
Cyber Incident Victim: City of Baltimore

Date: Nov 2024

Location: United States of America

Summary

Baltimore City suffered a cyberattack involving identity theft and fraud resulting in over $1.5 million in losses. Perpetrators impersonated a legitimate vendor employee, leveraging publicly available information to establish trust with multiple city employees over several months before altering banking details to redirect payments. The fraud involved two checks, with $803,000 successfully cashed before a second attempt for $721,000 was flagged by the bank. Attackers bypassed geofencing protocols using a Starlink IP address. The FBI and local inspector general are investigating, while officials assess potential vulnerabilities in other systems and plan security enhancements. The legitimate vendor, affiliated with the Department of Public Works, will receive owed payments.


Description

In late October or early November 2024, a perpetrator initiated a cyberattack against Baltimore City’s accounts payable department through identity theft and social engineering. The attacker impersonated an employee of a legitimate vendor working with the Baltimore City Department of Public Works, using publicly available online information to establish credibility. Over several months, the perpetrator cultivated trust with multiple city employees across various departments, a process described by Deputy Comptroller Erika McClammy as "incubating and nurturing a relationship." This prolonged engagement enabled the attacker to bypass existing security protocols, including Baltimore City’s geofencing controls, by utilizing a Starlink internet connection to mask their location. In February 2025, the fraud culminated in the successful diversion of an $803,000 payment intended for the legitimate vendor, followed by an attempted $721,000 transfer in March 2025. The second transaction was flagged and blocked by the bank, preventing further losses.

City officials discovered the fraud on March 13, 2025, and immediately froze the compromised vendor account to prevent additional unauthorized transactions. The Comptroller’s Office confirmed the legitimate vendor would receive their overdue payment within days of the discovery. Authorities referred the incident to the FBI for investigation, with McClammy noting the perpetrator’s identity remained unknown and that multiple jurisdictions might have been targeted. The Baltimore City Office of the Inspector General also launched a parallel investigation. While city employees followed existing protocols during the incident, McClammy acknowledged the need for enhanced security measures, particularly regarding geofencing vulnerabilities exposed by the attacker’s use of Starlink. The full scope of compromised systems and potential residual risks to other city platforms, including the Workday HR and payroll system, remained undetermined as federal investigators continued their examination.
