Cyberattack via Zoom-Invite Downs Hedge Fund

By Hedge Fund Insight staff


A hedge fund based in Sydney Australia has been the victim of a cyber attack that ultimately put it out of business. The rogue software was delivered via a Zoom invitation. Fake invoices were sent to the fund’s trustee and fund administrator leading to payments totaling $8.7m.

cyber icons 2

Levitas Capital was a quantitative investment manager specialising in equity volatility. The firm was founded by Michael Fagan and Michael Brookes in 2013. It was managing $75m and was up around 20% for the year when the attack happened in September.

Michael Fagan discovered the cyber attack on Levitas by chance on September 23, when the fund was preparing to receive an additional subscription of $16 million from Australian Catholic Super.

According to Australia’s “Financial Review“, “Cyber investigators hired by Levitas said the attack was initiated after Fagan or Brookes clicked on a fake Zoom invitation, which triggered a malicious software program to be planted on the company’s network. This allowed the cyber criminals to take control of its email system and send off the bogus invoices.”

Michael Fagan was in early  on the fateful day and, on checking the Commonwealth Bank account, found that $1.2m had been transferred out eight days earlier to an entity unknown to him. The recipient, Unique Star Trading, used an account at an ANZ Bank branch in suburban Sydney.

Financial Review reports that the payment was approved by AET Corporate Trust, Australia’s third-largest trustee with $55 billion under supervision, which holds money on behalf of funds like Levitas and is responsible for protecting investors. The owners of AET have said in a statement that they are continuing to investigate to determine “how the manual processes required to verify instructions may have fallen down”.

Michael Fagan has said that  the payment request was suspicious on many levels and should have been picked up by both the trustee and the administrator, Apex. There were at least three flags:

  1. The attached invoice was addressed to Levitas, not the trustee as was required.
  2. The invoice claimed to be a “capital call”, something the fund had never previously requested.
  3. Unique Star was not on the supplier list of the fund or manager, and there was no previous relationship.

The fund administrator, Apex, did call Michael Fagan to verify the transaction, but he was at the gym and said he would call back before approving any payments, according to “Financial Review”.

When he returned to the office Fagan emailed Apex but received no reply or call back. The $1.2 million was transferred to Unique Star’s ANZ account that day – September 16.

In the background, the fund later learned, the hackers had sent another email to the fund administrator Apex authorising the transaction, as they had taken control of the hedge fund’s email system.

A week after the first transaction, another fake invoice was wrongly authorised from the Levitas account. This time $2.5 million was sent to the Bank of China in Hong Kong to a company called Pavelin Limited. Once again, the fund hadn’t previously dealt with this company.

The hacker had sent a further email from Mr Fagan authorising the transaction. Neither Fagan nor Brookes received calls from the administrator or trustee to check the transaction.

On the same day – September 22 – the trustee received further instructions from the administrator to send $5 million to East Grand Trading at the United Overseas Bank in Singapore. The same red flags were evident on the invoice, but again, no verification calls were made. The money was approved for transfer.

Fortunately, on that same day, Mr Fagan checked the bank accounts, something he would not normally do, as he was waiting for the additional funds from Catholic Super. Fin Review Levitas 2

On realising more than $8 million was missing, he immediately issued stop orders with a series of frantic phone calls. Since then he has retrieved the $5 million sent to Singapore and the $2.5 million which went to Hong Kong.

But had he not checked the account, or waited even another day, the funds would have most likely cleared both overseas banks and become almost impossible to trace. The losses could have been of $30m if the transactions in process had gone to completion.

After the cybercrime the Australian Catholic Super not only decided to pull its’ additional subscription but withdrew all the capital previously committed to Levitas Capital. As the Catholic Super was the firm’s largest institutional investor, this left the Sydney hedge fund manager with little choice but to close.



related content:

More than the Money: Seven Steps to Protect Your Firm from the Fallout of a Cyberattack

Infographic: Financial Service Cyber Attacks Up Fivefold In 2018