A Lithuanian man’s scheme to steal more than $120 million from Facebook and Google has earned him 60 months in U.S. federal prison.
A federal judge in Manhattan handed down the sentence Thursday to Evaldas Rimasauskas, who pleaded guilty in March to orchestrating a phishing plan that allowed him to pose as a Taiwanese technology manufacturer, then collect money transfers from the U.S. technology giants.
Rimasauskas created domains spoofing Quanta — a contractor that actually did build servers and other components for Facebook and Google — then sent fraudulent invoices directing the companies’ employees to wire real money to the fake Quanta.
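The two controls that would have caught this pattern are a lookalike check on the sender's domain and an out-of-band check whenever an invoice's payment account differs from the one on file for that vendor. The script below is an added illustration of both checks and is not code from the article or from either company; the vendor allowlist, the sender addresses, the account identifiers and the `vendor-example.com` domain are all constructed placeholders.

```python
from dataclasses import dataclass

# Constructed vendor allowlist: sender domain on file -> payment account on file.
KNOWN_VENDORS = {
    "vendor-example.com": "ACCT-ON-FILE-0001",
}


@dataclass
class Invoice:
    sender: str          # From: address on the invoice e-mail
    pay_to_account: str  # bank account the invoice asks to be paid to
    amount_usd: float


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an e-mail address (everything after the last '@')."""
    return address.rsplit("@", 1)[-1].strip().lower()


def normalize(domain: str) -> str:
    """Fold common visual substitutions so 'exarnple' compares equal to 'example'.
    The substitution list is a small constructed sample, not an exhaustive confusables table."""
    d = domain.lower()
    for lookalike, plain in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(lookalike, plain)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str):
    """Return ('known'|'lookalike'|'unknown', matched vendor domain or None)."""
    domain = sender_domain(address)
    if domain in KNOWN_VENDORS:
        return "known", domain
    for vendor in KNOWN_VENDORS:
        # vendor's real domain used as a leading subdomain of some other domain
        if domain.startswith(vendor + "."):
            return "lookalike", vendor
    best = min(KNOWN_VENDORS, key=lambda v: edit_distance(normalize(domain), normalize(v)))
    if edit_distance(normalize(domain), normalize(best)) <= 2:
        return "lookalike", best
    return "unknown", None


def review_invoice(inv: Invoice) -> list:
    """Flags an accounts-payable reviewer should resolve before a wire is released."""
    flags = []
    verdict, vendor = classify_sender(inv.sender)
    if verdict == "lookalike":
        flags.append(f"sender domain {sender_domain(inv.sender)} resembles vendor {vendor}")
    elif verdict == "unknown":
        flags.append("sender domain not on the vendor allowlist")
    # Payment-detail change on a known or lookalike vendor: confirm by phone to the
    # number already on file, never to a number supplied in the e-mail itself.
    if vendor is not None and inv.pay_to_account != KNOWN_VENDORS[vendor]:
        flags.append("payment account differs from the account on file; verify out of band")
    return flags


# Constructed sample invoices: a genuine one, a homoglyph lookalike with new bank
# details, a subdomain lookalike, and a sender with no vendor relationship at all.
SAMPLE_INVOICES = [
    Invoice("billing@vendor-example.com", "ACCT-ON-FILE-0001", 48200.00),
    Invoice("billing@vendor-exarnple.com", "ACCT-NEW-9999", 1250000.00),
    Invoice("ap@vendor-example.com.invoices-portal.example", "ACCT-ON-FILE-0001", 9900.00),
    Invoice("someone@unrelated.org", "ACCT-NEW-4242", 500.00),
]

if __name__ == "__main__":
    for inv in SAMPLE_INVOICES:
        print(inv.sender, review_invoice(inv) or "clean")
```

The edit-distance threshold and the confusable list are deliberately simple; in practice the vendor list would be loaded from the ERP system and the account comparison is the control that matters most, because an attacker who has compromised a real vendor mailbox will pass the domain check entirely.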
The activity occurred between 2013 and 2015, during which time Rimasauskas, now 51, netted $99 million from Facebook and $23 million from Google. A judge in the U.S. Southern District of New York ordered the Lithuanian man to pay that money back, along with the five years in prison and two years of supervised release.
Rimasauskas likely also will face deportation proceedings following his incarceration.
Lithuanian police apprehended the hacker in 2017 and extradited him to the U.S. in August 2017. He faced up to 30 years behind bars.
While business email compromise attacks remain one of the primary ways cybercriminals earn their pay — the FBI reported scammers made $301 million every month in 2018 — it’s rare for such large attacks to hit major technology companies, and even more uncommon for the public to learn about it. The Japanese media conglomerate Nikkei said in October it lost $29 million in a BEC scam, while thieves also fleeced a Chinese venture capital firm out of $1 million this year.
Often, though, corporations don’t report such losses. BEC scams typically don’t involve the kind of personally identifiable information that, if compromised, requires firms to report a breach. Large companies also list cybersecurity and related issues as a risk in financial reporting documents aimed at shareholders, affording corporate lawyers some leeway to keep quiet about BEC attacks unless they’re especially large.
In this case, a Lithuanian court order identified Facebook and Google as the victims.