Money Laundering 101: a chat with Investigative Journalist Geoff White
Perry Carpenter: Hi, I'm Perry Carpenter, and you're listening to "8th Layer Insights." [ Music ] Picture this: Imagine you're standing outside a small, unassuming coffee shop nestled in the heart of a busy city. On the surface, this is just another place for your daily caffeine fix. But behind the scenes, it's a hub for an intricate network of financial transactions designed to scrub illicit gains clean. The process, it's known as money laundering. It transforms dirty money into seemingly legitimate funds, often with the help of our good old friend technology and even more help from how confusing complex financial systems can be. From cartels needing clean cash to cyber criminals needing to wash away the digital trails from their ill-gotten crypto gains of their latest ransomware scheme, money laundering has evolved into a sophisticated, high-tech enterprise. It's a dark dance of deception and constant innovation. Every step meticulously planned to evade detection. Place. Layer. Integrate. Place. Layer. Integrate. Rinse. Repeat. And the cycle goes on. Today's guest is Geoff White, an investigative journalist and author of the new book, "Rinsed: From Cartels to Crypto: How the Tech Industry Washes Money for the World's Deadliest Crooks." Geoff will take us through the world of money laundering and shed light on how the very technology designed to enhance our lives is being manipulated by some of the world's most dangerous criminals and nation states. And so, on today's show, how money laundering works and a few other dark insights. Welcome to "8th Layer Insights." This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything from why we think the things that we think to why we do the things that we do and how we can all make better decisions every day. This is "8th Layer Insights," Season 5, Episode 6. I'm Perry Carpenter. Welcome back. Let's dive right into our interview with Geoff White.
Geoff White: I'm Geoff White. I'm an author and investigative journalist. My new book, "Rinsed," is out in June.
Perry Carpenter: So it's been -- How long has it been since you released the "Lazarus Heist" book? I think it was the second volume of that, right?
Geoff White: That's right. That was two years ago. So that would have been in June 2022. Yeah.
Perry Carpenter: Yeah. So bring us up to speed a little bit on the release of that book because we, I think, we talked prior to that, what some of the reactions were, what you learned, and any of the follow-up that you may have done since that. And then we'll shift gears and talk about what you're currently working on.
Geoff White: Yeah, sure. I mean, the "Lazarus Heist" book obviously came out of the BBC World Service podcast of the same name, which is all about North Korea and how North Korea has become a computer hacking superpower, I guess one would call it. And the book was really interesting because we'd done Season 1 of the podcast. I then wrote the book, and we put that out, published that. But then after that was Season 2 of the podcast. So the books sort of occupy an interesting position in that it was halfway between Season 1 and Season 2. Season 2 of the podcast then pushed things on a little bit more. But what's been incredible is watching the alleged North Korean cyber activity subsequent to that. I mean, in Season 2 of the podcast and in the book, you know, we did cover the cryptocurrency thefts. But they've just been on an absolute terror. And then the stuff that's been going on subsequent to that is astonishing. I was reading only today a report on North Korea's sort of alleged crypto laundering activity. I mean, you're looking at, you know, $3 billion as a conservative estimate over the last few years of how much they've stolen in crypto. But what's amazing is the technology, the crypto technology they're using to launder this stuff. I mean, it's cutting edge. I understand crypto a fair bit. But the stuff they're using, you know, the cross-chain bridges and the, you know, the swapping services, the DeFi services, this is the cutting edge of finance. And North Korea, if the reports are to be believed, has mastered it and mastered it in a lot more effective way than a lot of people in the world could actually even understand.
Perry Carpenter: Maybe this is going to be too reductive of a question. But when I think about different countries, different regions, there's kind of this idea of a national export, the thing that the country is known for, the thing that they deliver to the world. Would you say from a North Korean standpoint that the thing that -- the national export of North Korea is cybercrime?
Geoff White: That's a very good question. [Laughs] Yeah, it's an interesting question because, of course, North Korea, because of its belligerent pursuit of nuclear weapons and missile technology, is largely sealed off from the outside world in terms of trade. So immediately in your question, there's the fact that North Korea doesn't have any real legitimate exports. There's nothing really North Korea can legitimately export to make money. And we've made it that way to try and force North Korea to the negotiating table. So look, I think that would be slightly overplaying it to say its main export is cyber. Its main export, according certainly to the US, is crime. But you've also got a lot of other things. You've got export of natural resources. You've got deals that it does with China and other countries to sort of try and get around sanctions and so on. But certainly cybercrime would definitely be up there. How much money cybercrime makes for the North Korean regime in terms of GDP is an interesting question. If you are looking at three billion, that's a fair chunk. I mean, the difficulty with that is we don't know what North Korea's GDP is because unlike a lot of other countries, it doesn't really publish figures or certainly not reliable figures.
Perry Carpenter: Right.
Geoff White: But it's got to be a big chunk of that money.
Perry Carpenter: Yeah. And I assume that it was probably an overly reductive question, especially for somebody who has studied some of the nuances of North Korea. But it does, for us that live in the cybersecurity world, it seems to be the only thing that we hear about. And so I think that our frame of reference when it comes to North Korea and then certainly things like Russia and Iran and China is very cybersecurity centric. Also, since the last time we spoke, I don't think Russia-Ukraine had kicked off yet, and certainly Israel and Hamas had not kicked off yet. What are you seeing as far as trends in cyber warfare and cybercrime when it comes to these escalated conflicts?
Geoff White: It's a really good question, actually. Yeah, the Russia-Ukraine conflict was very interesting from that perspective because there was a conversation going on inside the cybersecurity community. And then there was a conversation going on outside but on the periphery of the cybersecurity community. And that latter conversation, in some quarters, came down to, well, we thought cyberwar would happen, but it's not, is it? Because, you know, Russia-Ukraine proves we don't do cyberwars. We just do hot wars, and that's how it works. That was an annoyingly basic way of approaching things because there was cyber activity going on at the start. There was malicious cyber activity from the Russian Federation against Ukraine. There was also cyberattacks from Ukraine against Russia, let's face it. What was difficult was sort of stressing to people that that stuff did actually matter. It was a force multiplier in the conflict. And I think a lot of the traditional, conflict-analysis-type people saw that as a way of playing down the cyber threat, that, you know, when it came to Russia and Ukraine, fundamentally, it was a physical war. Therefore, we shouldn't really be hyping up this whole cyberwar threat. I think that was missing a trick. There was cyber activity going on, as I said, between Russia and Ukraine. And the other thing that gets missed out of that is the defensive activity that was going on. Yes, there was offensive activity between the two countries. There's a huge amount of defensive activity, particularly around Ukraine, you know, loads and loads of different companies and employees rushing to help Ukraine and try and defend its networks. So all of that gets missed out because, of course, when people talk about cyberwar, they talk about the offensive stuff. They sort of miss the defensive stuff. But the good thing is there's, you know, lots and lots of reporting. You know, Microsoft, in particular, I think, did really well in terms of isolating how those cyberattacks fed into physical attacks. You could almost time, you know, the cyberattack happened, and a few hours later, the target gets attacked physically. So I think we're getting into maybe a more mature view of what cyberwar would be like, you know. We won't have a cyber-Pearl Harbor, but if there is a Pearl Harbor, there'll be a massive cyber element to it. I think we're getting to a bit of a more mature stage with that conversation. Israel-Gaza is an interesting one. The activity around that, it was really interesting. It fed into this incredibly febrile Middle Eastern sort of information warfare, DDoS attack-type community. But what was really interesting was seeing not just the Palestinian and Israeli groups. Obviously, Israel has got, you know, a large cyber army resource that it can throw at things. But it was more the other groups, you know, groups in places like India or other countries in the Middle East getting involved in different ways, groups in Turkey, hacking groups in Turkey, getting involved in different ways. The sort of Gaza-Israel, Palestine-Israel conflict seemed to be another platform on which people could express animosities that they were already expressing in cyberspace. You know, we had these aggressive cyber groups weighing in on that conflict, but that's what they do. Any conflict that breaks out in that region, they're going to have a side in it. They're going to have an angle on it. And they're going to use it to sort of up their -- up their ante, as it were.
Perry Carpenter: There's two threads I want to pull on before we switch over to talking about money laundering and some of your new work. But one of the threads comes out of what you had mentioned about Russia-Ukraine and saying that the cyber elements were not what everybody was predicting. And so a lot of people just saw that as a binary. There is cyberwar. There is not cyberwar. When in reality, it seems like the cyber warfare component of these things happens like any, you know, quote-unquote, "warfare component," whether that's air war, ground war, whether that's propaganda, whether that's, you know, X, Y, and Z. Why is it, do you think, that we humans tend to be so all or nothing in our thinking when it comes to our perceptions and the way that we expect the world to come at us? And then all of a sudden, we, you know, tend to throw everything out because the things have not met our expectations. And then what is it like to deal with that as a journalist?
Geoff White: Yeah, it's interesting. As you were asking the question, I was thinking, well, the prism through which I approach this is the prism of a journalist, somebody who watches the media debate going on. Frankly, within, you know, within government, within military, within intelligence establishments, they're smart enough to know that it isn't binary. You either get cyberwar or you don't. They understand that. For the public, they don't necessarily understand that. And the intermediary between the two worlds is obviously the media, it's journalists. And, yeah, it's a failing of journalism, I suspect, that we want the headline. We want the new. We want something revelatory and different and incredibly groundbreaking to happen that we can then report and say, this is unprecedented, this is the first time. And so, you know, inevitably, the idea is, well, cyberwar will be the next sort of zone of war, you know. There'll be cyberwars, and that's what will happen. So when it doesn't happen, the headline has to become, well, cyberwar didn't happen. Media sort of flattens things to a kind of fairly binary level, unfortunately. Trying to do sort of subtle news and nuanced news, particularly in a conflict like that, is quite difficult.
Perry Carpenter: Yeah. And then just following on that, it seems like as the world becomes more politicized and polarized, the word journalist or journalism is almost spoken sometimes like a curse word. How do you -- how do you respond to that? And what got us to where we are? And then how do we start to recover from that? Because, of course, journalism does incredibly important work. But for some reason, it tends to get overly politicized. And people use it as a weapon against one another rather than a real search for the truth.
Geoff White: Yeah, it's interesting. And as you were asking the question, I'm sort of thinking of the answer in my mind, which probably add up to another hour's worth of podcast content on this debate. Look, I think you're right. There was a dim view of journalism. And there's a company called Edelman, a PR company called Edelman, who have a thing called the trust barometer, which tracks people's trust.
Perry Carpenter: Yeah.
Geoff White: And trust in traditional media has been declining, according to the last figures I remember from Edelman. But what's interesting is when you speak to people, if you just mention on the abstract, what do you think of journalists? People will give you that dim reaction. Oh, bloody journalists lying all the time, et cetera. But when you actually dig deeper, and people say, oh, I read this story the other day about this thing, or I saw this thing on the news. And you say, well, that was the result of a journalist. Do you have a dim view of that? And they say, well, no, because I saw the story and I thought it was interesting. I thought it was, you know, relevant to me. So, if you talk about journalists in the abstract as a species or a breed, the view might be quite dim. But weirdly, the output of journalism, people don't seem to have that much of a problem with all the time. So it's weird. We, as individuals, can get castigated, but the product that we generate, a lot of people seem to find quite useful. I will say as well, there's a wide range of journalists. Obviously, I'm speaking here about some decent, legitimate, above-the-board journalists.
Perry Carpenter: Right, yeah.
Geoff White: Basically, the traditional role of journalism was we're there because you can't be, you know. The classic Pathé newsreel, you know, the Queen arrives looking radiant. You know, there's footage of the Queen arriving looking radiant because you couldn't be in Kenya watching the Queen arriving looking radiant, you know, back in the 1950s. We have Facebook Live now. You know, we have X, where people can, you know, absorb material direct from the source. That job of journalists being there because you can't be there is starting to fade away. The space I think that's opening up and the territory we've got to inhabit as journalists is investigations and analysis. No matter how good technology gets, it's going to struggle to do the kind of analysis and the kind of investigative work that journalists are good at and should be good at and getting better at. That's partly because a lot of this technology is algorithmic. And algorithms have to look at past performance in order to predict future success. So, if you give -- I mean, you know, one of the great stories of British journalism was the Thalidomide scandal, which the Sunday Times covered. Thalidomide being a drug that was given to pregnant women and caused birth defects. Now, if you'd have given an algorithm that Thalidomide story back before it had been covered as a news story, the algorithm would not have seen it as a story. It wouldn't have had any track record for that. So it probably would have skipped over it. But the journalists could see it and think, yeah, nobody's covered this. And that's a good thing. Journalists go where the news hasn't been yet. Algorithms inevitably go where it has been. And so I think the role for journalists is to keep doing those investigations and analysis and keep pushing into the things that haven't been covered, the things that are being hidden, that are being covered up, that haven't been investigated because that's where the technology won't go because the technology won't go there because it doesn't think there's anything there because there's no track record. For me, something that's got no track record is a scoop.
Perry Carpenter: Yeah.
Geoff White: For an algorithm, something that's got no track record is redundant. Anyway, that's my [inaudible 00:15:32].
Perry Carpenter: Yeah, I think that's a profound answer, which I think leads into the last question I want to ask before we pivot and talk about your current work. In the past two years since we spoke, of course, algorithms and machine learning and AI have become not only the topic du jour but the technology that's really changing the way that we view technology and interact as a society. What are your thoughts about that in the abstract? And then how has that impacted either positively or negatively the work that you're doing in cybercrime reporting?
Geoff White: Gosh, yeah, that's another big question. It's interesting. Looking at AI as a type of algorithm, which I think is quite useful, it's leading us further down a path we've already got into, which is people existing in their own echo chambers, people being given more of the information that they've already sought, people, therefore, being pushed away from types of thought and types of thinking, types of areas that they wouldn't necessarily have got into. So I think AI just sort of doubles down on that. What's been remarkable and remarkably good is the speed with which the tech community and the AI community have themselves responded to how terrifying this all is. I think that's actually quite a positive thing. I mean, when you've got AI companies themselves saying, we'd like to be regulated, that's remarkable. That did not happen, to compare the social media field, that did not happen with social media. People like Mark Zuckerberg, you know, were not saying, please, could you regulate us? We'd like that. They were fighting tooth and nail to stop that. Now, I take some of this stuff with a pinch of salt. And I have my beefs with the various AI companies. But fundamentally, there is a will, I think, in the industry to be regulated and to sort of control this stuff. And so I think that's a sort of, broadly speaking, a positive thing. In terms of how it affects my industry and how it affects journalism, we're yet to be overrun by the sort of waves of AI generated sort of fake news. But my worry is just feeds into this lack of trust, lack of faith in output. You know, I had a friend the other day I was having a coffee with. And she said she'd seen some news footage of some riots. I think it was in Turkey. And then she immediately said, but who knows, maybe it's all fake news. Maybe it's all artificially generated. And that's the worry is, you know, as the AI generation gets better, and particularly as video gets better -- You know, we innately trust video, I think, more than text because you can see it with your own eyes. But at the point where AI is able to generate more video footage, people's inability to trust what they see is going to be, I think, a big issue. There's also an interesting thing about -- You know, this is my third book coming out. So there are now three books. It's not unfeasible somebody could train an algorithm on those books and try and write a Geoff White book. But I've thought about that and thought, well, yeah, you could put together a book that sort of had my style of writing and kind of the sort of stuff that I cover. But everything in it would be complete bullshit because you would be able to generate a book in my style. But what I do is go away and find the facts and find stuff that hasn't been out there before and speak to people who haven't spoken before and then put that in the book. So you can come out with something that's in my style. But you can't come out with something that actually has my content because my content is the stuff that I go away and get exclusively. So --
Perry Carpenter: Yeah.
Geoff White: -- it's interesting. Yeah, from an AI perspective, I feel I'm slightly insured from the worst effects of this.
Perry Carpenter: Yeah. That's really good. And I think your friend that mentioned, you know, that, who knows, that could be AI video, is touching on something because with, what, 71 elections going on around the world this year and AI video hitting the tipping point around, you know, things that could be believable in a lot of ways and some of the political rhetoric, we have seen figures in politics and in the media. Anytime a bad story comes up or a bad photo that may have been taken 10-15 years ago, and in a reputable newspaper, they're now saying, oh, that's AI generated. And there's a phrase for that that's been around for a long time. It's called the liar's dividend, which means that, at some point, the people that benefit from that aren't the people that are telling the truth and bringing real things. It is the fact that a liar and somebody who's trying to get away with something can now inject enough, in the public's mind, plausible doubt that at least spins up a delay and investigation and everything else. So it's interesting times we live in.
Geoff White: Yeah. And I think that the Russian Federation is really fascinating to look at from that perspective because I think we've got used to, in the West and outside Russia, the idea that you can vaguely trust media, roughly, you know, as they're not going to completely outright lie to you. In Russia, under the USSR, people who've lived under that system knew it was rubbish. They knew that the propaganda being put out by the government was nonsense. But they were able to simultaneously, the Orwellian double-think thing, they were able to simultaneously tell themselves they believed it but understand that it was nonsense. So living in that system, where a situation where you don't quite know what's going on, where you don't know whether to trust the information, but you just have to get on with it, is something that people who've grown up in the USSR are much better at doing than we are. And so I suspect that's why Russia's playing of that information, that propaganda game, is so shrewd and so effective, has been put so effective, is because they've just grown up in that situation. You know, for decades there was that information environment to grow up in.
Perry Carpenter: Yeah. That's really interesting. All right, so I've taken up enough time on catch up. Tell us what you've been working on right now and like, you know, how did you get into the topic? when does the book come out? and some of the interesting facets that you're really hoping to tease so that people are kind of ready to get engaged with the material.
Geoff White: Yeah, yeah, fair enough. I mean, what's interesting is through covering the North Korean cyber activity, and particularly around "The Lazarus Heist," these big bank heists, and also the big crypto attacks, I realized increasingly that actually the interesting bit for me was the money laundering bit, was how they actually got away with the money. I don't want to do down the sort of cybersecurity element of this, but frankly, the hacking piece, you send enough phishing emails to somebody, they click on the email. Look, if you're into malware and malware analysis, all that stuff is fascinating. But fundamentally, they send the email. They get into the systems. That's it. The next thing is, well, okay, we've got our hands on the money as computer hackers. What do we do with it?
Perry Carpenter: After the break, the conclusion of our interview with Geoff White. [ Music ] Welcome back.
Geoff White: I think when I first started out covering cybercrime all those years ago, I had this idea that computer hackers were sort of omnipotent, godlike creatures who, with a few lines of code, could hack into a bank account and then move the money around, and then it will all be gone. Over time, I've realized I don't think that's actually the case. I think computer hackers are very good at breaking into places. That's absolutely true. But once they're in, their ability to kind of work out what to do with the money and how to move it and how to hide it, wash it, and so on, that's another group of people. They're not computer hackers. They are tech savvy. They understand how to create bank accounts. They understand how to whiz money around the world. They understand how to use crypto exchanges. They understand how to use ATMs to launder money. It's a whole set of skills. But it's not hacking skills. It's financial crime skills. So what I'm interested in now is where those two things come together, the sort of financial high-tech criminals who enable the computer hackers to get away with the money. And so that's what sort of led me to the money laundering space. And what's interesting is, of course, they're not just laundering money for computer hackers and cybercriminals. They are also laundering money for cartel drug dealers and people traffickers and fraudsters of all types. So, you know, the money laundering sort of drain through which all this money pours takes the money from all these different places. And it's really the glue that holds everything together. You know, if you can't launder the money, if you can't get away with the money, you don't do the crime. You know, there's a sort of a ceiling to how much crime you can do if you can't pull the money out. Again, I was reading, just going back to the North Korean example now, there's been a bit of a slowdown in North Korean cyber activity. And one of the theories behind that is that over the last few years, there's been a glut of alleged North Korean hacking of crypto. And they've now got a glut of money that they've got to move, to wash. And there's no point stealing more crypto if the channels through which you're washing your existing stolen crypto are clogged up. You've got to clear the channels in order to do more of the crime. And so, if that theory is true, and I think it probably holds a bit of water, it absolutely proves this point. Unless you can launder the money, unless you've got clear channels to wash the money through, you stop doing the crime because you're clogged up. There's a sort of a intestinal analogy. I'm sort of vomiting. You know what I mean? But, so that's -- Anyway, so that's what I got interested in. And so the whole book, "Rinse," this next book, which is going to be out on June 13th, is all about that: how technology is enabling the money laundering piece, basically.
Perry Carpenter: Okay. So, within that, what -- what really interesting, you know, factoids are relatable in a podcast form versus, you know, maybe what somebody needs to read and process a little bit more intentionally to understand? Like, what are some of the sexy bits you can tell us about?
Geoff White: Yeah, well, it's interesting. The -- I've been looking at how to communicate this to the public's general readership. Money laundering is difficult. It's a difficult subject. But it's difficult in the same way cybercrime is. I think there's a hunger for people to know. But -- but it's tough stuff and it can be quite tense -- technical and quite complex and quite dense. And the other problem with money laundering is a lot of the time when you hear the headlines, you know, bank X has been fined a huge amount for money laundering. But when you actually read the coverage, they talk about compliance failures. And they talk about the bank not taking the right measures. And you think, well, so what was the money being laundered? You know, you're talking about them having laundered money, but laundered money from whom? And so a lot of the kind of money laundering coverage ends up being quite impenetrable. So what I wanted to do was basically start with the crimes, follow each of the crimes along, and then show how the money got laundered afterwards. One of the things I tried to do to make this understandable for the public is go through the sort of basic steps of money laundering. Which classically, people in financial crime know all about this. And you've got placement, layering, and integration. Placement is getting your money into the financial system. Layering is moving it around, so you sort of break the connection between the money and the crime. And integration is effectively pulling it out, spending it on something juicy that you can enjoy like a yacht or, you know, fancy apartment or a Lamborghini or something like that. So try to sort of use that kind of triple breakdown. What's interesting about that is that first stage, placement, goes back to the sort of cocaine cowboy's era of the 1980s and probably the late 1970s as well. So drug dealers out in the street making huge amounts of cash, you know, $5 bills, $10 bills. Somehow, you've got to get that into the bank. So that's where you set up, you know, your restaurant or your car wash or whatever. So you've got an excuse why you're handling so much cash. What's interesting is now that all the money started digitizing, increasingly digital financial economy, that placement stage has actually got easier because you don't need to sort of get banknotes into a bank. The money is already in the bank, or it's in a crypto exchange, or it's in some virtual asset. So that first stage has got a lot easier. What's got harder is the second two stages. Layering, as in moving the money around to break the connection to the crime. In the digital era, that's quite difficult to do because there's always a link back to, you know, you can always trace back the paper trail. And the last stage of integration, again, using your stolen money now that it's clean to buy things. Well, again, digitally, there's often a trail. So those two latter stages, the layering and integration stages, are the key ones. That's what I'm trying to concentrate -- concentrate on in the book.
Perry Carpenter: Yeah. So, for people that pick that up, I guess I have two questions there. Is do you have an intended audience in mind? And then is there something that you're hoping that they will do or think differently after they put it down?
Geoff White: Yeah. So what I'm trying to do with this book is bring together the sort of cybercrime-cybersecurity audience that I'm often talking to but also bring in the financial crime audience and the crypto audience.
Perry Carpenter: Yeah.
Geoff White: I found it very strange. I started attending, obviously, a lot of financial crime conferences as part of this. And it was interesting because when I go to a cybersecurity conference, I know a lot of the company names and know a lot of the people there. I'd go to these financial crime conferences, completely different set of people of companies. But when they started talking, I thought, oh, well, you're just covering the other side of this. You know, cybersecurity often covers the hackers getting in, the hackers working inside the institution. The financial crime community are covering what happens afterwards when the money escapes and money gets away. And I just thought these are two sides of the same coin. So what I'm hopeful is that cybersecurity and cybercrime people will read the book and understand the financial crime industry that's working on this, the financial crime side of it. Conversely, what I'm hoping is financial crime people will read it and understand the sort of cybercrime side. And eventually, we can kind of bring those two sort of communities together. The crypto community has a massive part in this. Crypto is being used, you know, daily as well, we know, for laundering money and is also, crypto is being stolen itself. So it's both a crime scene and a laundering scene, the crypto scene. So, again, I'm hoping they can kind of get some insights from the book. Yeah. And also, look, anyone who's read my books or listened to the podcast and so on, there's always a fun, there's always a tale, there's always a boy's own adventure to it. So I'm hoping that even if people aren't interested in any of these areas, the sort of incredible criminal heists and crimes that go on are going to be of interest to people and keep them hooked, hopefully.
Perry Carpenter: Yeah. I do want to ask you about the -- some of the story and the narrative in a second. But I guess before that, since you mentioned going to these different conferences and getting plugged into different communities, it is interesting because when you go into the fraud detection and prevention world, it is like cybersecurity but with a different syntax to it.
Geoff White: Yeah.
Perry Carpenter: And a lot of the technologies you can see map across to each other. A lot of the things around fraud prevention, detection, response seem to have arisen like way before many of the comparable technologies in the cybersecurity world and have gotten very, very mature. Were you exposed to, or did you see any interesting technologies that you think may be foreshadowing technologies that may become everyday pieces of the way that we look at cybersecurity in the future?
Geoff White: It's a good question. Yeah. And I think your point is well made that, you know, that the fraud detection people have been on at this challenge for a while. And they've faced a similar challenge to a lot of what the cybersecurity industry has faced, which is huge amounts of data trying to find the signal in the noise and that not being possible, you know, at a human level. You have to have some automated tool in that. And the sort of attendant risks of too many false positives, too many false negatives, et cetera. So they've been looking at that. And frankly, this is one of the areas where artificial intelligence is going to be of real help and is going to be -- and is already being of real help, actually. You know, it's almost tailor made for these kinds of challenges where you've got huge swathes of data. And you've got to spot the anomaly in it. And so when I talk to people about AI and they talk about AI and crime and AI and cybercrime, at the moment, what I say to people is I feel like the defenders have actually got a better handle on this than the attackers. I don't see huge evidence of criminal groups ramping up their AI capability. Yes, they'll use ChatGPT to craft phishing emails. And they might use ChatGPT to sort of, or they'll try, ChatGPT has tried to stop that, obviously, they'll try and use these tools to try and improve their malware writing and so on. But, you know, the idea that this is being done at scale, I don't see that at the moment. On the defender side, both on the sort of cybersecurity side and the financial crime side, there is massive use of artificial intelligence to try and prevent attacks, prevent malware, to try and spot suspicious transactions, and so on. How long that's going to remain the case, I don't know. And what I would say also is as an attacker, do I need to invent my own AI to get around your AI? No. I just need to know the parameters your artificial intelligence system is working to. So if I discover that you are -- that you find a transaction above a certain limit suspicious, I just put my transaction through for slightly below that limit. You know, it's the classic thing where I don't need to invent a sort of anti-antivirus product. I just need to know what your antivirus product detects so that I can get around it. That's the -- Yeah.
Perry Carpenter: Yeah, yeah. That's -- that's very insightful because, at that point, it is just the human side of understanding how to harness the technology and understand the thresholds and the limits and the ways that those are set up. So that makes a lot of sense. Is there a really interesting story within the book that really jumps out to you as like one of your favorite cyber heists that you've covered?
Geoff White: Yes. But before I come on to that, I should say that, for fans of "The Lazarus Heist," they may remember the two intriguing characters, Big Boss and Hushpuppi. Hushpuppi turned out to be an Instagram influencer living in Dubai who ended up, possibly not knowing, certainly not knowing at the beginning, certainly knew by the end, that he was laundering money for the North Korean Government apparently. He's now doing 11 years in prison in the US for that. There is much more detail in the book about those characters. Managed to find out a lot more about them. And the story behind it is just, it gets even weirder and more bizarre and fascinating. But the one that really interests me was, again, it's a North Korean hack. It's the hack of Axie Infinity back in 2022, which is a video game based in Vietnam. And I'll be honest. I'm not a massive gamer. This game hadn't really crossed my radar very much. But it was hugely -- it was hugely successful because it was during sort of lockdown. So people had lost their jobs. They didn't have a lot to do. But the idea of this game was that it wasn't just a game where you would pay and download the game and play the game. The game had an in-game economy that was all based on crypto. So the premise of Axie Infinity is you're wrestling these Axies, which are based on the axolotl salamander. You have these little characters, and you wrestle them. It's a bit like -- it's a bit like those Tamagotchi things, you know, the little --
Perry Carpenter: Yeah.
Geoff White: It's like that crossed with WWF wrestling. So you're wrestling them, but you're also taking care of them. And so you would buy your Axies in the game. And then when they got successful, you could sell them. You could buy the land that the game was based on. Everything in the game was sort of for sale. And so it created this whole in-game industry. And people in Southeast Asia were actually apparently making enough money in some cases to give up their jobs because they were playing this game and actually trading the assets around the game, all of which was done by crypto. So this game became, kind of unknown to most people, hugely, hugely profitable. North Korea's hackers were accused of breaking in in 2022 and stealing $625 million worth of cryptocurrency. Now, my belief is that that's actually one of the biggest thefts of all time, which is quite a bold statement to make. But if you think about it, I mean, $625 million. I've been looking around for other crimes that compare to that. I mean, the Great Train Robbery, nowhere near. Brink's Map, nowhere near. The Isabella Stewart Gardner Heist, there was a museum art gallery that was robbed for various artworks. That was $500 million. So that's not even quite there. So $625 million, I really think, could be a contender for the biggest theft of all time. And even if it isn't, it's the quickest because they managed to get the money out in one minute 55 seconds --
Perry Carpenter: Oh, my gosh.
Geoff White: -- which is how long it takes to transfer $625 million worth of crypto because, of course, you just, you know, the transaction goes through.
Perry Carpenter: Yeah.
Geoff White: So certainly, I really -- it dismays me still that this isn't in the record books for the fastest crime of all time. But then what's interesting, what happens next, of course, put yourself in the criminal's position, you've now got $625 million worth of crypto that you've got to launder. And to go back to our early conversation, you don't do that unless you can put it somewhere, wash it somewhere.
Perry Carpenter: Right.
Geoff White: So they go to a thing called Tornado Cash, which is a crypto mixer. So you put your crypto in. The software mixes it with everybody else's crypto and then ejects your crypto back out to you at a fresh address. So the idea is, you know, you can't see what's going on. And look, there's actually legitimate reasons why you might want to use that. If you want to make an anonymous donation to Ukraine, for example, you know, you might want to use one of those services so that you can't be tracked with your transaction. But the North Koreans went to Tornado Cash. And they pumped through, I think it was about $488 million worth of what they stole, they pumped through Tornado Cash successfully. This money is now gone. It's just, you know, disappeared. What's interesting is the US Government obviously cottoned on to this, very quickly accused North Korea, tracked the money, of course, successfully to Tornado Cash but then realized, well, the money's gone. We can't seize the money. Well, how about we go after the people who run Tornado Cash? What's interesting about this Tornado Cash service is it's a DAO, a decentralized autonomous organization, which basically is a sort of online entity that is self-governing. Anybody who uses it and interacts with it gets a vote on how it's used. And the owners of this service effectively burned their passwords, destroyed their passwords. They don't control it anymore. They've handed it over to the users.
Perry Carpenter: Wow.
Geoff White: So the idea is nobody is in charge. It's a, you know, as the name suggests, decentralized and autonomous thing. So the US Government decides, well, we can't necessarily convict the people behind this. So what we're going to do is sanction it. We're going to put sanctions on this mixer, which doesn't shut it down. But it means that anyone interacting with this is now persona non grata. In the US, if you're caught using Tornado Cash, you're committing an offense because you're using a sanctions-dodging tool. Now, the crypto community didn't react to that was really interesting because they said, well, hang on. This is a piece of software. Yes, it's been abused. But if somebody gets stabbed with a knife, you don't generally prosecute the person who made the knife. You prosecute the person who did the stabbing. You can't sanction the piece of software because the software isn't to blame. So this has kicked off a whole sort of freedom of speech debate around crypto, around the US Government trying to sanction these kind of things and crack down on them. Meanwhile, by the way, the US Government has prosecuted the people in charge of this Tornado Cash. They don't buy this decentralized nonsense at all. It's like, you guys are in charge of it. So there's two guys have been charged in the US, another guy charged in Holland. But meanwhile, there's this whole freedom of speech debate going on in the crypto community to say, look, we know this was abused. We know it laundered money, but it wasn't built for that. And it's -- you can't sanction the code. You can't shut us down. It gets to the heart of this thing that the crypto community, for them, freedom of speech, in this case, freedom of speech trumps the fight against money laundering. You know, they are prepared that money will be laundered by North Korea, a potential nuclear power. They will wear that because if that means services like Tornado Cash can exist for privacy and for freedom of speech, that's an okay deal with them. I'm paraphrasing. But that's, broadly speaking, how it comes [inaudible 00:38:03]. So fascinating debate, really fascinating debate. Yeah. And all comes about because of salamanders in a video game. It's just bizarre.
Perry Carpenter: Wow. Yeah. I mean, those privacy, freedom of speech, extreme examples like that are always like really, really difficult to parse out like what the right answer for things are. Like your example of the legitimacy of services like that for people that need to give anonymously or people that need to be a whistleblower in certain circumstances for total privacy and the way that you communicate with people, is that something that you have thought deeply about as a journalist and that you may, you know, where you do have confidential sources? Like, do you see lines in where privacy should begin and end? Or do you -- do you have some moral complexity about that?
Geoff White: It's difficult. And actually, the Tornado Cash DAO Privacy Preserving Mixer argument thing is an interesting one because it's simply actually another iteration of something we've been wrestling with for quite a long time. You know, the encryption debate is actually another example of this, where technology has got to the point now where it allows really strong privacy-preserving tools. Actually, I mean, this goes back to the PGP debate from the, you know, the Cypherpunks from years ago. It's a rerun of that debate of, well, look, we have the technology and the tools now to give everybody good privacy. But then, at that stage, you give it to everybody, whether it's people trying to preserve their privacy or people trying to commit crime. The government then obviously weighs in and tries in a usually fairly heavy-handed way to sort of police this and crack down on this.
Perry Carpenter: Yeah.
Geoff White: And that's the debate we've seen again around encryption of apps like WhatsApp in the UK. What does get to me is that whenever that's debated, certainly in the UK, and I'm sure it's the same in other countries as well, the politicians who come out in favor of some kind of solution, they don't know what the solution is, but they want some kind of solution that allows them to effectively penetrate this privacy-securing technology. The example they always go to is pedophiles. They just -- It's like, well, pedophiles can hide in here. And it's a -- and I understand that is a threat and a risk, but it's basically dog-whistle politics. It's basically going to the worst possible example. And what you're trying to subtly argue is, well, if you support privacy-preserving technology, you like pedophiles. And you, you know -- It's a really sledgehammer way of doing this. And it doesn't do anyone any favors. In terms of how it works with journalism, it's interesting in that privacy-preserving technology and encryption are things that are extremely useful for us as journalists. And yet, I also cover instances in which, like the Tornado Cash example I pointed out, privacy-preserving technology creates hideous consequences. I mean, North Korea is now half a billion dollars better off, thanks to Tornado Cash. That's the inescapable outcome of this. So, yeah, I'd love to tell you that I have an easy solution to this. So I, you know, I vacillate back and forth, as I suppose most people do.
Perry Carpenter: Yeah, yeah. Absolutely. Is there anything else that you want to tease out about the book that you want to make sure people are thinking about as they decide whether they want to make a purchase decision?
Geoff White: [Laughing] Make the purchase.
Perry Carpenter: Invest a few hours in reading?
Geoff White: Yeah, absolutely. One of the interesting things is the crime that I would broadly speak of as being cyber-enabled as opposed to cybercrime -- So, in the book, there's lots of stuff about ransomware. You know, we cover the Conti leaks and so on. But there's this whole sort of contingent sort of area, this kind of fringe area around the edges in terms of fraud, which is cyber-enabled fraud. And one of the groups that I look into is a group called the Black Axe, who are behind quite a lot of the romance fraud type stuff that goes on, you know, seducing people on dating apps and then tricking them into giving over their money. Also, the business email compromise fraud that goes on where an organization will get an email from its supplier saying, hey, we've changed our bank account. Please pay our new bank account. And actually, the email comes from the fraudster. So these are -- these are fairly basic frauds, you know, tricking people into doing something they wouldn't normally do, tricking people into making a payment. But now, that has massively shifted into the sort of cyber realm. And what's, again, interesting about that is you've got a huge money laundering problem. As soon as those people pay up, as soon as the businesses pay up, as soon as the romance fraud victims pay up, you've got a problem. Where are you going to put that money? How are you going to do that? And again, those high-tech laundering networks that also launder money for cybercriminals, they're increasingly looking at those fraud networks as well. So I have this idea. Do you know, out in the, I think it's the Pacific Ocean, there's this huge mess of ocean-going rubbish. There's just this massive circling spiral of [inaudible 00:42:34]. And every time, you know, you flush away, you know, your Q-tips or whatever, it joins that huge spiral. I have this sense that somewhere out in the internet, in the crypto space somewhere, there's this huge spiraling island of just horrible, ill-gotten money. And that's what I've tried to tap into in the book is, who is actually running that island? And who is pulling the money in and out of that? Because it feels to me like a lot of this stuff is connected. People who are laundering money for allegedly North Korea, allegedly for the romance fraudsters, for the business email compromise people, the money is filtering into the same drain. And I think that's why this is a really interesting territory to look into.
Perry Carpenter: Do you see a future podcast coming where you're going to be covering a lot of this?
Geoff White: I would like to, yes. The thing with the podcast that's slightly different to a book is, in a book, you can go quite wide-ranging.
Perry Carpenter: Yeah.
Geoff White: So, in this book, I've talked about lots of different types of crimes. As I say, there's cartel drug dealing, there's child sexual abuse, there's the fraud I've talked about, the romance fraud, there's the North Korean hacking. So I've talked about lots of different things. For a podcast, you need to sort of concentrate on one thing, one trajectory. I have got a couple of ideas I'm working on, which I can't talk about right now. But you need that sort of one story, that kind of one thing, which is what we got with the Lazarus Group. You're following one gang along, and that's sort of the way to do it. So, yes, I think there's a podcast in it. But the book is helpful because it covers the territory in a different way.
Perry Carpenter: All right. Any last thoughts for folks who are listening? Any interesting things on the horizon that you want people to know about what you're working on?
Geoff White: We are working on a piece of AI technology around the book, which I probably can't -- I shouldn't talk about publicly now. But if it does happen, it's going to be really, really cool. So what I'm hoping is there's a way where, as a journalist, rather than just my work being hoovered up by some horrible company and used to train their AI, somehow I can use AI to make a thing for my book that's going to be really cool. But watch this space because if I get it -- if I get it to work, it's going to be great. [Laughs]
Perry Carpenter: And if you're wondering, Geoff was able to get that to work. That new AI tool is called Rinsed GPT, and you can get to it at rinsedgpt.com. It's a generative AI model trained on the content of "Rinsed," the book. You can ask it questions, and it will give you answers, summarizing content within the book. And speaking of the book "Rinsed," it comes out on audiobook and Kindle on June 13th. That's just about a week after this episode publishes. And the hardback releases August 13th. And with that, thanks so much for listening, and thank you to my guest, Geoff White. I've loaded up the show notes with more information about Geoff, his books, his podcasts, and a few other tidbits. If you haven't yet, please go ahead and subscribe or follow wherever you like to get your podcasts. Oh, and I'd also love it if you tell someone else about the show. That does really help us grow. If you want to connect with me, feel free to do so. You'll find my contact information at the very bottom of the show notes for this episode. The "8th Layer Insights" branding was designed by Chris Machowski at ransomwear.net, that's W-E-A-R, and Mia Rune at miarune.com. The "8th Layer Insights" theme song was composed and performed by Marcos Moscat. Until next time, I'm Perry Carpenter, signing off.
