Californian Phished $23.5m from DoD

A Californian man who used a phishing scam to steal millions of dollars from the United States Department of Defense (DoD) could spend the rest of his life behind bars.

Sercan Oyuntur, of Northridge, was found guilty of six counts related to the 2018 theft of more than $23m of DoD money that was supposed to go to one of the Department’s jet fuel suppliers. The 40-year-old was convicted on Thursday following an eight-day trial before US district judge Joseph Rodriguez in Camden federal court.

The court heard that Oyuntur and criminal conspirators in Germany, Turkey and New Jersey created fake email accounts and fake webpages that spoofed the General Services Administration’s (GSA) public-facing website.

From June to September 2018, the criminals sent a phishing email to a slew of DoD vendors, including a corporation that had a contract with the DoD to supply Aviation JA1 Turbine fuel to troops operating in southeast Asia. An employee of that corporation, believing the email to be a genuine communication from the US government, followed a link contained within it.

The duped employee was directed to a malicious phishing page where they were prompted to enter confidential login credentials. These details were then stolen by the conspirators, who used them to make changes in government systems that ultimately diverted a DoD payment of $23.5m away from the targeted corporation and into the bank account of a shell company created and controlled by the conspirators. 

Oyuntur was convicted of one count of conspiracy to commit wire, mail and bank fraud; two counts of bank fraud; one count of using an unauthorized access device to commit fraud; one count of aggravated identity theft; and one count of making false statements to federal law enforcement officers.

The conspiracy and bank fraud counts each carry a maximum penalty of 30 years in prison, and the count of using an unauthorized access device to commit fraud carries a maximum penalty of 10 years in prison. For the offenses of making a false statement and aggravated identity theft, Oyuntur could be sentenced to five years and two years, respectively.

What’s Hot on Infosecurity Magazine?