
VCs find exciting new way to blow $1m: Wire it directly to hackers after getting spoofed


A group of hackers used a compromised email account to steal a start-up’s $1m venture capital payment.

The incident response team at security house Check Point says it was called in to investigate the case of money that a Chinese VC firm had reported missing after it was supposedly sent to a startup in Israel.

It was initially believed that the attack came down to a compromised email account that had been used to re-route the payment to an account controlled by the attacker, a rather cut-and-dried business email compromise (BEC) operation.

As it turned out, however, the attack was a bit more complicated.

“Apparently, a few months before the money transaction was made, the attacker noticed an email thread announcing the upcoming multi-million dollar seeding fund and decided to do something about it,” explained Check Point analyst Matan Ben David.

“Instead of just monitoring the emails by creating an auto-forwarding rule, as is seen in the usual BEC cases, this attacker decided to register 2 new lookalike domains.”

Using those lookalike domains (one for the VC firm and one for the startup), the bad guys then sent each side an email claiming to be from the other. Having a spoofed email account on each side, the attacker then forwarded the messages to the actual startup and VC email accounts, as needed.
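The defensive counterpart to the lookalike-domain setup described above is a mail-gateway check that compares the sending domain of every inbound message against the organisation's list of trusted partner domains. The Python below is an added example, not Check Point's or KnowBe4's code; the trusted domains, substitution table and sample message are constructed placeholders, and the two-edit threshold is an assumption to tune per environment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders for the two parties; not the domains from the incident.
TRUSTED_DOMAINS = {"acme-ventures.example", "startupco.example"}
# Visual substitutions often seen in lookalike registrations (constructed, not exhaustive).
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def normalize(domain: str) -> str:
    # Lower-case, drop dots and hyphens, then collapse visual look-alikes.
    d = re.sub(r"[.\-]", "", domain.lower().strip())
    for src, dst in SUBSTITUTIONS:
        d = d.replace(src, dst)
    return d

def levenshtein(a: str, b: str) -> int:
    # Standard edit distance; domains are short so the O(len(a)*len(b)) table is fine.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    # Exact match -> trusted; same normalized form or within 2 edits -> lookalike.
    domain = domain.lower()
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if normalize(domain) == normalize(t) or levenshtein(domain, t) <= 2:
            return "lookalike"
    return "unknown"

def check_message(raw: str) -> dict:
    # Classify the domain behind From and Reply-To of a raw RFC 5322 message.
    msg = message_from_string(raw)
    verdict = {}
    for header in ("From", "Reply-To"):
        _, addr = parseaddr(msg.get(header, ""))
        if "@" in addr:
            verdict[header] = classify_domain(addr.rsplit("@", 1)[1])
    return verdict

# Constructed sample: display name of a known contact, but a lookalike sending domain.
SAMPLE = """From: "CEO" <ceo@startup-co.example>
Reply-To: ceo@startup-co.example
"""
```

A "lookalike" verdict is a reason to quarantine or banner the message for the recipient, not proof of fraud; short trusted domains will need a tighter threshold to avoid flagging unrelated neighbours.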

“This infrastructure gave the attacker the ability to conduct the ultimate Man-In-The-Middle (MITM) attack. Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination,” Ben David said.

“Throughout the entire course of this attack, the attacker sent 18 emails to the Chinese side and 14 to the Israeli side. Patience, attention to detail and good reconnaissance on the part of the attacker made this attack a success.”

At one point, it was found, the attacker even managed to cancel a scheduled face-to-face meeting between the two sides.

Finally, after the two companies had agreed on the $1m investment, the attacker provided the VC side with their own account number before again modifying that message and sending it back to the Israeli firm. This caused the VC to send the attacker the money, while also making the startup believe the money was on the way.

“In a brazen move, instead of cutting all lines of communication after such a heist, the threat actor(s) did not cease their efforts but tried to go after another round of the VC investment,” mused Ben David.

“If that wasn’t enough, even after the attack was remediated, the Israeli CFO continues to receive one email every month from the spoofed CEO account, asking him to perform a wire transaction.”

Organisations need to raise their users' understanding of how these tactics are used, and of the scams that exist, through Security Awareness Training. Trained users can spot potential phishing scams designed to trick them through identity deception.

With thanks to The Register. The full story is here:

Will your users respond to phishing emails?

KnowBe4’s new Phishing Reply Test (PRT) is a complimentary IT security tool that makes it easy for you to check to see if key users in your organisation will reply to a highly targeted phishing attack without clicking on a link. PRT will give you quick insights into how many users will take the bait so you can take action to train your users and better protect your organisation from these fraudulent attacks!


Here’s how it works:

Immediately start your test with your choice of three phishing email reply scenarios

Spoof a sender's name and email address your users know and trust

Phish for user replies and get the results returned to you within minutes

Get a PDF emailed to you within 24 hours with the percentage of users that replied

