Black Dragon: UK hacker comes clean on carbon credit thefts

By Michael Szabo

LONDON (Reuters) - A British hacker, speaking out for the first time since he was jailed for attempting to steal 8 million euros ($11 million) (6.45 million pounds) in carbon credits, said he was easily able to break into online government and corporate registries.

Matthew Beddoes, known online as the Black Dragon, was arrested in November 2011 with two other men for hacking into carbon trading registries including those of Spain and the United Nations, along with the websites of a London-based commodity broker and an online carbon trading marketplace.

Permits stolen from the Spanish registry were sold to a third party, while those taken from the UN were frozen.

In March 2013, the men were imprisoned for a combined 5-1/2 years for helping to steal 350,000 credits – worth 3.7 million euros – from an account on Spain's registry, and for attempting to steal a further 426,000 credits from a UN account valued at 4.1 million euros.

A carbon credit is a tradable certificate, or permit, that allows a country or organisation to emit one tonne of carbon dioxide or the equivalent mass of another greenhouse gas into the atmosphere.

Speaking by phone from his home in Liverpool, Beddoes, who was released from prison last year, said in an interview that he had helped gain access to all accounts on the UN registry, which contained more than 500 million carbon credits worth around 10 euros each.

Through the Spanish registry the men acquired control over hundreds of millions of European Union credits, at the time valued at around 15 euros each.

Beddoes' disclosures shed fresh light on security breaches that helped prompt regulators to make sweeping reforms and EU lawmakers to call into question their flagship 36 billion-euro ($49 billion) market. The EU wants countries to replicate its scheme and link into it as a way of tackling climate change.

Previously a self-proclaimed 'hacker for hire', Beddoes said he had little knowledge of emissions trading before he was contracted in February 2011 by an unnamed man seeking to access carbon registries – online hubs through which account holders can trade carbon credits with each other.

"It was totally anonymous. He was the client and the target was carbon credits. He told me he wanted access to government registries, brokers and anything else I could get, so I went on the warpath and got whatever I could," Beddoes said.

Beddoes said he was also able to hack into government carbon trading registries in Africa and Asia.

"I was paid around 3,000 pounds ($5,100) for every access that I gave them and they used," he added.

The three men are thought to be the first to be jailed for stealing carbon credits through phishing scams and hacking.

The EU and the UN run the world’s two largest carbon trading markets by tonnage traded, helping to put a price on emitting greenhouse gases in an effort to stop runaway climate change.

ZEUS THE TROJAN

For the job, Beddoes told Reuters that he used a trojan – a malicious computer program that when installed can provide remote access to a system or network – called Zeus.

Zeus was attached to blank PDFs and emailed to the registries as part of applications to open trading accounts.

"An hour later, the trojan would appear in our control panel, meaning we had infected their system and could control it," Beddoes said.

According to the UK's Serious Organised Crime Agency (SOCA), 8,340 credits stolen in the Spanish registry were sold for 89,000 euros to an unsuspecting third party in October 2013.

Attempts to steal credits in the UN registry were thwarted by its administrators, leading authorities in Spain and the UK to freeze the unsold hacked units on the Spanish registry and to arrest the Black Dragon.

Beddoes said he used alternate methods to hack into other registries but no credits were stolen, helping the security breaches to go undetected until police searched his computer hard drives following his arrest.

"Half of these companies didn't even know they got penetrated until they were contracted by SOCA," he added.

FROM BLACK TO RED

Beddoes in March 2013 pleaded guilty to conspiracy to commit Computer Misuse Act offences, fraud and money laundering, and was sentenced to 33 months in prison.

Jasdeep Singh Randhawa was sentenced to 21 months in jail and Jandeep Singh Sangha was given a one-year suspended sentence.

Beddoes was released in July 2013 on electronic tag, and remains on probation until May 2015.

In separate incidents in 2010 and 2011, cyber thieves made off with more than 3 million emissions units from registry accounts in Germany, Italy, Romania and the Czech Republic.

Cement maker Holcim is still pursuing a legal battle to recoup the costs of around 15 million-euros worth of permits stolen in late 2010.

While little is known about these cases, including whether there have been any arrests, they prompted the EU to beef up security at its new bloc-wide trading registry, which was launched in 2012 to replace individual national registries.

An official at the European Commission said the move to a bloc-wide registry was among a series of measures taken to improve the security of its emissions trading scheme, including adding spot trade to the regulation of carbon transactions.

As for the Black Dragon, Beddoes said he now uses his knowledge and hacking experience for good.

Earlier this year he set up his own IT security firm – Red Dragon Security – through which he gives live hacking demonstrations and helps small businesses protect themselves from online threats.

(Reporting by Michael Szabo, additional reporting by Ben Garside; editing by Veronica Brown and Keiron Henderson)