2016–2021 literary phishing thefts

Between 2016 and 2021, multiple prepublication manuscripts were stolen via a phishing scheme that investigators believed were conducted by an industry insider or insiders. In 2022, the FBI arrested Filippo Bernardini, a 29-year-old Italian citizen living in London and working for Simon & Schuster.

Background
Piracy in the publishing industry can have a negative impact on profits and royalties, and some industry professionals take extreme precautions with highly-anticipated releases. Translators for some books in The Da Vinci Code series were reported by Vulture to have been "required to work in a basement with security guards clocking trips to the bathroom".

Phishing attempts
In 2016, individuals involved in the publishing industry as authors, editors, agents, and publishers reported successful attempts to coerce authors into emailing unpublished manuscripts to email addresses impersonating publishing professionals known to those authors. The attempts were made by emailing from a domain name that resembled a legitimate one; the domain names were created using "common phishing techniques" such as using the letters "rn" to mimic the look of the letter "m" in an organizational name such as Macmillan, instead spelling it Macrnillan. The emails ostensibly came from other publishing industry professionals who worked closely with the target on the manuscript in question. In 2020, a cybersecurity firm found that the thief or thieves had registered over 300 domain names, and that their own security measures were amateurish. Some of the domains may have been paid for with stolen credit cards, according to Vulture.

Many of the phishing attempts involved approaching multiple people involved in a particular book's release; in the case of The Girl Who Takes an Eye for an Eye, the phisher, impersonating the book's Italian translator, emailed the book's publisher and the author's agent within minutes of each other.

The person or persons doing the phishing demonstrated familiarity with the industry and used jargon common within the industry. In the case of The Man Who Chased His Shadow, an industry insider estimated that the number of people worldwide who knew the necessary details to know whom to impersonate and whom to approach was "only a few dozen." The emails themselves seemed believable; one failed attempt was made on a William Morris Agency employee whose suspicions were raised only because 'her boss would never write "please" or "thank you"'. An Israeli publisher became suspicious because the request came in Hebrew, which he does not use for work emails. A literary agent found the emails so convincing they sent multiple manuscripts to the phisher over the course of seven months.

In 2018, the Association of American Representatives warned its members of the phishing scams.

During the coronavirus pandemic, the phishers became "more vicious", according to Vulture, telling one editor who thwarted a phishing attempt, "I hope you die of the Coronavirus." They also started hiring translators to read and report on books they'd stolen, then disappearing when payment was due. The thief also started impersonating the contacts of a journalist who was working on a story about the scam and conducting other online stalking of the journalist and a colleague of the journalist. In the summer of 2020 they started also impersonating industry professionals in Hollywood.

Motives
Motives for the phishing attacks were unclear. None of the manuscripts were subsequently sold on the black market or dark web and no ransoms were asked. Speculation as to motive included talent scouts or others in the industry or in Hollywood seeking early access to anticipated releases, impatient readers wanting the book solely for their own use, or "pleasure in the act itself". One IT professional speculated that portions of a highly-anticipated book might be used to convince readers to enter credit card information online. One agent wondered if the motive could be to sell security software to those who had been targeted. Hackers speculated that the attempts could be a low-risk training program for teaching hacking techniques.

After the arrest, the New York Times wrote, "Early knowledge in a rights department could be an advantage for an employee trying to prove his worth. Publishers compete and bid to publish work abroad, for example, and knowing what’s coming, who is buying what and how much they’re paying could give companies an edge." Other industry professionals were still puzzled, saying that early access to unpublished manuscripts would be of little benefit to a low-level foreign rights specialist like Bernardini. Bernardini would claim that the motive behind the theft was in order to be professionally involved in the publishing industry, and wanted to have access to the manuscripts before anyone else was able to own them.

Fallout
As news of the ongoing scam emails spread in the industry, many publishers increased their security measures to include even very obscure titles.

The attacks surrounding Margaret Atwood's The Testaments were so determined and concerning that her agency delayed sharing the final manuscript with multiple publishers, which delayed the book's global release.

Targets
Thefts or attempts were reported by representatives of Anthony Doerr, Jennifer Egan, Laila Lalami, Taffy Brodesser-Akner, Kevin Kwan, Joshua Ferris, Eka Kurniawan, Sally Rooney, Margaret Atwood, Hanna Bervoets, Ethan Hawke, Ian McEwan, Bong Joon Ho, Michael J. Fox, and Kiley Reid, as well as unknown debut authors. In September 2020, a manuscript was stolen from a Pulitzer Prize-winning author, who according to Forbes has not been publicly identified. Agencies and publishers in Taipei, Istanbul, Barcelona, Sweden and Israel were targeted. Vulture reported as of 2020 at least 200 companies in 30 countries had been targeted or impersonated.

Arrest and charges
The FBI arrested Filippo Bernardini, a 29-year-old Italian citizen living in London, upon landing at John F. Kennedy International Airport on January 5, 2022. He was charged with federal counts of wire fraud and aggravated identity theft. The Washington Post reported that Bernardini's LinkedIn profile listed London's Simon and Schuster as his employer. Forbes reported he described himself in his profile as a "foreign rights management professional and a translator". The company released a statement saying they were "shocked and horrified to learn today of the allegations of fraud and identity theft by an employee."

Prosecutors with the US Department of Justice alleged that Bernardini had registered "more than 160" domain names similar to those used by legitimate publishers, literary agents, talent scouts, and other industry professionals in order to send emails from those domain names impersonating editors, agents, scouts, and other industry insiders in order to convince authors to send pre-publication manuscripts to him. Prosecutors also alleged Bernardini had stolen emails and passwords from industry employees. Combined, the charges of fraud and identity theft are punishable in the US by up to 22 years.

Bernardini pleaded not guilty on condition of surrendering his passport, submitting to electronic monitoring, and providing bail of US$300,000.