Hackers posed as the French stock market regulator to break into Bank of Valletta’s IT systems and walk away with millions of euros, Maltese and European authorities believe.  

The group, dubbed EmpireMonkey by investigators, carried out a €13 million heist from the bank on February 13, which led BOV to temporarily take its services offline.

The investigations have seen the police, the financial services watchdog, the State IT authority and foreign counterparts all come together to try and trace the missing cash and fish out flaws in Malta’s banking security systems.

“This investigation has involved a lot of collaboration, both in Malta between different authorities but also overseas, with Europol and other entities that are assisting in this,” a source privy to the details of the investigation said.

“We are working around the clock on the case, but it is extremely complex and we have never had anything like this in Malta before.”

A review of the bank breach has already uncovered how the hackers could have been attempting to infiltrate as far back as October 2018. A source said similar “phishing” – a method used to break into a computer system via electronic communication – had first been detected locally some four months ago. This had the same digital fingerprint as the hacking group believed to have carried out this month’s heist.

The hacking group is also believed to have targeted another Maltese bank, however, their attempts to infiltrate appear to have been unsuccessful.

A source was quick to point out that banks regularly receive such threats and attempts to infiltrate their systems were commonplace.  

He told The Sunday Times of Malta that last year the hackers were believed to have broken into the Autorité des Marchés Financiers which regulates the stock exchange in France. 

We have never had anything like this in Malta before

They then sent out e-mails to Maltese and French entities posing as the authority using an innocent-looking e-mail that included the authority’s official letter heads and a decoy document that, when clicked on, gave the hackers access to the bank’s systems.

The hackers then sought to move hefty sums to international banks in the UK, US, Czech Republic and Hong Kong. 

Sources said the authorities had identified the BOV computers that had clicked on the malicious e-mails which inadvertently gave the hackers the keys to the vault.

It is not yet clear how long the hackers had access to the bank’s systems before the robbery was carried out.

Read: Just €19 left and 'no access to my own money'

BOV went completely dark on February 13 after they discovered their systems had been compromised. Branches, ATMs, mobile banking and even e-mail services were suspended and its website was also taken offline. 

The attack was detected shortly after start of business, when bank employees started encountering difficulties reconciling international transfers. 

The bank was quick to reassure customers that their accounts and funds had in no way been impacted or compromised by the incident. 

BOV said yesterday that its third-party payment services outside the euro area were being reactivated from its branch network and it would endeavour to have them fully operational by tomorrow. The bank is in the meantime working to also reinstate these payments through internet banking.

The bank’s euro area payments were activated last week and are operational through all BOV channels in the normal manner.

Read: As cybercrime grows, banks are increasingly being targeted

Meanwhile, industry veterans have their doubts as to whether all the money will be recovered.  

“There are mechanisms in place to start tracing the money but this is not as simple as just reversing a transfer,” one of them said.

“The bank now has to reassure people that it is secure – it is of paramount importance if customers are to continue trusting it.”

ivan.martin@timesofmalta.com

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.