A phishing operator from California scammed the US DoD with $23.5M

Phishing Operator California Online Scam US DoD Fraud Prevention DNS Intelligence

A California resident phishing operator named Sercan Oyuntur has been indicted by the US Department of Justice (DoJ) for its malicious campaigns causing the US Department of Defense (DoD) to lose over $23.5 million in damages.

The money swindled from the US DoD was meant for funding a jet fuel supplier. However, the phishing operator diverted the money for deposit into his bank account. The suspect was detained until proven guilty of committing bank fraud, illegal access to a device, identity theft, and lying to the authorities through false statements.

The suspect’s fraudulent activity transpired in September 2018 after he and other conspirators created a domain similar to a legitimate government website to send phishing emails to their targets. The targets in the campaign include the users of System for Award Management (SAM) – a vendor database for companies that engage in business with federal authorities.


The phishing emails attached links to a spoofed government website where victims are instructed to enter their account credentials, of which the operator will then collect the data.


The suspect logged in to one of the stolen accounts owned by a Southeast Asian company with 11 active contracts as a fuel supplier for the US DoD. One of the contracts has the $23.5 million pending payment for provisioning 10.8 million gallons of jet fuel for the military agency.

Since the suspect was logged into the SAM database using the corporation’s account, he altered their banking information into one he owned. The military agency’s security servers had a feature that could scan the SAM database daily. The scanning feature includes detecting changes in bank account data and blocked payments of outstanding invoice receipts encountering specific risk criteria.

Upon noticing the security feature as they performed the unauthorised intrusion, the threat operators contacted the Defense Logistics Agency or DLA to submit false statements and request a manual approval of the bank account changes.

The $23.5 million payment went through the suspect’s bank account. Since the amount is a hefty sum and would trigger suspicions, the group used fake invoices that represented a legitimate source of the money.

Little did the malicious operators know that the fake invoices they used were not registered on the SAM database, thus showing a mismatch in its automated checking system, resulting in an urgent investigation that uncovered all the cyberattack stages that the operators executed.

The prime suspect was charged with 30 years imprisonment and a maximum fine of $1 million. His other conspirators also faced punishments, respectively.

About the author

Leave a Reply