Hackers stole $650k and got away, showing limits to law enforcement’s reach (wsj.com)
118 points by nabilhat 11 days ago

This happened to someone I know with a reasonably well-run but not super technical small business. Someone compromised the email account of their accounts receivable person, silently monitored it for a while, and then used it to send a few strategic requests to change the payment account. By the time my friend noticed and politely asked their customers (mid-size businesses all) “Why haven’t you paid this $50,000 bill?”, the hackers had made off with a few hundred thousand - a big deal to my friend, but not so much to law enforcement, who pretty much shrugged and said “Sucks to be you.”

Luckily, several of those customers theoretically had policies against changing payment directives without phone confirmation, which were not followed, so they are taking some shared responsibility for this.

There's a story about when Robert McNamara arrived at Ford. Accounting was in such disarray that they weighed their invoices and only checked them if X pounds was more than Y dollars. That must have been a scammer's paradise.

I worked for a megacorp and made friends with a guy who worked in the underground data centers at HQ. He'd end up with spare equipment and ask if I wanted it to play with.

He once offered me (with no witnesses) a check writing machine that was still loaded with a spool of thousands of blank corporate checks. Knowing what would be considered a rounding error with the billing & accounting systems there, I probably could have made off with a fair amount of loot. It still surprises me to this day that he didn't really realize what he had and what it could do, but then again he didn't get a lot of sunlight, so...

Maybe he was smarter than you give him credit for. He didn't directly ask you to collude in fraud, but he got as close as he could without implication.

I thought cyber insurance was a scam for a while, but our Beazley underwritten policy specifically covers us up to 100k of exactly this scenario.

I can recommend their portal/system so far, maybe it’s shit, I don’t think so though.

I'm surprised at the types of things you can get insurance for. I know one company that got hacked and data (no money) was exposed. There was an insurance payout (to the company) to pay for "fixing the digital infrastructure".

This is like saying: If you leave the door to your house open, and someone robs you, we will pay to show you how to lock your front door.

Except now imagine the same thing, only you are a blind man with no arms or legs.

> On Feb. 25, nearly a month later, the FBI assigned a special agent to the case. On March 3, the agent emailed Ms. Williams to say the U.S. attorney’s office in San Francisco had declined to open an investigation. He didn’t explain and the FBI hasn’t been in contact since, she said.

More and more people finally realizing the police don’t help them, one crime at a time.

So I recently started working in LE as an IT specialist. The biggest issue is that there's more criminals than there are LEOs/detectives. So often you have to choose between working a physical crime or a digital one. If someone gets robbed of $50 at gunpoint, that usually gets more attention than $600k stolen by hackers. The reason is that a robbery is deemed to have more impact on the victim.

So yes, not every crime gets investigated. No, it's not because they just don't feel like helping people.

Also, some people think there are different people working on these types of crimes. But because every criminal has a phone, a lot of work in physical crimes is digital. Therefore the amount of people working on digital crimes is small and they often work on really large cases, like Darknet markets etc.

I have never heard of the US police doing much more than taking a report for someone who was robbed of $50 either. In fact people get mugged/robbed of items that are much higher in value (phones, bicycles, etc) without investigation. My impression has been that if you're out by less than a few thousand dollars in value you might as well not bother.

Counterpoint: a friend in Brooklyn was mugged for only around $10 but almost immediately after ran into street police on patrol. They jumped in the car with him and summoned other local cars to catch the robbers successfully.

The police want to catch the bad guys too, but after 8 hrs has passed, it becomes virtually impossible to succeed.

If we're sharing anecdotes: a former schoolmate, also in NYC, had their phone stolen and was quite literally able to track the phone to the thief's home, but all the police did was take a report.

Hmmm. Maybe the problem is that the police are Luddites.

Maybe the problem is that legally, you can't just bust open a door if someone says: "my phone was stolen and is now in this location". Because especially in buildings, the location isn't always accurate, for example. Also, who says the phone was stolen and wasn't planted by the person filing the report? Who says it wasn't found by this person after the person who stole it threw it in some bushes?

Before you can bust down a door, you often need to do a lot of work. People tend to underestimate this greatly. And any hours spent on this one iPhone isn't spent catching rapists (for example). If only the issues were as simple to solve as people commenting here make it seem.

Yes, obviously, the police would need a warrant to actually enter the building.

But there was no attempt to get one, or even just to knock on the door. There was no attempt to do anything apart from record the fact that a crime had (allegedly) occurred. Which, no matter how understandable, is not exactly the pursuit of justice.

> And any hours spent on this one iPhone isn't spent catching rapists (for example).

Okay, so I understand that you have recently taken a job with law enforcement and I can see why you feel the need to defend your workplace but the point remains that objectively speaking, whether one thinks the US police is benevolent or malicious, they don't really do much for the vast majority of property crimes. It's simply not a priority, as you've inadvertently said yourself.

Plus law enforcement...doesn't exactly catch a lot of rapists either.

> It's simply not a priority, as you've inadvertently said yourself.

That wasn't inadvertent, that was precisely the point they're trying to make to you — resources aren't unlimited and thus need to be triaged.

This would be true even if law enforcement didn't completely suck for orthogonal reasons.

Given how popular it is to call a SWAT team on someone as a 'prank' I can't say I see too much truth in "Before you can bust down a door, you often need to do a lot of work."

The perceived emergency in the bogus 911 call adds some weight of course, but in lots of cases the Police seem far too gung ho to roll out heavy and bust down some doors. Not to say that it is an appropriate response to go raid a house in search of a reportedly stolen phone, but goddamn.

As you alluded to, I think telling the cops someone has your phone and telling the cops someone is about to shoot up a bunch of people should get different responses.

Now, I'm not saying cops don't abuse their power nor what response they should give to an "obviously" bogus threat, but even for a trigger happy cop, why bother with the risk for someone's phone when there are gonna be hundreds of "credible" threats? I doubt even a crooked cop would be willing to break the rules over someone's stolen phone.


Old roommate's company in SF - Car, bikes and computers. Car was stashed in Bayview & cops waited till they had enough backup to lock down the blocks around the house, thieves weren't there unfortunately.

> The police want to catch the bad guys too, but after 8 hrs has passed, it becomes virtually impossible to succeed.

There are places around the world with extremely wide rollout of CCTV cameras across the city, where the crime is recorded and police literally could trace a criminal back to his home. Yet even there police are often uninterested in doing more than providing victims of "petty" crime a copy of the police report for insurance purposes.

The $50 was an example, not a benchmark for when police do investigate. Like I said, there are more criminals than LEOs and this general hateful attitude towards LEOs doesn't really make people want to do that job. So if people want computer crimes to be solved, they should start motivating people to take those jobs instead of hating on people who are working hard to solve crimes.

Where do you find a position in the police force as an IT/computer forensics specialist? Everything I've researched indicated that I needed to join the FBI in order to focus on cyber crimes, and their agents are required to work a minimum of 50 hours per week, which is nuts.

> in order to focus on cyber crimes

That's the thing, I don't focus on cyber crimes, I focus on regular crime. There's always a digital aspect in crimes these days.

I can't tell you what you can join in the US, however, since that's not where I'm located. But it could be useful to check vacancies at local police forces, since they might also have positions for people with digital skill sets, just not cyber crime related, per se.

Who said anything about volunteering? Did you just want to post some more negativity?

> hateful attitude towards LEOs doesn't really make people want to do that job

Good people shouldn't do that job, because either they'll stop being good people (either by becoming like other police or not whistleblowing on bad police) or suffer the consequences (being forced out or retaliated against).

Taking as a starting point that the police are basically healthy people wearing a costume - what do you expect them to do in this circumstance?

They can't even be certain from the outset that a crime has been committed - maybe there is some sort of complicated fraud afoot. There is a soft cap on how much they can spend on this of a bit less than $600k, which is not that massive given the skillsets needed to track this down.

Why would the investigation budget be capped at $600k? Those criminals probably won't stop there and who knows for what they are using the profits.

Budget would be far under that in most cases unless there was tax evasion or physical violence involved.

Most of the time the criminal is in another country and the money is no longer in the US which is just a general nightmare to solve.

The secret is to be rich.

And here yet again an example of how the system is rigged against the poor and stacked in favor of the rich. If you have enough (and get stolen enough), then you get help, otherwise, too bad.

I understand that there’s a resources allocation problem here and the current solution is prioritizing bigger crimes. But given the resources of the victims, maybe the priorities should be inverted. Help the people that can’t pay for their own investigations, or just charge for the investigation services in proportion to the “size of the crime”.

What you want is to maximize the utility of the police, but then the policy question is how do you define utility. The people in power will of course tend to define it with a bias towards them and theirs.

Perhaps the crime should be looked at in context. Stealing $100 from a homeless person is equivalent to stealing $1,000 from an averagely salaried person.

The police don't care about you, they want promotions like most people do. Solving cases with big values helps, imagine trying to get promoted by solving petty crimes.

Man, this shit is depressing to read as someone who just joined LE and sees mostly people who really want to help victims.

Better get used to it; the police receive a lot of flak, left and right. Sometimes warranted, sometimes not. There are also people in whose interest it is that the population distrusts the police. Crooks, obviously. But also conspiracy theorists, foreign agents, etc. The trick is to still listen to constructive criticism while listening and empathizing to negative criticism.

As you said, limited manpower, expertise, time, and budget are an issue for law enforcement. Not just for US law enforcement. For law enforcement world-wide.

Police departments in major American cities have bigger budgets than almost every other country's military.

Police officers' earnings often rank in the top 1% of their communities.

Compare your city's police budget with their investments in communities and education and services - things that can actually make lives better and prevent the economic desperation that leads to crime.

An ounce of prevention is worth a pound of cure, and police are the very inefficient, violent cure.

Problem is, the truth of the matter varies a lot by country, region, city, precinct and by the people themselves.

There are police departments out there that are a valued contributor to the community, and there are some departments that seem to exist wholly to extract money and pain from the citizenry.

One bad apple spoils the bunch, unfortunately.

I think an order of magnitude (or three) increase in independent accountability of police across the board is the only way you'll see the trust start to rebuild, but certain organizations seem dead set against letting that ever happen.

I think it's more a case of the public not being aware of this non-investigation habit and not pressuring enough. At the same time I understand, there are so many issues on the table it's a wonder anything gets done at all. Priorities and all that.

You can argue in the opposite direction that stealing $1,000 should be prioritized because it gives more buying power to those criminal gangs and it finances more criminal activity than the $100.

Right, which is the current state of affairs. The problem is well known in OS scheduling. If you have jobs that are prioritized over others, and there is more work than workers as is the case with the police, you'll have lower-prioritized jobs that are NEVER executed.

I don't know how OSes solve these problems.


Round robin is one of the algorithms that may be employed by an OS to handle scheduling. The problem you're talking about is known as 'starvation'.

The frequent context switching is a source of inefficiency here: if you interrupt one job to switch to another, you've got to ditch everything in memory from job 1 and load a bunch of new data from disk for job 2. And then when you switch back to job 1, same deal. I'd imagine the same would apply, maybe even more so, for people.

It should be an inverse U curve. If the amount is relatively inconsequential or occurs in super high frequency then it should be ignored. But if you lose more than 5 million then it's kind of on you.

I'd estimate orgs with roughly 100k to 5 million in revenue it is mostly small players and assuming margins of 20% they are really only doing 20k to 1 million in profit/discretionary spending.

Add in a few factors like charity vs Inc, and it shouldn't be hard to narrow down who LE should assist.

Meanwhile the US oil pipeline gets hacked by an exposed password and the whole Federal Government comes in to fix the mess and agrees to spend more money.

Perhaps because that affects swaths of the population?

Well... the government couldn't even really fix anything besides catch the hackers. At the end of the day it was the limited scope of the attack and some preparation on the company's part that restored functionality as I understand it.

Alternatively, these industries are already heavily regulated including extensive safety regulations - so perhaps a basic level of security practices should also be required. We regulated how high of a ladder an employee can climb without safety equipment but we don't really do anything if a company reuses passwords, runs known vulnerable software, etc. Occasionally there are fines after the fact but that is too late.

Not just allocation, it's a quality problem too. The type of cops you need for street busts is not the type of cops you need when pursuing interstate (or even international) wire fraud. If your organization is historically unbalanced towards the former, changing towards the latter will take generations (and a lot of political capital).

I don't understand how this proves the system is rigged. Isn't the simple truth that jurisdictions are sacred and just because "somebody did something", doesn't mean that the other authorities are interested for a variety of reasons?

An NGO redeveloping an island and making 650k wires (ok, in three tranches) is not "poor" by any reasonable standard.

Exactly, so if they can’t get help, then what’s left for the rest?

It means only the top 5-10% are getting help. And probably most of them are not people but companies.

This isn't so much a story about the limits of law enforcement as it is about the reality that they don't expend much time investigating "small" crimes and their definition of small is surprisingly large to the average person.

> they don't expend much time investigating "small" crimes and their definition of small is surprisingly large to the average person.

On the other crime types, for example drug related, law enforcement seems to pay a lot of attention to the small-time criminals.

Drug-related offenses are often that of possession. It's not hard to investigate possession and it's not like the cops are going to ignore the gram of coke they just found in your pocket.

A lot of legwork and resources are expended to shake down enough members of society to come across that gram of coke, prosecute, and incarcerate.

The cost of prosecution could trivially run into thousands of dollars including public defenders, the cost of incarceration 36k per year.

A 5 year stint could run the people almost 200k to punish someone for hurting themselves by hurting them worse.

> it's not like the cops are going to ignore the gram of coke they just found in your pocket.

Why not? Seems like a waste of time and $. If they get the $50k or $650k back, they at least have a chance at civil forfeiture.

How are the cops going to catch someone in Russia, China, Iran, NK, or any of the other countries who turn a blind eye to cyber crime schemes? I doubt they will even be able to find a single person to arrest much less a real identity.

Drugs are right there in front of the cops most of the time.

I'm a bit surprised by this...

There are only a finite number of people who commit crimes like this, and if you can find them at any point after they have committed one or more crimes, you ought to be able to arrest them.

It therefore doesn't really matter the size of the crime - it still enables an arrest of someone who might be involved in large numbers of crimes both big and small, but that you couldn't arrest before for lack of evidence they are involved in crime.

In many cases smaller crimes will be less well concealed too (hiding stuff costs money, paying more middlemen costs money, not worth it for smaller crimes)

Yet they will arrest and prosecute to the full extent of the law someone who steals a $15 T-Shirt from JC Penney without blinking.

To be fair, that's because JC Penney does 95% of the work of apprehending and gathering evidence against the suspect. If they came to a small business that had a shirt shoplifted but did not apprehend the thief, and had no security cameras, they'd take the report and leave. Vast majority of police departments won't have time for that.

> Vast majority of police departments won't have time for that.

How much of that is because they won't allocate time for that but rather allocate time for a more profitable operation, like writing traffic citations?

Has there ever been a public accounting on what police departments spend their time on? My medium sized city spends about $500 million a year on police. That seems like a lot. It's the largest single expenditure.

That amount of theft is not illegal in California.

Are you mistaking the difference between legal and won’t be prosecuted?

It’s the latter. And not for nothing, but I don’t think that policy is working out so well for some businesses specifically in the Bay Area.


It's not that it's small. It's that the suspect is likely not in the jurisdiction and the money is likely out of the country.

I wonder if Frost Bank filed a Suspicious Activity Report for these transfers and whether or not they will face any enforcement actions. Having worked with quite a number of banks at this point, they all talk a big game about compliance but yet very few seem to actively mitigate these events. It's not Frost's only such issue: https://www.expressnews.com/business/local/article/Former-of...

But they are a fairly large bank so hard to say how they do relative to others for their volume.

SARs are no additional help in this situation as they would only report the fraudulently given information, and there is no aspect to this crime that would particularly interest the Treasury department.

It's not so much about helping the situation as it is identifying whether or not the bank is actively monitoring and mitigating money laundering (which this situation would technically fall under as the mule is laundering the money through the bank). If they are failing to identify and report these then it could face regulatory action.

I see. I’d be very surprised if those amounts didn’t generate the required SARs. KYC is also not foolproof.

Had a similar experience with IC3 and FBI though for a much lesser amount. It's nice that both exist but neither seem helpful for amounts that are meaningful to a small business, tens of thousands, but not meaningful at their level. Do any entities exist to try to help find justice for these smaller electronic financial crimes?

Investigate it yourself? Police don't have many powers available to them that aren't also available to the average citizen. Hire a private investigator if you don't want to put your own time in.

Investigation is not exactly the problem (as the article notes the non-profit investigated it themselves as well). Rather, the problem is enforcement. In our case, it was relatively easy to track the perpetrator. However, there is generally no provision allowing for vigilante justice in such situations. Going to another country to personally threaten one of their citizens over their financial crime will likely not have a productive result.

If you lay all the relevant evidence at the cops' feet they are going to be a lot more likely to carry through with the final step of arresting the person.

And then you find out the perpetrator comes from a criminal subculture and has more violent friends than you.

I feel like a bounty system for online crime might help. Let the free market figure out whether this is worth investigating / solving. Registered bounty hunters / investigators could take up the case and operate on it. I sense that a lot of investigation around this case could be done from the comfort of a warm armchair. The rest involves boots on the ground.

It's not $650k either, it's more like 10 or 20 x 650k. Why? These are criminals operating a business. They will do this again.

I'm a local law enforcement officer in California who investigates these. I love working on these cases, but there are tons of issues that stop them from being prosecuted successfully other than laziness. Ask me anything.

The wire transfer was made to someone. Why isn't that person / company on fire?

There are a couple reasons. Sometimes they are. However, the recipients are often also romance/work from home scam victims. It can be hard/impossible to prove their intent.

Best case scenario is, assuming they are in on it, that they are a money mule and will immediately split up the money, transfer it 5-10 times (sometimes to themselves, sometimes to other people), and after several jumps, it usually ends up as bitcoin, if you get that far.

Every single transfer of money requires going to a judge and getting a search warrant for the next account or accounts. Each search warrant takes several weeks to a couple months for the bank to respond. So if the money jumps 5 times, we are taking pages and pages of search warrants before we find out where the money truly went. Probably over a year. Probably into crypto. Probably overseas.

The prosecutors would love to prosecute the scammer, but are typically left with someone who just passed on the money and says they had no idea there was a scam happening.

A similar story from a few years ago:


It looks like they were able to recover much of the money, but at a cost of $250,000 in legal and banking fees:


This is literally fraud and maybe identity theft, isn't it?

And not even high tech, people used to do the exact same thing with paper cheques by mail.

There's a sending bank account, a receiving bank account and a digital trail. With the newer KYC laws, it should be easier to find the criminals.

Happens a lot in the UK and they don't do anything about it because the police has been defunded to hell.

I don't assume it is because the police had been defunded. I think the reality is that it is not worth anyone's time to follow up e.g. £100 theft when the bank will refund you. That could easily cost £5K+ to investigate and prosecute and if the thief doesn't really have anything, they can't get the money back anyway.

I had a motorbike jacket stolen once which contained my house keys and wallet. The police found the guy and he was fined £40 or something. I lost the £100 bike jacket and had to pay around £40 to get my keys recut. Was it really worth it?

I hate to look at things like this, but by getting a WSJ article and likely other press coverage out of this, there's a fairly good chance that the charity could view the loss as "fundraising" and see a positive return of investment.

Seems like an area that needs innovation to improve efficiency. Perhaps all transactions could be made electronic and reversible within 30 days? Maybe instead of mailing a check or doing a wire transfer something with two factor authentication is needed based on a physical token? Doesn't seem difficult to give your trusted partners and associates a USB key to make sure funds can not go to anyone else. Why is banking mostly not using 2FA already? Any place that can mail me a debit card can mail me a USB key. The card could BE the USB key.

Time to wake up, ban cryptocurrencies so this never happens again, then go back to sleep!

Interesting that the FBI guy pretty much outlined how to do this and get away with it. Just steal less than $1M from each victim.

I suppose the hardest part is recruiting the "money mules" to open the destination bank accounts.

The root problem here is that someone moved money/resources on the basis of an anonymous (i.e. unsigned) email. If you can't be sure where the email came from you really need to do a manual verification.

> The pair arrived in Odessa, near the border with New Mexico

No, it isn't.

> Authorities are unlikely to pursue a case unless the loss is at least half a million dollars

Note to future supervillain self: steal from widows and orphans in increments of $499,999.99.

Two things:

- No one is fooled by a penny. Do it in increments of $400,000.

- You need to prevent your thefts from being tied together; as soon as someone notices that you stole a small-time $400,000 from a widow AND another small-time $400,000 from an orphan, you've become a big-time $800,000 thief.

Separate corps and nominee directors it is. Biggest problem will be choosing which corporation provider and country to go with. It’s like they’re competing for my incorporating dollar.

