Cyber Incident Victim: Chinese venture capital firm
Date: Dec 2019
Location: Israel
Summary
A Chinese venture capital firm and an Israeli startup were targeted in a business email compromise attack where a threat actor registered lookalike domains (appending an 's' to both entities' legitimate domains) to conduct a man-in-the-middle scheme. The attacker intercepted and modified email communications between the parties over several months, facilitating a fraudulent $1 million wire transfer. To avoid exposure, the actor canceled a planned physical meeting between the organizations by sending falsified cancellation notices. Despite remediation, the startup continued receiving monthly spoofed emails requesting further wire transfers. The operation demonstrated advanced reconnaissance, patience, and persistence, with the attacker attempting to hijack subsequent funding rounds after the initial theft.
Description
In late 2019, a Chinese venture capital firm and an Israeli startup discovered a financial theft during a scheduled $1 million seed funding transfer. The Chinese firm's bank alerted them to transaction irregularities, while the Israeli company realized the funds never arrived. Both parties identified discrepancies in their email communications, including modified messages and unauthorized correspondence. The Israeli CEO engaged Check Point's Incident Response Team (CP IRT) to investigate. Evidence collection faced significant challenges: email hosting through GoDaddy provided limited audit logs showing only five recent logins—all legitimate—and investigators initially had only mobile screenshots of suspicious emails. CP IRT reconstructed communication threads by analyzing mailbox archives from CC'd recipients, identifying keywords from the screenshots to locate original messages.

Analysis revealed an attacker had monitored email threads months prior to the transaction, registering two deceptive domains mimicking the legitimate ones—appending an 's' to both the Israeli startup's and Chinese VC's domains. The threat actor executed a man-in-the-middle attack by impersonating both parties: emails to the Chinese firm appeared sent from the Israeli CEO's spoofed domain, while communications to the startup mimicked the VC's account manager. The attacker intercepted all 32 emails exchanged (18 to the Chinese side, 14 to the Israeli side), selectively modifying content before forwarding. This included fabricating a last-minute cancellation of a planned Shanghai meeting between the parties, preventing in-person verification of bank account changes. After stealing the funds, the attacker attempted to intercept a subsequent investment round and continued monthly spoofed wire transfer requests to the Israeli CFO even after remediation efforts. The incident permanently diverted the $1 million transaction and compromised critical business communications between the organizations.
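The lookalike-domain trick described above (a legitimate partner domain with one character appended) is easy to catch mechanically if the receiving side keeps a list of trusted counterparties. The following is an added defensive example, not code from the page or from Check Point: it parses the address headers of an inbound message and flags any sender domain within edit distance 1 of a trusted partner domain. The domains, addresses and message are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders standing in for the VC firm's and startup's real domains.
TRUSTED_DOMAINS = {"example-vc.test", "example-startup.test"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; an appended 's' is exactly one insertion away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return the trusted domain this one imitates, or None if it is not a near-miss."""
    for t in sorted(trusted):
        if domain != t and edit_distance(domain, t) <= max_distance:
            return t
    return None


def check_headers(raw_message: str, trusted=TRUSTED_DOMAINS):
    """Flag From/Reply-To/Return-Path domains that are near-misses of a trusted domain.

    Returns a list of (header, observed_domain, imitated_domain) findings.
    """
    msg = message_from_string(raw_message)
    findings = []
    for header in ("From", "Reply-To", "Return-Path"):
        value = msg.get(header)
        if not value:
            continue
        _, addr = parseaddr(value)
        domain = addr.rpartition("@")[2].lower()
        if not domain or domain in trusted:
            continue  # empty or exactly a known partner: nothing to flag
        imitated = lookalike_of(domain, trusted)
        if imitated:
            findings.append((header, domain, imitated))
    return findings


# Constructed sample: the "VC account manager" writing from a domain with an extra 's'.
SAMPLE_MESSAGE = """From: "Account Manager" <manager@example-vcs.test>
Reply-To: manager@example-vcs.test
To: ceo@example-startup.test
Subject: Updated wire instructions

Please use the new account details below.
"""
```

Run against a mail gateway or mailbox export, every finding is a candidate for out-of-band verification before any bank-detail change is acted on.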
