Hacker News new | past | comments | ask | show | jobs | submit login
Man Stole $122M from Facebook and Google by Impersonating Quanta (boingboing.net)
242 points by paulgerhardt 8 months ago | hide | past | web | favorite | 93 comments



This is very similar to these domain renewal or the trademark renewal invoices spam letters that you get in your mail.

They look very legitimate but are actual from other companies just sending you a bill for something that you don't owe.

I assume many smaller companies with untrained staff pay these items without double checking and that is why these things still come int he mail.

I find the "trademark renewal" ones especially devious as they come from a company called something like "US Trademark Renewal services" and the invoices look like they come from a federal agency.


You'd think that impersonating the government is the best way to get the DOJ on you, but I suspect they really lack the resources.


Indeed it is illegal and you'll definitely get into trouble with some law enforcement agency if you impersonate the government. But there's not a US Trademark Renewal Services Department to impersonate. You can name your company anything that's not already someone else's property or the name of a governmental body.

Are these companies despicable? Yes. Are they misleading people? I'd say so. Can you make a fraud charge stick? Probably not. In cases I've seen, if you read the entire document, including fine print, and you think logically about the content, you can deduce that the companies sending these notices/invoices/wtfe are just hoping the target isn't savvy enough to figure things out.


In the UK, there is a list of words which can’t be used as part of a registered company name: https://www.gov.uk/government/publications/incorporation-and...


> there is a list of words which can’t be used as part of a registered company name

Similar prohibitions exist in America. They’re typically handled at the state level, however, since incorporation is done by states.

(Some federal prohibitions exist, however. Like on calling oneself a “national bank.”)


Which just means the persistent can just find a state to incorporate in that is just a little bit more lax than the others...


> Which just means the persistent can just find a state to incorporate in that is just a little bit more lax than the others

At that point, set up in Latvia. Generally speaking, companies incorporated outside Delaware or the state they’re physically in get extra scrutiny. Also, if your only check before issuing payment is looking at the entity’s name, that’s more the problem than anything else.


are suggesting the US should adopt sane, simple, effective legislation?! I'm shocked at your attack on freedom!

they will probably solve this by curating a list of "good words to register your company" which then can be claimed as a tax exemption that requires two new forms. which adds $25 to services bill at H&Rblock. like God intended.


Bad news. In the US, businesses’ God given right to impersonate the government is already being infringed. I ran across this when reading the rules to register a business a few years back. Maybe it was just a state law, but if that’s on the books in Texas, it’s probably prohibited in all states.


> Can you make a fraud charge stick? Probably not.

I wouldn't rely on weasel-wording to keep you out of jail. Even if those people aren't technically lying, it's obvious that they attempt to mislead people into paying for services they have never ordered.


In some of those cases, they're trying to convince someone into ordering a service and paying for it at the same moment. My domains have public registration, so I get a lot of these BS solicitations. (It pleases me every time I get one, because these scammers^DELentrepreneurs are losing money on each of my domains...

"If your domain lapses and no one can get to your site, you could lose business or even lose the domain entirely. Renew your domain today for only $99.95!"

"If you don't submit your business to Google and drop off of search results, your business could suffer. Send us $100 and we'll handle submitting your site to Google for you."

Those statements are not technically wrong; these companies are soliciting to provide a service; obviously techies find the practice abhorrent and misleading, but they live in a muddy grey area where they provide some service and charge money for it.


How are they losing money on each of your domains?


They're mailing me a letter, spending an envelope stuff and a stamp on a domain owner who will never convert.


They usually include a business reply mail envelope too. I make sure to drop those into the mail empty so they get charged for that as well.


Thats evil and I love it. Gonna have to do that from now on.


Gotcha, at first I assumed we were talking emails :)


The government used to care about what it alleged was deceptive mail:

https://en.wikipedia.org/wiki/Publishers_Clearing_House#Gove...


Lying to people for money via mail is wire fraud, a state and federal crime.


In Russia, we had "pay us 1m dollars or we kill you spam." Unsettling it is, given that once in a million times, the threat carried is true.

That was one of many many things that made me leave.


I've gotten ones claiming that I have to send money in order for one of my patents to be registered in some particular country, typically eastern Europe.


> ...these domain renewal or the trademark renewal invoices spam letters that you get in your mail.

> They look very legitimate...

The ones I've seen do not. And I stopped receiving them altogether a few years after I made my domain name registrations private.


I stopped receiving them altogether a few years after I made my domain name registrations private.

I keep my registrations public, as they should be. But I stopped getting those letters when I changed the phone number to a VOIP service in another country.


> I keep my registrations public, as they should be.

Why should they be public?


This sounds like the old copier toner social engineering scam at Google scale.

Some random employee would get a call from someone claiming to be from the copier toner supplier, asking for the name of the person in charge of buying that stuff.

The pretext might be their files got mixed up and they want to straighten it out, or maybe they're a prospective supplier who wants to beat whatever price you're paying now.

Then they make a fake invoice with that name, mail it to the company's accounts payable desk, and hope it gets paid.


Whenever you get annoyed by a tedious paperwork exercise to buy something in your company, it helps to realize that crap like this is (part of) why those processes exist.


It seems like tedious paperwork exercises would make it easier for scams like this to happen, since there’s no one person with the responsibility to say yes or no to specific purchases/invoices. If the responsibility is placed on the bureaucratic process rather than specific people, surely that’s going to make it easier for bad stuff to slip through (while also making it more challenging to get legitimate requests through).


What is intended to happen is someone fills out a vendor creation form (to guard against paying the wrong vendor/bank account), fills out a PO, later someone agrees they received goods or services against that PO, later AP receives an invoice, AP checks against the PO that goods/services have been received in the amount of the invoice, and pays the invoice to the previously setup vendor information.

When properly followed, the process makes scams harder, not easier. If people don't follow the process...

(You can look at this as the process having one person responsible for each step in the process, with the system recording each step.)


In my experience, it’s just motivation to spend your own money on it. Much less frustrating.

I spent too much time trying to get that 25’ RJ-11 cable to avoid that tripping hazard. Best $2 I ever spent.


Most sensible places have an expedited process for employees for things under some trivial amount (ours is $25).


Maybe in private sector.

In public sector... “telecom expenses must go through telecom”, and they may not be willing to bother with the paperwork.

And god help you if you’re working in some kind of private-public partnership where that $9 expense is -$9 profit.

Sometimes you can get around it if you can find what you need from Staples and order it as an office supply.


Even 20 years ago the public sector was perfectly on-board with so-called "catalog purchases" using approved retailers, and "payment card" (e.g., company credit card) without prior approval. I don't know where your experience may have occurred but purchasing and supplier management process actually helps most places get what they need rather than hindering it.


Isn’t a $9 expense always -$9 profit in any business?


Some businesses can hand the expense straight on to the customer.

Government 'cost plus' contracts are that for example. If you are contracted to build a bridge, the concernment will pay for all the hours your employees worked on it, and all the concrete and steel they bought for it, and some profit percentage.


Unless that $9 expense was facilitating a $400,000 sale. I’ve had a number of those $9 expenses over the years.


Sometimes the $9 expense lead to a +$100 value, but not for the private partner operator of the facility.


Are you saying Google didn’t follow such a process and that is the solution?


Not at all. I'm saying that those annoying processes are intended to provide enough information to match up legitimate purchase orders to goods/services receipt to invoices.

Whether AP uses that information is a related but distinct matter. The processes are a necessary, but not sufficient, condition.


When McNamara arrived at Ford, its accounting was in such a bad state that they weighed batches of invoices in order to have some kind of verification. It must have been scammer's paradise.

I just didn't expect such a thing to occur today.


While the numbers are impressive,this kind of stuff can be easily done to a lot of companies. If a company lacks proper PO system or things often get done in excel instead of CRM/ERP or similar software, it's pretty tricky to chase all the ends properly. I personally seen many examples where legitimate suppliers double invoice,enter random amounts or inflate them by quite a lot.And these suppose to be the people you are having business with.


I’m surprised he went with 100M+ amounts. At that large numbers, you have to be sure that you are gonna get caught.

Why not settle for smaller change and call t quits?


We don't know that the person being prosecuted is the ultimate recipient of the funds. He could very well be the fall guy.


Maybe nobody did before (other than obvious Nigerian prince scams), and so they slipped through unexpectedly.


This is an example of someone who devises a smart scheme but messes up in the most important stage: keeping the money and getting away with it. Should have just stopped at $10 million or so and moved it into bitcoin and then go on the low-down until statue of limitations passes or change identity or move to non extradition country. Tons of options. . .


It likely takes quite a bit of willpower to not touch the money for X amount of years. In the meantime, most people are rationalizing why they wouldn't get caught and how it could enhance their lifestyle today.


To buy an EU passport is easy and legal in a couple of countrys (cheap in Malta, expensive in Austria).


He's Lithuanian, he already has one.


Or they could've done something different with their lives other than be scum-sucking criminals.


> He's agreed to forfeit about $50m. It's not clear what's happened to the other $73m

I wonder if he was doing this on behalf of someone else? A few million is more than enough to live comfortably for the rest of your life in Lithuania. $122M seems like an addiction or an organized crime ring.


If anything he should have took his $50M and moved to Russia or some other country without an extradition treaty. His biggest mistake was staying in Lithuania.


Given how hard it can be to get a legitimate invoice paid, this is frustrating to hear.


Facebook and Google can't keep their money safe, why does anyone think they can keep anyone's data safe?


Different processes.

Why would you assume the security around user data and around invoices are at all similar?


Facebook was just caught with their pants down after logging passwords in plain text for years. Why would you assume they aren't?


It is true for anything that involves humans at any point.

Google, compared to everyone else, is probably best positioned to protect it.

Disclaimer: google employee, but opinion above is my own.


"Trust me, I'm a google employee, we're probably better than other companies!"

Well I'm convinced.


I don't think i have a duty to convince you. I just know how the sausage is made, and saw practices from other companies. You choose. The alternative is not between "you protect it vs google will protect it". The discussion is "someone that's not me will protect the data" - who should it be - and google gets a headstart there - we have less mess ups than other large companies. That's it.

I am not married to my employer. I do not get any compensation in doing so.


Framing the discussion that way is disingenuous, though. Most people don't realize the extent to which Google and Facebook track them and collect data, so they're not in a good position to say whether they trust them to protect the data or not. Google's essentially made the decision for them - they're "protecting" it because they've collected it.


I'd agree. But I include most hn posters in the "most people" category. Everyone on this site overestimates tracking.


> Everyone on this site overestimates tracking.

Do we, though? A lot of sites include third party Javascript, fonts, and CSS from Google servers, and it would be trivial for Google to use those requests for tracking purposes, and very useful for targeting ads.


This reminds me of a dude who robbed banks by simply slipping a note to the teller asking for money, with no threats. He got it many times.


If only he had put his social engineering skills and boldness towards something positive.


If he got $120M over 3 years, there aren't many jobs out there which would pay $40M a year. And if you can just send invoices and get paid, why even do any work, like ever?


Morals? Karma? Guilt? The desire to do something meaningful? The risk of getting caught?

He did get arrested after all.


Like becoming a CEO!


My company, which is small, gets these forged invoices from time to time.

Some of them are pretty good but we're smaller so we're able to see that we're not actually doing business with these companies.


I'm from Lithuania, he is a Lithuanian citizen. What is interesting, that his wife told, that he is not capable to do this, because he was a small businessman in the construction business. His wife told, that he doesn't know how to use a computer properly for things like banking etc... USA asked for the extradition of this person, and my country gave him up, but he never was in USA.

The only thing he said, is that he meet some guy in Russia, who wanted to do some business with him. It seems, that he was just a proxy. He never saw money...

It's a very interesting story to look into because its not so simple how it looks from this post.

https://translate.google.com/translate?sl=lt&tl=en&u=https%3...


Pure speculation here based on your comment:

What you describe is called "being a cutout", that is a person who is a proxy for the "real" person who committed the crime. If what you say is accurate, that there was a more sophisticated person who did the crime, there is motivation on his part to plead guilty and stop any further investigation with the assurance that the other party will take care of his family while he serves his time. (At least that is how it has worked in the US with organized crime from time to time). If you step back from the deed itself and look at the bigger picture, if they guy has never been charged before he probably gets a fairly light sentence (not Manafort light, but probably not 30 years), he comes out of it with his family taken care of, the real crook has $73M somewhere safe, and this guy probably doesn't have to work any more if he doesn't want to.


He plead guilty and returned $50M. He also didn't have to be a computer hacker, just able to set up company and bank accounts abroad.


It's "social engineering" part of information security and technically hacking. Smooth talking is often far more effective than "computer hacking".


> USA asked for the extradition of this person, and my country gave him up, but he never was in USA.

International law, in the form of the passive nationality principle, recognizes criminal jurisdiction in the country of which the victims are nationals regardless of whether the criminal has ever set foot there.


Sort of odd to choose the victims location rather than the criminals location...


I don't see what's odd about that. Suppose someone in New Jersey mailed a bomb to someone in NY, killing the victim when he opened the package. Jurisdiction over the murder would lie in NJ and NY. It wouldn't be any surprise if the prosecutors in NY (whether federal or local) were more gung ho about bring charges than those in NJ, after all it was one of their own that was killed.


I, for one, would blame "some guy in Russia" if the alternative was 30 years in prison...

...then plead guilty to all counts.


Well, I'm not saying he is not guilty, he is at some point, but this story is more than it says. It's possible he was only proxy. I see some comments say here, that with his talent he could do more, but he was only some none name construction businessman.

But basically, in US I see, that a lot of people pleads guilty then it is more to the story. We don't know how much he will get for this and what deal he has. We see story, then person pleads to guilty and has to pay hundred million to later see, that they had other deal for him to pay just a few hundred thousands.


If he was a proxy how did he return $50 million?


It's not clear how he returned. We don't know if the accounts of companies were frozen or where the money went, etc... Or did you believe he returned it in Cash? Or maybe transferred from bank accounts where no one knew? It's not how the financial system works.

Here in LT we had some few series about this man and some possible things how it went. This case wasn't public, but every news site had about 15-20 stories about it in two years time.


> We don't know

Returned assets means returning assets one controls under court supervision. He controlled $50 million that he could move under court supervision. Getting confused about whether it was wired is totally irrelevant.

Better sources than a criminal’s wife would be the unsealed indictement [1] and official release [2].

[1] https://www.justice.gov/usao-sdny/press-release/file/950556/...

[2] https://www.justice.gov/usao-sdny/pr/lithuanian-man-pleads-g...


You're missing the point of my question- if he was just a proxy he wouldn't be in control of the assets, so they'd have to go after the person he was proxying for to get the funds. The fact that he was able to return them shows that he was more than a proxy.


Or you know, he had $50M of his own that he "returned" (he was supposedly a businessman), while still being just a proxy to the other that actually stole the real stolen money.


I doubt he would have turned to fraud or become a proxy if he had $50M of his own.


Your theory is the US just snatched some multi-millionaire off the street and got them to confess to some crimes they didn't commit?

Here in the US if you have that much money you can get away with crimes you did commit.


A foreign multimillionaire. Those are worth less, especially if their state owes the US some favors (or doesn't like him in the first place).

That said, sure, having $50M to return points to him being complicit -if not the mastermind- on this. Especially since I don't think we're explicitly told he was multimillionaire to begin with, just a businessman, which can even mean a guy that sells lemonade at a street corner (as long as he owns the stand).

But, and this is what I wanted to point out, returning $50M, doesn't make it entirely implausible.

This boils down to the question: can a multimillionaire ever be successfully framed for something?

I say, why not?


I'd say there's a good chance he was a proxy who had full control of many/all the bank accounts involved, but also had little knowledge that they existed or were set up in his name.


Hmm, that's another possibility, yes! Him having control (as the accounts were made in his name) but no prior knowledge of them or what they'd be used for.

(Though this begs the question how come the real con hadn't gotten the money by then, perhaps they did it piecemeal e.g. to not draw attention, which might explain why only $50M were left).


If he wasn’t a proxy, where did he spend the other 70 million?


Would you, for one, please guilty to all counts and get 10 years if you were innocent, if the alternative was to e.g. risk being found guilty and get a prosecutorial suggested 30 years?


Totally the wrong person to ask since I think it's appalling how prosecutors use that tactic to get innocent people in prison, if you don't take their deal they "throw the book at you" so your average (innocent) person has no chance unless they have a shitton of money to throw at their defense.

Certainly wouldn't turn over $50 million if I were innocent.


Yes, but do we know the facts of the situation?


> do we know the facts of the situation?

We know he plead guilty and was in a position to return $50 million of stolen money. The top comment takes, on one hand, a mountain of criminal evidence, and weighs it against, on the other hand, things his wife said.


i think it's due to frustration. lol


Folk hero, TBH


fraud is bad and illegal.

stealing is bad and illegal.

But if you're going to do it, do it this way! A++


Just another reason why corporations should be broken up. The idea that they can so easily transfer that kind of money in a small number of transactions is dangerous.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: