FRANKFURT/BERLIN (Reuters) - Online fraudsters have targeted international carbon markets to steal emissions permits from companies and sell them illegally, officials said on Wednesday.
Account holders at emissions registries were hit by a “phishing” scam last week when emails were sent to market participants requesting their details, an official at German registry DEHSt said on Wednesday, clarifying a media report.
“It was not a hacker attack but a phishing action at firms participating in emissions trading,” said Hans-Juergen Nantke, the head of DEHSt.
Phishing commonly refers to hoax e-mails purportedly from trusted organisations to trick recipients into revealing information such as bank account numbers and passwords.
In the $135 billion global carbon market, which includes the European Union’s Emissions Trading Scheme, companies can buy permits from others to emit greenhouse gases when cutting those emissions is too expensive.
“It was a world-wide action,” Nantke said, adding that, to his knowledge, not just the 27-member EU but also New Zealand, Norway and Australia were affected.
The United Nations’ Framework on Climate Change (UNFCCC) Secretariat said it is aware of nine fradulent transactions but the software of national registries operated by Kyoto Protocol members do not appear to have been compromised.
“The secretariat is collaborating closely with the remaining national registries to ensure that access to their systems is secured. Meanwhile, these registries have been disconnected from the International Transaction Log (ITL), which is under the control of the secretariat,” it said in a statement.
The Financial Times Deutschland had earlier reported that fraudsters broke security systems to steal EU emissions permits.
Nantke said some seven out of 2,000 German companies had responded to the emails.
“Of the seven, six have been subject to theft,” said Nantke, putting the number of stolen permits at 250,000, worth over three million euros ($4.20 million) at current market prices.
Nantke said the registry had formally submitted a complaint to state prosecutors in Berlin.
The EU scheme, which was targeted last year by carousel fraudsters, has not been impaired by the case.
The EU Commission said it was not yet participating in investigations as emissions registries, which administer the permits, are the responsibility of member states.
“The investigation at this moment is at the national level. We have preliminary information that investigations are going in Germany and other member states, but I can’t identify them,” a spokeswoman for the European Commission (EC) told Reuters.
“They will have to follow where the transactions went. If they happened at national level, they are traceable. If they happened internationally, our community registry (CITL) will be involved as we can trace international transactions.”
The spokeswoman said the EC will issue non-binding guidelines on security and on future possible attacks shortly.
German registry entries denoting ownership changes of carbon certificates have not been possible since last Friday but the registry would resume this on Thursday, Nantke said, adding that it planned to add transactions done in the interim period.
German energy bourse EEX, which trades carbon permits, said there have not been any attempts to access the DEHsT account of its clearing arm where EEX clients deposit their permits.
“The account balances are being checked and handled on a daily basis,” it said in a statement, adding that trading was also unaffected.
Other registries in Belgium, Denmark, Spain, Hungary, Italy, Greece, Romania and Bulgaria had been temporarily closed on Tuesday, the newspaper said.
Traders noted last week that the EU Commission sent emails advising registries to notify account holders.
Additional reporting by Michael Szabo and Nina Chestney in London; Editing by Anthony Barker
Our Standards: The Thomson Reuters Trust Principles.