
be careful! this kind of "subsidy" is not allowed

2024-09-03


the fraudsters bought various corporate email accounts on the black market. after brute-forcing the passwords and logging into the email accounts, they sent mass "phishing" emails to each account's address book about claiming "labor subsidies," "epidemic subsidies," "financial subsidies," and the like, committing telecommunications network fraud.


if you receive an email about receiving "labor subsidies" in your company mailbox, will you believe it and complete the collection process as required? xiao fan received an email from the company one day, scanned the qr code in the email and filled in the materials, but 60,000 yuan was transferred out of his bank account in an instant...

"during the case, while pursuing criminal responsibility for the criminals, our court also issued procuratorial suggestions and reminder letters to the relevant companies regarding the issue of corporate email account leakage exposed by the case, reminding them of the importance of data protection and conducting anti-fraud publicity." on august 12, the reporter went to the haidian district procuratorate of beijing for an interview. sun peng, director of the second procuratorial department of the procuratorate, said when introducing the fraud case of sending "phishing" emails to corporate employees, "we will continue to deepen the implementation of the special action of 'procuratorial protection of enterprises', provide procuratorial protection for building the 'beijing service' brand of the business environment, and promote the high-quality development of the capital's economy."

a letter applying for "labor subsidy"

"enterprise notification" email

"important notice, please read! notice on the application for personal labor subsidies... in order to manage the subsidies for corporate employees, the ministry of finance has uploaded the process and related materials for receiving labor subsidies. employees are requested to scan the qr code of the notice and fill in the materials. only today can you apply for subsidies." one day in december 2022, xiao fan, an employee of a certain company, saw a new email reminder pop up in his company mailbox when he was at work. the sender was his colleague xiao zhang. after xiao fan clicked on the email, he completed the application as required, but unexpectedly, he received a text message on his mobile phone reminding him that 60,000 yuan had been transferred from his account.

xiao fan was dumbfounded and immediately went to xiao zhang to confirm, only to learn that xiao zhang’s email address had been stolen by criminals and many colleagues had received the same email. not only xiao fan, but other colleagues had also been cheated.

in may 2023, the company organized its employees to report the case to the public security authorities. subsequently, the public security authorities quickly launched an investigation and found that this was a cross-border criminal gang that specifically targeted corporate employees for fraud, and locked in one of the suspects, qiu. in june, the public security authorities invited the procuratorate to intervene in the investigation in advance.

after tracing the network data flow involved in the case, on july 28, 2023, the public security organs arrested the criminal suspect qiu, and on august 25, they requested the procuratorate to approve the arrest of qiu on suspicion of fraud.

although the person was arrested, the handling of the case encountered challenges.

qiu was highly alert to evading investigation. he and one of the gang members, wang (who has been arrested), rented a house and changed their residence every so often. they used other people's identity information to register various online accounts and collected payments in virtual currency to conceal the flow of funds. when the public security organs searched qiu's temporary residence, they found three computers, two of which were missing their hard drives, and the mobile phone qiu carried with him was borrowed from a friend.

"after locking the network data flow of the fraudulent 'phishing' website involved in the case and retrieving the cloud server data of a certain company, the public security organs found that the server was rented by sun (handled in another case), not qiu." li peng, the prosecutor of the haidian district procuratorate, said that after investigation, sun and qiu were good friends. sun said that he had never rented a cloud server, and it was qiu who rented the server using his identity information. in addition, the public security organs also retrieved the network cloud disk storage data of qiu and related personnel. however, qiu always defended himself with excuses such as "i don't know", "i didn't do it", and "i can't use a computer", and refused to explain.

hard disk left at the scene

linked to six remote servers

after the case was transferred for review and prosecution, the procuratorate conducted review and analysis of the electronic data involved in the case through the electronic data review room.

the case handling team of the haidian district procuratorate is reviewing electronic evidence.

"we found a telegram chat software account with the nickname 'dong' (hereinafter referred to as the tg account) from the hard disk data left at the scene, but the real name of the mobile phone number associated with the account was not qiu." li peng introduced that the procuratorate subsequently worked with the public security organs to crack the password of the tg account through technical means and successfully obtained the data in it. it was found that there were a large number of chat records involving cracking and selling email account passwords between "dong" and a person nicknamed "when can i get rich?", and the two had a common group, which mentioned sending fraudulent emails, fraudulent "receiving subsidies" copywriting, and the bank card accounts and passwords of the deceived persons.

in addition, the prosecutor also found that the hard drive was connected to six remote servers, which contained programs for brute-forcing email passwords, a large number of email account passwords, and electronic documents for "receiving labor subsidies." however, the other network accounts on the hard drive had no actual connection with qiu, and who had really used the drive remained in doubt.

although some facts were still unclear and the evidence was incomplete, the prosecutor believed, based on the evidence and facts at hand and on qiu's various abnormal behaviors, that there was an important connection between qiu and the crime of telecommunications network fraud. therefore, on september 1, 2023, the prosecutor decided to approve the arrest of qiu.

tracking down "when can i get rich overnight"

who is “when can i get rich” who conspired with “dong” to steal email data and modify fraudulent copy?

with this question in mind, the case handling team launched an investigation. since qiu's gang used virtual currency to collect payments, the procuratorate guided the public security organs to retrieve relevant information and data of the virtual currency accounts involved in the case. through the data, it was discovered that "dong" was actually another gang member, wang.

at the same time, the procuratorate guided the public security organs to investigate sun, whose identity had been used to rent the server involved in the case, and found that sun's tg account also had a friend named "when can i get rich", identical to the contact in the "dong" account. sun identified this "when can i get rich" as qiu.

"we analyzed the payment records of the cloud server that hosted the fraudulent website and found several paid wechat id numbers. after investigation, we found that the real-name information associated with these ids was all qiu, and they were consistent with sun's wechat friends." guo shuzheng, a data reviewer in the electronic data review office of the haidian district procuratorate, told reporters that they also found the springboard email account of the case (that is, the corporate email account of xiao zhang and others that was stolen) and the email account of the victim in the residual data on the fraudulent server, and found a large number of email account passwords and software for brute force password cracking in qiu's cloud disk storage data.

at this point, the procuratorate had finally established the multi-dimensional correlations among the fragmented pieces of objective evidence: the hard drive left at the scene by qiu, the server with destroyed evidence, the server payment records, the fraud-related documents, the company's stolen email account, and the "when can i get rich" tg account.

the truth gradually surfaced: this group of criminals bought various corporate email accounts through overseas online black markets, and after brute-forcing passwords and logging into the email accounts, they sent mass "phishing" emails to each account's address book about claiming "labor subsidies," "epidemic subsidies," "financial subsidies," and the like, committing telecommunications network fraud. after the victims believed the emails and followed the instructions, the criminals stole the money from their bank accounts. upon investigation, qiu was found to have participated in 11 fraud crimes, involving a total of more than 120,000 yuan.

the prosecutor appeared in court to support the prosecution.

on january 31 this year, the haidian district procuratorate filed a public prosecution against qiu for suspected fraud. during this period, faced with the accumulating objective evidence, qiu's psychological defenses collapsed; he voluntarily pleaded guilty and accepted punishment, and returned the money involved in the case to all the people who were deceived. on may 31, the haidian district court sentenced qiu to two years in prison for fraud and a fine of 20,000 yuan. the judgment has now come into effect.

(jian jian sihan, procuratorate daily)
