Kariva Cross, 39, pleaded guilty Monday to conspiracy to commit bank fraud and aggravated identity theft. Marlon McKnight, 40, pleaded guilty last week to the same charges.
Both are from Bowie, Md., according to prosecutors, but have ties to the Hampton Roads area of Virginia.
Left unexplained is how Cross and McKnight obtained the OPM information. Government officials traced the hack to China, and a Chinese national was accused in California last year of using the same type of malware. Cross and McKnight were not accused of any hacking-related crimes.
A spokesman for the Eastern District of Virginia would not elaborate on how the two defendants got access to data stolen in the OPM breach. In a statement Thursday, he added that the government “continues to investigate the ultimate source” of the information used to obtain the loans, and noted that numerous victims of the loan scheme also were victims of the OPM hack.
The three would take out car and personal loans at Langley Federal Credit Union in the names of the victims, many of whom prosecutors say were based in Colorado.
Then they would pose as the car owners and cash loan checks or get wire transfers from the accounts they set up.
The case began when a victim identified as “K.B.” got a past-due balance on a vehicle loan and contacted the bank, according to court documents.
The fraudsters had the victim’s Social Security number and driver’s license information.
Asked how they might have gotten the information, “K.B.” revealed he or she was a victim of the OPM hack.
A third woman, Erica Latin-Hunter, admitted in March she let her name be used as the supposed owner of a Nissan SUV sold to K.B. She then cashed checks against a loan made in K.B.’s name.
Experts said it was unlikely that the people charged in the case had anything to do with the OPM breach.
Chris Wysopal, chief technology officer at the cybersecurity firm CA Veracode, said the information may have surfaced on the dark web, where criminals could have purchased it for as little as $20 to $30. He said there must have been a “telltale sign” that enabled investigators to confirm that it came from the OPM breach and not another data compromise.
“It seems like there was a two- to three-year lag on seeing the crime, investigating it, catching and then indicting people, so maybe we’ll start to see more of these coming now, with more prosecutions in the pipeline,” Wysopal said.
Charges were dismissed against three others who said they were unaware of the source of funds that ended up in their bank accounts, according to court filings.
This article has been updated to include additional statements from the U.S. Attorney’s Office regarding the source of personal information used in the scheme.