Cybercrime Examples
Real-World Case Studies in Cyber-Criminality
High-Profile Examples of Cybercrime Tactics That Criminals Can Use to Target You (Yes, You!)
For the most part, cyber attacks are not random.
It’s possible that names are being haphazardly pulled out of the sorting hat, but it’s more likely that the criminals have done their research. They’re looking for companies that are the easiest to hack into… and that also have something worth stealing.
With so many different types of cybercrime out there, trying to list them all would be overwhelming. So we chose a few cybercrime examples to show you how they might work.
Cybercrime
“Cybercrime” sounds futuristic and high-tech, but hackers have no end of tricks, techniques, and even resources to do a lot of damage in a short time. In this post, we look at cybercrime from your perspective: what it is, what it costs, how it works… and how to protect your business now and down the road.
Facebook & Google $100 Million Phishing Scam
Lithuanian man Evaldas Rimasauskas orchestrated an elaborate business email compromise scheme that defrauded Facebook and Google of more than $100 million between 2013 and 2015.
The scammer set up a fake company posing as Taiwan-based Quanta Computer, which conducted legitimate business with both tech giants. He also sent convincing phishing emails with forged invoices to employees who regularly handled multimillion-dollar transactions. The fraud was exposed when the companies detected suspicious activity and alerted authorities, leading to Rimasauskas's arrest in Lithuania in March 2017 and extradition to the US a month later.
The man pleaded guilty to wire fraud and agreed to forfeit roughly $49.7 million. He faced up to 30 years in prison at his July 2019 sentencing, while both Facebook and Google recovered the bulk of their losses.
2020 Twitter Account Hijacking
On July 15, 2020, hackers compromised 130 high-profile Twitter accounts, including those of Barack Obama, Joe Biden, Elon Musk, Bill Gates, and major companies like Apple and Uber, to promote a bitcoin scam.
The attackers used social engineering to gain access to Twitter's internal administrative tools through employees working remotely during COVID-19. They also scraped LinkedIn for employee information and created fake VPN portals to capture credentials and two-factor authentication codes. The scheme was exposed within hours as Twitter detected the coordinated attack and temporarily disabled verified accounts' ability to tweet. The scam netted over $118,000 in bitcoin from more than 320 transactions before being shut down.
Three individuals were arrested on July 31, 2020, including 17-year-old Graham Ivan Clark, who was sentenced to three years in prison. British citizen Joseph James O'Connor received five years in federal prison and forfeited $794,000 to victims.
Green Bay Packers Online Store Hack
The Green Bay Packers’ official Pro Shop online store was breached in October 2024 when hackers injected malicious card skimmer code into the checkout page. This compromised the credit card data and personal information of over 8,500 customers who made purchases between late September and early October.
The breach was discovered on October 23, 2024, and security firm Sansec revealed that the attack used YouTube's oEmbed feature and a JSONP callback to bypass the site's Content Security Policy. The malicious script harvested data from input fields and exfiltrated it to external servers.
The team immediately disabled all checkout and payment capabilities upon discovery and hired cybersecurity experts to investigate. They also offered affected customers three years of free credit monitoring and identity theft restoration services through Experian. No arrests or prosecutions have been publicly reported in connection with this ongoing case.
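Site owners can check their own headers for the kind of Content Security Policy weakness Sansec described. The following is an added example, not code from the original article or from Sansec: it parses a CSP header and flags `script-src` entries that allowlist a whole host able to return callback (JSONP) script. The function names, the `JSONP_HOSTS` list and the sample policy are assumptions constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy header for host allowlisting.
// Assumption: JSONP_HOSTS is a hand-maintained list. www.youtube.com is the
// host named in the case above; extend it with hosts you know serve callbacks.
const JSONP_HOSTS = ["www.youtube.com"];

// Split a CSP header into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True if a host-source such as https://*.youtube.com covers `host`.
// Paths in the source are ignored, which keeps the check conservative.
function hostSourceCovers(source, host) {
  if (source.startsWith("'")) return false; // keywords, nonces, hashes
  const m = /^(?:[a-z][a-z0-9+.-]*:\/\/)?([^\/:]+)(?::[\d*]+)?(?:\/.*)?$/.exec(source);
  if (!m) return false;
  if (m[1].startsWith("*.")) return host.endsWith(m[1].slice(1));
  return m[1] === host;
}

function auditScriptSrc(header) {
  const csp = parseCsp(header);
  const raw = csp.get("script-src-elem") || csp.get("script-src") || csp.get("default-src");
  if (!raw) return [{ source: null, issue: "no script-src or default-src: scripts are unrestricted" }];
  const sources = raw.map((s) => s.toLowerCase());
  // With 'strict-dynamic', supporting browsers ignore host and scheme sources.
  if (sources.includes("'strict-dynamic'")) return [];
  const findings = [];
  for (const source of sources) {
    if (/^(\*|https?:)$/.test(source)) {
      findings.push({ source, issue: "any host may serve script" });
    } else if (JSONP_HOSTS.some((h) => hostSourceCovers(source, h))) {
      findings.push({ source, issue: "allowlisted host can return callback (JSONP) script" });
    }
  }
  return findings;
}
// Constructed sample policy (not the Pro Shop's real header).
const SAMPLE_WEAK = "default-src 'self'; script-src 'self' https://www.youtube.com";
console.log(auditScriptSrc(SAMPLE_WEAK));
```

A policy built on per-response nonces with `'strict-dynamic'` returns no findings here, because browsers that support it stop honouring the host allowlist.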
Orion Manufacturing $60 Million BEC Scam
In 2024, chemical manufacturing company Orion S.A. fell victim to a business email compromise (BEC) scam that cost the Luxembourg-headquartered firm $60 million.
A non-executive employee was tricked into transferring funds to accounts controlled by unknown third parties in August 2024. The fraud was discovered and disclosed by the company on August 10, 2024, through a filing with the U.S. Securities and Exchange Commission, though no specific details about the attack methodology or how the employee was deceived were provided.
The company stated it was working with law enforcement to pursue recovery of the stolen funds through all legally available means, including potentially available insurance coverage. They also confirmed there was no evidence of additional fraudulent activity or unauthorized access to company systems or data. The filing did not mention any arrests or criminal consequences, and the perpetrators remain unknown and at large.