B (4:00)

I mean one of the things over here, they have stopped selling electricity through some of the compounds. Right. So it's sort of taking away one of their centers of gravity that they need in order to function.

A (4:14)

Yeah, yeah. Thailand's also done things like cut Internet access.

B (4:18)

Yep.

A (4:19)

And so the, the compounds have adapted by using starlink. But they're also moving geographically and moving into.

B (4:27)

When you have billions of business. Yeah. Once you've got billions, I think that these things are minor inconveniences as opposed to fatal catastrophes that just existentially destroy the business.

A (4:42)

If you're sitting on a billion dollars like, oh no, my Internet access has been cut.

B (4:48)

Send everyone home. That's it.

A (4:51)

So I guess the first question is for somewhere like Cyber Command or ASD to get involved, we would have to think that it's a national security threat, a big problem.

B (5:04)

Yeah. So I think it isn't right now, but it's certainly national security threat adjacent. So they partner and they're starting to work with criminal organizations that are national security threats.

A (5:21)

Yeah, yeah. So one of the things in the report you remind me is that the Chinese money laundering organizations are now working with Mexican cartels. And so they're both apparently cheaper and harder to destroy.

B (5:37)

All of the white collar jobs are being offshore. At first they took the manufacturing, now they're taking the good white collar crime. That's right. When will it end?

A (5:46)

China is getting these were like good well paying white collar crime jobs. You know, what we need is tariffs.

B (5:57)

There we go. 125% on all Chinese money laundering. That's.

A (6:04)

So the report says that they would charge from 0 to 6%. And they have. So yeah, 125% on 0% is not very much. But they also use a whole swath of different techniques so it's harder to track as well.

B (6:23)

Right.

A (6:24)

But yeah, so it's directly related to something that is, I think, a pretty serious threat.

B (6:28)

And I sort of related a bit to the BEC stuff. Right. Business email compromise where it's sort of like, it starts out as the sort of they're, they're scamming people and that's not great, but it's not a threat. And then it's like, well, they're scamming quite a lot of people. This is a bit more of an issue. And then it's like they're scamming people and now they're partnering with the Italian mafia and teaching them how to do it and like trading tips on different sorts of crime industries that you can get into. And it's, it feels a little bit like a tumor in a way where you're like, well, you know, it's not big enough to worry about yet. So I'll just wait. It doesn't seem like that's the best approach of dealing with this. Like you don't go like, well, it's not a threat at this point in time, so let's just wait until it's bigger and harder to deal with and then we can tackle it.

A (7:19)

So you're arguing at a kind of prevention is better than cure perspective.

B (7:24)

Yeah, I know that's not a popular opinion in the national security space. Like strategically, no one likes to do that, but yeah, I don't think that allowing these people to accumulate billions and billions of dollars is going to make them less of a threat going forward.

A (7:38)

Right. Okay. So I guess in contrast to ransomware, say ransomware, you justify it because of things like I guess in the US Colonial pipeline, where ransomware disrupted a gas pipeline, it's disrupted hospitals, it disrupted that healthcare organization, was it UnitedHealth? Like these have all had pretty significant systemic disruptions.

B (8:03)

Yeah. So I don't know if I'd classify scam organizations as cyber organizations. Like, they're certainly cyber criminals, but I don't know if they're cyber organizations. So obviously I think the difference here is that ransomware as a cyber organization poses a cyber threat and that there's a lot of systems that rely on cyber and these guys get into them and disrupt them. So that can be a national security issue because of what they're targeting. Whereas I think that these pig butchering scams and the BEC guys, they're not doing the same sorts of criminal activity. They're not disrupting these systems, they're just stealing money. Just.

A (8:44)

But yeah, well, I guess if you steal a Lot of money from someone like their life savings, which happens all the time. It's not a national security threat. It's easy to ignore it. But I think you're arguing that because the syndicates themselves are so bad, so corrupting, its impacts are because criminals have so much money, rather than because it's taking individually significant but nationally insignificant amounts of money from individuals.

B (9:17)

Yeah, and I think that there's around the edges, you know, as you were saying, I think that around the edges it starts creating, like, it starts introducing corruption into things. So banks initially are very against being used for money laundering until there's huge amounts of money involved, at which point they're like, well, I mean, what is money laundering anyway, if you think about it? And then so you get like the HSBC in Mexico where they had a special teller window that had the size of the suitcases of money that were being brought in. So special window for drug money deposits. Right. So like they knew what they were doing, but they were also making millions of dollars doing it, so they were kind of okay with it. And I think that that starts to happen when you have this much money being taken through banks and that spreads and that's. It's just fundamentally corrosive and bad.

A (10:11)

Okay. So it's the end result of the scam rather than the damage that the scam results in. So I guess it's the opposite for ransomware. Right. It's the.

B (10:20)

Yeah, it's.

A (10:22)

The problem is the crime, not the money. In this case, the problem is the money, not the crime.

B (10:28)

Right.

A (10:28)

Okay. So I.

B (10:29)

From a national security perspective, because we. We're not dismissing the. The pain of the victims, obviously, but.

A (10:35)

Yeah, yeah.

B (10:36)

From a national security point of view.

A (10:37)

Yeah, yes, exactly. Just to be clear, it's a horrendous thing that's going on. Don't like it at all. So I buy that argument. That will be a huge problem. I don't know that it will gain traction. But anyway, let's move on.

B (10:52)

So if we assume for the sake of argument that it is a national security threat and it should be tackled in some way, is cyber the way to tackle it?

A (11:03)

Yep. Okay, so I drew a thumbnail picture of these organizations in a ransomware context, it seems very clear to me that it is a good idea because. And there was a couple of reasons for that for me personally. One of them was that there's a small number of ransomware groups that cause most of the harm. So it's like you target those ransomware groups. They also had relatively few players so they were quite centralized and it seemed like you would be able to find a point of leverage that you could, with a relatively small team, actually make a significant difference. Like there were clear vulnerabilities that even like, you know, me sitting in my office back home can, can say, yes, these must exist. To me, it's not clear at all that these vulnerabilities exist in organizations which are big enough to have, you know, control hundred thousands of people or whatever.

B (11:59)

Yeah, yeah, yeah, yeah, yeah. So I think like one of the differences, ignoring the cyber stuff for a minute, just from the personnel perspective, I think one of the differences is that when you're looking at ransomware, these are cyber criminals. They're cyber first and they're criminals because they're doing cyber crimes. They're like Joe Schmoes or Ivans or whatever. They're normal people who happen to be generating huge amounts of money with this particularly lucrative illegal thing that they do. Whereas I think the syndicates, you're looking at criminal organizations where they're sort of, they're individually powerful on their own, who have adopted this as a way to make money. Like they've discovered a new scam. So they might have been, normally they'd be bankrolling, robbing banks or whatever or you know, various different. Loan sharking or something. Here's just another thing that they're investing in that generates money. I think that the people behind it who are ultimately behind it probably don't even have phones. I don't think that they're particularly embedded into a digital culture. I don't think they're particularly exposed. I don't even know if you could go after them in that way.

A (13:20)

Right, right. I guess one thing about ransomware groups is that they would often talk anonymously, you know, over secure messaging services. Secure in the sense that all the messages would get leaked every few years, but otherwise secure. I imagine in these scam syndicates they're like, they're real face to face people. They're not. Yeah, yeah, there's one avenue that's cut out.

B (13:49)

And I strongly suspect that a lot of these guys started with like running casinos, but like these are like mobbed up casinos, like the old school ones, not the new corporate ones. And so yeah, there's very much, you know, smoke filled room, lots of alcohol or lots of tea or whatever it is, face to face discussions. I don't think they're particularly technical and I don't think they would trust that stuff anyway just because they're not technical. Right. So like I think that in a way, the fundamental difference is because the ransomware people understand encryption, they will trust that encryption secures them, because that's what encryption does. So when they get betrayed and someone leaks everything, they're shocked because that's not part of their threat model. They don't think about that. Whereas these other guys just don't trust computers because they're newfangled gimmicks that the kids understand, but not for these guys. So they're just not going to believe that they're secure regardless of encryption or whatever. Like that's just fundamentally going to be a thing. So I think the actual powerful players within these environments where you've got your ransomware operators versus your syndicates, the syndicate guys are just straightforward criminals who are doing this thing. I don't think that they're exposed. I don't think they're dependent on cyber. So you'd have to go after the scam itself, not after the people. So the scam itself might be what's exposed to cyber, because that does rely on cyber, if that makes sense. Right. So it's that the scan that they're conducting is cyber exposed and they aren't, or it's possibly cyber exposed, whereas ransomware, the group is dependent on cyber, so all of them are exposed.

A (15:34)

Right, okay. So something similar that comes to mind is the Internet Research Agency, where there was basically a building full of people in St. Petersburg who were putting out misinformation or disinformation because it was deliberate. And what Cyber Command did, it seems like, is they disrupted their Internet access for a day or so. So that's the answer, is it? Grip.

B (16:02)

There we go. DDoS booters need to be on the payroll for Cybercom. And yeah, we can solve this with DDoS just like all of life's problems.

A (16:12)

Well, what I was getting at is the Thais cut their Internet access. One of the Plan Bs they adopted was to use Starlink instead.

B (16:21)

Right.

A (16:21)

And it seems like if Thailand can cut Internet access, then surely Starlink can cut their Internet access as well. Right?

B (16:29)

Yeah.

A (16:29)

To particular compounds. Like, surely this has got to be a thing you can do because if someone doesn't pay their bill, you're going to cut them off. Right. So you've got to be able to cut off by terminal and like the nature of a satellite communications company is, you know where the terminals are.

B (16:47)

And yeah, you're probably going to notice that, like there's 50 terminals doing huge amounts of traffic only to WhatsApp in this one. Very, very small Part of the jungle. It's going to be a little bit sus.

A (17:01)

Yeah, yeah. So that doesn't sound to me like a cyber command thing. That sounds to me like we should lean on Starlink to do something about it thing. It also seems that for a lot of what they're doing, they're talking basically on messaging apps. And maybe the messaging app is the.

B (17:17)

Place if we put in back doors so that the encryption is just, you know, we got to get rid of these spaces where criminals can be safe from law enforcement observation. That's what we have to do. And because they're using these encrypted criminal encrypted messaging apps like WhatsApp or Telegram or Facebook messenger, these are the things that are obviously the real problem, and those need to be addressed with just a comprehensive backdoor added for lawful access.

A (17:55)

The phrase I heard about that is the ghetto of the Internet. We don't want these spaces to become the ghetto of the Internet, which I think was. I quite liked it as a turn of phrase. It was quite colorful. So one of the things WhatsApp does is it collects metadata, and it seems like you could use that to try and figure out, like, just patterns. Patterns, like a scan compound's got to have a particularly unique signature, right? As a pattern that would be.

B (18:25)

It's a fixed location with huge amounts of traffic. And I think that what will help is you're not completely blind because you're going to have some number of victims will come forward to the FBI or other law enforcement and say, I've been scammed. You know, like this thing happened to me. And the FBI can say, how are you contacted? Let's look at the messages. And it will give you pointers of where to look. And then you could say, oh, and there's like 50 square meters around this area. There's 20,000 WhatsApp sessions going constantly from 9am until 9pm every day, and then none overnight. Well, it's probably just some teenagers or something, right?

A (19:07)

Like, I actually suspect that some of those companies already do stuff relating to that already. It's not clear how much they have visibility.

B (19:16)

They know what's going on. They might not know, but they definitely suspect. Like, when there's a huge amount of registrations that start coming in, because there has to be some sort of management of these resources. And it's got to be done systematically, not necessarily automated, but in bulk. And as you said, it has to stand out when there's someone registering 50 accounts in an hour from the exact same spot with the same IP address. I find it very hard to believe that Facebook, who knows the color of your underwear, doesn't know these scam call centers.

A (19:53)

Yeah. So I think probably a lot of companies do do things, but that, again, feels like if we want them to do more, that's encouraging companies to do more or requiring them to do more, rather than a Cyber Command thing.

B (20:06)

Right. So I think you're getting at maybe the crux of the issue, which is that I would argue that these are cyber organizations to a degree, simply because of how reliant they are on cyber stuff, but because they are not using any boutique or tailored cyber infrastructure, they're only using existing services like Gmail, like WhatsApp, these services that are provided by companies that provide legitimate services for the most part. I mean, obviously they rely on money laundering and stuff like that, but generally speaking, their bread and butter here is consumer services. Yeah. Like, that's where they're vulnerable. You should be able to get them through that. That seems to me like Cyber Command can go after custom cyber infrastructure used by ransomware groups. Like, that's ideal for their sort of thing. Like that's exactly what you want them doing. Like, I'm not sure that they have much to say when it comes to the ways that these scam compounds are exposed to cyber. Right. Like, they just, they have a lot of phones or they have a bunch of tablets. They don't really have something that you can go after in the same way.

A (21:16)

Yeah. It seems to me that the leadership of these kind of syndicates would be a valid intelligence target and maybe that might get you something that would be useful to enable some sort of other action.

B (21:29)

Yeah. So at the very bottom, you've got your thugs and enforcers and whatever, and they absolutely are going to be posting Instagram stories of them beating people up or whatever it is. But as intelligence targets, they're not going to be very interesting because they don't know anything. But I think that the people who manage them and who manage them, sort of like their boss's boss is where you're going to get people who are still Internet savvy. They will have Facebook profiles, they'll have Instagram, they'll have, you know, they'll watch a lot of TikTok. They'll just, they'll be normal people who do crime. And I think that they would be interesting intelligence targets because they doubtless speak a lot to each other about what's going on, have a lot of insight, and also speak to the upper management and such. So I Think that's probably where you'd want to. You might have to get to them through the goons. But I think there's a lot of information there. What you would do with it is the next thing.

A (22:23)

Well, I mean, I think the information, you would use it to inform law enforcement action and gradually get stuff done there. So at this point it's yes, we think there would be a valid target, but it's hard to think of anything that would be particularly useful to do. Just because these organizations are so different from ransomware groups, which are in a way like the perfect target for offensive cyber operation.

B (22:51)

They're non state threat actors, so there's no state escalation worries that you have. But they operate exactly like a state in many ways. So they're really like, if you have a state capability designed to go after states like cybercom, setting it after a non state actor that happens to mimic a state in pretty much every way, that's your ideal scenario. You sort of couldn't pick a better target. Whereas I think it's like the FBI when they were going after al Qaeda in 2001, and they kept trying to find, you know, who is the number one, who is the number two, who are the deputies, you know, who run the branch offices. And that's just not how Al Qaeda worked. The FBI was just not capable at that point in time of going after a network like they went after the Mafia. The mafia looks exactly like the FBI. They've got a boss, they've got sub bosses, they've got frontline operators. Like all of that made sense to them. But then when you go after, like there's one guy and then everyone kind of discusses and decides on things and they do it like that just didn't make sense to them. And I think that that's, in a way that, that's a similar issue with these scam centers is they just, they don't make sense as threat actors.

A (24:00)

Okay, so how about some of the supporting infrastructure? Is there anywhere else, some of the services they rely on. Could you go after the money launderers, for example?

B (24:13)

So I think that the money launderers are a lot more exposed because they have to do cyber as well. So they're going to be using encrypted apps in the same way. But I think because they interface with the real world through banks, and I think that the banks have an incentive not to support them or at least can be very easily incentivized to go after them, I think that there's a good opportunity there for intelligence collection via cyber, where you can, if you can see what these guys are doing, like if they say $100,000 is going to come into account X and we're going to transfer it to these other accounts to get it out. If you have that information and you can coordinate rapidly enough, I think that the intelligence collection via cyber there could be good. But then I don't know about the execution at the other end. It feels like they're vulnerable to cyber collection in a way that makes them institutionally vulnerable. Like the foundation of what they do is going to be vulnerable. But I don't know if anywhere has the capability of exploiting that vulnerability.

A (25:22)

Yeah, yeah. Again, going back to ransomware, the US Government in particular has sanctioned, I guess, rogue exchanges, cryptocurrency exchanges that facilitate like illicit funds transfers. It seems like the Trump administration is a bit less keen on that or a bit more pro crypto. So I don't know whether we'll see that going forward. To me it makes sense. If it's a criminal enterprise, you should just sanction them. But it seems like some of the money laundering are setting up their own exchanges, so that's possibly something that will happen. Again, it doesn't seem like you need a Cyber Command action to do that. Yeah, the intelligence may lead you to do the sanctioning. And also it seems to me like there would be a reluctance to actually conduct an operation to mess with the financial system. Like North Korea does it all the time. Of course, this is exactly what I.

B (26:15)

Was thinking is like Cyber Command doesn't have what it takes, but you know, who does?

A (26:23)

I mean, that actually does seem like an opportunity for North Korea. I think you're right there.

B (26:27)

Absolutely. Like they could, they could deal with that pariah status and get access to billions of dollars.

A (26:33)

It's a win, win situation. A win for them and a win for us.

B (26:40)

Well, it's half a loss for us.

A (26:48)

Yeah. So I guess where I was starting with that was that it seems like to me that would be a bridge too far for a responsible government. And the rationale is we don't want to upset faith in the financial system. Hacking to disrupt it is bad. It seems to me that it would take like you'd read a really, really, really, really, really good reason to do that.

B (27:11)

Yeah, I think that the. Yeah, you're right. Like the loss of trust and faith in the international financial system would be so big that it's hard to imagine a scenario where it be a worthwhile trade off and a few billion dollars in Scams is absolutely not it.

A (27:30)

Yeah.

B (27:31)

On the other hand, I think Lazarus, again, they're very like, North Korea is very well positioned here because what they like, if they act against the banks, that's a Tuesday. Whereas if, you know, like, they're not going to disrupt trust in the same way, like, they're not going to have the same sort of impact, I very much think that this is worth exploring. Maybe the way to go about doing it is just to write up some ideas and then leave it out with a crypto wallet and let them figure that on their own. Just drop some hints.

A (28:07)

Yeah. So to me, there's this sense that.

B (28:10)

Here we go. I've got an idea. The next time you're doing an interview for someone for an IT role, just mention this as one of your questions and I'm sure it'll get back to the North Koreans very rapidly. Here's your coding challenge. You have to hack into a bank that's doing money laundering so you can access the billions of dollars in scam cash.

A (28:35)

So I think that some of the laundering occurs through cryptocurrency exchanges. And I guess a lot of the money that North Korea has stolen has been in cryptocurrency, which feels adjacent to the real financial system in the sense that you can steal hundreds of millions or billions of dollars and people are like, ah, whatever. Yeah, so maybe I guess cryptocurrency thefts would be like, fine.

B (28:58)

Yeah. So when they went after the Bangladesh Central bank, like, that didn't destroy faith in the international banking system. You know, the fact that they did this hack and almost got all this money, like, that didn't make anyone go, oh my God, banks can't be trusted. Like, it strikes me that if anyone has the capability of gaining access to these money laundering gangs, monitoring their communications and then intercepting their transfers, like, Lazarus is nimble enough to do that. So, like with the Bybit hack, that recent hack where they stole just massive amounts of money, like this very complicated chain of exploits to get to where they were, and then they were only exposing the actual exploit that they were using for a few minutes. As soon as it had executed and done its thing, they got rid of it. Like, I think that they're very fast. I think that they have the coordination and I think that they'd be motivated. I think that they have the authorities internally. Like, they won't have to go to. I think getting approval would not be that difficult for them.

A (30:07)

Right, right. So at this point, I don't know.

B (30:09)

If that's a Title 10 or a Title 50 under there.

A (30:14)

So at this point it's yes, scam syndicates are a national security threat. No, they're no good for Western or five eyes cybersecurity agencies. But yes, we fully endorse North Korea going after them.

B (30:34)

Yeah, because we could steal money from the crime syndicates and give it to the nuclear armed state. That's it.

A (30:46)

Okay. Yeah.

B (30:48)

That's how we reduce national security risk. That's how you get rid of exposure. It's.

A (30:53)

Yeah, okay, rethinking that one now.

B (30:55)

I guess there might be one or two downsides, but generally speaking.

A (31:03)

It'S a win for cyber. It's not a win for nuclear proliferation.

B (31:09)

It'S a trade off. I'm willing to make cyber Uber. Alice.

A (31:14)

Thanks a lot. Craig.

B (31:15)

Thanks a lot, Tom.