FBI arrests social engineer who allegedly stole unpublished manuscripts from authors
On January 5, 2022, the Department of Justice (DoJ) announced the FBI arrest of Italian citizen Filippo Bernardini at JFK International Airport in New York for wire fraud and aggravated identity theft. Along with Bernardini’s arrest, the DoJ unsealed a grand jury indictment dated July 14, 2021 against Bernardini which disclosed a “year-long scheme to impersonate persons involved in the publishing to fraudulently obtain hundreds of preprint manuscripts of novels and other forthcoming books. »
Bernardini’s indictment recounts how over the previous five years (August 2016 to July 2021) he created a personal ecosystem that served to dupe those in the publishing industry. The document recounts how he defrauded or attempted to defraud hundreds of individuals and “obtained hundreds of unpublished manuscripts in the course of the scheme.”
Based on a review of Bernardini’s professional background, it appears that he set his course at the same time as the launch of his career in the publishing world, having obtained a master’s degree in publishing in 2016 from the ‘University College London.
Bernardini’s Targeted Surveillance Contributed to Intellectual Property Theft
A 29-year-old Italian polyglot, according to the NY Times, was an employee of Simon & Schuster until the company suspended him from his post after learning of his arrest. The company said in a statement that it was shocked and horrified. Their statement continued: “Protecting the intellectual property of our authors is of paramount importance to Simon & Schuster, and to everyone in the publishing industry, and we are grateful to the FBI for investigating these incidents and brought charges against the alleged perpetrator.”
A review of the period from 2016 to 2021 shows that Bernardini bounced around with great frequency in the publishing industry, finally landing with Simon and Schuster in October 2019. To the untrained eye, his chip bouncing from a entity to another, often landing as an intern, may seem like someone just trying to find their place in the publishing industry and expand their network. A review of the different positions would easily check both of these boxes.
- Simon and Schuster, Rights Coordinator and Rights Assistant (2019 to present, 28 months)
- Bloomsbury Publishing, royalties assistant (2019 for three months)
- Hay House, Foreign Rights Assistant (2018 to 2019 for six months)
- Pole to Win Asia, localization and QA tester (2018, three months)
- Mira Trenchard, literary location intern (2017, two months)
- La Nave de Teseo, literary translator, Chinese to Italian (2017, five months)
- Andrew Nurnberg Associates, Foreign Law Intern (2016, four months)
- Granta Publications, Editorial Intern (2016, two months)
To a trained eye, enjoying 20/20 hindsight and visibility into his activities via the indictment, his career path paints a much more nefarious picture. Simon & Schuster and the various entities that employed Bernardini from 2016 to 2021 probably had no idea how their intern/entrepreneur/employee was going to school on how they operated to advance his own cottage industry of theft of manuscripts.
Bernardini’s career path provided him with direct and unhindered access to key components used in his fraudulent efforts. He wasn’t trying to watch his target from the outside in. He was on the inside and, from the start, seemingly picking up the many nuances of the various entities and individuals within the publishing industry. This allowed him, in the words of the DoJ, to create “fake email accounts designed to impersonate real people employed in the publishing industry, including literary talent agencies, publishing, literary and other scouts”.
As an initiate, having passed through eight entities in five years, he would have the opportunity to learn:
- The precious authors in the stables of each
- Contact information for authors, agents, colleagues and competitors
- How each individual and entity has formatted their communications
- Financial details
- Publication cadence and trajectories
No apparent collaboration between publishers to investigate the scam
Credit The New York Times’ Elizabeth A. Harris and Nicole Perloth for uncovering Bernardini’s alleged deception in late 2020 when they exposed the phishing scams. They traced them back to 2017, which targeted the publishing industry in Sweden, Taiwan, Israel, Italy and the United States – all places we now know match the language skills of the polyglot Bernardini.
Their efforts may have been enough incentive to get authors and publishers to compare notes. Given Simon & Schuster’s surprise, it seems there has been little coordination or collaboration between the publishers.
The DoJ, both in its statement and in its indictment, highlighted how Bernardini was able to create effective phishing emails and website watering holes through which he tricked targeted individuals. for them to share their intellectual property or to provide login information that would allow them to obtain it illegally.
It’s as if, during his master’s period at University College London to study publishing, he also studied the modus operandi of the infamous couple Michael Haephrati and Ruth Brier-Haephrati, who from 2003 to 2005 created their own intellectual property theft cottage. industry. The pair operated out of London and targeted entities in Israel, investing in targeted surveillance and then selling their illicit services to companies interested in the competitive intelligence they acquired. (See Chapter 1, Stolen Secrets, Lost Fortunes, Syngress 2008, Burgess/Power).
CISO Takeaway on Alleged Theft of Bernardini Intellectual Property
CISOs within organizations that had a professional relationship with Bernardini should engage in an immediate damage assessment. Bernardini created 160 separate Internet domains which he used to impersonate real entities. These domains then provided him with the means to create phishing emails from a seemingly known email address, but which on closer inspection showed “rn” for “m” and others combinations to deceive the eye.
Authors, like many small independent contractors and independent contractors, are among the most vulnerable to these types of efforts because they lack the infosec infrastructure. All entities, regardless of industry sector, should review the Bernardini modus operandi and discuss the nuances of its multi-year success with information security teams and anti-phishing vendors to ensure that the resident solution would not be not vulnerable to methodologies.
Entities charged with protecting the intellectual property of a third party, as is the case in the publishing world, should go deep into the transaction flow and ensure that the protection offered to the most robust extends down to the individual author. in the form of education and the provision of secure means to transfer artistic works.
What future for Bernardini?
“Filippo Bernardini allegedly posed as individuals in the publishing industry so that authors, including a Pulitzer Prize winner, would send him preprint manuscripts for his own benefit. This real-life scenario now reads like a cautionary tale, with the twist of Bernardini facing federal criminal charges for his wrongdoings,” U.S. Attorney Damian Williams said.
At his arraignment on January 6, 2021, Bernardini represented by a lawyer for the Federal Defender, pleaded not guilty, his bond of $ 300,000 guaranteed by his father who named a London apartment as security. Bernardini was ordered to surrender his passport, released on personal bail, and ordered to remain in New York with a GPS tracking device strapped to his person.
Copyright © 2022 IDG Communications, Inc.