Cyber is a critical risk for the asset management industry. In Australia, a hedge fund, Levitas, was subject to a sophisticated phishing scam, where attackers gained control of an executive's email account. The attackers were then able to initiate and "approve" cash transfer requests by sending fake invoices to the fund's trustee and third party administrator. $8 million went missing - and the manager will now shut down due to a key investor redeeming their assets in the aftermath of the hack.
The Australian Financial Review provides a detailed summary of the events. Per the article, it appears that:
So what happened then? Per the AFR:
In a 10-day period after that money was transferred, a Pakistani national, Muhammad Bhatti, walked into an ANZ branch in Bankstown and withdrew $240,000 via a bank cheque.
He also raised another bank cheque for $240,000 from an ANZ branch in Kogarah during this period. One of these cheques was then deposited in a Bank of Queensland account; the other was blocked by Commonwealth Bank, Levitas' bankers.
On September 26, Mr Bhatti left Australia on a Qatar Airways flight, but prior to this he made 64 more withdrawals from the ANZ account totalling about $300,000. These included cash withdrawals from ANZ branches and convenience stores, along with purchases from David Jones and JB Hi-Fi.
The story continues per the article:
A week after the first transaction, another fake invoice was wrongly authorised from the Levitas account. This time $2.5 million was sent to the Bank of China in Hong Kong to a company called Pavelin Limited. Once again, the fund hadn't previously dealt with this company.
The hacker had sent a further email from Mr Fagan (the founder) authorising the transaction. Neither Mr Fagan nor Mr Brookes (other co-founder of the firm) received calls from the administrator or trustee to check the transaction.
....On the same day – September 22 – the trustee received further instructions from the administrator to send $5 million to East Grand Trading at the United Overseas Bank in Singapore.
Per the AFR: The same red flags were evident on the invoice, but again, no verification calls were made. The money was approved for transfer.
In this case, the transfers to Hong Kong and Singapore were stopped as the transfers had not yet cleared, with the money returned to the fund. Mr Bhatti, however, was able to get away with a total of $781,000 - and the firm's largest investor, an Australian superannuation scheme, elected to redeem their investment. Now below break even assets under management, Levitas will close.
What can investors and asset managers do to protect their assets against cyber attacks? We will provide some diligence observations in our next post.
1080 Côte du Beaver Hall, Suite 904
Canada, H2Z 1S8
84 Chain Lake Drive, Suite 501
Canada, B3S 1A2
1 Pancras Square, Kings Cross
London, N1C 4AG
+44 20 3036 0828
Ground Floor, Three E-com Center
Mall of Asia Complex
Pasay City, Metro Manila
24th Floor Al Sila Tower, Suite 2422
Abu Dhabi Global Market Square
Al Maryah Island, Abu Dhabi, UAE
+971 (2) 694 8510
Level 36 Governor Phillip Tower
1 Farrer Place Sydney 2000
+61 (2) 8823 3370