
So You Want To Launder Money?

BSides Newcastle · 2025 · 32:18 · 23 views · Published 2025-11
Category: War Stories
Style: Talk

That's a, so, it's great. This is a clickbait title, and actually this talk has evolved for BSides, was it Leeds, and I thought, oh, I can do something like that, so you were this kind of genesis of this. Um, so, to the previous conversation question about old machines: I'm, in another life, evolving, um, sorry, migrating a 1992, uh, SunOS 4.1.1 machine, uh, which, uh, is supporting an old type of aircraft, onto an emulator. So they're still around. Uh, so, um, I actually retired 2 and a half years ago. Uh, I worked as a kernel hacker for Oracle and Sun Microsystems. And you may wonder how does a kernel hacker get into, uh, money laundering? Uh, and, uh, I will explain. Um,

So I, I have some association with laborist. I, I mentor students, hopefully into careers. I do the contract work for kept the train go, and I work for a Dutch firm as a kernel hacker when it rains, and that literally is our agreement. Um, I actually come from mid Wales and I live in mid Wales, and there's been lots of money laundering. Mid Wales has a long history of money laundering. So in the 1970s we had, um, the largest LSD factory in, uh, the world, which, uh, was, now would be worth about 800 million. When the police, 14 police forces, shut it down, 90% of the LSD in the UK disappeared, and was worth sort of about, I think it was 800

million in today's money. It was so good they made a musical out of it. And two, three years ago there was 80 million worth, or 70, 80, 42, depending who you listen to, uh, million pounds of cocaine washed up on the beach. Uh, so again, I wouldn't like to be the, I think, lottery money. Whoever lost that, will, it'll be the least of their problems. Um, but on a non-drug thing, I'm besides a barber, but I know you're a long way. Um, but you're more than welcome. We hope to be very small. Won't be as good as this. Uh, I was besides Newcastle, but you're, you're very welcome to come along. Um, so how, getting money la, how do I get into

money laundering? That's the wrong thing to say. Uh, but it was kind of the focus of this. It's not technical and it's not, um, I'm not an accountant, thankfully. It's about some of the things, we just, changing your pattern of thinking a little bit. Um, so I look out into the audience. You're all beautiful people. That is not in doubt. But there is a pretty good, uh, smattering of tax avoiders I can detect. Uh, I was talking to at least one gentleman earlier who is definitely a tax evader. Um, and a couple of you involved in money laundering, but for what, for in this room, I can detect nobody who is involved in scamming old people out of their

savings. >> Now, if I get this wrong, if those people could leave now, and if you could trip on the stairs on the way down, that would be great. Um, when I call tax avoiders, I include myself in that, and pensions, okay, that's a way of government, um, encouraged tax avoidance if you behave in a certain way. Since, uh, the first pension relief came in 1921, UK government now spends 70 billion a year on pension tax relief. And then you think of ISA tax relief, and how many people are on a bike to work scheme, right, you get tax relief on that. That's tax avoidance. So that's at one end of the scale. And then there's the, you

know, moving tax around from Cayman Island companies is kind of at the upper. Tax evasion is where you, uh, you get a plumber to come to your house to fit a leaking valve on the system on the toilet and they go, 50 quid, but I'll do it for you for 50 quid cash. And you go, "Yeah, here's the 50 quid." Right? You are a facilitator. That's tax avoiding. That is tax. That is to pay on the money. We're not actually talking about that today. That is money you kind of legitimately have, but you, you've, you've either taken advantage of the government tax scheme to avoid tax or you're evading it. You're trying to hide it

from the tax man. But it is kind of legitimate money. And when we talk about money laundering, we're talking really about money that you shouldn't have. So you have sold something you shouldn't, uh, sell, like ketamine, for example, um, ivory, um, you know what I mean, there's, there's lots of things, yourself, um, his own fans, tax evasion possibly. Um, so that, that's really what we're talking, we're talking about money that people shouldn't have, and that is drip and, um, what do we actually go and think about, what's the thing here? Well, I got this, and this is a different talk, but is that AI is an asymmetric multiplier for cyber crime. And I'm going to guess that

10 to one, right? It's going to be 10 times better. And you can disagree and that's fine. Um, I have time for a beer cuz I'm going to have a dean. But you, whatever the multiplier is, I believe it will be substantial, uh, and it will be substantially better at aiding finding exploits and empowering the exploiting of people. And from this I'm saying we try and fix the situation, not the response. And for those who know Troy Hunt, you, you being pwned, phishing, you know, I don't think a lot of link training, but what I'm saying is try and fix the response rather than situation, and one of the responses, a situation, is trying to stop or slow the flow of money

that is part of, as part of your overall cyber strategy. So, a couple of case studies, and what I'm trying to get across is think about money when you're thinking about how you avoid getting hit, either in, uh, personal life, which I'm going to focus on a fair bit, or when you're in a business situation, cuz it's just business. So, um, there are, you could have a whole week course on know your customer, the technology of Bitcoin. I'm just doing these to point out a couple of things. So one of the key things that is required by regulators, and the regulators are the scary people that make companies who do anything that's financial. Uh, and one of the things to

do is know your customer. So this is that you prove who you are. Now, as you can, not 21, as you might guess, I've got quite a long banking history. So, when I go and open an account, it's actually really easy. When my daughter goes and tries to open an account, 21, relatively little history, it's much more difficult. They require more things, more proof of identity. I'm quite easy to prove online. I've got a track record, not that sort of track record, um, but it's quite difficult for her. And so know your customer is about proving you are who you are. And that is part of money laundering, is be able, it's anti-money-laundering, to be able to tie

your face, this will come up later, to, uh, the, the flow of money. And this is why some of the money laundering, the things like cuckooing, where you might use people with learning disabilities as, as money mules and get to open accounts, because that's very easy to manipulate. That's one of the things for, for drugs. Um, so this is quite, I'm sure you've all been involved in this. Uh, but proving identity is a really key part of that. And I don't invest in cryptocurrency. When it appeared, I kind of looked at it and went, "Oh, there's a lot of risks here." And one of them, uh, I didn't understand how it wasn't criminal. And it was there, just there, to support

criminality. And cryptocurrency for me, you, you kind of stop people knowing what you're buying, drugs, pornography, whatever else, and stopping others knowing what you sold, drugs, pornography, whatever else. And there are lots, and you can buy now, um, financial derivatives based on Bitcoin, and in effect making a margin on the first two activities. And so this kind of doesn't fit with me. And I kind of think about cryptocurrency at, at a high level as an online SWIFT bank account with much lower charges. Bankers are really expensive. But cryptocurrency does have a trail that can be followed. And so we're just going to go a little bit into the blockchain. Now, I'm no expert on blockchain. I obviously, I, until about 6

months ago, I kind of understood its principle, uh, but I hadn't delved into it, and in effect they are big, blockchain, big long numbers that are cryptographically secure, can't be tampered, uh, they are distributed, uh, and it's a ledger, a database of transactions, and there is no centralized authority, and that trust is distributed. So all this is great. And I just picked up from a, the transactions, there was a Bitcoin here, this was one transaction for 22, just over $22,000, and it was split into two. Now, I don't know what was going on there. I don't know whose transaction it was. I, everybody can go and look at the blockchain. You can go and look at other

people's transactions. Uh, and, but this splitting is, is, is quite trivial. And this is, so I'm, I'm priming here for one of the case studies. Uh, the thing that surprised me about Bitcoin wallets, which I hadn't looked into, was that the key thing is the private key. So you have a Bitcoin wallet, it stores the private key, which in effect signs transactions, and we can have hot wallets, so those might be online, on a phone, or cold wallet, key, hard devices, or even a piece of paper. And the whole point of a private key is to be able to sign the transaction when you move the Bitcoin. So if you know the private key, you can sign a transaction.

There's no concept on Bitcoin of matching that private key to identity. And Bitcoin sort of appear, the sort of whole blockchain philosophy appearing in 2000s, and it seems to me they haven't really thought about mobile phones and scraping and identity. And this to me is a fundamental weakness in the whole blockchain architecture. So I don't have any investment in, in, in blockchain, in Bitcoin, or, or any of those derivatives, but it, the blockchain doesn't care who should own it. It only cares who can prove control by knowing the private key. And, uh, you will see that that, um, comes into play later. But on this side, this is a LM chatbot implemented in C for the Obfuscated C contest, cuz I find

that funny. On here are a list of things. You can go and have a look at them if you want, the slides, to share them. But there's mixers that will mix in many Bitcoin transactions so you can't see what's coming in, and tumblers, and privacy coins, and hopping chains. And they're basically, is you put lots of, um, lots of Bitcoin transactions into a pool and then split them out. That's basically all of these doing. So it's, it's dark pools, uh, where you put bitcoins in and you, bitcoins, uh, bitcoins come out, or other things may come out. You can also use a casino which, uh, takes bitcoin and you use it for your bets and you will

lose 10, 15% of the casino, but clean money comes out, or you use a jurisdiction you can't follow into, like China or Switzerland or somewhere like that. And I, I did some work with a, uh, a, um, a Bitcoin, uh, company, exchange, and every so often, though this was remote, you'd find cameras going off and people disappearing, and they would be called, they would have private clients and they would be called out, and you start talking to them the break and they go, yeah, he's had, they've had money nicked, and they are spending, the customer service managers, the, the client executive, they are spending most of their time, they might have a subset of customers, um, trying to follow up money

that has been slurped out of Bitcoin wallets. Uh, which was quite frightening. I'm glad I didn't invest in Bitcoin. But there are firms, uh, and we're going off into a different direction here where I'm not going to go very deep, that make a really good living at following, um, stolen bitcoin, and so chain assic labs, and they will take 25, sorry, 10% of the, uh, money that they recover. Um, so for example, there was the Bet Exchange hack, uh, where there was, uh, I think there was 1.5 billion was stolen, uh, from one of their cold wallet stores. So like the exchange, and then there's a pool of money behind that that shouldn't be

avail, but they, it was actually North Koreans suspected, and Geoff White's book is, is really good on this, and, and if you're in this area it's worth following up, and that, and that actually did use for part of moving the money, they managed to recover tens of millions, uh, and some of it was actually laundered through an exchange J, um, casinos in, uh, China, but these companies probably won't chase 20k stolen from a Bitcoin wallet on your phone. Now, uh, I'll talk about the case for a Bitcoin wallet I was involved in, but actually most transactions, you can follow them if you have enough patience. And I kind of got through steps and then I kind of lost interest, and I wouldn't

be able to get it back for them. Um, but the investigators are really good at doing this forensically. Um, but it's got to be a lot of money for them to, for it be worth them to do it. So, um, there's a, kind of had an excellent talk earlier this morning on the, um, Java package manager npm and supply chain attacks. This is apparently the worm from Doom, uh, sorry, Doom, and the, the malware was targeted at Ethereum and supply chain attack. It's like they're going where the money goes, and just because they went through the Ethereum, it could have been much, much worse. But one of the things that has, has come to me, and I'll talk about the three case

studies, is that it, it's very good to have a look what your devices are actually doing. And so one of the ways is Proxyman, and to reduce the attack surface. And so what I've gone to do is actually, I've got a second phone, you know, either a spy, an adulterer, or else, um, drug dealer. Um, but all I put on it is my three banking apps, um, Amazon, stealing money, and OS Maps, cuz if I'm on a mountain, it's really good, have a spare phone in case the battery first one goes. I think the attack surface maps is, is bad. And a VPN. And there's a 45 quid a year e, I've got no relation

these people, and it kind of works, um, for those apps, the only mobile will only do 500 apps, um, but it, my money is now not on anything I will click a link. I would not trust myself to be, um, that diligent. If Troy Hunt can't get it right, then, you know, an idiot from mid Wales can't get it right. So, I try and separate out anything I do money on. And if you haven't played Proxyman, I really recommend it, because I had no idea on my laptop that there was a Skype agent running. I have never used Apple Music. Uh, and it was like, I thought I'd pay attention to these things. Uh, but

there was stuff on there that I, I really didn't, um, expect. So, that's well worth it. And this is just about cutting down the attack surface. Um, because I suspect what we see on Bitcoin wallets we'll start to see on, weentially see on, banking apps. So just three case studies, we got 12 minutes, be very quick. Ruth on the start there, Ruth does not look like that. She goes swimming in the sea in the summer in Aberystwyth and she's 94, and, uh, her, her children live in Lincoln, Derby and Lancaster. So every so often I get a call. The latest one was that she had a damaged roof. So, this is just, we're looking at cut, damaged roof

in the middle. Why Ruth had agreed to do unneeded work, why she was targeted by, uh, rogue roofers. Okay. Uh, on this side is, uh, the, the barriers she breached, which, she shouldn't really let them in the door, and there was no cold caller deterrence, and she didn't ask for trusted help, and there were no barriers to payments, and the things on this side that contributed, she has a 1960s trust model, 1994, we're not going to change that, you know, it's beautiful thing in a way, and, oh, I invited him there to go tea, and, um, they were path brothers, and, oh, and then I point out you've been scammed, why, well, these are the 10 reasons, and, uh, you

don't think you've been scammed until they say they work for next door but one, we go to next door one, they go, what? We can't change Ruth's trust model. What we could do is put a poster on the inside of the door to say don't let these people in. Um, and because what's going on here, this is a dopamine hit. Uh, and this is a dopamine, dopamine. She wants company. Okay. Yeah. And they've managed to exploit that. I mean, these people here, these professionals, they take, you know, they're the guild of scamming roofers. They take, they're good at what they do and they, uh, clearly must make money out of it. So, a couple of things

we can do. We can do things like put a video doorbell. And this is where the ties into money laundering. That ties a face, which possibly the police will know, to any money that she might transfer by account. We'll come back to Ruth again. Um, yeah, I've had to change this a little bit to protect the guilty, but this is actually was one of my work things, and there was a near miss of a fraudulent transfer of 98k. And so what happens is a CFO, who has just been on a trip to, I think it was Thailand, uh, is asleep and he gets two phone calls, both of which drop, and then a text

from the CEO saying please read your email. Okay, he is in, you know, planning jet lag, and he reads the email and says, uh, can you please make this transfer from, uh, for 98k so that we can start due diligence on the acquisition we talked about. So he phones up the office, gets quite a junior person, who we will, for sake, call Mavis, but wasn't the name, and says, can you transfer this money as soon as you can. And then, I think he tried, what he said is he tried to go back to bed, he couldn't sleep, and ended up going in, and on his way in, and this is like bizarre circumstances, he actually bumps into the CEO in a

petrol station, which is bizarre, car, because the petrol, the CO has an electric car, which was in the garage, so was filling up a diesel car, and the CO says, oh, I've actioned the, um, the, the transfer requested, uh, tell me again, what, what, what, and they realized it wasn't one. Now, Mavis is just qualified as quite a trainee accountant, but she thinks that's odd, why are we paying these consultants as a transfer when normally we'd pay as a, would be a purchase order. CFO's like, he's too jetlagged for that to click. So she delays it to check with somebody else. She was first in the office, and that's basically what stopped, um, a 98k. Okay. Could, it was 98k was

under a limit. But what they managed to do is they managed to hack the CEO's phone. And so there was a, I guess it was a SIM swap, and there was a phone, text, and email. They knew they had access. I'm surmising that they had access to the calendar of the, the execs of the company. So they knew he would be a space cadet and not thinking straight, and crafted the email, um, uh, appropriately. So there's a lot of things you can do in terms of stopping, uh, SIM swapping, and that's a really good, a good place to go. Um, but you can also do things like revisiting the 100k limit and, uh, put it, and putting in things like

multifactor authentication for the exec calendars, and he didn't actually speak to the co in person. So again, this is one, one of the things that we did here was we recommended that the C-suite, because it's not a big, not a huge company, uh, but they have three phones, one for internal, one for external email, uh, and one for, for their own email and a phone is, now you're right, you can have one iPhone and then you've got two GP60 phones, but for the other two. And you can modify the Exchange server to route to different, uh, phones, because if you get, uh, an email and it's actually, you know, it's got a one instead of an L,

you might not notice that, it might look right, but it will be coming from an external source. Uh, so the other bit of this is, I asked to look at the CFO's phone. The CEO, yes, that's fine. And so I was busy going through his phone. He said, um, there's stuff on there you don't need to look at. Okay. Oh, fine. Okay. I'll see with you while you look through it. And, uh, hold that thought, cuz it comes back in the next one. There's a common theme here, but you can kind of imagine what it was. Um, I'm, time, time. Uh, and so this is a friend of mine for many, many years, is an electrician. One of his

friends is an electrician, got scammed, and he says, oh, knows about computers, he'll go and have a look and maybe you can get money back. So, yeah, but it was interesting, and you see, I'm Unix person, /dev/null, right, gone. Um, basically 52k goes missing from a Bitcoin wallet. So we start, money's gone. Bitcoin. Why? We think, I think, right, this is sitting in somebody's kitchen. The private key got scraped. Why? His phone got hacked. How did his phone get hacked? Not as red and as unknown as you might think. But again, we're looking at what the barriers, um, were, were breached from here. He, he did some daft things, like he registered from an address in the United Arab Emirates.

So when he phones the exchange they go, uh, you're in the UK, you've joined this exchange in the United Arab Emirates, and they realize he hasn't, doesn't actually live in United Arab Emirates. So no help. Um, he had all his Bitcoin in one wallet. All right. This man, he can rewire your house and he's really good at it. But phones and technology are not his thing. There is no concept of opsec. And then we think about the circumstances that contribute to this. A positive circumstance is something that makes it better, not as bad. And a negative circumstance is something that makes it worse. Uh, okay. So, well, I, I actually went, and this is opportunity

for me to go and try and do some forensics on the blockchain, and I found that his, what had been extracted was tumbled within, three, three times in 10 minutes. I didn't go any further. So I suspect it was automated. Not, not that I'm an expert here. Uh, it's probably an automated attack. Uh, and this thing here is, the circumstance is the blockchain having no concept of owner, and this makes a difference to us in a business context if we're asked to pay and we choose to pay a ransom, I know not meant to. Um, to be fair, I, I could choose my words many ways, but his phone was a bit of curious process names,

um, and he also had a number of friends from the internet who may not have been quite who they said they were, who were all, and again, go back to the CFO, I think the CFO had friends from the internet, um, hormonal control, dopamine. And so I think that there's a principle here, is different phones for fun, profit, you're throwing the money back. Um, the phone actually is a great enabler. Uh, okay. Now on to the most important stuff. I'd like to, is a call to action to adopt an elderly person. And this is actually more challenging than a CFO. All right. Or a spark. Unfortunately, elderly people and other low-hanging scam fruit. You know, I said these two

roofers were professionals. They have a profession of scamming, um, elderly people. And because they don't roof bless, you know. I say she goes swimming in the sea in the summer. She still drives, but her trust model's from the 60s. It does it lovely. She doesn't believe it's quite needed. Um, and we can't use a preventative action or a corrective action that relies on memory. The other thing, which is, didn't think this being a talk, is when they start, when old people get, start getting paranoid, actually can be an indication of a urinary tract infection. Really serious, and is the biggest killer of elderly people, and all these other things. But paranoia is often a leading

indicator of that. One of the things that does work is putting signs on the back of the door, and putting, once you put a no call, cold call sticker up, it actually becomes a different offense, and more serious offense, to be cold calling them then. And a video doorbell to track these, ring light ring, but still, to track back to, um, people. Um, also adding any ant, any money laundering, their saving account behind the current account, current account, saving account. Um, but they have to be on board with any changes, because they see this as a threat to his independence and losing freedom, but what we're trying to do is extend their, the length of

independence. Often the offspring aren't up for a battle. Police officers and doctors, elderly will often listen to them, and sometimes you just have to say, for now I'm going to shrug my shoulders, um, and I'll come back to it, and particularly if you're not in that family chain. Um, but banks, really, I found them to be very cooperative. Um, and things like co-approvals over a certain amount, I know that feels like a loss of independence, or maybe a two-day, uh, delay payment. It is, they can be pushing a rock up the hill, cuz again they don't see the need, but it's a really, you, encourage you, we're aware of this stuff, uh, to, to try

and adopt an ordinary person. So I think it's a, going to be a wild ride. Thank you for turning up and thank you for helping me. Um, one of my goals in life is do a BSides talk. So, thank you for being here for the journey. >> Any questions? >> How do you lo? >> How do you launder money? >> I think you, you follow the advice from the anti-money-laundering training and, and reverse engineer it. I just clicked through it. >> You just clicked through it. Yeah. And yeah, absolutely. >> You know, I would not be hit. You, you're not going to come here and give a talk on how to launder money. You are going

to come and say, you know, how do we avoid getting hit? And I think that thing of following the money trail into your thinking is what I hope you get, come away with. >> Um, adding power of attorney to your list of people. Excellent point. >> Yes. >> Yes.

>> What other questions or concerns?

about what to do about giving people the information to pass on in the event. >> That's a good, that's a good point. Yeah, >> password. Yeah, I mean, there's a different talk there, but yeah, I, I think that would be, that would be quite, it's not something I've had to go through myself, so I guess it doesn't, not yet anyway. Um, so, uh, and when I did my parents, it was back in late '90s, so it was kind of a different world then. But yeah, that's a good point. Thank you. In >> absence of your question. Thank you.