A California man was convicted last week for his role in a multi-million dollar phishing scheme targeting the US Department of Defense (DoD).
The man, Sercan Oyuntur, 40, of Northridge, California, was convicted on six counts, including conspiracy to commit wire, mail and bank fraud, the use of an unauthorized access device to commit fraud, and aggravated identity theft.
Documents presented in court show that, from June to September 2018, Oyuntur and conspirators abroad targeted various DoD vendors to trick them into accessing phishing pages.
The emails masqueraded as legitimate communications from the US government and directed the targeted individuals to webpages resembling the official website of the General Services Administration (GSA), where they were prompted to supply their login credentials.
The perpetrators were looking to harvest these credentials and then use them to “make changes in the government systems and ultimately divert money to the conspirators,” the US Department of Justice (DoJ) says.
One of Oyuntur’s targets was a corporation that DoD had contracted to supply jet fuel to troops in southeast Asia, and which employed an individual in New Jersey to handle communication with the government.
[ READ: Third Member of FIN7 Cybercrime Gang Sentenced to US Prison ]
Oyuntur worked with Hurriyet Arslan, the owner of a used car dealership in Florence, New Jersey, who opened a shell company for use in the scheme, and also opened a bank account for the shell company.
In October 2018, Oyuntur convinced the DoD to transfer $23.5 million into Arslan’s Deal Automotive bank account. Arslan was able to access only some of the money, but one of the miscreants altered a government contract to falsely indicate that the DoD was working with Deal Automotive.
The court documents state that Oyuntur told Arslan to take the fake contract and use it at the bank to explain the provenance of the money, to convince the bank to release the remaining funds.
Oyuntur, who will be sentenced at a later date, faces up to 30 years in prison for the conspiracy and bank fraud counts he was convicted of, up to 10 years imprisonment for the use of an unauthorized access device to commit fraud, and a statutory mandatory consecutive term of two years in prison for aggravated identity theft. He may also have to pay more than $1 million in fines.
Arslan, who pleaded guilty in January 2020, is scheduled for sentencing on June 21, 2022.
Related: Estonian Ransomware Operator Sentenced to Prison in US
Related: Two Bulletproof Hosting Administrators Sentenced to Prison in U.S.
Related: ‘Money Mule’ Operator Gets Seven-Year Prison Sentence

More from Ionut Arghire
- Nigerian BEC Scammer Sentenced to Prison in US
- China’s Nuclear Energy Sector Targeted in Cyberespionage Campaign
- 14 Million Records Stolen in Data Breach at Latitude Financial Services
- iOS Security Update Patches Exploited Vulnerability in Older iPhones
- Hackers Earn Over $1 Million at Pwn2Own Exploit Contest
- GoAnywhere Zero-Day Attack Hits Major Orgs
- Australia Dismantles BEC Group That Laundered $1.7 Million
- GitHub Rotates Publicly Exposed RSA SSH Private Key
Latest News
- Mandiant Catches Another North Korean Gov Hacker Group
- Microsoft Puts ChatGPT to Work on Automating Cybersecurity
- Video: How to Build Resilience Against Emerging Cyber Threats
- Nigerian BEC Scammer Sentenced to Prison in US
- China’s Nuclear Energy Sector Targeted in Cyberespionage Campaign
- SecurityScorecard Guarantees Accuracy of Its Security Ratings
- ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation
- 14 Million Records Stolen in Data Breach at Latitude Financial Services
