UnIntelligence, Ep. 15: The TD Bank Scandal

UnIntelligence, Episode 15, the TD Bank Scandal and Money Laundering 101 (Jan. 2, 2025)

Link to The UnIntelligence Network and this episode on YouTube: https://www.youtube.com/watch?v=fbSSSIU_KGM&t=6s.

Also available on Spotify, Apple, Podbean, Audible/Amazon Music, iHeart Radio, Podchaser, Tumblr, and LinkedIn.

Episode Transcript

DH

Welcome back to UnIntelligence, episode 15 with my new co-host, Matthew Hedger. If you follow the UnIntelligence journey, you'll know that Ryan Rambo has started a new venture with mutual friends over at IXN and we wish him all the best. They've got their own podcast called the CI Press. Check it out for more interesting conversations on the topic.

The topic du jour is the TD Bank laundering scandal, and Matthew and I are going to dissect that today. But first, let's get an idea for what it is we're talking about. Money laundering in a nutshell.

 

Clip from Narcos:

“Money makes the world go round. Legal or illegal? Good guys and bad guys. We all chase money for the DEA. It's about budget meetings and kissing the right ass to keep the funding flowing. But if you're a trafficker, getting the money is easy. It's holding on to it. It's heart strings. Everything around me to you. The money. I grew up going to crime in the early days. Cash was flown back to Colombia on the same planes that carried cocaine to the States. Then it was converted into pesos. Or if you were Pablo Escobar, stuck in a hole somewhere.

One trafficker died with so much cash buried on his property. When it rained, the river downstream became clogged with bills that it washed free. The biggest problem with illegal money is the trail that it leaves. Once upon a time, American banks would take your money. No questions asked. That changed when President Nixon signed the Bank Secrecy Act, requiring all U.S. banks to report transactions involving more than $10,000 in cash.

And from that law, money laundering was born. It's the 21st stage of money laundering is called placement. Well, Kelly had it down to an art bringing workers from the colonies to the U.S., where their job was to buy money orders, each just under ten grand so they wouldn't be reported. No idea was required, and the orders could even remain blank until they were deposited or cashed.

Once they bought a bunch of money orders, they packed them up and sent them south to a land of sunshine. Lax oversight. Switzerland on the Caribbean. Panama. Since they didn't regulate wire transfers, Panama was the perfect place for the second stage of money laundering. Layering. And here's where the master goes to work. The behind-the-scenes MVP of any drug cartel is the money launderer.

The guy that takes the dirty money and scrubs it clean. Here's how the money orders were deposited into local bank accounts and then bounced through shell companies and limited partnerships, creating an untraceable web of foreign purchase orders and transaction reports. Wiping clean the money's criminal origins. But no matter how well you hide it, money always leaves a trail.

 

DH

Matthew. Welcome to the studio, brother.

MH

Thanks for having me. It's good to be on this side of the table with you.

DH

We've got a lot queued up to run through, and you're the expert, so I'll be picking your brain. Man, I can't wait to hear your thoughts on this TD Bank scandal. It's kind of a big deal. This is the kind of insider threat case that has strategic impacts. Not the standard misconduct case that kind of swamps corporate investigations departments, right? This one resulted in billions in losses and fines and in lawsuits, and allegedly involved seniors in the company who were able to plant people in really specific positions to help keep the scandal from being caught.

 

MH

That's right. It's a really good example of what going very badly looks like for a company.

 

DH

Badly, yeah. I think they took the Joe Pesci version a little too far of what money laundering is.

 

From Lethal Weapon 2:

“Okay. Thank you. All right. Yeah. I'm okay. Where were you, man? … Like, What did you see? Did you witness a murder or something? What? No, nothing like that on. Okay, okay, okay. All I did was I launder a half $1 billion in drug money. Okay?”

 

DH

You know, Matthew, as a business matter, somebody at the top of TD Bank is just looking at this, they're shaking their head. How could the head of the financial intelligence unit allegedly be involved in this with nobody detecting it? The regulatory agencies obviously require some form of monitoring to figure out, you know, are people doing the right thing inside the bank? And also, allegedly, there were a couple other well-placed insiders placed throughout the company in positions where they could kind of steer those sorts of continuous monitoring things away. What's your take?

 

MH

Absolutely. The Colombian drug trafficking organization that was referenced here clearly knew what they were doing. If you look at that clip with Pedro [Pascal, portraying the late DEA Special Agent Pena], they recruited somebody different to do each step, very detailed. And they picked exactly the right person at each level, at a local branch, at the higher ups that could facilitate that, just like you mentioned, including the head of the financial intelligence unit.

 

DH

And when the person who's supposed to oversee your system of catching this stuff is complicit with it, it becomes quite simple to get away with it at that point. I’m looking at the case, and apparently the Department of Justice is saying that there are criminal investigations into individuals at just about every level of the company. That's a thorough compromise.

 

MH

That's right. I know that there was somebody at a local branch in Florida that’s recently been named, they were responsible for doling out debit cards to the different cartel members. There was somebody up in New Jersey, I believe that's also been named at this point, who was actually setting up the accounts separately and then, of course, several people, I believe, in their Counter Fraud Office, who were supposed to catch this.

And there was a separate bank as well, a separate branch where somebody was taking in the bulk cash for them, which we can get into in a minute - what that is and why that's so difficult. But this person was caught doing it up to $1 million a day in bulk cash. You know, you're only supposed to be able to bring $10,000 in cash into a bank without a currency transaction report associated with it.

And, obviously, those weren't getting made when the person who's supposed to file the report is complicit. That's what was happening. That's how they got around that restriction. The person who's supposed to notify the U.S government that there's illicit activity going on was the one depositing the cash at the bank on behalf of the cartel.

 

DH

Gotcha. Okay. I came to a conclusion maybe two years ago now, on the commercial side, this was already pretty prevalent inside of the DoD side. But on the commercial side, that if you're a company that's kind of pushing the innovation window as a prime mover or you're coming out with new technologies, you end up being a target of everybody else who's in your competitive space legitimately on the business intelligence side, but then illegitimately, of course, through all kinds of threat actors out there by category, call it organized crime, state sponsored, non-state actors, does that make sense?

All the proxies out there. And then state sponsored actors that are part of state run universities and things like that. So apart from all of that, all this is happening. But when your company should be a target of all of those, and you're not seeing any kind of risk indicators popping up in your cyber perimeter or your human perimeter with reporting, etc., or even in your business processes, with supply chain, with third party risk.

If you're not seeing risk indicators and you should be, you might be compromised. That came crystal clear in a couple cases that I worked over the last few years, but also through one of my colleagues at a big innovation company here in the US that was seeing some of their trade secrets appear on the market, and they couldn't figure out, you know, how did the competition get those?

After that investigation, they found that they were in fact compromised on multiple levels throughout their company operations. Not just with well-placed insiders as in the T.D. Bank case, but also with people, legacy people who had already gone, who placed things inside of the IT network, that were steady-state compromises to meddle, as we say. And I would think that that's the situation here as well.

 

MH

You know, they've named three people or at least three positions in one person's name. Which to me is perhaps a compromise with the Justice Department on how many people are going to get offered up for this. But more than three people inside the bank knew about it for it to happen at this level. I think the last report was they tracked 700 million that was moved just by one organization. And that's just assuming that the Colombian drug trafficking organization is the only nefarious activity across the entire bank at that point, which is unlikely to be the case. Then there were shell companies all over the place, and that's part of what we would say, traditional money laundering operations or methods.

 

DH

Allegedly, some of these insiders were opening shell companies to hide the transactions. But there was also a China connection to this case that I found really interesting. I'm not sure how fleshed out it is. So this could be an allegation, but allegedly, there is a Chinese drug trafficking network that was using the TD Bank insiders too, actually in several branches across several states, including New Jersey, New York, Pennsylvania, Maine, Florida, as you mentioned. They were bribing insiders with gift cards to facilitate their operations. And then those illicit funds were primarily proceeds from the sale of fentanyl and other illegal drugs. So you've got the China drug connection, the Colombian money laundering network, which allegedly used about 30 accounts across TD Bank, moving somewhere upwards of close to 40, $40 million.

 

MH

Well, the China one specifically, I know one person had moved 400 million to the China connection. And the reason that China is so significant for this is not just with the Colombian drug trafficking organizations, but also with the Mexican cartels. The Chinese launderers are very big buyers of bulk cash, you know, all the actual hard currency that results from the sale of narcotics on the street. They're very well placed here in the United States to take that bulk cash and then move it through their system and pay it out later. So there's often a Chinese connection when it comes to moving the money for narcotics in the U.S.

 

DH

Well, if the details of the case so far are correct, China moved a lot more money than the Colombians and some Mexicans did through this connection.

 

MH

Correct. And so I would say it's probably three ways the Chinese did it for themselves, but they were probably also involved at some stage in both the Mexican and Colombian money movement, also. At least at the bulk cash stage.

 

DH

What makes you say that, is there some media sort of story that's saying, hey, the Chinese and the Mexicans and or Colombians are colluding on this case? Or is it from some background knowledge you have or inference?

 

MH

Both. Both, some background, but it's also pretty well documented that the Chinese had a really strong relationship with the Sinaloa Cartel for a long time, specifically moving bulk cash out of Chicago. For a long time, they were the big buyer on the street of bulk cash.

 

DH

So who is it that's doing the States-based, the US-based boots-on-the-ground work and visiting these establishments?

 

MH

So that could be a lot of different people. You know, one of the things that wasn't detailed in this case is that you don't use the same person to do all of these things. It wasn't, you know, one person from the Colombian cartel walking into all these people one by one. It takes quite an expansive network to move that much money. For that long, I think it was almost ten years they were doing this, without raising flags. And so there would be a lot of people involved. But sometimes a third party, especially on the money movement side, they'll bring in someone who's not, let's say, a card-carrying member of the cartel.

But that does this for a lot of different clients. And they're diverse in who they represent. And I would assume that that took place in this instance.

 

DH

So, Matthew, take us back to, Agent Pena's description as portrayed by Pedro Pascal of “money laundering.” He hit on a couple steps that are involved, typically in a money laundering operation. You've actually done this before. Was that accurate?

 

MH

They are, at a high level. Everything he said was accurate. His example was one specific way of doing each step. There are many ways to do each of these steps, but that one was taken from a real example during that investigation of what had gone down.

And I'm glad we're covering it because, you know, since our last talk, we've gotten a lot of questions back about, you know, can you explain what actually goes into an operation like this?

You know, when a government does it, it's called covert finance. When criminals do it, it's called money laundering. But also the steps that are in this process are not illegal of themselves.

So there are a lot of legal reasons why people would do the exact same mechanisms, with their money, such as hiding their PII, trying to increase their security, legal tax strategies and things like that. So money laundering itself is not illegal. Money laundering is illegal if it supports an underlying criminal activity like tax evasion, narcotics trafficking.

Yeah, something like that. And so whether you're doing this for a legal or an illegal reason, the first step is always placement, which is you've got cash, you've got the proceeds from something. Let's say it's narcotics sales on the street. You've got boxes and boxes of what we refer to as bulk cash. And you need to get it into the financial system somehow so that you can move it around.

This has become extremely difficult lately. I think in that clip you referenced, it was Nixon that changed some of the laws on this in the U.S specifically, but everybody's familiar with the $10,000 a day limit. But if you do 10,001, they're going to write it up. What people are less familiar with is, suspicious activity report at this level, which means if I'm the banker or I'm a teller and somebody comes in and they only do 5000 a day, but I think that they're probably up to no good.

The report still gets filed and you still get caught and, so it's not well, if I do 9000 every day, that's going to get past the bank. Unless the bank's in on it, like we were talking about, that's not going to work. And the reason people are supposed to be caught outside the ten is through the KYC policies, the regulations on banks that know your customer.

And so that's why when you're at the bank and the teller's chatting you up and trying to elicit information from you, that seems a little awkward. This is what they're trying to do is they're trying to establish some relationship where they know what normal looks like for you, and they're supposed to report if it steps outside that or if they'd seen the flags in their training.

 

DH

And so that all makes sense. I see the big process there. I like the difference as you explain it between covert finance and money laundering. When you were doing this, you can say yes, those are the steps. They're pretty representative at a high level. Were you involved in the covert finance piece of it or the laundering piece of it, or both at different times?

 

MH

Both at different times. So the covert finance piece mostly. But then also when I worked, you know, undercover with transnational organized crime, this was the cover that I used, that I could help them facilitate things like that. And so, while the U.S government was aware of those activities at the time, it was still coming at it from that angle.

And one of the things that is really key, you know, especially for like high net worth clients, people that want to do this legally, is just because you are not doing anything wrong doesn't mean you don't appear to be doing something wrong. And so when you mimic a lot of these things that we'll talk about, like offshore structuring, it really doesn't matter if you made your money, you know, developing ping pong balls, if it looks like something bad, you're going to have, you know, some problems, such as the bank saying, well, we haven't been notified that you've done anything illegal, but we're going to choose not to do business with you because we're not too sure what's going on here, or they're going to ask for more proof, you know, proof of funds, that there's a legitimate source for your income. And that's kind of a negative that law abiding people have to deal with now, because this laundering in a negative way, is so prevalent these days.

 

DH

Just one more type of fraud that throws off free market competition and makes everything less predictable.

 

MH

Absolutely. And the amount of money that's laundered every year globally, there's a massive, massive impact on the economy. And normal people don't often know that it affects them, that, yeah, policies are changed and rates are changed. I'm sure that, in this case, we're going to see some rate changes at the bank, soon. And, you know, the people that invested in the stock lost money as well, even though they weren't involved in this illicit activity.

 

DH

Yeah. If you think about the impacts of some of this from a risk perspective, in risk management, you think about financials, reputation, operations, strategy, etc. down the line. And here you've got impacts across just about all of those risk categories. The regulation piece of it might be the worst for TD Bank, but the financial aspect hurts customers.

And the reputational aspect, of course, hurts the bank because investors now know that there's a problem. So when this broke in the news, we were immediately aware of the strategic impacts based on reputation, right? We saw the stock price dip. That means investors aren't confident anymore. And let's say the senior leadership had no idea this money laundering scheme was happening.

All of a sudden, they're shocked by it. This is I mean, I've seen this in other companies where they realized that someone in the company has done something that causes strategic effects in the reputational risk department, not to mention all the other financials at stake. But from a reputational perspective, you've got employees of the company and that's often overlooked, the impacts of employees feeling like they can't trust their own company and company leadership.

And then you've got investors, you've got partners, suppliers all across the board thinking, are we hitched to a wagon that's on fire right now? Is it time to let the horses loose?

 

MH

Absolutely. And, you know, you mentioned the employees. I think in one of the first stories that broke, they detailed how a branch in Canada, I believe it's in Toronto, I could be wrong, but it was somewhere in Canada, that they had audio surveillance of the employees joking about this, like everybody at the bank knew. So if it's that prevalent, you know, how do you expect your employees to behave, any of the other rules that you set for them, when they're watching, you know, this flagrantly happen? So I'm sure that things that aren't in these stories are employees feeling, I can do basically whatever I want around here, and it's okay, and hurting the institution in other ways as well.

 

DH

You know, that's not a part of the story I was tracking. So you're saying apart from the alleged insiders, there were other employees that were also kind of witting. They knew something was up right?

 

MH

If not participating, they would have to know, according to the investigation, they did know. But also, it's not that easy to just walk into a bank with $1 million in bulk cash, you know, once a week and hope nobody notices. So you would have to have a lot of people witting, and for this to go on for so long and at the structuring it would take to actually do this, lots of people had to know about it. Yeah. How many would you say here, given the several branches?

 

MH

To move $700 million through multiple branches of a bank? Dozens of people now, dozens at least.

 

DH

So Matthew, with all of these people involved, I can only imagine there is a robust counterintelligence effort internally to keep detections, detection software applications, human interaction, type of behavioral indicators, out of play. Whether it was offensive counterintelligence to divert people's attention away or it was defensive to hide communications and plans and that sort of thing.

I'd be interested in seeing your thoughts on the counterintelligence aspect of an operation like this. Going back to the original DOJ complaint, or the information at least that they've released, you know, this was a failure of Anti-Money Laundering detections more than it was some really successful penetration of a bunch of insiders. According to some of the literature I've read, if the bank had followed the AML fundamentals, they would have detected this long ago.

And so one thing you said earlier, hey, they presented themselves as a soft target because they weren't doing, allegedly, the type of AML that they should have been doing where they would have detected this. So let's say they were doing the right AML, and this was just a total breakdown of the system to detect money laundering activities. That would tell me that there was some counterintelligence happening, whether they knew that's what they were doing or not, they were still using the fundamentals to have those conversations off of corporate communication channels where they couldn't be monitored.

From what you've seen or been a part of, when you've got lots of insiders at different levels of the company in different branches, you've got the external partners involved in the operation, which allegedly are China-based threat actors and, Colombian cartel-based actors. What were they communicating with each other? Is that how that would work? Was there one person who would have been the facilitator for the network?

Was it all ad hoc? And everybody got lucky? From what you know, how would this operation work from, in terms of, like, support terrorist support structures? Right? This is Aml (not AML, but ML) ML support structures. Right.

 

MH

So I think it's important to keep in mind how large the money laundering operations for an organization like a cartel this size actually are. This would be a drop in the bucket for them as far as what they're doing globally. And the way that they approach it from their own CI is they keep things very compartmented. There's not someone who runs all of this for them all over the world. When opportunities come up and go down in that world, it's, hey, this cryptocurrency thing is something we can use right now. Let's take advantage of it. Then that little segment, that compartment of the criminal organization, takes advantage of it. And that can be because they have relationships like this one with China. Just in that pocket, and say some of their operations somewhere else are not taking advantage of the same network to move their money.

And so it can be very compartmented. They do this for several reasons. One is when things go bad, they know where to look. Same way as, you know, a traditional counterintelligence program like you were involved in would do. But also you don't want to bring problems from somewhere else to a situation that's working. Right? So you don't say, well, our laundering operation in San Francisco is just falling apart every time we try to use it. But the one in Florida is going fantastic. So why don't we just bring the San Francisco money into that. That's not how they approach things. So that compartmentalization is really the key to their CI approach.

And yeah, you know, you mentioned, communications. These are people that use encrypted communications at the highest levels. These are organizations that have SIGINT collection gear to support their counterintelligence effort the same way a small nation state would.

So they're extremely sophisticated with it. They have people in their organizations that used to be counterintelligence agents before they joined. So they're about as sophisticated as you could imagine these days. It's not the cocaine cowboys, you know, anymore from back in the day. A lot of these people that are especially involved in the money laundering side are Ivy League grads with business degrees and financial degrees, and they run this like a business, like a Walmart.

They're not just asking one of the homies, you know, on the street to jump in there and give it a try. They have sophisticated networks of people that do this for a living.

 

DH

And these are the external actors involved, or are these insiders that are just too sophisticated in their counterintelligence… I don't know, acumen.

 

MH

That's, I would say, both, to an extent, and in a modern version of this, if you're a criminal organization, you don't want to launder your own money. You bring in outsiders for that. That's a much more sophisticated way. Just like the instance we saw in Europe with the Russians that were involved. There are boutique firms that do this on behalf of multiple clients, just like the Panama Papers. You know, where Mossack Fonseca, the attorneys in Panama, were supporting everything from terrorist organizations to drug cartels. These people aren't picky with who they represent.

 

DH

So we're talking about people that have advanced degrees, training in counterintelligence and COVCOM. Certainly, at least from the outside. And for them to trust an insider, it’d have to be a high level insider. That's what makes me think that this higher level person that was, kind of, you know, closer to the top of the company had to be on point, inside, to be able to marshal the troops and to say things to the troops in a way that they believed and they could trust and say, hey, if I'm going to jump in here with both feet, I've got some protection on top. Does that make sense?

 

MH

It does. I mean, you're doing something that comes with, you know, 20-year criminal penalties. You know, in a lot of cases here, you know, this is a big kid crime to commit, especially with players like that. And you saw the lower levels, like you mentioned at the beginning of the conversation, some of these people that were helping to facilitate the smurfing at a branch level, and they got $57,000.

 

DH

Total - across all of them.

 

MH

Right. So and I don't know if there were other bribes paid, there probably were in different ways. But you're not anywhere close to the amount of money to make the risk reward structure here, you know, make any sense. And so it just proves, you know, I think it's two sides.

One, like you pointed out, the head of the, you know, FIU, you got to get that person 100% recruited. Some of the lower level branch people, you know, you can bring these people in, you can use them. If it doesn't work out, you go somewhere else. You know, they're much more expendable. It's not like they're going to go turn themselves in.

So you can rotate through people like that if you lose them. And, you know, people are so intimidated by these criminal organizations that, okay. But they're very good at deterring that kind of reaction from the people they approach.

 

DH

So with the sheer number of access agents that were recruited at a lower level and offered these gift cards, to me that sounds like as an access agent-type methodology from a counterintelligence perspective. The way to control that risk is intimidation.

 

MH

Absolutely. I mean, you would want to get it on a positive pitch, right? You'd want to be in it for the money or you're helping them with some situation. But, you know, this isn't - they don't run things like, let's say the U.S. Intelligence Service would. Their negative pitch and the heavy hand is a very present thing where they interact with people.

And the media has done a great job of helping them market that. And so people's minds can wander on their own a lot of times in those rooms.

 

DH

Sure. Making inferences to maybe the parties that are involved, maybe that's all it takes to strike the fear into the lower-level access agents so that they know if they're going to play, they’ve got to keep their mouth shut.

 

MH

Absolutely. And you don't play. You know, one of the things that was surprising to me when I was, when I was doing this, because we wouldn't, you know, say, hey, we're going to do this operation ahead of time, was you didn't really have to pitch a lot of people to help you with this. You could hint at it a little bit, and they would kind of volunteer before you even, you know, got them to that point. And so, you know, people like money. And this is a great example of how little money it takes to get people to compromise themselves. A lot of times.

 

DH

Crazy. Yeah, I help you, you help me, keep your mouth shut. This is a big boy game you're playing. It won't last forever, but as long as it does and forever after, keep your mouth shut.

 

MH

Yeah, a lot of people, they have these grand ideas. You know, one banker I met was under the impression I'm just going to do this for a year. I'm going to make enough money to pay my house off. And then, you know, those people never hear from me again. That's not how that goes in the end. But that was his impression of how life was going to go. And he seemed pretty happy and chill about it when he was describing…

 

DH

What is the off ramp? So for lower level access agents, what is the off ramp for them?

 

MH

I mean, some people do get in and get out of it, you know, say I'm going to change jobs or something. It's not good for business to go around whacking everybody that's helped you ever. And transnational organized crime groups that are successful are nothing except great marketers for their brand. And they approach it the same way an intelligence service would.

We want to have a good reputation for how people that work with us the right way end up, and so it can go that way sometimes. But in my experience, people who are doing it for money are so greedy they never take the offering. They just stay on the highway and they find a new mile marker that they want to achieve getting down to, and they just stay on it.

They also, you know, if you aren't being taught how to handle the money that you're getting paid, at some point they're making so much money that they become a red flag themselves because they're living outside their means and things like that.

 

DH

So. Well, it looks like that was somewhat controlled here in this situation because you had multiple access agents getting paid, from what we know so far, a grand total of around 57,000 in gift cards. So that's not the kind of money that makes you look like you're affluent. You know, you're not going to show those indicators to people in the workplace or even your family that, oh, I just resolved a major money problem, like to the tune of, you know, let's say six, seven figures.

And because of that, that tells me that someone at the top has done this before. They know how this works. You don't overpay people. When you do that, they start getting excited. They start taking risks that they're not trained or experienced enough to take. They start talking, but you keep them on the hook with just enough, and they're hungry for more.

They keep their damn mouth shut, and they're not giving out those indicators of affluence, or undue affluence that... So anyway, you know, I think about this from the leadership perspective, trying to kind of get inside the mind of the leaders of this operation. Is that the person that is the top in the bank in the new or is it, is that the external threat actor saying, hey, buddy, we're going to take control of this, okay?

 

We need you. Obviously, you're going to be the one making a bunch of money, but let us handle all the counterintelligence side of things. What do you think?

 

MH

Absolutely. They would never ask the person in the bank to help them with that kind of a thing. And you never know what the situation was. I think it'll be extremely enlightening when it comes out what the senior figure you officer was, you know, tied in with. You know, maybe this person had a narcotics problem themselves. Maybe they had gambling debt. Maybe they had something that they could help go away or continue to, to provide a service for that wasn't $500,000 a year in cash that's going to be treated incorrectly. So I'm really curious as to what the compensation for that person was.

But everybody below them, I think it's just much easier to pay people a lot less money than everyone thinks.

 


DH

Yeah. And I've seen that in a lot of cases where there's a big difference between what access agents are getting paid and anybody who is leading one of the various support structures for the activity, whether it's logistics or finance or leadership, or Intel, somebody is at the top of each of those. And these people are either like trusted, recruited, fully recruited and tasked insiders that have been part of the network for a long time, or they're just a loose network of access agents that are getting small amounts of money, enough to keep them on the hook so that they're not talking, getting excited, like we said.

 

MH

Right. It's also helpful to note what percentages are made off of money laundering. And so it usually ranges between 3 and 25% is what a laundering operation is going to charge.

 

DH

That's quite a spread.

 

MH

Well, the best ones in the world can do it at 3%. If the amount of money coming through the system is large enough to justify it.

 

DH

Fair enough. And so volume

 

MH

If somebody who was approaching me when I was in that world before and they said, hey, I've got this, you know, narcotics business, I've been doing well for myself and I'd like to move a whole $50,000, please. How much is this going to cost? It's going to cost. Almost all of it is what it's going to cost at that level. But if somebody wants to move $15 million, it's a much different thing. And the people who do this the best have such an infrastructure that they can make money off of it while it's passing through on top of a percentage, because they're just like a bank.

When you put your money into the bank, they invest your money somewhere and that's how they make a profit.

 

DH

Got that short window where some kind of speculative trading can make you money?

 

MH

Exactly. Yeah. Well, and also, you know, we haven't got into this yet. The second step in the laundering process is layering. And so this is once you got it in there, you want to distance it from its original source to hide where the money came from. And you know, people use this term shell companies. Right. Different than a shelf company. A shell company is essentially an entity where there is no legitimate business that happens out of it. It's only used as a pass through to move money through. And this could be in different jurisdictions that don't cooperate. You're just bouncing it around. But that's a fairly amateurish way to do it.

The pros put it through businesses that are legitimate, and this becomes an influx of cash, like it's a capital contribution to the business for the time that it's there. And so just imagine if you were able to run a business. And every time you need capital, you don't have to go to the bank and pay a percentage loan.

You just had access to free money to run it. You could save quite a bit over thousands and thousands of businesses collectively. And so that's one of the main layering steps that helps the big boys make their margins. And so they don't have to charge the client that much. Their businesses are profiting from the money coming through them.

 

DH

Well, at this point, all we know about the external actors is that they're associated with China and Colombia. Specifically, drug cartels in China and drug cartels in Colombia. We don't know about state backing. We don't know about foreign intelligence service involvement or even proxies. We just know that these are criminal organizations that are good at what they do. Obviously done it before. Would you expect that the Chinese or the China-based organized crime elements are working together with the Colombia based, organized crime elements, or are they separate, completely compartmented parts of this kind of operation?

 

MH

So during the money phase, I would assume it's almost completely separated. The Chinese representative, whatever Chinese criminal faction it is, would interact at the level of picking up the bulk cash and notifying where at the final stage the money can be picked up from, and there would be almost no communication during that time to as an overlap, just from a CI precaution for them.

The Chinese, everybody thinks, during the layering stage, something like a hawala network. Yeah. That became very popular during the GWOT era. But the Chinese, you know, have for an extremely long time had a very similar banking network. It's called fēi qián. And it means flying money. And it's essentially the same concept to where I can move money from one country to another, let's say, to China, without actually having to send it, because I just balance the books on one side. Right.

So if, let's say, yeah, 5000 people in China want to get money to the United States, which is huge, right? Because there are Chinese restrictions on capital flight leaving. So if they want to buy a house in LA, say a thousand people in China want to buy a house in LA or houses in California, then the money launderer in the United States who wants to get things the other way simply balances the books with the Chinese representative and then gives that money to the person who has a need for it here.

And so those informal networks keep there from ever being a hop. This is done on pads of paper and mouth to mouth. And so it's very, very difficult to trace in that way.

 

DH

And that's still happening then. I mean this is a hawala.

 

MH

It is - it's happening more because as the wickets to catch financial crime become more sophisticated on the cyberspace, these old school ways of doing it become more valuable and more difficult to catch because people aren't aware of them.

 

DH

So is the assumption here with this case that they weren't using that? The more the old school sort of traditional hawala-style analog way of doing business there, was there a cyber trail that created a string that could be pulled?

 

MH

You know, I'm not sure they haven't released that for this case. Specifically, we do know that in this instance, part of it was a lot more simple because the branch person in Florida was issuing out debit cards from the bank. So the money's just in the bank. It moves around in the same financial institution, which is not sophisticated and is able to be pulled out by the same financial institution.

You know, in layering, there's so many steps that you want to take advantage of such as invoice manipulation, trade-based things. An example of that would be if you wanted to move money out of a country, you simply overpay on an invoice. So an old school way would be to see an invoice for, I don't know, bananas that are being imported into the United States. And the payment comes down to $4,000 a banana, is what, you know, it happened to be. That's progressed now, but it used to be that flagrant. So you would want to have things like that.

You would want the currency to change form, you know, from U.S. dollars to Deutschmarks to cryptocurrency. The more times this happens, the more difficult it is to trace. And so leaving the money in the same place of placement with this bank and then withdrawing it from the same bank, is probably part of the reason they got caught doing it.

 

DH

Yeah, yeah. Because, you know, especially once this happens one time, you can create a threat signature off of it the same way a cyber incident response team would create an IOC. Well, IOC is a little bit different. The threat signatures, more sequential line of activities that you would look for. The same kind of thing you and I looked for when we served together in Afghanistan.

It's the sequence of specific activities together that is the threat signature, right? In our case, early on, before we got involved with all kinds of, you know, advanced counterintelligence methodology and money laundering and undercover ops and all of that while we were still fairly green in our careers, it was - if there is a cellular emanation coming off of a combat outpost just before the troops pull out of the base and turn right or left, and then there's another emanation after they make that turn, that's a threat signature. It looks a little bit like someone on the base is calling out the direction of the convoy to whoever is staged in either direction.

Likewise with “walking rounds in”, as we say, if you see emanations from a base right before indirect fire, like mortars are fired onto the base, and then you see emanations after that first volley, they're bracketing from an infantry or an artillery perspective to walk those rounds in closer and closer to target. That's a threat signature.

With this case, you've got people moving money around inside of the bank. To me, that looks like a threat signature, because it's not something normal people would do, right?

 

MH

That's it. And that’s a great way to put it.

 

DH

And that mistake was allowed to happen. Was it just not common knowledge that that is kind of a known M.O.?

 

MH

You know, again, there's a lot that we're still waiting to see come out here. But I'm getting the impression that they thought because their KYC regulators, because the head of the financial intelligence unit, because people like this were in on it, that they didn't have to, you know, really go through that much trouble, which is true, you know, all of these steps can be short circuited by someone who's in charge of catching you just saying, hey, just do whatever and we won't do anything about it.

But. I think sometimes laziness comes into it as well. Or perhaps, you know, just not having a sophisticated option at the time. But yeah, I'm very curious to see what it comes out as here.

 

DH

Yeah. And, you know, did they just not know because the insider didn't have the proper training to be involved at this level or background or were they lazy and, you know, they started thinking, hey, this is too easy and they got complacent. Or perhaps were there detection methods that were evolving out there in the counterintelligence space, counter insider threat space that they just weren't tracking, which they should have been. Honestly, you know, I yeah, I agree.

Or is it one of those things like we tell people, don't overuse tradecraft if what you've been doing for ten years is working, don't add new levels of tradecraft if you don't have to, because you're complicating a process that's already working.

You know, we always say don't use tradecraft if it doesn't need to be used, you're probably going to end up drawing attention to yourself and making mistakes you wouldn't have made. So you'll only increase your tradecraft when there's a real need to do it. So there's all kinds of explanations here. And like you said, I know we don't have the details of the case, so it's more inference now.

 

MH

You bring up a lot of good points and, you know, I'll refer to something I said earlier, which is this was a compartmentalized thing for them. And so it could have been someone bumped up the chain in the cartel and said, look, we've compromised the head of the financial intelligence unit over here. You know, let's just try to run it that way. And they kept it simple. And, you know, we can say, oh, they got caught eventually, but I haven't seen anybody from the cartel that's been named at this point. They got at least $700 million through it.

And something to keep in mind is how the cartels approach their business structure. So if you look at, say, sending loads across the border, they expect a certain percentage of those loads to get caught. They're not trying to hit 100%. They figured out business wise and math wise, what's an acceptable loss for their loads. And they approach the money in very much the same way. This isn't the only thing that they're up to at the moment, and they got almost $1 billion, at least, through, during a very long stretch. And so I don't think they're looking at it like anything but a win and doing something else.

 

DH

Yeah, yeah, yeah. I ran into a case in Afghanistan where the US was bringing all of the materiel for military resupply through Karachi, through the port there, and then over road through western Pakistan into eastern Afghanistan. And that same percentage of loss - there was an acceptable percentage of loss at the top levels of the DoD, where they wouldn't get involved at all.

So if it was under 10%, I'm going to throw out a number, 10%. No response necessary. If it got above 10%, then there was going to be a national level criminal investigation to figure out if there wasn't some kind of insider facilitation happening. So it makes sense, you know, and that was years ago for us. That was back in like oh eight, oh nine and surely, that has become a best practice in logistics.

We're talking about logistics right now. All right. The logistics support structure of an operation like this, the logistics losses are acceptable at a certain point.

 

MH

You know, this is the logistics of money, you know, to them as well. And another thing to keep in mind for everybody that's listening is this is the first time a U.S. bank in the history of this country has ever pled guilty to money laundering.

 

DH

It is the largest bank or the people involved?

 

MH

The bank. It is the largest where I'm gonna make sure I'm saying this right where they pled guilty to the Bank Secrecy Act. So the largest of that. But they actually pled to money laundering charges above it. And that's never happened before. And so part of this coming to an end could have been a lot of people saying, nobody ever gets in trouble for this.

This has never happened. So why wouldn't it continue to go the way it's going? So I don't think anybody expected that from the cartel side. I think they were under the impression that in this country and in Canada, stuff like that does not get prosecuted very often.

 

DH

Well, it sure doesn't very often, but it could be that they were overlooking all of the lower level charges that get levied on people once they're found out doing something like this. Surely they're rethinking their M.O. right now.

 

MH

I'm sure they are. And there's a lot of other ones out there. There's a lot of different ways to, to do this. A couple we haven't talked about is gambling. That's another classic one, moving money through a casino. Online gambling is huge now, a lot of these online casinos offer a very attractive piece to them, which is they will let you deposit money under one name, Jane Smith, and then take the money back out under a completely different one.

 

DH

Now, how is that possible? But you can't do that in any other financial institution, from what I understand.

 

MH

It's in defiance of the international kind of money laundering, laws and mandates, which is why they typically operate in jurisdictions that are outside of those. I know that has recently been a big one there.

 

DH

Which one?

 

MH

Latvia was one for a while that was being used for this. But they're still getting, you know, attempts at prosecuting them. I know the head of one of the biggest online casinos is wanted on money laundering charges. Right now the casino still operates. But, and then with the merger of cryptocurrency within that, the, you know, different, you know, hawala versions for cryptocurrency like mixers. So you're taking the same concepts and just adding on top of them.

 

It used to be with casinos, you had to go in and try to not lose all the money while you were in there. Right? So you played blackjack perfectly. Try to lose 1% in that way. But the problem is the casinos today, they're going to ask if you bring more than $10,000 in cash in and put it out on the table, they’re gonna ask you to fill out a form for it, just like a bank.

And if you win a bunch of money, they're going to ask you to fill out a form for it because they want - because of taxes, mostly. Not that they're too worried about the illicit activity, but they are worried about tax fines. And so that's become very hard to get around as well. But the online casinos don't have that problem and they won't ask you for any KYC stuff.

They won't ask you where your money came from for proof of funds, and they won't ask why you deposit it from an IP address in Manhattan, and they're pulling it out in Hong Kong. They don't mind under a different name.

 

DH

So it looks like that was in play as well. You know, ATM withdrawals can trigger alerts, but if the ATM is in Colombia, then there's not going to be an alert triggered because there's no restriction there on how much you can pull out from an ATM.

So if one person, I guess puts and drops money into the top of the funnel in the US, let's say with a US IP address into a gambling sort of app scenario, loses the money and it's pulled out of an ATM in Colombia, and a portion of that money is then balanced on the books hawala style, back to the insider in some way. Does that sound reasonably at a high level, like what was happening, so everybody was paid?

 

MH

So I don't think it was that niche or that sophisticated in this instance, but in a more sophisticated one. You know, there's if, let's say that you were in another country and we get on and we're playing poker against each other, you know, online poker room, and we're using an encrypted messaging app to text each other what our cards are.

You know that I'm bluffing. There's nothing that says it's illegal for me to lose $100,000 to you in a day at that poker table. So I just moved all of that money in what could have been one hand of poker at some of the levels that the online rooms support.

 

DH

So. Okay. Masterclass in moving money illicitly with Matthew Hedger, ladies and gentlemen.

 

MH

Well the main you know, the main concept, the, you know, with detailed maybe a few different ways to do it. But the main concept to understand is…

 

DH

… basically don't play cards with Matthew Hedger.

 

MH

Well, sometimes what's losing is winning in that world. And once that money came out of the ATM there's still steps, you know, to it. And you want to do the step that's integration, right. What do you spend the money on. How do you invest it. And the main concept when you're learning money laundering or anti-money laundering and trying to catch it, is to understand that what you're trying to do is transfer value between things, not transfer cash necessarily, you know, gold, diamonds, but mostly things like art where value is not specifically assigned to something.

So if you paint something and to me, at an auction, it's worth $200,000, and that's what it's worth. And what we've seen in the crypto space are things like NFTs, where you have a digital piece of art that looks like complete trash. And if you look at the chain of it, somebody paid $1.5 million for that little digital piece of art, and there's really no way to say it's not worth that to me.

And so typically that money, once it gets pulled out of the ATM, is going to be put into something like that. An art auction that takes all cash, and then you can later sell it at a very reputable place. And that place will write you a check from a reputable place that no bank is going to wonder about.

 

DH

Yeah. It makes me glad that I never worked for the FBI's counter-fraud units. You know, because that's some complicated stuff to track down right there. And it sounds like a losing game.

 

MH

Absolutely. And that's only if it happens in the United States. You know, when you're doing the layering of it, you're trying to use jurisdictions to where what you're doing is completely legal.

And so, you know, there are countries where they don't have the ten K a day law, and you want to do your business in a place where it's okay, not where you have to get away with it. And so if you're an FBI agent trying to track this down and you're waiting for, you know, response to some request for information from a Central European country that doesn't have a great relationship with us, it might take two years for them to get back to you on that piece of the hop.

And so if you daisy chain these things together, the jurisdictions alone can make it very hard for law enforcement to, to keep up with it.

 

DH

Yeah. You know, I think it's interesting you bring up the jurisdictions again. I have seen some Interpol wins in the news recently where they finally put enough together where they could name people or organizations involved in illicit activities without the fear of reprisals that usually keep them from being able to do so.

 

I guess they finally reached the threshold where they thought, okay, it's safe for us to indict people and, you know, they've rolled up some pretty significant ransomware gangs in the last few months. And, you know, maybe Interpol is getting some teeth somehow. And in these wins are indicative of better cooperation across jurisdictions. Because otherwise without access to the other side of the data, you can't put the whole picture together outside of inferences.

And you certainly can't get the evidence that you need to establish an evidence chain of custody useful in court without that kind of international cooperation. So I don't know much about Interpol like of late. I haven't been tracking Interpol and how well they're doing. But when I look at these big wins with the ransomware gangs, I have to assume that there are some really, really powerful players involved with these operations that are finding ways to prosecute them without the retribution that gets everybody killed.

These types of cases are the kind that get you killed when billions - an important person in my life was a MITRE, a senior at MITRE. I was asking him about some things while you and I were serving in Afghanistan. Because I needed to understand the money part of some of the terrorist support structures that we were up against more at a strategic level than all the other tactical stuff we were engaged in.

And he said, “hey, man, if you don't mind I might just keep that a little close to the chest, because billions get people killed. If you need to know something ask the question. I'll tell you what I can, but I don't want to put you in harm.”

 

MH

No, you're absolutely right. The level of money like you reference, it changes the entire game.

 

DH

Yeah. And the players involved at that level, nobody moves billions in ransomware without state backing, as we're seeing, right. We're seeing significant state backing through Russia. And I don't even know if the government's involved. I mean, I guess I would assume that FSB is somewhere involved in the mix, but that's just an assumption on my part. But knowing that the back end of these big ransomware operations are typically executed there in Moscow in big cubicle farms, organized office environments, people coming in and clocking in and clocking out, like, you know, we've done in cubicle farms periods of our careers.

These aren't, like, seedy back, you know, back of the strip club operations. They're corporate environments now. The ransomware gangs are kind of, like, all over the place. They're, you know, it's a wide spread. It's basically whoever can figure out how to make it successful. But then the transactions happen there in Moscow. Well, nobody's going up against Moscow based ransomware back end, financiers and accountants because that kind of money again we're talking billions and billions and billions.

There's no way that's happening in Moscow without senior government involvement. And my inference is that if Russia is involved, they're involved for a couple reasons. One, the illicit funds are obviously useful for what they're trying to do right now. And expanding their borders. But the other is if they have an opportunity to kind of mess with the US, right? Just give us a hard time. Well, obviously they're going to jump all over that because that's fun for President Putin. He gets a kick out of it. And so he's going to endorse it. But those are all just kind of like those are my assumptions and inferences based off of this. If we're talking billions, senior government officials are involved somewhere.

I don't think we've reached that level with this particular case. But let's assume for a minute that this wasn't just the only laundering operation that was facilitating the Colombian cartel or whatever cartel was pushing fentanyl out of China. It's probably one of 20, 50. How many? What would you say?

 

MH

I think almost every criminal organization in this country at some level has to touch China in the fentanyl game. I mean, at some point, that's just their space. They control that space from the manufacturing level or from the chemicals that are required for it level, and then they end up with it again, you know, for the money. But, when people think about structuring all over the world and they think about shell companies and trusts and things like that, they always think the jurisdictions are similar, but they're not.

There's jurisdictions that are good for trusts. There are jurisdictions that are good for corporations, and there are jurisdictions that are good for banking. And Hong Kong is still one of the most amenable places to do discreet banking. Put it that way. They're the modern version of what Switzerland used to be thought of. You have countries like Luxembourg that know.

 

DH

Does that account for China's takeover of Hong Kong? I would assume that the records are now being centralized.

 

MH

Right, I would think so as well. Yeah. But you know, like you mentioned with the Russians, both the Chinese and the Russians, and you know this more than I do from your counterintelligence experience, there were very high thresholds for the aggressiveness of an intelligence operation. And so at some point, to the Russians or to the Chinese, covert finance and narcotics money laundering become the exact same operation.

So the article in Europe was there was a boutique shop that was moving a bunch of money on behalf of a bunch of different criminal organizations, some Russian oligarchs, they knew everybody. But what was hidden in the news story about it was that multiple assets of the Russian intelligence service were also paid out of the same pot of money.

So that's a good illustration of both covert finance and some of the money laundering for criminal activity overlapping or at least intersecting, in a way that no doubt the Russian government was completely aware of.

 

DH

Yeah, yeah. These different jurisdictions that are in play. And I think it's easy to assume that when someone breaks U.S. law, they're breaking everyone else's laws. But that's not always the case. As we know, it can be said also about things like surveillance, electronic surveillance, physical surveillance. A lot of things in the US would require a warrant, particularly for things like electronic surveillance that is just standard business in other jurisdictions. And from a counterintelligence perspective, I think that if you're just getting your feet wet and learning about the field, it can seem like, oh, these countries are bad.

Well, they're just different. They have a different logic, based on different factors. And to them to stay safe, that's what it requires. So for an operation to be successful like this, what you're talking about is actors who are savvy. They've done this before and they know that you've got to exploit the vulnerabilities in multiple jurisdictions, whether those vulnerabilities lie within the norms and expectations culturally or they rely on the regulatory environment.

Either way, you got to exploit all of that successfully across many jurisdictions so that all of your extended network are safe. Any one person that gets wrapped up in something is now a loose string that can be pulled by law enforcement agencies. And, you know, you start unraveling, right? So compartmentalization comes in, like you were mentioning earlier in the episode, as being an important counterintelligence consideration, keeping people completely separated from one cell to another, one jurisdiction to another.

Either way, it sounds to me like an operation like this that went on so long - yes, it was probably somewhat simplistic in recent terms, like in light of the technological environment that we have today versus ten years ago. But it was professional in that there was a process, a process that we've seen in countless other cases, that only unravels if something goes wrong.

 

MH

That's right. And, you know, one of the things you mentioned was keeping up with jurisdictions. All of those jurisdictions don't have static laws forever. You know, one thing that was proposed this year was the Corporate Transparency Act in the United States, which was going to require the beneficial owner information to be exposed for every company, even if it was held by a trust.

So when, you know, traditionally, Wyoming has been one of the best offshore jurisdictions because of the trust laws. You know, also, jurisdiction like Nevis, which can couple with banking in Belize. But if the law changes and all of a sudden you still have all of your stuff there and you didn't rip it out in anticipation of it, then all of a sudden you're doing something illegal on Tuesday that wasn't illegal on Monday.

And so it takes a lot of regulatory studying constantly by lawyers to stay ahead of. And it's an extremely complicated business to be in.

 

DH

I think it takes automation as well. No one company is going to have all of the right risk analysts to sit here and manually detect every change in regulatory environments in every jurisdiction in which the company does business around the world and turn that into continuous monitoring configurations for the internal security-related monitoring programs that are going on, right? I mean, you would need such a large team to do that kind of thing manually. Imagine doing cyber threat Intel manually and tracking every IOC as it comes out manually.

 

MH

No thank you, I forget it.

 

DH

Nobody does that, right. And there you know, so when you look at their internal continuous monitoring capabilities, some of those are required if you're in the financial sector, others are voluntary. I think we're going to need a lot more automated sophistication across the board if we're going to get our hands around this problem, for our clients as well. We have the laws, but we might not have detections in place. Dude, this is a complicated topic.

I can see it going in a lot of different directions. If we were trying to teach people how to conduct money laundering, we would need hundreds of these episodes to account for all the ways people get caught. What I'd like to do, though, is spend a second on some practitioner insights that help organizations catch insiders involved in money laundering by the numbers, and just run down a couple of the standard things that companies can do and our clients are doing because we're in the mix. And they're successfully detecting these instances and more importantly, they're setting themselves up with an infrastructure that's adaptable to those changes in jurisdictional, regulatory environments. And also changes in how threat actors are coming at them.

Like we were talking about, the laws are basically in place. You have the Bank Secrecy Act, you've got the Anti-Money Laundering Act, the Federal Financial Institutions Examination Council guidelines and recommendations. Then you've got SIFMA, which is always pushing out recommendations and guidelines. You've got the SEC here in the US. So the law and the regulatory environment is there; now the financial institutions, of course, have to be up to date with that.

Their compliance officers are very, very smart and savvy, and they're doing continuous monitoring on the regulatory environment, not on their staff, right? They have to monitor the regulatory environment, not just here in the States, but wherever they're doing business around the world. Correct. Internally, though, what are some of the things that banks should be thinking about? Obviously they're already doing this to some extent, to get ready for this next phase in applying automation to all of these types of detective activities so that they can keep pace with the volume of the threat signals coming across their desk. One of those ways is transaction monitoring systems. Not a new concept, but AML-specific, using automation.

You know, banks are required to deploy automated monitoring systems capable of identifying unusual patterns, things like structuring transactions below reporting thresholds. We think it looks great in the news, but, you know, there are detections in place to detect, you know, $9,600 going in multiple times. Repeated large cash deposits or withdrawals of any kind, and transfers involving high-risk jurisdictions, are other things that transaction monitoring systems are supposed to help you detect.

So the recommendation here would be, you know, make sure you've got a good transaction monitoring system and a vendor that is staying abreast of all of those changes in threat actor activity, the way any software security company does with IOCs. Apart from that, you've got insider threat monitoring. This is kind of new. I mean, we say the insider threat monitoring side of the business has been in place maybe 14 or 15 years.

Okay. And it took a little while to get off the ground. You know, it really originally started within Lockheed. There's a certain leader in our industry that everyone will know if I bring up Lockheed, who was largely responsible for this paradigm of insider monitoring. And he now works in the financial industry.

And the people that he brought into that type of paradigm are still in the business. They're either running software companies that are designed specifically to help companies detect insider risk, or they're working in various types of government positions, you know, all the way up to high-level NCSC-type positions. Or they're practitioners throughout commercial and defense industries.

That being said, it's not very mature yet. From an industry perspective, there are still companies trying a lot of different ways to monitor insider activity, and there are different philosophies guiding the technical implementations of those detective paradigms.

But there are some simple ways to attack maybe this particular case. Looking for frequent overrides of compliance controls is one thing that I would look for as an indicator. Excessive access to high-risk client accounts I would look for as an indicator. Communication with flagged external entities, that's going to pop up anyway. But is there a threat signature, like we were kind of talking about earlier in the episode? Then with KYC and enhanced due diligence, or EDD, you've got customer risk assessments, continuous evaluation of customer profiles to look for things like the use of those shell or shelf companies or other high-risk entities, as they're just going about their daily work.

Mismatches between customer activities and declared business purpose.

These things can be automated, and we can create threat signatures off of these things and then deploy them. I think the advent of ML in security detection systems is going to really assist with not just detecting the threat signature, but turning around in an automated way and deploying that across the entire IT environment and looking for similar things without any manual intervention.

 

Yeah, that's coming. And there are some thought leaders and some prime movers that are very close to deploying that in the insider risk IT space. It's already happening in the OT space, which is great. I love to see that all the tricks and traps of the OT space are going to come into our space on the IT side. Enhanced due diligence for high risk accounts has got to be taken a lot more seriously.

When I think about enhanced due diligence, particularly in supply chain security, compliance isn't enough. It's so easy to work around compliance requirements when you're coming from a jurisdiction that doesn't have the same laws. Opening up hundreds or thousands of white-labelled companies in the U.S. run by U.S. persons is the easiest way to get around restricted entities and entity lists.

So there's always a workaround and we need to create threat signatures and deploy them into our detective software applications and get them looking for those things. Right now, it's still kind of nascent. So it's up to the practitioners to bring these ideas up to their vendors and their leaders and say, how do we create a model for this?

I think data analytics and AI-driven behavioral analysis, we've got to get a lot more serious about. In the insider threat space, which this case, this TD Bank case is, you know, obviously an insider threat case…

 

MH

… several times over.

 

DH

You know, their compliance-based detections didn't pick it up. So we need insider threat-based detections to pick it up, so we can build our own models, pattern recognition tools, behavioral anomalies.

There's a lot of great work that's been done by a couple of the vendors that are really prime movers in some ways, but also with some of the federally funded research and development centers like MITRE, as they start using contributors' operational data streams, which is not test data.

The real thing to look at is understanding the critical components of the adversary's success and modeling those into detection models. There are a couple of key vendors that are taking those insights and testing them with their clients, working with their clients to say, is this going to work in your environment? And they're getting insights and publishing papers on it that are obviously pseudonymized, so that we're not seeing who's contributing and things like that. They're good insights, though, and there's enough out there that's scientifically useful to try.

You've got whistleblowing channels and anonymous reporting as another way to counter this. We do always want to include things like confidential hotlines when we talk about countering the insider threat. That means different things in different jurisdictions. Here in the US, there's a little less fear of reprisal than there is in a lot of other jurisdictions around the world. There might be some uncomfortable conversations or sideways glances in the workplace, someone might even get fired, but they're probably not going to get kidnapped, thrown into a van and dismembered in a third country somewhere.

And that's absolutely happening right now with certain threat actors who will come into the U.S., pick up people who have reported a security concern and blown an operation. And if we don't know about that out there in the community, I would say it's something to be aware of. Because some of your workforce is, statistically at least, being targeted for exploitation of their vulnerabilities and coerced into positions where they're not allowed to report concerns to security.

 

MH

Well, that's a good point. You know, with the training aspect of this for employees, you know, if somebody is approached by someone who's a member or a purported member of an organization like this, who do they go to? What do they say? Are they safe to go to that person? You know, I don't think a lot of people are completely aware of what the steps should be in response to that kind of an approach at every level of an institution like that.

And so that training becomes extremely critical for the employees.

 

DH

Well, it is, and to my knowledge there's not any one organization saying train your employees in this way. In fact, in the professional associations that I participate in, I don't really hear people talking about how to deal with employee education and awareness outside of the U.S., particularly in those jurisdictions where reprisals can mean death if they report security concerns.

You know, the whistleblower protection, the confidential reporting hotlines, it is nascent. In the U.S. it's easier. But we haven't really cracked that nut for a lot of our foreign workforce. And we need to find ways to protect them so that they can tell us their concerns without that fear of reprisal. And I'll tell you, you know this, too.

Anytime China or drug cartels are involved, the reprisals are not going to be fun. Now, it's not going to be legal; whatever happens to you, it's going to be illicit, extrajudicial extraditions. And then what happens when they get you out? See you later.

 

MH

Well, they play by different rules than we do. And I think it's important for people to understand, you know, what situation they're in when they're approached or when they're targeted as an employee of an institution like this, and what to do about it.

 

DH

Yeah. I mean, it's a part of our business that I would love to see mature. I don't even know where to start with it, except to ask for volunteers to come in and have conversations philosophically about the topic. Not in any way that puts them in danger, but to help us begin to understand how we work their concerns into our education and awareness programs, into the infrastructure of our confidential reporting hotlines, and into the cultural aspects of security in a corporate security department, so that everyone is aware just how dangerous it is for people in certain jurisdictions to tell us about things that they're seeing that are concerning. I'd love to see that part of the conversation progress. And, you know, maybe that was a part of what made the TD Bank operation so successful for so many years for the adversarial actors, the coercion aspect involving Chinese, you know, and Colombian drug smugglers. They're very sophisticated actors. They probably have huge targeting packages on anybody involved in their operation, whether they're cooperating or not.

 

MH

Absolutely.

 

DH

And they can reach out and touch people.

 

MH

Yeah. When you mention the targeting packages, these are people who are going to put effort into it. They have technical and physical surveillance capabilities, and they're going to find out where the vulnerabilities exist for people. They're going to go after the slowest gazelle in the herd that can get the job done for them, somebody they can have leverage over. And so that becomes an HR function for the institution, right? Having the right people there, training them the right way for if they are approached by somebody, and then continually monitoring the health of your employees to see if you have the right people with the right tools in place to avoid situations like this.

 

DH

Yep. And for those that aren't prepared, giving them a way to safely raise their hand and say, I need help, I feel like I'm being targeted. Super common. They might not know who to trust or who to go to for help, even if there is a corporate security function. Do they have the ability to keep this report really confidential, in a way that a foreign compromise won't reveal my participation in helping my company defend itself against external actors?

It's a tough, tough thing to crack. And I think all that was in play with this TD Bank scandal, all of that sophistication, the use of old-school fundamentals was in play. Coercion was probably in play. The use of access agents, absolutely, in compartmented, different functional teams was in play. And these people may not have known they were in a functional team with any kind of support structure.

They just knew they had a button to push and they got gift cards on the other side. It's a well played operation. And I think for us to start countering this at scale, we've got to automate it. And to automate it, we need ML based models that are constantly trying out new ideas for detecting threat signatures and replicating them on the fly, then seeing if they exist anywhere else.

We can't do this manually. Just like in a cyber defense shop, you could never do threat intelligence manually.

 

MH

Completely agree.

 

DH

We've got tools at our disposal. And inside of our own institutions, we've got the Bank Secrecy Act, the USA PATRIOT Act, which, you know, imposes stringent KYC and AML requirements. The FFIEC BSA/AML Examination Manual has a whole bunch of guidance on AML program structures. You've got the FATF recommendations that set global standards for combating money laundering and terrorist financing. We want to, you know, obviously, have these things in our back pocket, but I think build them into those detective AML models and constantly work to keep them adaptive to whatever the threat actor is doing externally.

 

MH

That is it, the adaptive word specifically, because these people are extremely creative, they're extremely knowledgeable, and they move very quickly. They innovate very quickly. And we'll see what happens this coming year with the Corporate Transparency Act and how that affects things here domestically, or not. It was supposed to start January 1st, but based on the December 3rd lawsuit it's been pushed back indefinitely, from the lawsuit from Garland, Texas. But we'll see what happens this year.

 

DH

Yeah. Look for big changes in 2025 to combat all of this. But don't look for things to really reduce on the threat surface. Those adversaries that were involved in the TD Bank scandal? They're using big data analytics too, and particularly in China, if there is state backing, we know that their big data analytics engine is just massive, second to none. So they're able to generate very, very clear insights on whom to target, how to target them, what types of ops people are suited for. A lot of this is already automated. This is my assumption anyway, based on what I know about their systems. So we've got our work cut out for us. Matthew, this is a great conversation, dude.

 

MH

And what a pleasure.

 

DH

Had to heavily rely on your expertise on the money piece of it to clean... no, wash.

 

From Office Space: "Here it is: to conceal the source of money, as by channeling it through an intermediary to connect to that source. It doesn't really help us, Michael. I can't believe what a bunch of nerds we are. We're looking up money laundering in a dictionary."

 

DH

Hey, everyone, episode 15 is a wrap. Thank you so much for joining us. This is our first venture into video. This is all we're going to do from here on out. We're excited to bring you Matthew Hedger and all of these different topics, to the forefront on video. Look for us on YouTube. We'll be putting out small segments related to, the shorter insights we discuss that could be valuable for practitioners.

That's all coming out in 2025. We're building out a studio in 2025. That's exciting. We're looking forward to bringing you these topics. Thanks for following our journey. And we will see you after the New Year. Happy holidays, everyone. For those of you that celebrate Christmas, Happy Christmas if you're English or Australian, Merry Christmas if you're American. Happy Hanukkah, and to all of those around the world following our podcast, we wish you all the best and we will see you.

Thanks for listening to UnIntelligence. If you're enjoying this channel, like and subscribe. Everyone makes this program possible. All thoughts, opinions and mistakes are our own. Tell us if you hear one. If you need to know more about anything covered in this channel's library of content, don't hesitate to reach out. Stay safe out there, everyone.

“Sharks patrol these waters. Sharks patrol these waters. Don't let your fingers dangle in the water. And don't you worry about the dayglo orange life preserver. It won't save you. It won't save you. Swim for the shore just as fast as you're able. Swim like a motherfucker.” (Morphine)
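Editor's added example, not part of the episode or of any vendor's product: the two transaction-monitoring detections DH lists above (structuring, meaning repeated cash movements kept just under the $10,000 currency transaction report threshold, and transfers involving high-risk jurisdictions) written out as rules over a constructed transaction feed. The $10,000 CTR threshold is real; the seven-day window, the three-hit minimum, the $8,000 floor of the "just under" band, the placeholder country codes and the sample records are all assumptions made for the example.

```python
"""Toy AML transaction-monitoring rules (added example; thresholds below the CTR
figure, the window, the jurisdiction list and the sample feed are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

CTR_THRESHOLD = 10_000.00                # BSA cash reporting threshold (real)
NEAR_THRESHOLD_FLOOR = 8_000.00          # assumption: lower edge of the "just under" band
STRUCTURING_WINDOW = timedelta(days=7)   # assumption: rolling window per account
STRUCTURING_MIN_COUNT = 3                # assumption: hits needed inside one window
HIGH_RISK_COUNTRIES = {"XX", "YY"}       # placeholder codes, constructed for the example


class Txn(NamedTuple):
    ts: datetime
    account: str
    kind: str           # cash_deposit | cash_withdrawal | wire_in | wire_out
    amount: float
    country: str        # counterparty jurisdiction


def parse_txn(line: str) -> Txn:
    """Parse one CSV record: timestamp,account,kind,amount,country."""
    ts, account, kind, amount, country = line.strip().split(",")
    return Txn(datetime.fromisoformat(ts), account, kind, float(amount), country)


def is_near_threshold(t: Txn) -> bool:
    """Cash movement inside the band [NEAR_THRESHOLD_FLOOR, CTR_THRESHOLD)."""
    return (t.kind in ("cash_deposit", "cash_withdrawal")
            and NEAR_THRESHOLD_FLOOR <= t.amount < CTR_THRESHOLD)


def detect_structuring(txns: List[Txn]) -> Dict[str, List[Txn]]:
    """Per account, return the first rolling window of STRUCTURING_WINDOW holding at
    least STRUCTURING_MIN_COUNT near-threshold cash transactions whose total would
    itself have triggered a CTR had it moved as a single transaction.

    Records are sorted by timestamp first, so the window logic is correct no matter
    what order they arrive from the core banking feed."""
    by_account: Dict[str, List[Txn]] = defaultdict(list)
    for t in sorted(txns, key=lambda x: x.ts):
        if is_near_threshold(t):
            by_account[t.account].append(t)

    alerts: Dict[str, List[Txn]] = {}
    for account, hits in by_account.items():
        start = 0
        for end in range(len(hits)):
            # Slide the left edge forward until the window fits inside STRUCTURING_WINDOW.
            while hits[end].ts - hits[start].ts > STRUCTURING_WINDOW:
                start += 1
            window = hits[start:end + 1]
            if (len(window) >= STRUCTURING_MIN_COUNT
                    and sum(x.amount for x in window) >= CTR_THRESHOLD):
                alerts[account] = window
                break
    return alerts


def detect_high_risk_transfers(txns: List[Txn]) -> List[Txn]:
    """Wires whose counterparty sits in a listed high-risk jurisdiction."""
    return [t for t in txns
            if t.kind in ("wire_in", "wire_out") and t.country in HIGH_RISK_COUNTRIES]


# Constructed sample feed, deliberately out of order. A001 structures over five days;
# A003 has three near-threshold deposits too far apart to share one window; A004
# wires out to a listed jurisdiction; A002 and A005 are benign.
SAMPLE_LOG = """\
2024-11-05T10:00:00,A001,cash_deposit,9600,US
2024-11-01T10:00:00,A001,cash_deposit,9600,US
2024-11-03T10:00:00,A001,cash_deposit,9500,US
2024-11-02T10:00:00,A001,cash_deposit,9600,US
2024-11-01T11:00:00,A002,cash_deposit,9600,US
2024-11-01T12:00:00,A002,cash_deposit,2000,US
2024-11-01T09:00:00,A003,cash_deposit,9900,US
2024-11-20T09:00:00,A003,cash_deposit,9900,US
2024-12-10T09:00:00,A003,cash_deposit,9900,US
2024-11-04T15:00:00,A004,wire_out,25000,XX
2024-11-04T16:00:00,A005,wire_in,500,US
"""


def load_sample() -> List[Txn]:
    return [parse_txn(line) for line in SAMPLE_LOG.splitlines() if line.strip()]


if __name__ == "__main__":
    txns = load_sample()
    for account, window in detect_structuring(txns).items():
        total = sum(t.amount for t in window)
        print(f"STRUCTURING {account}: {len(window)} cash txns totalling ${total:,.2f} "
              f"between {window[0].ts:%Y-%m-%d} and {window[-1].ts:%Y-%m-%d}")
    for t in detect_high_risk_transfers(txns):
        print(f"HIGH-RISK {t.account}: {t.kind} ${t.amount:,.2f} -> {t.country}")
```

The per-account rule fires on A001 and stays quiet on A003, which is the point of the rolling window: three deposits a month apart are not structuring. The caveat a practitioner would add is the one the Narcos clip in the episode intro illustrates: the oldest evasion is to spread the deposits across many people, accounts and branches so that no single account ever accumulates a window's worth of hits. A production rule therefore keys on the customer or beneficial owner behind the accounts (the KYC identity) and on branch-level cash totals, not on the account number alone, and that is exactly the data the customer risk assessment and EDD work discussed above is meant to supply.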

 

Citations for select conversational elements:

- Coverage of the TD Bank scandal: 

  1. "TD Bank Pleads Guilty to Bank Secrecy Act and Money Laundering Conspiracy Violations." United States Department of Justice, 3 Oct. 2024, https://www.justice.gov/opa/pr/td-bank-pleads-guilty-bank-secrecy-act-and-money-laundering-conspiracy-violations.

  2. Argentieri, Nicole M. "Principal Assistant Attorney General Nicole M. Argentieri Delivers Remarks Announcing TD Bank's Guilty Plea." United States Department of Justice, 3 Oct. 2024, https://www.justice.gov/opa/speech/principal-assistant-attorney-general-nicole-m-argentieri-delivers-remarks-announcing-td.

  3. Garland, Merrick B. "Attorney General Merrick B. Garland Delivers Remarks Announcing TD Bank's Guilty Plea." United States Department of Justice, 3 Oct. 2024, https://www.justice.gov/opa/speech/attorney-general-merrick-b-garland-delivers-remarks-announcing-td-banks-guilty-plea-bank.

  4. "TD Bank Pleads Guilty to Bank Secrecy Act and Money Laundering Conspiracy Violations." United States Attorney's Office District of New Jersey, 3 Oct. 2024, https://www.justice.gov/usao-nj/pr/td-bank-pleads-guilty-bank-secrecy-act-and-money-laundering-conspiracy-violations.

- The China connection in drug and money laundering: 

  1. Westhoff, Ben. Fentanyl, Inc.: How Rogue Chemists Are Creating the Deadliest Wave of the Opioid Epidemic. Atlantic Monthly Press, 2019.

  2. Felbab-Brown, Vanda. "Why America Is Struggling to Stop the Fentanyl Epidemic." Foreign Affairs, 1 June 2023, https://www.foreignaffairs.com/mexico/why-america-struggling-stop-fentanyl-epidemic.

  3. Barrios, Ricardo, et al. "China Primer: Illicit Fentanyl and China’s Role." Congressional Research Service, 20 Feb. 2024, https://crsreports.congress.gov/product/pdf/IF/IF10890.

  4. Cassara, John A. China - Specified Unlawful Activities: CCP Inc., Transnational Crime and Money Laundering. Independently published, 2023.

- Interpol efforts to counter ransomware:

  1. "INTERPOL Cyber Operation Takes Down 22,000 Malicious IP Addresses." Interpol, 5 Nov. 2024, https://www.interpol.int/News-and-Events/News/2024/INTERPOL-cyber-operation-takes-down-22-000-malicious-IP-addresses.

  2. "INTERPOL-Led Operation Targets Growing Cyber Threats." Interpol, 1 Feb. 2024, https://www.interpol.int/en/News-and-Events/News/2024/INTERPOL-led-operation-targets-growing-cyber-threats.

  3. "Cybercrime Operations." Interpol, https://www.interpol.int/en/Crimes/Cybercrime/Cybercrime-operations. Accessed 2 Jan. 2025.

Featured musicians include:

  • Intro songs (x 3): Stephen Nathaniel, available on request.

  • Outro song: The Frickashinas. I Like Your Band Better, 1768335 Records DK, 20 Nov. 2022. (Available on Spotify and YouTube)

Feature video clips include:

  • "Follow the Money." Narcos, directed by Gabriel Ripstein, season 3, episode 3, Netflix, 1 Sept. 2017.

  • Lethal Weapon 2. Directed by Richard Donner, performances by Mel Gibson, Danny Glover, and Joe Pesci, Warner Bros., 1989.

  • Judge, Mike. Office Space. Twentieth Century Fox, 1999.

 
