Hackers, launching a phishing attack, asked companies involved in emissions trading to re-register with local emission trading authorities, but set up a fake website to steal credentials.
Companies that responded suffered huge losses and hackers stole, then sold their carbon permits on the open market.
The scam involves six German companies and meant emissions trading registries in a number of EU countries shut down temporarily on 2 February.
It was a world-wide action, Hans-Juergen Nantke, head of German emissions registry DEHSt told Reuters.
The carbon market allows companies to buy and sell permits to emit greenhouse gases.
Criminals made fake websites and sent emails to thousands of firms around the globe, including New Zealand, Norway and Australia.
Seven out of 2,000 German firms targeted are known to have fallen victim to the scam, handing over registration details which allowed the thieves to steal their emissions permits.
Of the seven, six have been subject to theft, said Mr Nantke.
Nantke described the attack as highly professional, and said that the German Federal Criminal Office (BKA) was investigating the incident.
Access to the German database to register emission deals would be barred for at least the rest of this week, Nantke said.
The United Nations' Framework on Climate Change (UNFCCC) said it was working closely with national registries to ensure their systems were secure.
According to the Norwegian market watchdog, Point Carbon, more than 8 million tons of CO2 emissions worth 94 billion euros were traded in Europe last year.