Manila: Filipino investigators announced the arrest on Friday (January 21, 2022) of five people — 3 Filipinos and 2 African nationals — in connection with an online heist that reportedly compromised hundreds of bank accounts in the country.
Customers of BDO Unibank, the country’s top lender, reported unauthorised transactions in mid-December which siphoned off millions from their bank accounts. The scammers allegedly used the digital payment platform Gcash in their attacks.
Digital payments saw a massive jump in the country even as the economy slid into a recession and COVID-related mobility curbs were imposed.
Fake page or 'scampage'
On Friday, agents of the National Bureau of Investigation (NBI) said the hackers used “phishing” attacks, baiting unwitting victims with a fake page — or “scampage” — which the victims accessed in the mistaken belief that they were opening Gcash’s official portal.
“They (hacking suspects) sent out phishing emails… they were able to generate OTPs (one-time passwords),” NBI chief Victor Lorenzo explained in Filipino to local media.
The scampage allowed the hackers to “harvest” the victim’s Gcash account details, which were then used on the real page to steal money from the victims, the investigators said.
In December, local media reported that funds stolen from BDO clients were transferred to the UnionBank account of a certain “Mark Nagoyo.”
'Mark Nagoyo' heist group
On Friday, investigators said that apart from the five arrested, other persons involved in the “Mark Nagoyo Heist Group” are already known to them.
“We now know the identities of all of the members although they have not yet been arrested,” Lorenzo told local media in Filipino. “Sooner or later, we will get them,” Lorenzo said.
He said that “Mark Nagoyo” is a fictitious name. “He is not a real person but we know who is using it,” he added.
The NBI chief said the perpetrators failed to encash most of the deposits from BDO after transferring the money to a recipient bank.
“The fraudulent proceeds were not cashed out after being transferred to the recipient bank. The recipient bank has a system in place that red flags suspicious transactions,” he also said.
Lorenzo explained that the perpetrators gained access to the accounts of depositors through “phishing”; the hackers also exploited a vulnerability in BDO’s one-time password (OTP) generation.
Events that led to arrest
In December, BDO customers reported unauthorised transactions involving tens of thousands of pesos.
The NBI said the suspects failed to cash out the money they siphoned out of the hacked accounts as their transactions were flagged by the receiving bank. The NBI said it launched a probe after an informant disclosed details of individuals believed to be part of the Mark Nagoyo Group — named after the account that reportedly made the illegal money transfers.
According to the NBI, the informant said the suspects provided access to “anyone looking for options to cash out funds fraudulently obtained.” The accounts range from bank accounts and cryptocurrency wallets to point-of-sale terminals of legitimate merchants.
The informant also said he received a call from a certain “Mark Froilan” who later contacted Ifesinachi Fountain Anaekwe (also known as “Daddy Champ”), one of the Nigerian suspects, through his alias.
Anaekwe then offered to provide the informant three different accounts to transfer P10 million each — apparently referring to the funds from BDO alluded to by Mark Froilan.
Anaekwe and another African man, identified as Chukwuemeka Peter Nwadi, were caught in the act offering accounts for sale on January 18 in Mabalacat, Pampanga, the NBI added.
NBI agents also arrested the Filipino suspect Jherom Anthony Taupa the same day in Floridablanca, Pampanga “for selling ‘scampage’ or phishing website.”
Another informant identified Taupa as one of the masterminds in the “Mark Nagoyo” scam, selling scampages that imitate the look of the popular e-wallet app Gcash.
“Taupa modified the code in order to gather log-in details of unwitting victims who would access the scampage in the mistaken belief that they were opening Gcash’s official portal,” the NBI said.
The owner of the phishing website would then be able to gain access to victims’ Gcash accounts to steal funds from the e-wallet.
GCash, in a statement, said it cooperated with authorities in the investigation, adding that its platform "retains its integrity and is secure."
"It employs up-to-date security technologies and global best practices applied on its system and its app, assuring customers of safe transactions. GCash would also like to clarify that it is not party to incidents from other financial institutions," the company said.
The NBI launched the buy-bust operation after Taupa and the informant agreed on P2,000 as payment in cash for the phishing website. Taupa also admitted to selling Gcash scampages stored on his computer, the NBI added.
“Further investigation revealed that subject [Taupa] is involved in a group heist, being the one sending the email list containing personal details of various bank customers,” the agency added.
A separate operation led to the arrest of two more suspects — Filipino citizens Ronelyn Panaligan and Clay Revillosa, tagged as web developer and downloader in the BDO hacking incident, the NBI added.