Episode Transcript
0:02
The Australian Federal Police, or
0:04
AFP for short, is Australia's
0:06
national policing agency. Its
0:08
aim? To outsmart serious crime
0:11
with intelligent action. Officers
0:13
from the AFP work with local, national
0:16
and international agencies to combat
0:18
serious criminal threats. Their
0:21
work includes counter-terrorism, serious
0:23
organised crime, human trafficking,
0:26
cybercrime, fraud and
0:28
child exploitation. The
0:31
AFP exists to disrupt major
0:33
criminal operations. In
0:35
2020-21, they did that over 400 times. They
0:41
seized 38 tonnes of illicit
0:43
drugs and precursors and assisted
0:45
overseas police services in seizing 19
0:47
tonnes of drugs. The
0:50
AFP charged 235 people
0:52
with child exploitation and
0:55
charged 25 people following
0:57
terrorism investigations. The
1:00
Australian Federal Police is opening its
1:02
doors to give you a glimpse of how their
1:04
officers investigate the most serious
1:06
of crimes and stay one step ahead
1:09
to keep Australia safe.
1:21
The Australian Federal Police Department is now in the middle of a serious crime.
1:31
In recent times, Australia has
1:33
had a number of well-publicised security
1:35
breaches in big companies that hold a vast
1:38
amount of personal information. Operation
1:41
Burks provides insights into how
1:43
cybercriminals can use data from such
1:46
breaches to steal millions of dollars
1:48
from unsuspecting victims and how
1:50
the AFP can catch them.
1:53
Jim is a Detective Leading Senior Constable
1:56
with Cybercrime Operations at the
1:58
AFP. Before
2:00
cybercrime, Jim worked in counter-terrorism,
2:03
and part of his job was to track down persons
2:06
of interest using tools that exploited
2:08
open-source intelligence. Doing
2:11
this work led to an interest in exploring
2:13
cybercrime, which was a challenge in
2:16
the time of VPNs, the darknet,
2:18
cryptocurrency, and virtual servers.
2:21
Law enforcement officers needed to keep a
2:24
step ahead in the virtual space. Despite
2:27
not having a background in this area, Jim
2:30
decided to move outside his comfort zone
2:32
and give cybercrime a try.
2:35
Working at cybercrime is really good in
2:37
the AFP because unlike security
2:39
agencies and people in the private sector,
2:42
at cybercrime we get to do the cybercrime
2:44
investigation, we then get to execute
2:46
warrants, debrief the offenders,
2:49
and actually get access to their devices. So
2:52
in that regard, it's really challenging
2:54
and a really good place to work if you're involved
2:57
in cyber.
2:58
Jim started in cybercrime in Canberra
3:00
in January 2019. One of his first jobs was a
3:03
referral
3:05
from Report Cyber.
3:08
Report Cyber, located at cyber.gov.au,
3:12
is the national cybercrime reporting
3:14
system run by the Australian Cybersecurity
3:17
Centre, ACSC, on
3:19
behalf of all Australian police.
3:22
Reports submitted through Report Cyber
3:25
are allocated to the Australian Police Force
3:27
with the jurisdiction and responsibility
3:29
for investigating them.
3:31
While the frauds investigated in Operation
3:34
Burks had been referred to state police,
3:37
it wasn't until an analyst at the AFP
3:39
examined them all together that a frightening
3:41
pattern emerged.
3:43
We received a referral regarding
3:46
a syndicate who were targeting money
3:48
held in superannuation funds and
3:51
this syndicate had stolen millions of dollars from
3:53
Australians in a relatively short
3:55
amount of time and it was obviously a
3:57
concern to us.
3:58
Now all of these crimes have been reported
4:01
to state police partners and the AFP
4:03
in isolation. But it wasn't until a
4:05
colleague from the AFP working at the cybersecurity
4:08
centre looked at them all together
4:10
and realised that this wasn't just isolated
4:12
incidents, he realised that it was actually
4:15
a serious organised crime syndicate who
4:17
was targeting superannuation and so
4:19
he escalated the matter and that's how it landed with
4:21
cyber investigations in Canberra.
4:24
Part of the reason for the early success
4:26
of the hacking syndicate was that banks
4:28
were not traditionally targeted in this
4:30
way.
4:31
Working out what they were doing was
4:33
really important. I think historically offenders
4:36
didn't target banks and they didn't target superannuation
4:39
companies because they were perceived to be
4:42
infallible, just too hard to get into. But
4:45
technology has changed and there's
4:47
a bit of insider knowledge and
4:50
there's a lot of trial and error and a lot
4:52
of tools out there that weren't available to
4:54
cyber criminals many years ago. So all
4:56
of a sudden people have started to try
4:58
and hack accounts and
5:01
take money from superannuation companies and
5:03
when they discover that formula, when they hit
5:05
on that formula,
5:06
that's basically opening the door to
5:09
offending. So the superannuation companies
5:12
were very keen to firstly have the offenders
5:14
arrested
5:15
and also to work out what their vulnerabilities
5:18
were so that they could patch those vulnerabilities,
5:20
which they did. Investigators
5:22
for Operation Burks needed to identify
5:24
how the offenders in this case acquired
5:27
the stolen personal identification information
5:29
that they used to access superannuation
5:32
accounts.
5:34
One common way is using IDs
5:36
stolen in large scale hacks. If
5:39
you have stolen identification
5:41
documents, you can set up an
5:43
online account within minutes. We've
5:46
heard about hacks and the fact
5:48
that a lot of data has been stolen
5:50
and a lot of personal information has been stolen.
5:52
This is how the criminals make money.
5:55
So they're using those documents, the
5:57
license numbers, the Medicare cards,
5:59
the
5:59
other documents that people have and
6:02
they're setting up fake bank accounts using
6:04
phones and fake email addresses.
6:07
The way this fraud worked was,
6:10
the offenders used the dark web to
6:12
buy stolen personal data, then
6:15
set up fake or mule accounts
6:17
in which to transfer people's superannuation.
6:21
Initially what they were doing is they were taking
6:23
that stolen personal identification information,
6:26
working out whether or not someone had a superannuation
6:29
account with a particular superannuation
6:32
fund. They would then make contact
6:35
with the superannuation fund either through
6:37
the chat function or through
6:38
phone calls and just
6:40
change some of the details like change the phone
6:42
number or change the email address. They
6:44
would then let that sit for a couple of weeks. They
6:47
would then use the stolen identification
6:49
information and put
6:52
through fraudulent claims
6:55
to have superannuation
6:57
deposited into a mule bank
6:59
account.
7:01
Sometimes the amounts of money going
7:03
into these mule accounts were significant.
7:06
They had to deposit the money into bank
7:08
accounts and that's what these mule accounts were
7:10
for. So they'd do fraudulent withdrawals
7:13
from a super account, in some cases $400,000 in a go,
7:17
and they would transfer that money into a mule account.
7:20
Once the money was in the mule account they'd send
7:23
a debit card offshore to a colleague in
7:25
Hong Kong
7:26
who would then buy electronics or jewellery
7:29
or gold bullion
7:30
and sell that and then return the
7:32
money or the funds back to Australia as cryptocurrency
7:35
that was much harder to trace.
7:38
It became obvious to the investigators
7:40
that the syndicate behind these thefts was
7:42
operating on the dark net. That
7:45
meant scammers from around the world
7:47
were connecting with each other but only
7:49
performing one component of the fraud.
7:57
computers.
8:01
In some cases, there would be people who actually
8:03
made calls to the superannuation funds.
8:06
These callers specialise in one
8:08
thing and they get a cut of the
8:10
amount of money.
8:11
And in many cases, the people
8:13
don't even know who they are. So they
8:16
agree to commit offences together
8:18
without knowing who else they're in bed with.
8:21
And as long as the people
8:23
get paid or pay the money and
8:25
get their fair share, they will continue to work
8:27
with those people.
8:29
So there are, for example, the person who
8:31
compromised many of the computers and set
8:33
up a phishing website was based in America.
8:37
It's timely to explain here what phishing
8:39
is. That's phishing with a ph.
8:42
Phishing is one of the evolutions in
8:45
this crime type. So initially, they
8:47
started off with a lot of personal identification
8:49
information that they'd acquired from
8:52
a company that had been compromised. That
8:54
company also had records of people's superannuation
8:57
accounts.
8:58
So they were able to get the personal identification
9:00
information and the details of the super accounts
9:02
from the one company. But as time
9:05
went on, they evolved. They got
9:07
more sophisticated. So what they
9:10
did was they set up a phishing website
9:12
where they basically copy
9:15
or mimic a legitimate website.
9:18
And when the user goes and looks
9:20
up that website and puts their username
9:23
and password in, that information
9:25
is stolen by
9:27
the offenders and automatically
9:30
the victim is diverted to the actual legitimate
9:32
website. So what that means is
9:34
that you go to a website you think is
9:36
legitimate that harvests your passwords
9:39
and then diverts through to the legitimate
9:41
website.
9:42
They can then get access to your superannuation
9:45
account.
9:46
Once they have that access, they can do things
9:48
like change the address, change
9:51
the email address, change the phone number and
9:53
that sort of thing. So that's how they used
9:55
a phishing site. And in this case, they
9:58
actually paid for their phishing
9:59
website
10:00
to be promoted so that when you did
10:03
a Google check on that particular superannuation
10:05
fund, the phishing website came up
10:08
before the legitimate website and that
10:10
was not detected at the time. So,
10:12
it was active for, I don't know, a month or so.
10:14
And in that month, they got dozens of
10:16
account credentials, which meant that they were
10:18
able to access people's accounts.
10:21
For the offenders, it was most desirous
10:23
to have people who had reached retirement
10:26
age because they could actually do
10:28
vast lump sum withdrawals of superannuation.
10:32
So that's what they were aiming for. And in many
10:34
cases, that's what they got.
10:36
The AFP often works in partnerships
10:39
with other agencies. Before
10:41
the superannuation fraud came onto the
10:43
AFP's radar, it had come onto
10:45
the radar at ASIC, where Scott
10:47
Bowie works as a lawyer.
10:50
The Australian Securities and Investment Commission
10:52
is referred to, in short, as ASIC. We
10:56
regulate the corporate sector
10:58
across Australia. So we're a Commonwealth agency
11:01
and we also regulate the financial
11:04
markets.
11:05
I'm attached to an area of that
11:07
referred to as markets enforcement. We're
11:10
mainly involved in the regulating
11:12
of the
11:13
financial market participants, looking
11:15
for misconduct and investigating it and
11:18
ensuring that the participants comply
11:20
with the Corporations Act.
11:22
The case that came across Scott's desk
11:24
at ASIC was not superannuation funds
11:27
fraud.
11:28
His case involved share trading.
11:31
Going back
11:33
to 2018, retail investors
11:36
were reporting misconduct
11:39
to ASIC through the system that
11:41
we have there. They were complaining
11:44
of having their share portfolios
11:47
stolen without their knowledge. With
11:50
these earlier cases, investors
11:52
reported their shares had been stolen,
11:54
then sold.
11:56
ASIC discovered the money had been transferred
11:59
into accounts set
11:59
up using stolen identification.
12:02
The sales were occurring through
12:05
large share brokers in
12:07
Australia
12:09
and that was mainly happening through
12:12
the use of
12:14
stolen identification information. So
12:17
the organised crime syndicates were
12:19
using the stolen identification
12:22
information such as driver's licence,
12:24
Medicare cards, all of that
12:26
information that you can obtain when you
12:29
hack a company
12:30
and steal their HR or payroll
12:32
database, that sort of information. They
12:34
were using that to set up bank accounts
12:37
with the stolen identification, then complete
12:41
forms with the brokerage
12:44
facilities to do
12:48
one-off sales of people's portfolios.
12:51
And that's how ASIC then got
12:54
involved because we started to obtain
12:56
this information from the brokers
12:58
and look at all of
13:00
that data.
13:02
Before ASIC and the AFP
13:04
realised they might be looking at the same
13:06
set of offenders, Jim at Cybercrime
13:08
was busy finding links between the superannuation
13:11
accounts that had experienced fraud.
13:14
He knew that even though the syndicate had
13:16
worked out how to steal money from superannuation
13:18
accounts around Australia
13:20
because of the nature of cybercrime, they
13:23
could be doing it from anywhere in the world.
13:26
One of the challenges with cybercrime
13:28
is that the offenders could be based anywhere in Australia
13:30
or anywhere in the world. In the era of VPNs
13:34
or virtual private networks, virtual private
13:36
servers, the offenders could and were
13:38
in fact in many countries in the world
13:40
and we had no idea. Because it's so
13:43
easy in cybercrime with cryptocurrency
13:45
and technology to hide your location, when
13:47
the referral came through to us, we actually didn't
13:50
know where the offenders were and that's why it was
13:52
referred to a team in Canberra as opposed to one
13:54
of the regional teams in Sydney, Melbourne, Perth
13:57
or Brisbane.
13:58
at the Australian
14:01
Cybersecurity Centre identified 35
14:03
accounts that had been targeted
14:05
at a major superannuation fund.
14:08
The investigator also identified a
14:10
number of bank accounts that had money transferred
14:13
into them from superannuation.
14:16
Some of the super funds' cyber security
14:18
had worked, so while the Syndicate
14:20
had attempted to steal $7 million, they
14:23
only ended up with $1.4 million
14:26
because the fund had strengthened their security
14:28
measures. A
14:29
colleague from the ACSC
14:32
approached me and said, look, we've identified
14:35
that it's not one offender and
14:37
a couple of accounts, it's actually 35 accounts
14:40
that they've tried to hack and they've been successful
14:42
in a very short time in getting $1.4 million.
14:46
This is not one person, this is an organised
14:48
Syndicate.
14:49
We have to look into this. My
14:51
colleague did some really good work
14:53
in identifying that it was the same people.
14:56
The methodology was the same, they
14:58
were using the same IP address. In
15:00
many cases, they used the same fake
15:03
bank accounts
15:04
and they also used JP stamps or Justice
15:06
of the Peace stamps to falsify documents
15:09
that are then submitted to the superannuation
15:11
companies
15:12
to make fraudulent withdrawals.
15:15
He worked out that in fact it was the same
15:17
group of people, it wasn't just one or two
15:20
offenders who are being opportunistic,
15:23
this was organised and they knew what they were doing.
15:26
Justice of the Peace are used for the
15:28
certification of some documents.
15:31
The JP stamps, it seemed,
15:33
were easy to duplicate. And
15:36
this was necessary because in order
15:38
to move money out of the superannuation
15:40
accounts, the Syndicate needed to
15:42
set up accounts in the same names
15:44
as the original accounts to avoid
15:47
too much scrutiny.
15:48
It was virtually unheard of that people would
15:51
actually be so audacious as to do
15:53
this, so the superannuation
15:55
funds weren't really on high alert and
15:57
looking for this. So quite often, the
15:59
offenders were able to change the
16:02
email address, the phone number
16:04
and the account details and in some
16:06
cases the date of birth on the superannuation
16:09
account. I had to submit paperwork
16:11
to do this and they would use fake
16:14
JP stamps.
16:15
When the offenders set up fake bank
16:17
accounts using stolen data, they also
16:20
needed two other components. Firstly,
16:22
a fake account needs
16:24
a postal address. And secondly,
16:27
with two-factor identification which is
16:29
now widely used, they needed
16:32
phone numbers for each account. With
16:35
such large-scale fraud, that meant
16:37
the offenders needed a lot of SIM cards
16:39
which they could use in burner phones. Even
16:43
though these fraudulent accounts were linked to
16:45
post office boxes rather than residential
16:47
addresses, this gave the investigators
16:50
a starting point.
16:51
Scott from ASIC explains.
16:54
We had analysts and investigators
16:57
combing through that information, looking at
16:59
the addresses listed, the post
17:01
office boxes, the phone
17:04
numbers provided on the forms.
17:08
And there was a lot of information there. From
17:10
that, we then identified that there
17:12
was clusters of offending going on
17:14
here. Ultimately, there was more than
17:17
one criminal syndicate that was active
17:19
and it led us to make some inquiries
17:22
with the pharmacist
17:24
based in Sydney. And when we made those inquiries,
17:26
clearly that
17:27
pharmacists had their identification used
17:30
to facilitate the crime, so it
17:32
wasn't actually them. It then
17:34
led
17:35
ASIC to make
17:38
inquiries with a
17:40
person of interest based in Victoria.
17:44
After the AFP and ASIC teamed up
17:46
to investigate both the share trading fraud
17:49
and the theft from superannuation accounts,
17:51
they got in touch with the Australian Transaction
17:54
Reports and Analysis Centre, AUSTRAC.
17:57
Natasha from AUSTRAC explains exactly
18:00
what they do.
18:01
AUSTRAC, we serve a dual role.
18:04
We're a financial intelligence regulator.
18:07
And so what that means is we regulate
18:10
the financial sector and require
18:13
them to submit certain types of
18:15
financial transaction reports. And
18:18
we are also a financial intelligence
18:21
unit. And so we take those
18:24
transaction reports and we
18:26
analyse those for intelligence
18:28
purposes. So what
18:30
that means is that everyday
18:33
transactions can shed a lot of valuable
18:36
insights into why somebody
18:38
might be moving money or how
18:40
they might be involved in something
18:43
that is either unusual, suspicious
18:46
or part of a crime.
18:48
The analysis of financial transactions
18:50
is a critical part of any investigation,
18:53
revealing who the offenders might be
18:55
and where they are.
18:57
The AFP and ASIC undertook
19:00
the investigation and
19:03
had a look at some of the finances,
19:05
what went wrong and how
19:08
some of the funds involving the superannuation
19:10
funds and share funds were
19:13
moved from one account to another. And
19:16
so they approached AUSTRAC
19:18
at that point for some assistance
19:20
with working with some of the financial institutions.
19:23
And so what AUSTRAC
19:26
did at that time was
19:28
really drill down into
19:31
step-by-step what happened in
19:33
terms of how these
19:36
criminal groups manage to gain
19:38
access to customers'
19:40
identification details, how
19:43
the criminal groups manage to create
19:46
different types of accounts, whether it be bank
19:48
accounts or superannuation
19:50
accounts, and then how they manage
19:53
to remove the
19:55
customer's funds from those
19:57
accounts and then move them offshore.
20:00
Superannuation funds are designed not
20:02
to be accessed until retirement age.
20:06
Jim explains how the scammers
20:08
got around this. Once
20:10
these people realised that they had access
20:12
to super funds with large sums of money
20:14
in them,
20:15
but the people weren't over the age of 60,
20:18
they had to work out a way around
20:20
that. So what they did was they used the stolen
20:22
personal identification information
20:25
and set up a second super fund.
20:27
So for example, if you're with Superfund A, which
20:30
records your date of birth as being born in 1975,
20:33
you
20:35
might go to Superfund B and set
20:37
up a super fund using the stolen
20:40
identification documents that have been altered
20:42
so that it appears that you're born in 1955. And
20:46
so you transfer your super funds from fund
20:49
A to fund B, and
20:51
that means you can then withdraw from fund
20:53
B, and that's something that they were doing. So it was
20:55
quite complex. A lot of trial and error,
20:58
and once they land on a formula that
21:00
works, they exploit it.
21:02
One of the reasons this method was really
21:04
successful in the beginning was because super
21:06
funds had never seen anything this audacious.
21:10
Historically, their security protocols
21:12
had worked, but with the evolution
21:15
of cybercrime, they quickly realised
21:17
that they had to improve their cyber security.
21:20
Bear in mind that this was five years ago and
21:23
the superannuation accounts had never had
21:25
fraud like this. Thankfully, the super
21:27
funds are very reactive and responsive
21:29
and take this very seriously. So they've now
21:32
beefed up security. So this is much harder.
21:35
As soon as the fraud was identified, AUSTRAC
21:38
helped the financial sector understand
21:40
the patterns of offending.
21:42
The AFP undertook all the investigation
21:45
and they then approached AUSTRAC
21:47
with, these are our findings. These are
21:49
the patterns or the consistencies that
21:52
we've noted among these cases.
21:55
And so it was those patterns that
21:58
AUSTRAC compiled
21:59
and then shared with the broader superannuation
22:02
sector so that they were then able to
22:05
look out for similar patterns. So if
22:07
all of a sudden they were starting to receive
22:09
an update of identification
22:12
information, particularly relating to
22:14
dates of birth, where a JP
22:17
had signed off on that change, then
22:20
that would be considered a red flag or
22:22
something that would generate
22:24
further questions or enhanced customer
22:27
due diligence checks to be undertaken.
22:30
Working with the financial sector to reduce
22:32
vulnerability was a pressing need, but
22:35
finding those responsible was also
22:37
a top priority. With burner
22:39
phones and post office boxes, there
22:42
was a lot of information that could lead investigators
22:44
to the culprits.
22:46
At ASIC, Scott found
22:48
that one bank account was being used to
22:50
finance a number of burner phones.
22:53
That bank account was used to recharge
22:56
burner phones because
22:58
this syndicate was very good
23:00
at hiding under layers of identification
23:03
fraud. They used identification to set everything
23:05
up, so nothing was in their real name.
23:08
What we needed to do was do
23:10
a lot of analysis of banking
23:12
and telecommunications information, also
23:15
cryptocurrency transactions, to
23:18
try and find a lead which
23:20
would lead to the real world and
23:23
then identify a person of interest
23:25
that we could then look at a little closer.
23:29
So at that point, we managed
23:31
to find some banking accounts
23:33
that were of particular interest which had recharged
23:36
some of these burner phones.
23:37
The burner phones had been used
23:40
on the application forms to commit
23:42
these offences.
23:43
While this particular offender was generally
23:46
careful using different SIM cards
23:48
for each account they were hacking, it
23:50
only took one mishap to lead investigators
23:53
at Operation Burks to her door.
23:55
The offender was using SIM
23:58
cards and I think they put 200 SIM cards through
24:00
a particular phone, and on one
24:02
occasion they had done some offending, but
24:04
then foolishly made a phone
24:07
call to a business that
24:09
would allow us to track them.
24:12
This is more common than you might think, and
24:14
we have even covered this in Season 1
24:16
of Crime Interrupted. The
24:18
most careful of criminals can occasionally
24:21
forget and use their burner phones
24:23
to order a takeaway. In
24:25
Season 1 it was a ham and pineapple
24:28
pizza.
24:29
In Operation Burks it was kebabs.
24:33
Scott explains how one order of kebabs
24:35
could bring down the house of cards.
24:38
We were then able to identify
24:41
some particular
24:43
calls of interest. One of those
24:45
was to a kebab
24:46
shop based
24:48
in Melbourne, and we
24:51
thought this could lead to us identifying
24:54
the real person who had called
24:56
up the shop to make an order
24:58
for some
24:59
kebabs, and the owner
25:02
of the kebab shop had written down on
25:04
a piece of paper the name of the person,
25:07
the address where it was to be delivered to, and
25:11
one of our investigators
25:14
followed up on that transaction, and
25:16
we then went down there and obtained that information,
25:19
and we got that person's name and address where the food
25:21
was delivered. So that then allowed us
25:23
to then make further inquiries, look
25:26
at the person at the address, identify
25:28
exactly who they were.
25:30
From that we did further telecommunications
25:33
analysis of more burner phones,
25:36
and what we found is
25:39
the phone
25:40
that that person was using in real
25:42
life, they had a phone that they were using for
25:44
their personal communications, and
25:47
that phone worked in lockstep
25:49
with
25:50
one of these burner phones that had been
25:52
used in some of the offending. That
25:55
then cemented our case theory
25:57
that it was this person who
25:59
was
25:59
the main suspect
26:01
in this offending.
26:03
It turned out that the Melbourne part of the syndicate
26:06
was a 21-year-old woman who we are
26:08
going to call
26:09
Hannah.
26:10
Investigators began monitoring her
26:12
closely.
26:14
What we then did is, through
26:17
further analysis, we found that
26:19
the person of interest was
26:22
then making calls through
26:24
a travel agency and was booking
26:26
a holiday overseas.
26:29
Once Hannah was identified, Jim
26:31
and his team at Operation Burks had to
26:33
find the best way of investigating her
26:35
and stopping her. In
26:37
the end, her overseas holiday
26:40
provided the perfect solution.
26:42
Well, there wasn't a great deal out there
26:45
regarding Hannah. We knew
26:47
that she lived in North Melbourne, but she had
26:49
no criminal record. She had some interesting
26:52
associates, but there was nothing that
26:54
indicated that she was involved in cybercrime.
26:57
Having said that, the information from
26:59
ASIC was very good, and that
27:02
led us to progress to the next stage of
27:04
the investigation, which was resolution. Now,
27:07
when that happened, we had a couple of options that we
27:09
needed to consider. The first is
27:11
to use what we call special projects, so using
27:14
technical solutions that we don't really
27:16
talk about. However, that is very resource-intensive
27:19
and quite often is very limited in
27:21
its value.
27:22
We thought about doing things like where we kept someone
27:25
under surveillance,
27:26
but we could be doing this for months before we actually
27:29
captured the evidence that we
27:31
needed to be able to prosecute. So
27:33
the third option was
27:34
a disruption option. We just damn the
27:36
torpedoes, we roll the dice, and we do
27:39
a search warrant and hope that
27:41
we find enough evidence when we
27:43
do the search warrant to be able to prosecute.
27:45
And that is a big risk, because if you go in
27:47
there and you don't find what you're after, the
27:50
case is blown, and it might lead
27:52
to you missing several other targets.
27:54
So it was a big decision that we had to
27:56
make as to how to proceed what the next step
27:59
was.
27:59
Fortunately for us, one of the analysts
28:02
from ASIC had identified
28:04
out of the blue that Hannah had gone offshore
28:06
and would be returning in three weeks.
28:08
Now that to me was a really good opportunity
28:11
to execute search warrants because
28:14
she would have her devices in
28:16
her possession at the time.
28:18
One of the challenges in cybercrime is attribution.
28:21
So you might have a computer or a phone
28:23
at a house, but it's open for the person
28:25
who lives at that house to say, hey, that's not mine.
28:27
That's my flatmate's or whatever. It's
28:29
much harder to deny that you are in
28:32
control of a phone or a computer
28:33
if it's found on your person.
28:36
So we made a decision to damn
28:38
the torpedoes. Worst case scenario,
28:41
it would be a great disruption and a great disincentive
28:43
to continue this offending.
28:45
We made a decision to proceed with
28:47
warrants when Hannah returned to the
28:49
country.
28:51
The golden opportunity to seize Hannah's
28:53
computer and phones was an example
28:55
of the good luck that sometimes comes
28:57
the investigators' way.
28:59
It's hard to deny that a phone and a computer
29:02
are yours when you're travelling with them in your
29:04
carry-on luggage.
29:07
Once the investigators at Operation Burks
29:09
found out the date Hannah was returning to
29:11
Australia, they enlisted the help
29:13
of their partners at Border Force.
29:16
As soon as we realised that Hannah was
29:18
returning to Melbourne, we spoke
29:21
to our partners at Border Force who were,
29:23
as usual, fantastic. They were able
29:25
to pull Hannah and her devices
29:28
and her luggage
29:29
into a small room and with our
29:31
colleagues from ASIC, we started
29:34
executing search warrants. So we were able to get access
29:37
to the devices, which was very
29:39
useful. Hannah spoke to a lawyer very
29:41
quickly who gave her advice not to
29:44
speak to the police and that was fine. We
29:46
had access to the devices and so
29:48
we were happy with that.
29:49
The stopping of Hannah as soon as she returned
29:52
to the country was the culmination of
29:54
a year's work for ASIC.
29:56
The AFP strategically
30:00
stopped Hannah
30:02
when she came back into Australia and that
30:04
worked
30:05
extremely well in this case. Some
30:08
of it I guess is good planning and strategy
30:10
and some of it it's a little bit of luck in
30:12
these cases but it all came together
30:14
quite nicely. So ASIC was also
30:17
present, we wanted
30:19
to do a search warrant at
30:21
Hannah's premises but
30:24
it was also extremely beneficial
30:27
if we could
30:28
obtain the devices that
30:30
Hannah was in possession of when she came
30:32
back into the country that would allow us to then
30:35
get hold of these devices which we hoped
30:37
had a lot of evidence on them.
30:40
After taking Hannah's devices for
30:42
examination the search of her home
30:44
began. When
30:46
the investigators first entered the house
30:49
it did not immediately look like the house
30:51
of someone steeped in cybercrime
30:53
activities.
30:54
When we walked into the house it was very neat
30:57
and initial inspection we didn't
30:59
find anything that would suggest that
31:02
this house was used for cybercrime. There
31:04
were no computers, there were no devices,
31:06
there was nothing other than what we actually found
31:09
on Hannah at the time of the warrants. However
31:13
when we walked in we noticed a couple of things.
31:15
The first was a big box of SIM cards,
31:18
hundreds and hundreds of Optus SIM cards
31:20
and many of those SIM cards had numbers
31:23
and names written on the labels.
31:26
So that was the first clue that we're on the money.
31:28
We also found on the desk a box of gloves.
31:31
So the gloves were used to prepare the
31:33
documents that were then sent to the
31:35
Superfunds to make the fraudulent
31:38
withdrawals and this was consistent with what
31:40
we knew because we had fingerprinted
31:42
and done DNA testing on the documents that had
31:44
been sent in
31:46
and they all had smudge marks and no fingerprints.
31:48
So that was consistent with gloves
31:51
being used to prepare the documents.
31:53
Something else that we found on the printer was
31:55
a withdrawal from a particular Superfund
31:58
for several hundred thousand dollars
32:00
in the name of Neil, and that was already
32:02
in train. So that was sitting on the printer,
32:04
and that is something that Hannah
32:07
had forgotten to take off the printer and dispose
32:09
of before she left.
32:11
It appears that she left in a rush, as we
32:13
all do when we go to the airport, and she sent
32:15
a text to a friend saying, look,
32:17
I really need you to do me a favor.
32:20
Can you empty the bins?
32:21
Well, the friend never got around to emptying the
32:23
bins by the time we went through the door.
32:26
And in the bins, we found loads
32:28
of documents that had been used
32:30
to defraud numerous superannuation
32:32
accounts. So much of the evidence
32:35
that we found, in fact, was in the bin.
32:37
And if that had been taken out on the
32:39
day, we never would have found it. So
32:41
that was a bit of a coup for us.
32:44
It also speaks to the fact that if we do search
32:46
warrants, we search everything, we take
32:48
everything to pieces. Absolutely
32:51
everything. And I think the searches took 20
32:54
hours on that occasion.
32:56
It is common for online scammers to
32:58
use encryption software to communicate with
33:00
each other.
33:01
And this is what the investigators found in
33:03
this case.
33:05
At the search warrant at the premises, it
33:07
was a
33:08
treasure trove of evidence for
33:10
us. Not only was there documentation
33:13
related to the offending inside the premises,
33:16
including
33:17
SIM cards, which were used in
33:19
burner phones, but there
33:21
was also some documentation which
33:24
had a fingerprint on it, which was in the rubbish
33:26
bin.
33:27
It certainly paid dividends to be thorough,
33:30
and the AFP did a thorough job
33:32
in conducting
33:34
the search and seizure at the premises.
33:36
We also had
33:38
the good fortune of digital
33:40
forensics, and they were
33:42
very experienced. So they
33:45
were then able to access
33:48
encrypted telecommunications between
33:50
syndicate members using,
33:53
like, the encrypted apps, such as Telegram.
33:56
There's a number of these different communication apps
33:58
out there, but in this case, Telegram, and
34:01
then download those communications,
34:03
which was extremely beneficial
34:05
for our case because ultimately we
34:08
ran a case of conspiracy. So
34:10
we needed to show the different roles the different
34:13
people were playing, the acts,
34:15
which contributed to the ultimate offense.
34:18
Hannah's devices turned out to be
34:20
a treasure trove.
34:22
We found a lot of stolen personal identification
34:24
information.
34:26
We found access to darknet marketplaces
34:28
that Hannah was using.
34:30
We found cryptocurrency accounts.
34:32
It was about 2 a.m. by the time we actually
34:35
managed to get access to all of those devices.
34:37
And I remember once we did get access and we
34:39
could see those Telegram accounts, the
34:41
darknet interactions, the cryptocurrency.
34:44
It was a really nice moment in the investigation.
34:47
3 a.m., very tired. I think we'd all worked for about 15
34:49
or 20 hours by that stage, but
34:52
we got what we needed.
34:54
The investigators were able to track Hannah's
34:56
communications with other members of the syndicate.
34:59
Information such as this helped them
35:01
see how these alliances worked.
35:04
It was interesting to see that Hannah
35:08
appeared to meet some of these co-conspirators
35:11
through forums and
35:13
also through the dark web marketplace
35:16
that she was operating. So Hannah
35:18
was not only involved in assisting
35:21
with the
35:22
defrauding of people's share portfolios
35:25
and superannuation funds, but also in dealing
35:27
in identification information on the dark web.
35:30
So how that works is
35:32
other persons who are interested in
35:35
buying identification information
35:37
and then using that to help facilitate
35:39
frauds and those types of offending, they'll
35:42
go onto the dark web and source that information
35:44
and pay for it. She's then connected
35:46
with other persons who are interested and also
35:48
involved in operating on the dark web. And
35:51
then through the forums, they then connect
35:54
and source different
35:56
skillsets, which can help them commit
35:59
the crime. So one
36:01
example of that would be at
36:03
some particular point they decided
36:06
they wanted to make a website that
36:08
basically looked identical
36:10
to the real website
36:13
of a superannuation fund.
36:15
And they recruited into the syndicate
36:18
a person who had that skillset to design
36:20
a website that basically looked identical
36:23
to the website. They then
36:26
obviously were in control of that website and
36:28
then every member who
36:30
was tricked and went to that
36:32
website, they put in their login
36:34
details and member information,
36:37
password,
36:38
and the criminal syndicate then harvest
36:41
a large database of that information
36:43
which they then used to
36:45
access that person's member
36:48
account
36:49
through the legitimate website. So
36:51
yes, at different points they were reaching out and
36:53
connecting with different members who could
36:55
assist them in different aspects
36:58
of it. Another aspect would be
37:00
the laundering of the money that they've stolen. They
37:02
generally needed to get that out of a bank account
37:04
that was held in Australia
37:07
and then they would launder the money overseas,
37:09
say in Hong Kong,
37:11
and they'd use somebody over there
37:14
post bank account information
37:16
over to them and then they would then go
37:18
and remove the money from the accounts
37:21
using debit cards and buying
37:23
large items or expensive jewellery.
37:26
It was interesting from that perspective because
37:29
these syndicate members may not
37:31
have ever met each other and probably didn't
37:34
necessarily know what each other looked
37:36
like or their real name. They all had a different
37:38
alias, such as Binge of Bob,
37:41
H, Money Monkey, that's just
37:43
to name a few, but they all had these different
37:45
names
37:46
and they operated like that. I guess it helped
37:48
them avoid
37:50
being easily detected by law enforcement.
37:53
After the arrest of Hannah and the examination
37:56
of her devices and home, the investigators
37:58
of Operation Burks had to...
37:59
the case together for court.
38:02
One of the more complex jobs was to
38:04
piece together just how much she and her
38:06
syndicate had stolen. The
38:08
amount of money, it's hard to
38:11
be absolutely certain because we
38:14
were mainly focused on pulling
38:16
a brief together against Hannah, so
38:18
we're mainly looking in the offending relation to that.
38:21
But
38:22
certainly a lot, so they don't just do
38:24
share sale frauds and superannuation, they're also
38:27
committing frauds on people's credit cards,
38:29
potentially taking out loans in
38:32
people's names without them knowing.
38:34
So there was a lot of offending but we had to
38:37
really scope it in so we could get
38:39
an outcome in relation to Hannah. Look,
38:41
you're talking into tens of
38:43
millions of dollars
38:44
of money that would have been targeted,
38:47
they don't get away with all of that because
38:50
some of that gets stopped by the banks
38:52
if it's identified as a suspicious transaction
38:55
or if say the victim rings up and says put
38:58
a hold on the money
38:59
or if one of the
39:02
share registry superannuation companies
39:04
uses some of their cyber resilience
39:07
type of software there to identify
39:10
that the money that they're
39:12
trying to transfer out of superannuation
39:14
is suspicious and they'll put a stop to that and make
39:16
further inquiries.
39:18
Even though Hannah was arrested after she
39:20
returned to Australia, she was released
39:23
while the investigators put their case together
39:25
using the huge amounts of data they found
39:28
in her devices.
39:29
Hannah was arrested at the time but
39:32
we had no reason to keep her in custody,
39:34
it wouldn't have been fair to her and it would have
39:36
meant that the clock starts ticking and we
39:38
have about six weeks to go
39:40
through terabytes of information which
39:43
plainly we couldn't do. We had to make inquiries
39:45
with all the super funds, we had dozens
39:48
and dozens of victims, we had to get
39:50
statements and we couldn't have done that in six weeks.
39:53
So Hannah was released from
39:55
custody that evening, we were very confident
39:57
that she wasn't going to travel anywhere.
39:59
use their powers to
40:01
ensure that her passport could not be used
40:03
to travel.
40:04
And we had to hold off. We had to get
40:06
the brief of evidence done,
40:09
but we couldn't get through terabytes. So Hannah
40:11
was released
40:12
and we went about collecting
40:14
all the evidence and going through terabytes of data,
40:17
which we duly did. So I think Hannah
40:19
was arrested in April 2019 and
40:23
we had enough of the brief prepared
40:26
by about September. So at that
40:28
point, we went back and arrested
40:30
her and took DNA evidence and
40:33
charged her with the offences and served
40:35
the brief on the defence.
40:37
The
40:38
thing that really got us was initially
40:40
we were dealing with one superannuation
40:43
provider
40:44
and also one share trading platform. Once
40:46
we went in the door, we realised that this wasn't
40:49
just one superannuation company. It was
40:51
about half a dozen.
40:53
And we realised the magnitude and the scale
40:55
of this offending. And once superannuation
40:57
company detected the offending and put the
41:00
roadblocks down, they just pivot
41:02
to another superannuation fund or share trading
41:04
fund.
41:05
The case went to trial and in the face
41:08
of overwhelming evidence against her, Hannah
41:10
pleaded guilty to three charges, conspiring
41:14
to defraud superannuation funds, conspiring
41:17
to defraud share trading funds and
41:19
conspiracy to deal in proceeds of
41:21
crime to the value of more than $1 million. In
41:25
December 2022, she was
41:28
sentenced to five years and six
41:30
months imprisonment with a non-parole
41:32
period of four years.
41:34
Shame of it is that
41:36
Hannah was pretty bright.
41:38
She was pretty articulate. She was quite
41:40
motivated. She took the initiative.
41:43
If she'd gone into the private sector, she'd
41:45
have made more money in a couple of years than
41:47
she could make from these scams.
41:49
But now she's in jail.
41:51
Despite the amount of money stolen
41:53
by the syndicate, because it was shared
41:55
out, Hannah did not grow rich
41:57
from her crimes.
41:59
was working this almost like
42:02
a full-time job, and the amount of
42:04
money that she earned from this
42:06
was, in all account,
42:08
not that significant, considering the risk,
42:11
and I don't really think she weighed up
42:14
the consequences and risk of
42:16
getting involved. It was a slippery slope,
42:18
and she became more and more
42:20
involved into a point where she became
42:22
a key player, and ultimately,
42:25
that was illustrated in court, and
42:28
she ended up with a significant
42:30
term of imprisonment. I guess
42:33
if it wasn't for the mitigating
42:35
circumstances that were taken into
42:37
account, then she would have ended
42:39
up
42:40
in jail for an even longer period of
42:42
time.
42:43
Natasha from Austrac says that, wherever
42:46
there are large sums of money, scammers
42:48
will target it.
42:50
What we tend to see is that,
42:52
wherever there is money that is available,
42:55
for example, the large amount
42:57
of money that's contained within our superannuation
43:00
funds, approximately $3.1 trillion,
43:04
wherever these funds are available, that
43:06
is where the scammers will start to target.
43:09
Given that Operation Burks uncovered
43:11
a syndicate opening false bank accounts
43:14
in order to siphon money out of legitimate
43:16
superannuation funds, Austrac
43:19
was able to pass that intel on to the finance
43:21
community.
43:23
When a customer changes their address,
43:25
phone number and email address, it
43:27
should be a red flag.
43:30
If you think about your own personal
43:32
bank accounts, it's rare that
43:34
you would change your phone number, your
43:37
email, your address, even
43:39
your title or part of your name all
43:41
at once. If you are moving,
43:43
you would generally only change or update
43:46
your address details, and everything else would
43:48
tend to stay the same. If you change
43:50
your phone number, everything else would stay
43:52
the same except for that phone number. So
43:55
if there is a customer that has opened
43:57
up an account or even multiple accounts,
44:00
in a short period of time and then
44:03
at the same time updated
44:05
their address, their
44:08
phone number, their email address
44:10
and even removed a previous
44:13
phone number or previous device that's
44:15
connected to their online account that
44:18
could potentially point
44:20
to identification takeover.
44:22
The investigators in Operation Burks
44:25
found the financial institutions were
44:27
more than willing to accept their advice.
44:30
No finance provider,
44:32
no financial institution wants
44:35
their customers to be scammed. I think
44:37
everybody is doing their best to protect
44:40
their customers and so if there
44:42
is any way of ensuring that
44:44
that doesn't happen then generally
44:46
we find that yes those
44:49
that we work with, the different financial institutions,
44:51
the different banks, they are certainly
44:54
willing to do what they can to protect
44:56
customers and to protect their customers
44:58
money.
44:59
As with so many of the cases we have
45:01
covered in season two of Crime Interrupted,
45:04
it is the combined powers of a number of different
45:06
agencies that allow the AFP to successfully
45:09
target and prosecute those who
45:11
commit crimes.
45:13
The AFP or Austrac or ASIC,
45:16
they each have access to different
45:18
types of information.
45:20
They've each got different remits in
45:22
terms of their purpose and so
45:24
it's sharing all of that information
45:27
together that allows you to
45:29
really see the extent of
45:31
a crime or a problem that is
45:33
occurring. Sometimes from
45:35
Austrac's perspective you can only see
45:37
a portion of that crime but by
45:40
sharing all of our information together it provides
45:43
you with a clearer picture.
45:46
While some people dabble with the dark net
45:48
for fun, the minute they cross the
45:51
line, Operation Burks is a
45:53
good reminder that Australian law enforcement
45:55
has a powerful team behind it.
45:58
It's one thing to get out.
45:59
access and to be mischievous and
46:02
use the skills that you have to
46:04
test yourself. It's quite another to
46:06
use those skills to steal from other
46:08
people.
46:09
And that's where it really kicks up another notch.
46:11
And that's what happened in this case. That's when
46:13
it's taken very seriously. That's
46:15
where you have resources like the AFP,
46:18
ASIC, the cybersecurity center and
46:20
Border Force pooling resources
46:23
to go after you.
46:25
What we've shown is that
46:27
even with an extremely complicated,
46:30
sophisticated, organized crime
46:32
syndicate and the way they operated
46:35
from different areas of the globe
46:37
hiding under technology
46:40
and a lot of fake accounts, it
46:42
can be thoroughly investigated
46:45
and ultimately we can identify the people
46:48
and hold them to account. So they
46:50
think that they can hide out there and
46:52
target Australia
46:53
or particular areas
46:56
of the Australian industry. Then they need
46:58
to know that we can get to the bottom of it. We
47:00
do have the capability
47:02
and working with our partner agencies. We
47:04
can ultimately
47:05
put briefs together and put people before the court,
47:08
successfully prosecute them.
47:10
We've got law enforcement and intelligence
47:12
agencies working together with
47:15
the financial sector and the superannuation
47:18
sector to protect customers, to
47:20
protect customers' money. All
47:22
in all, it's the government's key
47:24
priority to protect our community.
47:27
Jim has a final word for anyone
47:30
with the skills demonstrated by the offenders
47:32
in Operation Burks.
47:34
So highly sought. We
47:37
can't get enough people to help
47:39
us with these investigations.
47:41
Yeah, you could go down the path of the dark net.
47:43
Reality is you're going to get caught.
47:46
But if you use your skills to become a
47:48
penetration tester
47:49
or work with authorities or the banks
47:52
or whatever, you're going to make a lot more money.
47:54
You're going to have a far easier life and
47:57
it's going to be really rewarding. I
47:59
love what I
47:59
do and there's no reason why
48:02
people
48:02
with those technical skills couldn't
48:04
land in a job where
48:06
they're targeting hackers to
48:08
prevent this sort of thing. That's the flip
48:10
side. That's what you could be doing.
48:16
Since Operation Burks, the AFP,
48:19
ASIC and Austrac have continued
48:21
their work with the financial sector to
48:23
strengthen their cybersecurity and
48:26
ability to detect and disrupt scams
48:28
targeting their customers. If
48:31
you are interested in learning more about how
48:33
the AFP works to protect Australians
48:35
against cybercrime and fraud, and
48:37
how Jim, Scott and Natasha investigated
48:40
this case, visit afp.gov.au.
48:44
The AFP
48:47
is all about protecting Australians and
48:49
Australia's way of life. Stay
48:52
tuned for the final instalment of this
48:54
season of Crime Interrupted as we
48:56
take you behind the scenes of an international
48:59
drug smuggling syndicate.