Lithuanian National Pleads Guilty in $123 Million Business E-Mail Compromise Scheme Affecting Facebook and Google

On March 20, Evaldas Rimasauskas, a Lithuanian national, pleaded guilty to one count of wire fraud in an indictment returned in 2017 in the Southern District of New York, for his conduct of a business e-mail compromise (BEC) scheme that led to defrauding Google and Facebook out of $123 million.

According to the Indictment’s allegations, from 2013 through 2015, Rimasauskas orchestrated a fraudulent BEC scheme designed to deceive Google and Facebook (named in the indictment only as “Victim 1,” “Victim 2,” or “the Victim Companies”) into wiring funds to bank accounts that Rimasauskas controlled.  In particular, Rimasauskas

registered and incorporated a company in Latvia (“Company-2”) that bore the same name as an Asian-based computer hardware manufacturer (“Company-1”), and opened, maintained, and controlled various accounts at banks located in Latvia and Cyprus in the name of Company-2.  Thereafter, fraudulent phishing emails were sent to employees and agents of the Victim Companies, which regularly conducted multimillion-dollar transactions with Company-1, directing that money the Victim Companies owed Company-1 for legitimate goods and services be sent to Company-2’s bank accounts in Latvia and Cyprus, which were controlled by RIMASAUSKAS.

The emails, which purported to be from employees and agents of Company-1,

were sent from email accounts that were designed to create the false appearance that they were sent by employees and agents of Company-1, but in truth and in fact, were neither sent nor authorized by Company-1.  This scheme succeeded in deceiving the Victim Companies into complying with the fraudulent wiring instructions.

After Google and Facebook wired funds intended for Company-1 to Company-2’s bank accounts in Latvia and Cyprus, Rimasauskas

caused the stolen funds to be quickly wired into different bank accounts in various locations throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.  [He] also caused forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the Victim Companies, and which bore false corporate stamps embossed with the Victim Companies’ names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer.

Google reportedly sent more than $23 million and Facebook nearly $100 million to bank accounts that Rimasauskas controlled.  Google stated that it has recouped its money, and Facebook stated that it recovered most of its money.

Rimasauskas was arrested in Lithuania in _ 2017 and extradited to the United States in August 2017.  He is scheduled to be sentenced on July 24.

Note:  The Rimasauskas case is a particularly prominent example of how cybercriminals can set up and carry out a BEC scheme with relative ease.  The total gross proceeds it obtained, and the size of the companies that Rimaskauskas defrauded, make it one of the largest BEC schemes conducted in recent years.  By contrast, the FBI’s 2018 Operation WireWire against international BEC schemes resulted in the seizure of nearly $2.4 million and the recovery of approximately $14 million in fraudulent wire transfers.

Chief Information Security Officers, Chef Compliance Officers, and comptrollers in companies of all types and sizes should use this case as an opportunity to compare notes about their companies’ external fraud programs and test whether their business processes would detect the kind of BEC scheme that Rimasauskas conducted in this case.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s