$84M USPS Treasury Check Theft Ring Pleads Guilty: What Banks and BSA Teams Should Take From It

TL;DR

• Four defendants pleaded guilty May 5, 2026 to a conspiracy that stole $84M in Treasury checks from a Philadelphia USPS facility and resold them on Telegram
• Two were USPS mail processing clerks; the other two ran the Telegram resale and shipped checks to buyers nationwide
• About $11M (13%) was successfully cashed — banks stopped the rest at deposit
• Reg CC funds-availability rules give Treasury checks a fast clock; controls have to fire at deposit, not after settlement

The Philadelphia USPS Processing and Distribution Center was supposed to be where Treasury checks finished their last mile to the people who earned them. From June 2023 to September 2024, it was where two mail processing clerks pulled them off the sorting machines and into a side business.

On May 5, 2026, the U.S. Attorney’s Office for the Eastern District of Pennsylvania announced guilty pleas from all four defendants in the case: Saahir Irby (28, Montgomery County, PA), Tauheed Tucker (24, Philadelphia), Cory Scott (26, Ardmore, PA), and Alexander Telewoda (26, Clifton Heights, PA). The charges: conspiracy to steal government funds, theft of government funds, and mail theft. The face value of the stolen checks exceeded $84 million.

This case is not, on its surface, a financial-services compliance story. But every dollar of the $84M was meant to land in someone’s bank account — Social Security, tax refunds, federal benefits — and the only thing that stopped 87% of the loss from materializing was deposit-side controls at receiving institutions. That makes this a BSA/AML and check-fraud control story, with hard numbers attached.

What actually happened

Irby and Tucker worked as mail processing clerks at the USPS Philadelphia Processing and Distribution Center — the kind of high-volume facility where envelopes pass through sorting machines at industrial speed. According to the indictment and plea documents, the two systematically removed thousands of envelopes containing Treasury checks from the sorting machines over a 16-month period and walked them out of the facility.

The checks went to Scott and Telewoda, who ran the resale side. Their channel of choice was Telegram, the encrypted messaging app that has quietly become the dominant marketplace for stolen U.S. checks. Once a buyer paid, Scott or Telewoda mailed the original check to whatever address the buyer provided. Buyers — spread across the country — then tried to deposit or cash the checks at banks, credit unions, and check-cashing storefronts.

The numbers from the U.S. Attorney’s announcement, reported by WFMZ and the DOJ Eastern District of Pennsylvania press release:

That ~$11M out of $84M is the headline number for compliance teams. It’s evidence that deposit-side controls — Treasury Check Verification System lookups, image-based check fraud models, manual review on flagged accounts — actually worked. It’s also evidence that the controls that mattered were on the receiving end of the check, not anywhere in USPS’s chain.

Penalties and timeline

Each defendant also faces three years of supervised release. The original superseding indictment was returned in May 2025, and the case was prosecuted by the U.S. Attorney for the Eastern District of Pennsylvania, David Metcalf.

The Telegram piece is the part you can’t ignore anymore

For a few years, the check-fraud uplift in U.S. banks has had a consistent root-cause story: stolen checks aren’t being passed hand-to-hand anymore. They’re photographed, posted to channels, and sold by check number, payee, and amount to buyers who don’t know each other. SentiLink’s research, summarized here, cataloged 5,443 Treasury checks shared across 53 different Telegram channels totaling more than $140 million in face value. Recorded Future tracked 1.9 million stolen U.S. bank checks across 700+ Telegram channels in 2024 alone.

Half of stolen check images appear on dark-web platforms within eight days of the theft. By the time the payee notices the check never arrived, the image is already in a buyer’s hands and the deposit attempt is queued up.

This is no longer an emerging risk. FinCEN received 15,417 BSA reports citing mail-theft-related check fraud in a six-month window of 2023 alone. Mail-theft check fraud has its own SAR category for a reason.

For BSA/AML practitioners, the implications:

1. Telegram and dark-channel intel is a real input to fraud detection. If your fraud team isn’t subscribing to a feed that surfaces stolen check numbers and images posted in known Telegram channels, you’re starting from behind.
2. Deposit-side detection has to assume the check is real-looking. These aren’t crude forgeries. They’re original Treasury checks the bank’s image system will validate as genuine. Your model has to flag based on payee/account mismatch, deposit location, deposit channel, and behavioral signals — not on the check being “off.”
3. SAR narrative quality matters. When you file a mail-theft SAR, the better your description of the channel and the resale pattern, the more useful that filing is to FinCEN’s pattern-of-life work and to other institutions seeing the same checks.

If you’ve been treating mail-theft check fraud as a noisy, low-loss SAR category, this case is the reminder that the upstream pipeline behind those filings is industrial. For more on FinCEN’s BSA modernization plans, see our recent breakdown of the FinCEN AML/CFT proposed rule on BSA program reform.

Reg CC is the exposure window

Treasury checks aren’t just trusted by the public — they’re trusted by Reg CC. The funds-availability rules require the first $5,525 to be available by the next business day, with the remainder available within nine business days. That window is the bank’s exposure period.

Once the funds are available, a depositor can withdraw and walk. The check itself can take weeks to clear and bounce back as fraudulent — by then, the money is gone, the account is closed, and the bank eats the loss. The math is unforgiving: cumulative across the industry, every bank that takes a stolen Treasury check on a fresh account is paying out tens of thousands of dollars in available funds before the chargeback comes back.

The control that works in that window is verification at deposit, not after. The Treasury Check Verification System (TCVS) lets banks confirm a check’s status in real time. If your front-line tellers, mobile deposit systems, and ATMs aren’t routing first-time Treasury check deposits through TCVS — especially on accounts open less than 30 days — that’s the gap.

For institutions thinking about the broader insider/third-party angle, our DOJ bank fraud mail theft scheme post covers an adjacent control failure pattern, and our writeup on FinCEN’s record Canaccord BSA/AML penalty shows what happens when SAR filings don’t keep up with channel risk.

Mapping the case to compliance gaps

Treasury check theft via insiders is a control failure that crosses three programs: the issuer’s mail-handling controls, the receiving bank’s deposit-side fraud detection, and the BSA/AML program’s SAR and channel-monitoring posture.

The 87% of face value that didn’t get cashed is the visible work of controls 3 and 4. The $11M that did get cashed is the visible failure of those same controls — and probably tells you which institutions were over-reliant on Reg CC defaults and under-reliant on TCVS.

What to do Monday morning

If you sit on a BSA/AML, fraud, or operational risk team at any institution that takes Treasury checks, work through this list this week:

1. Pull your Treasury check deposit volumes for the last 12 months. Bucket by deposit channel (teller, mobile, ATM), account age (<30 days vs. >30 days), and TCVS-checked vs. not. The risk concentration is in new accounts taking large Treasury checks via mobile.
2. Confirm TCVS is wired into the deposit flow. Not “available to the front line if they want to use it” — actually called automatically on first-time Treasury check deposits over a threshold. Document the threshold and who owns it.
3. Audit your Reg CC hold policy on flagged Treasury checks. Reg CC permits longer holds on suspect deposits. If your default hold is the regulatory minimum even when TCVS or fraud scoring flags the item, you’re paying out funds on items you’ve already identified as risky.
4. Subscribe (or confirm subscription) to a check-fraud threat intel feed. Vendors aggregate Telegram-posted check images by routing number and check number. Treat the intel like sanctions screening — block first, investigate second.
5. Review your last 90 days of mail-theft SARs. Look for patterns: same drop-off zip codes, same depositor demographics, same channels. These are inputs to your fraud model, not just a regulatory filing exercise.
6. Talk to your fraud-ops counterparts at peer institutions. 314(b) information sharing exists for cases exactly like this. The buyers are mailing stolen checks to addresses across the country — your peer banks are seeing the same fraud ring you are.

For Risk and Audit teams: this case belongs in your enterprise risk register under “fraud — instrument theft,” and the open issues from the Monday-morning checklist above belong in an issues tracker with owners and dates. If your issues management process is informal — sticky notes, a shared spreadsheet, follow-ups in email threads — this is a good week to fix that. Our Issues Management Tracker & Template is built for exactly this kind of remediation work.

The bigger picture

The story of this case isn’t that USPS insiders stole $84M of Treasury checks. That’s not new — mail theft has existed since mail has. The story is that the resale side has industrialized. Telegram-channel marketplaces, dark-web aggregators, and 8-day-from-theft-to-listing turnarounds mean that any bank cashing checks is on the receiving end of a coordinated, distributed laundering pipeline.

The $11M that got through is the cost of running a Reg CC-default check operation in a Telegram-distribution world. The $73M that didn’t is the value of TCVS, threat-intel feeds, and a fraud team that knows where the upstream pipeline lives.

If you’re building or rebuilding a BSA/AML program in 2026, the question isn’t whether mail-theft check fraud is on your risk assessment. It’s whether your controls match the industrial scale of what’s happening on the other side.

Want a structured way to track the issues this case surfaces — TCVS coverage, Reg CC hold policy, threat-intel subscriptions, SAR quality reviews — through to remediation? The Issues Management Tracker & Template gives compliance and audit teams a defensible workflow from finding to closure.