
The Biggest Digital Heist in History Isn’t Over Yet - wp381640
https://www.bloomberg.com/news/features/2018-06-25/the-biggest-digital-heist-in-history-isn-t-over-yet
======
ur-whale
One interesting bit is the "laundering through a bitcoin warehouse he bought
in China".

I suspect this is actually a Bitcoin mining farm:

In goes dirty money, to buy mining hardware in bulk.

Out comes fresh, never-transacted-with Bitcoin block rewards.

It is fairly hard for authorities to trace the wash: in Bitcoin land, block
rewards are the least-tainted kind of coins.

~~~
SilasX
But I thought Bitcoin mining hardware was all online-only sales?

~~~
ur-whale
We're not talking about buying a couple of miner machines here, but financing
a whole warehouse filled with them.

~~~
SilasX
Which would make it harder to conceal the dubious origin of the money.

~~~
ur-whale
Not really.

From the p.o.v of the seller of mining hardware, he's just selling hardware in
exchange for money, and he has no KYC/AML requirement, he's not a bank, he's
just a regular business.

And any other company involved in building the mining operation are the same
way.

~~~
SilasX
Right but the point of laundering is that you have cash you want to
legitimize, so it must "re-enter" as cash. But hardware mining sales are all
online, not cash, hence my original comment!

------
neilk
I've learned to be skeptical when I see law enforcement praising the l337
skillz of their targets.

    
    
> “This guy is in another league, he’s like Rafa Nadal
> playing tennis,” Yuste says. “There are few people in
> the world capable of doing what he did.”
    

It sounds really cool (and budget-justifying) to be chasing some mastermind,
and a journalist is likely to pump up that aspect of the story too. Because
they know we're reading it to be entertained, for there to be suspense, to
enjoy the frisson of a "victimless" crime requiring ingenuity, like Ocean's
11.

Then you find out later it's just a python script probing for default
passwords, or someone who learned some of nmap's command-line switches.

~~~
_bxg1
Yeah; I also have the general impression (admittedly without much data to
support it) that IT security at banks and other gargantuan, long-lived
institutions is pretty crappy? I would think it's easy to get in, and hard to
not get caught.

Anecdotally, I have a friend who briefly worked at a company which exclusively
makes software for financial institutions. Their product was a web app that
_only_ worked in a version of Internet Explorer so old, it didn't support
Ajax. Asynchronous requests were made by changing the src attribute of a 1px
<iframe>.

This was in 2015.

~~~
vpmpaul
It is and it is (sorta). I worked in the bank industry for many years and I
could have stolen money a hundred different ways without getting caught.

The problem is that in the end the money has to go somewhere or be spent (why
else steal it?). Also to live a legal life (house, car, boat) you have to have a
source of income/spending that does not set off red flags. If you are a high
paid bank employee why even bother? Many (most?) financial type crimes have no
statute of limitations so to get away you literally have to get away with it
for the rest of your life. The other side is even if you get away you will
spend the rest of your life wondering if today is the day you get caught. To
be honest I think that is why so many white collar crimes are so brazen
looking. I think they would rather go to jail for a few years be done with it
and live the rest of their lives with the money they have "lost".

Unless you live in a country like Russia where stealing money from the US is
basically legal. Then go for it.

~~~
downandout
_Many (most?) financial type crimes have no statute of limitations so to get
away you literally have to get away with it for the rest of your life_

At least in the US, this is inaccurate. Most financial/fraud crimes have a
statute of limitations of 3-5 years, both at the state and federal level. Some
federal crimes specifically against financial institutions have a SOL of 10
years. Generally the only crimes that have no statute of limitations are
punishable by life/death (such as first degree murder). See
[https://www.justice.gov/usam/criminal-resource-manual-650-length-limitations-period](https://www.justice.gov/usam/criminal-resource-manual-650-length-limitations-period)

~~~
kolpa
SOL is a timer from time of crime to time of indictment, and indictment
doesn't necessarily require knowing the precise identity of the defendant or
capturing the defendant.

In GA, fleeing stops the clock, and in WA, "John Doe" can be indicted, subject
to some restrictions.

[https://tollefsenlaw.com/statute-limitations-tolled-against-john-doe/](https://tollefsenlaw.com/statute-limitations-tolled-against-john-doe/)

------
sandworm101
>> Someone had sent emails to the bank’s employees with Microsoft Word
attachments, purporting to be from suppliers such as ATM manufacturers. It was
a classic spear-phishing gambit.

Microsoft Windows + Outlook Email + Attached word document = the Drake
equation for internet security. No matter how secure each of these things are
individually, when added together infection becomes inevitable.

Why does Outlook have to pass such documents to Word? Why does Word have to
open and run macros so willingly? Why does Windows allow Word to talk to the
internet so easily? I just don't understand the use case these links are meant
to address. Are there really so many people out there installing software via links
inside Word documents? That this has to be a seamless user experience? There
are so many opportunities to limit such infections. Why do we still
tolerate this?

~~~
cgh
>> Why do we still tolerate this?

This is the real question. The thieves are just a symptom of the real
infection: terrible, insecure client software. I'm not sure what the solution
is but I am pretty sure it involves Microsoft having skin in the game somehow.

~~~
r00fus
I'm sure it doesn't have anything to do with Microsoft's willingness to roll
over to the US government (PRISM, NSAKEY).

------
dmvinson
The article doesn't really go into the thieves' backgrounds at all strangely
enough. How did Katana end up in the bank heist business? How did he acquire
the skills to turn making fake bank transactions into an "art"? I always
wonder about the kind of person who ends up in these criminal dealings and
where they come from.

~~~
mywittyname
He probably worked for a bank. Lots of smart people learn the "loopholes" of
their trades.

My mom worked at a car dealership and realized that you could steal a car from
them and it would be upwards of a year before they figured it out, since
that's when they did inventory. Back then, the keys were all kept in
marginally secured cases.

~~~
kolpa
Johnny Cash figured how to steal them from the factory

[https://www.youtube.com/watch?v=18cW_yHo3PY](https://www.youtube.com/watch?v=18cW_yHo3PY)

------
adreamingsoul
Am I the only one that finds it suspicious that one of these guys would drop a
debit card at a heist?

~~~
21
People are always shocked at the stupid mistakes that big criminal masterminds
make.

Like the Silk Road guy, "how could he possibly ask on stack overflow using his
real name".

And so on.

There are ten thousand different mistakes that you can make, you need to
guard against all of them. And against whatever unknown tech exists.

In this story, that dropped bank card turns out to not be that significant.
The real breakthrough was identifying another mule through the video
surveillance videos, following him to the airport and putting surveillance on
the lockers used to store the cash.

He was also emptying ATMs apparently with witnesses behind him. This is like a
bad movie. One of those witnesses might as well be an off-duty cop who could
just pull out his gun right there.

~~~
greggarious
> _Like the Silk Road guy, "how could he possibly ask on stack overflow using
> his real name"._

I always had the impression that Ross suffered from the fatal flaw that he
didn't think what he was doing was wrong. He was an evangelical libertarian,
and I think he didn't see "not getting caught" as the #1 priority the way a
profit oriented criminal would.

~~~
kolpa
If that was the flaw, then why did he try so hard to remain anonymous?

~~~
greggarious
Does posting under your real name about drugs and bitcoins constitute "trying
hard?" :)

------
adiack
Nowadays everything runs on SaaS, why are banks and other institutions letting
key people use MS Windows and Outlook in the first place? Don't you reduce
your risk by like 90% by using Linux clients instead?

------
wazoox
Reminds me of the book "Stealing the network - how to own a continent", it was
a fun read back then...

[https://books.google.fr/books/about/Stealing_the_Network.htm...](https://books.google.fr/books/about/Stealing_the_Network.html?id=TIVArzStPGAC&redir_esc=y)

------
_bxg1
From the headline alone I assumed it was going to be about the tech industry's
theft of the world's data

~~~
mikro2nd
And I thought they were going to talk about cryptocurrencies... :)

~~~
ealexhudson
They do say a lot of theft cash ended up converted to Bitcoin. So, at least a
measurable chunk of the liquidity in the market is down to this...

~~~
huac
The authorities often resell the bitcoins so they could reenter the market.

~~~
pembrook
I've not heard any cases of bitcoins being "seized" by government authorities
yet, although I see that happening in the future as probably inevitable.

Have any examples?

~~~
stonogo
[https://www.wired.com/2013/12/fbi-wallet/](https://www.wired.com/2013/12/fbi-wallet/)

------
alanfranzoni
I thought it was an article about Bitcoin.

