Transcription performed by LeahTranscribes
[START OF RECORDING]
JACK: A few years back, a listener wrote to me to tell me about a problem they were facing. Okay, check this out; they went to buy a house, right? When you go to buy a house, there’s a little dance that everyone does. Like, do you give them the money first or do they give you the deed first and the keys, or do you do a quick swap at the same time? What if it’s a phony check or the deed is made up? This is where escrow comes in. Both the seller and buyer hand their things to a third party, someone that both sides trust, and waits for everything to clear. If the check clears and the deed is valid, then escrow says, okay, the deal is done, and gives the money to the seller and the keys to the buyer. So, this guy, a listener of mine, says he bought a house and during this process, he gave $250,000 to the escrow company. But then someone scammed the escrow company. They posed as the seller and said, hey, could you just deposit the money into our bank account directly? Escrow’s like, oh yeah, of course. No problem. We do this all the time. Here you go. They deposited the $250,000 into the scammer’s account instead of the actual seller. But here’s the crazy part; because the seller never got the money, escrow wouldn’t give the keys to the buyer. They were being jerks about it. They were trying to say, sorry, we lost the money. No house for you. The deal has been canceled. The buyer is like, whoa, whoa, whoa, no, no, no, that’s what escrow is for. You’re our trusted third party. We trusted you to do this deal. You screwed up, and that’s not our problem. That’s yours. But escrow’s like, mm, no. I never got an update on what happened here and if this got resolved. I think the buyer took escrow to court to try to get their money back. What a nightmare though, to send a huge check somewhere only for it to go to the wrong place, and then someone else runs off with the money. Ah!
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: I was clicking around the other day and came across this story on Good Morning America.
HOST1: Shreya Datta thought she’d met the man of her dreams on a dating app, only to find out her prince charming was a scam and she was out more than $450,000.
JACK: What the…? How in the world does some guy on a dating app scam someone for $450,000? That’s insane.
SHREYA: This person presented themselves to be everything I was looking for.
HOST1: She was the victim of a scam known as pig butchering. A scammer pretends to be looking for love online. They find a love interest, casually encourage them to invest in crypto via a fake app, but eventually they can’t access the money at all. The money is gone. The investments? Not real.
JACK: Dang. The things we do for love, huh? Or maybe it was for money. Or maybe it was for the love of money. I don’t even know.
RONNIE: Yeah, so, hearing that story, I’ve heard it a thousand times over.
JACK: Okay, hold on. Who are you and what do you do?
RONNIE: Oh, yeah, yeah. So, my name is Ronnie Tokazowski. I’ve been fighting business e-mail compromise for the last eight years now. So, my role in this is I work behind the scenes with a lot of the people who are working with romance scam victims. I do a lot of work with Secret Service, FBI. I also work back and forth with victims, too, because a lot of what happens is the scammers will go to different dating websites; they will go and find people in order to date. They will move the discussions off of the platform just because most of the platforms cost, but they’ll move you up to WhatsApp and then from there they’ll start grooming the person. They’ll say loving things. We’ve had cases where some of the victims might send nude pictures over to their lover, and once they go and are exchanging those sweet nothings, the scammers directly build that relationship and build those emotions.
JACK: So, I heard this term ‘pig butchering’ and it just — I’m not connecting the dots here. Nowhere in this romance or crypto or gold — sending money to people, is there a pig involved. Where is this term ‘pig butchering’ coming into?
RONNIE: Yeah, so, the term ‘pig butchering’ comes from a Chinese phrase called Sha Zhu Pan, which is essentially a broil — I think it’s broiled meat, if I remember. I forget the exact translation. But what the concept is is the scammers will go and try and fatten the pig, if you will. So, what they will do is extract as much money as they can out of a victim, and where the pig butchering comes in is that once the scammers get to a point where they feel like they can’t get any more money out of the victim, they will take the pig in for slaughter or slaughter the pig, and what they mean by that is actually pulling the rug out from under the victims and walking away, and essentially being like, I got all the money that we could. So, that’s kind of where the phrase ‘pig butchering’ comes from.
JACK: Okay, so, for some reason, Ronnie is attracted to this type of scam or fraud or whatever you want to call it, and zooms in to whenever he sees these stories come up. [MUSIC] One day, he heard about a colleague who got pig butchered, and wanted to help him out.
RONNIE: Him and his girlfriend, they were dating for several years. They had been together for as long as I’ve known him. It’s probably about eight years now that they’ve been together. So, they were engaged to be married. They had a house together, and unfortunately things happened and that relationship kinda flopped. So, they went their separate ways. He lost the house, and unfortunately it wasn’t really a good circumstance.
JACK: Break-ups are hard. It’s a tough time for anyone. You can sink into deep levels of depression. Your defenses are weak and your vulnerabilities are exposed.
RONNIE: So, he went to go online and go date somebody. So, he went onto a dating platform, found this really pretty French girl who was very involved with him and very attached to him. The two of them really hit it off, and at some point she popped the question. Goes, hey, I’m also doing a lot of crypto investments. Is that something you’d be interested in?
JACK: Hm, okay, I don’t see any red flags yet, and he didn’t, either. At this point they were just chatting through text, like, a lot. She seemed to be into everything he was interested in, and he was liking that. He was coming out of his breakup and she seemed to be caring and helpful. Yeah, okay, so, she’s into crypto investments. That’s fine. She can be into that. But he was curious; was it really working for her? He had some crypto somewhere and was like, tell me more about what you’re invested in. So, she tells him, man, there’s this hot investment. It’s making mad bank. He’s like, yeah, okay, well, what is it? Show me. So, she keeps talking it up; I’m basically just living off the profit from this thing. It’s nuts. He’s like, you gotta show me what you’re talking about. So she’s like, okay, so you know how your savings account makes interest, right? This is like that, but it just pays much more. You put your money in and then daily it makes interest and you could just take that interest out if you want, or leave it in and it adds up and you make even more. So, he’s like, well, how much interest are you earning? She’s like, 20%. If you have $1,000 invested, it’ll earn you $200 in interest a day, and at any time you could just take your $1,000 out if you want. He’s like, man, that does sound too good to pass up. So, she gives him the links to read up on.
RONNIE: Being in the field, he knew a good bit of crypto. He’s naturally a very skeptical person, so he did his research on a lot of the way that they present the money. So, he went — they provided links and information for him to check once he went and submitted his money.
JACK: This scheme was very, very clever. I mean, this guy was a cyber-security professional. He knew about the dangers of cryptocurrency and was suspicious about all this. But this had a mix of legitimate information with just a small dash of fraud. See, the way they had this set up was they made it look like it was using a legitimate exchange. In this case, crypto.com.
RONNIE: The way that the application was presented to him was — and this is his perspective. I’m still trying to get the full scope here, but there was actually a browser that they could use within crypto.com that will have it show up that actually looks like the application. Looking at some of the screenshots, it looks like it was right within the crypto.com application and because of that, when your user goes and clicks on stuff, it appears to be 100% legitimate.
JACK: I looked at some of these screenshots myself. It’s hard to tell what’s going on, but one thing is clear; they social-engineered him and tricked him into sending his crypto to the scammer’s wallet. They just disguised the wallets to look trustworthy. Basically, he would buy cryptocurrency on crypto.com with real money and then send those crypto coins to this “investment” project. ‘Investment’ in quotes there. Really it was a scam, and it looked really good. It didn’t look like a scam at all. You could see your balance. You could see your earnings. You could interact with it. You could pull your money out at any moment. [MUSIC] So, he decided to give it a try. He put some money in, sent the crypto, and when he saw it was generating interest, he tested it by taking some out and was like, wow, this is actually working, because it looked like it was. But this is where the pig-butchering scam comes in. The scammers wanted him to take the bait, start with putting in a little, see that it’s working, and then hopefully he’ll put in some more and more and more, and hope that he dumps a ton of money into this. When they think he’s put in enough, they’ll take the money and run. So, as he starts watching the money grow on this site, the scammers start ramping up the pressure. They tell him if he invests a little bit more within this timeframe, he’ll get locked in for bonus interest, basically presenting him with more exciting opportunities that were time-sensitive.
RONNIE: In addition to putting his own money in there, because of the high returns that were being shown, he also went and had filed a — had gotten a loan. So, he actually used a loan to go and put more money into it. Because again, if you can use that loan to go and get more money, who wouldn’t do that? So, that’s another common thing we see with a lot of people, is they’ll go and take loans out from a financial institution. They’ll take a second mortgage out on their home in order to go and get more money based on those investments.
JACK: Taking loans out? Now I see how someone can end up losing a ton of money in this scam. But not only that; these scammers were really tricky. They would sometimes tell him, look, we locked your account because there’s not enough funds to cover withdraws. Please deposit another $40,000 in the next ninety-six hours to unlock your account. He’s like, whoa, whoa, whoa, wait a minute. What if I don’t deposit that? Then you risk losing your money. So, he’s like, oh no, I don’t want that. So, he goes scrambling, looking for even more money to put into this. So, this guy eventually goes all in and then some, putting all his savings in and taking a loan out to add more, because to him, this was a way to get out of debt, a path to financial freedom, and it was very exciting.
RONNIE: From there, the scammers were able to successfully collect about $90,000 out of him.
JACK: Oh, how cruel. Yeah, this $90,000 was a nice, fat pig, and the scammers were like, okay, that’s ripe. Let’s take it. And they did. They took his money, leaving him high and dry. Ouch. He saw his money disappear and he knew he was screwed. [MUSIC] Ugh. But he sat and thought about it for a bit. Is there a way to get any of this money back from the scammers?
RONNIE: What he did was he used the exact same emotional manipulation tactics against the scammers. What he did was he was like, hey, I’m gonna go ahead and invest more, but I need to pull this little bit of money out in order to help with this loan. So, if you can let me pull some of my money out or wire it over here, I’ll go ahead and do that. So, he was able to get $10,000 of his back by, again, deploying those same tactics against the scammers, and he was able to build up enough trust with them to where he was able to get that money back.
JACK: He scammed them back. Hilarious. Man, that reminds me of this story I have. Okay, so this one time I was in Vegas, right? [LAUGHS] Yeah, I was actually going there for Defcon. When I went, I brought a burner phone with me, right? That’s just a phone that I paid with cash, got a prepaid plan, all that stuff. It was a new phone number. When I got to Vegas, I was getting text messages from a scammer. I sniffed it out right away. They were trying to play on my empathy, saying things like, ah, we can’t afford money to buy food for our kids and medicine and clothes and something, and they specifically asked for $749 to get themselves sorted, and I’d be an absolute angel if I could help. I was like, hm. I replied, look, I’d love to help, but I’m currently stranded. My boyfriend and I got in a fight and he dumped me off in the middle of nowhere, and I don’t know anyone here who can help me. I don’t have any money to get home. I am screwed. I was trying to use the scammer’s tactics on themselves, trying to be someone in distress, just like they were saying. It did not work. They kept asking me for money and I was like, okay, listen, I’m happy to help you. I have money to help you, but my boyfriend took my purse and all I have is my phone, and there’s strangers all around me. So, unless you can help me get home — like, I don’t know, send me $200. Then once I get home, then I can help you. It didn’t work. They stopped texting after that and just left me alone. So, when you run into someone who’s been a victim of this, how do you help them?
RONNIE: So, the way I help them is I help them a couple ways. So, the first place is that when it comes to understanding the emotions in our body tie back to a lot of the way the scam works, people feel a lot of shame. They feel a lot of hurt. They feel a lot of disconnect because of the stigmas associated with it. What I mean by that is when you’re a victim like this, people don’t want to come forward on this. So, I try and help them learn how to work with their own bodies in that regard. So, that’s one way that I help them. The second way is I point them to the resources where they can go and submit a live request. So, they may be working with IC3, they may be working with colleagues who also work with romance scams, or it may be helping introduce them over to some of the crypto assets where they can start getting — pulling some of that money back.
The third thing I do is, again, just trying to help put them in contact with the right people, because what happens is when you’re in the scam, it become — your head’s spinning a thousand miles an hour. You don’t know which way is up. You don’t know which way is down. You don’t know who to trust. Many of us work behind the scenes to try and help be that good driving force for many of these victims. When we go and we try to help them out, that’s kind of where we do our assistance. In addition to that, we’ve also been running a mailing list for the last seven years talking on many things that is the result of this e-mail compromise and a couple of things with that. We have close contacts with a lot of the banks and financial institutions to help either try and reverse some of that money or do what we can to get some of that money back or try and flag those thing — those assets to where we know, hey, these are actually part of a scam.
JACK: $90,000; that’s a lot of money to lose. Is that kinda the upper limit of where you’ve seen people losing stuff or are people losing more?
RONNIE: I really wish I could say that that was the upper limit, but I have seen so much more. I’m working with one victim now — I’ve been working with them for the last two weeks — where he was suicidal and didn’t know which way to turn.
JACK: Geez, you really take some heavy phone calls.
RONNIE: Mm-hm.
JACK: So, how did this guy lose his money?
RONNIE: So, very much the same way as the first person. He found the relationship and as the relationship built, they were like, hey, I have this great investment opportunity. They strung him along as far as they could, and once he went and put some of the money in, he saw his returns, it was the same story. This individual actually is — was ready to retire. He had several homes as well. So, because of that, he ended up opening — doing a second mortgage on a couple of his homes in order to pull some money out. So, because of that and because of what he was able to pull out on those homes, he may now be facing losing those homes as well. As it stands right now, he has lost over $1.7 million.
JACK: [MUSIC] Dang. I mean, I’ve heard of people losing their life savings, but for some reason this feels worse than that. I guess it’s one thing to lose all your stuff when you’re young, but it’s different when you’ve worked your entire life to save up for retirement and then lose all of that. Your retirement’s now gone. Poof. You were financially stable and now super in debt, and your whole future is screwed. It’s awful.
RONNIE: I was at a RSA last year — or this year, as a matter of fact. Got to speaking with somebody who had a — it was a grandfather who had committed suicide and they didn’t know why. They ended up going to look through his records and it was over $5 million that he had lost.
JACK: What? People are actually killing themselves over pig-butchering scams? This is nuts. Whoever is behind this is just ruthless.
RONNIE: I wish that was an isolated case, but I’ve also had — I had another victim out at Defcon. It was a couple years ago. For her, she ended up losing her house, losing custody of her kids, lost her relationship with her husband, and lost her business. She lost — she was into — over $2 million. When I asked her what kept her in, she said her husband was abusive and she just wanted to feel love. That’s the reality of many of these crimes, is that people don’t realize that you have two factors at play here; you have the financial losses and then you have the emotional hurt that goes along with it. Somebody may lose $90,000; it may mean nothing to them, or you may have somebody who loses $8,000 and it’s the entire world to them. So, it really — right now, we’re not accounting for the emotional losses on this or the emotional damages for many of the victims.
JACK: So, in these first few stories we’ve heard, it’s — it keeps getting back to romance, right?
RONNIE: Yep.
JACK: Do you see kind of a pattern of who the victims typically are? Are they usually people who are looking for love, or what are some other…? If we’re gonna watch our own back, we gotta know when we’re in a vulnerable state. What makes a person more vulnerable to this sort of stuff?
RONNIE: Yeah, so, first and foremost, one of the constant patterns that I’ve seen — and this is something I’ve seen with many victims. I’ve kinda discussed and researched the topic. Many of them tend to be extremely trusting, where if you were to be walking on the side of the street, this is the type of person who will go and help a homeless person in need. If a dog was hurt on the side of the road, they would go and help them out. They’re some of the most kind souls you’ll ever meet, and because of that trust, the scammers have figured out that they can go and manipulate and abuse that person and get them to do things that they want. A lot of what happens is from that control perspective, they will actually — I’m gonna use a term that one of the victims used with me, is that they’ll essentially hijack their own consciousness and give them a different perspective of reality and a different perception of reality.
What happens is is the victims will be manipulated to a point where they will be pulled away from friends and be pulled away from family and only put all their trust in this one person. Because of that and because of the kind words that they were saying, the victims will want to go and be with that person. In addition to that, you’ve also got a case where they will say the right words in the right way to make the victims want to stay in it even longer. So, like I said, it’s a matter of working with the emotions and kind of manipulating the people in that way, too. Another piece that I also notice is that when it comes to how we as humans process our emotions, so many of us are just disconnected and we don’t even know how our emotions work. It’s like, we might feel this one way about this one thing. We might feel this one way about another, but we don’t realize that — how — that we actually pick up emotions from other people. Because of that, it’s something where we don’t understand how those mechanics work in our own bodies, let alone how we are emotionally manipulated to go and do this thing or influenced to go and do that thing.
JACK: Yeah, it’s — so, what are some of the skill sets that these scammers or thieves have? ‘Cause it sounds like they understand psychology a bit, so that would put them in social-engineering skills, right? Trick people, posing as someone on a dating app, whatever, but also being able to set up these websites and understanding crypto and putting malware on systems or whatever the case is. What do you see as their skill sets in these cases, at least?
RONNIE: Yeah, so, I’ll kind of talk on the geographic of where some of these skill sets are. So, for the pig-butchering angle, which is out of — mostly out of Southeast Asia, we see scammers who are skilled in setting up websites. They are skilled at working with cryptocurrencies. They understand that they need to influence a person’s emotions and play on the emotions. We have some tutorials and documents from the scammers where it’s like, thirty — a thirty-page PowerPoint in Chinese that essentially comes out to, here is where you go and tell them this piece, here is where you influence their emotion here and do this. So, they understand that emotional manipulation piece there. For some of the romance scammers in Nigeria, they’re a whole different basket. For them, they’re sophisticated in money laundering. They know how check systems work. They know how to wire money from a United States’ bank out to another bank, and they also understand the underlying cryptocurrency networks to go and cash out a giftcard or move money over here for Bitcoin. So, it’s — depending on the geography of where the scammers are coming from, it really depends on what that skill set is. That’s just two of the top countries that we see, but there is probably four more that I could list off that we see elements of social-engineering scams coming out of that, again, go back to that human emotion and kind of those human pieces, if you will.
JACK: The thing that strikes me — I think it should strike us all with a bit of fear, is that this isn’t — you see the cyber-security news every day. It’s ransomware hit by this company and this other company got hacked, and all that. This is us getting hacked. This is you and me. This is each one of our neighbors. This is individuals of the world, the citizens of the United States or wherever they are. That is just such a close-to-home thing. It’s not far away in some other company that I don’t have to deal with. It’s me and my personal assets — are being attacked, and that — I don’t know. When you realize that the threat actor is right here in my bedroom on my computer, it gives us a different sense of safety.
RONNIE: Yeah, and the other thing, too, because of that safety, we will go and play so much on trusting the social media providers to be like, okay, this social media provider has a really big name, so that means they have to be safe and I can trust anything that’s coming from there. So, because of how large many of these providers are, there’s inherent trust of using these platforms. So many victims will go and be like, okay, I’m gonna go and trust Facebook for seeing this stuff. Yet, there was an article that came out a couple weeks ago that said, no, eight out of ten cyber crime — or eight out of ten cases of cyber-fraud originate on Facebook. So, when you see numbers like that, it’s something where the scammers are going to use those trusted platforms to try and go after people on that. But no, I agree with you 100% — is that it definitely adds a different level of fear to how the scam actually works. It’s because, yeah, it’s like, that scammer is now in your bedroom with you and they’re now stuck in your head as you’re ruminating over all of the ways — where they would be like, okay, does this person love me? Are they trying to build this relationship? What else is going on? The victims run it through their head over and over again.
JACK: With these victims you’ve talked to, like the $90,000-one, the $1.7-million one, are they actually — like, how far along in the — how close are they to these people, right? Are they having video calls with them? Are they having phone calls? Are they texting?
RONNIE: Yeah, so, many of them will be texting back and forth or using WhatsApp to communicate. Like I said, we know that that’s how some of them are, and many of them are receiving multiple messages per day. The one colleague who was in for $90,000, I’m pretty sure they would have been sending pictures back and forth, just ‘cause again, you’re now — you’re not thinking of it in the case of, okay, this is a victim. You’re now trying to think of it — who’s somebody who believes they’re in a relationship. So, you’re gonna go and do everything that you can if you believe that you’re in a relationship. Like, I had one victim who was sending pictures of his food to his girlfriend.
JACK: The scammers do all kinds of weird things; like, they’ll send photos of two different outfits and ask, which outfit should I wear today? Then when the victim picks one, it gives them just that little bit more of information to know about them. Like, they like formal clothes more than casual clothes, so let’s send them more photos of that, keep them on the hook. Just think about how much you share about yourself on a personal level when you have a new love interest. A scammer could easily write all that down and figure out your vulnerabilities and play on that if they’re really good. But I still think one way to sniff out these scammers is just to pick up the phone and call them. I’m betting that a lot of these scammers are just guys posing as women, you know? How do they sound on the phone? Even if they grab someone else to just pose as them and get on the phone, that person isn’t gonna know your whole chat history and won’t be able to carry on a conversation in any way that makes sense. Or even more, let’s do a video call and see what you really look like. So, just keep that in your head, that it’s probably a red flag if your love interest refuses to answer the call or get on video chat with you.
RONNIE: Yeah, so, sometimes that is a red flag. However, some scammers have figured ways around that. I know in the content of deepfakes and AI — and I know it’s a whole buzzword right now, but some scammers are using that technology in order to generate video messages back and forth. The other thing, too; some of them will also use online video without audio, and they’ll just be kinda moving in the camera and be like, oh, my microphone’s not working. Or they’ll go and share and have a phone call with them and they won’t share video and just say, hey, my — this part here — my video isn’t working. So, they know that that’s a piece that people use in the metric, but they will go and try and find different ways to bypass that.
JACK: Oh, yeah. Dang, I didn’t even think of that. So, I’ve done video interviews with people a lot, you know? But I use a Snapchat filter on my video to obscure my face. In real time on a live video call, my face gets distorted. Yeah, you could absolutely just use a filter to change your face to be a pretty lady even though you’re just some dude who doesn’t even speak English. We’re gonna take a quick ad break here, but stay with us ‘cause when we come back, we’re gonna talk about Black Axe, and you’re not gonna want to miss this. Okay, so, I’m looking you up online. You’re known as ‘that BEC guy’. What’s BEC?
RONNIE: BEC is business e-mail compromise.
JACK: Okay, so, let’s stop there.
RONNIE: Okay, sounds good, sounds good.
JACK: BEC — we break down the term; business e-mail compromise, right? So, let’s — the compromise part makes me think somebody has taken over my Office 365 e-mail server and is in my e-mails. They’ve compromised my e-mails. But that’s not what you say is BEC.
RONNIE: No. So, if you go and look up the history of BEC, business e-mail compromise has been the number-one crime seven years in a row, minus last year. But the way it — and most people know it as is if you’re — if you receive an e-mail that says, hi, I’m the CEO of your company and I need you to do this urgent wire transfer for me. Can you wire $40,000 out to this account? That’s what most people think of as business e-mail compromise. But the problem with that…
JACK: Well, to me, I just think — when you tell me that story, I just think that’s a phishing — I don’t call phishing BEC. I just call it phishing.
RONNIE: Right, right, and it’s — phishing is kind of the overarching term for any e-mail-based threat like that.
JACK: Is BEC always money-related or is it sometimes, no, we’re just gonna phish them so that we can get our malware on to steal their intellectual property?
RONNIE: Yeah, yeah. So, business e-mail compromise, in most of the cases, it does not use malware. It does not employ any of those tactics around trying to install software on the computer. At most they will do credential phishing where they’ll try and harvest the e-mail credentials and e-mail passwords. But for a vast majority of business e-mail compromise, there is no malware tied to that. There’s only been a handful of cases that have been publicly documented specific to BEC actors using malware or something like that. But just from — for the most case, there is just no malware that’s tied back to these — those types of crime.
JACK: So, if we’re gonna classify some — ‘cause let’s say we get phished, alright?
RONNIE: Yep.
JACK: Somebody sends us a phish. We click the link. We installed malware. You’d say, oh yeah, that wasn’t BEC. But if it was, okay, we got phished, it was send money to this, and I sent the money, you’d say, oh yeah, that was BEC.
RONNIE: Yep.
JACK: Okay. So, if you’re gonna classify it as BEC, it’s likely gonna be financial-related.
RONNIE: Yeah, yeah.
JACK: So, now this pivots the whole thing in my head, right? Instead of you and me being targeted, now they’re like, well, why target somebody who has thousands of dollars when we can target a business who has hundreds of millions of dollars?
RONNIE: Yep, and that is exactly what it is. So, when you — so, we did a study; what we found was that when you go and think of your Nigerian prince scams, your 419 scams, your — you have this long-lost relative in Nigeria; go send me this money. What we found was that business e-mail compromise was not some new crime. It was a symptom of ignoring your, quote, unquote, “easy” 419 scams. We’ve had direct confirmation that the scammers behind business e-mail compromise are the same people who have been doing these Nigerian prince scams for years.
JACK: By the way, 419 scams are those Nigerian prince scams. You know the ones, where they send you an e-mail saying, oh, if you pay us some money, we’ll release the inheritance that we owe you. The reason why it’s called 419 scams is because specifically in Nigerian law, Section 419 makes it illegal to do this. We’ve all laughed at these scams in the past, but they’re getting more sophisticated now. They’re evolving.
RONNIE: So, very much with what you said, they realize, oh wait, no, I can go and get $40,000 out of this company as opposed to going to hit this one victim over here. That’s where we see the overlap between the romance scams, is that when the — is when they go and send that phishing e-mail to that company, they will use those romance scam victims as a money-muling network to send money for these scams. So, the victims will be the ones who will be receiving the money who then wire it from the United States elsewhere in order to launder it up the chain.
JACK: I mean, what I was — that’s amazing, but what I am surprised of is just hearing the evolution of it. It sounds like they’ve really honed their skills over time.
RONNIE: They have, they have. Yeah, and it’s a combination of honing their skill yet still keeping the stigma that these things are simple and unsophisticated. That’s the thing, is that quote, unquote “simple and unsophisticated crime”, minus — again, minus last year, it was the number-one crime seven years in a row based on financial losses.
JACK: What’s the number-one crime?
RONNIE: Business e-mail compromise. So, from 2015 to 2021, it was the number-one cyber crime based on losses year after year. The only reason it was not the number-one for 2022 was because we had this crime called pig butchering that came up. So, the way it was ranked was pig butchering was number-one. Business e-mail compromise was number two.
JACK: [MUSIC] Wow. So, this is the number-one crime? I guess I’m just so surprised that it’s those awful Nigerian scammers who are doing this. When I say awful, I mean the least-sophisticated phishing e-mails I’ve ever seen. You know the ones; sir, you had a long-lost relative who was the prince of Nigeria and he has recently died and left a large inheritance for you. Just send us $500 so we can process this, and we’ll get the money over to you. Like, who in their right mind thinks their long-lost relative is the prince of Nigeria and you never knew it? It’s just the absolute dumbest attempt at a phishing scam that everyone laughs at, and it’s those guys who are number one? This is the biggest criminal financial loss for companies today?
Now, getting a business to pay a fake invoice can take a lot of prep. You gotta figure out who this company normally pays large bills to and then try to pose as them. One way to pose as them is to register a domain that’s one letter off from the real one, so at first glance it looks like it’s from that person you normally do business with, but it’s not. Or sometimes you can pose as the CTO sending a bill to the CEO of the same company. But still, to know who the CTO and CEO are, you gotta know who the people are that work at this company and what their e-mails look like and what their invoices look like so that it can be as close to the original as possible for this to work, and that takes a lot of work.
RONNIE: We’ve seen cases where they will go and find and use different lead-generation services in order to identify the key controllers and the key stakeholders within the company. When they do that, that’s where they get that information on who’s the person within the company that they can go ahead and target? Based on the intelligence that we’ve seen, we know that they’ll target the controller’s companies, they will target different financial advisors. So, they will go and find that recon in order to identify who can I target within the company.
JACK: Oh, and it’s not always bill-paying. Sometimes they try to scam these companies to send them giftcards. The scammers will pose as some manager in the company and they’ll ask someone higher up, hey, the company did such a great year. I’d like to give my employees giftcards as rewards. The person’s like, oh, that’s a great idea. Then the scammer’s like, okay, well, since everyone’s remote, could you just purchase the giftcards and then send me a photo of the back of the cards and I’ll just pass those giftcards out to the employees? That’s how these companies end up sending giftcards to Nigerian scammers. It’s crazy.
RONNIE: Mm-hm. We actually did — we actually — with that, we actually did a study where we gave giftcards to the scammers and tracked where they clicked from. Crazy, crazy insights that we were able to gain from that. But it was such a different perspective of what we thought was — we were gonna get. Like, say, it was really fascinating, some of the data we had that came back from that.
JACK: Now, e-mail providers or system admins need to work to protect users from all this. You can’t just present every e-mail that comes in to the user. That used to be the case in the old days when we didn’t filter any e-mails at all. But think about this; suppose you do get an e-mail, but it’s one letter off. They switched the lower-case l for the capital I, and it looks the exact same to the human eye to make you think this e-mail is from someone you normally get e-mail from, but that one letter off means it’s not. So, if a human can’t detect it, we better have machines that are detecting it. There’s a thing called the Levenshtein Distance, which is an algorithm that will compare two words to tell you how different they are. I sure hope that e-mail providers today are using this to first develop a baseline of who you’re normally getting e-mail from, and then look for e-mails coming in with a very similar domain. If the Levenshtein Distance is very low, meaning it’s only one letter off from someone you normally see e-mail from, then that should be flagged, maybe rejected or quarantined, and let the user know.
RONNIE: Another area to look at for a lot of domains is how long has the domain been registered? If it’s been registered within the last month, more than likely it’s gonna be a phishing e-mail. So, looking for the reputation, the age of domain, is a very, very successful way to do stuff because most scammers will go and just get one month’s worth of domain time and then use that for their attack.
JACK: You know, now that I think about it, I’m disappointed that there’s not better information on these e-mails I get. Sure, I have a spam folder and stuff gets thrown in there, but I’d love to see reasons for why my e-mail provider put it in spam. To me, spam is ads I don’t want. So, why not have a second folder of threats, you know? Spam and threats are two different things in my mind, but they all seem to end up in the same bucket in my e-mail. I would love, love, love, to get threat intelligence on my inbox where I could see a little dashboard that says, we’ve blocked twenty phishing e-mails for you this month. In there we had five BEC attempts, two pig-butchering e-mails, and thirteen e-mails containing malware from a threat actor known for targeting journalists. At a bare minimum, just show me a big, bright red banner on the e-mail that says, look out, this e-mail comes from a domain that was registered two days ago. That would be really cool.
RONNIE: Google, if you’re listening, fix that, and fix the Google dot bug, too.
JACK: I mean, they might be already filtering it out and putting it in spam, but…
RONNIE: Yeah, yeah.
JACK: …stuff that gets through, I’m like, hey, that is a good tip.
RONNIE: Yeah, and just from the way BEC is, it’s — so many of these e-mails still get through. There’s a reason it’s been the number-one crime seven years in a row. So many e-mail gateways are trying to put protections and a lot of information security focuses on the malware, the APTs, the blinky boxes, and this stuff still gets past because there’s no malware. There’s no malicious URLs or content in there. It’s manipulating the humans. So many of these attacks just bypass your e-mail gateways. [MUSIC] With a lot of your BEC actors, from an attribution perspective, this ties back to groups such as Black Axe, where they will go and use those type of manipulation in order to gain that foothold.
JACK: Wait, so, who — what’s Black Axe?
RONNIE: So, Black Axe is one of the larger Nigerian confraternities that dabble in this. So, if you’re unfamiliar with that term, confraternity, think of a college fraternity here in the states but mixed with black magic and voodoo. What I mean by that is some of the hazing rituals for Black Axe include a human sacrifice or trying to use those type of techniques in order to, quote, unquote, “gain extra powers to become a better scammer”.
JACK: Are we still on the same podcast? What is going on here?
RONNIE: Hey, hey, trust me. Trust me. Yeah, no, I am dead serious on it. I sound like I went off into cyber-land, but no, no. But no, Black Axe is one of the larger groups who’s doing a lot of the business e-mail compromise activity.
JACK: [MUSIC] Okay, are we really going here? When someone tells me they’re using voodoo and black magic to become a better scammer, I’m like, skeptical and just want to move on past that. I don’t even want to pick that up. But for some reason I’m feeling compelled to look this one up. So, first of all, I watched an hour-long BBC documentary on who Black Axe is, and it’s absolutely bonkers. Just listen to the first forty seconds of their documentary.
SPEAKER1: [MUSIC] This morning, several bodies, some with their heads decapitated, were littered around the city. Thirty people have been killed in con-related killings within the past week.
HOST2: A secret death cult is thriving in Nigeria, more terrifying than anything I’ve ever seen. Around the world, crime agents are cracking down on their multi-million-dollar internet fraud and human trafficking network. [COMMOTION] Nigerians are trying to fight back, too. But here, in their homeland, the cults seem unstoppable, and thousands of young lives have been destroyed.
JACK: This documentary explains that Black Axe is a cult full of gang violence.
HOST2: [FOREIGN IN BACKGROUND] They have agreed to let us film what they call a gyration, a cultist ceremony.
JACK: These guys are really dangerous. They go around murdering people all the time, sometimes shooting up buildings or causing massacres, which I guess in the US is called mass shootings. The Black Axe has killed thousands of people.
HOST2: I’m on my way to the University of Benin to understand where all this violence began. The Black Axe formed here forty years ago, and students are still being murdered on campus today. The Black Axe emerged out of a student fraternity known as the Neo Black Movement of Africa, or NBM. The movement initially stood for peace, but over time became linked to crime. Today, many people use the names Black Axe and NBM interchangeably.
JACK: This has been going on for forty years? What? But that’s interesting because they initially started as a Neo Black Movement to fight oppression, but it’s very different now and it’s unclear to me what their motives are now. Something, something, freedom, something, something, defend. But even though Wikipedia thinks NBM and Black Axe are the same, the people within NBM don’t agree. Here’s the president of NBM.
NBM: NBM is not Black Axe. NBM has nothing to do with criminality. NBM is an organization that tends to help achieve greatness in the world.
HOST2: Despite the president’s denials, the NBM is facing mounting international pressure. Weeks after our interview, the FBI arrested more than thirty-five NBM members in the US and South Africa, charged with multi-million-dollar internet fraud. The US Department of Justice statement names the Neo Black Movement of Africa as a criminal organization and part of the Black Axe.
JACK: Okay, so, you’ve got this extremely violent street gang, a cult, Black Axe/NBM, but they seem to also be involved with internet scams. Here’s Vice explaining what they’ve found.
VICE: [MUSIC] The Black Axe is synonymous with cyber crime. It spread around the world. They’ve claimed to have as many as 30,000 members globally.
SPEAKER3: How much were they trying to get out of you?
SPEAKER4: Like, knowing these things, I was insane and I was gonna go to jail.
SPEAKER5: In October 2021, eight men were arrested in Cape Town on serious fraud charges. The men were allegedly members of the Black Axe, a notorious Nigerian organized crime group.
RONNIE: Specific to the human sacrifice, the way that that plays out, is for your Nigerian scammer, they are called a Yahoo Boy. So, in order to become a better scammer or a Yahoo Boy plus, there is a human sacrifice ritual where you have to kill somebody to gain better powers to go and continue this type of scamming. Like I said, it sounds far out there, but it’s widely documented that this is unfortunately one of those cases. That’s why I get so bitter towards ransomware, is that people are like, oh, somebody might die here, over here, or somebody might die over here because of this ransomware attack. I’m like, no, we have people literally sacrificing each other because of this stuff, and that’s where the problems are, in some of these cases.
JACK: Holy moly.
RONNIE: Yep, yep.
JACK: [MUSIC] I also watched a few videos about Yahoo Boys. I guess they get their name because they started out using Yahoo Messenger to conduct their scams over, and they interviewed some of the Yahoo Boys who then explained how they do it, and they were open about what they were doing. They were like, yeah, we scam people. We steal lots of money from them. In fact, they even posted a video of one of their victims on the verge of suicide. Here, listen.
VICTIM: [FOREIGN]
JACK: [MUSIC] So, even though they’re ruining people’s lives and know that some of these victims that they have are committing suicide and they say they’re all addicted to drugs, they deny their involvement with human bloodshed. It wasn’t exactly clear from these interviews I watched, but it did seem like they were killing cows or other animals to try to level up their scamming, which I have to admit, at first I’m just shocked that anyone would think that they’d become a better scammer because of an animal sacrifice. But the thing is, the culture of Nigeria is rich with a lot of this voodoo and hexing and charms and stuff. In fact, when the BBC reporter went to investigate the Black Axe cult, he found a vigilante group who was trying to stop the Black Axe, and they gave him a charm to protect him during his investigation.
VIGILANTE: [FOREIGN] Someone’s ancestral spirits to protect this man.
SPEAKER6: Just put this sort of amulet, and this will guarantee my safety on this raid, that no bullet will penetrate into my skin. Regardless of this, this is what they are relying on.
JACK: They gave him an amulet to protect him from gunshots. He still wore a bulletproof vest, though. But this is what I mean; the culture there is really big into this. You know, luck is a weird thing. It feels like a mysterious force. Can it be changed in any way? So, I can see why somebody would want to do weird stuff to try to improve their luck. If you really, really, really want to improve your luck, then maybe you’ve gotta do something a little insane. I can see how bloodshed can get mixed up in all this. It’s very awful and strange, though. How the hell did we get from romance scams to this? Man, the places we go on this show. Now I can see why you’re so fascinated about all this. These stories are crazy.
RONNIE: Yeah, yeah.
JACK: Tell us about that one story you heard about going on in South Africa.
RONNIE: Okay, yeah, yeah. So, this was a Black Axe case they had down in South Africa. Like I mentioned earlier, I do a lot of work back and forth with law enforcement, so I get to hear a lot of the good stories as a result of this. But they were doing the case. They went down to go and arrest the individuals, and they were kind of at this compound down in South Africa, and they didn’t really — and they were able to get into most of the houses and most of the buildings, and there was one building in the — or one window in the back that they couldn’t get into. So, they were able to bust it down, got in there, and in that building what they found was — they found a pile of money covered with blood and dead chickens.
So, as they came out and unlocked the door to get in there, they kind of got talking to the people that they were arresting and they were like, what’s this? Because you don’t really expect to find that on a law enforcement engagement. So, what the scammers had said was, well, it turns out that the magic here in South Africa is not as strong as the juju in Nigeria, so we need a larger pile of money. That’s one of the things that most people don’t realize, is that there is a spiritual aspect that plays on this that many of the scammers believe. When you account for that and you account for a lot of the way that they perceive a lot of that stuff, it gets really, really interesting. Because of, again, that spiritual aspect, it’s — like I said, it’s — there’s so many other things that the scammers are kinda playing with and using or believe that they don’t fully understand what they’re playing with, in my opinion.
JACK: Man, Ronnie, I don’t even know what to ask you at this point. You’ve just got me going down jackrabbit holes or something.
RONNIE: [LAUGHS] Yeah, yeah. Yeah, I’m the kind of guy who’s — at the dinner table, I was like, hey, let’s talk about blood sacrifices and voodoo.
JACK: Okay, so, while looking up these Nigerian scammers, I saw something about this group called Scattered Canary. Can you tell us about this?
RONNIE: Yeah, Scattered Canary was a mostly-Nigerian cyber-fraud group that we found back in 2018 that was engaging in business e-mail compromise. The reason we named them Scattered Canary was because, one, they were very scattered in their targeting, and two, they were kind of our canary in the coal mine that let us identify a lot of things around 419 scams and business e-mail compromise. One of the things that happened during the pandemic was unemployment money was fair — was given out fairly easily. Whenever one of these programs happened, the scammers are quick to jump on that, and they quickly jumped on that bandwagon for a lot of the unemployment funds. What Scattered Canary did was they used different e-mail accounts or e-mail accounts that had the Google dot bug in them, and they went and hit the unemployment fraud systems. At the peak, we saw them hitting fourteen different states. For unemployment fraud in general, where that stands, we are upwards of around $400 billion that had been — [MUSIC] that’s been stolen as a result of some of these things, and there’s some new information coming out from — about id.me and how some of the money may not have been fully articulated. But what we know of right now is that $100 billion was confirmed from Secret Service. We know that $400 billion is up in question for the money that was taken.
JACK: Wait, $100 billion was confirmed?
RONNIE: Yep, $100 billion.
JACK: So, that was — I’ll submit unemployment on behalf of some American, and then I’ll tell them to send the money here to me in Nigeria. But it probably is money-muled through and then to Nigeria, but that’s where the $100 billion — that’s what I’m…
RONNIE: Yeah, billion with a B. Billion with a B, yeah. Yeah, so — and that’s kind of where the lines get muddy between business e-mail compromise, is because we know that Scattered Canary, again, who was doing business e-mail compromise, we know they were doing romance scams. We know they were doing unemployment fraud, and that’s kind of why I say BEC is the number-one crime that’s out there, because that’s over $500 billion that we know are tied back to business e-mail compromise scammers who are doing this, and we know other scammers were involved in that, too. But no, it’s — yeah, it was $100 billion that was confirmed from Secret Service. There is a possible — it’s a possible $400 billion that is up for discretion and kind of being put through for Congress, but that’s what it looks like the new number is gonna lay at, is about $400 billion. It has been confirmed.
JACK: Now, I’ve gotta try to understand these numbers more, okay?
RONNIE: Okay.
JACK: So, I’m just walking through it in my mind. So, $100 billion is coming from the US Treasury?
RONNIE: Mm-hm. Yep.
JACK: That’s a lot of money that’s just — the US Treasury has lost.
RONNIE: Not only is that a lot of money that the US Treasury lost; that’s a lot of money that came out of — are you an American citizen?
JACK: Yeah.
RONNIE: Okay, so, that’s a lot of money that came out of mine and your pocket. In addition to that, scammers — what it looks like is it may have been upwards about $400 billion, so — and the other kicker here, too, is that that’s — fraud is still happening. Two of my intelligence sources out in Nigeria, within the last two weeks, they’re still stealing money from the government. The average salary for a Nigerian is $100 US per month. So, when you go and you have that much money coming in, it becomes very enticing for your youth out there to want to go and try and do this fraud.
JACK: But still, I can’t fathom this amount of money coming in. Like, the entire GDP of Nigeria is $500 billion. You’re telling me that this one group has stolen almost the equivalent to the whole country’s GDP from the US government, almost doubling Nigeria’s GDP? It’s just unreal.
HOST3: Secret Service says nearly $100 billion in pandemic relief funds have been stolen. That adds up to about 3% of the cash handed out by the government. Most of the lost money is from unemployment fraud. Right now, the Secret Service says it has more than nine hundred active criminal investigations into pandemic fraud, with cases in every single state.
JACK: Man, the more I look into this, the more problems I see. I mean, listen to this guy.
HOST4: Michael Horowitz is the top cop overseeing the effort to make sure the $5 trillion in taxpayer dollars went to the right place. This is his first interview in his role as the head of a pandemic response accountability committee.
MICHAEL: When the Small Business Administration, in sending that money out, basically said to people, apply and sign and tell us that you’re really entitled to the money. Of course, for fraudsters, that’s an invitation. What didn’t happen was even minimal checks to make sure that the money was getting to the right people at the right time.
JACK: The US government spent $5 trillion to try to help Americans get through the pandemic. But it sounds like they didn’t do a very good job at protecting that money from fraudsters. I mean, this Rolling Stone article I’m reading right now says it’s more like $1 trillion was stolen from the US Treasury. My goodness. I guess it really is the number-one crime, and that’s such a waste of money. What an awful problem. How can $1 trillion be stolen from the US Treasury and it be an acceptable amount of loss? To me, it must be acceptable since this got rolled out in phases. I think $2 trillion was the first to be approved, and of course, scammers immediately started grabbing that cash. When that wasn’t enough, they rolled out even more trillions of dollars without putting changes in place to stop this from happening. You’d think someone would have said, uh, listen, that last round, a lot of money got stolen. Is this really an acceptable amount of loss? But no, nobody listened, and the money just kept getting handed and handed right to the scammers. What an embarrassment.
I’m tempted to get to the bottom of this and figure out who bungled this money. Who was in charge of handing out $5 trillion and was like, oh, we don’t need guardrails; I don’t think anyone’s gonna steal from us? Who denied the budget for a security audit or team? Who ignored the person saying, hold on, if we start handing the money out this way, we’re gonna get a lot stolen? Who out there thinks it’s totally fine that we lost a trillion dollars? I want my voice to be clear; as an American, this is unacceptable to me. I’m very disappointed that the US government handed this much money to the same Nigerian scammers who tried to convince us all that our long-lost relative was the prince of Nigeria. I would be understanding if the government fell victim to some sophisticated cyber attack like a ruthless, unstoppable bull. But you got taken by the least-sophisticated scammers on the planet. You need to do better. When you’re handing out this much money as fast as you can, you’ve gotta look at who you’re handing it to. At the very least, give it to an American. What is this, your first day on the internet? Listen to Secret Service agent Roy Dotson here. He’s the lead investigator of this case.
ROY: [MUSIC] Fast money equals fast crime.
JACK: At this point of this interview, I’m just kinda feeling defeated. And, surprise…
RONNIE: Welcome to the last seven years of my life, ‘cause it’s something where it’s like, it’s very disheartening. Like I said, staring at this stuff for so long, it’s something where it’s like — it is very disheartening because you do feel defeated. You do feel like, okay, we’ve literally lost $500 billion and that’s just what we know. If we were to actually piece together what we knew, I’m just gonna throw this out there; we’re easily over a trillion dollars that we’ve lost here. A lot of what it comes down to is admitting that there is a problem, admitting that something needs to be fixed, admitting that something needs to give. Because if you keep having this much money that’s going out and you don’t admit that it’s a problem, you’re just gonna be stuck.
When you go and look at the twenty, twenty-five years of Nigerian prince scams, this is the whole reason that we’re here right now, is because no one wanted to admit that, no, this is actually something that’s happening. Yes, there are people who are actually being socially engineered into this. We have to work with those people in order to identify some of that. So, trust me, I totally resonate with you. I totally feel you when you’re like, you feel defeated on that, because a lot of times I do, too. But knowing that I’m on the right side of this, knowing that I’m helping victims and I’m helping them recover their money and knowing that I’m helping reshape a lot of the way that the industry thinks about this stuff is like, that’s what keeps me fighting this stuff every day.
(OUTRO): [MUSIC] A big thank-you to Ronnie Tokazowski for sharing his stories with us. This episode was created by me, the master of disaster, Jack Rhysider, assembled by the juicy smoocher, Tristan Ledger, mixing done by Proximity Sound, and our theme music is by the mysterious Breakmaster Cylinder. You might be wondering what my political association is. I’m ALT + Tab. This is Darknet Diaries. [END OF RECORDING]