A Nigerian man suspected in Washington state’s $650 million unemployment fraud was arrested Friday at New York’s John F. Kennedy International Airport by federal agents as he allegedly attempted to leave the country.
Abidemi Rufai, of Lekki, Nigeria, appeared in federal court Saturday on charges that he used the identities of more than 100 Washington residents to steal more than $350,000 in unemployment benefits from the Washington state Employment Security Department during the COVID-19 pandemic last year.
“This is the first, but will not be the last, significant arrest in our ongoing investigation of ESD fraud,” said Tessa Gorman, acting U.S. Attorney for the Western District of Washington, in a statement Monday.
The federal complaint also provides a detailed glimpse into the scale of the pandemic-related fraud as well as the methods — some of them surprisingly unsophisticated — fraudsters used to pilfer from unemployment systems in Washington and other states.
Rufai, 42, is scheduled for a detention hearing Wednesday. The case will be prosecuted in federal court in Tacoma.
“I want to thank our partners in law enforcement for their continued efforts to hold criminals accountable for their attacks on our unemployment-insurance system,” said ESD Acting Commissioner Cami Feek in a statement Monday.
Rufai was represented by an assistant federal public defender at Saturday’s hearing.
Rufai’s arrest comes almost a year to the day after ESD officials announced they were temporarily suspending unemployment benefit payments after discovering that criminals had used stolen Social Security numbers and other personal information to file bogus claims for federal and state unemployment benefits.
Within days, ESD officials disclosed that “hundreds of millions of dollars” had likely been stolen in a fraud scheme that law enforcement officials and cybercrime experts said was partly based in Nigeria, involving a criminal ring nicknamed “Scattered Canary.”
Washington was among the first states to be hit by a wave of fraud that would eventually strike dozens of states and siphon off billions of dollars in federal aid meant for pandemic victims.
Rufai, who used the alias Sandy Tang, is also suspected of defrauding unemployment programs in Hawaii, Maine, Michigan, Missouri, Montana, New York, Ohio, Pennsylvania, Wisconsin and Wyoming.
Federal officials acknowledged that Rufai’s presence in the United States probably was unusual in the unemployment fraud scheme. Many of the fraudulent claims that hit the ESD were likely filed from outside the United States, according to the complaint.
The federal complaint also offers a detailed explanation of how Rufai — and presumably others — allegedly bypassed security systems at the ESD using a simple feature of Google’s free Gmail service.
Federal investigators initially identified Rufai through a single Gmail account he used to file 102 claims for pandemic-related unemployment benefits from the ESD, as well as claims at programs in other states, according to the complaint.
Thanks to a feature of Gmail, account holders can create dozens of additional email addresses simply adding one or more periods to the original address. Because the Gmail system doesn’t recognize periods, any emails sent to those so-called dot variant addresses are all routed to the inbox of the original Gmail address.
In Rufai’s case, his original email address — Sandytangy58@gmail.com — was expanded to include dot variants such as firstname.lastname@example.org and email@example.com, according to the federal complaint.
Rufai used the dot variant addresses to create multiple accounts in the Washington state system that authenticates online users of government services, the complaint alleges. Rufai was then able to file for unemployment benefits with the ESD using stolen personal identities of real Washington residents, the complaint said.
Because emails sent by the agency to the dot variants all went to Rufai’s Gmail account, Rufai could easily monitor all ESD correspondence regarding each claim, according to the complaint.
In January, a federal judge issued a warrant to Google, which operates Gmail, allowing investigators to search Rufai’s Gmail account, according to the complaint. Investigators found more than 1,000 emails from the ESD, including emails the agency sent allowing new claimants to activate their accounts.
Investigators also found around 100 emails from other states’ unemployment systems and from Green Dot, an online payment system reportedly used for stolen unemployment benefits, the complaint said.
The email and banking tactics allegedly used by Rufai appear to link him with the Nigerian crime organization known as Scattered Canary, according to an expert who has studied the group.
“The details are a dead ringer to the early Scattered Canary activity we saw in the early part of the unemployment fraud epidemic,” said Crane Hassold, senior director of threat research for Agari, a cybersecurity firm.
Federal investigators analyzed ESD’s claims database to identify Gmail accounts that used dot variant addresses to file multiple claims, among them the Sandytangy58@gmail.com account, according to the complaint.
It’s unclear whether the ESD or other state unemployment agencies were aware that Gmail addresses were being used to file multiple claims or had security systems in place to flag claims filed using a single Gmail account.
ESD declined Monday to say whether it had detected dot variant email addresses in new claims during the fraud last spring or whether it has since upgraded its claims system to block similar claims. “For security reasons, we can’t comment on what our systems do or do not screen for,” said ESD spokesman Nick Demerice. “I can say that we learned a lot from the initial attack on our system and make continuous improvements to avoid additional loses.”
Rufai’s alleged schemes extended well beyond unemployment fraud, according to the complaint. Investigators found “substantial evidence” in Rufai’s Gmail account “that the user was actively engaged in stealing and retaining the personal identifying information of American citizens,” the complaint alleges.
Investigators found numerous emails with file attachments containing thousands of bank and credit card numbers, birth dates and other personal identifying information, images of driver’s licenses, and “a very large volume” of tax returns of U.S. taxpayers, the complaint alleges.
But Rufai appears to have let his own security lapse.
Google allows users to add a “recovery” cellphone number to their accounts in case they forget their password. Although Rufai’s Gmail account used his alias, Rufai’s recovery number was a Nigerian-based cellphone number that was also listed on Rufai’s 2019 U.S. visa application, according to the complaint.
A Google Drive account associated with the Gmail account included images of “an individual who matches the physical appearance of Rufai in his 2019 visa application photo” and other government documents, the complaint said.
It also contained purchase confirmation emails for products that listed Rufai’s brother’s address in Jamaica, New York, as the billing address, the complaint alleges.
Investigators determined that Rufai arrived in the United States on Feb. 19, 2020, and left on Aug. 9, 2020, “and was therefore apparently present in the United States during the period of the fraud,” according to the complaint.
Bank records show that between March 3 and Aug. 2, 2020, $288,825 was deposited from multiple sources, including Green Dot, into a Citibank checking account in Rufai’s name, according to the complaint and federal officials. Additional funds were transferred by the ESD to the account of a second individual, identified in the complaint as C.S., who reportedly filed unemployment claims using Rufai’s Gmail account. That individual also filed claims for unemployment benefits in other states.
According to federal officials, Rufai had reportedly returned to the United States at some point after his August departure. Federal officials became aware that Rufai intended to leave the United States via JFK Airport in New York on Friday evening and obtained an arrest warrant.
According to the U.S. attorney in Seattle, the case involves wire fraud, which is punishable by up to 30 years in prison in crimes involving benefits “paid in connection to a presidentially declared disaster or emergency, such as the COVID-19 pandemic.”
The case was investigated by the FBI, with the assistance of multiple federal agencies, including the Department of Labor Office of Inspector General, as well as the cooperation of the ESD.
According to a recent report by the state auditor’s office, fraudsters filed tens of thousands of bogus claims worth $646.8 million. (Not all of the impostor claims were paid; many were stopped by the ESD before funds went out.) Of that, the state has recovered $370 million, according to the audit.