Washing Cash

With special guest Geoff White

Written by: David Henderson on Jun 10, 2024

In this episode, we chat to Geoff White about the murky world of money laundering, cyber criminals, nation state cyber threats and, of course, his latest book, Rinsed.

From billion-dollar cyber heists to global money laundering rings and crypto-gangsters – Geoff White has covered it all. As an author, speaker, investigative journalist and podcast creator, his work’s been featured by Penguin, the BBC, Audible, Sky News, The Sunday Times and many more.

Ahead of his new book release, Rinsed, we chat to Geoff about the murky world of money laundering. With cyber criminals continuing to find pockets of opportunity to launder illicit funds, Geoff shares his expert insight into some of his investigative work, including how the criminal underworld continues to exploit technology in its efforts to hide cash.


We're joined today by the rather brilliant Geoff White. From billion dollar cyber heists to global money laundering rings and crypto gangsters, Geoff White has covered it all. As an author, speaker, investigative journalist and podcast creator, his work has been featured by Penguin, the BBC, Audible, Sky News, the Sunday Times, and has now reached the heady heights of Cyber Tuesday. His new book for Penguin, Rinsed, reveals how technology has revolutionized money laundering, from drug cartels washing their cash in Bitcoin, to organised fraud gangs recruiting money mules on social media. Geoff, thank you so much for joining Michelle and I today.

Thanks, thanks for having me, it's a pleasure.

Brilliant stuff. And Geoff, one of the things that we always try to start with when we're talking to people is to try and understand where you've come from. So how are you sitting here today? Have you always been in cyber or as a technology journalist or how did you start off in this crazy world?

Yeah, to be honest, I started off just as a general journalist. I started off on local newspapers. The august Hornsey Journal in North London covering sort of cats up trees and that kind of thing and serious stuff too, local papers do cover serious stuff too. I then joined Channel 4 News, I was a producer at Channel 4 News for a while and the correspondent, the tech correspondent there, because you work as a pair, a correspondent works with a producer generally, the producers frankly do all of the work and I say that as somebody who's now a bit of a correspondent. At the time, it was sort of the era of the iPod launches and the iPad launches, and tech was seen as being this Cassandra subject that wasn't really very serious. It was the end of the program, funny basically. And I started going to tech security conferences and seeing all the hacks. I mean, there was the RSA hack that happened at the time. There was the Anonymous that started to emerge. And I realized it's like, this is serious stuff. People are losing serious money. Companies are losing serious IP.

There is sort of a cyber war going on here. That needs covering. And also that needs... featuring higher up the program. Technology is a serious subject. And since then, of course, we had Snowden, we had Anonymous, we had the Sony hack, Bangladesh Bank, and on and on and on. And then the US presidential election of 2016. So it turned out to be quite a smart move to go into that area.

It really does. And kudos to you for recognizing it early doors. I mean, it's, from my perspective, I remember when there wasn't a cyber security industry and hearing that word cyber and thinking, what on earth are you talking about? Surely that's just security. Why are we putting funny words in places that don't belong there? And it's been, it has changed over the last few years and Northern Ireland is a bit of a hotbed for cyber security. We have some awesome companies here and some really, really great things going on. And I think we'll try and touch on a few of those as we're going through, but.

One of the things we wanted to start with, Geoff, is not actually your current book. We're going to come back to that, I promise. But we do want to hear a little bit about some of your previous research. And, you know, one of the things I wanted to firstly ask you about before we move into the actual questions were about how do you protect yourself when you are, when you're doing these stories? You know, there are some dangerous enemies out there. We had the fantastic Joseph Cox speaking to us very recently.

And one of the things that we're very aware of with him was making sure that we didn't give away his location. We didn't say where he was or who he was around or, you know, things like that. Do you have to think about the same sort of thing?

Yes. I mean, Joe's work's fantastic. Really, really great work. And I suspect he's far more under the over the on the radar of the hackers, of the attackers than I am. So I respect him for the security measures he's taking, certainly. Look, for me, we do take this stuff seriously.

Organizations I've worked with, the BBC and Penguin among them, they have high-risk security teams who deal with things. So we were aware of the risk, certainly in making the Lazarus Heist podcast, which we'll talk about in the book. They have a whole legal team, of course, who weigh in and make sure that what I publish is legal. So I have to protect myself against legal threats, libel threats as well. It's not impossible that you get sued for libel as an author. It is incredibly time consuming and often quite costly. So you want to try and avoid it if you can.

On the tech security side, I take this quite seriously, very seriously in fact, obviously, and what's interesting is having covered a lot of the hacking behavior, particularly of the North Korean hackers, the so-called Lazarus Group, the advantage is at least I know the sort of tactics and I know the kind of tricks they're trying to use to social engineer people. So what I hope is that I'm wise to those sort of social engineering techniques and I don't fall for them. Never say never, it could happen. So then what I also look for is resilience and recovery, which stuff obviously businesses try and do. So...

Every now and again, I kind of do sometimes a sort of theoretical, sometimes an actual practical exercise of, okay, what happens if, what happens if the email inbox gets, gets compromised? What happens if my phone is compromised, the laptop, have I got spare secondary infrastructure I can use, and I have offsite backups, which may sound very highfalutin. What that actually means is every now and again, I put everything onto a USB stick, encrypt it and post it to my mum, who then stores it. And I said to mum when I went round, I said, have you got that USB stick I sent with all of the vital information on it? And she said, yes, she said. And she led me to the drinks cabinet where she opened the drinks cabinet, which under where she had gaffer taped the USB stick to the top of the drinks cabinet. And I thought, that's good. The apple doesn't fall far from the tree. Good work, mum. So that's my offsite backup is my mum's place.

Oh, I love that. That's absolutely fantastic. And you know, you mentioned your book, The Lazarus Heist there. And you know, I know Michelle has been kind of devouring that over the last wee while. I think you were audiobook-tastic for that, weren't you, Michelle? But you've been loving that. You were really interested in a few different areas of it, weren't you?

Yeah, absolutely. Love your books, Geoff. And I've listened to the podcast a little bit too. And if my understanding is correct, the book is based on the podcast. But it's actually... Yeah, sorry, go ahead.

I was going to say, yes, so the... confusingly the book came between season one and season two of the podcast. So it straddles both of them, but the book has some stuff that isn't in either series, but the series also has a couple of quite a lot of things that aren't in the book. So it's, it's a sort of mishmash of all three.

But it's so interesting. It's such a good read. It's easy to follow, easy to understand. I want everybody I know to read it so that they have an idea now of what I do as a pen tester. And I also want all of my clients to read it because what it does is really highlights the real life impact of what we're trying to do in helping them protect themselves. And in the Lazarus heist, it really shines the light on North Korea as a global leader in cybercrime, with the involvement of the takedown of Sony Pictures, with the link to the ransomware that impacted the NHS to the tune of 92 million, and that was only the financial impact, all of the disruption to surgeries and things like that as well.

Interestingly, the messaging from the GCHQ director on Tuesday at Cyber UK called out Russia and China and ransomware as bad and collaboration between industry and government as good. But notably, North Korea was not called out, which kind of suggests to me more that intelligence and power are more of a focus and that cybercrime less so possibly. Do you think North Korea are still being underestimated?

That's a really good question and actually you're absolutely right. That's a sort of thing that I've missed even though I was at Cyber UK. So yeah, I think you've made a good observation, a shrewd observation. Look, North Korea and people who study North Korea and obsess about it, frankly, will tell you this is that North Korea goes up and down the news agenda. At the moment, obviously, we have obviously great concerns about Russia being, frankly, an adversary, I think it's fair to say, of the UK. China, there are concerns about we've seen the recent attribution of MOD data being lost to China. But what's interesting is if you talk to the intelligence agencies, they will give the top four as Russia, China, usually interchangeably in one and two, and three and four are Iran and North Korea. Now, what I would say is, although I understand why the British government would look at the top two, the three and four places are definitely still worth paying a lot of attention to, and simply for the reason that...

If you look at what happened with Ukraine, a country that seemed far away and didn't seem to have much impact, frankly, on my life, turned out to have a massive impact on my life when things went wrong there. If you look at North Korea and the countries that surround it, obviously, South Korea, Japan, Taiwan, China, and you think about the gadgets that we all use and that we're recording this podcast on, and where they're made and where the components are made, North Korea destabilizing that region, as it could do if the nukes and the missile tests keep going, that is going to have a massive instant and detrimental impact on everybody in the world overnight. So whilst I understand where the British government is coming from, you have to sort of choose your, you know, your things you're going to talk about. It is definitely worth keeping an eye on the North Korean threat. The other thing about North Korea that's fascinating for me as an investigative journalist is you get this sort of amazing two for one deal with looking at North Korean hacking accusations because yes, they're trying to do all the things government hackers do, Russia and China and the UK and the US, let's face it as well, espionage, data supremacy, economic supremacy, but they also are trying to frankly steal cash. And so they're doing cyber criminal tactics is the accusation alongside the government espionage. So you get this amazing collision of cyber crime and nation state hacking in North Korea. So even if it's not of interest to you strategically, looking at that gives you so much ability to look at different bits of the cyber crime, cyber security picture, I would argue.

Yeah, fantastic. And one of the things I believe you called it in the Lazarus Heist, possibly also in Rinsed, is that cybercrime at the high level, at the top, the global scale could not exist without money laundering, which brings us to your next book Rinsed, which covers money laundering in a big way and how that ties to cybercrime and security.

Yeah, and I just wanted to kind of jump in on that as well, you know, kind of say that, you know, the money involved in this is incredible.

And you start your book with someone called Steve, you know, and Steve is a dealer who's a drug dealer and he doesn't make a lot of money. But, you know, he doesn't have a lot of spare cash. But, you know, you look up higher up the chain and I think you start with Pablo Escobar, isn't it? And, you know, his problem was hiding the money or keeping the money safe, wasn't it? And, you know, so tell us a little bit more about how they used to do things. And we'll move on to how they're doing it now.

Well, I mean, money laundering is probably as old as the history of crime. You know, once you've stolen some money, you need to hide it because otherwise you're going to get caught with it. So at a basic level, you know, money laundering has been around for a long time. The reason I started with Pablo Escobar is to explain to readers. And if you listen to the audiobook listeners, money laundering is quite a complex, quite technical subject, has a lot in common with cybercrime, cybersecurity in that perspective. So I wanted to kind of start somewhere tangible. I want to start with a basic sort of easy to grasp mechanics of money laundering.

Pablo Escobar's operation was the perfect thing to start with because the thing that made Pablo Escobar rich was obviously cocaine smuggling. The thing that made cocaine great as a smuggling proposition is you can package it really small and sell it for huge amounts. So a kilo of cocaine will sell for, I don't know how much it was in those days, $70,000 or something like that. That's great. But the problem with that is he's doing that from Colombia. At some stage, he's got to bring back the money to Colombia so he can pay off the people he's buying the cocaine from, because he's a smuggler, remember, not necessarily a grower of cocaine, a maker of cocaine. The problem is, the money, when you packaged it up, even in hundred dollar bills, was bigger than the cocaine. So for every plane of cocaine you sent to the US, you were having to get two planes back of money. And anybody who's done logistics will know that's an absolute nightmare. I ended up with two planes here and no planes there. So it was a constant struggle. And he was constantly having to try and work out ways to sort of launder all of this money.

And so using that kind of cocaine, they call it the cocaine cowboys era of money laundering, was just a great way in, obviously, lots of people have seen Narcos, the series, even if you haven't, you know of Pablo Escobar. What was amazing was I actually interviewed his nephew for the book who finds a stash of Pablo's old money, which sounds like a sort of fantasy dream you have, you know, finding your uncle's millions in the loft, but actually it turns out the millions of dollars he finds have just turned to dust. And that's again, one of the points about money laundering is good money laundering protects money for the long term. You know, if you're a good money launderer, you don't let your money rot in a loft, you put your money into a bank or a building society if you can, or a property or a boat or something that holds its value, ideally. So it was a good way that the drug stuff to start off with. Obviously the book then goes into cybercrime and prostitution and fraud and all these other things. But I thought as a start off, that image of finding the money in the loft, I thought was just a great, great example. I loved it, it was a great interview to do with Nicholas Escobar as well.

Must have been so cool. And, you know, you talk about the cash stashing and it's Goodfellas, isn't it, where they send somebody over to Switzerland with money wrapped around them. And, you know, I think in the book you talk about Antigua was one of the places that they used to stash the cash. And, you know, that's the phrase you use, isn't it? Cash stashing. So they would literally wrap money around them, give them a big suitcase and ship them off, isn't that right?

Exactly so. I mean, look, cash has some advantages. It's anonymous. It's the classic sort of fungible token, but it has some big disadvantages. It's bulky and it's suspicious. And so one of the things drug dealers will still do, even to this day, is try and spend the drug money on something like a Rolex watch or an expensive Audi, because you can drive around and drive across borders and you can give those to somebody else without it looking suspicious. If the cops stop you, you can say, well, I'm just rich. I've got an Audi and a Rolex. You know, what's the problem? Whereas if they stop you in a Ford Fiesta with a hundred thousand pounds in bank notes, that's just instantly suspicious. So converting it into goods is a good way of moving it. But of course, increasingly, as I'm sure we'll come onto, this is where the technology piece comes in. If you can get that stuff into digital currency, you know, into a bank account, an online bank account, you can transfer it. But even better, if you can go for crypto, you can transfer the money from cash into crypto. Suddenly, you don't have to sell or take banknotes around your body anymore. You can just send the crypto straight to Antigua or Colombia or Frankfurt or whatever you need it. It's liquid, it's international and it's outside the traditional banking system. And so much crime, cybercrime and other organized crime relies on that. Without those laundering networks, you can't move the money, you can't enjoy it, you don't do the crime. There's no point hacking the company if when you get the money, you're just going to get caught. You've got to have the laundering network lined up and ready. And that's increasingly the game for these gangs.

And you mentioned in your book again that there are five things that money launderers look for. I think they were high volume, high volume, flexible prices, lack of regulation, global scale. Sorry, four things there. And, you know, and we've with that, you instantly obviously think of crypto. You think straight away you're there. Yes, yes, yes. Maybe some regulation now. I want to ask you about that in a minute. See how you think that will affect it. But crypto lends itself so nicely to those to those issues, doesn't it? Yeah.

Yeah, it does. And, you know, I want to make it clear, it's not the people who invented these cryptocurrencies like Bitcoin and Ether and so on. They weren't targeting it for crime. I genuinely don't think they set out to think, well, create a fantastic anonymized currency. There's lots of other arguments why you would create cryptocurrencies. There's a libertarian argument that, you know, governments have classically always exercised their power through money, through setting interest rates, through setting money supply. It's a classic lever of state power. And if you're anti-state, a classic libertarian, you like cryptocurrency.

There's also issues around fairness around money that, you know, it costs money to remit money back home if you're a worker working overseas. Well, cryptocurrency can help with that, and that's because it doesn't stand inside the digital finance system. It can move across borders seamlessly. For people who think that money should be transferable and that, you know, big organizations like banks shouldn't take a cut of it, it works. There's lots of philosophical, you know, support behind cryptocurrencies, but also inevitably for crime. If used correctly, cryptocurrency is often anonymous. It can be shipped around the world instantly outside the traditional banking system. So there's lots of applications. What you find is interesting is that if you're a money launderer, as you say, you're looking for several things. You're looking for lots and lots of money sloshing around in the system so that you can wash your criminal money, hide in the crowd, hide in the noise. You're looking also for an international system so you can deposit your money in Los Angeles and withdraw it in London, and looking for lack of regulation. You do not want the cops and regulators sniffing around and forcing the rules.

If you look at the things that tech companies, particularly startups like to do, if I'm setting up a technology startup, I wanna choose a sector where there's lots of money sloshing about, you know, Uber's the classic example. How much is an Uber car worth? Well, it could be loads, could be nothing, who knows? How much is an NFT worth? Apparently 10,000 pounds, who knew? So you've got lots of, you know, it ticks the first box. It's international, of course, because tech startups want to scale internationally. You know, again, Uber wants to dominate in every territory. They want an international scalable product. And thirdly, they target areas where there isn't regulation. The reason Uber is picking taxis is because there's holes in the regulation. You can set up a taxi service, it was originally a ride share service, and just ride a horse and cart through the regulations. So all those things tech startups like, lots of money sloshing about, big international exercise, not much regulation, they're exactly the things that money launderers want. It's not that they want to work together, it's just the things the techies tend to end up doing are the things the money launderers really like and enjoy. So they end up just inhabiting the same territory, the same environment.

And how do you think regulation might impact crypto in the UK?

It's an ongoing debate and I find it a slightly sort of double think situation. On the one hand, you know, financial institutions and the government understand that, you know, this is a radical new form of currency and a value exchange that has some great merits. I mean, the trackability of it, the blockchain that tracks all the crypto transactions, lots and lots of people see the merits of that, not just for transactions, but for storing information, auditing information. Excuse me. But the other thing is obviously they see this can be used for crime. So on the one hand, you have parts of government who are trying to get digital currencies off the ground, the Financial Conduct Authority is trying to regulate cryptocurrencies, try to attract these companies to the UK, because it ties in with our existence as a financial centre. On the other hand, you've got other parts of the UK government thinking it's an absolute nightmare. There's already lots of money laundering going on through places like London financial institutions. Do we really want to get into bed with this new currency. So you start to see this sort of double-sided approach going along. And looking at regulation, the Financial Conduct Authority was keen that cryptocurrency companies register for activity in the UK. They made the tests so hard that the cryptocurrency companies went, well, solid, we're not gonna apply, we're getting out. We'll disappear, we'll go across to another regime. And so for the UK, you think, well, we've lost the opportunity to work with these companies.

Maybe we should make the regulations lighter so they'll come to us. But that way danger lies because, of course, the lighter the regulations are, the more abuse there can be. So we're steering this territory at the moment. It's really fascinating to see. And of course, the UK, whatever we do, Europe does something else. The US does something else. And again, look at the international nature of crypto. These companies will shop around for the best jurisdiction. And that's, I think, what we're really seeing. For instance, we've seen some examples of where people have been blocked from working in certain territories.

And all they do is they set up shop in somewhere else where the regulation is less. And, you know, it still allows you to do everything. And, you know, they talk about, you know, don't they, that, you know, some of this stuff, some of the regulation doesn't bother cyber criminals anyway, because they're criminals. They don't, they're not going to put the real home address that they live in Ontario, Canada, for instance, where you're not allowed to do so various bits and pieces. They're not going to put that address anyway. They'll just make a fake address or, you know, move a VPN or something like that. So it must be the case, I think, that we're starting to see that move to unregulated territories.

Absolutely, and I think what's interesting is in terms of confirming identity, if you're a bank, you have to kind of confirm somebody's identity to a certain level. Otherwise, you can get fined, you can lose your banking licenses. Layers and layers of iron regulation that surrounds traditional finance. Not that they don't abuse it and get caught out, not that they don't turn a blind eye to things, but the regulation legislation is there at least. With crypto companies, there's far less regulation around them. And so, yes, as a crypto company, you can sort of volunteer to do this. And certainly there are crypto companies who say, we want to do that because we want to get investment and we want our investors to see that we're a clean pair of hands. There are other crypto companies who say, look, that's not our job. And by the way, we're gonna lose business if we do that. And the other thing you have to factor in is this interesting philosophical approach that crypto community has, some in the crypto community have, which is this, they say, look, these traditional banks, traditional finance, and actually traditional institutions generally like governments and even religion, they haven't exactly done a great job. We're not in a brilliant situation as humanity. If we have things like crypto, we can actually create a better society going forward. We have created crypto, we the techies have set it up, we've made it work, regardless of what you think of Bitcoin, it's been around for more than a decade, you know. We've made this thing work, it's resilient, it's been road tested, and we built it.

And now you, traditional forces of government and finance, come in and try and regulate us and tell us what to do. No, the whole point of this currency was it wasn't traditional. It doesn't sit inside traditional structures. And so you trying to bring us into the fold is patronizing and misguided. So there's a philosophical objection, which you've got to, I think it's important for people to get their heads around in terms of crypto and the crypto community and understanding that really strong libertarian DNA that's in at the heart of it, I think can help you contextualize some of the responses around things like regulation.

Fascinating. And, recently there was a story about the Huyton Firm, I think it was, you know, an organized crime group that used EncroChat to do some, some bits and pieces. You know, when you're investigating these, these gangs, do you, I mean, do you, do you, do you EncroChat with them? Do you, do you kind of work with them or do you, do you just kind of find evidence and, and bring it out?

It's extremely difficult, I have to say, for an investigative journalist to penetrate a lot of these organizations.

I mean, you're looking basically at sort of three levels of people. You're looking at the nation state level. You're looking at organized crime, organized cybercrime, organized fraud gangs. And you're looking at kind of hacktivist, have a go type people. The nation state folks just do not talk to you just generally. The have a go hero types, the hacktivist types will often chat because they want to sort of, you know, they want to talk. It's quite a lonely job and so on. The cybercrime stuff in the middle, the organized crime stuff, you occasionally get glimpses into it, and you can occasionally speak to people who are sort of on the fringes of that. The problem is, of course, there's not a huge amount of point in them speaking to journalists. They don't want to be sort of covered. And also as a journalist, I have to behave ethically. So, you know, I can't entrap people into saying things. I have to identify myself as a journalist. And often at that point, people sort of run a mile. So often I am reliant on researchers who have access to these communities, reports that come out, criminal complaints and indictments that sort of expose these kind of, you know, insider communities.

I don't want your listeners to be left with the impression that I've got a hotline to the folks who are in charge of the crime gangs. It's not that. But I find I can do enough research, speaking to people who do have those levels of access, that it's possible to get in. I have to say, I'm fascinated by threat intelligence companies that manage to get access to sort of dark web channels and dark web forums and so on. Because I know those forums and sometimes you have to pay to get in and it's not cheap. It's thousands and thousands of bucks. And even when you're in, you're expected to be able to get in, to be part of the hacking community. You can't just go in and say, oh, pay my money, I'm just gonna sit here now and listen to what you're saying. They'll be like, no.

Log everything you're talking about.

Exactly, it's like, you know, you're meant to be participating here. What are you bringing to the party? So I find it interesting how those security companies manage to bring something to the party without that thing being an illegal product. I find that fascinating.

It is, it is fascinating. And you know, you hear about, you know, some of these groups and some of the things they're getting up to. I mean, you know, you started off talking about things like Backpage and Craigslist and just nipping back quickly into the crypto world. I think that one of the stories you're telling there is that actually the goods were paid for by the rise in crypto between what you bought it at and what you sold it at rather than anything actually changing hands. Isn't that right? Can you say a bit more about that?

I'm just trying to think of the example in the book. It's been a while since I wrote it.

Yeah, no,

rather than the actual crypto itself, if you see what I mean. So there was reliance on crypto values increasing. And the idea was that was sort of fun purchases.

I mean, Backpage, I should say, is a fascinating story. The story is, again, it's got a civil liberties aspect at the heart of it. The folks who ran this Craigslist-type site, Backpage, believed in freedom of speech. And one of the things they believed in was that advertisers should have freedom of speech to print adverts for stuff they wanted to advertise. And that included adverts for prostitution, and in some cases, trafficked people and people trafficked for sex, and in some cases, frankly, children who were trafficked for sex. Now that's an interesting position from a freedom of speech aspect to support, but they were hardcore libertarian freedom of speech folks. They were like, freedom of speech applies to everybody, you can't pick and choose. What that meant was there was lots of dodgy ads basically running on Backpage.

Now at some stage, they hit upon a problem, which was that the credit card companies Visa and MasterCard stopped processing payments, because, like, now we, even if you could argue this is legal, we just don't want to be part of it. And so in order to solve that problem, Backpage got into various different systems, setting up shell companies and so on, and one of the systems that they relied on, of course, was cryptocurrency. So what was interesting was that they tried to sort of convince the finance companies, the banks, that the incoming supply of money, part of it coming from crypto, wasn't paying for adverts on the site for the prostitution, it was paying for something somewhere else that was legitimate, but the person who actually paid for the legitimate thing actually got to post an advert for prostitution. So in the end it sort of worked out even.

So yeah, and interestingly that case, as I was completing the book, came to fruition. One of the defendants, one of the founders of that site, Backpage, actually committed suicide in the course of the trial. The other chap was convicted finally after years and years and years of prosecutors trying to prosecute him for prostitution advertising.

It was money laundering and particularly the crypto side and the high-tech side of money laundering that got him in the end. So again, that story, that Backpage story speaks really well to the sort of the boundary between crime and between the laundering that enables that crime.

And talking again, you know, moving with that was, they felt that was a legitimate use of crypto, but you know, we look at people like AlphaBay, Conti, Hydra, DarkSide and all those things. Hydra, I find, particularly fascinating. You know, I've finished reading, sorry, watching some of the TV shows about the opioid crisis in the US and things like that. You know, Hydra were using that and drug dealing to flow money into Russia, weren't they, to do these things?

Yeah, Hydra was endlessly fascinating. It's a dark web site. And I was aware of Hydra, but it was one of the Russian sites. So you talk about the fentanyl boom in the US, tragic fentanyl boom in the US having really severe consequences there. Hydra wasn't part of that because Hydra didn't ship to the US, it was just a Russian service. And yet, Hydra was dominating the dark web, loads and loads of money was flowing in and out of Hydra. I was a bit confused by this. So that's not fair. I wasn't confused by it. I just ignored it because I thought it was a peculiar case. They must be doing loads of drug deals in Russia, I guess.

There was a bizarre period in Russia where, because obviously shipping the drugs to people was difficult, the Russian government started inspecting the packages and finding the drugs. So they invented this whole industry called clad in Russia, which was this network of people who would stash the drugs, sometimes using magnets to attach them to sort of girders under buildings and stuff. And you go and recover your clad and you could earn as a cladsman. You could earn money, you know, shipping goods. But it's all Russian Federation drug dealer. How is this? How is that making so much money that this site is massively valuable? Of course, the answer is laundering. It wasn't just drug money that was flowing through Hydra, increasingly loads and loads of ransomware money and other cyber crime money was sloshing through it. So the reason it became a billion dollar a year business, Hydra, was because it was laundering money. It was almost a dark web market on the side of a money laundering business. And that's certainly what led the US to it. It was when it started laundering money from ransomware attacks in the US, notably things like Colonial Pipeline, that the US went, right, we're going off to Hydra as a money laundering business as well as an illegal dark net market.

I mean, interesting, had Hydra just stuck to dealing drugs to Russians and sticking them under girders and stuff, they might have got away with it, they might still be in business, but yeah, you make your choices.

Yeah. Geoff, have you had any involvement with it in any of the takedowns from the NSA or similar?

I have not, no. Yeah, they keep those things quite secret. And look, I'd love to say that I'm read into these intelligence operations and so on. Absolutely not. I don't think they want a journalist anywhere near it. I have had situations where we've discovered something or I've discovered something that the police are probably investigating. And at that point, you've got to make a decision as a journalist as to who you're serving. You know, should you tell the police you're investigating it? The problem with that is there've been situations where the police have said to the journalist, well, don't report it, but when it happens, we'll give you the exclusive, you can be the first to report it. And that has not worked out well for journalists. There's a bad reputation of the story leaking out and the journalist not getting the scoop. So frankly, as a journalist, my audience, the people I serve is the public. And sometimes what I do is aligned with what the police want to do. And sometimes the police are like, oh, I wish you hadn't reported that. But, you know, I'm not there to serve the police. I'm there to serve the public.

I've seen series three of The Wire where, you know, they give the story to the Baltimore Sun fella and a weekly and promising me it can publish in a week. And then it all gets leaked out anyway. And, you know, that's.

Most things in life relate back to The Wire in some way, shape or form. So, you know, so it's great. Um, you were talking there about, you know, kind of journalistic sources and, you know, kind of finding these stories and being who you serve and that sort of thing, you must have absolutely loved the Conti leaks, um, and the, uh, the bits and pieces that came from that. And I know that you talk about that in the book as well.

Yeah. I mean, the Conti leaks was absolutely astonishing. I mean, one of the world's biggest ransomware gangs who, after the invasion, the reinvasion, I should say, of Ukraine by Russia in 2022, the Conti gang, like a lot of ransomware gangs, sided with the Russian government and frankly I don't blame them for that. If you're in Russia and your existence as a crime gang is sort of beholden to, you know, acquiescence from the government, of course you're going to support the government. I don't think that was a surprise. Of course the reaction to that was somebody in Ukraine, we think, connected to the Conti ransomware gang leaked something like 60,000 of the messages.

I still think that there's a stage play to be done or some kind of innovative, different way of doing that because I'd always been told as a journalist, you know, these, these gangs, they run like businesses, they clock in, they clock out, but being confronted with the sort of office gossip and minutiae of a ransomware gang as it's going about its business, you know, and the sort of backbiting and bitchiness of, oh, why'd you hire that guy? He's rubbish. Get rid of this. But I'm worth way more than that, you know.

It really was an insight into the struggles and strains of that organization. I thought it's absolutely amazing. I'm hoping to research another book and I'll be going back to the Conti leaks. What I would love to do and I don't know if this is possible is to go through all 60,000 messages and just read it almost like a sort of email thread. The problem of course with that is I had a fascinating chat with somebody from Cyjax, one of the threat intelligence companies the other day, who was talking about the language, the Russian language in which they communicate.

I'm going to say ZENYA, I might have got that word wrong, but it's a Russian criminal slang. And so unless you really know the Russian criminal slang, Google Translate will not do this for you. You've really got to know what they're talking about. And so I think I'll probably need the assistance of someone like that who has that knowledge to sort of interpret those messages. But it is just a fascinating trove of data and really speaks to the fact that, you know, we think of cybercrime, I think, as automated and scalable and this tsunami of cybercrime washing over us like it's a computer.

There's actually people behind it. There are people who run this and they have stresses and strains and job difficulties the same as we do. And that's maybe a useful thing, I think, to remember for cybersecurity people.

Absolutely. And I saw Lisa Forte, I don't know if you know Lisa, but Lisa's gonna be joining us on Cyber Tuesday, I think next month. So I saw her do a fantastic talk about the Conti leaks. And it's just so class when it's brought to life. I would love to see a show like that, the Lyric here in Belfast, the National in London or whatever it is, you know, that would be, I wasn't aware of that language, by the way, that's a very cool thing to know. That's- I haven't looked into that.

But I think it's interesting. So we've had, famously, I think it was one of the public inquiries that they turned into a stage play and they used the verbatim transcripts from the public inquiry. It's been done before where you take what's essentially a dry subject, but use the transcripts and you bring it to life. And I do wonder about whether there's a possibility of having, I don't know if it's stage or at least the Conti podcast where you sort of follow the personalities along and you sort of weave it. I don't know. I just think it's an amazing resource that I don't think has been fully, fully utilized. So if there's any stage directors or film directors out there, get in touch.

Absolutely. Well, we'll pass that on to anyone we know as well. I'm very conscious that we're kind of, you know, we've used up a lot of time already. I wanted to go back to the Irish connection as well, because obviously we're sitting here in Belfast and I'm actually an Englishman, but I've been here 26 years. So I kind of, my wife still calls me a blow-in, but I'll, I think I'm a bit more local. Michelle's from just down the road here. And, you know, there is this Irish connection to some of these stories as well. As now as reading about Kenoli Ubudu in Cork and some of the work that was happening in Dublin as well.

Yeah, this is really fascinating. So one of the things I wanted to look at in the book was about these international laundering networks and...

One in particular that I find really, really fascinating is a crime group called the Black Axe, who originates in Nigeria in the 1970s. It's interesting, it starts out as a sort of political emancipation movement, and then through various things, ends up basically as a sort of criminal enterprise. I wanna make clear, by the way, the vast majority of people in Nigeria have nothing to do with it, and hate it as much as we all do, and the vast majority of people outside of Nigeria have nothing to do with it, but this gang is... even though it's a tiny minority, they've exerted a huge amount of influence.

At a certain point, they kind of merge into and morph into the sort of classic Nigerian prince email scam sort of gang. So it's a tall crossover. Now, what's happened is as those scams internationalized and as they escalated, so yes, the Nigerian prince emails went out worldwide, the new scam frankly is a different version of that same exercise where instead of emailing somebody individually and saying, hey, I've got a million pounds

million dollars

Well, you need somebody locally to sort that payment out. You've got to have somebody who's going to take the money, who's going to wash it, and then send it back to the originators, possibly in Nigeria or wherever, wherever the Black Axe individuals are working. So you need this sort of money-laundering network. So Black Axe became really interesting from that perspective. And I'd say Ireland, I'd say it's the Republic of Ireland in this case, but on the island of Ireland, there's a lot of this stuff going on. Black Axe seems to have set up shop in that region and used it as a bit of a money laundering hub.

Obviously lots of financial organisations on the island of Ireland, you know, an august history in financial institutions, well the Black Axe have seen that and have seen that you can wash money through that and what they're doing is using social media, things like Snapchat, Instagram, to recruit anybody they can find with offers of tempting money and what they actually do is use that person's bank account for

It's huge, there are thousands of people suspected of being pulled into this, hundreds have been arrested and if you Google it you will see conviction after conviction after conviction. Now often they're suspended sentences, it's suspended for a year perhaps, but it's still a criminal conviction on your record and that's going to have a lot of detrimental impact. It's worth saying in the UK the approach seems to have been different over here. If they catch people for these money laundering offences, they don't seem to prosecute them and certainly not to the same extent as they do in Ireland.

You're given what's called a Cifas marker, which is an indication of money muling activity, which may sound really dull and boring. But what it means is your bank account gets closed and every bank will refuse you because one bank flags you and all the other banks will probably turn you down. And what that means is no bank account for you, buddy. That's hugely problematic for the people who have been pulled into this. So yeah, that whole Ireland Black Axe link with the money muling and money mule recruitment. Fascinating. And that's, that's one and a half to two chapters of the book is all about that gang and the exercise they've been doing in Ireland.

Kanodi Bodu, by the way, the chap you mentioned, exactly that, gets an offer on, I think it was Snapchat, you know, can we use your bank account, we'll pay you a bit of money, he says yes. A couple of years later he gets a one-year suspended sentence, so he's a perfect example of that. He's interviewed for the book, it's a fascinating tale about how he gets drawn into the cycle of crime. That's amazing. I'd love to ask you, Geoff, who was the most interesting or your favourite standout person that you've interviewed while researching the book?

You know, the person I interviewed that was most fascinating, that's a really good question. There's quite a lot of contenders for that actually. There's Sam Bent, who was a dark web drug dealer who had an amazing operational security setup, which eventually failed catastrophically and he got arrested. There was the guy in Dubai who I hadn't heard of and who put himself on my radar by phoning me up bizarrely, failing to mention he had his own conviction for VAT fraud, which I then found out about, so he's in the book. There's one called Lillian Fante who did the Hydra thing that we talked about, she did a huge amount of the investigation for the DEA, the Drug Enforcement Administration, on the Hydra case. She's super fascinating.

But the one that really, really stands out to me is a chap who helped to fund and create a cryptocurrency mixer. So this is a sort of anonymizing service for cryptocurrency, which can be used for both good and ill. And what was interesting talking to him was, we might see cryptocurrency as being an exchange of value, sending payments back and forth. As I say, for those crypto libertarians like this chap.

He sees a future world where crypto can be used to create a better society, a more functional functioning society, a better functioning society. And it was just really fascinating to talk to somebody who's got a really big world view, who sees technology and sees a different world. It was like going through the looking glass. And I was really glad he spoke to me and I'm really glad that we managed to get the interview in. And I worry in the book that I've tried to encapsulate as best I can his world view. The book is not about the future world we're going to have potentially through crypto, it's about money laundering. So inevitably that's the filter for his comments, but it was a really fascinating thing and it really helped open my eyes to how that sort of hardcore of crypto libertarians see this technology going forward. And like I say, that's really important, I think, to get the context of crypto crime and also crypto privacy and freedom of speech debate.

And speaking of freedom of speech, did you come up against much censorship or any threats along the way in writing the book?

No.

But the book hasn't been published yet, so you tend to find it's after you've published it that you get people coming after you saying you shouldn't have said that. Look, there's been some extensive legal process at Penguin and we've looked at it from all different angles. Frankly, my view is that everybody in the book is accused of something, is accused for good reason. I've given, where at all possible, people's right of reply. I've tried to put their side of the argument, as I do as a journalist. So we'll see how that works out.

But I mean what's interesting is, you know, there are journalists, Catherine Belton by the way, who wrote a book called Putin's People, which was about Vladimir Putin, was then sued by various people. Other journalists who do the same kind of investigation and same kind of narrative non-fiction that I do, you know, there's a track record of rich and powerful people trying to stop authors putting out information. It's expensive, it's time consuming. I'm told that the British legal establishment is starting to push back on that, partly because they don't want to be, frankly, the handmaiden to the tigress oligarchs who want to just shut journalists up. I don't think that's where the judicial establishment in the UK wants to be. So I think that pendulum might be swinging back the other way, but it's certainly a risk. It's a risk any author who's doing investigation and naming names takes very seriously. And Penguin, the publisher, do as well.

That's fantastic.

Geoff, there's so much more we could talk about with you. You know, I have notes coming out of, you know, every screen here, you know, things like this extortion work that you were doing to kind of highlight that and the problems that still happens from this incredibly prevalent issue. You know, things like AlphaBay and the basic OPSEC of hiding an email address in a web page, I think it was, you know, more of a DarkSide and Colonial and...

You know, WannaCry is a particular fascination for me. And, you know, we just have so many more questions for you, but we are gonna have to let you go. I wanted to finish off just very briefly, if I may, by just asking you, we always try to ask people about security culture. It's a really important thing. We think it's more important than any technology, any kind of bits and pieces that you can buy is about putting a great culture in place. You've obviously reported on lots of issues, lots of ransomware things, lots of incidents, lots of people having money stolen, things broken. What have you seen that are particularly good or bad examples of security culture?

It's interesting. I think it's interesting. There's a non-technical answer to this, which I'll give, which for people listening might strike them as something that sort of is outside their remit or above their pay grade or whatever. But I'll mention it anyway in that in a good and healthy organization, each of the people in it understands they have a role to play and that they're valued and that they're important and that the company can't work without all of them. From the lowest level of the organization right up to the top. Part of that is understanding that thanks to the way organizations are now created, where pretty much everyone has access to all of the data, everybody is a potential way in for the hackers. The answer to that, I think partly, is to emphasize to people you are all now part of this organization. We value you all and we want to protect you all from this wrongdoing because it could target any of you. It's not that the chief executive because they earn five times as much as you is a more important target for hackers. You're all important targets and we take all of you seriously.

And one of the great things was a law firm that we did a cybersecurity talk for and hundreds of people, 200 people turned up for a lunchtime talk so unprecedented. I said well, how did you sort of do that? How did you get everybody in the room? Even the fee earners, who I'm not in a law firm, but they are the fee earners. They're the sort of supermodels who don't get out of bed for less than a hundred grand or whatever. Even they came along and the law firm said, look, we told people, come along and learn how to protect your family online. We didn't make it about work. We didn't say, well, come along and there's a phishing training or whatever. They said safety online, which you can apply both in work and out of work. And it was that sort of...

It's quite paternalistic and quite community led approach by an organisation to say look, this isn't just about us protecting our money and it's not about just the chief executive not getting hacked. Everybody in this organisation is of value to us and we want to help you all be safer. So I think if you can do that, that's a good sort of place to start. You will always have to be an organisation who just frankly don't give a damn, they're there to pick up a pay check. But the more you can do to say to people, you're part of this company, you're part of this organisation, if it suffers, we all suffer. As I say, I'm sure a lot of people listening will think, how do I enact that? But I think just doing on that and thinking about that might lead to some good outcomes and conclusions possibly.

Geoff, that is, and that's the message we are absolutely trying to get out to people as well is that you can do so much by talking to people, by educating them, by just having those conversations. You know, you can buy a brand new firewall for 10, 15, 20 grand, and you know, someone will still set a password as password01, or they'll still click that link, or they'll still do whatever it is that they shouldn't be doing. So.

You know, that is absolutely fantastic. And, you know, we really appreciate your time today. Geoff, thank you so much for joining us. Hopefully we'll see you out and about very soon. And best of luck with the release of the book, which I think is, by the time this goes out, will already be released. And what is the release date of the book, Geoff? It's June 13th, and it's gonna be called Rinsed, as in washing machine rinsed. Fantastic, very good. Michelle, thank you very much for your hosting duties.

Geoff, we look forward to seeing you again very soon. Thanks very much. Speak again soon. Thanks for having me. We enjoyed it. Thank you.
