Phishing scam convinces US government to pay $23.5 million to cyber criminals


The US Department of Defense (DoD) has confirmed it was the victim of a $23.5 million phishing scam in 2018, and that the criminal has finally been punished.

Forty-year-old California resident Sercan Oyuntur was tried on 28 April and found guilty of committing multiple counts of fraud against the US government, as well as aggravated identity theft and making false statements to federal officers.


During a three-month window between June and September 2018, Oyuntur and his associates in Germany, Turkey, and New Jersey helped to send phishing emails to DoD contractors purporting to be communications from the government.

The emails contained links to spoofed web pages the group had created to mimic the real web page of the General Services Administration (GSA).

The emails and spoofed website encouraged the vendors to input their login credentials, which could then be used to access their account details, including the financial information required for the DoD to pay for goods and services.

The scam succeeded against a supplier of jet fuel: Oyuntur used the stolen login credentials to change the vendor’s payment details to his own, which eventually led the DoD to pay Oyuntur $23.5 million for jet fuel he did not supply.




Oyuntur opened a bank account registered to a shell company and used it in the scam. The shell company was created with assistance from an associate, Hurriyet Arslan, who owned a used car dealership in New Jersey.

Arslan was responsible for opening the shell company, registering its phone number, finding an individual to pose as the company's owner, and opening the bank account itself.

The criminals had difficulty accessing all the funds after the DoD completed the payment and sought help from an associate in Turkey to forge a government contract, which they could show the bank, in a bid to convince it to release the full sum.

The combined maximum prison sentences for Oyuntur’s charges amount to 107 years, and the fines relating to the fraud charges amount to $3 million or twice the gross profits or loss relating to the offence, whichever is greater, the DoD said.

The remaining charges also bring a potential $250,000 fine or twice the gain or loss from the offence, whichever is greater.

Oyuntur’s sentencing will be determined later, while Arslan will be sentenced in June.

Connor Jones
News and Analysis Editor
