Hackers Steal $10M in "Wonderfully Done" fraud from Norway’s State Investment Fund

Graham Cluley

May 18, 2020

Norfund, the Norwegian state-owned investment fund for developing countries, has revealed that it has been swindled out of US $10,000,000 (approximately 100 million Norwegian kroner) intended for an institution in Cambodia.

The fund, which helps the Norwegian government build sustainable businesses and industries in developing countries by providing equity capital, is thought to have had its email system compromised by scammers for several months.

After breaching its infrastructure, the attackers were able to patiently monitor Norfund's email communications with partners, gather information, and create an account impersonating a member of staff authorised to make payments.

As Norfund's press release explains, the fact that the hackers had bided their time, learning how the investment fund operated, helped the fraud succeed:

"The defrauders manipulated and falsified information exchange between Norfund and the borrowing institution over time in a way that was realistic in structure, content and use of language. Documents and payment details were falsified."

According to Norfund, as a result, the funds were sent on March 16th to a bank account in Mexico which was in the same name as LOLC, the legitimate microfinance institution in Cambodia.

As local media reports, the scammers cunningly took advantage of the compromise of Norfund's email system to inform LOLC that the payment had been delayed due to the Coronavirus pandemic.

Meanwhile, Norfund itself received fake emails claiming to come from LOLC in Cambodia.

As a result, no-one realised that the $10,000,000 loan had gone missing until the criminals attempted to steal yet more money via the same method on April 30th.

Describing the fraud, Norfund's CEO Tellef Thorleifsson said "It was wonderfully done."

Thorleifsson admitted that his organisation had previously sharpened its procedures in light of "similar cases with our partners" but that clearly it had not done enough:

"This is a grave incident. The fraud clearly shows that we, as an international investor and development organisation, through active use of digital channels are vulnerable. The fact that this has happened shows that our systems and routines are not good enough. We have taken immediate and serious action to correct this."

Norfund says it immediately contacted law enforcement agencies, and has brought in the consulting firm PwC to investigate what went wrong and how similar attacks can be prevented in future.

Fraudsters are said to have attempted to steal a jaw-dropping $9 billion from organisations through Business Email Compromise attacks since September 2016.

All firms need to ensure that they have educated their staff about the significant threats posed by Business Email Compromise, protected email accounts with multi-factor authentication, and introduced technology, policies, and procedures to reduce the risk of becoming the next victim of an attack that could cost millions of dollars.



Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
