Site icon Easy Prey Podcast

Crypto Fraud and Recovery Scams with Nick Smart

Easy Prey
“Anyone can fall victim to these scams. Anyone can get locked into it. Any number of ways it happens. What then happens is you get indexed in lists and you get targeted again for a recovery assistance scam.” - Nick Smart Click To Tweet

We are all being targeted by imposters on social media, websites, and dating sites. Once a person has been scammed, your information can be added to a database where criminals can purchase your data and then offer you “recovery assistance” from that scam. Today’s guest is Nick Smart. Nick has 18 years experience as a professional Intelligence and Security Analyst working for government agencies and private companies as well as experience as a compliance officer.

“If you’ve been a victim, speak up. Move fast and report it.” - Nick Smart Click To Tweet

Show Notes:

“It happens to the best of us. No one is immune.” - Nick Smart Click To Tweet

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Links and Resources:

Transcript:

Nick, thank you so much for coming on the Easy Prey Podcast today. 

Oh, thanks for having me, Chris. 

Can you tell myself and the audience a little bit about who you are and what you do?

Gladly. My name is Nick Smart. I am the Director of Blockchain Intelligence and Data for Crystal Blockchain. We're a blockchain intelligence company. What it means is we analyze transactions on the blockchain for suspicious activity and provide that as an alert to our clients and also help things like law enforcement track and trace funds on the various blockchains to exist. 

About myself, I guess I've been in crypto for about four years now. I'm a latecomer to space. Before that, I worked in IT security roles, and I was in the British military for 12 years. 

What got you interested in going into the crypto space blockchain space? 

I'll be honest, I started as a very much a massive cynic and I think that my general life outlook is of pessimism, which is always great for people around you. Certainly working in intelligence sometimes pays to be a bit pessimistic. Crypto specifically, I walked away from it. I didn't like a lot of the noise that was going on in space to begin with. I thought there were lots of outlandish claims being made. 

My sort of wake-up call moment, and what really got me interested in the technology, was the successful cooperation between law enforcement agencies taking down a child pornography website called Welcome to Video. There are some really fantastic write-ups of that in various books, which I strongly recommend people. Read Tracers in the Dark, I believe it's called, but it's definitely worth your time if you haven't read it. 

Cool. We're talking about fraud recovery scams. Let's kind of talk a little bit about the fraud and then we'll talk about recovery scams and kind of how to navigate between the two. What are some of the scams targeting people that are victims of? 

OK, we've got to first start with the origin. Why does crypto have this reputation for scams and fraud? Often, you hear lots of perceived high return on investments. Very few people are sensitive to the financial climate. There's patchy regulation globally, so people aren't always protected or potentially there's no supervision of the activities, which might cause people to go into it and think, “OK, whatever else.” 

The technology is not really that well understood widely and there's lots and lots of financial jargons thrown around it. There are lots and lots of crypto scams and opportunities for criminals to take advantage of people by using a combination of these different factors. I'm sure there are plenty more, but it's regulation, technology, and this idea of a high-return investment.

Anyone can fall victim to these scams. Anybody can sort of, like, get locked into it because there'll be an ad on a social media post, or a friend might refer to you, or you might be introduced to somebody on a dating website and they'll start talking to you about it. Any number of ways it happens and people fall victim to it. That just happens. 

What then happens is you get indexed in a list by the criminals and you get targeted again for a fun recovery scam. These are particularly nasty because not only have you been deceived once by the fraudster, you are now going to be deceived a second time and they're going to take more money from you when you are potentially desperate to get it back. It's nasty particularly for people who've been affected. It's a very difficult thing to get away. 

Let's use a real-world example, something that will probably result in, and if it has not already, a lot of recovery scams: the FTX collapse. For those who haven't read about it, there's plenty going on in the news about FTX and their collapse and how they allegedly, most likely, mismanaged a lot of their funds and resultantly, there was a run on the bank. The organization collapsed with $4 billion or $5 billion in missing assets, something to that extent. You've got $4 billion or $5 billion that people want to get a piece of. 

Yeah, exactly. I think people are impatient with crypto because the price is volatile and people want to act quickly, and they want to take their money now from the exchange. People are desperate. 

You often see, and FTX aside, whenever there's a major incident in crypto, if there's like a theft, if there is a widespread scam, or if there's an […] to FTX or Terra Luna I think happened before then as well, fairly quickly afterwards, particularly on social media platforms and generally on Twitter because that's where a lot of crypto is discussed, you'll start seeing in responses to the announcement by FTX or the announcement by the operator of the site that was hacked, “We'll get your money back for you. My friend, Cyber Chris, he'll get your money back.” There is actually one called Cyber Chris. I must say, it's not actually you.

I hope not. We'll be very clear, it's not me. 

There are lots and lots of people who jump up straight away. We were describing them as ambulance chasers, do you know what I mean? The old injury compensation lawyers, the same kind of idea, like, “We'll come and help you get your money back.” 

We need to sort of unpack slightly how desperate people are to return their money. You do read horror stories about how people who've lost it all for the market, but this is another type of issue where they've saved money, which technically, at least to them, they're still eligible to get back now. “We’ve got rent payments, we've got college to pay for, we've got COVID payment and I had a big medical bill to do. We need the money now.”

You've created this sense of urgency in a victim, which in a lot of other frauds, the criminals work really hard to try and convey a sense of urgency. They don't have to work so hard here because they've already got one. You're… Click To Tweet

You've created this sense of urgency in a victim, which in a lot of other frauds, the criminals work really hard to try and convey a sense of urgency. They don't have to work so hard here because they've already got one. You're already desperate. I also think it's proportional to the individual's own income when we were discussing this on the sidelines of a conversation. 

What's odd about scams or what's particularly nasty is the value of the scam is proportional to its victim. Whereas for some people who are wealthy, they may not miss $400 or $500 in a fraud. “[…] we're not going to treat ourselves to a couple of fancy meals or a weekend break this month,.” However your life goes. For some people, that might be the difference between feeding their children or not. That's where I feel like these front full recovery things really have that. They've already got the motivation to go to them in order to get the money back. 

If we work back to the fact that we talked at the start about the general patchy regulation, not necessarily a lack, particularly on consumer protection and the lack of understanding of the technology, it's very easy for somebody who's offering the ability to recover funds to say, “Hey, I've got your solution. Yeah, private key cracking. Yeah, I can do that.”

Irrespective of even with the advances in modern computers and the incredible speed of supercomputers, which would still take hundreds of thousands of years to crack the encryption used on a Bitcoin private key, they’ll claim to do the same thing with their MacBook Pro. Don't get me wrong, I'm an Apple fan, but it's not that good, man. You can't do it. 

Again, they can rely on the fact that people don't know and that's really what comes out here. It's a wider problem with the internet as well. People don't understand DNS poisoning. They don't understand about redirects or ad poisoning or that kind of stuff. They don't understand what's going on. They just think something's happened and they can't tell it. 

In the fund recovery scams, they've already got a captive audience who's desperate, might be a very desperate person. Imagine that scenario, you've lost $500 on FTQ. You thought you were going to turn it into $700 and half that money's for your food. “Now how do I eat? What should I do?” People are really desperate, and that's how these guys work. They're ruthless. 

The key I always look at is the urgency. There's emotion and authority. After a crypto exchange crash, you've got the urgency. “Gosh, I've got to pay my bills.” You've got the emotion because, “I've lost all this money.” Someone just has to come along and say, “Hey, I'm an expert in a field that you know nothing about.” They've got it. 

It's really well understood whenever there’s, like, a major incident, you instantly look for somebody in a uniform. Do you know what I mean? It's just built into you. When a building's on fire, you either don't care if it's a police officer, if it's a firefighter, a paramedic, it could be anybody in a uniform. It could be a McDonald's worker. You'd still look to them for a figurable authority to tell you what to do and you'll listen to it because you're so desperate. I feel that's the thing there. 

There are some other ways why this is more effective too. We have the desperation aspect. It's also the fact that the law enforcement's still catching up to not necessarily how to investigate this, because they're much, much better than they were at the outset, but how to do this under legislation, how to speak on these people who are doing it, and there's lots of motivation for a victim to look for a nonofficial source, particularly if it looks like an easy win. 

Also, in cases they might be suspicious of law enforcement. It might not sit in their ideology that they want to go to the police to get the money back. I'd rather get help from outside for whatever reason. Again, all of this is just more in the toolkit of the crypto-fraud recovery teams. 

Honestly, if someone came to me and said, “Hey, I lost $100 or $500 in,” let's specifically say a crypto-fraud, I wouldn't tell them to go to law enforcement because it's such a small amount of money that, at least here in the US, even if the police knew what to do and have a crypto unit, likely that's not enough money to interest them. I don't know that anyone would even suggest going to law enforcement. It makes sense that people would look for alternative venues.

Also, this idea of the seizures and the other legislation that law enforcement would use in various jurisdictions, because that regulation and the legislation hasn't quite caught all of the things yet and it's still new law maybe. It also means that maybe they're unwilling to go for any sort of action itself. We do have lots of understanding this is the case. They just don't know yet.

Are these kinds of recovery things specific to the crypto space or do they follow kind of as a result of other criminal activity?

No, they've been around for quite a while. I think as long as the fraud has been happening, the fund recovery has been set alongside it and things like binary options, trading, or forex trading, that's been frauds. There are plenty of other services that sprung up. Mostly probably operated by the same people, I think, ironically, have sprung up in the background to offer this kind of support.

Main difference with the crypto's recovery options is attorneys, and, “We have paperwork, and we're investigators, and we'll find it for you. We don't need to use that narrative entirely. I can now use a hacker for hire. We've got this guy who's inside the matrix. He can do it all, everything. He can just get your crypto back through technical stuff.”  

I even saw one advert once for a crypto service that claims expertise in C++ programming, which is fantastic. He's clearly one of the high-level languages, but he still has some serious skills there. I've never put that on a recovery thing. 

Again, people don't know what that means. He's a C++ programmer. He clearly must know what's going on. You Google C++ and you see what's written and then you're like, “Oh, wow. OK, this must be something that's going to be good.” That’s the two sides. 

These professionals—I say professional, I mean that in the loosest use of the term—but recovery services that say, “We can do the […], and we can get the money back.” They do have very convincing websites and very legitimate-looking domains, emails, and registrations and so on and so forth. Again, they ask for money and it's never returned. 

The same goes for the hacker for hire. They really like to put it out there, lots of videos of dark screens, scrolling green text, and someone's just probably running like a port scan on the whole internet to see what comes out to make it look interesting, that kind of stuff. They're pretty common. 

The way they fish for their prey is very different. Whereas the fund professional recovery services will show up in AdWords and that kind of stuff, they’ll be there as a listing on Google or something. 

The way they fish for their prey is very different. Whereas the fund professional recovery services will show up in AdWords and that kind of stuff, they’ll be there as a listing on Google or something. -Nick Smart Click To Tweet

The hacker for hire, generally what they'll do is they'll post a statement on one platform. For example, […] got hacked and I wrote down Twitter. Then someone will find it and then they'll say, “By the way, you want to speak to my friend?” This guy, Tim the hacker, or whatever his name is, and he'll find you his Instagram. Then they give you the Instagram, and then there's an email address and you can contact them and then you can start losing your money all over again, which is really quite sad, to be honest with you. 

The other thing, as well, is that when they claim to do the fund recoveries, particularly for the technical ones, you also then give them access to your whole device potentially. There's probably going to be some malware left on your device. They're probably going to use other tricks they have up their sleeves, like other forms of social engineering, to get you to do bank transfers or even just to steal the credentials from your devices, which is the other way they hit you.

It's not only you’re going to lose money from the crypto scam, and not only you're going to pay these guys to help you, but you're also going to be attacked again and again and again. They really don't care. Some of them are very convincing. They even have video testimonials or they've clearly paid somebody on a gig-working platform to record something, saying how great they are and it's all lies just to feed the narrative. 

It's funny, anytime I do an episode and we talk about crypto in one shape or form, on the YouTube videos, down in the comments, there will inevitably be a post about getting ahold of So-and-So on Instagram and he can help you recover your funds. It's amazing how fast those comments appear and how consistently those comments appear. Get them in the comments on the post, on Instagram, pointing them to Twitter accounts and vice versa. 

There are some really fantastic websites out there that do community monitoring of cryptocurrency addresses. Say you could put an address into search and you'll get a result like Bitcoin Abuse or Chainabuse, which is another TRM product, you'll get these things out there and they'll tell you this address has been used in a fraud and it's brilliant. In Bitcoin Abuse as well, the fund recovery guys are posting there too. 

Clearly that's where they're going after victims. Again, it's you search for your cryptocurrency deposit address where you sent the money to, and then all of a sudden, there you go again. We've now got one more time to say we've got more money from you. 

We were talking a little bit before we started recording. You’ve done some research into some of the recovery websites and we were talking about there's this thought that cryptocurrency is a hundred percent anonymous. It's untraceable. 

The public view of cryptocurrency is just that you put money here and it pops out some random place somewhere else in the world and no one can see what's going on. It's entirely a black box. That's not entirely correct, right? 

No, it's not. We have to sort of drill into here if anybody understands stages of money laundering, I'll use our references like terrorism financing. We have raise, store, move, and spend. Those are the four pillars of terrorism financing or any particular criminal activity. It's just how the raise is different and what it's spent on site is different. 

When you look at different asset scams, we have raised, we do the scam. Store, wherever it gets stored. It gets moved between various different parties, paying off people they have to. Then let's talk about spending. I want to convert cryptocurrency into a luxury good or service. In order to do that, I'm probably going to need currency and in fear of currency because that's still what's mostly required.

Most places that will allow you to convert your cryptocurrency into fear currency will have controls around that. By insistence of their financial partners, there will be insistence that KYC has done and their […] process and so on and so forth. It's difficult at that stage to do the cash out phase, which I guess is like the main all of this—to try and get fear currency from the crypto that you've taken in the first place. 

Why is this important? It's because when you do the raise stage, I don't mean to rant on purpose, of that sort of like process, you are distributing to your victims the address you want to receive payment in.

Then every movement in that chain onwards, if it's written to a public blockchain—and there are private ones, so there is Monero, for example, which is privacy enhanced, you can't track between two points. Certainly for Bitcoin, Ethereum, or any of the major big crypto or big well-known blockchains, you can follow it between different points and you can see where it goes up to.

We can track from the point of raising all the way through to where it gets converted and it's this area of conversion where there is opportunity for us to learn potentially who is behind it. 

Now, that doesn't mean that the criminal can't come up with ways of getting around that. For time eternal, they've found ways of deceiving financial institutions about who the real person doing business is. It's not like we've now tracked the money and we don't need to do KYC anymore. We still need to do that and we still need to keep on top of them. We still need to watch out for fraud at that end. But the point is we can link a payment from one location to another. 

When we look at the scale of how these operations generally work, in some cases they are highly sophisticated, but the bread and butter ones, the ones that are most common are typically smaller sites that may last for a few weeks before they ever get taken down or they haven't got enough victims. They collate maybe $3000 or $4000 and then they funnel this money into a few clusters of addresses and then that one gets sent on forward. It's possible to start drawing these things together. It's possible to start linking together groups of individuals and activities thanks to the blockchain. 

You can doubt the technology, and there are some fairly convincing arguments about why the technology is […], but if you doubt the idea that we can actually track a payment from a victim to a wallet and then we might be able to detect other victims and we might be able to find sites belonging to other people we didn't even know about. That's a really powerful way of looking at this. 

It does find the face of anonymity. It's not anonymous, it's pseudo-anonymous. We also know at some stage they're going to want to swap it to something else. They're going to want to get the fear currency you can. You can in some places, but it's very difficult to go and buy a house entirely in crypto assets. Even if you do, you're gonna get asked a lot of questions, like where does this money come from? If your real estate agent uses a tool like a transaction monitoring tool, they're going to reject your money. You still need to go through a lengthy process to do that. 

Tesla is accepting Dogecoin. I think at some point you could actually buy a car. You can't currently, but let's say you could, it's not like if the criminal bought a Tesla and the FBI goes to Tesla and says, “Who bought this car?” “We see this transaction.” Of course, Tesla's going to turn over the information. 

Yeah, of course it is. I think one of the things we can say about the crypto asset industry generally is it's hyper scrutinized, I think. I don't say that lightly. We scrutinize our financial institutions, but a lot of it is opaque and we only find out about what's been going on and who they've been receiving money from after the fact. 

There's some fairly severe penalties for money laundering, for example for Danske Bank, Deutsche Bank, and HSBC, to name three. Many other international banks have had heavy penalties for money that have come from dubious sources. They had KYC programs, they had compliance programs, but they still got caught. 

The reality is with crypto, we can see very quickly which exchanges are receiving money directly from drug marketplaces, or child pornography websites, or just general frauds. That does mean it's hyper transparent. I don't think that's necessarily a bad thing. I think that means that there's more work on the exchanges front to be better. If they really want to be in the respected institutions that they are, they need to be on top of it, but I think it is a hyper-transparent industry. 

The blockchain is the blockchain. The announcement, I think it was last week of Bitzlato, which was a Hong Kong-headquartered cryptocurrency exchange that was mainly serving Russian users. You could look on the blockchain and if you have an analytics tool, you can see where the money's coming from. You can see they received a large amount of payments from a larger marketplace. A prolific eastern European CS region, drug marketplace. You can see that they received money from ransomware groups. 

We can also read on dark web forums between criminals talking to each other in Russian that, “Actually, we like Bitzlato because we can get passed their KYC. We just send them some fake docents and they let us go.” Even though they've known the transactions come from a dark place, they just ignored it. It's out there and I think that's what's kind of sad about crypto more broadly. 

It is a transparency tool and public trust can be improved by transparency as we know that from corporate ownership records, but we also need—I won't say give them an easy time—to stop shouting, “It's all drugs. It's all legal.” It's all everything else when we can see that they're actually working really hard to do something about this. 

Just for clarity, for those who are listening, I know the term, but what does KYC stand for in the banking institution?

KYC is know your customer. At its most primitive description, it would be providing identity documents and some proof of your salary or your income to the bank. What this is used for is basically to build up an idea of who you are as a client so the bank knows what to expect from you. The financial institution knows what to expect from you. 

If I go into a private bank and I bring in my pay slip, and I bring in my identity documents, they've got a record that was me, and then if I say that I'm an office cleaner and I make $2000 a month. If I suddenly start having payments of $20,000 into my bank account every month, they're going to ask what the hell's going on? I suppose primitive, that's what KYC is and what it's used for. It's to understand who your client is. 

That's basically a system to reduce fraudulent transactions and things like that. 

[…] cybersecurity we are looking at. There are things where you buy a firewall. What does it do? It keeps bad links out? But it also helps you detect them when they're in. The firewall might stop most of the attacks, but you also want to have some logging and monitoring in the background that says if something does happen, we know where they've been and what they've done.  

KYC is kind of like that too. Not only is it good for maybe acting as a low-level deterrent because fake IDs happen and stolen IDs also happen. It's also effective if something does happen and we ask the question, we can start providing information on who this person might have been and what they were doing on our platform.

For someone who's listening who has lost money to a romance scam, they've lost money on FTX or some other exchange which has crashed, and they hear someone saying, “Hey, I can help you get a portion of your money back,” what should they do? 

Engage cynicism and pessimism and take it with a pinch of salt. I think one of the first things they should do, and I think anybody involved in countering fraud or discussing fraud needs to be aware of, is we need to try and lift the stigma around people who've been victims. 

We need to try and lift the stigma around people who've been victims. -Nick Smart Click To Tweet

I think romance fraud is a really good example. People who've been fooled in romance frauds and they've basically learned to trust somebody and formed an emotional connection with them to the point where they're happy to part with money. They may have been lonely, they may have worked a lot of things in this relationship, and now they've discovered that not only is the person who was doing it not acting in their best interest, they've now stolen their money too, which is  the problem financially. We really need to try and lift this stigma around it.

What I'd say is if you've been a victim, speak up, report it, and tell people who can help. The best way you can do that, I would say in crypto, is move fast. -Nick Smart Click To Tweet

What I'd say is if you've been a victim, speak up, report it, and tell people who can help. The best way you can do that, I would say in crypto, is move fast. Report it on the Chainabuse, blockchain abuse websites, and so on and so forth. Put the thing out there and say, “This is what's happened.” Advertise what's going on. Also keep records of what happened. If it was on a dating app or platform, let the provider know what's going on. Maybe they can do something about the account. Also, preserve the evidence.

When it comes to fund recovery options, the first thing first is I'll dispel a couple of technical myths that go out there: it's not possible to hack a private key. You can't get control of a private key to then redistribute the funds back to your account. It's not going to happen that way. The way in which a recovery would usually work is we will identify where the money's gone to and then it'll be stopped there or it can be noted that it's there. When it does try to move again, then we can do something about it. That's generally how a recovery works.

I wouldn't want to recommend specific services or providers. Many blockchain intelligence companies, including ours, have an investigations team. It's provided with a cost. You have to pay for that service, but we're a company that has tools, technology, and skills to do this. There are cowboys out there who will claim to do the same thing, and generally, there's nothing to stop them at the moment. There's no charter or there's no block in place to stop them from working that way. That’s my first protocol for that. 

The other thing to do as well is, of course, speak to your law enforcement. Speak to local law enforcement. Tell them what's happened. Make sure you put a record down on there and maybe something can be done. I think the other thing too is that it won't be a fast process, and I think I don't have tons of experience in asset recovery myself. It's not my forte, but certainly from many of the people I've spoken to in the industry and I've met since being in crypto assets is that asset recovery is not a fast process. 

It takes a long time to, in traditional asset recovery, locate the assets. In crypto's case, get the law to go through to get the courts to do what they need to do. It's possible, but it does take time. Maybe that's the thing there. 

I suppose another one would be—let’s use FTX as an example—the US government has stepped in and has seized some assets and has said, “We will be returning some of those assets to some people under specific circumstances.” The government is not going to ask you to pay the FBI in order to get a portion of your assets. If it's anyone approaching you from the government and saying, “Give us money so we can release your assets to it,” that's definitely a scam.

Yeah, exactly. To be honest, you already paid the FBI. If you pay taxes, you've already paid their salaries. They don't need any more money from you to do that job. You've already made your investment with those guys and that's really how it is. 

There are private companies that do that. There are law firms and something that we are advocating for is more class action against frauds, particularly the lower level frauds. The more people who get involved in a class action potentially the more likely you are to get smaller amounts of money back in part of a bigger deal. 

I do think a lot of it comes down to civil courts rather than criminals. We have to be pragmatic, maybe, and think that as much as we want to send the guys who are doing this to prison, some of them sit in jurisdictions we can't get near to. A more pragmatic view is, “OK, well, maybe we can get your money back at least and that will be done through a civil recovery or a civil prosecution.”

That does come with cost. That does come with, again, more time and more resources. For example, losing $500, that's going to cost you a lot more than $500 to do a civil recovery. It's going to cost a lot more and it'd be more than you would want to. You'd spend a lot more than the $500 you'd lost in the first place. The economics doesn't work. 

If there are enough of you and somebody takes this on like, “OK, how many of these frauds can we link together? How many of these people, of these websites, can draw together as one big group?” Maybe something can then be done at that level and say, “OK, right. That's that.” 

I'll also add that exchanges are quite responsive to frauds. There is a dedicated investigations team in all the big, regulated, or at least attempting regulated exchanges. They all have pretty good stuff. They are the household names, they are the Krakens, the Coinbase, the Binances. They set their resources properly because again, as an industry, it's an existential crisis.

If everyone says, “Everything about cryptocurrency is a scam” continuously is fact through reputation. We had it five years ago when cryptocurrency was drugs and cryptocurrency is now fraud. I don't know what it'll be next, but it'll be something. Just saying something over and over again doesn't make it true. 

Exchanges will work with you or will try and help you if they know the money's come to them. If you know an address belongs to Binance, Coinbase, or Kraken, you can tell them. I can't say on their behalf what they'll do, but they're generally quite responsive to your complaints. They're not just going to walk away from it because they know the problems. 

They have an interest in self-regulating. 

Yeah, absolutely. In a market that's had a kick for trust, mainly due to a couple of fairly big incidents last year with the Terra Luna collapse and what's happened with FTX, but the market then has lost trust. They're incentivized to try and rebuild it. In order to do that, they know full well that you can't just ignore your clients or not ignore people who've got complaints to you. You need to cooperate. 

From our side, we see that they generally do, but again, individual experiences may vary. I don't want to comment on any circumstance specifically.

Earlier you talked about reducing the stigma of fraud and cybercrime victims. I've been trying to do a better job of it by asking my guest, have you been a victim of fraud or cyber crime? 

Directly myself, no. I think I'm very fortunate, but now I've said that I'm probably going to have something come my way. I'll knock on wood and see how we get on. I do remember an incident. We were doing a presentation to a group of regulators from a national bank. My colleague was setting up a demonstration and he wanted to show how a mixer worked. We thought we would show practically how it worked by sending a small amount of money to a known mixing service and then see it get mixed and then watch how it goes around or whatever else. 

Turns out that the place he sent the money to wasn't an actual mixer, it was a fraud. He lost his $40 or whatever else in front of a room full of people who you're trying to impress with a well-rehearsed demonstration. It was actually a fraud or wrong. How do we not know this? It looked kind of silly. 

I'd also know it happens to the best of us. Nobody's immune to this. The crux has always got some way of enticing you in. Everyone's got a particular thing, they'll just keep […] until they find it.

It's kind of the same way that you look at anti-terrorism and terrorism. The terrorists only have to get it right once, but the people that are affording the protection, you have to get it right 100% of the time. 

You can't miss because the impact to you of getting it wrong is far greater cost than whatever happens from the other side. I think it's an interesting parallel too to call to use the word terrorism because fraud has a lot of the hallmarks of how terrorism works. People are generally frightened, especially fund recovery, into activity. They're terrified that I'm never going to get my money back. 

I'll go back to the example we talked about the person's romance-for-investment fraud. They call it pig butchering now. I think that's disgusting. I think it's a really horrible term. Again, we're now insulting the victims. We're not being compassionate at all about them.

I understand it's easy to say and it's not as nice as romance-for-investment fraud, or confidence fraud, or whatever you want to call it. But let's be nice to the people who've had this happen to them, please.

The thing in those particular instances is these people feel genuinely affected. They aren't just going away from it. They're generally upset about everything that's happened to them. They've lost twice. They've lost a relationship and they've lost money. How do you recover from that? 

I think the challenge that most people don't understand is there's two aspects to being a victim of a fraud or a scam. There's the financial cost and then the emotional relational cost. “OK, I may be able to afford to lose the monetary amount, but now I've got this innate distrust of people. I told my family members, ‘No, it couldn't possibly be a scam.’ Now I've put a wedge in my relationships.” There's a lot of cascading issues. 

You just reminded me another story about loss of trust. It's not related to cryptocurrency. My parents are quite old, not that old, but they're old. The banks that they use back in the UK changed their websites and they had been consuming like all these reports of they're out to get you, whatever else. 

They went to the length of taking the website, on a tablet, into a brick-and-mortar branch, the actual building, to show the teller, “This is what your website looks like now,” because they were that frightened of being defrauded again. This is the kind of impact this is having on people's behavior. It may be frightening, and as you said, do you trust anyone again? “What happens? How am I going to get out of this? How am I going to rationalize this to myself?” 

As you said a lot of the frauds that happen generally, I'm sure you're aware, affect communities of people. It'd be like a religious group, and particularly a minority group. You might have a stronger trust for your friends and family. You might be recommended a fraud from a friend and you trust them because they're part of your group or whatever else.

What happens when it's unearthed? What happens when it's found out? All that trust is broken. All of a sudden, it's like you were the one who told us all it's going to be alright. You were the one who said we were going to be making money and we were going to have a great life. Now you are the villain.

I have heard a story from last week of somebody who took their own life because of a romance fraud, because of the situation they're going into. This isn't little.

Also, it's highly embarrassing. I kind of look at them as similar-type magic tricks. There's that famous magician, James Randi, who's a very prominent skeptic as well. He sort of says like, “The difference between a scam and a magic trick is a magic trick, I'm going to tell you a lie and you're going to believe me, but we both know it's a lie. Whereas with a fraud, you're going to lie to me and I'm not going to tell you.” 

The feeling afterwards is very different. You'll laugh about a magic trick or maybe you'll find it interesting or something. For a fraud, it's hollow. “How can I be so stupid?” That self-loathing must really flow within those people. We don't help by calling it things like pig butchering. We don't help by putting a stigma to it. 

We need to allow people to come forward and say, “OK, you've had money stolen from you. These guys are clever. They know what they're doing. They target you for specific reasons. In the case of fund recovery, they've got you already, you're desperate. You acted fast because you felt you had to.”  

I think it would go a long way for people to take this off them and say it's a problem, but we can solve it. It's not the end of the world. We can deal with it. But again, that's very little consolation to people who have lost large amounts of money. At least maybe the people who can help come forward and offer information and cooperate with people to sort of shut these guys down will be a little bit […] what's coming. 

As we wrap up here, you mentioned some blockchain abuse websites, but you did not provide any specifics. Can you provide a couple specific ones that we can add to the show notes so people can go if they're interested in checking out an address, they can do that.

We offer a blockchain explorer on our website. You won't get any reputation about addresses there, but you can report abuse of addresses to us directly. There's a button on the website. You'll have to browse and find it, but it's there. 

There is also bitcoinabuse.com which is for reporting Bitcoin abuse addresses. It is a competitor's product, but I do like it myself. I think it's a good initiative. There's Chainabuse, which is by TRM, which allows you to sign up for an account and report the abuse of various addresses on the blockchain. There are various other formats and forms to do that. What I'd say is, though, is by offering this information directly to a blockchain analytics provider, whoever it might be, you get that one step closer.

If we go back to what we said before about that flow of funds, like raise, store, move, spend. If at the spend phase, if at the stage where the criminal goes to convert the money from cryptocurrency to fee, it's known that the address that they received the money from was used in a fraud and the exchange at the other end sees that, they can freeze the account. They will file a suspicious transaction report and maybe that's just one step closer to catching the people who are doing this. 

They're not invincible. They're not immune to this. They will get caught and then their day is coming, and I really hope to speed that up, but really, we need people to get forward and volunteer that information, particularly, “These are the addresses that they use to take the money from us. These are the websites that they used.” If we can link those two pieces of information together, we can absolutely have a much bigger impact on these guys because you take away the payment infrastructure, and without that, they aren't able to do what they do.

On the other side, we can freeze the funds on the exchanges. When they come to cash out and they're stuck, they can't do anything about it. They've just wasted all their time and resources. 

I think that's good because it makes me think that I periodically get the random sextortion email and it contains a wallet address. I need to be in the habit of whenever I get one of those emails, report the wallet address. 

Absolutely. I think a lot of mail screen providers do offer that information as well. A lot of that is sent and added to those chain abuse sites or is even packed up and sent out. Imagine a blockchain is a photograph. You're looking down on space, on the ground, you can see there are buildings, you can see there are roads, you can see there are rivers and trees and whatever else. What a blockchain analytics tool does is it says, “OK, that building there, that's the bank. That's another bank, that's the shops, that's this, and that's that.” We label those parts. 

What you can do as individuals is you can help us label the other buildings because you see them. You say, “Oh, that's like a really shady bit of town.” You can put a pin in that and we can say, “OK, anything that comes from there, any cars that drive from that road to the bank, we want to know who's driving them.” That's how this works properly.

It takes a community to sort of shut this down. We can do a lot that we do at the moment, but we are a team. We're a small team compared to the enormity of the people we're fighting against. However, if everybody reports out every single time they have a scam or a fraud that happens to them, that address gets reported. We get one more point on the chain or one more marker for our clients and law enforcement to sort of pursue them and say, “OK, we know who they were. Now we can go after them properly.” At the least we can shut down their accounts or get it frozen. In the best case, we can get them sent to prison.

Awesome. If people want to find out more about you, where can they find you?

I'm on LinkedIn, Nick Smart. There aren't that many of us, but I'm there. Also, you can go to crystalblockchain.com, which is our company website. We have blogs and insights. We wrote some really interesting stuff recently about the […] seizures by the US government and other law enforcement agencies around the world. 

We also write bits and pieces around. Again, we've got a really exciting thing coming out soon on romance fraud more generally, which is quite interesting, including some material that we have obtained through leaks of a criminal’s computer, which we found. It's like a script they would use for romance frauds. It's quite interesting. 

Just generally around, sometimes in the crypto media myself, I've been on a few publications there, but more than happy to sort of entertain the conversation. If people have general questions, just shoot us an email and we can talk. 

Great. Nick, thank you so much for coming on the Easy Prey Podcast today.

Thank you so much, Chris. It's great being here.

Exit mobile version