In the Southern District of New York, a Nigerian national called Charles Onus pleaded guilty to hacking into a payroll company’s user accounts and stealing payroll contributions. According to the indictment and allegations presented in court, Onus was involved in a conspiracy that entailed taking over user accounts of corporate employees across the United States and stealing payroll deposits by routing salary payments to debit cards controlled by him.
This criminal activity began in July 2017, and by the time Onus was apprehended, he had hacked into 5,500 user accounts and diverted $800,000 in payroll funds. The threat actor used credential stuffing attacks to obtain access to human resources and payroll company accounts that handle salary payments for other companies’ workers.
Credential stuffing is a sort of cyberattack in which threat actors attempt to log in to other websites using username and password combinations obtained from prior data breaches. The approach differs from brute-forcing or guessing passwords in that it does not rely on the victim repeating the same credentials across many platforms rather than cracking them.
“After a Company user account was compromised, the bank account information designated by the user of the account was changed so that Onus would receive the user’s payroll to a prepaid debit card that was under Onus’ control,” clarifies the DOJ announcement.
On April 14, 2021, Charles Onus was apprehended while flying from Abuja, Nigeria, to San Francisco, where he was detained at the airport. The defendant has now pleaded guilty to one count of computer fraud for unauthorized access to overseas computer networks. Judge Gardephe will decide the exact punishment on May 12, 2022, and it carries a maximum sentence of five years in jail.