Waitsfield town government targeted in sophisticated financial hack for $81K

July 14, 2025  |  By Lisa Loomis  |  The Valley Reporter

WAITSFIELD—State and federal agencies are investigating a sophisticated $81,000 financial hack carried out as the Town of Waitsfield paid its engineering firm for work conducted as part of the town’s wastewater project.

Waitsfield Town Office. Photo by Lisa Scagliotti

The town has two insurance policies that will cover the financial loss, subject to the town’s $1,000 deductible.

Waitsfield has been working with engineers from DuBois and King on town planning and engineering for several years. The breach occurred when an ongoing email chain between DuBois and King employees and town employees was hacked mid-stream, meaning the chain was already under way when one letter of one recipient’s email address was changed.

That allowed financial data relating to an ACH electronic payment transfer to be exploited, explained Waitsfield Town Administrator York Haverkamp. He said that this type of mid-email-chain hack is relatively new and/or unheard of, according to investigators.

The breach was discovered in late May when Town Treasurer Steve Lewis received a second invoice for $81,683 from DuBois and King, after the town paid that invoice electronically on April 7.

Haverkamp explained that the town received notice in mid-March that DuBois and King was transitioning from check payments to ACH transfers and the select board discussed the change at a meeting before approving the April 7 payment.

The $81,683 invoice was first received in January, sent to Lewis, the town administrator, and Planning Director JB Weir from Eric Hildenbrand at DuBois and King. In early February, D&K corrected the invoice due to a numbering issue and provided a revised version. Engineer Jon Ashley, who has worked with the town since the beginning of the wastewater project, was looped into the chain.

The town paid via ACH in April, and on May 22 Lewis received another invoice from the engineering company, which was followed up by a phone call on May 23.

“After looking into the records, Steve identified a subtle but critical issue: in the mid-March email, Eric’s email address had changed slightly – from ‘@duboisking.com’ to ‘@dubcisking.com.’ The alteration was nearly invisible. Later in the same thread, ‘Jon Ashley’ was looped in, but his email was also a spoofed version of the legitimate address. There is a second, separate email chain that also appears to be fraudulent,” Haverkamp explained to the board in an email late last week.

Once the breach was discovered, Haverkamp, Lewis and Weir filed a report with authorities, contacted their insurance company, reported the event through the FBI’s cybercrime portal, and revisited the town’s security protocols with its IT consultants. Haverkamp said he planned to report the incident to the Vermont Attorney General’s office.

“We are moving quickly to prevent anything like this from happening again. I’ll begin the process of migrating our systems to .gov email addresses next week. It’s a complex and lengthy task, but a crucial step in strengthening our defenses,” he added.

The matter remains under investigation. 

This story was originally published by The Valley Reporter on May 29, 2025. 
