On an ordinary spring morning in 2015, a Facebook accounts-payable clerk keyed in a seven-figure wire to what looked like a trusted hardware supplier. No alarms rang, no red flags popped. The money left California, landed in Latvia and vanished.
It was one of dozens of payments that ultimately siphoned $122 million from the coffers of Facebook and Google over a three-year stretch, all orchestrated by a single Lithuanian man armed only with forged stationery and nerve.
The perfect cover
A shell company built to fool
In 2013, Evaldas Rimasauskas registered Quanta Computer LLC in Latvia, a name chosen to mimic the legitimate Taiwanese manufacturer Quanta Computer Inc., a long-time parts vendor to both tech giants.
He opened bank accounts in Latvia and Cyprus, complete with matching corporate stamps, mocked-up purchase orders and email domains that differed from the real supplier’s by a character or two.
Spoofed mail, no hacking required
The scheme fell squarely into the FBI’s “business-email compromise” (BEC) playbook: exploit trust, forge documents, request payment.
Unlike headline-grabbing zero-day attacks, BECs rely on soft targets – busy people and routine processes. Rimasauskas’s emails referenced genuine purchase-order numbers and project names scraped from earlier leaks or guesswork, adding authenticity that even seasoned auditors missed.
Money on autopilot
Between 2013 and 2015, Facebook wired roughly $99 million, while Google sent about $23 million to accounts Rimasauskas controlled.
Each transfer was accompanied by impeccable-looking documentation – and each sailed through multilayer approval chains unchecked. Both companies later told reporters they recovered “most” of the funds, but neither denied the initial losses.
How did this pass compliance?
Internal investigators would later point to automated vendor-management tools that suggested the shell firm was already vetted. Human approvers saw a known name, saw familiar logos, and clicked “approve.” As one cybersecurity analyst quipped, “A billion-dollar empire dropped by a PDF.”
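The check the approval chain skipped, sketched as an added example that is not part of the original reporting or either company's tooling: compare each payment request with the vendor master and hold it when the sender domain is a near miss of an approved supplier's or the bank details differ from those on file. The schema, domains and account numbers are constructed; the two-edit threshold mirrors the "character or two" described above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vendor:                 # one row of the approved-vendor master (hypothetical schema)
    name: str
    domain: str
    account: str
    bank_country: str

@dataclass(frozen=True)
class Invoice:                # fields extracted from an incoming payment request
    sender: str
    account: str
    bank_country: str

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def screen_invoice(inv: Invoice, vendors: list, max_dist: int = 2) -> list:
    """Return reasons to hold the payment for out-of-band verification."""
    domain = inv.sender.rsplit("@", 1)[-1].strip().lower()
    # Closest approved vendor by domain; an empty master matches nothing.
    dist, vendor = min(((edit_distance(domain, v.domain), v) for v in vendors),
                       key=lambda t: t[0], default=(max_dist + 1, None))
    if dist > max_dist:
        return ["unknown-sender-domain"]
    findings = []
    if dist > 0:              # close to, but not exactly, a trusted domain
        findings.append(f"lookalike-domain:{domain}~{vendor.domain}")
    if inv.account != vendor.account:
        findings.append("bank-account-not-on-file")
    if inv.bank_country != vendor.bank_country:
        findings.append(f"bank-country-changed:{vendor.bank_country}->{inv.bank_country}")
    return findings

# Constructed sample data, not taken from the case files.
VENDORS = [Vendor("Example Hardware Inc.", "examplehardware.example", "ACCT-TW-0001", "TW")]
GENUINE = Invoice("ap@examplehardware.example", "ACCT-TW-0001", "TW")
SPOOFED = Invoice("ap@examp1ehardware.example", "ACCT-LV-9999", "LV")

if __name__ == "__main__":
    for inv in (GENUINE, SPOOFED):
        print(inv.sender, "->", screen_invoice(inv, VENDORS) or "pass")
```

A request from the exact domain on file with new bank details is still held, which covers the case where the genuine supplier's mailbox, rather than a lookalike, is the source.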
The unraveling, 2015-2017
Google’s treasury team first spotted anomalies in late 2015 during a supplier-ledger reconciliation, triggering a quiet probe that soon reached the FBI’s New York field office.
By March 2017, Lithuanian police arrested Rimasauskas in Vilnius on a U.S. warrant; he was extradited to Manhattan that August.
Facing wire-fraud and money-laundering charges, the 50-year-old pleaded guilty in U.S. District Court, admitting he’d simply exploited gaps in basic verification. When asked by the court how he outfoxed two of the planet’s smartest companies, Rimasauskas reportedly shrugged: “I just sent them invoices.”
“I had no hacking skills – only paperwork”
Sentencing & restitution
Judge George Daniels handed down a five-year federal sentence in December 2019, ordered forfeiture of $49.7 million and full restitution to both firms.
In a statement, Google said it had “swiftly detected the fraud and recovered the funds,” while Facebook confirmed “the bulk of the money” was returned.
In an era of quantum-resistant encryption and AI anomaly detection, sometimes the softest target in cybersecurity is the human who clicks “approve.”