Cyber Attack: A Fake Zoom Link Kills a Hedge Fund

Cyber is a critical risk for the asset management industry. In Australia, a hedge fund, Levitas, was subject to a sophisticated phishing scam, where attackers gained control of an executive's email account. The attackers were then able to initiate and "approve" cash transfer requests by sending fake invoices to the fund's trustee and third party administrator. $8 million went missing - and the manager will now shut down due to a key investor redeeming their assets in the aftermath of the hack.

The Australian Financial Review provides a detailed summary of the events. Per the article, it appears that:

• First, one of the founders of the firm clicked on a fake Zoom link - which enabled the cyber attackers to implant software on the firm's network. With this software, the attackers were able to infiltrate and use the founder's work email account.
• The attackers created bogus invoices, including a request for the fund to pay a $1.2 million "capital call" to a company called Unique Star Trading. As a hedge fund trading public markets securities, there would, of course, be no reason why the fund would invest in a private equity fund with capital calls. Especially when Unique Star's bank account was held in a bank account in a Sydney suburb.
• The request was sent to the fund's trustee (in Australia, funds are often structured as trusts and a third party firm - in this case AET Corporate Trust - is responsible for approving cash movements as the trustee). Of course, the request was bogus as the cyber attackers were sending fake emails from the compromised email account. In this case AET approved the transfer (and are investigating why they did not question the "capital call" invoice). The trustee then sent the approved invoice on to the administrator, Apex, for payment.
• Apex did question the payment and performed a call back to the founder, reaching him on his cell phone at the gym. The founder said he would call back and subsequently emailed Apex - however, Apex had apparently already received a - fake - email from the founder's compromised email account authorising the transaction, and had proceeded to pay out the cash.

So what happened then? Per the AFR:

In a 10-day period after that money was transferred, a Pakistani national, Muhammad Bhatti, walked into an ANZ branch in Bankstown and withdrew $240,000 via a bank cheque.

He also raised another bank cheque for $240,000 from an ANZ branch in Kogarah during this period. One of these cheques was then deposited in a Bank of Queensland account; the other was blocked by Commonwealth Bank, Levitas' bankers.

On September 26, Mr Bhatti left Australia on a Qatar Airways flight, but prior to this he made 64 more withdrawals from the ANZ account totalling about $300,000. These included cash withdrawals from ANZ branches and convenience stores, along with purchases from David Jones and JB Hi-Fi.

The story continues per the article:

A week after the first transaction, another fake invoice was wrongly authorised from the Levitas account. This time $2.5 million was sent to the Bank of China in Hong Kong to a company called Pavelin Limited. Once again, the fund hadn't previously dealt with this company.

The hacker had sent a further email from Mr Fagan (the founder) authorising the transaction. Neither Mr Fagan nor Mr Brookes (other co-founder of the firm) received calls from the administrator or trustee to check the transaction.

....On the same day – September 22 – the trustee received further instructions from the administrator to send $5 million to East Grand Trading at the United Overseas Bank in Singapore.

Per the AFR: The same red flags were evident on the invoice, but again, no verification calls were made. The money was approved for transfer.

In this case, the transfers to Hong Kong and Singapore were stopped as the transfers had not yet cleared, with the money returned to the fund. Mr Bhatti, however, was able to get away with a total of $781,000 - and the firm's largest investor, an Australian superannuation scheme, elected to redeem their investment. Now below break even assets under management, Levitas will close.

What can investors and asset managers do to protect their assets against cyber attacks? We will provide some diligence observations in our next post.