A competent thief dumps his loot long before the rightful owner knows its gone – and the cybercriminals who hacked the Czech Republic's carbon-credit registry on Tuesday are nothing if not competent.
Nikos Tornikidis can attest to that. He works for Czech environmental asset management group Blackstone Global Ventures, which was the first company to notify others that the state registry had been breached earlier this week.
Registries are, in a sense, the central banks of environmental markets. They make sure that every credit represents an environmental benefit, and they do that in part by assigning serial numbers that buyers can use to see where the credits came from. Different regimes recognize different types of credits, even within the European Union, and that makes it nearly impossible to forge a carbon credit, or to sell one outside the system.
It doesn't, however, prevent the kind of breach banks have been guarding against for centuries.
Each country in the European Union Emissions Trading System (EU ETS) has its own registry under an ungainly – and controversial – arrangement that eventually required the creation of 27 different registries by 27 different development teams in a complex, fragmented system responsible for making sure that credits aren't double-counted or lost.
“We were checking our inventory around 8am Wednesday morning,” says Tornikidis. “That's when we found that our account was empty and the details of our account had been changed.”
More than 450,000 credits valued at € 7 million euros ($9.4 million) were gone, so Tornikidis contacted the national registry to make sure the stolen credits weren't being passed around the system. In the case of the Czech Republic, the registry was administered by government-owned state energy-trading platform OTE.
“I didn't realize it until I read it on Bloomberg, but OTE has to trawl through their whole book by hand to get the serial numbers,” he says. “We didn't get the numbers until the end of the day, and we posted them on our web site as soon as we could, but by then it was too late.”
The credits, it turns out, had already been passed on to an account in the Estonian registry.
“They had been passed on and sold around mid-day on Tuesday,” says Tornikidis. “It was right around the time of the bomb scare.”
The bomb scare had been the talk of downtown Prague. It was phoned into the building that houses OTE shortly before 11am on Tuesday.
Police speculate that the bomb scare provided a diversion so that employees wouldn't see phantom cursors moving across unattended screens or other telltale signs of a breach.
While waiting for the serial numbers, Tornikidis and his brokers sent a notice to all participants they knew letting them know that the registry had been breached.
OTE began looking into its books and realized that Blackstone wasn't alone -- more than two million credits were missing, all from accounts ending in 121 -- the designation given to brokers and other non-industrial entities.
What the Hackers Knew
To pull off the heist, the hackers had to know their target well. They certainly knew their way around OTE, which was in the process of installing a security system that would have required all traders enter a second password that is generated randomly and delivered to their mobile phones. That system was set to be installed this week -- indicating that the hackers knew their target intimately, and timed their heist accordingly.
The timing also worked on the market front: the next surrendering of allowances doesn't happen until April, so companies with offsets on deposit with OTE might be lax about checking their inventories right about now.
Formerly known as Operátor trhu s elektinou (“the Electricity Market Operator”), OTE is a small operation with net assets of just 1.6 billion Czech krona ($88 million) at the end of 2009, according to its most recent annual report. What's more, it operates the registry as a separate, unregulated – and even smaller – entity, with "tangible assets" of just SK 27,390,000 ($1,518,760).
“This all raises some huge issues,” says one local broker. “For one, you have this small entity being responsible for huge assets, and now you can expect this big fight over who pays. Second, you have the question of how these criminals got access to the carbon markets.”
He suspects someone somewhere violated basic “know your client” (KYC) rules, which is a major regulatory no-no.
“We quite often have people applying for accounts, and we’re like, ‘You’re kidding me, there is no way you are a real trader,’” he says. “KYC is basic due diligence – we're not allowed to open accounts if we have the slightest suspicion that something funny is going on – and someone dropped the ball.”
The fragmented scheme is on its way out, thanks to the so-called “Registry Regulation,” which the European Commission issued last October. Among other things, the Directive called for a more consolidated Union Registry System by the start of 2012.
It also called for the immediate implementation of simple security measures that European Commission spokeswoman Maria Kokkonen says would have cost less than $10,000 per country to implement, but would have saved tens of millions of dollars – unless the money stolen on Tuesday is recovered.
Because of its size, OTE was one of 14 EU registries (out of 27 total) that hadn't yet implemented the upgrades.
“All of this highlights the fact that we've created carbon credits with monetary value,” says one local broker. “Carbon credits are like bearer bonds in many ways, or like trading gold.”
But while bearer bonds were designed to ensure economic value, carbon credits were designed to ensure environmental value.
“Environmental value is the hard part,” he says. “Now they just have to get the easy part – they have to make sure they give them to somebody who has more security than a master lock.”