Between March and August 2024, twelve customers of Pacific Northwest Federal Credit Union (PNFCU) in Seattle, Washington had fraudulent credit card accounts opened in their names using their Social Security numbers, dates of birth, and mother's maiden names — information accessible only through the credit union's internal Customer Information System (CIS). Total fraudulent charges across all accounts: $47,234. The FBI Cyber Crimes division traced the applications to IP addresses associated with the credit union's internal network and, in three instances, to a residential IP belonging to defendant Melissa Torres (age 29, bank teller at PNFCU's Capitol Hill branch since 2021). An internal audit revealed that all 12 victims' CIS records were accessed from Torres's employee login (user: mtorres_2021) during her shifts, typically 5–15 minutes before the fraudulent applications were submitted online. Torres was arrested on September 3, 2024 and charged with 12 counts of identity theft (18 U.S.C. §1028A — aggravated identity theft, mandatory 2-year consecutive sentence per count) and 12 counts of wire fraud (18 U.S.C. §1343 — up to 20 years per count). Torres denies all charges, claiming her ex-boyfriend Derek Sullivan (with whom she lived until their breakup in February 2024) had previously observed her login credentials and remotely accessed her workstation using TeamViewer software he had secretly installed.
CIS access logs and employee login records
PNFCU's Customer Information System maintains detailed access logs. All 12 victim accounts were accessed by user "mtorres_2021" between March 4 and August 22, 2024. Access times correlate with Torres's scheduled shifts (she was clocked in via badge for each access). Average time between CIS access and fraudulent application submission: 8.3 minutes. The CIS system does not support concurrent sessions for the same user — meaning if Torres was logged in at her terminal, no one else could be simultaneously logged in as her from another location. However, if TeamViewer was active, a remote user could control her already-logged-in session. IT security review: no forced password resets during the period, no failed login attempts suggesting unauthorized access. Torres's password was "Bella2021!" (her cat's name + hire year) — she admits Sullivan knew this password.
Digital forensics — Torres workstation and TeamViewer artifacts
FBI digital forensics examined Torres's PNFCU workstation (Dell OptiPlex 7090). Findings: TeamViewer v15.x installed January 15, 2024 (Windows installer log). TeamViewer connection logs show 47 remote sessions between January 15 and August 28, 2024. Session IPs traced to: (a) Torres's home IP — 31 sessions (consistent with her accessing her own workstation from home, or Sullivan doing so); (b) a NordVPN exit node — 16 sessions (untraceable to a specific person). Of the 16 VPN sessions, 9 occurred during Torres's work shifts (meaning someone remotely connected while she was already logged in). TeamViewer was uninstalled August 29, 2024 — the day PNFCU's compliance department notified Torres she was under internal investigation. Prosecution: Torres uninstalled TeamViewer to destroy evidence once she learned of the investigation. Defense: Sullivan remotely uninstalled it to cover his tracks once he learned (possibly through mutual friends) that Torres was being investigated.
Fraudulent email and IP address analysis
Email used for fraudulent credit card applications: m.torres.finance@protonmail.com (created February 28, 2024 — 10 days after Torres/Sullivan breakup). Email registered via NordVPN — IP not attributable to either party. Total of 43 logins to this email account between February and August 2024. Login IPs: 38 from VPN (untraceable), 4 from Torres's home IP (April 3, April 19, May 7, May 22 — all after Sullivan allegedly moved out), 1 from Torres's phone cellular IP (June 12, 2:34 PM — during her lunch break). Defense: Sullivan retained a key to Torres's apartment (she changed locks only in July after "feeling someone had been in the apartment") and could have used her WiFi from outside/inside without her knowledge. The phone IP login: Torres says her phone was connected to her car's Bluetooth that day and she left it in the break room unlocked during lunch — Sullivan could not have accessed it. Prosecution argues this explanation strains credulity — 5 separate IP connections from her home and phone all attributed to Sullivan without her knowledge.
Financial records — Torres and Sullivan
Torres financial profile: annual salary $52,000; credit card debt $23,400 (across 4 cards, 2 near limit); student loan balance $41,000 (2 months delinquent as of March 2024); checking account average balance $890. No unexplained deposits or lifestyle changes during the fraud period. Prosecution argues: financial desperation as motive; absence of visible proceeds means Torres was disciplined about not spending conspicuously. Defense argues: if Torres stole $47,000, where did it go? No unusual spending, no hidden accounts found in forensic accounting review. Sullivan financial profile: prior identity theft conviction (Oregon, 2019 — stole 8 identities, $31,000 in fraud, served 18 months at Coffee Creek Correctional). Current address: Portland, OR. Employment: freelance IT consultant (verified). Bank records show a $6,200 cash deposit on May 15, 2024 (source unverified — Sullivan claims "freelance payment from a client paid in cash").
Victim impact and timeline correlation
All 12 victims were PNFCU members who visited the Capitol Hill branch in person during Torres's shifts within 1–3 days before their CIS records were accessed. Branch visitor logs and teller transaction records confirm Torres personally served 9 of the 12 victims (handled their deposits or account inquiries). The remaining 3 were served by other tellers but their records were still accessed by mtorres_2021. Defense argues: as a teller, Torres routinely accesses dozens of customer records daily — accessing a record she personally served is normal job function, not evidence of fraud. The 3 victims she did not personally serve are more suspicious and could indicate someone else using her login. Prosecution argues: the 9/12 correlation — combined with the narrow time window between personal service and CIS lookup — shows Torres was selecting targets based on face-to-face interaction, possibly to assess their vulnerability to fraud.
Special Agent Kevin Bradshaw (FBI Cyber Crimes)
FBI Special Agent assigned to the Cyber Crimes Task Force in Seattle; 11 years with the Bureau; specializes in financial identity theft and digital forensics; has investigated 200+ identity theft cases
Our investigation traced every fraudulent application back to either PNFCU's internal network or Ms. Torres's home IP address. Her employee login accessed every single victim's record minutes before the fraud. The email used for the applications contains her name. Her phone IP accessed that email on June 12. We found no evidence that Mr. Sullivan was physically present in Seattle during the fraud period — his Portland apartment lease, gym check-ins, and debit card transactions place him in Portland on most dates in question. The TeamViewer angle is interesting but does not explain the home IP connections after the breakup or the phone IP access.
Derek Sullivan (defense witness, Torres's ex-boyfriend)
Age 32; freelance IT consultant in Portland, OR; prior felony conviction for identity theft in Oregon (2019, served 18 months); dated Torres from June 2023 to February 2024; lived in Torres's apartment during the relationship
I have nothing to do with this. Yes, I have a record — I served my time and I've been clean since 2020. Melissa and I broke up in February because she was controlling and jealous. I moved back to Portland. I did not install TeamViewer on her work computer — I don't even know what that is. I never had her work password. That $6,200 deposit was from a client who paid cash for a network setup — I can't control how clients pay me. I was in Portland during all of this. Check my gym, my lease, my card transactions. She's trying to pin this on me because I'm an easy target with my record.
Melissa Torres (defendant)
Age 29; PNFCU bank teller since 2021; no prior criminal record; no disciplinary history at work; annual performance reviews rated "meets/exceeds expectations"
I did not do this. Derek set me up. When we were together, he watched me log into my work computer at home — I used to check my schedule remotely. He saw my password. He installed TeamViewer on my work PC in January — I didn't even know what it was until the FBI told me. After we broke up, he kept my apartment key. I didn't change the locks until July because I didn't think he'd do something like this. The email with my name — he made that to frame me. He has a conviction for this exact crime. He knows exactly how to do this. I am a bank teller making $52,000 a year with a clean record. Why would I risk everything for credit card fraud? He's the one with the criminal history and the skills.
Identity Theft & Wire Fraud — Seattle, WA
Choose a role to start
