Claims Xinja investors spooked after ‘red flags’ in cyber security audit

A Las Vegas-headquartered online security firm that claims it was hired by Dubai investors to audit Xinja says it found significant problems with the fallen neobank's technology that left customers vulnerable to cyber attacks.

Defensury director Luca de la Torre said his firm was enlisted by Abu Dhabi-based World Investments to discreetly probe Xinja’s digital infrastructure ahead of finalising a $433 million lifeline payment announced in March.

But after detecting "red flags" with the neobank’s technology infrastructure, Mr de la Torre recommended World Investments withhold any capital before encouraging a complete overhaul of the app.

Xinja chief executive Eric Wilson has gone to ground since announcing the neobank’s decision to exit banking.

World Investments confirmed it had engaged Defensury as part of its due diligence when contacted by The Age and Sydney Morning Herald. Xinja denied any knowledge of the company.

Mr de la Torre claims his security audit was the main reason the Emirati investor's money never materialised, contributing to Xinja’s shock decision to exit banking.

"It’s a bank without any branches so the application was their only asset," Mr de la Torre said. "If they have any issue with their application, it’s a big deal."

The claims are the latest twist in the demise of Xinja, a neobank that aimed to shake up the Australian banking market but has now returned all customer deposits and will soon relinquish its regulatory licence.

Defensury's website claims its staff are world-leading hackers with experience in global intelligence agencies including the US's National Security Agency, Russia's GRU, the UK's MI6 and Israel's Mossad.

Mr de la Torre said his team was easily able to open bank accounts with Xinja using fake identification documents, creating a "major red flag" for the neobank's ability to adhere to anti-money laundering and counter-terrorism financing laws.

"This is a regular process we do in every due diligence when it comes to banks, we try to understand how their internal processes work, how they make sure they don't get sued or fined by the government," he said.

"Xinja didn't even notice spoofed or virtual numbers. It was easy to create accounts."

Mr de la Torre said his team also identified "issues that were deeply wrong" with Xinja's technology architecture, particularly in the Android version of the app.

"This critical flaw would have allowed threat actors to easily create a sophisticated attack and to operate in textbook style," he said. "We are confident that an attacker would have been able to hack into client accounts and possibly transfer money."

Xinja claims it never granted Defensury access to its systems to conduct a review, adding the neobank had suffered no known technology breaches.

"Xinja's technology, as part of the process of holding an ADI [authorised deposit-taking institution] has undergone extensive independent 'fit for purpose' assessments. Xinja ran weekly automated penetration testing and at regular intervals conducted third-party penetration testing," a spokesman said.

Xinja announced in March it had reached a deal with Emirati-owned World Investments, with $160 million to be invested "immediately" and the balance transferred over a two-year period.

However, the money is yet to materialise and Xinja’s shares could now be worthless as the neobank became the first Australian institution to return all customer deposits on Tuesday.

The deal is under investigation by an anonymous group claiming to be linked to a US law firm that is offering cash rewards of up to $1 million for insider information on Xinja, World Investments or First Penny Investments chief executive Michael Gale, a serial entrepreneur celebrated for brokering the deal.

A spokeswoman for the anonymous group said the team was employed by a private individual interested in suing one or multiple parties involved in the deal and that its appeal for information had already yielded enough evidence for a lawsuit in Australia and the US.

"Our client lost a significant amount of money in a past transaction that is linked to individuals involved in the Xinja deal," the spokeswoman said in an email. "Our client recognised a certain pattern in the Xinja deal and wants to put an end to the 'scheme'."

This masthead does not suggest Mr Gale was one of those individuals.

Mr Gale said he had not been contacted by the anonymous group or Defensury and believed both were illegitimate outfits attempting to blackmail First Penny and Xinja.

"I believe that any licensed investigator or class action law firm is required to correctly identify itself as part of their licensing conditions," he said. "I am very certain that they have not collected any information or have any intention of filing a lawsuit. No party has suffered any loss at this point in time."

Mr Gale said it was unlikely that World Investments would hire a small company like Defensury to conduct due diligence. "And surely in the security business you would never breach the confidentiality of your clients as that would be your last client. So I simply don’t credit that."

Xinja said the last formal interaction the company had with World Investments was in September when the "fund establishment agreement" was updated and re-signed by all parties.
