How to steal millions from Facebook and Google: invoice them

In today’s DGiT Daily newsletter I included a link to the following story: “Man stole $122m from Facebook and Google by sending them random invoices, which the companies promptly paid.”

I undersold it. Not because the story has many twists and turns, but because the invoices were hardly random.

The story

Lithuanian man Evaldas Rimasauskas was first arrested in Lithuania in March, 2017, according to a US Department of Justice press release from March 21st, 2017.

The unsealed indictment alleged Rimasauskas hatched a scam “from at least in or around 2013 through in or about 2015,” to swindle more than $100 million from “multinational technology companies”. The DOJ didn’t name the companies, but the scale of the fraud meant only a few companies could have been the targets. A month later, a Fortune investigation revealed that the two companies involved were Google and Facebook, while Quanta had admitted earlier that it was the victim company. Later, it emerged the sums stolen were higher: around $99m from Facebook and $23m from Google, according to reports.

How was it done?

According to the Justice Department and Bloomberg reports, Rimasauskas forged email addresses, invoices, and corporate stamps in order to impersonate tech hardware manufacturer Quanta Computer Inc, based in Taiwan.

The now 50-year-old Lithuanian registered a business in Latvia with the same name, and sent bills to Google and Facebook. Both companies regularly did business with the real Quanta, so it appears enough boxes were ticked for the invoices for supplies to be paid.

The Justice Department alleges the money was distributed widely throughout Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.

Lithuanian authorities agreed to extradite Rimasauskas to New York in August 2017. Last week, he pleaded guilty to one count of wire fraud before U.S. District Judge George Daniels on Wednesday, under an agreement with prosecutors, and will forfeit $49.7 million.

Last week, Rimasauskas pleaded guilty. The waters muddy to an extent: Assistant U.S. Attorney Eun Young Choi told U.S. District Judge George Daniels that prosecutors don’t allege that Rimasauskas was the one who directly induced Facebook and Google to send the money, instead alleging that the man “created the infrastructure.”

Joon H. Kim, the Acting U.S. Attorney for the Southern District of New York, suggested that a good part of the money has been recovered, echoed by Google in a statement to BleepingComputer.

“We thank the companies and their banks for acting quickly, coming forward promptly, and cooperating with law enforcement; it led [to] the recovery of much of the stolen funds,” Kim said in a statement.

What’s next:

  • Rimasauskas could receive a maximum sentence of 30 years of jail time, although his lawyer believes four of the five charges will be dropped at sentencing, set for July 24th, 2019.

What’s not clear:

  • The flow of money: While a large amount has been forfeited, more than $70m hasn’t been announced as collected.
  • How did it happen? While Google’s statement in the last week said: “We detected this fraud and promptly alerted the authorities. We recouped the funds and we’re pleased this matter is resolved,” it’s rather clear that being defrauded for approximately two years is hardly “prompt” alerting of authorities.
  • Why did Rimasauskas get so greedy? Fraud at the scale of nine figures is well worth being chased by the US Justice Department, including extradition.