Brazilian gang defrauds Uber, Lyft, DoorDash using GPS spoofing and stolen IDs
US authorities have charged a gang of Brazilian nationals for a scheme that defrauded the customers of services like Uber, Lyft, DoorDash, and two other unidentified food delivery services.
According to court documents obtained by The Record, the gang used stolen IDs to create driver accounts at the aforementioned services, which they later sold to individuals who were not eligible for such accounts.
The gang also sold GPS-spoofing tech to drivers that made rides appear longer than they were or food delivery routes shorter in order to obtain increased fares.
Justice Department officials said the group, which began operating in September 2019, initially targeted ride-hailing services but switched to target food delivery services in 2020 after the onset of the coronavirus pandemic and after ride-hailing services saw a decline in business.
Group coordinated via WhatsApp
The group, which operated primarily in Massachusetts but also across California, Florida, and Illinois, coordinated via a WhatsApp group called "Mafia," where the FBI said they negotiated similar pricing schemes to prevent undercutting each one's profits.
According to court documents, the group usually rented driver accounts on a weekly basis. A driver account on a ride-hailing service cost between $250 and $300 per week, while an account at a food delivery site was rented for $150 per week.
During their investigation, the FBI said it tracked more than 2,000 accounts that had been registered by the gang's members.
To create these accounts, the FBI said the group relied on stolen identities from different sources, even the dark web. Additional identities were also stolen while deliveries were being conducted, with the drivers taking quick photos of a customer's ID.
According to court documents, the group operated by editing high-quality photos of a legitimate driver's license with the details from a stolen identity.
Court documents also show that some of the group's members had collected hundreds of thousands of US dollars in their accounts from the scheme.
The group would usually collect funds from the ride-hailing and food delivery platforms in their bank accounts, withdraw weekly renting commissions, and then send the money to the drivers who rented the fake accounts and were doing the actual driving.
But the group also made money from referral bonuses for new accounts. According to a screenshot posted in the group's WhatsApp channel, one of the gang's members earned $194,800 via DoorDash's user referral system for 487 accounts they had on the platform.
But besides bragging about profits, the WhatsApp group was primarily used to share and organize ways to promote their scheme online, exchange stolen identities between each other, and discuss ways to avoid the victim companies' fraud detection systems, such as using VPN to rotate their IP addresses when registering a new account.
Uber's security team discovered the scheme
In an email today, an Uber spokesperson told The Record that the company's Global Investigations team eventually discovered the scheme last year and notified the FBI.
The Uber team, led by Vince Lisi, a former special agent in charge of the FBI Boston office, tracked the group in real-time and shared information with law enforcement, helping them map out the gang's entire network across the US.
We are grateful for the FBI's efforts to investigate these cases and bring those who are involved in these serious crimes to justice.Uber spokesperson
Lyft, which also had to deal with the group's shenanigans, sent over the following statement.
The safety of the Lyft platform is our top priority and we have been in close communication with the Department of Justice during their investigation.Lyft spokesperson
Lyft said it now requires drivers to provide a photo of their license and a headshot in real-time in order to prevent such fraud attacks.
Four arrested, more charged
The DOJ cracked down on this group in two waves. It charged 19 Brazilian nationals at the start of the month, including six individuals whose names were not released and still remain at large.
On Thursday, the DOJ announced a second wave of charges against five Brazilian nationals. Four were arrested and arraigned in a San Diego court, while a fifth remains at large and is believed to reside in Brazil.
If arrested and found guilty, the individuals risk prison tens of years in prison and fines of $750,000.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.