Graham Butler – Chairman Bitek Group of Companies © 2016 Cyber-laundering: dirty money digitally laundered- Tackling the illegal trade in the Digital world Graham Butler Special Presentation to the Academy of European Law Budapest – March 2016 Co-funded by the Justice Programme of the European Union

Graham Butler – President and CEO Bitek © 2013 Tackling the illegal trade in the Digital world Supporting the Cyber-Security agenda  ERA (Academy of European Law) – Lisbon / Trier / Sofia / Brussels Address: Threats to Financial Systems – VoIP, lawful intercept, money laundering  CTO (Commonwealth Telecommunications Organisation) London Address: Working group on strategic development for  ITU High level Experts Group – Cybersecurity Agenda – Geneva (United Nations) Address: VoIP and P2P Security – Lawful Intercept  ENFSC (European Network Forensic and Security Conference) - Maastricht Address: Risks of P2P in Corporate Networks  CTITF (Counter Terrorism Implementation Taskforce) - Seattle Address: Terrorist use of encrypted VoIP/P2P protocols - Skype  Norwegian Police Investigation Section - Oslo Address: Next Generation Networks – VoIP Security (fixed and mobile networks)  IGF (Internet Governance Forum) – Sharm El Sheikh, Egypt Address: Threats to Carrier Revenues and Government Taxes – VoIP bypass  EastWest Institute Working Group on Cybercrime - Brussels / London Working Groups: Global Treaty on Cybersecurity / Combating Online Child Abuse  CANTO (Caribbean Association of National Telecoms Org) – Belize / Barbados Address: Reversing Declines in Telecommunications Revenue  ICLN (International Criminal Law Network) - The Hague Address: Cybercrime Threats to Financial Systems  CIRCAMP (Interpol / Europol) - Brussels Working Groups: Online Child Abuse – The Fight Against illegal Content 1

Graham Butler – President and CEO Bitek © 2013 The evolution of interception - circuit switched networks Tackling the illegal trade in the Digital world 2 4. Court issues interception warrant 3. Court application for LI warrant 1. Threat to National Security 2. Suspect identified 6. Operator sends LI data to agency 5. Agency provides warrant to Operator Time-Division Multiplexing (TDM) Traditional Circuit Switched Networks 2G / 3G / 4G / 5G TDM ‘numbered’ calls 2G / 3G / 4G / 5G TDM Interconnect Circuit Switch Court Order Lawful Interception

Graham Butler – President and CEO Bitek © VoIP Packets (Encrypted Services?) CLOUD A The World Wide Web CLOUD B National IP Network 2G / 3G / 4G TDM ‘numbered’ call SIM Bank PBX/VoIP Switch Media Gateway IP Gateway Inbound VoIP / OTT SERVICES Unlicensed / Bypass / Fraud Diversity and encryption creates a ‘safe haven’ for crime/terrorism A B WiFi, WiMax 3G, 4G VoIP/OTT app call WiFi, WiMax 3G, 4G VoIP/OTT app call SIM Bank PBX/VoIP Switch Media Gateway 2G / 3G / 4G TDM ‘numbered’ call Broadband Router VoIP/OTT app call (Gaming Console) VoIP/OTT app Broadband Router VoIP/OTT app call (Gaming Console) VoIP/OTT app Next Generation Traffic Challenges (ML) The evolution of interception - packet switched networks ?

Graham Butler – President and CEO Bitek © 2013 Diversity of Internet Activity (Intel) 4 Tackling the illegal trade in the Digital world

Graham Butler – President and CEO Bitek © 2013 Unlicensed SIP VoIP (RFC 3261 variants) 373 competitors aamranetworks.com, Abovenet Communications, Acess Kenya Group, ACN_DSL, Atlantic Broadband, Airtel Broadband, Akamai, ALGX, Amazon.com, AmazonHosting, Angel Drops, Aruba, ASKTel, ASTA Net, 24/7 Real Media ARTNET, AT&T U-verse, AT&T wireless, Bandcom, Beeline, Beam Telecom, Belgacom Skynet, BellCanada, Bell Mobility, BellSouth, BTS, Bharti Airtel, Bankstown-Clinical-School, BICS, Blast_Comms, Bluewin, Bouygues Telecom, Bright House Networks, Broadvoice, BSNL, BT Italia, Beyond The Network America, Cable 1, Cablecom, Cablevision, Cabel Digital Kabel TV, Cable and Wireless Americas Operations, CANTV services, Century Link, Checkbox, Charter Communications, China Telecom, China Mobile, China Telecom YunNan, China Telecom Jiangsu, China Telecom Sichuan, CJSC Ural Trans Telecom, Completel, Cameroon Telecommunications Ltd, China Tie Tong, CoLoSolutions, Cogent Communications, CommPeak (Amazon Hosted), Canaca.com, China Unicom, Claro Dominican Republic, Claro Peru, Clear Wireless, Comnet, CANL, Choopa, Connexions 4 London, Cogeco Cable, Compass, ComCast, Corgi Tech Ltd, Chunghwa telecom, Consejo Hondureno de Ciencie y Tecnologia, CTBC, Cybercon, CYTA HELLAS, nyc callcenter 1, Datacenter, Dedibox, Dial Telecom, Digital Networks CJSC, Distributel Communications, Dixivox, Deltathree, DIGI Ltd, Digicel Jamaica, Dooel Kavadarci, Donbass Electronic Communications Ltd, DNA Oy, DODO, DTS Ltd, E Networks, Econocall, Ecatel, Ecuador Telecoms, EdgeCast Networks, EGNET, Elion Enterprises GANDI, Eircom, Elisa OYJ Mobile, Emirates Telecom, Enterprise Networks, Entertainment Television, Eweka Internet Services, FibreNet, Fibernetica Corp, FLOW, Fonebee, FORTHnet, Freeport-McMoran, Free SAS, Gateway Communications, Galaxy Communications, Gestora de infraestructursa de telecomm, GetGeorgeMobile, GCA Telecom El Salvador, GCN/DCN Networks, GIO Moblie Ghana, Globalinx, Global Net Access, Global Village, Globe Telecom, googletalk, Godaddy.com, GoandCall, GoGent, Golden Lines Cable, Guandong Molile Communications, Hadara, Haiti Networking Group, Haiti Telecom, Hanaro Telecom, H3G Italy, Home Network Japan, Hong Kong Broadband Networks, Hotwire Communications, Hubei, Hurricane Electric, INDIT Hostings, Infracom Italia, Inphonex, Inei international, Internap Network Services, Icall, IDT Corporation, iweb, Incapsula.com, Inet Limited, Internetcalls/Freecall, Internet Development Company, IPCommunications, Lifeisbetteron, Iscon Internet, Isotropic Networks, Ispro Lietisum, IPTelligentLLC, ITIBITI.COM, Jazz Telecom, Joyent, JSC, JSC Kazakhtelecom, Kabel Deutschland, Kampung Communications, Karib Cable, KEKU (Amazon), Kimsufi.com, Korea Telecom, Krypt Technologies, KPN B>V>, Lankacom, Lbisat, Leaseweb BV, Level 3 Communication, Lexis-nexis, LgDacomCo, Libantelecom, Lightspeed_SBCglobal, Lightyear Network, Limelight Networks, Link Egypt, LG Powercom, LG Telecom, LLP Asket, LowRateVoIp, Mana S>A>, Magma, Maroc Telecom, Magyar Telecoms, LINODE, MobileOne, Mainehealth Medical Centre, Mauritius Telecom, Mediaserv, Mediaring network services, Mediacom Communications, Megapath, merkenmarketeers (BICS), MS Hotmail, Microsoft corporation, Microsoft Hosting, MIR Telematiki, M2 Telecomms Group, Microsoft Ltd, Microsoft Internet data center, MTNBusiness (telkom Hosted), Mobitel, Movistar, Multilink, Multiregional Transit Telecom, MWEB Connect, mycingilar.net, N Layer, Nec Biglobe, NC Nummericable, Netvision, Net2Wholesale, Net2Phone, Netzquadrat, NexG, Nexgen Networks, Nextgen tel, NetstreamTechnology, NetTalk, Netia SA, NOC4HOSTS, ntlworld, NTT&Verio, Nymgo, Net 1, OFFRATEL, Open Market, Onavo, Open Computer network, Oi Internet, Oi Velox, OVH SASOOREDOO, OVH Hosting, Orange Espania, Orange Dominica Power phone, Orange France, Orange Home UK, Orange Palastine Group, OJSC Kyrgyztelecom, OJSC Rostelom, OJSC MegaFon, Ortel Communications M/S, Pakistan Telecommunications Company, Palastine, Packet Exchange, Rackspace Pixius Communications, Primus, Paetec, Peer1, Pinger, Peru_S.a.c, PLDT (Philippine Long Distance Telephone), Republican Unitary Telecommunications, RCS & RDS Residential, RNADTA, Quadranet, Reflected Networks, Rodgers Cable, ROM Telecom, Rostelcom Kaluga, RCN, RSL COM Canada, R Cable y telecomuniciones Galicia ServerCentral, Samjung Data Service, SSDN Communications, sakura internet inc, SaudiNet, SFR, Sedel, SK Telecom, SKY Broadband, Singlehop, Smart Broadband, Softbank Telecom Corp, Softlayer, SoftlayerMGBlock, STS, SONATEL, Sprint, Speedclick, Splendor, Spectrmnet, Starnet, Starhub Internet, Subisu Cablenet (pvt ) Ltd, Switchspace, Syrian Telecommunications, TATA Communications, Telefonica USA, Telecommunications Company, Time Warner Cable, T Mobile, Telebec, Telkom Internet, Telstra Internet, Telecom Algeria, telenet N.V., Telio Holdings, Telefonica De Argentina, Telus Communications, TPG Internet Pty, TalkFree, Telenor, TeliaCarrier, Tikona Digital Networks Pvt, Telefonica De Espana, Telia Network Services, Telecom Internet, Telecom Services Trinidad & Tobago, Tiscali, Telecom Malaysia Berhad, Tricom, Talk4Free, Telgua, Telinta VoIP Company, Telefonica Moviles Panama, Tirpitz, Tim Celular S.A. Telecom Indonesia, TOT Public Company Limited, Turk Telecom, UK Rtelecom, Ubiquity Servers, UCOM, UPC AUSTRIA, UPC Polska, Vonage (Leaseweb.B.V), Voyager Internet Limited, Verat DOO, Verizon, Verizon Sweden, Vivacom, VideoTron, VDC, VIVO, VOO, Vosox, voxsun.net, ViVox, Vitelity, Virtustream, Vonage, VolumeDrive, Vaboomz, Voipms, Yahoo, VoX Communications, Voxee, Wave Internet Services, WebNX, Webair, WholeSale Internet, WindTelecom, Windstream Communications, XO_Communications, Xplornet Communications, YahooSIP, YOU Broadband, ZAMTEL, Ziggo, ZON TV cabo, ZSR-ZT Bratislava, 44Direct, 8 x offshore SIP operators (Haiti telecoms) Unlicensed competition causes false market rates (anti-competitive) Policy decision to remove fraudulent bypass services Create a regulatory environment where SIP operators are licensed SIP operators will pay the appropriate fees and taxes Fair market conditions will establish correct market rates What is the financial model behind each operator? Linked to ML? 5 Tackling the illegal trade in the Digital world

Graham Butler – President and CEO Bitek © 2013 The diversity of VoIP protocols and applications PROTOCOLS (6)APPLICATIONS (113) – Commercial VoIP Operators SIP (95) Astra, Asterisk (PBX), AIM Phone, AllfreeCalls.net, Broadvoice, BT-Yahoo, BuddyTalk, Calleasy, Chamaleon, Deltathree, Dialpad, Dialnow, Cheap calls to India, Cockatoo, Ding-a-Ling, Earthcaller, Ekiga (old GnomeMeeting), Expresstalk, Fonebee, Freeswitch, Fring, FreeCallPlanet, Free calls to Pakistan, Free VoIP International Calls, FWD.Communicator, Gizmocall, Gizmo Project (Gizmo5), Globalinx, GrandCentra, iCall, intervoip, iSkoot, Jajah, Jangl, Jaxtr, Justvoip, KCall, Kphone, Kutecom, Lingo VoIP, Linphone, LowrateVoip, Lycos, MagicJack, MediaRing, Minisip, Mobivox, MrTalk, MSN Messenger, Nettalk, Nonoh, ooVoo, OpenWengo, PacPhone, Packet8, Paltalk, Peerio, Pennytel, OpenSip, PhoneGaim, PhoneGnome, Sgoope, SightSpeed, SIP Communicator, SIP User Agent, SIPCLI, SipXphone, SJPhone, SMSDiscount, Switchspace, Talqer, TalkPlus, Teltub, Tringme,Truphone, Yaka, Yahoo, VD3Delta, Viber, Vivox, Vonage, Voncp, VoIP Buster, VoIP Cheap, Voipraider, Voipwise, VOX, Voixio, Windows Live Messenger, X- Lite, X-Pro-Vonage, Yate, 3XC, 8x8, 12voip H323NetMeeting, SJPhone, WebTalk, Open H323, CallGen323, Ekiga (old GnomeMeeting), Freeswitch, Yate TLSWhatsapp, Skype, SkypeIn, SkypeOut, Viber, ooVoo GoogleGoogle Talk Net2phoneNet2Phone IAXIAX Phone, Freeswitch, Yate, Kiax, Moziax OTHER VOIP PROTOCOLS (3) Megaco (H248), MGCP, Skinny (SCCP) PROTOCOLS (3) POP, SMTP, IMAP IM PROTOCOLS (10) OSCAR, AIM/ICQ, IRC, iChat, Mac OS X, MobileMe, SightSpeed, Skype, Yahoo! Messenger, XMPP/JABBER VOIP APPLICATIONSLARGEST VOIP SERVICES (Example: US to Caribbean) 6 Tackling the illegal trade in the Digital world

Graham Butler – President and CEO Bitek © 2013 Tackling the illegal trade in the Digital world PROTOCOLS (11)APPLICATIONS (85) IAXAstrix PBX, Freeswitch, Kiax, Moziax, Yate BitTorrent ABC, AllPeers, Bit Comet, BitLord, BitSpirit, BitTornado, Burst, Deluge, FlashGet, G3Torrent, Halite, Ktorrent, MLDonkey, Opera, QTorrent, rTorrent, TorrentFlux, Transmission, Tribler, Thunder, µTorrent Direct ConnectDirect Connect, SababaDC, DC++, BCDC++, ApexDC++, StrongDC++ AresAresGalaxy, Warez P2P, Filecroc eDonkeye eDonkey2000, aMule, eMule, eMulePlus, FlashGet, Hydranode, iMesh, Jubster, IMule, Lphant, MLDonkey, Morpheus, Pruna, xMule Gnutella Acquisition, BearShare, Cabos, FrostWire, Gnucleus, gtk-gnutella, iMesh, Kiwi Alpha, MLDonkey, Morpheus, Poisoned, Swapper, XoloX Gnutella2Gnucleus, iMesh, Kiwi Alpha, MLDonkey, Morpheus,TrustyFiles FastTrackgiFT, iMesh, Kazaa, Kceasy, Mammoth, MLDonkey, Poisoned NapsterNapigator, Napster ManolitoBlubster, Piolet OpenNAPLopster, Napster, WinLop, WinMX, Utatane, XNap 7 The diversity of P2P file transfer systems

Graham Butler – President and CEO Bitek © 2013 Diversity of social networks URLsSOCIAL NETWORK APPLICATIONS Social Websites (210) Many services encrypted 43 Things, Academia.edu, Advogato, aNobii, AsianAvenue, aSmallWorld, Athlinks, Audimated.com, Badoo, Bebo, BIGADDA, Biip.no, BlackPlanet, Blauk, Blogster, Bolt.com, Busuu, Buzznet, CafeMom, Cake, Financial, Care2, CaringBridge, Cellufun, Classmates.com, Cloob, CouchSurfing, CozyCot, Cross.tv, Crunchyroll, Cyworld, DailyBooth, DailyStrength, delicious, deviantART, Diaspora, Disaboom, Dol2day, DontStayIn, Draugiem.lv, douban, DXY.cn, Elftown, Elixio, Epernicus, Eons.com, Experience Project, Exploroo, Facebook, Faceparty, Faces.com, Fetlife, FilmAffinity, Filmow, FledgeWing, Flixster, Flickr, Focus.com, Fotki, Fotolog, Foursquare, Fuelmyblog, Friendica, Friends Reunited, Friendster, Frühstückstreff, Fubar, Gaia Online, GamerDNA, Gapyear.com, Gather.com, Gays.com, Geni.com, GetGlue, Gogoyoko, Goodreads, Goodwizz, Google+, GovLoop, Grono.net, Habbo, hi5, Hospitality Club, Hotlist, HR.com, Hub Culture, Hyves, Ibibo, Identi.ca, Indaba Music, IRC-Galleria, italki.com, Itsmy, iWiW, Jaiku, Kaixin001, Kiwibox, Lafango, LAGbook, LaiBhaari, Last.fm, LibraryThing, Lifeknot, LinkedIn, LinkExpats, Listography, LiveJournal, Livemocha, LunarStorm, Makeoutclub, MEETin, Meetup, Meettheboss, MillatFacebook, mixi, MocoSpace, MOG, MouthShut.com, Mubi (website), MyHeritage, MyLife, My Opera, Myspace, myYearbook, Nasza-klasa.pl, Netlog, Nettby, Nexopia, NGO Post, Ning, Odnoklassniki, OneClimate, OneWorldTV, Open Diary, Orkut, OUTeverywhere, Passportstamp, PatientsLikeMe, Partyflock, Pingsta, Pinterest, Plaxo, Playahead, PureVolume, Playfire, Playlist.com, Plurk, Qapacity, Quechup, Qzone, Raptr, Ravelry, Renren, ResearchGate, ReverbNation.com, Ryze, ScienceStage, ShareTheMusic, Shelfari, Sina Weibo, Skoob, Skyrock, Social Life, SocialVibe, Sonico.com, SoundCloud, Stickam, StudiVZ, Students Circle Network, StumbleUpon, Tagged, TalentTrove, Talkbiznow, Taltopia, Taringa!, TeachStreet, TermWiki, The Sphere, TravBuddy.com, Travellerspoint, tribe.net, Trombi.com, Tuenti, Twitter, Vkontakte, Vampirefreaks.com, Viadeo, Virb, Vox, Wakoopa, Wattpad, Wasabi, WAYN, WebBiographies, WeeWorld, Wellwer, WeOurFamily, Wepolls.com, Wer-kennt-wen, weRead, WiserEarth, Wooxie, WriteAPrisoner.com, Xanga, XING, Xt3, Yammer, Yelp, Inc. Zoo.gr, Zooppa APPLICATIONS (PSEUDONYM REGISTRATION) No ID Required (23) AIM Mail, BigString.com Service, Care2 , Facebook Messages, FastMail, Gawab.com, HotPOP, Inbox.com Service, iCloud Mail, Lavabit, Mail.com, GMX Mail, My Way Mail Service, MSN Hotmail, MyRealBox, Myspace Mail, Shortmail, Windows Live Hotmail, Yahoo! Mail, Zapak Mail, Zenbe Personal, IMAP, Zoho Mail 8 Tackling the illegal trade in the Digital world

Graham Butler – President and CEO Bitek © 2013 What is on your national IP network? Example - Viber Media “Call, text, and send photos to each other, worldwide - for free!” 350m downloads / 105m concurrent users / 550k sign ups each day. Viber client will not install unless the user allows access to their contacts list. Development centre located in Israel - hosting at Amazon Cloud / Akamai Cloud (US). Cloud hosting in liberal jurisdictions allows OTT services to bypass national policies. Consistent refusal to provide intercept data to courts and LEAs. Hiding and Trading - Fraud Over VoIP What OTT services are on your network?Are they lawful intercept compliant? 479 Cyber-currencies Crypto-currencies 268 VoIP/P2P/IM (Chat) 33 Real-Time Entertainment 105 Mobile Money Transfer Operators 584 Online Gambling Operators 73 Online Gaming Operators 210 Social Networks OTT Examples 9

Graham Butler – President and CEO Bitek © 2013 Forensic analysis of packet data 10 Hiding and Trading - Fraud Over VoIP Detailed records are individually searchable Actual IP address initiating the call/event Actual IP address receiving the call/event Actual Mac address initiating the call/event(Subject to Protocol*) Actual Mac address receiving the call/event * Actual telephone number initiating the call/event * Actual telephone number receiving the call/event * Actual address initiating the call/event * Actual address receiving the call/event * Time the call/event was initiated Time the call/event was disconnected Traffic statistics to identify signatures of SIM bank, Media Gateway and IBTs Geographic location of IP addresses/suspect can be produced in some cases through registries Selective filtering of VoIP traffic on a call-by-call basis. Allow ‘authorised’ and disconnect ‘un-authorised’ Additional Guardian module – URL control Stop access to inappropriate or offensive websites identified on approved blacklists (Interpol)

Graham Butler – President and CEO Bitek © 2013 Money laundering over VoIP Tackling the illegal trade in the Digital world VoIP Operator Criminal Network Customers VoIP Operator Criminal Network The Laundering Sequence: 1.Fraudsters set up as a VoIP operator 2.Service is typically hosted offshore in a liberal jurisdiction 3.Offshore shell companies hide ownership and accountability 4.Services such as calling cards can be purchased for cash 5.Criminal network can easily insert dirty cash into the system 6.The receiving operator can charge for bulk voice services 7.The authenticity of the services provided cannot be verified 8.VoIP calls running 24hrs a day offers limitless laundering 9.Cleaned cash lands in destinations – typically tax havens 10.Hidden model for funding organised crime and terrorism VoIP Service Agents Firewall Telecommunications Provider Firewall VoIP Services / Calling Cards VoIP Service Host Internet Firewall 11 Dirty Money Offshore Banks Shell Co’s (buffering)

Graham Butler – President and CEO Bitek © 2013 SIP Phone Traffic Pumping - toll fraud targeting VoIP switch and apps Traffic Pumping / International Revenue Sharing Fraud (IRSF) 1.Fraudsters hack into corporate PBX/softswitch resources 2.VoIP apps (multiple installs on devices) = multiple lines 3.Once access is gained the information is typically sold 4.Criminals set up offshore premium rate numbers and SMS 5.Attacks typically take place outside working hours 6.Huge bills can be run up in hours – unnoticed by victims 7.The carrier has provided a legitimate service 8.Corporate receives bill for $1000’s 9.Private user receives bill for $1000’s Case Study: VoIP calls were directed at premium rate $5 per min Fraud remained undetected for 6 hours = $1,800 per line 25 exploited VoIP numbers in 6 hours = $90,000 Toll fraud targeting VoIP PBX VoIP mobile apps 12 International Numbers Fraudsters Zombie Networks Internet Compromised Firewall Firewall Telecommunications Carrier Customer Offshore Bank Small $ amounts keeps below anti-laundering radar Premium SMS Premium Numbers SIP Phone Compromised OTT VoIP App Infected Mobile Device Tackling the illegal trade in the Digital world

Graham Butler – President and CEO Bitek © 2013 Traffic Pumping – exploiting Sipvicious to hack SIP Tackling the illegal trade in the Digital world Sipvicious “Friendly-Scanner” (not friendly at all) 1.Sipvicious is a mainstream auditing tool for VoIP systems. 2.Exploited by hackers to take control of VoIP servers for fraudulent purposes, such as traffic pumping (toll fraud). 3.A type of botnet which scans IP ranges for SIP servers such as softswitches and PBX which communicate via the 5060 port. 4.If it finds the port open, it attempts to brute force its way into the SIP server by testing sequential SIP account numbers with common usernames/passwords. 5.Typically downloaded through a Trojan (jps.exe) which connects to bot ‘command and control’ servers. 6.Sets User-Agent in the SIP requests to “friendly-scanner” or others. 13 Bitek monitoring of Sipvicious attacks Haiti 7th Feb to GMT (2 hours) 17.5m international inbound registration attempts to IPBBX using Sipvicious 1.0 Suspect User Agents sipvicious siparmyknife iWar sip-scan / sipsak sundayddr friendly-scanner friendly-request CSipSimple SIVuS Gulp / Sipv / Smap VaxIPUserAgent VaxSIPUserAgent

Graham Butler – President and CEO Bitek © 2013 VoIP Missing Trade Intra-Community VAT Fraud (MTIC) Tackling the illegal trade in the Digital world VoIP Operator Criminal Network Customers VoIP Operator Criminal Network VoIP Service Agents Firewall Telecommunications Provider Firewall VoIP Services / Calling Cards VoIP Service Host Internet Firewall 14 MTIC VAT fraud example - Italy: 1.MTIC is essentially the theft of VAT 2.Fraudsters set up as VoIP operators (buffered) 3.Involved companies in Italy, UK, US and Finland 4.EU cross-border B2B transaction is VAT neutral 5.Fraudsters collected VAT on the sale of domestic VoIP services 6.When the tax became due the companies had disappeared. 7.Cost the Italian economy €400m in non-payment of VAT 8.Connected to a scheme to launder €2 billion Complexity of case: Fraud committed in 2003–2007; 50 arrest warrants issued 2010; court hearings Europol: MTIC fraud costs the EU €100b a year or €270m a day Eurojust: Makes MTIC fraud a top priority for period MTIC uses the same model Shell Co’s (buffering) Dirty Money Offshore Banks VAT Paid VAT € Tax Demand

Graham Butler – President and CEO Bitek © 2013 Setting up a vishing scam using VoIP 1.Vishing is a phone call scam utilizing phishing, social media and VoIP 2.Fraudsters set up spoof companies and websites to support the scam 3.Cheap or free VoIP calls allow scammers to set up ‘call centre’ models 4.Anonymity of VoIP/P2P registration avoids LI detection and tracking 5.Stolen identity data provides enough information to sound genuine Large scale vishing scams over VoIP Typical Costs targeting US Citizens Per attack: $5000 to $30,000 Total per year: $100’s millions Scam ? CALL ID UNKNOWN Case Study - Banking 1.VoIP calls to landline numbers - fraudsters posing as bank officials 2.Vulnerable small business owners and the elderly are targeted “We have identified active fraudulent behaviour on your account” “To protect you, we need to transfer your balance into a holding account” “Please call the number on the back of your bank card to authorise” 3.The scammer who has not hung up plays a ‘dialing tone’ and a ‘ringing tone’ 4.A new scammer then appears to answer at the bank – the fraud is completed 15 Tackling the illegal trade in the Digital world

Graham Butler – President and CEO Bitek © As vulnerable consumers become more wary of scams they know not to answer calls identified with “Unknown” or “No Caller ID” 2.Fraudsters can now use a new VoIP services called bitphone to get around this problem by spoofing the caller ID. Any number can be used. 3.Low cost call $0.021 per minute + caller-ID spoofing at $ per call. 4.Payment through Bitcoin or other virtual currencies retains anonymity. 5.To help provide legal cover, bitphone includes the FCC’s caller-ID and spoofing guidelines in its T&C’s that each user must accept. 6.Using a public WiFi hotspot adds additional security buffering. Spoofing Caller ID – the evolution of cybercrime Tackling the illegal trade in the Digital world IRS Spoofing

Graham Butler – President and CEO Bitek © 2013 The global trade in identity theft information 17 Tackling the illegal trade in the Digital world The Times Feb 2016 – Online fraud costs Britain’s economy £27 billion per year 1m stolen bank details discovered for sale on Criminals trade with impunity on the internet - not the dark web. Sold for as little as £1.67 each Stolen Identities from 100,000 Britons Source: Symantec 2014 Report

Graham Butler – President and CEO Bitek © 2013 Spear-Phishing and ransom attacks 18 Next Generation Traffic Challenges (ML) Spear-Phishing bypasses spam filters 1.Spear-Phishing is an attack which hacks into our “trusted” or social media contacts lists. 2.Spam filters accept inbound s which appear to be from a work colleague, family or friend. 3.We are more likely to click on a link from a friend – unaware that it is malware. 4.More than 317 million new pieces of malware were created last year, nearly a million a day. 5.Crypto-ransom attacks, where the victim's files are encrypted and held hostage without warning, skyrocketed 4,000 percent. 6.Ransomware attacks grew 113 percent 7.70 percent of social media attacks rely on the initial victim to spread the threat to others. Source: Symantec 2014 Report

Graham Butler – President and CEO Bitek © 2013 Abra – the digital version of Hawala Tackling the illegal trade in the Digital world Money transfer without money movement 1.The Hawala model has been used for centuries for money transfer without physical money movement. 2.Hawaladars are people who collect and hand out funds on behalf of others over long distances, settling with each other via barter transactions. 3.In the US no one is allowed to hold or remit funds on behalf of someone else without being a licensed money transmitter. 4.As tellers are always holding their own money it is extremely difficult to identify or regulate these activities. 5.Abra is a Peer to Peer (P2P) smartphone app designed to bring Hawaladar into the digital age. A B (A) wants to transfer $1000 to (B) 1 2 Hawaladar (Tellers) “Trust” $1000 Reverse money transfers equalise the $ balance between Tellers Teller (1) now owes $1000 to Teller (2 ) 19

Graham Butler – President and CEO Bitek © 2013 Abra P2P service bypasses the regulated money transfer industry (virtual infrastructure = low fees) Abra P2P – bypasses the regulated money transfer market Tackling the illegal trade in the Digital world A B 1. Deposit (domestic) Deposit cash to the app through an Abra Teller - or add with your debit card. 3. Withdraw (domestic) Withdraw cash from the app via any Abra Teller. Users rate tellers on website (trust) Send (virtual transfer) Instantly send any amount of money directly from the app to anyone in the world. “Digital cash” transfers

Graham Butler – President and CEO Bitek © 2013 The Dark Web – the DIY cybercrime toolkit Tackling the illegal trade in the Digital world 21

Graham Butler – President and CEO Bitek © 2013 The Dark Web – the DIY financial toolkit Tackling the illegal trade in the Digital world 22

Graham Butler – President and CEO Bitek © 2013 Taliban Communications VoIP enabled handsets P2P Skype used widely Frustrates SIS / NATO intercept Microsoft purchase Skype in 2011 Microsoft LI patent granted 2012 Mumbai Terror Attack VoIP phones purchased in PK Calls via US provider Co-ordinated from Pakistan Lack of digital evidence frustrated LEA investigations The Dark Web - terrorist communications and funding ISIL Communications Edward Snowdon leaks 2013 Jihadi organizations become more informed about NSA techniques Dark web becomes the preferred communications tool VoIP system developed by Pakistan ISI distributed on dark web by ISIL Tackling the illegal trade in the Digital world

Graham Butler – President and CEO Bitek © 2013 Obama asks congress for $19 billion for Cybersecurity Tackling the illegal trade in the Digital world 24 Obama targets US Cybersecurity 1.$19 Billion includes $3.1 billion for technology modernization at various federal agencies. 2.Cyber threats are "among the most urgent dangers to America’s economic and national security,” 3.Launch Presidential Commission on Cybersecurity to strengthen US cyber-defences over the next decade. 4.Government’s cyber-defense system, known as Einstein, is “ineffective at combating hackers.” 5.Recent high-profile hacks include Office of Personnel Management, Sony Pictures and Target that were “largely met with legislative inaction” Norse cyber-attack data (15 minute sample) – represents a fraction of the total attacks on URLs

Graham Butler – President and CEO Bitek © 2013 The Internet – Cybercrime toolkit (not just the dark web) Tackling the illegal trade in the Digital world 25

Graham Butler – President and CEO Bitek © 2013 You know Sir, you can do this just as easily online! 26 Organized fraud, tax evasion, money laundering Hiding and Trading - Fraud Over VoIP

Graham Butler – Chairman Bitek Group of Companies © 2016 Thank you for your attention Graham Butler Co-funded by the Justice Programme of the European Union