German and Lithuanian Prosecutors, Europol, and Eurojust Conduct “Operation Warenagent” Against Online Fraud Network

Those who track cybercrime and cybersecurity developments might be forgiven for thinking that the United States is an indispensable player in successful multinational law enforcement operations against cybercrime.  The U.S. Department of Justice, of course, has for many years been a leader in numerous aspects of transnational cybercrime enforcement, ranging from its participation in drafting the Council of Europe Cybercrime Convention to its aggressive pursuit of international cybercrime networks, as recent indictments against members of the Infraud and FIN7 organizations have shown.

Cybersecurity and compliance teams, however, should be careful in gathering threat intelligence not to fall victim to what psychologists term the “availability heuristic” (i.e., a mental shortcut involving people’s evaluation of the likelihood of events based on the ease of recalling recent events).  Because cyberattacks and data breaches against U.S.-based companies and U.S. law enforcement operations against cybercriminals typically dominate media coverage here and in other countries, it can be easy to overlook other cybercrime developments outside the United States that receive less coverage.

One recent example is “Operation Warenagent.”  Publicly disclosed on July 20, 2018, Warenagent is a multinational operation that the German Prosecutor’s Office of Dresden, the Saxon State Office of Criminal Investigation, the Lithuanian Police, and the Lithuanian Prosecutor’s Office, together with Europol (the European Union’s (EU’s) Police Office) and Eurojust (the EU’s Judicial Cooperation Unit), successfully conducted in June and July 2018 against members of an online fraud network that caused €18 million in damage.  According to Europol, since 2012 the network had conducted more than 35,000 detected instances of online fraud.   The scheme involved using fraudulently obtained credit-card data to order high-quality goods through a network of “package mules” (i.e., individuals who received the goods as intermediaries) who were mostly recruited in Germany.  After receiving the goods, the package mules, who may have received a commission for their services, sent the packages to new addresses, primarily in Eastern Europe.  The fraud network’s methods of operation included the use of codenames and encrypted access in the network, and settling payments with the help of cryptocurrencies. Other participants in the network provided IT infrastructure, recruited package mules, coordinated criminal activity, and laundered money.

Warenagent, which required six years to prepare and coordinate, is noteworthy for two reasons. First, it involved the establishment of a Joint Investigative Team (JIT) with the support of Europol and Eurojust.  Under the terms of the EU’s 2000 Convention on Mutual Assistance in Criminal Matters and the EU Council’s 2002 Framework Decision on Joint Investigation Teams, a JIT can operate in any of the EU member states.  Its leader is a JIT member from the country in which the JIT is based, and its membership can include law enforcement officers, prosecutors, judges, and other personnel.  In this case, the JIT, which included eight participating European countries, had five coordination meetings at Eurojust and frequent information exchange and analysis by Europol.

Second, Warenagent succeeded in conducting a series of successful enforcement actions against network members over nine months, despite the members’ efforts to conceal their identities and operations.  In October 2017, according to Eurojust, Lithuanian and German police officers conducted 11 searches in various Lithuanian cities, which led to the arrest of 5 suspects.  Ultimately, the investigators identified and located the key target in Cyprus.  From June 12-15, 2018, authorities reportedly conducted 31 house searches in Cyprus, Estonia, Finland, Germany, Latvia, Lithuania, Switzerland, Ukraine, and the United Kingdom; detained the alleged head of a criminal organization in Cyprus, as well as four individuals in Latvia and Finland respectively, two criminals in the United Kingdom, and one individual each in Estonia, Lithuania, Switzerland, and Ukraine. Over the course of the investigation, four other individuals were detained in Germany.  In addition, between June 26 and 29, 2018, authorities conducted two further actions in Lithuania, with 4 arrests and 10 searches.

The crimes with which network members are charged consist of crimes related to tax evasion, money laundering, participation in a criminal organization, production of counterfeit electronic means of payment, forgery of genuine electronic means of payment, and unlawful possession of electronic means of payment or data thereof.

Former Barbadian Official Arrested, Charged with Laundering Bribes

On August 6, the U.S. Department of Justice announced that Donville Inniss, a former Member of the Barbados Parliament and Minister of Industry, was arrested on August 3 and had his initial court appearance on August 6, in connection with an indictment charging him with laundering bribes that he allegedly received from a Barbadian insurance company in exchange for official actions that he took to secure government contracts for the insurance company.   The indictment, returned on March 15 under seal in the Eastern District of New York, charges Inniss with one count of conspiracy to launder money and two counts of money laundering.

The Justice Department press release summarized the indictment’s allegations as follows:

[I]n 2015 and 2016, Inniss took part in a scheme to launder into the United States approximately $36,000 in bribes that he received from high-level executives of a Barbadian insurance company.  At the time, Inniss was a member of the Parliament of Barbados and the Minister of Industry, International Business, Commerce, and Small Business Development of Barbados.  In exchange for the bribes, Inniss leveraged his position as the Minister of Industry to enable the Barbadian insurance company to obtain two government contracts.  To conceal the bribes, Inniss arranged to receive them through a U.S. bank account in the name of a dental company, which had an address in Elmont, New York.

At this early stage, the most interesting aspect of the case is the theory of prosecution.  If, as can be surmised from the Justice Department press release, Inniss received the funds in Barbados from the Barbadian insurance company, neither the relevant language of the anti-bribery provisions of the Foreign Corrupt Practices Act (FCPA) nor the guidance in the Justice Department’s and Securities and Exchange Commission’s FCPA Resource Guide would appear to bring Inniss’s receipt of the bribes within the scope of the FCPA.

Inniss’s alleged transfer of the bribe money through a U.S. bank account, however, is another matter under the federal money laundering offenses, 18 U.S.C. §§1956 and 1957.  Among other possibilities, subsection 1956(a)(1)(A) of Title 18 makes it a felony for a person, knowing “that the property involved in a financial transaction represents the proceeds of some form of unlawful activity, [to] conduc[t] or attemp[t] to conduct such a financial transaction which in fact involves the proceeds of specified unlawful activity . . . (i) with the intent to promote the carrying on of specified unlawful activity.”  Subsection 1956(c)(1) specifically defines the phrase “knowing that the property involved in a financial transaction represents the proceeds of some form of unlawful activity” to mean “that the person knew the property involved in the transaction represented proceeds from some form, though not necessarily which form, of activity that constitutes a felony under State, Federal, or foreign law, regardless of whether or not such activity is specified in paragraph (7) [of subsection 1956(c)].”  (Emphasis supplied)  Subsection 33(2) of Barbados’s Prevention of Corruption Act 2012-31 certainly criminalizes bribery of a public official, and subsection 1956(c)(7)(B) of Title 18 defines “specified unlawful activity” to include “bribery of a public official” without reference to any particular federal or foreign offense.

The Department of Justice has used this approach successfully in other cases involving defendants who laundered in the United States the proceeds of a crime that was completed or consummated outside the United States.  As one example, in United States v. Molina, the Department successfully prosecuted a defendant who assisted a Brazilian-based securities- and telemarketing-fraud scheme by laundering through U.S. bank accounts the payments that fraud victims made to the scheme (mostly through bank accounts in Miami).  See United States v. Molina, 2011 WL 445650 (11th Cir., Feb. 9, 2011) (per curiam) (unpublished decision).

U.S. Department of Justice Announces Arrests of Three Indicted Leaders of FIN7 Cybercrime Group

On August 1, the U.S. Department of Justice announced the arrests of three individuals described as “high-ranking members of a sophisticated international cybercrime group operating out of Eastern Europe,” FIN7.  In three separate indictments returned in the Western District of Washington and unsealed August 1, Ukrainian nationals Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov were each charged with 26 federal felony counts alleging conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft.

According to the Department, since at least 2015, members of FIN7 (also known as the Carbanak Group and the Navigator Group) “engaged in a highly sophisticated malware campaign targeting more than 100 U.S. companies, predominantly in the restaurant, gaming, and hospitality industries.”  FIN7’s method, as shown in a Justice Department chart, was to launch numerous waves of cyberattacks on numerous businesses operating in the United States and abroad.  The cyberattacks were initiated with “spear phishing” email messages that would appear legitimate to businesses’ employees, accompanied by telephone calls that were intended to provide additional legitimacy to the emails.  Once a recipient opened the emails and activated a file, FIN7 used an adapted version of Carbanak (a remote backdoor designed, in part, to provide remote access to infected machines), as well as other tools, to access and steal payment card data pertaining to the business’ customers.

Overall, FIN7 allegedly

hacked into thousands of computer systems and stole millions of customer credit and debit card numbers, which the group used or sold for profit.

In the United States alone, FIN7 successfully breached the computer networks of companies in 47 states and the District of Columbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations.  Additional intrusions occurred abroad, including in the United Kingdom, Australia, and France.  Companies that have publicly disclosed hacks attributable to FIN7 include such familiar chains as Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli.  Additionally in Western Washington, FIN7 targeted other local businesses.

Since 2015, FIN7 also allegedly sold the data in online underground marketplaces.

Each of the defendants reportedly played separate but related roles in FIN7’s operations:  Fedorov, as a high-level hacker and manager who supervised other hackers assigned to breach the security of victims’ computer systems; Hladyr, “as FIN7’s systems administrator who, among other things, maintained servers and communication channels used by the organization and held a managerial role by delegating tasks and by providing instruction to other members of the scheme”; and Kolpakov, as a supervisor of a group of hackers.

Each of the three defendants is also at a separate stage of extradition and prosecution.  In January 2018, the Polish Central Bureau of Investigation’s “Shadow Hunters” team arrested Fedorov, who remains in detention in Poland pending extradition to the United States, and the German State Criminal Police Office (Bundeskriminalamt) and the Dresden Police (Polizeidirektion Dresden) arrested Hladyr, who has since been extradited to the United States and is awaiting trial on October 22 in Seattle.  In late June 2018, the Spanish National Police’s (Cuerpo Nacional de Policía’s) Logical Security Group (Grupo de Seguridad Lógica) arrested Kolpakov, who remains detained in Spain pending his extradition to the United States.

Compliance and information security managers and counsel concerned with cybercrime and cybersecurity issues should take note of these arrests for three reasons:

(1)  Significance and Sophistication of Cybercrime Group: According to Wired, “researchers regard FIN7 as a particularly professional and disciplined organization . . . [that] has developed its own malware tools and attack styles, and seems to have a well-funded research and testing division that helps it evade detection by antivirus scanners and authorities more broadly.”  One threat intelligence expert estimated that FIN7 makes at least $50 million every month and “probably ha[s] at least a billion dollars on hand.”

In addition, FIN7 has shown versatility in its “spear phishing” targeting financial services companies and other corporations.  Last year, for example, a digital security company reported that FIN7 appeared to be targeting persons involved with Securities and Exchange Commission (SEC) filings – many of them listed in the SEC filings – at 11 different organizations in the financial services, transportation, retail, education, IT services, and electronics sectors.

FIN7 also has shown sophistication in its recruiting techniques.  In the case of the Fedorov/Hladyr/Kolpakov indictments, the Justice Department commented that FIN7 “used a front company, Combi Security, purportedly headquartered in Russia and Israel, to provide a guise of legitimacy and to recruit hackers to join the criminal enterprise.  Combi Security’s website indicated that it provided a number of security services such as penetration testing.”

(2) Importance of Threat Intelligence: For the benefit of in-house cybersecurity and cybercrime experts, the documents that the Justice Department posted in connection with the arrests include a detailed summary of FIN7’s attacks and examples of the emails used to transmit infected files.

(3) Significance of Arrests and International Cooperation: As indicated above, the three defendants, though only three of the dozens of FIN7 members, reportedly played significant roles in FIN7’s operations. These arrests, however, are not the first law enforcement actions against FIN7 this year.  On March 26, 2018, Europol reported that “[t]he [unnamed] leader” of FIN7 was arrested in Alicante, Spain, after an investigation by the Spanish National Police (SNP).

Both operations also indicate the extent to which law enforcement authorities are capable of coordinated investigations involving multiple jurisdictions.  In the case of the Fedorov/Hladyr/Kolpakov arrests, the Justice Department gave credit for assistance not only to the foreign police services making the arrests, but to “the National Cyber-Forensics and Training Alliance, numerous computer security firms and financial institutions, FBI offices across the nation and globe, as well as numerous international agencies.”  Similarly, in the case of the March 26 arrest, Europol stated that the SNP had the support of Europol, the FBI, the Romanian, Moldovan, Belarussian and Taiwanese authorities and private cyber security companies.  In particular, Europol gave credit to its European Cybercrime Centre for “facilitat[ing] the exchange of information, host[ing] operational meetings, provid[ing] digital forensic and malware analysis support and deploy[ing] experts on-the-spot in Spain during the action day.”

Although criminal trials are far from the best means of learning about the details of cybercrime operations and techniques, additional details about FIN7 may come to light this fall in the upcoming trial of Hladyr.

New Reports Provide Sobering Perspectives on Cryptocurrencies, ICOs, and Blockchain

In 2018, the fervor in some quarters for cryptocurrencies, Initial Coin Offerings (ICOs), and blockchain technology has been surging, even in the face of reports of cryptocurrency exchange hacking, investor fraud, and a 44 percent survival rate for cryptocurrency startups after just 120 days.  From 2017 to 2018, according to CoinSchedule, companies’ fundraising via ICOs increased substantially, from $3.8 billion to $11.9 billion.

Since June, however, a series of reports indicate that while industry leaders like IBM and Microsoft are heavily engaged in blockchain spending, companies and individuals should maintain a high degree of skepticism about the near-term prospects for cryptocurrencies, ICOs, and blockchain:

  • On July 2, CNBC reported that more than 800 cryptocurrency projects that had materialized in the preceding 18 months “are now dead because they were scams, a joke or the product hasn’t materialized” and their coins “are worthless and trade at less than 1 cent.” The report also noted that the price of bitcoin had fallen approximately 70 percent since its record high near $20,000 in 2017.
  • On July 16, the Commodity Futures Trading Commission (CFTC) issued an advisory that warned customers to “exercise caution and conduct extensive research before purchasing digital coins or tokens.” The CFTC, which has issued three previous advisories about virtual currencies, warned that “[t]he market for digital coins and tokens is still very young, and there is no widely-accepted standard for placing a value on a particular digital coin or token.”
  • On July 31, Forrester Research issued a report that indicated approximately 90 percent of U.S. companies’ experimental blockchain projects are ultimately being ended before they reach the operational stage.
  • On August 5, the Wall Street Journal reported, according to CoinTelegraph, that it had found 175 organized groups, trading 121 different coins, that had been engaging in “pump and dump” schemes to inflate coin prices artificially and sell their coin holdings rapidly in high volumes. In just the first six months of 2018, according to the Journal, these trading groups generated revenues of $825 million.

While there are reasons to hope that blockchain technology can improve financial crimes risk management and other processes in the future, at present cryptocurrencies as a payment instrument are, as Forrester put it, “not for the faint-hearted” and require a risk management decision if an organization is considering whether to accept them as payment.

Maintaining Corporate Attorney-Client Privilege and Work-Product Protection After X Corp.

On June 27, the U.S. Court of Appeals for the Fourth Circuit issued an unpublished opinion holding that a written agreement between an unnamed corporation (designated as “X Corp.”) and the U.S. Department of Justice “preserved X Corp.’s attorney-client privilege and work-product protection for information that the General Counsel of an X Corp. subsidiary disclosed to the Government.”  The decision stems from an investigation that the Justice Department began several years ago into whether X Corp. and its subsidiaries violated certain federal laws (likely the Foreign Corrupt Practices Act). To facilitate the investigation, X Corp. entered into a number of written agreements with the Government, permitting employees of X Corp. and its subsidiaries to share with the Government information that was protected by attorney-client privilege and work product protection.

One such agreement (“Agreement”) allowed the Government to interview the General Counsel (designated as “Doe”) of an X Corp. subsidiary.  The Agreement, which acknowledged that Doe might disclose privileged or protected information during the interview, included three relevant clauses (designated respectively as “First Clause,” “Second Clause,” and “Third Clause”):

  • “Please be advised that, to the extent any Protected Information is provided to the Fraud Section or EDVa pursuant to this agreement, [X Corp. and its directors] do not intend to waive the protection of the attorney work product doctrine, attorney-client privilege, or any other privilege.
  • “The Fraud Section and EDVa will maintain the confidentiality of any Protected Information provided to the Fraud Section and EDVa pursuant to this agreement and will not disclose such information to any third party, except to the extent that the Fraud Section or EDVa determines in its sole discretion that disclosure would be in furtherance of the Fraud Section’s or EDVa’s discharge of its duties and responsibilities or is otherwise required by law.
  • “The Fraud Section and EDVa each agree that it will not assert that the disclosure of any Protected Information by [Doe] provides the Fraud Section or EDVa with additional grounds to subpoena other privileged materials from [X Corp. and its directors] or [Doe] although any grounds that exist apart from such disclosure shall remain unaffected by this agreement.”

Pursuant to the Agreement, Doe was interviewed and disclosed privileged and protected information.

“Years later,” in the words of the court, the Government subpoenaed Doe to testify in a federal grand jury about the same statements that Doe made during the interview. X Corp. was allowed to intervene, but the federal district court denied X Corp.’s motion to quash the subpoena, holding that the agreement waived attorney-client privilege and work-product protection for Doe’s interview statements.

On appeal, the panel opinion by Chief Judge Gregory determined that interpretation of the Agreement presented a question of law that it would review de novo.  To determine whether the Agreement limited the effect that Doe’s disclosure otherwise would have had on X Corp.’s right to assert privilege against the Government, the other contracting party, it applied “standard principles of contract interpretation.”  Looking at the Agreement’s language to determine the parties’ intent, and reading it to give effect to all of its provisions and to render them consistent with each other, it held that the Agreement preserved X Corp.’s privileges as to the Government, as to hold otherwise “would require us to discount the plain language of the Agreement’s First Clause, which expressly reserves those privileges.”

In particular, the court stated that the First Clause “plainly convey[ed] X Corp.’s intent not to waive any privileges,” and that nothing in the Agreement qualified its reservation of privilege.  It distinguished the First Clause, which addressed privilege, from the Second Clause, which addressed confidentiality, in stating that in the Second Clause, “the parties agreed that the Government would not share the Protected Information with third parties outside judicial proceedings except in furtherance of its duties   . . . [and that] the exception in the Second Clause qualifies only the Government’s promise to keep the information confidential.”  As the Second Clause did not modify the First Clause, it did not negate X Corp.’s reservation of privilege.  As for the Third Clause, the court held that the First and Third Clauses served distinct purposes: the First Clause preserving X Corp.’s privileges for the disclosed information, the Third Clause preserving X Corp.’s privileges for other related information.

The court concluded that

the Agreement maintains the status quo regarding X Corp.’s privileges.  It nullifies the effect of both Doe’s initial disclosure of privileged information and the Government’s later disclosure of the same information on X Corp.’s ability to assert privilege against the Government. As a result, X Corp. may assert privilege here as if Doe had never disclosed the information in the first instance.

Regardless of whether the Department of Justice further contests the X Corp. decision, or continues to assert its ability to compel testimony from a witness covered by such an agreement in the future, X Corp. offers a number of lessons for corporate in-house and outside counsel who deal with the Department in other criminal investigations.  First, as the chronology of events in X Corp. indicates, counsel cannot assume that the passage of substantial time means that the Government will have no interest in obtaining testimony from a present or former corporate employee who was the subject of such an agreement.  Depending on the pace of the Government’s investigation, and the vagaries of acquiring sufficient evidence to prove one or more counts of a potential indictment, prosecutors may come to believe that the need for the corporate employee’s testimony about the privileged or protected information is more insistent than it might have seemed at an earlier stage of the investigation.

Second, while the Fourth Circuit’s interpretation of the language in the Agreement seems sufficiently protective of a corporate entity’s interest in securing its privileges, counsel who are approached by prosecutors to have a corporate employee execute a similar agreement in the future should consider negotiating for additional protective language in the agreement.  In X Corp., Judge Niemeyer concurred in the judgment, but found the exception in the Second Clause and its effect on the privilege to be ambiguous.  Because the Second Clause’s language, as Judge Niemeyer noted, provides no guidance about what kinds of external event might “promp[t] the Justice Department to conclude that it must, as a matter of duty, disclose the privileged material”, counsel should consider seeking clarifying language on that circumstance in the agreement.

Finally, if a corporation whose employee is the subject of such an agreement is confronted with a grand jury or trial subpoena requiring testimony by that employee about privileged or protected material disclosed pursuant to that agreement, it should consider not only intervening but moving to expedite the proceedings.  The duration of the X Corp. appeal, just from oral argument date to decision date, was more than five months, and corporations should have little interest in comparably protracted proceedings of this type in the future.  Accordingly, if the Government takes the step of compelling sworn testimony from the employee, the corporation would be within its rights to contend that the urgency of the proceedings and the “important policy considerations” that the X Corp. court identified concerning cooperation with the Government warrant expedited hearing and decision.