Hacker challenges 7 On Your Side to help his CA victim in taunting letter: 'You can't catch me!'
SAN FRANCISCO (KGO) -- 7 On Your Side has a long and storied history of helping people solve their consumer problems. But one case brought to 7 On Your Side this year is possibly the wildest of all.
It began when a self-described hacker wrote to 7 On Your Side, saying he used a Bay Area man's identity to get an online bank loan. Now the purported thief wanted 7 On Your Side to help his victim -- and expose what he called weaknesses of online banking.
Was any of this true? 7 On Your Side followed a winding trail and discovered what really happened.
A mysterious delivery
It was a mystery that began here in the offices of ABC7's 7 On Your Side when a manila packet arrived by certified mail, addressed to 7 On Your Side.
Inside was a copy of a letter addressed to SoFi Bank from someone claiming to be a hacker named "Killian" from Nunavut, Canada.
The hacker said he used someone else's identity to apply for a loan from SoFi -- and got it easily.
ABC7 has redacted the victim's last name for privacy.
The letter said: "I was the person who applied for the loan under someone else (sic) name... Sugi (redacted). Sorry Sugi (redacted), but my group has a lot of your data. Your good credit makes you an easy target."
He went on to boast: "The money has been spent -- donated to social programs around the world... You can't catch me, I am long gone from the U.S. by now."
"We didn't know what to make of this letter," 7 On Your Side producer Renee Koury said.
"We didn't know who it was from, what was their intent, or if any of it was true," said 7 On Your Side coordinator Simone Chavoor.
"What made us take it more seriously, though, is the envelope was stuffed full of highly detailed, highly sensitive personal information about this 'Sugi,'" Koury said.
"It had his Social Security number, addresses, phone numbers... even screenshots from Zoom," Chavoor said.
You can't catch me, I am long gone from the U.S. by now.Killian
The envelope contained a copy of his driver's license, Social Security number, addresses, phone numbers, bank accounts, emails, and it also included public records showing that "Sugi" works right here in the Bay Area at the University of California at Berkeley.
Finding Sugi
"We weren't sure what to make of this. Was this really a hacker confessing to a crime, or was it someone pranking us? Did this Sugi (redacted) even exist?" said Koury.
So the 7 On Your Side team checked the UC Berkeley staff directory. And sure enough, there he was: Sugi. We called him at work.
"It was surreal, it was surreal that's for sure," Sugi said of the bizarre situation.
Sugi told 7 On Your Side that, indeed, SoFi Bank was insisting he took out a $52,000 personal loan just before Christmas last year. Sugi said he never took out any loan and had been disputing it for weeks.
"They said, 'There's a personal loan under your name.' And I was like, 'That definitely wasn't me,'" Sugi said.
"On top of worries about the loan, we showed Sugi the packet that seemed to show somebody out there had an awful lot of his personal information," Koury said.
"It was creepy, that's for sure. They have my driver's license, addresses I even forgot, phone numbers from 10 years ago... I mean, you've seen something like this in the movies. That person could literally imposter me to do anything," Sugi said.
It was creepy, that's for sure... I mean, you've seen something like this in the movies.Sugi
Sugi said he'd been a victim in three major data breaches, and how he thought cybercriminals somewhere in the world had compiled a virtual dossier on him that they could use at any moment.
"You're helpless... even if I move anywhere in the world, my Social will still be the same, and my birthday never changes. It's a virtual space and I don't know how to protect it anymore..." Sugi said.
So, Sugi said, he took cover. He closed all of his bank accounts, wiped his cellphone and deleted his email account. He funneled all finances through his wife's accounts.
The letter had said, "Sugi (redacted), I am sending these statements to a well-known customer advocate in Northern California, ABC 7 On Your Side... if SoFi does not reach out to you, contact ABC 7 On Your Side and make your case public."
"It was probably the first time an alleged criminal came to 7 On Your Side to help his victim," Koury said.
SoFi's response
SoFi Bank said it too received the mysterious mailing but would not say whether it looked into the claims. However, SoFi stood by its decision rejecting Sugi's dispute.
SoFi tells 7 On Your Side: "We conducted a thorough investigation into Mr. (redacted)'s claim of fraudulent activity when he first contacted us regarding his concerns, and, throughout each conversation our team has had with him since then, treating this instance as we treat all claims of fraudulent activity: with the utmost seriousness and a genuine sense of urgency... and we stand by our initial response to Mr. (redacted), who we've re-confirmed was not the victim of identity theft or third-party fraud."
SoFi continued to demand Sugi start making loan payments of $2,400 per month. It sent him a collections warning. And in April, the bank reported a delinquency on Sugi's credit report.
Sugi says he didn't know about the loan until Jan. 5, about two weeks after SoFi approved it, when the bank sent him an email. It said, "Your SoFi personal loan statement is ready."
"'Check out your loan statement,' and I was, 'What loan statement?" Sugi asked.
He figured it was a mistake. After all, he says the loan did not show up on his credit report. Nor did any credit inquiry from SoFi.
So he called the bank.
"They were like, 'You do have an account with us, and we are sending a statement.' I was like, 'No it wasn't me,'" Sugi said.
SoFi agreed to investigate, but later sent him a form letter dated the very same day he'd called. It said the bank finished investigating and found "no fraud."
"So they open and close the investigation on the same day... it should take more than that," Sugi said.
Sugi filed a second dispute, but this time, SoFi refused to investigate at all, saying the claim was "frivolous."
Protections for identity theft victims
Experts say California law includes broad protections for identity theft victims.
"Banks are definitely supposed to investigate when there's a fraud accusation. Clearly, there's some documentation there and they should have to show that and investigate it," said Jenn Engstrom of CALPIRG.
"It's fact-dependent on what's a diligent investigation," said Nick Barthel, consumer law attorney.
"If you are an identity theft victim and an account is opened in your name, you have the right to demand that application... so that you can see what information is floating out there and what was used to open that account," Barthel continued.
Multiple consumer attorneys tell 7 On Your Side that banks also are required by law to verify the identity of every person who opens a new account -- a post-9/11 rule called "Know Your Customer."
But like many online banks, SoFi's applications are done entirely over the internet, not in person.
"I do think that this calls into question the security of online banking 'cause if it's the actual person handing over their documentation, it's a little easier to check that the ID matches the picture of the human being sitting in front of them," said Engstrom.
SoFi said it does require customers to verify their identity using an electronic identification tool. The process involves uploading a government ID together with a real-time video of the applicant and determining if they match.
But Sugi said SoFi did not tell him whether it verified the person's identity, or how.
The only proof it provided to Sugi was a "Truth in Lending" statement and a copy of the loan agreement with an electronic signature at the bottom.
"It's not my signature, that's for sure," Sugi said.
The e-signature spells out Sugi's name and he says anyone could have forged it.
The bank also did not tell Sugi where all that money went. Sugi said he did not see any deposits into his bank accounts before shutting them down.
He also showed 7 On Your Side his credit reports, which do not show any credit inquiries by SoFi Bank -- a standard practice before approving a loan.
Sugi says an inquiry would have triggered an alert that someone was opening an account in his name, and he could have stopped the loan.
"The protections... they are kind of ignored..." Sugi said.
The bank told 7 On Your Side it did pull his credit, even if it doesn't appear on Sugi's credit report.
In a statement, SoFi said: "We're confident in the fact that our team took all appropriate steps each and every time we went through our investigation process... We see no proof of third-party fraudulent activity and no proof of identity theft. We will not be relieving Mr. (redacted) of the responsibilities he committed to upholding when he personally applied for and accepted the personal loan."
Sugi told 7 On Your Side he'd been hosting family members from his homeland in Indonesia over the holidays when he found out about the loan. As he agonized over what to do, he says his half-brother Rudi Yanto tried to help, urging him to report the fraud to authorities.
So Sugi filed identity theft reports with the Federal Trade Commission, the police department in Brentwood where he lives, the state attorney general's office, and all three credit bureaus.
He swore under penalty of perjury on the FTC report that an imposter took out the loan. Still, SoFi would not reopen his case.
That's when 7 On Your Side contacted SoFi Bank, asking what evidence it used to identify the loan applicant. And where did it send all that money?
And that's when the story took a dramatic turn.
Who was the thief?
SoFi told 7 On Your Side it had plenty of evidence showing Sugi took out the loan, not an imposter.
Bank officials at SoFi's San Francisco headquarters declined to go on camera, but in a written statement SoFi said a man identifying himself as Sugi called in December asking when he'd get the loan money. The bank said a recording of that voice matched a recording of Sugi's voice when he called in January to dispute the loan.
SoFi did not provide technical proof of a voice match.
Even more compelling, SoFi said it had a video of Sugi verifying his identity during the online application process.
The bank wrote: "We've retained the video he submitted of himself, which shows him holding the driver's license up with his face in the frame, before panning to his computer screen (where he was applying for the loan). The man in the video is the same man pictured on his driver's license."
7 On Your Side asked Sugi: did you make such a video?
It was at that moment, Sugi says, the realization struck.
Like a dagger.
"I got a big clue from you yesterday when you told be about the recording of me holding my driver's license... number one, I never done that..." he said.
But, he said, it suddenly dawned on him who did. He knew the imposter! The real Killian!
"As weird and convoluted as it is... the police report is still correct, in a way. The FTC report is correct, someone did steal my identity, but apparently, I hosted him," Sugi said.
Sugi said he now realized the thief was his own brother, Rudi Yanto, one of the family members who had been visiting from Indonesia over the holidays.
Sugi says he and Yanto share a striking resemblance, and they are often mistaken for one another.
"He is a slightly younger version of me and if, if he wears my glasses... you can't already tell us apart," Sugi said.
It was Yanto who'd helped him file identity theft reports, and, Sugi said he now recalled, he did not seem surprised when the "Killian" packet arrived at ABC7 weeks later.
"He said, 'OK, that can help you, now you can put it under the bed, and it will clear you.' I said it's not that simple," Sugi said.
One by one, he said, the pieces fell into place.
Sugi says Yanto had been staying at his Brentwood home in December and January.
To make life easier for his guest, Sugi says he let his brother use his home computer, his Chase debit card, and his personal cellphone. Yanto also had access to Sugi's wallet with his driver's license. He says Yanto was alone in the house while Sugi and other family members were skiing in Oregon on the day the loan application was made. He said Yanto didn't return to Indonesia until February, just after the "Killian" packet was mailed.
Sugi confronts his brother
Sugi said he confronted his brother in a phone call to Indonesia.
"I asked him point blank, 'Do you have anything to do with this?' His response was, 'Do I need to get a lawyer?' I was shocked when he said that... I opened my home to him. We are brothers, we are close," he said.
Sugi says he was devastated -- but also relieved. He said that, on the one hand, he no longer had to worry that an elusive cybercriminal, somewhere in the world, had all of his personal information and could ruin his life at any moment.
On the other hand, he says, a beloved family member had betrayed him.
"I don't know which one is worse, to have that information out in the open or to have your flesh and blood stab you in the back," Sugi said.
7 On Your Side told SoFi Bank Sugi now believed it was his lookalike brother who took out the loan while he was a guest in Sugi's house. Right away, the bank softened its stance, a bit -- offering to let Sugi open a new claim based on "family fraud."
Still, all signs pointed to Sugi as the one who took out the loan. The application was made on Sugi's computer, the money went into his Chase Bank account, his ID and debit card were used to withdraw the money in large chunks.
Sugi confronted his brother again.
I don't know which one is worse, to have that information out in the open or to have your flesh and blood stab you in the back.Sugi
He says this time, he got answers.
"He basically came clean, you know... he did apply under my name. He had my ID, he has my ATM," Sugi said.
"I asked how were you able to do that? To rip me off? Stay in my house? We went to a trip, celebrate the new year... He broke down, cried," he said.
Sugi says Yanto told him he'd planned to replace the funds -- but lost everything in a cryptocurrency scam. And so he tried to undo the damage by concocting the Killian packet and confessing to the bank... and to 7 On Your Side.
"He's like... that's all I could think of, if I can make you an alibi... and some sort of well-known organization can help you out," Sugi said.
Sugi says he felt torn. His brother may have scammed him, but Yanto will always be his little brother.
Sugi filed new reports to the FTC and the Brentwood Police Department, naming his own brother as the identity thief. He hired an attorney who demanded SoFi Bank stop trying to collect on what he called a fraudulent loan.
However, SoFi said it still holds Sugi responsible for payments since no one has shown proof of an identity thief and no one could've fooled the ID verification.
However, Yanto says he did just that.
The brother agreed to speak with 7 On Your Side.
'It was a mistake'
"My name Rudi Yanto, I live in Indonesia, I brother with Sugi (redacted)," Rudi Yanto said in a Zoom interview with 7 On Your Side.
Yanto said he hoped the call could help the brother he allegedly swindled
"I went to America, visit Sugi (redacted), my brother, in December... I made mistake," Yanto said.
Yanto told 7 On Your Side he used his half-brother's identity to apply for that $52,000 loan online from SoFi Bank. He said it was approved instantly.
"I use brother name. I also know it was a mistake... I want to make right, help him, I not sure how," Yanto said.
"When I spoke to Rudi he was very nervous. He'd been saying things like, 'I'm not a criminal, I don't want to go to jail, I just made a mistake," said Koury.
Yanto told 7 On Your Side he poured the loan money into a cryptocurrency investment he thought would pay him tens of thousands of dollars, and he'd pay his brother Sugi right back.
But he says the crypto deal was a scam.
Yanto said he lost everything.
He panicked. He says didn't mean to hurt his brother.
"No money, I scared, not know what to do," Yanto said. "No sleep."
In his call with 7 On Your Side, Yanto wore an eyepatch due to an injury he says he got in his new life. Since returning to Indonesia from the United States, Yanto has joined a volunteer organization traveling to remote Indonesian villages, teaching math and videography.
"I try to be better, no more mistake," Yanto said.
"If this is his purpose it's good, but if he is there just to run away and torture himself, that is also not good," Sugi said of Yanto.
"Sugi was furious when he says he realized it was Rudi who allegedly scammed him, and not some anonymous hacker," Koury said. "Now Rudi seemed remorseful and was trying to help, so things had softened between them."
Still, the huge debt was looming.
Yanto says he tried to undo the damage.
Trying to right a wrong
"I need help to tell SoFi," Yanto said. "I use a name, Killian."
Yanto said he was the one who mailed the mysterious packet to SoFi Bank and 7 On Your Side in January. He was the one who wrote the letter claiming to be a hacker named "Killian" who took out that loan under Sugi's name.
Yanto had stuffed the packet with Sugi's personal information to help prove a hacker stole Sugi's identity.
SoFi said it received the packet, but would not say what it did with the documents.
Now Yanto has told the bank directly he was the one who took out the loan, and he wants to pay it back -- slowly.
In an email to a SoFi attorney, Yanto said: "I applied a personal loan using my brother identity. My brother not know. I do not have much money, I am scared, but I want try to fix this.''
SoFi did not respond.
The bank continues to say it has no reason to believe an imposter took out the loan. All evidence pointed to Sugi.
"I asked SoFi Bank why it ignored Rudi's confession and his offer to pay back the loan, and wasn't that evidence of the fraud. The bank had no comment about that letter," Koury said.
So in emails to 7 On Your Side, Yanto laid out how he says he fooled the bank one fateful night -- and why he did it.
Yanto wrote: "Let us get to the point here. I, Rudi Yanto, applied for the loan in SoFi, using my brother information. Why? I need money fast, to get money out in a crypto investment I (was) in... The contact in the crypto, Killian... said to borrow money from family or open a loan."
Yes, "Killian," the name he'd used in the mystery letter, was the alias Yanto said the alleged crypto scammer was using.
"No never met him, never met him," Yanto said of this "Killian."
Yanto said he only met with so-called Killian over the messaging app Telegram and WhatsApp, never in person.
How it all unfolded
Yanto said Killian told him he had to deposit $50,000 into his crypto account to unlock the $80,000 he had "earned."
Yanto says he believed it.
But how to get 50 grand?
At the time, Yanto was a guest in Sugi's Brentwood home as family members from Indonesia were visiting over the holidays.
Sugi said he had opened his home to his brother, letting Yanto use his computer, his personal cellphone, even his Chase debit card. Yanto also had access to a wallet containing Sugi's driver's license.
Then, Yanto says he found his chance.
"Sugi and family left for a trip to Oregon on Dec. 18. I decided to not go because I no like ice and snow," Yanto said in an email.
Yanto says he was alone in Sugi's house.
He wanted to get the crypto money out.
Yanto says "Killian" told him he could easily get an online bank loan. He suggested two banks that advertise loans over the internet in as fast as one day.
Yanto writes: "Killian, gave me idea to try to open loan under Ko Sugi name.' He said let's try. Especially, (because) I had his driver license, know his social security number and the bonus is I also look like him."
Indeed Yanto and Sugi bear a striking resemblance -- many can't tell them apart.
Yanto said the first bank rejected his application, so he applied to SoFi.
And when it came to ID verification, he had to take a photo of himself and look exactly like Sugi.
In an audio call, Yanto told Sugi how he did it.
"To look like Ko Sugi, I wore glasses. I also fix hair to look more bald, more serious. I also use his clothes," he said.
When selfies didn't pass ID verification, Yanto said he edited portions of Zoom recordings he found on Sugi's laptop.
"I have four videos in his laptop from some video meeting. I change it, make it shorter, make sure to use Ko Sugi's face. I try more than three times, all kinds, my face, his video," Yanto said.
When nothing worked, he said a member of the crypto group came to Sugi's house, and hacked into a database containing security video of Sugi. Yanto claims a recording of that video plugged into the app had passed ID verification.
And the loan was approved.
"I surprised when it worked. Application get OK same day. Same night... Killian said to call and ask, money arrives when? I did and SoFi said, one to two days. Money arrive two days, 21 December," Yanto said in the call with Sugi.
$52,000 popped into Sugi's Chase Bank account. Yanto says the "crypto group" encouraged him to go to several Chase branches to withdraw the money.
"I scared to go to bank," Yanto said. "The group said, no problem especially I look like Ko Sugi."
He said he withdrew large chunks at the teller's windows using Sugi's driver's license and debit card.
He deleted bank alerts from Sugi's cellphone, poured the money into Bitcoin ATMs, and uploaded it to the crypto group.
Yanto writes: "The plan, I get money back on Dec. 29, then return money to Ko Sugi and tell him everything. He then pay back SoFi. Problem, my crypto investment account closed that night and I lost all money, everything gone $140,000."
Yanto said the stranger who went by Killian took everything.
He writes: "I have no money, not sure how to explain to Ko Sugi so I stay quiet."
The family was in Las Vegas, welcoming the new year, when Sugi said he got the first email from SoFi bank: your SoFi personal loan statement is ready.
"I was like what, what statement?" Sugi said.
Yanto says he watched his brother struggle to figure out why a bank thought he took out a loan. He says he helped Sugi file identity theft reports, knowing he was the identity thief.
When SoFi rejected Sugi's claim, Yanto said he came up with a plan.
He writes: "I created the 'Killian' package trying to help Ko Sugi. I save his information, some of video clip and photo clip from his laptop. Hoping SoFi blamed someone else, Killian Rose, for this problem."
He says friends from San Francisco helped write the letter to convince the bank a hacker took out the loan.
Speaking little English, Yanto says he wrote the letter first in Indonesian, they used ChatGPT and Google to translate the text.
"And it spit out that letter claiming it was from a hacker named Killian, bragging that he took out the loan under Sugi's name," Koury said.
The letter boasted: "You can't catch me, I am long gone from the U.S. by now..."
Yanto also said he wanted to make sure SoFi didn't ignore the confession, and the fraud would be exposed.
Yanto wrote: "I went online searching for customer help news station, ABC7 came up."
So he mailed the packet to SoFi Bank and 7 On Your Side.
After 7 On Your Side investigated, SoFi told us it had a video of Sugi holding his driver's license up to his face to verify his identity -- that's when Sugi says he realized the culprit was his lookalike brother.
Still, SoFi said there was no proof of fraud.
Sugi was still responsible. It tore his Indonesian family apart. A reunion was canceled.
In emails to Sugi, translated from Indonesian, Yanto said: "Sorry, sorry I didn't mean to hurt you. How could I be tricked like this? It continues to hurt you and your family."
"Yeah, he was tricked. But he did it," said Sugi.
Yanto agreed to provide more proof of the fraud, emailing copies of receipts for thousands of dollars in Bitcoin, allegedly purchased with the loan money in late December, and uploaded to the crypto group.
Yanto wrote: "Collecting these photos hurts my heart... I didn't expect to be cheated like this."
7 On Your Side told SoFi about Yanto's confession. The bank said: "We take these allegations incredibly seriously and are eager to receive information verifying Mr. (redacted)'s claims... We look forward to cooperating with law enforcement in any investigation and reviewing any valid leads that can help resolve this matter."
SoFi did not directly address Yanto's claims that he foiled the ID verification. But in a written statement, SoFi said: "We've retained the original video he submitted during the application process, which includes a live recording of his face, a valid driver's license, and the computer screen where he was applying for the loan."
SoFi still has not shown the video to Sugi.
"I know I wrong," said Yanto. "I wanna ask SoFi if I can pay back, slow. I pay. I pay. Not Sugi pay."
But none of that happened. There was no repayment plan. No blame for Killian.
Instead, Sugi discovered that SoFi had sold the loan to a debt buyer. Sugi says the bank never notified him.
"They were hoping we would just quit. I'm not gonna stop fighting for my rights. I mean, I don't know, when this is gonna end? But I will fight this... till the end," said Sugi.
Sugi has filed a dispute with the dept buyer, again claiming he never applied for the loan. Sugi says he now realizes cyber criminals did have a lot of his data -- and that helped Yanto get the loan. Sugi hopes his story will help victims of identity theft know their rights to an investigation -- and realize California law has strong protections few may be aware of.
