Files
claudetools/clients/kittle/reports/2026-06-09-ic3-bec-fraud-report.md
Mike Swanson 53584e1497 report(kittle): IC3 complaint filed - submission ID aa2ef504... (2026-06-09)
IC3 filed 2026-06-09 12:46 EST. Stamped the submission ID on the report; bank freeze letters
(Truist/First State/Chase) updated with the IC3 # and real Kittle/ACG contacts - now turnkey to send.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 09:49:35 -07:00

9.2 KiB
Raw Blame History

FBI IC3 Complaint Package — BEC / ACH Payment-Redirection Fraud

Prepared by Arizona Computer Guru (ACG) for Kittle Design & Construction LLC Incident date: 2026-06-08 to 2026-06-09 (UTC) · Package date: 2026-06-09 Complaint type: Business Email Compromise (BEC) / EAC — Wire/ACH fraud FILED: FBI IC3 complaint aa2ef50482ca4c05a54ae0f6cb56ffa0 — 2026-06-09 12:46 PM EST


1. VICTIM INFORMATION

Primary victim (compromised business):

  • Kittle Design & Construction LLC — Tucson, Arizona
  • Domain / M365 tenant: kittlearizona.com (tenant ID 3d073ebe-806a-4a5e-9035-3c7c4a264fc0)
  • EIN on the fraudulent form: 86-0942406 (purported Kittle EIN — verify; attacker likely copied the real EIN)
  • Point of contact: Ken Schagel (owner), ken@kittlearizona.com, cell 520-310-1525
  • Compromised mailboxes: Ken@kittlearizona.com (entry point, Global Admin), Accounting@kittlearizona.com (finance — accessed via Ken's delegate rights)

Intended payer targeted by the fraud:

Reporting party / IT provider: Arizona Computer Guru (Managed Service Provider). Contact: Mike Swanson.

2. FINANCIAL TRANSACTION INFORMATION

Nature: Attacker submitted a fraudulent ACH/EFT banking-change ("BSD ACH Application", "Change" box) to the City of Tucson, impersonating Kittle's bookkeeper, to redirect Kittle's incoming City payments to attacker-controlled accounts.

Targeted / exposed payments (City of Tucson → Kittle, EFT):

  • Invoice #31468 — Job #5654.25, "MMC Generator Upgrade" — $123,776.75 (confirmed from the City payment thread).
  • Invoice #31400 — KDC Job #5700.25B, "COT Knights Inn — Fire Suppression" (PO-007291); City indicated EFT processing 2026-06-09. Amount ~$8,818.00 (approximate per thread; confirm exact with City).
  • Additional open Kittle invoices were identified in the mailbox (e.g. Invoice #31453, $41,231.00, due 2026-06-28); any billed to the City would also have been exposed.
  • Total identified exposure: $130,000+ (≥ $123,776.75 + ~$8,818). Because an approved ACH banking change redirects ALL future City-of-Tucson payments to Kittle, exposure is NOT limited to a single invoice and the true figure may be higher.

Fraudulent receiving (mule) accounts:

# Bank Routing/ABA Account # Name on account Source
1 (submitted to City) Truist Bank 053201607 1410020505238 "Kittle Design & Construction" BSD ACH Application form attached to the attacker's 2026-06-08 email
2 (second form in mailbox) First State Bank (Eastpoint, MI) 072410165 62100616 FOAM FACTORY INCORPORATED ACH-FoamFactory.pdf found in Ken's mailbox
2b JPMorgan Chase Bank, N.A. (New York, NY) 021000021 (wire) / 072000326 (ACH); SWIFT CHASUS33 2906183268 FOAM FACTORY INCORPORATED same form

Attacker contact phone on the fraudulent form: (659) 221-9243

Loss status — PREVENTED (no completed loss). Confirmed 2026-06-09 by Kittle's bookkeeper (Darline Cabrera), after speaking with the City of Tucson: the City stopped the payment before any funds were transferred to the attacker. No completed financial loss occurred. Attempted / exposed amount: $130,000+ (as above). Kittle also confirmed it has no business relationship with Foam Factory Incorporated, confirming both receiving accounts are attacker-controlled mule accounts. The fraudulent accounts should still be reported and frozen, and the perpetrator pursued (this complaint documents an attempted wire/ACH fraud).

3. SUBJECT (PERPETRATOR) INFORMATION

IP addresses used:

IP Use Geolocation ASN
64.44.131.168 OWA access to Ken + Accounting mailboxes; sent the fraudulent ACH emails; deleted evidence Chicago, IL AS20278 Nexeon Technologies (VPN/hosting)
40.126.41.96 Contact harvesting via python-httpx Microsoft Azure Microsoft Corp
45.134.224.220 Bulk phishing send (1,000 emails) Kansas City, MO AS147049 PacketHub S.A. (hosting)

Impersonation infrastructure:

  • Accounting.kittlearizona@gmx.com — GMX free account impersonating Kittle's Accounting dept (inserted into the City invoice thread starting 2026-06-05)
  • tucsonoz.com — lookalike domain of the City's tucsonaz.gov (e.g. randi.arnett@tucsonoz.com)
  • Attacker tooling: python-httpx/0.28.1 using an OAuth token for the Microsoft Desktop app (d3590ed6-52b3-4102-aeff-aad2292ab01c)

4. INCIDENT NARRATIVE

On 2026-06-08, an external attacker compromised the Microsoft 365 account of Ken Schagel (owner / Global Administrator) of Kittle Design & Construction LLC, accessing it via Outlook on the Web from IP 64.44.131.168 beginning 13:24 UTC. Ken's account held standing FullAccess (delegate) permission to the company's Accounting (finance) mailbox (a legitimate permission Ken granted himself on 2026-05-15, ~3 weeks before the incident). The attacker used that delegate access to enter the Accounting mailbox.

From the Accounting mailbox, the attacker — impersonating Kittle's bookkeeper ("Darline Cabrera") — submitted a fraudulent ACH/EFT banking-change form to the City of Tucson's Accounts Payable, attempting to redirect Kittle's incoming City payments (including Invoice #31400, EFT scheduled 2026-06-09) to a Truist Bank account they controlled. The attacker had pre-positioned by inserting a GMX lookalike address (Accounting.kittlearizona@gmx.com) into the legitimate Kittle↔City invoice thread as early as 2026-06-05. The attacker hard-deleted the EFT and invoice emails from both Ken's and Accounting's mailboxes to conceal the activity (recovered by ACG from the audit-log dumpster).

Separately/concurrently, the attacker harvested contacts (18:3618:53 UTC) and sent ~1,000 phishing emails ("Ken Schagel shared a file with you") from 45.134.224.220 between 21:1421:26 UTC (747 delivered). ACG detected the incident ~21:30 UTC and performed containment/remediation. The payment-redirection fraud was identified by ACG on 2026-06-09 via mailbox-audit and message-trace analysis.

5. TIMELINE (UTC)

  • 2026-06-05 ~11:52 — Attacker (via Accounting.kittlearizona@gmx.com) inserts into the Kittle↔City invoice thread.
  • 2026-06-08 13:24 — First attacker OWA login to Ken's account (64.44.131.168).
  • 2026-06-08 14:5121:09 — Attacker accesses Accounting mailbox as delegate (21 access events); reads Inbox\Customers, Assured Partners, Employees, Sent, Deleted.
  • 2026-06-08 15:52 / 16:45 / 18:52 / 20:29 — Attacker sends "EFT UPDATE" / ACH-change emails on behalf of Accounting@ to Randi Arnett (City of Tucson); hard-deletes the thread after each.
  • 2026-06-08 18:3618:53 — Contact harvest (python-httpx, 40.126.41.96).
  • 2026-06-08 21:1421:26 — 1,000-recipient phishing blast (45.134.224.220).
  • 2026-06-08 ~21:30 — ACG detects, begins containment.
  • 2026-06-09 — ACG identifies the ACH payment-redirection fraud; password resets; client notified; this package prepared.

6. EVIDENCE INVENTORY (preserved by ACG)

  • Downloads/kittle-bec-attachments/FRAUD_BSD_ACH_APPLICATION.pdf — the fraudulent ACH change form submitted to the City (shows Truist 053201607 / 1410020505238).
  • Downloads/kittle-bec-attachments/Ken_ACH-FoamFactory.pdf — second ACH form (Foam Factory Inc accounts).
  • Recovered email thread (EFT UPDATE / ACH, Accounting@ ↔ Randi Arnett) — recovered from the M365 Recoverable Items dumpster via Graph (the attacker hard-deleted the originals).
  • Microsoft 365 Unified Audit Log: MailItemsAccessed (delegate, IP 64.44.131.168), SendOnBehalf, SoftDelete/HardDelete events for Accounting@ and Ken@ — exportable on request.
  • Message trace confirming delivery of the fraud emails and the original recalled message.
  • Prior incident report: clients/kittle/reports/2026-06-08-breach-check.md (full BEC remediation, phishing campaign, inbox rules).

7. ACTIONS TAKEN BY ACG / VICTIM

  • Compromised accounts' sessions revoked; passwords reset (Ken's password changed in person 2026-06-09).
  • Malicious inbox rules removed; mailbox forwarding, transport rules, and delegate access re-verified clean (2026-06-09).
  • Kittle contacted the City of Tucson; the City stopped the fraudulent payment before any funds were transferred (confirmed 2026-06-09). Kittle confirmed no relationship with Foam Factory Incorporated.
  • Ken's account was auto-restricted from sending by outbound-spam protection during the phishing blast; ACG verified nothing malicious was queued (Outbox/Drafts empty) and removed the restriction (sending restored 2026-06-09).
  • Client advised to file this IC3 complaint and notify Truist / First State Bank / JPMorgan Chase fraud departments to freeze the receiving accounts.

Package compiled from M365 unified audit log, message trace, and recovered mailbox evidence. Dollar amounts to be confirmed with the City of Tucson. ACG can provide raw audit-log exports and the recovered emails/attachments on request.