Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I am amazed at how well these criminals from another country know the details of the systems in the US when we in the US have probably a handful of people who understand the end-to-end line they do.

I am not surprised this is happening. The small offices in each state are responsible for 100s of millions of dollars and they awfully unequipped for it. This is sort of thing that the federal government should do and provide a portal for each state to use so that they can track and do stuff across states to look for fraud. However i don’t know if states rights and separation of duties screws this up.



> I am amazed at how well these criminals from another country know the details of the systems in the US when we in the US have probably a handful of people who understand the end-to-end line they do.

It’s quite literally a criminals job to understand and abuse these systems, and there’s very clear link between their performance and their reward. Makes for a good motivator.

People frequently underestimate criminals because they don’t appreciate that these individuals are doing this work as full time job. I’m sure if you spent 8 hours a day for week, you’ll have an equally good understanding.


I always find it ironic that for all but the most lucrative criminal enterprises, if the criminal applied the same amount of effort towards pursuing legitimate employment, they would come out ahead (adjusted for risk of course).

Some people just enjoy "getting over" more, to the point that they will discount their labor used for such schemes.


I don't think that's true. The criminals you hear are the only ones who get caught.

In fact, I would say criminal activities have a higher risk-adjusted return than legitimate activities, simply because there's less "supply" in this labour market due to moral reasons and risk-aversion.

As an example, let's say you find a zero-day that gives you access to any FAMG account. Their responsible disclosure programs will pay you probably ~$31,337 (real example from Google).

If you sell that on the darkweb as a "hax any Google account as service", while it is more effort, you could absolutely clear multi-millions from it (charge $50k per account hijack; which itself can lead to millions in fraud profits or selling intellectual property; etc; can maybe pull this off 50 times before it gets patched = $2.5 million).

Not to mention you'd probably be able to sell it to Saudi Arabia and Israel for anywhere from six to eight digits too depending on their operational needs.

So that's a >80x increase in earnings if you go the criminal route. It's more work, but there are brokers who will happily do the heavy lifting for you in exchange for taking a cut of the profits.

And if you reside in a country where the government essentially encourage hacking Western companies as long as you don't hack properties of your own nation (e.g. China; Russia), then the risk to you is virtually zero (as long as you don't plan to travel to a western-extradition country).


  for all but the most lucrative criminal enterprises
What you described is top-notch hacking and super high risk (99,99% of such criminals probably never deal directly with governments).

Seems similar to claim that acting pays well and take the example of Tom Cruise to prove it.

The recent interview of Marcus Hutchins says something else: he's been working full time as black hat and realized afterwards that being a white hat pays better.


Marcus Hutchins simply didn’t understand the business side of things.


He had his fingers in his ears singing la la la


I work in preventing financial crime, so I have some useful context on this.

Unless your hitting the big leagues (stealing millions to tens of millions of dollars) then the odds of you actually getting caught and prosecuted are basically 0.

This sounds silly, but it’s mostly driven by the fact that most traditional law enforcement agency (i.e. the police) don’t understand or are interested in preventing financial crime. It’s too abstract, doesn’t have a physical component, and frequently the criminals will be completely different jurisdictions to victims.

Even when you provide the police with the home address and photo ID of a financial criminal to the police, they usually won’t do anything. Again they don’t understand the crime, they don’t have the training to investigate and they don’t know what evidence is needed to prosecute. Finally the police are usually rated by the public on the number of shootings and stabbing that didn’t happen, rather than dollars not stolen.

So the only agencies that actually pursue financial criminals are people like the secret service in the US, and the City of London fincrime team in the UK.

Both relatively small agencies compared to a national police force. The end result is they only pursue whales, people and organisations that have stolen millions from one person or organisation.

If you’re not a whale, then no ones gonna chase you. You can spend years ripping off grandma‘s at $10k a pop, and no law enforcement agency will care.


How do you know that to be true?

Social engineering, much hacking, scamming, etc. don't care about race or gender or connections or degrees, all of which are very real things limiting people's professional success. Many can be done without interacting with a team and without any kind of interview, both of which are skills.

I doubt these people are discounting their time or labor. They might be optimizing for the opportunities available to them. Willingness to do something illegal could reasonably be seen as an arbitrage opportunity—something seen in business all the time.


The case for crime is, in fact, pretty clear-cut you have a bright mind, an appetite for risk, and resist societal expectations about orderly conduct - i.e. it is another flavor of "startup founder".

You only need one big score where you get away clean and you're done, your criminal career is complete in one go and you can retire. Compare that to all the fuss of operating within society, the social signalling and bargaining and courting of gatekeepers - that's only worth it if you've been groomed for it in some way.

And computer crime is as clean as it comes, in terms of the kind of damage done. The ultimate purpose is simple - change some database rows! No bashing of heads or physical entry to property needed. With appropriate choice of targets, you pass the resulting crisis over to some figurehead executive who mumbles for a bailout from the government. Numbers are shifted around again after some delay and everyone is happy.

By contrast the SV startup dynamic is one of gaining overt power over others, not just getting a high score. The product and platform acts as a Trojan Horse for this subjugation, powered by a belief(oftentimes a sincere one) that this is a grand humanitarian project, which in turn inspires cult thinking. Then to even get in as a worker, you have to fit into the cultural mold. Your userbase is likewise fostered towards dependence and ushered to mega-scale, data-driven extraction, if not immediately, then later, after the company is acquired. It's all quite a long schlep if you just like working with technology to help people.


>You only need one big score where you get away clean and you're done

The laughable part is here. People bring their problems with them. The kind of person who would pull off a big score, such as a brilliant hack or a bank robbery, won't retire to the Oregon coast and drive at or below the speed limit for the rest of their lives. A lot of those traits are traits of antisocial personality disorder. People like that are magnets for trouble. They won't lie low and relax for the rest of their days.


It's a lie criminals are not professionals. It comes with a set of other rules, rituals and codes. The money is not a big score but an unlimited amount of cashflow. The antisocials are the ones blowing up a money printing machine just for the sake of their ego. Have you ever seen estimates of the grey economy? That world is running way more efficient than civilian life because of the stakes. Guys like Pablo get that famous because he had an antisocial personality and had to blow up an airplane while he was one of the most richest billionaires in the world.


Antisocial personality disorder is almost a prerequisite for career criminals. Disagreeable enough to commit crime and not feel bad about it, extroverted enough to enter or form a gang, and low enough in neuroticism to keep your cool under pressure. I'm not trying to paint all antisocial people as "bad". It's also a personality configuration that works well in certain military positions.


There's a famous bit of research done by the guy who wrote Freakonomics.

He tracked how much drug dealers were actually making and found that if they just got a job at McDonald's they'd have a higher income.


If I remember correctly, that was for low level weed dealers, not scamming financial systems. A successful identify theft of a middle or upper income family will reap a payout much greater than a fast food worker.


Dealing drugs can also offer a much higher degree of flexibility to conventional work


I can say, based on my own observations, that is absolutely nowhere near true. Many people selling drugs to their friend groups make profit in excess of $400 a day, tax free.

I can't speak for a larger group, of course. Perhaps the average is weighed down by more casual actors.


It's only tax free if you're stupid enough not to launder the money.


I don't think that an individual proprietor earning only 100k would have a motivation to do that. One can pay rent, buy vehicles, and purchase most everything else with cash. Why give 40% to the government? Social responsibility is great, but not if it's going to get you interdicted as a drug dealer.


You can do that, but at some point you might be asked to explain how you manage to rent a nice apartment and own a car without earning any income. Outright tax fraud isn't really any more of a sensible risk to take if you're a career criminal than it is if you work a regular job. After all, they got Capone for tax evasion.


It's more likely that they'll be caught up in enforcement of controlled substance trafficking laws, and those are the more severe charges the authorities tend to pursue.


Is it? It's quite difficult to prove that someone is involved in trafficking controlled substances, if they're careful. It's not difficult to show that someone is committing tax fraud if they have a big house and a car and zero declared income.


Most people involved in such activity have incriminating communications that are very easily used in court such as text messages. The bar for proving that various messages are evidence of illegal activity is surprisingly low. One individual not only has to be very careful, but also enforce the same level in everyone who communicates with them while providing customer service (e.g. making customers happy, feel good l, not offending them and so forth).

The issue of tax fraud is only an issue if they investigate you - someone in the tax department would have to find a reason to take notice. In the case of a narcotics trafficker it's more likely that activity would be observed by drug investigators than for the tax department would determine there's someone paying a mortgage or rent that isn't a significant income tax payer. That's not really how tax investigations work.


Freakonomics is an awful representation of economics. It's literally a collection of anecdotes and uncontrolled experiments.


When I was a teenager, I tried to work at McDonald's over one summer break.

They turned me down.


I think you overestimate the lucrative opportunities available to hard-working honest people especially in developing countries where a lot of these operations are based


Maybe. I don't have faith that the world is that meritocratic. I don't know many criminals, but I know people who are smart and competent, but who've fallen into careers with low pay and no room for advancement. Crime is something that doesn't require the resume or capital of legitimate options.


It’s very very easy in the modern world to end up in a situation where you’re not allowed to contribute positively and have very few options other than crime.


You mean with some kind of criminal record, or just a dead end career? Because the latter is your starting point, not your end point, when it comes to deciding whether it pays better to put subsequent effort into figuring out how to profit via crime versus finding better legitimate ways to make money.


Adjusted for location as well. I'm very skeptical that these Nigerians can find anything this lucrative within their own country.


> we in the US have probably a handful of people who understand

When I moved to the US from Canada and HR was helping me setup my health insurance on the first day, I was overwhelmed trying to understand it and said "Sorry, I don't really understand how health insurance works here."

The HR person responded:

"That's ok. Most Americans don't understand how it works either."


> Most Americans don't understand how it works either.

When I dislocated my jaw and went to an in-network ER for treatment (it popped back in as I was sitting on the bed), I wasn't surprised to get a call from a collections agency regarding bills I never received from an "out of network" shell corporation for "consulting physicians" (never even saw a doctor, only a nurse), but I definitely didn't see it coming.

Count me an average American, I guess.


My hospital now had a very easy to use portal for bills.

And I’ve still been sent to collections for a bill that wasn’t on that portal.


Sorry, can't decide if it was a scamming attempt or it was a legit request?


That’s just a matter of perspective :)


I think a lot of US immigrants are more well versed in the workings of the US government than native born citizens.

This is because they have a source of comparison, and it is on the test! (if they go for citizenship)

Although some US citizens get how well some things work in the US compared to other countries, they have blind spots for some things that don't.

I got sick in Mexico once and went to a doctor there. I paid in cash and it was something like $2. If I wanted, I could get my medicine in pill or hypodermic form.


I know there's some controversial history adjacent to this idea, but I think everyone (native born included) should pass the test before they can vote. I also think we should throw out the voting age and the felony condition and ONLY have a voting test.


Who gets to decide what’s on the test? Also, what languages would it be available in? Seems hopelessly fraught (and likely illegal).

https://slate.com/human-interest/2013/06/voting-rights-and-t...


I have a long answer to this which I can dredge up and copy paste. Here's the short version.

1/3 random questions from the immigration test as it exists today (so that no one can disenfranchise others by changing the test).

2/3 questions chosen by each candidate on the ballot. Questions must have an objectively correct answer and must be pertinent to the powers of the office itself.

The long version of this answer just adds defining objective, correct, and pertinent in a legally unambiguous way and sketches out scenarios like trick questions to show that the only reliable way to gain favor in this system is to actually be knowledgeable.


Oh gosh. Why do candidates have any business filtering voters?


Why do people who don't even know what the candidates said have any business voting?


There is already plenty enough built-in momentum to not properly educate the public - "if we fuck up they don't get to vote" is some next level shit.


Just curve the test so that 80% pass.


At face value, that means 20% of the people (in a "democracy") will be unable to vote.

Basically you are saying that some people will not have the ability to decide who will govern them.

I just think it would be gamed somehow, like the games played with gerrymandering.


Are you ok with children not voting? That right there is ~20% of the population.


I assume that it works more like a filter - does the voter know the promises and policies of each candidate in his region? Or is the voter voting blindly?

There was an idea going around that instead of voting for candidate, you would answer a questionnaire about policies, and would be matched with best fit candidate.

The questions itself would be compiled from candidates' policies, and candidate would assign the weights to each of the answers.


That will play into the hands of certain parties, as it will serve to eliminate certain demographics.


And not having a test plays in the hands of others that have a large pool of people who don't understand the system and what they're voting for.


The problem is that this system will gradually mean that people who get to vote entrench their privilege and keep out others who do not get to vote. Gradually, you'll have a permanent underclass of people who have never known voting. The effects of unequal schooling etc will be even worse than they are today and politicians will have no incentive to even consider people who can't vote.


I really should dredge out my old comment because I already address this concern. Curve the test so that 80% pass. In this way it is impossible to get a feedback loop that miniaturizes the electorate.


This is so True, as an immigrant - I have changed jobs and every orientation when talking about benefits does not break down the cost to the employee - resulting in "just sign here" so we can be done with everything mentality


That HR representative appears quite talented. Nobody knows how it works, or there would/could not be significant "administrative" changes daily as insurance companies (and really any businesses) find new ways to take more of your money without any risk or possible recourse. They do whatever they want.. at least that they believe they can get away with long enough to make a profit.


> when we in the US have probably a handful of people who understand the end-to-end line they do.

Is it a hard thing to understand or is it just something that doesn't get done?

I work for a municipal government (not in social assistance though). Very little is documented, not because it would be hard to do so, but because first everything from budget to approved software for documentation to time allocation to 5 different approvals would be required to do it. We are terrible at sharing information internally, so every thing would require meeting after meeting to chase down who knows what as well.

Actually documenting the system I work on would take 1-2 days. But we initiated an overarching documentation plan in November and it is still being worked on (if it has not died from neglect).


Many of the US systems were/are very trust based. Unfortunately trust based systems are too vulnerable to fraud these days.

It will take time to redevelop the systems and thinking to be more fraud resistant.

However, many in the US equate validation or verification as too intrusive, too discriminatory, or both.


> However i don’t know if states rights and separation of duties screws this up.

The history of the US shows that such things matter only when there is no bipartisan support.

See for example the Commerce Clause that explicitly grants the Congress the power to regulate interstate trade, yet it is used as a basis to justify intrastate regulations (e.g. drug prohibition).


> See for example the Commerce Clause that explicitly grants the Congress the power to regulate interstate trade, yet it is used as a basis to justify intrastate regulations (e.g. drug prohibition).

If anyone is curious, this is due to Wickard v. Filburn (https://en.wikipedia.org/wiki/Wickard_v._Filburn), a very unfortunate Supreme Court decision made in 1942. This decision was cited as precedent in Gonzales v. Raich (https://en.wikipedia.org/wiki/Gonzales_v._Raich)


This seems to e a general cultural thing where rules are seen as malleable. See how well the lockdown is (not) being adhered to.


> I am not surprised this is happening. The small offices in each state are responsible for 100s of millions of dollars and they awfully unequipped for it.

But trust us when we tell you that voter fraud isn't happening, that mail-in ballots offer no increased risks, and that non-citizens aren't voting.


[Citation Needed]

Not that it's either relevant or germane to a discussion regarding an organization using stolen identity to wire funds electronically.

Multiple states have been using mail-in ballots for literally decades. No widespread voter fraud has ever been reported.

Here's an anecdote for you: a few elections back, my signature didn't look quite right on the envelope of my ballot. Got a call from elections officials to verify that I had in fact filled out the ballot.

There's a lot more control involved in mail-in voting than there are in fraudulently filling-out an online form and receiving an electronic funds transfer.


> Not that it's either relevant or germane to a discussion regarding an organization using stolen identity to wire funds electronically.

It's absolutely relevant, particularly when the article discusses "mules" in the US (with US mailing addresses) being used in furtherance of the scheme on behalf of foreign individuals.

If it can be done to steal hundreds of millions of dollars by Nigerians using recipients' PII, it's difficult to imagine how it couldn't be done with mail-in ballots. If it isn't already, it's only a matter of time until it's worth doing to someone.


Every piece of mail must enter the system and be postmarked correctly. The US postal service certainly will not accept or deliver a piece of mail with a "Miami Beach, FL" postmark addressed to the "Sacramento Board of Elections" if it comes in with a batch of Par Avion mail off a plane from Nigeria.

You understand that the standard ML training data for OCR is from the US postal service, right? They've been routing mail electronically for decades.

The election system in the US is ridiculously decentralized, which makes it really hard to commit large-scale voter fraud at the ballot level.


people in business in the USA hire outsiders to do the dirty work, or afterwards such relationship leaks the details provided, to others who are just willing.. Why is USA federal IT work outsourced three times before it is done? What USA business owners, former owners, their accountants and others, are just in it for the money and tired of others winning while they work so hard and lose, etc.. SO .. there is some collusion across borders, most likely


What details?

> The investigator said in some states fraudsters need only to submit someone’s name, Social Security number and other basic information for their claims to be processed.

This is the problem, a complete lack of security. Why doesn't the US use an electronic signature supported by a digital certificate as we do in Europe?


Has there been a real profitable incentive to implement the technology? Then why spend the money for a risk that may not have an impact tends to be the mindset.


Well you have an incentive when you read stuff like this:

- Hackers from China are believed to have stolen the social security number for every US federal employee in a cyber-attack much larger than it first seemed (2015)

- For the first time ever, data breaches compromised more Social Security numbers (35 percent) than credit card numbers (30 percent). The Equifax breach was largely responsible for that. (2017)

- If a cyberthief has your name, address and SSN, he is not far from being able to steal your identity. (2018)


It seems strange to me to fight corruption and fraud by creatiung an even larger institution with more cash to manage.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: