The man, Evaldas Rimasauskas, 50, pleaded guilty today in a New York court and now faces a sentence of up to 30 years in prison for his crimes.
Rimasauskas was arrested by Lithuanian authorities in March 2017 and extradited to the US to face charges in August of that year.
US officials said Rimasauskas operated by using a company he set up that employed a name similar to Quanta, a reputable provider of data center hardware products.
He targeted Google and Facebook because both companies run their own data centers and were known to have had business relations with Quanta.
According to court documents, Rimasauskas operated by sending emails made to look like they were coming from Quanta to both Google and Facebook, and demanding payment for alleged services and products.
He used fake invoices, contracts, and letters that fooled Google and Facebook employees into sending requested payments to the bank accounts provided by Rimasauskas, located at banks in Latvia and Cyprus.
US authorities said that as soon as the suspect received payments in these bank accounts, they were immediately transferred to other banks in Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong, at accounts controlled by Rimasauskas.
Rimasauskas ran the scheme for three years between 2013 and 2015, allegedly defrauding Google out of $23 million and Facebook out of $100 million.
The scheme was novel at the time, but is now well known and referred to as whaling, BEC (Bussiness Email Compromise) scam, or CEO fraud.
The FBI's Internet Crime Complaint Center (IC3) issued an alert in July 2018 warning that BEC scammers had defrauded companies around the world of over $12 billion since October 2013.
Besides Google and Facebook, other companies also lost huge sums of money in BEC scams. Previous incidents have been reported at FACC, an Austrian manufacturer of airplane parts, which lost $56.79 million; Leoni, a German manufacturer of wires and electrical cables, which lost $45 million; Crelan, a Belgian bank, which lost $76 million; and Pathe, a French film production and distribution company, which lost $21 million.
Rimasauskas' sentencing hearing has been scheduled for July 29, this year.
These are the worst hacks, cyberattacks, and data breaches of 2018