How a Simple Email Forced a +75M Hedge Fund to Close
A simple Zoom invite brought a $75 million hedge fund to its knees.
How? Because the Zoom invite was never one to begin with.
Today, we deep dive into this cautionary tale, relevant not only to the asset management industry but to every company worldwide.
In September 2020, Australian hedge fund manager Levitas Capital, co-founded by Michael Brookes and Michael Fagan, was at its peak. They had achieved a 20 percent increase that year and were days away from finalizing a $16 million investment.
Then came September 10th, 2020.
On that fateful day, Michael Fagan received what appeared to be an innocuous email containing a link to an even more innocuous Zoom invitation. Unaware of the effect that link would have on his life and his firm, he clicked on it and forgot about it.
Unbeknownst to him, this link granted a criminal organization full access to Levitas Capital’s email system, utilizing a classic cybercriminal tactic known as business email compromise (BEC).
From that moment on, the perpetrators behind this scheme took the time to familiarize themselves with how Levitas Capital operated, mimicking their writing style, tone, and email interactions to get in — and get the money out.
Once they had achieved their goal, and as they now had the ability to send emails from all compromised parties, they struck on September 15th, 2020.
The Attack
Michael Fagan was at the gym when the administrator of Levitas Capital’s fund received an invoice requesting a transfer of $1.2 million to an account under the name of Unique Star Trading at the Australian bank ANZ.
Before transferring such a large amount of funds, the fund’s administrator wanted to double-check with Michael Fagan and called him. As Michael was in the middle of a workout, he let the administrator know that he would call him back later.
After the call, the administrator received an email from Michael approving the $1.2 million transfer. The next day, the money was wired to Unique Star.
Unfortunately for Levitas Capital, Michael Fagan had never sent this email; it was the work of cybercriminals who had infiltrated the company.
Days passed, and no alarm was raised.
Probably feeling lucky, the criminals chose to strike again, and to strike big.
Seven days after their first heist, on September 22nd, using the same modus operandi, they got the administrator to transfer an additional $2.5 million! This time, the money was to be wired to a certain “Pavelin Limited” at the Bank of China based in Hong Kong.
But they did not stop there. They also instructed the administrator to send no less than $5 million to another “firm,” East Grand Trading at the United Overseas Bank in Singapore. This transfer was authorized by AET Corporate Trust, Levitas Capital’s trustee, after it received the administrator’s green light.
The next day, Michael Fagan was expectantly awaiting the $16 million investment the company had secured, and decided to check the firm’s bank accounts. He probably got the shock of a lifetime when he saw that $8 million was missing from them.
In a stroke of luck, he successfully stopped the $7.5 million transfers allowed the day before, but it was already too late for Levitas Capital.
$1.2 million was already gone, and with it Levitas Capital’s reputation.
The Aftermath
The investigation uncovered that Muhammad Bhatti, the mastermind behind the bogus firm “Unique Star,” successfully withdrew $800,000 over 66 transactions in the span of 10 days, between September 16th, 2020, and September 26th, 2020.
He had already left Australia by the time authorities traced the crime back to him.
While Bhatti was enjoying the fruits of his heist, Levitas Capital was forced to close up shop. After their largest institutional client, Australian Catholic Super, caught wind of what had happened, trust was broken, and they dropped Levitas Capital.
But Australian Catholic Super was not only their most important client. Remember the $16 million investment that indirectly saved Levitas Capital from losing a staggering $7.5 million? It was from Australian Catholic Super.
Levitas Capital was left with no choice but to throw in the towel.
The downfall of Levitas Capital sent shockwaves through Australia, and extensive investigations soon uncovered that this hack was part of a $174 million cybercrime spree targeting businesses, especially hedge funds, in Australia in 2020.
The criminals behind these operations are believed to be a mix of Chinese hackers and Middle Eastern crime gangs.
Business email compromise accounted for 99% of all reported threats faced by businesses in 2023, following a vertigo-inducing jump of 81% in 2022. BEC was responsible for more than $2.7 billion in losses in the U.S. alone, according to the FBI Internet Crime (IC3) Report.
Firms with a significant concentration of funds, such as asset managers, are prime targets for BEC criminal ventures.
This kind of threat demands a high level of education for every single person in a company because individuals are today’s greatest attack vector for cybercriminals.
Multi-factor authentication, strong email authentication protocols, and strict financial controls are a must.
Additionally, implementing a foolproof security suite can help mitigate the risks associated with malicious software downloads through links or even PDFs.
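In the Levitas case the administrator's phone call never produced a confirmation, and an email from the compromised mailbox was accepted as approval instead. The sketch below is an added example, not code from the article or from any firm it names: it shows a payment-release check that holds transfers unless approval arrived through a channel that does not depend on the mailbox. The threshold, channel names and the routine payee are assumptions, and the sample requests are constructed from the amounts and beneficiaries described above.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumed policy values for this illustration; they are not from the article.
CALLBACK_THRESHOLD = Decimal("50000")               # at or above this, email-only approval is not enough
OUT_OF_BAND = {"callback_completed", "in_person"}   # channels independent of the mailbox

@dataclass(frozen=True)
class PaymentRequest:
    beneficiary: str
    amount: Decimal
    approval_channel: str    # how the approver's consent was actually obtained
    known_beneficiary: bool  # already on the verified payee list?

def review(req: PaymentRequest) -> list:
    """Return the reasons a request must be held; an empty list means release."""
    reasons = []
    out_of_band = req.approval_channel in OUT_OF_BAND
    if req.amount >= CALLBACK_THRESHOLD and not out_of_band:
        reasons.append("large transfer approved only over email")
    if not req.known_beneficiary and not out_of_band:
        reasons.append("new beneficiary not confirmed out of band")
    return reasons

def held(requests) -> dict:
    """Map each held beneficiary to the reasons its payment was stopped."""
    return {r.beneficiary: review(r) for r in requests if review(r)}

# Constructed sample modelled on the transfers described in the article.
SAMPLE = [
    PaymentRequest("Unique Star Trading", Decimal("1200000"), "email", False),
    PaymentRequest("Pavelin Limited", Decimal("2500000"), "email", False),
    PaymentRequest("East Grand Trading", Decimal("5000000"), "email", False),
    # Hypothetical routine payment to a verified payee, added for contrast.
    PaymentRequest("Existing Custodian", Decimal("20000"), "email", True),
]

if __name__ == "__main__":
    for name, reasons in held(SAMPLE).items():
        print(f"HOLD {name}: {'; '.join(reasons)}")
```

The point of the check is that an attacker who controls the approver's mailbox can satisfy any email-based approval, so the release decision has to rest on a completed callback to a number already on file.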
About us
Nefture is a Web3 real-time security and risk prevention platform that detects on-chain vulnerabilities and protects digital assets, protocols and asset managers from significant losses or threats.
Nefture's core services include Real-Time Transaction Security and a Threat Monitoring Platform that provides accurate exploit detection and fully customized alerts covering hundreds of risk types, with clear expertise in DeFi.
Today, Nefture proudly collaborates with leading projects and asset managers, providing them with unparalleled security solutions.