Cyber Incident Victim: City of Baltimore
Date: Mar 2025
Location: United States of America
Summary
The FBI is investigating a cyberattack and identity theft that resulted in more than $1.5 million in fraud against Baltimore City. The perpetrator used the names of city employees and a vendor employee, established trust over several months, then altered banking information to cash one check for approximately $803,000 and attempt a second check for about $721,000, with the latter flagged by the bank. The attacker bypassed the city’s geofencing by using an IP address routed through Starlink, and the case has also been referred to the Office of the Inspector General while authorities assess whether other jurisdictions were targeted.
Description
On March 13, 2025, the Baltimore City Comptroller’s Office alerted authorities to a cyberattack and identity theft that had defrauded the city of more than $1.5 million. The Federal Bureau of Investigation is now investigating the incident. According to Deputy Comptroller Erika McClammy, the perpetrator used the names of city employees with whom they had gained trust, combined with information about a vendor and publicly available online data. The attacker assumed the identity of a current vendor employee to infiltrate the city’s accounts payable system. Initial contact with city personnel was established in the fall of the previous year, around October or November, and the relationship was nurtured over several months with multiple employees across various departments. After establishing trust, the attacker altered the banking details on file for the vendor.

In February, a check for $803,000 was issued based on the fraudulent banking information and was successfully cashed. A second check for $721,000 was prepared in March, but the bank flagged the transaction and returned the funds to the city. Upon detection, the city immediately froze the account designated for the vendor to prevent further unauthorized transfers. McClammy noted that the attacker bypassed the city’s geofencing controls by using an Internet Protocol address routed through a Starlink connection. The full scope of the attack remains uncertain, and officials have indicated that other municipalities or agencies may have been targeted as part of the same campaign. The Baltimore City Office of the Inspector General has been asked to conduct its own investigation into the matter. The vendor, which works with the Baltimore City Department of Public Works, is scheduled to receive its rightful payment this week. While current protocols were followed, McClammy acknowledged that the incident demonstrates a need to enhance existing security measures. When questioned about whether the city’s human resources and payroll system, Workday, remains vulnerable to similar Starlink‑based attacks, McClammy stated that she cannot confirm any ongoing risk.
