$17 Million Gone by Morning: Palm Beach Law Firm Sues Its Bank Over an Escrow Wipeout

Real estate law firms are, functionally, banks that practice law. The escrow accounts they hold for property closings can swell to tens of millions of dollars in transit between buyers, sellers, and lenders. That makes them an irresistible target — and it makes the question of who eats the loss when those funds are stolen one of the most consequential fights in cybersecurity. A lawsuit out of Palm Beach is about to test it with $17.3 million on the line.

On an early Thursday morning this past January, more than $17.3 million disappeared from the client escrow account of Rabideau Klein, a prominent real estate firm led by attorneys Guy Rabideau and David Klein. The money — funds held in trust for real estate deals — left in a burst of 13 unauthorized wire transfers. In the week of June 12, 2026, the firm sued its bank, First Horizon Bank, to recover what it could not claw back.

How the account fell

The complaint describes a takeover that combined technical intrusion with old-fashioned social engineering — the hallmark of the most effective financial-fraud crews. According to the lawsuit, the attacker:

• Gained access to the firm’s online banking platform
• Changed passwords to lock out legitimate users
• Created a new user ID for persistent control
• Disabled existing user accounts so the firm couldn’t intervene

But the detail that elevates this from a generic account takeover to an alleged bank failure is the human one. The suit claims the attacker called First Horizon’s customer service impersonating Guy Rabideau and requested that an RSA security token be reissued — and that a bank employee handed over Rabideau’s user ID to the caller. If accurate, the bank’s own help desk became the final link in the chain, supplying a credential that helped unlock the very account it was meant to protect.

This is the anatomy of business email compromise and account-takeover fraud at the high end: not a brute-force hack but a patient blend of credential compromise, process manipulation, and a customer-service representative trained to be helpful rather than suspicious. The technical controls were arguably defeated less by code than by a phone call.

$10.7 million back, $6.5 million gone

Speed of response determined how much survived. Rabideau Klein managed to recover $10.7 million of the stolen funds — the portion that could be frozen or reversed before it was laundered out of reach. But roughly $6.5 million remains outstanding, and that gap is the heart of the lawsuit. The firm wants First Horizon to refund the missing money, with interest.

The legal theory leans on the rulebook that governs commercial wire transfers. The complaint alleges First Horizon violated state law governing funds transfers, breached its contract with the firm, and was negligent — specifically by ignoring what the suit calls “numerous and glaring red flags” of a malicious attack. Thirteen wire transfers draining $17 million from a law firm’s escrow account in a single morning is, the firm argues, exactly the pattern a bank’s fraud-monitoring systems exist to catch.

The unsettled question of who pays

Cases like this turn on a body of law most people never think about until millions are missing: the rules — under the Uniform Commercial Code’s Article 4A in the U.S. — that allocate liability for unauthorized or fraudulently induced wire transfers between a bank and its commercial customer. The core question is commercial reasonableness: Did the bank offer and follow security procedures appropriate to the risk, and did the customer agree to and follow them? Liability often hinges on which side failed its part of that bargain.

Banks routinely argue that once a customer’s credentials are compromised, the transfers appeared authorized and the loss belongs to the customer. Customers counter — as Rabideau Klein does — that the bank’s monitoring should have flagged anomalous, high-velocity transfers and that the bank’s own staff enabled the takeover. There is precedent on both sides; wire-fraud victims have sued their banks for decades with mixed results, and the outcomes are notoriously fact-specific.

What makes the Rabideau Klein suit compelling is the alleged token-reset call. A breach that lives entirely on the customer’s side is a hard case for the customer to win. A breach in which the bank’s representative reportedly disclosed a user ID to an impersonator shifts the narrative toward the bank’s own procedures — and that is precisely the kind of internal failure that can move a court.

A warning for every firm holding other people’s money

For the legal, title, and real estate industries, the lesson is brutal and familiar: you are a target because of the money you hold in trust, not the size of your IT department. The defenses are unglamorous and effective. Enforce phishing-resistant MFA on all banking access. Establish out-of-band verification for any change to wire instructions, security tokens, or account credentials — a callback to a known, pre-established number, never a number or request that arrives in the moment. Set transaction velocity limits and dual authorization for large wires so that 13 transfers cannot drain an account before anyone blinks. And press your bank, in writing, on what its anomaly detection will actually catch.

The firm did much right after the fact — it moved fast enough to recover $10.7 million. But the $6.5 million still missing, and the lawsuit now chasing it, is the part that can’t be undone with a quick response. In the world of escrow fraud, the only reliable win is the transfer that never leaves.

Sources

• The Real Deal — $17M in escrow funds gone overnight: Palm Beach law firm sues bank over cyber attack
• BankInfoSecurity — Wire fraud victim sues bank (background on UCC 4A liability)