A fake company, unsuspecting ‘money mules’ and bitcoin: How a Manitoba municipality lost $450K | 24CA News

It was a quiet January day in 2020 when the chief administrative officer of a southwestern Manitoba rural municipality observed the collection of bizarre money withdrawals from its checking account.

She shortly alerted her assistant, exhibiting how cash had been despatched to a number of financial institution accounts the municipality had by no means handled. 

“It was just kind of like a mad scramble to try and figure out what was going on,” stated Kate Halashewski, who on the time was the assistant chief administrative officer for the Municipality of WestLake-Gladstone.

“As the day went on and [we’re] digging through the paperwork … it’s like withdrawal after withdrawal after withdrawal.”

Little did they know that whereas the roughly 3,300 residents of WestLake-Gladstone had been having fun with the vacation season, the municipality had develop into the sufferer of a complicated cyberattack — one which concerned a faux firm tricking over a dozen college students and new Canadians into appearing as intermediaries to bilk the municipality out of greater than $470,000.

The job provide

It started with a job commercial.

A seemingly reliable firm, with knowledgeable web site and a Nova Scotia tackle, claimed it was in search of money processors.

The contract was for one month. Employees might work at home.

They had been informed they might obtain funds to their bank cards, which they might be anticipated to maneuver to their financial institution accounts. They would then withdraw the funds, convert them into bitcoin, and ship that to a different account.

“This company was advertising on a number of the major job websites that you would expect people to seek employment,” stated Cpl. Tarek Rabie, with the RCMP’s monetary crime unit.

In an interview with 24CA News, Rabie went through the RCMP’s investigation into the attack and explained how scammers were able to pull off the cyberheist without being detected.

The majority of the 18 people hired were young and lived in various communities across the country. Most were new Canadians, said Rabie.

“The individuals would be referred to — it’s not a flattering term — but as a money mule,” he said.

In this case, the 18 “money mules” were considered unwitting participants, lured to the company using what Rabie described as “professionally prepared” documents created to “entrap” them.

A 24CA News reporter viewed the agreement signed by these new employees, which laid out the conditions of their work.

The four-page document included a seal with the company’s name and corporate number, signed by the company’s development manager.

The only requirements for the job were access to the internet, a phone, knowledge of internet banking and proximity to a bitcoin machine. 

Anyone who did an internet search for the company would find a professional website, with information matching what was provided in the employment agreement.

The phishing email

In early December 2019, the cybercriminals sent a phishing email to multiple people at the municipal office of WestLake-Gladsone, a municipality about 150 kilometres west of Winnipeg, on the southwestern shore of Lake Manitoba.

At least one person clicked on the link, which allowed the hackers to get into the municipality’s computers and bank accounts. 

But weeks went by and nothing happened, so the RM didn’t report it to the police. It was only after the money disappeared that the municipality discovered the two incidents were connected, said Halashewski.

Rabie doesn’t believe the municipality was specifically targeted, but was unlucky enough to have an employee click on the malicious link.

“Most of these tend to be sent to as many email addresses as possible, hoping that anyone clicks on it,” he said.

Phishing scams typically send an email with a “lure,” such as promising a prize or impersonating the government in order to entice someone to click a link.

“Once a computer network is compromised, it typically spreads from one computer to another,” said Rabie. 

Court documents say that on Dec. 19, 2019, a person logged into the municipality’s bank account and changed the password, along with the personal verification questions. 

Over the next 17 days, the cyberattackers added the 18 “employees” hired as payees and began systematically making withdrawals, transferring the money to the employees’ credit cards.

Dozens of withdrawals were made, totalling $472,377, according to court documents — a considerable amount for a municipality with an entire annual budget of $7 million.

Those withdrawals weren’t discovered until Jan. 6, when Halashewski saw 48 bank transfers — each less than $10,000 — going to unfamiliar accounts.

“It was really alarming,” said the former assistant CAO, who left the job in June 2021.

The timing of the attack over the holidays was no coincidence, said Rabie.

“The person waited until the office would have been empty in order to initiate the suspicious transactions, because otherwise it would have been discovered sooner,” he said.

“[It] likely showed a certain amount of forethought and planning.”

Once staff realized that the transactions were unauthorized, they informed RCMP and the municipality’s credit union, which froze the account and recovered just under $50,000.

Where the money went

Rabie said the 18 workers were paid a commission of a few hundred dollars to accept the transfers.

He suspects that it was mostly newcomers to Canada who took the job due to their “unfamiliarity with Canadian employment procedures … and their desire for gainful employment.”

Once they’d completed the initial transfers and conversion, the bitcoin was then sent to the private account of the scammers — who cybersecurity experts say likely aren’t in Canada.

Once the money is out of a Canadian banking institution it becomes more difficult to trace, because officials no longer have jurisdiction to easily get a warrant, explained Sgt. Guy Paul Larocque, with the RCMP’s Canadian Anti-Fraud Centre.

“The fact that the world is global makes it easy for perpetrators to basically target victims … [from] any area of the world,” he said. 

Meanwhile, for months, the citizens of WestLake-Gladstone had no idea about the cyberattack or missing money.

“I guess … you would hope that you could find a reason, or find where it went before you had to tell somebody,” Halashewski said when asked about the delay in telling residents.

“Because wouldn’t it be better to say to somebody, ‘Oh, well, you know, this thing happened, but we found it and we fixed it.'”

The municipality finally announced it had lost nearly half a million dollars in an Oct. 12, 2020, news release.

It said the municipality was “the target of a malicious cybersecurity breach” in which a “significant” amount of money was stolen from the RM’s bank account.

Lawsuits filed

Around town, the rumour mill began churning, with accusations that someone within the municipality was involved — allegations the municipality denied. 

RCMP say there is no evidence that anyone within the community was involved in the attack.

Behind the scenes, a fight was ensuing between the municipality against its financial institution, Stride Credit Union, and its insurance provider, Western Financial Group.

Both refused to cover WestLake-Gladstone’s loss.

In an attempt to recoup those losses, the municipality filed a lawsuit in the Court of King’s Bench against Stride in March 2021 and against Western Financial Group in December 2021.

Both remain before the courts.

Stride Credit Union’s assertion of defence claims the municipality has not performed a full forensic audit of its IT system, regardless of the credit score union’s request for one.

The assertion additionally claims the municipality has not given extra data when it has been requested by the credit score union. 

Western Financial’s assertion of defence stated there is no such thing as a protection for funds-transfer fraud or pc fraud underneath the RM’s coverage.

Officials with the municipality didn’t reply to a request for remark for this story.

Both Stride Credit Union and Western Financial Group declined to remark because the matter continues to be earlier than the courts.

Insurance might not provide safety: knowledgeable

Imran Ahmad, a cybersecurity knowledgeable and lawyer in Montreal with the agency Norton Rose Fulbright, says his legislation agency was monitoring or coping with 500 cyberttack circumstances in 2022, up considerably from 320 in 2021.

“And that’s just one firm in Canada,” he stated.

Police additionally say cybercrimes are on the rise. Police-reported crimes have steadily elevated from simply over 27,000 5 years in the past to greater than 70,000 incidents in 2021, in keeping with Statistics Canada information.

But officers estimate that solely 5 to 10 per cent of incidents get reported.

“I can tell you that it’s not a crime that’s going to go away,” stated the RCMP’s Larocque.

As for insurance coverage, Ahmad stated the “devil’s in the detail” as as to whether you will be coated following a cyberattack.

He stated it’s uncommon to discover a coverage that can cowl the form of loss the municipality skilled — particularly when a business or group is attacked by way of an electronic mail phishing rip-off.

The municipality is chargeable for holding its passwords protected, he stated. 

“If somebody was able to get into the municipality’s systems or get into an email account where the username and password were made available, or they could do a reset of the password, that’s on the municipality or that organization,” he stated.

Province orders investigation

In a uncommon transfer, a provincial authorities cupboard directive was made earlier this 12 months to Manitoba’s auditor normal to conduct an investigation into the operations “of various municipalities, including the municipality of WestLake-Gladstone.”

The authorities doc, printed in September, says the municipal relations division heard issues from residents in these municipalities with “respect to council governance, financial management, oversight and public accountability.”

No arrests have been made in reference to the WestLake-Gladstone cyberattack and RCMP say it’s now not underneath lively investigation.