In 2012, Facebook’s financial success netted them over $5 billion in revenue. As the company was thrived, one man, Evaldas Rimasauskas, took notice of this and saw an opportunity. He was intrigued by their business to business accounting practices that allowed large sums of money to be transferred. Earlier in the year, Facebook purchased Instagram for $1 billion, Rimasauskas wondered who at Facebook had the power to make such an enormous payment.
Rimasauskas gathered a team to embarked on a meticulous plan to defraud Facebook and Google. They began by gathering information through social engineering, and learning the internal workings of Facebook’s financial operations. Through this, they discovered that Facebook did a lot of business with Quanta Computer, a legitimate company in Taiwan. The group proceeded to set up a fake company with the same name in Latvia and Cyprus and opened bank accounts under the same name.
Using a real Quanta invoice, Rimasauskas altered the payment details to redirect funds to his accounts. He created a fake email domain resembling Quanta’s and emailed the right person at Facebook, instructing them to update payment details. Facebook fell for the scam and sent payments to Rimasauskas’ accounts instead of Quanta’s.
After suceeding with Facebook, Rimasauskas expanded his scheme to Google, which also did business with Quanta. Google too fell for the ruse, sending payments meant for Quanta to Rimasauskas instead. Over two years, he extracted $23 million from Google and $98 million from Facebook.
Rimasauskas laundered the money through various bank accounts worldwide, using fake legal documents to disguise his activities. Eventually, parties at Facebook and Google noticed the fraud taking place. Investigations traced the payments to a bank in Cyprus and uncovered the fake email domain. Activities were connected back to Rimasauskas when investigators found he had made a critical mistake: he registered the domain with his own personal email address.
The FBI was notified and quickly acted, freezing Rimasauskas’ funds and gathering evidence. He was arrested in Lithuania, extradited to New York, and pleaded guilty to wire fraud in 2019. He was sentenced to five years in prison and ordered to pay $26 million.
Google and Facebook managed to recover most of their financial losses with government assistance but the permanent reputation damage was done.