June 03, 2026

00:46:45

Episode 370 Deep Dive: John Wojcik | The Silicon Valley of the Criminal Underworld

KBKAST

Show Notes

John Wojcik, Senior Threat Researcher, Infoblox:

Based in Bangkok, Thailand, John is a seasoned threat intelligence researcher who has spent his career following cybercriminal activity in the Southeast Asia region. Recently, his work at Infoblox has focused on pig butchering as a service, exposing sophisticated global money laundering, human trafficking and slave operations in Cambodia, Laos, Myanmar and the Philippines. John previously worked for the United Nations Office on Drugs and Crime, where he worked with local and international authorities on uncovering major cybercriminal activities in the region.


Episode Transcript

[00:00:00] John: Nobody expects that the person on the other side of the line is a victim of human trafficking who's threatened with, you know, being tased for a few days and left without food if they don't hit their quota.

[00:00:12] KB: From KBI Media, I'm Karissa Breen and this is KBKast. My guest today is John Wojcik, a Senior Threat Researcher at Infoblox Threat Intel who's spent seven years at the UN Office on Drugs and Crime. He argues the real industrial-scale threat isn't ransomware or nation states. It's the scam economy and it's now coming for enterprises, not just consumers. So what happens when the people running these scams start targeting a star to get to you? If you find these conversations useful, hit follow. It's the single best way to make sure the next one lands right into your feed and it helps other execs find the show. Let's dive in with John. So John, I really want to sort of start with the industry talks about ransomware and nation state attacks, but you're sort of arguing the real industrial, industrial scale threat is this scam economy. So I want to get into this a little bit more, hear your thoughts. Given your role, your background, your pedigree, why do you believe the industry still sort of underestimates this a lot?

[00:01:15] John: I think maybe give you a short answer a bit longer, I guess a little bit of background about myself too. I've been living and working in Southeast Asia for over eight years now. I've seen how things have evolved and I've seen how the gaps that have enabled tens, if not frankly, hundreds of billions of dollars in losses have grown exponentially against that kind of a backdrop. So within this context of cyber scams and sort of industrial scale cybercrime in the region, how that's shifted. This was initially a problem that was perceived by governments, enterprises and frankly anybody who cares about cyber as kind of a China against China problem.
The first criminal networks that entered this space were predominantly Chinese. It still remains the case. And they were targeting mainland Chinese nationals as well as Chinese companies. This was a Chinese issue. And so when trying to sort of sound the alarms in the early days, again, almost, almost 10 years ago, a lot of the response was like, this doesn't really touch us. This doesn't affect back home. We're not seeing any exposure to this. It doesn't really matter. And I thought that was terribly, terribly shortsighted. And unfortunately most of the world has realized that that has been the case very quickly against, you know, since the onset of the COVID 19 pandemic where we saw a lot of mobility restrictions taking place in the region. You know, fundamentally the criminal groups that were involved in this stuff were in need of, of funds and ways to innovate their business model. I guess we should also also caveat here that there is a serious component involving victims of human trafficking or forced labor who are deceived and lured into a lot of these industrial scale cybercrime and scam compounds to conduct and perpetrate the actual criminal activity. Right. They're forced against their will to engage in that stuff. They weren't able to source labor and scale their operations in the same way they were previously. Also, I'll mention that this also very much originates as a money laundering kind of an issue. Illegal online casinos, underground, you know, crypto exchanges, all these kinds of services were really the bread and butter that this problem has evolved off the back of. And so when VIP gamblers, which again, might, might not be so, so obvious here, so I'll explain the full story. 
When VIP gamblers who are using casino infrastructure to launder their money, jumping around from jurisdiction to jurisdiction when they weren't able to travel anymore and go on these like, luxury, you know, casino junket tours with like, you know, helicopter travels and luxury hotels, women like, you know, you can imagine the craziness that these Chinese gangsters got into when they weren't able to travel and engage in that business anymore at scale primarily from China into countries like Australia, Canada. The syndicates at the top had to kind of rethink how they were going to do business. And they did that by doubling down on pretty adjacent infrastructure, illegal online casinos, and started to kind of use that infrastructure, you know, the servers, the it, the labor force that they had to facilitate illegal online gambling into kind of diversified scams. And eventually what we have now, which is increasingly sort of more traditional cybercrime. And so that industry itself has had about three decades to fester and to improve, to refine, and has left us with the situation we have now, which is not only they have the money laundering and underground banking infrastructure kind of perfected to a T, but they have a whole bunch of other criminal industries running off the back of it. So, yeah, I mean, what we have today is these groups have looked far beyond the region. Like I said, what was initially targeting mainland China began to evolve into the region itself, right? So countries in Southeast Asia started being targeted. Countries like Australia and New Zealand increasingly began targeted. And now, you know, virtually every corner of the world has been impacted by this. We have financial Losses in North America and Europe that are dwarfing now the, the money that that's generated by the illicit drug economy in Southeast Asia. They've found it's, it's tremendously profitable. There's virtually no accountability. 
There's very little being done to disrupt at scale. And you know, fundamentally the business conditions are, are good, attractive, you know, attracting new innovators and criminal service providers, driving growth of new illicit online marketplaces that again, are kind of serving as a catalyst, right. Supercharging the illicit economy and the cybercrime economy in the region. And it's just so big. Right. So that's kind of long, long story. Still long, but it's pretty, it's pretty complicated. So hopefully we can unpack that a bit more.

[00:06:09] KB: Okay, so appreciate you sharing that. So one of the things I want to understand because now obviously with like AI and stuff like that, back in the day, you had to be pretty good at doing this stuff. Now you don't really have to be. You can buy it. There's so many services that different stages of the criminal lifestyle you can purchase, etc. So then are we going to start to see a massive sort of proliferation of all this sort of stuff? Because like I said back in the day, you had to sort of know what you're doing and now you don't have to as long as you know where to go to ask what to get. I mean, anyone can sort of go and be a cybercriminal now. So given your research sort of mind, what sort of rattles you about that, would you say?

[00:06:50] John: Yeah. So, you know, one thing's really clear. I used to work for the UN Office on Drugs and Crime for seven years. I was leading, leading threat research over there. And I've seen just how rapidly the landscape has shifted, right, the threat landscape and how much more severe it's gotten. A big driver of that is just the fact, as you mentioned, that the barriers to entry to cybercrime and scams has simply come down. Anyone can pick up a kit, you know, a phishing kit, a scam kit in one of these illicit online marketplaces that I mentioned.
You or some of your viewers might be familiar with entities like Huione, right, this massive criminal marketplace based on Telegram, I think I was member like 9,000 of that, of that particular platform. It reached like, what was it, 700,000. By the end of it, they're doing like, you know, $70 billion in the span of like a year and a half in transaction volume just to give you and your audience a sense of scale of this Chinese criminal economy underground, $70 billion in transactions visible on blockchain over the span of like, you know, 2023 to 2025. Huge numbers. And you can, you know, it's a one stop shop where you can pick up whatever you need, whether you're trying to get into phishing, trying to get into, you know, pig butchering or other other diversified scam types. And unfortunately it's only getting worse. Where malware as a service is increasingly being made available to these, you know, oftentimes lower sort of tech capable criminals where that wasn't the case previously. Right. So this kind of like plug and play model where you can now, you know, basically gain access to a remote access Trojan tool that's been kind of commercialized that you can go and try and distribute and push a couple of buttons to exploit an infected device. That wasn't the case back in 2019, 2020, just wasn't something that we were thinking about. And very rapidly we saw all of these, all of these different factors sort of shift and come together, effectively creating the perfect storm for what some people in my circle call like the Silicon Valley of the criminal underworld, which is again Southeast Asia.

[00:09:09] KB: So recently I interviewed one of the researchers for Mandiant and they had this report and one thing that was interesting to me because I mean, I've come from industry myself and they're moving into interviewing people like you nowadays.
And it was sort of saying that back in the day it was about people wanted to, you know, do nation state and like hack things for the sake of it. And it wasn't about financial gain, but now it's sort of going full circle and it is about financial gain. So do you think that if I look at the next sort of wave of cyber criminals and maybe you can speak, speak, speak more about this would be nowadays younger folks, they want things a little bit faster. They don't want to have to go to university slash college and therefore they want to, you know, they're resorting to TikTok and YouTube and these sort of things. And being a cyber criminal now is up there because it's easy. You'd have to leave your house. It's hard to necessarily get penalized if you're doing it overseas. If there's no treaty, are we going to see more of a surge then in that sort of approach? Because like you said, it's about now. Well, I can get all these sort of things that I don't have to work like a normal sort of job for. Are we going to start to see that wave now through the space or. What are your thoughts?

[00:10:18] John: Yeah, I think, I think we're already seeing it. I think we've been seeing it. It's just been difficult to gain visibility into, into what's happening. Governments are trying to frame this, you know, in some cases even like, oh, this is Chinese state backed or something like that. There might be a dimension of that, but fundamentally this is pretty organic and it's pretty easy to understand. You have at least, you know, let's localize this conversation because it's happening globally. Right. Let's localize this to the region I work, work in, which is East and Southeast Asia. You have a lot of disenfranchised young people who are super talented and just don't have opportunities to make ends meet or let alone, you know, sort of dream to have a future across the region. Right.
The population in East and Southeast Asia represents, you know, like the largest chunk of people on the planet and a lot of those people are young. And so since, since COVID 19 took place and you know, this, this great lockdown, the opportunities haven't, haven't, you know, returned. Not that they were widespread prior to that. You had youth unemployment rates like pushing 25% in some countries. People need to live. And until we provide young people with opportunities that are going to supplement the appeal of, of cybercrime and scams, given you have this infrastructure and this business model and this economy, frankly spreading, growing, proving viable. Right. And against the backdrop of law enforcement that isn't really able to cope. Right. I keep kind of returning to the idea that when I, when I speak to partners in government like this isn't an issue that law enforcement is going to be able to prosecute or investigate their way out of. We need preemptive strategies, we need tech driven strategies and I guess that's a nice little segue also into, into protective DNS, which can be really, really effective in sort of tipping the scales, rebalancing things, bringing some power back to law enforcement and government officials who are struggling really to, to cope with what's happening right now.

[00:12:04] KB: Yeah, this is interesting. So given the current climate that we're in, obviously we've seen some of the biggest tech layoffs, if not largest in technology history. Where does that sort of leave people then? Like even people have been in this space for a lot longer, they've got a lot more tenure as opposed to sort of a junior person coming through. They're being dis. So does that mean now again, it's going to compound even more, because we're seeing, just like, people have been in the game for 30 years now that are being sort of told like, hey, you don't have a role anymore.

[00:12:31] John: I guess it depends on metrics at the end of the day.
And I presume that a lot of these layoffs are probably also taking place due to AI integration and these kinds of things. But equally, I mean, historically, as you know, as well as I do in this industry, cybersecurity and these sorts of measures are often considered as like, a nice to have and not a need to have. I think there's also something to be said about, like, this binary between consumer facing threats and like, enterprise facing threats. I think that binary is kind of becoming increasingly obsolete. Right. We see examples of this with stuff I'm looking at in Asia, where, you know, we recently published about this remote access Trojan campaign, actor malware as a service that was being distributed to 21 different countries around the world from Cambodian scam centers. And we know that their sort of modus operandi in that context has shifted. They used to be targeting people like you and I, right? Not necessarily for the company that we represent or work for to try and get initial access and those kinds of things, but simply just for financial fraud. We identified in the process of that investigation that they're increasingly shifting their focus onto enterprises and people, individuals who work for big companies around the region and elsewhere to try and leverage their relationship with big companies. I think the faster we realize how quickly this landscape is shifting, the direction it's going and the threat that we need to invest in combating, the better. That's probably not looking like the direction we're going, given the recent widespread layoffs. But sometimes you need those. Sometimes you need to get slapped in the face before you realize the mistakes you're making, unfortunately.

[00:14:11] KB: So do you think that. I mean, that's a good point. So do you think that now because of AI and all the stuff that comes with it, companies are more bamboozled by that at the moment, and perhaps some of their security focus has gone by the wayside.
And I know it's hard necessarily to do these things simultaneously, but it just. In my point of view, from a media perspective, everything seems to be very focused on artificial intelligence, which I understand, but then that doesn't mean security goes away. So where does that sort of question sit with you?

[00:14:40] John: Yeah, I think it all comes down to balance. Infoblox, the company that I work for and represent, is deep on AI. Right. Frankly, it's made my workflow just so much more efficient. Me and my team can definitely state that we're not so concerned about it from any sort of adversarial type of way, but more, as far as you do need humans in the loop to be able to operationalize this stuff. You need the subject matter expertise to know what to point it at. And it makes a huge impact. In the context of my sort of day to day with the investigations that we're doing, the analysis we're conducting, it's a force multiplier, right. And it should be used as such. I think any company that's not integrating AI is probably falling behind and looking at this the wrong way, but there's definitely a way to do it. And I think subject matter expertise and knowing just simply knowing how to make the most of it is the right way forward. Whatever balance a certain company needs to strike with respect to the bottom line and the amount of money they can or cannot invest in it should be the approach rather than, oh, how many assets, human assets can we cut in order to move this, utilize this funding in a different way? I think that's very likely a short sighted move and there is so much noise and slop kind of being pushed around across different sort of segments of cyber. It's clearly got huge capacity and huge capability and value for any company in the space. But I think a lot of, a lot of enterprises are also sort of looking at it with respect to like how to cut corners. And that's probably something that everyone needs to be careful about moving forward.
[00:16:15] KB: Okay, so I want to slightly switch gears now and talk to you about pig butchering scams. Now I've interviewed a few folks over the years about this, but now it's sort of gone from more of an isolated fraud campaign to what looks like a full blown operational criminal business model. So talk me through how organized and professionalized sort of has this ecosystem sort of come from to where it's sort of going now. Like it obviously is a lot more sophisticated than where it was started, right?

[00:16:47] John: Yeah, definitely. Again, this kind of brings me back to the, to the initial story that I was, I was describing, right? If you look back 10, 15 years, this was already happening. This was happening in the early 2010s in Southeast Asia. But let me, let me kind of give you the long story here. What happened. And most people won't talk about this or won't know about it. What happened was that in 2013 14, you have Xi Jinping take power in China. Again. The majority of groups involved in this activity are Chinese. This is Chinese organized crime at a very, very high level. And so what ends up happening is that Xi Jinping takes office and basically one of the first measures that he takes in his new role is to go on an anti corruption and anti organized crime crackdown. Okay, so that takes place about 12 years ago, 2013, 14. This problem only starts really being talked about by us right around like 2020, 21, 22. So that's a whole lot of time for different things to be taking place. 2014, basically the message is sent to the entire criminal underworld in China. We're coming for you. We're coming for you if you're into methamphetamine production, because that was taking place in the southern parts of China. We're coming for you if you're involved in industrial scale money laundering. And that was happening in place Macau and Fuan, and we're coming after you if you're involved in cybercrime, which was really kind of like telecommunications fraud.
And that was, you know, the big hub for that in China was, was a place called Fujian. There was even policies invoked where if you were from Fujian, you wouldn't be able to rent office space because they would be almost certain that you're going to be engaging in telecom fraud. Right. So what's really interesting is like when I was working with the un, we had this transnational organized crime threat assessment. And so at this time it was like 2018, and we had a consultation with all the governments in the region, including China and some other countries who weren't in Southeast Asia. And we basically asked, what's important to you guys across the different crime portfolios, what should we be focusing on in this assessment? And China was the only government at this time to say, you need to focus on telecom fraud, you need to focus on cyber enabled fraud. This is a huge industry, it's coming, we need to focus on this. And every other country was like, nah, not really an issue that we're dealing with right now, not important. So we basically didn't have the mandate to really dig into it. Lo and behold, it turns into very likely 100 plus billion dollar industry in the region that now dwarfs the synthetic drug trade, which alone is like 60 to 80 billion dollars for meth, meth alone. And so the reason, so the context behind what we're seeing today, and I think it's really important that your audience understand this is the way it's evolved and why it evolved, right? We call this a criminal spillover or displacement. So we saw just a huge effort by the Xi Jinping administration to crack down on, on transnational organized crime, drug trafficking, cybercrime and money laundering in these different pockets of China. And so the message was loud and clear. These criminal groups needed to find a new home. They needed to start kind of hedging their, their physical bases of operation beyond mainland China. 
Because it's just, you know, fundamentally the business conditions were changing. They were no longer safe. The protection rackets that they had developed over time were kind of falling apart because Xi Jinping was actually having a go at his former opposition, right? Who were leveraging this criminal economy, who were leveraging the money laundering and underground banking infrastructure to move money, often stolen money from state owned enterprises by corrupt officials out of the country, right. Into different parts of Southeast Asia. I'm sure you might know about the kind of like casino inquiries in Australia, right? Crown casino, star casino, all those kinds of big cases, right? We have the same thing in Vancouver. We actually coined the Vancouver model of money laundering, which is like a casino based method for moving loads of money. And nobody seemed to care, right? It was like the casinos were serving as like a point of least resistance. Nobody realized that casinos fundamentally can function like banks. And I started having these consultations with governments around the region and everyone looked at me like, you know, it's just a game, right? And we're like, no, no man, this is moving billions of dollars for the worst of the worst and the most dangerous Chinese organized crime groups. And they know you don't, you know, they know we no one cared about this, right? So anyways, long, you know, long long story, a little bit shorter here. They all spilled over into a couple of first few touch points that was like the Philippines, Cambodia. And what do those two places have in common is that they suddenly became massive casino cities, right? They basically use the casinos, whether they're like physical land based casinos or you know, online gambling operations as fronts, right? They use these businesses as fronts for diversified cybercrime and scams. 
Casinos are cool because casinos serve as a oftentimes licensed, regulatory, legal and fiscal cover that's able to justify large amounts of money, right? So it's difficult to tell if someone moving, moving $1 million through an online casino is just gambling for fun or whether they got this money off the streets selling drugs and are now using the casino to move that money between me and you, for instance, online, right? And there's like no auditing of online casinos. Like it's just out of control, Right. We're obviously a DNS company, Infoblox, but When you look at the vast majority of sort of suspicious activity in DNS, it's like overwhelmingly Chinese casinos and porn. Very fun little fact, right? But so basically my job as a researcher back with the UN was like, what the hell is the nexus between these casinos and all of this nasty pig butchering and other stuff? Why do all of the bases of operation where thousands of people are trafficked and stuck and beaten and tortured and tased, why are there always casinos? What the hell is the point of having these, these casinos there? And that was kind of the initial research question that we went after. And you know, you have to tell this whole story to get to where we are today. Now that's obviously spilled over. You know, I have a map, not that I can show it here, but that shows just like more than 400 different physical scam sites, scam slash casino sites throughout the region. Like, you know, hundreds upon hundreds of industrial scale zones, some created by government officials and protected as a result. Right. There's so many crazy stories, I think someone should make a movie at some point that's led us to where we are today where like there's really still no, no hope that this is anywhere close to improving. But the threats emanating out of these places, they're getting worse and worse. Our visibility is also not, not significantly improving into what the hell these guys are up to. 
[00:23:37] KB: We'll come back to that after a quick word from our sponsor. Enterprise tech leaders know that compliance isn't just about ticking boxes. It's about risk, reputation and revenue. That's why companies trust VANTA to streamline their security and compliance workflows at scale with deep integrations and automated evidence collection. VANTA takes the manual audit grunt work out of the frameworks like ISO 27001, SOC 2 and GDPR. Visit vanta.com KBKast v a n t a dot com KBKast to learn more. All right, back with John. So, okay, that's okay, that's interesting. So the question that I have for you would be nobody seemed to care, but anyone who's anyone, if you go back to like when people would wash money through casinos, this is seems obvious though to me in terms if I was a criminal, if I wanted to move money, wash money, all that sort of conceal it, that's probably the first sort of place people normally go to. So like what part were they not caring about? Was it that, hey, we're going to turn a blind eye because it makes money, so who cares? You're right, there's a lot of stuff going on in Australia. Like one of them, I believe. I think they've lost their license now. Walk me through that mindset.

[00:24:55] John: It's not that they didn't care, but I think there's a couple of things to mention here. One is that the scale of money that wasn't being reported or wasn't being identified as suspicious, like that was just exorbitant, right? You might have heard of a guy named Alvin Chau. Alvin Chau was the founder and chairman of a big casino company called Suncity Group out of Macau. He operated in plain sight. He was known for being handsome, for having, you know, Taiwanese model girlfriends around his arm and being a billionaire, right? He was like Macau's poster boy for the casino industry. His mentor was a guy named Wan Kuok-koi who goes by the moniker Broken Tooth.
And Broken Tooth was sentenced to like 12 or 13 years in prison for attempted murder on a Macau cop where he tried to blow up his car. These are both senior triads, very heavy, very high ranking triads. And in the latter, you know, in the first case, he's, he's literally the poster boy for the industry. He did this by infiltrating the industry. He set the rules in many different jurisdictions, right? And he lobbied to have basically openings, right? Openings and vulnerabilities left open so that dirty money could pass through. And this is like, you know, he is the pioneer of Chinese based money laundering. Really, Right. What's interesting is when you look, you look at this guy and sort of his, his legacy, right? Because I forgot to mention, he's been serving 18 years in prison for being Macau's biggest money launderer in history, where he moved about $104 billion over seven years. $104 billion. And his, his clientele, you know, you might, might be curious who, who, whose money he was moving. Everybody from North Korea to state backed hackers to cyber scammers based in Southeast Asia, big drug traffickers. Like this guy was a criminal banker. He was the criminal banker and he was operating in plain sight. He was operating in the best, most tightly regulated jurisdictions. And just, you know, it was too, too complex, it was too sophisticated to really nail him down until China did. And they did that to send a message again in the context of what I said previously, which is like, this ain't going to fly anymore. Also, fun, fun fact. China's. As of like 2023, 2024, China was losing about $163 billion per year through casinos and adjacent kind of mechanisms. So, you know, when COVID happened, right? There's kind of one country that stands out as far as, like, scaring the crap out of you if you're in that country. It's kind of China, right? They were like, welding doors and doing all these different kinds of things, making sure the contagion was, was contained.
That's kind of a scary thing if you've got all of your life savings tied up in a country that's going to treat you like that, right? So there's like a huge surge that takes place around that time as well, with people just like, doing anything they can to get their money out. And that creates a huge demand overseas for foreign currency, which basically the criminal groups can tap into and be like, you know, we have all this demand for money out of China. Let's link up with the cartels, let's link up with the bikies in Australia who are like, you know, selling drugs and have all this dirty cash abroad. And they kind of, you know, connect supply and demand that way. But anyways, Alvin Chau, again, is like one of, one of the key, key figures and sort of pioneers of this industry is guys like him who are moving hundreds of billions of dollars for criminals that again, we're setting the rules. We're having relationships with regulators, and we're making it sort of worthwhile for governments and officials to kind of, kind of look the other way. We kind of like this casino money coming in, right? It's generating a lot of money for our constituents. It's making, you know, the local economy happy in places where, like, nobody was really investing and they thought to themselves, why don't we take this model, you know, and apply it to remote parts of the region, like in Laos and Myanmar and Cambodia, right? Where nobody, nobody sensible will invest because it's, you know, it's corrupt countries, right? Corruption is rampant. The business environment there isn't great. Who else is going to invest apart from Chinese criminal investors? That became like a pattern, that and trend that we saw just kind of cascading throughout Southeast Asia, where these guys come out of nowhere.
They made billions of dollars in the casino industry, and now they're building a quote, unquote, blockchain smart city special economic zone on the border of Thailand and Myanmar, which nobody knows what the hell they're doing. Nobody knows where the hell the money came from, right? And it's like criminal foreign direct investment. And they're able to establish these massive, massive scaling compounds, right? Where people get trafficked and people from around the world get victimized by, by cybercrime.

[00:29:38] KB: Super full on. And that, that sort of leads me to my next question, just to push down this a little bit more that I want you to talk through this sinister sort of human side to this, which you just touched on the trafficking, right. So it's just more, I want to just bring it full circle that perhaps people are so narrow minded when it comes to cybercrime, perhaps. So there's a lot of stuff like forced labor, financial exploitation. Do you think people in the industry overlook what's happening? I mean you're sort of, you've worked across it, you're doing a lot of research in this space. Yes, in Southeast Asia, but across the world as well. Do you think it's something that people don't think about each day and they, they know these cyber criminals exist, but there's also another darker side to it as well, right?

[00:30:25] John: Yeah, absolutely. I mean I think it's totally fair that people don't, don't anticipate it, Right. I think we're all used to getting those, those scam phone calls and just being kind of pissed off, right. And maybe even like trolling them back or something. Nobody expects that the person on the other side of the line is, you know, a victim of human trafficking who's threatened with, you know, being tased for a few days and left without food if they don't hit their quota. So it has been a powerful sort of device with respect to communicating, you know, another serious dimension of this threat.
I think when I, when I had left the UN, we had, we had victims from like 60 different countries around the world being identified in these places, right? And think about that from a, from the perspective of like giving these criminal operations like linguistic capability, right? They're able to target countries like countries you think would have nothing to do with this, right? Russia, Brazil, all around the world. Like it just, it was, it's so weird. But for some reason they decided to scale the scale, scale this industry on the backs of average people who are being deceived with honestly not even that much money, right. They were just looking for, for a decent salary. And what would end up happening is that take these jobs and some. And you have to also give them credit because what, what they ended up developing here was like a multi-stage HR recruitment process that also legitimized the whole, you know, experience for people. Right. There's stories I've been told by victims where like their recruiter was like a blonde Russian woman who you know, went through a three stage interview process with them and they were hoping they were going to get the job, and when they did, it was great news. Right? And that, that kind of social engineering was what brought them to what they thought was, you know, Bangkok. But then they end up being trafficked into Cambodia or brought on a second flight together with hundreds of other people. Right. So it's insane. And there's also kind of clearly issues on that side of things, right, with different countries being used for transit, airport security, being kind of infiltrated by these criminal gangs who are paying for like vi, you know, expedited service to move their laborers. Huge scandals around, around the region. 
With that, in that respect, it's really just like a perverted, toxic, kind of cancerous industry that doesn't just spread with respect to sort of cyber threats, conventional cyber threats, but really kind of taints institutions, period. Right. The integrity of these institutions. You have corrupt politicians just getting bankrolled, you know, different democratic institutions. Airports regulate, you know, regulatory regimes, money laundering frameworks. Like they've created their own banks, they've created their own crypto exchanges that are licensed and regulated. They've moved their money back into countries where they've victimized thousands of people and stolen, stolen hundreds of millions of dollars. They've bought up top tier, you know, real estate in, in desirable jurisdictions like Vancouver, London, in the U.S. right. And this was kind of like we kind of sleepwalked into this. One of the, one of the reports that I had written back in 2024 was called like the convergence of Transnational Organized crime and sort of breaking the silos and the barriers, which, you know, my old office wasn't the biggest fan of, but it was needed to sort of explain like this doesn't, this isn't a cyber issue, this isn't a human trafficking issue, this isn't a money laundering issue. This is like we need to look at this full picture because it's, it's touching so many different aspects. And that's the response, the conventional response to addressing this like it doesn't work. You need a whole of government approach to be able to disrupt this in a meaningful way.
[00:34:01] KB: Yeah. That is so full on. And then to make it worse, we're adding AI then into it, which is going to like turbocharge all this stuff, right? Make it easier, faster, more accessible. So then walk me through. Well, like what does that look like now? Because it seemed hard enough before and now we've just added fuel to the proverbial fire here. 
[00:34:24] John: Yeah, I mean there's, there's so many different applications and use cases. Right. I mean, I'm sure you're using AI in certain ways. I know I am. You know, as, as this technology diffuses and kind of like democratizes, right. That's it's going to probably create a wider gap between law enforcement and, and these criminal groups who are using it for one very specific way and that's to make money into, you know, fundamentally screw people. This morning I woke up to like the jailbroken co pilot being used by Russian, Russian cybercriminals. Like clearly you can't keep this chained up and behind closed doors. Right. I think we need to kind of accept that new reality. And again it I think brings us back to the value that protective DNS can, can drive in this context. Right. To be able to facilitate disruption at scale, irrespective of, of some of the tooling. But I guess we can get to that later. I think the application that the criminal groups in my region, how they're leveraging AI driven tools from having better scripts to social engineer, to being able to increasingly automate a lot of these workflows and processes. So many different platforms being sold effectively like criminal SaaS software as a service being developed and rented out to these criminal groups, from synthetic voice tools and voice cloning to deepfakes. Obviously there's infinite possibility of opportunities for these guys, right. And they're specializing. Right. There's companies that specialize in these AI suites, different applications, platforms and tooling and unfortunately that's probably only set to accelerate for what they're doing. Right. It's, it's very easy to imagine the different application they have for these tools. We're already seeing them frankly. Right. In this investigation that I mentioned involving the, the banking Trojan targeting 21 different countries, right. We, we were able to map out and uncover a lot of their C2 infrastructure. 
Across that infrastructure we mapped, we were also able to detect like different AI tools. I think there was three or four different ones. The login pages for those we weren't able to really determine, discover what they were up to using them, but we did see that that was a part of their ecosystem in infra. It's clearly growing. It's going to be interesting to see how creative they get over the next few years, but hopefully it's something that we can respond to as a community. I just had one more thing that I was going to say. We've spoken about the human trafficking, we've spoken about where we are right now, the status of this kind of frankly, crisis. What's happening now is that the syndicates that are involved in this space. The Chinese criminal groups who are pushing a lot of this stuff, they're really agile and they do sort of step back once, once in a while and take stock of like lessons learned, right? And so we're having this conversation. We probably wouldn't have been having this conversation six years ago. It wouldn't have been something that was maybe on either of our radars, right? We're having this conversation because it's been politicized, it's been blown up in media. It's pretty topical, right? It's interesting. It's different. The criminal groups who are behind this know that what's burned them to this point is large scale victims of human trafficking, people screaming for help, embassies getting involved, right? Like I mentioned 60 plus countries that victims originated from stuck inside these compounds, right? Like it's a terrible, terrible thing that you could write a movie about, right? How do they pivot from this is very likely by scaling up their efforts to automate, to integrate new AI tools into these operations and ultimately to become more invisible. Right? Because at this point we know where these operations are based, we know where the scam compounds are. We frankly know who's behind them. 
In many cases, that's made this sort of unpalatable for much of the world, right? You've got increasing, sweeping US sanctions, right? UK sanctions. You've got more and more law enforcement operations throughout the region. You've got basically a pretty good situational awareness of what the hell is going on and again, who's behind it. That's not really a sustainable situation for these groups. And so they're going to want to double down on efforts to regain that anonymity. And they're going to be doing that by moving away from this large scale centralized model and increasingly decentralized. And we're already seeing that play out with respect to the physical basis of operation. These large scale compounds still do exist, the big ones, some of them are still active and everything, but they're increasingly beginning to move into like, like hotel resorts that have a bunch of like small bungalows or like residential property developments that again look like, you know, townhouses or something. And sort of basing those operations in there, continuing that, that wicked game of whack-a-mole which is like unstoppable by decentralizing, right? And so with that also will is coming the fact that the proportion of laborers inside these places are increasingly like voluntary participants, right? At this point, a lot of people know, like if you're getting a sketchy job in Southeast Asia, like there is a pretty good chance you're probably going to get deceived. Right. That's definitely been the case in Asia itself. Like the awareness levels about like, don't take a job in Myanmar, don't go into Thailand. It's become quite, quite obvious to a lot of people. There's still a lot of people who want to be there, want to participate. Right. The conditions in some of those compounds are changing. They're not always like confiscating your passport. They're treating you better, you have freedom of movement, you can go and come in as you please. 
It's becoming more viable as a way to get a livelihood. And so if you take away that human trafficking element, all you really have left is a detection not based on people and victims crying for help and so on, but kind of a more conventional like cyber threat detection. Right. The capacity in the region is just not there. Like there are governments in the region that still use paper and stamps to move day to day processes in that context. Like this is not a region where, you know, digital evidence is going to be handled correctly or, you know, the judiciary is not going to be able to interpret digital evidence zeros and ones. Right. Like their forensics, they're like, you know, kicking in doors and ripping up a hard drive, imaging, so on and so forth. Like this is not happening, happening. This is not a region where digital forensic evidence is collected really also. Right. Just to be able to detect and identify, let alone prosecute and find justice for people. It's just not there yet. Right. And so I think that's what they're banking on is like they're going to be way more difficult to disrupt physically moving forward if this trend kind of continues. And again, it's going to bring me back to the value of protective DNS, the value of DNS, threat intel. And some of the work that we're doing, which is really kind of like the, the first solution that I've heard as someone working in this space for like as long as I have that has any, any chance of kind of tipping the scales and allowing, you know, being able to sort of cut through a lot of the different tasks that law enforcement in the region have to deal with on this portfolio and kind of allow them to be able to do what they need to do, you know, focus on what they're good at investigating as opposed to dealing with like an overwhelming case intake. Right. Like at this point in some countries you're going to have to lose over like $400,000 in order to even like perk up the ears of a lot of an investigator. Right. 
There's just no bandwidth, there's no, there's no, there's no resources to be able to deal with this. And I think, you know, blocking at DNS, disrupting at DNS, being able to map, map this criminal infrastructure at DNS is a really powerful force multiplier that's going to be able to help these efforts.
[00:42:08] KB: So John, to wrap this all together, talk me through then, the importance of like protective DNS. I know you sort of talked about it throughout the interview, but I really just want to, you know, conclude today with what is it that people are missing? What do they need to know?
[00:42:21] John: Sure. So I think like a lot of, a lot of organizations and really I'm talking about like the government efforts here, not so much necessarily in the west, right. Like we're seeing national protective DNS programs being adopted and sort of trumpeted as sort of a, increasingly as like a best practice in countries like the US and across Europe and the UK but in Southeast Asia and really in the Asia Pacific, we're seeing a big lag with respect to response. Right. And so maybe just a step back, right? Like DNS being the layer of the Internet where domains resolve to IP addresses and sort of fetching content, right. The Internet's phone book. Organizations in the region are kind of fighting this issue with lights off. They haven't really been able to appreciate the value of DNS. And with this particular crime type, right, cyber-enabled fraud, we're talking about thousands upon thousands of algorithmically generated domains, right? I'm sure you've received some of these, these text messages, right? Like these domains that look like, don't make any sense, but somehow they're impacting loads and loads of people. So just by being able to focus on sort of that early stage of the attack chain at DNS, right? 
And being able to map out tens of thousands of domains that are attributed to a particular campaign through our DNS telemetry and also oftentimes being able to gain some attribution into that and most importantly build detection for these different actors for these different clusters of domains at scale and then basically not necessarily take them down, although we do do that, but being able to inhibit customer machines and ideally one day the average person's device from being able to connect to suspicious or malicious websites at scale, that's going to be a powerful way to, to like I said, not only protect people and enterprises but you know, make the life of these, these criminal networks more difficult. Right? And it's not just about scams and, you know, pig butchering and the like, but, like, I think the NSA was the one who had mentioned that, like, upwards of 90% of malware infections have a DNS component at some stage, right? Like, being able to block the C2, being able to block those sort of tailored lure domains that are used to push, you know, a remote access Trojan or whatever. All these threats that we're seeing coming out of the region, right? Being able to not only disrupt, but also, like, learn from that infrastructure, right? And then kind of get in front of it in a preemptive way. That's powerful stuff. And, you know, I think we have one example where when one certain country that's engaged in a conflict had invested in this strategy, right? And obviously there's several players in protective DNS, but Infoblox being among the best, once that was switched on, like, I think it was like a 35% reduction in the first month of phishing attacks coming from the, you know, adversary hitting the country, right? So, like, it does work. 
It could have a profound impact on being able to protect people and disrupt these criminal operations ultimately, kind of taking, you know, taking the wind out of their sails, because right now they're just like they're flying right, would be a very powerful thing to implement throughout the region. And we're already seeing a lot of success taking place in a number of different countries in Southeast Asia and East Asia with their slow development and integration of national protective DNS strategies to do just that.
[00:45:53] KB: That was John Wojcik. What's staying with me is his coin that this 100 billion, that's a billion with a B criminal economy didn't sneak up on us so much as we walk straight past it, because we kept filing casinos, human trafficking, and cybercrime as three separate problems when they were always one. If you're a CISO, the takeaway is to drop the assumption that consumer scams are someone else's problem, because the people running these compounds are now coming after your staff, specifically as a way in. If you haven't already, hit follow. It's the difference between you remembering to come back and not. KBKast - Cyber for the C-suite.
