This story isn’t quite as dramatic as if the Feds had managed to reverse tens of thousands of separate Bitcoin (BTC) transactions used in a global online scam to defraud tens of thousands of separate and vulnerable victims…
…but it’s spectacular nevertheless, given that the stolen-but-recovered amount came to BTC 3,879.16, which worked out as a remarkable $189,568,730.46 at the rate quoted this afternoon by one online source. (Rates subject to change; transaction fees may apply; your mileage may vary.)
The victim in this case was the Sony Life Insurance Company Limited (yes, that Sony), which was allegedly defrauded of this enormous sum in an audacious internal scam that was apparently pulled off by a single employee.
The US Department of Justice claims that a certain Mr Rei Ishii conducted a classic “send funds to a different account” scam.
That’s the same sort of thing that external cybercriminals try to pull off by hacking into one or more company email accounts in an attack known as Business Email Compromise (BEC).
By keeping their eyes on insider emails – the crooks try really hard to crack high-ranking accounts such as the CEO’s or the CFO’s, which is why BEC is often referred to as CEO fraud – and picking the right moment to intervene with instructions to change payment details…
…these criminals often get away with hundreds of thousands of dollars, or even millions of dollars, conducting what is more of a social engineering confidence trick than a typical cybersecurity breach.
Higher and higher
In some cases, the amounts are significantly higher: an infamously extreme case was the so-called Bangladesh Bank Robbery (the BBR wasn’t technically a robbery at all, because there was no physical violence, no stick-up, and no giant bag of cash involved) back in 2016.
Crooks apparently managed to kick off bogus transactions totalling over $1 billion, and to get away with just over $100 million, although $850 million was never transferred, supposedly due to a spelling mistake made by the fraudsters during the process.
(Perhaps overwhelmed or overexcited by the prospect of getting their hands on all those lovely funds, and thinking of how much fun they were going to have with the proceeds, the crooks managed to type FUND-ation instead of FOUND-ation, which raised the alarm.)
As you can imagine, if that’s what outsiders can do with access to company email flows (although the BBR cyberheist may have involved insider assistance), just think what a determined insider might be able to pull off, given enough time to prepare, combined with a sufficiently reckless approach.
Allegedly, Ishii was that sort of risk-taker, diverting $154 million that was supposed to be moved around inside the corporation into an account he’d set up in California.
According to the FBI, he then started what you might call his cash-out procedure by converting the funds into the aforementioned stash of Bitcoins.
But cashing out that much cryptocurrency into regular funds is not as easy or as speedy as you might think, and a multi-department, multi-country law enforcement intervention quickly kicked in.
Ishii, who has already been arrested and charged in Japan, was investigated by a group including at least the FBI, Sony, Citibank, Japan’s National Police Agency, the Tokyo Metropolitan Police Department, Tokyo District Public Prosecutors Office, and the Japan Prosecutors’ Unit on Emerging Crimes (JPEC).
This led to the recovery of the private encryption key needed to “own” and transfer the stolen cryptocurrency, and the announcement of a lawsuit in the US to ensure that the funds get formally frozen until they can be returned to Sony, the rightful owner.
What happened?
How the password or passwords for the Bitcoin wallet or wallets were recovered, we don’t know.
Ishii may simply have decided to confess in the hope of more lenient treatment, or the cryptographic keys may have been recovered following careful forensic analysis of the data and devices available to the investigators, or…
…he may have used his cat’s name as a password.
All we know at this point is what we don’t yet know, with the DOJ concluding by saying:
The FBI continues to investigate the alleged crime.
Still, close to BTC 4000 stolen-and-recovered is a pretty good result already!
LEARN MORE ABOUT BUSINESS EMAIL COMPROMISE
AND HOW TO AVOID IT
Watch directly on YouTube if video won’t play here.
Use the cog icon to speed up playback or turn on subtitles
Anon
“…a spelling mistake made by the fraudsters during the pricess.” – Lol, I see what you did there!
Paul Ducklin
Glad you liked the joke! (I wish it were a joke… now fixed, thanks!)
Fred Higgins
What irony! Doesn’t Sophos have a spell checker?
“supposedly due to a spelling mistake made by the fraudsters during the pricess.”
Paul Ducklin
I suppose it’s an irony of sorts, though the typo in this case didn’t result in an attack (or a defence) failing, as in the crooks’ blunder…
…but I’ve fixed it now, thanks!
Larry Marks
“… the so-called Bangladesh Bank Robbery (the BRR…”
Should be BBR, as it is in the second instance.
Paul Ducklin
Ha. I looked at that N times and thought it looked weird, but couldn’t figure out what it was. Self-proofreading… it’s harder than you think because you know what it’s supposed to look like (so that’s what you end up seeing).
Ralph Hartwell
When you proofread your own writing, always read it to yourself out loud. You’d be surprised at the errors you catch that way.
Paul Ducklin
Reading it backwards (so it doesn’t make sense) is one suggestion I’ve tried. It sort of works, but you have to resist seeing and reading whole sentences at a time.
Colin Cohen
Is the crypto worth a whole lot more now than when it was stolen from Sony? Who profits?
Paul Ducklin
BTC price in May 2021 ranged between $34,000 and $59,000, and since then has swung betweem $30,000 and $68,000.
If the heist was of $154m and BTC3900 came out of it, that implies a price of about $40,000 at the time. Today it’s about $50,000. Who gets the profit or pays for the loss, if any, when the case finally finishes and the BTC go back to where they belong?
No idea. Any US lawyers able to advise?
John Knops
There is the 1970’s story of the four [REDACTED] [employees] who made off with about 150 million pounds of questionable commissions. Rather than stand trial they disappeared to south of France. The authorities tried and tried to get them to stand trial in England but with no extradition treaty for that sort of crime it didn’t happen. Ten years or so later, they showed up at the airport, were promptly arrested and within days wrote a cheque for the 150 million amount of the alleged theft. Restitution was made and they lived happily ever after. Ten years at, say 10% investment income (which was easy in the 1970’s), means they more than doubled the money. They got their 150 million, and no convicted, permanent criminal record and [REDACTED] got their money. At the time the law required restitution of the loss, no interest was payable.
I wonder if that was also Ishii’s plan.
Young taxpayer
It’s expensive to have so many government employees working on this. Given a 30 trillion dollar public debt in the US and a big overhang on the future of younger taxpayers, I hope Sony was willing to pay a few percent “commission”, “finders fee” or “reward” to help offset these costs.
Of course everybody thinks it’s Ok for governments to just print more money and let inflation eat away our standard of living. Sigh.
Paul Ducklin
Well, at least this incident gave Young Taxpayers something to complain about :-)
Amusingly, perhaps, the Young Taxpayers of 20 years ago, who were already familiar and comfortable with the internet, used to complain that The Government, notably law enforcement and the court system, was inept and incompetent in dealing with internet crime such as computer viruses, banking malware, spam, online fraud and so on. “They’re just uselessly far behind in knowing anything about the internet,” you’d hear all the time. “The crooks do what they want, but no one ever gets busted. Is that what we pay our taxes for?”
Of course, that attitude changed when Edward Snowden’s revelations stunned the world. Young Taxpayers (those with a social conscience, anyway) were shocked to find that The Government was quietly way more competent than they had ever suspected. “Is that what we pay our taxes for?”
Now, apparently, because The Government, notably law enforcement and the court system, seems to be getting better at investigating, charging and prosecuting cybercriminals who might previously have gone undiscovered, “They’re trying too hard, which is costing lots of money. Is that what we pay our taxes for?”
I think the only enduring truth here, whether you approve of the answer in each case or not, is that the answer is, in each case, “Yes.”
(Ironically, if Sony were to donate a percentage of the BTC stash to all the government departments in the US, Japan and elsewhere that helped in this case, I wonder what those countries’ bribery-and-corruption departments might think of that? Is that even possible without looking inappopriate, no matter how well-intentioned the “gift” might be? Any lawyers out there with public sector expertise?)
Bryan
I wish the upvote / downvote buttons were still here… this insightful comment warrants a skyward thumb or two. In fact, it contains several statements each deserving of its own “ah good point” nod.
Bryan
Hah, never mind… the buttons are back.
Apparently I’m now someone’s grandfather, my technical expertise limited to microwaving my Metamucil and then wondering why the clock keeps flashing 12:00…
:,/
Paul Ducklin
I use (Firefox INCLUSIVEOR Edge) with Tracking Prevention turned on in both. This suppresses the up/down thumbs, at least for me, presumably because they are scripty things that come from another site (albeit another service from the same company that runs WordPress.com VIP). The comments appear as expected but the voting buttons are very neatly missing. By ‘neatly’ I mean that the layout still looks right and the other general functionality of the page is unaffected.
If you make this site an exception then the thumbs will reappear, though if you autoclear history on exit the safer behaviour will reassert itself next time you start the browser. (I assume that this is down to autoclear on exit – haven’t tried it without.)
Bryan
I use Brave with “Shields” ostensibly performing a similar function. While I should recall if switching to Brave originally prompted me to “report broken site” to the Brave developers, it’s been a while. Apparently at some point Naked Security and the Naked Thumbs were added to a whitelist or similar.
Wondering yesterday (Monday?) if a change in Shields had something to do with the missing scores, I tested by briefly disabling Shields–revealing no thumbs–so I assumed that by design the ratings had followed comment notification into oblivion for one reason or another.
I made no such attempt today to find them and commented without refreshing.
Ergo my Chicken Little post.
Maybe there was a glitch in the Matrix.
Pretty certain I saw Puffy, the oBSD mascot outside my office–twice.
Paul Ducklin
One mascot twice, or two mascots once each?
Bryan
It may even have been 2/3 of a mascot thrice… been a long week.