US Department of Defence Hit By $23m Phishing Attack

Hackers stole $23 million (£18m) from the US Department of Defence in 2018 through an eloaborate phishing scam, according to the US Justice Department, which said it has successfully convicted two of the conspirators.

Sercan Oyuntur, 40, of Northridge, California, was convicted of counts including wire fraud, bank fraud and aggravated identity theft last week, following an eight-day trial in Camden, New Jersey federal court.

Another conspirator, Hurriyet Arslan, of New Jersey, pleaded guilty in January 2020 to conspiracy, bank fraud and money laundering and is due to be sentenced in June, the Justice Department said.

Phishing attack

From June to September 2018 the two men, along with others in Germany and Turkey, circulated phishing emails to various government contractors.

One of these, a jet fuel supplier’s intermediary based in New Jersey, was tricked by the scheme into supplying his login credentials to a malicious website posing as the General Services Administration’s public-facing site.

Arslan, who oned a used car dealership called Deal Automotive Sales in Florence, New Jersey, was tasked with creating a shell company, setting up a mobile phone number for the firm, hiring someone to pose as the firm’s owner and opening a bank account in the firm’s name.

On 10 October, 2018, based on fraudulent information suplied by Oyuntur and the others, the Department of Defence transferred $23.5m intended to pay for jet fuel into the Deal Automotive bank account.

$23m fraud

Arslan was able to access some of the funds, but the bank wouldn’t release the balance.

The conspirators then obtained a falsified government contract from a collaborator in Turkey indicating that the used car dealership had obtained a defence contract worth $23m in an effort to convince the bank to provide access to the remaining funds.

The combined maximum prison sentences for Oyuntur’s charges amount to 107 years, while the fines for the fraud charges amount to $3m or twice the gross profits or loss relatd to the offence, whichever is greater, the Department of Justice said.

The remaining charges mean a potential $250,000 fine or twice the gain or loss from the offence, whichever is greater.