IC3 filed 2026-06-09 12:46 EST. Stamped the submission ID on the report; bank freeze letters (Truist/First State/Chase) updated with the IC3 # and real Kittle/ACG contacts - now turnkey to send. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
9.2 KiB
FBI IC3 Complaint Package — BEC / ACH Payment-Redirection Fraud
Prepared by Arizona Computer Guru (ACG) for Kittle Design & Construction LLC Incident date: 2026-06-08 to 2026-06-09 (UTC) · Package date: 2026-06-09 Complaint type: Business Email Compromise (BEC) / EAC — Wire/ACH fraud FILED: FBI IC3 complaint
aa2ef50482ca4c05a54ae0f6cb56ffa0— 2026-06-09 12:46 PM EST
1. VICTIM INFORMATION
Primary victim (compromised business):
- Kittle Design & Construction LLC — Tucson, Arizona
- Domain / M365 tenant: kittlearizona.com (tenant ID 3d073ebe-806a-4a5e-9035-3c7c4a264fc0)
- EIN on the fraudulent form: 86-0942406 (purported Kittle EIN — verify; attacker likely copied the real EIN)
- Point of contact: Ken Schagel (owner), ken@kittlearizona.com, cell 520-310-1525
- Compromised mailboxes: Ken@kittlearizona.com (entry point, Global Admin), Accounting@kittlearizona.com (finance — accessed via Ken's delegate rights)
Intended payer targeted by the fraud:
- City of Tucson, Business Services Department (BSD) — Accounts Payable
- Finance contact in the fraud thread: Randi Arnett, Finance Manager (Randi.Arnett@tucsonaz.gov); AP: HCDAccountsPayable-Finance@tucsonaz.gov
- Other City staff CC'd by the attacker: Monica Barcenas, Angelica Favela, Alexa Johnson, Katharine Mitchell; Buyer: Casey Adams (Casey.Adams@tucsonaz.gov)
Reporting party / IT provider: Arizona Computer Guru (Managed Service Provider). Contact: Mike Swanson.
2. FINANCIAL TRANSACTION INFORMATION
Nature: Attacker submitted a fraudulent ACH/EFT banking-change ("BSD ACH Application", "Change" box) to the City of Tucson, impersonating Kittle's bookkeeper, to redirect Kittle's incoming City payments to attacker-controlled accounts.
Targeted / exposed payments (City of Tucson → Kittle, EFT):
- Invoice #31468 — Job #5654.25, "MMC Generator Upgrade" — $123,776.75 (confirmed from the City payment thread).
- Invoice #31400 — KDC Job #5700.25B, "COT Knights Inn — Fire Suppression" (PO-007291); City indicated EFT processing 2026-06-09. Amount ~$8,818.00 (approximate per thread; confirm exact with City).
- Additional open Kittle invoices were identified in the mailbox (e.g. Invoice #31453, $41,231.00, due 2026-06-28); any billed to the City would also have been exposed.
- Total identified exposure: $130,000+ (≥ $123,776.75 + ~$8,818). Because an approved ACH banking change redirects ALL future City-of-Tucson payments to Kittle, exposure is NOT limited to a single invoice and the true figure may be higher.
Fraudulent receiving (mule) accounts:
| # | Bank | Routing/ABA | Account # | Name on account | Source |
|---|---|---|---|---|---|
| 1 (submitted to City) | Truist Bank | 053201607 | 1410020505238 | "Kittle Design & Construction" | BSD ACH Application form attached to the attacker's 2026-06-08 email |
| 2 (second form in mailbox) | First State Bank (Eastpoint, MI) | 072410165 | 62100616 | FOAM FACTORY INCORPORATED | ACH-FoamFactory.pdf found in Ken's mailbox |
| 2b | JPMorgan Chase Bank, N.A. (New York, NY) | 021000021 (wire) / 072000326 (ACH); SWIFT CHASUS33 | 2906183268 | FOAM FACTORY INCORPORATED | same form |
Attacker contact phone on the fraudulent form: (659) 221-9243
Loss status — PREVENTED (no completed loss). Confirmed 2026-06-09 by Kittle's bookkeeper (Darline Cabrera), after speaking with the City of Tucson: the City stopped the payment before any funds were transferred to the attacker. No completed financial loss occurred. Attempted / exposed amount: $130,000+ (as above). Kittle also confirmed it has no business relationship with Foam Factory Incorporated, confirming both receiving accounts are attacker-controlled mule accounts. The fraudulent accounts should still be reported and frozen, and the perpetrator pursued (this complaint documents an attempted wire/ACH fraud).
3. SUBJECT (PERPETRATOR) INFORMATION
IP addresses used:
| IP | Use | Geolocation | ASN |
|---|---|---|---|
| 64.44.131.168 | OWA access to Ken + Accounting mailboxes; sent the fraudulent ACH emails; deleted evidence | Chicago, IL | AS20278 Nexeon Technologies (VPN/hosting) |
| 40.126.41.96 | Contact harvesting via python-httpx | Microsoft Azure | Microsoft Corp |
| 45.134.224.220 | Bulk phishing send (1,000 emails) | Kansas City, MO | AS147049 PacketHub S.A. (hosting) |
Impersonation infrastructure:
Accounting.kittlearizona@gmx.com— GMX free account impersonating Kittle's Accounting dept (inserted into the City invoice thread starting 2026-06-05)tucsonoz.com— lookalike domain of the City'stucsonaz.gov(e.g. randi.arnett@tucsonoz.com)- Attacker tooling: python-httpx/0.28.1 using an OAuth token for the Microsoft Desktop app (
d3590ed6-52b3-4102-aeff-aad2292ab01c)
4. INCIDENT NARRATIVE
On 2026-06-08, an external attacker compromised the Microsoft 365 account of Ken Schagel (owner / Global Administrator) of Kittle Design & Construction LLC, accessing it via Outlook on the Web from IP 64.44.131.168 beginning 13:24 UTC. Ken's account held standing FullAccess (delegate) permission to the company's Accounting (finance) mailbox (a legitimate permission Ken granted himself on 2026-05-15, ~3 weeks before the incident). The attacker used that delegate access to enter the Accounting mailbox.
From the Accounting mailbox, the attacker — impersonating Kittle's bookkeeper ("Darline Cabrera") — submitted a fraudulent ACH/EFT banking-change form to the City of Tucson's Accounts Payable, attempting to redirect Kittle's incoming City payments (including Invoice #31400, EFT scheduled 2026-06-09) to a Truist Bank account they controlled. The attacker had pre-positioned by inserting a GMX lookalike address (Accounting.kittlearizona@gmx.com) into the legitimate Kittle↔City invoice thread as early as 2026-06-05. The attacker hard-deleted the EFT and invoice emails from both Ken's and Accounting's mailboxes to conceal the activity (recovered by ACG from the audit-log dumpster).
Separately/concurrently, the attacker harvested contacts (18:36–18:53 UTC) and sent ~1,000 phishing emails ("Ken Schagel shared a file with you") from 45.134.224.220 between 21:14–21:26 UTC (747 delivered). ACG detected the incident ~21:30 UTC and performed containment/remediation. The payment-redirection fraud was identified by ACG on 2026-06-09 via mailbox-audit and message-trace analysis.
5. TIMELINE (UTC)
- 2026-06-05 ~11:52 — Attacker (via Accounting.kittlearizona@gmx.com) inserts into the Kittle↔City invoice thread.
- 2026-06-08 13:24 — First attacker OWA login to Ken's account (64.44.131.168).
- 2026-06-08 14:51–21:09 — Attacker accesses Accounting mailbox as delegate (21 access events); reads Inbox\Customers, Assured Partners, Employees, Sent, Deleted.
- 2026-06-08 15:52 / 16:45 / 18:52 / 20:29 — Attacker sends "EFT UPDATE" / ACH-change emails on behalf of Accounting@ to Randi Arnett (City of Tucson); hard-deletes the thread after each.
- 2026-06-08 18:36–18:53 — Contact harvest (python-httpx, 40.126.41.96).
- 2026-06-08 21:14–21:26 — 1,000-recipient phishing blast (45.134.224.220).
- 2026-06-08 ~21:30 — ACG detects, begins containment.
- 2026-06-09 — ACG identifies the ACH payment-redirection fraud; password resets; client notified; this package prepared.
6. EVIDENCE INVENTORY (preserved by ACG)
Downloads/kittle-bec-attachments/FRAUD_BSD_ACH_APPLICATION.pdf— the fraudulent ACH change form submitted to the City (shows Truist 053201607 / 1410020505238).Downloads/kittle-bec-attachments/Ken_ACH-FoamFactory.pdf— second ACH form (Foam Factory Inc accounts).- Recovered email thread (EFT UPDATE / ACH, Accounting@ ↔ Randi Arnett) — recovered from the M365 Recoverable Items dumpster via Graph (the attacker hard-deleted the originals).
- Microsoft 365 Unified Audit Log: MailItemsAccessed (delegate, IP 64.44.131.168), SendOnBehalf, SoftDelete/HardDelete events for Accounting@ and Ken@ — exportable on request.
- Message trace confirming delivery of the fraud emails and the original recalled message.
- Prior incident report:
clients/kittle/reports/2026-06-08-breach-check.md(full BEC remediation, phishing campaign, inbox rules).
7. ACTIONS TAKEN BY ACG / VICTIM
- Compromised accounts' sessions revoked; passwords reset (Ken's password changed in person 2026-06-09).
- Malicious inbox rules removed; mailbox forwarding, transport rules, and delegate access re-verified clean (2026-06-09).
- Kittle contacted the City of Tucson; the City stopped the fraudulent payment before any funds were transferred (confirmed 2026-06-09). Kittle confirmed no relationship with Foam Factory Incorporated.
- Ken's account was auto-restricted from sending by outbound-spam protection during the phishing blast; ACG verified nothing malicious was queued (Outbox/Drafts empty) and removed the restriction (sending restored 2026-06-09).
- Client advised to file this IC3 complaint and notify Truist / First State Bank / JPMorgan Chase fraud departments to freeze the receiving accounts.
Package compiled from M365 unified audit log, message trace, and recovered mailbox evidence. Dollar amounts to be confirmed with the City of Tucson. ACG can provide raw audit-log exports and the recovered emails/attachments on request.