A Nigerian national was sentenced to 10 years in U.S. federal prison for stealing almost $20 million from hundreds of people through cyber fraud. 

Babatunde Francis Ayeni, a 33-year-old who had been living in the U.K, was convicted for his role in a business email compromise scheme that targeted real estate transactions. Ayeni pleaded guilty to wire fraud charges in April and was sentenced this week. 

Ayeni worked with two other people in Nigeria and the United Arab Emirates — co-defendants Feyisayo Ogunsanwo and Yusuf Lasisi — who allegedly sent phishing emails with malicious links and attachments to title companies, real estate agents, and real estate attorneys across the U.S. 

Through the phishing emails, the hackers gained access to employee login information, which they used to monitor email accounts for messages indicating a buyer was preparing to make a payment. Ayeni and his co-conspirators would then contact the buyer from the compromised email address and provide wire information linking to their financial accounts. 

Among the more than 400 victims of the scheme, 231 of them were unable to reverse the wire transactions and lost the full amount sent to the hacker-controlled accounts. In total, $19,599,969.46 was lost. 

The thefts were particularly painful for dozens of people who lost all of the money they had saved up to purchase a home. Multiple people provided victim impact statements to the court and testified about the shame, despair, and depression they felt after the losses. One victim said more than $100,000 was stolen from him after he tried to buy his elderly father a home following a Parkinson's diagnosis.

The indictment mentions at least two victims who lost more than $114,000 and $42,000, respectively. The hackers used the funds to purchase Bitcoin on Coinbase, which was then sent to three different addresses. 

At least one of the victim companies was a real estate title company in Gulf Shores, Alabama.

“Cyber-enabled crimes can cause substantial and lasting harm to victims in an instant,” said U.S.Attorney Sean P. Costello. “Criminals across the world may believe that they are causing no harm to their victims and that they are safe behind their keyboards, but this case proves otherwise.”

Lasisi and Ogunsanwo have not been located and are believed to be at-large. Ogunsanwo was last tracked spending $40,000 of the stolen funds at a Louis Vuitton store in a Dubai mall.

Business email compromise continues to be one of the thorniest — and costliest — digital crimes committed. 

Most schemes target businesses that deal with wire transfers or automated clearing house payments, with the end goal being to get victims to mistakenly send funds to hacker-controlled accounts. 

The FBI said in 2023 that business email compromise accounted for $2.9 billion in losses. The FBI warned last year scammers “are increasingly using custodial accounts held at financial institutions for cryptocurrency exchanges or third-party payment processors, or having targeted individuals send funds directly to these platforms where funds are quickly dispersed.”

In August, about $60 million was stolen from one of the leading suppliers of carbon products after an employee was tricked into making several wire transfers to cybercriminals. A school district in Tennessee was also tricked into handing over millions. 

Law enforcement agencies have sought to step up their takedowns of criminal organizations propagating the schemes. Last month, Interpol took down a phishing scam operation in Côte d'Ivoire, arresting eight people for their involvement.