Avaya sysadmin indicted for illegally generating, selling VoIP licenses

Three defendants who allegedly sold over $88 million worth of software licenses belonging to Avaya Holdings Corporation have been charged in Oklahoma, U.S., facing 14 counts of wire fraud and money laundering.

The defendants are accused of stealing software licenses from ADI (Avaya Direct International) and selling them to thousands of companies worldwide that used them to unlock features of “Avaya IP Office” telephone systems.

The three indicted individuals are Raymond Bradly Pearce, 46, of Tuttle, Oklahoma, a former Avaya employee Dusti O. Pearce, 44, of Tuttle, Oklahoma, his wife, and Jason M. Hines, 42, of Caldwell, New Jersey, a former Avaya authorized reseller.

Insider breach

Avaya IP Office was a cloud-based, on-premise collaboration and communication product for conferencing, IP calls, and voicemail-to-email, geared towards small and medium-sized businesses.

The product was discontinued in 2020 when the “Avaya Cloud Office" replaced it, but many firms worldwide continue using it.

Avaya offered tiered licenses for IP Office, with premium ones unlocking features such as voicemail, unlimited telephones, etc. Depending on the use-case scenario and size of operation, these licenses cost between $100 and several thousand USD.

The licenses are linked to a physical SD card containing a matching unique serial number. These memory cards must be plugged into the computer for the software license to be activated, so forging them is hard.

According to the U.S. DoJ announcement, Brad Pearce, a customer service employee at Avaya, abused his administrator privileges to generate ADI software license keys and sell them to Hines, an authorized Avaya reseller.

Pearce also allegedly hijacked accounts of other Avaya admins to generate licenses through them to avoid raising suspicions due to unusually high volumes of key generation linked to his account.

"As set forth in the indictment, Brad Pearce also allegedly employed his system administrator privileges to hijack the accounts of former Avaya employees to generate additional ADI software license keys," explained the DOJ press release.

"Furthermore, he allegedly used these privileges to alter information about the accounts to conceal the fact that he was generating ADI license keys, preventing Avaya from discovering the fraud scheme for many years."

The DOJ says Hines used his business to resell those keys at a significantly lower cost than Avaya, causing financial damages estimated at $88,000,000.

Brad Pearce’s wife, Dusti, is also accused of participating in the operation by handling the accounting and managing the financial aspects of the business, being fully aware of its illicit nature.

The money received from these “grey” sales went to PayPal accounts, then bounced through multiple bank accounts, and finally transferred to numerous investment accounts.

Substantial amounts were used for purchasing gold, silver, collectible coins, real property, and cryptocurrency, all listed in the indictment and subject to forfeiture.