A five-year mystery has been (mostly) solved, as the FBI arrested Italian citizen and UK publishing worker Filippo Bernardini yesterday on charges of impersonation and fraud. (Here’s the same story in The Guardian, in case you, too, have reached your NYT article limit.) This is such a bizarre case, and the arrest answers the question of who, but not why.
The short story is: a mystery person (now believed to be Bernardini) was posing as various publishing industry professionals and soliciting pre-publication manuscripts of assorted books, some of them high profile like The Man Who Chased His Shadow, the fifth installment in the Stieg Larsson/David Lagercrantz Millennium series of Lisbeth Salander books and some from debut authors who were not yet big names. He pretended to be everyone from publicists to book scouts to agents. He used email addresses that appeared to be legit, sent from domains that were extremely similar to the real thing and using the same font, email signature, and writing style as the person he was pretending to be.
He clearly knew publishing and publishing people and knew exactly what to ask for. And he very often got exactly what he requested, with many of the people he tricked realizing it only after the fact. In several cases described in the Vulture article, they only found out because they sent the manuscripts — or other replies — directly to the people they thought had asked for them, rather than replying to the email requests. In one case, an assistant realized the email had not come from their boss because it included the words “please” and “thank you.”
Industry professionals began using extra precautions when sharing manuscripts with (legit) colleagues, in some cases going to what seemed like really extreme lengths, including password protection for manuscripts no one had heard of and non-disclosure agreements; people suspected one another and felt paranoid, changing passwords and sending out faked manuscripts to anyone they suspected might be the thief. Many people tried to Nancy Drew the case themselves, unsuccessfully. Two Vulture journalists spent at least a year investigating, following a promising lead that proved to be nothing at all.
But none of the manuscripts he did get ever ended up on eBay, pirated, or otherwise revealed. No other common phishing scams (such as stealing credit card information) occurred. And no one could tell what he was doing with the manuscripts once he got them. Was it a power game? Was he looking for insider information for some other purpose? Did he simply think asking for advance reader copies was beneath him? Was it some sort of very convoluted long con? NO ONE KNOWS.
Theories were wild: was it a hacker training program? A security program trying to scare them into buying new protective software? An attempt by North Korea to destabilize the west? (I almost didn’t dignify that last one by acknowledging it, but I need you to understand how panicked some people in publishing were — this was shortly after the alleged North Korean leak of Sony Pictures emails.)
And most of all: how on earth would they catch this guy?
As it turns out, the method of impersonation was the thing that eventually led to his capture, assuming Bernardini is the right guy. Although he initially started out using easy to fake gmail addresses, he ultimately registered at least 160 fraudulent domain names such as wylieaqency.com (with a Q instead of a G) and wwnorfon.com (with an F for the T), many of them through Dutch registrars and all of them pointing to a wide assortment of fake addresses.
Bernardini worked for Simon & Schuster UK, which has suspended him pending investigation.
A spokesperson for the publisher told The Guardian, “The safekeeping of our authors’ intellectual property is of primary importance to Simon & Schuster, and for all in the publishing industry, and we are grateful to the FBI for investigating these incidents and bringing charges against the alleged perpetrator.”
We can only hope that eventually we will find out what on earth he was really up to.