Darknet Diaries - 141: The Pig Butcher
Episode Date: January 2, 2024

The #1 crime which results in the biggest financial loss is BEC fraud. The #2 crime is pig butchering. Ronnie Tokazowski (https://twitter.com/iHeartMalware) walks us through this wild world.

Sponsors

Support for this episode comes from NetSuite. NetSuite gives you visibility and control of your financials, planning, budgeting, and of course - inventory - so you can manage risk, get reliable forecasts, and improve margins. NetSuite helps you identify rising costs, automate your manual business processes, and see where to save money. KNOW your numbers. KNOW your business. And get to KNOW how NetSuite can be the source of truth for your entire company. Visit www.netsuite.com/darknet to learn more.

Support for this show comes from Drata. Drata streamlines your SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR & many other compliance frameworks, and provides 24-hour continuous control monitoring so you focus on scaling securely. Listeners of Darknet Diaries can get 10% off Drata and waived implementation fees at drata.com/darknetdiaries.

This show is sponsored by Shopify. Shopify is the best place to go to start or grow your online retail business. And running a growing business means getting the insights you need wherever you are. With Shopify’s single dashboard, you can manage orders, shipping, and payments from anywhere. Sign up for a one-dollar-per-month trial period at https://shopify.com/darknet.
Transcript
A few years back, a listener wrote to me to tell me about a problem they're facing.
Okay, check this out. They went to buy a house, right? And when you go to buy a house,
there's like a little dance that everyone does. Like, do you give them the money first? Or do
they give you the deed first and the keys? Or do you do like a quick swap at the same time?
What if it's a phony check or the deed is made up?
This is where escrow comes in.
Both the seller and buyer hand their things to a third party,
someone that both sides trust and waits for everything to clear.
If the check clears and the deed is valid, then escrow says,
okay, the deal is done and gives the money to the seller and the keys to the buyer.
So this guy, a listener of mine, says he bought a house.
And during this process, he gave $250,000 to the escrow company.
But then someone scammed the escrow company.
They posed as the seller and said, hey, could you just deposit the money into our bank account directly?
And escrow's like,
oh yeah, of course, no problem. We do this all the time. Here you go. And they deposited the $250,000
into the scammer's account instead of the actual seller. But here's the crazy part. Because the
seller never got the money, escrow wouldn't give the keys to the buyer. They were being jerks about it.
They were trying to say, oh, sorry, we lost the money. No house for you. The deal has been
canceled. And the buyer's like, whoa, no, no, no. That's what escrow is for. You're our trusted
third party. We trusted you to do this deal. You screwed up and that's not our problem.
That's yours.
But escrow's like, no.
I never got an update on what happened here and if this got resolved.
I think the buyer took escrow to court to try to get their money back.
What a nightmare, though, to send a huge check somewhere only for it to go to the wrong place, and then someone else runs off with the money.
Ah!
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries. This episode is sponsored by Delete Me. I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete Me.
Delete Me is a subscription service that finds and
removes personal information from hundreds of data broker websites and continuously works to keep it
off. Data brokers hate them because Delete Me makes sure your personal profile is no longer
theirs to sell. I tried it and they immediately got busy scouring the internet for my name and
gave me reports on what they found and then they got busy deleting things. It was great to have
someone on my team when it comes to my privacy. Take control of your data and keep your private
life private by signing up for Delete Me, now at a special discount for Darknet Diaries listeners.
Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and
use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com
slash darknetdiaries and enter code darknet at checkout. That's joindeleteme.com slash
darknetdiaries. Use code darknet. Support for this show comes from Black Hills Information
Security. This is a company that does penetration testing,
incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher.
And he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration
testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this,
the whole thing is pay what you can. Black Hills believes that great intro security classes do not
need to be expensive, and they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com. BlackHillsInfosec.com.
I was clicking around the other day and came across this story on Good Morning America.
Shreya Dutta thought she'd met the man of her dreams on a dating app, only to find out her Prince Charming was a scam and she was out more than $450,000.
What the? How in the world does some guy on a dating app scam someone for $450,000? That's insane.
This person presented themselves to be everything I was looking for.
She was the victim of a scam
known as pig butchering. A scammer pretends to be looking for love online. They find a love
interest, casually encourage them to invest in crypto via a fake app, but eventually they can't
access the money at all. The money is gone. The investment's not real.
Dang. Things we do for love, huh?
Or maybe it was for money. Or maybe it was for the love of money. I don't even know.
Yeah. So hearing that story, I've heard it a thousand times over.
Okay. Hold on. Who are you and what do you do?
Oh, yeah, yeah. So my name is Ronnie Tokazowski. I've been fighting business email compromise for
the last eight years now.
So my role in this is
I work behind the scenes
with a lot of people
who are working with romance scam victims.
I do a lot of work with Secret Service, FBI.
I also work back and forth with victims too.
Because a lot of what happens is
the scammers will go to different dating websites.
They will go and find people in order to date.
They will move the discussions off of the
platform just because most of the platforms cost, but they'll move it to WhatsApp. And then from
there, they'll start grooming the person. They'll say loving things. We've had pick cases where
some of the victims might send nude pictures over to their lover. And once they go and are
exchanging those sweet nothings, the scammers directly build that relationship, build those
emotions.
So I heard this term pig butchering, and I'm not connecting the dots here.
Nowhere in this romance or crypto or gold, sending money to people, is there a pig involved?
Where is this term pig butchering coming into?
Yeah, so the term pig butchering comes from a Chinese phrase called sha zhu pan, which
is essentially a broiled, I think it's broiled meat.
I forget the exact translation.
But what the concept is, is the scammers will go and try and fatten the pig, if you will.
So what they will do is extract as much money as they can out of a victim.
And where the pig butchering comes in is that once the scammers get to a point where they feel like they can't get any more money out of the victim, they will take the pig in for slaughter or slaughter the pig.
And what they mean by that is actually pulling the rug out from under the victims and like walking away and essentially be like, I got all the money that we could.
So that's kind of where the phrase pig butchering comes from.
Okay, so for some reason, Ronnie is attracted to this type of scam
or fraud or whatever you want to call it
and zooms in to whenever he sees
these stories come up.
And one day, he heard about a colleague
who got pig butchered
and wanted to help him out.
Him and his girlfriend,
they were dating for several years.
Like, they've been together
for as long as I've known.
It's probably about eight years now that they've been together.
So they were engaged to be married.
They had a house together.
And unfortunately, things happened.
And that relationship kind of flopped.
So they went their separate ways.
He lost the house.
And unfortunately, it wasn't really a good circumstance.
Breakups are hard.
It's a tough time for anyone.
You can sink into deep levels of depression.
Your defenses are weak
and your vulnerabilities are exposed.
So he went to go online and go date somebody.
So he went onto a dating platform,
found this really pretty French girl
who was very involved with him
and very kind of attached to him.
So the two of them really hit
off. And at some point, she popped the question to say, hey, I'm also doing a lot of crypto
investments. Is that something that you'd be interested in? Okay, I don't see any red flags
yet. And he didn't either. At this point, they were just chatting through text, like a lot.
She seemed to be into everything he was interested in, and he was liking that.
He was coming out of his breakup, and she seemed to be caring and helpful.
Yeah, okay, so she's into crypto investments. That's fine. She could be into that.
But he was curious. Was it really working for her? He had some crypto somewhere. I was like,
tell me more about what you're invested in. So she tells him, man,
there's this hot investment. It's making mad bank. And he's like, yeah, okay, well, what is it? Show
me. So she keeps talking it up. I'm basically just living off the profit from this thing. It's nuts.
And he's like, you got to show me what you're talking about. So she's like, okay, so you know
how your savings account makes interest, right? This is like that, but it just pays much more. You put your money in,
and then daily it makes interest, and you could just take that interest out if you want,
or leave it in, and it adds up, and you make even more. So he's like, well, how much interest are
you earning? She's like, 20%. If you have $1,000 invested, it'll earn you $200 in interest a day.
And at any time,
you could just take your $1,000 out if you want.
And he's like, man, that does sound too good to pass up.
So she gives him the links to read up on.
Being in the field, he knew a good bit of crypto.
He's naturally a very skeptical person.
So he did his research on a lot of the way that they present the money.
So he went, they provided links and information for him to check once he went and submitted his money.
This scheme was very, very clever.
I mean, this guy was a cybersecurity professional.
He knew about the dangers of cryptocurrency and was suspicious about all this.
But this had a mix of legitimate information
with just a small dash of fraud.
See, the way they had this set up
was they made it look like it was using a legitimate exchange,
in this case, crypto.com.
And the way that the application was presented to him was,
and this is his perspective,
I'm still trying to get the full scope here,
but there was actually a browser that they could use within crypto.com
that will have it show up that actually looks like the application.
And looking at some of the screenshots,
it looks like it was right within the crypto.com application.
And because of that, when your user goes and clicks that stuff,
it appears to be 100% legitimate.
I looked at some of these screenshots myself.
It's hard to tell what's going on.
But one thing is clear.
They social engineered him
and tricked him into sending his crypto
to the scammer's wallet.
They just disguised the wallets to look trustworthy.
Basically, he would buy cryptocurrencies
on crypto.com with real money
and then send those crypto coins
to this investment project.
Investment in quotes there.
Really, it was a scam and it looked
really good. It didn't look like a scam at all. You could see your balance, you could see your
earnings, you could interact with it, you could pull your money out at any moment. So he decided
to give it a try. He put some money in, sent the crypto, and when he saw it was generating interest,
he tested it by taking some out and was like, wow, this is actually working because it looked like it was.
But this is where the pig butchering scam comes in.
The scammers wanted him to take the bait, start with putting in a little, see that it's working,
and then hopefully put in some more and more and more and hope that he dumps a ton of money into this.
And when they think he's put in enough, they'll take the money and run.
So as he starts watching the money grow on this site,
the scammers start ramping up the pressure.
They tell him if he invests a little bit more within this time frame,
he'll get locked in for bonus interest,
basically presenting him with more exciting opportunities that were time sensitive.
In addition to putting his own money in there,
because of the high returns that were being shown, he also went and had filed a, had gotten a loan.
So he actually used a loan to go and put more money into it. Because again, if you can use that
loan to go and get more money, who wouldn't do that? So that's another common thing we see with
a lot of people is they'll go take loans out from a financial institution.
They'll take a second mortgage out on their homes in order to go and get more money based on those investments.
Taking loans out?
Now I see why someone can end up losing a ton of money in this scam.
But not only that, these scammers were really tricky.
They would sometimes tell them, look, we locked your account because there's not enough funds to cover withdrawals.
Please deposit another $40,000 in the next 96 hours to unlock your account.
And he's like, well, wait a minute.
What if I don't deposit that?
Then you risk losing your money.
So he's like, oh, no, I don't want that.
And so he goes scrambling, looking for even more money to put into this.
So this guy eventually goes all in.
And then some, putting all his savings in
and taking a loan out to add more.
Because to him, this was a way to get out of debt,
a path to financial freedom.
And it was very exciting.
From there, the scammers were able to successfully collect
about $90,000 out of him.
Oh, how cruel.
And yeah, this $90,000 was a nice fat pig.
And the scammers were like, okay, that's ripe.
Let's take it.
And they did.
They took his money, leaving him high and dry.
Ouch.
He saw his money disappear and he knew he was screwed.
Ugh!
But he sat and thought about it for a bit.
Is there a way to get any of this money back from the scammers?
What he did was he used the exact same emotional manipulation tactics against the scammers.
And what he did was he was like, hey, I'm going to go ahead and invest more, but I need to pull this little bit of money out
in order to help with this loan. So if you can let me pull some of my money out or wire it over here,
I'll go ahead and do that. So he was able to get $10,000 of his back by, again, deploying those
same tactics against the scammers. And he was able to build up enough trust with them
to where he's able to get that money back.
He scammed them back.
Hilarious.
Man, that reminds me of this story I have.
Okay, so this one time I was in Vegas, right?
Yeah, I was actually going there for a DEF CON.
And when I went, I brought a burner phone with me, right?
It's just a phone that I paid with cash.
You got a prepaid plan, all that stuff. It was a new phone number. And when I got to Vegas, I was getting
text messages from a scammer. I sniffed it out right away. They were trying to play on my empathy,
saying things like, we can't afford money to buy food for our kids and medicine and clothes and
something. And they specifically asked for $749 to get themselves
sorted. And I'd be an absolute angel if I could help. And I was like, hmm. I replied, look, I'd
love to help, but I'm currently stranded. My boyfriend and I got in a fight and he dumped me
off in the middle of nowhere. And I don't know anyone here who can help me. I don't have any money to get home. I am screwed. I was trying to use the
scammers' tactics on themselves, trying to be someone in distress, just like they were saying.
It did not work. They kept asking me for money. And I was like, OK, listen, I'm happy to help you.
I have money to help you. But my boyfriend took my purse and all I have is my phone
and there's strangers all around me.
So unless you can help me get home,
like, I don't know, send me $200.
Then once I get home, then I can help you.
It didn't work.
They stopped texting after that
and just left me alone.
So when you run into someone
who's been a victim of this, how do you help them?
So the way I help them is I help them a couple ways.
So the first place is that when it comes to understanding the emotions in our body tied
back to a lot of the way the scam works, people feel a lot of shame.
They feel a lot of hurt.
They feel a lot of disconnect because of the stigmas associated with it. What I mean by that is when you're a victim like this, people don't want to come
forward on this. So I try and help them learn how to work with their own bodies in that regard.
So that's one way that I help them. The second way is I point them to the resources where they
can go and submit a lot of requests. So they may be working with IC3,
it may be working with colleagues who also work with romance scams,
or it may be helping introduce them
over to some of the crypto assets
where they can start pulling some of that money back.
The third thing I do is, again,
just trying to help put them in contact
with the right people.
Because what happens is,
when you're in this scam,
it becomes...
Your head's spinning a thousand miles an hour.
You don't know which way is up.
You don't know which way is down.
You don't know who to trust.
And many of us work behind the scenes
to try and help be that good driving force
for many of these victims.
And when we go and we try and help them out,
that's kind of where we do our assistance.
In addition to that, we've also been running
a mailing list for the last seven years, talking on many things as a result of business email compromise and overlapping things with that.
And we have close contacts with a lot of the banks and financial institutions to help either try and reverse some of that money or do what we can to get some of that money back or try and flag those assets where we know, hey, these are actually part of a scam.
$90,000. That's a lot of money to lose. Is that kind of the upper limit of where you've seen
people losing stuff or people losing more? I really wish I could say that that was the
upper limits, but I have seen so much more. I'm working with one victim now. I've been
working with him for the last two weeks where he was suicidal and didn't know which way to turn.
Jeez, you really take some heavy phone calls. So how did this guy lose his money?
So very much the same way as the first person. He found a relationship and as the relationship
built, they're like, hey, I have this great investment opportunity. They strung him along
as far as they could. And once he went and put some of the money in,
he saw his returns.
It was the same story.
This individual actually was ready to retire.
He had several homes as well.
So because of that,
he ended up opening and doing a second mortgage
on a couple of his homes
in order to pull some money out.
So because of that,
and because of what he was able to pull out on those homes, he may now be facing losing those homes as well. And as it
stands right now, he has lost over $1.7 million. Dang. I mean, I've heard of people losing their
life savings, but for some reason, this feels worse than that. I guess it's one thing to lose
all your stuff when you're young, but it's different when you've worked your entire life
to save up for retirement and then lose all of that.
Your retirement's now gone.
Poof.
You were financially stable and now super in debt,
and your whole future is screwed.
It's awful.
I was at RSA last year,
this year as a matter of fact,
got to speaking with somebody
who had a,
it was a grandfather
who had committed suicide
and they didn't know why
and they ended up going
to look through his records
and it was over $5 million
that he had lost.
What?
People are actually
killing themselves
over pig butchering scams?
This is nuts.
Whoever is behind this is just ruthless.
I wish that was an isolated case,
but I had another victim out at DEF CON a couple years ago.
And for her, she ended up losing her house, losing custody of her kids,
lost her relationship with her ex, with her husband,
and lost her business.
And she was into over a tune for a million dollars.
And when I asked her what kept her in,
she said her husband was abusive
and she just wanted to feel loved.
And that's the reality of many of these crimes
is that people don't realize
that you have two factors at play here.
You have the financial losses
and then you have the emotional hurt that goes along with it.
And somebody may lose $90,000.
It may mean nothing to them.
Or you may have somebody who loses $8,000,
and it's the entire world to them.
So it really, right now,
we're not accounting for the emotional losses on this
or the emotional damages for many of the victims.
So in these first few stories we've heard,
it keeps getting back to romance, right?
Yeah.
Do you see kind of a pattern of who the victims typically are?
Are they usually people who are looking for love?
Or what are some other, you know,
like if we're going to watch our own back,
like we got to know when we're in a vulnerable state and what makes a person more vulnerable
to this sort of stuff. Yeah. So first and foremost, one of the constant patterns I've
seen, and this is something I've seen with many victims, I've kind of discussed and researched
the topic. Many of them tend to be extremely trusting, where if you were to be walking on the side of the street,
this is the type of person who would go
and help a homeless person in need.
If a dog was hurt on the side of the road,
they would go and help them out.
And they're some of the most kind of souls you'll ever meet.
And because of that trust,
the scammers have figured out that they can go
and manipulate and abuse that person and get them to do things that they want.
A lot of what happens is from that control perspective, they will actually, quote unquote,
I'm going to use a term that one of the victims used to me, is that they'll essentially hijack
their own consciousness and give them a different perspective of reality and a different perception
of reality. And what happens is the victims will be manipulated to a point where they will be pulled away
from friends, they'll be pulled away from family, and only put all their trust in this
one person.
And because of that, and because of the kind words that they're saying, the victims will
want to go and be with that person.
In addition to that, you've also got a case where they will say the right words
in the right way
to make the victims want to stay in it even longer.
So like I said,
it's a matter of working with the emotions
and kind of manipulating the people in that way too.
Another piece I also noticed
is that when it comes to
how we as humans process our emotions,
so many of us are just disconnected
and we don't even know how our emotions work.
It's like, we might feel this one way about this one thing,
we might feel this one way about another,
but we don't realize that we actually pick up emotions
from other people.
And because of that,
it's something where we don't understand
how those mechanics work in our own bodies,
let alone how we are emotionally manipulated
to go and do this thing
or influenced to go and do that thing.
Yeah. So what are some of the skill sets that these scammers or thieves have?
Because it sounds like they understand psychology a bit.
So that would put them in social engineering skills, right?
Tricking people, posing as someone on a dating app, whatever, but also being able to set up these websites
and understanding crypto and putting malware on systems
or whatever the case is.
What do you see as their skill sets in these cases, at least?
Yeah, so I'll kind of talk on the geographic
of where some of these skill sets are.
So for the pig butchering angle,
which is mostly out of Southeast Asia, we see scammers who are skilled in setting 30-page PowerPoint in Chinese that essentially
comes out to, here's where you go and
tell them this piece, here's where you
influence their emotion here, and do
this. So they understand that emotional
manipulation piece there. For some of
your romance scammers in Nigeria,
they're a whole different basket. For
them, they're sophisticated in money
laundering. They know how check systems work.
They know how to wire money from a United States bank out to another bank. And they also understand
the underlying cryptocurrency networks to go and cash out a gift card or move money over here for
Bitcoin. So it's something where depending on the geography of where the scammers are coming from,
it really depends on what that skill set is.
And that's just two of the top countries that we see.
But there is probably four more that I could list off that we see elements of social engineering scams coming out of that, again, go back to that human emotion and kind of those human pieces, if you will.
The thing that strikes me,
I think it should strike us all with a bit of fear,
is that this isn't, you see the cybersecurity news every day,
it's ransomware hit by this company,
and this other company got hacked and all that.
This is us getting hacked.
This is you and me.
This is each one of our neighbors.
This is individuals of the world, the citizens of the United States or wherever they are. And that is just such a close to home thing. It's not far away and some other company that I don't have to deal with.
It's me and my personal assets are being attacked. And that, I don't know, like when you realize
that the threat actor is right here in my bedroom on my computer, it gives us a different sense of safety.
Yeah. And the other thing too, because of that safety, we will go and play so much on trusting the social media providers to be like, okay, this social media provider has a really big name.
So that means they have to be safe and I can trust anything that's coming from there. So because of how large many of these providers are, there's
inherent trust of using these platforms. And so many victims will go and be like, okay, I'm going
to go and trust Facebook for seeing this stuff. Yet there was an article that came out a couple
weeks ago that said no, 8 out of 10 cybercrime or 8 out of 10 cases of cyber fraud originate on Facebook.
So when you see numbers like that,
it's something where the scammers are going to use those trusted platforms to try and go after people on that.
But no, I agree with you 100% is that
it definitely adds a different level of fear
to how the scam actually works.
Because yeah, it's like that scammer is now
in your bedroom with you.
And they're now stuck in your head as you're ruminating over all of the ways where they'll
be like, okay, does this person love me, or are they trying to build this relationship? What else is
going on? And the victims run through their head over and over again.
With these victims you've
talked to, like, you know, the $90,000 one, the $1.7 million one, are they actually, like, how
far along in the,
how close are they to these people, right?
Are they having video calls with them?
Are they having phone calls?
Are they texting?
Yeah, so many of them will be texting back and forth or using WhatsApp to communicate.
Like I said,
we know that that's how some of them are
and many of them are receiving
like multiple messages per day.
The one colleague who was in for $90,000,
I'm pretty sure they would have been sending pictures back and forth. Just because again,
you're not thinking of it in the case of, okay, this is a victim. You're not trying to think of
it as somebody who believes they're in a relationship. So you're going to go and do
everything that you can that you believe of that you're in a relationship. Like I had one victim
who was sending pictures of his food to his girlfriend.
And the scammers do all kinds of weird things.
Like they'll send photos of two different outfits and ask,
which outfit should I wear today?
And then when the victim picks one,
it gives them just that little bit more of information to know about them.
Like, do you like formal clothes more than casual clothes?
So let's send them more photos of that.
Keep them on the hook.
And just think about how much you share about yourself on a personal level when you have a new love interest.
A scammer could easily write all that down
and figure out your vulnerabilities and play on that if they're really good.
But I still think one way to sniff out these scammers
is just to pick up the phone and call them.
I'm betting that
a lot of these scammers are just guys posing as women, you know? So how do they sound on the phone?
Even if they grab someone else to just pose as them and get on the phone, that person isn't
going to know your whole chat history and won't be able to carry on a conversation in any way that
makes sense. Or even more, let's do a video call and see what you really look like. And so just keep that in your head.
That is probably a red flag if your love interest refuses to answer the call or get on video chat with you.
Yep. So sometimes that is a red flag.
However, some scammers have figured ways around that.
I know in the concept of like deep fakes and AI, and I know it's a whole buzzword right now. But some scammers are
using that technology in order to generate video messages back and forth. The other thing too,
some of them will also use online video without audio. And they'll just be moving in the camera
like, oh, my microphone's not working. Or they'll go and share and have a phone call with them.
And they won't share video and just say, hey, this part here, my video isn't working.
So they know that that's a piece
that people use as a metric,
but they will go and try and find
different ways to bypass that.
Oh, yeah.
Dang, I didn't even think of that.
So I've done video interviews with people a lot,
but I use a Snapchat filter on my video
to obscure my face.
In real time, on a live video call, my face gets distorted.
And yeah, you could absolutely just use a filter
to change your face to be a pretty lady,
even though you're just some dude who doesn't even speak English.
We're going to take a quick ad break here, but stay with us,
because when we come back, we're going to talk about Black Axe.
And you're not going to want to miss this.
Okay, so I'm looking you up online.
You're known as that BEC guy.
What's BEC?
BEC is a business email compromise.
Okay, so let's stop there.
Okay, sounds good. Sounds good.
BEC, we break down the term business email compromise, right? So let's,
the compromise part makes me think somebody has taken over my Office 365,
you know, email server, and is in my emails. They've compromised my emails.
But that's not what you say is BEC.
No.
So if you go and look up the history of BEC,
business email compromise has been the number one crime
seven years in a row, minus last year.
But the way most people know it as
is if you receive an email that says,
Hi, I'm the CEO of your company.
I need you to do this urgent wire transfer for me.
Can you wire $40,000 out to this account?
And that's what most people think of
as business email compromise.
When you tell me that story,
I just think that's a phishing.
I don't call phishing BEC.
I just call it phishing.
Right.
And phishing is kind of the overarching term for any email-based threat like that. Is BEC always money-related or is it
sometimes, no, we're just going to phish them so that we can get our malware on to steal their
intellectual property? Yeah. So business email compromise, in most of the cases, it does not
use malware. It does not employ any of those tactics around trying to install software on the computer.
At most, they will do credential phishing where they'll try and harvest the email credentials and email passwords.
But for a vast majority of business email compromise, there is no malware tied to that.
There's only been a handful of cases that have been publicly documented specific to BEC actors using malware or something like that.
But just for the most case,
there is just no malware that's tied back to those types of crime.
So if we're going to classify something,
because let's say we get phished,
somebody sends us a phish, we click the link,
we installed malware, you'd say,
oh yeah, that wasn't BEC.
But if it was, okay, we got phished, it was send money to this,
and I sent the money, you'd say, oh, yeah, that was BEC.
Yep.
Okay.
So if you're going to classify as BEC, it's likely going to be financial related.
Yeah, yeah.
So now this pivots the whole thing in my head, right?
Instead of you and me being targeted,
now they're like, well, why target somebody who has thousands of dollars when we can target a business who has hundreds of millions of dollars?
Yep. And that is exactly what it is.
So we did a study.
What we found was that when you go and think of your Nigerian prince scams,
your 419 scams, or you have this long-lost relative in Nigeria,
you go send me this money.
What we found was that business email compromise was not some new crime.
It was a symptom of ignoring your quote-unquote easy 419 scams.
And we've had direct confirmation that the scammers behind business email compromise
are the same people who have been doing these Nigerian prince scams for years.
By the way, 419 scams are those Nigerian prince scams.
You know, the ones where they send you an email saying,
if you pay us some money, we'll release the inheritance that we owe you.
And the reason why it's called 419 scams is because specifically in Nigerian law,
Section 419 makes it illegal to do this.
We've all laughed at these scams in the past,
but they're getting more sophisticated now.
They're evolving.
So very much with what you said,
they realize, oh, wait, no,
I can go and get $40,000 out of this company
as opposed to going to hit this one victim over here.
And that's where we see the overlap
between the romance scams
is when they
go and send that phishing email to that company, they will use those romance
scam victims as the money-muling network to send
money for these scams. So the victims will be the ones who will be receiving the money
who then wire it from the United States elsewhere in order to launder it
up the chain.
I mean, that's amazing.
But what I am surprised of is just like hearing the evolution of it. It sounds like they've really honed their skills over time.
They have, they have.
Yeah, and it's a combination of honing their skill,
yet still keeping the stigma that these things are simple and unsophisticated.
And that's the thing
is that quote-unquote simple and unsophisticated
crime, again,
minus last year, it was the number one
crime seven years in a row based on
financial losses. What's the number one crime?
Business email compromise.
So from
2015 to 2021,
it was the number one cyber crime
based on losses year after year.
And the only reason it was not the number one lap for 2022 was because we had this crime called
pig butchering that came up. So the way it was ranked was pig butchering was number one,
business email compromise was number two. Wow. So this is the number one crime? I guess I'm
just so surprised that it's those awful Nigerian scammers who are doing this.
And when I say awful, I mean the least sophisticated phishing emails I've ever seen.
You know the ones.
Sir, you had a long-lost relative who was the prince of Nigeria,
and he has recently died and left a large inheritance for you.
Just send us $500 so we can process this and we'll get the money over to you.
Like who in their right mind thinks their long-lost relative
is the Prince of Nigeria and you never knew it?
It's just the absolute dumbest attempt
at a phishing scam that everyone laughs at.
And it's those guys who are number one?
This is the biggest criminal financial loss for companies today?
Now, getting a business to pay a fake invoice can take a lot of prep.
You got to figure out who this company normally pays large bills to,
and then try to pose as them.
And one way to pose as them is to register a domain
that's one letter off from the real one.
So at first glance, it looks like it's from that person
you normally do business with, but it's not.
Or sometimes you can pose as like the CTO sending a bill to the CEO of the same company. But still,
to know who the CTO and CEO are, you got to know who the people are that work at this company and
what their emails look like and what their invoices look like so that it can be as close
to the original as possible for this to work. And that takes a lot of work.
We've seen cases where they will go and find and use different lead generation services in order to identify the key controllers and the key stakeholders within the company.
And when they do that, that's where they get that information on who's the person within
the company that they can go ahead and target.
And based on something intelligence that we've seen,
we know that they'll target the controllers of companies.
We know that they will target different financial advisors.
So they will go and find that recon
in order to identify who can I target within the company.
Oh, and it's not always bill paying.
Sometimes they try to scam these companies
to send them gift cards.
The scammers will pose
as like some manager in the company and they'll ask someone higher up, hey, the company did such
a great year. I'd like to give my employees gift cards as rewards. And the person's like,
ah, it's a great idea. Then the scammer's like, okay, well, since everyone's remote,
could you just purchase the gift cards and then send me a photo of the back of the cards and I'll
just pass those gift cards out to the employees.
And that's how these companies end up sending gift cards to Nigerian scammers.
It's crazy.
And we actually did a study where we gave gift cards to the scammers and tracked where they clicked from.
Crazy, crazy insights that we were able to gain from that.
But it was such a
different perspective of what we thought we were going to get. But like I say, it was really
fascinating with some of the data we had that came back from that. Now, email providers or system
admins need to work to protect users from all this. You can't just present every email that
comes into the user. That used to be the case in the old days when we didn't filter any emails at all. But think about this. Suppose you do get an email, but it's one letter off.
They switch the lowercase l for the capital I, and it looks the exact same to the human eye.
To make you think this email is from someone you normally get email from, but that one letter off
means it's not. So if a human can't detect it, we better have machines that are detecting it.
And there's a thing called the Levenshtein distance,
which is an algorithm that will compare two words
to tell you how different they are.
And I sure hope that email providers today are using this
to first develop a baseline
of who you're normally getting email from
and then look for emails coming in
with a very similar domain.
If the Levenshtein distance is very low,
meaning it's only one letter off
from someone you normally see email from,
then that should be flagged,
maybe rejected or quarantined,
and let the user know.
Another area to look at for a lot of domains
is how long has the domain been registered?
If it's been registered within like the last month,
more than likely it's going to be a phishing email.
So looking for the reputation, the age of domain
is a very, very successful way to do stuff
because most scammers will go and just like
get one month's worth of domain time
and then use that for their attack.
You know, now that I think about it,
I'm disappointed that there's not better information on these emails I get. Sure, I have a spam folder
and stuff gets thrown in there, but I'd love to see reasons for why my email provider put it in
spam. To me, spam is ads I don't want. So why not have a second folder of threats? You know,
spam and threats are two different things in my mind,
yet they all seem to end up in the same bucket in my email. I would love, love, love to get
threat intelligence on my inbox, where I could see a little dashboard that says,
we've blocked 20 phishing emails for you this month. In there, we had five BEC attempts,
two pig butchering emails, and 13 emails containing malware from a threat
actor known for targeting journalists. At a bare minimum, just show me a big bright red banner on
the email that says, look out, this email comes from a domain that was registered two days ago.
That would be really cool. Google, if you're listening, fix that. And fix the Google dot bug
too. I mean, they might be already filtering it out
and putting it in spam,
but stuff that gets through,
I'm like, hey, that is a good tip.
Yeah.
And just from the way BEC is,
so many of these emails still get through.
There's a reason it's been the number one crime
70 years in a row.
So many email gateways
are trying to put protections.
And a lot of information security
focuses on the malware,
the APTs,
the blinky boxes.
And this stuff still gets passed
because there's no malware.
There's no malicious URLs
or content in there.
It's manipulating the humans.
So many of these attacks
just bypass your email gateways.
With a lot of your BEC actors,
from an attribution perspective,
this ties back to groups such as Black
Axe, where they will go and use
those types of manipulation in order to
gain that foothold. Wait, so what's
Black Axe? So Black
Axe is one of the larger
Nigerian
confraternities that dabble in this.
So if you're unfamiliar with the term confraternity,
think of a college fraternity here in the States,
but mixed with black magic and voodoo.
And what I mean by that is some of the hazing rituals for Black Axe
include a human sacrifice or trying to use those type of techniques
in order to, quote unquote,
gain extra power to become a better scammer.
What are you,
are you still on the same podcast?
What is going on here?
Hey, hey, trust me, trust me.
Yeah, no, I'm dead serious on it.
No, it's not like I went off into Cyberland,
but no, no.
But no, Black Axe is one of the larger groups
who's doing a lot of the business
email compromise activity.
Okay, are we really going here?
I mean, when someone tells me they're using voodoo and black magic to become a better scammer,
I'm like skeptical and just want to move on past that.
I don't even want to pick that up.
For some reason, I'm feeling compelled to look this one up.
So first of all,
I watched an hour-long BBC
documentary on who Black
Axe is. And it's
absolutely bonkers. I mean,
just listen to the first 40 seconds of
their documentary.
This morning, several bodies, some with
their heads decapitated, were littered around
the city. 30 people have been killed in cult-related killings within the past week.
A secret death cult is thriving in Nigeria, more terrifying than anything I've ever seen.
Around the world, crime agencies are cracking down on their multi-million dollar internet fraud and human trafficking network.
Nigerians are trying to fight back too.
But here in their homeland, the cults seem unstoppable.
And thousands of young lives have been destroyed.
This documentary explains that Black Axe is a cult full of gang violence. They have agreed to let us film what they call a gyration, a cultist ceremony.
And these guys are really dangerous.
They go around murdering people all the time.
Sometimes shooting up buildings or causing massacres,
which I guess in the U.S. is called mass shootings.
The Black Axe has killed thousands of people.
I'm on my way to the University of Benin
to understand where all this violence began.
The Black Axe formed here 40 years ago,
and students are still being murdered on campus today.
The Black Axe emerged out of a student fraternity known as the Neo-Black Movement of Africa, or NBM.
The movement initially stood for peace, but over time became linked to crime.
Today, many people use the names Black Axe and NBM interchangeably.
This has been going on for 40 years? What?
That's interesting because they initially started as a neo-black movement to fight oppression.
But it's very different now.
And it's unclear to me what their motives are now.
Something, something freedom. Something, something defend.
But even though Wikipedia thinks NBM and Black Axe are the same,
the people within NBM don't agree.
Here's the president of NBM.
NBM is not Black Axe.
NBM has nothing to do with criminality.
NBM is an organization that tends to help achieve greatness in the world.
Despite the president's denials, the NBM is facing mounting international pressure.
Weeks after our interview, the FBI arrested more than 35 NBM members in the US and South Africa, charged with multi-million dollar internet fraud. But the U.S. Department of Justice statement
names the Neo-Black Movement of Africa
as a criminal organization
and part of the Black Axe.
Okay, so you've got this extremely violent street gang,
a cult, Black Axe slash NBM,
but they seem to also be involved with internet scams. Here's Vice explaining what
they found. The Black Axe is synonymous with cybercrime. It's spread around the world.
They've claimed to have as many as 30,000 members globally. How much were they trying to get out of
you? Like 96,000 and saying that I was going to go to jail.
In October 2021, eight men were arrested in Cape Town on serious fraud charges. The men were allegedly members of the Black Axe, a notorious Nigerian organized crime group. And specific to
the human sacrifice, the way that that plays out, is for your Nigerian scammer,
they are called a Yahoo boy.
So in order to become a better scammer,
a Yahoo boy plus,
there is a human sacrifice ritual
where you have to kill somebody
to gain better powers to go
and continue this type of scamming.
And like I said, sounds far out there,
but it's widely documented
that this is unfortunately one of those cases.
And that's why I get so bitter towards ransomware
is that people are like,
oh, somebody might die here, over here.
Somebody might die over here
because of this ransomware attack.
I'm like, no, we have people literally sacrificing each other
because of this stuff.
And that's where the problems are on some of these cases.
Holy moly.
Yep, yep.
I also watched a few videos about Yahoo boys.
I guess they get their name because they started out using Yahoo Messenger to conduct their scams over.
And they interviewed some of the Yahoo boys who then explained how they do it.
And they were open about what they were doing.
They're like, yeah, we scam people. We'll steal lots of money from them. In fact, they even posted a video of one of their victims on the verge of suicide.
Here, listen.
Please, I trust you.
I hate you.
Fucking asshole.
Please, I trust you.
So even though they're ruining people's lives
and know that some of these victims that they have are committing suicide
and they say they're all addicted to drugs,
they deny their involvement with human bloodshed.
It wasn't exactly clear from these interviews I watched,
but it did seem like they were killing cows or other animals to try to level
up their scamming, which I have to admit, at first I'm just like shocked that anyone would think that
they'd become a better scammer because of an animal sacrifice. But the thing is, the culture
of Nigeria is rich with a lot of this voodoo and hexing and charms and stuff. In fact, when the BBC
reporter went to investigate the Black Axe cult,
he found a vigilante group who was trying to stop
the Black Axe, and they gave him
a charm to protect him during his
investigation. Their commander,
Lanry Olabinjo, summons
ancestral spirits to protect his men.
We just got this sort of
amulet, and this will guarantee
my safety on this raid,
that no bullet will penetrate into my skin, regardless of this.
But this is what the Uyambos are relying on.
They gave him an amulet to protect him from gunshots.
He still wore a bulletproof vest, though.
But this is what I mean. The culture there is really big into this.
And you know, luck is a weird thing.
It feels like a mysterious force. Can it be changed in any way? So I can see why somebody would want to do weird
stuff to try to improve their luck. And if you really, really, really want to improve your luck,
then maybe you've got to do something a little insane. And I can see how bloodshed can get mixed up in all this.
It's very awful and strange, though.
How the hell did we get from romance scams to this?
Man, the places we go on this show.
Now I can see why you're so fascinated by all this.
These stories are crazy.
Yeah, yeah.
Tell us about that one story you heard about going
on in South Africa. Okay. Yeah. Yeah. So this was a Black Axe case they had down in South Africa.
And like I mentioned earlier, I do a lot of work backing forth with law enforcement. So I get to
hear a lot of the good stories as a result of this. But they were doing the case. They went
down to go and arrest the individuals.
And they were kind of at this compound down in South Africa.
And they were able to get into most of the houses
and most of the buildings.
And there was one window in the back
that they couldn't get into.
So they were able to bust it down, got in there.
And in that building, what they found
was they found a pile of money
covered with blood and dead chickens.
So as they came out and unlocked the door to get in there,
they kind of got talking to the people
that they were addressing
and they were like,
what's this?
Because you don't really expect to find that
on a law enforcement engagement.
So what the scammers had said was,
well, it turns out that the magic here in South Africa is not as strong as the juju in Nigeria. So we need a larger pile of money. And that's one of the things that most people don't realize is that there is a spiritual aspect that plays on this gets really, really interesting. And because of, again, that spiritual aspect, it's like I said, there's so many other things that the scammers are kind
of playing with and using or believe that they don't fully understand like, well, they're playing
with in my opinion. Man, Ronnie, I don't even know what to ask you at this point. Like you've just got me going down jackrabbit holes or something.
Yeah, yeah. Yeah, I'm the kind of guy who's at a dinner table. I was like, hey, let's talk about blood sacrifices and voodoo. Okay, so while looking up these Nigerian scammers, I saw something about
this group called Scattered Canary. Can you tell us about this?
Yeah.
Scattered Canary was a mostly Nigerian cyber fraud group that we found back in 2018
that was engaging in business email compromise.
The reason we named them Scattered Canary
was because one, they were very scattered in their targeting.
And two, they were kind of our canary in the coal mine
that let us identify a lot of things around 419 scams and business email compromise.
One of the things that happened during the pandemic was unemployment money was given out
fairly easily. And whenever one of these programs happen, the scammers are quick to jump on that.
And they quickly jumped on that bandwagon for a lot of the unemployment funds. What Scattered Canary did was they used different email accounts or email accounts that had the Google.bug in them. And they went and hit the unemployment fraud systems. And at the peak, we saw them hitting 14 different states. For unemployment fraud in general, where that stands,
we are upwards of around $400 billion that's been stolen
as a result of some of these things.
And there's some new information coming out about ID.me
and how some of the stolen money may not have been fully articulated.
But what we know of right now is that $100 billion was confirmed from Secret Service.
We know that $400 billion is up in question
for the money that was taken.
Wait, $100 billion was confirmed?
Yep, $100 billion.
So that was,
I'll submit unemployment on behalf of some American
and then
I'll tell them to send the money here to
me in Nigeria. But it probably is money
muled through and then to Nigeria.
But that's where the $100 billion
that's what I'm surprised about.
Yeah, billion with a B.
And that's kind of where
the lines get muddy between business email compromises
because we know that
Scattered Canary,
again, who was doing business email compromise, we know they were doing romance scams. We know
they were doing unemployment fraud. And that's kind of why I say BEC is the number one crime
that's out there because that's over $500 billion that we know are tied back to business email
compromise scammers who are doing this. And we know other scammers were involved in that too.
But no, it was $100 billion that was confirmed from Secret Service.
There's a possible, it's a possible $400 billion
that is up for discretion and kind of being pushed through for Congress.
But that's what it looks like the new number is going to lay at
is about $400 billion that has been confirmed.
I mean, I've got to try to understand
these numbers more, okay?
So I'm just walking through it in my mind.
So $100 billion is coming from the U.S. Treasury?
Mm-hmm.
Yep.
That's a lot of money that's just like
the U.S. Treasury has lost.
Not only is that a lot of money
that the U.S. Treasury lost,
that's a lot of money that came out of...
Are you an American citizen?
Yeah.
Okay, so that's a lot of money
that came out of mine and your pocket.
In addition to that, scammers,
what it looks like is it may have been upwards
about $400 billion.
And the other kicker here too
is that fraud is still happening.
Two of my intelligence sources out in Nigeria,
within the last two weeks,
they're still stealing money from the government.
The average salary for a Nigerian is $100 per month.
So when you go and you have that much money coming in,
it becomes very enticing for your youth out there to want to go and try and do this fraud.
But still, I can't fathom this amount of money coming in.
Like the entire GDP of Nigeria is $500 billion. You're telling me that
this one group has stolen almost the equivalent to the whole country's GDP from the U.S. government,
almost doubling Nigeria's GDP? It's just unreal. Secret Service says nearly $100 billion in
pandemic relief funds have been stolen. That adds up to about 3% of the cash
handed out by the government. Most of the lost money is from unemployment fraud. Right now,
the Secret Service says it has more than 900 active criminal investigations into pandemic fraud
with cases in every single state. Man, the more I look into this, the more problems I see.
I mean, listen to this guy. Michael Horowitz is the top cop overseeing the effort to make sure the $5 trillion in taxpayer dollars went to the right place.
This is his first interview in his role as the head of the Pandemic Response Accountability Committee.
When the Small Business Administration, in sending that money out, basically said to people,
apply and sign and tell us that you're really entitled to the money.
And of course, for
fraudsters, that's an invitation. What didn't happen was even minimal checks to make sure that
the money was getting to the right people at the right time. The U.S. government spent $5 trillion
to try to help Americans get through the pandemic. But it sounds like they didn't do a very good job
at protecting that money from fraudsters. I mean, this Rolling Stone article I'm reading right now says it's more like
$1 trillion was stolen from the U.S. Treasury. My goodness. I guess it really is the number one
crime. And that's such a waste of money. What an awful problem. How can a trillion dollars be
stolen from the U.S. Treasury and it be an acceptable amount of loss? And to me, it must be acceptable since this got rolled out in phases. I think $2 trillion was
the first to be approved. And of course, scammers immediately started grabbing that cash. And when
that wasn't enough, they rolled out even more trillions of dollars without putting changes
in place to stop this from happening. You'd think someone would have said, listen, that last round, a lot of money got stolen.
Is this really an acceptable amount of loss? But no, nobody listened. And the money just kept
getting handed and handed right to the scammers. What an embarrassment. I'm tempted to get to the
bottom of this and figure out who bungled this money. Who was in charge of handing out $5 trillion and was
like, oh, we don't need guardrails. I don't think anyone's going to steal from us. Who denied the
budget for a security audit or team? Who ignored the person saying, hold on, if we start handing
money out this way, we're going to get a lot stolen. Who out there thinks it's totally fine
that we lost a trillion dollars? I want my voice to be clear. As an American, this is unacceptable to me. I'm very disappointed that the U.S. government
handed this much money to the same Nigerian scammers who tried to convince us all that
our long-lost relative was the Prince of Nigeria. I would be understanding if the government fell
victim to some sophisticated cyber attack like a ruthless, unstoppable bull. But you got taken by the least sophisticated scammers on the planet.
You need to do better. When you're handing out this much money as fast as you can,
you've got to look at who you're handing it to. At the very least, give it to an American.
What is this, your first day on the internet?
Listen to Secret Service agent Roy Dotson here.
He's the lead investigator of this case.
Fast money equals fast crime.
I mean, at this point of this interview,
I'm just kind of feeling defeated and surprised. Welcome to the last seven years of my
life. Because it's something where it's like, it's very disheartening. And like I said, staring at
this stuff for so long, it's something where it's like, it is very disheartening because you do feel
defeated. You do feel like, okay, we've literally lost $500 billion. And that's just what we know.
Like if we were to actually like piece together what we knew, I'm just going to throw this out there. Like we're easily over a trillion
dollars that we lost here. And a lot of what it comes down to is admitting that there was a
problem, admitting that something needs to be fixed, admitting that something needs to give.
Because if you keep having this much money that's going out and you don't admit that it's a problem,
like you're just going to be stuck.
And when you go and look at the 20-25 years of Nigerian prince scams, this is the whole reason that we're here right now. It's because no one wanted to admit that, no, this is actually
something that's happening. Yes, there were people who were actually being socially engineered into
this. We have to work with those people in order to identify some of that. So trust me, I totally
resonate with you. I totally feel you when you're like, you feel defeat on that.
Because like, a lot of times I do too.
But knowing that I'm on the right side of this, knowing that I'm helping victims, I'm
helping them recover their money.
And knowing that I'm helping reshape a lot of the way that the industry thinks about
themselves, like that's what keeps me fighting this stuff every day. You might want to check out Intelligence for Good because they might be able to help you. This episode was created by me, the master of disaster, Jack Rhysider.
Assembled by the juicy smoocher, Tristan Ledger.
Mixing done by Proximity Sound and our theme music is by the mysterious Breakmaster Cylinder.
You might be wondering what my political association is.
I'm Alt-Tab.
This is Darknet Diaries.