March 29, 2018
A recently closed California hacking and identity theft case sadly illustrates the misery that can be visited on unsuspecting victims when their personal information is compromised.
Between 2011 and 2014, four U.S. citizens who resided in San Diego—but carried out their crimes from across the Mexican border in Tijuana—hacked the computer servers of major U.S. mortgage brokers, stealing detailed loan application information from thousands of customers and then using the victims’ Social Security numbers, addresses, dates of birth, and driver’s license numbers to open unauthorized lines of credit and take over and drain victims’ retirement accounts.
“The damage crimes like these have on victims, the economy, and society in general are significant,” said Special Agent Chris Christopherson, who investigated the case from the FBI’s San Diego Division. “Individuals had their finances wrecked and their credit destroyed, through no fault of their own. For many of them,” he added, “the impacts are still being felt.”
One of the fraudsters in the conspiracy, John Baden, was the chief hacker. He infiltrated mortgage companies using a common hacking technique known as “fuzzing,” which works by overloading a web server with massive amounts of data that can lead to the server revealing security loopholes.
Once Baden had access to victims’ information, he and his conspirators, Victor Fernandez, Jason Bailey, and Joel Nava, went to work. Fernandez—the group’s ringleader—identified multiple victims’ brokerage accounts and took control of them by calling the companies and providing the victims’ personal information to change passwords and contact information. Then it was simple for him and his conspirators to wire funds—sometimes up to $30,000 at a time—from the victims’ accounts to accounts they controlled.
Victims stretched from California to Florida, and one individual lost nearly $1 million in the scheme, Christopherson said. A second part of the scheme involved extensive credit fraud. The criminals used victims’ detailed personal information to set up bogus lines of credit and retail credit card accounts to which they charged thousands of dollars for goods and services. Most of the proceeds from the sale of items in these crimes were used to buy drugs.
“The damage crimes like these have on victims, the economy, and society in general are significant.”
Chris Christopherson, special agent, FBI San Diego
In all, Christopherson estimated there were more than 25,000 victims, and although charging documents listed victim losses at approximately $2.5 million, “in reality the amount was much higher than that,” he said. “There was so much retail fraud over such a long period of time, it was impossible to calculate an accurate and provable loss amount.”
The FBI was alerted to the fraud by a financial institution that noticed irregularities, and about the same time, FBI cyber investigators detected that many victims had a “common point of compromise,” Christopherson said. “They had all recently applied to the same mortgage company.”
Armed with that information, investigators worked backward from the mortgage company, eventually identifying the hack—and the hackers. By that time, Baden was hiding in Mexico. In 2014, he was named to the San Diego FBI’s Most Wanted Cyber Fugitives list, and the reward offered in the case eventually led to his capture in Mexico, Christopherson said.
All four subjects pleaded guilty to their roles in the fraud scheme. In 2015, Baden was sentenced federally to nine years in prison. In January 2018, Fernandez was sentenced to more than 10 years in prison. Bailey received a sentence of more than five years, and in February 2018, Nava was the last subject to be sentenced, to 44 months in prison.
But even years after the crimes were committed, Christopherson said, “the court was still receiving victim impact statements.” Many victims were unable to get jobs or be approved for mortgages or car loans because their credit had been ruined by the fraudsters.
“We are pleased that these criminals are now behind bars and will not be able to victimize anyone else,” said Christopherson, who encouraged the public to regularly check their credit information to make sure their personal information has not been compromised.