The perfect fall guy: How hackers used stolen Australian IDs to pull off a major US fraud

By Sarah Danckert

Hackers used the dark web to defraud a large US company using stolen Australian IDs. Credit: Marija Ercegovac

On a cool morning in mid-March this year – as a series of bank runs gripped America – a fast-growing investment house in Oakland, California, would spark a chain of events that would have enormous ramifications in Australia.

The company, Terra Global Capital LLC, spent the morning desperately trying to move $25 million out of San Francisco lender First Republic Bank amid fears the regional lender would soon collapse. The little-known carbon abatement investor had a lot to lose. Only months beforehand, it won a $US640 million ($960 million) investment mandate from Anew Climate, which is majority owned by a division of US private equity giant TPG Capital.

Over a series of hurried emails, Anew agreed to help its partner out. Over the next two weeks, Terra Global and Anew arranged for Terra Global to send its cash in First Republic – $US19 million ($25 million) – to Anew’s bank accounts at Bank of America for safe keeping. The two companies agreed that Anew would then return it to Terra Global on request at a later date.

What would happen next would seem more fitting of a modern-age financial crime thriller.

Without either Anew or Terra Global’s knowledge, a group of hackers had been lurking in Terra Global’s systems. These hackers used cloned emails of Terra Global’s chief executive and chief financial officer to impersonate them and convince executives at Anew to send the money to a bank account in Australia, despite Terra Global having no business here.

The hackers appear to have opened that bank account with National Australia Bank using an Australian company claiming to operate out of a house in the Sydney suburb of Leichhardt. The director and shareholder of the Australian company was a man called Michael, living nearly 175 kilometres away in the outer suburbs of Maitland, a rural city in the NSW Lower Hunter Valley.

The mega swindle is now the subject of investigations by the US Secret Service, the Federal Bureau of Investigation, Australian agencies and lawyers from the major Australian firm Gilbert + Tobin, who are all trying to find the missing cash.

But investigators have hit a snag after learning that the names and addresses of ordinary Australians with no links to Terra Global, Anew or, in some cases, even NAB have been used, or attempts made to use them, by the hackers as part of their fraud.

Much like the hacks of other large companies in Australia such as Optus, Medibank and Latitude Financial, the fraud at Terra Global again highlights the hacking dangers posed to big businesses with weak security systems.

It also cruelly demonstrates how easy it is for crooks to plunder the rivers of Australian identification documents that have been uploaded to the dark web after hacks of our biggest companies. It’s on the dark web that fraudsters can get the data to set up bank accounts to commit frauds in the names of unsuspecting, ordinary people. (This masthead has chosen not to report the surnames of the Australian people tied to the fraud as they are suspected victims of identity theft.)

Anew Climate, which counts TPG Capital as a major shareholder, had invested nearly $1 billion for carbon abatement projects in developing countries. Credit: Getty

The set-up

Back on January 11, things were bright for Terra Global and Anew. Both groups had trumpeted the $US640 million investment by TPG’s Anew into Terra Global, which invests in forest renewal and other similar carbon-offset programs in developing countries.

“We’re proud to partner with another woman-led business that drives the development and advancement of climate finance,” said Marc Mezvinsky, partner at TPG and member of Anew’s board of directors.

It was big money and someone was already watching.

Within 20 days of the January 11 announcement, unbeknown to anyone at the time, someone set up a company in Australia called Terra Global Capital LLC. The company was registered to a man called Jason, who was said in documents filed with the corporate watchdog to live in an apartment building in the Melbourne suburb of Malvern. It appears that group never did any business.

Several weeks later in early March – about 10 days before the meeting between Terra Global executives and Anew senior management – another Australian entity was set up. This time the company’s name was Terra Global Capital LL. The director was listed as Allan from Peakhurst in Sydney. Again, the company appears not to have done any business.

By March 23 – during Terra Global’s discussions with Anew over the transfer of the $US19 million – the fraudsters had hit on the winning formula. They set up a new Australian company, Terra Global Capital Pty Ltd. Michael from Maitland was listed as the director and shareholder. Now the company looked like a legitimate Australian small business and would soon obtain an NAB bank account.

It became one of the final pieces needed for the gang to execute their fraud.

The intercept

Already the hackers had infiltrated Terra Global’s systems. Once inside, the hackers created a rule in the Terra Global emails that caused emails between Anew and Terra’s CFO and CEO to be diverted to third-party email addresses so that the emails could be intercepted. At the same time, the hackers set up new email addresses for the senior staff at Anew under the domain anewclimates.com instead of anewclimate.com.

These tricks, along with the cloning of the CFO and CEO’s email, meant that the hackers were able to send emails from Terra Global’s cloned email addresses to Anew’s legitimate email addresses. Terra Global’s real executive email addresses were then programmed to only contact the fake Anew addresses.

The incredibly complex scheme set the scene for the intercept.
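The two mechanics described above (a mailbox rule diverting mail to outside addresses, and a partner domain with one extra letter) are exactly what a mail-security team can check for. The script below is an added illustration, not code from the article or from either company; the organisation domain, the rule names and the sample addresses are constructed, and only anewclimate.com / anewclimates.com come from the story.

```python
"""Two detections for the business-email-compromise tactics in the article:
   1. inbound mail whose sender domain is one edit away from a trusted partner domain
   2. mailbox rules that redirect mail to addresses outside the organisation."""

ORG_DOMAIN = "terraglobal.example"      # constructed stand-in for the victim's domain
TRUSTED_PARTNERS = {"anewclimate.com"}  # the real partner domain named in the article

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; the single added 's' in 'anewclimates' scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()

def lookalike_partner(address: str, max_distance: int = 1):
    """Return the trusted domain a sender imitates, or None if exact or unrelated."""
    dom = domain_of(address)
    if dom in TRUSTED_PARTNERS:
        return None
    hits = [t for t in TRUSTED_PARTNERS if edit_distance(dom, t) <= max_distance]
    return hits[0] if hits else None

def flag_external_forwarding(rules):
    """Return names of mailbox rules that redirect to any non-organisation address."""
    return [r["name"] for r in rules
            if any(domain_of(t) != ORG_DOMAIN for t in r["forward_to"])]

# Constructed sample data modelled on the article's description.
INBOUND = ["cfo@anewclimate.com", "ceo@anewclimates.com", "vendor@unrelated.example"]
RULES = [
    {"name": "Archive newsletters", "forward_to": ["archive@terraglobal.example"]},
    {"name": "Sync", "forward_to": ["cfo@terraglobal.example", "drop@mail-relay.example"]},
]

if __name__ == "__main__":
    for addr in INBOUND:
        hit = lookalike_partner(addr)
        print(f"{addr:32} {'LOOKALIKE of ' + hit if hit else 'ok'}")
    print("rules forwarding outside the organisation:", flag_external_forwarding(RULES))
```

Run against a real tenant, the rule audit would pull mailbox rules from the mail platform's admin API and the domain check would sit in the inbound mail filter; here both operate on the embedded sample data.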

At some point around late March, hackers hijacked the conversation between Terra Global and Anew, which was now safely holding the cash for Terra Global in its Bank of America accounts and expecting an email from its investment partner asking to return the money.

Using a cloned email of Terra Global’s chief financial officer, Bart Kortum, hackers wrote to Anew: “Please find revised wire instructions for the return of funds we have better insurance with the Australian bank than with First Republic bank to cover the funds. Feel free to use ‘return of funds’ as description. Amounts and bank information can be found in email string below. Copying for your convenience…”

The email included wiring instructions to an account held by National Australia Bank.

Two days later on April 6, the Thursday before Easter, Anew’s top brass received an email from the hackers again impersonating Kortum saying: “We confirm safe receipt of the funds in our Australian bank, Thank you. Have a good easter [sic] weekend.”

It would take 10 days for anyone in the US to suspect they had been had.

Once they were aware of the heist, lawyers in Australia would quickly lodge civil action in the Victorian Supreme Court to successfully obtain freezing orders over the NAB bank account, while Anew would report the matter to the FBI and then the US Secret Service.

The Secret Service deputy assistant director Jason Kane told Anew’s executives that most of the money was long gone.

Hackers are easily able to access the rivers of Australians’ personal data on the dark web. Credit: Getty

As the lawyer for Anew, Gilbert + Tobin partner Janet Whiting told the Victorian Supreme Court: “During the call, Mr Kane indicated the amount of funds identified to be recovered was $US1.18 million and those funds were at NAB.

“He also indicated that the Secret Service believe the remaining funds had been transferred to accounts in China and Turkey and they were continuing to work to recover funds and pursue the wrongdoers.

“Mr Kane did not indicate the identity of the wrongdoers but did indicate that he believes it was a sophisticated organisation that co-ordinated the attack.”

Investigations by Anew’s lawyers, who are also representing the American Terra Global company, are continuing in Australia.

The problem for investigators is that it appears that none of the information provided on the Australian company with the NAB bank account, Terra Global Capital Pty Ltd, is true.

Lawyers visited the residence in Leichhardt in mid-May, attempting to serve documents on the company and the man, Michael, listed as the company’s director and shareholder.

Two people at the property, neither of whom is called Michael, told the lawyer: “It doesn’t have anything to do” with them, according to court documents. The court documents added: “They ‘don’t know who this Michael person is’ and ‘don’t know why this company would be connected to [their] house’. They said they had lived there for 40 years, that they owned the property and had never rented it out.”

This week in a suburb on the outskirts of Maitland, two men on the same street have received three bundles of court documents relating to the case, wrapped in rubber bands and placed on their doorstep.

One, Michael, is the man listed as the sole director and shareholder of Terra Global Capital.

He told this masthead he had previously been a victim of stolen identity fraud.

“It all began three or four years ago. There was someone in Melbourne using my name on Gumtree ads and I got a call from the police,” he says.

“I went to the bank ... It was Westpac at the time, and they said there were 13 accounts in my name. I spent an hour with the fraud department and got it all sorted out.”

Michael, who works a trade and doesn’t appear to have any significant assets apart from his modest house, says he’s been left utterly confused after the documents were left.

“I haven’t looked in them. Am I named in them? Why would I be named in them?”

After hearing that he was listed as a director of the company being sued by Anew in the Supreme Court of Victoria as part of a $US19 million fraud on large American companies, he says: “Are you kidding me, is my name in those court documents?”

Up the road, Michael’s neighbour Peter has also received a bundle of court documents and doesn’t understand why either. There is no mention of him in any of the documents pertaining to the case. “It has nothing to do with me,” he says.

Gilbert + Tobin is now seeking more information from NAB as it tries to trace where the money may have gone, and to press the bank on the systems and controls that allowed fraudsters to use the bank for their heist. The firm declined to comment as the matter was before the court.

NAB also declined to comment specifically on the case because it was before the court.

“At NAB, we take our financial crime obligations very seriously,” said Chris Sheehan, a NAB executive in charge of the bank’s investigations.

“We have robust systems in place to ensure we’re meeting our customer identification and KYC [know your customer] obligations, and we continually invest in our ability to detect, deter and prevent financial crime.”

The case continues.


Sarah Danckert is a business reporter who specialises in investigations and corporate wrongdoing. She is a two-time Walkley Award winner, and has won five Quill Awards and two Kennedy Awards.
