Fortune Magazine just identified Google and Facebook as the two sophisticated U.S.-based tech companies whose employees were swindled out of $100 million by a Lithuanian hacker in the last three years.
The United States Attorney for the Southern District of New York announced criminal charges against Lithuanian Evaldas Rimasauskas. The cyber-crime was described as a fraudulent business email compromise scheme that tricked two sophisticated U.S.-based internet companies into wiring over $100 million to Rimasauskas' bank accounts in Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.
Although the U.S. Justice Department initially withheld the names of the scammed U.S. companies, Fortune on April 27 identified the companies that prosecutors had referred to in the federal indictment as Victim 1 and Victim 2 as Google and Facebook, respectively. Beginning in 2013, Rimasauskas “forged email addresses, invoices, and corporate stamps in a scam to impersonate a large Asian-based manufacturer with whom the tech firms regularly did business.”
The Engadget blog identified the Taiwanese parts supplier that Rimasauskas impersonated as Quanta Computer. The company is a huge supplier to numerous tech giants, including Apple, Amazon, Google and Facebook.
The Department of Justice describes Business Email Compromise (BEC) as a sophisticated scam that targets businesses that deal with foreign suppliers and regularly issue electronic wire transfer payments. The scheme usually seeks to compromise legitimate supplier business e-mail accounts through social engineering or cyber-hacking techniques. The fraudsters then ask the victims to make unauthorized electronic fund transfers, disguising their activities to appear consistent with normal business practices.
The FBI collaborated with Google, Facebook, their banks, the Prosecutor General’s Office, and other law enforcement agencies in the Republic of Lithuania to trace the footprints of Rimasauskas' phishing attacks and make the arrest at his home in Vilnius.
Rimasauskas was indicted by the U.S. Justice Department Office’s Complex Frauds and Cybercrime Unit for identity theft, money laundering, and wire fraud. Federal sentencing guidelines state that conviction for such offenses carries a statutory maximum term of imprisonment of 24 years.
Acting U.S. Attorney for the Southern District of New York, Joon H. Kim, said in a Justice Department announcement, “This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cyber criminals.”
Rimasauskas, facing extradition from Lithuania, denied the allegations. He claims that he is innocent and intends to fight extradition to the United States. His attorney at the Cobalt firm, Linas Kuprusevicius, told Fortune in an email: “Mr. Rimasauskas cannot expect a fair and impartial trial in the U.S.A.”