Cyber Incident Victim: Afognak Native Corporation

On April 15, 2015, Afognak Native Corporation’s subsidiary Alutiiq LLC experienced a cyberfraud incident involving the unauthorized transfer of $3.8 million to an offshore bank account. The attack coincided with a shareholder meeting in Port Lions, during which senior management was absent from the Kodiak Island headquarters. Perpetrators created a Europe-based email account impersonating CEO Greg Hambright’s address and sent instructions to Alutiiq’s controller regarding a "confidential transaction." A co-conspirator posing as an attorney followed up with a phone call minutes later, urgently requesting the funds be sent to a fictitious Hong Kong-based entity. The controller, believing the request legitimate, executed the transfer under the attackers’ demands for strict confidentiality. Corporate systems remained uncompromised, with no breach of computer accounts or exposure of customer data.

The fraudulent transfer was discovered two days later on April 17 by Hambright and CFO Bill Zang. Afognak immediately notified its corporate bank and the FBI, which sought to freeze the Hong Kong account. The corporation engaged FBI investigators, law enforcement agencies, private investigators, and cybersecurity consultants to trace the attack’s origins—linked to Asia or Eastern Europe—and pursue prosecution. Afognak’s board of directors acknowledged the incident in an April 30 shareholder letter, expressing dismay while emphasizing efforts to recover funds "to the maximum extent possible under law." Auditors initiated a review of financial protocols, and an insurance claim was filed. No further financial losses or operational disruptions beyond the initial transfer were reported.