In the investigation into the visa fraudulence scheme carried out by Michael T. Sestak, former head of non-immigrant visa department of the Consulate General in Ho Chi Minh City, and his conspirators, US investigators detected visa-related relations through three IP addresses used in the scam.
>> Visa seller Sestak once regarded as ‘devoted and professional’ >> Investigative leads in Sestak’s visa-for-money scam >> Visa bribery case: how did ex-US officer make money? As shown in an affidavit by Simon Dinits, a Special Agent with the Diplomatic Security Service (DSS) of the US Department of State, Sestak received nearly US$4 million in bribes from Vietnamese residents seeking visas from March to September 2012. The fee was from $50,000- $70,000 per visa and Sestak later used the money to buy property in Thailand. A review of records on the American Registry for Internet Numbers (“ARIN”) website revealed that IP Address A was assigned to Black Oak Computers Inc. (“B1ack Oak”), an ISP with headquarters in California. Records obtained from Black Oak revealed that a single Black Oak Virtual Private Network (“VPN”) account was used to access all 408 NIV applications, and that the subscriber on this account was Co-conspirator 3 of an address in Denver, Colorado (“Denver Address”), with a Google e-mail address that included Co-conspirator 3’s first and last name (“Co-conspirator 3 Google Account”). A subsequent check of Department of State passport records revealed that Co-conspirator 3 had also listed the Denver address on its U.S. passport application in 2006. A review of Co-conspirator 3’s profiles on various social media websites revealed that it maintained a blog website. In a post on the website, Co-conspirator 3 stated that it used StrongVPN to visit social media and other websites that may be blocked in Vietnam, and that StrongVPN offered anonymity for Internet browsers. StrongVPN is a business operated by Black Oak Computers. There is also evidence that Co-conspirator 1 used the Black Oak VPN Account. In a Google chat, dated July 10, 2012, recovered from a court-authorized search warrant executed on Co-conspirator 3’s Google email account, Co-conspirator I wrote to Co-conspirator 3, “strong VPN has not been working all night, what’s up w/ that‘? I figured you or [Co- conspirator 4] were on then . . .” Co-conspirator 3 replied that Co-conspirator 1 should try again and that the VPN was working. DSS investigation revealed that, unlike IP Address A, IP Address B was a static IP address with service provided by an ISP in Vietnam. Review of evidence in the form of IP address trails, and geographic tags embedded in photographs emailed by the co-conspirators indicate that IP Address B is tied to Co-conspirator 1’s workplace. Co-conspirator 1 is the General Director of the Vietnam office of a multi-national company (“Co-conspirator I Company”). The Company’s website lists an address for the Company’s office in Ho Chi Minh City (“Company Address”). Review of information obtained through a court-authorized search warrant executed on Co-conspirator l’s Google Account (“Co-conspirator I Google Account”), revealed that Co-conspirator 1 repeatedly accessed its personal email from IP Address B. The header information for at least 17 emails in Co-conspirator I’s Google email account indicated that they were sent from IP Address B. At least three of these emails contained photograph attachments, for a total of five photos; all three emails had been sent from an iPhone. DSS review of Consulate records also revealed that Sestak also had a pattern of approving visas connected to a third IP Address. Approximately 91 visa applications were created or last accessed from static IP address 188.8.131.52 (“IP Address C”), between November, 2011, and September 6, 2012. Sestak interviewed and issued visas to 85 of these 91 applicants. DSS investigation revealed that, like IP Address B, IP Address C is a static IP address with service provided by an ISP in Vietnam. Evidence in the form of IP address trails, and geographic tags embedded in photographs emailed by the co-conspirators, indicate that IP Address C is tied to the residence where Co-conspirator 2’s parents live in Vietnam. DSS investigation revealed that Co-conspirator 1 and Co-conspirator 2 repeatedly accessed their personal email accounts from IP Address C. A court-authorized search warrant was executed on a Yahoo email account belonging to Co-conspirator 2’s father. Review of the IP logs for this account indicated that Co-conspirator 2’s father had logged into his account approximately 256 times between November 2, 2011, and December 12, 2012. Of these 256 log-ins, approximately 210 (or 82%) were made from IP Address C. Co-conspirator 2’s father’s 2011 U.S. NIV application listed an address in Ho Chi Minh City (“Family Home”) as his residence and his place of employment. Co-conspirator 2’s father’s NIV application, which was submitted from IP Address C on October 12, 2011, also listed Co-conspirator 1 as the individual who had prepared the application. A court-authorized search warrant was also executed on a Yahoo email account belonging to Co-conspirator 2’s sister-in-law. Review of Google data revealed that Co-conspirator 2’s sister-in-law had logged into the account approximately 828 times between November 24, 2011, and December 11, 2012. Of these 828 log-ins, approximately 816 (or 98%) were made from IP Address C. Co-conspirator 2’s 2011 U.S. visa was also created from IP Address C, and Co-conspirator 2 also listed the Family Home as its residence on its 201 I U.S. visa application. Additionally, Co-conspirator 2’s sister-in-law and brother listed the Family Home as their home address and their work address on their 2012 US visa applications. Their visa applications were accessed from IP Address C. Open source information indicated that the Family Home is a residential rental building. The header information for 19 emails in the Co-conspirator 1 Email Account (which spanned the date range of April 18, 2011 through September 10, 2012) indicated that Co-conspirator I sent them via Address C. Of the 19 emails sent from the Co-conspirator 1 Google Account via IP Address C, at least 7 had photograph attachments that were taken with an iPhone.(To be continued – Next Issue: Approvals of visas for money)