As FBI and IRS Conduct Criminal Investigation of QuadrigaCX, EY Reports “Significant” Quadriga Cash Transactions and Transfers of “Substantial” Funds to Gerald Cotten

Two recent developments regarding former Canadian cryptocurrency exchange QuadrigaCX and its late founder and sole director Gerald Cotten provide strong indications that QuadrigaCX was the locus for a massive fraud that victimized QuadrigaCX’s customers.  First, on June 3, the Federal Bureau of Investigation announced that it, the Internal Revenue Service Criminal Investigation (IRS CI), the United States Attorney’s Office for the District of Columbia, and the United States Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS) “are conducting an ongoing investigation” and seeking information from potential victims of QuadrigaCX.

Second, on June 19, the consulting firm Ernst & Young (EY) filed its latest report with the Nova Scotia Supreme Court, in its capacity as Monitor in the bankruptcy proceedings pertaining to the business and affairs of QuadrigaCX and related companies and Cotten.  Although it noted that “the lack of formal books and records and inability to access certain encrypted devices have limited [its] review”, and that Cotten’s death and lack of other “key corporate representative” deprived EY of the ability to seek an explanation or justification, if any,” for the actions under review, EY provided the Court with a number of preliminary observations and findings.

Some of the most significant observations and findings are as follows:

  • “No accounting records have been identified by [EY] and there appears to have been no segregation of assets between Quadriga Funds and User Funds. Funds received from and held by Quadriga on behalf of Users appear to have been used by Quadriga for a number of purposes other than to fund User withdrawals. With its available infrastructure, Quadriga does not appear to have had visibility into its profitability, if any.”
  • “The Company appears to have engaged in significant “cash” transactions. The Monitor has been unable to verify if cash deposits were deposited into accounts containing User Funds and or properly recorded; (d) The Monitor has been unable to locate basic corporate records including the location and security passwords associated with Quadriga’s Fiat and Cryptocurrency inventories between TPPs, bank accounts, wallet addresses and third-party exchanges. In addition, the Monitor understands passwords were held by a single individual, Mr. Cotten and it appears that Quadriga failed to ensure adequate safeguard procedures were in place to transfer passwords and other critical operating data to other Quadriga representatives should a critical event materialize (such as the death of key management personnel).”
  • “User Cryptocurrency was not maintained exclusively in Quadriga’s hot and cold wallets. Significant volumes of Cryptocurrency were transferred off Platform outside Quadriga to competitor exchanges into personal accounts controlled by Mr. Cotten. It appears that User Cryptocurrency was traded on these exchanges and in some circumstances used as security for a margin trading account established by Mr. Cotten. Trading losses incurred and incremental fees charged by exchanges appear to have adversely affected Quadriga’s Cryptocurrency reserves. In addition, substantial amounts of Cryptocurrency were transferred to wallet holders whose identity the Monitor has been unable to confirm.”
  • “Mr. Cotten created Identified Accounts under aliases where it appears that Unsupported Deposits were deposited and used to trade within the Platform resulting in inflated revenue figures, artificial trades with Users and ultimately the withdrawal of Cryptocurrency deposited by Users.” The Report stated that those accounts “had no [Know Your Customer] information and were maintained under various pseudonyms (examples include Chris Markay, Aretwo Deetwo and Seethree Peaohh).”
  • “Substantial Funds were transferred to Mr. Cotten personally and other related parties,” and EY “has not located any support justifying these transfers.” For example, in one case, EY reported that it appears that Cotten liquidated nearly all of the bitcoin deposited in a particular exchange account, for the equivalent of approximately CDN $80 million over the course of three years. To date, EY stated, it “has been unable to account for what happened to the proceeds of the sale” of that cryptocurrency.

Note: While the Monitor’s Report contains numerous facts reflecting Cotten’s putative fraud, the FBI’s announcement contains a number of facts from which one can infer how the Justice Department is conducting its investigation with the FBI and the IRS CI.  Although both Cotten and his companies were Canadian, it is likely that a substantial number of the 76,000 users of QuadrigaCX’s services were American.  Should the FBI and IRS-CI find evidence of international transfers of funds or email communications between Cotten and U.S. QuadrigaCX customers, those acts could provide the basis for wire fraud charges, and any subsequent transfers of victim funds could provide the basis for money laundering charges, against Quadriga or its related companies.

In addition, the announced involvement of both the United States Attorney’s Office in Washington, DC and CCIPS suggests that the investigation warrants collaboration between CCIPS, whose attorneys have considerable legal and technological expertise with cybercrime investigations, and the United States Attorney’s Office.  That expertise may be especially important as investigators continue to try to access Cotten’s encrypted devices and text messaging services and to trace customer funds.

Southern Water Services Limited To Be Penalized £126 Million for Unauthorized Wastewater Spills and Deliberate Misreporting of Environmental Compliance Data

On June 25, the United Kingdom Water Services Regulation Authority (Ofwat), a government department that serves as the economic regulator of the water sector in England and Wales, published a notice of its proposal to impose a penalty on Southern Water Services Limited (Southern Water) totaling £126 million. The penalty consists of payments to Southern Water customers totaling about £123 million over the next five years, and a £3 million financial penalty on Southern Water “for significant breaches of its licence conditions and its statutory duties.”

Ofwat stated that Southern Water – which The Times reported “supplies water and treats sewage in Kent, Sussex, Hampshire and the Isle of Wight, serving 4.7 million people in two million properties” – had “deliberately misreported data to us about the performance of its wastewater treatment works,” and

has failed: to have adequate systems of planning, governance and internal controls in place to be able to manage its wastewater treatment works; to accurately report information about the performance of these works; and to properly carry out its general statutory duties as a sewerage undertaker, to make provision for effectually dealing with and treating wastewater.

Among other findings in its investigation, Ofwat concluded

that a material number of Southern Water’s wastewater treatment works have faced a wide range of problems, including some over a long period of time. This includes critical assets – including those used to monitor performance at treatment works and those which form a key part of the treatment process (such as screening equipment) – failing to perform effectively, either through lack of timely investment by the company or inadequate maintenance of those assets. These problems have contributed to the widespread use and adoption of improper practices within Southern Water, including at senior management levels, to present a false picture of compliance.

Ofwat further determined that this situation

has been compounded by failings of corporate culture and governance within the company. Southern Water’s Board did not take the steps that we would expect a diligent and reasonable company to take; firstly to put in place and check that there were adequate systems and processes to ensure that wastewater treatment works were being operated in a compliant manner, and secondly steps to ensure it had sight of and could identify problems at an early stage in order to take action to prevent these.

Among Southern Water’s failures in corporate culture and governance, Ofwat’s notice cited the following:

  • Southern Water itself stated “that whilst there is limited direct evidence of front line staff incentives or rewards linked to the implementation of ANFs, there was a potential that incentive schemes for senior management led to inappropriate behaviours to avoid [Ofwat Outcome Delivery Incentive] penalties.”
  • “Senior management within the Wastewater Operations division colluded to conceal the actual performance of [wastewater treatment works]. A culture of data manipulation was the norm and was accepted by staff across the division.”
  • Southern Water acknowledged
    • “that there were deficiencies in its organisational culture which prevented employees from being comfortable with speaking out about inappropriate or non-compliant behaviours. This included having in place ineffective whistleblowing processes which resulted in no staff coming forward to report their concerns despite certain staff being obviously uncomfortable about the implementation of ANFs and feeling pressured to act in an improper manner . . . .”
  • The whistleblower policy that Southern Water had in place at the time
    • “included on its first page and highlighted in bold the following text: ‘Should any investigation conclude that the disclosure was designed to discredit another individual or group, prove to be malicious or misleading then that worker concerned would become the subject of the Disciplinary Procedure or even action from the aggrieved individual’.”
    • Southern Water since confirmed that
      • “this policy has since been replaced with a new policy which makes clear that its whistleblower policy is completely anonymous and that Southern Water is committed to protecting the career of anyone who reports wrongdoing, and would not tolerate any form of retaliation or threat should the person choose not to remain anonymous.”
    • Ofwat also observed “that a company’s board should have oversight over the values and culture of the company to satisfy itself that behaviours throughout the business are aligned with the company’s purpose,” but that “this oversight was absent for the duration of the failures that are described in this notice.”

In summarizing its investigation and findings, Ofwat noted that its findings regarding Southern Water

are purely about regulatory obligations in respect of which Ofwat has jurisdiction. We are not seeking to make findings about environmental permit failures or whether the acts of Southern Water or its employees, were criminal in nature. These matters are currently being dealt with by the Environment Agency, as the environmental regulator.

Note: This action by Ofwat demonstrates that utility companies (including water and sewage) are no less responsible than any other sector for maintaining effective corporate-compliance programs, including with regard to environmental compliance.  Compliance teams in multiple sectors should review the notice, particularly the section addressing the company’s culture and compliance failures, and compare it against their companies’ compliance programs to identify shortcomings or opportunities for improvement.

Since Ofwat issued the notice, Matthew Wright, who headed Southern Water from February 2011 to the end of 2016, reportedly stated that he had been “genuinely shocked” by Ofwat’s findings of wrongdoing, and that “there was ‘no suggestion’ that he or [the company’s] board were aware of the practices set out in the Ofwat report.”  If both of those statements are taken at face value, they provide further evidence of how substantial the company’s culture and compliance failures were.

Southern Water has already taken steps to address the reported compliance failures.  These include a draft confidential Action Plan that it presented to Ofwat, “listing various measures the company had already taken, was taking or planned to take with the aim of addressing the areas of concern” that Ofwat had previously identified.  Moreover, Ian McAulay, who took over as Southern Water’s chief executive in 2017, stated that the company was “profoundly sorry for these failures,” “that a former member of its executive management, who had since left the company in a restructuring, was among those aware of the cover-up,” and that an unspecified “number of people were dismissed.”

These measures, while necessary, will not suffice to resolve all aspects of Southern Water’s situation.  As Ofwat noted, Southern Water remains under criminal investigation, and the Environment Agency informed The Times “that it expected to start court proceedings ‘soon’.”  In addition, the revelations about Southern Water’s lengthy record of compliance failures have encouraged Labour Party calls for renationalization of Britain’s utilities.  The fact that Ofwat had previously fined Southern Water £20.3 million for similar conduct – i.e., “’systematically manipulating information to conceal its true performance over an extended period of time’ — in that case to conceal woeful customer service” – can only increase the challenges for the company to demonstrate that it is truly committed to a culture of compliance.

Telstra Issues Security Report for 2019

Recently, Australian telecommunications company Telstra released its Security Report 2019.  This whitepaper drew on interviews with 1,298 security professionals – 61 percent in Asia-Pacific (APAC) and 39 per cent in Europe – in businesses of all sizes across 13 countries.

Highlights of the Report included the following:

  • Priorities: In the past 12 months, there has been “a material shift in the priorities of both defenders and attackers. Some aspects of security, like malware, are better-known. However, other emerging security technologies, though not as well understood, are high on the list of considerations to improve cyber defences. For example, 93 per cent of the global respondents are considering, trialling or have implemented next gen endpoint detection and response.”
  • Data Breaches: “Breaches, defined as incidents that result in the confirmed disclosure of sensitive data to an unauthorised party, are on the rise. Our survey shows nearly two thirds of respondents have fallen victim to a security breach, showing these events are happening more frequently and continue to be more varied.”
  • Phishing: In particular, of the 63 per cent of global respondents and 65 per cent of Australian respondents who reported that their business was interrupted due to a security breach in the past year, “35 per cent of Australian organisations reported phishing incidents on a weekly or monthly basis.”  The Report also noted that “[p]hishing is one of the most common ransomware infection vectors . . . .”
  • Ransomware Attacks: Some of the most interesting findings concerned companies’ experiences with ransomware attacks:
    • Frequency: Across multiple regions, a significant percentage of companies that reported being interrupted due to a security breach in the past 12 months reported interruptions “on a weekly or monthly basis” from ransomware attacks:
      • Australia – 32 percent. In addition, 81 per cent of Australian respondents indicated they had experienced a ransomware attack at least once during 2018 – an increase of five percent over 2017.
      • APAC – 26 percent
      • Europe – 24 percent
      • Germany – 27 percent
      • France – 26 percent
      • United Kingdom – 19 percent
    • Ransom Payment: The Report stated that 51 percent of Australian respondents who were victims of ransomware reported paying the ransom – an increase of four percent year on year. “This rate is higher than in the APAC and European regions, where 48 per cent and 50 per cent respectively indicate having paid a ransom. Singapore and New Zealand both reported a higher incidence of ransomware attacks, and also report the highest rate of paying the ransom after an attack (61 per cent respectively).”
    • Success with Data Retrieval: The Report stated that 77 percent of Australian businesses that paid a ransom “were able to retrieve their data after making the payment” – a decrease of nine percent year on year. In contrast, the APAC and European regions reported much higher rates of retrieval (83 and 88 percent, respectively), and Germany and France had higher retrieval rates (96 percent for both).
    • Willingness to Pay Again: A surprisingly high percentage of respondents indicated that they would pay the ransom again next time if no backup files were available:
      • Australia – 79 percent
      • APAC – 75 percent
      • Europe – 73 percent
      • Germany – 78 per cent
      • France – 68 percent

The Report also commented that “[w]hile ransomware is still pervasive and profitable for cyber criminals, most potential victims have adopted policies and safeguards against such attacks.”

  • Cryptocurrency Attacks: “Many adversaries are now turning to cryptocurrency related products, which can often be bolted onto traditional malware and easily activated. The rise in popularity of these currencies makes this market attractive for crypto mining and cryptojacking.” The Report also stated that “[i]n some quarters in 2018, crypto mining was seen on a grand scale, making an appearance on all platforms, devices, operating systems, and in all browsers.”
  • Advanced Persistent Threats (APTs): The Report stated that APTs have been a pervasive part of the cyber threat landscape year on year,” citing a recent report from FireEye that “shows an increased use of this attack type by nation-state groups, such as Iran.”
  • Formjacking: Formjacking, “the injection of malicious JavaScript code that is written to steal credit card data and other information,” typically “occurs on untrustworthy e-commerce websites.”
  • Defender Responses: “This year, an interesting trend is emerging where defenders are striking back. Awareness and understanding of the strategic importance of security is improving. In all regions we surveyed this year, businesses reported investing more resources in security awareness and training, more so than what we saw in our 2018 Security Report. This includes delivering formal education focusing on information management and incident response.”
  • Corporate Attention to Cybersecurity: In 2018, “all respondents surveyed identified that within their role they are responsible for both cyber and electronic security within their organisation. There are also early signs of increased C-level participation. . . . Additionally, about one third of businesses told us that because of new regulations, the frequency of C-level and senior management meetings on security in Australia, APAC, and Europe is increasing.”

Note: The key message from the Report, in the words of Telstra Group Executive Michael Ebeid, is that “security has moved far beyond the maintenance of firewalls and is now a whole-of-business concern for C-level executives and boards.”  Although the Report’s survey population included only respondents from Australia, APAC, and Europe, cybersecurity and anti-fraud compliance teams at companies, of all sizes and in all industries, that do business internationally should take note of these principal findings, and include them in their briefings to C-level officials and board members.

Europol Official Warns of Russian and Chinese “Huge Inflows of Criminal Money” into Europe

On June 13, according to Reuters, Pedro Felicio, head of the Economic and Property Crime Unit at the European police agency Europol, stated that “huge inflows of criminal money” are principally entering Europe from Russia and China.  Felicio, whose duties include combating money laundering in Europe, said that “[t]here are billions of criminal money that are being taken out of the Russian economy,” and  “warned of the dangers of a repeat of scandals involving tainted Russian money in the Baltics . . . .”

Although he recognized that anti-money laundering (AML) oversight has improved since the Danske Bank scandal that came to public attention last year, Felicio reportedly noted that “there are still gaps particularly in the Baltic states.”  In his words, “Some of the banks in the Baltic area are very vulnerable to money laundering activities especially coming in from Russia. It has improved but it is far from being solved.”  He also commented that “It is just a matter of time until we see another scandal coming in from the area and it will probably be very similar to the scandals we have seen in the past.”

In addition, Felicio observed that while the Baltics were in the “front line” for receiving criminal proceeds, those proceeds were being invested elsewhere, particularly via real estate in London and Rome.  He cited two factors that were exacerbating the money-laundering problem in Europe: the high burden of proof in European states, and “zero cooperation from Russia in providing . . . evidence.”

Note: Felicio’s remarks should serve as a reminder to financial institutions with European operations that they need to maintain vigilance in monitoring international financial transactions that, like the funds that flowed through Danske Bank’s Estonian branch, may have their origin in nations such as Russia and China but transit through third countries as part of the layering process.  They also highlight one of the continuing challenges for the European Union in devising and implementing a more robust and effective system of AML oversight and enforcement.

North Korea Increasingly Dependent on Cyber-Based Theft for Cash

On June 19, the Financial Times reported on signs that North Korea, due to “immense economic pressure from sanctions, increasingly depends on cash from cyber-based theft.”  According to cybersecurity experts, North Korean leader Kim Jong Un’s regime

controls an army of thousands of hackers who bring in hundreds of millions of dollars annually . . . . With North Korea cut off from most trade with the outside world, the cash generated from illicit cyber-based activities is thought to have become a core revenue stream for Pyongyang and has now probably surpassed the value of sales of weapons and military services.

The reported increase in North Korean online crime “also marks the latest example of the Kim regime’s decades-long struggle to bring in cash to the country via unorthodox and illicit means, and follows reported cases of global insurance fraud and the production of counterfeit money and drugs.”  For example, in 2018 the U.S. Department of Justice unsealed charges against “a North Korean citizen, Park Jin Hyok, a member of a conspiracy backed by the North Korean government that carried out numerous computer intrusions.  Those charges alleged that the conspiracy utilized a strain of malware, ‘Brambul,’ which was also used to propagate” the Joanap botnet (i.e., “a global network of numerous infected computers under the control of North Korean hackers that was used to facilitate other malicious cyber activities”).  Subsequently, the Department announced “an extensive effort to map and further disrupt, through victim notifications, the Joanap botnet.”

While the Financial Times cautioned that “[e]stimates vary as to exactly how much money North Korea now makes from any of its illicit activities,” the Department of Justice has alleged that Park and his coconspirators stole $81 million from Bangladesh Bank in 2016 and sought to steal at least $1 billion from financial institutions.  A former U.S. National Security Agency analyst, Priscilla Moriuchi, stated that North Korean operatives “had proved to be ‘persistent, patient and skilled’.”  “There was an impression that these [banking hacking operations] were opportunistic targets.  We can see they are decidedly not . . . .”

In addition, the Financial Times reported that “[a]nalysts stressed it was difficult to pinpoint what happens to the stolen cash, cryptocurrencies or gaming credits. But, one expert said, there were signs stolen cryptocurrencies were quickly laundered through several different exchanges, making them ‘virtually untraceable’.”

Note: The increasing sophistication and persistence of these North Korean-authorized cybertheft operations — coupled with the efforts of sanctioned North Korean banks to use companies to launder funds on behalf of those banks – represent serious compliance challenges for the financial sector.  Cybersecurity and compliance teams in financial firms should take this opportunity, if they have not done so recently, to review the capacity of their cybersecurity and AML programs to address these kinds of threats to their firms, and to seek additional funding if necessary from senior management.