Organized crime is often imagined as something violent, chaotic, and obvious. But today, it looks far more polished than that. It operates like a multinational business, spread across borders, built on trust networks, specialization, and efficiency rather than brute force. This episode looks at how modern scams, fraud, and money laundering actually work and why they’re so hard to spot before serious damage is done.
My guest is Geoff White, an investigative journalist who has spent decades covering organized crime, cybercrime, and financial fraud. His reporting has appeared on BBC News, Sky News, The Sunday Times, and other major outlets, and he is also the creator of The Lazarus Heist, the hit podcast and book series exploring North Korea’s global hacking operations. His latest book, Rinsed, examines how technology has transformed the world of money laundering.
We talk about how modern criminal networks are structured, why scams now rely on patience and psychology rather than speed, and how money laundering functions as a service industry that quietly supports fraud at scale. The conversation also explores why victims are sometimes unknowingly used to move stolen funds, how urgency is weaponized to override judgment, and why slowing down remains one of the most effective defenses people have.
“Modern organized crime looks less like gangs and more like a legitimate business empire. They have office space, working hours, recruitment problems, and even experiments with AI.” - Geoff White
Show Notes:
- [01:08] Geoff shares his background and why the organized crime + technology overlap is where he’s spent his career.
- [02:52] Why longer-form work (books, podcasts) is often the only way to explain complex crimes that don’t fit into a quick news segment.
- [03:56] Old-school enforcement was violence; modern crime groups often can’t use that when partners are anonymous and overseas.
- [04:23] The trust networks holding global crime together can be more fragile than people assume.
- [05:06] The strange “trust inside crime” dynamic, especially in ransomware, where criminals must appear “reliable.”
- [06:18] Competition today looks more like corporate rivalry than street violence, especially in ransomware affiliate ecosystems.
- [07:41] Do these groups evolve from traditional cartels or arise from new tech-native criminals? Geoff says it depends on the region.
- [09:58] The skill split: elite coders build ransomware, while newer recruits use social engineering to get initial access.
- [11:34] Money laundering adapts fast with crypto, game currencies, NFTs, while the core “service business” model stays the same.
- [12:46] The “cost” of laundering: fees can be extreme for newcomers, and lower for experienced players with connections.
- [13:53] A disturbing case where victims are daisy-chained to launder money and reinforce the romance-scam illusion.
- [15:12] Why money mules are treated as disposable and how many don’t realize the seriousness until law enforcement shows up.
- [16:48] The tactic of letting victims withdraw a little money to make a platform feel legitimate, and why it works so well.
- [18:09] Geoff connects today’s tactics to classic con mechanics (“putting the mark on the send”) and the psychology behind it.
- [19:22] Geoff describes seeing an “escalator scam” firsthand: small payouts early, then pressure to pay to “unlock” higher earnings.
- [21:51] The scary shift is that scams now look polished and patient, stretching across multiple channels and weeks (or longer).
- [23:12] The more we “self-custody” money and identity online, the more security responsibility shifts onto individuals.
- [24:32] A major crypto seizure case raises a messy question when seized assets grow in value: who gets the upside?
- [28:46] Geoff’s practical defense: slow down on anything money-related, create space, and don’t let urgency steer decisions.
- [31:17] Why today’s scammers play the long game: months of relationship-building can lead to life-changing losses.
- [34:29] Repeat victimization: recovery scams and fake “investigators” often target people right after they’ve been hit.
- [36:08] “Traceable” doesn’t mean “recoverable”: why freezing and returning stolen crypto is legally and logistically hard.
- [38:44] UK reimbursement changes shift liability between sending and receiving banks, but there are tradeoffs and open questions.
- [41:28] Geoff reacts to US payment quirks (card taken away, tip written in pen) and why it still surprises outsiders.
- [45:11] Closing advice is to learn from other people’s stories and run “what would I do?” scenarios before a crisis hits.
Links and Resources:
- Geoff White
- Geoff White – LinkedIn
- Geoff White – Instagram
- Rinsed: From Cartels to Crypto: How the Tech Industry Washes Money for the World's Deadliest Crooks
- The Lazarus Heist
- Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global
Transcript:
Geoff, thank you so much for coming on the podcast today.
Thanks so much for having me. Cheers.
Looking forward to this conversation. Can you let me know and the guests know a little bit about your background, what you do, and why you do it?
Yeah, I'm an author, an investigative journalist, and what I cover is organized crime and technology. Whatever organized crime and tech crossover tends to be where I hang out. I've done a lot of stuff around cybersecurity, cybercrime, but also fraud and money laundering, various types of financial crime. In terms of why I do it, the honest answer is I just find it fascinating.
I find how organized crime gangs work and work together really super interesting. I say I'm interested in organized crime. I think more I'm interested in organized criminals. I'm always interested in the people behind this and how those people work and interact. And it really is like a legitimate business empire. These are, like, industries. They have office space. They work Monday to Friday. They have sick pay and holiday pay, and they have recruitment issues, and they're experimenting with AI. All the things you have in your normal business, they have on the organized crime side. But it's a super fascinating industry to cover.
Interesting. Is there a specific reason why you got involved in organized crime versus, I don't know, geopolitics or local weather or local issues? What was it about the organized crime that really kind of sparked your interest?
Yeah, I think I've covered cybersecurity for quite a long time at the UK broadcast. I worked for Channel 4 News, one of the big news programs in the UK, a daily news program, and I was covering technology for them. And firstly, I had this interest in how things work. I quite like getting my hands on something and looking under the hood and seeing how things operate. I naturally gravitated to these quite complex, quite intricate sort of stories and trying to get those on air every night, in a two-and-a-half minute, three-minute format. Very, very difficult to do.
Explaining some of these crimes, explaining Bitcoin alone in under three minutes, is extremely difficult. What I ended up doing was doing more investigative work, trying to do longer format pieces, eventually did books, I've done podcast series on this. That's what sort of motivated me to look at the organized crime side, because it is just so fascinating. I think one of the things that's changed about organized crime is that previously back in the day, you tended to know the organized crime people you're working with, you had a gang, you would go on London robbing banks, or New York, robbing, bullion, cars or whatever.
And if something went wrong, obviously, you don't sign a contract with each other to say, “Well, you're going to do this, and you're going to do that. And here's how much you're going to pay me.” If something goes wrong, you can't sue the other members of the crime gang. And so you've got to have some way of enforcing contracts, enforcing trust effectively. That was always violence. That was the answer: if you stitch me up, I'll break your legs. That's how it went.
The thing is with the modern organized crime world, and this is a financial crime, also cybercrime as well money laundering, is these gangs are distributed internationally. They do that deliberately to make it harder for law enforcement to catch up, which is an advantage for them. But it's also a disadvantage for them, because a lot of the time, they're working with people where they don't know where the other person is. Sometimes, particularly in cybercrime, they don't know who this other person is, or they've got a hacker handle that they're working with.
So if I don't know who you are, or where you are, I can't break your legs. The trust networks that tie together modern organized crime structures are really interesting, super intricate, and actually, I think quite a lot more vulnerable and tenuous than people might expect.
That has always kind of baffled me about this kind of international scope. Organized crime is this weird, “We're in this business of doing bad things, but we also have to trust each other.” Kind of like, for ransomware to work, “We're bad enough that we're going to ransom your stuff, but we're good enough that when you pay us, we're going to be honorable and give it back.”
It's this weird dynamic of trust and crime. Is there a whole lot of shifting alliances within these organized crime networks of like, “Well, we used to use this conglomeration for the phishing emails that go out and now they stiffed us and didn't give us our cut.” They didn't get a big enough cut. “Now we use this organization.”
Yeah. It's interesting. Again, comparing the traditional, the old ways and the new ways, not that old ways completely died out, but there's a whole new structure on top. Traditionally, if you look at drug, drug gangs, street, street-dealing drug gangs, you obviously have a certain amount of territory you cover with your dealers and you deal in that particular area. Most drug gangs know that their territory runs out at a certain point and another gang's territory takes over.
Gangs do come together. And this happens globally as well as just local level to carve up territory and say, “You do this, we do this. We do not want…we do always want to make money.” There are agreements made inevitably, something will happen, dealer will appear on a street, they're not supposed to appear on and drug war starts, and these things escalate. That's traditionally how it's happened. Physical territory is a big part of this. Obviously, with modern crimes, modern organized crimes, cyber security, cybercrime, financial crime as well.
It's not quite like that. You don't have those physical territories to fight over. The whole thing becomes a lot less physical. The war really between these crime gangs goes on a commercial level, in the same way that, you know, Google is trying to put out products that steal customers from Microsoft. It's a bit the same in what these modern organized financial crime empires where you can't bully the other person out of existence, you can't, as I say, often kill them off or threaten them.
You just have to out-compete them, particularly we've seen this in ransomware gangs. You know, ransomware is an incredibly competitive space. Because the affiliates who work for these ransomware gangs, the affiliates who spread the ransomware virus, well, they can use multiple different viruses, they can use the ransomware from this crowd or that crowd. Some of them work better and some of them work worse.
The ransomware people who create the ransomware have to appeal to these different operators and say, “Look, our ransomware is great; go with us. And by the way, the cut that we give you is good. And our ransomware works really well.” Intriguingly, in a lot of these organized crime, modern organized crime enterprises, the competition is less physical violence. It's more what we might know as corporate competition between these organizations.
Have these organizations grown up out of kind of existing drug cartels and crime families, or are these brand new operations that have sprung up from?
It's a really good question. It's not one that’s been asked before. Thinking of an answer out loud, but it sort of depends where you look. I mean, we've talked about ransomware gangs, encrypting people's data, charging the ransom to unscramble the data. Those gangs have been around the people behind them for many, many years. Some of these guys go back a good 20, maybe even 30 years just of earliest days of sort of hacking that came out of the post Soviet Union kind of era. They've got this long kind of history.
But a lot of people who are using that ransomware might be new entrants. We've also got quite a large global movement, it seems, of very young people. I mean, we've had arrests in the UK of 16, 17, 18-year-olds who are involved in these quite major cyber crimes. Inevitably, you get this influx of new people, because of course, new younger people understand technology a lot better than, Chris, you or I ever will.
And so you do get these new entrants. But you also get developments from people who've been in this kind of organized crime for a long time. I'm thinking particularly around Southeast Asia, we've seen the emergence of these scam compounds be familiar to a lot of your listeners, entire buildings dedicated to online scamming. The people who run those compounds and the research that's been done have been in organized crime for a very long time running all sort of drug and gambling-related schemes.
Again, as all the players see the advantage of these new types of crime, they're going to move into it. And you get this influx from the other side of, I say, school leavers who are really good from a technical point of view. So it's a real mixed picture.
Some of the components are the old school people, some of the components are the up-and-comers, and maybe something like the money laundering aspect. Well, the drug cartels have always had to deal with the gambling organizations have always had to do it. They have a much more robust kind of platform and methodology.
Yes, I think that's true to say. Again, looking at ransomware is a good example to look at the people who actually create those viruses and run those gangs as they are senior people who've had a very long career in cybercrime. However, in order to spread their ransomware, they need people who are going to hack into organizations, going to try loads of passwords, send the phishing emails, you need to just do the grunt work to hack in.
I think what we're seeing, broadly speaking, is a lot of the people doing the latter work and actually breaking into organizations to then deploy the ransomware. Those people are newer people, they have the gift of the gab, they can blag, they can steal passwords. It's technically a lower level of skill. You’re not a coder like a ransomware virus writer. But if you can phone up a help desk and just convince someone to give you a password for a couple of minutes.
You then rely on somebody who's got immense coding skills and can give you the ransomware and there are people out there who'll do it. We've got this interesting mix of skills that take years to build up, as I say, ransomware virus writing takes ages to build up, and then skills that you can acquire fairly quickly in terms of can you trick another human being into giving you a password for a few minutes. In money laundering as well, as you say, laundering has been around since organized crime was invented.
The idea of washing money. Money laundering is a fascinating industry because it does adapt to new needs. It's a very, very classic service industry, money laundering. The options money launderers have have grown. We’ve got, obviously, cryptocurrency now, we've got video game currency, we've got NFTs, all these new financial systems emerging. But for the money launderers, the game is just the same. It's like find the need, find the person who needs to wash their money, find a conduit to put it through and take some percentage off the top. That's still the game.
OK, so maybe you do or don't know this. What's the cost of money laundering these days? What's the percentage that the guy who's running that piece of the business gets as a cut?
Yes, it's a really good question. I mean, there's no sort of rate board. There’s no…they don't publish figures or generally, it's not that I've seen. You sort of go off what goes around in the industry. I've seen on dark web forums, I've seen costs of up to 60%. If you and I, Chris, went as first timers, we would pay that, and you’ve got to realize that's a huge cost to your business. If you're losing 60 cents on every dollar, to some contractor, some way you would try and get rid of that contractor or get another contract.
There's quite a lot of competition around money laundering. You can't see trying to drive that percentage down. Obviously, for more experienced money launderers, or people have better connections, you can push that percentage down to maybe 20, maybe 10%, something like that. But ideally, what you want to do if you can is take the money laundering in house. And that's what's fascinating about some of the fraud gangs I've looked at. There's one particular amazing case in the United States.
It was connected to a character called classic baggy, who hails from Nigeria. And his operation was fascinating, because what they did was they had romance fraud victims. You will have heard this of a lot older people generally who hang out on dating apps and get defrauded. It's a horrible, horrible crime. They also had corporate fraud victims, business email compromise, phoning up finance departments and saying, “Hey, our bank accounts changed. Please pay us into this new bank account.” Classic business compromise.
But what they did was they daisy chained the victims together. They'd have a victim of business email compromise who would send, I don't know, $500,000. But they'd get them to send it to a romance fraud victim. The romance fraud victim would receive the money. And A, they've laundered it because it's arrived in their bank account. And B, the romance fraud victim is then convinced that the person they've been chatting to online, this rich entrepreneur, is genuinely rich because he's just sent them $500,000. Daisy chaining the victims together achieved two purposes for the gang: it convinced the victims that the money was real, but it also helped them launder.
Effectively, the victims became the launderers. Integrating that money laundering together obviously helped them systemically in their crime. But also, it got rid of the overhead. They don't have to pay some guy somewhere to launder it. The victims have laundered it for them. Astonishing. A piece of work, really. Horrible and venal, but a real work of business genius that I think.
And it's also kind of decentralized their money laundering. It's not like all the money comes into one location and then it all goes out to—it’s just all flowing all over the place and probably makes it significantly more complicated for law enforcement to actually track.
It does and it doesn't. What I found is that the money laundering, certainly in that case and some other ones that I've looked at, money laundering, sort of mules, the kind of lower-level money laundering is sort of regarded as a sort of burnable commodity. You will get somebody, you will pay them some money. They will launder something. What that person doesn't know is that the police are almost certainly onto them. I mean, in the classic baggy case, the police were onto this guy who was laundering in the US. Guy called Mike Herman really quickly, and he gets convicted.
But of course, for the guy, classic baggy back in Nigeria, who's accused of being behind this, well, that's just one bloke. I can get another, I can get another, I can get another. These people become burnable commodities. I mean, the victims are inevitably burnable. The victim's a victim, but even the money mules and the money movers who are helping you on the ground, there's a certain extent to where you think, “Well, if that guy disappears, I'll just get somebody else.” It's interesting how that works.
That's kind of awful that the mules are disposable in some sense.
Yeah, eminently so.
For every mule that's out there, we can find 10 more that would be more than happy to take their cut or unknowingly take their cut and move along.
Because people don't understand how serious it is. I mean, they probably know it's a bit gray and a bit dodgy, but they have no idea that if you get caught for that, you're going down for a long time. For the money mules, they think, “Oh, yeah, it's a bit weird, this, but I'll just, yeah, I'll take the money, it'll be fine.” Then suddenly, they get the knock at the door. The scheme is revealed to them. They realize, “Oh, my god. I was enabling millions of dollars worth of crime to happen. I'm in deep trouble.” That tends to be how that goes.
They probably don’t. In a maybe even more terrestrial organized crime, you've got someone over you that you can flip on and hopefully negotiate your plea down. I suppose that's a lot more difficult in this kind of transnational, “Well, I thought it was my boyfriend who gave me the money.”
That is true. Actually, that is a very good point. Not one I thought of in that yeah, some of these people get recruited from overseas and you're right, you know, you can't flip and reveal anything about your boss because you don't, again, you don't know who your boss is. So yeah, that's interesting. I hadn't thought of that. It's a good point. It's a very good point.
“It's this guy I've met online and I've never actually met him in person, but he's been giving me lots of money.” I've started to hear that more and more often that as part of the confidence schemes that people are actually given money that the fake crypto platforms, they're now encouraged to take a little bit of their money out. It happens. That just applies to proof that, “Oh, this is legitimate.” Whatever sense that you have that it might be a scam kind of goes away because, “Well, I got some of my money back.”
It's a hugely important tactic and actually it dates back more than 100 years. There's a classic Hollywood film called The Sting. Did you ever watch The Sting? Yeah. The Sting was actually based on real events, or everything in The Sting actually happened into the 1920s America. It's what's called a big store game or big con game, vastly extravagant scam with dozens of people, you know, as actors, employers, actors to pull it off—just watch that film. Basically, it's the playbook of a big scam, a big, big con game.
And what's there's a really important step in. It's what's called putting the mark on the send. The mark is the victim of the scam. When you put the mark on the send, you give them a small amount of money, real money, and you send them away and you say, “Here's some money. Go away, spend a night in the hotel, come back tomorrow.” The psychological impact of putting the mark on the send is hugely significant because the victim walks away and thinks, “Well, I've got their money. This can't be a scam. They've given me their money.” And if you've done your mark well, if you've worked on your mark effectively, the mark will boomerang back. That's why you put the mark on the send because the mark will always come back. But there's a risk because obviously you have given them some of your money if they do walk away with it. I got involved in a really fascinating scam. It was an online thing where you signed up and it was reviewing hotel reviews, like doing hotel reviews would look like for Google.
I don't know whether there was anything behind this, but it would show you a picture of a hotel, you had to give it three stars or five or whatever, and then write a quick review. And I started doing this. I got tipped off to this by somebody else. And at the end of the day, they said, “Well done. You've done a day's work. You're due your,” I think it was 20, “$20.” And they said, “Where can we pay this to?” I thought, “Aha. Here we go. Here's where they get my account is.” No, I gave them a Wise account that I'd set up, which enabled me to give them payment details that didn't link to my personal details all through my work email address.
And sure enough, the money turned up in the Wise account. I withdrew it. The next day I did some more. They said, “Oh, well, today you've done well. You've done $50 worth of work. But if you want to unlock the next level, you need to pay $100, but then that gets you access to this level.” So what they'd done was I was the mark. Obviously, they put the mark on the send by giving me a small amount of money. But I genuinely had that amount of money. What they were doing was an escalator scam.
So they go up and up and up. And eventually, you're invested for $10,000. And they're telling you, “Oh, now you've unlocked $50,000 worth.” So gradually, they're increasing the leverage between what you've put in and what they've given out. And what I found fascinating about this was I just walked away with the money. I just had no interest. I just gained £20 quid out the whole thing. I gave it to charities, by the way. But I realized somebody somewhere in the gang must be running a spreadsheet looking at their leverage positions.
Because if too many people back out too early, you don't make enough money. You've got to keep people in and leverage them up. So how many people do you need to keep going and put in 10,000 to make up for all the people who leave and run away at the £100 stage? Somebody must be doing the maths and doing the numbers. I just found this fascinating. I really wanted to speak to them.
Well, I wonder if they're also selling it as a paid hotel review service, like they go to a hotel and say, “Hey, you know, for 20 bucks, we'll get you 50 reviews.” There's their break-even. They've got the money from the hotels for the fake reviews to pay you. Now they're break-even if you walk away.
That could be true. I'd assume the hotel review thing was just a fake. But actually, you're right. Maybe that was actually a part of their business as well, as well as getting people in. But yeah, it's fascinating. I've spoken to people, particularly with these crypto investment schemes, who've been escalated up so far. And even when they've lost everything—and we're talking about millions in some of the cases I've investigated.
There's this awful thing that the scammers do where they come back and say, “Oh, well, to get that million out, we need to pay some fees. You've got to pay another 100.” Even when they've cleaned them out for everything they have, they come back to sting them even more. It's absolutely appalling. But it's all a riff on this escalator scam thing, which I find really interesting, how you leverage somebody up, pay them a bit, but not enough that you're going to lose out. That's a fascinating calculation to me.
My experience is that the scammers, even in this conversation, the scammers are getting way more sophisticated than they were 20 years ago. Even five years ago, they're more sophisticated now. It's getting particularly scary if there's so much work being done to make it not look like a scam, that all the traditional warning signs are harder and harder to communicate to people. “Hey, watch out for this.” Well, they're not doing that. Or they've now offset this with this other thing. What is the normal person to do to not fall victim to these things?
Yeah, it is difficult. It is difficult. And one of the things that I was chatting to a police officer in the UK the other day, and this person mentioned this more as a thought experiment. I don't think this was police policy that he was coming out with. But he did say, “Look, previously, you would put your money in a bank, and the bank was responsible for security. And a small amount of your money would be taken by the bank because, well, we have to pay for the building and the security guard and CCTV cameras.”
And that was how it worked. There is this idea now of self-custody of our worth. And cryptocurrency is a large part of that, is don't give your money to the bank. Don't give your money to the government. Keep it yourself, self-custody. And this police officer was saying, “Well, then you have to actually spend some money on some security if you don't spend money.” So his reflection—and as I said, I don't think this was police policy.
He was sort of thinking out loud. He was saying, “Well, to what extent are police responsible for your private security?” If you want to stash all your money in a barn somewhere, and then it gets stolen, there would be a question of, “Well, did you sort of guard the barn? Did you protect it the way you would protect a bank? Because there's bank account money in there.” I thought that was an interesting thing. And we see that in a lot of ways.
The more power we have as consumers over our own money, even online banking, in our banking apps and so on, it's great, all this power. But with it comes this responsibility of you don't just take your money to the bank and leave it there and entrust them with all the security around it anymore. The more power we have over our money, the more on the hook we as consumers and individuals become for the security of it. And that's not always an easy lesson to learn. And we're not experts in security.
For the listener, there's the new business opportunity. It's providing security for people's personal crypto. That will become the new scam also. “Send us all your crypto and we'll protect it for you. Wink, wink, nudge, nudge.”
Exactly. Well, actually, it's interesting. I had a chat with the National Crime Agency the other day who investigated a case, an amazing case actually, of a Chinese woman who's scammed—I think 128,000 Chinese folks got scammed in this fraud that she did. She then went on the run and ended up in the UK, which is where the National Crime Agency managed to pick her up.
They seized, as a result of that, a huge amount of cryptocurrency that was taken out of this scam. The scam wasn't just crypto, but a lot of the proceeds of the scam ended up in crypto. That fund is now worth £4.25 billion. It's a giant, giant fund. And so there's now this legal battle over where that goes because the National Crime Agency in the UK could say, “Well, we seized it. I think that belongs to us.” But obviously, there's an acknowledgement that there's Chinese victims who need to be reimbursed.
There's a Chinese government. There's an army of lawyers now pursuing this through the high courts. And I sort of said, “Well, where's the money? Who owns the money now?” And the money has basically been put into the hands of a custody agent, basically, appointed by the court. And I just thought, “God, can you imagine being the person who's sitting on £4 billion with somebody else's money? I hope they’ve got good passwords.” That's all I see.
It's the wonky things to me go, well, if the crypto increases in value, who gets the increase in value?
Exactly. And this is fascinating, because this goes back to there was Mt. Gox, which was the original crypto exchange, which was hacked, I'd say 2010, something like that. And it's fascinating, because at the point it was hacked, the money was worth a million dollars or something like that. Obviously, as they trace this hack along, the value escalated massively, just giant sums.
When they started finding, they managed to find some Bitcoin that they dropped down the back of the sofa or something. And so they managed to get some back. And the victim said, “We won’t be reimbursing today's Bitcoin value.” And there was an argument say, “Well, hang on. You invested X amount of dollars into crypto. That’s what you gave us, and we put it into crypto. We will give you back the dollars in today's value.” But that's nowhere near worth what the Bitcoin is now worth. So with any of these custody cases and seizure cases, what you seize, when, how you hang on to it, and how you then give it back or dispose of it is really, really interesting, particularly with the sort of seesaw Bitcoin prices that we see, that's a really fascinating issue.
And it's probably orders of magnitude more complicated than that. Because, what if I, my initial contribution wasn't Bitcoin, but it was Ethereum, and Ethereum has dropped in value, but the bit, but it's now stored in Bitcoin, and that has increased in value? Do I get less money back now because I originally put it in as Ethereum, or whichever flavor of the day that you happen to have chosen?
Exactly.
It is a really fascinating thing to do with frozen assets. Yeah. And how it's redistributed back because you may not even know who all the victims are.
It's true. Yeah. And so do you then put it in some kind of escrow account again? Who custodies that? What currency is that in? It's not that these issues aren't new. We’ve always had things where somebody might steal some money in one jurisdiction and put it in a bank account. That we're kind of used to, but it's just escalated much more. Much more complexity around that. Obviously, the values, the fluctuations in values are just so much more in crypto than they ever were in fiat usually.
Yeah. For the individual man and woman on the street, what defenses do they have? Like, what are today's warning signs that you would say, “Here's what you need to watch out for”? Or conceptually, maybe it's not, “Hey, if the person winks and nudges, you know you run away, or they won't jump on a zoom call anymore, then you run away.” But yeah, a lot of the old warning signs just don't apply anymore. Can AI can overcome them? What are the concepts that people should watch out for?
Yeah, I think in the UK, we have this thing, it's like a one, two, three cup of tea rule. Basically, if you—because we're British, obviously, obsessed with tea. If somebody put anything to do with money, if somebody sort of asks you just give it a three seconds, go make a cup of tea, and then come back and go, “Wait, are they actually the bank? Is this actually my nephew on the phone or an email from my solicitor or whatever?”
That pausing and taking a second, I think we have to double down on that, increase and expand that. There's an entire industry out there putting pressure on us to do everything immediately. We've got used to that. It used to take three days for payments to clear, now it's just instant. I mean, this is all great, and we can instantly communicate with anybody around the world using a device in our pocket. I mean, that was like a Star Trek thing before that's now reality. We have this wonderful immediacy about the world and we don't have to wait.
But that gets used against us. It gets used against us by companies who want us to buy on impulse, but also gets used by fraudsters and scammers who settled into this world we have, where people make quick decisions and often quick and bad decisions. I think we have to push back against that. The more pressure comes on us to make quick decisions, the more we have to push back and say, “No, no. I don't have to make a quick decision on that.”
This applies to things like social media as well—disinformation, misinformation, malinformation. You don't have to reply to that thing now. You don't have to get back to that WhatsApp group now and put your two pennies’ worth in. You do not—you need to push back on that. We all need to push back on that. This goes along with some of the frauds and some of the cyber crimes that we're seeing. It used to be, as you say, back in the old days, Chris, there'd be a one-and-done email, a phishing email. “I'm a Nigerian prince. Please send me X amount of money.” All those things.
Then if you didn't reply, they just leave you. Again, with cybercrime, “Here's an attachment. Please open it. Urgent information.” If you didn't reply or open it, they just jog on. These days, there is, I think, more patience, ironically, on the scammers’ side to work on somebody, multiple messages through multiple channels. We see this with the kind of SIM swap activity where they've realized the scammers have realized getting somebody's phone is extremely useful.
They'll scam the other SIM, swap the phone, they’ll effectively take over the phone, and then start the scam elsewhere. We're seeing multiple channels being used. It seems to me to be a lot longer a game. It's not just that we have to be more patient and more questioning, more suspicious. Unfortunately, we have to be suspicious over a longer period of time, you could be in conversation with somebody for two or three weeks. And at the end of it, they try and scam you that during those two or three weeks, they might have got a lot of your trust, you might really believe them. Unfortunately, extra vigilance, more constant vigilance, more constant patience to push back on things and not make instant, quick decisions is what we have to do.
That's difficult, because the whole industry is telling us, “Decide now, decide now, click now, you can do it now, it's instant.” We have to push back on that and say no, nothing's instant in my world, I take my time. And understanding that the scammers and hackers and fraudsters will also take their time with you. It's unfortunate, it's not a great message to put out of be suspicious of everyone for a long time. But unfortunately, that's true. That's what we have to do.
Yeah, I've started hearing reports of people saying that it has taken that some of the romance scams have gone on for six, seven, eight, nine months before there's any discussion, there’s even a discussion of money. I'm like, wow, like, from a scammer’s perspective, that's a tremendous amount of investment and patience. Yeah. To cultivate that relationship for such a long period of time. Yeah, before even getting the person on, you know, before even finding out whether the person has assets.
But this is the thing that, you know, the classic baggy case I talked about earlier on. One of the accusations against that gang is a scam that took 18 months. And in the end, the victim paid $6.5 million. Now, $6.5 million. I think if I got that, I'd probably be set for life. Yeah. And I'm living in the UK where it's relatively expensive to live, right? Yeah. So think about that. Yes, you've taken 18 months of your life. But you've got your life's money, you've made your life's money. It's well worth putting it. I'd put in five years’ worth of time and effort on a victim. If I was a scammer, if I knew that I was going to get money out at the end that would basically see me for life, why not? It's your retirement plan.
But the other issue is that, like, once they get their big payout, they don't stop. It's like, “Well, I did this once. Now I can do it twice. Now I can do it 10 times.”
Very true. Very true.
Are you, like, have you seen a shift or an increase or decrease in those that once the person has been victimized, they're re-victimized? Is there a change going on there as well?
It's a good question. I don't have hard data on that. It would be remiss of me to say that I have. I know in the ransomware space, it's an interesting one, because the ransomware gang who got you can never come back and say, “Oh, we're going to get you again.” Because part of the deal is if you pay the ransom, it's like, “Well, we're going to leave you alone. Thank you for the money.” What they will do is pass you on to another gang, another ransomware gang, possibly composed of exactly the same people who will then hit you again.
We know this repeat victimization in ransomware, which makes perfect sense. If you scouted out a victim's territory and you know the ways in, you would hand that on, maybe sell it on to another gang. In terms of scamming and crypto scamming and so on, there's a couple of things to say about that. Number one, there is this process that's gone through by these gangs of escalation. It starts with maybe a fairly simple scam.
Certainly in the case that I mentioned earlier, the $6.5 million one, there were multiple levels and multiple stories. They took this victim through an incredible journey. The story they created was remarkable. It was a global—it was almost like a sort of a Hollywood film that they'd scripted. Again, in terms of taking one victim and sort of working on them again and again, that certainly happens. But the other thing that happens, and it's awful with these scams, is somebody having lost some money, they might get contacted by a law firm or somebody pretending to be the police or private investigator saying, “We can get your money back.”
That's often how you would retarget, you would sell on that victim sale. “I've just taken this victim for X million, but they're now really sore. They're going to want it back. If you contact them, they're going to be a juicy target for you to take even more money, to say, well, pay me $10,000 and I can get your money back for you.” There's multiple ways to retarget, unfortunately. Yeah.
Are you seeing from law enforcement, the odds of getting money back increasing, decreasing, staying the same, like legitimate recovery?
Yeah. It's a very good question. And it's a real mixed picture. Again, obviously, people have heard of cases, I mean, notably Colonial Pipeline, who were hit with a ransomware attack by the DarkSide ransomware gang and did successfully recover their money. Interestingly, though, as I remember, I think Colonial Pipeline paid some like 73 Bitcoin in ransom. I'm going to say I've got that number in my mind.
I think that might be correct, but don't quote me on it. When they paid it, it was worth X amount. And when they got the Bitcoin back, it was worth less. They'd actually lost on the Bitcoin market. But there you go. That's how these things go. There are cases where victims get back large amounts of money. However, at that point, I mean, you're talking about an attack on critical national infrastructure in the US that was hugely political, that was very, very public. The victim got their money back. The vast, vast majority of scams, in my experience, particularly crypto scams, are for small amounts of money and the victim just never gets their money back.
I mean, it's a story on the BBC today about a couple who lost a quarter of a million on a crypto asset. They can see the wallets that the money is in. Of course you can. If you've got a computer, you can trace Bitcoin transactions, but that's not recovering it. I do wish people would be more specific about this and smart about this. Tracing is different to freezing and recovering. If somebody steals my TV and runs down the street with it, I can see the person running away with my telly. That doesn't get me my telly back, does it?
When people talk about “crypto is traceable, it's useless for criminals,” that's different to freezing and recovering it. Freezing it, you need to get a court order, which means you need to know who you're enforcing the court order against and you need to get a court in that country to issue it. And then recovering it is another legal process on top because you've got to say, “Well, he's frozen it and now I can prove it's mine,” which, again, is difficult.
And the other thing is, as soon as you get crypto as a scammer, one of the things the laundering services will offer you is to stick that money into a thousand different crypto wallets. Well done. You've now got to get a thousand warrants against a thousand people if indeed you can find their names and recover from a thousand different wallets. That's part of how laundering works is you move the assets through all these different accounts, what's called layering in the money laundering world.
To answer your question, it's extremely difficult for law enforcement to go after those smaller cases. In bigger cases, like the one I mentioned, four billion pounds’ worth of crypto, they managed to get back. Yes, they did seize it, but those cases are not as common as I would like to see and a lot of victims do lose out a lot of money.
Yeah. I'm trying to recall here correctly. UK has now either has or is about to put in new laws for banks for money lost in kind of transfer, wire transfer scams, and things like that.
Yes.
Is that correct?
Yes, correct. There's a certain amount and offhand I can't remember what it is. There was a controversy about how much should be reimbursed. I think below a certain level—I’ve got my mind 80,000 pounds, but again, I could be wrong on that. You are covered up to that amount. There's also been an interesting change in the UK in that liability is now split between the sending and receiving financial institution. Because previously, of course, if it was only the sender that was worried about it, the receiver would be like, “Oh, we received the money. It went and why do we care?”
They're trying to sort of tie those two things together to make the recipient institution also liable. That's been an interesting change. How much difference that's made, I don't know. And there was a concern that you effectively inoculate victims because they think, “Well, if I do get scammed, I'll get the money back,” that kind of thing. I'm guilty at the shallow end of that myself, because if I'm on a website and I haven't really seen the website before, used it before, I'll often use my credit card to make that purchase.
Because I know that if it all goes wrong, the credit card company, you know, takes some of the liability. If you scale that up to the point where people are making dubious investments, thinking the bank will reimburse them, it will be fine. That's one thing. However, and again, I don't have data on this, but I just put myself through the thought process of somebody. You think, “Oh, well, I'll get the money back from my bank,” but you’ve still got to go ahead and get scammed.
I'm not sure whether users, you know, consumers, will genuinely just have a blasé attitude and think, “I'm just going to throw my money about because I'll get it back from the bank.” That's going to take some time and it's going to take a process. I'd be suspicious, I'd be skeptical if the public behaved like that. But it's fairly new. I haven't seen data on this, it'd be interesting to see how all that beds in.
If I'm buying something online, and it's a little bit dodgy. This just seems a little bit off. It's a small amount of money, and it's on a credit card. I usually don't give it a whole lot of thought. If it were $50,000 on a wire transfer, even if I thought I was insured or protected, it's still a big enough chunk of money that I'd be like, “I really need to do my due diligence, regardless of whether there's insurance.”
As I say, even if you think, “Oh, the bank will pay me it back,” you’ve got that thing of, “Well, when and how will they pay me?” I'd be surprised if consumers do. There's a model. They call it moral hazard. The consumer thinks on blasé about this. But again, we'll see how it beds in.
What, in personal conversations I communicate with people is, you know, don't use your debit card for anything, versus your credit card. Yeah, if there's fraud, and it's a fraudulent transaction on your debit card, the bank will get you your money back at some point. Yeah. But are you going to be able to pay your rent while it gets sorted out?
If it's on the credit card, it gets stopped before it hits your bank account, and it still might take a while to get sorted out, but you're not on the hook for it in the meantime. Yeah, yeah, I think that's it. When it's your bank account, you're on the hook for it in the short run. And that could be, you know, for most people, if you're a paycheck away from losing your place of living.
But what's interesting about that is, why do credit card companies do that? How are they able, credit card companies, to do that? Because they make money off of, you know, they charge you interest, they charge you for that. Part of that charge is to say, “Well, yeah, if it goes wrong, we're on the hook, because we officially made the purchase on your behalf.” Maybe banks move to that model of saying, “Well, yeah, if we're going to take on some liability for you making a bad decision, fine, but we aren't going to charge for that.” Maybe bank charges and fees and it feeds into that way of thinking, I don't know.
In the US, we're a little bit backwards here, chip and pin is, chip is new, pin doesn't even happen yet. I don't know why. But part of that migration was the banks then going to the merchants and saying, “If you don't go to chip, if you don't upgrade your hardware to support chips, and fraud happens, it's now on you as the merchant.” The liability is getting pushed further and further to the edge.
Yes, yeah. I have to say, as a reasonably regular visitor to the US, the lack of chip and pin is one thing. Use of checks is still apparently a thing in the US and there's massive fraud going on there. Also the idea that when I pay with my card, my card is taken away from me to somewhere else is swiped. When it comes back, there's a slip of paper where I fill out the tip and the total in pen and sign it and give it back. And apparently that's how much is going to get taken off the card. And I'm reliant on the person doing that to just do the tip that I suggested, rather than just making…this is baffling, the bits about American society to just baffle me, and that's one of them.
My wife and I have traveled abroad a lot. I think the first place we encountered where they brought the card reader to the table was in Canada. I was like, “They brought the card reader to the table. Like, that's really cool. Like, everybody should do that.” It's starting to happen. Maybe 10% of places here in the US now, if you go to a restaurant, your card never leaves your possession. But there is an insane amount of trust in what happens with that little piece of paper and that little piece of plastic.
And you think that that would have accelerated chip in the US but still, there's still a magnetic stripe on every card. As we wrap up here, any kind of parting advice for the consumer, I know we've talked about like, you've really got to slow down and take a breath and pause before kind of any financial transaction happens. Anything else before we wrap up?
No, the only thing I suggest, which I always suggest, is kind of putting yourself through. Hearing stories from other people is always traumatic. I hear a lot of stories from other people. What's useful about those stories, and if you're not hearing them from your friends and family, which probably are, start Googling, start listening to podcasts, start reading some articles. And whenever you see one of those awful stories, one thing you can do, and it's the only positive thing you can get out of that, is looking and thinking, “How would that happen to me? If that happened to me, what would I do?” That's why really good articles and good coverage will explain what happened to the victim, how it happened. You can glean from that and think, “Right. So if I have a mortgage in that way, or my bank savings are there, or I have some cryptocurrency stored in that kind of way…” never let a crisis go to waste. Always let somebody else's bad story help to make your story the good story.
That's what we can all do, I think. Just hear these stories, try and get to the bottom of what happened, and think of your own life and just sort of run it through as a scenario. It's like, “OK, if I did lose my phone, how do I get access to my bank? If somebody took my phone over, is that game over for me?” Just running through, as soon as you hear a scenario and somebody else's story, just run it against your own story and hopefully be a bit more secure in the end.
Yeah, try to reverse engineer it on yourself. What would catch my attention? Yeah. Was it those Taylor Swift tickets that were under market value or something else? If people want to find out more about you, or they've got a story they want to tell you, how can they find you?
Yeah, absolutely. Probably best on my website. It's Geoff, which is the weird U of P in spelling, it's G-E-O-F-F. Geoff White, like the color .tech, T-E-C-H, that's my website. You can find all my stuff there. I'm on LinkedIn as well. If people look up Geoff White on LinkedIn, I'm there as well.
What are the, I think you have two books at least?
I have three, actually. What are the three books? It's funny. The first book kind of has fallen off. It sort of seems to have fallen off the edge of the cliff. The three books, the first one was about cybercrime in general. It's called Crime Dot Com. The second one was called The Lazarus Heist. It's about North Korean hacking, how North Korea became a cyber superpower. Then Rinsed is the third one, the most recent one, which is all about money laundering and how tech is changing the world of money laundering.
Awesome. Geoff, thank you so much for coming on the podcast today. I super appreciate it.
Thanks for having me on. Really enjoyed it.







