What 6 Years of Success in a Global Takedown Operation Looks Like, and How You Can Do It, Too
If you’ve ever chatted with me in person, you’ve probably heard this story before. Or at least, bits and pieces of it. “You say you fight fraud…but what does that even mean?” Well…I run one of the largest TLP:Red mailing lists focusing on all things BEC (Business Email Compromise), and collaborate with industry partners across the globe. Initially we flew under the radar for 3 years to get a grasp on the dumpster fire of a mess known as 419, BEC, AFF, Romance Scams, or more commonly (but partially inaccurate) known as Nigerian Fraud. You know, that thing where princes ask your grandmother for money? The scams that “no one would fall for” yet billions of dollars and a pile of corpses later is still here? That one.
Solve BEC they said. It would be easy they said. God I’m such an idiot.
The story of “the list” starts in 2015. Industry wide, a new trend of companies being targeted with a new type of phishing email started to emerge. The lure was simple, pretend to be someone in authority, ask for money, and…profit. It really was (and is) that simple. In these attacks, scammers used no malware, no links, or anything that was traditionally “malicious” that could be detectable. Across the industry we had more questions than answers. Who’s behind these attacks? What is their end goal? Where are they getting these bank accounts from? Do they own the accounts, did they steal them, or was it an option that we hadn’t accounted for? What intelligence gathering techniques were scammers using to know who the CEO, CFO, or HR personal is in the company? These are pretty easy answers to guess, but we didn’t know. And the more we looked the murkier the answers got.
Fast forward, December 2015.
I don’t even remember how I got Eric’s (name changed) number, but a mutual contact put me in contact with an agent who was working BEC cases in a fairly populated state. Our phone calls were normally short, and it went something like this.
Me: “Hey, a lot of us in the industry are seeing this. What would be your thoughts of starting a mailing list to track this stuff? We would love to engage with actors and pass ya’ll the intelligence because we really can’t do anything with the data.”
Eric: “Yea sure, feel free to talk to a few of your hacker friends.”
This wasn’t exactly how the conversation went, but I’m trying to capture the sentiment. Bear with me for 30 more seconds.
A few days later I called Eric back.
Me: “[Very smug Ronnie] So….are you ready?”
Eric: “??? Ready for….???”
Me: “I’ve got over 100 security researchers who are ready to engage with the BEC actors and start passing over intelligence. Are ya’ll ready? [smirky face]”
I could literally hear Eric’s jaw hit the floor on the other end of the line, and I like to imagine he looked something like this.
And that’s how the BEC list was born. A conglomerate of 110 misfit toys, many whom had never touched Nigerian fraud before then. Sadly many were “given” the task of tracking BEC because it wasn’t as sexy as hunting Bears or Pandas, but we all rolled with it. We were off on the fools quest of combatting fraud, and oh what fools we were taking on the world! (Literally…)
TLP:White: You can tell anyone.
TLP:Green: You can tell your colleagues.
TLP:Yellow / TLP:Amber: You can tell trusted colleagues.
TLP:Red: For you and you alone. STFU and don’t say anything.
6 Years Running — The Takedown Impacts
Fast forward to now and on the TLP:Red side, we’re a collection of over 500 global members spanning multiple industries, verticals, law enforcement, and government colleagues. We’ve held multiple conferences to discuss takedowns, impacts, laws to use when going after actors, and most importantly: to explain our perspective in what we see as it relates to fraud. It’s like building a house, where one person works on the windows, another person does the electricity, or lays the floor joists.
The great thing is that by setting a single focal point (stopping and understanding all things BEC) it opens individuals up to creativity, where they can fight things from their perspective. While respecting the TLP:Red nature of the information, here’s what a 6 year fire looks like, with leading experts across the world collaborating to make an impact.
- Actioned between 5–10 million social media and dating profile accounts, many of which were identified directly by romance victims.
- Identified thousands of illicit bank accounts used by scammers to facilitate fraud.
- Identify thousands of email accounts (across many providers, ISP’s, etc.) and action them for takedown.
- Assist government partners on unemployment, FEMA, PPP, W2, tax, and several other types of government fraud.
- Sent thousands of fake W2’s to actors purely out of spite. Good luck working with that false information. ❤
- Thousands arrested across the globe as a result of BEC and related crimes.
- Worked with major service providers to action massive hives of BEC domains registered by actors.
- Assist thousands of romance victims, providing resources and assistance as we can.
- Create a TLP:White Slack channel, currently consisting of over 1,100 members. A big win there: we helped a mom-and-pop shop return over $700,000 in a BEC attack. They would have had to close if we didn’t get the money back, but instead they celebrated with champagne when the money was successfully returned.
- Discovered that calling this “Nigerian fraud” is insanely inaccurate, because not all Nigerians are scammers. It’s just the bad apples ruining it for the bunch.
- Members identified international criminal syndicates and other confraternities who are responsible for many types of fraud we see, as well as some of the most vicious crimes I have ever witnessed. Don’t believe me? Watch the link above, you’ll hate it. I guarantee it.
- Tens of thousands of fake checks identified, tried to get the intelligence to the people who could action it, but unfortunately failed because it was “too much data” to work with. We naively thought “here’s where fraud is going to happen” on a silver platter would work, but it didn’t.
- TONS of accounts and visibility into advanced-fee fraud, and you’ve probably seen it. If you’ve ever tried to sell something on Craigslist or Facebook market place and were offered a check for more than you were asking for: this is what it’s called.
- Puppy scams, SCameroonians, and you. Yes, people sell fake puppies to people for fraud. Jerks.
- Human sacrifices, murders, and suicides tied back to this stuff. Yuck.
- Billions reversed by members. No that’s not an exaggeration, yes we’ve had billions more stolen that isn’t accounted for.
- And the honorable mentions, like the times where actors leaked hundreds of bank accounts because they don’t know how to forensics. And no, we aren’t saying how we found it.
None of this wouldn’t have been successful with the hundreds of people working behind the scenes day and night to help make a safer internet. Collectively we have gained an immeasurable amount of knowledge around how this dumpster fire burns, as well as creating an impact that is just that is virtually immeasurable.
You Can Do This Too — The Keys to Successful List Administration
What made this successful can be summed up in two simple words: the people. The people you work with have a direct impact on whether or not you’ll be successful, fail, or end up in a stress spiral of toxicity and funk because people don’t think it’s important. Reflecting back, the reason we have been so successful over the years (and we ain’t stopping!) are for the following reasons:
- Find passionate people who like solving problems.
- Set a common goal. In our case, it was “to fight and understand all things BEC”
- Work together. You’re fighting the same fight, so why fight amongst each other?
- When problems arise, hear all sides, check intent, handle issues quietly, communicate the problem and resolution, and move on. Do not let them fester.
- Be awesome to each other.
Measure your successes, even when you don’t want to. A group of misfit toys helped stop billions of dollars in fraud, saved countless fraud and romance victims, helped lead to thousands of arrests, and destroyed millions of intelligence data points tied to infrastructure. We fight for the victims, living and dead, simply because it’s right.
What fires are you lighting in 2022? Because there’s plenty of fire still out there.