The Department of Justice has announced the conviction of 40-year-old Sercan Oyuntur, who successfully phished a government vendor and was able to steal $23,453,350.
Oyuntur had registered "dia-mil.com", which closely resembles "dla.mil", the Defense Logistics Agency's domain name. He then sent spoofed e-mails to users of the System for Award Management database, where contractors and the government frequently interact.
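A mail filter can flag this kind of lookalike sender domain before a user ever sees the message. The sketch below is an added example, not code from the Department of Justice or BleepingComputer; the confusable-character map, the distance threshold, the function names and all sample domains other than "dia-mil.com" and "dla.mil" are assumptions.

```python
import re

# Assumed, deliberately small map of characters that read alike in many fonts.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "0": "o"})

def skeleton(name):
    """Lowercase, drop dots/hyphens, fold look-alike characters."""
    return re.sub(r"[^a-z0-9]", "", name.lower()).translate(CONFUSABLE)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(sender_domain, trusted):
    """Return ("trusted" | "lookalike" | "unknown", matched trusted domain or None)."""
    d = sender_domain.lower().rstrip(".")
    for t in trusted:
        if d == t or d.endswith("." + t):
            return ("trusted", t)
    labels = d.split(".")
    # Compare the full name and the name minus its last label, so a trusted
    # TLD moved into the label ("dia-mil" + ".com") is still caught.
    forms = {skeleton(d), skeleton(".".join(labels[:-1]))}
    forms.discard("")
    for t in trusted:
        for form in forms:
            # Distance <= 1 is an assumed threshold; tune it against your allow-list.
            if edit_distance(form, skeleton(t)) <= 1:
                return ("lookalike", t)
    return ("unknown", None)

TRUSTED = ["dla.mil"]
# Constructed sample sender domains; only dia-mil.com comes from the article.
SAMPLES = ["dla.mil", "mail.dla.mil", "dia-mil.com", "d1a.mil", "example.org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, classify(s, TRUSTED))
```

A "lookalike" result is a reason to quarantine or banner the message, not proof of fraud: short legitimate domains that differ by one character from a trusted one will also match.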
A user from a Southeast Asian corporation accidentally clicked the "login" button on one of the spoofed e-mails and entered her information into what she thought was the System for Award Management database. However, this information was sent right to Oyuntur, who in turn was able to log in and see that the unnamed corporation had "11 active contracts of fuel provision for the United States Military at the time," according to BleepingComputer.
Having access to the corporation's login, Oyuntur then was able to change the recipient banking information for one of the contracts -- the one for $23,453,350.
With others, Oyuntur funneled the money into a shell account, registered in New Jersey, and hired someone to act as the company's owner. They then fabricated invoices to cover the influx of capital.
Unfortunately for the criminals, the System for Award Management has safeguards in place that continually check for errors or changes in the system. Because the shell company wasn't registered as a government contractor, an investigation began.
Oyuntur pleaded guilty in January 2020 and is now awaiting sentencing. He faces a maximum potential penalty of 30 years and a maximum fine of $1,000,000.