Frauds & Scams: Predictive Modeling

Pamela Clegg, VP of Financial Investigations, CipherTrace

Posted 03-Apr-2022

Psychology of Scammers & Victims

Human Behavior: Addiction to Attention and Validation

Advanced Feed Fraud

Addicted to the attention

• “Do You Love Me? Psychological Characteristics of Romance Scam Victims,” Monica T. Whitty at the Univ of Warwick

• “The online dating romance scam: causes and consequences of victimhood,” T. Buchanan & M.T. Whitty at Univ of Westminster

• “Romance Scams and Psychological Profile of a Perfect Victim,” Psychologia.co

• “Internet romance scammers know what their victims are longing to hear, expert says,” abc.net.au

After Scam is Discovered or Ended, Victims Still Crave the Attention

This scam has been found to cause a “double hit”–a financial loss and the loss of a relationship. Whitty and Buchanan found that for some victims the loss of the relationship was more upsetting than their financial losses, with some victims describing their loss as the equivalent of experiencing a death of a loved one.


Complex Language of Love to Get Hooked

"The language is really important. When we speak to victims they say they've been connected, prolifically in the initial stages, using extremely validating language and we are all suckers for it....being told how much they are loved, how wonderful they are … regular text messages not just through the day, but through the night.”

"The victim is then expecting those validating messages to come through. They're incredibly supportive, they're appealing, they're flattering, they're soothing.

"It is quite addictive."

"The process results in the brain releasing specific chemicals... like dopamine, which causes euphoric feelings that are pre-emptive to falling in love, adrenaline, norepinephrine … oxytocin levels rise in these cases, which increases our level of trust.”

DOJ and Mules

Psychological Factors: Who is Likely to Fall Victim

● Impulsivity. Because extracting money from victims often involves a sense of urgency, such as in the example above or, even more extreme, supposedly urgent medical expenses, impulsive people are more likely to pay and do so sooner without careful consideration.

● Desperation. Middle aged and elderly people, abandoned people, people with emotional problems, single mothers or people who view themselves as unattractive can be very desperate to find a partner and are more likely to become victims.

● History of addiction. People with addictive personality can become addicted to the idea of romance and the scam itself.

In addition, women tend to fall victim more frequently than men, and it doesn’t matter whether or not they are highly educated.

Scammers are constantly coming up with new ideas, and even informed people can fall victim to online romance scams. However, there are some common personality traits that make it more likely:

Scammer Opportunities


Scammer Motivation

• Lack of Pursuit

• Easier to Launder Digital Proceeds - Easy doesn’t fix dumb

• Targets are easy to acquire

Case Examples

Romance Scam

From Bank to Crypto

SBA Loan / Romance Scam

Virtual Currency Risks, Red Flags and Illicit Activities

In May 2019, FinCEN released FIN-2019-A003, Advisory on Illicit Activity Involving Convertible Virtual Currency.

FinCEN issued this advisory to assist financial institutions in identifying and reporting suspicious activity concerning how criminals and other bad actors exploit convertible virtual currencies (CVCs) for money laundering, sanctions evasion, and other illicit financing purposes, particularly involving darknet marketplaces, peer-to-peer (P2P) exchangers, foreign-located Money Service Businesses (MSBs), and CVC kiosks.

Risk Scenarios to Watch For

In September 2020, FATF released a report on Virtual Assets Red Flag Indicators of ML/TF.

In order for banks to detect any of the red flag indicators of ML/TF, it is necessary for them to be able to accurately identify and monitor all crypto-related transactions.


Risk Scenarios to Watch For

FATF Virtual Asset Red Flag Indicators of ML/TF cover suspicious activity in the following areas:

1. Transactions
2. Transaction Patterns
3. Anonymity
4. Senders or Recipients
5. Indicators in the Source of Funds or Wealth
6. Geographical Risks

Money Mule

BTM Money Mule Romance Scam

Use of BTMs for Scams

Red Flag Indicators Related to Senders or Recipients

Profile of potential money mule or scam victims

⚑ A customer significantly older than the average age of platform users opens an account and engages in large numbers of transactions, suggesting their potential role as a VA money mule or a victim of elder financial exploitation.

⚑ A customer being a financially vulnerable person, who is often used by drug dealers to assist them in their trafficking business.

⚑ Customer purchases large amounts of VA not substantiated by available wealth or consistent with his or her historical financial profile, which may indicate money laundering, a money mule, or a scam victim.

BEC: Count the Red Flags

[Diagram: BEC proceeds ($3M) traced from Bank A and Bank B through a US VASP, offshore VASPs and a P2P exchange.]

Trace the Crypto

[Diagram: the traced funds pass through multiple deposits to CEX1 and to US CEXs.]

Business Email Compromise and Cryptocurrency

Additional BEC victim discovered through blockchain analytics by analyzing consolidations

Red Flag Indicators Related to Transactions

Size and frequency of transactions

⚑ Structuring VA transactions in small amounts, or in amounts under record-keeping or reporting thresholds

⚑ Making multiple high-value transactions in short succession, or in a staggered and regular pattern

⚑ Transferring VAs immediately to multiple VASPs, especially to VASPs registered or operated in another jurisdiction where there is non-existent or weak AML/CFT regulation

⚑ Depositing VAs at an exchange and then often immediately:

• withdrawing the VAs without additional exchange activity to other VAs, which is an unnecessary step and incurs transaction fees;

• converting the VAs to multiple types of VAs;

• withdrawing the VAs from a VASP immediately to a private wallet. This effectively turns the exchange/VASP into an ML mixer.

⚑ Accepting funds suspected as stolen or fraudulent

Red Flag Indicators Related to Transaction Patterns

Transactions Concerning New Users

⚑ Large initial deposit to open a new relationship with a VASP

⚑ Large initial deposit to open a new relationship with a VASP, with the entire deposit funded on the first day, after which the customer:

• trades the total amount or a large portion of it on that same day or the day after, or withdraws the whole amount

• laundering in large amounts could also be done through over-the-counter trading to avoid the VASP’s transactional limits

⚑ A new user attempts to trade the entire balance of VAs, or withdraws the VAs and attempts to send the entire balance off the platform
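As an added example (written for this page; it is not CipherTrace's, FATF's or FinCEN's code), the following Python turns four of the red flags above into screening rules over a VASP's own transaction log: deposits structured just under a threshold, several high-value transactions in quick succession, a deposit followed by an immediate withdrawal with no trade in between, and a new user who moves a large initial deposit out within a day. The threshold values, account names and log lines are constructed assumptions; a real deployment takes the reporting threshold from the applicable rule and tunes the windows to its own traffic.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed cut-offs (constructed for this example, not regulatory values).
REPORTING_THRESHOLD_USD = 10_000   # record-keeping / reporting threshold
STRUCTURING_BAND = 0.90            # deposits in [90%, 100%) of it count as "just under"
HIGH_VALUE_USD = 50_000            # "high-value" transaction cut-off
LARGE_INITIAL_USD = 100_000        # "large initial deposit" cut-off

@dataclass(frozen=True)
class Tx:
    ts: datetime
    account: str
    kind: str      # "deposit", "trade" or "withdraw"
    usd: float     # fiat-equivalent value at transaction time

def parse_log(lines):
    """Parse 'ISO-timestamp,account,kind,usd' lines into time-ordered Tx records."""
    txs = []
    for line in lines:
        ts, account, kind, usd = line.strip().split(",")
        txs.append(Tx(datetime.fromisoformat(ts), account, kind, float(usd)))
    return sorted(txs, key=lambda t: t.ts)

def by_account(txs):
    groups = defaultdict(list)
    for t in txs:
        groups[t.account].append(t)
    return groups

def flag_structuring(txs, window=timedelta(days=1)):
    """Two or more deposits just under the threshold within one window."""
    flags = set()
    for acct, seq in by_account(txs).items():
        hits = [t for t in seq if t.kind == "deposit" and
                STRUCTURING_BAND * REPORTING_THRESHOLD_USD <= t.usd < REPORTING_THRESHOLD_USD]
        if any(b.ts - a.ts <= window for a, b in zip(hits, hits[1:])):
            flags.add(acct)
    return flags

def flag_rapid_high_value(txs, min_count=3, window=timedelta(hours=1)):
    """At least min_count high-value transactions inside one window."""
    flags = set()
    for acct, seq in by_account(txs).items():
        times = [t.ts for t in seq if t.usd >= HIGH_VALUE_USD]
        if any(times[i + min_count - 1] - times[i] <= window
               for i in range(len(times) - min_count + 1)):
            flags.add(acct)
    return flags

def flag_deposit_then_withdraw(txs, window=timedelta(hours=2)):
    """Deposit, then a withdrawal of (nearly) the same value with no trade in between."""
    flags = set()
    for acct, seq in by_account(txs).items():
        for i, t in enumerate(seq):
            if t.kind != "deposit":
                continue
            for u in seq[i + 1:]:
                if u.ts - t.ts > window or u.kind == "trade":
                    break                      # a trade means the VASP was not a pass-through
                if u.kind == "withdraw" and u.usd >= 0.9 * t.usd:
                    flags.add(acct)
                    break
    return flags

def flag_new_user_dump(txs, window=timedelta(days=1)):
    """First activity is a large deposit and (nearly) all of it leaves within the window."""
    flags = set()
    for acct, seq in by_account(txs).items():
        first = seq[0]
        if first.kind != "deposit" or first.usd < LARGE_INITIAL_USD:
            continue
        moved = sum(u.usd for u in seq[1:]
                    if u.kind in ("trade", "withdraw") and u.ts - first.ts <= window)
        if moved >= 0.9 * first.usd:
            flags.add(acct)
    return flags

def screen(lines):
    """Run every rule over the log and return {rule: sorted accounts}."""
    txs = parse_log(lines)
    return {
        "structuring": sorted(flag_structuring(txs)),
        "rapid_high_value": sorted(flag_rapid_high_value(txs)),
        "deposit_then_withdraw": sorted(flag_deposit_then_withdraw(txs)),
        "new_user_dump": sorted(flag_new_user_dump(txs)),
    }

# Constructed sample log: four accounts, one pattern each (not real data).
SAMPLE_LOG = [
    "2021-03-01T09:00:00,acct-A,deposit,9500",    # A: three just-under deposits in a day
    "2021-03-01T11:30:00,acct-A,deposit,9800",
    "2021-03-01T15:00:00,acct-A,deposit,9900",
    "2021-03-02T10:00:00,acct-B,deposit,120000",  # B: large first deposit, withdrawn 20 min later
    "2021-03-02T10:20:00,acct-B,withdraw,119000",
    "2021-03-03T08:00:00,acct-C,deposit,200000",  # C: large first deposit, traded and
    "2021-03-03T12:00:00,acct-C,trade,150000",    #    withdrawn the same day
    "2021-03-03T18:00:00,acct-C,withdraw,45000",
    "2021-03-05T09:00:00,acct-D,withdraw,60000",  # D: three high-value withdrawals
    "2021-03-05T09:10:00,acct-D,withdraw,70000",  #    within 20 minutes
    "2021-03-05T09:20:00,acct-D,withdraw,55000",
]
```

Running `screen(SAMPLE_LOG)` flags acct-A for structuring, acct-D for rapid high-value activity, acct-B for deposit-then-withdraw, and both acct-B and acct-C for the new-user pattern. Each rule is deliberately narrow so that an analyst can see which indicator fired; in practice the hits feed a review queue rather than an automatic decision, since a large deposit moved the same day is also what a legitimate treasury operation looks like.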

FinCEN, OFAC Warn of Potential Sanctions Violations for Allowing Customers to Pay Ransomware

If a ransomware victim uses an FI to send cryptocurrency to a sanctioned actor, that FI could be in violation of sanctions.

Blockchain analysis is vital to determine the entities associated with counterparty addresses.

Even if a specific crypto address isn’t designated, addresses associated with a sanctioned entity could result in potential sanctions violation.

OFAC Update in September 2021


https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf

OFAC Sanctions SUEX OTC, S.R.O.


https://home.treasury.gov/news/press-releases/jy0364

Sep 21, 2021 - In response to the growing ransomware threat, OFAC imposed financial sanctions on a cryptocurrency exchange platform, SUEX.

OFAC claimed that SUEX facilitated the laundering of cryptocurrency from eight ransomware strains, and that approximately 40% of its overall trading — more than $370 million — was illicit.

SUEX was incorporated in the Czech Republic and advertised its services to Russian users.

OFAC included a total of 25 bitcoin, ethereum, and tether addresses known to be controlled by SUEX on its sanctions list, which have received more than $930 million in total in various cryptocurrency.


https://home.treasury.gov/policy-issues/financial-sanctions/recent-actions/20210921

SPECIALLY DESIGNATED NATIONALS LIST UPDATE

The following entity has been added to OFAC's SDN List:

SUEX OTC, S.R.O. (a.k.a. "SUCCESSFUL EXCHANGE"), Presnenskaya Embankment, 12, Federation East Tower, Floor 31, Suite Q, Moscow 123317, Russia; Skorepka 1058/8 Stare Mesto, Prague 110 00, Czech Republic (Latin: Skořepka 1058/8 Staré Město, Praha 110 00, Czech Republic); Website suex.io; Digital Currency Address - XBT 12HQDsicffSBaYdJ6BhnE22sfjTESmmzKx; alt. Digital Currency Address - XBT 1L4ncif9hh9TnUveqWq77HfWWt6CJWtrnb; alt. Digital Currency Address - XBT 1LrxsRd7zNuxPJcL5rttnoeJFy1y4AffYY; alt. Digital Currency Address - XBT 1KUUJPkyDhamZXgpsyXqNGc3x1QPXtdhgz; alt. Digital Currency Address - XBT bc1qdt3gml5z5n50y5hm04u2yjdphefkm0fl2zdj68; alt. Digital Currency Address - XBT 1B64QRxfaa35MVkf7sDjuGUYAP5izQt7Qi; Digital Currency Address - ETH 0x2f389ce8bd8ff92de3402ffce4691d17fc4f6535; alt. Digital Currency Address - ETH 0x19aa5fe80d33a56d56c78e82ea5e50e5d80b4dff; alt. Digital Currency Address - ETH 0xe7aa314c77f4233c18c6cc84384a9247c0cf367b; alt. Digital Currency Address - ETH
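The SDN entry above is published as free text, so the first thing a compliance team does with it is extract the designated addresses and screen counterparties against them. The Python below is an added example written for this page (not OFAC's, CipherTrace's or any vendor's tool): it parses the "Digital Currency Address - CHAIN address" pairs out of the SUEX listing exactly as the page reproduces it, normalises case where the address format is case-insensitive, and checks a list of counterparties. The page's copy of the entry is cut off after a final "alt. Digital Currency Address - ETH" with no address, and the parser is written so that fragment yields nothing. The transaction ids and the unlisted bc1 address in the sample are constructed.

```python
import re

# Excerpt of the OFAC SDN entry for SUEX OTC, S.R.O. as reproduced on this page.
# The page's copy ends mid-entry; the trailing "alt. Digital Currency Address - ETH"
# carries no address and must not produce a record.
SDN_ENTRY_TEXT = (
    'SUEX OTC, S.R.O. (a.k.a. "SUCCESSFUL EXCHANGE"), Presnenskaya Embankment, 12, '
    "Federation East Tower, Floor 31, Suite Q, Moscow 123317, Russia; Skorepka 1058/8 "
    "Stare Mesto, Prague 110 00, Czech Republic; Website suex.io; "
    "Digital Currency Address - XBT 12HQDsicffSBaYdJ6BhnE22sfjTESmmzKx; "
    "alt. Digital Currency Address - XBT 1L4ncif9hh9TnUveqWq77HfWWt6CJWtrnb; "
    "alt. Digital Currency Address - XBT 1LrxsRd7zNuxPJcL5rttnoeJFy1y4AffYY; "
    "alt. Digital Currency Address - XBT 1KUUJPkyDhamZXgpsyXqNGc3x1QPXtdhgz; "
    "alt. Digital Currency Address - XBT bc1qdt3gml5z5n50y5hm04u2yjdphefkm0fl2zdj68; "
    "alt. Digital Currency Address - XBT 1B64QRxfaa35MVkf7sDjuGUYAP5izQt7Qi; "
    "Digital Currency Address - ETH 0x2f389ce8bd8ff92de3402ffce4691d17fc4f6535; "
    "alt. Digital Currency Address - ETH 0x19aa5fe80d33a56d56c78e82ea5e50e5d80b4dff; "
    "alt. Digital Currency Address - ETH 0xe7aa314c77f4233c18c6cc84384a9247c0cf367b; "
    "alt. Digital Currency Address - ETH"
)

# One "Digital Currency Address - <CHAIN> <address>" pair; OFAC labels bitcoin as XBT.
# The address group is mandatory, so the truncated tail of the entry does not match.
ADDRESS_RE = re.compile(r"Digital Currency Address - ([A-Z]+) ([0-9A-Za-z]+)")

def normalize(chain, address):
    """Canonical form for comparison: ETH hex and bech32 ('bc1...') addresses are
    case-insensitive; base58 bitcoin addresses are case-sensitive and kept as-is."""
    address = address.strip()
    if chain == "ETH" or address.lower().startswith("bc1"):
        return address.lower()
    return address

def parse_sdn_addresses(text):
    """Return {chain: set(normalized addresses)} from an SDN entry's text."""
    listing = {}
    for chain, address in ADDRESS_RE.findall(text):
        listing.setdefault(chain, set()).add(normalize(chain, address))
    return listing

def screen_transfers(transfers, listing):
    """transfers: iterable of (tx_id, chain, counterparty_address).
    Returns the sorted tx_ids whose counterparty is a listed address."""
    return sorted(tx_id for tx_id, chain, address in transfers
                  if normalize(chain, address) in listing.get(chain, set()))

# Constructed counterparty sample: tx ids are invented, the bc1 address is a placeholder.
SAMPLE_TRANSFERS = [
    ("tx-1", "XBT", "1KUUJPkyDhamZXgpsyXqNGc3x1QPXtdhgz"),
    ("tx-2", "ETH", "0xE7AA314C77F4233C18C6CC84384A9247C0CF367B"),  # listed address, upper-case hex
    ("tx-3", "XBT", "bc1qplaceholdernotlisted0000000000000000000"),   # constructed, not listed
    ("tx-4", "ETH", "0x19aa5fe80d33a56d56c78e82ea5e50e5d80b4dff"),
]

if __name__ == "__main__":
    listing = parse_sdn_addresses(SDN_ENTRY_TEXT)
    print({chain: len(addrs) for chain, addrs in listing.items()})  # {'XBT': 6, 'ETH': 3}
    print(screen_transfers(SAMPLE_TRANSFERS, listing))               # ['tx-1', 'tx-2', 'tx-4']
```

An exact-match screen like this is only the first check. As the slides above note, an address that is not itself designated can still belong to the sanctioned entity's cluster, which is why the talk stresses blockchain analytics on the counterparty side rather than a plain list lookup. Keep the match case-sensitive for base58 addresses: lower-casing them would silently collide distinct addresses.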


High Priority

Red flags that can pertain to any financial institution are:

- IT enterprise activity is connected to cyber indicators that have been associated with possible ransomware activity or cyber threat actors known to perpetrate ransomware schemes.

- When opening a new account or during other interactions with the financial institution, a customer provides information that a payment is in response to a ransomware incident.

Red flags specific to VASPs include:

- A customer’s CVC address, or an address with which a customer conducts transactions, appears on open sources, or commercial or government analyses have linked those addresses to ransomware strains, payments, or related activity.

- A digital forensics and incident response (“DFIR”), cyber insurance companies (“CIC”), or other company that has no or limited history of CVC transactions sends a large CVC transaction, particularly if outside a company’s normal business practices.

- A customer that has not identified itself to the CVC exchanger, or registered with FinCEN as a money transmitter, appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions between various CVCs, which may indicate that the customer is acting as an unregistered MSB.

- A customer initiates multiple rapid trades between multiple CVCs, especially AECs, with no apparent related purpose, which may be indicative of attempts to break the chain of custody on the respective blockchains or further obfuscate the transaction.

Best Practices: Financial Red Flag Indicators of Ransomware and Associated Payments

FinCEN advisory (CYBER FIN-2020-A006) identifies ten financial red flag indicators of ransomware-related illicit activity.

Red flags specific to banks and traditional financial institutions include:

- A transaction occurs between an organization, especially an organization from a sector at high risk for targeting by ransomware (e.g., government, financial, educational, healthcare), and a DFIR or CIC, especially one known to facilitate ransomware payments.

- A DFIR or CIC customer receives funds from a customer company and shortly after receipt of funds sends equivalent amounts to a CVC exchange.

- A customer shows limited knowledge of CVC during onboarding or via other interactions with the financial institution yet inquires about or purchases CVC (particularly if in a large amount or rush requests), which may indicate the customer is a victim of ransomware.

- A customer uses a CVC exchanger or foreign-located MSB in a high-risk jurisdiction lacking, or known to have inadequate, AML/CFT regulations for CVC entities.


Applying VASP Red Flags to FIs

How Criminals Use Crypto to Take Advantage of Banks

[Diagram: Dark Web drug proceeds → High-Risk VASP → Bank (layering) → Bank (integration) → Clean Funds]

1. Funds for illicit activities such as trafficking and stolen financial data are sent from dark markets to High-Risk VASPs.

2. Illicit funds will be sent from VASPs to the bank accounts of the drug trafficker or professional money launderer. Bank is unaware they are transacting with a high-risk VASP.

3a. Criminals now have access to clean funds

Russian Cryptocurrency Exchange – Transactional Risk


FinCEN Red Flag Indicators Darknet Marketplaces


⚑ A customer conducts transactions with CVC addresses that have been linked to darknet marketplaces or other illicit activity.

⚑ A customer’s CVC address appears on public forums associated with illegal activity.

⚑ A customer’s transactions are initiated from IP addresses associated with Tor.

⚑ Blockchain analytics indicate that the wallet transferring CVC to the exchange has a suspicious source or sources of funds, such as a darknet marketplace.

⚑ A transaction makes use of mixing and tumbling services, suggesting an intent to obscure the flow of illicit funds between known wallet addresses and darknet marketplaces.

Illicit MSBs and P2P Vendors Using Bank Accounts

• Indirect fiat offramps for exchanges

• Sell crypto then transfer the value to consumer accounts at crypto exchanges

• Merchants who sell crypto not using the correct MCC code

• CipherTrace verifies and corrects these MCC codes and crypto merchants

• Zelle, Simplex, Wirex and 40+ more


Red Flags P2P Exchange

• Bank was alerted of a large-scale credit card fraud involving crypto. The scam defrauded credit card customers of over $50M in several days.

• Detected numerous walk-up cash deposit accounts being used by P2P illicit cryptocurrency exchanges.

• Bank was able to shut down these accounts and block the associated merchant from credit card transaction approvals, which were processing $5,000 per day.

Use Case

Banking Details on P2P Exchangers

$50M Credit Card Fraud at Top-10 US Bank

FinCEN Red Flag Indicators Unregistered or Illicitly Operating P2P Exchangers


⚑ Transfers or receives funds, including through traditional banking systems, to or from an unregistered foreign CVC exchange or other MSB with no relation to where the customer lives or conducts business

⚑ Utilizes a CVC exchanger or foreign-located MSB in a high-risk jurisdiction lacking, or known to have inadequate AML/CFT regulations for CVC entities, including inadequate KYC or customer due diligence measures

⚑ A customer directs large numbers of CVC transactions to CVC entities in jurisdictions with reputations for being tax havens

⚑ A customer that has not identified itself to the exchange, or registered with FinCEN, as a money transmitter appears to be using the liquidity provided by the exchange to execute large numbers of offsetting transactions between various CVCs, which may indicate that the customer is acting as an unregistered MSB


Red Flag Indicators Related to Transaction Patterns

Transactions Concerning All Users

⚑ Transactions involving the use of multiple VAs, or multiple accounts, with no logical business explanation.

⚑ Making frequent transfers in a certain period of time to the same VA account:

• by more than one person, from the same IP address, or in large amounts

⚑ Incoming transactions from many unrelated wallets in relatively small amounts (accumulation of funds) with subsequent transfer to another wallet or full exchange for fiat currency

⚑ Conducting VA-fiat currency exchange at a potential loss

⚑ Converting a large amount of fiat currency into VAs, or a large amount of one type of VA into other types of VAs

BTM Smurfing

https://coinatmradar.com

How Criminals Use Crypto to Take Advantage of Banks

• Drug Traffickers sent bitcoin they received from darknet narcotic purchases to Kalra, through his P2P exchange account.

• Kalra used his virtual asset account at Gemini to convert the bitcoins into USD.

• The USD was wired from Gemini to Kalra’s business bank accounts at both a top 5 US bank and a smaller, regional bank.

• These bank accounts in fake names allowed Kalra to operate his high-volume, long-term unlicensed cryptocurrency-to-fiat currency exchange business.

• Kalra concealed the true nature of the funds when he sent the USD back to the Drug Traffickers as either a cashier's check or direct deposit, from his business bank accounts.

California Man Pleads Guilty to Money Laundering Charges for Running Unlicensed Bitcoin Exchange and ATM at His Smoke Shop

Kunal Kalra

BTM Smurfing


FinCEN Red Flag Indicators Unregistered or Illicitly Operating CVC Kiosks

48

⚑ A customer operates multiple CVC kiosks in locations that have a relatively high incidence of criminal activity.

⚑ Large numbers of transactions from different customers sent to and from the same CVC wallet address but not operating as a known CVC exchange

Illicit Activity Leveraging CVC Kiosks

⚑ Structuring of transactions just beneath the CTR threshold or the CVC kiosk daily limit to the same wallet address either by using multiple machines or tied to the same phone number
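The two kiosk indicators above differ from the per-account rules earlier in the deck in that the pattern only shows up when purchases are joined across machines and across customers. The Python below is an added example written for this page (not CipherTrace's or a kiosk operator's code) that does that join over a constructed kiosk log: one rule groups purchases by the SMS-verified phone number and calendar day and flags a day where several machines were used, every purchase stayed under the per-machine daily limit, and the day's total reached it; the other flags a destination wallet that many distinct customers fund within a week although it is not a known exchange. The daily limit, kiosk ids, phone numbers and wallet labels are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed per-machine daily purchase limit (constructed). A real operator's limit
# and the CTR threshold come from its own program and the applicable rule.
KIOSK_DAILY_LIMIT_USD = 3_000

@dataclass(frozen=True)
class KioskTx:
    ts: datetime
    kiosk_id: str
    phone: str         # number used for the kiosk's SMS verification
    dest_wallet: str   # wallet the purchased CVC is sent to
    usd_cash: float

def parse_kiosk_log(lines):
    """Parse 'ISO-timestamp,kiosk,phone,wallet,usd' lines into time-ordered records."""
    out = []
    for line in lines:
        ts, kiosk, phone, wallet, usd = line.strip().split(",")
        out.append(KioskTx(datetime.fromisoformat(ts), kiosk, phone, wallet, float(usd)))
    return sorted(out, key=lambda t: t.ts)

def flag_cross_machine_structuring(txs, limit=KIOSK_DAILY_LIMIT_USD):
    """Same phone, same day, more than one machine, each purchase under the limit
    but the day's total at or above it."""
    by_phone_day = defaultdict(list)
    for t in txs:
        by_phone_day[(t.phone, t.ts.date())].append(t)
    flags = []
    for (phone, day), group in by_phone_day.items():
        machines = {t.kiosk_id for t in group}
        total = sum(t.usd_cash for t in group)
        if len(machines) > 1 and all(t.usd_cash < limit for t in group) and total >= limit:
            flags.append((phone, day.isoformat(), round(total, 2), len(machines)))
    return sorted(flags)

def flag_wallet_fan_in(txs, min_customers=5, window=timedelta(days=7)):
    """At least min_customers distinct phone numbers funding one destination wallet
    inside a sliding window (the wallet is assumed not to be a known exchange)."""
    by_wallet = defaultdict(list)
    for t in txs:
        by_wallet[t.dest_wallet].append(t)
    flags = []
    for wallet, group in by_wallet.items():          # group is already time-ordered
        for i, start in enumerate(group):
            phones = {u.phone for u in group[i:] if u.ts - start.ts <= window}
            if len(phones) >= min_customers:
                flags.append((wallet, len(phones)))
                break
    return sorted(flags)

def screen_kiosk_log(lines):
    """Run both kiosk rules and return {rule: hits}."""
    txs = parse_kiosk_log(lines)
    return {
        "cross_machine_structuring": flag_cross_machine_structuring(txs),
        "wallet_fan_in": flag_wallet_fan_in(txs),
    }

# Constructed sample log (kiosk ids, phone numbers and wallet labels are invented).
SAMPLE_KIOSK_LOG = [
    "2021-06-01T10:05:00,K1,555-0100,W1,2900",  # one phone, three machines, one day,
    "2021-06-01T11:40:00,K2,555-0100,W1,2950",  # every purchase just under the limit
    "2021-06-01T14:15:00,K3,555-0100,W1,2800",
    "2021-06-01T16:00:00,K1,555-0111,W1,2000",  # single purchase, not flagged
    "2021-06-02T09:00:00,K2,555-0201,W2,1500",  # five different phones fund W2
    "2021-06-02T10:00:00,K2,555-0202,W2,1200",  # within three days
    "2021-06-03T09:30:00,K4,555-0203,W2,2500",
    "2021-06-03T13:00:00,K1,555-0204,W2,900",
    "2021-06-04T12:00:00,K3,555-0205,W2,2100",
]
```

On the sample, `screen_kiosk_log` reports phone 555-0100 for 8,650 USD across three machines on 2021-06-01 and wallet W2 for five distinct customers. The same grouping by phone number is what makes the indicator hard to evade by hopping between an operator's own machines; it does nothing across operators, which is why the slide's cross-operator view of kiosk locations matters as well.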


Questions?

[email protected]

Thank You