Israeli Forex Traders Being Targeted by Hacker Gangs Extorting Money

Fearing loss of customers and reputations, many targets quietly pay up 500 Bitcoins ($120,000).

Dreamstime

A large number of online foreign-currency trading firms and others in similar businesses operating in Israel have been hit in recent weeks by cyberattacks and extortion attempts, TheMarker has learned.

The companies that have been targeted include firms based in Israel, Israeli-owned firm operating overseas and foreign companies with Israeli offices, most of them specializing in online foreign-currency and options trading.

Most, if not all, of the attacks followed a pattern. An unknown person or organization, apparently based in Russia or one of the former Soviet republics, plants malware into the target company’s website and then sends screenshots to the site’s operators to show them they have been hacked. The hackers warn that they can do the company damage or steal information and data, such as client details. They demand a ransom in exchange for removing the malware.

The hackers have reportedly been seeking payment of 500 Bitcoins, which at the current rate of $250 per Bitcoin amounts to $120,000. That is not a particularly huge sum for companies with annual turnover in the millions of dollars, which sources say is intentional: The amount is small enough for victims to pay rather than fight the hackers.

“I think an attack like that is a phishing attempt,” said one industry source, who asked not to be named. “The hacker is testing his luck against everyone the same way. He asks for 500 Bitcoins. That’s not a lot ... but let’s say 20 Israeli forex companies are hacked and he succeeds in getting money from a third of them, he’s made a couple of million dollars easy.”

The threats are usually delivered to the cellphones of the targeted companies’ managers, in some cases by text message.

Each attack is launched against several companies at a time, typically firms engaged in what are known as binary options, and may include companies operating outside of Israel.

In that context, FXCM, a U.S.-based online foreign exchange broker that has offices in Israel, said last week that its systems were hacked and a “small number” of unauthorized wire transfers were made from customer accounts. All the funds have been returned to the accounts that were compromised, the company added.

FXCM said that after receiving an email from a hacker claiming to have obtained customer information, the company notified the FBI. An FBI spokeswoman said the bureau was “aware of the incident and is investigating.”

FXCM declined to confirm whether that was the firm’s first known hacking incident, but The Wall Street Journal reported last week that industry officials say cyberattacks are increasingly common.

“It is a huge issue for foreign exchange brokers,” Thomas Peterffy, CEO of Interactive Brokers Group, which also provides online trading services, told WSJ.

By contrast, no Israeli company that’s been targeted is known to have revealed the breach publicly — they are under no regulatory obligation to do so — and few have reported it to the police. Company officials calculate that the most serious damage from an attack is to the company’s reputation and customer confidence, so better to keep the incident under wraps.

In any case, many of the companies aren’t domiciled in Israel but in countries like Cyprus. They operate under Cypriot law and don’t serve Israeli clients, among other reasons in order to avoid having to be licensed by the Israel Securities Authority. Many other firms have only recently registered with the ISA and aren’t under effective regulation yet.

Cybersecurity consultants say one of the reasons these kind of firms have been singled out for attacks is because they don’t like publicity or dealing with the authorities — the police and anti-moneylaundering authorities in particular. By press time, the Israel Police hadn’t responded to TheMarker about complaints made in recent weeks about cyberextortion.

Figures from the targeted companies have discussed with each other whether to report the attacks or to pay ransom. Worldwide, about 30% of hacked companies opt to pay. The other question the firms have been debating is whether to inform their clients. They do, however, have set up teams of technical and legal experts, including people with expertise in negotiations.

Meanwhile, reports circulating among financial firms none of the recent attacks have caused damage. There have been rumors of hackers stealing client details and offering to sell them to competitors, but none of them have been verified.

The hackers’ identity has been verified either. Many say they are criminal gangs from Eastern Europe, who conduct multiple simultaneous attacks after they’ve identified a security breach common to many forex-trading firms. The idea is to act before words gets out and the breach is closed.

Others suspect that the hacker are contracted out by someone in the industry to get on edge on competitors. In any case, all agree the hackers are based in Russia or the former Soviet republics, based on the way they express themselves in English.