KEEPNET LABS > Blog > The US DoD Tricked to Pay $23.5 Million After Phishing Scam

The US DoD Tricked to Pay $23.5 Million After Phishing Scam

A spear-phishing attack caused the US Department of Defense to pay $23.5 million to cyber criminals after the attackers stole the login credentials of a vendor.

A phishing scam that damaged the U.S. Department of Defense (DoD) nearly $23.5 million has once again shown that phishing attacks are effective weapons in the hands of cyber criminals to trick even the most secure organizations.

Sercan Oyuntur launched the attack against DoD in 2018 along with several other co-conspirators, according to the Department of Justice (DoJ). Oyuntur and his conspirators registered the domain “”, which is very similar to the legitimate “, and used it to send phishing emails to DoD vendors in order to steal their login credentials. The phishing messages contained links to a cloned “” website, where the victimized vendors entered their account details, unknowingly exposing them to Oyuntur.

Cloned Websites and Stolen Credentials 

One of these vendors was a corporation that had a contract with the DoD to supply jet fuel to troops operating in southeast Asia. According to the DoJ, from June to September 2018, the conspirators caused phishing emails to be sent to various DoD vendors, including the individual from New Jersey who represented the corporation, to trick these vendors into visiting the phishing pages. Emails seemed to be a part of  legitimate communications from the United States government, however they were not. They were sent by the conspirators, and contained links that automatically took individuals to the phishing pages. In the mails, the users saw a web site that was almost the same as the General Services Administration (GSA) website, an agency established to help manage and support various functionalities of federal agencies. Since the users trust the website they did not see any trouble to enter their confidential login credentials which were then used by the conspirators to make changes in the government systems in order for money to be diverted to an attacker-owned bank account.

Target selection

The selection of the target is another aspect that makes the attack more sophisticated. The attackers did not send the malicious emails randomly but chose the victimized users on purpose. One of the victims is an individual in New Jersey who worked in a corporation that had a contract with the DoD to supply jet fuel to troops operating in southeast Asia. The employee is significant for the attackers because he/she was responsible for communicating with the federal government on behalf of the corporation through a government computer system. The malicious emails were delivered to users of SAM (System for Award Management), which is a vendor database where companies that want to conduct business with the Federal Government register themselves. When the criminals were able to steal the login credentials of a SAM user, they changed the registered banking information, replacing the foreign account with one that they controlled. In the end, the cyber gang was able to convince DoD to pay $23,453,350 for the provision of so-called 10,080,000 gallons of jet fuel to their accounts.

Phishing Attacks Still A Critical Threat

Phishing attacks continue to be the most used type of cyberattack and the trend shows that they get more sophisticated.The FBI Internet Crime Complaint Center, declared the number of phishing attacks reached 323,972, up from 241,342 in 2020. With the increase of remote and hybrid workforces, cyber security researchers warn that the organizations have more difficulties in defending their digital assets against phishing attacks.

Our Newsletter

Sign up to learn about the latest threats, hacking methods, and news.