This story isn’t quite as dramatic as if the Feds had managed to reverse tens of thousands of separate Bitcoin (BTC) transactions used in a global online scam to defraud tens of thousands of separate and vulnerable victims…
…but it’s spectacular nevertheless, given that the stolen-but-recovered amount came to BTC 3,879.16, which worked out as a remarkable $189,568,730.46 at the rate quoted this afternoon by one online source. (Rates subject to change; transaction fees may apply; your mileage may vary.)
The victim in this case was the Sony Life Insurance Company Limited (yes, that Sony), which was allegedly defrauded of this enormous sum in an audacious internal scam that was apparently pulled off by a single employee.
The US Department of Justice claims that a certain Mr Rei Ishii conducted a classic “send funds to a different account” scam.
That’s the same sort of thing that external cybercriminals try to pull off by hacking into one or more company email accounts in an attack known as Business Email Compromise (BEC).
By keeping their eyes on insider emails – the crooks try really hard to crack high-ranking accounts such as the CEO’s or the CFO’s, which is why BEC is often referred to as CEO fraud – and picking the right moment to intervene with instructions to change payment details…
…these criminals often get away with hundreds of thousands of dollars, or even millions of dollars, conducting what is more of a social engineering confidence trick than a typical cybersecurity breach.
Higher and higher
In some cases, the amounts are significantly higher: an infamously extreme case was the so-called Bangladesh Bank Robbery (the BBR wasn’t technically a robbery at all, because there was no physical violence, no stick-up, and no giant bag of cash involved) back in 2016.
Crooks apparently managed to kick off bogus transactions totalling over $1 billion, and to get away with just over $100 million, although $850 million was never transferred, supposedly due to a spelling mistake made by the fraudsters during the process.
(Perhaps overwhelmed or overexcited by the prospect of getting their hands on all those lovely funds, and thinking of how much fun they were going to have with the proceeds, the crooks managed to type FUND-ation instead of FOUND-ation, which raised the alarm.)
As you can imagine, if that’s what outsiders can do with access to company email flows (although the BBR cyberheist may have involved insider assistance), just think what a determined insider might be able to pull off, given enough time to prepare, combined with a sufficiently reckless approach.
Allegedly, Ishii was that sort of risk-taker, diverting $154 million that was supposed to be moved around inside the corporation into an account he’d set up in California.
According to the FBI, he then started what you might call his cash-out procedure by converting the funds into the aforementioned stash of Bitcoins.
But cashing out that much cryptocurrency into regular funds is not as easy or as speedy as you might think, and a multi-department, multi-country law enforcement intervention quickly kicked in.
Ishii, who has already been arrested and charged in Japan, was investigated by a group including at least the FBI, Sony, Citibank, Japan’s National Police Agency, the Tokyo Metropolitan Police Department, Tokyo District Public Prosecutors Office, and the Japan Prosecutors’ Unit on Emerging Crimes (JPEC).
This led to the recovery of the private cryptographic key needed to “own” and transfer the stolen cryptocurrency, and the announcement of a lawsuit in the US to ensure that the funds get formally frozen until they can be returned to Sony, the rightful owner.
How the password or passwords for the Bitcoin wallet or wallets were recovered, we don’t know.
Ishii may simply have decided to confess in the hope of more lenient treatment, or the cryptographic keys may have been recovered following careful forensic analysis of the data and devices available to the investigators, or…
…he may have used his cat’s name as a password.
All we know at this point is what we don’t yet know, with the DOJ concluding by saying:
The FBI continues to investigate the alleged crime.
Still, close to BTC 4000 stolen-and-recovered is a pretty good result already!