Damian Williams, the United States Attorney for the Southern District of New York, and Michael J. Driscoll, Assistant Director in Charge of the New York Office of the Federal Bureau of Investigation (“FBI”), announced today the arrest of FOSTER COOLEY for charges in connection with a scheme to conduct cyber intrusions targeting a New York-based company that owns and operates hair salons in New York City, New Jersey, Colorado, and elsewhere, which resulted in the theft of over $400,000. COOLEY was arrested this morning and is expected to be presented today or tomorrow before a U.S. magistrate judge in the District of Arizona. The case is assigned to U.S. District Judge Paul A. Crotty.
U.S. Attorney Damian Williams said: “Foster Cooley allegedly participated in a scheme to hack into a salon company’s point-of-sale provider and steal over $400,000 of credit card payments from its customers. And because Cooley was able to steal this money without stepping foot into one of the salons he stole from, his crimes went undetected for weeks. Hacks like this that compromise the integrity of our electronic payment systems cause great harm to businesses and consumers alike. Thanks to this Office’s teamwork with the FBI, Cooley is now facing serious criminal charges for his alleged cybercrimes.”
FBI Assistant Director in Charge Michael J. Driscoll said: “As alleged, the defendant hacked into the victim’s business systems and diverted hundreds of thousands of dollars to his own bank accounts. The FBI’s Cyber Task Force along with our law enforcement partners are committed to tracking down malicious hackers who target private businesses and ensuring they face the consequences for their actions. If your business is the victim of a cyber intrusion, please report it as soon as possible; the faster we are made aware, the sooner we can provide assistance.”
According to the allegations in the Indictment unsealed today in Manhattan federal Court:
In or about May 2022, FOSTER COOLEY perpetrated a scheme to conduct cyber intrusions and steal money from a New York-based company that owns and operates hair salons in New York City, New Jersey, Colorado, and elsewhere (“Victim-1”). COOLEY stole money from Victim-1 by obtaining unauthorized access to Victim-1’s account with Victim-1’s point-of-sale provider (the “Victim-1 POS Account”) and diverting credit card payments from Victim-1’s bank accounts to bank accounts controlled by COOLEY and others.
COOLEY obtained unauthorized access to the Victim-1 POS Account by obtaining usernames and passwords of Victim-1’s employees. Those credentials were stolen using a type of malicious software or malware that secretly steals, among other things, a victim’s usernames, passwords, and credit card information that have been saved in the victim’s internet browser. After COOLEY successfully gained unauthorized access to the Victim-1 POS Account, COOLEY changed the bank accounts designated to receive credit card payments from Victim-1’s hair salons to bank accounts controlled by COOLEY and others. As a result, credit card payments from Victim-1’s hair salons were fraudulently diverted to COOLEY and others.
In or about May 2022, for a period of approximately two weeks until the scheme was discovered by Victim-1, more than $430,000 in customer payments from Victim-1’s hair salons were fraudulently diverted to bank accounts controlled by COOLEY and others.
* * *
COOLEY, 23 of Chandler, Arizona, is charged with one count of computer fraud for causing damage to a protected computer, which carries a maximum sentence of 10 years in prison; one count of computer fraud for unauthorized access to a protected computer to further intended fraud and one count of receipt of stolen money, each of which carries a maximum sentence of five years in prison; one count of wire fraud, which carries a maximum sentence of 20 years in prison; and one count of aggravated identity theft, which carries a mandatory sentence of two years in prison to be served consecutively to any other sentence imposed.
The maximum potential sentences are prescribed by Congress and are provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge.
Mr. Williams praised the investigative work of the FBI. Mr. Williams also thanked the FBI New York Cyber Task Force, the NYPD Cyber Task Force, and the FBI Field Office in Phoenix for their assistance in the investigation of this case.
This case is being handled by the Office’s Complex Frauds and Cybercrime Unit. Assistant U.S. Attorney Andrew K. Chan is in charge of the prosecution.
The charges contained in the Indictment are merely accusations and the defendant is presumed innocent unless and until proven guilty.
 As the introductory phrase signifies, the entirety of the text of the Indictment constitutes only allegations, and every fact described herein should be treated as an allegation.
Source: U.S. Attorney’s Office, Southern District of New York