The $121 Million Email
There's something almost inspiring about the simplicity of what Evaldas Rimasauskas pulled off. No technical zero-day attacks. No malware. No months spent inside anyone's network. Just a Lithuanian man and his laptop, sending fake invoices to two of the world’s largest companies and actually getting them to pay.
Evaldas identified a real vendor that both Facebook and Google actually did business with: Quanta Services. Quanta is a company that builds servers and components for these companies. They’re a trusted brand and are part of the normal supply chain for both Google and Facebook. This means that when payment requests came from Quanta, there was no immediate reason to treat them as suspicious.

Evaldas created email domains that looked similar to Quanta's, domains that looked like the real deal at a glance, e.g. “@Quonta.com”. Then he started sending the invoices: professional invoices with proper formatting, project codes, and invoice numbers, the kind that finance teams receive constantly. Between 2013 and 2015, he sent these emails and invoices to employees at both companies. The amounts seemed reasonable for the work described and the requests always followed normal business patterns.
Finance departments processed the transfers routinely and the money moved to accounts Evaldas controlled. Over a hundred million dollars in aggregate.
He got away with this for a couple of years before the whole thing unraveled due to a regular financial audit. Someone at Facebook or Google was reviewing accounts, noticed something off, and the discrepancies started to reveal themselves. Once they looked closer, the details became obvious: the fake email domains, websites, and invoices that didn't match their actual records with Quanta, and wire transfers routed to accounts on the other side of the world.

Finally, law enforcement got involved, and the FBI traced the money as it moved through multiple jurisdictions. Some had already been moved to banks in Cyprus and Latvia. By the time the police caught up with Evaldas in his hometown in Lithuania, they were only able to recover a small amount of the funds.
Evaldas didn't need to be a talented hacker. He just needed to understand the processes and inner workings of organizations at scale. At a company the size of Google or Facebook, the person processing an invoice probably doesn't have the full context to question whether a wire should go to account “A” versus account “B”. They're handling so many transactions on a daily basis that if the email looks right and the budget lines up, the payments get approved.
This is called business email compromise, or BEC. The 2024 FBI Internet Crime Report found that BEC attacks account for about $2.9 billion in annual losses globally. It's one of the most financially destructive cybercrimes precisely because it doesn't require technical sophistication. It requires understanding how a certain business operates and then positioning yourself in the middle of that process.
Evaldas pleaded guilty to wire fraud and money laundering in 2017 and was sentenced to five years in federal prison.

The way to defend against this threat is almost as simple as the threat itself. Create a layer of friction in the process. Dual approval on wire transfers above a certain amount. Independent verification by calling a known contact at the vendor directly. Segregation of duties so the person authorizing payment isn't the same person initiating it. These are nothing innovative; they’re just basic controls that slow things down.
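Here are those controls as a payment-release gate, together with a check for the lookalike-sender trick described earlier. This is an added example, not part of the original newsletter; the vendor record, the `.example` domains, the account IDs, the callback number and the 10,000 threshold are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed vendor master record; domain, account and phone are placeholders.
VENDORS = {"quanta.example": {"account": "ACCT-0001", "callback": "+1-555-0100"}}
DUAL_APPROVAL_THRESHOLD = 10_000  # assumed policy value

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

@dataclass
class PaymentRequest:
    sender: str            # address the invoice arrived from
    account: str           # beneficiary account named on the invoice
    amount: float
    initiator: str         # employee who entered the payment
    approvers: tuple = ()  # employees who signed off

def review(req: PaymentRequest) -> list[str]:
    """Return the reasons to hold the payment; an empty list means release."""
    holds = []
    domain = req.sender.rsplit("@", 1)[-1].lower()
    vendor = VENDORS.get(domain)
    if vendor is None:
        # Not a known vendor domain: is it a near miss of one (Quonta vs Quanta)?
        near = [d for d in VENDORS if edit_distance(domain, d) <= 2]
        holds.append(f"lookalike of {near[0]}" if near else "unknown sender domain")
    elif req.account != vendor["account"]:
        # Right domain, new bank details: verify by phone using the number on file.
        holds.append(f"account differs from record; call {vendor['callback']}")
    # Dual approval with segregation of duties: the initiator's own sign-off is ignored.
    independent = set(req.approvers) - {req.initiator}
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(independent) < 2:
        holds.append("needs two approvers other than the initiator")
    return holds

# Constructed request mirroring the "Quonta" lookalike described above.
SAMPLE = PaymentRequest("billing@quonta.example", "ACCT-9999", 50_000, "alice", ("alice",))

if __name__ == "__main__":
    print(review(SAMPLE))
```

The callback number comes from the vendor record on file, never from the invoice or email being verified.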
That’s all for tonight!
dontgetgot



