
Man Stole $122M from Facebook and Google by Impersonating Quanta - paulgerhardt
https://boingboing.net/2019/03/24/evaldas-rimasauskas.html
======
sschueller
This is very similar to these domain renewal or the trademark renewal invoices
spam letters that you get in your mail.

They look very legitimate but are actually from other companies just sending you
a bill for something that you don't owe.

I assume many smaller companies with untrained staff pay these items without
double checking and that is why these things still come in the mail.

I find the "trademark renewal" ones especially devious as they come from a
company called something like "US Trademark Renewal services" and the invoices
look like they come from a federal agency.

~~~
Waterluvian
You'd think that impersonating the government is the best way to get the DOJ
on you, but I suspect they really lack the resources.

~~~
delinka
Indeed it is illegal and you'll definitely get into trouble with some law
enforcement agency if you impersonate the government. But there's not a US
Trademark Renewal Services Department to impersonate. You can name your
company anything that's not already someone else's property or the name of a
governmental body.

Are these companies despicable? Yes. Are they misleading people? I'd say so.
Can you make a fraud charge stick? Probably not. In cases I've seen, if you
read the entire document, including fine print, and you think logically about
the content, you can deduce that the companies sending these
notices/invoices/wtfe are just hoping the target isn't savvy enough to figure
things out.

~~~
rad_gruchalski
In the UK, there is a list of words which can’t be used as part of a
registered company name:
[https://www.gov.uk/government/publications/incorporation-and...](https://www.gov.uk/government/publications/incorporation-and-names/annex-a-sensitive-words-and-expressions-or-words-that-could-imply-a-connection-with-government)

~~~
JumpCrisscross
> _there is a list of words which can’t be used as part of a registered
> company name_

Similar prohibitions exist in America. They’re typically handled at the state
level, however, since incorporation is done by states.

(Some federal prohibitions exist, however. Like on calling oneself a “national
bank.”)

~~~
roywiggins
Which just means the persistent can just find a state to incorporate in that
is just a little bit more lax than the others...

~~~
JumpCrisscross
> _Which just means the persistent can just find a state to incorporate in
> that is just a little bit more lax than the others_

At that point, set up in Latvia. Generally speaking, companies incorporated
outside Delaware or the state they’re physically in get extra scrutiny. Also,
if your only check before issuing payment is looking at the entity’s name,
that’s more the problem than anything else.

------
ben1040
This sounds like the old copier toner social engineering scam at Google scale.

Some random employee would get a call from someone claiming to be from the
copier toner supplier, asking for the name of the person in charge of buying
that stuff.

The pretext might be their files got mixed up and they want to straighten it
out, or maybe they're a prospective supplier who wants to beat whatever price
you're paying now.

Then they make a fake invoice with that name, mail it to the company's
accounts payable desk, and hope it gets paid.

------
sokoloff
Whenever you get annoyed by a tedious paperwork exercise to buy something in
your company, it helps to realize that crap like this is (part of) why those
processes exist.

~~~
baddox
It seems like tedious paperwork exercises would make it _easier_ for scams
like this to happen, since there’s no one person with the responsibility to
say yes or no to specific purchases/invoices. If the responsibility is placed
on the bureaucratic process rather than specific people, surely that’s going
to make it easier for bad stuff to slip through (while also making it more
challenging to get legitimate requests through).

~~~
sokoloff
What is intended to happen is someone fills out a vendor creation form (to
guard against paying the wrong vendor/bank account), fills out a PO, later
someone agrees they received goods or services against that PO, later AP
receives an invoice, AP checks against the PO that goods/services have been
received in the amount of the invoice, and pays the invoice to the previously
setup vendor information.

When properly followed, the process makes scams harder, not easier. If people
don't follow the process...

(You can look at this as the process having one person responsible for each
step in the process, with the system recording each step.)
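
Added example, not part of the thread: a minimal Python sketch of the vendor-master / PO / goods-received / invoice match described in the comment above. All record types, field names, vendor names and account numbers are constructed assumptions, not taken from any real AP system.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vendor:
    vendor_id: str
    name: str
    bank_account: str   # recorded at vendor creation, changed only via that form
@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor_id: str
    amount: int         # cents
@dataclass(frozen=True)
class Invoice:
    po_number: str
    vendor_name: str
    amount: int
    remit_account: str  # where the invoice asks to be paid

def payment_holds(inv, vendors, pos, received, paid):
    """Return reasons AP should hold the invoice; an empty list means pay."""
    po = pos.get(inv.po_number)
    if po is None:
        return ["no purchase order on file"]
    vendor = vendors.get(po.vendor_id)
    if vendor is None:
        return ["PO vendor not in vendor master"]
    holds = []
    if inv.vendor_name.strip().lower() != vendor.name.lower():
        holds.append("invoice name differs from PO vendor")
    if inv.remit_account != vendor.bank_account:
        holds.append("remit account differs from vendor master")
    outstanding = received.get(po.po_number, 0) - paid.get(po.po_number, 0)
    if inv.amount > outstanding:
        holds.append("amount exceeds goods received and not yet paid")
    if paid.get(po.po_number, 0) + inv.amount > po.amount:
        holds.append("amount exceeds PO total")
    return holds

# Constructed sample records (all names and account numbers are made up).
VENDORS = {"V1": Vendor("V1", "Example Hardware Ltd", "LT00-1111")}
POS = {"PO-7": PurchaseOrder("PO-7", "V1", 500_000)}
RECEIVED = {"PO-7": 300_000}   # value of goods signed for so far
PAID = {"PO-7": 100_000}
GOOD = Invoice("PO-7", "Example Hardware Ltd", 200_000, "LT00-1111")
LOOKALIKE = Invoice("PO-7", "Example Hardware Ltd", 200_000, "LV00-9999")
NO_PO = Invoice("PO-99", "Example Hardware Ltd", 200_000, "LT00-1111")
OVERBILL = Invoice("PO-7", "Example Hardware Ltd", 450_000, "LT00-1111")
```

The `LOOKALIKE` invoice carries the right vendor name and a valid PO number and is still held, because the payment destination is checked against the vendor master rather than against the invoice itself.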

------
forinti
When McNamara arrived at Ford, its accounting was in such a bad state that
they weighed batches of invoices in order to have some kind of verification.
It must have been scammer's paradise.

I just didn't expect such a thing to occur today.

------
cosmodisk
While the numbers are impressive, this kind of stuff can be easily done to a
lot of companies. If a company lacks a proper PO system or things often get done
in Excel instead of CRM/ERP or similar software, it's pretty tricky to chase
all the ends properly. I have personally seen many examples where legitimate
suppliers double invoice, enter random amounts or inflate them by quite a
lot. And these are supposed to be the people you are having business with.

~~~
captn3m0
I’m surprised he went with 100M+ amounts. At such large numbers, you have to
be sure that you are gonna get caught.

Why not settle for smaller change and call it quits?

~~~
inuhj
We don't know that the person being prosecuted is the ultimate recipient of
the funds. He could very well be the fall guy.

------
paulpauper
This is an example of someone who devises a smart scheme but messes up in the
most important stage: keeping the money and getting away with it. Should have
just stopped at $10 million or so and moved it into bitcoin and then go on the
low-down until statute of limitations passes or change identity or move to non
extradition country. Tons of options. . .

~~~
_trampeltier
To buy an EU passport is easy and legal in a couple of countries (cheap in
Malta, expensive in Austria).

~~~
roywiggins
He's Lithuanian, he already has one.

------
everdev
> He's agreed to forfeit about $50m. It's not clear what's happened to the
> other $73m

I wonder if he was doing this on behalf of someone else? A few million is more
than enough to live comfortably for the rest of your life in Lithuania. $122M
seems like an addiction or an organized crime ring.

~~~
dmix
If anything he should have taken his $50M and moved to Russia or some other
country without an extradition treaty. His biggest mistake was staying in
Lithuania.

------
dboreham
Given how hard it can be to get a legitimate invoice paid, this is frustrating
to hear.

------
nullc
Facebook and Google can't keep their money safe, why does anyone think they
can keep anyone's data safe?

~~~
joshuamorton
Different processes.

Why would you assume the security around user data and around invoices are at
all similar?

~~~
908087
Facebook was just caught with their pants down after logging passwords in
plain text for years. Why would you assume they aren't?

------
EGreg
This reminds me of a dude who robbed banks by simply slipping a note to the
teller asking for money, with no threats. He got it many times.

------
azhenley
If only he had put his social engineering skills and boldness towards
something positive.

~~~
jarfil
If he got $120M over 3 years, there aren't many jobs out there which would pay
$40M a year. And if you can just send invoices and get paid, why even do any
work, like ever?

~~~
azhenley
Morals? Karma? Guilt? The desire to do something meaningful? The risk of
getting caught?

He did get arrested after all.

------
burtonator
My company, which is small, gets these forged invoices from time to time.

Some of them are pretty good but we're smaller so we're able to see that we're
not actually doing business with these companies.

------
GBiT
I'm from Lithuania, he is a Lithuanian citizen. What is interesting is that his
wife said that he is not capable of doing this, because he was a small
businessman in the construction business. His wife said that he doesn't know
how to use a computer properly for things like banking etc... The USA asked for
the extradition of this person, and my country gave him up, but he was never
in the USA.

The only thing he said is that he met some guy in Russia, who wanted to do
some business with him. It seems that he was just a proxy. He never saw the
money...

It's a very interesting story to look into because it's not as simple as it
looks from this post.

[https://translate.google.com/translate?sl=lt&tl=en&u=https%3...](https://translate.google.com/translate?sl=lt&tl=en&u=https%3A%2F%2Fwww.15min.lt%2Fnaujiena%2Faktualu%2Fnusikaltimaiirnelaimes%2F100-mln-doleriu-vagyste-kaltinamo-lietuvio-zmona-jis-tam-neturi-smegenu-59-835398)

~~~
UncleEntity
I, for one, would blame "some guy in Russia" if the alternative was 30 years
in prison...

...then plead guilty to all counts.

~~~
sridca
Yes, but do we know the facts of the situation?

~~~
JumpCrisscross
> _do we know the facts of the situation?_

We know he pleaded guilty and was in a position to return $50 million of stolen
money. The top comment takes, on one hand, a mountain of criminal evidence,
and weighs it against, on the other hand, things his wife said.

~~~
tunzy26
I think it's due to frustration. lol

------
pje
Folk hero, TBH

------
onetimemanytime
fraud is bad and illegal.

stealing is bad and illegal.

But if you're going to do it, do it this way! A++

------
jondubois
Just another reason why corporations should be broken up. The idea that they
can so easily transfer that kind of money in a small number of transactions is
dangerous.

