MSS, gathering intelligence about U.S. Navy service members and bases, and assisting with efforts to recruit other individuals from within the U.S. military as potential MSS assets.

    Chen and Lai were arrested on June 27, 2025, by the FBI in Happy Valley, Oregon, and Houston, Texas, as part of a coordinated counterintelligence and law enforcement operation across multiple states.

    “This case underscores the Chinese government’s sustained and aggressive effort to infiltrate our military and undermine our national security from within,” said Attorney General Pamela Bondi. “The Justice Department will not stand by while hostile nations embed spies in our country – we will expose foreign operatives, hold their agents to account, and protect the American people from covert threats to our national security.”

    “The FBI arrested two Chinese nationals who were allegedly attempting to recruit U.S. military service members on behalf of the PRC,” said FBI Director Kash Patel. “The Chinese Communist Party thought they were getting away with their scheme to operate on U.S. soil, utilizing spy craft, like dead drops, to pay their sources. This case was a complex, coordinated effort and is an example of outstanding counterintelligence work done by FBI San Francisco, Portland, Houston, San Diego, and the Counterintelligence Division. The FBI will continue to vigilantly defend the homeland from China’s pervasive attempts to infiltrate our borders.”

    “Adverse foreign intelligence services like the PRC’s Ministry of State Security dedicate years to recruiting individuals and cultivating them as intelligence assets to do their bidding within the United States,” said Assistant Attorney General for National Security John A. Eisenberg. “Under my leadership, the National Security Division will continue to defend our nation and neutralize our adversaries’ clandestine spy networks.”

    “These charges reflect the breadth of the efforts by our foreign adversaries to target the United States — this time by conducting illegal intelligence-gathering operations aimed at our national security information and military service members,” said U.S. Attorney Craig H. Missakian for the Northern District of California. “My office and the FBI remain ever vigilant in guarding against these threats to the United States. We will continue to undertake counterespionage investigations and prosecutions, no matter how complex and sensitive, to disrupt attempts to weaken our national security.”

    As alleged in the criminal complaint unsealed yesterday, the PRC Government conducts intelligence activities against the United States through multiple arms, including the MSS. The MSS handles civilian intelligence collection for the PRC and is responsible for counterintelligence and foreign intelligence, as well as political security. The MSS and its bureaus seek to obtain information on political, economic, and security policies that might affect the PRC, along with military, scientific, and technical information of value to the PRC. The MSS and its bureaus are tasked with conducting clandestine and covert human source operations, of which the United States is a principal target.

    As alleged in the criminal complaint, Lai recruited Chen to work on behalf of the MSS in or about 2021. While in Guangzhou, China, in January 2022, Lai and Chen worked together to facilitate a dead-drop payment of at least $10,000 on behalf of the MSS, working with other individuals located in the United States to leave a backpack with the cash at a day-use locker at a recreational facility located in Livermore, California.

    Following the January 2022 dead drop, Lai and Chen continued to work on behalf of the MSS, including to help identify potential assets for MSS recruitment within the ranks of the U.S. Navy. For example, beginning in 2022, Chen was tasked by Lai and other agents of the MSS to contact a Navy employee over social media, and then later, in 2025, arranged for a tour with the employee of the USS Abraham Lincoln and provided information about the employee to the MSS. In 2022 and 2023, Chen was tasked to visit a U.S. Naval installation in Washington State and a U.S. Navy recruitment center in San Gabriel, California. While in the recruitment center, Chen obtained photographs of a bulletin board containing the names, programs, and hometowns of recent Navy recruits, the majority of whom listed their hometown as “China,” which he appears to have transmitted to an MSS intelligence officer in China. The complaint also alleges that Chen received instruction from the MSS on what to say to potential recruits regarding potential payment that could be made by the MSS, preferred Naval job assignments for potential recruits, and methods for minimizing Chen’s risk of exposure. The complaint alleges that in 2023, Lai flew to the United States from the PRC and provided Chen with a cellphone that Chen then used to communicate with the MSS. The complaint also alleges that Chen traveled to Guangzhou and met with MSS intelligence officers in April 2024 and March 2025 in order to discuss compensation and specific taskings.

    The complaint also alleges that Lai traveled to Houston, Texas, in April 2025, claiming that the purpose of his visit was related to his business as an online retail seller, and that he would be staying in the Houston area for two weeks. However, on May 9, 2025 – more than four weeks after his arrival in the United States – Lai traveled by car with a companion from Houston to Southern California, via New Mexico and Tucson, Arizona, before returning to Texas on May 15, 2025.

    Chen and Lai are charged with violating Title 18, United States Code, Section 951, which makes it a crime for a person to operate or agree to operate within the United States as an agent of a foreign government without notification to the Attorney General of the United States. If convicted, the defendants face a fine of up to $250,000 and a term of imprisonment of up to 10 years.

    The FBI San Francisco Field Office is leading the investigation, with valuable assistance provided by the FBI Portland, Houston, and San Diego Field Offices. The Naval Criminal Investigative Service (NCIS) also provided valuable assistance during the operation. 

    The National Security and Special Prosecutions Section of the U.S. Attorney’s Office for the Northern District of California and the National Security Division’s Counterintelligence and Export Control Section are in charge of the prosecution. Significant operational support and assistance is also being provided by the District of Oregon, the Southern District of Texas, and the Southern District of California.

    A criminal complaint is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

    MIL OSI USA News

  • MIL-OSI USA: Feenstra Commends Trump Administration for Detaining Chinese Nationals Found Spying on U.S. Navy

    Source: United States House of Representatives – Representative Randy Feenstra (IA-04)

    HULL, IOWA – Today, U.S. Rep. Randy Feenstra (R-Hull) issued the following statement commending President Trump and FBI Director Kash Patel for arresting two Chinese nationals found spying on U.S. Navy servicemembers and bases:

    “I commend the Trump administration for arresting two Chinese nationals with ties to the Chinese Communist Party who were spying on U.S. Navy servicemembers and bases. From buying up our farmland to deploying spy balloons in our sovereign airspace, the Chinese Communist Party is no friend of the United States. We will not tolerate foreign espionage that threatens our troops and undermines our national security.”

    ###


  • MIL-OSI Security: Fugitive Cindy Rodriguez Singh, Wanted for Capital Murder in Everman, Texas, Added to the FBI’s List of Ten Most Wanted Fugitives

    Source: US FBI

    On October 31, 2023, Cindy Rodriguez Singh was charged with capital murder in the District Court of Tarrant County, Fort Worth, Texas. On November 2, 2023, a federal arrest warrant was issued for Rodriguez Singh in the U.S. District Court, Northern District of Texas, Fort Worth, Texas, for Unlawful Flight to Avoid Prosecution. On August 29, 2024, the FBI announced a reward of up to $25,000 for information leading to her arrest and conviction. Today, the FBI is increasing that amount and now offering up to a $250,000 reward.

    “The disappearance and suspected death of Noel Alvarez is still fresh in the minds of everyone in Everman as well as throughout North Texas. The addition of Cindy Rodriguez Singh to the FBI’s Ten Most Wanted Fugitives List is an opportunity to bring this case to the eyes and ears of citizens across the country and around the world,” said FBI Dallas Special Agent in Charge R. Joseph Rothrock. “We are confident that this publicity will culminate in her arrest and that she will be returned to the United States to answer for her alleged crimes.”

    “The addition of Cindy Rodriguez Singh to the FBI’s Ten Most Wanted Fugitives list marks a powerful moment in our unrelenting pursuit of justice for Noel. This is a promise we made to him and to this community, that we would never stop until those responsible are held accountable,” said Craig Spencer, former chief of police and current city manager and emergency management coordinator for the city of Everman. “This designation amplifies our reach and renews our focus. We urge anyone, anywhere, with information to come forward now. Noel deserves that much. We are so incredibly thankful to the FBI for their continued effort and support on this incredibly important case.”

    “I deeply appreciate the unwavering dedication of our law enforcement agencies throughout this investigation,” Tarrant County District Attorney Phil Sorrells said. “We are hopeful that Cindy Rodriguez Singh will be apprehended and returned to Tarrant County. My office is committed to delivering justice for Noel.”

    Rodriguez Singh’s last confirmed sighting was on March 22, 2023, as she, her husband, and six juvenile children boarded an international flight to India. She was born in Dallas, Texas, in 1985, and is 40 years old. The fugitive is 5’1” to 5’3” tall, weighs 120 to 140 pounds, has a medium complexion, and has tattoos on her back, both legs, right arm, right hand, and right calf. She has brown eyes and brown hair.

    Rodriguez Singh is believed to have ties to India and Mexico. Additional information and wanted posters in English, Spanish, and Hindi, can be found at this link: https://www.fbi.gov/wanted/topten.

    The FBI’s Ten Most Wanted Fugitives list was established in March 1950. Since its inception, 537 fugitives have appeared on the list and 497 have been apprehended or located—many due to tips from citizens. Since its inception, there have been eight fugitives wanted from the North Texas region placed on the list. In addition, five fugitives that have been placed on the list were arrested in the North Texas region.

    The FBI is offering a reward of up to $250,000 for information leading to the arrest of Cindy Rodriguez Singh. Anyone with information concerning Rodriguez Singh should immediately contact the nearest FBI office or local law enforcement agency.

    Calls can be directed to 1-800-CALL-FBI (1-800-225-5324) or the FBI’s Dallas Field Office at 972-559-5000. Individuals from outside of the United States should contact the nearest U.S. Embassy or Consulate. Tips can also be submitted digitally at tips.fbi.gov. All information can remain anonymous, and confidentiality is guaranteed.

    This fugitive investigation is being conducted by the FBI’s Fort Worth Resident Agency, Everman Police Department, Northeast Tarrant County Child Abduction Response Team, Tarrant County District Attorney’s Office, and Texas Rangers.

    Media Contact:

    Public Affairs Officer, Melinda Urbina Garcia, murbina@fbi.gov

    MIL Security OSI

  • MIL-OSI Security: Justice Department Charges Two Individuals with Acting as Agents of the PRC Government

    Source: United States Attorneys General 7

    Arrests Disrupted Clandestine PRC Ministry of State Security Intelligence Network Operating in the United States

    Two nationals of the People’s Republic of China (PRC) made their initial appearances in federal court in Portland, Oregon, and Houston, Texas, yesterday to face charges issued out of the Northern District of California for acting as agents of the Government of the PRC without prior notification to the Attorney General. The defendants, Yuance Chen, 38, a PRC national and legal permanent resident who resides in Happy Valley, Oregon, and Liren “Ryan” Lai, 39, a PRC national who traveled from the PRC to Houston, Texas, on a tourist visa in April 2025, were arrested Friday on a criminal complaint charging them with overseeing and carrying out various clandestine intelligence taskings in the United States on behalf of the PRC Government’s principal foreign intelligence service, the Ministry of State Security (MSS). These activities included facilitating a “dead drop” payment of cash for information relating to the national security of the United States previously provided to the MSS, gathering intelligence about U.S. Navy service members and bases, and assisting with efforts to recruit other individuals from within the U.S. military as potential MSS assets.

    Chen and Lai were arrested on June 27, 2025, by the FBI in Happy Valley, Oregon, and Houston, Texas, as part of a coordinated counterintelligence and law enforcement operation across multiple states.

    “This case underscores the Chinese government’s sustained and aggressive effort to infiltrate our military and undermine our national security from within,” said Attorney General Pamela Bondi. “The Justice Department will not stand by while hostile nations embed spies in our country – we will expose foreign operatives, hold their agents to account, and protect the American people from covert threats to our national security.”

    “The FBI arrested two Chinese nationals who were allegedly attempting to recruit U.S. military service members on behalf of the PRC,” said FBI Director Kash Patel. “The Chinese Communist Party thought they were getting away with their scheme to operate on U.S. soil, utilizing spy craft, like dead drops, to pay their sources. This case was a complex, coordinated effort and is an example of outstanding counterintelligence work done by FBI San Francisco, Portland, Houston, San Diego, and the Counterintelligence Division. The FBI will continue to vigilantly defend the homeland from China’s pervasive attempts to infiltrate our borders.”

    “Adverse foreign intelligence services like the PRC’s Ministry of State Security dedicate years to recruiting individuals and cultivating them as intelligence assets to do their bidding within the United States,” said Assistant Attorney General for National Security John A. Eisenberg. “Under my leadership, the National Security Division will continue to defend our nation and neutralize our adversaries’ clandestine spy networks.”

    “These charges reflect the breadth of the efforts by our foreign adversaries to target the United States — this time by conducting illegal intelligence-gathering operations aimed at our national security information and military service members,” said U.S. Attorney Craig H. Missakian for the Northern District of California. “My office and the FBI remain ever vigilant in guarding against these threats to the United States. We will continue to undertake counterespionage investigations and prosecutions, no matter how complex and sensitive, to disrupt attempts to weaken our national security.”

    As alleged in the criminal complaint unsealed yesterday, the PRC Government conducts intelligence activities against the United States through multiple arms, including the MSS. The MSS handles civilian intelligence collection for the PRC and is responsible for counterintelligence and foreign intelligence, as well as political security. The MSS and its bureaus seek to obtain information on political, economic, and security policies that might affect the PRC, along with military, scientific, and technical information of value to the PRC. The MSS and its bureaus are tasked with conducting clandestine and covert human source operations, of which the United States is a principal target.

    As alleged in the criminal complaint, Lai recruited Chen to work on behalf of the MSS in or about 2021. While in Guangzhou, China, in January 2022, Lai and Chen worked together to facilitate a dead-drop payment of at least $10,000 on behalf of the MSS, working with other individuals located in the United States to leave a backpack with the cash at a day-use locker at a recreational facility located in Livermore, California.

    Following the January 2022 dead drop, Lai and Chen continued to work on behalf of the MSS, including to help identify potential assets for MSS recruitment within the ranks of the U.S. Navy. For example, beginning in 2022, Chen was tasked by Lai and other agents of the MSS to contact a Navy employee over social media, and then later, in 2025, arranged for a tour with the employee of the USS Abraham Lincoln and provided information about the employee to the MSS. In 2022 and 2023, Chen was tasked to visit a U.S. Naval installation in Washington State and a U.S. Navy recruitment center in San Gabriel, California. While in the recruitment center, Chen obtained photographs of a bulletin board containing the names, programs, and hometowns of recent Navy recruits, the majority of whom listed their hometown as “China,” which he appears to have transmitted to an MSS intelligence officer in China. The complaint also alleges that Chen received instruction from the MSS on what to say to potential recruits regarding potential payment that could be made by the MSS, preferred Naval job assignments for potential recruits, and methods for minimizing Chen’s risk of exposure. The complaint alleges that in 2023, Lai flew to the United States from the PRC and provided Chen with a cellphone that Chen then used to communicate with the MSS. The complaint also alleges that Chen traveled to Guangzhou and met with MSS intelligence officers in April 2024 and March 2025 in order to discuss compensation and specific taskings.

    The complaint also alleges that Lai traveled to Houston, Texas, in April 2025, claiming that the purpose of his visit was related to his business as an online retail seller, and that he would be staying in the Houston area for two weeks. However, on May 9, 2025 – more than four weeks after his arrival in the United States – Lai traveled by car with a companion from Houston to Southern California, via New Mexico and Tucson, Arizona, before returning to Texas, on May 15, 2025.

    Chen and Lai are charged with violating Title 18, United States Code, Section 951, which makes it a crime for a person to operate or agree to operate within the United States as an agent of a foreign government without notification to the Attorney General of the United States. If convicted, the defendants face a fine of up to $250,000 and a term of imprisonment of up to 10 years.

    The FBI San Francisco Field Office is leading the investigation, with valuable assistance provided by the FBI Portland, Houston, and San Diego Field Offices. The Naval Criminal Investigative Service (NCIS) also provided valuable assistance during the operation. 

    The National Security and Special Prosecutions Section of the U.S. Attorney’s Office for the Northern District of California and the National Security Division’s Counterintelligence and Export Control Section are in charge of the prosecution. Significant operational support and assistance is also being provided by the District of Oregon, the Southern District of Texas, and the Southern District of California.

    A criminal complaint is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.


  • MIL-OSI Economics: Jasper Sleet: North Korean remote IT workers’ evolving tactics to infiltrate organizations

    Source: Microsoft


    Since 2024, Microsoft Threat Intelligence has observed remote information technology (IT) workers deployed by North Korea leveraging AI to improve the scale and sophistication of their operations, steal data, and generate revenue for the Democratic People’s Republic of Korea (DPRK). The changes noted in the North Korean remote IT worker tactics, techniques, and procedures (TTPs) include the use of AI tools to replace images in stolen employment and identity documents and to enhance North Korean IT worker photos to make them appear more professional. We’ve also observed that they’ve been utilizing voice-changing software.

    North Korea has deployed thousands of remote IT workers to assume jobs in software and web development as part of a revenue generation scheme for the North Korean government. These highly skilled workers are most often located in North Korea, China, and Russia, and use tools such as virtual private networks (VPNs) and remote monitoring and management (RMM) tools together with witting accomplices to conceal their locations and identities.

    Historically, North Korea’s fraudulent remote worker scheme has focused on targeting United States (US) companies in the technology, critical manufacturing, and transportation sectors. However, we’ve observed North Korean remote workers evolving to broaden their scope to target various industries globally that offer technology-related roles. Since 2020, the US government and cybersecurity community have identified thousands of North Korean workers infiltrating companies across various industries.

    Organizations can protect themselves from this threat by implementing stricter pre-employment vetting measures and creating policies to block unapproved IT management tools. For example, when evaluating potential employees, employers and recruiters should ensure that the candidates’ social media and professional accounts are unique and verify their contact information and digital footprint. Organizations should also be particularly cautious with staffing company employees, check for consistency in resumes, and use video calls to confirm a worker’s identity.

    Microsoft Threat Intelligence tracks North Korean IT remote worker activity as Jasper Sleet (formerly known as Storm-0287). We also track several other North Korean activity clusters that pursue fraudulent employment using similar techniques and tools, including Storm-1877 and Moonstone Sleet. To disrupt this activity and protect our customers, we’ve suspended 3,000 known Microsoft consumer accounts (Outlook/Hotmail) created by North Korean IT workers. We have also implemented several detections to alert our customers of this activity through Microsoft Entra ID Protection and Microsoft Defender XDR as noted at the end of this blog. As with any observed nation-state threat actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments. As we continue to observe more attempts by threat actors to leverage AI, not only do we report on them, but we also have principles in place to take action against them.

    This blog provides additional information on the North Korean remote IT worker operations we published previously, including Jasper Sleet’s usual TTPs to secure employment, such as using fraudulent identities and facilitators. We also provide recent observations regarding their use of AI tools. Finally, we share detailed guidance on how to investigate, monitor, and remediate possible North Korean remote IT worker activity, as well as detections and hunting capabilities to surface this threat.

    From North Korea to the world: The remote IT workforce

    Since at least early 2020, Microsoft has tracked a global operation conducted by North Korea in which skilled IT workers apply for remote job opportunities to generate revenue and support state interests. These workers present themselves as foreign (non-North Korean) or domestic-based teleworkers and use a variety of fraudulent means to bypass employment verification controls.

    North Korea’s fraudulent remote worker scheme has since evolved, establishing itself as a well-developed operation that has allowed North Korean remote workers to infiltrate technology-related roles across various industries. In some cases, victim organizations have even reported that remote IT workers were some of their most talented employees. Historically, this operation has focused on applying for IT, software development, and administrator positions in the technology sector. Such positions provide North Korean threat actors access to highly sensitive information to conduct information theft and extortion, among other operations.

    North Korean IT workers are a multifaceted threat because not only do they generate revenue for the North Korean regime, which violates international sanctions, they also use their access to steal sensitive intellectual property, source code, or trade secrets. In some cases, these North Korean workers even extort their employer into paying them in exchange for not publicly disclosing the company’s data.

    Between 2020 and 2022, the US government found that over 300 US companies in multiple industries, including several Fortune 500 companies, had unknowingly employed these workers, indicating the magnitude of this threat. The workers also attempted to gain access to information at two government agencies. Since then, the cybersecurity community has continued to detect thousands of North Korean workers. On January 3, 2025, the Justice Department released an indictment identifying two North Korean nationals and three facilitators responsible for conducting fraudulent work between 2018 and 2024. The indicted individuals generated a revenue of at least US$866,255 from only ten of the at least 64 infiltrated US companies.

    North Korean threat actors are evolving across the threat landscape to incorporate more sophisticated tactics and tools to conduct malicious employment-related activity, including the use of custom and AI-enabled software.

    Tactics and techniques

    The tactics and techniques employed by North Korean remote IT workers involve a sophisticated ecosystem of crafting fake personas, performing remote work, and securing payments. North Korean IT workers apply for remote roles, in various sectors, at organizations across the globe.

    They create, rent, or procure stolen identities that match the geo-location of their target organizations (for example, they would establish a US-based identity to apply for roles at US-based companies), create email accounts and social media profiles, and establish legitimacy through fake portfolios and profiles on developer platforms like GitHub and LinkedIn. Additionally, they leverage AI tools to enhance their operations, including image creation and voice-changing software. Facilitators play a crucial role in validating fraudulent identities and managing logistics, such as forwarding company hardware and creating accounts on freelance job websites. To evade detection, these workers use VPNs, virtual private servers (VPSs), and proxy services as well as RMM tools to connect to a device housed at a facilitator’s laptop farm located in the country of the job.

    Figure 1. The North Korean IT worker ecosystem

    Crafting fake personas and profiles

    The North Korean remote IT worker fraud scheme begins with the procurement of identities for the workers. These identities, which can be stolen or “rented” from witting individuals, include names, national identification numbers, and dates of birth. The workers might also leverage services that generate fraudulent identities, complete with seemingly legitimate documentation, to fabricate their personas. They then create email accounts and social media pages they use to apply for jobs, often indirectly through staffing or contracting companies. They also apply for freelance opportunities through freelancer sites as an additional avenue for revenue generation. Notably, they often use the same names/profiles repeatedly rather than creating unique personas for each successful infiltration.

    Additionally, the North Korean IT workers have used fake profiles on LinkedIn to communicate with recruiters and apply for jobs.

    Figure 2. An example of a North Korean IT worker LinkedIn profile that has since been taken down.

    The workers tailor their fake resumes and profiles to match the requirements for specific remote IT positions, thus increasing their chances of getting selected. Over time, we’ve observed these fake resumes and employee documents noticeably improving in quality: facilitated by AI, they now appear more polished and lack grammatical errors.

    After creating their fake personas, the North Korean IT workers then attempt to establish legitimacy by creating digital footprints for these fake personas. They typically leverage communication, networking, and developer platforms (for example, GitHub) to showcase their supposed portfolio of previous work samples:

    Figure 3. Example profile used by a North Korean IT worker that has since been taken down.

    Using AI to improve operations

    Microsoft Threat Intelligence has observed North Korean remote IT workers leveraging AI to improve the quantity and quality of their operations. For example, in October 2024, we found a public repository containing actual and AI-enhanced images of suspected North Korean IT workers:

    Figure 4. Photos of potential North Korean IT workers

    The repository also contained the resumes and email accounts used by the said workers, along with the following tools and resources they can use to secure employment and to do their work:

    • VPS and VPN accounts, along with specific VPS IP addresses
    • Playbooks on conducting identity theft and creating and bidding jobs on freelancer websites
    • Wallet information and suspected payments made to facilitators
    • LinkedIn, GitHub, Upwork, TeamViewer, Telegram, and Skype accounts
    • Tracking sheet of work performed, and payments received by the IT workers

    Image creation

    Based on our review of the repository mentioned previously, North Korean IT workers appear to conduct identity theft and then use AI tools like Faceswap to move their pictures over to the stolen employment and identity documents. The attackers also use these AI tools to take pictures of the workers and move them to more professional looking settings. The workers then use these AI-generated pictures on one or more resumes or profiles when applying for jobs.

    Figure 5. Use of AI apps to modify photos used for North Korean IT workers’ resumes and profiles
    Figure 6. Examples of resumes for North Korean IT workers. These two resumes use different versions of the same photo.

    Communications

    Microsoft Threat Intelligence has observed that North Korean IT workers are also experimenting with other AI technologies such as voice-changing software. While we haven’t observed threat actors using combined AI voice and video products as a tactic first hand, we do recognize that combining these technologies could allow future threat actor campaigns to trick interviewers into thinking they aren’t communicating with a North Korean IT worker. If successful, this tactic could allow the North Korean IT workers to do interviews directly and no longer rely on facilitators standing in for them on interviews or selling them account access.

    Facilitators for initial access

    North Korean remote IT workers require assistance from a witting facilitator to help find jobs, pass the employment verification process, and once hired, successfully work remotely. We’ve observed Jasper Sleet advertising job opportunities for facilitator roles under the guise of partnering with a remote job candidate to help secure an IT role in a competitive market:

    Figure 7. Example of a job opportunity for a facilitator role

    The IT workers may have the facilitators assist in creating accounts on remote and freelance job websites. They might also ask the facilitator to perform the following tasks as their relationship builds:

    • Create a bank account for the North Korean IT worker, or lend their (the facilitator’s) own account to the worker
    • Purchase mobile phone numbers or SIM cards

    During the employment verification process, the witting accomplice helps the North Korean IT workers validate the latter’s fraudulent identities using online background check service providers. The documents submitted by the workers include fake or stolen drivers’ licenses, social security cards, passports, and permanent resident identification cards. Workers train using interview scripts, which include a justification for why the employee must work remotely.

    Once hired, the remote workers direct company laptops and hardware to be sent to the address of the accomplice. The accomplice then either runs a laptop farm that provides the laptops with an internet connection at the geo-location of the role or forwards the items internationally. For hardware that remains in the country of the role, the accomplice signs into the computers and installs software that enables the workers to connect remotely. Remote IT workers might also access devices remotely using IP-based KVM devices, like PiKVM or TinyPilot.

    Defense evasion and persistence

    To conceal their physical location as well as maintain persistence and blend into the target organization’s environment, the workers typically use VPNs (particularly Astrill VPN), VPSs, proxy services, and RMM tools. Microsoft Threat Intelligence has observed the persistent use of JumpConnect, TinyPilot, Rust Desk, TeamViewer, AnyViewer, and Anydesk. When an in-person presence or face-to-face meeting is required, for example to confirm banking information or attend a meeting, the workers have been known to pay accomplices to stand in for them. When possible, however, the workers eliminate all face-to-face contact, offering fraudulent excuses for why they are not on camera during video teleconferencing calls or speaking.

    Attribution

    Microsoft Threat Intelligence uses the name Jasper Sleet (formerly known as Storm-0287) to represent activity associated with North Korea’s remote IT worker program. These workers are primarily focused on revenue generation, use remote access tools, and likely fall under a particular leadership structure in North Korea. We also track several other North Korean activity clusters that pursue fraudulent employment using similar techniques and tools, including Storm-1877 and Moonstone Sleet.

    How Microsoft disrupts North Korean remote IT worker operations with machine learning

    Microsoft has successfully scaled analyst tradecraft to accelerate the identification and disruption of North Korean IT workers in customer environments by developing a custom machine learning solution. This has been achieved by leveraging Microsoft’s existing threat intelligence and weak signals generated by monitoring for many of the red flags listed in this blog, among others. For example, this solution uses impossible time travel risk detections, most commonly between a Western nation and China or Russia. The machine learning workflow uses these features to surface suspect accounts most likely to be North Korean IT workers for assessment by Microsoft Threat Intelligence analysts.

    Once Microsoft Threat Intelligence reviews and confirms that an account is indeed associated with a North Korean IT worker, customers are then notified with a Microsoft Entra ID Protection risk detection warning of a risky sign-in based on Microsoft’s threat intelligence. Microsoft Defender XDR customers also receive the alert “Sign-in activity by a suspected North Korean entity” in the Microsoft Defender portal.

    Defending against North Korean remote IT worker infiltration

    Defending against the threats from North Korean remote IT workers involves a threefold strategy:

    • Ensuring a proper vetting approach is in place for freelance workers and vendors
    • Monitoring for anomalous user activity
    • Responding to suspected Jasper Sleet signals in close coordination with your insider risk team

    Investigate

    How can you identify a North Korean remote IT worker in the hiring process?

    To protect your organization against a potential North Korean insider threat, it is important for your organization to prioritize a process for verifying employees to identify potential risks. The following can be used to assess potential employees:

    • Confirm the potential employee has a digital footprint and look for signs of authenticity. This includes a real phone number (not VoIP), a residential address, and social media accounts. Ensure the potential employee’s social media/professional accounts are not highly similar to the accounts of other individuals. In addition, check that the contact phone number listed on the potential employee’s account is unique and not also used by other accounts.
    • Scrutinize resumes and background checks for consistency of names, addresses, and dates. Consider contacting references by phone or video-teleconference rather than email only.
    • Exercise greater scrutiny for employees of staffing companies, since this is the easiest avenue for North Korean workers to infiltrate target companies.
    • Search whether a potential employee is employed at multiple companies using the same persona.
    • Ensure the potential employee is seen on camera during multiple video telecommunication sessions. If the potential employee reports video and/or microphone issues that prohibit participation, this should be considered a red flag.
    • During video verification, request individuals to physically hold driver’s licenses, passports, or identity documents up to camera.
    • Keep records, including recordings of video interviews, of all interactions with potential employees.
    • Require notarized proof of identity.

    Monitor

    How can your organization prevent falling victim to the North Korean remote IT worker technique?

    To prevent the risks associated with North Korean insider threats, it’s vital to monitor for activity typically associated with this fraudulent scheme.

    Monitor for identifiable characteristics of North Korean remote workers

    Microsoft has identified the following characteristics of a North Korean remote worker. Note that not all the criteria are necessarily required, and further, a positive identification of a remote worker doesn’t guarantee that the worker is North Korean.

    • The employee lists a Chinese phone number on social media accounts that is used by other accounts.
    • The worker’s work-issued laptop authenticates from an IP address of a known North Korean IT worker laptop farm, or from foreign—most commonly Chinese or Russian—IP addresses even though the worker is supposed to have a different work location.
    • The worker is employed at multiple companies using the same persona. Employees of staffing companies require heightened scrutiny, given this is the easiest way for North Korean workers to infiltrate target companies.
    • Once a laptop is issued to the worker, RMM software is immediately downloaded onto it and used in combination with a VPN.
    • The worker has never been seen on camera during a video telecommunication session or is only seen a few times. The worker may also report video and/or microphone issues that prohibit participation from the start.
    • The worker’s online activity doesn’t align with routine co-worker hours, with limited engagement across approved communication platforms.

    Monitor for activity associated with Jasper Sleet access

    • If RMM tools are used in your environment, enforce security settings where possible, to implement MFA:
      • If an unapproved installation is discovered, reset passwords for accounts used to install the RMM services. If a system-level account was used to install the software, further investigation may be warranted.
    • Monitor for impossible travel—for example, a supposedly US-based employee signing in from China or Russia.
    • Monitor for use of public VPNs such as Astrill. For example, IP addresses associated with VPNs known to be used by Jasper Sleet can be added to Sentinel watchlists. Or, Microsoft Defender for Identity can integrate with your VPN solution to provide more information about user activity, such as extra detection for abnormal VPN connections.
    • Monitor for signals of insider threats in your environment. Microsoft Purview Insider Risk Management can help identify potentially malicious or inadvertent insider risks.
    • Monitor for consistent user activity outside of typical working hours.
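
    Three of the sign-in checks listed above (impossible travel, source IPs on a VPN watchlist, and consistent off-hours activity), sketched as an added example that is not part of the original post. The record layout, watchlist range, thresholds, and sample sign-ins are all constructed assumptions.

```python
"""Triage sign-in records for impossible travel, VPN-watchlist source IPs,
and consistent off-hours activity. All data and thresholds are constructed."""
import ipaddress
import math
from collections import defaultdict
from datetime import datetime, timezone
from typing import NamedTuple


class SignIn(NamedTuple):
    user: str
    time: datetime
    ip: str
    country: str
    lat: float
    lon: float


# Assumptions: a documentation range stands in for watchlisted VPN egress IPs.
VPN_WATCHLIST = [ipaddress.ip_network("203.0.113.0/24")]
MAX_SPEED_KMH = 900             # roughly airliner cruise speed
MIN_DISTANCE_KM = 500           # ignore geo-IP jitter between nearby cities
WORK_HOURS_UTC = range(13, 23)  # assumed team working hours, in UTC
OFF_HOURS_RATIO = 0.8           # share of sign-ins outside working hours
MIN_SIGNINS = 4                 # do not judge hours on too little data


def _rec(user, ts, ip, country, lat, lon):
    when = datetime.fromisoformat(ts).astimezone(timezone.utc)
    return SignIn(user, when, ip, country, lat, lon)


# Constructed sample sign-ins (documentation IP ranges, example.com users).
SIGNINS = [
    _rec("alice@example.com", "2025-06-02T14:05:00+00:00", "192.0.2.10", "US", 40.71, -74.01),
    _rec("alice@example.com", "2025-06-03T13:40:00+00:00", "192.0.2.10", "US", 40.71, -74.01),
    _rec("alice@example.com", "2025-06-04T15:10:00+00:00", "192.0.2.10", "US", 40.71, -74.01),
    _rec("alice@example.com", "2025-06-05T20:30:00+00:00", "192.0.2.10", "US", 40.71, -74.01),
    _rec("bob@example.com", "2025-06-02T14:00:00+00:00", "192.0.2.20", "US", 40.71, -74.01),
    _rec("bob@example.com", "2025-06-02T15:30:00+00:00", "198.51.100.5", "CN", 41.80, 123.43),
    _rec("carol@example.com", "2025-06-02T03:10:00+00:00", "203.0.113.7", "US", 47.61, -122.33),
    _rec("carol@example.com", "2025-06-03T04:20:00+00:00", "203.0.113.7", "US", 47.61, -122.33),
    _rec("carol@example.com", "2025-06-04T05:00:00+00:00", "203.0.113.9", "US", 47.61, -122.33),
    _rec("carol@example.com", "2025-06-05T03:45:00+00:00", "203.0.113.7", "US", 47.61, -122.33),
    _rec("carol@example.com", "2025-06-05T16:00:00+00:00", "192.0.2.30", "US", 47.61, -122.33),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def by_user(events):
    """Group events per user, ordered by time."""
    grouped = defaultdict(list)
    for e in sorted(events, key=lambda e: e.time):
        grouped[e.user].append(e)
    return grouped


def impossible_travel(events):
    """Consecutive sign-ins whose implied speed exceeds MAX_SPEED_KMH."""
    findings = []
    for user, evs in by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < MIN_DISTANCE_KM:
                continue
            # Floor the interval at one minute so simultaneous sign-ins
            # from distant places are flagged instead of dividing by zero.
            hours = max((cur.time - prev.time).total_seconds() / 3600, 1 / 60)
            if dist / hours > MAX_SPEED_KMH:
                findings.append((user, prev.country, cur.country, round(dist / hours)))
    return findings


def vpn_watchlist_hits(events):
    """(user, ip) pairs whose source address falls in a watchlisted range."""
    hits = set()
    for e in events:
        addr = ipaddress.ip_address(e.ip)
        if any(addr in net for net in VPN_WATCHLIST):
            hits.add((e.user, e.ip))
    return sorted(hits)


def off_hours_users(events):
    """Users whose sign-ins fall mostly outside WORK_HOURS_UTC."""
    flagged = {}
    for user, evs in by_user(events).items():
        if len(evs) < MIN_SIGNINS:
            continue
        ratio = sum(e.time.hour not in WORK_HOURS_UTC for e in evs) / len(evs)
        if ratio >= OFF_HOURS_RATIO:
            flagged[user] = ratio
    return flagged


def triage(events):
    """Map each flagged user to the sorted list of signals that fired."""
    reasons = defaultdict(set)
    for user, *_ in impossible_travel(events):
        reasons[user].add("impossible_travel")
    for user, _ip in vpn_watchlist_hits(events):
        reasons[user].add("vpn_watchlist")
    for user in off_hours_users(events):
        reasons[user].add("off_hours")
    return {u: sorted(r) for u, r in sorted(reasons.items())}


if __name__ == "__main__":
    for user, why in triage(SIGNINS).items():
        print(user, why)
```

    A hit on any one signal is a prompt for review rather than an identification, consistent with the note above that not all criteria are required and that a match doesn't guarantee the worker is North Korean.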

    Remediate

    What are the next steps if you positively identify a North Korean remote IT worker employed at your company?

    Because Jasper Sleet activity follows legitimate job offers and authorized access, Microsoft recommends approaching confirmed or suspected Jasper Sleet intrusions with an insider risk approach using your organization’s insider risk response plan or incident response provider like Microsoft Incident Response. Some steps might include:

    • Restrict response efforts to a small, trusted insider risk working group, trained in operational security (OPSEC) to avoid tipping off subjects and potential collaborators.
    • Rapidly evaluate the subject’s proximity to critical assets, such as:
      • Leadership or sensitive teams
      • Direct reports or vendor staff the subject has influence over
      • Suppliers or vendors
      • People/non-people accounts, production/pre-production environments, shared accounts, security groups, third-party accounts, distribution groups, data clusters, and more
    • Conduct preliminary link analysis to:
      • Detect relationships with potential collaborators, supporters, or other potential aliases operated by the same actor
      • Identify shared indicators (for example, shared IP addresses, behavioral overlap)
      • Avoid premature action that might alert other Jasper Sleet operators
    • Conduct a risk-based prioritization of efforts, informed by:
      • Placement and access to critical assets (not necessarily where you identified them)
      • Stakeholder insight from potentially impacted business units
      • Business impact considerations of containment (which might support additional collection/analysis) or mitigation (for example, eviction)
    • Conduct open-source intelligence (OSINT) collection and analysis to:
      • Determine if the identity associated with the threat actor is associated with a real person. For example, North Korean IT workers have leveraged stolen identities of real US persons to facilitate their fraud. Conduct OSINT on all available personally identifiable information (PII) provided by the actor (name, date of birth, SSN, home of record, phone number, emergency contact, and others) and determine if these items are linked to additional North Korean actors, and/or real persons’ identities.
      • Gather all known external accounts operated by the alias/persona (for example, LinkedIn, GitHub, freelance working sites, bug bounty programs).
      • Perform analysis on account images using open-source tools such as FaceForensics++ to determine prevalence of AI-generated content. Detection opportunities within video and imagery include: 
        • Temporal consistency issues: Rapid movements cause noticeable artifacts in video deepfakes as the tracking system struggles to maintain accurate landmark positioning. 
        • Occlusion handling: When objects pass over the AI-generated content such as the face, deepfake systems tend to fail at properly reconstructing the partially obscured face.
        • Lighting adaptation: Changes in lighting conditions might reveal inconsistencies in the rendering of the face.
        • Audio-visual synchronization: Slight delays between lip movements and speech are detectable under careful observation.
        • Exaggerated facial expressions.
        • Duplicative or improperly placed appendages.
        • Pixelation or tearing at edges of face, eyes, ears, and glasses.
    • Engage counterintelligence or insider risk/threat teams to:
      • Understand tradecraft and likely next steps
      • Gain national-level threat context, if applicable
    • Make incremental, risk-based investigative and response decisions with the support of your insider threat working group and your insider threat stakeholder group; one providing tactical feedback and the other providing risk tolerance feedback.
    • Preserve evidence and document findings.
    • Share lessons learned and increase awareness.
    • Educate employees on the risks associated with insider threats and provide regular security training for employees to recognize and respond to threats, including a section on the unique threat posed by North Korean IT workers.

    After an insider risk response to Jasper Sleet, it might be necessary to also conduct a thorough forensic investigation of all systems that the employee had access to for indicators of persistence, such as RMM tools or system/resource modifications.

    For additional resources, refer to CISA’s Insider Threat Mitigation Guide. If you suspect your organization is being targeted by nation-state cyber activity, report it to the appropriate national authority. For US-based organizations, the Federal Bureau of Investigation (FBI) recommends reporting North Korean remote IT worker activity to the Internet Crime Complaint Center (IC3).

    Microsoft Defender XDR detections

    Microsoft Defender XDR customers can refer to the list of applicable detections below. Microsoft Defender XDR coordinates detection, prevention, investigation, and response across endpoints, identities, email, and apps to provide integrated protection against attacks like the threat discussed in this blog.

    Customers with provisioned access can also use Microsoft Security Copilot in Microsoft Defender to investigate and respond to incidents, hunt for threats, and protect their organization with relevant threat intelligence.

    Microsoft Defender XDR

    Alerts with the following titles in the security center can indicate threat activity on your network:

    • Sign-in activity by a suspected North Korean entity

    Microsoft Defender for Endpoint

    Alerts with the following titles in the security center can indicate Jasper Sleet RMM activity on your network. These alerts, however, can be triggered by unrelated threat activity.

    • Suspicious usage of remote management software
    • Suspicious connection to remote access software

    Microsoft Defender for Identity

    Alerts with the following titles in the security center can indicate atypical identity access on your network. These alerts, however, can be triggered by unrelated threat activity.

    • Atypical travel
    • Suspicious behavior: Impossible travel activity

    Microsoft Entra ID Protection

    Microsoft Entra ID Protection risk detections inform Entra ID user risk events and can indicate associated threat activity, including unusual user activity consistent with known patterns identified by Microsoft Threat Intelligence research. Note, however, that these alerts can also be triggered by unrelated threat activity.

    • Microsoft Entra threat intelligence (sign-in): (RiskEventType: investigationsThreatIntelligence)

    Microsoft Defender for Cloud Apps

    Alerts with the following titles in the security center can indicate atypical identity access on your network. These alerts, however, can be triggered by unrelated threat activity.

    • Impossible travel activity

    Microsoft Security Copilot

    Security Copilot customers can use the standalone experience to create their own prompts or run the following pre-built promptbooks to automate incident response or investigation tasks related to this threat:

    • Incident investigation
    • Microsoft User analysis
    • Threat actor profile

    Note that some promptbooks require access to plugins for Microsoft products such as Microsoft Defender XDR or Microsoft Sentinel.

    Hunting queries

    Microsoft Defender XDR

    Because organizations might have legitimate and frequent uses for RMM software, we recommend using the Microsoft Defender XDR advanced hunting queries available on GitHub to locate RMM software that hasn’t been endorsed by your organization for further investigation. In some cases, these results might include benign activity from legitimate users. Regardless of use case, all newly installed RMM instances should be scrutinized and investigated.

    If any queries have high fidelity for discovering unsanctioned RMM instances in your environment, and don’t detect benign activity, you can create a custom detection rule from the advanced hunting query in the Microsoft Defender portal. 

    Microsoft Sentinel

    The alert Insider Risk Sensitive Data Access Outside Organizational Geo-location joins Azure Information Protection logs (InformationProtectionLogs_CL) with Microsoft Entra ID sign-in logs (SigninLogs) to provide a correlation of sensitive data access by geo-location. Results include:

    • User principal name
    • Label name
    • Activity
    • City
    • State
    • Country/Region
    • Time generated

    The recommended configuration is to include (or exclude) sign-in geo-locations (city, state, country and/or region) for trusted organizational locations. There is an option for configuration of correlations against Microsoft Sentinel watchlists. Accessing sensitive data from a new or unauthorized geo-location warrants further review.

    Acknowledgments

    For more information on North Korean remote IT worker operations, we recommend reviewing DTEX’s in-depth analysis in the report Exposing DPRK’s Cyber Syndicate and IT Workforce.

    MIL OSI Economics

  • MIL-OSI USA: Justice Department Announces Coordinated, Nationwide Actions to Combat North Korean Remote Information Technology Workers’ Illicit Revenue Generation Schemes

    Source: US State of North Dakota

    Law Enforcement Actions Across 16 States Result in Charges, Arrest, and Seizures of 29 Financial Accounts, 21 Fraudulent Websites, and Approximately 200 Computers

    The Justice Department announced today coordinated actions against the Democratic People’s Republic of North Korea (DPRK) government’s schemes to fund its regime through remote information technology (IT) work for U.S. companies. These actions include two indictments, an arrest, searches of 29 known or suspected “laptop farms” across 16 states, and the seizure of 29 financial accounts used to launder illicit funds and 21 fraudulent websites.

    According to court documents, the schemes involve North Korean individuals fraudulently obtaining employment with U.S. companies as remote IT workers, using stolen and fake identities. The North Korean actors were assisted by individuals in the United States, China, United Arab Emirates, and Taiwan, and successfully obtained employment with more than 100 U.S. companies.

    As alleged in court documents, certain U.S.-based individuals enabled one of the schemes by creating front companies and fraudulent websites to promote the bona fides of the remote IT workers, and hosted laptop farms where the remote North Korean IT workers could remote access into U.S. victim company-provided laptop computers. Once employed, the North Korean IT workers received regular salary payments, and they gained access to, and in some cases stole, sensitive employer information such as export controlled U.S. military technology and virtual currency. In another scheme, North Korean IT workers used false or fraudulently obtained identities to gain employment with an Atlanta, Georgia-based blockchain research and development company and stole virtual currency worth approximately over $900,000.

    “These schemes target and steal from U.S. companies and are designed to evade sanctions and fund the North Korean regime’s illicit programs, including its weapons programs,” said Assistant Attorney General John A. Eisenberg of the Department’s National Security Division. “The Justice Department, along with our law enforcement, private sector, and international partners, will persistently pursue and dismantle these cyber-enabled revenue generation networks.”

    “North Korean IT workers defraud American companies and steal the identities of private citizens, all in support of the North Korean regime,” said Assistant Director Brett Leatherman of FBI’s Cyber Division. “That is why the FBI and our partners continue to work together to disrupt infrastructure, seize revenue, indict overseas IT workers, and arrest their enablers in the United States. Let the actions announced today serve as a warning: if you host laptop farms for the benefit of North Korean actors, law enforcement will be waiting for you.”

    “North Korea remains intent on funding its weapons programs by defrauding U.S. companies and exploiting American victims of identity theft, but the FBI is equally intent on disrupting this massive campaign and bringing its perpetrators to justice,” said Assistant Director Roman Rozhavsky of the FBI Counterintelligence Division. “North Korean IT workers posing as U.S. citizens fraudulently obtained employment with American businesses so they could funnel hundreds of millions of dollars to North Korea’s authoritarian regime. The FBI will do everything in our power to defend the homeland and protect Americans from being victimized by the North Korean government, and we ask all U.S. companies that employ remote workers to remain vigilant to this sophisticated threat.”

    Zhenxing Wang, et al. Indictment, Seizure Warrants, and Arrest – District of Massachusetts

    Today, the United States Attorney’s Office for the District of Massachusetts and the National Security Division announced the arrest of U.S. national Zhenxing “Danny” Wang of New Jersey pursuant to a five-count indictment. The indictment describes a multi-year fraud scheme by Wang and his co-conspirators to obtain remote IT work with U.S. companies that generated more than $5 million in revenue. The indictment also charges Chinese nationals Jing Bin Huang (靖斌 黄), Baoyu Zhou (周宝玉), Tong Yuze (佟雨泽), Yongzhe Xu (徐勇哲 and يونجزهي أكسو), Ziyou Yuan (زيو) and Zhenbang Zhou (周震邦), and Taiwanese nationals Mengting Liu (劉 孟婷) and Enchia Liu (刘恩) for their roles in the scheme.

    “The threat posed by DPRK operatives is both real and immediate. Thousands of North Korean cyber operatives have been trained and deployed by the regime to blend into the global digital workforce and systematically target U.S. companies,” said U.S. Attorney Leah B. Foley for the District of Massachusetts. “We will continue to work relentlessly to protect U.S. businesses and ensure they are not inadvertently fueling the DPRK’s unlawful and dangerous ambitions.”

    According to the indictment, from approximately 2021 until October 2024, the defendants and other co-conspirators compromised the identities of more than 80 U.S. persons to obtain remote jobs at more than 100 U.S. companies, including many Fortune 500 companies, and caused U.S. victim companies to incur legal fees, computer network remediation costs, and other damages and losses of at least $3 million. Overseas IT workers were assisted by Kejia Wang, Zhenxing Wang, and at least four other identified U.S. facilitators. Kejia Wang, for example, communicated with overseas co-conspirators and IT workers, and traveled to Shenyang and Dandong, China, including in 2023, to meet with them about the scheme. To deceive U.S. companies into believing the IT workers were located in the United States, Kejia Wang, Zhenxing Wang, and the other U.S. facilitators received and/or hosted laptops belonging to U.S. companies at their residences, and enabled overseas IT workers to access the laptops remotely by, among other things, connecting the laptops to hardware devices designed to allow for remote access (referred to as keyboard-video-mouse or “KVM” switches).

    Kejia Wang and Zhenxing Wang also created shell companies with corresponding websites and financial accounts, including Hopana Tech LLC, Tony WKJ LLC, and Independent Lab LLC, to make it appear as though the overseas IT workers were affiliated with legitimate U.S. businesses. Kejia Wang and Zhenxing Wang established these and other financial accounts to receive money from victimized U.S. companies, much of which was subsequently transferred to overseas co‑conspirators. In exchange for their services, Kejia Wang, Zhenxing Wang, and the four other U.S. facilitators received a total of at least $696,000 from the IT workers.

    IT workers employed under this scheme also gained access to sensitive employer data and source code, including International Traffic in Arms Regulations (ITAR) data from a California-based defense contractor that develops artificial intelligence-powered equipment and technologies. Specifically, between on or about Jan. 19, 2024, and on or about April 2, 2024, an overseas co-conspirator remotely accessed without authorization the company’s laptop and computer files containing technical data and other information. The stolen data included information marked as being controlled under the ITAR.

    Simultaneously with today’s announcement, the FBI and Defense Criminal Investigative Service (DCIS) seized 17 web domains used in furtherance of the charged scheme and further seized 29 financial accounts, holding tens of thousands of dollars in funds, used to launder revenue for the North Korean regime through the remote IT work scheme.

    Previously, in October 2024, as part of this investigation, federal law enforcement executed searches at eight locations across three states that resulted in the recovery of more than 70 laptops and remote access devices, such as KVMs. Simultaneously with that action, the FBI seized four web domains associated with Kejia Wang’s and Zhenxing Wang’s shell companies used to facilitate North Korean IT work.

    The FBI Las Vegas Field Office, DCIS San Diego Resident Agency, and Homeland Security Investigations San Diego Field Office are investigating the case.

    Assistant U.S. Attorney Jason Casey for the District of Massachusetts and Trial Attorney Gregory J. Nicosia, Jr. of the National Security Division’s National Security Cyber Section are prosecuting the case, with significant assistance from Legal Assistants Daniel Boucher and Margaret Coppes. Valuable assistance was also provided by Mark A. Murphy of the National Security Division’s Counterintelligence and Export Control Section and the U.S. Attorneys’ Offices for the District of New Jersey, Eastern District of New York, and Southern District of California.

    Kim Kwang Jin et al. Indictment – Northern District of Georgia

    Today, the Northern District of Georgia unsealed a five-count wire fraud and money laundering indictment charging four North Korean nationals, Kim Kwang Jin (김관진), Kang Tae Bok (강태복), Jong Pong Ju (정봉주) and Chang Nam Il (창남일), with a scheme to steal virtual currency from two companies, valued at over $900,000 at the time of the thefts, and to launder proceeds of those thefts. The defendants remain at large and wanted by the FBI.

    “The defendants used fake and stolen personal identities to conceal their North Korean nationality, pose as remote IT workers, and exploit their victims’ trust to steal hundreds of thousands of dollars,” said U.S. Attorney Theodore S. Hertzberg for the Northern District of Georgia. “This indictment highlights the unique threat North Korea poses to companies that hire remote IT workers and underscores our resolve to prosecute any actor, in the United States or abroad, who steals from Georgia businesses.”

    According to the indictment, the defendants traveled to the United Arab Emirates on North Korean travel documents and worked as a co-located team. In approximately December 2020 and May 2021, respectively, Kim Kwang Jin (using victim P.S.’s stolen identity) and Jong Pong Ju (using the alias “Bryan Cho”) were hired by a blockchain research and development company headquartered in Atlanta, Georgia, and a virtual token company based in Serbia. Both defendants concealed their North Korean identities from their employers by providing false identification documents containing a mix of stolen and fraudulent identity information. Neither company would have hired Kim Kwang Jin and Jong Pong Ju had they known that they were North Korean citizens. Later, on a recommendation from Jong Pong Ju, the Serbian company hired “Peter Xiao,” who in fact was Chang Nam Il.

    After gaining their employers’ trust, Kim Kwang Jin and Jong Pong Ju were assigned projects that provided them access to their employers’ virtual currency assets. In February 2022, Jong Pong Ju used that access to steal virtual currency worth approximately $175,000 at the time of the theft, sending it to a virtual currency address he controlled. In March 2022, Kim Kwang Jin stole virtual currency worth approximately $740,000 at the time of theft by modifying the source code of two of his employer’s smart contracts, then sending it to a virtual currency address he controlled.

    To launder the funds after the thefts, Kim Kwang Jin and Jong Pong Ju “mixed” the stolen funds using the virtual currency mixer Tornado Cash and then transferred the funds to virtual currency exchange accounts controlled by defendants Kang Tae Bok and Chang Nam Il but held in the name of aliases. These accounts were opened using fraudulent Malaysian identification documents.

    The FBI Atlanta Field Office is investigating the case.

    Assistant U.S. Attorneys Samir Kaushal and Alex Sistla for the Northern District of Georgia and Trial Attorney Jacques Singer-Emery of the National Security Division’s National Security Cyber Section are prosecuting the case.

    21 Searches of Known or Suspected U.S.-based Laptop Farms – Multi-District

    Between June 10 and June 17, 2025, the FBI executed searches of 21 premises across 14 states hosting known and suspected laptop farms. These actions, coordinated by the FBI Denver Field Office, related to investigations of North Korean remote IT worker schemes being conducted by the U.S. Attorneys’ Offices of the District of Colorado, Eastern District of Missouri, and Northern District of Texas. In total, the FBI seized approximately 137 laptops.

    Valuable assistance was provided by the U.S. Attorney’s Offices for the District of Connecticut, the Eastern District of Michigan, the Eastern District of Wisconsin, the Middle District of Florida, the Northern District of Georgia, the Northern District of Illinois, the Northern District of Indiana, the District of Oregon, the Southern District of Florida, the Southern District of Ohio, the Western District of New York, and the Western District of Pennsylvania.

    ***

    The Department’s actions to combat these schemes are the latest in a series of law enforcement actions under a joint National Security Division and FBI Cyber and Counterintelligence Divisions effort, the DPRK RevGen: Domestic Enabler Initiative. This effort prioritizes targeting and disrupting the DPRK’s illicit revenue generation schemes and its U.S.-based enablers. The Department previously announced other actions pursuant to the initiative, including in January 2025 and prior, as well as the filing of a civil forfeiture complaint in early June 2025 for over $7.74 million tied to an illegal employment scheme.

    As the FBI has described in Public Service Announcements published in May 2024 and January 2025, North Korean remote IT workers posing as legitimate remote IT workers have committed data extortion and exfiltrated the proprietary and sensitive data from U.S. companies. DPRK IT worker schemes typically involve the use of stolen identities, alias emails, social media, online cross-border payment platforms, and online job site accounts, as well as false websites, proxy computers, and witting and unwitting third parties located in the U.S. and elsewhere.

    Other public advisories about the threats, red flag indicators, and potential mitigation measures for these schemes include a May 2022 advisory released by the FBI, Department of the Treasury, and Department of State; a July 2023 advisory from the Office of the Director of National Intelligence; and guidance issued in October 2023 by the United States and the Republic of Korea (South Korea). As described in the May 2022 advisory, North Korean IT workers have been known individually to earn up to $300,000 annually, generating hundreds of millions of dollars collectively each year, on behalf of designated entities, such as the North Korean Ministry of Defense and others directly involved in the DPRK’s weapons programs.

    The U.S. Department of State has offered potential rewards for up to $5 million in support of international efforts to disrupt the DPRK’s illicit financial activities, including for cybercrimes, money laundering, and sanctions evasion.

    The details in the above-described court documents are merely allegations. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

    MIL OSI USA News

  • MIL-OSI USA: Durable Medical Equipment Owner Sentenced to 12 Years for $61 Million Medicare Fraud Scheme

    Source: US State of North Dakota

    A Florida man was sentenced today to 12 years in prison and three years of supervised release for conspiring to defraud Medicare with false reimbursement claims for durable medical equipment (DME). He was also ordered to pay $21,195,540.18 in restitution and forfeiture in the amount of $2,514,040.

    According to court documents, Peter Roussonicolos, 64, of Port Saint Lucie, Florida, owned and operated five DME suppliers as a silent partner. Roussonicolos hid his involvement in the companies from Medicare because he had one or more felony convictions, making him ineligible to enroll with the government program. To further conceal his involvement, he recruited and paid co-conspirators to serve as nominee owners of the DME suppliers and caused others to falsify Medicare enrollment forms, bank records, and other documents to conceal the true ownership and control of the DME suppliers. He also knew that a co-conspirator paid kickbacks and bribes to patient recruiters in exchange for beneficiary referrals. As part of the scheme, the DME companies submitted approximately $61.5 million in false and fraudulent claims to Medicare for medically unnecessary DME that was ineligible for reimbursement and were paid approximately $26.7 million of these claims.

    “Through lies and deceit, the defendant and his co-conspirators orchestrated a $61 million fraud on Medicare,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. “The defendant’s fraud drained critical government resources that could have been used to help vulnerable Americans. Today’s sentencing demonstrates the Department’s steadfast commitment to protecting taxpayer dollars and ensuring accountability for those who seek to defraud our health care programs.”

    “Today’s sentence underscores HHS-OIG’s firm commitment to thoroughly investigating individuals who engage in illegal kickback schemes to prescribe medically unnecessary durable medical equipment for their own personal financial gain,” said Deputy Inspector General for Investigations Christian J. Schrank with the U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG). “We remain steadfast in our mission to protect the integrity of Medicare and other federal healthcare programs as well as the people served by those programs.”

    “This defendant and his co-conspirators orchestrated an elaborate scheme to steal millions from Medicare through kickbacks and sham billing,” said Assistant Director Jose A. Perez of the FBI Criminal Investigative Division. “Today’s sentencing demonstrates that those who exploit our healthcare system for personal gain will be held accountable. The FBI is committed to working with our partners to protect taxpayer dollars and ensure the integrity of healthcare programs.”

    In November 2024, Roussonicolos pleaded guilty to conspiracy to commit health care fraud and wire fraud.

    The FBI and HHS-OIG investigated the case.

    Trial Attorney Jennifer Burns and Assistant Chiefs Jamie de Boer and Emily Gurskis of the Criminal Division’s Fraud Section prosecuted the case. Trial Attorneys Joanna Bowman and Lindita Ciko Torza of the Special Matters Unit assisted in the prosecution.

    The Fraud Section leads the Criminal Division’s efforts to combat health care fraud through the Health Care Fraud Strike Force Program. Since March 2007, this program, currently comprised of 9 strike forces operating in 27 federal districts, has charged more than 5,800 defendants who collectively have billed federal health care programs and private insurers more than $30 billion. In addition, the Centers for Medicare & Medicaid Services, working in conjunction with the Office of the Inspector General for the Department of Health and Human Services, are taking steps to hold providers accountable for their involvement in health care fraud schemes. More information can be found at www.justice.gov/criminal-fraud/health-care-fraud-unit.

    MIL OSI USA News

  • MIL-OSI USA: Canadian Man Arrested and Detained for Role in Deadly Alien Smuggling Conspiracy at the U.S.’s Northern Border

    Source: US State of North Dakota

    WASHINGTON — A dual Canadian American citizen was arrested on Sunday, June 15, for his role in a deadly human smuggling conspiracy that left a family of four, including two children under the age of three, dead in the St. Lawrence River. Oakes was arrested as he attempted to enter the United States via the Massena, New York, Port of Entry.

    Timothy Oakes, 34, from the Akwesasne Mohawk Indian Reservation (AMIR), Canada, was previously arraigned on numerous human smuggling offenses in the Northern District of New York District Court and had his detention hearing earlier today and will remain detained. Oakes was indicted on April 9 for conspiring with others to engage in alien smuggling, four counts of alien smuggling for profit, and four counts of alien smuggling resulting in death. United States based co-conspirators Dakota Montour, 31, and Kawisiiostha Celecia Sharrow, 43, both of Akwesasne-Mohawk, New York, and Janet Terrance, 45, of Hogansburg, New York, entered guilty pleas on Jan. 23, Oct. 8, 2024, and March 6, respectively.

    “As alleged, Oakes and his co-conspirators profited from a human smuggling operation with a singular, cold-hearted aim: making money by bringing illegal aliens into the United States, regardless of the danger to human life involved,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. “Their greed resulted in the deaths of a mother, a father, and two small children, as well as one of the defendants’ own brothers. The Criminal Division will continue to disrupt and dismantle these organizations and bring justice to smugglers whose actions result in senseless deaths.”

    “This case shows the terrible perils of illegally crossing the border,” said U.S. Attorney John A. Sarcone III for the Northern District of New York. “Four family members died because a smuggling network put them in harm’s way. My office is proud to partner with Joint Task Force Alpha to continue to combat dangerous human smuggling and trafficking organizations that operate on our northern border.”

    “Oakes’ arrest comes as part of our nearly two-year long investigation into a transnational criminal organization responsible for the large-scale smuggling of aliens from Canada into the United States,” said U.S. Immigration and Customs Enforcement Homeland Security Investigations (ICE HSI) Buffalo Special Agent in Charge Erin Keegan. “ICE HSI leverages its full range of authorities to combat and dismantle the heinous networks of greedy criminals who illicitly sell dangerous, sometimes fatal, passage through our nation’s northern border. We are extremely grateful for a multitude of law enforcement agency partners on the Border Enforcement Security Taskforce who join us in this fight to bring smugglers to justice.”

    “Two toddler aged children and their parents were the tragic victims of an alien smuggling attempt gone horribly wrong,” said Chief Patrol Agent Robert Garcia of the U.S. Border Patrol’s Swanton Sector. “Their deaths were a direct result of callous smugglers who exploited the vulnerable. Due to unrelenting perseverance and investigative efforts by multiple law enforcement agencies, those responsible will be held accountable. Our pursuit of justice persists until justice is served.”

    According to court documents, Oakes was a key facilitator in a human smuggling organization (HSO) that smuggled aliens from Canada into northern New York. Oakes, working with the HSO, routinely smuggled aliens into the United States by piloting boats across the St. Lawrence River. Additionally, Oakes used his home as a staging area for aliens before the HSO smuggled them into the United States. Oakes earned approximately $1,000 for every alien whom he smuggled across the St. Lawrence River into the United States.

    In March 2023, Oakes housed a Romanian family of four, together with other aliens, for about 24 hours. He then transported the family and a boat to a public boat launch. His brother, Casey Oakes, attempted to use the boat to smuggle the Romanian family into the United States, but the boat capsized, killing all four members of the family, as well as Casey Oakes.    

    Terrance, Montour, and Sharrow admitted in their plea agreements that in late March 2023, they were employed to illegally transport a Romanian family of four — a mother, father, one-year-old boy, and two-year-old girl — from Canada into New York. Specifically, Montour admitted that he was aware of the dangerous weather conditions on the day of the tragedy — high winds, freezing temperatures, and limited visibility — yet another co-conspirator still loaded the family of four into the small boat to attempt to cross the St. Lawrence River.

    HSI Massena engaged in an extensive years-long investigation of the case, with assistance from the U.S. Border Patrol, U.S. Customs and Border Protection (CBP), HSI’s Human Smuggling Unit in Washington, D.C., CBP’s National Targeting Center International Interdiction Task Force, New York State Police, Canada Border Services Agency, Akwesasne Mohawk Police Service, St. Regis Mohawk Tribal Police Department, Ontario Provincial Police, Sûreté du Québec, St. Lawrence County Sheriff’s Department, Royal Canadian Mounted Police, and the Cornwall Police Service. The Justice Department’s Office of International Affairs provided significant support with foreign legal assistance requests.

    The defendant’s vehicle with light blue boat in tow on March 29, 2023, at 9:29 p.m., consistent with the boat found in the river during recovery efforts.

    The investigation is a result of the coordinated efforts of Joint Task Force Alpha (JTFA). JTFA, a partnership with the Department of Homeland Security (DHS), has been elevated and expanded by the Attorney General with a mandate to target cartels and other transnational criminal organizations and eliminate human smuggling and trafficking networks operating within the Americas that impact public safety and the security of our borders. JTFA currently comprises detailees from U.S. Attorneys’ Offices along the border, including the Northern District of New York. Dedicated support is provided by numerous components of the Justice Department’s Criminal Division, led by the Human Rights and Special Prosecutions Section (HRSP) and supported by the Money Laundering and Asset Recovery Section, the Office of Enforcement Operations and the Office of International Affairs, among others. JTFA also relies on substantial law enforcement investment from DHS, FBI, and the Drug Enforcement Administration, and other partners. To date, JTFA’s work has resulted in more than 380 domestic and international arrests of leaders, organizers, and significant facilitators of alien smuggling; more than 340 U.S. convictions; more than 290 significant jail sentences imposed; and forfeitures of substantial assets.

    The investigation is being conducted under the Extraterritorial Criminal Travel Strike Force (ECT) program, a joint partnership between the Justice Department’s Criminal Division and HSI. The ECT program focuses on human smuggling networks that may present particular national security or public safety risks, or present grave humanitarian concerns. ECT has dedicated investigative, intelligence and prosecutorial resources. ECT coordinates and receives assistance from other U.S. government agencies and foreign law enforcement authorities.

    Trial Attorney Jenna E. Reed of the Criminal Division’s HRSP and Assistant U.S. Attorney Jeffrey Stitt for the Northern District of New York are prosecuting the case.

    This case is part of Operation Take Back America, a nationwide initiative that marshals the full resources of the Department of Justice to repel the invasion of illegal immigration, achieve the total elimination of cartels and transnational criminal organizations and protect our communities from the perpetrators of violent crime. Operation Take Back America streamlines efforts and resources from the Department’s Organized Crime Drug Enforcement Task Forces and Project Safe Neighborhoods.


  • MIL-OSI USA: Ten Members and Associates of Violent Car-Theft Ring Indicted on Racketeering, Carjacking, Robbery, and Firearm Charges

    Source: US State of California

    A superseding indictment was unsealed today charging Montez Moore, 20, Duane Benson, 20, Aniya Sheperd, 20, Brandon Irons, 19, Allen Brown, 23, Markaveon Jackson, 19, Raynell Moore, 22, Lavatrice McCully-Collins, 24, Peontay Roddy, 21, and Noah Hornburg, 23 — all of St. Louis, Missouri — with crimes including racketeering conspiracy, carjacking, robbery, and firearm charges related to their participation in “the Strikers,” a violent, interstate stolen car ring.

    According to court documents, between September 2023 and March 2024, the Strikers engaged in car dealership burglaries, illegal interstate vehicle sales and thefts, shootings, carjacking, robbery, and other criminal acts throughout Missouri and Illinois.

    “As alleged, the Strikers enterprise stole approximately 50 vehicles and inflicted nearly $3 million in losses while carrying out a violent crime spree across Missouri and Illinois,” said Matthew R. Galeotti, Head of the Justice Department’s Criminal Division. “Their reckless actions endangered communities and dealt a serious blow to local businesses. This kind of brazen, lawless conduct will not be tolerated, and the Justice Department is committed to working with our federal, state, and local partners to protect the public and hold those responsible fully accountable.”

    “Thanks to the Justice Department’s Violent Crime Initiative, we were able to expand an existing indictment to hold more members of the Strikers responsible for a litany of violent crimes,” said Acting U.S. Attorney Matthew T. Drake for the Eastern District of Missouri. “As we said when we announced St. Louis’ inclusion in the VCI last year, we are targeting and dismantling the criminal organizations that are disproportionately driving violent crime in St. Louis.”

    “This was a violent, organized crime operation that spanned across state lines, left a trail of stolen vehicles and cost millions of dollars in losses,” said Assistant Director Jose A. Perez of the FBI Criminal Investigative Division. “This case demonstrates the power of the RICO statute to dismantle interstate criminal enterprises and reflects the FBI’s unwavering commitment to pursuing those who use violence and intimidation to profit from crime.”

    In a single burglary, defendants and others burglarized a dealership in Cape Girardeau, Missouri and stole seven high-end vehicles worth approximately $855,000.

    To hide their identities during the burglaries, the defendants would wear gloves, dark clothing, and masks. In one incident, defendants Hornburg, Moore, and Irons led police on a high-speed chase, driving on a public street reaching speeds over 110 mph. In another incident, after police seized one of the stolen cars, defendants Shepard, Benson, and others broke into the police impound lot and stole the car back.     

    After stealing the vehicles, the defendants allegedly concealed their stolen nature or location by attaching stolen out-of-state dealer plates and covering or removing vehicle identification numbers. The stolen vehicles would then be used in other crimes or sold through social media advertising. The Strikers would often advertise a sales price at such a discount that prospective buyers should have suspected the vehicles were stolen. In one Instagram posting, defendants offered for sale a 2019 Infiniti Q70 for $3000, a 2016 Mercedes Benz GLE 400 for $1500, and a 2014 BMW 528i for $2500.

    In one alleged carjacking and robbery, defendants Benson and Moore pulled up to a BP gas station in a stolen blue 2017 BMW 330i that had been taken from a dealership in Springfield, Illinois. They briefly waited for a lottery machine technician to walk out of the store and, as captured on store surveillance, ambushed him at gunpoint, robbed him, and hijacked his white Silverado pickup.

    A screenshot showing a January 2024 robbery and carjacking in Cool Valley, Missouri

    If convicted, each defendant faces up to 20 years in prison for the racketeering conspiracy. Defendants Moore and Benson face up to an additional 30 years in prison if convicted of carjacking, robbery and use of a firearm in connection thereof. Defendant Aniya Shephard faces up to an additional 10 years in prison if convicted of possessing a machinegun.

    The Federal Bureau of Investigation and the St. Louis County Police Department are investigating the case.

    Trial Attorney Jared A. Hernandez of the Criminal Division’s Violent Crime and Racketeering Section and Assistant U.S. Attorney Nino Przulj for the Eastern District of Missouri are prosecuting the case.

    This case is part of the Criminal Division’s Violent Crime Initiative in St. Louis conducted in partnership with the U.S. Attorney’s Office in the Eastern District of Missouri and local, state, and federal law enforcement. The joint effort addresses violent crime by employing, where appropriate, federal laws to prosecute gang members and their associates in St. Louis.

    An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
