In the summer of 2017, MacEwan University in Edmonton was duped into sending more than $11-million to someone posing as a construction contractor.
The university eventually chased down and recovered a large chunk of the money. But what lay behind the swindle remained a mystery. Now, a man described as a trusted, high-level money launderer who moved tens of millions of dollars for a network of North Korean cybercriminals has pleaded guilty in connection with the crime.
Ghaleb Alaumary, 36, is a dual Canadian and U.S. citizen from Mississauga, Ont. His arrest was announced with much fanfare last month by the U.S. Department of Justice, which simultaneously announced indictments against three North Korean state-sponsored hackers whose activities it described as “staggering.” The three are alleged to be members of a North Korean military intelligence agency blamed for the hack of Sony Pictures in 2014 as well as high-profile ransomware attacks, cyberheistsand thefts of cryptocurrency.
U.S. authorities were keen to trumpet Mr. Alaumary’s guilty plea on a charge of conspiracy to launder money, for which he faces a maximum penalty of up to 20 years in prison. Less attention was paid that day, though, to Mr. Alaumary’s pending sentencing for one of the biggest cyber heists known to have been committed in Canada.
A separate indictment filed in Georgia (where Mr. Alaumary was first apprehended) describes a multi-million-dollar scam that targeted “a Canadian public undergraduate university,” though U.S. authorities declined to name the school. But the manner of the swindle, the amounts of money involved, the banks through which the cash flowed and the dates on which the transactions occurred all match details revealed by MacEwan University, either in public statements or civil court filings.
MacEwan declined to comment on the case because it is still before the courts. Mr. Alaumary’s lawyers in Georgia did not respond to telephone and e-mail messages.
There have been a number of significant cyberattacks at Canadian postsecondary institutions in recent years. In 2020, Royal Military College in Kingston, Ont., was hit by a ransom attack that encrypted data and then released the personal information of cadets online. The University of Calgary paid $20,000 to hackers to end a ransomware attack in 2016.
Bob Gordon, executive director of the Canadian Cyber Threat Exchange, said universities in Canada are finding out that hackers see them as repositories of money, intellectual property and the personal data of thousands of students and employees.
“There are a variety of ways that a university is a particularly lucrative target,” Mr. Gordon said.
In June, 2017, builders were putting the finishing touches on an expansive new building at the MacEwan campus in downtown Edmonton. Allard Hall, a $143-million, 425,000-square-foot building featuring dance studios, lecture theatres and classrooms, was supposed to open in time for the fall term. Mr. Alaumary’s co-conspirators (who are not named in the court documents) are alleged to have sent e-mails to university employees that appeared to be from a contractor working on the construction project.
MacEwan’s accounting department received an e-mail from an account whose name and format closely resembled the accounts-receivable address used by a contractor working on Allard Hall. The key difference was that the fraudulent e-mail address included a period between the words “accounts” and “receivable,” whereas the real address was unpunctuated. The text of the e-mail asked that funds owing for construction work be sent to a different bank account than the one currently on file. The new account was controlled by Mr. Alaumary, according to U.S. prosecutors.
It’s not clear how Mr. Alaumary or the people with whom he was working decided to target the Edmonton university. It’s the kind of crime often described as e-mail phishing – or, more precisely, a business e-mail confidence scam – and it’s the reason IT departments are constantly warning employees to pay careful attention before opening or replying to unsolicited e-mails.
In August, 2017, U.S. prosecutors said Mr. Alaumary sent a message via WhatsApp to a co-conspirator telling him to have bank accounts ready to accept large amounts of cash: “Bro, this is the real deal,” he wrote.
He told more than one person working under his direction that they should lay the foundation for the money transfers by alerting their banks they had millions coming in large payments within the next 60 days.
MacEwan, in a civil action seeking to freeze its missing assets, said it wired $1.9-million on Aug. 10, followed by more than $9-million on Aug. 18, as well as some smaller transactions. In all, more than $11.8-million was sent to the wrong account.
On Aug. 23, 13 days after the first wire was sent, MacEwan received an e-mail from the building company inquiring about more than $10-million in outstanding payments. That request sent administrators at the university scrambling to investigate. When the error was uncovered, MacEwan alerted authorities and went to court in an attempt to trace, freeze and recover the funds.
The money had already moved to the account of a dormant shoe company in Quebec, then to accounts in Hong Kong and British Columbia. Lawyers hired by the university were able to freeze most of the funds before they went any further.
By April, 2018, MacEwan said in a press release that it had recovered $10.9-million of the $11.8-million that it lost in the scam. It credited fraud units at the banks involved, as well as the police and legal counsel in several jurisdictions. Mr. Alaumary is also accused of attempting to get the frozen funds unlocked in the months after the scam was discovered.
It’s not clear how and when Mr. Alaumary connected with North Korea’s prolific state-sponsored cyberhackers. The U.S. court filings say beginning no later than the summer of 2018, he conspired with others, largely outside the United States, to transmit the proceeds of wire fraud and computer hacking.
His plea agreement says he managed a crew of no fewer than 20 people in the United States and Canada who would withdraw cash from ATMs using debit cards credited with proceeds of fraud. This was a technique to turn successful cyberhacks into hard currency, the prosecutors said. Mr. Alaumary admitted targeting an Indian bank in that manner for US$16-million, a Pakistani bank for US$6-million and a Maltese bank for US$14-million. The Pakistani and Maltese heists were led by North Korean hackers, the U.S. Department of Justice alleges, and Mr. Alaumary has pleaded guilty to laundering the funds. Mr. Alaumary also acted as a liaison for fraudsters seeking bank accounts where they could deposit funds.
Christian Leuprecht, a professor at Canada’s Royal Military College, said there is an entire industry of intermediate brokers that serves those looking to move dirty money.
He described the North Korean use of cybercrime to raise funds for the regime as “par for the course.”
“This is how they raise their money, which is basically organized crime,” Prof. Leuprecht said. “And the fact that they use intermediaries is also not a outlier, because often their problem is they can steal the money but then they have to figure out what they have to do to move money around the world.”
Mr. Alaumary was arrested in October, 2019, while travelling through Atlanta. He has agreed to plead guilty to one count of conspiracy to commit money laundering in relation to the frauds involving the international banks.
He has also pleaded guilty to a charge of conspiracy to commit money laundering in the case involving MacEwan University, according to documents filed in a U.S. court. He has not yet been sentenced.
Our Morning Update and Evening Update newsletters are written by Globe editors, giving you a concise summary of the day’s most important headlines. Sign up today.