BRUSSELS—Nikos Tornikidis, a trader of carbon emissions permits in the Czech Republic, was used to the ups and downs of Europe's Emissions Trading System, a euro90 billion ($122 billion) online market splintered across 30 nations.
But the news last week that hackers had stolen euro7 million in emissions permits from his firm revealed just how vulnerable the market -- and his company's money -- was.
"No one had any clue," said Tornikidis, a portfolio manager at emissions permits trading company Blackstone Global Ventures, after alerting national authorities on Wednesday morning.
By evening, the emissions trading system -- the main tool in the continent's fight against climate change and a role model for similar schemes in California, China and elsewhere -- had been shut down.
For at least a week, until Jan. 26, no trading can take place on the spot market. While investors can still buy and sell carbon futures and derivatives, which make up the vast majority of trades, no permits can be moved from one account to another.
The heart of the problem, experts say, is that security systems at some national registries, which manage companies' accounts, are pervasively lax, that there is no hub for the market, no central clearing house, not even a single set of laws to define the legal status of emissions permits.
And Tornikidis' company was not the only victim. Similar cyber attacks had taken place on five other Czech accounts as well as in Poland, Austria, Greece, and Estonia -- taking the value of stolen credits to some euro28 million ($38 million), according to the European Commission, the European Union's executive.
The Commission, which oversees the carbon market, says the attacks were organized and that staff members at some companies or national registries may have been involved.
National registries in the 27 member states of the EU -- plus Iceland, Norway and Liechtenstein -- are in charge of tracking the ownership of the permits. They run the carbon accounts of some 11,000 power stations and industrial plants, as well as those of banks, investment firms, and intermediaries like Blackstone Global.
The fragmented nature of the market means there is nobody to track stolen or missing certificates, no catch-all number to ring up when an account has been raided.
Crucially, security standards like safe log-ins to online accounts can vary greatly from country to country. The Commission says national registries won't be reconnected to the trading system until they have upgraded their security procedures.
In contrast to trading in bonds or securities -- which is settled through clearing houses -- the national registries don't have the ability to verify the identity, and therefore the legality, of carbon credits prior to moving them into an account.
That means traders like Tornikidis often don't know if they're buying from a thief or not. While there are some private companies that provide clearing-house functions, carbon exchanges currently find it difficult to verify that credits, which only exist online, and sellers are legitimate before a buyer has taken delivery.
"The problem is, once you exchange them they have already been sold," said Thomas Rassmuson, partner at CF Partners, a London-based advisory and investment firm that helps its clients discern good emissions permits from bad ones.
When his boss told him of the raid, Tornikidis knew that recovering the certificates was a race against time. Finding a buyer on one of Europe's carbon exchanges wouldn't be a problem for the thieves, and the moment the credits had changed hands, the thieves could quickly disappear.
Tornikidis passed the serial numbers of the stolen certificates to anyone he could think of. He sent them to BlueNext and ICE -- two big carbon exchanges -- and large traders and consultancies. Finally, he posted the numbers of the missing 475,000 permits on the company's website.
But it was too late. Within hours, the 1.36 million stolen Czech carbon credits had moved through accounts registered in Poland, Italy, Estonia, Liechtenstein and Germany, according to OTE SA, the Czech state-owned carbon registry.
OTE is now frantically working with other registries to find out where exactly they are -- an effort it says could take several days.
The fast movement of the permits raises another problem. With the thieves at large and the money gone, who is the legal owner of the stolen certificates and who takes the loss? Blackstone Global, the companies that bought the permits, the exchanges where they changed hands, or the hacked national registries?
"The answer to that may very well be, 'whose law are you talking about'," said Henry Derwent, chief executive of the International Emissions Trading Association, which represents carbon market participants such as big industrial companies and investment firms.
The suspension of spot trading is a setback -- not least in terms of image -- for the EU's cap-and-trade system, which is pioneering a new way to reduce carbon emissions and ease the risks of global warming.
The trading system limits the carbon dioxide emissions of big plants and factories in the region by issuing allowances for each ton of carbon they can emit. At the same time, firms can gain carbon credits, for reducing emissions. Allowances and credits can be traded, providing a financial incentive to cut emissions. Over time, the number of allowances will be lowered, thus cutting overall emissions in the EU.
California and China have recently introduced similar schemes, and Japan and Australia are working on setting up their own system. Next year, the EU plans to also include airlines in its scheme, adding even more players to the market.
But six years into its existence, the legal landscape of the European emissions market is still murky.
"There hasn't been some kind of legal harmonization of what these things are," Derwent said.
The International Emissions Trading Association had alerted the Commission to "the rather lax security in some registries almost a year ago," says Derwent.
But getting the European Emissions Trading System up to speed will take more than some quick fixes to online security, says Derwent.
"There are a lot of quite complicated areas to deal with here," he says.
In addition to clearing up the legal status of the certificates and setting up a central "notice board" for suspicious permits, experts say it might be necessary to move to a single European registry for carbon trades before 2013, the current deadline.
CF Partners' Rassmuson says that the security problems in the national registries are normal growing pains of a new financial market and an administration problem, rather than a sign there is something fundamentally wrong.
"It's like the early days of banking," he said. "It was also more easy to rob a bank in the old days."
Karel Janicek in Prague contributed to this article.