Woodberry wallets show signs of activity
Between January and September 2019, an international criminal group involved in cryptocurrency fraud was operating on a global scale. The organizers and leaders of the group were two Nigerian nationals residing in Dubai: Olalekan Jacob Ponle, also known as “Woodberry,” and Ramon Olorunwa Abbas, aka “Hushpuppi.”
Reportedly, 1.9 million people and several large U.S. companies were the victims of the fraudsters, with the total amount of stolen money equaling $17.3 million. Of that sum, $6.5 million was converted into Bitcoin via the popular cryptocurrency exchange Gemini.
Even though cryptocurrency is an extraterritorial phenomenon, the criminals cheated mostly U.S. companies, while staying in Dubai themselves, as if trying to validate their legend of being part of the crypto industry, of which the UAE was a major center at the time.
On June 11, 2020, key figures of the criminal group of 12 were detained in the UAE by the Dubai police as part of Operation Fox Hunt 2 and extradited to the United States, where in early 2020 they had been charged in absentia for cryptocurrency fraud.
The fraud was a phishing scheme in which victims transferred funds to fake accounts, with some of the stolen money later converted into bitcoin. In this scheme, the cybercriminals gained access to a company’s email account and sent emails to employees instructing them to transfer funds to the company’s bank account. Accounts in the names of the victim companies were opened in the U.S. by intermediaries working for Ponle. Afterwards, they converted some of the criminally obtained funds into bitcoins and transferred them to Ponle’s wallet. The withdrawals were made through the cryptocurrency exchange Huobi.
According to the FBI, some of the funds collected by the scammers, in the amount of about $15 million, were never recovered, and some of them still sit in unidentified bitcoin wallets of the criminals.
The TokenScope Team discovered that Woodberry’s main bitcoin address, 16AtGJbaxL2kmzx4mW5ocpT2ysTWxmacWn, became active again on April 14, 2022, when it withdrew 4.92 BTC (about $120,000). The turnover at this address equals 3,798 BTC, which is equivalent to $86 million, and the address had previously displayed activity until June 1, 2020, a period that coincides with the detention of the group members in the UAE. We decided to figure out where these funds had gone.
The link graph can be seen here.
Simultaneously, the address bc1q4s8ar466yh3qqljtznax0zaax02ag8gz60x6uv received 146.8 BTC from 18 different wallets.
By building link chains of these 18 addresses, we were able to ascertain that they all had received funds from a Woodberry address, 16AtGJbaxL2kmzx4mW5ocpT2ysTWxmacWn, in 2019, which confirms that all the funds had been collected by the same people.
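The link-chain check described above can be sketched as a backward walk over a transaction graph. This is an added example, not TokenScope's tooling: the edge list is constructed, the labels `SOURCE`, `COLLECTOR`, `hop_*` and `wallet_*` are placeholders rather than real addresses, and the address-level graph is a simplifying assumption.

```python
from collections import defaultdict, deque

# Constructed sample edges (sender, receiver, BTC). Placeholder labels, not chain data.
EDGES = [
    ("SOURCE", "hop_a", 50.0),
    ("hop_a", "wallet_1", 30.0),
    ("hop_a", "hop_b", 20.0),
    ("hop_b", "wallet_2", 20.0),
    ("SOURCE", "wallet_3", 10.0),
    ("UNRELATED", "wallet_4", 5.0),   # funder with no tie to SOURCE
    ("wallet_1", "COLLECTOR", 30.0),
    ("wallet_2", "COLLECTOR", 20.0),
    ("wallet_3", "COLLECTOR", 10.0),
    ("wallet_4", "COLLECTOR", 5.0),
]

def build_inbound(edges):
    """Map each receiver to the set of addresses that funded it."""
    inbound = defaultdict(set)
    for sender, receiver, _amount in edges:
        inbound[receiver].add(sender)
    return inbound

def chain_to_source(inbound, start, source, max_hops=30):
    """Breadth-first walk backwards from `start`; return the shortest chain
    [source, ..., start], or None if `source` is not reachable in max_hops."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == source:
            return path[::-1]
        if len(path) - 1 >= max_hops:   # hop budget spent on this branch
            continue
        for sender in sorted(inbound.get(path[-1], ())):
            if sender not in seen:      # also guards against cycles
                seen.add(sender)
                queue.append(path + [sender])
    return None

def attribute_funders(edges, collector, source, max_hops=30):
    """For every wallet that paid `collector`, report its chain back to `source`."""
    inbound = build_inbound(edges)
    return {w: chain_to_source(inbound, w, source, max_hops)
            for w in sorted(inbound[collector])}

if __name__ == "__main__":
    for wallet, chain in attribute_funders(EDGES, "COLLECTOR", "SOURCE").items():
        print(wallet, "<-", " -> ".join(chain) if chain else "no link to source")
```

A chain that passes through a shared service address, such as an exchange hot wallet, does not by itself indicate common control, so each intermediate hop needs review before a chain is treated as attribution.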
On May 31, 2022, all the funds in the amount of 151.85 BTC (the equivalent of $3.5 million at current exchange rates) were transferred from the address bc1q4s8ar466yh3qqljtznax0zaax02ag8gz60x6uv to the address bc1qul2wxt3z578t0m9vux2zratehl52f3ncwm74rt, where they remain to date.
The full link graph can be seen here.
Thus, based on the link pattern given above, we can put forward the hypothesis that co-conspirators of Woodberry and Hushpuppi who had remained at large, or their confidants who have access to their bitcoin wallets, “unfroze” an amount of $3.5 million, which had been carefully hidden in 18 different wallets through 30 or more transactions, and withdrew it to one address. If the withdrawal of that amount is completed successfully, we will be able to presume that the fraudsters have several million dollars more in the stash, which they will also want to cash out.
We do not rule out that there could still be associates of the Woodberry and Hushpuppi group in the UAE, who continue their activities under the banner of other companies and that it is they who have access to the stolen funds.
In order to protect other users from the risks involved in interactions with compromised addresses and their owners, you can report to us all cases related to specific cryptocurrency addresses and assessed risks. To report such a case, please go to TokenScope.com and press the “Report cryptocurrency address” button.