
Flash Report: Threat Actors Seeking to Exploit California Wildfires Recovery Funds


Key Findings

  • ZeroFox has identified threat actors actively discussing methodologies to exploit California wildfire recovery funds for financial gain on the dark web.
  • In a thread identified on the Dread forum, threat actors discussed methodologies for successful scams, stating that this is “free money”, as well as the importance of exercising patience to avoid early scrutiny during the verification process. 
  • Based on previous behavior and attitudes towards disaster relief funds, it is very likely that a broader array of threat actors are interested in exploiting these funds than those identified to date. 
  • Although ZeroFox has identified no evidence that threat actors are actively—and successfully—leveraging wildfire recovery funds in financial scams, such activity could result in financial and reputational damage for state or local government authorities and reduce the availability of relief funds for those legitimately affected by the wildfires, as well as perpetuate the idea that these funds are a viable attack vector.

Details

On January 15, 2024, an untested threat actor known as “AngieJ” initiated a topical discussion regarding the exploitation of California wildfire recovery funds on the dark web forum Dread. The actor suggested that these funds could be leveraged to fraudulently elicit payouts from government authorities. AngieJ drew attention to the website hXXps://recovery.lacounty[.]gov/resources/, highlighting it as a potential focus for exploitation. It is very likely that some financially motivated actors perceive these funds as having inadequate verification processes, making them fertile ground for financial gain and posing very little risk to the scammers applying.

  • Following the outbreak of the January 2025 wildfires across California, authorities have made Federal Emergency Management Agency (FEMA) assistance funds available for residents impacted by wildfires in Los Angeles (LA) County.
  • In the thread, AngieJ criticized other members of the Dread forum for relying on outdated fraud methods, such as using financial mules and stolen payment cards.
  • The post almost certainly indicates ongoing threat actor interest in exploiting these funds via financially motivated scams. Based on previous behavior and attitudes towards disaster relief funds, it is very likely that a broader array of threat actors are interested in exploiting these funds than those identified to date.

AngieJ alluded to scams conducted during the COVID-19 pandemic as a blueprint for exploiting wildfire recovery funds. The actor elaborated on their initial post, stating that trillions of dollars in loans had been obtained from the U.S. government during the COVID-19 pandemic, specifically through the Paycheck Protection Program and Economic Injury Disaster Loans. The actor implied that some of these loans were obtained fraudulently and that similar scams could possibly be leveraged again, with potentially low risk to the threat actor. 

  • According to AngieJ, individuals who forged limited liability company (LLC) paperwork to secure USD 50,000 loans were often not pursued by authorities if they disappeared after receiving the funds, barring a few exceptions.

An untested actor known as "satanisyourmaster" replied to AngieJ with a lengthy post that garnered significant attention, the most relevant part of which addresses fraud related to LA wildfire recovery funds. The actor remarked, "I read the first returns through the gate have a much higher chance of being flagged for verification. So maybe wait a little. How long? Idk. But there ya go." This highlights a strategic approach for improving the success rate of applications for relief funds related to the LA wildfires, emphasizing threat actor patience to avoid early scrutiny during the verification process.

Although ZeroFox has identified no evidence that threat actors are actively—and successfully—leveraging wildfire recovery funds in financial scams, the thread indicates threat actor interest in exploiting such relief funds for this purpose. If such scams are successful, not only could it result in financial and reputational damage for state or local government authorities, it would also very likely reduce the availability of relief funds for those legitimately affected by the wildfires—as well as perpetuate the idea that these kinds of schemes are a viable attack vector for bad actors.

Appendix A: Traffic Light Protocol for Information Dissemination

Appendix B: ZeroFox Intelligence Probability Scale

Tags: Threat Intelligence
