Artificial Chaos

Lifestyles of the Rich & Famous [Money Laundering]

May 11, 2022 Morgan and Holly Season 1 Episode 7
Show Notes Transcript
Holly:

So in the last episode we talked about my hobby, which is mountain climbing. In this episode we're gonna talk about your hobby, which is money laundering. So how do you wanna get started on this topic?

Morgan:

<Laugh>, I'd, I'd like to get started by clarifying that I'm not a hobbyist money launderer,

Holly:

Oh you-, Sorry? Is is like semi-professional, professional? Is that what we-, I didn't mean to patronize or talk down to you.

Morgan:

<Sigh>

Holly:

As an expert in the field of money laundering, how do you get away with it?

Morgan:

<Laugh> You're gonna get me sent to prison. I've never laundered money. I just worked in the finance sector for a few years.

Holly:

That is what somebody who laundered money would say though, right?

Morgan:

I guess it depends who they're talking to. Like if you're selling money-laundering-as-a-service, you're not gonna go, I've never laundered money.

Holly:

You know what a Kafka trap is?

Morgan:

No.

Holly:

A Kafka trap is where you set up a situation so that no matter what a person says, they sound guilty. So you would say something like, Oh, alcoholics always deny it and then either you admit to being an alcoholic or you deny it, thereby admitting.

Morgan:

Okay. Well...

Holly:

It sounds like that when you, when you say, you know,"Honestly I've never been into money laundering", it's like that's what somebody who's really into money laundering would say.

Morgan:

I think it's interesting. I've never done it and I would never have a reason to do it cause I don't routinely do crime.

Holly:

When I worked, uhhhh, with the gaming industry, there was a like a lecture, like a guest lecture that was put on, uh, about money laundering. And this was five or six years ago. So it was very new to me. And uh, I realized that I think that was the point in which I was first put on a list because I went to a lecture about money laundering and I was the only person who took notes.

Morgan:

< Laugh>, That's such a Holly move. I quite enjoy that actually.

Holly:

If I go to a lecture to learn something. I'm gonna take notes; as you well know. I have a terrible, terrible memory. I have a hilariously bad memory.

Morgan:

You-, you do have a pretty terrible memory. Okay. Um, I suppose we should start by defining what money laundering actually is for people who maybe aren't familiar with it.

Holly:

Yeah.

Morgan:

Yeah. So money laundering is the illegal processing of the proceeds of crime to disguise their origin. So you, you commit a crime, how do you then use the money that you've got from that crime without being picked up by the police?

Holly:

The reason that this interests me is because, uh, so I work in cyber security, right? In particular offensive security with penetration testing. And very often people like to compare the work that we do as penetration testers with the actions of cyber criminals. And of course that is the point in which we actually have no experience and it's just not a thing that we work on. So I will break into computers and then demonstrate those vulnerabilities to organizations. Whereas an actual cyber criminal breaking into the computer is just the first step, right? You've got a whole bunch of activity that has to come after that in terms of monetizing that attack and then getting that money into some form that you can actually spend it without being arrested, right? So we're gonna focus in this episode on the back end side of that, right? It's like, hey, you have committed some kind of crime. Maybe a cybercrime, or maybe otherwise how does getting that money into usable form work? And of course importantly how come so many criminals are really bad at it and keep getting caught.

Morgan:

And then we gonna talk a little bit about cryptocurrency, which is Holly's favorite thing.

Holly:

We'll talk a little bit about crypto. I do think crypto is important in these discussions.

Morgan:

Sorry, sorry, sorry. We're gonna talk about cryptocurrency.

Holly:

That's what I said. Crypto.

Morgan:

No,

Holly:

Like Doge, Ethereum...

Morgan:

No, Holly crypto means cryptography.

Holly:

Are you team Bitcoin or Bitcoin Cash?

Morgan:

Neither< Sigh>

Holly:

Are you team proof of stake or proof of work?

Morgan:

Please. Stop.

Holly:

Okay, we'll get to that. We'll get to that. So you said we should define money laundering and I think everybody kind of like implicitly knows what money lingering is, right? It's like that taking the money from the point in which you're stolen it to making it usable. But are there stages that are involved? Is there like common steps that an attacker would go through for money laundering or is it different every time?

Morgan:

Yeah, so broadly speaking, there are three phases to money laundering. Um, three steps. So the first stage would be, uh, placement, which is where you place or deposit the money into a financial system. Um, the next stage is layering where you create a complicated web of transactions or a trail of activities so that you can obscure the initial source or deposit. Um, and then the, the third and final stage is integration and that's when the funds are integrated into the economy, um, returned or accessible to the person who's been doing the laundering.

Holly:

Okay, so you have some funds. So for example, we are talking about cybercrime and we're talking about the, like the theft of cryptocurrency. So for example, you've hacked a cryptocurrency exchange, something like that. And when you first take the funds from their original wallet or source and you put it into a wallet that you control, that's placement, right?

Morgan:

Yeah.

Holly:

Okay. So you then mentioned layering and you described that as like a mixing activity, right? So it's several actions where you're trying to obfuscate the source. So you're trying to effectively put some logical distance between where the money was stolen from and when the money enters an account that you can use it from, right?

Morgan:

Yeah. So you're basically just, um, trying to make that as complex as possible. Um, and there are a few ways that you can do that, which we'll get onto.

Holly:

This is the thing that, that has always confused me because very often you hear people misunderstanding. Cryptocurrency are generally misunderstanding the blockchain and those kinds of things. And one, one of my great frustrations is technologies like the blockchain, the, the feature that they bring is they are distributed and or I guess, uh, decentralized is a better term in this context. Uh, the blockchain is decentralized and people hear that and think it means"anonymous", right? Because the problem that I have in my head when we start our conversation about money laundering is if you steal some cryptocurrency from an exchange and then you move it through some wallets and then you put it into a wallet that you control, that you can withdraw into cash or some other form of fungible currency that you can exchange for goods and services. If you wanna know where that money came from, right? You just look at the blockchain, right? It's a published source of this is all of the transactions that have taken place. So just moving it between one or two or three wallets that you've made doesn't sound like it's really hiding anything.

Morgan:

I guess having, um, a public ledger where all of your transactions are recorded for all of time is, is probably not, um, a great place to be laundering money, but there are online services and bitcoin blenders and cryptocurrency, tumblers and things like that that people use to swap a certain amount of cryptocurrency with somebody else. Uh, so I guess like the, the tokens, what am I trying to say right now?

Holly:

Tokens. You can, you can say tokens. Yeah.

Morgan:

So you would be swapping an amount of cryptocurrency with somebody else, the same volume I suppose, which would disguise more easily the source of those funds. But it does mean that that other person would potentially now have the cryptocurrency that you had that came from that criminal source initially.

Holly:

So before we dive more into cryptocurrency and and how it works, and I've got some notes on a, a recent money laundering story which went hilariously- should we talk about the basics of the foundations of how do we stop money laundering? So what is anti-money laundering?

Morgan:

Um, so anti-money laundering is the name given to like collective legislation and regulation that requires banks and financial institutions to uh, have process in place to things, uh, for things like know your customer processes and to report suspicious transactions, via suspicious activity reports if they suspect that somebody is involved in money laundering or in uh, anything surrounding the proceeds of crime or terrorism financing. And similar, so anti-money laundering is both a process and also, um, collective of legislation.

Holly:

So you mentioned know your customer. What, what is know your customer?

Morgan:

Know your customer is the requirement for banks and financial organizations to understand their customer. What usual behavior is for that customer? What are normal amounts of cash or or volumes of cash to be moving in and out of their accounts? So their regular deposits that go into that account? How much do they earn? Where do they live to say if somebody's had, you know, quite a, a low paid job for their entire life and then suddenly comes into a large volume of money that would flag up, a fraud team would detect that and and wonder where the source of that that original money was. And also it requires a vetting process. When you open an account with a bank or a finance institution, they'll have to sort of screen their perspective customers against a list of politically exposed people and make sure that they're not involved in like crime or terrorism financing and similar things. It's almost like a, a bit of a watch list I suppose.

Holly:

The know your customer stuff just sounds like the bank being aware of like what is normal for your account, right? So if you get paid by the same company every month, it's just like, oh, we don't need to investigate this transaction because it's just a normal activity for this user. And then anytime you get abnormal activity, so like a large deposit or you use the term volume there, I presume you're talking about not necessarily a large deposit, but maybe just a large number of transactions. It's just them being able to pick up on that as potentially suspicious, right?

Morgan:

Yeah. So there's a, a couple of things here. The first being if you've had an account with a bank for 10 years but you've hardly ever used it and suddenly you start using that really heavily, that looks suspicious. And secondly, know, your customer also links to things like detecting modern slavery and people trafficking. If somebody comes into a bank and they're potentially being scammed or being taken advantage of or you have it with foreign nationals, whether they'll sometimes go into open bank account or withdraw some money and someone else is with them and has their passport, for example, that could be evidence or, or a sign that they're being coerced.

Holly:

Oh, so it's not, it's not only like bank account activity, but it's like behavior when interacting with the financial institution.

Morgan:

Yeah, absolutely. So, uh, an interesting thing is as a, a consultant who works in a bank, um, or a teller, whatever you call them, wherever you are, you are required in the UK to report any suspicious activity. So even if you don't have hard evidence that somebody is laundering money or that something criminal is, is occurring, you still have to submit a suspicious activity report so that that can be investigated by say the police, um, or the National Crime Agency who sometimes work in um, conjunction with police forces. What that means is usually if you submit a suspicious activity report, the fraud team at a bank will freeze somebody's accounts, which means that they're not able to transact, they can't access any money that they might have deposited, they can't withdraw any money, things like that. But you're also not allowed to tell the customer why that's happened because that constitutes tipping them off, which makes you an accomplice.

Holly:

So you can say if somebody goes into a bank, talks to a teller and the teller thinks it's suspicious, they could say, Oh, I'm sorry we're not able to serve you at this time. But they can't say, Oh hey dude, you got a fraud warning on your account so like, can't give you any money today. You know, you probably should, should check into that. Is that what we're talking about?

Morgan:

<laugh> Yeah, basically...

Holly:

It just says call FBI on your account notes,<laugh> like...

Morgan:

They can, they can say anything really. I suppose they could tell them that there's a hold code on the account but they couldn't tell them why. But I think even if you act in a way that gives the customer or the person attempting to launder the funds, uh, the impression that they're being investigated for fraud, um, you can be fined or you can go to prison for that.

Holly:

So you can't tip them off. And this is interesting cuz we were talking the other day, weren't we when we were doing the show notes and things for this episode and I told you that, so I do all of my banking through a mobile application and on the mobile app for my bank, it doesn't have any of the details that I would expect to be like KYC details, right? So like this, this know your customer thing, knowing who you're employed by, how long you've been employed, what your income is, those kinds of things like these details that I would expect my bank to know so that it can tell if a transaction is unexpected or unusual. On my banking app, there are none of those details. There is a space where those details are supposed to be, but when I log in: occupation, unknown employer, unknown start debt the 1st of January, 2010, that definitely feels like a null value, doesn't it? Just like the dropdown starts there or something. Income frequency unknown, income unknown, home address, country of residence, unknown country of birth, unknown town or city of birth unknown. This is my actual bank account.

Morgan:

Maybe you're just really good at opsec.

Holly:

So the the really funny thing was a little while ago, my, my bank rang me in what was at the time somewhat of a suspicious phone call when your bank,"your bank" like inverted comment here was like your bank rings you up and says, Hey, there's a problem with your bank account. We need some details about you, like your name, your address, all of these things. Like you immediately think Phishing and then you, you do the thing where you're like, okay, what what is the the steps for for validating this, uh, this here? And I think that's one of those activities where some people can get caught out. There used to be a problem I'm told with, with landline phones where a scammer would call you up on the landline, they would tell you there's some problem with your account, whatever. And say, oh, for security reasons, you know, you should hang up now and then you should call your bank or you should call whatever company says there's a scam alert on your account and you know, you thank the person for the call, you would hang up, you pick the phone back up, you dial the number, you speak to your bank. But what would happen is the scammers wouldn't hang up the line at their end and on some landline systems that wouldn't disconnect the call. So when you start pressing buttons in your phone, it's just sending the tones but the line hasn't been disconnected. So you're still talking to the scammer. And I saw this recently, in fact you shared this with me on Twitter, didn't you? Somebody who got scammed, an NFT scam, where their mobile phone rang and the call ID, which by the way if you didn't know a call ID can be easily spoofed, call ID on their mobile phone said it was from Apple Inc. So they trusted them. I'm missing a couple of steps here, but they trusted them because their phone in part said it was a legitimate call from Apple. Um, so yeah, the scammers are everywhere and my bank rings me up and says, hey, we need to validate some, some personal details. And it was, it was those kinds of details that they needed to validate. Um, which makes it even weirder that my account still does not have those details showing on my, on my account.

Morgan:

Yeah, it's very strange that they've not tried to capture those at any point. If you use that regularly or if you've spoken to anyone in, in a contact center or gone into a branch, they would try and collect that data while you're there for that exact purpose. But it depends how long you've had the account really. Because if you had that account, say when you were a child or you had it prior to the introduction of some of this legislation, then they wouldn't have collected that data at the time there, there would've been no obligation for them to, to do those things.

Holly:

I've had, I've had the account for something in the region of 19 years.

Morgan:

It's quite a while.

Holly:

Yeah, it's a little little while. Um, I remember I've had, I've had some interesting problems with my bank, um, but one of them being I did open the account when I was what they call a young person, so a child. I don't remember exactly how old I was. And when you get to 18, obviously the details of your account change because you're now legally eligible for, for credit. So you can have an overdraft and things like that. And on a young person's account you can't have any of those things. So it's supposed to be when you turn 18 the account just ticks over and becomes an adult account or what they, I think they just call it a"current account" as opposed to a"young person's account". Like none of those things worked. I remember back when I turned 18 it just didn't happen and I had to go into the branch and be like, hey, it still hasn't done this thing. And so I've had some funny issues with my, with my bank, um, over the time. But yeah, that one made me laugh where we're, we're kind of preparing to have this discussion about, about know your customer. And I'm like, oh, I'll see what information my bank holds about me. And it's like apparently none. Apparently no information.

Morgan:

Yeah, it's, it's really interesting now because when you try and open a bank account online or anything like that, they'll take you through an electronic ID check. So you'll need to provide like a scan or something similar of um, potentially a utility bill. Um, or uh, another piece of correspondence from like an official body. Um, a copy of at least one piece of government issued ID potentially two depending on what kind of account it is, um, and who you're opening that with. And then they'll also check to see if you are on the electoral role for where you live as well. So if you are trying to open a bank account in London but you actually live in Scotland, that might raise some alarm bells and often for say, um, an an ISA savings account for tax purposes, they'll need things like your national insurance number. Um, if you are not registered to vote where you say you are opening the account or where you live, you will fail the electronic ID check for opening that account.

Holly:

I also had this recently so um, so I did open an account with a challenger bank just to see how different that is. I mean based on the competence of my actual bank, it's a really, really low bar. So I thought maybe a challenger bank could be worth investigating. But also more recently, uh, I opened an account on a crypto exchange and they have very similar kind of KYC processes and with it being all mobile app based, you know, you install the app but when you go to open your account, it's starts: take a photograph of your driving license, you have to take a selfie holding your driving license and things like that. I think if I remember correctly, to open the bank account I had to take a video but to open the crypto account it was just a selfie with me holding my id.

Morgan:

I've done that before and I always think it's, it's so funny because it's like a hostage situation. Are you like you have a hostage holding a newspaper, It's like, it feels like that...to open a bank account.

Holly:

It's like how much, how much duress can you appear to be under looking, looking at...I am trying to open an account<laugh> I am not under duress and see how much suspicion you can raise whilst like... Anyway I tried to open this, this crypto account and the verification failed. Now I mentioned this I think in a previous episode I've had this recently where my driving license is the new style of driving license and some of these systems don't recognize it cuz it looks slightly different. So it may have just been that I had it with my exams and I opened the crypto account about the same time so, so it could have just been that but I just kept trying and on like the third or fourth attempt it just worked. So that makes me feel like, you know, maybe there is a machine learning artificial intelligence system that's verifying these photographs or maybe it's just a PRNG and it just rolls the dice and if you get a six you can open an account and I obviously didn't roll a six on the first three attempts but I got there in the end.

Morgan:

<laugh> Statistically you're gonna brute force it in the end is what you're saying.

Holly:

Well it gave me no other option so it just, on the mobile app it just said failed and then a couple of minutes later I got an email and the email basically just said, sorry that we couldn't verify you, please try again. There was no like contact us here or um, make sure that you know, you know some of the details you might expect like make sure you're in good lighting, make sure that the ID is clearly visible or any, any of those kind of details you might expect to like assist the customer through. As far as I remember it was just like that didn't work, try again. So I did just keep trying again and then it let me through in the end.

Morgan:

Amazing. Truly iconic.

Holly:

And that's where I put all of my Doge.

Morgan:

Oh why...are you doing what? Why?

Holly:

Why Doge?

Morgan:

What? No, why you do this to me?

Holly:

Because it's going to the moon! Rocket emoji.

Morgan:

Oh for God's sake.

Holly:

Ironic- Ironically I can't log into my crypto exchange cuz it says I need to verify my ID.

Morgan:

Again?

Holly:

Yeah I've gotta do it every seven days or something. It's not, not the full process. Just like I can log in with Face ID but then there is an absolute timeout, I think it's seven days and then Face ID stops working and I've gotta log in with a password.

Morgan:

That seems excessive.

Holly:

So the way that it works, I open the app so obviously my phone has to be unlocked I unlock my phone first, I open the app, it uses Face ID to log me into my account, but then about every seven days it will log me out completely and then I have to enter my password and it will text me a PIN number. I would much prefer it just uses Face ID.

Morgan:

Actually, now that you mention it, my current pension provider where I work at the moment, they have an app and it's atrocious. You can't just use biometrics whenever you wanna log in. It doesn't ask you for permanent permission. You have to, it redirects you to a browser to log into the website and then authenticates the app using that. And that only lasts for a certain period of time I suppose cuz I don't check my pension account with any great regularity every couple of months or so. So maybe it's just a period of time that it expires, but I always thought that it was just a terrible app because I have to repeatedly log into the browser even though it's given permission to use Face ID.

Holly:

It's annoying isn't it?

Morgan:

It's very annoying. Bad customer experience.

Holly:

Just gonna buy a couple of Doge whilst we're here.

Morgan:

Why?

Holly:

Cool. So we've talked about like what KYC is supposed to be this know your customer aspect of like knowing details of who the person is, maybe who they're employed by, the sources of the funding and then also like something around activity. I've also seen previously as well artificial intelligence and machine learning being used within payment systems to just better detect what activity is maybe suspicious. Cuz you mentioned earlier didn't you like this difference between like a large deposit and then a large number of deposits either could be suspicious depending on context. So I've seen AI and ML being used to determine whether activity is unusual or not. Um, that seems infallible machine learning seems a good fit to to that problem. Can you, can you imagine any problems with that?

Morgan:

Absolutely not, no. It seems like a, like a perfect fit. I think that to be honest, if there's one thing that people do as rational agents, it is figuring out what the rules are and circumventing them when it serves them.

Holly:

I imagine this is one of the reasons why tipping off a potential money launderer is bad. Cuz not only could they take action to evade prosecution or maybe flee, but also like if they perform an action and then you tell them, hey, this thing that you did that was suspicious, it's like they might stop doing that in the future and make an investigation more, more difficult. Right?

Morgan:

Yeah.

Holly:

I just wanted to mention on the machine learning thing though, uh, the reason that I'm, I'm being mean about this is because in a prior episode I mentioned this story of the Americans trying to detect Russian missile silos by feeding in, uh, images. And it, and the story goes that the dataset that they used was bad and the machine learning algorithm optimized for a different problem than the problem they wanted to solve. And I, I recently saw some articles of this being used for COVID research and for using machine learning to detect based on images. So, so scans of uh, patients, chest scans of patients, whether that patient was COVID positive or not. And again, it was just another really good example of machine learning being really good for some problems and not so much for others. A good example of this being the images that were fed into the system, Some of the patients were sitting up and some of them were lying down. The reason for this was the patients who were scanned lying down were COVID positive and were seriously ill. That was why they were lying down. And so this particular machine learning algorithm learned to detect whether the patient was lying down or not, not to detect whether they were COVID positive or not. Another example being the dataset was bad and it contained images, chest scans of children who did not have COVID. And then the obviously testset was just a mix and the AI learned to identify children not COVID. So yeah, machine learning again being absolutely fantastic but not necessarily fantastic at the thing you want it to be.

Morgan:

It's like that Batman, isn't it? It's what you deserve but not what you need right now.

Holly:

This is like the Shakespeare thing. I swear.

Morgan:

What Shakespeare thing?

Holly:

I'm over here on a technology podcast saying here are some really interesting applications of machine learning and then Morgan's over here like, reminds me of Batman.

Morgan:

Batman's really cool. I know if it's the third one where um, I said Luci-, Lucious Fox. Lucian Fox.

Holly:

It's like the, the first three were really popular and then like the second three, the prequels weren't so good, right? Because they introducted...

Morgan:

Okay, I'm talking about, I'm talking about<laugh>, I'm talking about the Christian Bale, Christopher Nolan trilogy. So Dark Night Rises, I think it is. Morgan Freeman's character has built this system and it's like mass surveillance. It uses, um, people's phones to track like location, um, and like detect crime and where that's occurring in this city, like microphones and stuff. And then he shuts it all down at the end cuz he thinks that nobody should have that much power, which I think is really cute and utopian.

Holly:

Robin, I am your father.

Morgan:

<laugh>. Cool. Okay, so yeah, there's lots of legislation around this. Some of it's pretty cool, some of it's not so cool. Um,

Holly:

What makes it not so cool? Can you give us some?

Morgan:

Personal bias? I don't really like 500 page documents that, you know, say what you could say in like 30 pages.

Holly:

Oh, it's just a, just a general, some regulation is not well written. No, I can, I can get down with that. I can,

Morgan:

But interestingly like it, it features in some other areas too. So part three of the Terrorism Act, um, which I think was written around 2000, um, makes it illegal to use, po-, possess or raise funds to finance terrorism or to form an agreement to do that. So all they have to do is find evidence that you've agreed to fund a terrorist organization and you're in contravention of that. You don't even have to have actually successfully laundered the money.

Holly:

Yeah, this is like the US idea of, of conspiracy, right? Where you, you have to have planned an activity and then taken a step towards that activity. You don't necessarily have to have been successful in it. I'm not a lawyer, we should probably point this out, but um, yeah I remember reading the Terrorism Act, having an interesting clause in there where distinct from things like Computer misuse Act where the Computer misuse Act is all about, you know, unauthorized access to a computer program or data. So the implication there is it, it must have been, you must have achieved it. Whereas with the Terrorism Act it's worded differently and it's a seriously planned attack. The attack doesn't have to have been successful, it just has to have been seriously planned.

Morgan:

Yeah, I think that's an important provision. Maybe we need some examples, ways of laundering money to con-

Holly:

That's not where I thought you were going with that. Well I thought you were gonna say, Oh, I think we should have some examples. Like is there any, you know, uh, court cases, case law about like money laundering or like the, the prosecution of money laundering that we can talk about And you're all over here like Yeah. So we should probably finish this episode by telling people how to get away with it. Is that where you're going?

Morgan:

Who's finishing the episode? We're like 20 minutes in. I'm absolutely not finishing the episode right

Holly:

Now. I presume that money launderings quite difficult and I just thought it would take you a while to get out there like, you know, if I was gonna do it, this is how I would do it, story.

Morgan:

<laugh>. No, I just think it's, um, it's interesting to look at ways that this has been done historically and then we can look at, um, the example that you mentioned earlier. Cause I think you got some, some interesting notes on that.

Holly:

Interesting is carrying a lot of weight there. I'm excited.<Laugh>

Morgan:

I-, I'm also excited. Yeah, so some some ways of laundering money. Then I'm gonna let you cover the first one due to the fact that it is called Smurfing.

Holly:

I'm not familiar with Smurfing.

Morgan:

Are you not?

Holly:

No, I don't think so.

Morgan:

Oh. Um...

Holly:

Am I?

Morgan:

Okay, I thought we discussed this previously. It's where you, you deposit it in really tiny amount so-

Holly:

Oh, so I would call that structuring. I've not heard the term smurfing for that.

Morgan:

Oh.

Holly:

So structuring to me is when you, when you hear the, I think it's fairly well known that there is a limit after which a transaction has to be reported, right? So in the US you hear people very often saying if you deposit more than$10,000 you have to report that. And then everybody thinks they're really clever cuz they go, ha ha, I'll just deposit$9,999 and I'll just keep doing that. And it's like, yeah, but they're looking out for that as well. And that activity I would know as structuring, I've never heard it referred to as smurfing though. Is smurfing a specific kind of structuring or is it just a different name for the same thing?

Morgan:

It's-, It's pretty much the same thing. Yeah. Um, it's just, uh, another name for it which I thought that you would enjoy actually. So I'm surprised you hadn't found that. Um...

Holly:

I do, I do enjoy that term. I do.

Morgan:

<laugh> Yeah. Um, also interesting, on things like Monzo where you've got like a challenger bank, if you go into the app, it'll give you limits for a a specific period of time. So if you plan on flying under the transaction limit radar and saying, actually I'll just deposit 9,999 pounds or dollars.

Holly:

I've got a good story for this that, uh, probably won't make it into the podcast. But, um, a little while ago I went out and bought a car and um, the-, the way that this worked was, uh, I, I went into the dealership-

Morgan:

Which car is this?

Holly:

Uh this is the Juke. So I went into the dealership and I was like:"Hi, can I have that car but in white please?"

Morgan:

<Laugh>

Holly:

And so I, being a millennial have no idea how like large money transactions works, right? Cause I've like never put a deposit down in a house or something like that. Owning a house is just something that is in an alien concept to me. My parents did it, but I don't really understand how it would ever financially work in this economy. But I did go in and I bought car and when I buy everything else it's just Apple Pay, right? Don't I just like rub my phone on your payment machine or whatever. And they were like, Oh we can, we can take debit. That's cool. So I bought the car with my Monzo card and, and then I went, they gave me the keys. They were like, you know, thanks for your business. I went outside and I sat in my car and obviously I needed to insure the car before I could drive it home. So I sat in the car, I rang my insurance company, I'd had a quote ready and everything like that. I had the number, just had to ring the guy up and pay for the insurance cuz I had bought the car, rang the guy up, my card wouldn't go through, I'd hit my daily payment limit.

Morgan:

<Laugh>

Holly:

So I now owned a car that was just parked in the garage's car parked that I couldn't legally drive. And then you start doing that, like, what do I do<laugh>? Like I don't have another bank account. I'm just like, what do I do? What do I do? And uh...

Morgan:

That was both a rookie move on your part, an oversight on Monzo's part. And also I would expect the garage to give you like drive away insurance at least so that you could do the paperwork at home.

Holly:

They probably would have. And, and, and maybe that is a standard thing and I just wasn't aware of it cuz the guy like, you know, they run you through all of these things, you know, have you considered insurance? Do you have this, do you have that? Breakdown? All of those things. Cuz I'm sure there's upsells and includes that they can, they can add. And when he said insurance, I was just like, Yeah, like I've got it covered, don't worry. You know, I've got my, my quote number with me and stuff like that. And then anyway, I just rang a friend and I was like, Hey, can I borrow 70 pounds.

Morgan:

< Laugh>

Holly:

But I need you to give me your, uh, debit card number over the phone. And then I ring the guy and the, the insurance company when, when we worked out that this is happening and I'm on the phone to the insurance company and my card won't go through. I said to the guy was like, I'm really, really sorry. I, I don't know what to do. Let me ring a friend and see if he can help me. Uh, I've obviously like fallen into a mistake here that I wasn't expecting. So I don't, I don't have another bank card or anything I can use, you know, like I've got a credit card, but I didn't have my credit card with me so I didn't know the number. Like I couldn't, you know, I did have another card, I just didn't have it on me. So I was like, Oh, I'm just gonna ring a friend and see if he can help me. And the insurance company guy was just like, Oh yeah, don't worry, I'll just wait. And he just sat on hold. Like I put the insurance card, the insurance company on hold for like, however long it took me to ring a friend explained to them that, well essentially without explanation I need 70 pounds. And also the number of-, from your bank card<laugh> got back on the phone to the insurance company. And I was like, Yeah, I've got it, don't worry. And then that went through, we're talking suspicious transactions.

Morgan:

< Laugh> That is such a holly story.

Holly:

The guy's like, is it, is it the same number on this bank card? I'm like, No, I've just told you. I've just rang a random person up and said, hey, I need some money.

Morgan:

<Laugh> I'm not even sure how they're allowed to do that. That's wild. That's, that's such a Holly story.

Holly:

Yeah, I remember saying there was something like, can you not just do a direct debit? Right. Can you not just cause I pay my car insurance by direct debit usually, but there's some like deposit or the first transaction has to be by debit or something like that. I guess for the insurance to be active from right now, you have to presumably pay an amount. But yeah, I had to pay on debit and I couldn't cuz my-, I'd hit my limit.

Morgan:

So, uh, that's, that's the advice kids, uh, if you wanna-, wanna make a large transaction, hit your limit, that's it for 30 days.

Holly:

It's daily, daily limit.

Morgan:

You have a-?, I, I don't wanna ask how much your car was, but it's, it's also a very Holly move.

Holly:

Well everybody knows how much my car was cuz they'll just look at what the daily limit on Monzo is.

Morgan:

I dunno what else you bought that day. You might have spent like a hundred quid on snacks before you bought the car.

Holly:

One of my weird car buying stories.

Morgan:

< Laugh>

Holly:

So structuring then is the activity of a series of smaller deposits to try and mask the fact that you really are making a larger deposit. Are there any other kinds of named activities?

Morgan:

Yeah, so, uh, something that commonly impacts students, vulnerable people and in cities typically is money muleing. So that's where you would ask either potentially someone that, that you know, or a complete stranger to allow you to use their bank account. Ironically,<laugh> temporarily they'll say, you know, something like, can I put five grand in your bank account? I'll let you keep like 500 quid if you let me do this, transfer five grand in and then ask them to transfer four and a half out or something like that to another account. It's part of like the layering phase. So creating like that web of transactions to obscure the initial deposit. If it passes through what are considered to be legitimate bank accounts, then it's less likely to be considered suspicious by bank accounts provided that that is, uh, usual activity for that person. So bank accounts may or may not have like a fraud engine that would flag up a large transaction into a student's account, for example, because they get paid a few thousand pounds from Student Finance every few months. So potentially large transactions wouldn't, wouldn't flag up on their system.

Holly:

I presume there's quite a lot of data there. Like I presume that banks know who Student Finance is, right? And they can tell if this is like, this is a, the sender is a known account used by Student Finance and it's at the right time of the year and all of those kind of things.

Morgan:

Yeah. So some banks are really good at that and some just aren't. Some haven't historically invested in like a, a financial crime team or in the technology that they need to detect those sorts of things, but it's quite data rich. So there was actually an example a few years back that was really cool. Monzo detected that Ticketmaster had been breached before Ticketmaster knew because a lot of people who had previously made a purchase on their Monzo accounts to Ticketmaster were victims of fraud. So they basically aggregated all the transaction data for the people who were being impacted by fraud. And Ticketmaster was like the underlying factor. So they reported it to Ticketmaster who said, Oh no, like this isn't true. We haven't been breached. And then discovered later that they actually had, but Monzo had already taken steps to prevent any further transactions across the board to like all of their customers, to the people who were committing the, the crime<laugh>.

Holly:

Yeah, this is something that, that I've known about for a while actually, which is an interesting statistic when it comes to the statistics behind: how are breaches detected? Because I think very often people think that breaches are detected by internal security teams, uh, internal systems administrators and those kinds of things. And they are, that happens, you know, there's examples out there of like Sys admin looking through a log file to fix an unrelated bug and detecting suspicious activity or something like that. Or an organization paying for an intrusion prevention system or an intrusion detection system that is successful in detecting the activity of data exfiltration or something like that. But a huge number of breaches are actually detected, as you say, by financial organizations when they see that a large number of accounts are tied to fraud activity. And also there is a single point of commerce. So it's like, oh, all of these accounts, there is fraud activity and we know they all shopped at the same store. It's surprising, if you've not looked into it, how frequently actually, uh, breaches are detected by third parties.

Morgan:

Yeah. Um, and for anybody who wants to read more about that, that particular case, Monzo actually wrote a blog, um, about the Ticketmaster case. Um, so you can check out on their website

Holly:

We'll link it in the show notes.

Morgan:

So we've covered smurfing, structuring, um, money mules. There's also things like blending where you use a cash heavy business and this is something that you see actually on Breaking Bad. So there's, I think it's Gus who runs the-, the chicken places. He uses restaurants that are quite cash heavy businesses to blend the proceeds of his like side hustle in dealing methamphetamines. And then<laugh> is it, is it, I dunno if it's Better Call Saul, or Saul, tries to help, um, Walter and Jesse with laundering their money by opening a chain of like nail salons or something like that because they're cash heavy businesses. So it's more difficult to trace the transactions and the source of those funds. You could just say we've done X amount of business and potentially pay variable prices for the goods that you need in order to provide that service. And I think there's, there's one of, of these in every town there's a restaurant that never does any business. Like it's always empty every time you walk past, but it seems to do really well and it's open for years and years. Doesn't even do takeout. Like how is it still running?

Holly:

I think one of the things there as well is the business doesn't necessarily have to be like completely dead. There's definitely no doubt examples of that where there's just like, that business never seems to do any business, but it's still here. But it-, it could also be that you have a cash rich business that is seen to be busy, but it's actually recording like disproportionately high profits. So something like a carwash where you do see cars coming and going, everybody's paying in cash, but they're, you know, supposedly washing 50 cars an hour and in actuality they have capacity for five, and things like that.

Morgan:

Casinos have done things like this before as well. There's been certain cases where casinos have been involved in money laundering. Again, quite cash rich and I think it would be difficult to be an accountant, at a casino personally. So one of the other examples that's uh, I think when you think about it, it makes so much sense. It's things like, oh, maybe in like Bad Boys or another nondescript crime movie, um, trade based. There's usually like some, because they're, they're narcotics police, there's usually some high profile South American drug dealer, he's like trafficking cocaine or something and he has like stacks and stacks of cash in the attic that's like being eaten by rats or something like that, that he needs to launder. And there are various ways that they do this, but something historically that has been picked up is trade-based money laundering. So where you'll pay, like you said previously, a disproportionately high amount for something like a piece of art.

Holly:

Oh yeah.

Morgan:

...that might be, they'll sell it for millions and it's definitely not worth that much, but it's like a cover so that they can then have a legitimate transaction. They don't have to launder the money afterwards. There, there are taxes and things associated with that depending on where you live.

Holly:

Related activities as well. So things like buying wine and then claiming that the wine was consumed and things like that as a-, as a means of hiding money, leaving an account.

Morgan:

How would that work? What do you mean?

Holly:

If you want to, for example, move a large amount of money between countries and you can only travel through an airport with a certain amount. So say you're not allowed to travel with more than$10,000 in cash, you can purchase very, very expensive vintage wines, travel with those because they're not viewed in the same way. The limits, uh, might not be picked up in the same way as literally traveling through an airport with a bag of cash. When you get to the far side, you could sell the wine and therefore you have successfully transferred currency from one nation to another. But on your records you could just claim that you consumed it and then that money disappears from the system.

Morgan:

Of course. Okay. Yeah. Um, that's another thing that people do, um, commonly is they'll-, they'll try and transfer cash from one geographical area to another that has more lax money laundering regulation and anti-money laundering regulation.

Holly:

Uh, sometimes also just as well, like the, the criminals might physically be located in a different territory to where they're steal the money from, right? I mean, steal the money from an organization in the UK, and if you're best in, you know, Eastern Europe, Russia, uh, some other territory like that, like there might be this, um, international transfer hurdle that you have to get over just because of where the attacker is physically located,

Morgan:

That opens you up to more risk because depending on where you're doing the crime and where you're doing the laundering, you are potentially exposing yourself twice to two different investigatory powers and, and different pieces of legislation that could catch you out there. So there was quite a high profile case in 2019 where a banker from Azerbaijan went to prison after he failed to explain the source of his income when the National Crime Agency served him with an unexplained wealth order. Now in an attempt to get his wife to admit to what they suspected, which was that he'd embezzled the money from the bank he'd worked at, they also issued her with an unexplained wealth order because of their shared assets. And her defense was quite funny. It was basically:"you know, there are couples that live under the same roof who don't speak to each other and he's actually in custody at the minute. So I'm not sure what use you expected me to be." Um, but she had effectively been spending on average£4,000 a day at Harrods for over 10 years. She had like over 50 credit cards, really expensive jewelry. So she had uh a 1.1 million pound Cartier ring, the couple owned a property in Nightsbridge, they owned a golf course. So really not subtle on the money laundering front. Where did all of this money come from? How can you afford to live like this when you have no income or, or no legitimate income?

Holly:

That's one of the things that that often comes up with like those major criminals. Isn't it that-, this idea that you get caught out on tax evasion as opposed to the actual crimes that you're committing. Cuz potentially it's easier to prosecute based on that, where it's like, hey, you have this money and you, you can't show that you've paid tax on it. But yeah, I think that's, that's one of the things that very often comes up when you read the stories of criminals getting caught is these unexplained money orders, right? Where it's just like somebody allegedly like works in the post office or works in the corner shop or something like that, but then drives a Jaguar.

Morgan:

Yeah. It-, it's literally that.

Holly:

A lot of people would claim, like if you were to talk to them about like, hey, you know, if you, if you were a successful criminal, how would you get away with it? Like, oh, you know, I'd never spend past my means and I would hide the money and those kinds of things. Then as soon as it actually happens, they're all like:"I bought Lamborghini". It's like-

Morgan:

<laugh>.

Holly:

Don't you work in the Post Office?

Morgan:

<Laugh> Yeah, no, it is that, and that also interestingly, if there is somebody committing fraud who works in the finance sector, that's how they typically get caught because they'll do training, uh, mandatory training for everybody in the organization. So I've done it a few times. Even if you work in a completely unrelated back office function and you don't serve customers and you don't interact with the teams that serve customers, you need to notice, uh, you need to notice and report if someone starts coming into work suddenly with like expensive designer handbags or they're going on holiday all the time to like luxury destinations that you don't think that they could afford based on what they are probably earning. And you are obliged to report that internally. So there's usually a nominated money laundering lead, like a, a financial crime officer or similar, uh, that handles those kinds of reports. But I think the limit for that, the-, the lower limit is it has to be at least£50,000 according to the legislation before uh, an unexplained wealth order can be considered. And they typically don't pursue it in cases whereas low amounts because it's not a good use of like court time.

Holly:

Yeah. Or like a single thing, right? It's like maybe a family member died or something and you've paid for a holiday. Like those things happen. So we're not just talking about like yeah, we went down the pub and he bought one extra round than anyone else. You know, he seemed a bit loose with his capital. No, it's, it's like either a significant amount or a significant number.

Morgan:

Yeah.

Holly:

I'll give you, give you an example where, where this could, could occur that that might be seen as unfair to some people. Very often when you talk to like founders of companies and things like that. And I'm not necessarily talking about like founders of like VC-backed startups and those kinds of things. I just mean people who went from having a job to being self-employed, maybe they do crafts on the side, they're up in an Etsy store and then eventually over time that becomes their job. Very, very often you talk to people about like, when did you make the leap kind of thing. Like when did you think this, this job might, might be able to support you? And I think a lot of people like it has to be pretty long term and it has to be quite a lot of money. You know, if not matching your salary, then at least demonstrating that it has the potential to match your salary before you would make that jump to being self-employed. And that is a perfectly legitimate way that somebody might have a bit more money than you'd expect them to, you know, cuz they're making money through another gig like through a-, a side project or a new company that they might not necessarily talk about at work. And I think this, this might be strange to some people cuz they would think, well if, you know, if you're opening a craft store, you're obviously craft's passionate, you would talk to everybody about that, right? And, and you might talk to friends and family about that because that's something you really into and you've got this goal, you want to be self-employed. But one thing that I would, I would say is for most people not a great idea is telling the people that you work with that you're intending on leaving.

Morgan:

But also on the, on the, the flip side of that, that is perfectly explainable. So if somebody were to contact a whistle blowing hotline or report you to their, their money la-, anti-money laundering officer, nominated person, whatever, you could demonstrate really easy. You could say like, I have a side hustle. Yeah, I-, I've an Etsy or something like, here's my Etsy profile. Yeah. And what we're talking about is where people have millions in undisclosed illegitimate income and then they're splashing that in like Harvey Nickels on like Chloe handbags and stuff. It's, it's really obvious it sticks out.

Holly:

Yeah. I was just giving-m giving an example of where like one of the reasons why they might not investigate every single, every single time somebody spends outside their means is that like, people might have money that you don't know about and that is entirely legitimate.

Morgan:

Yeah. And also on the flip side, in some organizations, especially in the finance sector, and I think in certain government organizations too, the credit checking and fraud checking and stuff and sanctions checking that you have to go through to get the job is pretty robust. So you need typically slightly more references than you are going to work somewhere else. So I think the standard is about two years of work history. Some finance organizations will ask for three or five years of references instead depending. And so I guess a bit more similar to if you're applying for like security clearance rather than a standard job and then they'll do fraud DBS sanctions checking to make sure that you're not affiliated with crime and you haven't previously been prosecuted for fraud. They'll check what your, your credit score is to see if you've potentially got a bit of a gambling problem or if you don't pay your bills on time. Because that puts them in an exposed position where if you are serving customers or you have access to accounts, you are likely to commit fraud.

Holly:

Here's something that comes up on my background checks that, that you're aware of. And it's, it's a purely human thing cuz a computer wouldn't care, but it catches humans out. I I once lived in an apartment and it was fantastic and then I decided to move closer to work. So I left that apartment and moved to an apartment that was closer to work that I hated and was awful. And a year or two later I moved back. I didn't move back into the exact same apartment, but I moved into same building. It was, it was effectively next door. So, you know, you could imagine me for, for two years living in Apartment 19, moving away for a year and then moving back into Apartment 20. And it's, it's, there's a completely sensible story behind it. And it was just because the, the, the other location, the, the other apartment was way nicer way, nicer area way bigger apartment, those kinds of things. But it's a thing that stumbles humans where they look down your address history and they're like, That's weird

Morgan:

<Laugh>

Holly:

It's not that weird. Really. Like-

Morgan:

Yeah. I don't think it's that weird. Like having been to both of those apartment complexes. Yeah. One of them, well they're both pretty cute. I like both of them, but one of them is definitely like-

Holly:

It was way nicer. Yeah.

Morgan:

Yeah.

Holly:

We're not talking like a, like a, you know, a studio apartment versus a mansion here. I'm just saying like, one of them was a bit nicer than the other one I moved Yeah. Regretted the decision and moved back. Um, but that does come up on, you know, when you've got to demonstrate your address history and things like that. It comes up on that. But only ever with, with people when they notice that the numbers are next to each other.

Morgan:

You do move a lot though. So I imagine that raises-

Holly:

I'm agile.

Morgan:

You're one of those people like- Agile!<Laugh> move quickly and break stuff.<laugh> cool. I think that's about all of the, um, immediate historic examples that I've got. There are other things like you can use gift cards, um, you can use in-game currency and rare items on the likes of World of Warcraft. You could buy like a super rare item, sell it on eBay,

Holly:

Real money transactions within video games. So things like Entropia Universe that has real money transactions.

Morgan:

Yeah.

Holly:

Yeah, I think, I think that's pretty much a good summary so far of like money laundering. Is the attempt to obfuscate the source of illegitimately gained funds and anti-money laundering is investigators attempting to prevent that. And also, anytime you think you've come up with a really cool new way of doing money laundering, you haven't, they have already thought of that. You're not as clever as you think you are. Like this whole idea of-

Morgan:

It's been done.

Holly:

Yeah, this whole idea of like, No, no, I'll just put in loads of small transactions. Yes, that has a name, it is structuring.<Laugh>

Morgan:

It's just the, the funniest one for me I think is like trying to blend trade-based money laundering of like a high priced art with the blockchain and creating some mangled NFT thing, it;s-. Oh, I hate it.

Holly:

You know the story of the first tweet, right? The first tweet NFT.

Morgan:

I saw that. Yeah. It was ridiculous. And it's especially funny that they tried to offload that after Jack had resigned from Twitter.<Laugh>

Holly:

Were they offloading it because Jack left or were they offloading it because Elon arrived.

Morgan:

Ehhh.

Holly:

Yeah, for those who don't know that story, there was an NFT made of the first tweet. It was sold for the ridiculous figure of$2.9 million dollars and then recently it went up for auction and it did not do very well auction.

Morgan:

It's almost like people are realizing that there's no legitimate purpose for NFTs outside of having a hexagonal profile picture on Twitter and looking like a dweeb. You can cut that if you want to.< Laugh>. I think for your benefit I might cut that. We'll see. We'll see how many angry NFT owners...uh...< Laugh> Yeah, I think, um, in-game currency is probably, I wanna say favorite. I'm not an advocate for money laundering at all, but I think like there are certain kinds of crime that are-, that they take a lot of skill to pull off and they're a bit of an art form and in-game currency or if you compromise someone's Blizzard account and then sell all of their gold on Warcraft for real money, that's really interesting to me.

Holly:

Yeah, it's definitely an interesting field and I think it's one of those things where it's difficult, right? Like successfully laundering money is difficult and it must be because there's so many stories of people getting it wrong. Either, they made mistakes when they were new. So when they're first starting out with criminal activities, you know, they make mistakes that get them caught in the future or you know, they're maybe really good at hacking but not necessarily really good at, you know, the actual money laundering aspects, those kinds of things. Or maybe there's also examples where groups get together, the groups trust each other and then one of them sells them out for whatever reason, you know, they fall out or maybe one gets caught and then there's a plea deal and those kinds of things. I think I wanna kind of bring in here the, the story that I was talking to you about earlier in terms of just like really good example of some crypto theft from an exchange that led down a really difficult example of money laundering and how, you know what, whilst you might watch movies, you might read books about money laundering. There's a lot of criminals out there who it turns out are just not very good at it.

Morgan:

I wanna hear the story. I've, I've heard it already, but I wanna hear it again cuz it was hilarious.

Holly:

So this is the story of Ilya Dutch Lichtenstein and, and Heather Morgan who I will just summarize as saying both very interesting characters for various reasons. And they were recently charged with money laundering. The beginning of this story, there's some details missing from this story, but they were charged with laundering the money that was stolen from Bitfinex. The reason that I word it like that is so far they have not actually been charged with hacking Bitfinex, it's just that they came into possession of the funds and then they, they have been laundering the funds and it's a huge figure. So when Bitfinex were originally compromised 119,754 bitcoins were stolen, which at the time, this is 2016, was about$71 million. Another way of putting that was 0.75% of all Bitcoin in circulation. So a huge, huge amount of coins. But of course over the years that has increased greatly in value. And when I was writing the show notes a couple of weeks ago, uh, I took a look at what the value was and it was$5.2 billion. So this has slowly been increasing, but it's uh, a huge amount of money that they had in their possession as cryptocurrency that they it is alleged tried to launder so that they could access those funds and, and use them. Illegitimately, this is the biggest law enforcement seizure of all time. The law enforcement were able to seize 94,636 of the Bitcoin, which at the time of the seizure was valued at$3.6 billion. So it's just a crazy amount of money. But the story is interesting not only because a huge amount of Bitcoin in terms of value was stolen, that Bitcoin was then seized by law enforcement, but it's interesting just because of like the difficulty that the two suspects had in actually laundering the money. For one thing, some of their activities did tip off private industry organizations. So when they were trying to access the funds, for example, they were bumping into crypto exchanges, know your customer processes. So some of the crypto exchanges were asking them about the sources of these funds and they were giving, uh, either no answers. So when they were challenged, they would simply just not use that account anymore and the account would be frozen or they would come up with some story which was, was not believed or was not detailed enough for the crypto exchange. So saying things like the cryptocurrency was previously gifted to them and they'd been holding them cold storage and those kinds of things, things that we now know are not true, it's alleged that law enforcement can demonstrate these funds came from, from the Bitfinex breach, right? Because they can track those transactions through the blockchain. They did take actions to obfuscate the sources they use, layering where they are moving the funds between a large number of crypto wallets and they were allegedly doing that using automated software. So they're not just moving it by hand, you know, the same amount of money, not just like drag and drop, 3.6 billion worth of crypto from one wallet to another. They were doing multiple transactions between multiple wallets of varying values. This activity we would call layering. And it's a, it's a money laundering technique and one of the things that occurred from that is they therefore had a large number of crypto wallets that had some funds in. So they needed a way of tracking not only the wallets where the funds were, uh, but they were tracking of course if some of those funds had been frozen, they were tracking those and they also had to keep track of the, the passwords or in this context it would've cost me private keys for those crypto wallets. So, uh, it is alleged that Dutch did the...only sensible thing you would do if you had a whole bunch of passwords you needed to track. He kept them in a spreadsheet on his cloud storage and Law Enforcement as part of their investigation, gained a search warrant for the cloud storage. It is said that Law Enforcement were able to decrypt these files. It's not said in the documentation that I've read how that was possible, but they were able to decrypt these files and they were therefore able to access this spreadsheet of all of the Bitcoin addresses and all of the private keys. And that was how they were able to seize the funds, was they just had access to those wallets so they could transfer the money out. So this is, you know, calling back to earlier of, even if you don't tell the person that they're under suspicion of money laundering and their account has been frozen, if you go into the bank and the teller says, Sorry, you know, there's a hold on your account, we can't process this transaction at this time, that might tip you off that the funds have been frozen. Imagine when Dutch looked into his accountant, all of his funds had gone, that might have been an indicator that that they were on him.

Morgan:

<Laugh> That's actually really interesting though because there's, there's some pieces of legislation and there's some quirks in how you're able to obtain evidence for things like that. And I think when you're looking at e-crime or digital fraud, the Computer Misuse Act and how you obtain evidence in digital forensics is a really difficult thing to navigate. So I'm wondering how they, how they achieve that. I'd like to to know more about that. Maybe we can cover that in like a digital forensics episode.

Holly:

We could also no doubt, talk a little bit about how search warrants work for electronic systems and those kinds of things. How Law Enforcement are able to, to lawfully access these things. And we could maybe talk about balancing that against privacy rights as well. You know, there's a lot to be said about things like law enforcement's, access to messenger platforms, foreshadowing for a future episode there.

Morgan:

We also need a whole episode to discuss the myriad way in which Microsoft Excel has served humanity.

Holly:

It's the second best tool,<laugh>, it doesn't matter what you're doing. It is the second best tool.

Morgan:

It's the best password manager, it's the best place to store all your crypto keys. Sold.

Holly:

So, so far in the story, we know that Dutch and, and Heather had access to these funds that are alleged to have come from the Bitfinex breach. We know that it is alleged that they attempted to launder those through layering through obfuscating where the source of those funds was. But the last step that we haven't talked about is this integration step, right? Of once you've done the layering, you've obfuscated the source of those funds, how do you get it so that you can actually access them? So how do you turn illegitimately gained cryptocurrency into cash or some of the mechanism that you can use? So you've talked about things earlier, you mentioned, you know, using gift cards and those kinds of things and maybe that's one activity using a crypto to buy gift cards and then buying things with the gift cards, those kinds of things.

Morgan:

In this particular instance, it is alleged, what Dutch did was he used the crypto funds with an exchange that allowed you to purchase gold and then had the gold sent to an address that he had access to. So of course that is one mechanism for turning the crypto funds into a source of currency, form of currency that you could then, you know, sell and use to buy products and services. The problem is the exchange that they used, allegedly they signed up for using their actual email address and validated it with their actual driving license and then had the gold sent to their actual home address. That's incredible.

Holly:

Yes.

Morgan:

Incredible.

Holly:

So, you know, tracking that down was relatively easy, and of course you might, you might say that, oh well if you're doing these activities, you know, you need to to worry about OPSEC operational security and effectively protecting the privacy. If you are the criminal, you need to make sure that that law enforcement can't track you. And you know, we're talking about like fake IDs, fake passports, making it so that your communications between your, your co-conspirators are protected from law enforcement. And of course it's alleged that Dutch also performed some of those actions. For example, when they searched his apartment, they found a bag labelled burner phones.

Morgan:

<laugh>

Holly:

That's one thing. And also, um, on the cloud storage there was other files for example, you know, a file giving ideas for where they could get other passports from and those kinds of things. So I mean it's, it's pretty nice of them to, you know, have a folder on their cloud storage called passport ideas and a bag in their apartment called burner phones. If you're gonna get Law Enforcement searching your apartment, I mean, you know, neatly categorizing the evidence for them is only polite.

Morgan:

Yeah, it's like when you check out of an Airbnb and you take the sheets off, right?

Holly:

When you check out of an Airbnb, you take the sheets?

Morgan:

You take the sheets off. What just like and all of the light bulbs, just like, Oh my god.

Holly:

So that's a nice throw pillow. I might keep it.

Morgan:

You leave the sheets on, don't you? Oh my goodness.

Holly:

I don't stay in Airbnbs. That's the problem that we're coming up against here.

Morgan:

The funniest part about all of this for me is what did he think he was going to be able to do with the gold.

Holly:

To, to be clear that gold is not the only thing that they bought. There was some gift cards. Gift cards were used to purchase things like a PlayStation and that kind of thing. So they did gain access to some of the funds. A huge amount of the funds was frozen. Something like$180,000 was uh, restricted by the crypto exchanges. Not necessarily because of a specific suspicion, but because like I said, they had difficulty with the know your customer protocols because they couldn't validate or chose not to validate the accounts, the exchanges therefore locked those accounts by default until a validation process was followed through. So that did cause them some problems and honestly by reading it, it just sounds like they had a real difficult time with these anti-money laundering and know your customer protocols. And it may have just been the case that on one hand maybe they made some mistakes, they made those mistakes when they were less knowledgeable of the processes or maybe it was frustration that they couldn't access these funds. You know, they've got a bank account here with$4 billion in it and they can't get to it.

Morgan:

Well, in in fairness, it didn't have$4 billion in when they committed the crime, it was only, you know, tens of millions.

Holly:

I mean as far as we know, they, they didn't commit the crime, we just know it is alleged that they had access to the funds. It could be that someone else, an associate or or somebody else actually did the Bitfinex breach and then maybe they themselves could not access the funds. You know, this is one of the things when it comes to cybercrime in general, if you have some technical skill but not skill through things like money laundering as a cybercriminal, maybe you just sell that service, right? So you hear things like ransomware-as-a-service and those kinds of things, you know, maybe you, you just sell a capability. So whilst it is true that at this time they've not been charged with the Bitfinex breach itself, it it could literally be that they just did not commit that crime. They were just given the funds through some of the means.

Morgan:

I've been studying cyber crime recently as part of my master's degree and something that comes up quite often and that they iterate to you throughout the module is that it's easier to prosecute fraud than it is to prosecute cyber crime, because attribution is more difficult and there's also less majority in the regulation around cyber crime. So there are interpretation quirks and because it's also such a, a difficult thing for lay people to understand, it's easier to induce doubt into the minds of like a potential jury whether a crime was actually committed or-, or the person in question committed the crime. Whereas fraud is much easier and more widely understood. So it's easier to prove.

Holly:

And the-, the actual charges that they have against them is laundering of monetary instruments, fraud by wire, radio, or television and conspiracy to commit offence or to defraud the United States. So they, you know, they are being charged effectively with, with the laundering of the money. Not at this time, at least with the actual original breach of Bitfinex.

Morgan:

I think the, the volumes, um, in terms of money laundering and potential fraud that they've committed there though, do they really need to be charged with the attack itself? That the breach itself on top of that, I think like the sentence is gonna be pretty huge given the volume of cryptocurrency involved.

Holly:

This is like a societal and like moral question, isn't it? It's-, does it matter if they are charged with all of the offenses that they're committed or does it matter that you know, they're appropriately punished? It, it depends entirely on how you feel about crime in general and should prison be a punishment or should it be aiming for rehabilitation and all of those kinds of things. I think there's like a, a massive moral hole you could fall down there in terms of like should we aim for charges that are easy to get through the courts or should we aim for the charges that most accurately reflect the crimes committed and those kinds of things. And I think this podcast is maybe not the right place to have that kind of moral discussion. And instead we should maybe just close out with a fantastic summary of this particular case that I saw by Matt Levine who's a Bloomberg columnist and I think he really summed up this case really quite accurately. He said:"If you rob a bank and steal a sack of money and the bills are sequentially numbered and a dye pack explodes in the sack and you drive directly to another bank and hand them the dye stained sack and say, I'd like to make a deposit, please, you will totally get arrested and you will probably be charged with money laundering. But in no meaningful sense did you launder the money, it still has dye on it. That happened here."

Morgan:

<laugh>. Yeah, I think people often make the mistake of thinking that cryptocurrency is perfect for money laundering. That is, I think largely due to a lack of understanding around the technology and also this impression that it's not at all regulated. It still has to be regulated to an extent because it still touches the legitimate financial system.

Holly:

You could argue here what what does regulation mean and those kinds of things. But yeah, the fact of the matter is there's a lot of people out there who are committing these crimes and they are being successfully charged with those actions. So I think the first thing is don't confuse bitcoin or, or I guess more accurately the blockchain being decentralized with it being anonymous or untraceable it is definitely not that. There are anonymity enhanced currencies out there, but money laundering is it's difficult topic. And even when you take away things like these people making basic mistakes like using their actual id using their actual home address, all of those kinds of things, it turns out that anti-money laundering and know your customer protocols can work.

Morgan:

But I think on the other side, like as an industry, the finance sector has a long way to go in terms of maturity. I always think it's funny when people report at the end of a, a financial year on statistics and on on criminal statistics and things like that and they'll say that there was like zero pounds of successful fraud. I've seen a stat before it was zero pounds of successful mortgage fraud in a financial year. Like if it was successful, would you have detected it? That stat's meaningless to me because I, I don't think that you have the maturity or the capability to detect it if it's successful and it's well executed. And I think actually we have a gap as a security industry in testing fraud detection systems. So we might approach things in the way that we approach penetration testing or site reliability engineering or something like that where we test the, the confidentiality integrity, availability of information systems. But are we testing fraud detection processes and anti-money laundering processes? How easy is it to circumvent those? And I suppose it sort of falls into fraud adjacent social engineering type work. But I think that there's a lot that we could do in that space and I'm really interested to see how it evolves over the next decade or so.

Holly:

There's a big thing there to be said as well about just like statistics in general. I-, I operate obviously on the cybersecurity side of things more than the the financial side of things but I see a huge number of statistics within cybersecurity that are just wrong, incomplete, or intentionally misleading. I'll give you an example from this week. I saw a statistic that said, and I quote,"phishing attacks increased from 72% to 83% in the last 12 months". What does that mean? Did the efficacy of phishing increase? Did the number of threat groups utilizing phishing increase? Did the number of phishing emails sent increase? The number of companies targeted increased? What increased? But we see these statistics all the time.

Morgan:

Yeah, I would, I would interpret that as business compromise originating from phishing emails or where you can attribute the origin to a phishing email has increased from like 72 to 80 whatever percent. Like that's what I would assume that meant.

Holly:

Yeah, but it doesn't have to mean that, right? So one of the things that I see very often in the context of phishing emails is people saying the frequency of phishing attacks is increasing. Um, that doesn't necessarily matter. It might with phishing but certainly with other attacks it might not. For example, if password guessing attacks are increasing but your organization effectively defends against password guessing attacks, you know, you've got multifactor authentication, let's not worry about the details for now. Something like that. You have a protection that mitigates the risk of password guessing attacks. It doesn't matter how frequent they are, if you effectively defend against them. So the statistic can become meaningless, you can also hide some things. So in the same article I saw another example of um, details getting like conflated. So the article said 47.3% of emails sent or received are spam emails. And then I saw another article citing that original source saying almost half of emails sent in 2021 were phishing. Now, spam email and phishing email are not synonymous.

Morgan:

Yeah, I think there's probably another episode in there where we talk about things like fishing simulations internally, um, awareness campaigns and so on.

Holly:

We definitely need to talk about um, phishing simulations cuz there's so many cybersecurity professionals out there who based on their experience or based on their bias will say a certain defensive mechanism should be used without backing that up with data. And like I'm seeing research that suggests that active phishing campaigns against your own staff can in some instances be actively damaging, but we still see it constantly, constantly advocated for in the same way that we still have organizations enforcing things like password rotation, that is arbitrarily changing passwords after a number of days even though there's so much research that it says that it's actively damaging for defense.

Morgan:

I think it's in keeping with outdated regulation or standards that haven't been updated though. So I think best practice is typically to follow things like NCSC guidance or or NIST guidance depending on a given security control, but that might not always be appropriate for your organization. So, I think like being too prescriptive with like global security controls is a flaw and that's like something that I would like to explore more widely in a-, a different episode but I don't think that you can just set it and leave it and forget about it. With security, you need to constantly review your controls and make sure that they're still appropriate as your organization evolves and as the industry evolves and the behavior of the sorts of threat actors and attacks that you're seeing evolves.

Holly:

There's that side of it as well. But there's also just technology improves and things become better. And even if you are using a control because it effectively mitigates a risk, maybe there is a similar but different control that will offer the same level of protection but it's maybe easier to use for your staff and those kinds of things. So you should constantly review those things not only from a security point of view but just like for other reasons. Operational excellence.

Morgan:

A high level UN panel estimated that annual money laundering flows globally are at$1.6 trillion or about 2.7% of global GDP in 2020. I'll add the source for that into the show notes cuz I know that you love stats.

Holly:

I actually do love data driven arguments. What I hate is, um, people misrepresenting statistics doing things like conflating, spam and fishing, they're different words. They're not synonymous. So yeah, I'm not against statistics, please don't interpret that as me being against statistics. I'm against statistics being used for the benefit of lying,

Morgan:

Um,<laugh>. And secondly, we've just talked about money laundering for about an hour and a half. What is your favorite money laundering mechanism?

Holly:

I'm not recommending money laundering though. Can we just close this episode out by saying that in that particular case they're facing charges with a maximum sentence of up to 25 years imprisonment.

Morgan:

That's pretty wild. Also not advocating money laundering, I just think it's really interesting.