Adding COVID-19 exploitation to its nefarious arsenal targeting governments, the Nigerian Scattered Canary criminal gang most recently attempted to exploit the CARES Act on May 17, filing two fraudulent unemployment claims through Hawaii’s Department of Labor and Industrial Relations website.

The bogus claims were part of a larger criminal effort in the past month that has left several hundred fraudulent droppings in at least eight U.S. states, with additional claims expected, according to Agari, which “cataloged the evolution of a Nigerian cybercriminal organization from its emergence as a one-man shop into a powerful business email compromise (BEC) enterprise employing dozens of threat actors,” in a whitepaper published today.

“Since its inception, at least 35 different actors have joined Scattered Canary in its fraudulent schemes,” the researchers wrote. “The group has turned to a scalable model through which they can run multiple types of scams at the same time. And with multiple tools designed to help them expand their operations and stay hidden from law enforcement, it is no wonder that they are seeing massive success.”

The Hawaii filings come on the heels of at least 259 bogus claims, tracked by Agari, in Florida, Massachusetts, North Carolina, Oklahoma, Rhode Island, Washington and Wyoming, designed to take advantage of the CARES Act, which provides financial relief in the form of Economic Impact Payments (EIP).

Using Gmail “dot accounts,” Scattered Canary generated the fraudulent accounts to file claims and receive payments.
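Gmail ignores dots in the part of an address before the @, so many address spellings deliver to one inbox. The sketch below is an added example, not code from Agari or the article: it shows how a claims portal could collapse such variants and flag one inbox behind several claimants. It goes beyond dots to cover plus tags and the googlemail.com alias; the field names, threshold and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Domains that deliver to the same Gmail mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return the mailbox an address delivers to, collapsing Gmail variants."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in GMAIL_DOMAINS:
        # Gmail ignores dots and anything after "+" in the local part.
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    # On other domains dots are significant, so the address is left alone.
    return f"{local}@{domain}"


def flag_shared_inboxes(claims, threshold=2):
    """Map canonical mailbox -> claim ids when >= threshold claimants share it."""
    groups = defaultdict(list)
    for claim in claims:
        groups[canonical_email(claim["email"])].append(claim)
    flagged = {}
    for mailbox, members in groups.items():
        claimants = {m["claimant"] for m in members}
        if len(claimants) >= threshold:
            flagged[mailbox] = sorted(m["claim_id"] for m in members)
    return flagged


# Constructed sample records (hypothetical field names, not real claims).
SAMPLE_CLAIMS = [
    {"claim_id": "C-1001", "claimant": "Alex Example", "email": "sampleinboxconstructed@gmail.com"},
    {"claim_id": "C-1002", "claimant": "Blake Sample", "email": "sample.inbox.constructed@gmail.com"},
    {"claim_id": "C-1003", "claimant": "Casey Placeholder", "email": "S.ampleinbox.constructed@GMAIL.com"},
    {"claim_id": "C-1004", "claimant": "Drew Test", "email": "drew.test@example.org"},
    {"claim_id": "C-1005", "claimant": "Drew Test", "email": "drewtest@example.org"},
    {"claim_id": "C-1006", "claimant": "Eli Demo", "email": "eli.demo+claims@googlemail.com"},
]

if __name__ == "__main__":
    for mailbox, ids in flag_shared_inboxes(SAMPLE_CLAIMS).items():
        print(mailbox, ids)
```

A hit is a lead for review rather than proof of fraud, since household members can legitimately share an inbox.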

Noting that the CARES Act includes $600 in Federal Pandemic Unemployment Compensation each week through July 31, Agari estimated maximum potential losses of $4.9 million as a result of these fraudulent claims to date.

Armen L. Najarian, Agari’s CMO and chief identity officer, said in a statement that the company had been tracking Scattered Canary for more than a year and had alerted the U.S. Secret Service to the latest development.

Between April 15 and April 29, Washington state received at least 82 fraudulent claims for CARES Act EIPs filed by Scattered Canary, which, according to Agari, used the IRS website to process claims from individuals who are not required to file tax returns. Of the 82 claims Scattered Canary filed, at least 30 of them were accepted by the IRS and presumably paid out.

Scattered Canary emerged about a decade ago, unleashing a steady flow of fraudulent activity against government services, including unemployment fraud, Social Security fraud, disaster relief fraud, and student aid fraud.