Cyber Incident Victim: Levitas Capital
Date: Sep 2020
Location: Australia
Summary
A threat actor targeted Levitas Capital through a phishing attack impersonating Zoom, sending a malicious link disguised as a meeting invitation. The attack compromised the Australian hedge fund's email accounts and network, enabling unauthorized access to financial systems. The perpetrators attempted to initiate fraudulent transactions totaling approximately $8.7 million but were detected and blocked by the fund's bank. This security breach directly contributed to the firm's subsequent decision to cease operations permanently. The incident highlighted vulnerabilities in third-party communication platforms and operational security practices within financial institutions.
Description
The 2020 cybersecurity incident involving Levitas Capital began when attackers compromised the Australian hedge fund’s email systems through a sophisticated phishing campaign. Threat actors sent fraudulent Zoom meeting invitations mimicking a legitimate investment consultant, exploiting the increased reliance on video conferencing during the COVID-19 pandemic. An employee clicked the malicious link, enabling unauthorized access to the firm’s corporate email accounts. The attackers monitored internal communications for several weeks to understand transaction workflows and identify high-value targets.

On November 5, 2020, the hackers impersonated Levitas’ co-founder via email and instructed the fund administrator to transfer approximately AU$8.7 million to a fraudulent Hong Kong bank account. The administrator processed the payment but later identified discrepancies in the request’s wording and initiated a recall process. Swift intervention by the Commonwealth Bank of Australia froze the funds mid-transfer, preventing permanent loss. The incident forced Levitas to temporarily suspend operations while conducting forensic audits, which revealed the attackers had exfiltrated sensitive financial documents and client data during their email compromise.

Levitas notified the Australian Cyber Security Centre (ACSC) and the Australian Securities and Investments Commission (ASIC) following the incident. Forensic investigators confirmed the attackers used credential-harvesting techniques via the fake Zoom link, bypassing multi-factor authentication through session hijacking. The fund implemented enhanced email security protocols, including stricter payment verification procedures and employee training on phishing detection. The near-loss of funds and operational disruption contributed to Levitas’ decision to permanently close in December 2020, citing reputational damage and financial viability concerns. No additional funds were recovered beyond the initial interception, and the incident underscored vulnerabilities in third-party vendor communication chains within financial services.
