Skip to content
 
Episode 109

The Lazarus Heist: A Cybercrime Ocean's 11 with Geoff White

EPISODE SUMMARY

Geoff White, author and investigative journalist, has interviewed the masterminds behind some of the most notorious cyberattacks. His new book, Rinsed, reveals how technology has revolutionized money laundering, from drug cartels washing their cash in Bitcoin to organized fraud gangs recruiting money mules on social media. In this episode, the expert on technology and organized crime joins Joe to share what he’s learned about the motives and techniques cyberattackers use to conduct their crimes. Listen in to learn their secrets. This is more than the typical discussion of phishing, social engineering and malware, as Geoff and Joe dig into the intricacies of cryptocurrency, money laundering, and diversionary tactics. The more you know about emerging techniques, the more prepared you’ll be to prevent, detect, and combat them.

Watch the video or scroll down to listen to the podcast:

 

Subscribe or listen now:  Apple Podcasts   Spotify   iHeartRadio

Joseph Carson:

Hello, everyone. Welcome back to another episode of the 401 Access Denied Podcast. I'm the host of the show, Joe Carson, and it's a real pleasure to be here with you. I'm always looking for amazing guests to come on the show. I have one fantastic, awesome guest, who I saw quite a few years ago speaking and I was mesmerized about the whole topic and it was awesome. So, I'm joined today by the amazing Geoff White. So, Geoff, welcome to the podcast and welcome to the show.

Geoff White:

Hi, Joe. Thanks for having me. Appreciate it.

Joseph Carson:

Many thanks. It's great having you. I just want to give the audience a bit of background about yourself, maybe also how did you get into the industry? Let's get into that area.

Geoff White:

Yeah, sure. So, I'm an author and investigative journalist and what I cover is organized crime and technology. So, we have a technology and organized crime come together. That tends to be where I hang out. In terms of how I got into it, I worked many years ago for an internet company. I joined almost at the peak of the .com bubble and then left shortly after the .com crash about 18 months later when the share price had gone from $60 to I think 6 cents. I took my unemployment credentials to a journalism college. I'd always fancy being a journalist. I signed up for journalism course for the handsome price of 10 pounds because being unemployed, you get a discount on these things, and then started in local newspapers and worked my way up from there.

What was interesting was when I started doing TV news and broadcast news and that kind of thing, technology stories were I think seen with a bit of fear, I think, by some news editors at that point and program editors because they thought, "Well, technology's very difficult, very complicated. How are we going to do this?" So as somebody in the newsroom who'd worked for a technology company and could look at HTML code and work out what it was, I would put my hand up and say, "No, we can do that story. I can do that story."

So you started developing a bit of an expertise there, and of course, we then had all of the cyber securities break out, all the famous classic stories that your listeners know. So, I found myself covering more and more of those stories and eventually getting into it full time.

Joseph Carson:

Fantastic. I went back and you've done amazing books and speaking sessions and interviews and podcasts over the years. I went a little bit in the reverse order. I started with The Lazarus Heist. I remember you speaking at InfoSec few years ago and I listened to your talk at that. It got me really interested. I wanted to know more. So, I went and I actually did the audiobook for The Lazarus Heist and then went back and I thought, "Okay, I saw that you had another book, the Crime Dot Com." I went back and listened to that and I thought it was fascinating because it brought a lot of memories back for me because a lot of the topics you were talking about was really the start of my security career.

I've been in IT and security for almost 30 years, but it was the early 2000s when we had the Melissa virus and we also had the ILOVEYOU and the Love Bug. Listening to your research and insights was very fascinating. You want to give the audience a bit of how did you start with the Crime Dot Com? How did that start and what was intriguing for you?

Geoff White:

Yeah, well, when I wrote Crime Dot Com, I'd been working for Channel 4 News, one of the big UK news programs for about 10 years covering technology, but then increasingly covering cybercrime, cybersecurity, and so on. We've been through by that stage the anonymous hacks. We've been through the Snowden Leaks. We've been through Sony Pictures, the US presidential election. So, obviously cybercrime was something that the public was increasingly concerned about, wanted to know about.

What really got to me though was the way a lot of the cybercrime and cybersecurity stories were told wasn't very helpful I felt for the public. You tend to get the crash bang wallop news story of this has been hacked, that's been done, and then everything goes quiet and the public's just left slightly bewildered. What really annoyed me was I would read then the reports and the legal documents and the technical reports afterwards.

I think to myself, "That's absolutely amazing. The way the hackers got in, the ingenuity they showed there, and the way that hack worked out is actually an amazing story, but nobody bothered to try and tell it to the public or at least not enough people that bothered to tell it to the public in a way they can get the hang of with the drama that I really wanted to convey." So that's what I wanted to do with Crime Dot Com was get all my favorite stories, if you like, of cybercrime and put them all together in a way the public could maybe not enjoy is the right word, but could find compelling as that's what I wanted to do with that book.

Joseph Carson:

I found it very fascinating because even to the point where so many years later that you got to interview the so-called person behind it, which I always find fascinating as well as what was the original intentions for those types of activities or for those. I remember it was about trying to get free internet access because ultimately many of us, even when I started back in the '90s, my big thing was gaming. I was into gaming at the time, and you can afford them. So, you're always looking for ways in order to how can you play games for the lowest cost you possibly could. This all started physically from getting internet access from neighbors, I believe. How was traveling out to the Philippines and meeting, how was that for you?

Geoff White:

Yeah, no, it was very interesting. This was the Love Bug, the famous Love Bug virus of 2000, which was interesting. I was trying to work out where do you start the book and the first chapter of the book talks about the very early days of the internet and talks about L0pht and the Cult of the Dead Cow and all those very early hacking groups, but I wanted to bring it up to more modern times and I was trying to think of where do you start. The classic cybercrime book, and to be honest, classic cybercrime drama usually starts in a dark basement with hacker in a hoodie, typing in some code and so on. I thought, "Well, what's the complete opposite? Where do you start the complete opposite from that?" So I was trying to find the guy who created the Love Bug virus.

Now, at the time there, obviously, it come from the Philippines and there was a couple of guys whose names were attached to it who were Filipino coders who had been at a university and were into a slightly murky scene of early malware development, but no one had ever actually been arrested and tried and prosecuted for it, because at the time there were no laws in the Philippines against hacking. It's obviously changed now. So, I thought, "Well, if I can find that guy, I can start the story there with him and with that tale." But obviously, I'm trying to find a man called Onel de Gutman was his name in the Philippines. It's like, "Okay, well, where do you start? There's no phone book for that."

But I read, and this is the mad thing about investigative journalism. Most of investigative journalism doesn't work out. 95% of it doesn't work out, but the 5% of it or less that does work out, you end up with a great story. So, I thought, "Well, I read..." It was literally some forum. Somebody had mentioned, "Oh, I think he works at a mobile phone stall in this particular market in this area of Manila, the capital of Philippines." I thought, "Well, I'll just go there and I'll find the mobile phone stall and maybe he'll be there." Of course, I go there and there's 30 mobile phone stalls. So, I'm not kidding, I wrote down his name on a piece of paper and I just went around holding it up and seeing if anybody recognized it.

Just as I was doing it, I had this almost out of body moment of thinking, "This is ridiculous. You look ridiculous. This obviously isn't going to work." But sure enough, after an hour or so, somebody said, "Well, yes, I know him. He works at this other stall across town." So I went there again thinking, "This is ridiculous. There's got to be a wild goose chase. The person was lying to me." But I make my way into the back of this shopping mall and on the stall there he is, Onel de Guzman. So, we sit down. We start talking about it, and even at this stage, I thought, "Maybe I've been stitched up. Maybe this is a big game that these guys are playing with me."

So I thought, "Well, I've got to verify that the person in front of me is Onel de Guzman." I had photographs of him from 20 years ago, but he's 20 years old. So, I found myself as I was talking to him, drawing a little sketch of his face with the moles on his face, he had some moles on his neck. I thought, "Well, if I can triangulate those with the moles on the man in the photograph from 2000, then I know I've got the right person." He admitted to it. He said he launched this virus. He had no idea it was going to go around the world. In fairness, in those days, it wasn't that difficult. I think it was a Visual Basic virus.

He'd ripped the code off frankly from somewhere else, but he weaponized it by putting this lovely fishing lure on it, which was the ILOVEYOU letter. Somebody's written you an anonymous love letter, and it went around the world and caused all sorts of damage and mayhem. I was working for an internet company at the time, and yeah, it crashed our email server the same as everybody else's, I think.

Joseph Carson:

Likewise. SQL Slammer is probably another big one, Melissa Bug. Those basically fill up your email servers. It takes a while to clean it up and get it back running again. So, a lot of organizations from a performance perspective was heavily affected.

Geoff White:

Yeah. So, I wanted to start the book, as I say, somewhere that was completely the opposite of where you would normally start a cybercrime book. So, the opening chapter of the book is basically me running round a market in the Philippines full of clothing stalls and religious trinkets. It's next to a church. There's loads of statues, the Virgin Mary and stuff, and I thought, "Well, there's a place to start a cybercrime book that's going to be completely unexpected for people and at least it's a fun start to get people-"

Joseph Carson:

But it's the reality. That's the thing is that's where most of it starts, that the reality is that people that a lot of times they're buying these, the motives are very simple. I think one of the things you portrayed really well is that it was really that taking something that was from a malware propagation perspective and combining it with phishing, and a lot of actually phishing campaigns are done today are using that lure. It's still using the same lure that Onel did back 20+ years ago.

Geoff White:

Yes. Yeah. I mean, human beings are fundamentally quite simple machines. I don't mean that to understate the joy of being a human, but fundamentally, we go towards things we like and we go away from things we don't like. So, getting somebody to do something is either the stick or the carrot and Onel de Guzman came up obviously with the perfect carrot and that carrot type approach gets used again and again. One of the cases I talk about in my new book is a break in of a video game called Axie Infinity where the hacker stole $625 million, so possibly the world's biggest theft. I think that's fair to say.

The way they got in was offering an employee a lucrative, juicy job offer. It's still the same tactics, but it's just human beings endlessly intricate. So, there are endless carrots that you can offer people in different ways and different perspectives. So, in a way, the myriad different ways that we are as human beings gives the phishing, email, social engineers myriad different ways to attack.

Joseph Carson:

Absolutely. I've used in the past to doing different penetration tests. We've used various different types of phishing campaigns, and the ones that I find the most effective is if it's time sensitive or financially rewarding or something that's really interesting. People to try to find what's their motivations, and then you try to find things that attaches to that. One that I found that was very effective was speeding tickets many years ago was. One of the financial motivation was also the fear of doing breaking the law and leveraging that in order to lure people in. It was very effective. So, a lot of it goes back to psychology is trying to understand the human motivations or interests, and definitely the most successful ones do those really well.

Geoff White:

Yeah, absolutely.

Joseph Carson:

So moving on to speeding tickets, it's a talk that I did, which I'll share with you in another time, but it was really fun. It was a bit of a bet that resulted in a bottle of wine at the end of it, but it was a fun experience. Ultimately, one of the things was that it was very successful, but I wanted to know the people that didn't click in it. I wanted to know why it wasn't successful with certain, and ultimately the short answer is that the people that didn't click in it, they simply didn't see it ultimately.

Geoff White:

Interesting.

Joseph Carson:

They went home on Friday afternoon and didn't check their emails till Monday afternoon. So, it was just ultimately that they didn't see it and that was the failure part of that piece itself. But I want to get into one of the things I find, the first talk that I saw that you gave was around The Lazarus Heist. I remember that so well, because I remember covering it, I was looking into the details because it was one of the biggest... It was almost like Ocean's Eleven cyber. Can you talk a little bit about what started with The Lazarus Heist and what got you really interested in investigating it?

Geoff White:

Yeah. Well, it goes back to the first book I wrote, Crime Dot Com. In fact, two of the chapters were about North Korean hacks or hacks attributed to North Korea and actually the Bangladesh Bank job you talked about, I think I named the chapter OceansEleven.com because it was almost like they'd watched Oceans Eleven or a heist movie. In heist movies, there are certain classic scenes that you put in a heist movie. There's a structure to a heist movie. So, you have to assemble the crew and then you break into the bank and it's always on a bank holiday weekend or New Year's Eve when it's really noisy and nobody can hear you drilling into the walls.

Joseph Carson:

Yes, the misdirections, you're looking for things that's distracting, something is bigger that's happening that you try to stay stealthy behind.

Geoff White:

Precisely so. Then there's always the bit where they either loop the video camera or they spray over the video cameras. It's almost like the hackers in the Bangladesh Bank job had seen those heist movies and thought, "We'll just do that, but just in cyberspace," because so many of bits of it map on to a classic heist movie. This was 2016. It was the raid on the National Bank of Bangladesh, and they broke in. Well, it wasn't a bank holiday weekend. They actually broke in a year before they actually took the money out. So, I say it's 2016, 2016 when they took the money out. It was 2015 when they broke into the bank, again, phishing email, and it was a job applicant who was applying to the bank for a job.

That's how they got the malware on the system. They then scroll around in Bangladesh Bank systems and they navigate their way to the thing called the SWIFT software, which transfers money between big financial institutions, which basically gives you the ability to just transfer money out of Bangladesh Bank. They then waited a year, and this is where the money laundering piece comes in. My new book's partly about is lining up the money laundering routes. Once they're in the bank, they realized they could get the money. The question then is, well, where do we send it? So lining up all those money laundering routes and trying to get a system for how they would get the money out was what took them a year. Finally, after a year, they've got that in place.

They decide they're going to go into action. Bangladesh, the weekend runs from Friday to Saturday, not Saturday and Sunday, but the money that they were stealing from Bangladesh Bank crucially was held in a Bangladesh Bank account in New York where obviously Friday is a regular working day. So, they go to work Thursday evening knowing that Bangladesh Bank headquarters in Dhaka is emptying out. But of course, when they're sending the messages to transfer the money on Friday, New York is up and running, the New York Fed where the bank account is.

Joseph Carson:

Still open.

Geoff White:

It's still working. So, then the money starts to go. Saturday, the Bangladesh Bank staff start to really work out what's going on. So, they're trying to phone the Federal Reserve Bank in New York, but of course it's a Saturday, so nobody's answering minimal staff there. The money was then sent to the Philippines, and so it starts to filter into a bank in the Philippines. So, by Saturday, Sunday to the Monday, gradually, Bangladesh and New York are onto it and work out what's happening.

But when they phone the Philippines bank to work out, it's a bank holiday on the Monday in the Philippines. So, they had a four-day bender basically to get this money out and to move it. By the time the wheels started to turn in the Philippines on the Tuesday, the money had been extracted in cash and funneled into casinos for the money laundering exercise.

Joseph Carson:

It was amazing. I think the casinos is amazing because I always remember when somebody was asking me back about what's my thoughts around things like cryptocurrency, and I remember a couple of cryptographers telling me that they believed that cryptocurrency was all started in the idea of a casino because there was money moving around that had equal value to what was in between different casinos. So, ironically, when you're saying the best place, and that's what criminals have been doing for years is using gambling and casinos to launder money because it's a way to move large sums around and lose track of who was putting it in, who's taking it out.

Geoff White:

Exactly. Yeah, I mean at this point in the Philippines, it's not the case now, but in the Philippines at that point, the money laundering regulations I don't think covered casinos. So, you could really walk up to a casino with a suitcase with a million dollars in it and turn it into chips and start gambling. It's not the case now, but that was what happened actually. They had a guy who'd worked with the casinos before who was trusted but a bit shady, and he ended up introducing the stolen money into the casino where it was gambled across the tables. Now you might be thinking, "Well, don't you lose your money if you gamble?"

Joseph Carson:

What was the game we were playing? Because I remember you mentioning about that the game specifically was a low risk game to make sure-

Geoff White:

Exactly, yeah. Baccarat was the game. So, in order to get your money into a casino and not lose the lot, because me, I'd walk in with a million, I'd bet it on 24 red and I'd walk out with nothing. So, these guys, they weren't betting on the general casino floor. They had what's called the junket room, which is a casino within a casino, and so you can put your own players in. So, they weren't playing against the general public. The people who'd stolen the money had people in the casino who were a team of effectively professional gamblers who were probably making a bit of a cart and enjoying the drinks and everything. So, immediately, you've got a situation where when one person wins a bit and another person loses a bit.

If you are running all of those people, you're effectively using them as pawns in your game. So, you're not losing money to the general public. All the money's staying in the room if you like. Now, obviously, the casino will take some money. The house always wins as they say, but in a baccarat game, if you are good, you can get back about 90% of what you put in if you run this operation. Now, losing 10% to money laundering is a steal. A lot of money launderers will take up to 60% for laundering. So, running a game like baccarat, losing 10% is a pretty good, sweet deal for money laundering and that's what they did. They spent weeks in the casino just gambling this money over the tables.

Joseph Carson:

Enjoying the luxury of the casino itself.

Geoff White:

Yeah, exactly.

Joseph Carson:

I think that's fascinating as it is.

Geoff White:

One of the casino workers we interviewed said that the people who played didn't seem to be having that good a time. They didn't seem to worry whether they won or lost because of course they didn't care. They were being paid to just sit there, getting the chips across the table. I said, "Well, were they partying or drinking?" He said, "No, they would just turn up. They'd have an orange juice and a sandwich and they'd gamble." Because this was their job. They were basically professional gambler, money launderers. Really interesting.

Joseph Carson:

Try not to get attention to themselves ultimately.

Geoff White:

Exactly.

Joseph Carson:

As you mentioned, one of the things, the planning behind that and all the setup and organization and how many people must've been involved in whole operation sounds pretty significant, especially when you think about one of the things... I've did a lot of work with Europol and investigations and stuff in the past, and what they always told me is that there was two things they overlooked at. One is what's the motive behind it? Again, you look at even recently the Verizon Data Breach Investigations Report, majority of cybercrime is financially motivated. So, there's always that piece.

Then they always say that when they're doing any investigations, and I think this also goes back to a lot of the things that Andrew Greenberg has done with things like Tracers in the Dark and looking at some of the things like the silk roads in the US. Ultimately, you follow the money. If you can follow the money, you typically find the person behind it or the group behind it. This is what's really fascinating is the research you've done really does amazing job at telling that follow the money story. Can you tell a little bit about how do you find the money trail and the methods that they're doing? One is to hide your tracks and two to your point is tumbling the money and cleaning it and getting it out. What's the methods that you tend to find the most common?

Geoff White:

Yeah, yeah, it's interesting. So, classic money laundering, like money laundering 101 is a three-step process. Step one is what they call placement, which is where you get your dodgy cash into some financial institution. So, you set up a carwash for example. So, you're selling drugs on the street. You're getting drug money. You set up a carwash. For every car you wash, you put 10 pounds from the customer and 10 pounds of your drug money in. You go to the bank and say, "Hey, we charge 20 pounds a car and so here's our money." So that's a classic placement exercise.

Second stage is layering, because if you get caught for the drug dealing, they can see your money going into the carwash and into the bank and they can freeze the money in the bank. You don't want that. So, second stage is what's called layering, which is where you take that money and you put it into a different account and then you take it out and you spend it on some gold and you sell that and you put it back in or you buy an expensive car and you sell it. Layering is basically muddying the waters. Then the third stage, what they call integration, which is where you get to actually spend your money. Again, for criminals, I think they have this idea that criminals go out and splash the cash on prostitutes and cocaine and stuff.

A smart criminal and the best criminals, the organized ones are smart. They know they're probably going to get arrested at some point. They're going to do some time in prison. When you come out of jail, you don't want to have to start again getting your money back together. You want to walk out of prison and go straight back into your apartment and start your Lamborghini and just start again. So, in terms of that last stage, integration, you're looking for something long-term. Property's good. Art is sometimes good, investing in a business. You can do that and that's your future guaranteed. If your criminal career comes to an end, you've got that still in the bank.

Now these days, obviously, that placement stage, that first stage has got a bit easier because a lot of crimes are not being done for cash. They're being done for digital money, fraud. The money's already in the bank account. Crypto theft, it's already in crypto. So, we've now got from that perspective criminals with wards of money trying to get them into banks. That does still happen. But in the high-tech crime space, it's already digitized. But the problem with that is the next stage, the layering stage becomes commensurate more difficult because all money is now digital or most money is digital. You can track it. You can track bank accounts and so on. So, that layering stage has got to be the really important stage now.

So, if you are stealing money from somebody's bank account, Joe, if I steal money from your bank account, if I just transfer it straight to my account, well, it's obvious who's nicked it, isn't it? So what I need is somebody else's bank account, put the money into. There may be a string of other accounts to move it through before I finally bring it back to my account. That's money laundering. That's the modern era of money laundering. Now, to go to the point you talked about with cryptocurrency, and you mentioned Andy Greenberg from WIRED. Great book, Tracers in the Dark talks all about this. Cryptocurrency is eminently traceable. You can trace crypto transactions through this thing, the blockchain, this public ledger where all the Bitcoin and Ether transactions attract.

Yes, you can trace the money through there, but again, there there's this layering stage where you transfer it from wallet to wallet to wallet, you put it into this exchange and that exchange, you change it to this currency and that currency, and then finally you extricate it through somebody who's working in the Philippines or China or Argentina or somewhere.

Joseph Carson:

With less regulation, less visibility.

Geoff White:

Exactly. So, yes, you can trace cryptocurrency, but then freezing it and getting it back is actually a much bigger challenge. So, that's the problem game with...

Joseph Carson:

Which is what the FTX and the Binance have had challenges with, which is what we're seeing. A lot of the media coverage is related to less strictness in how that money flows in certain areas. Absolutely. Tell us a little bit about the book that's released now. It's out already.

Geoff White:

Now you can pre-order.

Joseph Carson:

Pre-order.

Geoff White:

It's actually out for publication June 13th.

Joseph Carson:

Fantastic. So, tell us about Rinsed itself. What does it cover? What's the background for that book?

Geoff White:

Yeah. Well, so Lazarus Heist was interesting to do because on the surface, it's a podcast and a book about North Korea and cybercrime, but actually the stuff we've talked about, the casino stuff and all of that, that's laundering. That's money laundering. So, I realized in hindsight about half of the Lazarus Heist story is actually not about cybercrime or really about North Korea, it's about money laundering. So, I started getting interested in that, and what I discovered of course was that cyber criminals, hackers, they're very good at breaking into places.

They're very good at getting into a bank or a crypto exchange. But that process of, "Okay, where do we send the money? How do we wash it through accounts? How do we set up a bank account over here and a crypto exchange over there?", that's not necessarily a hacker's skill. It's more of a technical money launderer's skill.

Joseph Carson:

It's a financial person's-

Geoff White:

Exactly, yeah. Look, there are hacking gangs out there who understand that, fine, but quite a lot of hackers, they don't really get that. So, they outsource it to money launderers who are still high-tech people. They still use technology to do it, but their skillset is different. So, you get this symbiosis coming together of computer hackers and high-tech money launderers. Then as I look to those high-tech money, of course, it's not just hackers they're working for. It's cartel drug dealers, it's prostitution gangs, child sexual abuse rings, fraudsters. Anybody who's an organized criminal is making serious money and they're probably going to put it somewhere digital.

Well, at that stage, you need a money launder who knows digital money. Whether it's pounds and dollars with digital or whether it's cryptocurrency digital, you need somebody who can help you with that. So, there's a whole industry of enablers without whom the criminals would struggle to work. I mean, that bank job, as I say, it took them a year not to break into the bank, not to get access to SWIFT system. It took them a year to line up the money laundering route.

Joseph Carson:

Just to move the money.

Geoff White:

If you crack down on the money laundering route, the hackers just can't go to work. They can't put the money anywhere. If I can't as a criminal take the money out, why would I steal it? I need money.

Joseph Carson:

The value of the crime becomes significantly lower.

Geoff White:

Exactly. Your chances of arrest and the cost of getting caught go up. That's the other thing.

Joseph Carson:

That's what I was always saying is when talking to law enforcement, they're always saying, follow the money. Because that's the part that is those financial crimes are the ones they can actually convict people on versus the data theft side of things because those financial laws tend to be much more universal, global where the hacking crimes, as you said, certain crimes may not be applicable in Southeast Asia, Indonesia, Philippines, Vietnam, and so forth, but the financial crimes, they can be implicated in those areas. So, it's very fascinating. For me, it's amazing because it's starting to look at when you think of this broader cybercrime activity, and I think one thing that Miko really mentioned recently is it's really into organized crime.

There was a big discussion, a couple of events I saw last year was to your point is that it's the supply chain. You've got the initial access brokers who gain access, then you've got those who do the hands-on keyboard who basically steal the data, deploy the ransomware, and the ransomware might have been developed by somebody else, software as a service or ransomware as a service. They might even employ a service organization who will help communicate and negotiate and get the money.

Then to the point is how do they actually get it to where they can actually get it out using the money laundering services? So it's a complete structure of supply chain of organized crime. One of the things that it was talked about last year was that if you're starting to pay ransomware, you're funding that other types of criminal activities, basically human trafficking, sex crimes, and other types of activities as well. So, ransomware is funneling into that and it's a major ethical area to whether to pay ransom in that regards.

Geoff White:

I lost you there for a second. Joe, are you back?

Joseph Carson:

Yeah, I'm here. So, I was just saying that it's in that whole supply chain of organized crime.

Geoff White:

Yeah, absolutely. Yeah, it's a more advanced industry now definitely. What I'm interested in is how all those people get paid off. If you are working with an initial access broker, they need paying, you are working with the negotiator. I have this idea out there that there's the Mos Eisley space bar from Star Wars where all these guys get together and they finally settle all of their debts and reconcile everything. I find that ecosystem fascinating.

Joseph Carson:

They all meet at the casino.

Geoff White:

Possibly yeah.

Joseph Carson:

Then just the money goes in and spreads around and they leave.

Geoff White:

Yeah, exactly.

Joseph Carson:

One of the things, so the book's out, we'll make sure that for the show notes, we'll get it all linked in the show notes. We'll put the links in for the books that you've got out.

Geoff White:

Thank you.

Joseph Carson:

I appreciate the work that you've done because I think it's really important to tell those stories because it's really valuable to understand what's the background, how do they get started, and also because it's a very educational and it also allows people to understand about what things you can do to reduce the risk and what simple changes you can make to become more resilient. Any final thoughts or any knowledge you would like to share with the audience? What are the trends that you're seeing essentially?

Geoff White:

Yeah, it's interesting. By the way, thank you for that, the comments about the books and so on, because one of the things about getting that feedback from people like you who've been in the industry for so long and understand it is really, really useful. The thing I dread is somebody coming back to me and saying, "Oh, you've got that bit wrong," or "That's not right." Actually, people saying not just that "Yeah, you got it right," or "That's right" you can get it as a journalist, but saying, "Actually, I enjoyed it and I'm glad you put it out there" is great because I just feel for folks like you, you know all this stuff, but actually the fact that people like you enjoy it is really good because it means I'm adding at least something new to the party.

Joseph Carson:

Absolutely. When I get into it, I know the technical pieces. The pieces that I was missing was the understanding of the money laundering piece. In the past, I was in foreign exchange money market, so I knew parts of it, but what you brought together was the story that connects all of the pieces that certain areas that I wasn't familiar with. So, yes, the technical piece I do, people like myself get into the research. We try to recreate. We try to understand and break it apart, look inside to try and understand how it all works. But what you've done is you've brought it together and created the end-to-end experience. That's what people like myself really enjoy because it allows us to complete the understanding of the events.

Geoff White:

To go back to your question actually, the answer in terms of the future, I hate this phrase, but it is a phrase people are using, the pig butchering scams, which is this horrible hybrid of romance fraud mixed with crypto fraud where you seduce somebody online and then you get them involved in crypto and you steal their money that way. It's a special place in hell, I think, reserved for those people who run those operations. The ground level people who are actually phoning people up and scamming people and tricking people on dating apps, often they're actually coerced into it or seems they're coerced into it. But what's interesting from that perspective is we're starting to see this collapsing together of fraud and cybercrime and crypto and to a certain extent casinos.

I think there's always been this interesting gray area between what's fraud and what's cybercrime. I think for some cybercrime, people have thought fraud's over there, I do cybercrime. If it needs a computer, then I deal with it, but fraud is just phoning people up and scamming them. You don't phone people up anymore. I mean, frankly, people of the younger generation don't answer the phone when you phone them. So, frauds are increasingly done through technical means. The money laundering, certainly for fraud, it's increasingly the same high-tech money laundering that we're seeing from cybercrime. Crypto feeding into this means that crypto stolen money is feeding into the same high-tech laundering technique.

I think if you want a trend to watch, it's that coming together of fraud and cybercrime increasingly. I hope that people covering cybercrime and cybersecurity see fraud as part of their remit. Certainly, they're in financial institutions, hopefully so, but also, we've got this interesting collision with the casino industry, slightly murky, Southeast Asian casino industry where this money's being washed through. So, again, financial crime and money laundering start to be part of it. If I could make a pitch to people, it'd be like, "Okay, start with cybercrime if that's your bag. But try always to be looking a little bit, trying to get a bit helicopter vision, seeing the stuff that's on the fringes view industry like the fraud, like the money laundering."

Because they're just other parts of the mechanics of the people who are hitting you. Money's stolen from your institution, data that's hacked from your institution, the people sending you the ransomware stuff, they are feeding into a much larger criminal economy. So, it's worth keeping an eye on how that criminal economy is moving if only for your own interest, I'd say.

Joseph Carson:

Absolutely. I think one of the things that directly in the center of that from cyber is business email compromise, because it really emphasizes... So, you were looking at somewhere to learn about the financials on the cyber and digital side and business email compromise is really good because it combines all of those pieces together very well.

Geoff White:

I think that's a really good point, and again, from an IT department organizational point of view, you might think, "Well, somebody got sent an email and they responded to it and they were defrauded. Where would IT security have got involved in that process?" Even if the answer to that is, well, we couldn't really, your organization has still suffered a crime that's potentially stolen millions out of the organization. So, as a cybersecurity professional, reversing into that territory and trying to get your arms around that territory, much as I hate to give cybersecurity people more work to do and more workload, that is, I think, increasingly part of the role and your organization will thank you for it and maybe give you a bit more budget. I don't know.

Joseph Carson:

Absolutely. I mean, those tie it back to the business because it is a business impact and that's what security is all about, is protecting the business. So, that's ultimately you have the better connection, more value from the business side. Geoff, it's been wonderful having you on the show, and many thanks for telling your journey and your story and background. For the audience out there, if you do get the opportunity, I know that Geoff, you're on the road quite a lot speaking at different events. There's quite a few podcasts out there that you've done on Lazarus Heist as well.

So, for the audience, we'll definitely make sure you get links to the show and links back to a lot of the episodes and stuff that Jeff's done in the past. If you do see them, the opportunity in the future, make the time to go listen to Geoff's talks because they are fascinating.

Geoff White:

Oh, thank you. I really appreciate it.

Joseph Carson:

So Geoff, many thanks for being on the show. Awesome. Hopefully, I'll see you again in the near future soon. For the audience, this is the 401 Access Denied Podcast, bringing you thought leadership stories, ideas, and trends. It's really to help provide you the knowledge in order to make the world a safer place. So, many thanks for tuning in. Stay safe. Take care, and I'll see you again in two weeks. All the best. Thank you, and bye.