The United States Attorney for the Southern District of New York announced criminal charges against Lithuanian Evaldas Rimašaukas.
The cyber-crime was described as a fraudulent business email compromise scheme that tricked two sophisticated U.S.-based internet companies to wire over $100 million to Rimašaukas’ bank accounts in Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.
According to an indictment released by the US Justice Department last month, 48-year-old Evaldas Rimasauskas from Vilnius began contacting the accounting departments of the two companies in 2013 using convincing fake email addresses and letterheads impersonating Quanta Computer, a large Taiwanese tech parts supplier used by both Google and Facebook, which were referred to only as Company-1 and Company-2. Using “forged invoices, contracts, and letters,” Rimasauskas persuaded the companies’ employees to wire millions of dollars intended for real purchases, to impostor accounts actually owned by him. He then stashed the massive sums in banks all over Eastern Europe.
It is unclear how soon the victims noticed they were missing millions of dollars or when they alerted the authorities, but according to American investigators, Rimasauskas was able to get away with the scam until 2015. Both Google and Facebook say that investigators were able to trace the money, and most of it has been returned.
“We detected this fraud against our vendor management team and promptly alerted the authorities. We recouped the funds and we’re pleased this matter is resolved,” said Google in a statement.
Facebook said it had “recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation.”
Despite the first sealed indictment coming against Rimasauskas last December, he was only arrested in Lithuania this month. He is now facing wire fraud, money laundering, and identity theft charges that could land him in prison for decades. The accused insists he is innocent and vows to fight extradition to the US.
The FBI collaborated with Google, Facebook, their banks, the Prosecutor General’s Office, and other law enforcement agencies in the Republic of Lithuania to trace the footprints of Rimašaukas’ phishing attacks and make the arrest at his home in Vilnius.
Rimašaukas was indicted by the U.S. Justice Department Office’s Complex Frauds and Cybercrime Unit for identity theft, money laundering, and wire fraud. Federal sentencing guidelines state that conviction for such offenses carries a statutory maximum term of imprisonment of 24 years.
Acting U.S. Attorney for the Southern District of New York, Joon H. Kim, said in a Justice Department announcement, “This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cyber criminals.”
Rimasauskas, facing extradition from Lithuania, denied the allegations. Rimašaukas claims that he is innocent and intends to fight extradition to the United States. His attorney at the Cobalt firm, Linas Kuprusevicius, told Fortune in an email: “Mr. Rimasauskas cannot expect a fair and impartial trial in the U.S.A.”