Remington Goy Ogletree (“remi”) was arrested in California on November 4 on a warrant from New Jersey. He was released on an unsecured bond of $50,000 with conditions (see below).
The complaint, filed in federal court in New Jersey (Case 2:24-mj-12280-JBC-1), charges Ogletree with wire fraud and aggravated identity theft for crimes allegedly committed between October 2023 and May 2024:
The investigation into the Cyber Threat Group has revealed that from at least October 2023 through at least May 2024, OGLETREE perpetuated a scheme to defraud in which he called and sent phishing messages to U.S.- and foreign-based company employees to gain unauthorized access to the companies’ computer networks. Once OGLETREE had access to the victim companies’ networks, OGLETREE accessed and stole confidential data, including data that was later posted for sale on the dark web, and, at times, used the companies’ services to facilitate the theft of cryptocurrency from unwitting victims. As a result of OGLETREE’s scheme, victims have suffered over $4 million in losses.
The complaint identifies three victims: one is a financial institution (a U.S. national bank) and the other two are telecoms (one is U.S., the other is EU).
Ogletree’s operational security was not impressive. As one example:
According to Apple records, the OGLETREE iCloud Account was subscribed to by “Steven Durango” at a Key Largo, Florida address (the “Key Largo Address”) and phone number ending in 7923 (the “7923 Phone Number”). As described in more detail below, the Key Largo Address was an Airbnb where OGLETREE and his father stayed in late 2023. A public record check revealed that no person by the name of Steven Durango lives in Key Largo, Florida. Further, the 7923 Phone Number is registered to OGLETREE’s father, and OGLETREE later admitted in an interview with the FBI that it was his own number. Evidence within the OGLETREE iCloud Account, including photos of OGLETREE and emails to OGLETREE, further shows that the account was used by OGLETREE during the relevant period. Finally, OGLETREE is listed as a billing contact for the OGLETREE iCloud Account.
The FBI reportedly raided Ogletree’s Texas residence on February 23, 2024 and seized his iPhone. The complaint notes:
On February 23, 2024, the FBI conducted a search of OGLETREE’s residence in Fort Worth, Texas (“the Fort Worth Residence”) pursuant to a court authorized search warrant. As explained above, during the search, the FBI seized the OGLETREE iPhone. A search of the OGLETREE iPhone – in addition to the evidence described above – further revealed photos of OGLETREE as well as evidence of criminal conduct, including: (a) a screenshot of a phishing text impersonating a technology company; and (b) a screenshot of a credential harvesting phishing page impersonating a personal information manager software system. The OGLETREE iPhone also contained screenshots of cryptocurrency accounts showing tens of thousands of dollars in cryptocurrency.
Two days later:
Two days after the FBI searched OGLETREE’s residence, a Telegram user (“User-1”) later identified as OGLETREE contacted the provider of a cash for cryptocurrency money laundering service (the “Cash Service”). On February 25, 2024, OGLETREE stated, “I need $50k cash.” OGLETREE then increased his request to “$75k” and asked that the cash be sent in OGLETREE’s father’s name to the Fort Worth Residence. At the time, OGLETREE was apparently unaware that the Cash Service was part of an undercover FBI operation.
Ogletree seems to have helped the FBI tie him to Scattered Spider in his interview with them while they were executing the search and seizure:
During this interview, OGLETREE demonstrated a knowledge of cybercrime and cybercrime techniques. OGLETREE told the FBI, “I talk to a large variety of people on [the] internet … I know people who commit all sorts of crimes.” OGLETREE then specifically provided information on the hacking group known as “Scattered Spider.” OGLETREE explained, “I know key Scattered Spider members.” OGLETREE further explained, “any company getting ransom … that’s not crypto-related, it’s gonna be them … they target BPOs … because outsourcing companies they have less security.” He further explained that Scattered Spider has hacked at least five of the top “BPO” companies.
Read the conditions of his release, below:
[Embedded document: ogletree_nj_conditionsofrelease]