In June, the FBI got a warrant to hunt through the Google accounts of Abedemi Rufai, a Nigerian state government official.
What they found, they said in a sworn affidavit, was all the ingredients for a "massive" cyberfraud on U.S. government benefits: stolen bank, credit card and tax information of Americans. Money transfers. And emails showing dozens of false unemployment claims in seven states that paid out $350,000.
Rufai was arrested in May at John F. Kennedy International Airport in New York as he prepared to fly first class back to Nigeria, according to court records. He is being held without bail in Washington state, where he has pleaded not guilty to five counts of wire fraud.
Rufai's case offers a small window into what law enforcement officials and private experts say is the biggest fraud ever perpetrated against the U.S., a significant part of it carried out by foreigners.
Russian mobsters, Chinese hackers and Nigerian scammers have used stolen identities to plunder tens of billions of dollars in Covid benefits, spiriting the money overseas in a massive transfer of wealth from U.S. taxpayers, officials and experts say. And they say it is still happening.
Among the ripest targets for the cybertheft have been jobless programs. The federal government cannot say for sure how much of the more than $900 billion in pandemic-related unemployment relief has been stolen, but credible estimates range from $87 billion to $400 billion — at least half of which went to foreign criminals, law enforcement officials say.
Those staggering sums dwarf, even on the low end, what the federal government spends every year on intelligence collection, food stamps or K-12 education.
"This is perhaps the single biggest organized fraud heist we've ever seen," said security researcher Armen Najarian of the firm RSA, who tracked a Nigerian fraud ring as it allegedly siphoned millions of dollars out of more than a dozen states.
Jeremy Sheridan, who directs the office of investigations at the Secret Service, called it "the largest fraud scheme that I've ever encountered."
"Due to the volume and pace at which these funds were made available and a lot of the requirements that were lifted in order to release them, criminals seized on that opportunity and were very, very successful — and continue to be successful," he said.
While the enormous scope of Covid relief fraud has been clear for some time, scant attention has been paid to the role of organized foreign criminal groups, who move taxpayer money overseas via laundering schemes involving payment apps and "money mules," law enforcement officials said.
"This is like letting people just walk right into Fort Knox and take the gold, and nobody even asked any questions," said Blake Hall, the CEO of ID.me, which has contracts with 27 states to verify identities.
Officials and analysts say both domestic and foreign fraudsters took advantage of an already weak system of unemployment verification maintained by the states, which has been flagged for years by federal watchdogs. Adding to the vulnerability, states made it easier to apply for Covid benefits online during the pandemic, and officials felt pressure to expedite processing. The federal government also rolled out new benefits for contractors and gig workers that required no employer verification.
In that environment, crooks were easily able to impersonate jobless Americans using stolen identity information for sale in bulk in the dark corners of the internet. The data — birthdates, Social Security numbers, addresses and other private information — have accumulated online for years through huge data breaches, including hacks of Yahoo, LinkedIn, Facebook, Marriott and Experian.
At home, prison inmates and drug gangs got in on the action. But experts say the best-organized efforts came from abroad, with criminals from nearly every country swooping in to steal on an industrial scale.
"They were literally calling this easy money," said Ronnie Tokazowski, a senior threat researcher at Agari, a security firm, who has been monitoring dark web communications by West African fraud gangs.
In some cases, overseas organized crime groups flooded state unemployment systems with bogus online claims, overwhelming antiquated benefits software in blunt-force attacks that siphoned out millions of dollars. On several occasions, states have had to suspend benefit payments while they tried to figure out what was real and what was not.
"It's definitely an economic attack on the United States," said FBI Deputy Assistant Director Jay Greenberg, who is investigating cases as part of the Justice Department's Covid fraud task force. "Tens of billions of dollars will be missing. ... It's a significant amount of money that's gone overseas."
Under the Pandemic Unemployment Assistance program for gig workers and contractors, people could apply for retroactive relief, claiming months of joblessness with no employer verification possible. In some cases, that meant checks or debit cards worth $20,000, Hall said.
"Organized crime has never had an opportunity where any American's identity could be converted into $20,000, and it became their Super Bowl," he said. "And these states were not equipped to do identity verification, certainly not remote identity verification. And in the first few months and still today, organized crime has just made these states a target."
Sheridan, whose purview at the Secret Service includes financial crimes, pointed out that the stolen sums far exceed the annual cost of ransomware, a problem estimated to cost the economy $20 billion a year, which has commanded outsize media attention.
The windfall for criminal groups will fuel other types of crime, including drug and human trafficking, he said.
"These groups that are profiting so greatly from these types of schemes, they engage in a host of other crimes," he said. "Drug trade, crimes against children, more sophisticated cyber-related fraud. And this money is basically an investment to them to conduct more extensive criminal operations ... some of which include crimes that will compromise national security."
By the time states recognized the extent of the criminality, the spigot of cash had been gushing for months.
"Nobody really understood how big the problem was until it was playing out," said Najarian, the RSA security researcher. "We all accepted that there was fraud taking place, organized fraud and local fraud. But what we didn't realize ... was that the organized fraud was very aggressive and very efficient and moving very, very large sums of money offshore."
The investigative journalism site ProPublica calculated last month that from March to December 2020, the number of jobless claims added up to about two-thirds of the country's labor force, when the actual unemployment rate was 23 percent. Although some people lose jobs more than once in a given year, that alone could not account for the vast disparity.
The thievery continues. Maryland, for example, in June detected more than half a million potentially fraudulent unemployment claims in May and June alone. Most of the attempts were blocked, but experts say that nationwide, many are still getting through.
The Biden administration has acknowledged the problem and blamed it on the Trump administration.
"There is perhaps no oversight issue inherited by my Administration that is as serious as the exploitation of relief programs by criminal syndicates using stolen identities to steal government benefits," Biden said in a statement in May as the government announced a Justice Department Covid fraud task force.
The Biden administration has allocated $2 billion to shore up state unemployment systems. That appears to be badly needed, because states have failed to take basic steps to improve identity verification, according to the Labor Department's inspector general.
In a memo in February, the inspector general reported that as of December, 22 of 54 state and territorial workforce agencies were still not following its repeated recommendation to join a national data exchange to check Social Security numbers. And in July, the inspector general reported that the national association of state workforce agencies had not been sharing fraud data as required by federal regulations.
Twenty states failed to perform all the required database identity checks, and 44 states did not perform all recommended ones, the inspector general found.
"The states have been chronically underfunded for years — they're running 1980s technology," Hall said.
Not a victimless crime
Along with the huge losses inflicted on the U.S. Treasury, the criminals also hurt tens of thousands of people, many of whom suffered delays in getting much-needed benefits.
When Yvonne Matlock lost her job last year as a fundraiser for an Indiana addiction treatment center, she applied for unemployment benefits online, like millions of other Americans.
But she was told she was already getting relief money.
"Somebody had gotten ahold of my Social Security number and set up an account in my name. It seems as though it was really easy for them to do," she said.
She said it was an ordeal to verify her identity with the state and get her benefits.
"I sent them everything but a blood sample," she said. "I sent my driver's license, my Social Security card, my gun permit — which they issued, by the way — my W-2 forms."
"I sent more than what they asked me for and was still denied," Matlock added.
She finally got the benefits after three months. And then she was victimized again. Somebody else stole her identity and diverted $1,200. Police are investigating.
The detective "said I'll do my best, [but] the chances of us finding this person are pretty slim," she said.
So far, there has been relatively little recovery of the stolen cash — or accountability for the criminals who took it.
The FBI has opened about 2,000 investigations, Greenberg said, but it has recovered just $100 million. The Secret Service, which focuses on cyber and economic crimes, has clawed back $1.3 billion. But the vast majority of the pilfered funds are gone for good, experts say, including tens of billions of dollars sent out of the country through money-moving applications such as Cash App.
'Sick to my stomach'
The government does not seem to know how much has been stolen.
Through a public records request, NBC News obtained data from the Labor Department, which funds Covid relief unemployment benefits programs, that are riddled with blank values and underestimates. The data list just over a billion dollars in fraud across the three CARES Act unemployment programs — a figure experts say is off by orders of magnitude.
In fact, state officials have made statements that refute their own reporting into the Labor Department data system. California, for example, appears to have reported only $2 million in fraud across CARES Act programs, despite publicly having acknowledged over $11 billion in unemployment fraud after an audit in January. State officials said early this year that projected losses could reach $31 billion.
More than two-thirds of states, 34, reported no cases of identity theft overpayments in the most vulnerable unemployment benefits program. Experts say that simply is not accurate.
The inspector general pointed out in a recent report that the Labor Department reduced testing and reporting requirements on state unemployment systems during the pandemic.
One result is that the public is in the dark about the scope of the fraud.
"It makes me sick to my stomach, particularly when I see how much is coming out of my taxes each month for unemployment," said John Wilson, Agari's field chief technology officer.
The inspector general has projected that there will be $87 billion in misspent unemployment funds, a conservative estimate that assumes no spike in fraud rates. Both the inspector general and the FBI declined to offer an estimate of what the actual value of lost funds might be.
ID.me's estimate of $400 billion comes from the data the company has seen across the states, Hall said.
ID.me implements extra verification steps beyond paper or digital records, requiring people, for example, to prove through FaceTime that their faces match the ones on their driver's licenses. As a result, fraudsters have used Barbie dolls, silicone masks and deepfake videos in an unsuccessful effort to beat the system, he said.
A Nigerian fraud group strikes
One of the few examples in which analysts have pointed the finger at a specific foreign group involves a Nigerian fraud ring dubbed Scattered Canary by security researchers. The group had been committing cyberfraud for years when the pandemic benefits presented a ripe target, Najarian said.
"The moment the pandemic hit, that was the next big thing that they jumped on, and they did a great job exploiting that opportunity," he said.
Scattered Canary took advantage of a quirk in Google's system. Gmail does not recognize dots in email addresses — John.Doe@gmail.com and JohnDoe@gmail.com are routed to the same account. But state unemployment systems treated them as distinct email addresses.
Exploiting that trait, the group was able to create dozens of fraudulent state unemployment accounts that funneled benefits to the same email address, according to research by Najarian and others at Agari.
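The check a claims system could run against this dot trick, as an added example that is not from the article, Agari or any state agency: reduce each address to the mailbox it is delivered to, then flag mailboxes shared by claims filed under different identities. The record fields (`claim_id`, `email`, `claimant_id`) and the sample claims are hypothetical, and the example goes slightly beyond the article by also folding Gmail's "+tag" sub-addresses and the googlemail.com alias domain.

```python
from collections import defaultdict

# Domains where the provider ignores dots in the local part.
# gmail.com is the case in the article; googlemail.com is Google's alias domain.
DOT_INSENSITIVE = {"gmail.com": "gmail.com", "googlemail.com": "gmail.com"}


def canonical_email(address: str) -> str:
    """Return the mailbox an address is actually delivered to."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in DOT_INSENSITIVE:
        local = local.split("+", 1)[0]   # drop "+tag" sub-address
        local = local.replace(".", "")   # dots are ignored by Gmail
        domain = DOT_INSENSITIVE[domain]
    return f"{local}@{domain}"


def shared_mailboxes(claims, threshold=2):
    """Map canonical mailbox -> claim ids, for mailboxes used by at least
    `threshold` claims that were filed under more than one identity."""
    by_mailbox = defaultdict(list)
    for claim in claims:
        by_mailbox[canonical_email(claim["email"])].append(claim)
    flagged = {}
    for mailbox, group in by_mailbox.items():
        identities = {c["claimant_id"] for c in group}
        if len(group) >= threshold and len(identities) > 1:
            flagged[mailbox] = sorted(c["claim_id"] for c in group)
    return flagged


# Constructed sample claims (hypothetical field names, not real data).
SAMPLE_CLAIMS = [
    {"claim_id": "WA-0001", "email": "John.Doe@gmail.com", "claimant_id": "A"},
    {"claim_id": "WA-0002", "email": "JohnDoe@gmail.com", "claimant_id": "B"},
    {"claim_id": "WA-0003", "email": "j.o.h.n.doe@googlemail.com", "claimant_id": "C"},
    {"claim_id": "WA-0004", "email": "johndoe+wa@gmail.com", "claimant_id": "D"},
    {"claim_id": "WA-0005", "email": "john.doe@example.org", "claimant_id": "E"},
    {"claim_id": "WA-0006", "email": "jane.roe@gmail.com", "claimant_id": "F"},
]

if __name__ == "__main__":
    for mailbox, ids in shared_mailboxes(SAMPLE_CLAIMS).items():
        print(f"{mailbox}: {len(ids)} claims -> {', '.join(ids)}")
```

Addresses on other domains are only lowercased, since their dot handling is not known; the comparison key is used for matching only and the address as submitted should still be stored.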
In April and May of 2020, Scattered Canary filed at least 174 fraudulent claims for unemployment benefits with the state of Washington, Agari found — each claim eligible to receive up to $790 a week, for a total of $20,540 over 26 weeks. With the addition of the $600-per-week Covid supplement, the maximum potential loss was $4.7 million for those claims alone, Agari found.
Scattered Canary and other groups made use of so-called money mules — witting or unwitting third parties who moved the stolen funds through bank accounts so they could be transferred out of the country, Najarian said.
Cash App, which describes itself as "the easiest way to send money, spend money, save money, and buy cryptocurrency," has been frequently used by fraudsters to move money, law enforcement officials and private consultants said.
"When you use the app, you can quickly and easily convert everything over to Bitcoin," Tokazowski said. "Within like 10 minutes, you can get that cash converted and sent on its way."
Cash App said in a statement that it has "enhanced our systems to monitor and act upon deposits that we deem to be risky, despite coming from largely trusted sources like state unemployment agencies. We also partner with law enforcement and government agencies to investigate potential fraud and work collaboratively to return those funds when possible."
Rufai, the Nigerian official, is accused of having used 100 fraudulent claims to steal $350,000. He is being held without bail after having been transferred from New York to Washington state. He has been placed on leave from his government job, said his attorney, Lance Hester.
Federal officials have not linked the cases to Scattered Canary. But at a detention hearing, prosecutors portrayed Rufai as a significant player in cyberfraud going back to 2017.
"This is a defendant who is charged with participating in a massive fraud on the United States," said Seth Wilkinson, an assistant U.S. attorney in Seattle, according to a public transcript. "It is someone who exploited our country's efforts to take care of its own people during the biggest emergency of our lifetime."
Hester said he could not comment because he had not had a chance to speak with his client in detail.
"I know he stands strongly behind his not guilty plea," Hester said.