A fake company, unsuspecting ‘money mules’ and bitcoin: How a Manitoba municipality lost $430K

It was a quiet January day in 2020 when the chief administrative officer of a southwestern Manitoba rural municipality noticed the series of unusual cash withdrawals from its bank account.

She quickly alerted her assistant, showing how money had been sent to multiple bank accounts the municipality had never dealt with.

“It was just kind of like a mad scramble to try and figure out what was going on,” said Kate Halashewski, who at the time was the assistant chief administrative officer for the Municipality of WestLake-Gladstone.

“As the day went on and [we’re] digging through the paperwork … it’s like withdrawal after withdrawal after withdrawal.”

Little did they know that while the roughly 3,300 residents of WestLake-Gladstone were enjoying the holiday season, the municipality had become the victim of a sophisticated cyberattack — one that involved a fake company tricking over a dozen students and new Canadians into acting as intermediaries to bilk the municipality out of more than $470,000.

The job offer

It began with a job advertisement.

A seemingly legitimate company, with a professional website and a Nova Scotia address, claimed it was looking for cash processors.

The contract was for one month. Employees could work from home.

They were told they would receive payments to their credit cards, which they would be expected to move to their bank accounts. They would then withdraw the payments, convert them into bitcoin, and send that to another account.

“This company was advertising on a number of the major job websites that you would expect people to seek employment,” said Cpl. Tarek Rabie, with the RCMP’s financial crime unit.

In an interview with CBC News, Rabie went through the RCMP’s investigation into the attack and explained how scammers were able to pull off the cyberheist without being detected.

The majority of the 18 people hired were young and lived in various communities across the country. Most were new Canadians, said Rabie.

“The individuals would be referred to — it’s not a flattering term — but as a money mule,” he said.

In this case, the 18 “money mules” were considered unwitting participants, lured to the company using what Rabie described as “professionally prepared” documents created to “entrap” them.

A CBC News reporter viewed the agreement signed by these new employees, which laid out the conditions of their work.

The four-page document included a seal with the company’s name and corporate number, signed by the company’s development manager.

The only requirements for the job were access to the internet, a phone, knowledge of internet banking and proximity to a bitcoin machine.

Anyone who did an internet search for the company would find a professional website, with information matching what was provided in the employment agreement.

The phishing email

In early December 2019, the cybercriminals sent a phishing email to multiple people at the municipal office of WestLake-Gladsone, a municipality about 150 kilometres west of Winnipeg, on the southwestern shore of Lake Manitoba.

At least one person clicked on the link, which allowed the hackers to get into the municipality’s computers and bank accounts.

But weeks went by and nothing happened, so the municipality didn’t report it to the police. It was only after the money disappeared that the municipality discovered the two incidents were connected, said Halashewski.

Rabie doesn’t believe the municipality was specifically targeted, but was unlucky enough to have an employee click on the malicious link.

“Most of these tend to be sent to as many email addresses as possible, hoping that anyone clicks on it,” he said.

Phishing scams typically send an email with a “lure,” such as promising a prize or impersonating the government in order to entice someone to click a link.

“Once a computer network is compromised, it typically spreads from one computer to another,” said Rabie.

Court documents say that on Dec. 19, 2019, a person logged into the municipality’s bank account and changed the password, along with the personal verification questions.

Over the next 17 days, the cyberattackers added the 18 “employees” hired as payees and began systematically making withdrawals, transferring the money to the employees’ credit cards.

Dozens of withdrawals were made, totalling $472,377, according to court documents — a considerable amount for a municipality with an entire annual budget of $7 million.

Those withdrawals weren’t discovered until Jan. 6, when Halashewski saw 48 bank transfers — each less than $10,000 — going to unfamiliar accounts.

“It was really alarming,” said the former assistant CAO, who left the job in June 2021.

The timing of the attack over the holidays was no coincidence, said Rabie.

“The person waited until the office would have been empty in order to initiate the suspicious transactions, because otherwise it would have been discovered sooner,” he said.

“[It] likely showed a certain amount of forethought and planning.”

Once staff realized that the transactions were unauthorized, they informed RCMP and the municipality’s credit union, which froze the account and recovered just under $50,000.

Where the money went

Rabie said the 18 workers were paid a commission of a few hundred dollars to accept the transfers.

He suspects that it was mostly newcomers to Canada who took the job due to their “unfamiliarity with Canadian employment procedures … and their desire for gainful employment.”

Once they’d completed the initial transfers and conversion, the bitcoin was then sent to the private account of the scammers — who cybersecurity experts say likely aren’t in Canada.

Once the money is out of a Canadian banking institution it becomes more difficult to trace, because officials no longer have jurisdiction to easily get a warrant, explained Sgt. Guy Paul Larocque, with the RCMP’s Canadian Anti-Fraud Centre.

“The fact that the world is global makes it easy for perpetrators to basically target victims … [from] any area of the world,” he said.

Meanwhile, for months, the citizens of WestLake-Gladstone had no idea about the cyberattack or missing money.

“I guess … you would hope that you could find a reason, or find where it went before you had to tell somebody,” Halashewski said when asked about the delay in telling residents.

“Because wouldn’t it be better to say to somebody, ‘Oh, well, you know, this thing happened, but we found it and we fixed it.'”

The municipality finally announced it had lost nearly half a million dollars in an Oct. 12, 2020, news release.

It said the municipality was “the target of a malicious cybersecurity breach” in which a “significant” amount of money was stolen from the municipality’s bank account.

Lawsuits filed

Around town, the rumour mill began churning, with accusations that someone within the municipality was involved — allegations the municipality denied.

RCMP say there is no evidence that anyone within the community was involved in the attack.

Behind the scenes, a fight was ensuing between the municipality against its financial institution, Stride Credit Union, and its insurance provider, Western Financial Group.

Both refused to cover WestLake-Gladstone’s loss.

In an attempt to recoup those losses, the municipality filed a lawsuit in the Court of King’s Bench against Stride in March 2021 and against Western Financial Group in December 2021.

Both remain before the courts.

Stride Credit Union’s statement of defence claims the municipality has not conducted a full forensic audit of its IT system, despite the credit union’s request for one.

The statement also claims the municipality has not given additional information when it has been requested by the credit union.

Western Financial’s statement of defence said there is no coverage for funds-transfer fraud or computer fraud under the municipality’s policy.

Officials with the municipality did not respond to a request for comment for this story.

Both Stride Credit Union and Western Financial Group declined to comment as the matter is still before the courts.

Insurance may not offer protection: expert

Imran Ahmad, a cybersecurity expert and lawyer in Montreal with the firm Norton Rose Fulbright, says his law firm was tracking or dealing with 500 cyberattack cases in 2022, up significantly from 320 in 2021.

“And that’s just one firm in Canada,” he said.

Police also say cybercrimes are on the rise. Police-reported crimes have steadily increased from just over 27,000 five years ago to more than 70,000 incidents in 2021, according to Statistics Canada data.

But officials estimate that only five to 10 per cent of incidents get reported.

“I can tell you that it’s not a crime that’s going to go away,” said the RCMP’s Larocque.

As for insurance, Ahmad said the “devil’s in the detail” as to whether you’ll be covered following a cyberattack.

He said it is rare to find a policy that will cover the sort of loss the municipality experienced — especially when a business or organization is attacked through an email phishing scam.

The municipality is responsible for keeping its passwords safe, he said.

“If somebody was able to get into the municipality’s systems or get into an email account where the username and password were made available, or they could do a reset of the password, that’s on the municipality or that organization,” he said.

Province orders investigation

In a rare move, a provincial government cabinet directive was made earlier this year to Manitoba’s auditor general to conduct an investigation into the operations “of various municipalities, including the municipality of WestLake-Gladstone.”

The government document, published in September, says the municipal relations department heard concerns from citizens in those municipalities with “respect to council governance, financial management, oversight and public accountability.”

No arrests have been made in connection with the WestLake-Gladstone cyberattack and RCMP say it is no longer under active investigation.