A Toronto-based non-profit that provides grants to musicians and others in the music industry says that nearly $10 million was stolen from its bank account by a “cybercriminal” and then converted into cryptocurrency.
The Foundation Assisting Canadian Talent on Recordings (FACTOR) detailed the theft in paperwork filed with the Ontario Court of Justice last month.
The organization is arguing that Scotiabank should be responsible for reimbursing it for the loss. However, lawyers for Scotiabank contend in the court filings that FACTOR’s login credentials were likely obtained through either “inadvertent voluntary disclosure to the fraudster via phising,” “employee fraud” or “a failure to adequately protect” the information.
“The Court will have to determine how FACTOR’s ScotiaConnect account was breached. While neither party’s experts have definitively asserted how the breach of FACTOR’s ScotiaConnect account occurred, Scotiabank and FACTOR advance opposing theories as to the likely cause of the breach,” the court documents state. “FACTOR claims that the breach could not have occurred on FACTOR’s end, and that, as a result any breach must necessarily have been the result of a failure in Scotiabank’s system. The evidence led by Scotiabank indicates the opposite; namely, that it is likely that FACTOR’s log-in credentials were somehow compromised on or prior to January, 18, 2024 when the breach occurred.”
The court documents state that the Department of Canadian Heritage sent roughly $14.3 million to FACTOR in early June of this year.
The money was deposited in FACTOR’s general bank account with Scotiabank, with the money to be used to fund the grant provider’s recipients.
A few days later, on June 11, FACTOR transferred $5 million from that account to its short-term investment account with the remainder to stay in its general account to cover two major client program payments by the end of the month.
But in the court documents, the arts-grant provider alleges a “cybercriminal intruder” effectively gained access into its account by creating a new super user profile and moved $9.77 million to an entirely different account with the same bank that belongs to a numbered company.
The court filings allege that minutes after that transfer the sole owner of the numbered company - James Campagna - then wired about $9.4 million into an account belonging to VirgoCX, a cryptocurrency trading platform. The cash was subsequently converted to USDC – cryptocurrency stablecoin – before being dispersed into cryptowallets, the court documents state.
While the alleged illicit transfer of funds took place in June, the filings allege that the “fraudster” hacked into FACTOR’s ScotiaConnect account with an employee’s credentials on Jan. 18. The alleged fraudster used the employee’s log-in, password and digital token, which was fully authenticated through the bank’s systems.
A new user was created with the email address sara.stasiuk@outlook.com, who was FACTOR’s former chief financial advisor. The account was then able to access the grant provider’s accounts.
The fraudster then logged into the account more than two dozen times from January to June, the filings state.
“It took more than five months before Scotiabank disclosed that the sole legitimate FACTOR employee with digital access, along with FACTOR’s CEO, were deleted from Scotiabank’s system as authorized users within minutes of the unauthorized wire,” FACTOR said in an online statement.
“No alert advising of the deletion of FACTOR’s personnel was provided to FACTOR. Nor was there any notice from Scotiabank about this suspicious activity.”
The documents paint a proverbial blame game among all the parties involved, each making a case as to why they’re not responsible for the near $10-million loss in taxpayer funds.
In Scotiabank’s legal filings, they point to an explanation provided by a digital forensics expert at Deloitte, who said the most likely explanation as to how the cybercriminal got the employee’s credentials was either to due to their involvement in the fraud or that they “unwittingly gave up” their credentials “as part of a phishing, social engineering or malware attack.” FACTOR disagrees with this assertion, saying four independent investigations found “no evidence” that the company, or anyone part of it, were in any way responsible.
Meanwhile, Campagna “vehemently” denies involvement in the fraud. In the court documents lawyers for Campagna claim someone from FACTOR emailed one of his affiliates to buy 2,800 bitcoin mining machines, which cost between US$3,200 and US$3,500 (roughly C$4,500 to $4920, at the time of publication).The lawyers say that the transfer was payment to fulfill that order.
In a statement provided to CTV News, a spokesperson for the Toronto Police Service confirmed that it has launched in an investigation into the matter, but said it is too early in the process to provide any further information.
So far, about $378,500 has been recovered and sent back to FACTOR.
For its part, FACTOR told CTV News Toronto that it will “vigorously pursue the full recovery of the stolen funds, defend the baseless allegations being made by Scotiabank against our systems and staff, and ensure that Scotiabank honours its security guarantee to customers, while making every effort to see that the criminals responsible are brought to justice.”
Scotiabank declined to comment on the case due to the ongoing nature of the legal action.