Boots on the Ground with Mark Arena
Joining us from the fantastic vista of Monaco is Mark Arena. He's the CEO at Intel 471, and he has a great story to tell about the origins of the company name. He also breaks down the ransomware threat over the last couple of decades and how it has evolved with the availability of new, faster, better technology, as well as the business acumen behind affiliate programs and Ransomware-as-a-Service.
He shares insights on crypto mixing as yet another path ransomware gangs can use to anonymize the ransom payments they receive. (HINT: this is more like money laundering of cryptocurrency.) So many great insights in this episode, including the importance of boots on the ground. You don't want to miss it!
[01:48] The Founder of Intel Gets His Boots on the Ground
Rachel: So we have Mark Arena, the chief executive officer and founder of Intel 471. Mark, you live in Monaco. You were telling us how you came up with the name of the company. Can you share about that?
Mark: It's a part of the test. You can't listen to the rest of the podcast unless you get the test right.
Eric: Intel 471.
Mark: I'm not sure which one it is, but whichever works. When I started the company seven or eight years ago, we did threat intelligence. We needed to have intel, meaning intelligence. There's another company that has a letter in their name in Intel. I was like, "We'll have a number." 471 was the first number that came to mind at the time. I checked, intel471.com is free. I'm like, "Let's do it," and that was it.
A lot of people spent a lot of time and money thinking about their company. We didn't, I didn't. I always get asked about it. Even all the marketing people were like, "You need a real story behind it." I can tell a funny story though. Somebody, a prospective customer, once looked up the number 471. Found a United Nations resolution against Israel that ended in the number 471 and asked if I was anti-Israel. I was like, "No. Random number."
Eric: We're now 472, thank you for the advice. So everybody else spends more time on the number and the name than you did setting it up?
Mark: Exactly. We always make jokes like, "In the future, we're going to make another company. We'll call it Intel 472." It'll only be a little bit better than 471. Not much. It's just a little bit better.
Rachel: It's absolutely genius. People will write about it.
Eric: Now, we do need to get Margaret Cunningham on this one to do the real analysis of Mark's brain. Why was that the number that came to his mind and what does that mean? Dr. Margaret Cunningham is our lead behavioral scientist at Forcepoint. I always wonder when she's talking to me, what's going on in this little rattle trap box of mine. We'll have you analyzed, Mark, and we'll get you some results sets there.
Mark: She'll probably come up with a result, "What was he thinking? Not much."
Rachel: I was peeking on your website and I love the brand video that you have. It's a robot or the AI thing, and it's just so well executed. You call out a lot of the folks that work with you, the government, the military police. I know you're formerly Australian Federal Police. I'd love to hear about how you came up with that. What difference does that make for boots on the ground, as your site says?
Mark: My background was originally software engineering, programming. I worked as a programmer at university. After working as a programmer, I joined the Australian Federal Police. I was a technical specialist there, not a police officer. So I was focused on technical support for investigations where the offenders were technical or there was a cyber nexus.
Mark: It is everything now, but a decade ago, it was slightly less than everything. So it wasn't just cybercrime, I was looking at child exploitation online, counter-terrorism, even murders. At law enforcement and other intelligence services, the focus is always the adversary. Your adversary is the government agency, some criminals of some sort. It's very hard to learn that skill set and to track the bad guys.
Think in your head, "Here's all my knowledge or the information gaps that I have. How am I going to try and meet them?" I still might have some gaps. But based on incomplete information, I need to make an assessment of it and put a confidence level on it. Obviously, there's a process involved and that's what intelligence is like. It's totally different to the kind of forensics data-driven, incident response-type mindset that you see mostly in technology.
Good tech people are very smart, technically. But they struggle to understand more from, "These are my gaps," and I see it in attribution-type cases. A lot of security researchers, I've seen stuff too with the North Koreans. There are attacks and they're like, "Show me the evidence." They think if something is a 100% done deal, like Cluedo, you have all the clues. You know what the outcome is. There's no skill required to look at something as 100% and be like, "A equals B." That's easy, and you miss the set.
That goes into me coming from a threat background, focusing on the bad guys, I left it there. I worked at iSIGHT Partners, the threat intelligence company FireEye acquired. Now, it's part of Mandiant. I was a chief researcher there.
Boots on the Ground and Building Relationships
Mark: Then, I started Intel 471. That's the genesis of where I came from. You said about boots on the ground. There's only so much you can learn from being remote from the adversary. It's the reason why the US government and others have the CIA. It is boots on the ground, building relationships versus NSA, which taps things and listens.
There's only so much you can do and learn. Say, Russian as a second language. Obviously, if you’re very smart, you can learn multiple languages. I only know English and poorly at that. But have somebody in Eastern Europe who understands the local context, local behavior. He can engage, talk, and build relationships with the bad guy. Ultimately, that's the adversary. That's what we do day-in and day-out.
There's a massive differentiator between that versus somebody living in New York or London who speaks Russian as a second language. You'd be found out in a second by the bad guys as well. So that was a long-winded answer. Hopefully that kind of gives you a bit of insight into it.
Rachel: It's so smart because we talk so much about cyber and the geopolitical landscape. You really have to understand those dynamics today to start thinking. If you don't think like the adversary, then you're never going to get ahead of the adversary.
Eric: But most people don't. We've talked about it a lot on the podcast. Most practitioners we speak to and the ones that I interface with, they do look at it as data more than anything. They haven't been the adversary, they haven't been in the minds of the adversary. What was that movie with Seth Rogen?
Mark: Sony Pictures.
[09:51] Incredibly Impactful Insight
Eric: I had a North Korean speaker who has done work in North Korea. He hasn’t been physically in North Korea. From a prior organization I worked at, we were observing the markers of that campaign. His insight was incredibly impactful to the analysis compared to what just regular reverse engineers or malware people were looking at. He had more insight into the culture and the language, even though he hadn't lived there. I understand what you're saying, but that's got to be hard.
Mark: It's especially hard when you see, whether it's internal or external, you want to encourage people to be bold. You have an incomplete data set, incomplete information, and you're trying to judge what's highly likely, possibly happened. Then judge it and have data supporting that, like criminal profiling. Criminal profiling is you look at what happened, a profiler from law enforcement says, "Based on what I'm seeing, this is the likely profile of the offender."
If you're an investigator that that's feeding into, you act on that as 100% fact. The advantage of doing so is worth it, even for the percentage that you're wrong. Intelligence is the same. I wish the whole cybersecurity community would be better at this kind of analysis, dealing with incomplete information, than what they are, certainly.
Eric: It's really tough. I pushed the team to get to attribution for years. I had 500 reasons why we would never get to attribution. Finally, we agreed. This is probably three or four years to get them to agree to something we call basic attribution. It was, "Hey, I think, and this is why," and it's a hard space. It's very difficult.
Estimated Probability of Getting Your Boots on the Ground
Mark: Even the intelligence agencies and us, we use these words of estimated probability. It's highly likely for me to be 70% and above, certain is 100%. Then you have a table and you're like, "All right. These are the qualifiers we're going to use. All right, team, you have these qualifiers. So you're going to say attribution to X, here's the qualifiers you've got. Obviously at some point, you can do multiple things at different levels." That's what we encourage.
Eric: You probably don't want to drop a nuke on somebody with 40% probability of success and 452 qualifiers. Maybe we'll hold off a little bit longer.
Mark: Definitely. The other thing that annoys me a bit is the attribution piece. People in information security are like, "I don't care about attribution." I don't understand how that can be true. And I always do the example of, "Hey, you're an oil company, you're doing a deal, or a mining company," and this actually happened in Australia. An Australian mining company is doing a deal negotiating tenure price with the Chinese. Their CEO and their executives get compromised.
So the business impact of that is Chinese cyber espionage versus some random cyber criminal that wasn't targeted. The business impact on that organization is massively huge, depending on who the attribution was. I always give this example. The reality is who did it gives you the why and the motivation. That gives you the understanding of what the business impact is. That's always massively important for anyone in information security.
Why China Would Be Targeted
Eric: We were working with a pharma company. We saw China actually making efforts to steal intellectual property. They didn't understand why they would be targeted. We pushed the team and it turns out, China has the biggest cancer problem in the world.
They have a problem they're trying to solve. There's motivation there. The who, the what, the why, the how, getting to that motivation is important because people only do things. They do them for a reason. A lot of people don't put effort into something just because.
Rachel: There's usually an outcome they're trying to drive, for sure. Speaking of business, and I love your depth and insights of ransomware. I'm so fascinated about affiliate programs and ransomware as a service. I've seen some statistics that it's been up 150%, ransomware attacks. So why do you think that is? Why is it ramping up, why is it the attack of the month during this timeframe?
Mark: You gotta look back to where we came from. At that wider level, the cybercrimes, financially-motivated cybercriminals track or evolve how they operate. Their TTPs, tactics, techniques, and procedures, are a couple of years behind nation states and what they're doing on the espionage side. Maybe five, 10 years back, if you had a cybercriminal go into an organization, they'll get into one system.
They wouldn't typically be able to move to other systems or move laterally within a compromised network. That was the realm of nation states. In the vast majority of cases, that’s the truth. Over time, you can see what cyber espionage TTPs are. They're openly published these days by security companies talking about it, putting out public reports. Cybercriminals are evolving a couple of years behind that.
The Boots on the Ground Steps Into the Deep Dark Web
Mark: At one point, this skill set where a cybercriminal got into an organization, compromised an organization and moved laterally within the organization was restricted to the retail sector. It was very focused on getting into retail organization. Getting at the systems that handle credit card payments, and using it to steal huge amounts of credit card information. Then selling it to criminals in the criminal underground, or deep dark web.
Hate that term, but people call it that. So it started with that. You think of that kind of skill set, suddenly the cybercriminals have the skillset to move laterally within a compromised organization. Then at that point, you can only target the retail sector and go after credit cards. That's how you monetize it.
Ransomware comes along where suddenly, you can monetize access to any organization within a certain size. The way it is usually used to work with retail is, the criminals’ way of working is spray and pray. Spam out, do whatever, do it en masse. It's a numbers game. There's a certain percentage of people who click the link, open the door, get compromised. Then you look through your pool of compromised systems.
Obviously, back in the day, they would look for retail organizations to start working. Now they look to any organization that they think could pay. Obviously, that's a huge number of organizations, but they do research them very well. They use online, they look at the revenue, and look at the executives. How likely is it that this organization will pay a multimillion dollar ransom? That's what they're really looking for. Ideally, they don't want to publish the compromised organization's information.
[17:14] How Cybercrime Works
Mark: They just want the customer to quietly pay. They send them the tooling and then they move on to the next one. They're awash with victims and they always have been. That's what the move towards ransomware has been. You mentioned affiliates and this goes into how cybercrime works. A lot of people think cybercrime works like the mafia. Like The Godfather or The Sopranos where there's the boss and it's hierarchical, but it's not.
There might be a very small element of a group that does that, but cybercrime is not cyber espionage.
Cyber espionage are groups of government folks working together, building tools for operations.
Eric: They got plans and they're going to go in. They know exactly what they're going after.
Mark: Cybercrime is less group-based, and more group built by specialization. You think of Italian-American mafia, stereotypical organized crime's built on a culture of secrecy, hierarchy, etc. Cybercrime's built on a culture of I don't trust who I'm dealing with. If they have personal problems or they get arrested, I need to replace them quickly. It is built on enablers all joined together. It's like the person carrying out the ransomware attack is an affiliate of one service.
Probably bought the access to a compromised organization from somebody else. Maybe worked with another hacker who moved laterally within the organization, who's different from the one negotiating with the victim to pay. That's how it's done. It literally is like SaaS, Software as a Service model where everything's moved to the cloud. Cybercrime is a service. Everything's moved to the cloud. You're a customer of the service, they run the service, a percentage of it. It literally mimics the security or the legit SaaS industry.
Moving Your Boots on the Ground From Street Crime
Eric: What you're saying is they've moved from street crime, mugging people, and knocking them off. A guy walking into a restaurant, "Give me your wallet, or I'm going to crack you over the head, pistol whip you," to corporate crime. White-collar crime, taking down businesses, banks, but you're also describing almost like a typical movie where there's a bank heist or something.
A bunch of bank robbers come together to take down the biggest score ever. But they don't trust each other, and they may be angling to get over on the other one. "If I do this, I'll get them to help me, but I'll take the money and they'll end up being caught." It's really interesting the way it's evolved.
Mark: A lot of it is built just on reputation as well. They don't necessarily want to screw the other person out of money or anything. There's definitely reputation involved, but it's very much all still built on mistrust. If the person providing the ransomware service gets arrested, they'll have another ransomware service bring it in.
So the underpinning of all of this is the criminal underground. It is like an underground marketplace where criminals buy, sell, trade, and that's the underpinning of everything. That is where they get connections. That's where they get the services and they find people to replace and fit in.
Eric: There's no easy answer. We don't have a way to say, "Okay, let's shut them down," because it's such a fragmented organizational structure. It's very distributed.
Mark: I would just say up until Colonial Pipeline, Western governments primarily dealt with financially motivated cybercrime as a criminal issue.
Colonial Pipeline Changed Things
Mark: It's law enforcement after the fact and Colonial Pipeline changed things almost overnight. It's like, "Cybercrime is so impactful on economies now it's a national security threat." As a result, intelligence and military organizations are being pivoted to focus on cybercriminals.
A couple of years ago, I never would've thought that would be happening. That's what the response has been. I still think if you look at the impact of cybercrime on economies globally versus say another crime type. Like you said, you mentioned bank robbery or any other fraud. Still cybercrime from a law enforcement side is massively under-resourced globally. The US is far and beyond resourcing other countries.
Eric: It's still well high.
Mark: For the impact, it's massive. It's very hard to gauge the impact other than we all know it's huge. But in general, globally, the law enforcement is massively under-resourced versus the problem that we have.
Eric: DarkSide was the organization that went after Colonial Pipeline.
Mark: That was the ransomware service, but again, it might have had one of the affiliates.
Eric: I have this premise that the individual who selected Colonial Pipeline as a target was probably not liked by their peers in the group once the United States of America government came after them. But what you just said is, it may have harmed them.
Mark: But I would just say that they wouldn't know. I'd never heard of Colonial Pipeline before. I'm sure they wouldn't have known.
Eric: Random stupid mistake. Who knew the President of the United States was going to put his sights on you when you hit Colonial. I'm sure you were still ostracized from the group.
The Reputation Within the Industry
Eric: What you're saying is based on the way this works and the reputation within the industry. Let's say the person's name was Yuri. Yuri's not a fan. Most of the people in the group don't like Yuri. Yuri's reputation across the ransomware as a service space probably took a big hit too. Like, "Oh, that's the guy who got the whole industry additional inspection and cut down on our monetization."
Mark: Yuri's going to use the name Eric the next week, or his profile or his reputation online is damaged. He'll have a little break just like the ransomware families.
Eric: You're saying it really doesn't matter because few people probably knew who Yuri was anyway. There's such an ease of shifting, of changing your persona, that Yuri had a problem. Yuri just disappears and Eric becomes the new Yuri. There really isn't even a consequence in that case.
Mark: Unless obviously identified in person or there's law enforcement action. Even with the ransomware families, they originated from somewhere else. Someone claims they're going down, they're shutting the service down. You think, "Are they really? Or they’re just going to shut down for a couple of months, rebrand, and pop up as something different."
Exactly, and it's changed a little bit. But as security researchers, you can look at the malware, the ransomware executables. Say, "This is 70% of what this one was. It's probably just rebranded." This is what happens.
Eric: But these people are intelligent and they're able to do that. Unless they're incarcerated, there's really little ability to stop them. You can slow them down, you can impact their operation speed bumps here in the States. But there's really little ability to stop them short of incarceration.
[24:59] Things You Could Do With Your Boots on the Ground
Mark: There's obviously things you could do. Maybe you find out who their identity is, who they are, and where they live publicly. That's been done in a number of criminal cases where public indictments have been released years after the fact. Ultimately, there has to be a cost applied against these people and so much so. But maybe the cost is these guys are making a lot of money.
Maybe in response, they're just like, "I'm going to still do cybercrime. But I'm not going to hit US organizations if the US response is so high," then that's what you'll start to see.
Eric: I'll move to easier, softer targets.
Mark: Exactly, or I just won't target the US. I'll be pretty open about it, so then hopefully, I don't bring the US government against me. The US government's response to cybercrime has significantly more resources than other Western countries today. So maybe that might be the response, which would still be a good one from the US perspective.
Eric: But not if you're Brazilian maybe.
Mark: I've not seen cybercriminals that have done that. Now they're just more careful about researching their targets and not having another Colonial Pipeline. There were two targets, it was Colonial Pipeline and JM, some food company that has to do with barbecue. So obviously, don't get in the way of Americans and oil and barbecue.
Eric: It's scary. All these attackers and ransomware toolsets and everything. Siri heard that. It just blends together. There's so many attacks these days, you can't even remember it as a practitioner in the industry.
The Thing That Broke the Camel’s Back
Mark: I would say it was even funny with the oil. It was more interesting that it was Colonial Pipeline, which is the thing that broke the camel's back. But they were hitting and impacting hospitals and surgeries, and that's super impactful.
Eric: Ireland got hammered.
Mark: Yes, people could die and suddenly an oil company, that is the oil pipeline. That was the one that broke the camel's back. Made the president talk about it and let loose other government agencies. You never know what the future holds.
Eric: We got to be able to drive to the beach.
Rachel: We love our gas here.
Eric: We're not all living by the med. We've got to drive hundreds of miles to the beach sometimes here.
Mark: Love your gas and love your barbecue. Probably should have seen that one coming.
Eric: They're not local. They didn't see that.
Rachel: They didn't have boots on the ground to understand the local culture.
Mark: I don't think any of our Americans saw that one either. Honestly, I would've thought the hospitals would've done it, getting hospitals, putting people's lives at risk that way. Surgery was delayed or had to be moved.
Eric: I don't think so because it's a drip. It is a water leak, but it's a drip. It's a hospital here, it's a hospital there, it's a state government. We've seen it over and over again. But the gas pipeline or the food side right was a little more than a drip. That was shutting down and creating fear on the East Coast, that was potentially food from across the country. The press really grabbed onto that.
The Press Drives Behavior
Eric: The press drives behavior a lot of times, which is a good part of their job. That was the difference. Now, if people had started dying across hospitals, we would've seen more press.
Rachel: You'd have to have significant numbers. I've only read one article where they were able to directly tie the ransomware incidents to a death. That's the problem. You can't make the direct connection, so then people are like, "Well, maybe it's not."
Eric: It's not like Eric died because of this ransomware attack. It is tough. I do have a ransomware question and I have no experience here. What is the level of ransomware attacks being inflicted on China? You read nothing about it. Is there any? You hear a little bit about Russia. It's probably a little overspray, but is anybody attacking China, the second-largest economy in the world?
Mark: It would have to be. I know the Russian government takes a very dim view on any Russian criminal impacting Russian victims. So, there's that.
Eric: To the extent where we've seen people remove Russian language attributes.
Mark: Yes, and even the criminal forums, the marketplaces don't allow you. You'll be banned if you talk about anything to do with impacting the former Soviet Union or Russian-speaking countries. We don't sell to any Russian or Chinese companies, we never would. So we don't really have visibility into that. But, I guess it would have to be, just like any country has. There are Americans committing cybercrime against other Americans. I'm sure there are Chinese people committing cybercrime against other Chinese.
The Chinese Don’t Have Their Boots on the Ground
Eric: You never read about it though. I was just wondering as we're talking, "You never hear anything about ransomware in China." The Chinese don't have to be huge on the ransomware side either, at least in my limited experience.
Mark: It sounds like they're starting to mold. We did some research. It was about a year ago, talking about the North Koreans and how the North Koreans were working with the Russian cybercriminals. They're starting to mold because the most mature cybercriminals are Russian-speaking. The most impactful cybercriminals are Russian-speaking.
They're starting to mold into that. There's no doubt that there's Chinese cybercriminals in that kind of underground space where the Russians and others engage. But as a whole, I can't pinpoint any specific Chinese actors to say they're involved in these kinds of things. Although I have no doubt they are there.
Rachel: So ransomware, financial motivations, that seems like the big rock everyone wants to talk about. How do we mitigate the financial incentives? You have these crypto mixing companies out in the world. I was reading your blog posts on your website and it's fascinating. I’d love for you to break down how they're able to operate. It seems like it's just free for all. They can do whatever they want and no one's looking at them. I'm trying to understand how it’s possible that they can launder cryptocurrency for ransomware gain.
Mark: People always ask me. I have a lot of friends that work in finance. Anyone who's actually traditionally grown up studying finance, cannot believe Bitcoin and the price that it is.
[32:13] Why Bitcoin Will Never Go to Zero
Mark: They always hate the fact that it is a store of value but it doesn't have any backing behind it. I tell them that Bitcoin is never going to go to zero. They say these meme coins, Dogecoin, Dog Queen, probably go to zero. But the underlying factor why Bitcoin is never going to go to zero is criminality.
That is like the underpinning of it, whether you're buying drugs, cyber crime, whatever. Bitcoin as well is anonymous, but it's not secure. I say it's anonymous in that anybody can create a wallet, there's no KYC, know-your-customer checks, or anything behind it. But if I can tie that unique wallet to yours, then obviously it's not anonymous anymore. Then the blockchain or the transactions happening wallet to wallet, the Bitcoin or money moving, are all trackable and all public. That's the point of it.
Eric: By definition.
Mark: That's how it works. This company Chainalysis and others which focus on analyzing the blockchain, they're worth billions of dollars now. Apparently, that's business. But then there are other cryptocurrencies, which are way more tailored for criminality, Zcash for example. Zcash allows you to do transactions and not have a record of it.
You can't trace the transaction so much so that the Russian government allegedly used it when they took NSA tools and started selling them online, “allegedly NSA tools”. They did that, and so they use Zcash and it's anonymous. Then the question is why don't the criminals use something like that that's more anonymous? I think in some cases now, they have. In some ransomware, you can get a discount if you do it.
Getting Your Boots on the Ground Is How You Encourage Good Behavior
Mark: If you use a cryptocurrency that's easier, it's less likely to be tracked. Because Bitcoin, you can track it from wallet to wallet, and there's these mixing services.
It’s like, "I pool everybody's money together, and then I start harming it to break the connection." So there's things like that, but I don't think you can really stop it. I know some people have said, "Oh, we should ban ransomware payments." You'll just sign up with a foreign company for consulting and send the money over there.
It's more of how you stop enforcing standards around publicly breaching. You need to share, you need to make that public that you got breached. Tell your customers in a certain period of time. Maybe you're going to get fined if your security wasn't up to scratch.
That's how you encourage better behavior rather than smash people after the fact. I don't think we can ban it. People will try, but I don't think you can ban ransomware payments. They will find a way to make that. You're better off banning them for their lack of investment in security.
Eric: You almost have to harden the targets to some extent. There's more to do, but you'll never ban crime which is essentially what this is.
Mark: You can't ban it, you can stop it. All you can do is encourage all of us and companies to be better secure now. It's a hard slog when you see some of the biggest companies in the world spending the most money on information security still have incidents.
It’s Getting Worse
Mark: That's why the whole cybersecurity industry is booming right now. We've been doing this in Intel 471 for seven or eight years. It feels like the problem's getting worse every year. So sometimes it's like you trying to think inside, "Are we actually good at our jobs or not? Because it's getting worse."
Eric: That's the story of the whole industry. With the creation of information technology, we've become more capable. The ease of communication, transactions, everything has decreased or increased. But the ease for crime, which leverages the same exact technologies and toolsets has increased. We're doing a good job, but the attack surface is getting bigger. The number of attackers, the incentives, and everything else are growing at the same rate.
Rachel: Quantum computing’s around the corner. How do we feel that is going to enable the attackers in any perspective?
Mark: We'll see in a couple of years. People have been saying that quantum computing, for as long as I can remember, "It’s just around the corner." I'll believe it when I see it. If modern cryptology is no longer safe, I don't know what's going to happen. That's a massive impact across the board. Who knows? I don't know what the world's going to look like then.
Eric: It's a tech rep. We can use it for good, or we can use it for bad.
Rachel: There's always the yin and yang. It's always going to be both.
Eric: It's like fire or the aircraft. They can be used for good or they can be used for bad.
Rachel: What a crazy world we live in today.
Mark: I don't think we're going to be out of a job anytime soon.
The Reality of the Threat
Eric: I always say that, I'd be happy to be unemployed and have to seek work elsewhere. That means the industry would be entirely secure, which is not something I will ever see.
Mark: I don't think we ever will. The level of investment is still not there across government and commercial to match the reality of the threat. There's a huge opportunity if you can get a company, you can do it in the cloud. You can scale up quickly, you can sell it to anybody across the globe very easily and very small. It's almost like, that's the positive. The negative is you can get your customers from anywhere, you can get your threats from anywhere.
Eric: You want Amazon and you want to be able to communicate over WhatsApp with anybody anywhere? That's awesome, but you can also be susceptible to ransomware and everything else. Same technology, same types of toolsets.
Rachel: Then you get charged twice for the ransomware. They give you the decrypt key, but they're like, "Oh. Well, we already have your documents anyway, so we're going to leak them online. Pay us again."
Eric: You're still dealing with an untrustworthy criminal element.
Rachel: They're so greedy. Why do you gotta be so greedy?
Mark: I don't know if it's the right thing. I don't know how often the cybercriminals actually do that. Usually, they're awash with victims and they can only handle negotiations with so many victims at a time. They want to get the money out of the pay, and be known as we're the honest criminals. We say we delete it, you pay us the money, we agree, we're going to delete it, we're going to move on.
[39:24] Not Good for Business
Mark: Usually, they want to be like that. Although, I've read a few stories online of them doing a double ransom and stuff. I'm like, "Maybe they want to retire soon or something like that," because generally that's not good for business. These guys are business people right at the end of the day.
Eric: Just like the mob, you can't kill all of your customers or you're out of business. You've got to mete out the punishment. Crypto mixing, not a term a lot of our listeners are familiar with. Can you spend a couple of minutes on what it is, what's the relevance here? Why should we care?
Mark: Think of Bitcoin, all the transactions of the public. Let's say I want to give money to Eric, but I want nobody to connect me and Eric together.
Eric: That would be a good thing.
Mark: Sure, Rachel, I'm going to give you $100 and you're going to put it in your wallet, and then you're going to go get $100 from the bank or from somebody else and give that $100 to Eric. So Eric still made $100, but there's no connection. So think of all that money, that same note, I give you a $100 note, you give a different $100 note. There's no transactional connection. A Bitcoin mixer works like that.
Basically, it's a centralized middle man. You send the money to the middle man, who's the mixer, who will then send a bit of the money from somebody else. If you look at it in the blockchain, this Bitcoin wallet, which is like your wallet, sends money from this amount of Bitcoin or from A to B. You're basically putting a middle man in between.
That Missing Piece Where You Keep Your Boots on the Ground
Mark: I can't track that Mark Arena gave X amount of money to Eric. So that's the mixing of that piece.
Eric: Old money laundering is the easy way to describe it.
Rachel: I read in your blog they offer options too. If you want to make it even harder to trace, you can have dynamic fees. Could you talk a little bit more about that?
Mark: You can figure that out, if you can trace it, if I'm going to send you one Bitcoin. Maybe the fee is always 10%, then I'm going to look for a transaction around a similar time of 0.9 of a Bitcoin. They want to make it harder. Obviously, blockchain has a huge amount of transactions going all back and forth. They want to make it harder to track that.
So then it's not a fake straight 1%, it might be 0.4%, it might be 0.8%, or it might be 1.3%. I'm just randomly picking these numbers. Make it harder to do it, but these mixing services have been around since almost the start of Bitcoin. It's plain old money laundering, and it's all about breaking the chain of the transaction. It can be followed and tracked.
Obviously, some of these companies, Chainalysis and others, can actually look at a wallet and say, "Okay, this transaction is going into a service of some sort."
Eric: We know that, but maybe they lose that chain after that.
Mark: Maybe they're able to then identify, "All right, that mixing service is that underground. There's characteristics around that mixing service versus mixing service A versus mixing service B," and obviously these are hubs.
Who Runs the Mixing Service
Mark: So if law enforcement can identify that mixing service and who's behind it and take it out, maybe they can build the chain. So they find who runs the mixing service, they still have the history of the transactions that were done. They can actually see who put in money and where it goes.
Eric: Is there a purpose for the mixing service other than laundering the money?
Mark: I don't know of any.
Eric: In traditional money laundering, you're talking strip clubs, casinos, pizza parlors, nail salons. They're typically cash-oriented businesses where you can take dollars on one side, send them out the other. Everything's obfuscated, but they still have a purpose. You're getting your nails done or you're gambling for entertainment, whatever it may be. Do these have a separate purpose? If not, it seems like that would be a very easy thing to regulate or control to some extent.
Mark: They already are regulated, but these are criminal-run criminals.
Eric: Criminal enterprises.
Mark: There's no hiding about it. You can't be a transaction service without a license or without knowing your clients and doing all this.
Eric: It's more like a speakeasy in times of prohibition in the United States where you're laundering money, but you're even illegally doing it.
Mark: They know it's illegal, they're targets of law enforcement. Also because of the interesting data and information they have of the different transactions of who their customers are, who the top people are. These ransomware organizations are using these mixing services. They need to find out who the mixing services are and how they're being used. Start building the profile of the customers of the service, just like affiliates of ransomware service.
Fight the Good Fight and Keep Your Boots on the Ground
Mark: Those customers have a mixing service and that's the massive target of law enforcement. If you're running a mixing service, watch out. I'm sure a huge amount of resources are being spent trying to track you down and bring you to justice.
Eric: Trying to understand you and find you. So modern-day money laundering.
Rachel: Mark, we want to be respectful of your time. Thank you so much for digging into my favorite topic today. I love these conversations and all the great insights you shared with our listeners. We’d love to have you back at some point as we see more ransomware activity jumping out. It'd be fun to talk about things as they're happening as well.
Mark: Happy to come back and thanks very much for the opportunity.
Eric: Keep doing what you're doing because it does help, even though we're all falling behind.
Mark: I'm putting my fingers in a leaking boat.
Eric: Bruce Schneier from NSA, the cryptologist once said, "We're getting better, but we're getting worse faster." Something to that effect, and that's absolutely what happens here. But we need to keep trying.
Rachel: Fight the good fight. Thanks everyone for joining us for this week's episode of To The Point podcast. Be sure to smash that subscription button, get a fresh episode every Tuesday to your inbox. Until next week, stay safe.
About Our Guest
Mark Arena is the Chief Executive Officer and founder of Intel 471. Mark was previously employed by iSIGHT Partners (now FireEye) as their Chief Researcher. Prior to this, Mark worked at the Australian Federal Police as a technical specialist within the High Tech Crime Operations function.
He worked on a number of different crime types where new, unique or emerging technologies were used by criminals and a solution was required when no commercial, out-of-the-box solution was available. Prior to the Australian Federal Police, Mark worked as a Software Engineer on embedded systems for public transportation systems.