A California plaintiff says three banks should have done more to protect him from scammers who took hundreds of thousands of dollars from him.
# Incident Report: Cryptocurrency Investment Scam Fueled by Alleged Bank AML Failures
## Executive Summary
A victim initiated a lawsuit against three international banks alleging the institutions exhibited "willful blindness" by allowing fraudulent accounts to be opened and used, facilitating the theft of nearly \$1 million through a cryptocurrency investment scam (romance baiting/pig-butchering). The primary failure involved the banks' alleged non-adherence to Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements, enabling the rapid wiring of funds to offshore entities.
## Incident Details
- **Discovery Date:** December 2023 (plaintiff realized the funds were stolen); August 2024 (plaintiff notified the banks)
- **Incident Period:** June 2023 – December 2023 (Wire transfers)
- **Affected Organization:** Ken Liem (Plaintiff/Victim)
- **Sector:** Financial Services (originating and receiving banks); consumer financial fraud (investment scam)
- **Geography:** California, USA (Victim); Hong Kong and Singapore (Receiving Accounts)
## Timeline of Events
### Initial Access
- **Date/Time:** June 2023
- **Vector:** Social Engineering via LinkedIn.
- **Details:** Plaintiff (Ken Liem) was approached by an unknown individual on LinkedIn regarding cryptocurrency investment opportunities.
### Transaction/Fraud Progression
- **June 2023 – Approx. December 2023:** Liem made four separate wire transfers, totaling **\$986,000**, via Wells Fargo to accounts held at Chong Hing Bank Limited, Fubon Bank Limited, and DBS Bank in the names of three Hong Kong-registered entities.
- **Approx. December 2023:** Liem realized the investment was a scam when his crypto account was "frozen" for supposed money laundering, followed by a demand for a fake tax payment to the IRS to release funds.
### Detection & Response
- **August 2024:** Liem notified the recipient banks of the fraudulent transfers.
- **Post-August 2024:** Banks allegedly either disclaimed responsibility or failed to respond.
- **December 31, 2024:** Lawsuit filed in the Central District of California against the three receiving banks.
## Attack Methodology
This incident primarily leveraged social engineering and systemic financial failures rather than traditional network intrusion methods.
- **Initial Access:** Social Engineering (LinkedIn contact leading to investment solicitation).
- **Persistence:** N/A (Direct financial fraud, not system compromise).
- **Privilege Escalation:** N/A
- **Defense Evasion:** Exploitation of allegedly weak KYC/AML controls at the receiving banks.
- **Credential Access:** N/A
- **Discovery:** N/A (Scammer identified a susceptible victim externally).
- **Lateral Movement:** N/A (Funds moved directly through the banking infrastructure).
- **Collection:** Financial assets transferred via four wire transfers.
- **Exfiltration:** Funds moved out of the victim's control into offshore accounts controlled by the criminal group.
- **Impact:** Significant financial loss to the victim.
## Impact Assessment
- **Financial:** \$986,000 lost by the victim.
- **Data Breach:** None of the victim's own systems were breached; the only records involved are those of the fraudulent wire transfers.
- **Operational:** Disruption of the victim's financial stability and the need for legal redress.
- **Reputational:** Potential reputational damage to the accused financial institutions due to allegations of willful blindness and failure to comply with AML regulations.
## Indicators of Compromise
*Since this is a money mule/wire fraud scenario rather than a network intrusion, the indicators are transactional (counterparty entity names and transfer patterns) rather than network artifacts; the source gives no transaction identifiers.*
- **Network indicators:** N/A (Focus is transactional)
- **File indicators:** N/A
- **Behavioral indicators:** An unusual series of large wire transfers to newly established or unfamiliar Hong Kong (or other Asian) entities; a demand for a further payment (the fake "tax") after the platform "freezes" the account.
## Response Actions
The primary response action described is **Legal Recourse**:
- **Containment:** Limited: the funds had already been wired before Liem recognized the scam.
- **Eradication:** N/A (No organizational systems were compromised)
- **Recovery actions:** Filing a lawsuit against the banks asserting failure to adhere to the Bank Secrecy Act and KYC requirements, seeking recovery of the \$986,000.
## Lessons Learned
- **Failure Point:** Financial institutions allegedly prioritized transaction processing over robust verification of account ownership and business activity as mandated by AML/KYC regulations.
- **Scam Sophistication:** The use of "romance baiting" (pig-butchering) scams remains an industrial-scale threat, leveraging social platforms (LinkedIn) to initiate contact.
- **Warning Signs Ignored:** The banks allegedly failed to question the nature of the offshore accounts that received substantial wired sums, and did not perform adequate due diligence (KYC/AML checks) on them.
## Recommendations
- **Strengthen KYC Enforcement:** Banks must rigorously verify the documented identity and the stated nature of initial business activities for new account holders, especially those receiving international wires.
- **Transaction Monitoring:** Enhanced scrutiny of transfers originating from victim accounts, particularly when moving large sums quickly to international entities where the beneficial owner's activity is unclear.
- **Public Awareness:** Continue to stress that the IRS or legitimate platforms do not hold funds hostage pending fictional "tax payments."
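The behavioral indicator and the transaction-monitoring recommendation above, expressed as a rule run over a constructed wire ledger. This is an added example, not code from the report, the filing, or any bank; the thresholds, account ids, entity names and per-wire amounts are assumptions (the amounts are invented but sum to the $986,000 the report gives).

```python
from dataclasses import dataclass
from datetime import date
# Tuning values are assumptions for this example, not figures from the filing.
LARGE_WIRE_USD = 100_000   # per-transfer threshold
WINDOW_DAYS = 180          # lookback window for counting related wires
YOUNG_ENTITY_DAYS = 365    # beneficiary incorporated within the last year
MIN_HITS = 2               # matching wires needed before an alert is raised

@dataclass(frozen=True)
class Wire:
    wire_id: str
    originator: str
    value_date: date
    amount_usd: int
    beneficiary: str              # legal entity holding the receiving account
    beneficiary_country: str      # ISO 3166 alpha-2 of the receiving bank
    beneficiary_registered: date  # incorporation date from the KYC file

def is_suspicious_wire(w: Wire, home_country: str = "US") -> bool:
    """Large, cross-border, and paid to an entity registered less than a year ago."""
    entity_age_days = (w.value_date - w.beneficiary_registered).days
    return (w.amount_usd >= LARGE_WIRE_USD
            and w.beneficiary_country != home_country
            and entity_age_days < YOUNG_ENTITY_DAYS)

def find_alerts(wires):
    """Map originator -> (matching wire ids, total USD) when MIN_HITS+ suspicious wires fall in one WINDOW_DAYS window."""
    alerts = {}
    by_originator = {}
    for w in sorted(wires, key=lambda w: w.value_date):
        by_originator.setdefault(w.originator, []).append(w)
    for originator, ws in by_originator.items():
        hits = [w for w in ws if is_suspicious_wire(w)]
        for i, first in enumerate(hits):
            run = [w for w in hits[i:] if (w.value_date - first.value_date).days <= WINDOW_DAYS]
            if len(run) >= MIN_HITS:
                alerts[originator] = ([w.wire_id for w in run], sum(w.amount_usd for w in run))
                break
    return alerts

# Constructed sample ledger: four wires mirroring the report's pattern, plus two benign controls.
SAMPLE_WIRES = [
    Wire("W1", "victim-acct", date(2023, 6, 15), 150_000, "HK-Entity-A", "HK", date(2023, 3, 1)),
    Wire("W2", "victim-acct", date(2023, 8, 10), 236_000, "HK-Entity-B", "HK", date(2023, 5, 1)),
    Wire("W3", "victim-acct", date(2023, 10, 5), 300_000, "HK-Entity-C", "HK", date(2023, 7, 15)),
    Wire("W4", "victim-acct", date(2023, 12, 1), 300_000, "HK-Entity-A", "HK", date(2023, 3, 1)),
    Wire("W5", "other-acct", date(2023, 9, 1), 250_000, "DE-Supplier", "DE", date(2005, 1, 1)),
    Wire("W6", "other-acct", date(2023, 9, 20), 400_000, "US-Escrow", "US", date(2023, 8, 1)),
]
```

Calling `find_alerts(SAMPLE_WIRES)` flags only `victim-acct`, with all four wires and the $986,000 total, while the long-established German supplier and the domestic transfer do not alert.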