Carabinieri: gang gangs of cyber criminals, cheated banks and depositors

(To Arms of the Carabinieri)

At the dawn of today, in the Provinces of Reggio Calabria and L'Aquila, the Carabinieri of the Provincial Command of Messina carried out an order for precautionary custody in prison issued by the GIP of the Court of Messina at the request of the Peloritan Public Prosecutor's Office, guided by the Attorney Maurizio De Lucia, charged to 5 subjects held responsible - for various reasons - of criminal association aimed at computer fraud, illegal access to computer or electronic system and substitution of person.

At the same time, the personal precautionary measure was also implemented by a decree of preventive seizure, ordered against current accounts and bank deposits in the availability of suspects, for a total value of over 1,2 mln. of Euro.

The restrictive measure arises from a complex investigative activity, conventionally called "FRAUDATORES", launched in February 2018 by the Investigative Unit of the Provincial Command Carabinieri of Messina in collaboration with the Department of Telematics Research of the ROS, coordinated by the deputy Public Prosecutor Dott.ssa Antonella Fradà, whose results have allowed to prove the operativity of a group of cyber criminals, based in the ionic band of Reggio and active throughout the national territory, specialized in extracting large sums of money from several hundred bank accounts "online ".

The investigations, in particular, have shown how the suspects were able to modify, on the main institutional websites (Telemaco Infocamere,,, etc ..), the certified e-mail addresses (pec) of some of the best known national and foreign credit institutions, replacing them with those of similar certified e-mail accounts, named in a completely similar way to the original ones, specially activated on specialized providers and registered to unaware or non-existent subjects.

In the course of the investigation it was found that, by this expedient, the hackers managed, on the one hand, to interpose themselves between the holders of the "on line" current accounts and the respective institutes - according to a cybernetic attack mode known as MITM (man in the middle) - and, on the other hand, to get hold of the access credentials to financial reports, using which they had a sequence of "home-banking" transactions in favor of further bank accounts, in the name of unaware victims of identity but managed by the same members of the coterie.

The suspects activated at the providers of certified e-mail accounts (PEC) with similar addresses - different if only for the domain on which they were activated - to those actually used by some lenders. For example, the fraudulent mail was created in place of that or the fraudulent one in place of These certified mailboxes were activated, always via the web, providing false identities, sometimes completely invented and sometimes stolen from unaware victims, without any control over the real identity of the person who activated them or on their title to operate in the name and on behalf of that institution of credit.

At this point the criminals, through some Chambers of Commerce to which requests for variation of the PEC address of some credit institutions were sent, obtained the replacement of the genuine one with the fraudulent one - in all similar to the original one - but from activated.

Once modified and published, the fake web address of the bank was automatically updated in all the main online directories (Registroimprese, Telemaco-infocamere, etc).

Interposing himself with this stratagem between the customer interested in contacting the bank and the bank, implementing a typical cyber attack method known by the English acronym MITM (man in the middle), the scammers received the client's e-mail that he believed he would contact his bank to represent his needs (for example closing or opening current accounts or succession mortis causa) and, once the contact was established, they stole the trust of the victims and induced them to provide access credentials and codes operating accounts that they used to steal money.

The stolen proceeds were recycled through a sequence of various transfers made on a series of current accounts, opened fraudulently and, in some cases, made payable to the same unsuspecting victims.

However, if the availability on current accounts of which they appropriated were of a slight consistency, they cleared the account balance through purchases of goods on e-commerce sites, and then delivered the goods at convenient addresses in the municipalities of residence. Moreover, in order to make their fraud more credible, the criminals had also created facebook profiles made out to fraudulent identities and, to make them more credible, they included photos, résumés and fake logos to pretend to be employees of the credit institution.

The evidence collected showed the existence of a well-structured criminal association that had planned an indefinite number of crimes at the top of which there is TRICARICO Giuseppe Cesare who is the organizer and leader promoter of the group and is assisted by his brother TRICARICO Davide. The two, although they were both subjected, for some time, to the precautionary measure of house arrest, because of their involvement in an investigation by the Procuratorate of Reggio Calabria for similar crimes to those now disputed, they could continue to organize and promote the illegal activity with the help of the countrymen AMEDURI Nicola and PORPORINO Nicodemo. AMEDURI is the arm of TRICARICO Giuseppe on behalf of which he carries out the activities that the latter, due to the limitation of his personal freedom, can not accomplish, he goes to meetings with the other members, activates the phone cards essential to carry out the crimes, withdraws correspondence, contact the couriers who must deliver the purchased goods etc. PORPORINO and CANCELLI Antonello, the latter resident in the province of L'Aquila, make available as terminals to make money flow, after the various intermediate steps to clean up, which is collected by them in current accounts in their name and then shot in cash at TRICARICO Giuseppe.

Being subject to the precautionary measure of house arrest did not interrupt the criminal activity of the group, which, exploiting the previous experience gained in the field, has refined the methods and methods of commissioning online scams, while increasing the precautions necessary to conduct criminal activity. Therefore the members placed the utmost attention in never using their names to perform any activity related to the crimes implemented, they controlled with careful attention their cars fearing that there were bedbugs, taking care never to use telephone cards to them.

One of the methods used to steal money from victims was to simulate the existence of an SDD against them. SDD stands for SEPA Direct Debit. This is a SEPA instrument for pre-authorized collection on a debit mandate requested by the debtor in favor of a creditor. In the SEPA Direct Debit scheme (SDD) the mandate is the contract with which the debtor provides two separate authorizations. Authorizes the creditor to have one or more debits from his account. It also authorizes its bank to debit the account on the basis of the aforementioned instructions received through the creditor.

Specifically, the investigations made it possible to ascertain how TRICARICO Giuseppe, always using false identities, first enlisted unwitting collaborators - making him believe that he was an external operator of credit institutions - and subsequently through their work, he carried out the illicit activity. In particular, TRICARICO made it clear to these unaware collaborators, entrusted with the task of processing the SDD mandates through their companies, to be responsible for a credit recovery agency to which various subjects (banking institutions, Inland Revenue and Courts) entrusted the task of recovering their claimed claims. These collaborators should have digitally instructed the SDD process, acquire debtor payments on their current accounts and, withheld their commission, turn over the money on the accounts indicated by TRICARICO. In the short period of investigation, a whirlwind of SDDs for collection was documented, 124 in use only day for a counter value of almost 200 thousand euros.

Numerous reconstructed crimes including some emblematic crimes of the modus operandi.

A woman from the Province of Milan contacts the fake Pec created by the suspects to close their current account. TRICARICO Giuseppe, using an identity stolen from another victim, recontacts him by telephone, posing as the bank's official in charge of managing the account closure practice and being able to have the codes indicated to operate on that account. The outcome of the phone calls with the woman convinces her that his account has been closed but, in fact, he has replaced all the addresses of the woman with others attributable to him and since there were only a few euros on the account, he used his credit card combined with this account to complete a series of online purchases of various goods up to the maximum limit of one thousand euro.

Another woman from Milan was telephonically contacted by TRICARICO Giuseppe, who, pretending to be an official of the woman's bank, informed her that for security reasons some personal data had to be changed on her home banking site and invited her to report the credentials access and asked for an OTP (one time password) essential for the transactions. The woman gave them to him but shortly after reflecting on the conversation she had just had the foresight to verify her banking situation, discovering that a transfer of 49 thousand euro from her bank account to a current account held by a third person had been made. duped.

A man from Bergamo, whose wife has died, is contacted by TRICARICO who, once again, uses the identity stolen from a victim to pass himself off as the bank's official. This makes the man aware that he can quickly resolve the problem of succession to his wife in the current account and proposes him, to speed up the procedures, to provide him with the codes to operate via the internet on behalf of the deceased in order to have him cashed immediately sums deposited by means of a transfer on the current account of the man. The old man, fortunately for him, gives him the wrong codes and then TRICARICO suggests him to go to the branch to get new codes to work online since those were blocked. The man goes to the branch but here the bank employee intervenes, saving him from the fraudster, since he contacts TRICARICO, always under his false generality, and asks him the reason for the anomalous procedure suggested to the client. TRICARICO is justifiably justified and from which moment it no longer responds to the further calls that are addressed to it.

The investigations have shed light on the system used to recycle the money taken from victims through steps in various current accounts, banking and postal, in order to make it more complex to follow the financial flows. Therefore, in addition to the personal precautionary measures, also the preventive seizure of well-known 31 financial reports was carried out, some of them directly to the suspects and their next relatives and others headed in the name of unsuspecting victims whose identities had been stolen and used to light these accounts actually managed by the suspects.

The precautionary measure carried out today interrupted the criminal activity in progress, preventing further victims from falling into the fraudulent network. The searches and seizures may provide further investigative elements derived from the examination of the copious computer material acquired and the analysis of the financial flows of the seized current accounts also because there is reason to believe that part of the illicit proceeds have been invested in the purchase of bitcoins , the virtual currency also used to make purchases of weapons and illegal goods in the deep web.

The Carabinieri of the Provincial Command of Messina have executed 5 measures against the undersigned investigated:

TRICARICO Giuseppe Cesare, 37enne the 11.4.1981 by Gioiosa Ionica (RC)

TRICARICO Davide, 33enne, of Grotteria (RC)

AMEDURI Nicola, 35enne of Gioiosa Ionica (RC)

PORPORINO Nicodemo, 54enne of Grotteria (RC)

GATES Antonello, 35enne of the province of L'Aquila.