Risk In:Review #43 - 21 January 2024
Anthony Hope
Risk & Compliance Executive | Fintech Founder & Innovator | Strategic Leader | Expert Speaker
Welcome to Risk In:Review, your weekly newsletter curating the best of the week’s news stories from the crossroads between risk management and technology in Asia Pacific.
Keep updated with the latest news and insights by clicking on subscribe.
Perspectives
After a hiatus over the festive season, Risk In:Review is back!
The first Perspectives of 2024 focuses on two stories emerging from China – the use of quantum technology to help protect e-commerce transactions, and the role sanctions could play in how the Artificial Intelligence (AI) industry develops.
On the first story, the threat of quantum computing to encryption methods based on factoring large numbers and solving discrete logarithm problems, such as RSA, is well documented. And while industry consensus places commercial release of quantum computers somewhere between 2030 and 2040, nation state and military use of such machines could come earlier.
Over 2023, Google, Microsoft, and Amazon all made advances in the quantum landscape, ranging from increasing the number of qubits and system scalability (Google) to new chip designs with active error correction (Amazon). It is probable we will see further advances and perhaps acceleration of the quantum project over 2024.
It is helpful then to see researchers and cryptologists making use of another aspect of quantum technology, quantum entanglement, to help safeguard against identity theft and payment fraud.
Their aim is to sign transactions using a Quantum Digital Signature that leverages quantum entanglement. In principle this would make the message or transaction unhackable because any attempt to observe or alter the quantum state would immediately change the state itself, alerting the parties involved.
While this is only one of a number of different approaches being taken to achieve security in the coming quantum age, it is promising to see early breakthroughs which could help neutralise the threat quantum computing poses to modern-day security.
The second story relates to a report suggesting that Baidu's Ernie chatbot might have been used by the People's Liberation Army (PLA) in China for military technology research. This in turn has raised concerns that the US may impose sanctions on Baidu.
Baidu has categorically denied any involvement in such research, stating that any use of its technology would have been through the publicly available version of its chatbot. However, the US has previously issued sanctions against Chinese technology corporations, specifically Huawei, over national security concerns, and could do so again.
The worry here is that any company with an open-source or public-facing generative AI service could find its technology being utilised for military purposes. While the risk of criminals abusing such technologies is widely discussed, there has been less conversation about such technologies being used by militaries, and how this might interplay with sanctions.
As of now, there are no sanctions imposed by the US on Baidu in relation to its Ernie AI platform, but this will be one to watch over 2024.
This Week In:Review
Australia
China
Hong Kong
India
South Korea
Singapore
Best of the Rest
Australia In:Review
Justin Untersteiner, Chief Operating Officer of the Australian Financial Complaints Authority (AFCA), ironically became a scam victim himself, discovering his account was overdrawn by AUD 4,000. This personal experience underscores a growing trend in Australia, where scam complaints have surged, with AFCA receiving over 100,000 complaints last year, 9,000 of which were scam-related. The banking sector has faced criticism for its slow response in safeguarding customers against increasingly sophisticated scams.
Victims like Gerald Chin and Sunni Wan, who lost nearly AUD 1 million collectively, exemplify the seriousness of these scams. They, among others, have formed groups to pressure banks for reimbursement. According to the Australian Securities and Investments Commission, the rate of reimbursement for scam victims is low, between 2% and 5%, highlighting the burden placed on individuals rather than on banks.
In response, Australian banks have announced a "scam-safe accord," investing AUD 100 million in a new security system. Despite this proactive step, critics argue that such measures are overdue. The Australian Banking Association asserts that banks are committed to resolving complaints and reimbursing customers under certain circumstances. With the sector processing 15.4 billion transactions annually, a major initiative is underway to improve security and fund recovery, set to commence in mid-2024.
China In:Review
Chinese researchers have made an advancement in e-commerce security by developing a quantum algorithm for non-repudiation in online transactions, as reported by Xinhua News Agency. This breakthrough, detailed in 'Science Advances', involves a new quantum digital signature (QDS) protocol, marking a significant step forward in securing e-commerce against the vulnerabilities posed by quantum computing.
Classical encryption algorithms face increased hacking risks due to the emergence of quantum computing. To counter this, cryptologists have been exploring quantum entanglement, which allows the distribution of unhackable quantum states to prevent identity theft and payment fraud.
The innovation by researchers from Nanjing University and Renmin University of China addresses a key challenge: ensuring non-repudiation in transactions, where message senders cannot deny their offers. Their QDS-based protocol leverages quantum laws to generate correlated bit strings among multiple parties, maintaining the integrity and authenticity of transactions.
Combining quantum secret sharing with one-time universal hashing, this QDS approach ensures transaction non-repudiation, crucial for trustworthy online trading. Demonstrating its practicality, the team showcased a five-user quantum network using this protocol, which facilitates swift and accurate contract signings and payments without needing a pre-identified trusted third party.
In China, cryptocurrency trading continues despite the nationwide ban, with traders adopting unconventional methods to circumvent restrictions, as reported by the Wall Street Journal (WSJ). Crypto users are meeting in everyday public locations like cafes, snack kiosks, and laundromats to trade, exchanging wallet addresses, arranging bank transfers, or using cash.
Social media apps like WeChat and Telegram have become pivotal in these transactions, hosting dedicated groups that facilitate direct buyer-seller interactions without the need for an exchange. This physical trading is especially prevalent in inland China, where local governments, often preoccupied with other issues due to general poverty, are less interested in enforcing the crypto ban imposed by the central bank.
In 2021, the People's Bank of China (PBOC) declared all crypto-related activities illegal, leading to crypto exchanges barring mainland Chinese citizens from opening accounts. Despite these measures, China witnessed considerable over-the-counter (OTC) trading, with a volume of USD 86.4 billion in 2023, as per Chainalysis.
A Shanghai court has established a significant legal precedent in China by issuing a verdict in a case of money laundering using the Chinese digital yuan and cryptocurrency. The Yangpu District People’s Court of Shanghai adjudicated this landmark case, involving a group led by Xiao, known as a “point racing team”, which laundered money through digital yuan and crypto.
Xiao's team engaged in laundering by purchasing Tether (USDT) from private traders and then transferring it to clients in exchange for digital yuan. They used the anonymity of Type 4 e-CNY wallets, which require only mobile number verification, to facilitate their operations. Despite these wallets having low deposit and transfer limits, the group managed to withdraw over CNY 10 million using more than 30 smartphones and numerous phone numbers.
The operation was uncovered when one team member, Wang, made 30 withdrawals totalling CNY 123,000 in two hours, triggering a bank alert that led to investigations and arrests. The court sentenced eight individuals, including Xiao, to fixed-term imprisonments ranging from seven months to four years and six months, along with fines. Additionally, Gong and Huang, who sold USDT to the racers, were found guilty of assisting with information network criminal activities and sentenced to one year and four months of imprisonment with fines.
The Chinese artificial intelligence (AI) firm Baidu is facing the potential of US sanctions following allegations of the People’s Liberation Army’s (PLA) use of its technology for military purposes. The South China Morning Post reported that researchers in China utilised Baidu’s Ernie chatbot in collaboration with the PLA on military technology projects.
Baidu has strongly denied any involvement in, or authorisation of its technology for, such research, stating that Ernie, alongside other models like OpenAI's GPT-3.5 and GPT-4, was merely part of the publicly available tools used in the cited research. The company emphasised that it had no business collaboration with, and provided no tailored services to, the researchers or their institutions.
Despite no official confirmation of sanctions, defense analyst Wilson Jones from GlobalData anticipates that the US may impose sanctions on Baidu, similar to actions taken against Huawei in 2019 over espionage allegations. This speculation has already impacted Baidu's stock, which dropped by 12 percent following the report.
The potential US sanctions on Baidu raise significant concerns, particularly if the PLA used publicly available AI systems for its research without Baidu's consent. Sanctions based solely on this evidence could be seen as hindering the development of public-facing large language models globally, especially if the company could not have reasonably intervened or prevented such use of its technology.
Hong Kong In:Review
Hong Kong's government plans to install an additional 2,000 CCTV cameras in public spaces this year, primarily in densely populated or high-crime areas, as part of its crime-fighting strategy. Deputy Chief Secretary Cheuk Wing-hing stated that while privacy concerns exist, the number of CCTV cameras in Hong Kong is "relatively low" compared to other cities. The exact number of existing surveillance cameras, used by various departments including police and the Food and Environmental Hygiene Department, is not publicly disclosed.
The Security Bureau spokesperson mentioned that the new cameras would only cover public spaces and assured that privacy protections would be discussed with the Office of the Privacy Commissioner for Personal Data. They emphasised the effectiveness of CCTV in preventing violent and serious street crimes and their value as evidence in court. However, the resolution of the new cameras is yet to be specified.
Comparitech, a cybersecurity and privacy research company, reported that as of May 2023, Hong Kong had 7.09 cameras per 1,000 people, significantly lower than in mainland China but higher than in Tokyo. The city has also implemented 400 "smart lampposts" with integrated sensors, data connectivity, and cameras, raising public surveillance concerns, especially after some were destroyed during the 2019 protests.
Venture Smart Financial Holdings Limited, based in Hong Kong, is preparing to launch its spot Bitcoin exchange-traded fund (ETF) in the city's financial market in Q1. Brian Chan, the group's head of investment and product, revealed in an interview with Bloomberg the company's ambitious target to amass up to USD 500 million in assets under management by the end of 2024.
To date, Hong Kong regulators have approved only three futures Bitcoin ETFs: Samsung Bitcoin Futures, CSOP Bitcoin Futures, and CSOP Ether Futures. However, in December 2023, the Securities and Futures Commission (SFC) and the Hong Kong Monetary Authority (HKMA) jointly expressed their willingness to consider applications for funds with exposure to cryptocurrencies, including spot ETFs.
The SFC has updated guidelines to facilitate both in-kind and in-cash subscription and redemption processes for spot ETFs. These guidelines require management companies to transfer cryptocurrencies to the custody accounts of SFC-authorized providers, with valuation based on an indexing approach using trading data from major crypto platforms.
India In:Review
Artificial Intelligence (AI) has become a significant force in shaping various aspects of our lives, including cybersecurity. AI's integration into cybersecurity has enhanced the ability to detect and counter cyber threats through machine learning algorithms that analyse large datasets, identifying patterns and anomalies. However, this integration also introduces vulnerabilities in India’s digital defense infrastructure.
AI algorithms are susceptible to adversarial attacks where input data is manipulated to misguide the system's decision-making process. This vulnerability is particularly concerning in India’s rapidly expanding digital landscape. Large Language Models (LLMs) are potent tools in identifying cyber anomalies but are prone to prompt injection attacks. These attacks can lead LLMs to generate harmful outputs like malware or phishing emails.
The growing reliance on AI in cybersecurity also raises ethical questions due to the "black box" problem, where AI's decision-making process lacks transparency. This issue is crucial in India, where digital literacy varies widely and accountability is key. Furthermore, India's digital initiatives, such as Aadhaar and digital payment platforms, elevate the nation’s cyber risk profile.
AI vulnerabilities also encompass the human factor, with a risk of over-reliance on technology potentially diminishing human intuition and expertise. Cybersecurity requires a holistic approach that balances technological solutions with human judgment and ethical considerations.
A balanced approach is needed to harness AI's benefits while mitigating its risks. India’s secure digital future depends on a comprehensive, adaptive cybersecurity strategy that leverages AI's strengths and remains cognisant of its inherent vulnerabilities, ensuring innovation, collaboration, and a nuanced understanding of the interplay between technology and security.
Korea In:Review
The Manta Network, a zero-knowledge L2 blockchain, is facing allegations of money laundering in South Korea, coinciding with its token listing on major exchanges like Binance, Bithumb, and KuCoin. These allegations primarily involve the Bithumb exchange and emerged following a Distributed Denial-of-Service (DDoS) attack on the network.
The suspicions arose when approximately 2 million MANTA tokens were transferred to the personal wallet of MANTA’s Korean Business Development (BD) representative on the day of its listing on Binance. Subsequently, these tokens were deposited into a Bithumb wallet, constituting over 75% of the exchange's total circulation volume. Remarkably, the MANTA price on Bithumb surged to USD 230, over 100 times its opening price of USD 2.26.
The Korean BD is alleged to have sold all 2 million MANTA tokens at a premium of 50 to 100 times the listing price, converting the sale proceeds of USD 5.16 million into 2094.7 Ethereum (ETH), which were then transferred to their personal wallet. This action has drawn scrutiny, especially given South Korea's stringent regulations on money laundering and financial transactions.
Manta Network has refuted these claims, explaining the allocation of community funds to the Korean BD as part of its token economic model. The network also announced plans to establish branches in South Korea and Hong Kong to expand its Asian presence.
Furthermore, Manta Network experienced a DDoS attack, with over 135 million RPC requests on 18 January, as confirmed by Kenny Li of p0x labs. Despite the attack's severity, the blockchain operated securely without compromising fund safety. However, it impacted communication between applications and the blockchain.
Following the initial spike in price, Manta's crypto experienced a pullback, with a recorded price of USD 2.13 and a market cap of USD 534.93 million. The trading volume saw a significant increase, with over USD 1.2 billion worth of Manta traded on the first day.
The South Korean government is considering introducing strict regulations against crypto-mixing services, which are increasingly being used by criminal organisations for money laundering.
South Korea's Financial Intelligence Unit (FIU), part of the Financial Services Commission, is leading the initiative to regulate virtual asset mixers. This move is a response to the high risks of money laundering associated with these digital tools. An FIU official highlighted the urgency of addressing this financial system vulnerability.
This approach follows actions taken by the US, where the Treasury Department's Financial Crimes Enforcement Network (FinCEN) has imposed strict record-keeping and reporting requirements on transactions involving cryptocurrency mixers.
Additionally, the US Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash, a cryptocurrency mixing service, for its involvement in laundering over USD 7 billion since 2019. This sanction, along with FinCEN's actions, has led to questions about the impact on decentralised technologies and the broader implications for the crypto landscape.
South Korea's Presidential Office is actively reconsidering its stance on the trading of Bitcoin exchange-traded funds (ETFs), following initial warnings from the Financial Services Commission (FSC) against trading US-based spot Bitcoin ETFs. Sung Tae-yoon, the head of the presidential policy office, indicated a readiness to adapt the country's legal system to align with international financial developments, especially in the realm of cryptocurrencies.
This shift in perspective comes after the FSC's warning on 12 January, which led to major South Korean securities firms halting the trading of these ETFs. The Presidential Office's intervention suggests a potential policy change, recognising the need for continuous review of cryptocurrency regulations in response to global market developments.
The reevaluation in South Korea contrasts with the cautious approach of other Asian countries like Singapore and Thailand towards Bitcoin ETFs, while Hong Kong is becoming a potential hub for such financial instruments. This highlights the diverse and evolving nature of cryptocurrency regulation across Asia, with each country balancing its unique regulatory environment and market conditions.
Singapore In:Review
The Singapore Police Force (SPF) and DBS Bank have issued a joint warning about a surge in phishing scams in Singapore. In just the first two weeks of 2024, these scams have affected 219 victims, leading to losses of nearly SGD 446k. Scammers impersonate banks or bank staff via SMS, misleading victims into clicking on links and revealing their banking credentials. The SMSs often claim to represent DBS/POSB bank and falsely alert victims to unauthorised access to their accounts.
Since early 2022, banks in Singapore have removed clickable links in emails and SMSs to retail customers as a safeguard against phishing scams. Additional measures include lowering the default threshold for transaction notifications and increasing scam education alerts. The public is advised to be vigilant, as scammers constantly evolve their technology and methods.
The SPF and DBS Bank have provided crime prevention measures, urging the public to use the ‘ScamShield’ app, set up security features like transaction limits and Two-Factor Authentication, and be cautious of unsolicited SMS links. They also encourage the public to spread awareness that banks do not send clickable links via SMS.
For suspected scam victims, DBS offers a dedicated fraud hotline and the option to temporarily block access to funds. The police also provide a hotline and an online reporting portal for scam-related information.
The Monetary Authority of Singapore (MAS) has stated that spot Bitcoin exchange-traded funds (ETFs) are not approved for offer to retail investors in Singapore. This announcement follows the US Securities and Exchange Commission's (SEC) approval of the first US-listed ETFs tracking Bitcoin. Despite the SEC's move, which saw USD 4.6 billion worth of shares traded on the first day, MAS maintains that such products are unsuitable for retail investors in Singapore due to their highly volatile and speculative nature.
In Singapore, ETFs are regulated under the Securities and Futures Act and face restrictions on the types of assets they can invest in. MAS has not approved Bitcoin and other digital payment tokens (DPTs) as eligible assets for retail collective investment schemes (CIS). MAS defines CIS as arrangements where participants pool contributions and profits or income, sharing in or receiving profits or income generated, without having day-to-day control over the management of the property.
MAS warns Singaporeans considering trading Bitcoin ETFs in overseas markets to exercise extreme caution and be aware of the additional risks of trading in such markets. Licensed capital market intermediaries in Singapore offering access to overseas markets must ensure adequate risk disclosures and proper customer suitability assessments.
Best of the Rest
Researchers have uncovered the workings of a large-scale scam campaign, known as Inferno Drainer, which spoofed over a hundred cryptocurrency brands and stole at least USD 80 million from victims' digital wallets over the past year. This operation, detailed by the Singapore-based cyber firm Group-IB, functioned as a "crypto drainer" and operated under a scam-as-a-service model. Despite shutting down in November 2023, the infrastructure and affiliates involved in the scam remain active and continue to pose a significant threat to cryptocurrency owners.
Inferno Drainer's method involved sophisticated phishing websites where victims were tricked into connecting their cryptocurrency wallets to the attackers’ infrastructure. These sites were disguised as official crypto token projects and promoted on platforms like X (formerly Twitter) and Discord. The scammers spoofed popular Web3 protocols such as Seaport, WalletConnect, and Coinbase, enticing users with promises of financial gains like free tokens or NFT minting rewards.
The drainer malware only targeted assets over USD 100 in value, requiring victim consent for each fraudulent transaction. Group-IB discovered over 16,000 unique domains linked to Inferno Drainer’s operations, with at least 100 crypto brands impersonated. The scam was also promoted through an English-language Telegram channel, which had over 10,000 subscribers.
The identity of the software’s developers is unknown, but their impact on the crypto industry has been significant, paving the way for new forms of criminal exploitation in the sector. The ongoing threat posed by such operations highlights the growing risks in the cryptocurrency landscape.
The Federal Police of Brazil recently arrested an individual at Guarulhos Airport, São Paulo, for their involvement in a significant money laundering operation that moved around USD 2.6 billion through crypto assets. The person, attempting to fly to Dubai where they resided to avoid police action, was involved in converting money from drug trafficking and other crimes into cryptocurrencies in Brazil. These funds were then channeled through various shell companies, one of which handled USD 285 million in just ten months, to obscure their origin. This activity, including continued criminal actions abroad, was not declared to tax authorities.
This arrest is part of 'Operation Colossus,' a broader investigation initiated in 2022 to uncover tax evasion, money laundering, and criminal associations related to cryptocurrency trading between 2017 and 2021. The operation covers multiple Brazilian cities and states, including Sao Paulo, Rio de Janeiro, and Minas Gerais.
Despite the mainstream financial industry's growing adoption of cryptocurrencies, such as the recent approval of Bitcoin ETFs in the US, digital currencies remain popular among criminals due to their decentralised nature. Globally, law enforcement agencies have been cracking down on large-scale illegal operations using crypto.
North Korean hackers, including the infamous Lazarus Group, are reportedly collaborating with fraudsters and drug traffickers in Southeast Asia, using casinos and crypto exchanges for money laundering and underground banking, as per a United Nations report. The United Nations Office on Drugs and Crime (UNODC) observed such activities in the Mekong region, comprising Myanmar, Thailand, Laos, and Cambodia, based on case analysis and blockchain data.
North Korea's mission to the United Nations in Geneva dismissed these reports as speculation and misinformation. However, the Lazarus Group, identified by the United States as controlled by North Korea's primary intelligence bureau, has a history of high-profile cyberheists and ransomware attacks, with stolen funds contributing significantly to Pyongyang's funding, including its weapons programs.
The UNODC report highlights Southeast Asia's casinos and junkets, which cater to high-wealth gamblers, and unregulated cryptocurrency exchanges as foundational elements of the criminal banking network in the region. These casinos are efficient in moving and laundering large volumes of crypto and traditional cash, integrating billions of criminal proceeds into the formal financial system undetected.
The junket sector is heavily infiltrated by organised crime for large-scale money laundering and underground banking, linked to drug trafficking and cyberfraud. The report references the 2016 cyber-attack on Bangladesh's Central Bank, where around USD 81 million was laundered through licensed casinos and junket operators in the Philippines, attributed to the Lazarus Group. The growth of casinos and cryptocurrencies has significantly empowered organised crime groups in the region, posing a sophisticated threat and exploiting the same underground systems and services.
I hope you find Risk In:Review informative and helpful.
Excited to delve into Risk In:Review! The intersection of risk management and technology in the Asia Pacific is a critical lens to navigate issues like money laundering, cyber threats, and the evolving landscape of fintech. Looking forward to the insights!