Chapter 1
The Rise of Cyber Organized Crime and Its Global Impact

The infectiousness of crime is like that of the plague.

Napoleon Bonaparte

What is the cyber threat? The most basic definition is uncommonly simple: It is that common ground where human beings, the Internet, and computers interact. The resulting threat can be an honest mistake—or a malicious strike. An honest mistake can be addressed through increased awareness about the importance of handling sensitive information. The malicious strike is different.

The crime wave of the future is here: the growing criminal conspiracy known as transnational organized crime, or TOC. Criminal networks and organized groups work throughout multiple countries to plan and execute their business goals. Their operations involve many of the most despicable of crimes: human trafficking, the sexual exploitation of adults and children, narcotics trafficking, violent crimes, corruption, arms trafficking, and even the selling of human body parts and endangered species. Unfortunately, TOC is an early adopter of new technology and strong security.

Transnational organized crime is somewhat fluidly defined by the United Nations as “offences committed in more than one State” and “those that take place in one State but are planned or controlled in another. Also included are crimes in one State committed by groups that operate in more than one State, and crimes committed in one State that has substantial effects in another State.”1

Transnational cyber crime is believed to have defrauded U.S. companies and citizens of billions of dollars a year, according to some reports. Others believe the amount is far higher. The amount of financial loss is extremely hard to gauge and is subject to interpretation by varying experts. But the following is a fact: Regardless of the actual numbers, this is a serious and growing problem. And this is just one example: it covers only the online frauds practiced by Eastern European cyber crime networks and does not include frauds from other regions of the globe, such as the People's Republic of China.

The UN notes that “transnational organized crime manifests in many forms, including as trafficking in drugs, firearms and even persons…and undermine financial systems through money laundering. The vast sums of money involved can compromise legitimate economies.”2

Most law enforcement organizations, as well as the UN Office on Drugs and Crime (UNODC), acknowledge that organized crime has grown dramatically and has become a truly global issue. “Transnational organized crime can permeate government agencies and institutions, infiltrating business and politics, and hindering economic and social development,” says the UN, which also states that transnational organized crime is “undermining governance and democracy by empowering those who operate outside the law.”3

As the name suggests, transnational crime knows no borders, geographical or ethical. While such criminal behavior is global, covering virtually every continent, a few trends have become clear. Narcotics drive a lot of organized criminal behavior, and so do child pornography, prostitution, human trafficking, and gambling. No country seems immune, with a few possible exceptions. But Russian organized crime, and then Eastern European organized crime, has grown rapidly. With the so-called democratization of Russia came the liberation of organized crime, which under the Soviet Union had largely been contained and controlled by the KGB, ironically the state security apparatus. And then came the integration of technology. Transnational crime has embraced technology and security with a fervor that even many major corporations have not.

In Russia, for example, there has been an increase in legislative action to combat cyber crime originating there. But while there may be the legislative will to fight cyber crime, it seems that no real impact has been made in reducing it, at least not yet. In the pursuit of civil and criminal justice in many cyber crimes originating in, or intimately involving, Russia, that nation has proved less than helpful. Seeking cooperation from ISPs in the region, for example, is an often slow and painful process. Part of the reason for the lack of momentum in cooperation is that much of the cyber crime originates not only in Russia but in the Ukraine and other former Soviet bloc nations. It does not help that U.S.-Russia relations have become increasingly strained over Russia's grant of temporary asylum to U.S. National Security Agency whistleblower Edward Snowden, and it remains uncertain what impact Russia's dispute with Ukraine—and potentially other former Soviet states—will have on organized crime in the future. However, history suggests that not much is likely to change, at least not change for the better.

Ironically, one important distinction that separates legitimate businesses from criminal groups is the widespread and consistent use of encryption. Many companies see encryption as a distraction, an impediment that is counter to information management and productivity. “It's complicated, it slows things down,” businesses often say. “It requires a lot of management.” But criminal groups take a more reasoned view and understand that it creates a more protected channel of communications than those used by many companies, despite the fact that law enforcement is making gains in penetrating encrypted networks.

Organized cyber crime on a global scale enjoys several conditions that make it extremely difficult to combat. These include the following:

  • Organized crime invests heavily in technology and knows how to use it. They're early adopters.
  • Organized crime uses encryption aggressively, unlike many companies around the world. Criminals understand the value of using strong encryption as a method of secure communication and seem to worry less about the technical and administrative costs associated with it. While U.S. companies managing regulated data do use some encryption, even many regulations do not actually mandate the use of it, and then some companies that are supposed to encrypt information do not.
  • Since most intellectual property and trade secret protection is not mandated by law, or by boards of directors, encryption often is not used to defend this information, regardless of its financial value.
  • Organized crime uses something called Tor, or The Onion Router. Tor is a series of encrypted networks that are optimally secure and that slow or block law enforcement investigations, although law enforcement is making progress in breaking these communications systems.
  • Organized crime internal policy enforcement is very strict, and often lethal.
  • The low cost of technology enables the acquisition of extremely powerful technology, even in mobile platforms.
  • The expansive use of social media creates new opportunities for the acquisition of information useful in profiling identity theft and phishing targets.
  • Criminals skillfully cover their tracks during a breach. In targeted companies with inadequate security defenses, the attackers are largely able to enter and exit, undiscovered, with relative ease. Some attackers have been identified only after careful review of the electronic log information, from firewalls, for example. But in many cases these logs are not reviewed regularly or even often, so the attack may not become apparent until the logs come under review. In companies without strong defenses and disciplined review policies, attacks can go on for long periods of time.
  • Organized crime has no moderating moral compass, and, conversely, most law enforcement agencies abide by a strict set of guidelines, creating a gap between criminal action and apprehension. This is particularly true when the targeted entities are based outside the region where the criminal enterprises are based. Human trafficking and exploitation are accepted as legitimate forms of business.
  • Marginally effective or even ineffective laws governing jurisdiction become obstructions in the investigative process. The global legal framework for combating cyber crime is woefully deficient.

Cyber crime and money laundering are widespread in TOC. The reason is simple: These crimes are profitable. All of the crimes noted, especially in emerging nations, generate significant revenue. But unlike normal businesses, criminal organizations often do not use traditional banks. They are more apt to use money-laundering services such as Liberty Reserve, S.A., which is said by U.S. law enforcement authorities to have specialized in servicing organized criminal networks.

Transnational criminal networks engage in a variety of cyber crimes. The cost to business and to consumers runs into the billions of dollars a year. Perhaps most significantly, these operations could undermine confidence in the global financial system.

Is Nothing Sacred?

Over a cup of coffee one spring afternoon in the heart of Boston's Financial District, an attorney and veteran insurance industry executive with 30 years of experience put it succinctly. “When you get labeled with child pornography, that's the worst-case scenario. How do you ever come back from that? You get branded with the label of being associated with child pornography, and that's it. You can kiss your career good-bye.”

He posed an interesting question. It used to be that the subject of child pornography never saw the light of day, at least not among respectable adults, except law enforcement. But this seems to be a troubling corner around which we have turned, thanks to organized crime, which has the dubious and disgusting distinction of controlling much of that despicable content.

Another attorney, a former U.S. Justice Department official, attended a meeting in Washington, D.C., in which photographs of children engaged in sexual acts with adults were spread across the table. He threw up. He had passed the test. Child pornography disgusted him to the point of nausea. He would now join the task force formed to combat the sexual abuse of minors. Human smuggling is an equally appalling crime and is associated with transnational organized crime.

Disturbingly, an increasing number of data breaches involve either actual photographic, morphed, or textual references to child trafficking and sexual exploitation. The intent is often to extort money, blackmail, compromise corporate brands, and steal proprietary information. It seems that the criminals behind these crimes will stop at nothing to devise extortion and blackmail schemes. Using the Internet for exploitation has become commonplace.

According to the White House, human trafficking is linked to other transnational crimes that include “drug trafficking and the corruption of government officials. [Traffickers] can move criminals, fugitives, terrorists, and trafficking victims, as well as economic migrants. They undermine the sovereignty of nations and often endanger the lives of those being smuggled.”

In its 2010 report The Globalization of Crime: A Transnational Organized Crime Threat Assessment, the UNODC estimated that the smuggling of persons from Latin America to the United States generated approximately $6.6 billion annually in illicit proceeds for human smuggling networks.4

The connection to cyber crime is, among other things, money laundering. Criminal proceeds must be laundered. The Internet and the Web have become tools used by money launderers. The offshore company known as Liberty Reserve was shut down by U.S. law enforcement and charged with a number of financial crimes for laundering the assets of criminal organizations around the world.

In written testimony before the House Committee on Appropriations Subcommittee on Homeland Security hearing on the president's fiscal year 2013 budget request for the Secret Service, Director Mark J. Sullivan remarked that “threats posed by cyber criminals to our nation's payment and financial systems…are a growing concern to the Secret Service.”5 The director stated that among the Secret Service's top priorities are “safeguarding and securing cyber space; and preventing cyber crime and other malicious uses of cyber space.…The Secret Service's Cyber Intelligence Section manages three cyber crime working groups that work to identify, locate, and apprehend transnational cyber criminals involved in network intrusions, hacking attacks, malware development, phishing schemes, and other forms of cyber crime.”

Transnational cyber crime is complex to break. Data and criminals move at will across national boundaries. While investigating these crimes can be challenging, it's not impossible.

The Liberty Reserve Case: Money Laundering in the Digital Age

Consider the Liberty Reserve case. “These arrests are an example of the Secret Service's commitment to investigate and apprehend criminals engaged in the misuse of virtual currencies to conduct global monetary fraud,” says Steven G. Hughes, special agent in charge of the U.S. Secret Service New York Field Office. “Cyber criminals should be reminded today that they are unable to hide behind the anonymity of the Internet to avoid regulated financial systems.”

Federal prosecutors point to Liberty Reserve as a major player in cyber crime. “Liberty Reserve has emerged as one of the principal means by which cyber criminals around the world distribute, store, and launder proceeds of their illegal activity.”6 It was believed to have become the “financial hub of the cyber-crime world, facilitating a broad range of online criminal activity, including credit card fraud, computer hacking, child pornography, and narcotics trafficking.” Simply put, Liberty Reserve helped a lot of transnational criminal organizations launder ill-gotten gains. The U.S. government called the scope of the defendants' unlawful conduct “staggering.” It was also a tangled web.

Here is how Liberty Reserve operated. According to the indictment, Liberty Reserve was “used extensively for illegal purposes, functioning, in effect as the bank of choice for the criminal underworld.” Liberty Reserve users are said to have routinely established accounts under false names. Prosecutors will argue in court that Liberty Reserve users believed that the veil of anonymity created and deployed by Liberty Reserve would protect them with impunity.

And for a while, it did.

The Liberty Reserve case has affected a number of U.S. companies that were targeted for a variety of Web-related frauds, including blackmail and extortion. The Secret Service, the Department of Homeland Security, and the Internal Revenue Service executed arrest and search warrants in seven countries, including Spain, Costa Rica, the Netherlands, and the United States. Assets of Liberty Reserve were frozen in Hong Kong, Spain, Morocco, and China. Current and former executives of Liberty Reserve were charged with violating numerous anti–money laundering statutes and operating as illegal money transmitters.

According to the Treasury Department, Liberty Reserve developed a virtual currency called “LR” that was used to anonymously buy and sell software designed to steal personal information and attack financial institutions. The hackers who in 2013 stole $45 million from two Middle Eastern banks by hacking prepaid debit cards used Liberty Reserve to distribute the proceeds of the crime.

Liberty Reserve's criminal conduct was as widespread as it was lucrative. It had approximately 1 million users worldwide, with more than 200,000 in the United States. It is estimated that Liberty Reserve processed more than 12 million financial transactions annually, with a combined value of more than $1.4 billion. According to the Secret Service, from 2006 to May 2013 Liberty Reserve is believed to have processed an estimated 55 million separate financial transactions and laundered more than $6 billion in criminal proceeds.

The U.S. Department of the Treasury, using the USA Patriot Act, said of Liberty Reserve that it was “specifically designed and frequently used to facilitate money laundering in cyber space.”

A grand jury indictment filed in U.S. District Court for the Southern District of New York lays out a number of details about Liberty Reserve and the crimes it is alleged to have committed. The indictment describes in detail the financial frauds committed by Liberty Reserve defendants, including the development of a system of payments that allowed users to open accounts under false names in order to conceal criminal activity. Users opened accounts under false names such as “Russia Hackers” and “Hacker Account.”

Here is how the money-laundering scheme worked:

A user first had to open an account through the Liberty Reserve web site. Users did so using only a name, address, and date of birth. Liberty Reserve is said not to have made any attempt to verify any account holder information through the examination of identification documents or even a credit card. This was tantamount to an open invitation to criminal use for money-laundering purposes. Accounts could be opened using fictitious information.

Once an account was opened, the user could conduct business anonymously with any other Liberty Reserve users, a group of unidentified and undocumented individuals. Liberty Reserve charged a 1 percent fee every time a user transferred the LR digital currency through the Liberty Reserve system. Users could opt to include what was called a “privacy fee” of 75 cents per transaction that enabled users to hide account numbers, adding an additional layer of anonymity and making the transaction virtually untraceable.

But Liberty Reserve added another layer of anonymity. It did not allow users to deposit money directly into their accounts by issuing a credit card payment, for example, or by wire transfer. Nor were users allowed to withdraw funds directly from Liberty Reserve, so there were no ATM withdrawals, for example. Users were required to make deposits and withdrawals through third-party operations known as “exchangers.” This enabled Liberty Reserve to avoid collecting any user data through banking transactions or other activity that would leave a centralized financial paper trail.

Liberty Reserve's exchangers were third parties who maintained direct relationships with the company. They bought and sold LRs in bulk in exchange for conventional currency. Then they bought and sold LRs in smaller transactions with end users in exchange for conventional currency. So in order to fund a Liberty Reserve account, a user was required to transmit conventional currency to an exchanger. When the exchanger received the user's payment, the exchanger credited the user's Liberty Reserve account with a corresponding amount of LR, by transferring LR from the exchanger's Liberty Reserve account to the user's Liberty Reserve account.

If a Liberty Reserve user wanted to withdraw funds from the Liberty Reserve account, the user was required to transfer LRs from the Liberty Reserve account to an exchanger's Liberty Reserve account, and then the exchanger made arrangements to provide the user a corresponding amount of mainstream currency.

Liberty Reserve's web site, taken down by U.S. law enforcement in May 2013, recommended a number of what it labeled at the time as “preapproved” exchangers. Of course, consistent with the fraud, the exchangers tended to be unlicensed money-transmitting businesses operating without meaningful government oversight or regulation, in nations not well known for financial transaction oversight and regulation. The exchangers listed by Liberty Reserve were concentrated mostly in Malaysia, Russia, Nigeria, and Vietnam.

The Corruption Factor

Government corruption is always a factor when it comes to trusted transactions, ones subject to close scrutiny, and where the interests of law enforcement, consumers' rights, and information integrity are enforced. Interestingly, each of the nations noted above that hosted the exchangers recommended by Liberty Reserve received poor ratings on the Transparency International Corruption Perceptions Index of 2012. The index scores countries on a scale of 0 to 100. A zero score means that a country is perceived to be highly corrupt, while a score of 100 means that a country is perceived to be free of corruption. No country received a score of 100, though some rated very highly.

According to the index, about two-thirds of countries scored below 50, “indicating a serious corruption problem.” Transnational criminal factions are often attracted to the lower-scoring nations, where corruption and bribery are more common and where governments are more likely to look the other way, many times even participating in illicit activity themselves.

Russia, for example, one of the countries hosting unlicensed money transmitters, received a score of 28 and was ranked 133 out of 174 countries in lack of corruption. For perspective, consider that nations also receiving a score of 28 and a ranking of 133 included Comoros, Guyana, Honduras, Iran, and Kazakhstan. Nigeria, another host country, ranked 139 of 174, with a score of 27. Vietnam, with a score of 31, was ranked 123. Malaysia was ranked higher, at 54, and its score was 49, the same as the Czech Republic and Latvia. Costa Rica, the former host country to Liberty Reserve, was ranked 48 and scored 54. By comparison, Denmark and Finland (both scored 90) were perceived as the least corrupt, followed by New Zealand, Singapore, Switzerland, and Australia. The United States was ranked 19 and scored 73, while Canada was ranked ninth and scored 84.

The Liberty Reserve–recommended exchangers, not surprisingly, charged transaction fees for their services. Typically the fee would be 5 percent or even more of the transaction value, much higher than a legitimate bank or payment processor would charge for the same service. Clearly, the Liberty Reserve system was designed “so that criminals could effect financial transactions under multiple layers of anonymity and thereby avoid apprehension by law enforcement,” according to court records.

Liberty Reserve's web site included a shopping cart feature, similar to that of almost any transactional web site. So-called merchant web sites used this feature to accept LR digital currency as a form of payment. These “merchants” were, according to prosecutors, overwhelmingly criminal in nature. They included “traffickers of stolen credit card data and personal identity information; peddlers of various types of online Ponzi schemes; computer hackers for hire; unregulated gambling enterprises; and underground drug-dealing web sites.” But the criminal activity did not stop there. Liberty Reserve was also used by “cyber criminals to launder criminal proceeds and transfer funds among criminal associates. The company was used by credit card theft rings and computer hacking operating in countries around the world, including Vietnam, Nigeria, Hong Kong, China, and the U.S.”

Not mentioned in the court documents was a case in which a Costa Rican national came to the United States, worked for a company there, gained access to consumer credit cards, and sold them to criminal gangs operating in the United States and Costa Rica. It is believed that the proceeds from the credit cards were laundered through Liberty Reserve.

Liberty Reserve defendants knew that the U.S. government was breathing down their necks. In fact, U.S. law enforcement was able to capture an online chat between two defendants. The chat shows that Liberty Reserve was on the law enforcement radar screen: “Everyone in the USA,” such as “DOJ [Department of Justice],” knows that “LR is [a] money laundering operation that hackers use.”

In 2009 the company applied for a license to operate out of Costa Rica, but the application was denied, for a very simple reason: Liberty Reserve, according to Costa Rican authorities, lacked even the most basic anti–money laundering controls, such as the one called “know your customer,” or KYC. This is especially important as a defense for financial institutions. U.S. regulations refer to it as a Customer Identification Program, or CIP, and one of its goals is to be able to anticipate the likelihood of a customer's engagement in money laundering.

The USA Patriot Act requires that financial institutions “shall establish appropriate, specific, and, where necessary, enhanced, due diligence policies, procedures, and controls that are reasonably designed to detect and report instances of money laundering through those accounts.”7 Not only did Liberty Reserve fail to observe the KYC requirement, but the company also had no effective means of tracking suspicious activity. Of course, it appears that Liberty Reserve had no incentive or desire to track suspicious activity, because seemingly the overwhelming majority of its transactions were suspicious.

If the company had been a legitimate entity, it would have made some attempt to remedy its anti–money laundering deficiencies. Instead, it created a deception. Liberty Reserve “created a system designed to feign compliance with anti–money laundering procedures,” according to court records. The defendants, in effect buying more time in which to continue their illicit operations, “created a computer portal that appeared to give Costa Rican regulators the ability to access Liberty Reserve transactional information and monitor it for suspicious activity.” In fact it was a ruse. Most of the data in the portal was planted by the company; it was mostly false. The falsified data could be manipulated and serve as a veil to conceal information that Liberty Reserve did not want regulators to see.

By November 2011 the company was still unable to obtain a license to operate legally in Costa Rica. During that time the U.S. Treasury Department's Financial Crimes Enforcement Network (FinCEN) took notice. The U.S. government began to notify financial institutions of the risk of doing business with Liberty Reserve. In part, the notification stated, there was a “risk associated with providing financial services to Liberty Reserve.…Information obtained by the United States Department of the Treasury indicates Liberty Reserve is…currently being used by criminals to conduct anonymous transactions to move money globally.”

In a move of deception, about two weeks after the FinCEN notice the defendants told Costa Rican authorities that the business had been sold to a foreign company and would no longer be operating in Costa Rica. But that was not the case. It just withdrew its application for a money-transmitting license, suggesting that it had shut down its office there. Of course, Liberty Reserve continued to operate out of Costa Rica. It went underground and used a scaled-down office, working out of facilities held in the name of shell companies controlled by one of the defendants.

The misrepresentations didn't end there. At about the same time, the defendants were emptying Liberty Reserve bank accounts in Costa Rica of millions of dollars. According to the indictment, the monies were transferred first to a bank account in Cyprus held in the name of a shell company controlled by several of the Liberty Reserve defendants, and then to a bank account in Russia in the name of another shell company.

Soon after Liberty Reserve moved to empty its bank accounts, U.S. law enforcement authorities requested that the Costa Rican government move against the Liberty Reserve accounts. Costa Rica seized about $19.5 million. In response to the seizure, the defendants took another evasive action against more seizures by moving Liberty Reserve funds into more than two dozen shell companies' accounts in Cyprus, Hong Kong, China, Morocco, Australia, and Spain.

Prosecutors have charged that the defendants knew that the money they were laundering was the result of unlawful activity: identity theft, access device fraud, computer hacking, wire fraud, child pornography, and narcotics trafficking.

It is important to remember that the application was filed in 2009 and that the company was not taken down by U.S. law enforcement until May 2013. So for more than three years after the application was denied, Liberty Reserve continued to operate. The point is this: Every company must rely on its own risk management and due diligence process. Law enforcement and prosecutorial action require varying but significant time for evidence collection and case development. This is especially true of transnational crime, where conflicting laws and geopolitical considerations come into play. So even when a corrupt company has come under the close examination of federal authorities and advisories have been sent to financial firms as a warning, the continued operation of the criminal company poses a significant threat to any enterprise that drifts into its scope or is targeted by it.

Although not specified in the indictment, some of the illicit financial proceeds handled by Liberty Reserve involved the theft and unauthorized use of corporate intellectual property by criminal networks around the world. The use of compromised intellectual property was involved in the commission of identity theft and financial fraud, through the deployment of scam web sites. The web sites looked valid. And that's the point. Because the web sites looked authentic, potential investors and other high net worth individuals and executives would visit them and open an account “to receive additional information.” To open an informational account, the site visitor would simply create a login ID and a password.

Such sites typically work in the following way: Once a prospective investor reads the sales pitch, they have the option to learn more. Potential investors are often high net worth executives who possess discretionary income available for investment. The investor has the option to learn more by establishing a no-obligation account, created by entering login identification and a password. The problem, one anticipated by the organized criminals, is that many visitors will use their corporate e-mail address as the login ID and their corporate e-mail password. The visitor will assume that the password, because it does not display on the screen in clear text, is secure. In fact, it is not. So in registering for an informational account, the visitor has just handed over to criminals around the world four critical pieces of information to be used later:

  1. The name of the visitor;
  2. The name of the company;
  3. The prominence of the company (established, well-known brands, for example); and
  4. A password.

The site visitor, having unwittingly surrendered critical confidential information, is now at elevated risk, and so is the company. The visitor could be targeted for specialized attacks to defraud him. But the data could also be used to try to gain access to proprietary data belonging to the company. With the individual's secret login credentials, depending on other security measures in place at the company, the criminals may gain access to privileged information, including valuable trade secrets, even the individual's financial accounts. Additionally, these individuals' profiles could be used to create and proliferate additional fraudulent investment sites.

There are cases where extensive financial account information on executives has been stolen from financial institutions and posted online by criminals in order to intimidate the targeted executive. Once the corporate and executive brand data is distributed by the franchisees across the Web and plastered on unsavory web sites containing references to human trafficking, sexual exploitation, and other crimes, the criminals know that the executive and the company are under a lot of stress. They know that law enforcement will be brought in, and they know that the targeted company is going to be very sensitive to the negative exploitation of its brand and its executives. They keep putting pressure on the company by spreading its information to more and more exploitative web sites around the world.

So the web site is up, running, and proliferating: It is set to generate revenue from the franchises. The number of operators of the scam helps slow down law enforcement. Sometimes the criminal groups offshore will coordinate an up-close-and-personal component of an attack. They will have a contact close to the target company positioned within wireless broadcast range and provide a provocative name to the wireless network. If an employee at the target company clicks on the link, malware transmitted to the environment, unless it is identified and disabled, may broadcast data back to the criminal organization.

Once the corporation and its management and board have been victimized in this multifaceted fashion, the company is likely to start getting extortion demands: Buy the rogue web site to stop the attack and defamation. But of course, the attacks and defamation never stop, especially where franchised scam web sites continue the assault.

In addition to Liberty Reserve, at least one of the defendants in the case was also running companies named Silverhand Solutions & Technology, Worldwide E-Commerce Business, Grufo Lulu Limitado, Triton Group, Gold Age Inc., and Cyberfuel.com. These companies are assumed to have been engaged in various money-laundering activities. Any legitimate company that used the services of any of these brands should investigate the transactions to determine any potential risk.

Information Threat, Physical Threat

Being attacked by organized crime is always serious business. While many attacks originate in foreign countries, there is always the risk that local criminal affiliates engaged in transnational crime may become involved in extortion schemes, as has been discussed. Clients often ask about the potential physical threat against senior executives and their families. Some targeted executives acquire kidnapping insurance and hire executive protection firms to guard against the threat, and they may also want to understand the degree of physical security protection at their companies.

While many companies have successfully integrated physical, logical, and administrative security, many others have not. Physical security is often lax. When the executive team understands that their firm has been targeted and that organized crime may be behind the breach, the perception changes. Security takes on a new meaning. It is not a stretch to suggest that transnational crime is going to grow, and that cyber crimes will increasingly involve proximity, especially given the widespread use of wireless networks and corporate vulnerabilities.

As the old saying goes, better safe than sorry. When criminals attack the corporate brand, it goes without saying that they will do whatever they deem necessary to defraud and extort companies. This may mean disclosing an executive's home address and family members' names as a form of intimidation. It may mean showing up outside the corporate headquarters and broadcasting a wireless network in an attempt to get employees to log in and thereby allow for the downloading of malware. Criminals may e-mail the targeted executive with extortion demands. They may even threaten that executive. Law enforcement cannot be depended on to protect every executive targeted by criminals. Every company should practice good security and the management of risk. The time to develop a robust response plan is not after the extortion demand is made.

Tomas Filipiak, an information security consultant and information warfare officer who served as a U.S. Army captain, observed, “Instead of proactive leadership, information security awareness has been implemented as a reaction to unfortunate events such as government and corporate espionage and identity theft. The trend of reactionary vulnerability remediation is an effect of the natural challenge of establishing return on investment metrics for security. The high cost of information security measures coupled with tight budgets may tempt leadership to reduce security expenditures, especially if a high-profile incident hasn't occurred in the recent past.”8

He continues, “Enemies that choose to engage in cyber warfare to attack our national interests or steal information are patient. They can see the trend in reactionary measures, and if they are smart they will wait for calm to relax our vigilance and our information security budgets. With our defenses weakened, they would be empowered to strike utilizing zero day attacks that may have not been considered or for which defensive measures have proved to be cost-prohibitive. Zero day attacks are simply ones that have not yet been addressed by those developing patches or fixes to stop the attacks. Certainly there will be a response to such an attack, but what collateral damage will need to be overcome that could have been prevented with proactive information security awareness measures?”

Notes
