Operation Birks

Released Thursday, 10th August 2023
Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:02

The Australian Federal Police, or

0:04

AFP for short, is Australia's

0:06

national policing agency. Its

0:08

aim? To outsmart serious crime

0:11

with intelligent action. Officers

0:13

from the AFP work with local, national

0:16

and international agencies to combat

0:18

serious criminal threats. Their

0:21

work includes counter-terrorism, serious

0:23

organised crime, human trafficking,

0:26

cybercrime, fraud and

0:28

child exploitation. The

0:31

AFP exists to disrupt major

0:33

criminal operations. In

0:35

2020-21, they did that over 400 times. They

0:41

seized 38 tonnes of illicit

0:43

drugs and precursors and assisted

0:45

overseas police services in seizing 19

0:47

tonnes of drugs. The

0:50

AFP charged 235 people

0:52

with child exploitation and

0:55

charged 25 people following

0:57

terrorism investigations. The

1:00

Australian Federal Police is opening its

1:02

doors to give you a glimpse of how their

1:04

officers investigate the most serious

1:06

of crimes and stay one step ahead

1:09

to keep Australia safe.

1:21

The Australian Federal Police Department is now in the middle of a serious crime.

1:31

In recent times, Australia has

1:33

had a number of well-publicised security

1:35

breaches in big companies that hold a vast

1:38

amount of personal information. Operation

1:41

Birks provides insights into how

1:43

cybercriminals can use data from such

1:46

breaches to steal millions of dollars

1:48

from unsuspecting victims and how

1:50

the AFP can catch them.

1:53

Jim is a Detective Leading Senior Constable

1:56

with Cybercrime Operations at the

1:58

AFP. Before

2:00

cybercrime, Jim worked in counter-terrorism,

2:03

and part of his job was to track down persons

2:06

of interest using tools that exploited

2:08

open-source intelligence. Doing

2:11

this work led to an interest in exploring

2:13

cybercrime, which was a challenge in

2:16

the time of VPNs, the darknet,

2:18

cryptocurrency, and virtual servers.

2:21

Law enforcement officers needed to keep a

2:24

step ahead in the virtual space. Despite

2:27

not having a background in this area, Jim

2:30

decided to move outside his comfort zone

2:32

and give cybercrime a try.

2:35

Working at cybercrime is really good in

2:37

the AFP because unlike security

2:39

agencies and people in the private sector,

2:42

at cybercrime we get to do the cybercrime

2:44

investigation, we then get to execute

2:46

warrants, debrief the offenders,

2:49

and actually get access to their devices. So

2:52

in that regard, it's really challenging

2:54

and a really good place to work if you're involved

2:57

in cyber.

2:58

Jim started in cybercrime in Canberra

3:00

in January 2019. One of his first jobs was a

3:03

referral

3:05

from Report Cyber.

3:08

Report Cyber, located at cyber.gov.au,

3:12

is the national cybercrime reporting

3:14

system run by the Australian Cybersecurity

3:17

Centre, ACSC, on

3:19

behalf of all Australian police.

3:22

Reports submitted through Report Cyber

3:25

are allocated to the Australian Police Force

3:27

with the jurisdiction and responsibility

3:29

for investigating them.

3:31

While the frauds investigated in Operation

3:34

Birks had been referred to state police,

3:37

it wasn't until an analyst at the AFP

3:39

examined them all together that a frightening

3:41

pattern emerged.

3:43

We received a referral regarding

3:46

a syndicate who were targeting money

3:48

held in superannuation funds and

3:51

this syndicate had stolen millions of dollars from

3:53

Australians in a relatively short

3:55

amount of time and it was obviously a

3:57

concern to us.

3:58

Now all of these crimes have been reported

4:01

to state police partners and the AFP

4:03

in isolation. But it wasn't until a

4:05

colleague from the AFP working at the cybersecurity

4:08

centre looked at them all together

4:10

and realised that this wasn't just isolated

4:12

incidents, he realised that it was actually

4:15

a serious organised crime syndicate who

4:17

was targeting superannuation and so

4:19

he escalated the matter and that's how it landed with

4:21

cyber investigations in Canberra.

4:24

Part of the reason for the early success

4:26

of the hacking syndicate was that banks

4:28

were not traditionally targeted in this

4:30

way.

4:31

Working out what they were doing was

4:33

really important. I think historically offenders

4:36

didn't target banks and they didn't target superannuation

4:39

companies because they were perceived to be

4:42

infallible, just too hard to get into. But

4:45

technology has changed and there's

4:47

a bit of insider knowledge and

4:50

there's a lot of trial and error and a lot

4:52

of tools out there that weren't available to

4:54

cyber criminals many years ago. So all

4:56

of a sudden people have started to try

4:58

and hack accounts and

5:01

take money from superannuation companies and

5:03

when they discover that formula, when they hit

5:05

on that formula,

5:06

that's basically opening the door to

5:09

offending. So the superannuation companies

5:12

were very keen to firstly have the offenders

5:14

arrested

5:15

and also to work out what their vulnerabilities

5:18

were so that they could patch those vulnerabilities,

5:20

which they did. Investigators

5:22

for Operation Birks needed to identify

5:24

how the offenders in this case acquired

5:27

the stolen personal identification information

5:29

that they used to access superannuation

5:32

accounts.

5:34

One common way is using IDs

5:36

stolen in large scale hacks. If

5:39

you have stolen identification

5:41

documents, you can set up an

5:43

online account within minutes. We've

5:46

heard about hacks and the fact

5:48

that a lot of data has been stolen

5:50

and a lot of personal information has been stolen.

5:52

This is how the criminals make money.

5:55

So they're using those documents, the

5:57

license numbers, the Medicare cards,

5:59

the

5:59

other documents that people have and

6:02

they're setting up fake bank accounts using

6:04

phones and fake email addresses.

6:07

The way this fraud worked was,

6:10

the offenders used the dark web to

6:12

buy stolen personal data, then

6:15

set up fake or mule accounts

6:17

in which to transfer people's superannuation.

6:21

Initially what they were doing is they were taking

6:23

that stolen personal identification information,

6:26

working out whether or not someone had a superannuation

6:29

account with a particular superannuation

6:32

fund. They would then make contact

6:35

with the superannuation fund either through

6:37

the chat function or through

6:38

phone calls and just

6:40

change some of the details like change the phone

6:42

number or change the email address. They

6:44

would then let that sit for a couple of weeks. They

6:47

would then use the stolen identification

6:49

information and put

6:52

through fraudulent claims

6:55

to have superannuation

6:57

deposited into a mule bank

6:59

account.

7:01

Sometimes the amounts of money going

7:03

into these mule accounts were significant.

7:06

They had to deposit the money into bank

7:08

accounts and that's what these mule accounts were

7:10

for. So they'd do fraudulent withdrawals

7:13

from a super account, in some cases $400,000 in a go,

7:17

and they would transfer that money into a mule account.

7:20

Once the money was in the mule account they'd send

7:23

a debit card offshore to a colleague in

7:25

Hong Kong

7:26

who would then buy electronics or jewellery

7:29

or gold bullion

7:30

and sell that and then return the

7:32

money or the funds back to Australia as cryptocurrency

7:35

that was much harder to trace.

7:38

It became obvious to the investigators

7:40

that the syndicate behind these thefts was

7:42

operating on the dark net. That

7:45

meant scammers from around the world

7:47

were connecting with each other but only

7:49

performing one component of the fraud.

7:57

computers.

8:01

In some cases, there would be people who actually

8:03

made calls to the superannuation funds.

8:06

These callers specialise in one

8:08

thing and they get a cut of the

8:10

amount of money.

8:11

And in many cases, the people

8:13

don't even know who they are. So they

8:16

agree to commit offences together

8:18

without knowing who else they're in bed with.

8:21

And as long as the people

8:23

get paid or pay the money and

8:25

get their fair share, they will continue to work

8:27

with those people.

8:29

So there are, for example, the person who

8:31

compromised many of the computers and set

8:33

up a phishing website was based in America.

8:37

It's timely to explain here what phishing

8:39

is. That's phishing with a PH.

8:42

Phishing is one of the evolutions in

8:45

this crime type. So initially, they

8:47

started off with a lot of personal identification

8:49

information that they'd acquired from

8:52

a company that had been compromised. That

8:54

company also had records of people's superannuation

8:57

accounts.

8:58

So they were able to get the personal identification

9:00

information and the details of the super accounts

9:02

from the one company. But as time

9:05

went on, they evolved. They got

9:07

more sophisticated. So what they

9:10

did was they set up a phishing website

9:12

where they basically copy

9:15

or mimic a legitimate website.

9:18

And when the user goes and looks

9:20

up that website and puts their username

9:23

and password in, that information

9:25

is stolen by

9:27

the offenders and automatically

9:30

the victim is diverted to the actual legitimate

9:32

website. So what that means is

9:34

that you go to a website you think is

9:36

legitimate that harvests your passwords

9:39

and then diverts through to the legitimate

9:41

website.

9:42

They can then get access to your superannuation

9:45

account.

9:46

Once they have that access, they can do things

9:48

like change the address, change

9:51

the email address, change the phone number and

9:53

that sort of thing. So that's how they used

9:55

a phishing site. And in this case, they

9:58

actually paid for their phishing website.

10:00

to be promoted so that when you did

10:03

a Google check on that particular superannuation

10:05

fund, the phishing website came up

10:08

before the legitimate website and that

10:10

was not detected at the time. So,

10:12

it was active for, I don't know, a month or so.

10:14

And in that month, they got dozens of

10:16

account credentials, which meant that they were

10:18

able to access people's accounts.

10:21

For the offenders, it was most desirous

10:23

to have people who had reached retirement

10:26

age because they could actually do

10:28

vast lump sum withdrawals of superannuation.

10:32

So that's what they were aiming for. And in many

10:34

cases, that's what they got.

10:36

The AFP often works in partnerships

10:39

with other agencies. Before

10:41

the superannuation fraud came onto the

10:43

AFP's radar, it had come onto

10:45

the radar at ASIC, where Scott

10:47

Bowie works as a lawyer.

10:50

The Australian Securities and Investment Commission

10:52

is referred to, in short, as ASIC. We

10:56

regulate the corporate sector

10:58

across Australia. So we're a Commonwealth agency

11:01

and we also regulate the financial

11:04

markets.

11:05

I'm attached to an area of that

11:07

referred to as markets enforcement. We're

11:10

mainly involved in the regulating

11:12

of the

11:13

financial market participants, looking

11:15

for misconduct and investigating it and

11:18

ensuring that the participants comply

11:20

with the Corporations Act.

11:22

The case that came across Scott's desk

11:24

at ASIC was not superannuation funds

11:27

fraud.

11:28

His case involved share trading.

11:31

Going back

11:33

to 2018, retail investors

11:36

were reporting misconduct

11:39

to ASIC through the system that

11:41

we have there. They were complaining

11:44

of having their share portfolios

11:47

stolen without their knowledge. With

11:50

these earlier cases, investors

11:52

reported their shares had been stolen,

11:54

then sold.

11:56

ASIC discovered the money had been transferred

11:59

into accounts set

11:59

up using stolen identification.

12:02

The sales were occurring through

12:05

large share brokers in

12:07

Australia

12:09

and that was mainly happening through

12:12

the use of

12:14

stolen identification information. So

12:17

the organised crime syndicates were

12:19

using the stolen identification

12:22

information such as driver's licence,

12:24

Medicare cards, all of that

12:26

information that you can obtain when you

12:29

hack a company

12:30

and steal their HR or payroll

12:32

database, that sort of information. They

12:34

were using that to set up bank accounts

12:37

with the stolen identification, then complete

12:41

forms with the brokerage

12:44

facilities to do

12:48

one-off sales of people's portfolios.

12:51

And that's how ASIC then got

12:54

involved because we started to obtain

12:56

this information from the brokers

12:58

and look at all of

13:00

that data.

13:02

Before ASIC and the AFP

13:04

realised they might be looking at the same

13:06

set of offenders, Jim at Cybercrime

13:08

was busy finding links between the superannuation

13:11

accounts that had experienced fraud.

13:14

He knew that even though the syndicate had

13:16

worked out how to steal money from superannuation

13:18

accounts around Australia

13:20

because of the nature of cybercrime, they

13:23

could be doing it from anywhere in the world.

13:26

One of the challenges with cybercrime

13:28

is that the offenders could be based anywhere in Australia

13:30

or anywhere in the world. In the era of VPNs

13:34

or virtual private networks, virtual private

13:36

servers, the offenders could and were

13:38

in fact in many countries in the world

13:40

and we had no idea. Because it's so

13:43

easy in cybercrime with cryptocurrency

13:45

and technology to hide your location, when

13:47

the referral came through to us, we actually didn't

13:50

know where the offenders were and that's why it was

13:52

referred to a team in Canberra as opposed to one

13:54

of the regional teams in Sydney, Melbourne, Perth

13:57

or Brisbane.

13:58

at the Australian

14:01

Cybersecurity Centre identified 35

14:03

accounts that had been targeted

14:05

at a major superannuation fund.

14:08

The investigator also identified a

14:10

number of bank accounts that had money transferred

14:13

into them from superannuation.

14:16

Some of the super funds' cyber security

14:18

had worked, so while the syndicate

14:20

had attempted to steal $7 million, they

14:23

only ended up with $1.4 million

14:26

because the fund had strengthened their security

14:28

measures. A

14:29

colleague from the ACSC

14:32

approached me and said, look, we've identified

14:35

that it's not one offender and

14:37

a couple of accounts, it's actually 35 accounts

14:40

that they've tried to hack and they've been successful

14:42

in a very short time in getting $1.4 million.

14:46

This is not one person, this is an organised

14:48

syndicate.

14:49

We have to look into this. My

14:51

colleague did some really good work

14:53

in identifying that it was the same people.

14:56

The methodology was the same, they

14:58

were using the same IP address. In

15:00

many cases, they used the same fake

15:03

bank accounts

15:04

and they also used JP stamps or Justice

15:06

of the Peace stamps to falsify documents

15:09

that are then submitted to the superannuation

15:11

companies

15:12

to make fraudulent withdrawals.

15:15

He worked out that in fact it was the same

15:17

group of people, it wasn't just one or two

15:20

offenders who are being opportunistic,

15:23

this was organised and they knew what they were doing.

15:26

Justices of the Peace are used for the

15:28

certification of some documents.

15:31

The JP stamps, it seemed,

15:33

were easy to duplicate. And

15:36

this was necessary because in order

15:38

to move money out of the superannuation

15:40

accounts, the syndicate needed to

15:42

set up accounts in the same names

15:44

as the original accounts to avoid

15:47

too much scrutiny.

15:48

It was virtually unheard of that people would

15:51

actually be so audacious as to do

15:53

this, so the superannuation

15:55

funds weren't really on high alert and

15:57

looking for this. So quite often, the

15:59

offenders were able to change the

16:02

email address, the phone number

16:04

and the account details and in some

16:06

cases the date of birth on the superannuation

16:09

account. They had to submit paperwork

16:11

to do this and they would use fake

16:14

JP stamps.

16:15

When the offenders set up fake bank

16:17

accounts using stolen data, they also

16:20

needed two other components. Firstly,

16:22

a fake account needs

16:24

a postal address. And secondly,

16:27

with two-factor identification which is

16:29

now widely used, they needed

16:32

phone numbers for each account. With

16:35

such large-scale fraud, that meant

16:37

the offenders needed a lot of SIM cards

16:39

which they could use in burner phones. Even

16:43

though these fraudulent accounts were linked to

16:45

post office boxes rather than residential

16:47

addresses, this gave the investigators

16:50

a starting point.

16:51

Scott from ASIC explains.

16:54

We had analysts and investigators

16:57

combing through that information, looking at

16:59

the addresses listed, the post

17:01

office boxes, the phone

17:04

numbers provided on the forms.

17:08

And there was a lot of information there. From

17:10

that, we then identified that there

17:12

was clusters of offending going on

17:14

here. Ultimately, there was more than

17:17

one criminal syndicate that was active

17:19

and it led us to make some inquiries

17:22

with the pharmacist

17:24

based in Sydney. And when we made those inquiries,

17:26

clearly that

17:27

pharmacist had their identification used

17:30

to facilitate the crime, so it

17:32

wasn't actually them. It then

17:34

led

17:35

ASIC to make

17:38

inquiries with a

17:40

person of interest based in Victoria.

17:44

After the AFP and ASIC teamed up

17:46

to investigate both the share trading fraud

17:49

and the theft from superannuation accounts,

17:51

they got in touch with the Australian Transaction

17:54

Reports and Analysis Centre, AUSTRAC.

17:57

Natasha from AUSTRAC explains exactly

18:00

what they do.

18:01

AUSTRAC, we serve a dual role.

18:04

We're a financial intelligence regulator.

18:07

And so what that means is we regulate

18:10

the financial sector and require

18:13

them to submit certain types of

18:15

financial transaction reports. And

18:18

we are also a financial intelligence

18:21

unit. And so we take those

18:24

transaction reports and we

18:26

analyse those for intelligence

18:28

purposes. So what

18:30

that means is that everyday

18:33

transactions can shed a lot of valuable

18:36

insights into why somebody

18:38

might be moving money or how

18:40

they might be involved in something

18:43

that is either unusual, suspicious

18:46

or part of a crime.

18:48

The analysis of financial transactions

18:50

is a critical part of any investigation,

18:53

revealing who the offenders might be

18:55

and where they are.

18:57

The AFP and ASIC undertook

19:00

the investigation and

19:03

had a look at some of the finances,

19:05

what went wrong and how

19:08

some of the funds involving the superannuation

19:10

funds and share funds were

19:13

moved from one account to another. And

19:16

so they approached AUSTRAC

19:18

at that point for some assistance

19:20

with working with some of the financial institutions.

19:23

And so what AUSTRAC

19:26

did at that time was

19:28

really drill down into

19:31

step-by-step what happened in

19:33

terms of how these

19:36

criminal groups manage to gain

19:38

access to customers'

19:40

identification details, how

19:43

the criminal groups manage to create

19:46

different types of accounts, whether it be bank

19:48

accounts or superannuation

19:50

accounts, and then how they manage

19:53

to remove the

19:55

customer's funds from those

19:57

accounts and then move them offshore.

20:00

Superannuation funds are designed not

20:02

to be accessed until retirement age.

20:06

Jim explains how the scammers

20:08

got around this. Once

20:10

these people realised that they had access

20:12

to super funds with large sums of money

20:14

in them,

20:15

but the people weren't over the age of 60,

20:18

they had to work out a way around

20:20

that. So what they did was they used the stolen

20:22

personal identification information

20:25

and set up a second super fund.

20:27

So for example, if you're with Superfund A, which

20:30

records your date of birth as being born in 1975,

20:33

you

20:35

might go to Superfund B and set

20:37

up a super fund using the stolen

20:40

identification documents that have been altered

20:42

so that it appears that you're born in 1955. And

20:46

so you transfer your super funds from fund

20:49

A to fund B, and

20:51

that means you can then withdraw from fund

20:53

B, and that's something that they were doing. So it was

20:55

quite complex. A lot of trial and error,

20:58

and once they land on a formula that

21:00

works, they exploit it.

21:02

One of the reasons this method was really

21:04

successful in the beginning was because super

21:06

funds had never seen anything this audacious.

21:10

Historically, their security protocols

21:12

had worked, but with the evolution

21:15

of cybercrime, they quickly realised

21:17

that they had to improve their cyber security.

21:20

Bear in mind that this was five years ago and

21:23

the superannuation accounts had never had

21:25

fraud like this. Thankfully, the super

21:27

funds are very reactive and responsive

21:29

and take this very seriously. So they've now

21:32

beefed up security. So this is much harder.

21:35

As soon as the fraud was identified, AUSTRAC

21:38

helped the financial sector understand

21:40

the patterns of offending.

21:42

The AFP undertook all the investigation

21:45

and they then approached AUSTRAC

21:47

with, these are our findings. These are

21:49

the patterns or the consistencies that

21:52

we've noted among these cases.

21:55

And so it was those patterns that

21:58

AUSTRAC compiled

21:59

and then shared with the broader superannuation

22:02

sector so that they were then able to

22:05

look out for similar patterns. So if

22:07

all of a sudden they were starting to receive

22:09

an update of identification

22:12

information, particularly relating to

22:14

dates of birth, where a JP

22:17

had signed off on that change, then

22:20

that would be considered a red flag or

22:22

something that would generate

22:24

further questions or enhanced customer

22:27

due diligence checks to be undertaken.

22:30

Working with the financial sector to reduce

22:32

vulnerability was a pressing need, but

22:35

finding those responsible was also

22:37

a top priority. With burner

22:39

phones and post office boxes, there

22:42

was a lot of information that could lead investigators

22:44

to the culprits.

22:46

At ASIC, Scott found

22:48

that one bank account was being used to

22:50

finance a number of burner phones.

22:53

That bank account was used to recharge

22:56

burner phones because

22:58

this syndicate was very good

23:00

at hiding under layers of identification

23:03

fraud. They used identification to set everything

23:05

up, so nothing was in their real name.

23:08

What we needed to do was do

23:10

a lot of analysis of banking

23:12

and telecommunications information, also

23:15

cryptocurrency transactions, to

23:18

try and find a lead which

23:20

would lead to the real world and

23:23

then identify a person of interest

23:25

that we could then look at a little closer.

23:29

So at that point, we managed

23:31

to find some banking accounts

23:33

that were of particular interest which had recharged

23:36

some of these burner phones.

23:37

The burner phones had been used

23:40

on the application forms to commit

23:42

these offences.

23:43

While this particular offender was generally

23:46

careful using different SIM cards

23:48

for each account they were hacking, it

23:50

only took one mishap to lead investigators

23:53

at Operation Birks to her door.

23:55

The offender was using SIM

23:58

cards and I think they put 200 SIM cards through

24:00

a particular phone, and on one

24:02

occasion they had done some offending, but

24:04

then foolishly made a phone

24:07

call to a business that

24:09

would allow us to track them.

24:12

This is more common than you might think, and

24:14

we have even covered this in Season 1

24:16

of Crime Interrupted. The

24:18

most careful of criminals can occasionally

24:21

forget and use their burner phones

24:23

to order a takeaway. In

24:25

Season 1 it was a ham and pineapple

24:28

pizza.

24:29

In Operation Birks it was kebabs.

24:33

Scott explains how one order of kebabs

24:35

could bring down the house of cards.

24:38

We were then able to identify

24:41

some particular

24:43

calls of interest. One of those

24:45

was to a kebab

24:46

shop based

24:48

in Melbourne, and we

24:51

thought this could lead to us identifying

24:54

the real person who had called

24:56

up the shop to make an order

24:58

for some

24:59

kebabs, and the owner

25:02

of the kebab shop had written down on

25:04

a piece of paper the name of the person,

25:07

the address where it was to be delivered to, and

25:11

one of our investigators

25:14

followed up on that transaction, and

25:16

we then went down there and obtained that information,

25:19

and we got that person's name and address where the food

25:21

was delivered. So that then allowed us

25:23

to then make further inquiries, look

25:26

at the person at the address, identify

25:28

exactly who they were.

25:30

From that we did further telecommunications

25:33

analysis of more burner phones,

25:36

and what we found is

25:39

the phone

25:40

that that person was using in real

25:42

life, they had a phone that they were using for

25:44

their personal communications, and

25:47

that phone worked in lockstep

25:49

with

25:50

one of these burner phones that had been

25:52

used in some of the offending. That

25:55

then cemented our case theory

25:57

that it was this person who

25:59

was

25:59

the main suspect

26:01

in this offending.

26:03

It turned out that the Melbourne part of the syndicate

26:06

was a 21-year-old woman who we are

26:08

going to call

26:09

Hannah.

26:10

Investigators began monitoring her

26:12

closely.

26:14

What we then did is, through

26:17

further analysis, we found that

26:19

the person of interest was

26:22

then making calls through

26:24

a travel agency and was booking

26:26

a holiday overseas.

26:29

Once Hannah was identified, Jim

26:31

and his team at Operation Birks had to

26:33

find the best way of investigating her

26:35

and stopping her. In

26:37

the end, her overseas holiday

26:40

provided the perfect solution.

26:42

Well, there wasn't a great deal out there

26:45

regarding Hannah. We knew

26:47

that she lived in North Melbourne, but she had

26:49

no criminal record. She had some interesting

26:52

associates, but there was nothing that

26:54

indicated that she was involved in cybercrime.

26:57

Having said that, the information from

26:59

ASIC was very good, and that

27:02

led us to progress to the next stage of

27:04

the investigation, which was resolution. Now,

27:07

when that happened, we had a couple of options that we

27:09

needed to consider. The first is

27:11

to use what we call special projects, so using

27:14

technical solutions that we don't really

27:16

talk about. However, that is very resource-intensive

27:19

and quite often is very limited in

27:21

its value.

27:22

We thought about doing things like where we kept someone

27:25

under surveillance,

27:26

but we could be doing this for months before we actually

27:29

captured the evidence that we

27:31

needed to be able to prosecute. So

27:33

the third option was

27:34

a disruption option. We just damn the

27:36

torpedoes, we roll the dice, and we do

27:39

a search warrant and hope that

27:41

we find enough evidence when we

27:43

do the search warrant to be able to prosecute.

27:45

And that is a big risk, because if you go in

27:47

there and you don't find what you're after, the

27:50

case is blown, and it might lead

27:52

to you missing several other targets.

27:54

So it was a big decision that we had to

27:56

make as to how to proceed what the next step

27:59

was.

27:59

Fortunately for us, one of the analysts

28:02

from ASIC had identified

28:04

out of the blue that Hannah had gone offshore

28:06

and would be returning in three weeks.

28:08

Now that to me was a really good opportunity

28:11

to execute search warrants because

28:14

she would have her devices in

28:16

her possession at the time.

28:18

One of the challenges in cybercrime is attribution.

28:21

So you might have a computer or a phone

28:23

at a house, but it's open for the person

28:25

who lives at that house to say, hey, that's not mine.

28:27

That's my flatmate's or whatever. It's

28:29

much harder to deny that you are in

28:32

control of a phone or a computer

28:33

if it's found on your person.

28:36

So we made a decision to damn

28:38

the torpedoes. Worst case scenario,

28:41

it would be a great disruption and a great disincentive

28:43

to continue this offending.

28:45

We made a decision to proceed with

28:47

warrants when Hannah returned to the

28:49

country.

28:51

The golden opportunity to seize Hannah's

28:53

computer and phones was an example

28:55

of the good luck that sometimes comes

28:57

the investigators' way.

28:59

It's hard to deny that a phone and a computer

29:02

are yours when you're travelling with them in your

29:04

carry-on luggage.

29:07

Once the investigators at Operation Birks

29:09

found out the date Hannah was returning to

29:11

Australia, they enlisted the help

29:13

of their partners at Border Force.

29:16

As soon as we realised that Hannah was

29:18

returning to Melbourne, we spoke

29:21

to our partners at Border Force who were,

29:23

as usual, fantastic. They were able

29:25

to pull Hannah and her devices

29:28

and her luggage

29:29

into a small room and with our

29:31

colleagues from ASIC, we started

29:34

executing search warrants. So we were able to get access

29:37

to the devices, which was very

29:39

useful. Hannah spoke to a lawyer very

29:41

quickly who gave her advice not to

29:44

speak to the police and that was fine. We

29:46

had access to the devices and so

29:48

we were happy with that.

29:49

The stopping of Hannah as soon as she returned

29:52

to the country was the culmination of

29:54

a year's work for ASIC.

29:56

The AFP strategically...

30:00

stopped Hannah

30:02

when she came back into Australia and that

30:04

worked

30:05

extremely well in this case. Some

30:08

of it I guess is good planning and strategy

30:10

and some of it it's a little bit of luck in

30:12

these cases but it all came together

30:14

quite nicely. So ASIC was also

30:17

present, we wanted

30:19

to do a search warrant at

30:21

Hannah's premises but

30:24

it was also extremely beneficial

30:27

if we could

30:28

obtain the devices that

30:30

Hannah was in possession of when she came

30:32

back into the country that would allow us to then

30:35

get hold of these devices which we hoped

30:37

had a lot of evidence on them.

30:40

After taking Hannah's devices for

30:42

examination the search of her home

30:44

began. When

30:46

the investigators first entered the house

30:49

it did not immediately look like the house

30:51

of someone steeped in cybercrime

30:53

activities.

30:54

When we walked into the house it was very neat

30:57

and initial inspection we didn't

30:59

find anything that would suggest that

31:02

this house was used for cybercrime. There

31:04

were no computers, there were no devices,

31:06

there was nothing other than what we actually found

31:09

on Hannah at the time of the warrants. However

31:13

when we walked in we noticed a couple of things.

31:15

The first was a big box of SIM cards,

31:18

hundreds and hundreds of Optus SIM cards

31:20

and many of those SIM cards had numbers

31:23

and names written on the labels.

31:26

So that was the first clue that we're on the money.

31:28

We also found on the desk a box of gloves.

31:31

So the gloves were used to prepare the

31:33

documents that were then sent to the

31:35

super funds to make the fraudulent

31:38

withdrawals and this was consistent with what

31:40

we knew because we had fingerprinted

31:42

and done DNA testing on the documents that had

31:44

been sent in

31:46

and they all had smudge marks and no fingerprints.

31:48

So that was consistent with gloves

31:51

being used to prepare the documents.

31:53

Something else that we found on the printer was

31:55

a withdrawal from a particular super fund

31:58

for several hundred thousand dollars

32:00

in the name of Neil, and that was already

32:02

in train. So that was sitting on the printer,

32:04

and that is something that Hannah

32:07

had forgotten to take off the printer and dispose

32:09

of before she left.

32:11

It appears that she left in a rush, as we

32:13

all do when we go to the airport, and she sent

32:15

a text to a friend saying, look,

32:17

I really need you to do me a favor.

32:20

Can you empty the bins?

32:21

Well, the friend never got around to emptying the

32:23

bins by the time we went through the door.

32:26

And in the bins, we found loads

32:28

of documents that had been used

32:30

to defraud numerous superannuation

32:32

accounts. So much of the evidence

32:35

that we found, in fact, was in the bin.

32:37

And if that had been taken out on the

32:39

day, we never would have found it. So

32:41

that was a bit of a coup for us.

32:44

It also speaks to the fact that if we do search

32:46

warrants, we search everything, we take

32:48

everything to pieces. Absolutely

32:51

everything. And I think the searches took 20

32:54

hours on that occasion.

32:56

It is common for online scammers to

32:58

use encryption software to communicate with

33:00

each other.

33:01

And this is what the investigators found in

33:03

this case.

33:05

At the search warrant at the premises, it

33:07

was a

33:08

treasure trove of evidence for

33:10

us. Not only was there documentation

33:13

related to the offending inside the premises,

33:16

including

33:17

SIM cards, which were used in

33:19

burner phones, but there

33:21

was also some documentation which

33:24

had a fingerprint on it, which was in the rubbish

33:26

bin.

33:27

It certainly paid dividends to be thorough,

33:30

and the AFP did a thorough job

33:32

in conducting

33:34

the search and seizure at the premises.

33:36

We also had

33:38

the good fortune of digital

33:40

forensics, and they were

33:42

very experienced. So they

33:45

were then able to access

33:48

encrypted telecommunications between

33:50

syndicate members using,

33:53

like, the encrypted apps, such as Telegram.

33:56

There's a number of these different communication apps

33:58

out there, but in this case, Telegram, and

34:01

then download those communications,

34:03

which was extremely beneficial

34:05

for our case because ultimately we

34:08

ran a case of conspiracy. So

34:10

we needed to show the different roles the different

34:13

people were playing, the acts,

34:15

which contributed to the ultimate offense.

34:18

Hannah's devices turned out to be

34:20

a treasure trove.

34:22

We found a lot of stolen personal identification

34:24

information.

34:26

We found access to darknet marketplaces

34:28

that Hannah was using.

34:30

We found cryptocurrency accounts.

34:32

It was about 2 a.m. by the time we actually

34:35

managed to get access to all of those devices.

34:37

And I remember once we did get access and we

34:39

could see those Telegram accounts, the

34:41

darknet interactions, the cryptocurrency.

34:44

It was a really nice moment in the investigation.

34:47

3 a.m., very tired. I think we'd all worked for about 15

34:49

or 20 hours by that stage, but

34:52

we got what we needed.

34:54

The investigators were able to track Hannah's

34:56

communications with other members of the syndicate.

34:59

Information such as this helped them

35:01

see how these alliances worked.

35:04

It was interesting to see that Hannah

35:08

appeared to meet some of these co-conspirators

35:11

through forums and

35:13

also through the dark web marketplace

35:16

that she was operating. So Hannah

35:18

was not only involved in assisting

35:21

with the

35:22

defrauding of people's share portfolios

35:25

and superannuation funds, but also in dealing

35:27

in identification information on the dark web.

35:30

So how that works is

35:32

other persons who are interested in

35:35

buying identification information

35:37

and then using that to help facilitate

35:39

frauds and those types of offending, they'll

35:42

go onto the dark web and source that information

35:44

and pay for it. She's then connected

35:46

with other persons who are interested and also

35:48

involved in operating on the dark web. And

35:51

then through the forums, they then connect

35:54

and source different

35:56

skillsets, which can help them commit

35:59

the crime. So one

36:01

example of that would be at

36:03

some particular point they decided

36:06

they wanted to make a website that

36:08

basically looked identical

36:10

to the real website

36:13

of a superannuation fund.

36:15

And they recruited into the syndicate

36:18

a person who had that skillset to design

36:20

a website that basically looked identical

36:23

to the website. They then

36:26

obviously were in control of that website and

36:28

then every member who

36:30

was tricked and went to that

36:32

website, they put in their login

36:34

details and member information,

36:37

password,

36:38

and the criminal syndicate then harvest

36:41

a large database of that information

36:43

which they then used to

36:45

access that person's member

36:48

account

36:49

through the legitimate website. So

36:51

yes, at different points they were reaching out and

36:53

connecting with different members who could

36:55

assist them in different aspects

36:58

of it. Another aspect would be

37:00

the laundering of the money that they've stolen. They

37:02

generally needed to get that out of a bank account

37:04

that was held in Australia

37:07

and then they would launder the money overseas,

37:09

say in Hong Kong,

37:11

and they'd use somebody over there

37:14

post bank account information

37:16

over to them and then they would then go

37:18

and remove the money from the accounts

37:21

using debit cards and buying

37:23

large items or expensive jewellery.

37:26

It was interesting from that perspective because

37:29

these syndicate members may not

37:31

have ever met each other and probably didn't

37:34

necessarily know what each other looked

37:36

like or their real name. They all had a different

37:38

alias, such as Binge of Bob,

37:41

H, Money Monkey, that's just

37:43

to name a few, but they all had these different

37:45

names

37:46

and they operated like that. I guess it helped

37:48

them avoid

37:50

being easily detected by law enforcement.

37:53

After the arrest of Hannah and the examination

37:56

of her devices and home, the investigators

37:58

of Operation Birks had to...

37:59

the case together for court.

38:02

One of the more complex jobs was to

38:04

piece together just how much she and her

38:06

syndicate had stolen. The

38:08

amount of money, it's hard to

38:11

be absolutely certain because we

38:14

were mainly focused on pulling

38:16

a brief together against Hannah, so

38:18

we're mainly looking in the offending relation to that.

38:21

But

38:22

certainly a lot, so they don't just do

38:24

share sale frauds and superannuation, they're also

38:27

committing frauds on people's credit cards,

38:29

potentially taking out loans in

38:32

people's names without them knowing.

38:34

So there was a lot of offending but we had to

38:37

really scope it in so we could get

38:39

an outcome in relation to Hannah. Look,

38:41

you're talking into tens of

38:43

millions of dollars

38:44

of money that would have been targeted,

38:47

they don't get away with all of that because

38:50

some of that gets stopped by the banks

38:52

if it's identified as a suspicious transaction

38:55

or if say the victim rings up and says put

38:58

a hold on the money

38:59

or if one of the

39:02

share registry superannuation companies

39:04

uses some of their cyber resilience

39:07

type of software there to identify

39:10

that the money that they're

39:12

trying to transfer out of superannuation

39:14

is suspicious and they'll put a stop to that and make

39:16

further inquiries.

39:18

Even though Hannah was arrested after she

39:20

returned to Australia, she was released

39:23

while the investigators put their case together

39:25

using the huge amounts of data they found

39:28

in her devices.

39:29

Hannah was arrested at the time but

39:32

we had no reason to keep her in custody,

39:34

it wouldn't have been fair to her and it would have

39:36

meant that the clock starts ticking and we

39:38

have about six weeks to go

39:40

through terabytes of information which

39:43

plainly we couldn't do. We had to make inquiries

39:45

with all the super funds, we had dozens

39:48

and dozens of victims, we had to get

39:50

statements and we couldn't have done that in six weeks.

39:53

So Hannah was released from

39:55

custody that evening, we were very confident

39:57

that she wasn't going to travel anywhere.

39:59

use their powers to

40:01

ensure that her passport could not be used

40:03

to travel.

40:04

And we had to hold off. We had to get

40:06

the brief of evidence done,

40:09

but we couldn't get through terabytes. So Hannah

40:11

was released

40:12

and we went about collecting

40:14

all the evidence and going through terabytes of data,

40:17

which we duly did. So I think Hannah

40:19

was arrested in April 2019 and

40:23

we had enough of the brief prepared

40:26

by about September. So at that

40:28

point, we went back and arrested

40:30

her and took DNA evidence and

40:33

charged her with the offences and served

40:35

the brief on the defence.

40:37

The

40:38

thing that really got us was initially

40:40

we were dealing with one superannuation

40:43

provider

40:44

and also one share trading platform. Once

40:46

we went in the door, we realised that this wasn't

40:49

just one superannuation company. It was

40:51

about half a dozen.

40:53

And we realised the magnitude and the scale

40:55

of this offending. And once superannuation

40:57

company detected the offending and put the

41:00

roadblocks down, they just pivot

41:02

to another superannuation fund or share trading

41:04

fund.

41:05

The case went to trial and in the face

41:08

of overwhelming evidence against her, Hannah

41:10

pleaded guilty to three charges, conspiring

41:14

to defraud superannuation funds, conspiring

41:17

to defraud share trading funds and

41:19

conspiracy to deal in proceeds of

41:21

crime to the value of more than $1 million. In

41:25

December 2022, she was

41:28

sentenced to five years and six

41:30

months imprisonment with a non-parole

41:32

period of four years.

41:34

Shame of it is that

41:36

Hannah was pretty bright.

41:38

She was pretty articulate. She was quite

41:40

motivated. She took the initiative.

41:43

If she'd gone into the private sector, she'd

41:45

have made more money in a couple of years than

41:47

she could make from these scams.

41:49

But now she's in jail.

41:51

Despite the amount of money stolen

41:53

by the syndicate, because it was shared

41:55

out, Hannah did not grow rich

41:57

from her crimes.

41:59

was working this almost like

42:02

a full-time job, and the amount of

42:04

money that she earned from this

42:06

was, in all account,

42:08

not that significant, considering the risk,

42:11

and I don't really think she weighed up

42:14

the consequences and risk of

42:16

getting involved. It was a slippery slope,

42:18

and she became more and more

42:20

involved to a point where she became

42:22

a key player, and ultimately,

42:25

that was illustrated in court, and

42:28

she ended up with a significant

42:30

term of imprisonment. I guess

42:33

if it wasn't for the mitigating

42:35

circumstances that were taken into

42:37

account, then she would have ended

42:39

up

42:40

in jail for an even longer period of

42:42

time.

42:43

Natasha from AUSTRAC says that, wherever

42:46

there are large sums of money, scammers

42:48

will target it.

42:50

What we tend to see is that,

42:52

wherever there is money that is available,

42:55

for example, the large amount

42:57

of money that's contained within our superannuation

43:00

funds, approximately $3.1 trillion,

43:04

wherever these funds are available, that

43:06

is where the scammers will start to target.

43:09

Given that Operation Birks uncovered

43:11

a syndicate opening false bank accounts

43:14

in order to siphon money out of legitimate

43:16

superannuation funds, AUSTRAC

43:19

was able to pass that intel on to the finance

43:21

community.

43:23

When a customer changes their address,

43:25

phone number and email address, it

43:27

should be a red flag.

43:30

If you think about your own personal

43:32

bank accounts, it's rare that

43:34

you would change your phone number, your

43:37

email, your address, even

43:39

your title or part of your name all

43:41

at once. If you are moving,

43:43

you would generally only change or update

43:46

your address details, and everything else would

43:48

tend to stay the same. If you change

43:50

your phone number, everything else would stay

43:52

the same except for that phone number. So

43:55

if there is a customer that has opened

43:57

up an account or even multiple accounts,

44:00

in a short period of time and then

44:03

at the same time updated

44:05

their address, their

44:08

phone number, their email address

44:10

and even removed a previous

44:13

phone number or previous device that's

44:15

connected to their online account that

44:18

could potentially point

44:20

to identification takeover.

44:22

The investigators in Operation Birks

44:25

found the financial institutions were

44:27

more than willing to accept their advice.

44:30

No finance provider,

44:32

no financial institution wants

44:35

their customers to be scammed. I think

44:37

everybody is doing their best to protect

44:40

their customers and so if there

44:42

is any way of ensuring that

44:44

that doesn't happen then generally

44:46

we find that yes those

44:49

that we work with, the different financial institutions,

44:51

the different banks, they are certainly

44:54

willing to do what they can to protect

44:56

customers and to protect their customers'

44:58

money.

44:59

As with so many of the cases we have

45:01

covered in season two of Crime Interrupted,

45:04

it is the combined powers of a number of different

45:06

agencies that allow the AFP to successfully

45:09

target and prosecute those who

45:11

commit crimes.

45:13

The AFP or AUSTRAC or ASIC,

45:16

they each have access to different

45:18

types of information.

45:20

They've each got different remits in

45:22

terms of their purpose and so

45:24

it's sharing all of that information

45:27

together that allows you to

45:29

really see the extent of

45:31

a crime or a problem that is

45:33

occurring. Sometimes from

45:35

AUSTRAC's perspective you can only see

45:37

a portion of that crime but by

45:40

sharing all of our information together it provides

45:43

you with a clearer picture.

45:46

While some people dabble with the dark net

45:48

for fun, the minute they cross the

45:51

line, Operation Birks is a

45:53

good reminder that Australian law enforcement

45:55

has a powerful team behind it.

45:58

It's one thing to get out.

45:59

access and to be mischievous and

46:02

use the skills that you have to

46:04

test yourself. It's quite another to

46:06

use those skills to steal from other

46:08

people.

46:09

And that's where it really kicks up another notch.

46:11

And that's what happened in this case. That's when

46:13

it's taken very seriously. That's

46:15

where you have resources like the AFP,

46:18

ASIC, the cybersecurity center and

46:20

Border Force pooling resources

46:23

to go after you.

46:25

What we've shown is that

46:27

even with an extremely complicated,

46:30

sophisticated, organized crime

46:32

syndicate and the way they operated

46:35

from different areas of the globe

46:37

hiding under technology

46:40

and a lot of fake accounts, it

46:42

can be thoroughly investigated

46:45

and ultimately we can identify the people

46:48

and hold them to account. So they

46:50

think that they can hide out there and

46:52

target Australia

46:53

or particular areas

46:56

of the Australian industry. Then they need

46:58

to know that we can get to the bottom of it. We

47:00

do have the capability

47:02

and working with our partner agencies. We

47:04

can ultimately

47:05

put briefs together and put people before the court,

47:08

successfully prosecute them.

47:10

We've got law enforcement and intelligence

47:12

agencies working together with

47:15

the financial sector and the superannuation

47:18

sector to protect customers, to

47:20

protect customers' money. All

47:22

in all, it's the government's key

47:24

priority to protect our community.

47:27

Jim has a final word for anyone

47:30

with the skills demonstrated by the offenders

47:32

in Operation Birks.

47:34

So highly sought. We

47:37

can't get enough people to help

47:39

us with these investigations.

47:41

Yeah, you could go down the path of the dark net.

47:43

Reality is you're going to get caught.

47:46

But if you use your skills to become a

47:48

penetration tester

47:49

or work with authorities or the banks

47:52

or whatever, you're going to make a lot more money.

47:54

You're going to have a far easier life and

47:57

it's going to be really rewarding. I

47:59

love what I do.

47:59

And there's no reason why

48:02

people

48:02

with those technical skills couldn't

48:04

land in a job where

48:06

they're targeting hackers to

48:08

prevent this sort of thing. That's the flip

48:10

side. That's what you could be doing.

48:16

Since Operation Birks, the AFP,

48:19

ASIC and AUSTRAC have continued

48:21

their work with the financial sector to

48:23

strengthen their cybersecurity and

48:26

ability to detect and disrupt scams

48:28

targeting their customers. If

48:31

you are interested in learning more about how

48:33

the AFP works to protect Australians

48:35

against cybercrime and fraud, and

48:37

how Jim, Scott and Natasha investigated

48:40

this case, visit afp.gov.au.

48:44

The AFP

48:47

is all about protecting Australians and

48:49

Australia's way of life. Stay

48:52

tuned for the final instalment of this

48:54

season of Crime Interrupted as we

48:56

take you behind the scenes of an international

48:59

drug smuggling syndicate.
