The US DoD Got Snookered In A $23.5M Phishing Scam But Got Revenge In Court
The DoJ revealed this information after Sercan Oyuntur, a Turkish national who operated a phone repair business in California, was found guilty of conspiracy to commit mail, wire, and bank fraud, unauthorized device access, aggravated identity theft, and making false statements to federal law enforcement officers. From June to October 2018, Oyuntur worked with four co-conspirators to access a government website and divert DoD funds to a bank account operated by the criminals. The group used a number of phishing techniques to carry out this high stakes theft.
The criminals began by registering the domain “dia-mil.com, which could be mistaken for “dla.mil,” a domain operated by the Defense Logistics Agency (DLA). The conspirators then sent emails from their newly registered domain to vendors who had registered in the System for Award Management (SAM) to work with the federal government. The emails redirected users to a website that appeared identical to the “login.gov” site, but functioned to steal user credential.
Oyuntur sought to capitalize on this particular pending invoice by changing the banking information of the recipient to a bank account controlled by a shell company set up by a co-conspirator. The scheme was almost thwarted by an automated security system that flags bank account changes and blocks payments, but the conspirators were able to call the DLA and offer false explanations sufficient to satisfy scrutiny and have the bank account change manually approved. The DoD then completed the transaction, unknowingly depositing the full $23.5 million sum in a bank account owned by the conspirators.
The conspirators worked to create an explanation for the huge payment by falsifying invoices for a New Jersey car dealership owned by one of the co-conspirators. This effort ultimately failed, as the dealership wasn’t a government contractor registered in SAM. An automated system caught the mismatch, resulting in a investigation that eventually unraveled the scheme and led to the return of the stolen funds.
In the course of the investigation, the DoJ caught both Oyuntur and the owner of the car dealership, Hurriyet Arslan. Both criminals have been found guilty on multiple counts. Two of the counts could land Oyuntur in prison for 30 years and charge him with a fine of $1 million, or twice the gross profits or loss resulting from the offense. Oyuntur’s sentencing date is still yet to be determined, while Arslan’s sentencing is set for June 21.