When the Justice Department announced the arrest last month of a man who allegedly swindled more than $100 million from two U.S. tech giants, the news came wrapped in a mystery. The agency didn’t say who was robbed, and nor did it identify the Asian supplier the crook impersonated to pull off the scheme.
The mystery is now unraveled. A Fortune investigation, which involved interviews with sources close to law enforcement and other figures, has unearthed the identities of the three unnamed companies plus other details of the case.
The criminal case shows how scams involving email phishing and fake suppliers can victimize even the most sophisticated, tech-savvy corporations. But the crime also raises questions about why the companies have so far kept silent and whether—as a former head of the Securities and Exchange Commission observes—it triggers an obligation to tell investors about what happened.
The Heist
In 2013, a 40-something Lithuanian named Evaldas Rimasauskas allegedly hatched an elaborate scheme to defraud U.S. tech companies. According to the Justice Department, he forged email addresses, invoices, and corporate stamps in order to impersonate a large Asian-based manufacturer with whom the tech firms regularly did business. The point was to trick companies into paying for computer supplies.
The scheme worked. Over a two-year span, the corporate imposter convinced accounting departments at the two tech companies to make transfers worth tens of millions of dollars. By the time the firms figured out what was going on, Rimasauskas had coaxed out over $100 million in payments, which he promptly stashed in bank accounts across Eastern Europe.
These allegations first appeared in a sealed indictment filed by federal prosecutors in New York last December. In a press release announcing the arrest of Rimasauskas three months letter, the feds hailed cooperation among international law enforcement, and said they had recovered much of the money.
Rimasauskas, however, denies the allegations. Currently facing extradition proceedings in Lithuania, he and his lawyer denounced the charges and the U.S.-led investigation.
“Mr. Rimasauskas cannot expect a fair and impartial trial in the USA. The uncertainty is further increased taking into account the behavior of FBI agents during the interrogations of Mr. Rimašaukas, frightening him with long years in US prisons, and the transfer of computers to US law enforcement officials, which was made without the presence of the owner,” said the lawyer, Linas Kuprusevičius, in an email to Fortune.
Kuprusevičius, who works for the law firm Cobalt, added that the decision of the U.S. Justice Department and Lithuania authorities not to name the companies infringed on Rimašauskas’s rights to due process and a fair trial.
A spokesperson for the U.S. Attorney’s office in Manhattan confirmed Rimasauskas is in custody in Lithuania, but did not offer more details about the crime, or why the office chose not to identify the firms. Law enforcement sources say the Justice Department is likely to identify the tech firms once the extradition process—which is expected to take months—is over, and Rimasauskas faces a bail hearing in a U.S. court.
But while the authorities have remained tight-lipped about the identity of the victims, they also dropped some big clues.
Company 1 and Company 2
Quanta Computer, which was founded in Taiwan in 1988, is a major supplier of parts to U.S. tech companies. Its contracts have included parts for Apple watches (AAPL) and for Amazon’s Kindle e-reader (AMZN).
In the Justice Department’s indictment, Quanta simply appears as “Company-1..an Asian-based manufacturer of computer hardware… established in or about the late 1980s.”
In late March, Quanta publicly acknowledged it was the innocent supplier named in the indictment, but did not offer any further details such as the identity of the companies that had been swindled by the imposter (named as Company-2) by means of invoices sent in Quanta’s name.
The Justice Department, though, dropped hints by referring to one victimized firm as a “multinational technology company, specializing in Internet-related services and products” and the other as “a multinational corporation providing online social media and networking services.”
In background conversations, multiple sources identified the second company—the provider of social media services—as Facebook.
According to a person familiar with the investigation, the social media giant approached the U.S. Attorney’s Office in Manhattan (which is known for its prowess in prosecuting financial crime) and asked for help recover the money it had paid for the false invoices.
The person, who was not authorized to speak for attribution, said the office regularly hears from companies that are victims of similar phishing swindles involving fake suppliers, but the Facebook case stood out for its scale.
“We internally thought this was huge. There’s a plague of these kind of companies [that operate business phishing scams],” said the source, adding in many cases the FBI has been adept in working with the Treasury Department and regulators to claw back stolen money.
In response to an email from Fortune, Facebook confirmed it was one of the victims of the fraud.
“Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation,” said a company spokesperson.
In the course of the investigation that led to the arrest of Rimasauskas, another source explained the Justice Department also learned of another prominent tech company that had been victimized—Google. The search giant (“a multinational technology company, specializing in Internet-related services and products” in the words of the indictment) became a target because, like Facebook, it buys enormous amount of computer servers from Quanta.
Google this week confirmed it had been targeted.
“We detected this fraud against our vendor management team and promptly alerted the authorities. We recouped the funds and we’re pleased this matter is resolved,” said a Google spokesperson.
A Material Event?
When a publicly traded company experiences a significant event, federal securities law requires it to disclose this to investors. Such an incident (a “material event” in legal lingo) might include the departure of an executive or a problem with an important product—or a fraud worth tens of millions of dollars.
According to Mary Jo White, a former head of the SEC who is now a partner at Debevoise & Plimpton, the disclosure requirements can vary depending on the nature of the incident. In some cases, a company must file a public form known as an 8-K with the SEC within four days of learning about it. Other times, White said, disclosure may take the form of a press release or a note in the company’s quarterly filings. Some incidents, of course, are not important enough to merit a disclosure at all.
A review of public records from Facebook (FB) and Google (GOOGL) indicate neither company has disclosed the wire fraud incident at all.
This omission does not necessarily violate SEC guidelines. While a $100 million theft would represent an enormous blow for most companies, such a loss would barely ding the balance sheets of giants like Facebook and Google—especially if the Justice Department recovered some of the money.
But the “material event” in this case may amount to more than the company losing some money, according to White, who was aware of the indictment when she spoke to Fortune, but not the identity of the companies involved.
“I think companies need to be looking more broadly than that – not just at operational direct loss,” said White. “There’s the possibility of reputational damage. What does this say about internal controls over assets?”
Facebook and Google declined to comment, but people close the companies suggested they had decided the Rimasauskas fraud was not material enough to require disclosure of it.
The wire fraud episode comes at a time when companies of all sorts are facing waves of attacks from cyber-criminals. Despite the prevalence of these attacks, many executives are reluctant to discuss them—in part due a perceived stigma and because they don’t want to encourage other criminals.
“I understand the dynamic. You don’t want to provide a road map to future hackers into your system,” White said. “But that doesn’t excuse not disclosing an event if it’s material.”
Correction, April 27, 2017: An earlier version of this article misstated the name of Mr. Kuprusevičius’s law firm.
