The National Bureau of Investigation on Friday said it arrested three Filipinos and two Nigerians who were allegedly involved in the hacking of the accounts of more than 700 clients of BDO Unibank last December.
The NBI dubbed the group behind the online fraud the “Mark Nagoyo Heist Group,” for the obviously fictitious name used in the unauthorized transfer of money from the BDO accounts. Investigators did not disclose the total amount stolen.
NBI officer in charge Director Eric Distor identified those arrested as Jherom Anthony Taupa, Ronelyn Panaligan and Clay Revillosa, and Nigerian nationals Ifesinachi Fountain Anaekwe and Chukwuemeka Peter Nwadi.
The five were arrested separately through the cooperation of at least two informants, according to the NBI.
The first informant reportedly volunteered information to the NBI Cybercrime Division, implicating several individuals as the “leaders, members or affiliates” of the Mark Nagoyo group.
With the help of the first informant, the two Nigerian nationals were arrested in an entrapment in Mabalacat, Pampanga, on Tuesday, according to the NBI.
The second informant led the NBI to Taupa, who was described as “one of the masterminds behind the Mark Nagoyo heist.”
Taupa was arrested in a buy-bust operation in Floridablanca, Pampanga, also on Tuesday while selling a scampage, or phishing website, to the informant for P2,000.
How they did it
In a statement, the NBI said initial reports indicated that the hackers were able to access the BDO customers’ accounts by bypassing the one-time personal identification number (PIN) requirement and then “drained [the] funds in those accounts.”
Email confirmations for the bulk of the illegal transfers showed that they were made by a certain Mark D. Nagoyo. “Nagoyo” is a Filipino colloquial term for fooled or duped.
The NBI said the first informant claimed the Nigerian suspects illegally provided “access devices” to people who are looking for options to cash out fraudulently obtained funds.
These access devices can be in the form of bank accounts, crypto wallets or even point-of-sale terminals of otherwise legitimate merchants.
The first informant allegedly claimed a certain Mark Froilan called her up asking about money cash outs and alluded to funds from the hacked BDO accounts. She then contacted Anaekwe, who allegedly offered three bank accounts that could each receive P10 million.
‘Group heist’
The NBI did not explain how the informant came to know Froilan and Anaekwe, who uses Daddy Champ as an alias.
The NBI Cybercrime Division said the two Nigerians were arrested in the act of selling the bank accounts during the entrapment in Mabalacat.
The NBI said the second informant identified Taupa as someone who sells a scampage, particularly an imitation of the GCash webpage.
According to the NBI, Taupa had modified the code so the holder of the scampage could gather the account details of unwitting victims who thought they were opening GCash’s official portal. The NBI said Taupa later admitted that he sold GCash scampages.
Further investigation showed that Taupa was “involved in a group heist.”
The NBI said Taupa was “the one sending the emailing list containing the personal details of various bank customers to a group of individuals responsible for sending the email” to the bank clients.
“The email contains a link which when clicked, will be used for the hacking process of the heist group,” the NBI said.
It said two of the Filipino suspects, Panaligan and Revillosa, who were arrested in a separate operation, were involved in the BDO hacking as “web developer and downloader.”
The NBI said the two Nigerian suspects and Taupa underwent inquest before the Department of Justice in Manila.
The Nigerian nationals were charged with trafficking in unauthorized access devices in violation of Republic Act No. 8484, or the Access Devices Regulation Act of 1998.
Taupa was charged with misuse of devices under Republic Act No. 10175, or the Cybercrime Prevention Act of 2012.
Social media chat
The theft came to light on Dec. 11, 2021, when a number of BDO clients reported on social media that they lost hundreds of thousands of pesos through unauthorized online fund transfers to a UnionBank account owned by a certain “Mark Nagoyo.”
BDO later reported that some clients were hit by a “sophisticated fraud technique” through its online banking platform.
According to BDO president Nestor Tan, the incident affected a 10-year-old web service that is due for phaseout and replacement.
Many of the complaints alleged that cybercriminals were able to access their BDO accounts even if they did not click on suspected phishing links or disclose any of their banking details.
They also claimed that they did not receive any SMS prompts or OTPs (one-time passwords) indicating that someone had logged into their accounts even when the online transactions exceeded the bank’s daily limit.
Restituted accounts
BDO already restituted about 700 affected accounts, but did not disclose the total amounts.
NBI Cybercrime Division chief Victor Lorenzo would not give an estimate of the amounts lost by the BDO clients.
He said the hackers were not able to cash out most of the stolen funds because the receiving bank red-flagged them.
For its part, UnionBank froze around P5 million from “mule accounts” used as vehicles by the cybercriminals who stole from the BDO accounts.
Lorenzo said the hackers mostly transacted online to remain anonymous, but he was confident they would be rounded up. He did not say how many more the NBI was after.
“We have the entire picture. We know all their members. Sooner or later we will get them,” he said. —WITH A REPORT FROM INQUIRER RESEARCH