Cybersecurity, Emerging Issues in Security

Calif. Man Convicted for $23M Phishing Scam Against U.S. Department of Defense

Cybercrime can impact anyone, anywhere, and that includes even the U.S. government.

A California man was convicted on six counts related to the theft of over $23 million from the U.S. Department of Defense (DoD), money destined for one of its jet fuel suppliers, according to U.S. Attorney for the District of New Jersey Philip R. Sellinger.

Sercan Oyuntur, 40, of Northridge, Calif., was convicted on April 28, 2022, of one count of conspiracy to commit wire, mail, and bank fraud; two counts of bank fraud; one count of using an unauthorized access device to commit fraud; one count of aggravated identity theft; and one count of making false statements to federal law enforcement officers, following an eight-day trial before U.S. District Judge Joseph H. Rodriguez in Camden, N.J., federal court.

According to documents filed in this case and the evidence presented at trial:

A corporation that had a contract with the DoD to supply jet fuel to troops operating in southeast Asia employed an individual in New Jersey, who was responsible for communicating with the federal government on behalf of the corporation through a government computer system. Through a complex phishing scheme, Oyuntur and criminal conspirators in Germany, Turkey, and New Jersey targeted the corporation and the individual so that the conspirators could steal money that DoD intended to pay to the corporation for providing jet fuel.

READ: Back to Basics: Understanding Phishing

Oyuntur’s conspirators created fake email accounts in other people’s names and designed fake webpages that resembled the General Services Administration’s (GSA) public-facing website. From June to September 2018, the conspirators caused phishing emails to be sent to various DoD vendors, including the individual from New Jersey who represented the corporation, to trick these vendors into visiting the phishing pages. These emails appeared to be legitimate communications from the U.S. government, but were actually sent by the conspirators, and contained electronic links that automatically took individuals to the phishing pages. There, they saw what appeared to be a GSA website and were prompted to enter their confidential log-in credentials, which were then used by the conspirators to make changes in the government systems and ultimately divert money to the conspirators.

As part of his participation in the scheme, Oyuntur worked closely with another conspirator, Hurriyet Arslan, who owned a used car dealership, Deal Automotive Sales, in Florence, N.J. Arslan opened a separate shell company based in New Jersey for use in the criminal scheme, obtained a cell phone number for the shell company, hired another person to pose as the shell company’s owner, and opened a bank account in the name of the shell company. 

On Oct. 10, 2018, based on the fraudulent activities of Oyuntur and his conspirators, DoD transferred $23.5 million that had been earned by the victim corporation into Arslan’s Deal Automotive bank account. Arslan went to the bank and was able to access some of this money, but the bank would not release all of the funds to Arslan. That same day, a conspirator in Turkey sent Arslan an email with an altered government contract that falsely indicated Deal Automotive had been awarded a DoD contract valued at approximately $23 million. Oyuntur instructed Arslan to take this fake contract into the bank to explain why he had received the money, so that Arslan could convince the bank to release the remaining funds.

The conspiracy and bank fraud counts of which Oyuntur was convicted each carry a maximum potential penalty of 30 years in prison. The count of using an unauthorized access device to commit fraud carries a maximum potential penalty of 10 years in prison. The false statement count carries a maximum potential penalty of five years in prison. The aggravated identity theft count carries a statutory mandatory consecutive term of two years in prison. The conspiracy and bank fraud counts each carry a maximum fine of equal to the greatest of $1 million or twice the gross profits or loss resulting from the offense, whichever is greatest; the remaining counts carry a $250,000 fine, or twice the gain or loss from the offense, whichever is greatest. Oyuntur will be sentenced on a date to be determined.

Arslan pleaded guilty in January 2020 to conspiracy, bank fraud, and money laundering and is scheduled to be sentenced on June 21, 2022.