A fake company, unsuspecting 'money mules' and bitcoin: How a Manitoba municipality lost $430K - Action News
Home WebMail Friday, November 22, 2024, 11:49 AM | Calgary | -10.8°C | Regions Advertise Login | Our platform is in maintenance mode. Some URLs may not be available. |
ManitobaCBC Investigates

A fake company, unsuspecting 'money mules' and bitcoin: How a Manitoba municipality lost $430K

In early 2020, the Municipality of WestLake-Gladstone became the victim of a sophisticated cyberattack one that involveda fake company trickingover a dozen students and new Canadians into acting as intermediaries tobilk the municipality outof more than $470,000.

WestLake-Gladstone fell victim to a 'malicious' cyberattack over holiday season in 2019

'Malicious' cyberattack: How a Manitoba municipality lost $430K

2 years ago
Duration 3:26
In early 2020, the Municipality of WestLake-Gladstone became the victim of a sophisticated cyberattack one that involved a fake company tricking over a dozen students and new Canadians into acting as intermediaries to bilk the municipality out of more than $470,000.

It was a quiet January day in 2020whenthe chief administrative officer ofa southwestern Manitoba rural municipality noticed theseries of unusualcash withdrawals from itsbank account.

She quickly alerted her assistant, showing how money had been sent to multiplebank accounts the municipalityhad never dealt with.

"It was just kind of like a mad scramble to try and figure out what was going on," said Kate Halashewski, who at the time was theassistantchief administrative officer for the Municipality of WestLake-Gladstone.

Over the 2019 holiday season, a cyberattack on the Municipality of WestLake-Gladstone led to the fraudulent withdrawal of almost half a million dollars. No arrests have been made in connection with the attack, police say. (Dado Ruvic/Reuters)

"As the day went on and [we're] digging through the paperwork it's like withdrawal after withdrawal after withdrawal."

Little did they know that while the roughly 3,300residents of WestLake-Gladstone were enjoying theholiday season, the municipality had become the victim of a sophisticated cyberattack one that involveda fake company trickingover a dozen students and new Canadians into acting as intermediaries tobilk the municipality outof more than $470,000.

The job offer

It began with a job advertisement.

A seemingly legitimate company, with a professional website and aNova Scotia address, claimed it was looking for cash processors.

The contract was for one month. Employees could work from home.

They were told they would receive payments to their credit cards,which they would be expected to moveto their bank accounts. They would then withdraw the payments, convert them into bitcoin, andsend thatto anotheraccount.

"This company was advertising on a number of the major job websites that you would expect people to seek employment," said Cpl. Tarek Rabie, with the RCMP's financial crime unit.

A sign that says.
The fraudulent transactions began on Dec. 19, 2019, but they were not discovered by town officials until Jan. 6. (Warren Kay/CBC)

In an interview with CBC News, Rabie went through the RCMP's investigation into the attack and explained how scammers were able to pull off the cyberheist without being detected.

The majority of the 18 people hiredwere young and lived in various communities across the country. Most were new Canadians, said Rabie.

"The individuals would be referred to it's not a flattering term but as a money mule," he said.

In this case, the 18 "money mules" were considered unwitting participants, lured to the company using what Rabie described as "professionally prepared" documentscreated to "entrap" them.

A CBC News reporter viewed the agreement signed by these new employees, which laid out the conditions of their work.

The four-page document included a seal with the company's name and corporate number, signed by the company's development manager.

The only requirements for the job were access to the internet, a phone, knowledge of internet banking and proximity to a bitcoin machine.

Anyone who did an internet search forthe company would find aprofessional website, withinformation matching what wasprovided in the employment agreement.

A picture of a famous roadside attraction in Gladstone. It is a rock with a face on it and it is smiling and waving and the words Happy Rock under. The rock is wearing a black top hat.
Rumours began to swirl around the town that someone within the municipality was involved in the theft an allegation both the municipality and RCMP deny. (Warren Kay/CBC)

The phishing email

In early December2019, the cybercriminals sent a phishing email to multiple people at the municipal office of WestLake-Gladsone, a municipality about 150 kilometres west of Winnipeg, on the southwestern shore of Lake Manitoba.

At least one person clicked on the link, which allowed the hackers to get into the municipality's computers and bank accounts.

But weeks went by and nothing happened, so the municipality didn't report it to the police. It was only after the money disappeared that the municipalitydiscovered the two incidents were connected, said Halashewski.

WestLake-Gladstone has a population of just under 3,300 and an annual municipal budget of about $7 million. The dozens of fraudulent withdrawals made totalled $472,377, according to court documents. (Warren Kay/CBC)

Rabie doesn't believe the municipality was specifically targeted, but was unlucky enough to have an employeeclick on the malicious link.

"Most of these tend to be sent to as many email addresses as possible, hoping that anyone clicks on it," he said.

Phishing scams typically send an email with a "lure," such aspromisinga prize orimpersonating the government in order to entice someone to click a link.

"Once a computer network is compromised, it typically spreads from one computer to another," said Rabie.

Court documents say that on Dec. 19, 2019, a person logged into the municipality's bankaccount and changed the password, along with the personal verification questions.

Over the next 17 days, the cyberattackers added the 18 "employees"hired as payees and began systematically making withdrawals,transferring the money to the employees' credit cards.

Dozens of withdrawals were made,totalling $472,377, according to court documents a considerable amount for a municipality with anentire annual budget of$7 million.

Those withdrawals weren'tdiscovered until Jan. 6, whenHalashewski saw48 bank transfers eachless than $10,000 going tounfamiliar accounts.

"It was really alarming," said the former assistantCAO, who left the job in June 2021.

A woman with long blond hair, wearing a green sweater, sits on a couch and looks at a person off-camera with a serious expression.
Kate Halashewski, WestLake-Gladstone's former assistant CAO, said the municipality discovered the money was missing after the holidays. Police believe the timing of the attack when staff were off was not a coincidence. (Warren Kay/CBC)

The timing of the attack over the holidays was no coincidence, said Rabie.

"The person waited until the office would have been empty in order to initiate the suspicious transactions, because otherwise it would have been discovered sooner," he said.

"[It] likely showed a certain amount of forethought and planning."

Once staff realized that the transactions were unauthorized, they informed RCMP and the municipality's credit union, which froze the account and recovered just under $50,000.

Where the money went

Rabie said the 18 workers were paid a commission of a few hundred dollars to accept the transfers.

He suspects that it was mostly newcomers to Canada who took the job due to their "unfamiliarity with Canadian employment procedures and their desire for gainful employment."

Once they'd completed the initialtransfers and conversion, thebitcoin was then sentto the private account of the scammers who cybersecurity experts say likelyaren't in Canada.

Once the money is out of a Canadian banking institutionit becomes more difficult to trace, because officials no longer have jurisdiction to easily get a warrant, explained Sgt. Guy Paul Larocque, with the RCMP'sCanadian Anti-Fraud Centre.

"The fact that the world is global makes it easy for perpetrators to basically target victims [from] any area of the world," he said.

A portrait of a man with short grey hair with a Canadian flag behind him dressed in an RCMP officer's uniform.
Sgt. Guy Paul Larocque, the acting officer in charge of the RCMP's Canadian Anti-fraud Centre, says that once money has left a Canadian bank institution it becomes more difficult to trace. (RCMP)

Meanwhile, for months, the citizens of WestLake-Gladstone had no idea about the cyberattack or missing money.

"I guess you would hope that you could find a reason, or find where it went before you had to tell somebody," Halashewski said when asked about the delay in telling residents.

"Because wouldn't it be better to say to somebody, 'Oh, well, you know, this thing happened, but we found it and we fixed it.'"

The municipality finally announced it had lost nearly half a million dollars in an Oct. 12, 2020, news release.

It said the municipality was"the target of a malicious cybersecurity breach" in which a "significant" amount of money was stolen from the municipality's bank account.

Lawsuitsfiled

Around town, the rumour mill began churning, with accusations that someone within the municipality was involved allegations the municipality denied.

RCMP saythere is no evidence that anyone within the community was involved in the attack.

Behind the scenes, a fight was ensuing between the municipality against its financialinstitution, Stride Credit Union, and itsinsurance provider, Western Financial Group.

Both refused to cover WestLake-Gladstone's loss.

In an attempt to recoup those losses, the municipality filed a lawsuit in the Court of King's Benchagainst Stride in March 2021 and against Western Financial Group in December 2021.

Both remain before the courts.

A building with a sign on it that says,
WestLake-Gladstone's credit union said it would not cover the losses, claiming in a statement of defence that the municipality has not conducted a full forensic audit as requested. (Warren Kay/CBC)

Stride Credit Union's statement of defence claims the municipality has not conducted a full forensic audit of its IT system, despite the credit union's request for one.

The statement also claimsthe municipality has not given additional information when it has been requested by the credit union.

Western Financial's statement of defence said there is no coverage for funds-transfer fraud or computer fraud under the municipality's policy.

Officials with the municipality did not respond to a request for comment for this story.

Both Stride Credit Union and Western Financial Group declined to comment as the matter is still before the courts.

Insurance may not offer protection: expert

Imran Ahmad, a cybersecurity expert and lawyer in Montreal with the firm Norton Rose Fulbright, sayshis law firm wastracking or dealing with 500 cyberattack cases in 2022, up significantly from320 in 2021.

"And that's just one firm in Canada," he said.

Police also say cybercrimesare on the rise. Police-reported crimes have steadily increased from just over 27,000 five years agoto more than70,000 incidents in 2021, according to Statistics Canada data.

But officials estimate that only five to 10 per cent of incidents get reported.

"I can tell you that it's not a crime that's going to go away," said the RCMP'sLarocque.

A portrait of a man in glasses, with a bread wearing a red tie and a suit with dark hair.
Imran Ahmad, a cybersecurity expert and senior partner at the law firm Norton Rose Fulbright Canada, says there are many issues when it comes to recovering losses following a cyberattack. (Supplied by Norton Rose Fulbright Canada LLP)

As for insurance, Ahmad saidthe "devil's in the detail" as to whether you'll be covered following a cyberattack.

He said it is rare to find a policy that will cover the sort of loss the municipality experienced especially when a business or organization is attacked through an email phishing scam.

The municipality is responsible for keeping its passwords safe, he said.

"If somebody was able to get into the municipality's systems or get into an email account where the username and password were made available, or they could do a reset of the password, that's on the municipality or that organization," he said.

Province orders investigation

In a rare move, a provincial government cabinet directive was made earlier this year to Manitoba's auditor general to conduct an investigation into the operations"ofvarious municipalities, including the municipality of WestLake-Gladstone."

The government document, published in September, says the municipal relations department heard concerns from citizens in those municipalities with "respect to council governance, financial management, oversight and public accountability."

No arrests have been made in connection with the WestLake-Gladstone cyberattack and RCMP say it is no longer under active investigation.

With files from Vera-Lynn Kubinec