A bogus company, unsuspecting ‘money mules’ and bitcoin: How a Manitoba municipality lost $430,000
It was a quiet January day in 2020 when the CEO of a rural municipality in southwestern Manitoba noticed a series of unusual cash withdrawals from the municipality’s bank account.
She quickly alerted her assistant, showing how money had been sent to several bank accounts the council had never dealt with.
“It was just kind of like a mad scramble to try to figure out what was going on,” said Kate Halashewski, who at the time was the assistant executive director of the municipality of WestLake-Gladstone.
“As the day went on and [we’re] digging through the papers … it’s like withdrawal after withdrawal after withdrawal.”
Little did they know that while the 3,300 or so residents of WestLake-Gladstone were enjoying the holidays, the municipality had fallen victim to a sophisticated cyber attack – one involving a fake company that tricked over a dozen students and new Canadians into acting as middlemen to bilk the municipality out of more than $470,000.
The job offer
It started with a job advertisement.
An apparently legitimate company, with a professional website and a Nova Scotia address, claimed it was looking for cash handlers.
The contract was for one month. Employees could work from home.
They were told they would receive payments to their credit cards, which they would be expected to transfer to their bank accounts. They would then withdraw the payments, convert them to bitcoin and send the bitcoin to another account.
“This company advertised on a number of the major job sites that you would expect people to be looking for work,” said Cpl. Tarek Rabie, with the RCMP’s financial crime unit.
In an interview with CBC News, Rabie went through the RCMP’s investigation into the attack and explained how fraudsters were able to pull off the cyber heist without being detected.
The majority of the 18 employees were young and lived in various communities across the country. Most were new Canadians, Rabie said.
“The individuals will be referred to — that’s not a flattering term — as a money mule,” he said.
In this case, the 18 “money mules” were considered unwitting participants, lured to the company using what Rabie described as “professionally prepared” documents designed to “catch” them.
A CBC News reporter looked at the agreement signed by these new employees, which set out the terms of their work.
The four-page document contained a seal with the company’s name and company number, signed by the company’s development manager.
The only requirements for the job were access to the internet, a telephone, knowledge of online banking and proximity to a bitcoin machine.
Anyone who did an internet search for the company would find a professional website, with information that matched what was provided in the employment contract.
The phishing email
In early December 2019, cybercriminals sent a phishing email to several people at the municipal office of WestLake-Gladstone, a municipality about 150 kilometers west of Winnipeg, on the southwest shore of Lake Manitoba.
At least one person clicked on the link, which allowed the hackers to gain access to the municipality’s computers and bank accounts.
But weeks passed and nothing happened, so the municipality did not report it to the police. It was only after the money disappeared that the municipality discovered that the two incidents were connected, Halashewski said.
Rabie does not believe the municipality was specifically targeted, but was unlucky enough to have an employee click on the malicious link.
“Most of these tend to be sent to as many email addresses as possible in the hope that someone will click on it,” he said.
Phishing scams usually send an email with a “lure”, such as promising a prize or pretending to be the government, to entice someone to click on a link.
“When a computer network is compromised, it usually spreads from one computer to another,” Rabie said.
Court documents say that on December 19, 2019, a person logged into the municipality’s bank account and changed the password, along with the personal verification questions.
Over the next 17 days, the attackers added the 18 hired “employees” as payees and began systematically making withdrawals, transferring the money to the employees’ credit cards.
Dozens of withdrawals were made, totaling $472,377, according to court documents — a significant amount for a municipality with a full annual budget of $7 million.
Those withdrawals weren’t discovered until Jan. 6, when Halashewski saw 48 wire transfers — each less than $10,000 — go to unknown accounts.
“It was really alarming,” said the former assistant CAO, who left the job in June 2021.
The timing of the attack during the holidays was no coincidence, Rabie said.
“The person waited until the office would have been empty to initiate the suspicious transactions, because otherwise it would have been discovered earlier,” he said.
“[It] probably showed a certain amount of forethought and planning.”
When staff realized the transactions were unauthorized, they informed the RCMP and the municipality’s credit union, which froze the account and recovered just under $50,000.
Where the money went
Rabie said the 18 workers were paid a commission of a few hundred dollars to accept the transfers.
He suspects that it was mostly newcomers to Canada who took the jobs because of their “unfamiliarity with Canadian employment procedures … and their desire for wage work.”
Once they completed the initial transfers and conversion, the bitcoin was sent to the private account of the fraudsters – which cyber security experts say is probably not in Canada.
Once the money is out of a Canadian banking institution, it becomes more difficult to trace because officials no longer have the jurisdiction to easily obtain an arrest warrant, explained Sgt. Guy Paul Larocque, with the RCMP’s Canadian Anti-Fraud Centre.
“The fact that the world is global makes it easy for perpetrators to initially target victims… [from] any area of the world,” he said.
Meanwhile, for months, WestLake-Gladstone residents had no idea about the cyberattack or missing money.
“I guess … you would hope you could find a cause, or find where it went before you had to tell somebody,” Halashewski said when asked about the delay in telling residents.
“Because wouldn’t it be better to say to somebody, ‘Oh, well, you know, this thing happened, but we found it and we fixed it.’”
The municipality eventually announced in a press release on October 12, 2020, that it had lost nearly half a million dollars.
It said the council was the “target of a malicious cyber security breach” in which a “significant” amount was stolen from the council’s bank account.
Lawsuit filed
Around town, rumors began to swirl, with accusations that someone in the municipality was involved – claims the municipality denied.
RCMP say there is no evidence that anyone in the community was involved in the attack.
Behind the scenes, a battle was going on between the municipality and both the financial institution Stride Credit Union and the insurance provider Western Financial Group.
Both refused to cover WestLake-Gladstone’s loss.
In an attempt to recoup these losses, the council brought proceedings in the Court of King’s Bench against Stride in March 2021 and against Western Financial Group in December 2021.
Both remain before the courts.
Stride Credit Union’s statement of defense alleges that the municipality has not conducted a full forensic audit of its IT system, despite the credit union’s request to do so.
The statement also claims that the municipality has not provided additional information when the credit union has requested it.
Western Financial’s statement of defense said there is no coverage for wire fraud or data fraud under the council’s policy.
City officials did not respond to a request for comment for this story.
Both Stride Credit Union and Western Financial Group declined to comment as the case is still before the courts.
Insurance may not provide protection: expert
Imran Ahmad, a cybersecurity expert and lawyer in Montreal with the firm Norton Rose Fulbright, says his law firm tracked or handled 500 cyber attack cases in 2022, a significant increase from 320 in 2021.
“And there’s only one firm in Canada,” he said.
The police also say that cybercrime is increasing. Police-reported crimes have risen steadily from just over 27,000 five years ago to more than 70,000 incidents in 2021, according to Statistics Canada data.
But officials estimate that only five to ten percent of incidents are reported.
“I can tell you it’s not a crime that’s going to go away,” RCMP’s Larocque said.
When it comes to insurance, Ahmad said “the devil is in the details” if you want to be covered after a cyber attack.
He said it is rare to find a policy that will cover the kind of loss the municipality experienced – especially when a business or organization is attacked through an email phishing attack.
The municipality has a responsibility to keep its passwords safe, he said.
“If someone was able to get into the council’s systems or get into an email account where the username and password were made available or they were able to do a password reset, that’s on the council or that organisation,” he said.
The province orders an investigation
In a rare move earlier this year, a directive was issued by the provincial government to Manitoba’s auditor general to conduct an investigation into the operations “of various municipalities, including the municipality of WestLake-Gladstone.”
The government document, published in September, says the Department of Municipal Relations heard concerns from residents of these municipalities with “respect for council governance, financial management, oversight and public accountability.”
No arrests have been made in connection with the WestLake-Gladstone cyberattack, and RCMP say it is no longer under active investigation.