- Welcome to the Cyber5, where security experts and leaders answer five burning questions on one hot topic and actual intelligence enterprise. Topics include adversarial research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation, and cyber threat intelligence. I'm your host Landon Winkelvoss, co-founder of Nisos, a managed intelligence company. In this episode, I talk with CEO and co-founder of Black Hand Solutions, Charles Finfrock. We talked about the nuances of cryptocurrency investigations, including the generalities of crypto itself, and we dive into the tactics, techniques, and procedures for conducting these types of investigations. We also discuss some case studies and what proper outcomes look like for making it more expensive for the bad guys to conduct their operations in this generally unregulated world. Stay with us. Charles, welcome back to the show, sir. Would you mind sharing a little about your background for our listeners?

- Yeah, thank you, Landon. I appreciate that. So I'm Charles Finfrock. I'm based out of the Northern Virginia area. Here, I'm the founder and CEO of a company called Black Hand Solutions, that conducts discreet and bespoke investigations for appropriate clients. Before shifting full-time to that, a couple of months ago, I was the senior manager for insider threat at Tesla and had set up their insider threat program and then led their global information security investigations, and I did that for about three years. Before that I'd spent the previous 18 with the Central Intelligence Agency as an operations officer. And I hail from the great state of Ohio.

- It is a state indeed. Charles, I can't thank you enough for being on the show. You're our first repeat guest, and we've been going here for about 60 episodes. So I can't thank you enough for your time and look forward to getting into this. I think cryptocurrency is still an up and coming industry.
I think that there's certainly a mystery to the many and I'm kinda curious just to describe cryptocurrency basics, how do cyber criminals use different coins, you know? I think a lot of people have heard of Bitcoin, less have probably heard of Ethereum. Few have probably heard of Dogecoin, for example. I'm just kinda curious how Kountable works and who uses what so to speak.

- Yeah, great question Landon. So let me roll it back just a little bit and why in the world am I gonna talk to you about cryptocurrency? So I've been following crypto since about 2016, 2017. I was looking at it from an anti-money laundering, and frankly from a money laundering perspective about, you know, tell me about this new fangled, anonymous internet money and how I can move value across the blockchain without being tracked and traced? So I got into it 2016, 2017. I invested quite a bit and I just fell into the space and anyone who has been through the rabbit hole in crypto can understand where I'm coming from, where one podcast becomes two, becomes 15. Now you can go to a conference. Now you read the books. Now you read the blogs. And then you dip your toe in, and you start investing. And I always say with cryptocurrency, really easy to become an expert, really hard to stay an expert because the field is exploding, as you mentioned. I thought in 2018, that cryptocurrency was like the internet in 1996. But what I realized quickly was in 2018, it was like the internet in 1986, where it was there, it started, but unless you had very specialized skills, you weren't going to be involved in the mainstream. I'd like to think that it's moving a little closer to the mainstream, but still, I think it's still a curiosity for a lot of people. And if you've missed the waves from an investment standpoint, from a technology standpoint, my big pitch now is get involved. So why me on this? My company, Black Hand Solutions, we conduct cryptocurrency investigations.
Our clients are large cryptocurrency companies. We help them manage their reputation risk by targeting and investigating people conducting scams, using our client's name, image, and likeness. And yes, I did borrow that term from the NCAA, but I think it captures what I'm going at very clearly. That scammers that are claiming to be representatives of our clients are going out and targeting current or potential customers. Crypto is still so new people don't understand it, and so people are taking advantage of other people, unfortunately. Well, that's where we come in. We wear a black hat in a white hat world to identify, to detect scammers, to disrupt their scam operations, and deter them from continuing to conduct scams against our clients.

- So somebody who is just new to cryptocurrency, just kinda like you said, how does cryptocurrency work? And realistically, and then what are the differences between the major coins and then kind of how do cyber criminals basically exploit that?

- So real basically, cryptocurrency, and I'm going to use some terms here for the cryptocurrency purists that are going to make you roll your eyes, but I like to speak about cryptocurrency to the masses. And so technologically we're 95, 98% accurate. There's going to be some things I generalize at risk of overgeneralization, but at the gain of being more widely understood. So in a very basic sense, cryptocurrency is a way to exchange. It has all the factors generally of money, what we know as money, it's a store of value. It's a medium of transfer. It's a unit of account. It is for all intents and purposes, think of it as money or think of it as gold. Something that inherently has value. I'm going to talk a little bit about Bitcoin. Bitcoin's the big daddy. Bitcoin is what most people associate with cryptocurrency, but they're not synonymous terms. Bitcoin is a cryptocurrency.
It's the most widely known and the most widely adopted, but there are over 6,800, 8,000, depending on how you count them, different types of coins and tokens that are out there. Some of the big ones, you're gonna hear are Bitcoin, Ethereum, you mentioned Dogecoin, which is generally a joke coin, but people get into it. If you're talking about criminal activity, you're talking about Monero, things like that. What makes cryptocurrency special? It is not controlled by a central authority. It is run by a mathematical algorithm that verifies transactions, that talks about the supply of Bitcoin, how much will ever be. And it runs on something called a blockchain. Okay, what's a blockchain? I'll explain it very, very basically, in that a blockchain, in its simplest form, is a ledger. It's a really fancy technology that allows you to determine what has been sent and what has been received from an account. It is the oldest technology in the world. If you go all the way back to Mesopotamia in the first instances of human writing on cuneiform tablets, they were accountant ledgers. How many goats for how many sheep? Whatever, that's all a blockchain is. How it technically does it? A lot more complicated than that, but you know, for most people, much like you don't have to understand the internet to send an email, you don't have to understand the blockchain to be able to transact in Bitcoin or any other cryptocurrencies. Okay, to your question, why is it used by criminals or how's it used by criminals? Couple of reasons. First, it's not widely understood, and when it was first set up, people thought that Bitcoin transactions were anonymous. It's not; pseudo-anonymous. What does that mean?
When you transact Bitcoin, all of your transactions are recorded on the Bitcoin blockchain, the amount that you sent, the amount that you received when you send it are all recorded on the blockchain and associated with a cryptocurrency wallet address, 34 digit alphanumeric, depending on the coin, but 24 to 34 some odd character, alpha numeric string of characters, that is your wallet. Well, that's great. 34 characters doesn't mean that it's mine. It doesn't, any more than a cell phone number means that that cell phone number is identifiable with you unless you can attribute that cell phone to someone. Now it's a marker, now you can associate that. And that's why we call it pseudo-anonymous, not misattributable, not non-attributable, it's not anonymous, it's pseudo-anonymous. So why do criminals use it? Because they can hide their identity and they can use some other techniques and some advanced money laundering techniques to hide that money. Why was it really popular in the mid 2012, 13, 14, 15? It was associated with dark market sites and it was associated with criminality, most prominently, the Silk Road, the online drug marketplace. And law enforcement and security services did not have the forensic tools to be able to follow the money. That has changed, and I'm happy to talk a little bit about that, but criminals used it because they had the criminal first mover advantage. But like everything in security and law enforcement there's punch and counter-punch, and so criminals punched, law enforcement now has counter punched, and law enforcement is in a position to actually track transfers on the Bitcoin blockchain.

- Before we kinda go into how law enforcement and the good guys are catching back up, how is crypto in the blockchain different from ultimately a centralized banking system? And I guess where my question is really going with that is, and again, this is really to the novices out there.
Even if you're talking about registering an account, let's say you're opening a Coinbase account 'cause you wanna transact crypto, that's still gonna be generally tied to a banking system, at least as far as a lot of people would be aware. 'cause I think you made a keyword, you know, in terms of talking about crypto is really that decentralization. So I guess like from that to novice perspective, what are the monetary differences in terms of the value between the centralized system that many know such as PayPal or Venmo, and of course, you know, cryptocurrency?

- So great, great question, and it really gets to the central theme of cryptocurrency and why cryptocurrency is different from Fiat currency. Let me step back for a second and say what's Fiat currency. Fiat currency is a currency that's issued by a central bank, that is either backed up by if it was the U.S. dollar it used to be gold or backed up by the full faith and confidence in the central government. So it's issued by the central government. It's managed by the central government. The supply expands and contracts based on a central government. So each Fiat currency out there is inherently tied to a government. The Euro's tied to the EU and a centralized government conglomerate there. Where cryptocurrency is different, and this is where it's awesome, right? Cryptocurrency is not controlled by any central government. There is an algorithmic mathematic formula that controls it. So no one can modify the supply of Bitcoin. People say, well, what in the world gives it value? Well, the same thing that gives anything value, enough people get together and agree this has value. Throughout history, seashells, precious metals, gold, silver, platinum, whatever, there's always been things that we've just arbitrarily assigned value to usually because of their scarcity, usually because of their utility, something like that. Bitcoin's the same way. Well, someone says, "Yeah, but gosh, how does it have value?"
"You know, there's nothing behind it." And my usual response to that is, "You mean like the U.S. dollar?" That at one point was backed by gold reserves, but now since Nixon took us off the gold standard is backed by nothing. And to the contrary, there's a fixed supply of Bitcoin. We know how many Bitcoin there will ever be. The U.S. dollar, forget about it. These folks in Washington are cranking the money machine and printing dollar bills, hundred dollar bills, trillions of dollars, like it's going out of style and we're seeing this rampant inflation. So I would say in a lot of ways Bitcoin has a desirable feature from the scarcity and from the fixed supply that there will ever be, you know, particularly compared to a lot of Fiat currencies. That's the biggest difference where PayPal, Venmo, something like that is using a U.S. dollar denomination to transfer. Coinbase is using Bitcoin or Ethereum or Doge or Litecoin or all these other coins, and so it is a re-imagining of the international financial system. I mean, it's pretty groundbreaking. - That's so helpful, and I think that'll resonate certainly with a lot of, you know, folks who are getting into the space. So I guess kind of going on to that from your earlier comments of how the good guys are catching up with the bad guys, I guess provide us a day in the life of conducting cryptocurrency investigations. You know, what are the typical investigations like or the methodologies and TTPs doing this type of work? What are some of the scams you're seeing? - So obviously I'm not going to get into my specific clients. So I'll use a generic term here, and Nike is not a client, but I think most people understand Nike, and so I'm going to use that, right? So a day in the life. We conduct two types of investigations. We conduct reactive and proactive. A reactive is a victim reports in and says, "Hey, Nike, I've been dealing "with one of your portfolio managers. "I've given them $100,000 and they've disappeared." 
And Nike says, "Unfortunately, you dealt with Nike with a Y at the end of the domain. That wasn't us." Well, we will receive those reports from our clients. We will investigate them to understand the TTPs, the tactics, techniques, and procedures used by the scammers to try to identify the infrastructure that's there, and if we can identify the actor behind it, we'll work with our client to go to law enforcement. More often than not, the people behind these are in Africa, India, Eastern Europe, where we don't have the law enforcement connections. And so what we do, we disrupt the infrastructure. So that's cool; I think most people do that reactively. The one thing that we bring, because we're a bunch of former intelligence officers and joint special operation command targeters and operators is our proactive work. We go out into the ecosystem and we proactively hunt scammers. We establish contact with them. We socially engineer them. We collect all of their information that's relevant, and we burn down their infrastructure using lawyers and legal methods to do that. I'm not going to get too much into how we do that because we don't want to give the adversary too much information about it, but ultimately the product that we deliver to our customer, our clients, when we first start on any given company, there may be 10 different Phil Knights in Telegram. Phil Knight, 1 through 27, all are pretending to be that Phil Knight that's gonna help you invest. And then there may be 57 other websites that have nike.net, nike.io, nike.biz, all these typosquatting, domain squatting, all the typical scam type techniques. Well, we go out, we hunt that down and we burn it down. And the best thing that we can do is to provide to our clients, here are the 15 scams that we found and we took them all down. Now as a practitioner, you're probably thinking to yourself out there, "Well, that sounds a lot like whack-a-mole." I would say yes, but here's the difference.
Not only do we hunt the specific mole and kill it, we kick over the mole hill. So that the next time that a mole shows up out in the field, it's standing out there naked, right? That's what we do with this infrastructure. We burn down the sophisticated infrastructure. So these long running scams that have LinkedIn and Telegram and Facebook and a website and all that stuff, all that gets burned down. So now you've got someone who looks obviously scammy and is saying, "Hey, you know, oh, I'm on Telegram. Oh yeah, no, no, my website's under construction. Oh no, this, oh, no, that." Great, now it looks like a scam. Now you can identify that mole that's out there in the field naked. What's a day in the life look like? Man, I wake up, I've got 10 phones on my desk. I'm looking to see, okay, I've got traps laid out. And when I say me, I've got a large team of folks behind me, and so I'm unfortunately getting to do less and less of this and more running a business, but I still do it myself 'cause I like it. It's looking at your traps that you've sent the night before, these messages that you've sent, "Oh my gosh, I'm new to cryptocurrency. Can you help me invest?" and see who's responded. And then it's just a matter of getting your hooks into them and talking to them and going through all the machinations that we do. And it turns into a nice pithy little report with screenshots and captures, and then a one page slide that lays it all out. But the coolest thing is when we identify the scammers, we find it, and actually when I get off this podcast, I'll be making a call to a bank because we got a bank account information from a scammer yesterday, so we're gonna contact the fraud department in the bank and that bank will investigate and ultimately freeze the assets of the scammer behind it. So it's cool work, man. That's kind of a day in the life.

- It's absolutely fascinating.
And I think that a lot of things you said resonated there, but certainly one of the things is for intelligence to be intelligence, it has to be timely, actionable, and relevant. And I think that those things resonate certainly to you and I coming from our intelligence community backgrounds, but I think the private sector is making a lot of ground there certainly, 'cause what you're really talking about there is really increasing the ROI on the bad guys to where they ultimately go elsewhere, or they just stop what they're doing against our particular clients. And I think that that's what's most useful because I think that you look at any study, you know, cyber criminal has a return on investment of 400%. Why wouldn't they keep doing this and do this at a massive scale? And I think it's challenging, I guess, to ultimately have private sector institutions think about how to make it more expensive, and that's exactly what you're doing. So I guess what are some case studies that can illustrate that methodology? And I guess what are the typical outcomes for you?

- If I could, you know, the cycle that we like to use, or the way that I like to frame it is we detect the scams, we disrupt the scams, and then we try to deter the scams. How in the world do you deter a scam? I'll tell you a story here in just a second about a case study on that, but we do try to go through all three and just what you said, we wanna raise the cost for the scammers. This is not no cost. And I want them to know, and I want them to share this on their dark market comm links and channels with their other scammers, stay away from that company, dude, they're chewing us up. There's no gain to be had there, let's move on to greener pastures. That's exactly what we want to hear. I mean, not for the other people, but that's life right, life in this kind of work. The other thing I want to mention real quick, you talked about the intelligence cycle and this is something else that we bring to bear.
And it's going to come into focus when I talk about the case study here, but that is the last piece that makes something HUMINT. You described really well I thought and really succinctly the intelligence cycle. The one piece that I was used to working on was HUMINT, and the one piece that makes something HUMINT compared to the other different intelligence INTs out there is that it's clandestinely acquired. Where how is that relevant here? It's relevant here because there are a lot of companies that are scraping open net looking for that Nike one, Nike two, obvious fraudulent websites. So scammers are pretty savvy. They adjust it just enough so that they don't use specifically the brand. They don't use specifically a lot of these things, although they are working on imposter scams, where they're claiming to be part of this company, but they're not advertising it to make it easy to take down. So where we come in, when we find that website that is using the name, image and likeness, usually the name or derivation of the name of a client, we clandestinely acquire the last mile, and that is, you know, we socially engineer the people that are involved to get them to say, "No, no, no, no, no. Yes, I am part of that Nike. You know, the Phil Knight, Nike. Oh yeah, that Nike. Yeah, no, I'm totally part of that one." Super, and it's that last mile that we're able to clandestinely acquire that allows us to go back and burn down all the infrastructure. So that's kind of our secret sauce. Maybe it's not secret anymore so I just said it, but that's the secret sauce. Okay, case study. Here's a perfect case study. One of our clients recently had a victim report in that said, "Hey, this website, I was involved with it." The setup was, it was a guaranteed return on investment.
Okay, well, anytime that you have a guaranteed return on an investment, you should hold onto your wallet and recognize there's probably some fraudulent activity because no legitimate investment, for the most part, can guarantee a result. Even a bond, I mean, there's still risk involved. Okay, so that's number one. So all I have is a website and that someone has lost money with it, super. So let's pop onto the website and let's take a look at what's going on here. Okay, so we look at it. Yes, it's got our client's name in it, but let's say that it's Nikeforex.com instead of just nike.com, okay. There's a name infringement. There's a little bit of name use, but there's no specific branding. Okay, let me go down through, let me identify, okay. So we've got guaranteed results here, got it. We go down a little bit further, we've got the contact information, got it. Oh, they've got a Telegram channel, interesting, okay. And they've got a website and WhatsApp and some physical addresses, okay, cool. Well, let's just do a quick look. So physical addresses, we take a look and do traditional OSINT on that. Three addresses, one is a Chase Bank, which is clearly not the company that they're claiming to be. Second one is a vacant building in the UK. Third one is a WeWork site in Australia, or equivalent, it's a Regis business center site. Okay, so clearly no, the addresses look good, but aren't affiliated with anything real. Okay, that's strike one. Strike two, phone number that's on there, we take a look. Well, the phone number that's on there is connected to an internet service provider that provides privacy and does the domain registration for companies so that they can hide their own identity. Okay, and that's one phone number, second phone number disconnected. Interesting, okay, Telegram channel. Let's go on and Telegram channel just for fun. Pop over to Telegram, find the channel. It's got 800 and some odd subscribers to it, interesting.
It's sending signals, it's trying to drive traffic to the website. You pop open the owner list and you look at it. Of the 800 and some odd members, probably 400 are deleted, which means they're probably bots that were used to unnaturally inflate the amount of members on the site. Okay, now I'm gonna find the owner of the channel. Great, I'm gonna engage him one-on-one, tell me about it. Tell me about your process. Okay, so he tells me about it and then it turns out what I thought was an investment scam is an investment scam, but it's got a different wrinkle to it. There's an ICO scam involved as well. What's an ICO? Initial coin offering. These were all the rage in 2017, 2018 when people were trying to fund projects. They borrowed the term from an IPO, but it has nothing to do with an IPO. It's not regulated, it's not, I mean. A lot of them, even the ones that weren't fraudulent, sometimes were just bad ideas. I mean, a lot of them were legit, but a lot of them weren't. Okay, so it's an ICO scam. So what's he trying to do? He's trying to get you to invest and buy this currency they've just created. Okay, interesting, so how's that work? He explains it to me. Oh, and then we're going to change from this currency that is all about charity, we wanna be charitable all around the world, yada, yada. Okay, great, now we're gonna change that to a new coin that we're going to use this coin to buy that coin. Okay, well tell me about that coin. Oh, well here's the website to that coin. Super, so now we go through the process again. And at this point I've already identified a website. I've got the guy to say that he is affiliated with our client. I've got the wallet addresses from the original site. I've got the name of the fraudulent ICO coin. Now I've got a second coin. That is a second ICO scam. I've got that website. I've got wallets associated with it. I've got new personas on Telegram.
We engage them, we collect the information from them, take this whole package up and burn it all down. And this was one where it was really cool 'cause at the end of it, we had two websites, we had multiple cryptocurrency wallet addresses that we can report to exchanges and we can report as fraudulent so that when money's flowing through those it gets flagged by the exchanges. We've got emails, we've got phone numbers, we've got bank account information. It was awesome. And we were able to take all that down, all from an initial website. That was all we had, an initial website, and we were able to use both open-source intelligence and the clandestine collection of social engineering to identify, and then ultimately disrupt all that infrastructure.

- That's simply fascinating, and I can easily see where that adds just a ton of value, especially if you're on the take-down side of things. I guess I'm just kind of curious, how critical is attribution on some of these types of scams? How deep do the customers usually want you to investigate? I'm kinda curious.

- Yeah, the ultimate goal there is if we can attribute the scam to an actor, a real live actor, ideally gosh, if they're in the U.S. or if they're in, you know, Western Europe, that would be great. What we found in the vast majority of times, and I may have alluded to it earlier, the scams ultimately resolve to Africa, to India, to Eastern Europe. And so at that point, if someone is out of reach, then the actual ultimate attribution is less important than identifying all the infrastructure and all the pieces involved and burning that down. And clients understand that because at the end of the day, we're not going to pull somebody out of Nigeria for scam activity. There's just too much of it.

- No, that's helpful. And I guess, you know, from that perspective, I think a lot of this is going to come down to the cryptocurrency exchanges.
When we talk about the traditional banking system, for example, large financial institutions where, you know, fraud is a line item in the risk mitigation bucket, and they ultimately understand there's going to be a certain amount of fraud that has to be investigated on a yearly basis. Are cryptocurrency exchanges almost the same thing, or are they still a few years behind because the industry is so new? To what degree do they care about going in and investigating? Kinda curious how the cryptocurrency exchanges are tackling this.

- One of the biggest challenges for cryptocurrency exchanges that are trying to operate on the up and up is the uncertain regulatory environment, right? That traditional financial systems have had a long time to develop, have had a long time to put all their regulations in and everything is crystal clear, generally. Cryptocurrency, not so much. It's still under development. There's still a lack of clarity coming out of the U.S. central government and other central governments about how to handle cryptocurrency. One of the things I think that most people are agreeing to now are legitimate cryptocurrencies should be collecting KYC, know your customer, and AML, anti-money laundering information about their clients as a basic. The other thing that's coming in, and this year will be the first year they really do it meaningfully is collecting information for taxable purposes, right? Cryptocurrency transactions should be taxed. Well for a long time the environment was that information wasn't getting reported to the IRS in the U.S., and so it was a little bit of the honor system. And I think a lot of us, myself included, did the best we could based on the information we had about the tax system and tried to pay our taxes as appropriate. But again, unclear. So now what we're facing, and I just posed this question last night.
A good buddy of mine from the DOJ I was hanging out with and having a little Chinese food and talking cryptocurrency, which is, you know, what people like to do, I guess. But what we were talking about is if I'm an exchange or I'm a company and I deal with someone in cryptocurrency, if I've looked at that first hop and they're clean, have I met my obligation? Maybe, maybe not. Because with, as we talked about earlier, with the Bitcoin blockchain you can track those transactions several hops down the road. So even if hop number one is clean, hop number two may not be. Hop number two may be a sanctioned entity, or hop number two may be a scam or some kind of criminal actor. Well, are you mandated as an exchange? How many hops are you mandated to go through? That is a little bit unclear, and I think there are a lot of really good companies, and we spoke about this earlier, that are helpful with the blockchain forensics, they can help follow this money across. But I think sometimes where they fall a little bit short is that enriching the information they have from on chain, with special collection or something that enriches it and attributes it. So to sort of sum that up, most U.S.-based cryptocurrency exchanges are trying to do the right thing. They're bringing in all the traditional aspects of KYC, AML, but the environment on what is their duty of care, what is their obligation to investigate, is still a little bit unclear. Some people I think would disagree with that, that it's fairly clear, but I can just tell you from people in the space, once you get into the details of it, you get into the, you know, the devil's end, right into the weeds, still unclear to folks.

- Charles, love what you're doing. Congratulations on taking the leap, and you're gonna do well. And thank you for everything, being such a great partner to Nisos.

- Well, Landon, I can't say enough good things about Nisos. What a great company, what a great story.
You guys are leaders in the field of what you're doing, and any bit that I can help, happy to do it. And if anyone's interested in hearing more about Black Hand Solutions or about what I'm working on, you can contact Landon at Nisos. They know how to get in contact with me, or you can contact me directly, Charles Finfrock on LinkedIn or via email at charles@blackhandsolutions.io.

- For the latest subject matter expertise about managed intelligence, please visit us at www.nisos.com. There we feature all the latest content from Nisos experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence. A special thank you to all Nisos teammates who engage with our clients to conduct some of the world's most challenging security problems on the digital plane and conduct high-stakes security investigations. Without the value the team provides day in, day out, this podcast would not be possible. Thank you for listening.