Why on Earth Is Someone Stealing Unpublished Book Manuscripts?

Earlier this month, the book industry website Publishers Marketplace announced that Little, Brown would be publishing “Re-Entry,” a novel by James Hannaham about a transgender woman paroled from a men’s prison. The book would be edited by Ben George.

Two days later, Mr. Hannaham got an email from Mr. George, asking him to send the latest draft of his manuscript. The email came to an address on Mr. Hannaham’s website that he rarely uses, so he opened up his usual account, attached the document, typed in Mr. George’s email address and a little note, and hit send.

“Then Ben called me,” Mr. Hannaham said, “to say, ‘That wasn’t me.’”

Mr. Hannaham was just one of countless targets in a mysterious international phishing scam that has been tricking writers, editors, agents and anyone in their orbit into sharing unpublished book manuscripts. It isn’t clear who the thief or thieves are, or even how they might profit from the scheme. High-profile authors like Margaret Atwood and Ian McEwan have been targeted, along with celebrities like Ethan Hawke. But short story collections and works by little-known debut writers have been attacked as well, even though they would have no obvious value on the black market.

In fact, the manuscripts do not appear to wind up on the black market at all, or anywhere on the dark web, and no ransoms have been demanded. When copies of the manuscripts get out, they just seem to vanish. So why is this happening?

“The real mystery is the endgame,” said Daniel Halpern, the founder of Ecco, who has been the recipient of these emails and has also been impersonated in them. “It seems like no one knows anything beyond the fact of it, and that, I guess you could say, is alarming.”

Whoever the thief is, he or she knows how publishing works, and has mapped out the connections between authors and the constellation of agents, publishers and editors who would have access to their material. This person understands the path a manuscript takes from submission to publication, and is at ease with insider lingo like “ms” instead of manuscript.

Emails are tailored so they appear to be sent by a particular agent writing to one of her authors, or an editor contacting a scout, with tiny changes made to the domain names — like penguinrandornhouse.com instead of penguinrandomhouse.com, an “rn” in place of an “m” — that are masked, and so only visible when the target hits reply.

“They know who our clients are, they know how we interact with our clients, where sub-agents fit in and where primary agents fit in,” said Catherine Eccles, owner of a literary scouting agency in London. “They’re very, very good.”

This phishing exercise began at least three years ago, and has targeted authors, agents and publishers in places like Sweden, Taiwan, Israel and Italy. This year, the volume of these emails exploded in the United States, reaching even higher levels in the fall around the time of the Frankfurt Book Fair, which, like most everything else this year, was held online.

Books targeted include “Such a Fun Age,” by Kiley Reid, “The Sign For Home,” by Blair Fell, “A Bright Ray of Darkness,” by Ethan Hawke, and “Hush” by Dylan Farrow. Penguin Random House and Simon & Schuster, two of the biggest publishers, have sent out warnings about the scam.

Cynthia D’Aprix Sweeney, the author of the debut novel “The Nest,” was targeted in 2018 by someone pretending to be her agent, Henry Dunow. The emails began about eight months after she had sold her second novel based on a sample of the manuscript called a “partial.”

Often, these phishing emails make use of public information, like book deals announced online, including on social media. Ms. Sweeney’s second book, however, hadn’t yet been announced anywhere, but the phisher knew about it in detail, down to Ms. Sweeney’s deadline and the names of the novel’s main characters.

“Hi Cynthia,” the email began. “I loved the partial and I can’t wait to know what happens next to Flora, Julian and Margot. You told me you would have a draft around this time. Can you share it?”

It was signed, “Henry.”

The note struck Ms. Sweeney as odd, so she forwarded it to her agent. “He freaked out,” she said. She did not reply to the scammer, but the emails kept coming. Finally, she said, she wrote back, asking the person to leave her alone.

Instead, Ms. Sweeney got this response: “It’s me, Henry. How could I know about your new novel??”

“It’s so befuddling because it’s not like fiction is driving our economy,” Ms. Sweeney said. “Ultimately, how do you monetize a manuscript that you don’t own?”

Ms. Sweeney’s first book was a best seller, so she, like well-known authors Jo Nesbo and Michael J. Fox, may be an obvious choice. But the scammer has also requested experimental novels, short story collections and recently sold books by first-time authors. Meanwhile, Bob Woodward’s book “Rage,” which came out in September, was never targeted, Mr. Woodward said.

“If this were just targeting the John Grishams and the J.K. Rowlings, you could come up with a different theory,” said Dan Strone, chief executive of the literary agency Trident Media Group. “But when you’re talking about the value of a debut author, there is literally no immediate value in putting it on the internet, because nobody has heard of this person.”

One of the leading theories in the publishing world, which is rife with speculation over the thefts, is that they are the work of someone in the literary scouting community. Scouts arrange for the sale of book rights to international publishers as well as to film and television producers, and what their clients pay for is early access to information — so an unedited manuscript, for example, would have value to them.

“The pattern it resembles is what I do,” said Kelly Farber, a literary scout, “which is I get everything.”

Cybercriminals regularly trade pirated movies and books on the dark web, alongside stolen passwords and Social Security numbers. Yet a broad search of dark web channels, like the Pirate Warez website, an underground forum for pirated goods, didn’t yield anything meaningful when searching for “manuscripts,” “unpublished” or “upcoming book,” or the titles of several purloined manuscripts.

In the past, cybercriminals who lifted Hollywood scripts and screenplays turned a profit by posting them online and charging impatient fans fees to access them. In 2014, someone posted Quentin Tarantino’s script for “The Hateful Eight” online, and it eventually found its way to Gawker. Mr. Tarantino threatened to end production before it had even begun. Oren Peli, the screenwriter behind the “Paranormal Activity” film franchise, saw his script outlines end up on the internet.

None of that seems to be happening with the stolen book manuscripts. Apparently nobody has posted them online out of spite or tried to entice eager fans to turn over their credit card information in exchange for an early glimpse. There have been no ransom demands of the authors by extortionists threatening to dump the authors’ years of work online if they don’t pay up. In this absence, and with no clear monetization strategy to the thief’s or thieves’ efforts, cybersecurity experts have been left scratching their heads.

The scammer's ever-so-slight variations on registered websites are a tried-and-true tactic. In an attempt to steal the manuscript for Mr. Nesbo’s “Knife,” the thief sent email from Salornonsson.com, a domain designed to mimic Salomonsson, the Swedish literary agency. The domain was registered with GoDaddy, using a computer whose IP address had never been picked up in previous phishing scams, spam campaigns or cyberattacks. But whoever is behind the phishing emails is keeping their tools current: They had set up the domain in June 2018 and re-registered it as recently as Nov. 25 this year.

“The trouble they went to — fabricating conversations with trusted people and sort of acting as if they are filling in the target on those conversations to grant themselves credibility — definitely demonstrates very specific targeting, and probably more effort than we see in most phishing emails,” said Roman Sannikov, a threat analyst at Recorded Future whom The Times asked to review the emails.

The thefts have rattled some once-trusting literati and left publishing professionals unsure of whom they can trust. For authors, the stakes couldn’t be higher: This is their unfinished work, still littered with typos and plot lines that would not survive a final edit, pried out into the open before it’s ready.

“You feel violated,” Mr. Hannaham said. “I don’t want anyone to know how bad the early drafts of things are.”