A Lithuanian man pleaded guilty today to wire fraud, aggravated identity theft, and three counts of money laundering, after tricking employees of Alphabet's Google unit and Facebook into wiring more than $100 million into bank accounts he controlled as part of multiple business email compromise (BEC) fraud attacks spanning from at least in or around 2013 through in or about 2015.

"As Evaldas Rimasauskas admitted today, he devised a blatant scheme to fleece U.S. companies out of over $100 million, and then siphoned those funds to bank accounts around the globe," stated Manhattan U.S. Attorney Geoffrey S. Berman in the DoJ press release containing the unsealed indictment from March 21, 2017.

According to the indictment [.PDF], Rimasauskas registered and incorporated a Latvian company with the same name as the Asian computer hardware manufacturer Quanta Computer Inc as reported by Bloomberg, and also opened multiple accounts at banks from Cyprus, Lithuania, Hungary, Slovakia, and Latvia to receive the fraudulent payments.

Facebook defrauded of $99 million, Google of $23 million

Today's DoJ release states that he "caused forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the Victim Companies, and which bore false corporate stamps embossed with the Victim Companies’ names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer."

With the help of several spoofed emails and using the fact the two companies had identical names, the scammer was able to trick Google and Facebook employees as well as the banks they worked with to make and approve payments to his Latvian company's bank accounts.

Evaldas Rimasauskas before extradition verdict (Image: REUTERS/Andrius Sytas)

After successfully receiving the funds in the accounts he controlled, Rimasauskas distributed the money to bank accounts from six other countries, attempting to cover his tracks.

While the indictment did not specifically identify Google and Facebook as the two US companies which got tricked by the Lithuanian scammers BEC attacks, Reuters says that "a Lithuanian court order in 2017 identified Google and Facebook as the victims."

Also, according to the same report, "The scheme defrauded Google out of $23 million and Facebook out of $99 million, according to that order."

Rimasauskas faces a maximum sentence of 30 years in jail

As detailed in today's guilty plea court documents, Rimasauskas agreed to forfeit $49,738,559.41 to the United States, "representing the amount of proceeds traceable to the offense in Count One of the Indictment that the defendant personally obtained," representing the wire fraud charge.

Rimasauskas is could receive a maximum sentence of 30 years of jail time if he's found guilty of the wire fraud, aggravated identity theft, and three counts of money laundering charges he faces, with the sentencing date having been set for "7/24/2019 at 10:00 AM before Judge George B. Daniels."

The FBI's Internet Crime Complaint Center (IC3) warned in June 2016 that BEC attacks were behind huge monetary losses, malicious actors having defrauded companies from all over the world of more than $3 billion in just a little over three years, with "a 1,300% increase in identified exposed losses."

BleepingComputer has reached out to Google and Facebook for more details but did not receive an answer prior to publication.

Update March 20, 17:46 EDT: A spokesperson confirmed that Google was targeted by Rimasauskas' BEC fraud attacks: