Fincrime Briefing: UBS pays to settle laundering probe, U.S., South Korea take down largest crypto-fueled child exploitation site, DOJ guidance on fines when you can’t pay, and more

By Brian Monroe
bmonroe@acfcs.org
October 17, 2019

Quote of the Day: “To be yourself in a world that is constantly trying to make you something else is the greatest accomplishment.” – Ralph Waldo Emerson

In today’s ACFCS Fincrime Briefing: UBS pays more than 10 million euros to settle a tax and laundering probe; the U.S., South Korea, Chainalysis and others team up to take down a crypto-enabled darknet market exploiting children, one of the world’s largest; DOJ offers a peek behind the penalty negotiating curtain for fines against firms that say they can’t pay; and more.

Please enjoy this unlocked story, part of the many benefits of being an ACFCS member. 

Want to talk about industry trends, story ideas or get published? Feel free to reach out to ACFCS Vice President of Content Brian Monroe at the email address above. Now, on to more sweet sweet content! 

Enforcement

UBS pays $11 million to settle Italian money laundering probe, tied to tax fracas 

An Italian judge has accepted a request by UBS to pay more than 10 million euros ($11 million) to settle a money-laundering investigation, ending one of the Swiss bank’s biggest legal headaches in Europe, just the latest in a series of international probes and settlements tied to financial crime and compliance failures.

UBS has been grappling with two separate probes in Italy and a court case in France over allegations it enabled cross-border tax cheats to hide assets in Switzerland.

The judge on Thursday accepted the payment of 2.125 million euros as “agreed penalty” to close the case while also seizing 8.175 million euros as profit from the alleged money-laundering, two sources with direct knowledge of the matter said.

The settlement, which by Italian law is not an admission of guilt, was requested by UBS in July, after a deal with Italian prosecutors.

Last June, the Swiss bank paid 101 million euros to settle its other Italian case, a related financial investigation, with tax authorities.

In the criminal probe, prosecutors had alleged unidentified UBS managers were responsible for money-laundering because they invested client funds that were the fruit of tax evasion.

Last July, the Swiss Supreme Court ruled that data on 40,000 UBS clients had to be handed to French tax authorities in a landmark case that could set a precedent for foreign governments seeking information from Swiss banks.

In France, UBS is appealing a 4.5 billion euro penalty for alleged tax evasion. UBS has denied wrongdoing (via Reuters).

Monroe’s Musings: Since 2000, UBS has paid nearly $17 billion in penalties for a variety of financial crime and compliance violations, including manipulating interest rates, tax violations, sanctions failures and more, according to Violation Tracker.

But the bank, like other EU, UK and Asian banks that have paid historic penalties for similar failures, has no doubt come to the realization that stronger compliance standards, implementation and effectiveness are not just a U.S. regulatory expectation – they are a global one.

This is most glaringly obvious in the European Union, which in recent months has laid out a bevy of plans to strengthen oversight of member state banks – and those selfsame member state regulators – in the wake of the embarrassing Danske Bank scandal, which saw some $230 billion of suspicious Russian funds move through the now-defunct Estonian branch. 

So look for UBS, and other EU institutions, to more aggressively settle these types of tax, compliance and money laundering investigations and cases so they can remediate quickly, strengthen fincrime broadly and get back to business while cognizant of the new reality of financial crime. 

Cryptocurrency

U.S., South Korea follow crypto trails, take down largest darknet child exploitation site, arresting hundreds in global sweep, saving nearly two-dozen victims 

An international task force spearheaded by U.S. and Korean investigators, working with a company that tracks crypto transactions, has broken up one of the world’s largest darknet marketplaces for child exploitative materials, arresting nearly 340 site users in a coordinated global sweep – in the process saving dozens of victims.

The U.S. Department of Justice (DOJ) detailed the bust Wednesday in an unsealed indictment against Jong Woo Son, 23, who prosecutors say operated a hidden Darknet market, using Bitcoin in a bid to ensure anonymity, while distributing more than 1 million sexually explicit videos involving children. 

Regional authorities have already convicted Son, a South Korean national, and he is serving 18 months in prison. 

Investigators have also arrested and charged site users in some 24 states – including California, Florida, New York, Texas and Washington, D.C. – as well as individuals in the United Kingdom, South Korea, Germany, Saudi Arabia, the United Arab Emirates, the Czech Republic, Canada, Ireland, Spain, Brazil and Australia.

“Darknet sites that profit from the sexual exploitation of children are among the most vile and reprehensible forms of criminal behavior,” said Assistant Attorney General Brian A. Benczkowski of the Justice Department’s Criminal Division.  “This Administration will not allow child predators to use lawless online spaces as a shield.” 

According to the indictment, on March 5, 2018, agents from the IRS-CI, HSI, National Crime Agency in the United Kingdom, and Korean National Police in South Korea arrested Son and seized the server that he used to operate a Darknet market that exclusively advertised child sexual exploitation videos available for download by members of the site.  

The operation resulted in the seizure of approximately eight terabytes of child sexual exploitation videos, which is one of the largest seizures of its kind.  

The images, which are currently being analyzed by the National Center for Missing and Exploited Children (NCMEC), contained over 250,000 unique videos, and 45 percent of the videos currently analyzed contain new images that have not been previously known to exist.

Welcome To Video offered these videos for sale using the cryptocurrency bitcoin. Typically, sites of this kind give users a forum to trade in these depictions.  

This Darknet website is among the first of its kind to monetize child exploitation videos using bitcoin.  

In fact, the site itself boasted over one million downloads of child exploitation videos by users. Each user received a unique bitcoin address when the user created an account on the website.  

An analysis of the server revealed that the website had more than one million bitcoin addresses, signifying that the website had capacity for at least one million users. 

Key private sector entities also played a vital role in the investigation. 

Commenting on the investigation itself, IRS-Criminal Investigations Chief Don Fort mentioned the importance of the sophisticated tracing of bitcoin transactions in order to identify the administrator of the website, an effort bolstered by crypto analytics firm, Chainalysis.

The firm’s products provided assistance in this area, helping investigators analyze the website’s cryptocurrency transactions that ultimately led to the arrests, according to a company statement, with one top company official calling the collaboration his “proudest moment.” 

Welcome to Video (WTV) was a child pornography website that operated out of South Korea and allowed users to buy content with Bitcoin or to upload their own. Upon signing up for the site, users received a unique Bitcoin address where they could send funds to buy content to view. 

Between 2015 and 2018, the site received nearly $353,000 worth of Bitcoin across thousands of individual transactions. 

Welcome to Video had a global customer and contributor base requiring cross-border collaboration among law enforcement agencies across the world. IRS-Criminal Investigations (IRS-CI), Homeland Security Investigations (HSI), and other agencies used Chainalysis software to analyze blockchain transactions and map out contributors and users of the site. 

This enabled them to disseminate the blockchain evidence to their partners in the United Kingdom, South Korea, Germany, Saudi Arabia, the United Arab Emirates, the Czech Republic, Canada, Ireland, Spain, Brazil and Australia, and ultimately make arrests.

With the site’s listed Bitcoin address, IRS-CI and HSI used Chainalysis Reactor, an investigations product, to analyze transactional activity and build a graph showing the flow of funds in and out of the WTV address. 

The agencies have shared data from the seized server with law enforcement around the world to assist in identifying and prosecuting customers of the site.  This has resulted in leads sent to 38 countries and yielded arrests of 337 subjects around the world.  

The operation has resulted in searches of residences and businesses of approximately 92 individuals in the United States.  

Notably, the operation is responsible for the rescue of at least 23 minor victims residing in the United States, Spain and the United Kingdom, who were being actively abused by the users of the site.

In the Washington, D.C.-metropolitan area, the operation has led to the execution of five search warrants and eight arrests of individuals who both conspired with the administrator of the site and were themselves users of the website.

Two users of the Darknet market committed suicide subsequent to the execution of search warrants (via DOJ).

Monroe’s Musings: This is a powerful example of the incredible good that can come when public and private sector groups work together, share information and use that knowledge and expertise to take down a horrific group that thought itself anonymous and above the law.

Guidance

In latest move to improve enforcement transparency, DOJ lifts curtain on factors involved when evaluating penalty claims of ‘inability to pay’

In recent weeks, the U.S. Department of Justice (DOJ) has pulled back the curtain on previously closely guarded secrets at play at the negotiating table for operations – be they corporates, banks or other entities – facing monetary enforcement actions for compliance and other potentially egregious failures, where the wrinkle is that these firms state they aren’t able to shoulder the fine.

The DOJ missive is its latest installment of expanded policies meant to provide more transparency in how the Criminal Division will evaluate corporate compliance and culpability, and comes on the heels of prior guidance issued in the last year tied to the structure and expectations around corporate compliance programs and how, when and why monitors may be part of a penalty settlement.

This new guidance, entitled “Evaluating a Business Organization’s Inability to Pay a Criminal Fine or Criminal Monetary Penalty” (the “Guidance”), specifically addresses the Criminal Division’s approach to criminal fines and monetary penalties and follows DOJ’s May guidance on the “Evaluation of Corporate Compliance Programs” and its October 2018 guidance on “Selection of Monitors in Criminal Division Matters.”

Taken together, these announcements reflect a deliberate attempt to reassure companies that the Criminal Division will treat them fairly on issues ranging from the size of any penalty to whether a monitor is imposed and represent a trend toward a more balanced message on corporate enforcement generally.

In addition to considering information submitted in the Company’s Inability to Pay Questionnaire, DOJ will consider the following additional factors:

  •  Background on Current Financial Condition: DOJ will consider the circumstances that gave rise to the company’s current financial condition, such as investments in improvements, acquisitions, or significant third-party transactions. Whether leadership has recently removed capital from the company in the form of dividends, distributions, loans, or other compensation is also relevant.
  •  Alternative Sources of Capital: DOJ will consider the company’s ability to raise capital, as well as the existence of insurance or indemnification agreements.
  •  Collateral Consequences: DOJ will consider a variety of “collateral consequences” that may arise from the imposition of a significant criminal penalty. Examples include “impacts on an organization’s ability to fund pension obligations or provide the amount of capital, maintenance, or equipment required by law or regulation” and “whether the proposed monetary penalty is likely to cause layoffs, product shortages, or significantly disrupt competition in a market.” Certain collateral consequences are typically not considered, such as the effect on dividends, executive compensation, and hiring and retention.
  •  Victim Restitution Considerations: DOJ “must” consider how the imposition of a penalty will affect the company’s ability to pay restitution to any identified victims.

The Guidance reflects the more pragmatic approach the Criminal Division had already taken in recent resolutions in which it had reduced penalties to accommodate companies’ inability to pay. 

For example, in December 2018, a plea agreement between IAV GmbH and DOJ resulting from the Volkswagen-emissions matter resulted in a reduced penalty based upon the company’s “inability to pay a higher fine amount without jeopardizing its continued viability.” 

Similarly, a March 2018 plea agreement between Transport Logistics International and DOJ explained that a penalty exceeding $2 million “would substantially jeopardize the continued viability of the Company.”

DOJ’s consideration of inability to pay is not limited to voluntary disclosures. In the largest bribery case prosecuted by the DOJ to date, DOJ agreed to conduct an inability to pay analysis after the announcement of a $4.5 billion penalty assessed against Odebrecht S.A. (via OMM).

Monroe’s Musings: This was a very interesting, rich and relevant piece of guidance with fantastic analysis by Laurel Rimon and the team at O’Melveny & Myers LLP, which they shared on LinkedIn.

This piqued my interest, but also reminded me of a recent penalty involving the U.S. Treasury’s Office of Foreign Assets Control (OFAC), which saw a massive reduction in the final fine figure when the firm stated it couldn’t pay, and even enlisted the help of its home country regulator in the United Kingdom, a longtime U.S. ally in the fight against financial crime.

Here is what I wrote to her about this: Laurel, this is a very interesting issue, particularly in light of the British Arab Commercial Bank OFAC case, where the bank faced a nearly $230 million sanctions penalty, that was later dropped to less than $5 million after the institution asked for its home country regulator to intervene. 

Part of the argument was, you guessed it, the bank could be hit too hard and couldn’t pay OFAC.  

We covered it here in a recent Fincrime Briefing: https://www.acfcs.org/fincrime-briefing-house-approves-cannabaking-bill-death-in-danske-bank-scandal-ofac-dings-u-k-bank-and-more/ 

At issue, there are still various vagaries related to the standards or parameters of when or how a company can negotiate down a penalty from DOJ or OFAC based on payment ability.

But this guidance and related analysis could give vital insight to companies to leverage a better outcome when they legitimately don’t have the capital, revenue or assets to absorb a hefty government penalty and, likely, equally or more expensive compliance remediation engagement. 

Cybersecurity

Cyberattack Snapshot: The top 10 Ransomware types hitting businesses in 2019

The ransomware landscape in 2019 has remained alarmingly lively, with hackers continuing to see value in targeting enterprises, public bodies and governments. 

Sometimes these virtual assaults are done with targeted, sometimes spray-and-pray approaches – but with similar disastrous results all the same: locked out systems, hamstrung organizations and payments to crypto criminals in the millions of dollars.  

Now, analysis by anti-malware firm Emsisoft has reviewed 230,000 incidents between April 1 and September 30, 2019, revealing the top 10 ransomware strains to look out for if you are a bank, corporate or individual. Here are some of the details related to the virulent volleys:

1. STOP (DJVU): The STOP ransomware strain, also known as DJVU, has been submitted to the ID Ransomware tool over 75,000 times, which only represents a sliver of the systems it may have affected worldwide.

STOP affects the systems of home users and can be easily picked up by downloading unsecure files from torrent sites. Once the infection begins, the STOP malware uses AES-256 encryption to lock the system files, followed by a payment demand issued to the user. It is by far the most common submission to ID Ransomware, as it accounts for 56 percent of all submissions.

2. Dharma: The Dharma variant not only locks a system, but also instructs the victim to contact a specific email address where they are expected to negotiate the release of their files. Dharma is a cryptovirus which is pushed onto systems via malicious download links and email hyperlinks.

Operating in the threat landscape since 2016, Dharma is part of the .cezar family. It mainly targets enterprises. Dharma accounted for 12 percent of submissions.

3. Phobos: Phobos, either named after the Martian moon or its namesake the Greek god of fear, is a ransomware variant that makes up 8.9 percent of all submissions.

It is mainly spread via exploits of insufficiently secured Remote Desktop Protocol ports. Phobos has been seen in the wild attacking corporations and public bodies indiscriminately. 

In a similar manner to Dharma, this ransomware locks your files and then requests that you contact the attacker directly to negotiate their release.

4. GlobeImposter: GlobeImposter makes up 6.5 percent of all submissions to the ID Ransomware tool. GlobeImposter is the next evolution on previous strains of the variant. What makes it different is that it uses AES-256 cryptography to encrypt a victim’s files before it issues a bitcoin payment demand.

5. REvil: REvil, also known as Sodinokibi, was first discovered in 2019, and security researchers believe that it was developed by the same threat actors who created GandCrab.

Emsisoft notes that Sodinokibi is seen as a “Ransomware-as-a-service that relies on affiliates to distribute and market the ransomware. It is extremely evasive and uses advanced techniques to avoid being detected by security software.”

The attack vectors for this variant include exploiting a vulnerability in Oracle WebLogic and more traditional methods such as phishing campaigns. It makes up 4.5 percent of submissions (via CBR Online).

Monroe’s Musings: With October being a month devoted to highlighting cybersecurity – both defenses and attack vectors – I thought this would be a nice addition to help remind banks, compliance teams, fraud teams and cyber professionals of the creativity, aggressiveness and sheer scary scope of the cyber threats we face.