Risk In:Review #68 - 18 August 2024
Anthony Hope
Risk & Compliance Executive | Fintech Founder & Innovator | Strategic Leader | Expert Speaker
Welcome to Risk In:Review, your weekly newsletter curating the best of the week’s news stories from the crossroads between risk management and technology in Asia Pacific.
Perspectives
Risk In:Review is back after a deserved two week hiatus. The focus this week is on two fraud-related headlines.
First, Meta is once again embroiled in significant legal challenges related to its handling of scam advertisements. The Australian Competition and Consumer Commission (ACCC) has taken legal action against Meta, accusing the company of allowing deceptive cryptocurrency ads to flourish on Facebook.
These ads often feature unauthorised images of public figures like David Koch and Celeste Barber, misleading users into fraudulent schemes. A preliminary analysis suggested that 58% of the ads reviewed by the ACCC violated Meta's advertising policies, or were potential scams.
The ACCC alleges that Meta has been aware of these practices since 2018 but has failed to implement adequate safeguards to prevent such ads, despite their clear violation of Meta's policies.
The ACCC action is only the most recent challenge for Meta, which is facing scrutiny not only in Australia but also globally. In the United States, a federal court has allowed a lawsuit by Australian billionaire Andrew Forrest to proceed, which centres on similar allegations of Meta's complicity in allowing scam ads to use his likeness.
Forrest argues that Meta negligently profited from these ads, despite the potential harm they posed to users. This case is particularly noteworthy as it challenges the applicability of Section 230 of the US Communications Decency Act, which traditionally shields platforms from liability for user-generated content.
Meta’s legal woes highlight the complexity of balancing content moderation with platform responsibility. Should either of these cases succeed, it could change the balance of liability between victims, content platforms, telecoms providers, and financial institutions.
The second headline relates to the ongoing threat of business email compromise (BEC) fraud. BEC fraud has broadly avoided the headlines over the past couple of years, primarily due to increased media focus on scams.
However, INTERPOL's recent recovery of USD 41 million from a BEC fraud in Singapore underscores the growing sophistication of these crimes. The fraud, which targeted a commodity firm, involved cybercriminals posing as legitimate suppliers to mislead the company into transferring funds to a fraudulent account.
This incident is part of a broader trend, as BEC fraud is on the rise globally, fuelled by increasingly elaborate social engineering tactics backed by artificial intelligence (AI). Despite advancements in detection and prevention, such as INTERPOL's I-GRIP mechanism, the scale of BEC-related losses remains significant.
I anticipate that BEC-related losses will continue to rise as generative AI makes it easier for fraudsters to socially engineer access to company systems, and for less technologically competent fraudsters to take advantage of new tools to attack corporate systems through AI-generated code.
This Week In:Review
Australia
China
Hong Kong
India
Korea
Singapore
Best of the Rest
Australia In:Review
The Australian Competition and Consumer Commission (ACCC) has taken legal action against Meta, alleging that the company profited from scam advertisements using the unauthorised images of public figures, including David Koch and Celeste Barber. These ads, primarily related to cryptocurrency, were found to be misleading or deceptive.
The ACCC claimed that since January 2018, Meta has been aware of the significant number of cryptocurrency-related ads on Facebook that employed such deceptive practices. A preliminary analysis revealed that 58% of the ads reviewed by the ACCC violated Meta's advertising policies or were potential scams.
The court case focuses on 234 advertisements, narrowed down from an initial 600. The ACCC argues that Meta has not implemented sufficient safeguards to prevent these misleading ads and continues to generate revenue from similar content, even after removing specific ads or banning accounts.
Despite Meta's assertions that scams are a complex issue, the ACCC maintains that the company could have developed technology to warn users about potentially deceptive ads but has failed to do so.
Meta responded by stating that it actively works to prevent scams and protect users, citing actions taken against accounts violating its policies. A hearing date for the case has yet to be set.
The Australian Federal Police (AFP) has uncovered more than 2,000 Australian-owned cryptocurrency wallets that were compromised by offshore scammers, potentially resulting in millions of dollars in stolen digital assets.
This discovery was part of Operation Spincaster, a multinational effort coordinated by the AFP-led Joint Policing Cybercrime Co-ordination Centre (JPC3). The operation, which involved significant global collaboration, generated over 7,000 law enforcement leads across several countries, including the United States, United Kingdom, Canada, and Australia.
The losses connected to the operation amounted to AUD 248 million, primarily involving fake investment apps and romance scams that tricked victims into granting scammers access to their cryptocurrency wallets.
Assistant Treasurer Stephen Jones has underscored the Albanese government’s commitment to tackling the rise in scam-related losses, which reached AUD 2.74 billion in 2023. Jones highlighted plans to hold banks and social media platforms accountable for compensating victims when they fail to implement adequate preventive measures.
While prosecuting the perpetrators of these offshore scams is challenging, the AFP aims to disrupt and prevent these crimes before significant losses occur. The operation, led by New York-based Chainalysis, involved extensive training and intelligence sharing, proving to be a critical step in combating the global scam epidemic.
Jatinder Singh, a cryptocurrency enthusiast, has been sentenced to three years in jail by the Victorian County Court after mistakenly receiving a refund of AUD 10.47 million and spending it on luxury goods.
The incident began in May 2021 when Singh, 39, attempted to deposit AUD 100 into his Crypto.com account through his partner Thevamanogari Manivel's Commonwealth Bank account. However, due to a significant accounting error, the refund was mistakenly processed as AUD 10.47 million.
Singh discovered the overpayment the next day and directed Manivel to transfer the funds to a joint account to avoid detection. Over the next several months, Singh spent AUD 6.07 million on property, luxury items, and a AUD 1 million gift to a friend.
Manivel also transferred AUD 4 million to her bank account in Malaysia. The error was only discovered in December 2021, leading to their arrest in March 2022.
Singh claimed he believed the money was won in an online competition but later accepted that he knew it was not his. Despite pleading guilty, the court noted Singh's lack of insight into his wrongdoing and attributed some blame to Crypto.com and Commonwealth Bank.
Singh will be eligible for parole in August 2025. Manivel received a lighter sentence, including time served and a community corrections order. Crypto.com has initiated legal action to recover the funds, but the exact amount recovered remains undisclosed.
China In:Review
A series of targeted cyberattacks against Russian government organisations and IT companies, starting in late July 2024, has been linked to Chinese hacking groups APT31 and APT27. Kaspersky, who uncovered this campaign, named it "EastWind."
The attacks utilise an updated version of the CloudSorcerer backdoor, previously seen in a May 2024 cyberespionage operation targeting Russian government entities. The campaign begins with phishing emails carrying RAR attachments, which drop a backdoor onto the system using DLL side loading, while a decoy document is opened to distract the user.
Once installed, the backdoor allows the attackers to navigate the filesystem, execute commands, exfiltrate data, or introduce additional malware. Among the tools used in this campaign is a trojan called 'GrewApacha,' associated with APT31, and a refreshed version of CloudSorcerer, packed with VMProtect for evasion.
Another tool introduced through the CloudSorcerer backdoor is 'PlugY,' a versatile backdoor with capabilities for file operations, screen capturing, key-logging, and clipboard monitoring.
Kaspersky's analysis suggests that APT27 and APT31 are likely collaborating in these sophisticated cyberespionage operations, highlighting the complexity of relations between nations that, while diplomatically aligned, continue to engage in covert intelligence gathering against each other.
Chinese authorities reactivated a significant amount of Ethereum (ETH), previously seized during the crackdown on the Plus Token Ponzi scheme. The reactivation involves approximately USD 2 billion worth of ETH, which had been dormant since its seizure in 2021.
Over 789,000 ETH, tied to the fraudulent scheme, were transferred from wallets that had remained inactive since early 2021. This sudden movement of such a large quantity of Ethereum has sparked concerns about its potential impact on the market, particularly regarding fears of large-scale sell-offs that could destabilise Ethereum’s price.
The Plus Token scheme, which deceived numerous investors, was one of the largest crypto scams, and the recent reactivation of these funds has reignited discussions about the long-term effects on the cryptocurrency market.
Additionally, a separate wallet from Ethereum’s 2014 Initial Coin Offering (ICO), which had been inactive for years, was also activated. The wallet, originally holding 500 ETH purchased at USD 0.31 each, is now valued at around USD 1.25 million.
A recent small transfer from this wallet suggests potential test transactions, which could further influence Ethereum’s market dynamics.
Hong Kong In:Review
Hong Kong customs has dismantled a sophisticated money-laundering operation that processed HKD 1.5 billion in alleged criminal proceeds through cryptocurrency transactions and over 200 bank accounts.
The crackdown led to the arrest of four suspects, including a family of three. The syndicate, reportedly led by a 39-year-old man and his 66-year-old father, utilised 39 bank accounts across six shell companies to collect suspicious funds, primarily from South Korea.
The investigation, led by the customs' financial investigation bureau, uncovered that the illicit funds were laundered using both traditional bank transfers and cryptocurrency transactions.
Between August 2020 and August 2022, over 2,000 transactions were made, with the largest single transaction amounting to HKD 23 million. The funds were rapidly moved through the shell companies' bank accounts, then divided into smaller amounts and transferred to 180 additional bank accounts to obscure their origins.
One of the suspects, a 31-year-old taxi driver, was allegedly paid HKD 70,000 per month to launder HKD 300 million through cryptocurrency transactions using an overseas trading platform. The syndicate's operation was described as well-established and meticulously planned, involving premeditated methods to avoid detection.
Customs officers, acting on a tip-off received earlier this year, conducted an operation code-named “Fencing,” leading to raids on three flats and an office in Kwun Tong. The arrests were made in Tseung Kwan O, Shek Kip Mei, and Sau Mau Ping. Authorities also froze bank accounts linked to the shell companies, holding HKD 2.2 million in connection with the case.
The suspects, who face charges of money laundering, which carry penalties of up to 14 years in prison and a HKD 5 million fine, have been released on bail pending further investigation. Hong Kong customs has indicated that further arrests are possible as the investigation continues to trace the destination of the laundered funds and other individuals involved.
Hong Kong is set to strengthen its position as a global fintech hub by introducing stricter cryptocurrency regulations over the next 18 months. Announced at the Foresight Summit 2024 by Legislative Council member David Chiu, the new regulations will focus on stablecoins and aim to establish robust oversight through legislation.
Chiu emphasised that while the digital asset industry has made significant progress, it is still in its early stages, necessitating the development of a sound exchange system and comprehensive stablecoin regulations.
Hong Kong plans to introduce stablecoins by the end of the year, following the selection of sandbox participants in July, including major players like Standard Chartered Bank (Hong Kong) and Animoca Brands Limited. The sandbox, part of the Hong Kong Monetary Authority’s (HKMA) efforts, allows participants to test stablecoin projects under strict conditions, including a ban on public fundraising.
The regulatory focus includes ensuring that the new laws are effective and enforceable within the next 18 months. Additionally, there is speculation that Hong Kong might add Bitcoin to its federal reserves.
The Hong Kong Monetary Authority (HKMA), in collaboration with state-run technology company Cyberport, launched a generative artificial intelligence (GenA.I.) sandbox on 13 August 2024.
The GenA.I. sandbox, introduced during the FiNETech2 event, is designed to facilitate AI innovation in finance by providing a controlled environment where financial institutions and technology companies can jointly experiment with generative AI applications. These applications span various areas, including risk management, anti-fraud measures, customer services, and process re-engineering.
Carmen Chu, HKMA’s executive director, highlighted that the sandbox addresses both technical and regulatory challenges, offering supervisory feedback and the necessary computing capabilities for effective AI adoption. HKMA Chief Executive Eddie Yue encouraged banks to utilise the sandbox fully, integrating generative AI tools into their business processes.
The initiative is part of HKMA's broader Fintech 2025 strategy, which aims to promote fintech adoption. Concurrently, the Securities and Futures Commission of Hong Kong (SFC) continues its crackdown on unlicensed cryptocurrency exchanges, issuing warnings against platforms involved in illegal operations and extortion tactics.
The HKMA plans to use insights from the sandbox to identify best practices and the latest developments in fintech, reinforcing its commitment to advancing AI in the financial sector.
India In:Review
A doctor in Maharashtra, India, was duped into transferring money in a drugs-in-parcel scam involving cryptocurrency. Between 02 and 06 August 2024, the scammers posed as officials, falsely accusing the victim of sending a parcel containing illegal drugs, passports, and SIM cards to Thailand.
Under pressure and fearing legal trouble, the doctor was coerced into purchasing INR 30.86 million worth of cryptocurrency through a mobile application, transferring the funds to multiple bank accounts to make it difficult for authorities to trace.
This scam is part of a growing trend in India, where perpetrators use fear tactics to convince victims to make large cryptocurrency payments as a way of avoiding purported legal consequences. Once the money is transferred, the scammers disappear, leaving victims without recourse.
A similar investigation in Pune, launched in December 2023, revealed over 12 victims had lost USD 480,000 in such scams, with the funds laundered through various bank accounts and ultimately transferred to China, Dubai, and Taiwan.
Indian regulators have tightened controls on cryptocurrency exchanges, mandating registration with the Financial Intelligence Unit (FIU). Despite these efforts, crypto-related fraud continues to rise, with law enforcement agencies also implicated in some cases.
The Indian government has confirmed that it has no immediate plans to regulate the sale and purchase of cryptocurrencies, despite increasing scrutiny of crypto-related money laundering and terrorism financing activities.
During a parliamentary session on 05 August 2024, Pankaj Chaudhary, the Minister of State for Finance, clarified that while crypto assets remain unregulated in India, the government does not collect data on these assets. Chaudhary emphasised that India has not conducted any studies to understand the level of cryptocurrency adoption among its citizens.
India has implemented a taxation system for cryptocurrency transfers and profits, which includes a 30% tax on unrealised gains and a 1% tax deducted at source (TDS), effective from 01 April 2022.
However, the government has no plans to introduce legislation to regulate crypto transactions. India has taken steps to curb illicit crypto activities, including banning several non-compliant offshore exchanges.
Additionally, during its 2023 G20 presidency, India advocated for a coordinated international effort to combat the illegal use of cryptocurrencies. Despite these efforts, there is no proposal to regulate the domestic crypto market at this time.
Korea In:Review
South Korean prosecutors are preparing to try a crypto market maker, known as Park, who allegedly masterminded a USD 59.6 million fraud involving an altcoin-themed "scam coin" called Podocoin.
Park, nicknamed "the Coin King," is accused of duping 18,000 investors through price manipulation and using the proceeds to purchase over a dozen luxury cars, including a Bugatti Divo and a Ferrari LaFerrari.
Park was arrested earlier this month on charges related to price manipulation. He had previously attempted to flee South Korea by sea in December 2023 but was forced to dock due to a storm, leading to his arrest by the coast guard. Park has already served time for this escape attempt but now faces additional fraud charges.
The Seoul Southern District Prosecutors' Office's Virtual Asset Crime Joint Investigation Team is leading the case. Prosecutors allege that Park artificially inflated the price of Podocoin by distributing fake promotional materials and then selling all 1 billion tokens for a substantial profit. He allegedly operated a dedicated team to manipulate the price and used social media channels to promote the scheme.
In addition to the 13 luxury cars, valued at approximately USD 14.6 million and hidden in a countryside warehouse, investigators have seized funds they believe were raised from trading these supercars with both domestic and international buyers.
Two other individuals have also been charged with submitting false information to a crypto exchange to facilitate the listing of Podocoin.
Singapore In:Review
The Monetary Authority of Singapore (MAS) has signed an agreement with four major banks - DBS, HSBC, OCBC, and UOB - and two tech companies, SPTel and SpeQtral, to explore quantum security in financial services.
This collaboration, announced during the FiNETech2 event on 14 August 2024, aims to investigate the application of Quantum Key Distribution (QKD), a secure method for exchanging cryptographic keys, to address the cybersecurity threats posed by quantum computing.
The partnership will focus on three key areas: testing QKD solutions in a controlled sandbox environment to evaluate their viability for financial services, validating QKD's security features to ensure robust data protection, and enhancing technical competencies among participants.
These trials are expected to inform future technology and cyber risk management policies, helping to "quantum-proof" Singapore's financial sector.
This initiative aligns with MAS's broader efforts to promote fintech innovation, including the recent launch of a quantum track under its Financial Sector Technology and Innovation Grant Scheme. The move reflects growing concerns about the potential for quantum computing to break existing cryptographic protocols, making current financial systems vulnerable.
INTERPOL has successfully used its "Global Rapid Intervention of Payments" (I-GRIP) mechanism to recover circa USD 40 million from a business email compromise (BEC) scam, marking the largest-ever recovery in such a case.
The scam targeted a Singapore-based commodity firm in mid-July 2024, where cybercriminals posed as a trusted supplier and convinced the firm to transfer USD 42.3 million to a fraudulent bank account in Timor-Leste. The firm realised the fraud only after the legitimate supplier reported not receiving the payment.
Upon detection, Singaporean authorities, leveraging I-GRIP, swiftly froze the counterfeit bank account and recovered the majority of the funds. Additionally, seven suspects were arrested in connection with the scam, leading to the recovery of another USD 2 million.
I-GRIP, launched in 2022, has played a crucial role in intercepting hundreds of millions of dollars in illicit funds globally, particularly in cases involving both fiat and cryptocurrency crimes. INTERPOL has urged businesses to adopt preventative measures to protect against BEC and other social engineering scams.
This development follows the recent US seizure of the cryptocurrency exchange Cryptonator, accused of facilitating over USD 1.4 billion in illicit transactions, including those linked to darknet markets, ransomware groups, and sanctioned entities.
Cryptonator, founded by Roman Boss in 2013, was allegedly used by cybercriminals to launder funds through various illegal activities, exploiting the growing popularity of cryptocurrency for fraudulent schemes.
Wang Xinghong, the Chief Technological Officer (CTO) of A&A Blockchain Innovation, was sentenced to five years in jail after pleading guilty to six charges of cheating in a Ponzi scheme that defrauded investors out of more than SGD 1 million.
A&A Blockchain Innovation falsely claimed to operate 300,000 cryptocurrency mining machines to attract investments, promising fixed daily returns of 0.5% through its "A&A chain mining scheme." However, no such mining machines existed, and the returns were generated by using funds from newer investors to pay earlier ones, a classic Ponzi scheme setup.
The scheme, which ran between May 2021 and February 2022, attracted over 700 investors in Singapore. Wang, a Chinese national, was described by the prosecution as a "key cog" in the scam. He developed and maintained an app that falsely displayed investor returns, despite knowing that no real cryptocurrency mining or revenue generation was taking place.
The scheme was spearheaded by Yang Bin, a Dutch national who served as the chairman of A&A, and Lu Huangbin, a Chinese national and the company's CEO. Both individuals are still awaiting trial.
The court heard that Wang's role primarily involved the technical development of the fraudulent app, and he was not involved in the scheme's marketing or in making false representations to investors.
The court imposed a sentence of five years, with each count of cheating carrying a potential penalty of up to 10 years in jail and a fine. Wang's legal team argued for a lesser sentence, noting that he did not conceptualise the scam and had no role beyond app development.
However, the court held him accountable for his central role in enabling the fraudulent activities of A&A Blockchain Innovation.
Best of the Rest In:Review
The United Nations (UN) has finalised a draft for a "Cybercrime Convention" aimed at enhancing global cooperation to combat cybercrime. The draft, introduced in 2017 by China and Russia, carries significant implications, particularly for banking secrecy, security analysts, journalists, and cryptocurrency companies.
Set to be presented for a general vote in the autumn of 2024, the draft mandates that member states collaborate closely to prevent cybercriminals from finding safe havens and ensure their crimes are prosecutable anywhere.
The proposed convention seeks to abolish banking secrecy entirely by empowering courts and authorities in each member state to access, freeze, and confiscate assets linked to cybercrime, including cryptocurrencies.
The draft explicitly forbids governments from refusing information requests on the grounds of banking secrecy and could compel countries to release bank data based on foreign court rulings. This could also extend to crypto companies and potentially decentralised finance (DeFi) platforms, raising concerns about the impact on privacy and financial autonomy.
Moreover, the draft's vague definitions of cybercrime, such as unauthorised access to IT systems and interception of electronic data, have sparked criticism from organisations like the Electronic Frontier Foundation (EFF).
The EFF warns that these broad definitions could criminalise standard security practices and leave security researchers and investigative journalists unprotected. Critics argue that the draft lacks essential safeguards against misuse of digital investigations, potentially leading to increased surveillance and erosion of trust in digital technologies.
While the UN's initiative addresses the growing threat of cybercrime, the proposed measures have sparked a debate over the balance between security and civil liberties. The draft has yet to be voted on and could face revisions before becoming enforceable, depending on the level of resistance and protest it encounters during the legislative process.
The US Securities and Exchange Commission (SEC) has filed a lawsuit against cryptocurrency company NovaTech and its co-founders, Cynthia and Eddy Petion, accusing them of orchestrating a fraudulent scheme that raised over USD 650 million from more than 200,000 investors globally, including many Haitian-Americans.
The SEC alleges that NovaTech and the Petions misled investors by promising that their funds would be secure and that they would be "in profit from day one." However, the SEC claims that the Petions used new investor funds to pay off earlier investors and reward promoters, while siphoning off millions for personal use.
The alleged scheme continued for four years until NovaTech collapsed in May 2023. This federal lawsuit follows a separate legal action filed in June 2023 by New York Attorney General Letitia James, which estimated the fraud at over USD 1 billion. Both regulators have described the operation as a pyramid scheme.
NovaTech is said to have exploited victims' religious beliefs through social media platforms, including Telegram and WhatsApp, with Cynthia Petion marketing herself as "Reverend CEO" and claiming that the company was "God's vision."
The SEC has also charged six promoters with fraud for continuing to recruit investors despite evident "red flags," such as delayed withdrawals and regulatory actions in the US and Canada. One promoter, Martin Zizi, has agreed to pay a USD 100,000 civil fine. The lawsuits seek restitution for victims and the imposition of civil fines on those involved.
I hope you find Risk In:Review informative and helpful.