Carbon Crooks Arrested in Romania?

Steve Zwick

Law enforcement agencies have prevented cyberthieves who hacked into European carbon registries from making off with more than $30 million they extracted from the market, the Wall Street Journal reports, citing unnamed officials.  The paper says the hackers were based in Romania, and that arrests will be announced within days.  No word yet on when registries will reopen.

29 January 2011 | Law enforcement agencies have prevented cyberthieves who hacked into European carbon registries from making off with more than $30 million they extracted from the market, the Wall Street Journal reports, citing unnamed officials.   The paper says the hackers were based in Romania, and that arrests will be announced within days.

You can find their coverage here (subscription required).   Below is our coverage from last week:

Cyberthieves who hacked the Czech carbon registry on Tuesday had intimate knowledge of different registries.   They acted just days before a key security upgrade would have made the heist impossible, then sold the credits immediately – keeping the cash and letting the credits bounce around the system.   Participants are now bracing for a fight over who will bear the loss.

20 January 2011 | A competent thief dumps his loot long before the rightful owner knows its gone – and the cybercriminals who hacked the Czech Republic’s carbon-credit registry on Tuesday are nothing if not competent.

Nikos Tornikidis can attest to that.   He works for Czech environmental asset management group Blackstone Global Ventures, which was the first company to notify others that the state   registry had been breached earlier this week.

Registries are, in a sense, the central banks of environmental markets.     They make sure that every credit represents an environmental benefit, and they do that in part by assigning serial numbers that buyers can use to see where the credits came from.   Different regimes recognize different types of credits, even within the European Union, and that makes it nearly impossible to forge a carbon credit, or to sell one outside the system.

It doesn’t, however, prevent the kind of breach banks have been guarding against for centuries.

Fragmented System

Each country in the European Union Emissions Trading System (EU ETS)   has its own registry under an ungainly – and controversial – arrangement that eventually required the creation of 27 different registries by 27 different development teams in a complex, fragmented system responsible for making sure that credits aren’t double-counted or lost.  

“We were checking our inventory around 8am Wednesday morning,” says Tornikidis.   “That’s when we found that our account was empty and the details of our account had been changed.”

More than 450,000 credits valued at € 7 million euros ($9.4 million) were gone, so Tornikidis contacted the national registry to make sure the stolen credits weren’t being passed around the system.   In the case of the Czech Republic,   the registry was administered by government-owned state energy-trading platform OTE.

“I didn’t realize it until I read it on Bloomberg, but OTE has to trawl through their whole book by hand to get the serial numbers,” he says.   “We didn’t get the numbers until the end of the day, and we posted them on our web site as soon as we could, but by then it was too late.”

The credits, it turns out, had already been passed on to an account in the Estonian registry, and from there may have passed to Poland, Germany, and Lichtenstein as well.  

“They had been passed on and sold around mid-day on Tuesday,” says Tornikidis.   “It was right around the time of the bomb scare.”

The Execution

The bomb scare had been the talk of downtown Prague.   It was phoned into the building that houses OTE shortly before 11am on Tuesday.

Police speculate that the bomb scare provided a diversion so that employees wouldn’t see phantom cursors moving across unattended screens or other telltale signs of a breach.

While waiting for the serial numbers, Tornikidis and his brokers sent a notice to all participants they knew letting them know that the registry had been breached.

OTE began looking into its books and realized that Blackstone wasn’t alone — more than two million credits worth roughly €28 million ($37.7 million)1 were missing from the accounts of several companies, all with account numbers ending in “121” — the designation given to brokers and other non-industrial entities.

Although earlier reports claimed accounts were hacked at five separate registries, sources tell Ecosystem Marketplace that the suspect credits passed through five separate registries, possibly via dummy accounts.   Many of those registries are also in the process of upgrading their security systems.

What the Hackers Knew

To pull off the heist, the hackers had to know their target well.   They certainly knew their way around OTE, which was in the process of installing a security system that would have required all traders enter a second password that is generated randomly and delivered to their mobile phones.   That system was set to be installed this week — indicating that the hackers knew their target intimately, and timed their heist accordingly.  

The timing also worked on the market front: the next surrendering of allowances doesn’t happen until April, so companies with offsets on deposit with OTE might be lax about checking their inventories right about now.

Formerly known as Operí¡tor trhu s elektinou (“the Electricity Market Operator”), OTE is a small operation with net assets of just 1.6 billion Czech krona ($88 million) at the end of 2009, according to its most recent annual report.   What’s more, it operates the registry as a separate, unregulated – and even smaller – entity, with “tangible assets” of just SK 27,390,000 ($1,518,760).

“This all raises some huge issues,” says one local broker.   “For one, you have this small entity being responsible for huge assets, and now you can expect this big fight over who pays.   Second, you have the question of how these criminals got access to the carbon markets.”

He suspects someone somewhere violated basic “know your client” (KYC) rules, which is a major regulatory no-no.
“We quite often have people applying for accounts, and we’re like, ‘You’re kidding me, there is no way you are a real trader,’” he says.   “KYC is basic due diligence – we’re not allowed to open accounts if we have the slightest suspicion that something funny is going on – and someone dropped the ball.”

Unappreciated Value

The fragmented scheme is on its way out, thanks to the so-called “Registry Regulation” (available for download, right), which the European Commission issued last October.   Among other things, the Directive called for a more consolidated Union Registry System by the start of 2012.

It also called for the immediate implementation of simple security measures that European Commission spokeswoman Maria Kokkonen says would have cost less than $10,000 per country to implement, but would have saved tens of millions of dollars – unless the money stolen on Tuesday is recovered.  

Because of its size, OTE was one of 14 EU registries (out of 27 total) that hadn’t yet implemented the upgrades.

“All of this highlights   the fact that we’ve created carbon credits with monetary value,” says one local broker.   “Carbon credits are like bearer bonds in many ways, or like trading gold.”

But while bearer bonds were designed to ensure economic value, carbon credits were designed to ensure environmental value.

“Environmental value is the hard part,” he says.   “Now they just have to get the easy part – they have to make sure they give them to somebody who has more security than a master lock.”


Additional resources
Steve Zwick is Managing Editor of Ecosystem Marketplace.  He can be reached at [email protected].

Please see our Reprint Guidelines for details on republishing our articles.


1) This figure was inserted after initial publication to provide clarity.  It did not appear in the initial posting.

Please see our Reprint Guidelines for details on republishing our articles.

Cyberattack Timeline