Cyber Incident Victim: Virtu Financial
Date: May 2020
Location: United States of America
Summary
A high-speed trading firm lost $6.9 million in a business email compromise scam after attackers illicitly accessed an executive's email account, monitored communications for weeks, and altered settings to conceal fraudulent activity. The perpetrators impersonated the executive to direct the accounting department to wire $10.8 million to Chinese banks; only $3.8 million was recovered after the fraud was discovered during an audit. The firm sued its insurer for denying coverage, disputing the insurer's claim that employee actions, rather than the email system breach, directly caused the loss. The insurer argued that the incident did not meet policy standards because the accounting team authorized the transfers based on spoofed instructions it believed to be legitimate.
Description
In May 2020, Virtu Financial experienced a business email compromise incident resulting in significant financial losses. On May 13, an unauthorized actor gained access to a company executive's email account and monitored communications for two weeks before initiating fraudulent activities. The attacker altered the account's settings and created inbox rules to conceal malicious messages from the legitimate account holder. Between late May 13 and late May 27, the compromised account was used to send fraudulent emails, presented as legitimate business requests, to Virtu's accounting department. These communications instructed staff to execute two wire transfers totaling $10.8 million to bank accounts in China. The accounting department processed both payments under the assumption that they represented valid business transactions. The fraudulent nature of the transfers was discovered two days after execution during routine auditing procedures, prompting an immediate internal investigation. Virtu's forensic examination traced the attack chain back to the executive's compromised email account, though the initial access vector is not specified in the available documentation. The company successfully froze $3.8 million of the transferred funds through banking channels but assessed the remaining $6.9 million as unrecoverable.

Following discovery, Virtu Financial notified its cyber insurance provider, Axis Insurance, about the incident and filed a claim for coverage of the financial loss. Axis Insurance denied the claim, asserting that unauthorized system access did not directly cause the loss and instead attributing it to Virtu employees who authorized the transfers based on spoofed instructions. The insurer maintained that the employees' actions constituted an intervening cause outside the policy's coverage. Virtu disputed this interpretation, filing a breach of contract lawsuit against Axis in New York State court based on specific policy clauses it believed obligated coverage. The company's legal filings emphasized that accounting staff acted in good faith on what appeared to be legitimate executive communications. No public resolution of the insurance dispute was documented in the immediate aftermath of the lawsuit filing. The incident was one of numerous high-value BEC schemes documented in 2020; the FBI had previously reported $1.7 billion in losses attributed to such attacks during 2019. Virtu's operational response included internal forensic review and attempted fund recovery, while its legal response focused exclusively on insurance litigation rather than pursuing criminal charges against unidentified perpetrators.
