A Lithuanian man was sentenced today to five years in prison after tricking Google and Facebook employees into wiring over $120 million into bank accounts he controlled as part of several business email compromise (BEC) fraud attacks spanning 2013 to 2015.

He previously pleaded guilty to wire fraud, aggravated identity theft, and three counts of money laundering, according to a Department of Justice press release from March 2019.

"Evaldas Rimasauskas devised an audacious scheme to fleece U.S. companies out of more than $120 million, and then funneled those funds to bank accounts around the globe," U.S. Attorney Geoffrey S. Berman said today.

"Rimasauskas carried out his high-tech theft from halfway across the globe, but he got sentenced to prison right here in Manhattan federal court."

As detailed in the guilty plea court documents, Rimasauskas agreed to forfeit $49,738,559.41 to the United States, "the amount of proceeds traceable to the offense in Count One of the Indictment that the defendant personally obtained," representing the wire fraud charge.

Evaldas Rimasauskas before extradition verdict (Image: REUTERS/Andrius Sytas)

$99 million stolen from Facebook, $23 million from Google

According to the indictment, Rimasauskas registered and incorporated a company in Latvia using the same name as the Asian computer hardware manufacturer Quanta Computer Inc.

He also opened multiple accounts at banks in Cyprus, Lithuania, Hungary, Slovakia, and Latvia that he would later use to receive the fraudulent payments.

Phishing emails were then sent to Google and Facebook employees who "regularly conducted multimillion-dollar transactions with" Quanta representatives, instructing them to deliver large sums of money to Rimasauskas' accounts.

He also used "forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the Victim Companies, and which bore false corporate stamps embossed with the Victim Companies’ names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer."

After the funds were deposited in his accounts, Rimasauskas scattered the money to other bank accounts in six countries, trying to cover his tracks.

In addition to the prison term, Judge Daniels ordered RIMASAUSKAS to serve two years of supervised release, to forfeit $49,738,559.41, and to pay restitution in the amount of $26,479,079.24. - DoJ

Even though the indictment did not specifically identify Google and Facebook as the US companies that got tricked in the BEC scammer's attacks, Reuters reported that "a Lithuanian court order in 2017 identified Google and Facebook as the victims."

"We detected this fraud and promptly alerted the authorities. We recouped the funds and we're pleased this matter is resolved," a Google spokesperson told Bleeping Computer after Rimasauskas pleaded guilty in March, confirming that the company was targeted in Rimasauskas' BEC attacks.

The FBI said in a BEC public service announcement issued in September that victim complaints related to 166,349 domestic and international incidents were received between June 2016 and July 2019, revealing a total exposed dollar loss of more than $26 billion.

In July, the Financial Crimes Enforcement Network (FinCEN) also issued a report stating that BEC SAR (short for suspicious activity reports) filings increased from a $110 million monthly average during 2016 to more than $301 million per month in 2018.