Service Members Targeted in Identity Fraud Scheme

Five individuals were indicted for the reprehensible crime of defrauding U.S. military veterans and current service members of their benefits. The five accused of the fraud are identified as Robert Wayne Boling Jr., Fredrick Brown and Trorice Crawford, all U.S. citizens; Allan Albert Kerr, an Australian citizen; and Jongmin Seok, a South Korean citizen. All were charged with multiple counts of conspiracy, wire fraud and aggravated identify theft. Boling, Kerr and Seok were arrested in the Philippines, while Brown and Crawford were arrested in the United States.

How the Identity Fraud Occurred

According to the unsealed indictment, Brown was the source of the personally identifiable information (PII), having worked at the U.S. Army’s 65th Medical Brigade at Yongsan Garrison, South Korea, from 2010 to 2015 as a civilian medical records technician. Throughout his tenure he stole the PII of thousands of military-affiliated individuals from the Armed Forces Health Longitudinal Technology Application (AHLTA), the principal repository for the electronic health records of military-affiliated personnel.

Brown had direct and unencumbered access to the names, date of birth, gender, mailing address, telephone number, social security numbers and Department of Defense ID numbers. The manner in which he captured the information would not have been detected by resident information security applications as being unusual, as his access to AHLTA was both authorized and natural. The AHTLA application allowed for the information for up to 10 individuals to be available on-screen at once. Brown took photos of his work screen, thus acquiring the information without a digital forensic trail to follow or be discovered, had he attempted to print or download the data.

How the Information was Exploited to Enable the Fraud

This information was provided to the co-conspirators Boling, Kerr and Seok, who were residing in the Philippines, for exploitation. With the information in hand, the trio used this PII to obtain the credit reports or official military records of the compromised individuals.

The trio accessed the Defense Self-Service Logon (DS Logon) accounts, which consolidates 70 nonpublic websites under a single username and password. Once into the DS Logon, they had access to even more PII than Brown had acquired. They were able to access the military-affiliated individual’s dependents (spouse and children), tax information and health records, and could alter the account and routing numbers for bank accounts into which salaries, benefits, disability payments and pensions were paid by the Department of Defense or Veterans Affairs.

The trio was able to spoof the system into thinking they were specific individuals, given they had garnered sufficient information to be “validated” as the veteran or service member, thus perpetrating the identity fraud.

Once in, they were able to determine the level of benefits each service member or veteran received and where the benefits were sent (either direct deposit or payment by check). With the information in hand, they then attempted to steal millions from the identified bank accounts of the service members and veterans and redirect the benefit payments to accounts they controlled.  Two military-focused financial institutions, USAA and Randolph-Brooks Federal Credit Union, were among those from which they stole funds from service members and veteran’s accounts.

Given the number of victims and the volume of money to be moved, Boling recognized the need to disperse the deposits across numerous accounts.

Crawford, who lived in San Diego, was enlisted to recruit “money mules”—individuals who would accept the stolen funds into their accounts and then under Crawford’s direction either pass the funds to Crawford or directly remit the funds abroad (laundering the stolen money) via wire transfer or other money transfer options.

The indictment notes how they targeted “older military-affiliated” individuals who were less likely to use DS Logon and disabled veterans who were more likely to receive larger veteran’s benefits.

Example of Identity Fraud Targeting Elderly Veterans

The indictment contains many examples of the identity fraud, including one detailing a 79-year old Navy veteran Petty Officer First Class and his account at the Kitsap Federal Credit Union:

  • Petty Officer First Class “A.D”, United States Navy
    • On or about October 19, 2016, a member of the conspiracy based in the Philippines conducted initial registration of the eBenefits account of Petty Officer First Class (“P0 1 A.D.”), and thereby obtained the account and routing information of the account held through Kitsap Federal Credit Union (“Kitsap FCU”) into which P01 A.D.’s veterans benefit was paid.
    • On that date in October 2016, P01 A.D. was 79 years old, and had never used DS Logon or eBenefits.
    • On or about October 24, 2016, BOLING contacted Kitsap FCU customer service, and impersonated P01 A.D.
    • Over the course of the following two days, BOLING arranged two wire transfers out of the bank account of P01 A.D.
      • The first wire transfer, in the amount of $18,500, was successfully deposited into the bank account of a member of the conspiracy.
      • Following that transfer, P01 A.D. contacted Kitsap FCU customer service, and advised that the wire had been unauthorized. BOLING then attempted a second wire transfer in the amount of $27,000 from P01 A.D.’s account, which was denied as unauthorized. Kitsap FCU then closed P01 A.D.’s account, and assigned
        P01 A.D. a new Kitsap FCU account number.

What are VA and DoD Doing?

The fraud began in 2014 and was discovered in early 2019. Thousands of service members were victimized and millions of dollars were stolen.

Veterans Affairs (VA) Assistant Secretary for Public and Intergovernmental Affairs James Hutton stated, “VA is working with DoD to identify any instances of compromised VA benefits accounts. Just as importantly, VA has taken steps to protect Veterans’ data and are instituting additional protective measures.”

Meanwhile, according to a statement by the Department of Justice in unsealing the indictment: “The Departments of Defense and Veterans Affairs are coordinating with the Department of Justice to notify and provide resources to the thousands of identified victims. Announcements also will follow regarding steps taken to secure military members’ information and benefits from theft and fraud.”

Featured eBook
The Next Generation of Application Security

The Next Generation of Application Security

Application security is usually done by finding, fixing and preventing vulnerabilities, with an emphasis on finding solutions to prevent cybersecurity events in the future. However, many of the breaches we’re seeing are caused by a vulnerability related to the application, often because developers move so quickly to push out new code. AppSec promises to become ... Read More
Security Boulevard

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.

burgesschristopher has 98 posts and counting.See all posts by burgesschristopher