Anatomy of a hedge fund hack

Posted By : Telegraf


It was only when John made a final phone call to confirm the transfer of about €10m to his family trust that he realised he was about to fall victim to a highly sophisticated financial scam.

A fraudster had spent two months pretending to be one of John’s business associates in order to gain his confidence and trick him into diverting a standard loan repayment to a different bank account.

Having obtained emails through an earlier hack of a financial services company in Liechtenstein, they studied the habits and conversational style of John’s business associate and then imitated him on email.

John, a London-based private investor who invests his family’s money and who regularly works with a number of smaller financial firms across Europe, said the fraud was thwarted at the eleventh hour “purely by luck”.

The Financial Times has pieced together the details of how the attack on John unfolded, and how a separate phishing attack eventually forced the liquidation of the main hedge fund run by Levitas Capital, a Sydney-based firm with $75m in assets under management.

The complexity of the two scams, and the time and money the fraudsters were prepared to invest, highlight the threat now faced by smaller financial services firms such as hedge funds, brokers and administrators, as well as by family offices and wealthy individuals. Often, hackers who obtain valuable information through an attack on one financial firm will sell the stolen data on the dark web to criminal groups experienced in using such data for frauds.

Large banks are attractive targets for hackers, but the millions of pounds they spend each year on cyber security make them tough to hack. Smaller hedge funds can be more enticing targets because they handle large sums of money but may only spend tens of thousands of pounds protecting themselves, according to cyber security firm Remora. The array of third-party companies that hedge funds use, for instance trustees, administrators and auditors, increases the number of potential weak links in the chain that hackers can target, and their principals are often more visible and easier to target.


Data on attacks is sketchy, in part because firms are often unwilling to admit they fell for a scam. According to a 2019 report by Boston Consulting Group, finance firms are 300 times more likely than other companies to be targeted by a cyber attack.

“Hedge funds and family offices do not spend anywhere near enough [on cyber security] which is why they are targets,” said Alex Mendez, Remora’s co-founder. “Hedge funds are more vulnerable because the principals within hedge funds are more visible and easier to target.”

The US Securities and Exchange Commission last summer warned of increasingly sophisticated ransomware attacks on broker-dealers, investment advisers and investment companies, as well as on their service providers. In September it warned that hackers were using usernames, email addresses and passwords obtained on the dark web to try to log into firms’ websites and gain access to accounts.

UK businesses under attack

“There’s a significant worry [about cyber risks] across the hedge fund world. It’s becoming increasingly dangerous, the impact could be catastrophic,” said Nicholas Wells, managing director at recruiter Quantum Chase.

“Hackers may not have stolen anything, but by damaging the reputation of the firm [they damage the firm].”

How the hack unfolded

John, the private investor, asked the FT not to use his real name. He was originally contacted by the fraudster, posing as the trustee, in early February last year in a genuine-looking email. The fraudster had even used the same central European greeting, “Servus!”, that the real trustee uses. The only, almost imperceptible, difference was a change to the sender’s email suffix, meaning it came from an entirely different source.
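The "almost imperceptible" change to the sender's email suffix is the kind of thing a mail gateway or a treasury workflow can check mechanically before a payment instruction is acted on. The script below is an added illustration, not code from the FT or from any firm named in the article: it compares an incoming From header against a constructed address book of counterparties (the addresses and names are placeholders) and flags a sender who claims a known contact's name or mailbox but writes from a different domain, distinguishing a near-copy of the real domain (swapped top-level domain, a digit standing in for a letter, a one- or two-character edit) from an unrelated one.

```python
from email.utils import parseaddr

# Constructed address book for this example: display name -> the address the
# counterparty has always used. Placeholder values, not from the article.
KNOWN_CONTACTS = {
    "Trustee Example": "trustee@example-trust.li",
    "Counsel Example": "counsel@example-law.ae",
}

# Digit-for-letter substitutions that survive a quick glance at an address.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def domain_skeleton(domain: str) -> str:
    """Reduce a domain to what a reader perceives: drop the top-level label,
    hyphens and dots, lowercase it, and fold digit look-alikes onto letters."""
    labels = domain.lower().rstrip(".").split(".")
    body = "".join(labels[:-1]) if len(labels) > 1 else labels[0]
    return body.replace("-", "").translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one- or two-character edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from: str, known=KNOWN_CONTACTS) -> str:
    """Classify a From header as 'known', 'lookalike', 'name-mismatch',
    'unknown' or 'malformed' relative to the address book."""
    display, addr = parseaddr(header_from)
    if "@" not in addr:
        return "malformed"
    local, domain = addr.rsplit("@", 1)
    if addr.lower() in {v.lower() for v in known.values()}:
        return "known"
    for contact_name, contact_addr in known.items():
        c_local, c_domain = contact_addr.lower().rsplit("@", 1)
        claims_identity = display.lower() == contact_name.lower() or local.lower() == c_local
        if not claims_identity:
            continue
        # Same person by name or mailbox, different domain: decide whether the
        # domain is a near-copy of the real one or something unrelated.
        mine, theirs = domain_skeleton(domain), domain_skeleton(c_domain)
        if mine == theirs or edit_distance(mine, theirs) <= 2:
            return "lookalike"
        return "name-mismatch"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, including the suffix-swap pattern from the article.
    for header in (
        "Trustee Example <trustee@example-trust.li>",
        "Trustee Example <trustee@example-trust.com>",
        "Trustee Example <trustee@examp1e-trust.li>",
        "Trustee Example <trustee@freemail.example>",
        "Someone <someone@other.example>",
    ):
        print(f"{classify_sender(header):14} {header}")
```

Anything other than "known" should stop a payment instruction from being processed on the strength of the email alone and trigger a call to a number already on file, not one supplied in the message. The skeleton comparison is deliberately coarse: it trades a few false positives for catching the suffix and digit swaps that a human reading thirty cordial emails will not notice.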

The email mentioned a regular loan repayment that John was due to make at the end of March, and asked a few questions about the timing, the currency and the account to be used.

“I had no idea it was not the real [trustee]”, said John, who answered the email cordially and said he would make the payment.

Several days later the scammer emailed again, this time pretending to be John’s lawyers in the Middle East. In total there were close to 30 emails exchanged over a couple of months. In some cases they asked about John’s art collection or dropped in personal information, such as the name of the hotel the real trustee would usually stay in when visiting Vienna.


In one email, John questioned the fake trustee about the interest rate on the loan repayment. The fraudster, who had already obtained a copy of the loan schedule, admitted the mistake within minutes and sent a corrected version of the loan spreadsheet.

“None [of the interactions] aroused my suspicion in any way whatsoever,” said John.

In fact, hackers had already obtained emails of Liechtenstein-based fund administrator Caiac Fund Management, which John says helped them to impersonate the real trustee. A spokesman for Caiac said “hackers intercepted email correspondence and unsuccessfully tried to use the information attained on a specific product to trigger payments”. It declined to comment on individual cases but said it informs relevant stakeholders in the case of any data breach.

In early April, John gave the green light to his bank to make the payment. He called the real trustee and then a UK phone number provided by the scammer but neither picked up. It was only when the real trustee called back 45 minutes later and was flummoxed by John’s questions that John realised what was happening. He quickly called his bank, which had not made the payment because it needed to check the exchange rate.

John went to the Metropolitan police’s cyber crime unit, which spotted a rare opportunity to investigate an attempted fraud still in progress, where the fraudster was unaware they had been foiled. They asked John to arrange a meeting in Mayfair’s Berkeley Square under the pretext of signing some routine documents. An undercover policeman would go in place of John.

But at the last minute the scammer cancelled, so John asked him for an address to send the documents to. The address given was on an East London council estate and was known to the police for previous criminal activity. The police decided against raiding it, believing they would only find a mule there.


John has contacted Liechtenstein police and said Europol has been informed. He is not aware of further progress on the case, which he said has been hindered by Covid-19 lockdowns. The Metropolitan police declined to comment.

A fake Zoom invitation

Police have also got involved in the case of Sydney-based Levitas, where money was transferred to the criminals.

In September last year co-founder Michael Fagan clicked on an innocuous-looking but fake Zoom invite that allowed a hacker to infiltrate Levitas’s systems and use Fagan’s email. The hacker then sent fake payment instructions to administrator Apex Fund Services.

Apex tried calling Fagan to check the payment but was unable to reach him. However, after receiving confirmation from Fagan’s email — sent by the hacker — Apex sent an instruction to trustee AET Corporate Trust to pay a ‘capital call’ notice for A$1.2m (US$936,250) to a company called Unique Star Trading, said Levitas CEO Michael Brookes.

Fagan eventually discovered the scam by accident when checking Levitas’s bank account almost two weeks after the phishing attack. Another A$2.5m had been paid out and a further A$5m had been approved for transfer. Fagan quickly stopped the payments and was able to recover most of the money.

Nevertheless, about A$600,000 had been stolen, according to Brookes. Had it been discovered a couple of days later, then the loss could have been A$8.7m, he said. The hack led Australian Catholic Super, Levitas’s largest client, to withdraw its money, and the fund is now being liquidated.

Apex declined to comment. Australian Catholic Super said it had received back its full investment in Levitas’s fund. New South Wales police said its investigation was ongoing but declined to comment further. Certane, which owns AET’s corporate trust business, said it is co-operating with authorities and that its ‘Pay’ system for processing client instructions was not compromised.

Brookes said the payment instructions should have aroused the suspicions of the trustee and administrator.

“It’s why the structure is set up as such, so that somebody will pick this up,” he said. “It’s devastating.”


