The failure of fund administrators, trustees and banks to stop the transfers raises questions around the oversight of Australia’s $1.2 trillion superannuation industry and its readiness to deal with increasingly frequent cyber attacks.
The Australian Financial Review has been told of another fund which lost $25 million in client money from a similar cyber attack, while the trustee for another firm blocked a $1.8 million transfer after the fake invoice was spotted.
Cyber investigators hired by Levitas said the attack began when Mr Fagan or Mr Brookes clicked on a fake Zoom invitation, which planted malicious software on the company’s network. This gave the criminals control of the firm’s email system, from which they sent the bogus invoices.
Mr Fagan discovered the cyber attack on Levitas by chance on September 23, when the four-year-old fund was preparing to receive a further $16 million from Australian Catholic Super after a bumper year. ACS declined to comment.
The fund, which Mr Fagan founded with fellow trader Michael Brookes, had risen 20 per cent for the year as its algorithm-based model benefited from the wild fluctuations on global markets.
“We were really flying,” Mr Brookes said.
By chance on that Wednesday morning, Mr Fagan was in the office early and checked the company’s Commonwealth Bank account only to discover $1.2 million had been transferred out eight days earlier. The company receiving the money, Unique Star Trading, meant nothing to him.
Even more curious was that the money had been transferred to an ANZ account in the south-western Sydney suburb of Bankstown, which the fund had never dealt with previously.
The payment was approved by AET Corporate Trust, Australia’s third-largest trustee with $55 billion under supervision, which holds money on behalf of funds like Levitas and is responsible for protecting investors. AET is owned by Sargon, a superannuation services roll-up that was bought by New York financiers this year after going into voluntary administration.
In a statement, Sargon said it was “continuing to investigate the compromise” to determine “how the manual processes required to verify instructions may have fallen down”. The company stressed its SargonPay infrastructure remained secure.
Mr Fagan said the payment request was suspicious on many levels and should have been picked up by both the trustee and the administrator, Apex.
“The entire funds management industry relies on a range of important checks and balances to ensure the integrity of the system – in particular the role trustees and administrators are supposed to play,” he said.
“This is one example of the manifest failure of these checks and balances with dramatic consequences for our business. It makes you wonder where else in the system could this happen?”
The red flags that went unnoticed included the attached invoice being addressed to Levitas rather than to the trustee, as was required. It also claimed to be a “capital call”, something the fund had never previously requested. And Unique Star had no links or previous relationship with the fund and was not on its supplier list.
The fund administrator, Apex, did call Mr Fagan to verify the transaction, but he was at the gym and said he would call back before approving any payments.
When he returned to the office he emailed Apex but received no reply or call back. The $1.2 million was transferred to Unique Star’s ANZ account that day – September 16.
In the background, the fund later learned, the hackers had sent Apex another email authorising the transaction. Because they controlled the hedge fund’s email system, the “approval” arrived from the very channel the attackers had compromised.
Apex said it “strongly disputes claims that insufficient attempts were made to inform the managers of potentially fraudulent transfers”.
“We have robust internal procedures and controls in place. We are confident that our processes were followed appropriately,” it said in a statement.
In a 10-day period after that money was transferred, a Pakistani national, Muhammad Bhatti, walked into an ANZ branch in Bankstown and withdrew $240,000 via a bank cheque.
He also raised another bank cheque for $240,000 from an ANZ branch in Kogarah during this period. One of these cheques was then deposited in a Bank of Queensland account; the other was blocked by Commonwealth Bank, Levitas’ bankers.
On September 26, Mr Bhatti left Australia on a Qatar Airways flight, but prior to this he made 64 more withdrawals from the ANZ account totalling about $300,000. These included cash withdrawals from ANZ branches and convenience stores, along with purchases from David Jones and JB Hi-Fi.
In a statement, ANZ said while real-time payments provided opportunities for criminal elements, it continued to work closely with AUSTRAC, law enforcement and the broader industry to detect, prevent and disrupt serious financial crimes.
A week after the first transaction, another fake invoice was wrongly authorised from the Levitas account. This time $2.5 million was sent to the Bank of China in Hong Kong to a company called Pavelin Limited. Once again, the fund hadn’t previously dealt with this company.
The hackers had sent a further email from Mr Fagan’s compromised account authorising the transaction. Neither Mr Fagan nor Mr Brookes received calls from the administrator or trustee to check the transaction.
On the same day – September 22 – the trustee received further instructions from the administrator to send $5 million to East Grand Trading at the United Overseas Bank in Singapore. The same red flags were evident on the invoice, but again, no verification calls were made. The money was approved for transfer.
Fortunately, on that same day, Mr Fagan checked the bank accounts, something he would not normally do, as he was waiting for the additional funds from Catholic Super.
On realising more than $8 million was missing, he immediately issued stop orders with a series of frantic phone calls. Since then he has retrieved the $5 million sent to Singapore and the $2.5 million which went to Hong Kong.
But had he not checked the account, or waited even another day, the funds would have most likely cleared both overseas banks and become almost impossible to trace.
“We could have lost $30 million,” Mr Brookes said.
By the time the pair were alerted to the fraud, the $1.2 million ANZ payment had already gone through – and $781,000 had been taken out of the account by Mr Bhatti.