Journalist Geoff White reveals how high-tech money laundering networks operate

by Jenn Marshall

When it comes to hiding dirty money, it’s not just cryptocurrency we have to worry about, according to author, speaker, and investigative journalist Geoff White.

White, who wrote the book Rinsed: From Cartels to Crypto: How the Tech Industry Washes Money for the World’s Deadliest Crooks, talked with 1Password’s Matt Davey on the Random But Memorable podcast about how cybercriminals are getting more and more creative in hiding their tracks.

Read highlights from the interview or listen to the full podcast episode as White reveals the intricacies of money laundering networks and dives into a fascinating overview of criminal tactics to wash stolen funds, from using real-world mule networks to volunteers’ bank accounts.


Editor’s note: This interview has been lightly edited for clarity and brevity. The views and opinions expressed by the interviewee don’t represent the opinions of 1Password.

Matt Davey: Could you give a brief overview of your new book, and what inspired you to write it?

Geoff White: Rinsed is about money laundering and specifically how technology has started to change the industry of money laundering. It’s an industry. It’s a very professionally set up network of criminals who launder money. The reason I wrote the book was because I’ve done a lot of stuff on North Korean computer hacking. Notably, a podcast series and book called The Lazarus Heist, which is about North Korea and how North Korea became a computer hacking superpower.

North Korea, for various reasons, has been sanctioned by the international community, so it’s been cut off from international trade and finance. North Korea struggles for money. The accusation is that North Korea has tasked its government computer hackers with pulling in cash for the regime.

When I investigated this, what I found was that they were very good at breaking into cryptocurrency companies and banks and insurance companies. But when they get their hands, digitally, on the money, moving, hiding, and extricating it was something that they relied on a whole different set of characters for. These people are equally technologically savvy but in a different way. They understand international finance, how to set up money mule accounts, how to move money from one jurisdiction to another, and how to launder cryptocurrency.

What I found was this cybercrime community – it’s not just North Korea but cybercriminals in general – were reliant on these money laundering networks. Many types of organized crime, like cartel drug dealing, large-scale prostitution, and fraud rings exist to make money. That money is increasingly being digitized and washed through these high-tech money laundering networks. That’s what made me want to write a book about it.

MD: How has the transition to a digital economy impacted money laundering?

GW: There’s a couple of things that have happened. It’s happened in both traditional finance and what you might call “new finance”. In traditional finance, including normal, standard banks and very old financial institutions, we’ve had this sudden rush towards digitization, virtualization, and a frictionless, faster economy. Look at things like online account creation, faster payments, contactless payments, and so on. The idea of all these innovations is: make it easy, smooth, and quick.

The COVID pandemic really pushed that forward. Banks were largely closed – we weren’t going out. Online account creation and management had to be part of the deal. That fast-forwarded a trajectory that was already happening. For money launderers, what that means is you can bounce your money through many banks very quickly, which makes it potentially hard for law enforcement agencies to keep up.

You’ve also got the emergence of what you might call “new finance”. You’re probably familiar with cryptocurrencies like Bitcoin. But there’s also things like NFTs and video game currencies. There are huge amounts of money sloshing around video games like Call of Duty. Money launderers have spotted these new fringe bits of the financial community that a lot of people don’t really think of as “money”.

The money launderers are thinking: “If I can put some of my funds into that, great. It’s international. It’s not particularly well regulated and it moves at lightning speed. That’s ideal territory for me as a money launderer to get involved in.”

Both on the traditional finance side and the new finance side, we’ve seen innovations that, mostly inadvertently and unwittingly, assist the kind of high-tech money laundering that I’m talking about.

MD: I’ve never really thought about video game currency being a way to do that. It’s kind of fascinating.

GW: Absolutely, yeah. I mentioned Call of Duty. The way these games work is there’s often an in-game market. With Call of Duty, there was a sort of side market where you could buy and sell assets for the game.

At one point, that side market was suspended because the makers of the game said: “Look, we believe this entire market has been taken over by criminals, people washing money through this marketplace.” Millions and millions of dollars were being laundered through the game without anybody realizing it.

MD: Your book describes how organized criminals and cybercriminals are joining forces. Can you elaborate on how these alliances operate?

GW: I think people have the idea that cybercrime happens in cyberspace. It’s ethereal, it’s ones and zeros. And often, they feel it’s almost a victimless crime. I think that’s particularly the case with crimes around cryptocurrency. I think a lot of people think: ‘If a person loses their stash of bitcoins, a) Have they really lost anything? It was never real in the first place, and b) more fool them because they were speculating on this bizarre cryptocurrency.’ However, all that stuff is real money, it has real value.

What’s interesting is, at a certain point, digital cybercrime starts to hit street level. Because at some stage, criminals (I include North Korea in this and the allegations against it) and also cybercrime gangs, they want to buy a yacht, a nice apartment, a nice dinner in a fancy restaurant. In North Korea’s case, they might want to buy nuclear weapons and missiles, which is obviously the very serious side of this.

You need to pull your money into some kind of real-world environment. Often, what’s going on there is street-level money muling gangs. You need people who’ve got dudes who go round to ATMs and withdraw the money for you.

In one of the North Korean cases in 2018, they hacked into a bank in India. They managed to compromise the bank’s ATM software. What that meant was anybody at an ATM or cashpoint, anywhere around the world with one of this bank’s cards, could put it into a machine and withdraw as much money as they liked.

That’s fantastic for the North Korean hackers who allegedly were behind this, but, of course, they’ve got a problem. They’ve got to get people around the world to go to cashpoints. They managed to pull out, I think it was $11 million in 29 different countries, and all within two hours. They had a street team of people, hundreds of people, going from cashpoint to cashpoint.

It needed to be coordinated in multiple different countries, with people speaking multiple different languages. It was an immense operation to configure and to get on the go. It’s an absolutely fascinating story.

Of course, at that point, you’ve got dudes running around in 29 countries with wads of physical cash. How do the hackers in Pyongyang, the capital of North Korea, get the money reconciled back to them? I found that really fascinating, this sort of border space between very, very high-tech cybercrime, but also street-level gangs and money launderers.

MD: There’s a bunch of wild stories in your book. Could you share one or two that really stood out to you during your research?

GW: The one I think that really stunned me was a very bizarre journey that ended up in a very strange space. Again, it’s an alleged North Korean job. They were accused of breaking into a video game that was popular in Southeast Asia called Axie Infinity, back in 2022.

At one point, the company behind it was valued at about $2 billion, so it was hugely successful. In the game, you were playing with these little characters called Axies, which were based on salamanders. You were wrestling them and fighting them in the game. That was the gameplay, but what was actually behind it was a cryptocurrency marketplace. You could buy and sell your little characters in the game, and what you were effectively buying and selling was cryptocurrency.


Hackers spotted the massive amounts of money sloshing around in this game and decided to steal as much of it as they could. They broke into the game by sending an employee of the company a phishing message, pretending to recruit them for a really highly paid, fancy job. The employee of the company thinks, “Well, that’s great. I’ll get more salary.” They fall for the phishing attempt and download a document laced with the virus, which allowed the hackers access to the game and the game’s servers.

After a bit of chicanery, they managed to pull out $625 million. I think that’s the largest amount of money stolen in one go from one victim.

And this is certainly the fastest heist of all time, because stealing that cryptocurrency – which was in the form of crypto and could be transferred out digitally – took 1 minute and 55 seconds.

You know that you can trace cryptocurrency transactions through this publicly available online ledger called the blockchain. So, the hackers can steal the money, but it’s obvious where it’s gone – it’s gone into particular crypto wallets. So, what they did next was to take the currency and put it into what’s called a mixer, a thing called Tornado Cash. As the name suggests, it mixes the incoming crypto with existing crypto and then spits it back out to a fresh wallet address. The idea is to sever the connection between the incoming money and the outgoing money.

About half a billion dollars of the stolen Axie Infinity money goes through Tornado Cash, is mixed, and is now out there in the wild. We have no idea who’s got it or where it went. You could think: “Well, what a terrible thing Tornado Cash is, what a terrible thing they’ve done to launder half a billion dollars for the North Koreans.”

But a lot of people in the crypto community and tech community have actually defended Tornado Cash and said, “Well, look, that’s not great, but we need services like Tornado Cash to preserve our privacy, to preserve basic freedoms and liberties when we’re using cryptocurrency, which is, after all, all traceable.”

We now have this amazing freedom of speech, privacy-type debate at the heart of the U.S. government, stemming from this attempt to launder the money from the North Koreans, based on a video game involving salamanders. If you wrote it as a fiction, people probably wouldn’t believe it happened, but it’s all true.

MD: Do you think there’s movie scripts for this in the process of being made into a movie? In The Beekeeper, I enjoyed how they made the ransomware company almost like multi-level marketing, like sales-driven. They had bells and cheering and that type of thing. It was a good way to kind of visualize it.

GW: It was. It was sort of like The Wolf of Wall Street meets cybercrime. That’s actually based on reality. These scam organizations and ransomware organizations, they are professional Monday to Friday, 24-hour operations. They have workers who clock in and out. They have recruitment, they have payroll, they have, to a certain extent, marketing. That is how it works.

MD: Do you think we stop at some point using the term “cybercriminal” and instead just use “organized crime”? Because it does seem like both are very organized.

GW: Yes, cybercrime is almost always a branch of organized crime. Here’s something I’ve started thinking about quite a lot recently: when you or I work for a legitimate organization, if something goes wrong, you can complain. You can maybe sue in the courts. You might go to the police or the government or whatever. If you’re in an organized crime gang, you can’t do that. If a drug gang stitches you up and doesn’t pay you, you can’t go to the police.

Organized crime has to organize people together who are innately untrustworthy. They’re all crooks. How do you trust people who are fundamentally not to be trusted? The answer to that, traditionally, has been violence. If you rip me off, I will break your legs.

Increasingly, in organized cybercrime particularly, and also in a lot of organized financial crime, you don’t have that. You’re not working in the same country. You’re not physically close enough to somebody to do violence to them. A lot of these cybercrimes, people are working under pseudonyms. You don’t even know, even if you could work out where they are, whose legs to break.

As organized crime becomes more distributed, as it becomes more digitized and more virtual and the money becomes more virtual, more of those organized crime gangs are starting to use intricate trust networks and trust systems. It’s working: fraud rings are happening across the world. Clearly, they’re prepared to cooperate together and there’s a level of trust there that allows all this to happen that goes way beyond the trust you would get just from being able to inflict violence on people.

MD: Going back to Tornado Cash, wasn’t the founding principle of Bitcoin supposed to be this kind of open ledger that everybody could track?

GW: Yes, it’s a good question. The issue that virtual currencies had prior to Bitcoin was what’s called the double-spend problem. That means, if I’m sending a virtual currency, I could send that to two people at the same time simultaneously. Both of them would apparently have received a transfer from me, and I’ve effectively spent one of my virtual coins twice on two people.

The way Bitcoin got around that was the blockchain, this open-source ledger where you could instantly see who’d sent what money to whom. There were voluntary auditors who would check all those transactions, make sure nobody had pulled the fast one, and in return, be rewarded with virtual currency. That was the massive innovation of Bitcoin and the blockchain behind it.

Now, obviously, you can see the transaction go from a wallet to a wallet, but you can’t necessarily know who owns those wallets. There’s no names attached to them. It was always meant to be pseudonymous. There were arguments about whether it’s anonymous because your wallet address is kind of a pseudonym for you.

Increasingly, the game is, can we link those wallet addresses to individuals? On the dark web, for example, if I set up shop and I say: “Hey, if you want to pay me for stolen credit cards or whatever, pay me into this Bitcoin wallet address.” Well, from then on, you know that my dark web identity is linked to that Bitcoin wallet address. If I get arrested and exposed, you can link my name to that Bitcoin wallet address. Deanonymizing this network’s been part of the game.

But if you use it correctly, you can use Bitcoin anonymously. It’s just for a lot of people, that’s not necessarily what they’re after. And for some people, they try and be anonymous, but they get caught out.

What’s interesting now is the debate within the crypto community of people saying: “Well, yeah, I understand all of that, but I want anonymity. I get that with cash. I can withdraw cash and no one can attach it to me. I want the same thing from cryptocurrency. I want privacy. I don’t want to be tracked.”

Interestingly, we’re seeing this around this thing called Central Bank Digital Currencies, CBDCs. This is the idea that, at a government level, these blockchain ledgers and these tracking systems will be used. There are some people who are very concerned about that in terms of government surveillance and privacy. That side of the debate is saying: “We need privacy and we need these sort of mixers like Tornado Cash.” So yeah, the debate is super fascinating and a lot wider, I think, than people would think at first blush.

MD: What are some of the other techniques and technologies that cybercriminals are using to launder money in today’s digital age?

GW: One of the cases I’ve covered in the book is a crime group called The Black Axe, which originated in Nigeria in the 1970s. It’s become an international conglomerate. I think I describe it in the book that they have people everywhere. Wherever you want to launder money, there’s usually a Black Axe operative who can help you out.

What’s fascinating is the ground operation that they’ve got. People like you and me who, in exchange for a small fee, will hand over their bank details and allow their bank account to be used for money to be washed through.

You might think: “Well, that’s street level, that’s not particularly advanced or sophisticated.” First, you need those street-level operatives, because changing it into cash is the ultimate step of obscuring the money trail and laundering the money.

Second, there is a very high-tech aspect to this because social media is being used as the recruiting tool. If you go on Instagram and Snapchat and you follow the right hashtags and accounts, you’ll see, I don’t know what the figure would be, it’s certainly in the hundreds or thousands worldwide, possibly even millions of accounts that are encouraging people into this. They say: “Look, you can make big money. Here’s the expensive watches you can buy if you take part in this exercise.”

There’s this use of advanced social media recruitment tactics to pull people in. And of course, if your money mule gets caught weeks, months, or years later, who cares? You’ve rinsed the money to their account, it’s their problem, they’re the ones getting taken to court. I find that super fascinating in terms of using high-tech means of social media for what is quite, in the end, a low-tech exercise.

MD: Fascinating that people do it, especially coming from social media. I think the inherent untrustworthiness of the number of scams, you’d really avoid it. But I guess the watches and the cars really draw people in.

GW: Gangs are extremely used to convincing people. One of the interesting things they will say is: “Empty your bank account of money, then give us your bank account login, and there’s no money there for us to steal. We’re just going to push money through your account. By the way, once we’re done, you’ll be left with £500,” or whatever it is.

MD: In terms of the authorities, what do you think is the biggest challenge they face when trying to crack down on these networks?

GW: First, it’s knowledge. There’s this interesting cultural aspect, certainly in British policing, and it might be the case in other countries as well. I feel like people join the police because they want to jump in a fast car with blue lights and sirens flashing and put someone in handcuffs who’s an evil wrongdoer. I think that’s still a motivation for a lot of people signing up for the police.

Increasingly, crime is being virtualized, it’s becoming economic. We have epidemic rates, I believe, of fraud in the UK and worldwide at the moment. With those fraud gangs, you’re not going to jump in a car, bash down a door and put that person in handcuffs because they’re based in different jurisdictions. We talked earlier about that case, the 29 different countries. That’s a deliberate tactic by the crime gangs. The more countries you base yourself in, the harder it’s going to be for any one country’s law enforcement team to track you down.

There are efforts to coordinate this. In the UK, we have the National Crime Agency that does international operations. They will work with the FBI. There’s, of course, Interpol and Europol who do work around this. But so many of these scams are happening to individuals at a local level. From a lot of people’s experiences that I hear about, going into your local police station to report this, you just don’t feel you’re getting anywhere.

That’s the other issue: if you report it to your local police station, they will log it, they will record the details. It could be years down the line – your case and your evidence helped with the prosecution of some massive case. But by that stage, your local police officer is not going to phone you up and say, “Oh, by the way, you reported two years ago. It turns out we arrested the person … By the way, you’re not going to get your money back, but thank you for your help.” That just doesn’t happen.

I think the public for the most part thinks: “What’s the point of reporting? I’m not going to get my money back. I’m not going to be seeing my perpetrator in handcuffs.” For all of these different reasons, cybercrime is a difficult one to crack for law enforcement.

MD: What is the best way that the average person or organization can prevent themselves from becoming targets of cyber attacks?

GW: You may not be tempted in with the promise through social media of a few hundred pounds or dollars or euros or whatever to make your bank account available. But you will have younger friends, maybe sons or daughters who might be. It’s worth alerting them and saying: “Look, there’s a scam going round where they try and get access to your bank account. You do realize that’s a criminal offense, you’ll go to jail for that.”

More generally, be wary of fraud and impersonation crimes. You’ll see phishing messages coming into your Facebook account, Instagram, Twitter direct messages, LinkedIn, and that kind of thing. It’s increasingly difficult to really know that a message actually came from the person who appeared to send it. Particularly, the scaling up of artificial intelligence and the use of deep fakes. Voice calls in the voice of the person that you think you know are increasingly doable. Next, you’ll be able to get a video call from somebody who really does look like your friend on a video call.

We all have to up our defenses. To start, if there’s a message you receive that has anything to do with money, credit card details, bank account transfers, passwords, anything like that, the alarm bell should ring to say, “I think this is my friend or my colleague or my son or daughter or whatever, but I need to check. I just need to put some extra thing in place to check.”

We’re seeing cases all over the place. We’re seeing elderly relatives getting calls apparently from their younger family members saying, “I’m trapped in this country. I’ve lost my passport. Can you send me money?”

We’re seeing it at a really high level as well. In Hong Kong, a big firm called Arup was caught out losing $25 million because there was a fake video of not just the chief executive, but senior members of the team that a senior finance person fell for and transferred $25 million. I think basically any conversation, any contact that you get that has anything to do with money, the alarm bell just immediately needs to ring for us, whether it’s in our private life or professional life.

MD: Where can people go to learn more about you or purchase the book?

GW: My website’s geoffwhite.tech. And the book, Rinsed, is on Amazon and also bookshop.org, for those in the UK.
