Toronto-based arts-grant provider says nearly $10M was stolen by 'cybercriminal intruder'

A Toronto-based non-profit foundation that provides financial aid to musicians and others in the music industry has announced that about $10 million was stolen from its bank account by a "cyberthief" and then converted into digital currency.

The Foundation to Aid Canadian Recording Talent (FACTOR) explained the theft in documents filed with the Ontario Superior Court of Justice last month.

The organization claims that the Bank of Scotland should be responsible for compensating for this loss. However, lawyers for Bank of Scotland said in court documents that the FACTOR login information was likely obtained through "unintentional disclosure to a fraudster through phishing", "employee fraud" or "failure to properly protect" the information.

Court documents show that the Department of Canadian Heritage sent about $14.3 million to FACTOR in early June this year.

The money was deposited into FACTOR's public bank account at Bank of Scotland to be allocated to the foundation's grantees.

A few days later, on June 11, FACTOR transferred five million dollars from this account to its short-term investment account, and the remainder remained in the general account to make two important program payments to customers by the end of the month.

But in court filings, the arts grant provider said a "cyberthief" effectively hacked into its account and, by creating a new user profile, transferred $9.77 million to another account at the same bank belonging to a company with no. has transferred

Court documents show that immediately after that transfer, the sole owner of the numbered company - James Campagna - deposited about $9.4 million into the account of a digital currency exchange platform called VirgoCX. Then this money was converted into digital currency USDC (stablecoin) and transferred to various digital wallets.

While the illegal transfer of funds took place in June, court documents allege the "fraudster" logged into FACTOR's ScotiaConnect account on Jan. 18 using an employee's information. The fraudster used login information, password and digital token that was verified through the bank's systems.

Subsequently, a new user was created with the email address sara.stasiuk@outlook.com, a former FACTOR financial advisor. This account then gained access to the accounts of this foundation.

The fraudster then logged into the account more than two dozen times from January to June.

"it took more than five months for Bank of Scotland to announce that the only legitimate FACTOR employee with digital access, along with FACTOR's CEO, were removed from the Bank of Scotland system as authorized users as soon as the unauthorized transfer was made"; FACTOR announced in an online statement.

Court documents reveal a complicated state of contention between different parties, each with reasons to deny responsibility for the $10 million loss.

Bank of Scotland's legal filings state that a digital expert from Deloitte said the most likely explanation for how the fraudster obtained employee information is that they either engaged in fraud or "unintentionally" gave away their information in a phishing or engineering attack. Social media revealed. But FACTOR disagrees, saying four independent investigations have found "no evidence" that the company or any individual was responsible for the problem.

Meanwhile, Campagna has "vehemently" denied any involvement in the scam. In court filings, Campagna's lawyers alleged that someone from FACTOR emailed an associate to buy 2,800 Bitcoin mining machines, each priced between $3,200 and $3,500 (approximately $4,500 to $4,920 CAD at the time of publication). The lawyers say that the transfer was to complete this order.

A Toronto police spokesperson confirmed in a statement to CTV News that they are investigating the matter, but said it was too early to release more information.

So far, about $378,500 has been recovered and returned to FACTOR.

For its part, FACTOR told CTV News Toronto that it will "vigorously pursue the full return of the stolen funds, defend Bank of Scotia's baseless allegations against its systems and employees, and ensure that Bank of Scotland honors its security assurances to customers." and will make every effort to bring the criminals to justice."

Bank of Scotland declined to comment on the case pending legal proceedings.

news source