$19M Gone: Hackers Scam NYC Real Estate Giant with One Email. Homeland Security Now Investigating.

Milford Management, owner of high-end Battery Park City properties, was duped by a single phishing email—triggering a $19 million transfer to scammers posing as the Battery Park City Authority.

NEW YORK CITY — August 6, 2025 | In a chilling reminder of the scale and sophistication of cybercrime, a prominent Manhattan real estate management firm was allegedly defrauded out of nearly $19 million in early July—all due to a single spoofed email.

The target? Milford Entities/Management, the well-established firm behind Battery Park City’s upscale Liberty View and Liberty Luxe residences. According to sources close to the investigation and internal emails obtained by The Post, the company mistakenly wired the massive sum to an account they believed belonged to the Battery Park City Authority.

But the account wasn’t real.

It was set up by cybercriminals, reportedly using a sophisticated phishing email that mimicked the BPCA’s branding and communication style. The email convinced Milford’s finance department to initiate the wire transfer—unaware they were sending millions into the hands of fraudsters.

“This attack was highly targeted and highly convincing,” said a cybersecurity expert familiar with the case. “This wasn’t a random phishing attempt—this was business email compromise (BEC) at an elite level.”

Department of Homeland Security Leads Investigation

Following the discovery of the fraudulent transfer, the Department of Homeland Security (DHS) quickly assumed leadership of a multiagency federal investigation, sources confirmed. The probe involves the Secret Service, FBI, and NYPD Cyber Unit, all working together to trace the funds and identify the actors behind the scam.

So far, no arrests have been made publicly, and authorities have not confirmed whether any of the stolen funds have been recovered.

Cybercrime Targets Luxury and Trust

The incident has shocked the New York real estate and cybersecurity sectors. Milford, which operates some of the city’s most exclusive residential complexes, is known for its internal rigor and discretion.

“It’s hard to imagine a firm of this size and reputation falling victim to a single phishing email,” said Diana Keller, a cybersecurity consultant who advises NYC real estate firms. “But that’s the frightening truth—today’s attacks aren’t about brute force. They’re about deception and social engineering.”

The phishing email reportedly included language and formatting nearly identical to that used by the real Battery Park City Authority. The email address domain differed by a single character—barely noticeable to an untrained eye.

Human and Institutional Fallout

Employees inside Milford described the aftermath as “chaotic” and “devastating.” Some departments were placed under immediate audit, while others were forced to shut down systems and revert to manual processes pending a full internal review.

“Morale is low. Everyone’s looking over their shoulder,” said a Milford staffer under condition of anonymity. “There’s a feeling of violation—not just financially, but professionally.”

For residents of Liberty View and Liberty Luxe, concerns over data privacy and financial safety have risen sharply. While the company has said resident accounts were not directly impacted, the breach highlights the vulnerabilities even in elite sectors.

Bigger Than One Company

The scam is being viewed as part of a larger trend targeting U.S. real estate, healthcare, and legal industries—where large wire transfers are common and urgency can be weaponized.

According to the FBI’s Internet Crime Complaint Center (IC3), business email compromise (BEC) scams accounted for over $2.9 billion in losses across U.S. businesses in 2024 alone.

“This isn’t just a Milford problem,” said Agent Carla Diaz of the NYPD Cyber Unit. “This is a national threat. Every organization that moves money needs to assume they’re being watched.”