The #1 crime which results in the biggest financial loss is BEC fraud. The #2 crime is pig butchering. Ronnie Tokazowski (https://twitter.com/iHeartMalware) walks us through this wild world.
Sponsors
Support for this episode comes from NetSuite. NetSuite gives you visibility and control of your financials, planning, budgeting, and of course - inventory - so you can manage risk, get reliable forecasts, and improve margins. NetSuite helps you identify rising costs, automate your manual business processes, and see where to save money. KNOW your numbers. KNOW your business. And get to KNOW how NetSuite can be the source of truth for your entire company. Visit www.netsuite.com/darknet to learn more.
Support for this show comes from Drata. Drata streamlines your SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR & many other compliance frameworks, and provides 24-hour continuous control monitoring so you focus on scaling securely. Listeners of Darknet Diaries can get 10% off Drata and waived implementation fees at drata.com/darknetdiaries.
This show is sponsored by Shopify. Shopify is the best place to go to start or grow your online retail business. And running a growing business means getting the insights you need wherever you are. With Shopify’s single dashboard, you can manage orders, shipping, and payments from anywhere. Sign up for a one-dollar-per-month trial period at https://shopify.com/darknet.
A few years back, a listener wrote to me to tell me about a problem they're facing. Okay, check this out. They went to buy a house, right? And when you go to buy a house, there's like a little dance that everyone does. Like, do you give them the money first? Or do they give you the deed first and the keys? Or do you do like a quick swap at the same time?
What if it's a phony check or the deed is made up? This is where escrow comes in. Both the seller and buyer hand their things to a third party, someone that both sides trust and waits for everything to clear. If the check clears and the deed is valid, then escrow says, okay, the deal is done and gives the money to the seller and the keys to the buyer.
So this guy, a listener of mine, says he bought a house and during this process, he gave $250,000 to the escrow company. But then someone scammed the escrow company. They posed as the seller and said, hey, could you just deposit the money into our bank account directly? And escrow's like, oh yeah, of course, no problem. We do this all the time. Here you go.
And they deposited the $250,000 into the scammer's account instead of the actual seller. But here's the crazy part. Because the seller never got the money, escrow wouldn't give the keys to the buyer. They were being jerks about it. They were trying to say, oh, sorry, we lost the money. No house for you. The deal has been canceled. And the buyer's like, whoa, no, no, no. That's what escrow is for.
You're our trusted third party. We trusted you to do this deal. You screwed up and that's not our problem. That's yours. But escrow's like, hmm. I never got an update on what happened here and if this got resolved. I think the buyer took escrow to court to try to get their money back.
What a nightmare, though, to send a huge check somewhere only for it to go to the wrong place and then someone else runs off with the money. Ah!
These are true stories from the dark side of the Internet. I'm Jack Rhysider. This is Darknet Diaries.
This episode is brought to you by SpyCloud. For some people, ignorance is bliss. But for you, as a security practitioner, that's not the case. I went to spycloud.com to check into my darknet exposure, and I won't tell you what it is, but spoiler alert, I found some things that are pretty eye-opening.
From breach exposures to info stealing malware infections, knowing what criminals know about you and your business is the first step to setting things right. Resetting stolen passwords and addressing the enterprise access points that have been stolen by malware helps you protect your business from ransomware, account takeovers, and online fraud.
With SpyCloud, you have a trusted partner to fight the good fight with. Their automated solutions, which are built on over 350 billion recaptured assets from the criminal underground, ensure you're not in the dark when it comes to your company's exposure to cybercrime. To get your full Darknet exposure report, visit spycloud.com slash darknetdiaries.
That's spycloud.com slash darknetdiaries.
This episode is sponsored by Delete Me. In episode 133, I spoke to Connor Tumbleson about some people from who knows where who were stealing his identity. Luckily, they weren't out to destroy his reputation or extort him, but think of the damage that could be done. We all have data out there, which data brokers use to make profit.
Anyone on the web can buy your private details to do anything they want. This can lead to identity theft, phishing attempts, harassment, and unwanted spam calls. But there's a solution called Delete Me. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And they got busy deleting these things.
It was great to have someone on my team when it comes to privacy. Take control of your data and keep your private life private by signing up for Delete Me. Now at a special discount for my listeners, you can get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code DD20 at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code DD20 at checkout. That's joindeleteme.com slash darknetdiaries code DD20.
I was clicking around the other day and came across this story on Good Morning America.
Shreya Datta thought she'd met the man of her dreams on a dating app, only to find out her Prince Charming was a scam and she was out more than $450,000. What the?
How in the world does some guy on a dating app scam someone for $450,000? Bah!
This person presented themselves to be everything I was looking for.
She was the victim of a scam known as pig butchering. A scammer pretends to be looking for love online. They find a love interest, casually encourage them to invest in crypto via a fake app, but eventually they can't access the money at all. The money is gone. The investment's not real.
Dang. Things we do for love, huh? Or maybe it was for money. Or maybe it was for the love of money. I don't even know.
Yeah, so hearing that story, I've heard it a thousand times over.
Okay, hold on. Who are you and what do you do?
Oh, yeah, yeah. So my name is Ronnie Tokazowski. I've been fighting business email compromise for the last eight years now. So my role in this is I work behind the scenes with a lot of people who are working with romance scam victims. I do a lot of work with Secret Service, FBI. I also work back and forth with victims too.
Because a lot of what happens is the scammers will go to different dating websites. They will go and... find people in order to date. They will move the discussions off of the platform just because most of the platforms cost. But they'll move it to WhatsApp. And then from there, they'll start grooming the person. They'll say loving things.
We've had pick cases where some of the victims might send nude pictures over to their lover. And once they go and are exchanging those sweet nothings, the scammers directly build that relationship, build those emotions.
So I heard this term pig butchering, and I'm not connecting the dots here. Nowhere in this romance or crypto or gold, you know, sending money to people, is there a pig involved? Where is this term pig butchering coming into?
Yeah. So the term pig butchering comes from a Chinese phrase called Sha Zhu Pan, which is essentially a broiled... I think it's broiled meat. I forget the exact translation. But what the concept is, is the scammers will go and try and fatten the pig, if you will. So what they will do is extract as much money as they can out of a victim.
And where the pig butchering comes in is that once the scammers get to a point where they feel like they can't get any more money out of the victim, they will take the pig in for slaughter or slaughter the pig. And what they mean by that is actually pulling the rug out from under the victims and like walking away and essentially be like, I got all the money that we could.
So that's kind of where the phrase pig butchering comes from.
Okay, so for some reason, Ronnie is attracted to this type of scam or fraud or whatever you want to call it, and zooms in to whenever he sees these stories come up. And one day, he heard about a colleague who got pig butchered and wanted to help him out.
Him and his girlfriend, they were dating for several years. Like, they've been together for as long as I've known. It's probably about eight years now that they've been together. So they were engaged to be married. They had a house together. And unfortunately, things happened and that relationship kind of flopped. So they went their separate ways. He lost the house.
And unfortunately, it wasn't really a good circumstance.
Breakups are hard. It's a tough time for anyone. You can sink into deep levels of depression. Your defenses are weak and your vulnerabilities are exposed.
So he went to go online and go date somebody. So he went onto a dating platform, found this really pretty French girl who was very involved with him and very kind of attached to him. So the two of them really hit it off. And at some point she popped the question to say, hey, I'm also doing a lot of crypto investments. Is that something that you'd be interested in?
Okay, I don't see any red flags yet. And he didn't either. At this point, they were just chatting through text, like a lot. She seemed to be into everything he was interested in, and he was liking that. He was coming out of his breakup, and she seemed to be caring and helpful. Yeah, okay, so she's into crypto investments. That's fine. She could be into that. But he was curious.
Was it really working for her? He had some crypto somewhere. I was like, tell me more about what you're invested in. So she tells him, man, there's this hot investment. It's making mad bank. And he's like, yeah, okay, well, what is it? Show me. So she keeps talking it up. I'm basically just living off the profit from this thing. It's nuts.
And he's like, you got to show me what you're talking about. So she's like, okay, so you know how your savings account makes interest, right? This is like that, but it just pays much more. You put your money in and then daily it makes interest and you could just take that interest out if you want or leave it in and it adds up and you make even more.
So he's like, well, how much interest are you earning? And she's like, 20%. If you have $1,000 invested, it'll earn you $200 in interest a day. And at any time, you could just take your $1,000 out if you want. And he's like, man, that does sound too good to pass up. So she gives him the links to read up on.
Being in the field, he knew a good bit of crypto. He's naturally a very skeptical person. So he did his research on a lot of the way that they present the money. So he went, they provided links and information for him to check once he went and submitted his money.
This scheme was very, very clever. I mean, this guy was a cybersecurity professional. He knew about the dangers of cryptocurrency and was suspicious about all this. But this had a mix of legitimate information with just a small dash of fraud. See, the way they had this set up was they made it look like it was using a legitimate exchange, in this case, crypto.com.
And the way that the application was presented to him was, and this is his perspective, I'm still trying to get the full scope here, but there was actually a browser that they could use within crypto.com that will have it show up that actually looks like the application. And looking at some of the screenshots, it looks like it was right within the crypto.com application.
And because of that, when your user goes and clicks that stuff, it appears to be 100% legitimate.
I looked at some of these screenshots myself. It's hard to tell what's going on, but one thing is clear. They social engineered him and tricked him into sending his crypto to the scammer's wallet. They just disguised the wallets to look trustworthy. Basically, he would buy cryptocurrencies on Crypto.com with real money and then send those crypto coins to this investment project.
Investment in quotes there. Really, it was a scam. And it looked really good. It didn't look like a scam at all. You could see your balance. You could see your earnings. You could interact with it. You could pull your money out at any moment. So he decided to give it a try. He put some money in, sent the crypto.
And when he saw it was generating interest, he tested it by taking some out and was like, wow, this is actually working because it looked like it was. But this is where the pig butchering scam comes in.
The scammers wanted him to take the bait, start with putting in a little, see that it's working, and then hopefully put in some more and more and more and hope that he dumps a ton of money into this. And when they think he's put in enough, they'll take the money and run. So as he starts watching the money grow on this site, the scammers start ramping up the pressure.
They tell him if he invests a little bit more within this time frame, he'll get locked in for bonus interest, basically presenting him with more exciting opportunities that were time-sensitive.
In addition to putting his own money in there, because of the high returns that were being shown, he also went and had gotten a loan. So he actually used a loan to go and put more money into it because, again, if you can use that loan to go and get more money, who wouldn't do that? So that's another common thing we see with a lot of people is they'll go take loans out from a financial institution.
They'll take a second mortgage out on their homes in order to go and get more money based on those investments.
Taking loans out? Now I see why someone can end up losing a ton of money in this scam. But not only that, these scammers were really tricky. They would sometimes tell him, look, we locked your account because there's not enough funds to cover withdrawals. Please deposit another $40,000 in the next 96 hours to unlock your account. And he's like, well, wait a minute. What if I don't deposit that?
Then you risk losing your money. So he's like, oh no, I don't want that. And so he goes scrambling, looking for even more money to put into this. So this guy eventually goes all in and then some, putting all his savings in and taking a loan out to add more. Because to him, this was a way to get out of debt, a path to financial freedom.
And it was very exciting. From there, the scammers were able to successfully collect about $90,000 out of him.
Oh, how cruel. And yeah, this $90,000 was a nice fat pig. And the scammers were like, okay, that's ripe. Let's take it. And they did. They took his money, leaving him high and dry. Ouch. He saw his money disappear and he knew he was screwed. But he sat and thought about it for a bit. Is there a way to get any of this money back from the scammers?
What he did was he used the exact same emotional manipulation tactics against the scammers. And what he did was he was like, hey, I'm going to go ahead and invest more, but I need to pull this little bit of money out in order to help with this loan. So if you can let me pull some of my money out or wire it over here, I'll go ahead and do that.
So he was able to get $10,000 of his back by, again, deploying those same tactics against the scammers. And he was able to build up enough trust with them to where he's able to get that money back.
He scammed them back. Hilarious. Man, that reminds me of this story I have. Okay, so this one time I was in Vegas, right? I was actually going there for a DEF CON. And when I went, I brought a burner phone with me, right? It's just a phone that I paid with cash. You got a prepaid plan, all that stuff. It was a new phone number. And when I got to Vegas, I was getting text messages from a scammer.
I sniffed it out right away. They were trying to play on my empathy, saying things like, we can't afford money to buy food for our kids and medicine and clothes and something. And they specifically asked for $749 to get themselves sorted. And I'd be an absolute angel if I could help. And I was like, hmm. I replied, look, I'd love to help, but I'm currently stranded.
My boyfriend and I got in a fight and he dumped me off in the middle of nowhere. And I don't know anyone here who can help me. I don't have any money to get home. I am screwed. I was trying to use the scammer's tactics on themselves, trying to be someone in distress, just like they were saying. It did not work. They kept asking me for money. And I was like, okay, listen, I'm happy to help you.
I have money to help you. But my boyfriend took my purse and all I have is my phone and there's strangers all around me. So unless you can help me get home, like, I don't know, send me $200. Then once I get home, then I can help you. It didn't work. They stopped texting after that and just left me alone. So when you run into someone who's been a victim of this, how do you help them?
So the way I help them is I help them a couple ways. So the first place is that when it comes to understanding the emotions in our body tied back to a lot of the way the scam works, people feel a lot of shame. They feel a lot of hurt. They feel a lot of disconnect because of the stigmas associated with it. What I mean by that is when you're a victim like this, people don't want to come forward on this. So I try and help them learn how to work with their own bodies in that regard. So that's one way that I help them. The second way is I point them to the resources where they can go and submit a live request.
So they may be working with IC3, it may be working with colleagues who also work with romance scams, or it may be helping introduce them over to some of the crypto assets where they can start pulling some of that money back. The third thing I do is, again, just trying to help put them in contact with the right people.
Because what happens is, when you're in this scam, your head's spinning 1,000 miles an hour. You don't know which way is up. You don't know which way is down. You don't know who to trust. And many of us work behind the scenes to try and help be that good driving force for many of these victims. And when we go and we try and help them out, that's where we do our assistance.
In addition to that, we've also been running a... mailing list for the last seven years, talking on many things as a result of business email compromise and overlapping things with that.
And we have close contacts with a lot of the banks and financial institutions to help either try and reverse some of that money or do what we can to get some of that money back or try and flag those assets where we know, hey, these are actually part of a scam.
$90,000, that's a lot of money to lose. Is that kind of the upper limit of where you're seeing people losing stuff or are people losing more?
I really wish I could say that that was the upper limits, but I have seen so much more. I'm working with one victim now. I've been working with him for the last two weeks where he was suicidal and didn't know which way to turn.
Jeez, you really take some heavy phone calls.
So how did this guy lose his money?
So very much the same way as the first person. He found a relationship. And as the relationship built, they're like, hey, I have this great investment opportunity. They strung him along as far as they could. And once he went and put some of the money in, he saw his returns. It was the same story. This individual actually was ready to retire. He had several homes as well.
So because of that, he ended up opening and doing a second mortgage on a couple of his homes in order to pull some money out. So because of that, and because of what he was able to pull out on those homes, he may now be facing losing those homes as well. And as it stands right now, he has lost over $1.7 million.
Dang. I mean, I've... I've heard of people losing their life savings, but for some reason, this feels worse than that. I guess it's one thing to lose all your stuff when you're young, but it's different when you've worked your entire life to save up for retirement and then lose all of that. Your retirement's now gone, poof. You were financially stable and now super in debt and your whole future is screwed.
It's awful. I was at an RSA last year, or this year as a matter of fact, got to speaking with somebody who had a, it was a grandfather who had committed suicide and they didn't know why. And they ended up going to look through his records and it was over $5 million that he had lost.
What? People are actually killing themselves over pig butchering scams? This is nuts. Whoever is behind this is just ruthless.
I wish that was an isolated case, but I've also had another victim out at DEF CON a couple years ago. And for her, she ended up losing her house, losing custody of her kids, lost her relationship with her husband, and... lost her business and she was into over a tune for a million dollars.
And when I asked her what kept her in, she said her husband was abusive and she just wanted to feel loved. And that's the reality of many of these crimes is that people don't realize that you have two factors at play here. You have the financial losses and then you have the emotional hurt that goes along with it. And somebody may lose... $90,000, it may mean nothing to them.
Or you may have somebody who loses $8,000 and it's the entire world to them. So it really, right now, we're not accounting for the emotional losses on this or the emotional damages for many of the victims.
So... in these first few stories we've heard, it keeps getting back to romance, right? Do you see like kind of a pattern of who the victims typically are? Are they usually people who are looking for love or what are some other, you know, like if we're going to watch our own back, like we got to know when we're in a vulnerable state and what makes a person more vulnerable to this sort of stuff.
Yeah. So first and foremost, one of the constant patterns I've seen, and this is something I've seen with many victims, I've kind of discussed and researched the topic. Many of them tend to be extremely trusting, where if you were to be walking on the side of the street, this is the type of person who would go and help a homeless person in need.
If a dog was hurt on the side of the road, they would go and help them out. And they're some of the most kind of souls you'll ever meet. And because of that trust, the scammers have figured out that they can go manipulate and abuse that person and get them to do things that they want.
A lot of what happens is from that control perspective, they will actually, quote unquote, I'm going to use a term that one of the victims used to me, is that they'll essentially hijack their own consciousness and give them a different perspective of reality and a different perception of reality.
And what happens is the victims will be manipulated to a point where they will be pulled away from friends, they'll be pulled away from family, and only put all their trust in this one person. And because of that, and because of the kind words that they're saying, the victims will want to go and be with that person.
In addition to that, you've also got a case where they will say the right words in the right way to make the victims want to stay in it even longer. So like I said, it's a matter of working with the emotions and kind of manipulating the people in that way too.
Another piece I also noticed is that when it comes to how we as humans process our emotions, so many of us are just disconnected and we don't even know how our emotions work. It's like, we might feel this one way about this one thing, we might feel this one way about another, but we don't realize that we actually pick up emotions from other people.
And because of that, it's something where we don't understand how those mechanics work in our own bodies, let alone how we are emotionally manipulated to go and do this thing or influenced to go and do that thing.
Yeah, so what are some of the skill sets that these scammers or thieves have? Because it sounds like they understand psychology a bit, so that would put them in social engineering skills, right? Tricking people, posing as someone on a dating app, whatever. But also being able to set up these websites and understanding crypto and putting malware on systems or whatever the case is.
What do you see as their skill sets in these cases at least?
Yeah, so I'll kind of talk on the geographic of where some of these skill sets are. So for the pig butchering angle, which is mostly out of Southeast Asia, we see scammers who are skilled in setting up websites. They're skilled at working with cryptocurrencies. They understand that they need to influence a person's emotions and play on their emotions.
We have some tutorials and documents from the scammers where it's like a 30-page PowerPoint in Chinese that essentially comes down to, here's where you go and tell them this piece. Here's where you influence their emotion here and do this. So they understand that emotional manipulation piece there. For some of the romance scammers in Nigeria, they're a whole different basket.
For them, they're sophisticated in money laundering. They know how check systems work. They know how to wire money from a United States bank out to another bank. And they also understand the underlying cryptocurrency networks to go and cash out a gift card or move money over here for Bitcoin.
So it's something where depending on the geography of where the scammers are coming from, it really depends on what that skill set is. And that's just two of the top countries that we see. But there's probably four more that I could list off that we see elements of social engineering scams coming out of that, again, go back to that human emotion and kind of those human pieces.
The thing that strikes me... you know, I think it should strike us all with like a bit of fear is that this isn't, you know, you see the cybersecurity news every day. It's, you know, ransomware hit by this company and, you know, this other company got hacked and all that. This is us getting hacked. This is you and me. This is each one of our neighbors.
This is individuals of the world, the citizens of the United States or wherever they are. And that is just such a close-to-home thing. It's not far away in some other company that I don't have to deal with. It's me and my personal assets are being attacked. And that, I don't know.
Like when you realize that the threat actor is right here in my bedroom on my computer, it gives us a different sense of safety.
Yeah. And the other thing too, because of that safety, we will go and play so much on... trusting the social media providers to be like, okay, this social media provider has a really big name. So that means they have to be safe and I can trust anything that's coming from there. So because of how large many of these providers are, there's inherent trust of using these platforms.
And so many victims will go and be like, okay, I'm going to go and trust Facebook for seeing this stuff. Yet, there was an article that came out a couple weeks ago that said, no, 8 out of 10 cybercrime or 8 out of 10 cases of cyber fraud originate on Facebook.
So when you see numbers like that, it's something where the scammers are going to use those trusted platforms to try and go after people on that. But no, I agree with you 100% is that it definitely adds a different level of fear to how the scam actually works is because, yeah, it's like that scammer is now in your bedroom with you, and they're now stuck in your head as you're ruminating over all of the ways where they'll be like, okay, does this person love me? Are they trying to build this relationship? What else is going on? And the victims run it through their head over and over again.
With these victims you've talked to, like, you know, the $90,000 one, the $1.7 million one, are they actually, like, how far along in the... how close are they to these people? Right? Are they having video calls with them? Are they having phone calls? Are they texting?
Yeah, so many of them will be texting back and forth or using WhatsApp to communicate. Like I said, we know that that's how some of them are. And many of them are receiving like multiple messages per day. The one colleague who was in for $90,000, I'm pretty sure they would have been sending pictures back and forth.
Just because again, you're not thinking of it in the case of, okay, this is a victim. You're not trying to think of it as somebody who believes they're in a relationship. So you're going to go and do everything that you can that you believe of that you're in a relationship. I had one victim who was sending pictures of his food to his girlfriend.
And the scammers do all kinds of weird things, like they'll send photos of two different outfits and ask, which outfit should I wear today? And then when the victim picks one, it gives them just that little bit more of information to know about them. Like, do you like formal clothes more than casual clothes? Let's send them more photos of that. Keep them on the hook.
And just think about how much you share about yourself on a personal level when you have a new love interest. A scammer could easily write all that down and figure out your vulnerabilities and play on that if they're really good. But I still think one way to sniff out these scammers is just to pick up the phone and call them.
I'm betting that a lot of these scammers are just guys posing as women, you know? So how do they sound on the phone? Even if they grab someone else to just pose as them and get on the phone, that person isn't going to know your whole chat history and won't be able to carry on a conversation in any way that makes sense. Or even more, let's do a video call and see what you really look like.
And so just keep that in your head, that it's probably a red flag if your love interest refuses to answer the call or get on video chat with you.
Yep. So sometimes that is a red flag. However, some scammers have figured ways around that. I know in the concept of like deep fakes and AI, and I know it's a whole buzzword right now, but some scammers are using that technology in order to generate video content, messages back and forth.
The other thing too, some of them will also use online video without audio and they'll just be kind of like moving in the camera like, oh, my microphone's not working. Or they'll go and share and have a phone call with them and they won't share video and just say, hey, this part here, my video isn't working.
So they know that that's a piece that people use as a metric, but they will go and try and find different ways to bypass that.
Yeah, dang, I didn't even think of that. So I've done video interviews with people a lot, you know, but I use a Snapchat filter on my video to obscure my face. In real time, on a live video call, my face gets distorted. And yeah, you could absolutely just use a filter to change your face to be a pretty lady, even though you're just some dude who doesn't even speak English.
We're going to take a quick ad break here, but stay with us because when we come back, we're going to talk about Black Axe. And you're not going to want to miss this.
This episode is sponsored by Arctic Wolf. Arctic Wolf, an industry leader in managed security operations, surveyed a thousand security and IT professionals across the globe to better understand them. What are their top priorities, current challenges and future concerns? This survey revealed some startling findings, and you can discover them all in the State of Cybersecurity 2024 Trends Report. Learn why the number of insider threats spikes severely, what lessons can be learned from the year over year change, and how many organizations disclose a breach, and what cyber attacks struck 70% of organizations. Download the State of Cybersecurity 2024 Trends Report today at arcticwolf.com forward slash darknet. That's arcticwolf.com forward slash darknet.
Okay, so I'm looking you up online. You're known as that BEC guy. What's BEC?
BEC is a business email compromise.
Okay, so let's stop there.
Okay, sounds good, sounds good.
BEC, we break down the term business email compromise, right? So the compromise part makes me think somebody has taken over my Office 365 email server and is in my emails. They've compromised my emails. But that's not what you say is BEC.
No. So if you go and look up the history of BEC, business email compromise has been the number one crime seven years in a row, minus last year. But the way most people know it as is if you receive an email that says, Hi, I'm the CEO of your company. I need you to do this urgent wire transfer for me. Can you wire $40,000 out to this account?
And that's what most people think of as business email compromise.
When you tell me that story, I just think that's a phishing. I don't call phishing BEC. I just call it phishing.
Right. And phishing is kind of the overarching term for any email-based threat like that.
Is BEC always money-related or is it sometimes, no, we're just going to phish them so that we can get our malware on to steal their intellectual property?
Yeah. So business email compromise, in most of the cases, it does not use malware. It does not employ any of those tactics around trying to install software on the computer. At most, they will do credential phishing where they'll try and harvest the email credentials and email passwords. But for a vast majority of business email compromise, there is no malware tied to that.
There's only been a handful of cases that have been publicly documented specific to BEC actors using malware or something like that. But just for the most case, there is just no malware that's tied back to those types of crime.
So if we're going to classify something, because let's say we get phished, somebody sends us a phish, we click the link, we installed malware, you'd say, oh yeah, that wasn't BEC. But if it was, okay, we got phished, it would send money to this, and I sent the money, you'd say, oh yeah, that was BEC. Yep. Okay. So if you're going to classify as BEC, it's likely going to be financial related.
Yeah.
So now this pivots the whole thing in my head, right? Instead of you and me being targeted, now they're like, well, why target somebody who has thousands of dollars when we can target a business who has hundreds of millions of dollars?
Yep. And that is exactly what it is. So we did a study. What we found was that when you go and think of your Nigerian prince scams, your 419 scams, or you have this long lost relative in Nigeria, you go send me this money. What we found was that business email compromise was not some new crime. It was a symptom of ignoring your quote unquote easy 419 scams.
And we've had direct confirmation that the scammers behind business email compromise are the same people who have been doing these Nigerian prince scams for years.
By the way, 419 scams are those Nigerian prince scams. You know the ones where they send you an email saying, if you pay us some money, we'll release the inheritance that we owe you. And the reason why it's called 419 scams is because specifically in Nigerian law, Section 419 makes it illegal to do this. We've all laughed at these scams in the past, but they're getting more sophisticated now.
They're evolving.
So very much with what you said, they realize, oh, wait, no, I can go and get $40,000 out of this company as opposed to going to hit this one victim over here. And that's where we see the overlap between the romance scams is that when the...
is when they go and send that phishing email to that company, they will use those romance scam victims as the money-muling network to send money for these scams. So the victims will be the ones who will be receiving the money, who then wire it from the United States elsewhere in order to launder it up the chain.
I mean, that's amazing. But what I am surprised of is just like hearing the evolution of it. It sounds like they've really honed their skills over time.
They have. They have. Yeah. And it's a combination of honing their skill, yet still keeping the stigma that these things are simple and unsophisticated. And that's the thing is that quote, unquote, simple and unsophisticated crime, again, minus last year, it was number one crime seven years in a row based on financial losses.
What's the number one crime?
Business email compromise. So from 2015 to 2021, it was the number one cybercrime based on losses year after year. And the only reason it was not the number one LAT for 2022 was because we had this crime called pig butchering that came up. So the way it was ranked was pig butchering was number one, business email compromise was number two.
Wow, so this is the number one crime? I guess I'm just so surprised that it's those awful Nigerian scammers who are doing this. And when I say awful, I mean the least sophisticated phishing emails I've ever seen. You know the ones. Sir, you had a long lost relative who was the prince of Nigeria and he has recently died and left a large inheritance for you.
Just send us $500 so we can process this and we'll get the money over to you. Like who in the right mind thinks their long-lost relative is the Prince of Nigeria and you never knew it? It's just the absolute dumbest attempt at a phishing scam that everyone laughs at. And it's those guys who are number one? This is the biggest criminal financial loss for companies today?
Now, getting a business to pay a fake invoice can take a lot of prep. You gotta figure out who this company normally pays large bills to, and then try to pose as them. And one way to pose as them is to register a domain that's one letter off from the real one. So at first glance, it looks like it's from that person you normally do business with, but it's not.
Or sometimes you can pose as like the CTO sending a bill to the CEO of the same company. But still, to know who the CTO and CEO are, you got to know who the people are that work at this company and what their emails look like and what their invoices look like so that it can be as close to the original as possible for this to work. And that takes a lot of work.
We've seen cases where they will go and find and use different lead generation services in order to identify the key controllers and the key stakeholders within the company. And when they do that, that's where they get that information on who's the person within the company that they can go ahead and target.
And based on something that tells us that we've seen, we know that they'll target the controllers of companies. We know that they will target companies' different financial advisors. So they will go and find that recon in order to identify who can I target within the company.
Oh, and it's not always bill paying. Sometimes they try to scam these companies to send them gift cards. The scammers will pose as like some manager in the company and they'll ask someone higher up, hey, the company did such a great year. I'd like to give my employees gift cards as rewards. And the person's like, ah, it's a great idea.
Then the scammer's like, okay, well, since everyone's remote, could you just purchase the gift cards and then send me a photo of the back of the cards and I'll just pass those gift cards out to the employees. And that's how these companies end up sending gift cards to Nigerian scammers. It's crazy.
Mm-hmm. And we actually did a study where we gave gift cards to the scammers and tracked where they clicked from. Crazy, crazy insights that we were able to gain from that. But it was such a different perspective of what we thought we were going to get. But like I say, it was really fascinating with some of the data we had that came back from that.
Now, email providers or system admins need to work to protect users from all this. You can't just present every email that comes into the user. That used to be the case in the old days when we didn't filter any emails at all. But think about this. Suppose you do get an email, but it's one letter off.
They switch the lowercase L for the capital I, and it looks the exact same to the human eye to make you think this email is from someone you normally get email from, but that one letter off means it's not. So if a human can't detect it, we better have machines that are detecting it.
And there's a thing called the Levenshtein distance, which is an algorithm that will compare two words to tell you how different they are. And I sure hope that email providers today are using this to first develop a baseline of who you're normally getting email from and then look for emails coming in with a very similar domain.
If the Levenshtein distance is very low, meaning it's only one letter off from someone you normally see email from, then that should be flagged, maybe rejected or quarantined and let the user know.
Another area to look at for a lot of domains is how long has the domain been registered? If it's been registered within like the last month, more than likely it's going to be a phishing email. So looking for the reputation, the age of domain is a very, very important successful way to do stuff because most scammers will go and just like get one month's worth of domain time and then use that for their attack.
You know, now that I think about it, I'm disappointed that there's not better information on these emails I get. Sure, I have a spam folder and stuff gets thrown in there, but I'd love to see reasons for why my email provider put it in spam. To me, spam is ads I don't want. So why not have a second folder of threats?
You know, spam and threats are two different things in my mind that they all seem to end up in the same bucket in my email. I would love, love, love to get threat intelligence on my inbox where I could see a little dashboard that says, we've blocked 20 phishing emails for you this month.
In there, we had five BEC attempts, two pig butchering emails, and 13 emails containing malware from a threat actor known for targeting journalists. At a bare minimum, just show me a big bright red banner on the email that says, look out, this email comes from a domain that was registered two days ago. That would be really cool.
Google, if you're listening, fix that. And fix the Google dot bug too.
I mean, they might be already filtering it out and putting it in spam, but stuff that gets through, you know, I'm like, hey, that is a good tip.
Yeah. And just from the way BEC is, so many of these emails still get through. There's a reason it's been the number one crime 70 years in a row. So many email gateways are trying to put protections. And a lot of information security focuses on the malware, the APTs, the blinky boxes. And this stuff still gets passed because there's no malware. There's no malicious URLs or content in there.
It's manipulating the humans. So many of these attacks just bypass your email gateways. With a lot of your BEC actors, from an attribution perspective, this ties back to groups such as like Black Axe, where they will go and use those type of manipulation in order to gain that foothold.
Wait, so what's Black Axe?
So Black Axe is one of the larger Nigerian confraternities that dabble in this. So if you're unfamiliar with the term confraternity, think of a college fraternity here in the States, but mixed with black magic and voodoo. And what I mean by that is some of the hazing rituals for Black Axe include a human sacrifice or trying to use those type of techniques in order to, quote unquote, gain extra powers to become a better scammer.
What? Are we still on the same podcast? What is going on here?
Hey, hey, trust me, trust me. Yeah, no, I'm dead serious on it. No, it's not like I went off into Cyberland, but no, no. But no, Black Axe is one of the larger groups who's doing a lot of the business email compromise activity.
Okay, are we really going here? I mean, when someone tells me they're using voodoo and black magic to become a better scammer, I'm, like, skeptical and just want to move on past that. I don't even want to pick that up. But for some reason, I'm feeling compelled to look this one up. So first of all, I watched an hour-long BBC documentary on who Black Axe is. And it's absolutely bonkers.
I mean, just listen to the first 40 seconds of their documentary.
This morning, several bodies, some with their heads decapitated, were littered around the city. 30 people have been killed in cult-related killings within the past week.
A secret death cult is thriving in Nigeria, more terrifying than anything I've ever seen. Around the world, crime agencies are cracking down on their multi-million dollar internet fraud and human trafficking network. Nigerians are trying to fight back too. But here in their homeland, the cults seem unstoppable. And thousands of young lives are being destroyed.
This documentary explains that Black Axe is a cult full of gang violence.
They have agreed to let us film what they call a gyration, a cultist ceremony.
And these guys are really dangerous. They go around murdering people all the time. Sometimes shooting up buildings or causing massacres, which I guess in the U.S. is called mass shootings. The Black Axe has killed thousands of people.
I'm on my way to the University of Benin to understand where all this violence began. The Black Axe formed here 40 years ago, and students are still being murdered on campus today. The Black Axe emerged out of a student fraternity known as the Neo-Black Movement of Africa, or NBM. The movement initially stood for peace, but over time became linked to crime.
Today, many people use the names Black Axe and NBM interchangeably.
This has been going on for 40 years? What? That's interesting because they initially started as a neo-black movement to fight oppression. But it's very different now. And it's unclear to me what their motives are now. Something, something, freedom. Something, something, defend. But even though Wikipedia thinks NBM and Black Axe are the same, the people within NBM don't agree.
Here's the president of NBM.
NBM is not Black Axe. NBM has nothing to do with criminality. NBM is an organization that tends to help achieve greatness in the world.
Despite the president's denials, the NBM is facing mounting international pressure. Weeks after our interview, the FBI arrested more than 35 NBM members in the U.S. and South Africa charged with multimillion-dollar Internet fraud. But the U.S. Department of Justice statement names the Neo-Black Movement of Africa as a criminal organization and part of the Black Axe.
Okay, so you've got this extremely violent street gang, a cult, Black Axe slash NBM, but they seem to also be involved with internet scams. Here's Vice explaining what they found.
The Black Axe is synonymous with cybercrime. It's spread around the world. They've claimed to have as many as 30,000 members globally.
How much were they trying to get out of you?
Like 96,000 and saying that I was going to go to jail.
In October 2021, eight men were arrested in Cape Town on serious fraud charges. The men were allegedly members of the Black Axe, a notorious Nigerian organized crime group
And specific to the human sacrifice, the way that that plays out, is for your Nigerian scammer, they are called a Yahoo boy. So in order to become a better scammer, a Yahoo boy plus, there is a human sacrifice ritual where you have to kill somebody to gain better powers to go and continue this type of scamming.
And like I said, sounds far out there, but it's widely documented that this is unfortunately one of those cases and that's why I get so bitter towards ransomware is that people are like, oh, somebody might die here, over here. Somebody might die over here because of this ransomware attack. I'm like, no, we have people literally sacrificing each other because of this stuff.
And like, that's where the problems are on some of these cases.
Holy moly. Yep. Yep. I also watched a few videos about Yahoo Boys. I guess they get their name because they started out using Yahoo Messenger to conduct their scams over. And they interviewed some of the Yahoo Boys who then explained how they do it. And they were open about what they were doing. They're like, yeah, we scam people. We'll steal lots of money from them.
In fact, they even posted a video of one of their victims on the verge of suicide. Here, listen.
Please, I trusted you. I hate you.
So even though they're ruining people's lives and know that some of these victims that they have are committing suicide and they say they're all addicted to drugs, they deny their involvement with human bloodshed.
It wasn't exactly clear from these interviews I watched, but it did seem like they were killing cows or other animals to try to level up their scamming, which I have to admit, at first I'm just like shocked that anyone would think that they'd become a better scammer because of an animal sacrifice.
But the thing is, the culture of Nigeria is rich with a lot of this voodoo and hexing and charms and stuff. In fact, when the BBC reporter went to investigate the Black Axe cult, he found a vigilante group who was trying to stop the Black Axe. And they gave him a charm to protect him during his investigation.
Their commander, Landry Olabinjo, summons ancestral spirits to protect his men.
They gave him an amulet to protect him from gunshots. He still wore a bulletproof vest, though. But this is what I mean. The culture there is really big into this. And you know, luck is a weird thing. It feels like a mysterious force.
Can it be changed in any way? So I can see why somebody would want to do weird stuff to try to improve their luck. And if you really, really, really want to improve your luck, then maybe you've got to do something a little insane. And I can see how bloodshed can get mixed up in all this. It's very awful and strange, though. How the hell did we get from romance scams to this?
Man, the places we go on this show. Now I can see why you're so fascinated by all this. These stories are crazy.
Yeah, yeah.
Tell us about that one story you heard about going on in South Africa.
Okay, yeah, yeah. So this was a Black Axe case they had down in South Africa. And like I mentioned earlier, I do a lot of work back and forth with law enforcement, so I get to hear a lot of the good stories as a result of this. But they were doing the case. They went down to go and arrest the individuals. And they were kind of at this compound down in South Africa.
And they were able to get into most of the houses and most of the buildings. And there was one window in the back that they couldn't get into. So they were able to bust it down, got in there. And in that building, what they found was they found a pile of money covered with blood and dead chickens.
So as they came out and unlocked the door to get in there, they kind of got talking to the people that they were addressing. And they were like, what's this? Because you don't really expect to find that on a law enforcement engagement. So what the scammers had said was, well, it turns out that the magic here in South Africa is not as strong as the juju in Nigeria.
So we need a larger pile of money. And that's one of the things that most people don't realize is that there is a spiritual aspect that plays on this that many of the scammers believed. And when you account for that and you account for a lot of the way that they perceive a lot of that stuff, it gets really, really interesting.
And because of, again, that spiritual aspect, it's like I said, there's so many other things that the scammers are kind of playing with and using or believe that they don't fully understand, like, well, they're playing with, in my opinion.
Man, Ronnie, I don't even know what to ask you at this point. Like, you've just got me going down jack rabbit holes or something.
Yeah, yeah. I'm the kind of guy who's at a dinner table. I was like, hey, let's talk about blood sacrifices and voodoo.
Okay, so while looking up these Nigerian scammers, I saw something about this group called Scattered Canary. Can you tell us about this group?
Yeah. Scattered Canary was a mostly Nigerian cyber fraud group that we found back in 2018 that was engaging in business email compromise. The reason we named them Scattered Canary was because one, they were very scattered in their targeting. And two, they were kind of our canary in the coal mine that let us identify a lot of things around 419 scams and business email compromise.
One of the things that happened during the pandemic was unemployment money was given out fairly easily. And whenever one of these programs happened, the scammers are quick to jump on that. And they quickly jumped on that bandwagon for a lot of the unemployment funds. What Scattered Canary did was they used different email accounts or email accounts that had the Google dot bug in them.
And they went and hit the unemployment fraud systems. And at the peak, we saw them hitting 14 different states. For unemployment fraud in general, where that stands, we are upwards of around $400 billion that's been stolen as a result of some of these things. And there's some new information coming out from about ID.me and how some of the stolen money may not have been fully articulated.
But what we know of right now is that $100 billion was confirmed from Secret Service. We know that $400 billion is up in question for the money that was taken.
Wait, $100 billion was confirmed? Yep, $100 billion.
So that was... I'll...
I'll submit unemployment on behalf of some American and then I'll tell them to send the money here to me in Nigeria. But it probably is money muled through and then to Nigeria. But that's where the hundred million hundred billion. That's what I'm. Yeah.
Billion with a billion with a B. Yeah. Yeah. And that's kind of where the lines get muddy between business email compromises because we know that Scattered Canary, again, who was doing business email compromise, we know they were doing romance scams. We know they were doing unemployment fraud. And that's kind of why I say BEC is the number one crime that's out there because...
That's over $500 billion that we know are tied back to business email compromise scammers who are doing this. And we know other scammers were involved in that too. But no, it's, yeah, it was $100 billion that was confirmed from Secret Service. There's a possible, it's a possible $400 billion that is up for discretion and kind of being pushed through for Congress.
But that's what it looks like the new number is going to lay at is about $400 billion that has been confirmed.
I mean, I've got to try to understand these numbers more, okay? So I'm just walking through it in my mind. So $100 billion is coming from the U.S. Treasury?
Mm-hmm. Yep.
That's a lot of money that's just like the U.S. Treasury has lost.
Not only is that a lot of money that the U.S. Treasury lost, that's a lot of money that came out of... Are you an American citizen?
Yeah.
Okay. So that's a lot of money that came out of mine and your pocket. In addition to that, scammers, what it looks like is it may have been upwards of about $400 billion. So... And the other kicker here too is that fraud is still happening. Two of my intelligence sources out in Nigeria, within the last two weeks, they're still stealing money from the government. The average salary for a Nigerian is 100 U.S. dollars per month. So when you go and you have that much money coming in, it becomes very enticing for your youth out there to want to go and try and do this fraud.
But still, I can't fathom this amount of money coming in. Like the entire GDP of Nigeria is $500 billion. You're telling me that this one group has stolen almost the equivalent to the whole country's GDP from the U.S. government, almost doubling Nigeria's GDP? It's just unreal.
Secret Service says nearly $100 billion in pandemic relief funds have been stolen. That adds up to about 3% of the cash handed out by the government. Most of the lost money is from unemployment fraud. Right now, the Secret Service says it has more than 900 active criminal investigations into pandemic fraud with cases in every single state.
Man, the more I look into this, the more problems I see.
I mean, listen to this guy. Michael Horowitz is the top cop overseeing the effort to make sure the $5 trillion in taxpayer dollars went to the right place. This is his first interview in his role as the head of the Pandemic Response Accountability Committee.
When the Small Business Administration, in sending that money out, basically said to people, apply and sign and tell us that you're really entitled to the money. And of course, for fraudsters, that's an invitation. What didn't happen was even minimal checks to make sure that the money was getting to the right people at the right time.
The U.S. government spent $5 trillion to try to help Americans get through the pandemic, but it sounds like they didn't do a very good job at protecting that money from fraudsters. I mean, this Rolling Stone article I'm reading right now says it's more like $1 trillion was stolen from the U.S. Treasury. My goodness. I guess it really is the number one crime. And that's such a waste of money.
What an awful problem. How can a trillion dollars be stolen from the U.S. Treasury and it be an acceptable amount of loss? And to me, it must be acceptable since this got rolled out in phases. I think $2 trillion was the first to be approved. And of course, scammers immediately started grabbing that cash.
And when that wasn't enough, they rolled out even more trillions of dollars without putting changes in place to stop this from happening. You'd think someone would have said, listen, that last round, a lot of money got stolen. Is this really an acceptable amount of loss? But no, nobody listened. And the money just kept getting handed and handed right to the scammers. What an embarrassment.
I'm tempted to get to the bottom of this and figure out who bungled this money. Who was in charge of handing out $5 trillion and was like, oh, we don't need guardrails. I don't think anyone's going to steal from us. Who denied the budget for a security audit or team? Who ignored the person saying, hold on, if we start handing money out this way, we're going to get a lot stolen.
Who out there thinks it's totally fine that we lost a trillion dollars? I want my voice to be clear. As an American, this is unacceptable to me. I'm very disappointed that the U.S. government handed this much money to the same Nigerian scammers who tried to convince us all that our long-lost relative was the Prince of Nigeria.
I would be understanding if the government fell victim to some sophisticated cyber attack like a ruthless, unstoppable bull. But you got taken by the least sophisticated scammers on the planet. You need to do better. When you're handing out this much money as fast as you can, you've got to look at who you're handing it to. At the very least, give it to an American.
What is this, your first day on the internet? Listen to Secret Service agent Roy Dotson here. He's the lead investigator of this case.
Fast money equals fast crime.
I mean, at this point of this interview, I'm just kind of feeling defeated.
Welcome to the last seven years of my life. Because it's something where it's very disheartening. And like I said, staring at this stuff for so long, it's something where it's like, it is very disheartening because you do feel defeated. You do feel like, okay, we've literally lost $500 billion. And that's just what we know.
If we were to actually piece together what we knew, I'm just going to throw this out there. We're easily over a trillion dollars that we lost here. And a lot of what it comes down to is admitting that there was a problem, admitting that something needs to be fixed, admitting that something needs to give.
Because if you keep having this much money that's going out and you don't admit that it's a problem, like you're just going to be stuck. And when you go and look at the 20, 25 years of Nigerian prince scams, this is the whole reason that we're here right now is because no one wanted to admit that, no, this is actually something that's happening.
Yes, there were people who were actually being socially engineered into this. We have to work with those people in order to identify some of that. Trust me, I totally resonate with you. I totally feel you when you feel defeat on that because a lot of times I do too.
But knowing that I'm on the right side of this, knowing that I'm helping victims, knowing I'm helping them recover their money, and knowing that I'm helping reshape a lot of the way that the industry thinks about themselves, that's what keeps me fighting this stuff every day.
A big thank you to Ronnie Tokazowski for sharing his stories with us. He works for a place called Intelligence for Good, and he's the chief fraud fighter there. If you run into any of the problems that you heard today, you might want to check out Intelligence for Good because they might be able to help you.
This episode was created by me, the master of disaster, Jack Rhysider, assembled by the juicy smoocher, Tristan Ledger, mixing done by Proximity Sound, and our theme music is by the mysterious Breakmaster Cylinder. You might be wondering what my political association is. I'm Alt-Tab. This is Darknet Diaries.