A suburban Houston resident has been found guilty by a jury of 27 federal criminal charges for hacking into the Los Angeles Superior Court computer system and then using it to send approximately 2 million malicious phishing emails.
Oriyomi Sadiq Aloba, 33, of Katy, Texas, was found guilty late Thursday afternoon after a three-day trial. The jury found Aloba guilty of one count of conspiracy to commit wire fraud, 15 counts of wire fraud, one count of attempted wire fraud, one count of unauthorized impairment of a protected computer, five counts of unauthorized access to a protected computer to obtain information, and four counts of aggravated identity theft. Aloba was taken into federal custody immediately after the verdict was read.
According to the evidence presented at trial, in July 2017, Aloba and his co-conspirators targeted the Los Angeles Superior Court for a phishing attack. During the attack, one court employee’s email account was compromised and sent an email – without her authorization – to co-workers purporting to be from the file hosting service Dropbox. In fact, it was a phishing email that contained a link to a phishing website that asked for the users’ Superior Court email addresses and passwords, court papers state. Thousands of court employees received the Dropbox email and hundreds disclosed their email credentials to the attacker. Multiple court employees’ emails then were used by the attacker to send out millions of phishing emails.
These additional phishing emails purported to be communications from American Express, Wells Fargo, and other companies, and led victims to a webpage that asked for their banking login credentials, personal identifying information, and credit card information. The link for the fake American Express website used source code that designated Aloba’s email account as the delivery address for the information that the victims input into the website, according to court documents.
Investigators executed a search warrant at Aloba’s residence in Texas, which revealed a thumb drive in a toilet, a damaged iPhone in a bathroom sink, and – in the closet of a spare bedroom – a laptop computer with a smashed screen that was smeared with fresh blood. Nearby, agents found a broken mug, which apparently was used to smash the laptop computer. At the time of his arrest, Aloba had blood on his hands and agents saw him picking something out of his hands.
During the search, agents retrieved from the thumb drive and bloody laptop dozens of phishing kits, which is software designed to facilitate a phishing attack, including the American Express phishing kit used in the court attack.
As a result of the phishing attack, the court suffered monetary losses, including more than $45,000 in employee time paid to respond to the attack that would have otherwise been spent on ordinary work activities. Additionally, there were more than $15,000 in combined actual and intended losses to credit card victims, according to court documents.
United States District Judge R. Gary Klausner has scheduled a sentencing hearing for October 21, where Aloba will face a statutory maximum sentence of more than 350 years in federal prison.
Aloba was initially charged by the Los Angeles County District Attorney, but the matter was referred to the United States Attorney’s Office for federal prosecution.
A co-defendant, Robert Charles Nicholson, 28, of Brooklyn, New York, pleaded guilty last month to one count of conspiracy to commit wire fraud. His sentencing hearing is scheduled for September 30. Aloba’s other three co-defendants remain at large outside the United States.
This matter was investigated by the Federal Bureau of Investigation and the Los Angeles County District Attorney’s Office.
This case is being prosecuted by Assistant United States Attorneys Robyn K. Bacon and Ryan White of the Cyber and Intellectual Property Crimes Section.
Submitted by Ciaran McEvoy, USDOJ Public Information Officer