You are listening to Humans in Tech. Our podcast explores today's most transformative technology and the trends of tomorrow, bringing together the brightest minds in and outside of our industry. We unpack what's new in physical access, identity verification, cybersecurity and IOT ecosystems. We reach beyond the physical world, discuss our digital transformation as a species, and dive into the emerging digital experience. Join us on our journey as we discover just how connected the future will be and how we will fit into that picture. Your host is Leigh Dow, VP of Global Marketing at Identiv.
Leigh Dow (00:43):
Thanks for listening. Today's topic is a fun one, crypto crimes, which has increasingly become a growing concern in our high-tech digital world. According to blockchain analysis company, Chainless, cryptocurrency transactions that were known to be involved in illicit activities like cyber crime, money laundering, and terrorism financing made up about $14 billion in transactions in 2021. That's up $7.8 billion from 2020. Our guest today returns for a second time because we like talking to him so much.
Drew Todd is a journalist at Secure World News, covering cybersecurity. He's written many articles, like 'Top 10 Data Breaches of All Time', which we talked about in a prior Humans and Tech episode. Holiday season cyber threats, trends for retail hospitality industries, and new record dark net markets are booming, and so many more. For 20 years, Secure World has been tackling global cybersecurity issues and sharing critical knowledge and tools needed to protect against ever-changing threats. Hi again, Drew. Thanks for joining us for this Crypto Crimes podcast today. It's so great to have you back.
Drew Todd (01:45):
Hey Leigh, it is great to be back. It's good to hear that you actually like talking to me enough to invite me back.
Leigh Dow (01:52):
Yeah, we had such a fun conversation last time. This is definitely a good series. So for first time listeners, can you give a really quick summary of how you ended up as a journalist covering cybersecurity in such a fast-paced world of cybersecurity and tech?
Drew Todd (02:05):
Yeah, so I think, like a lot of people who have found themselves working in the cybersecurity industry, it's not necessarily a career path that you set out on. For me, I graduated from college in 2020, right at the beginning of the pandemic. And I graduated with a degree in economics and had no idea what I wanted to do with that. And I found my way to Secure World. And I started working, kind of doing some marketing things at first as really just an intern. And then my role evolved after about a month being there. I was asked if I could do some writing and do some articles for the company. And it's been two years since then. And I have just been covering cybersecurity stories ever since. So I guess the people that are reading my stuff must like it if I'm still doing it after two years.
Leigh Dow (02:56):
Well, you know we like it.
Drew Todd (02:58):
Yeah. Yeah. Thanks. It's been fun. I think it's a great time to be in cybersecurity, as the industry is expanding quickly and there's just so much change happening. It's very, very interesting to be involved in.
Leigh Dow (03:12):
So what exactly are crypto crimes? And maybe you can explain some of the terms associated with crypto crimes, like crypto jacking or crypto mining. Whenever I talk to people who don't really understand crypto, they have this vision of people actually in their basement mining. They don't really understand what these terms mean.
Drew Todd (03:33):
So I mean, I would say that crypto crimes is a really broad term. It can be applied to really any type of crime related to cryptocurrency. So starting with some terms like crypto mining and crypto jacking. Crypto mining is, you could get the picture of somebody hiding in their mom's basement, mashing buttons on a computer, is sort of the image you get. But it's really just the computer is doing all of the work. So crypto mining is the process of verifying transactions related to cryptocurrencies.
Transactions have to be legitimized by miners for completion by solving number puzzles with mining computers. And then the mining process results in cryptocurrency for the user. That sounds a little complicated, but it's essentially just computers solving digital puzzles and earning cryptocurrency. Unfortunately, this process requires a whole lot of energy. And since crypto has taken off in popularity in the last couple of years, the environmental effects have been a little bit concerning. And some countries, like Sweden, are already calling for the ban of crypto mining because of this.
And so then crypto jacking is really similar to crypto mining. It's just basically a cyber criminal taking unauthorized control over someone's device, and using that device's energy For crypto mining. The purpose of doing this is to remain anonymous and hidden from the victim, so that you can continue using their device for free to do the mining.
Leigh Dow (05:03):
So I guess people get confused, crypto jacking, crypto mining, with investing in crypto.
Drew Todd (05:11):
Yeah, sure. I mean, investing in crypto is pretty much something that anybody can do. You can go online and there's a ton of platforms that offer you to invest in crypto. And that's a legitimate transaction. If you're using a verified website and using your own money to purchase cryptocurrency, then that's totally legit. But when you get into the crypto mining aspect, and you have computers that are just solving these digital puzzles and earning cryptocurrency, as well as with crypto jacking, that's where you get into the kind of illegal illicit activity of cyber criminals.
Leigh Dow (05:46):
Well, probably the biggest story lately surrounding crypto crimes is Sam Bankman-Fried or Fried, I don't even know the correct pronunciation of his last name. But AKA SBF, the founder of Failed Crypto Exchange FTX. And he was recently arrested in The Bahamas. And I believe he's, yeah, he's been extradited back to the United States. Can you fill us in a bit on this case and how Secure World has covered it?
Drew Todd (06:10):
Yeah, so there is a lot to unpack in this case.
Leigh Dow (06:14):
Well wait. Is it Bankman-Fried, or Fried? Or did I say neither one of those correctly?
Drew Todd (06:18):
I think it's Fried.
Leigh Dow (06:21):
I'm thinking Fried. Okay.
Drew Todd (06:22):
I could be wrong though. He is really-
Leigh Dow (06:24):
Who ironically is not free right now.
Drew Todd (06:29):
Yeah, right. It's basically just a whopper of a case study that everybody can learn from. And so the story is really centered around FTX, and SBF's, financial fraud related to crypto. And so they had a ton of wrongdoings with their business practices that resulted in fraud. But there were a ton of security concerns related to that story that came to light after the collapse.
And so some of the things that I've read about, you read them and you have to read it again. Because you're like, there's no way that this multi-billion dollar company, that is sponsoring the Miami Heat's home arena, is doing these things behind doors. And so some of the things that I've read about, it's like that they had no appropriate security controls with their digital assets. So SBF controlled all of the access to the assets, which involved using an unsecured group email.
Another thing that I read about was that about $740 million in cryptocurrency was placed into cold wallets. And so cold wallets being the digital crypto wallets that are not connected to the internet. And so it's not that that's necessarily illegal. It's kind of just like, why are you trying to hide $740 million in cryptocurrency? And that's only a small fraction of what they had under management.
Another piece that came out was that, at the time that they filed for bankruptcy, there was $372 million in unauthorized transfers. And it's still kind of unclear whether that was due to a hack or an inside job. That money's kind of just floating out there right now.
And then these next two things that I'm going to say, you just have to laugh at because you can't believe that it's real. So it's been reported that SBF used chat apps that auto delete messages, and encouraged employees to do so. Essentially hiding any evidence, any incriminating evidence, that there could possibly be. And then the other thing was that their payment requests were done through a chat platform and they were approved with personalized emojis. So that's like, you read that and you're like, "What are they doing over there?"
Leigh Dow (08:52):
Although, wait a minute. I have to say, it would be quite interesting, is that the future of business language is, we just communicate in emojis. Because that's how people that age communicate.
Drew Todd (09:06):
I mean, that would be kind of funny. And I'm sure as the workforce demographic gets a little older, everyone is just so used to communicating that way that it would be a convenient way to do things.
Leigh Dow (09:19):
It's like shorthand.
Drew Todd (09:20):
Less words, shorthand, quick emoji. Give it a thumbs up.
Leigh Dow (09:24):
Well, even you saying that that money's kind of just floating out there, it's like the digital equivalent of a sunken ship with gold. Or somebody saying that they buried treasure somewhere and people try to find it 200 years later.
Drew Todd (09:38):
Yeah, yeah. That's basically exactly it.
Leigh Dow (09:41):
So about a year ago you wrote a story, 'A New Record: Dark Net Materials are Booming'. What exactly are dark net markets? And why are they booming?
Drew Todd (09:52):
They're booming because they're easy and very popular among cyber criminals. Dark net markets are essentially commercial websites on the dark web that facilitate the selling of illicit goods and services. In the past, really before the internet has gotten so popular, it was associated with things like drugs and weapons, traditionally. But more so in recent years, it's being used to buy and sell sensitive personal information like social security numbers, login credentials, and credit card info. As well as a variety of services.
Leigh Dow (10:27):
I just watched a movie that, because all movies are just real life. I just watched a movie, and I wish I can remember the name of it. But it's with the woman from 'Parks and Rec' who was in 'White Lotus', the last episode of 'White Lotus', who played Audrey. But it was a whole movie about people who buy people's personal information. And then they create identification documents and credit cards with their personal information, give it to people, and have them go shop for really expensive goods with it that they can then sell on a black market.
Drew Todd (11:04):
Yeah, I haven't heard of that movie. But I definitely want to check it out. That sounds really interesting.
Leigh Dow (11:07):
Yeah, I'll find the link. I'll send it to you. I just watched it. It was really good.
Drew Todd (11:10):
Yeah, I mean, that sounds like a typical story that you see. I mean, I'm sure that stuff happens regularly, daily. And I'm sure the movie would just be a good way to get a visual representation of how that happens.
Leigh Dow (11:21):
And so what kind of services are they selling? Are they always illicit? Or is it also just stuff that's hard to get?
Drew Todd (11:27):
I'd say it's pretty much all illicit. So they're selling services, like ransomware is a service. And DDoS has a service, they're super popular. As well as things like Phishing, hacking, and spamming campaigns. So say if I wanted to conduct a ransomware attack on an organization, but I don't have the technical knowledge to do so, if I can figure out how to get on the dark web, then it's fairly easy for me to purchase access to these types of services.
And so if I had a vendetta against an organization, and I wanted to hack them, it's like all I have to do is really just figure out how to get on the dark web and find the right dark net market. And then you can really purchase whatever you want. You can purchase access to the organization, or just you can pay somebody else to hack them. And a lot of times it's not very expensive. I've seen reports that it only costs a couple hundred dollars to pay for access to an organization. And so-
Leigh Dow (12:23):
Drew Todd (12:23):
It's really just, if you know how to get on the dark web, then it's kind of up to you.
Leigh Dow (12:29):
So what are fraud shops?
Drew Todd (12:31):
So fraud shops, they're basically like Dark net marketplaces. They're just selling things like malware, or stolen credit card numbers, compromised user accounts. And they also sometimes assist with money laundering. So really any type of personal consumer info that you can buy, fraud shops will be selling.
Leigh Dow (12:55):
So when someone's credit card info is stolen, it could be sold in one of these fraud shops on the dark web, like in the movie I described.
Drew Todd (13:01):
Yeah, I would say it's more than likely that that is the case. I'd say it's probably pretty rare that someone steals credit card info, and that's just a one-off case. It's usually that there's some kind of breach and they get access to a whole server of credit card information. And then that's posted online. And then for a data set like that, that goes for really exorbitant amounts of money on the dark web. If you had a whole list of thousands of people's credit card info that could be purchased for a few hundred thousand dollars, maybe a million dollars, something like that.
Leigh Dow (13:39):
That's so crazy. What's the major way that criminals in the crypto world launder money? I mean, not that we're asking for tips and tricks.
Drew Todd (13:46):
No, I was thinking about that as I was researching some of this stuff. I'm typing in these questions to Google. And I'm like, they're probably keeping track of all of this and-
Leigh Dow (13:58):
Drew Todd (13:58):
[inaudible 00:13:58] to their rosters.
Leigh Dow (13:58):
Yeah, that was another question I was going to ask you.
Drew Todd (13:58):
Or some crypto crimes.
Leigh Dow (14:01):
Yeah, I was going to ask you, I'm like, "How do you keep from the FBI showing up at your doorstep every day, where you're like, no, I'm just a reporter.
Drew Todd (14:09):
Hopefully I can redirect them to our Secure World news page. And make them see that I'm just curious.
Leigh Dow (14:15):
An essay comes knocking every now and then.
Drew Todd (14:18):
Yeah. So the cyber criminals are laundering crypto money. Basically, they're sending their digital assets across block chains, bypassing a centralized service that can trace and freeze those transactions. And they use these so-called cross-train bridges that make it happen. And the dollar amounts just keep getting larger.
Leigh Dow (14:41):
So what's a cross chain bridge? What is that?
Drew Todd (14:45):
So the cross chain bridge is essentially a bridge that communicates between crypto platforms. It's kind of hard for me to explain without having all of the info in front of me, because I'm not that technical of a person. But it essentially communicates between two block chains.
Leigh Dow (15:05):
Somewhere in the future, someone is going to be listening to this, and their head's going to pop off because they're like, "That's not what it is."
Drew Todd (15:14):
Probably. You're probably right. You're probably right.
Leigh Dow (15:16):
They're going to be like, "That's not what it is. It's so technical. Here's how to describe it." Well, I'll let you know if I get that email.
Drew Todd (15:25):
Leigh Dow (15:25):
And so the dollar amounts are getting larger. I see that in the news. And I think Fast Company just did a big story about it in one of their recent editions. Just getting bigger and bigger in... And is it that they're getting more bold? Or is it that it's whether you take a little or you take a lot, the process is the same, so why not take a lot?
Drew Todd (15:48):
Yeah, there's definitely a little bit of that. I think it's just the fact that it's all becoming so accessible for so many people is one of the reasons why the dollar amounts keep getting bigger. With the growth of cryptocurrency, and with the growth of the dark web in recent years, it's pretty easy to see why the dollar amounts just keep getting bigger.
Leigh Dow (16:06):
How much revenue do these dark net markets bring in? How big a business is it?
Drew Todd (16:10):
It is massive. So in short, I'd say the answer is a lot. In the article that you referenced that I wrote earlier, Chainalysis did a study in 2020 showing the growth of dark net markets. And in 2011, it was essentially at $0. And by 2020, it had climb to $1.7 billion. And that number has definitely gone up since that study was conducted. And another thing to consider when looking at the total number, or the total revenue that these dark net markets are bringing in, is the fact that these numbers are probably severely under reported.
Leigh Dow (16:47):
Well, yeah, criminals don't like to share that kind of information with you.
Drew Todd (16:50):
Obviously their goal is to remain hidden and anonymous for as long as possible. So I'd say the total revenue for all of these dark markets is definitely in the multi-billions range.
Leigh Dow (17:02):
So tell us a little bit more. Tell us about Hydra, which is allegedly, I guess, or not allegedly, the largest dark net market in the world.
Drew Todd (17:12):
So I covered a story about Hydra about a year ago. And so when, actually two stories. So when I wrote the article, the first one, Hydra was the largest dark net market in the world. It's a Russian based market that focuses on the distribution of illegal narcotics, stolen financial information, fraudulent identification documents, and money laundering and mixing services. The Department of Justice said in 2021 that it accounted for 80% of all dark net market related crypto transactions. So 80% is such a high number, I can't imagine any organization anywhere having 80% of a market share. It's just hard to comprehend how large that is.
Leigh Dow (17:56):
Well, I once worked for a company that had 80% of the market segment share of... They don't anymore for that product. But yeah, I can tell you the power it wields. So I can only imagine in the criminal world.
Drew Todd (18:09):
Yeah, massive. And so Hydra was started in 2015, and they racked in about $5.2 billion, with 17 million customers over seven years. So even with the-
Leigh Dow (18:25):
I'm sorry to interrupt. But does that mean that Hydra itself is illegal? Or is it the activity that takes place on Hydra is illegal?
Drew Todd (18:33):
It's both. Okay. Hydra is illegal for being a dark net marketplace that offers these services. And then the people who use it to purchase those services.
Leigh Dow (18:33):
Got it. Okay.
Drew Todd (18:44):
Both very illegal.
Leigh Dow (18:46):
Drew Todd (18:46):
So thankfully, the follow-up article that I got to write about Hydra was about how German and US law enforcement cooperated together to bring down Hydra. And that was about probably eight months ago. So one thing that I have seen all of the time, when looking at cyber criminals and dark net markets, is while the authorities have taken down Hydra, which was the largest dark net market in the world at the time, almost always they will reappear and rebrand as something else. Something, you cut off the snake, you cut off the head of a snake, and two grow back kind of thing. So surely, we'll see another major player emerge in the dark net market space.
Leigh Dow (19:34):
And probably mostly the same people.
Drew Todd (19:37):
Yeah. Unless that those people were actually arrested. They usually try and do a pretty good job of getting the top guys that are organizing the whole thing. But it's still like the people that have been working under them have learned all this info, and they're not just going to go get a nine to five at your local store or whatever. They're going to continue to do this because they can make a ton of money. If they're doing it right, and they think that they're being anonymous and hidden, it's an opportunity for them to make a ton of money. Obviously the risks are not-
Leigh Dow (20:12):
Drew Todd (20:12):
Worth it, in my opinion.
Leigh Dow (20:14):
Yeah. Well, is there any advice that you give people, or would give to people, who use cryptocurrency? How would they avoid becoming victims of crypto crimes?
Drew Todd (20:24):
Leigh Dow (20:25):
But wait. It's not just people who use crypto, right? It's anybody.
Drew Todd (20:28):
Yeah, it's anybody. And so it falls into stuff that I hear cybersecurity professionals talk about all of the time, and it's just practicing good cyber hygiene. And so that means creating a strong and unique password for all of your accounts online, enabling multifactor authentication, and making sure your software is up-to-date. Kind of like maintenance things like that. But most importantly, when it comes to avoiding crypto crimes, I would say it is being knowledgeable and aware that scammers are out there every day looking for ways to get you. And so just being smart and being able to spot a phishing email, or a fraudulent text you receive on your phone, is really important when it comes to helping yourself out. And so there's a ton of resources online that you can take. There's courses that you can take, to learn how to be more vigilant when it comes to defending against scams like this. But ultimately, just be smart and cautious when it comes to stuff on the internet.
Leigh Dow (21:31):
And also read Secure World News and your articles.
Drew Todd (21:34):
And also read Secure World News.
Leigh Dow (21:36):
Drew Todd (21:36):
Leigh Dow (21:37):
Well, Drew, thank you so much for joining us on this episode. It's always super fun to talk to you. Hopefully we're all a lot more informed about crypto crimes in this high tech world and how to protect ourselves. Appreciate you being here.
Drew Todd (21:50):
Yeah, Leigh, thanks for having me again. It's a pleasure to be back for the second podcast. And who knows, maybe we'll get to do it for a third time.
Leigh Dow (21:58):
Oh, for sure. If you enjoyed this podcast, please like and subscribe for me. We drop a new episode every Thursday.
Eliminate the risk of data breaches, Phishing, password theft, and replay attacks with hardened multifactor authentication cyber security. Passwordless logins are simple and secure with You Trust 502 NFC Plus security keys. Insert the device, tap the button, and get secure access. It really is that easy. Learn more at identiv.com.
We designed powerful NFC enabled identity solutions that seamlessly integrate into kiosks, terminals, vending machines, slot machines, betting machines and more. Our new You Trust NFC kiosk kit features our contactless USB CCID, You Trust 3523F reader, module, NFC antenna, and highly customizable LED array. The kit can easily support loyalty cards and digital wallets. If you're ready to add NFC to your slot machine or kiosk, speak to an expert today at identiv.com.
Physical security identity verification, the IOT. The hyperconnectivity of our lives will only grow more pervasive. As technology becomes more automated, and experiences more augmented, it's up to us to preserve our humanity and use new tools and trends for good. The only question is, are we up for the challenge?