How a techie guy scammed the US Department of Defense and stole $23 million using a simple phishing email

The U.S. Department of Justice (DOJ) announced that Sercan Oyuntur, a 40-year-old Californian citizen, was convicted of six counts related to a $23 million usd fraud related to a Department of Defense (DOD) fund intended for the purchase of fuel.

The defendant learned of his conviction on April 28, when he was found guilty of charges such as conspiracy to commit wire and bank fraud, access to electronic devices to commit fraud, identity theft and false statements to federal agents.

To complete the fraud, Oyuntur and his accomplices deployed a complex phishing campaign against an employee of the fuel supply company, who was responsible for communication between the company and the DOD through a government computer system of the General Services Administration (GSA).

The cybercriminals created several fraudulent email accounts with which they pretended to be employees of the fuel company, in addition to designing websites similar to those of the company. Between June and September 2018, Oyuntur and his accomplices sent multiple emails to the affected employee, successfully redirecting him to phishing websites.

On these websites, threat actors managed to trick the employee into obtaining their login credentials, subsequently employed to break into GSA systems and divert DOD money to their bank accounts.

A key element in the fraudulent operation was an automotive dealership and the creation of a fictitious company run by Hurriyet Arslan, Oyuntur’s accomplice. On October 10, 2018, the DOD transferred $23.5 million USD to the shell company’s bank account; subsequently, a third conspirator sent Arslan an altered government contract awarding the transfer of the money to Arslan’s concessionaire.

The charges of conspiracy and bank fraud for which Oyuntur was convicted could lead to more than 60 years in prison, while charges of unauthorized access to electronic systems are punishable by up to 10 years in prison. For his part, Arslan pleaded guilty in January 2020 to conspiracy, bank fraud and money laundering. His sentence will be known in mid-2022.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.