Thieves apparently used a Nigerian-based scam to steal $2.5 million from the Utah treasury, covering their tracks by using intermediaries and a church address.

A Salt Lake Tribune review of the names listed in a search warrant as receiving or transferring money have names of African origin or connections to that continent. Michael Kessler, president of Kessler International, a forensic accounting and investigation agency in New York City, said the thieves appear to have used a simple scam that originated in Nigeria about five years ago.

The Utah theft is the first time he's seen a government victimized.

"Their IT people should have known better," Kessler said after reviewing a copy of the search warrant Thursday. "It sounds like any kid could have done this."

In one case investigated by Kessler's firm, thieves used computer software transmitted by e-mail to monitor financial information input by the chief financial officer of an Ohio insurance firm. Once they had the information, they diverted insurance payments to their bank account. About $1 million was stolen.

At least one address listed for the perpetrators in an affidavit filed with the warrant appears to be false. While it lists a Duncan N. Ongaga living on the second floor at 18 Union Ave. in Irvington, N.J., Irvington police detective Chris Jenkins on Thursday said the address is for a church -- and there's no second floor. Irvington police have no record of someone by that name.

John Reidhead, the director of the Utah Division of Finance, on Wednesday said his division has added procedures to verify direct deposit information and made other changes to prevent future fraud.

The search warrant, made public this week in Salt Lake City's 3rd District Court, said someone in August obtained a vendor number for the University of Utah's design and construction department. They then forged the signature of the department's director and submitted paperwork to the state of Utah changing the department's bank account information.

Fraudsters logged onto a state Web site and submitted invoices to the state on behalf of the campus department. When the state paid the invoices, the money went to a Bank of America account in Texas.

The thieves reaped $2.5 million before the bank called the state to inquire why such large payments were going to the account.

The search warrant says the Texas account was opened by a man with a Minnesota driver's license. The warrant also makes reference to a truck driver, and a search of business records shows another name in the search warrants has a registered trucking company in Arlington, Texas.

Kessler said the thieves may have recruited intermediaries to open the accounts and transfer the money. The account holders may not have participated in the theft itself or known where the money came from, Kessler said.

Once the money moved to Texas, the warrant says, several checks were written to various people.

Attempts to contact any of the people listed in the search warrant Thursday as receiving or transferring money were unsuccessful.

Once the fraud was discovered, a Texas bank froze $1.8 million of the stolen funds. It's unclear how much of the remaining money has been recovered. The Attorney General's Office has declined to comment on the investigation or any arrests that may have been made in connection with it.