Evaldas Rimasauskas, a 48-year-old Lithuanian man, has been charged with defrauding two major US-based internet companies for more than $100m through whaling attacks.
Rimasauskas, from Vilnius, was arrested late last week by Lithuanian authorities on the basis of a provisional arrest warrant, according to the US Department of Justice.
He is accused of whaling (like phishing, but bigger) his way to more than $100m. Whaling is a form of social engineering fraud in which criminals trick financial controllers at large corporations into paying money into the wrong bank accounts. Attacks are far more successful than you'd think.
Acting US Attorney Joon Kim said: "From half a world away, Evaldas Rimasauskas allegedly targeted multinational internet companies and tricked their agents and employees into wiring over $100 million to overseas bank accounts under his control. This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cybercriminals."
FBI assistant director William F Sweeney Jr. said: "As alleged, Evaldas Rimasauskas carried out a business email compromise scheme creatively targeting two very specific victim companies. He was initially successful, acquiring over $100 million in proceeds that he wired to various bank accounts worldwide. But his footprint would eventually lead investigators to the truth, and today we expose his lies."
According to allegations in the indictment against Rimasauskas, which was unsealed this week, he had orchestrated his scheme between 2013 and 2015, targeting "a multinational technology company and a multinational online social media company" and tricking them into wiring funds to bank accounts under his control.
The bank accounts in question belonged to companies that Rimasauskas had himself set up and incorporated with the same name as an unspecified "Asian-based computer hardware manufacturer" with whom the victim companies were involved in legitimate business.
Rimasauskas's phishing emails posed as if they represented the real hardware manufacturer, and requested that money which the victim companies owed to that manufacturer for legitimate good and services be paid into the accounts of the company he'd set up himself.
Once he'd snared the funds, the would-be mastermind attempted to wire the stolen money into different bank accounts in various jurisdictions throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.
He also caused forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the victim companies, and which bore false corporate stamps embossed with the victim companies' names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer.
Rimasauskas is charged with one count of wire fraud and three counts of money laundering, each of which carries a maximum sentence of 20 years in prison, and one count of aggravated identity theft, which carries a mandatory minimum sentence of two years in prison. ®