2 February 2015

The Hack That Warmed the World

MCKENZIE FUNK
JANUARY 30, 2015 

Europe’s carbon-trading market was supposed to be capitalism’s solution to global warming. Instead, it became a playground for gangsters, international crime syndicates, and even two-bit crooks, who stole hundreds of millions of dollars in pollution credits.

The client wanted carbon credits: tradable serial numbers that confer the right to pollute the Earth with invisible, odorless gas. Jugga, as the client called himself, planned to steal the credits, quickly resell them, and become rich overnight—but he needed the Black Dragon to hack into a computer system to help him do it. The Dragon, who in online forums advertised his services as a corporate spy, was sure he could hack anything. But when Jugga contacted him in June 2011, the hacker had no idea what carbon credits even were. “I didn’t think anyone would be stupid enough to come up with that,” the Dragon says of the concept.

The two men communicated via secure online chats, using their pseudonyms. In real life, the Dragon was 31-year-old Matthew Beddoes, a coal miner’s son, high-school dropout, and self-taught computer whiz who collected thousands of strangers’ credit card numbers and floated from couch to couch in central England’s Midlands region. Jugga was 36-year-old Jasdeep Singh Randhawa, who was previously part of a cigarette-smuggling network in Leicestershire.

Randhawa outlined a complicated plan for a backdoor hack into a carbon registry, a kind of stock market for carbon credits. Beddoes agreed to do the job, but, he asked, why not go through the front door? Although stockbrokers have to be licensed, just about anybody can become a carbon trader. (In 2007, the New York Times had called carbon traders the “rising stars” of London’s financial district.) Beddoes recommended a classic confidence trick: Pose as a trader, build email rapport with people at the registry, and then get them to open an infected attachment. Randhawa agreed and sent Beddoes the first half of a fee worth 6,000 British pounds (almost $10,000)—for a job that could have secured Jugga tens of millions of dollars.

Beddoes got into computers at a young age. “I started out on a Commodore 64,” he says via Skype, his lilting speech peppered with “yeah?” and “aight?” “I wasn’t always black hat,” he explains; he was just a smart kid who hated school but loved a challenge. That’s what hacking offered—endless challenges—and it was a “highly addictive hobby,” his lawyer would later explain in court.

Beddoes told me that when he first started hacking computer networks at age 16, it was in part because his attempts to play nice were rebuffed. If while cruising the corners of the Internet he found a business—a local bank, a clothing chain, a school—whose website had a vulnerability, he sent it a courtesy email. “And I’d get a message back,” he recalls. “‘You shouldn’t be testing our website. If anything’s wrong, we’re calling the police.’” This was a bad approach with a teenager, especially one who could easily grab lists of passwords and account numbers. The Dragon doesn’t “like being shit on, so to speak,” Beddoes clarifies. “‘OK, then I’m putting your website up for sale, mate.’ Y’know wha’ I mean?”

Yet what really drove him was not revenge but curiosity: He wanted to see what he could pull off. “You could describe him as a master online locksmith,” his lawyer said in court. In one advertisement to potential customers, which Beddoes sent out on Twitter in 2010, he described himself as “[v]irtually unstoppable.”

For the job with Jugga, Beddoes had Randhawa ask officials in Bonn, Germany, at the headquarters of the United Nations’ global carbon registry, what was needed to open a carbon account. When they responded—driver’s license, passport, value-added-tax (VAT) form, and the like—Randhawa inquired whether he could send the documents in encrypted form. “It’s company security policy,” he apologized. Beddoes created a zip file that contained dummy documents, a piece of Trojan horse malware called Zeus, and a crypter that made Zeus “100 percent undetectable by any anti-virus program, including Norton.” He gave the package to Randhawa, who sent the email to Bonn, and someone clicked on the file almost immediately after the message arrived. The recipient would have been reassured by a pop-up that read “‘Santrex Business Encryption’ or something like that,” Beddoes says. “I made the name up.”
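The lure Beddoes describes is a zip archive that looks like scanned paperwork but carries an executable. The check a mail gateway in Bonn would have wanted is to open the archive and look at what is actually inside before anyone clicks. The following is an added example, not code from the article or from anyone it describes; the attachment it inspects is constructed for the demonstration, and the lists of executable and document extensions are assumptions.

```python
import io
import zipfile

# Extensions Windows will execute when double-clicked (assumed list; extend to taste).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                  ".vbs", ".jar", ".dll", ".msi", ".hta"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def build_sample_attachment() -> bytes:
    """Constructed lure: one decoy 'document' and two droppers (PE 'MZ' magic)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("passport_scan.pdf", b"%PDF-1.4\n% placeholder decoy document\n")
        z.writestr("vat_form.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)   # double extension
        z.writestr("Business_Encryption.scr", b"MZ" + b"\x00" * 62)    # screensaver = exe
    return buf.getvalue()


def inspect_archive(zip_bytes: bytes) -> list[tuple[str, list[str]]]:
    """Return (member name, reasons) for every member that should not be delivered."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            parts = lower.rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in EXECUTABLE_EXT:
                reasons.append("executable extension")
            # "vat_form.pdf.exe": a document-looking suffix hiding in front of an executable one
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXT and ext in EXECUTABLE_EXT:
                reasons.append("double extension")
            if info.flag_bits & 0x1:
                # Password-protected member: the bytes cannot be sniffed, which is
                # exactly why "encrypted for company policy" lures work. Treat as unscannable.
                reasons.append("encrypted member, content not inspectable")
            else:
                with z.open(info) as member:
                    if member.read(2) == b"MZ":   # Windows PE header, whatever the name says
                        reasons.append("PE header")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def should_quarantine(zip_bytes: bytes) -> bool:
    return bool(inspect_archive(zip_bytes))
```

The content sniff matters more than the name check: a crypter changes what antivirus signatures see, but a dropper still has to start with the bytes Windows expects, and a renamed `.scr` is still a program. A member the gateway cannot read because it is password-protected should be treated as a finding in itself rather than waved through.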

It took an hour for Zeus to fully infect the trading system. Randhawa began transferring 426,108 certified emissions-reduction credits—each worth about 10 euros and equivalent to a ton of carbon dioxide—to a trading account he had set up for the scam. But then, suddenly, he was frozen out. He’d typed in the wrong account number for the transfer, and administrators in Bonn had noticed an irregularity. Frantic, he called the Dragon. (They had burner phones with anonymous prepaid numbers in case things got hot.) “Sort it!” Beddoes says Randhawa yelled. “Go in and sort it!”

It was a stormy day; Beddoes remembers rain and thunder and lightning. He grabbed his computer and tried to fix Randhawa’s mistake, but it was too late. Left without the coveted carbon credits, there was little to do but disconnect Zeus and move on.

But the duo didn’t give up. That same month, Beddoes used another hacking method—called SQL injection—to allow Randhawa to siphon off 350,000 carbon credits, each worth about 15 euros, from a Spanish registry within the European Union’s carbon-trading system. (Two years later, a portion of those stolen credits would be resold for almost 89,000 euros to an unsuspecting company: oil giant BP.) Beddoes says he also helped Randhawa break into registries in Africa and Asia, though nothing seems to have been stolen.
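The article names SQL injection without saying what it looks like. In short, a web application that pastes what a visitor types straight into a database query lets the visitor rewrite the query. The following is an added illustration, not code from the article or from the Spanish registry; the account table and its contents are constructed for the demonstration, and nothing here reflects how that registry was actually built.

```python
import sqlite3

# Constructed stand-in for a registry's account table (assumed schema).
def make_registry() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (holder TEXT, api_key TEXT, credits INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("Cementera Ejemplo SA", "key-7c1f", 350_000),
         ("Energia Ficticia SL", "key-9a42", 120_000),
         ("Trader Nuevo", "key-03bd", 0)],
    )
    return conn


def balance_vulnerable(conn: sqlite3.Connection, holder: str) -> list[tuple]:
    """Builds SQL by string formatting: the caller's text becomes part of the query."""
    sql = f"SELECT holder, credits FROM accounts WHERE holder = '{holder}'"
    return conn.execute(sql).fetchall()


def balance_safe(conn: sqlite3.Connection, holder: str) -> list[tuple]:
    """Parameterized query: the driver sends the value separately from the SQL text,
    so a quote in the input is data, never syntax."""
    return conn.execute(
        "SELECT holder, credits FROM accounts WHERE holder = ?", (holder,)
    ).fetchall()


# Two classic payloads typed into the 'holder' field of a lookup form.
DUMP_ALL = "x' OR '1'='1"                                        # every row matches
LEAK_KEYS = "x' UNION SELECT api_key, credits FROM accounts --"  # pull another column
```

Against `balance_vulnerable`, the first payload turns a lookup of one account into a listing of every account, and the second bolts a second `SELECT` onto the query so that the secret `api_key` column comes back where a holder name should be; the trailing `--` comments out the quote the application appends. `balance_safe` returns nothing for either, because the whole string is compared as a literal name.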

As 2011 came to a close, friends told Beddoes that the Serious Organised Crime Agency, then Britain’s equivalent of the FBI, was asking where he was. That stormy day the U.N. had blocked him and Randhawa, the Dragon had been using a 3G modem, a USB stick with an Internet connection that helped mask his identity and his computer’s location. But the lightning must have shorted out his connection just long enough for his computer to join a home Wi-Fi network—just long enough, in other words, for his IP address to disclose his whereabouts. He eluded authorities for weeks until, early one November morning, he was sleeping upstairs at his parents’ house when his father opened the door to go to work and found the police waiting outside. In March 2013, the Dragon, Randhawa (whom Beddoes met for the first time in court), and an associate named Jandeep Singh Sangha were sentenced to a combined five and a half years in prison for the carbon hacks.

The trio is among the thousands of people—gang members, terrorists, hackers, and others—who have tried a hand at what Interpol has identified as the future of international fraud: carbon crime. According to the international police agency in a damning 2013 report, emissions trading is the fastest-growing commodities market in the world, and criminals have eagerly exploited weaknesses and gaps in that market’s regulations and security—reaping tens of millions of dollars in illegal profits and threatening to destroy the much-lauded environmental concept of “cap and trade” as they go.

“If I’d done the carbon thing myself,” claims Beddoes, who is now out of prison, back in the Midlands, and—he says—on the straight and narrow, “I coulda been on a bloody desert island.” The hacking was that lucrative, and that easy. “Everyone says, ‘I bet you had some high-tech software and a badass modified laptop,’” Beddoes brags, speaking of the U.N. hack. “No. I had a shitty little netbook I used to carry around with me. I just put the package together and passed it off.”

As for carbon trading as a strategy to save the world, Beddoes remains skeptical. “Biggest scam on the planet!”

The carbon credit is essentially a permission slip with a cash value that allows a country or company to emit a certain amount of greenhouse gases. In a standard cap-and-trade system, a governing body sets a limit on the total allowed emissions and doles out or auctions off credits that add up to that limit.

If a company is flush with carbon credits, it can keep its dirty coal plant. Slash the plant’s emissions, and the company will have excess carbon credits it can trade to, say, an oil company looking to pollute more. Societies have determined that global temperatures should not rise more than two degrees Celsius to avoid the worst impacts of climate change. If they use credits to prevent going over that level, the thinking goes, carbon trading will help keep the world from burning.

The basic mechanisms for carbon trading were outlined in the 1997 Kyoto Protocol, a climate agreement adopted by 191 countries that set emissions-reduction targets for 37 industrialized countries and the European Community. This gave rise to the U.N. registry based in Bonn, which oversees credit trading among countries bound by Kyoto and has provided models for other systems. Today, there are more than 60 existing or planned carbon-pricing schemes worldwide, ranging from one covering the entire European Union to programs launched in the state of California in 2012 and the Chinese city of Shenzhen in 2013. (For a brief moment in 2009, the United States was on the verge of adopting cap and trade: A bill passed the House but died in the Senate.) These systems cover a quarter of civilization’s almost 40 billion tons of annual greenhouse gas emissions.

The World Bank values emissions trading at $30 billion. When the looser market for voluntary emissions reductions—that is, those not bound by legal compliance—is included, carbon trading is worth even more. In 2012, it was a $176 billion industry.

With all that money on the line, it’s no wonder that the likes of Beddoes and Randhawa constitute a burgeoning class of criminals—many of them wildly successful. In the EU, whose cap-and-trade system is the world’s largest, French analyst Marius-Cristian Frunza, author of the book Fraud and Carbon Markets, estimates that some $20 billion was lost to carbon fraud between the system’s launch in 2005 and 2011. According to Interpol, the list of possible carbon crimes goes well beyond stealing and reselling credits: It includes, among other offenses, tax fraud, securities fraud, transfer mispricing, and money laundering, plus phishing and theft “of personal information or identity theft.” And cash procured can end up lining dangerous pockets: In September 2014, prosecutors in Italy announced they were seeking the perpetrators of a roughly $1.4 billion carbon-trading scam suspected of helping fund terrorist groups in the Middle East.

Among the most galling crimes, from an environmental perspective, are sales of nonexistent credits. Most such crimes involve carbon offsets—when polluters, usually in the developed world, pay for emission cuts elsewhere. (Offset projects have included tree planting in Uganda and South Sudan and biogas projects, in place of coal plants, in India.) Critics of offsets say they only allow rich countries to feel better about bad behavior, rather than encouraging governments to correct that behavior. Environmental writer George Monbiot has compared offsets to indulgences sold centuries ago by the Catholic Church—cash for forgiveness. But the real problem with offsets has been fraud. For instance, back in 2007, fittingly, a Vatican cardinal stood before cameras and received a certificate declaring the Holy See the world’s first carbon-neutral sovereign state, thanks to offsets promised by an American businessman who ran a reforestation project in Hungary. But not one tree of the “Vatican Climate Forest” was ever planted. In Africa, some reforestation projects have reportedly sold the same offsets to two or three different buyers. U.K. regulators announced in November 2013 that they had shut down 19 companies for using offset sales to scam investors out of some $38.7 million.

These crimes point to an inherent flaw in cap-and-trade systems: the difficulty of substantiating transactions that involve nothing palpable. “The noteworthy potential for the carbon market to be exploited,” Interpol says in its report, “rests on a single significant vulnerability that distinguishes it from other markets—the intangible nature of carbon itself.” Put another way, if a man who buys a horse never receives it, he’ll pick up on the scam. But if he buys the right, represented by a numerical code, to emit an invisible gas or the promise that someone else will emit less of that gas in the future, he might easily be fooled.

Perhaps because they were environmental idealists or because they desperately wanted systems to get off the ground, the creators of carbon markets seem to have given little thought to the potential pitfalls of trading. As the Black Dragon’s hacks reveal, protections against crime, from background checks on carbon traders to basic Internet security to unified governance, were minimal from the start. Although trading systems have seen security improvements in recent years, fraud has done enduring damage to carbon markets. Along with credit handouts to polluting industries and the recent global financial crisis, it has undercut carbon trading’s noble goals.

As Interpol’s report concludes, the “discrepancy between the objectives of the financial players in the market—to maximize profit—and the overall objective of the Kyoto Protocol—to ensure overall greenhouse gas emissions are reduced—places diverse pressures on the regulation of the market.” Trying to save the world and trying to make money, in other words, are two distinct things. It was fraudsters who saw this sooner than anyone.

The EU’s Emissions Trading System (EU ETS) is the most robust carbon market in the world: Launched in 2005, it covers 31 countries (all EU members as well as Iceland, Liechtenstein, and Norway), 11,000 manufacturers and power plants, and close to half of Europe’s carbon emissions—or roughly 2 billion tons of carbon dioxide.

“The success of the EU ETS has inspired other countries and regions to launch cap and trade schemes of their own,” its website boasts. “The EU aims to link up the ETS with compatible systems around the world to form the backbone of an expanded international carbon market.”

As the forerunner in carbon markets, however, the EU ETS is also where the first cracks in trading became visible. After peaking near 30 euros in 2008, the price per ton of carbon dioxide in the EU ETS now hovers around 5 euros—too low to provide much incentive for companies to lower emissions. The major reason for the price crash was the global recession that began in 2009; power and cement plants had less production than projected, thus fewer emissions and less need for carbon credits. Handouts to industry are also partly to blame. When the EU ETS began, major European emitters lobbied for and were allocated free credits—too many, critics say—as a political compromise to ease the transition to the new carbon economy. This led to deceit: An investment banker I spoke to said he helped power plants cook their books to show a need for more handouts. Today, the system is awash with excess credits.

Fraud has also played a role in undermining the EU ETS. According to Frunza, the French analyst, nearly 60 percent of the money that the system lost to crime between 2005 and 2011 was due to VAT carousel schemes. A VAT of 20 percent or higher is charged on most goods and services in Europe. As foreign tourists to London or Venice know, some purchases are VAT-free if they are taken out of the country. Show a receipt at the airport, and the government provides a refund. Many commodities, including carbon credits, are also eligible for a refund upon export. Carousel schemes exploit these mechanisms: A shell company run by a criminal syndicate imports carbon credits into a country without paying VAT, and then the credits are passed from one shell company to another until it’s difficult to trace their origin. The last company in the chain takes the credits out of the country, shows the equivalent of a receipt to the government, and asks for its VAT back.

VAT fraud is a volume game: Slosh more money through the system, and the 20 percent cut can add up considerably. Around the time of the 2009 U.N. climate conference in Copenhagen—where countries failed to adopt a much-anticipated, legally binding accord to cut emissions—seed money for carousel schemes was typically in the millions of euros, and the money came largely from international criminal gangs, says Frunza. As he put it in the 2013 documentary film Carbon Crooks, “It’s mainly the new wave of organized crime described as Middle East organizations—terrorist financing, Far East Asia, ex-Soviet Union—[and] bits and pieces from south and eastern Italy and Israel.”

The impact of VAT scams has been enormous. Until it was shut down in 2012 amid falling revenues, the world’s largest carbon exchange was BlueNext in Paris, which was partly owned by the French government and offered an immediate VAT repayment. In one period Frunza studied—November 2008 to September 2009—90 percent of BlueNext’s trades appeared to be fraudulent. French taxpayers lost 1.9 billion euros in less than a year. The price of a ton of carbon, meanwhile, dropped by an estimated 4 euros—at current prices, that means it was cut almost in half—as investors lost faith in the market. Over in the United Kingdom, meanwhile, a criminal gang used a carousel scheme to steal about $60 million over six months; three men were later apprehended and sentenced to a combined 35 years in prison. And in a coordinated effort in Germany in December 2012, some 500 police officers burst into offices and homes in three cities in one day to investigate carbon VAT fraud at Deutsche Bank, the country’s most storied financial institution.

Rather than stopping fraud before it begins, regulators and law enforcement often played catch-up to criminals, thanks to weak safeguards included at the inception of the EU ETS. In the late aughts, for instance, while carbon traders generally went through background checks in their country of residence or business, there was one significant exception: Denmark. Host of the 2009 climate conference, the country wanted cap and trade to work, and it apparently wanted to remove all barriers to success. For several years before the summit convened, all it took to open an EU ETS trading account in the Danish carbon exchange—until recently, each country in the system had a national exchange—was a name and an email address. Among the 1,300 people who opened accounts, as many as four-fifths of them fraudulently, was someone who gave the name of Indian poet Mirza Ghalib, who died in 1869, along with an address in a Copenhagen suburb. As Carbon Crooks highlights, after Danish authorities finally began background checks in 2011, the number of registered carbon traders dropped to just 30.

There were also early weaknesses in digital security and system governance, which varied hazardously across European countries’ borders. Months before the Black Dragon struck the U.N. in Germany, Europe’s most notorious carbon hack took place on a cold January 2011 day in Prague. It began with a phoned-in bomb threat to a downtown building that, among other offices, housed the Czech Republic’s carbon registry. The building was swiftly evacuated. Police closed down the streets and raced to set up blast barricades. They brought in bomb-sniffing dogs. A full day passed before police understood what had happened. The “bomb scare was a feint to divert traders from noticing exotic cursors moving across their [computer] screens,” wrote journalist Mark Schapiro in his 2014 book, Carbon Shock. Almost 1.2 million carbon credits had disappeared in a flash, part of a wave of hacks that also hit Austria, Greece, and Romania and claimed 45 million euros that month.

Authorities halted carbon trading across Europe and tracked stolen credits to registries in Estonia and Poland and eventually to BlueNext. Some credits were successfully resold to buyers, including Royal Dutch Shell and Credit Suisse. When investigators followed the proceeds, the trail led to bank accounts in China, Hong Kong, Dubai, and India, a source told Reuters—and then petered out. Four British men reportedly described by prosecutors as “foot soldiers” in a criminal syndicate that perpetrated the Czech Republic hack were sentenced in a U.K. court in September 2014. They will serve a combined 19 years in prison for setting up temporary trading accounts to move and help launder some of the credits. But their bosses are still on the loose, with the credits they stole and the money they were paid.

Complicating matters, some credits stolen in the Czech job—at least 13,100 of them—matched the serial numbers of credits stolen the previous year in a major hack of Romania’s carbon registry, and then resold to unsuspecting buyers. The credits had originally come from the Swiss company Holcim, the world’s second-biggest cement manufacturer and one of Europe’s biggest emitters of greenhouse gases. Holcim had lost 1.6 million credits worth 24 million euros. It tracked them as far as it could, through Liechtenstein and Italy to carbon exchanges across Europe. When Holcim hit a wall, the company asked the European Commission, which manages the EU ETS, to freeze the movement of the stolen credits—an easy task, in theory. But officials said they had no authority to help. “The recovery of any allowances which are claimed to have been transferred fraudulently is a matter for national law and national law enforcement authorities,” the EU ETS director-general said in a 2010 statement. “The Commission has no powers to block any such allowances in a registry account.”

Individual countries’ laws, however, would have been a problem even if European officials had stepped in, as property rights differ from one EU member to another. In the United Kingdom, for instance, stolen property is generally returned. In Germany, on the other hand, an “innocent buyer” might be allowed to hold on to laundered credits bought in good faith. (Some observers believe the European Commission also didn’t want to go rooting around for stolen credits, lest what it found should cause the market to entirely collapse.)

Holcim’s quest for its lost credits escalated into a 17.6 million euro lawsuit against the European Commission, filed in 2012. This past September, the European Court of Justice agreed that the case was a matter for national, not European, authorities and dismissed it. Now Holcim has added legal fees to its losses.

Even the main victim of the hack in Romania looks different at close range, however. One reason Holcim had so many carbon credits for criminals to steal was that it was given so many free handouts when the EU ETS was set up. With a surplus of 17 million credits, the company is fourth on the list of “Carbon Fatcats” released in October 2014 by the British think tank Sandbag, which lobbies for an overhaul of Europe’s trading scheme. In 2008 and 2009 alone, when the carbon market was high but the continent’s overall economy teetered, Holcim reaped a 100 million euro windfall from selling some of its government-granted excess. When Holcim sued the European Commission, in short, it was biting the hand that fed it.

In 2015, because of problems like excess credits, the main barrier to carbon crime may be that credits have become so cheap. But there’s still strong faith in the potential of cap and trade, and a mounting concern about fraud.

So while officials wait for prices—and global temperatures—to rise, they’re finally tightening security. To better assess carbon-offset projects in the developing world, the United Nations has upped its oversight of third-party certifiers and improved how it measures whether projects would have happened anyway, and thus deserve no offsets. (In U.N. speak, it has better “tools available for testing additionality.”) In response to the 2013 Interpol report, the director of the U.N.’s carbon-offset program defended it in an open letter, asserting that “more mention could have been made … of the maturation that has already taken place in the carbon market.” (At the time, U.N. credits were trading for 61 euro cents a ton.)

In Europe, carbon credits are now exempt from VAT in most countries, making carousel fraud all but impossible, and EU ETS computer security is beginning to match that of stock exchanges. EU member states have replaced a welter of 30 national registries and their myriad problems—no background checks in Denmark, lax website security in Spain and the Czech Republic, rapid VAT refunds in France—with a pan-European system on a single software platform with one set of security procedures. Europol, the EU’s law enforcement agency with a new mandate to fight cybercrime, monitors accounts. National administrators can block suspect activities immediately, without a court order. Backgrounds are reviewed, two parties at a trading office must sign off on every trade, and a waiting period reminiscent of American gun laws means most transactions have a 26-hour delay. Try to move too many carbon credits in one trade, and an account gets blocked, much as a credit card company might block a purchase of expensive electronics made in a state different from the buyer’s location.
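The controls listed above (a second signature on every transfer, a hold before credits leave for an account that has not been vetted, and an automatic block on unusually large moves) are what stand between a stolen password and an emptied account. The following is an added sketch of how such a registry rule set fits together, written for this article and not taken from the EU ETS registry software. The 26-hour hold is the figure the article gives; the volume ceiling, the notion of a per-account “trusted” destination list, and the account names and balances are assumptions constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HOLD = timedelta(hours=26)     # delay the article describes for ordinary transfers
VOLUME_LIMIT = 100_000         # assumed ceiling per transfer; a real registry tunes this


@dataclass
class Account:
    holder: str
    credits: int
    trusted: set = field(default_factory=set)   # destinations vetted in advance (assumed)


@dataclass
class Transfer:
    src: str
    dst: str
    amount: int
    requested_at: datetime
    approvals: set = field(default_factory=set)
    state: str = "pending"          # pending | blocked | settled


class Registry:
    def __init__(self, accounts):
        self.accounts = {a.holder: a for a in accounts}

    def request(self, src, dst, amount, requester, now):
        """First signature. Obvious problems block the transfer outright."""
        t = Transfer(src, dst, amount, now)
        t.approvals.add(requester)
        if src not in self.accounts or dst not in self.accounts:
            t.state = "blocked"
            return t, "unknown account"
        if amount <= 0 or amount > self.accounts[src].credits:
            t.state = "blocked"
            return t, "insufficient balance"
        if amount > VOLUME_LIMIT:
            t.state = "blocked"          # the 'too many credits in one trade' rule
            return t, "volume limit"
        return t, "awaiting second signature"

    def approve(self, t, approver):
        """Second signature must come from a different person than the first."""
        if t.state != "pending":
            return False, t.state
        if approver in t.approvals:
            return False, "same person cannot sign twice"
        t.approvals.add(approver)
        return True, "approved"

    def settle(self, t, now):
        """Move the credits only once both signatures and the hold are satisfied."""
        if t.state != "pending":
            return False, t.state
        if len(t.approvals) < 2:
            return False, "needs two signatures"
        src = self.accounts[t.src]
        if t.dst not in src.trusted and now < t.requested_at + HOLD:
            # Untrusted destination: the hold gives the real owner time to notice.
            return False, "hold until " + (t.requested_at + HOLD).isoformat()
        if t.amount > src.credits:       # balance may have changed since the request
            t.state = "blocked"
            return False, "insufficient balance"
        src.credits -= t.amount
        self.accounts[t.dst].credits += t.amount
        t.state = "settled"
        return True, "settled"
```

The point of the hold is not the delay itself but what it makes possible: an administrator who can block a pending transfer without a court order has a window in which to do so, whereas a transfer that settles the moment a phished password is used leaves only the laundering trail to follow.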

As for the Black Dragon, he has done his time—“four prisons, five courts,” he says. He didn’t mind prison so much. After all, he’s a hacker, used to being cooped up indoors. “I was fine,” he says. “I was quite popular. I met a few good friends in there.” Inside were guys from the hacker groups Anonymous and LulzSec. One of them, Beddoes says, had been convicted of temporarily taking a few websites offline but thought he could pull rank because he was part of LulzSec. “I’m like, ‘Look at my papers,’” the Dragon recalls boasting. “It was beautiful, the look on his face. Thirty-eight charges. He walked away.”

Beddoes now refers to himself as the Red Dragon. (“There’s no specific meaning—just not black.”) He’s the sole proprietor of Red Dragon Security, a consulting firm that advises business clients—so far none of them in the carbon industry—on how not to get hacked. He doesn’t plan on going back to the dark side, though clients keep trying to woo him. “I still get calls from India, Pakistan, Ukraine, South America, France, Germany,” he says. “‘Hey, is that Black Dragon? You’re a legend! I’m working on a project.…’ Nah, can’t be bothered with that shit.”

So the EU ETS has upgraded its security? Tell the Dragon that, and his swagger returns. “That doesn’t matter,” he says. “It’s all irrelevant.” What matters—what has always mattered—is that such a system exists in the first place and that carbon credits are stored on computers connected to the Internet. The health of the planet is meant to be protected by intangible digital bits.

Interpol has warned that “[r]egulation and monitoring of the carbon market is not yet pervasive.” The Environmental Defense Fund, a champion of carbon markets, has argued that carbon emissions in the EU in particular are now little different from other worldly things—grains, minerals, water—that have been made tradable. “[W]ill the reforms be enough to prevent security breaches in the future?” the Environmental Defense Fund asked in a 2012 review of the EU ETS’s struggles and successes. “The same question, of course, can be asked for any electronically networked system. The challenge of market oversight confronted by the EU ETS is not unique, since theft, fraud, and money laundering are serious concerns in all markets.”

The Dragon agrees: It’s “just like stock markets and things like that. Trading accounts. Pretty simple.” And the more complex the defenses, the more potential for holes—and for complacent defenders, who often stop expecting the worst. “Say I infect your personal computer, use a form grabber, and get your username and password,” Beddoes continues. “Then I can bounce through your web browser onto their system. Then, if I get a virus on your phone as well, even a one-time password, I can use it to verify my identity”—thwarting two-step verification, the latest security layer. “You have to fiddle around more,” he says, “but once you’re in, you’re in.”

“The more they secure it, the easier it becomes.”
