A Baltimore man faces a potential maximum 20-year prison sentence after being charged for his alleged role in running an online service that sold personal data which was later used for financial fraud.
An underground TLO service is based on the idea and branding of TLOxp, the proprietary background checker tool owned by credit reporter TransUnion and typically used by law enforcement agencies, insurance companies, and the like, for digging up information on a specific person.
TLO lookups can reveal data including social security numbers, phone numbers, and dates of birth - the holy trinity for criminals looking to defraud victims of their financial security.
The charges were brought against Charleron by the United States Postal Service, whose investigators claim they found that he didn't even think to use a VPN when administering the group.
A review of the searches for PII records revealed the associated IP addresses with those searches led to Charleron's home address in Laurel, Maryland, according to the complaint.
The filing claims customers would approach Charleron with a name and home address, plus a payment in the region of $25 sent either via cryptocurrency or other digital means, and in return they would receive the PII necessary to take out credit cards in a victim's name.
It's unclear if the accused and his alleged co-conspirators used TLOxp itself, or had their own system of aggregating the data their clients sought, or both, but the collection of customers - 799 of them at the operation's peak - were all contacted via a group chat through what court documents describe as an unspecified encrypted messaging app.
This may be explained by the complaint's estimated timeline of Charleron's administration of the TLO service, which the filing claims ran from at least February 2020 to around May 2023.
During the period Charleron allegedly ran the service, he is said to have sold the PII belonging to more than 5,000 individuals, with criminals later using it to spend tens of thousands of dollars of their victims' money.
In one March 2022 case that appeared in the court docs, a member of the customer network sent across five names and addresses, and the following day the requisite payment of $119.64.
Three minutes after the payment was made, the PII for all five individuals was sent to the customer.
That PII was then used to activate credit cards in the victims' names via a phone call with their bank.
The criminal in question activated multiple credit cards for many victims over the course of nearly a year, between July 2021 and May 2022, racking up more than $90,000 in illegal charges.
At least 80 of the victims are alleged to have been supplied to them by Charleron, according to the unsealed criminal complaint [PDF].
In 2020, the same customer is also thought to have stolen a letter from an intended target, sent by a financial institution, containing an unactivated credit card.
The complaint claims a picture of the letter was sent to Charleron, and claims he then supplied the PII required to activate it.
A second customer's case presented to the court alleges that Charleron was able to supply data to tight deadlines.
In the case, the customer asked for the PII, stating that the banks close in 28 minutes and Charleron supplied the required PII in 21 minutes, the complaint claims.
Within a two-week period in 2022, Charleron is alleged to have sent a message to the group advertising a three-for-$100 offer - a price higher than the average $25 because it also included driving licenses.
Filed on January 19, an arrest warrant [PDF] is currently out for Charleron and it's unknown if he's yet in custody.
This Cyber News was published on www.theregister.com. Publication date: Wed, 24 Jan 2024 01:44:04 +0000