Skip to main content
Press Release

Nigerian National Arrested For Scheme To Conduct Cyber Intrusions To Steal Payroll Deposits

For Immediate Release
U.S. Attorney's Office, Southern District of New York
Hacking Campaign Resulted in the Compromise of At Least Approximately 5,500 Individual User Accounts and the Theft of Approximately $800,000

Audrey Strauss, the United States Attorney for the Southern District of New York, William F. Sweeney Jr., Assistant Director-in-Charge of the New York Field Office of the Federal Bureau of Investigation (“FBI”), and Jonathan D. Larsen, Special Agent in Charge of the New York Field Office of the Internal Revenue Service, Criminal Investigation (“IRS-CI”), announced today the arrest of CHARLES ONUS for charges in connection with a scheme to conduct cyber intrusions of multiple user accounts maintained by a company that provides human resources and payroll services to employers across the United States, in order to steal payroll deposits.  ONUS was previously arrested on April 14, 2021, in San Francisco and detained, and he will be presented later today in Manhattan federal court before Magistrate Judge Sarah L. Cave.  The case is assigned to U.S. District Judge Paul G. Gardephe.  

Manhattan U.S. Attorney Audrey Strauss said:   “Charles Onus allegedly participated in a scheme that stole nearly $1 million by hacking into a payroll processing company’s system to access user accounts and divert payroll to prepaid debit cards he controlled.  As alleged, Onus did this as effectively as someone who commits bank burglary, but with no need for a blowtorch or bolt-cutters.  Thanks to the FBI and IRS-CI, Onus is in custody and facing serious federal charges.”

FBI Assistant Director William F. Sweeney Jr. said:  “Cyber intrusions ripple through everything our society relies upon – this one impacted people’s paychecks.  The FBI’s goal is to prevent cyber criminals from causing harm and holding them accountable, but we can’t do it alone.  Companies need to continuously improve their cyber hygiene and awareness.  Taking steps like training the workforce to protect and frequently change passwords, and to use different login credentials across platforms, can have an impact.  Each one of us, from the individual citizen to the biggest corporation, plays a critical role in defending the nation from cyberattacks.”

IRS-CI Special Agent in Charge Jonathan D. Larsen said:  “IRS Criminal Investigation will always work with our law enforcement partners to track down those who try to breach our country’s tax and financial infrastructure.  We will continually endeavor to bring to justice criminals who think they can comfortably steal from victims in America while hiding behind their computer screens.”

According to allegations in the Indictment filed in federal court[1]

From at least in or about July 2017 through at least in or about 2018, ONUS participated in a scheme to conduct cyber intrusions of multiple user accounts maintained by a company that provides human resources and payroll services to employers across the United States (the “Company”), in order to steal payroll deposits processed by the Company.

During the course of the scheme, unauthorized access was obtained to over 5,500 Company user accounts through a cyber intrusion technique referred to as “credential stuffing.”  During a credential stuffing attack, a cyber threat actor collects stolen credentials, or username and password pairs, obtained from other large-scale data breaches of other companies.  The threat actor then systematically attempts to use those stolen credentials to obtain unauthorized access to accounts held by the same user with other companies and providers, to compromise accounts where the user has maintained the same password.

After ONUS successfully gained unauthorized access to a Company user account, he changed the bank account information designated by the user of the account so that ONUS would receive the user’s payroll to a prepaid debit card that was under ONUS’s control. 

From at least in or about July 2017 through at least in or about 2018, at least approximately 5,500 Company user accounts were compromised and more than approximately $800,000 in payroll funds were fraudulently diverted to prepaid debit cards, including those under the control of ONUS.  The compromised Company user accounts were associated with employers whose payroll was processed by the Company, including employers located in the Southern District of New York.

*                *                *

ONUS, 34, a resident and national of the Federal Republic of Nigeria, was charged with one count of  computer fraud for causing damage to a protected computer, which carries a maximum sentence of 10 years in prison; one count of computer fraud for unauthorized access to a protected computer to further intended fraud, and one count of receipt of stolen money, each of which carries a maximum sentence of five years in prison; one count of wire fraud, which carries a maximum sentence of 20 years in prison; and one count of aggravated identity theft, which carries a mandatory sentence of two years in prison to be served consecutively to any other sentence imposed. 

The maximum potential sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge.    

Ms. Strauss praised the outstanding investigative work of the FBI and IRS-CI.  Ms. Strauss also thanked the New York City Police Department, the FBI New York Cyber Task Force, U.S. Customs and Border Protection, and the FBI Field Office in San Francisco for their assistance in the investigation of this case.

The prosecution of this case is being handled by the Office’s Complex Frauds and Cybercrime Unit.  Assistant United States Attorney Sagar K. Ravi is in charge of the prosecution.


[1] As the introductory phrase signifies, the entirety of the Indictment and the description of the Indictment set forth herein constitute only allegations, and every fact described should be treated as an allegation.


James Margolin, Nicholas Biase
(212) 637-2600

Updated June 2, 2021

Identity Theft
Press Release Number: 21-125