Fraudsters have hit the international carbon market, using a phishing scam to steal around 250,000 permits worth over EUR3 million.
Account holders at emissions registries were targeted last week when e-mails linking to a fake Web site were sent to market participants, says the German Emissions Trading Authority (DEHSt).
The European Commission says the Web site that the e-mails directed victims to asked for user identification codes and passwords and had its "visual identity and appeared genuine".
The e-mails were sent to thousands of firms around the world, with seven German companies known to have been duped into handing over registration details. Of these, six were subject to theft, with 250,000 permits stolen worth EUR3 million, before being sold on to unsuspecting parties. It is believed illegal transactions also occurred in the Czech Republic.
Registries in nine countries, including Belgium, Denmark, Spain, Italy and Greece, closed after details of the attacks emerged. Registries in Austria, the Netherlands and Norway were temporarily suspended but reopened the same day. Trading continued via the European Emissions Exchange.
The EC says that, although the security of the community registry and the community independent transaction log was not compromised, it will now revise its Internet security guidelines. It is also investigating the fake site and is working on closing it permanently.
The United Nations' Framework on Climate Change (UNFCCC) says it is also working closely with national registries to ensure their systems are secure.