Mr de la Torre claims his security audit was the main reason the Emirati investor’s money never materialised, contributing to Xinja’s shock decision to exit banking.
“It’s a bank without any branches so the application was their only asset,” Mr de la Torre said. “If they have any issue with their application, it’s a big deal.”
The claims are the latest twist in the demise of Xinja, a neobank that aimed to shake-up the Australian banking market but has now returned all customer deposits and will soon relinquish its regulatory licence.
Defensury’s website claims its staff are world-leading hackers with experience in global intelligence agencies including the US’s National Security Agency, Russia’s GRU, the UK’s MI6 and Israel’s Mossad.
Mr de la Torre said his team was easily able to open bank accounts with Xinja using fake identification documents, creating a “major red flag” for the neobank’s ability to adhere to anti-money laundering and counter-terrorism financing laws.
“This is a regular process we do in every due diligence when it comes to banks, we try to understand how their internal processes work, how they make sure they don’t get sued or fined by the government,” he said.
“Xinja didn’t even notice spoofed or virtual numbers. It was easy to create accounts.”
Mr de la Torre said his team also identified “issues that were deeply wrong” with Xinja’s technology architecture, particularly in the Android version of the app.
“This critical flaw would have allowed threat actors to easily create a sophisticated attack and to operate in textbook style,” he said. “We are confident that an attacker would have been able to hack into client accounts and possibly transfer money.”
A spokeswoman for the anonymous group said the team was employed by a private individual interested in suing one or multiple parties involved in the deal and that its appeal for information had already yielded enough evidence for a lawsuit in Australia and the US.
“Our client lost a significant amount of money in a past transaction that is linked to individuals involved in the Xinja deal,” the spokeswoman said in an email. “Our client recognised a certain pattern in the Xinja deal and wants to put an end to the ‘scheme’.”
This masthead does not suggest Mr Gale was one of those individuals.
Mr Gale said he had not been contacted by the anonymous group or Defensury and believed both were illegitimate outfits attempting to blackmail First Penny and Xinja.
“I believe that any licensed investigator or class action law firm is required to correctly identify itself as part of their licensing conditions,” he said. “I am very certain that they have not collected any information or have any intention of filing a lawsuit. No party has suffered any loss at this point in time.”
Mr Gale said it was unlikely that World Investments would hire a small company like Defensury to conduct due diligence. “And surely in the security business you would never breach the confidentiality of your clients as that would be your last client. So I simply don’t credit that.”
Xinja said the last formal interaction the company had with World Investments was in September when the “fund establishment agreement” was updated and re-signed by all parties.
Start the day with major stories, exclusive coverage and expert opinion from our leading business journalists delivered to your inbox. Sign up here.
Charlotte is a reporter for The Age.