ATHENS, Ohio — The City of Athens will recover over a quarter of the nearly $722,000 stolen from it in a 2024 cyber scam, city officials said at a press conference Monday, March 30.
The city negotiated the return of $205,000 through mediation of a civil lawsuit with another scam victim that had a claim to the recovered funds, according to a prepared statement City Service-Safety Director Andrew Stone read aloud at the press conference.
The settlement agreement in the civil case is not yet in writing, City Law Director Lisa Eliason told the Independent in a March 30 email.
Previously, the city recouped $200,000 via an insurance payout.
The city may also receive restitution via a criminal case. At the press conference, Stone said that federal investigators have found evidence linking the theft from the city to a series of similar crimes throughout the country.
Two defendants face criminal charges as a result of those crimes. Although Athens is not yet formally listed as a victim in the criminal case, Stone said the city would see a payout as part of any restitution order in the case.
Recovery of stolen funds
The city has been working to recover stolen funds since shortly after the theft was discovered.
In early December 2024, the city filed a lawsuit in the Athens County Court of Common Pleas against the responsible individuals, whose identities were unconfirmed.
Even without knowing who scammed Athens, the case allowed the city to subpoena banking records to aid in recovering stolen funds, Stone said at the press conference.
The city’s funds were deposited in an account with a Kentucky bank. That same account held funds stolen from Regency Centers, a Florida-based development company. Regency Centers lost $327,000 to a similar email phishing scam.
The bank recovered almost $350,000 of the money deposited in the account — but both Regency Centers and the city had a claim to the funds in the account. The bank put the recovered funds into a special account that neither party could touch until reaching a conclusion in court.
Through mediation, the city negotiated the return of just under 59% of the recovered funds. The rest of the recovered funds went to Regency Centers, Deputy Service-Safety Director Andrew Chiki told the Independent.
“My thought is, what we negotiated was fair for both us and Regency,” Chiki said.
One factor in the mediation was “how much was left in the account prior to efforts to pull back any funds” that had been put on debit cards or spent from the account “and how that was apportioned,” Chiki said.
The date and time that funds were taken out of the account and “pulled back in” were also considered, Chiki said.
“The negotiated process came pretty darn close to what both Regency and the city of Athens expected,” Chiki said.
Criminal case
According to the city’s prepared statement, the Federal Bureau of Investigation Field Office in Iowa City, Iowa, contacted the Athens Police Department investigations team in December 2025 to say it had found evidence “that appears to link our cyber theft case to ones that they were working on.”
The FBI informed the city that it will be added as a victim in that criminal case, now before the U.S. District Court for the District of Delaware, should the defendants in the case be convicted. That would allow the city to take part in any restitution order in the case, Stone said.
The indictment, initially filed in the Southern District of Iowa, identifies Chijioke Timothy Odimegqu and Harafat Mogaji as defendants. Both served in the U.S. Air Force and were stationed in Dover, Delaware, according to the indictment.
The indictment lists 15 undisclosed corporate, public, or nonprofit “victims or attempted victims” from around the country. Athens is not yet included among the list of the victims, Stone said in the city’s prepared statement.
Odimegqu and Magaji in some cases used phishing scams to steal usernames and passwords for the victims’ company accounts, according to the indictment. They also purchased stolen information online, the indictment says.
They used the stolen account information to monitor the victims’ accounts “for information regarding financial transactions with the victim company’s trusted business partners,” according to the indictment.
Odimegqu and Magaji used fake email accounts, mimicking actual email addresses used by the company or trusted business partners, to “trick the employees into believing they were communicating with their legitimate counterparts when in fact they were communicating with fraudsters,” per the indictment.
Through these communications, Odimegqu and Magaji redirected transactions to accounts controlled by either conconspirators or “romance scam victims,” who the defendants allegedly met on internet dating sites for the purpose of exploiting as part of their crimes.
The City of Athens was scammed in a manner similar to that laid out in the indictment. The city received communications from an email mimicking a city contractor requesting a direct deposit instead of the typical method of payment.
The city fell victim to the scam in part because the email and invoice closely matched previous legitimate communications.
The defendants in the criminal case also stole financial account information, credit and debit card numbers, personal identification numbers, and in at least one instance “a means of identification of another person,” according to the indictment.
The defendants face charges of conspiracy to commit wire fraud; wire fraud; conspiracy to commit access device fraud; and aggravated identity theft.
According to the statement Stone read at the March 30 press conference, “criminal investigations remain active and additional victims and other indictments may be brought, including state indictments if warranted.”
The city’s ability to recover funds via the criminal case may impact possible penalties city employees could face as a result of falling victim to the scam.
The Ohio Auditor of State previously warned that municipal employees who fail to follow its recommendations to guard against cyber crime could be held personally responsible for any loss of funds resulting from the scams they fall for.
In the city’s 2024 audit, the Ohio Auditor of State required the city take corrective action to guard against future cyber scams, but the city and its employees were not penalized.
However, the state auditor’s office “will be considering the outcome of the federal court case in the Southern District of Iowa during the next financial audit of the City of Athens,” David Roorbach, press secretary with the Ohio Auditor of State, told the Independent in a January email. At that time, Roorbach did not respond to an inquiry asking about which case he was referencing.
City officials told the Independent at the March 30 press conference that they have received no further updates from the Ohio Auditor of State.
Other updates
Additionally, the city completed “three cyber forensics investigations … related to the city’s cyber environment,” Stone read from the prepared statement at the March 30 meeting.
The investigations each concluded that “the intrusion likely did not occur through any city-owned or controlled system,” Stone said. However, the investigations all provided recommendations for cyber security improvements.
As a result, the city has replaced aging hardware and servers; required multi-factor authentication for all staff to access their accounts; provided training for staff on phishing scams; partnered with the FBI for training for city staff “on the latest evolutions in cybercrime,” at no cost to the city; and established “additional internal controls implemented by the city auditor’s office,” according to Stone’s statement.
Stone also praised City Treasurer Josh Thomas for investing bond money for the city’s fire station project during the construction period, to add over $270,000 to the project fund. Stone also said that the city is working “to review various bank, transaction and ATM fees that may be recoverable.”
Stone praised the city and its employees for their response to the cyber crime in his statement.
“Progress in this case would not have been possible without having filed an Internet Crime Complaint Center Report with the FBI, the investigatory work of Athens Police, legal representation from McDonald Hopkins, or the continued diligence of our City staff working the civil case,” Stone said in his statement.
Stone shared that prosecution of cybercrimes is rare, and that most cybercrime cases in Ohio have not resulted in arrests or actual recovery of funds beyond insurance.
“Athens has been able to achieve results only because of a continued commitment to our community,” he said.
