How a Fake Channel Partner 'Reaped Millions' in Stolen Avaya Licenses
An Avaya employee generated licenses without authorization from the company and sold them on the cheap to a fake reseller.
September 20, 2023
The U.S. Department of Justice has now received guilty pleas from three people for their role in running a fake Avaya reseller that was distributing stolen Avaya licenses.
A former Avaya employee and his spouse have pleaded guilty to wire fraud for their involvement in stealing their employer’s licenses and passing them on to a now “de-authorized” Avaya reseller.
New Jersey-based “channel partner” Direct Business Services International (DBSI) had been operating as a reseller of Avaya Direct International (ADI) software licenses. However, DBSI had not actually purchased those licenses – adding up to more than $88 million in retail value – from Avaya. It had bought them from an Avaya customer service employee who generated his own license keys using system administrator privileges.
The employee, whom Avaya fired years ago, has pleaded guilty, along with his wife, who ran accounting for his side hustle. According to a release from the DOJ, they face up to 20 years in prison. Moreover, they owe at least $4 million and must make restitution to victims. A federal judge will decide additional sentencing.
Earlier this summer, the owner of DBSI pleaded guilty to wire fraud in a western Oklahoma court. According to the DOJ, DBSI bought 55% of the licenses the Avaya employee stole and functioned as “one of the biggest users of the ADI license system in the world.”
Stolen Avaya Licenses Lead to Restitution, Likely Prison Time
Before it was caught, the fake channel partner's low prices “undercut” the ADI software market; competitors' prices came nowhere close.
The software licenses attached to the Avaya IP Office telephone system and enabled additional features such as voicemail. Authorized Avaya distributors and resellers could sell such a license.
“Avaya used software license keys to control access to Avaya’s copyright-protected software and to ensure that only customers who paid for the software could use it. In addition, Avaya required that each software license on an IP Office system be associated with the system’s Avaya Secure Digital (SD) card – a small flash memory card with a unique serial number that plugged into the IP Office manager computer – which the end user had to keep in its possession in order to use the licenses,” the Sept. 19 DOJ news release said.
The Avaya employee generated new licenses with his admin privileges; then, he leveraged other Avaya employee accounts to make more ADI license keys. The DOJ adds that the terminated employee edited accounts to obscure his activity. As a result, the fraud lasted for “many years.”
“Upon detecting an employee’s suspicious activity, Avaya worked with the DOJ to investigate, resulting in his 2018 termination and the 2022 indictment of the now former employee and two others not employed by Avaya,” said Vito Carnevale, Avaya’s senior vice president and general counsel. “All three individuals have now pleaded guilty. Avaya takes these matters very seriously and we appreciate the DOJ’s assistance. We continue to operate with strict controls to protect our systems and our intellectual property and we view this matter as behind us.”
The employee and his wife established a PayPal account under a fake name and used it to funnel the money to different bank accounts.
The reseller is forfeiting at least $2 million and also owes victim restitution. In return for the plea deal, the U.S. government will not ask for more than a five-year prison sentence.