Hello, I'm currently writing a novel in which the criminals commit the following crime: They infiltrate a large company (à la Google) and start to create havoc on thousands of accounts. This screws up completely the operations for that company and the stock will go down fast. Before putting this to execution, the crooks have setup a multitude of accounts, in which they have placed 30 mln. When they execute their mess up, they short the stock with a leverage of 80.(which would represent 10% of the market cap) The stock tanks 20% and the crooks cash in 480 mln. So far the theory. Now I realize that there might be some loopholes in this scenario. One remark that I got was, that the liquidity banks would never cash out that amount and that it would be shrunked back to approximately the money that was put at stake . I have some trading experience, but of course, I have never traded 30 mln in such an invented scenario. But I've never heard talking about this thing of liquidity banks shrinking back gains. Please feel free to shoot holes in this scenario.
To short 10% of the really big company will create investigation, true? In your novel you have to explain how the criminal can be secret to how they hack google.
Obviously you need to do more research... Which accounts - internal employee and systems (HR, Payroll, Engineering?), employee accounts on public-facing systems, or public accounts on public-facing systems - Gmail, Google+, Google Pay, Google Play, ??? Who is your audience? General public with little knowledge of technology? Clancy fans who love a good story with lots of facts? Or geeks who love a good story, preferably one where they don't have to turn off their brains and suspend disbelief for 4-10 hours??? How are you going to infiltrate? Easiest way to wreak havoc is from the inside out. Which means you need to get access as an employee, preferably in operations so that you can have access to critical systems. Breaking in from the outside is messy - good admins will turn off every unneeded, exploitable service. Plus, the architecture is likely designed as an onion. You have to penetrate layers and layers of systems to finally reach the databases. Plus, more than a few systems are honey pots - sacrificial lambs to trap the script kiddies. You won't notice you're in a virtual wormhole, but their operations folks will... to their amusement... All their systems are Linux-based. Look up Metasploit, buffer overflows, BIND, Sendmail, etc. Research the hoopla this year over the SSL bug and the bash bug to gain insight into Unix exploits.. A possible (believable) exploit arc utilizes an attached PDF or image that infiltrates the system when the file is opened. Or a fake Facebook or Twitter page with javascript exploits. Likely doesn't work on Linux, but most of your readers won't know that... Honestly, I think a better idea (or your 2nd book after you make all your mistakes on the first book) is to attack an investment bank, a fictional Goldman Sachs... Much easier believing someone willingly clicks on PDFs or images and get's their systems owned. Then applies MacArthur's island hopping strategy by owning systems one by one.... Afterwards, your criminals easily gain access to deal pipeline, and exploit, blackmail, or outright ruin the deals, and frame someone else for the dastardly deeds. Plus it's easier to believe you can wire funds all over the world from within an IB without anyone catching on. Not so with a Google-type company. And why are your criminals doing this? What's their motivation? Make money? (that'll be a short book) Stopping an evil corporate empire, like a Big Pharma company that wants to turn the entire population into addicts? Are your criminals the good guys or the bad guys? If their the bad guys, who are the good guys?
Thank you all for your feedback. Ok, let me try to fill in some blanks, without giving away the whole story. The basic idea was, to write a story about 'the perfect crime'. (if that exists). The target audience is the large public. So there will be no deep explanations about firewalls, encryption, tarding strategies and what have you. But.... the scenario should be 'plausible'. I don't want to turn this into a science fiction James Bond scenario, where the 'victim' sends a ransom of 50 tons of gold with a rocket to the moon, which gets intercepted by the crooks behind the moon . Think of something like oceans 11/12/13. It are scenarios that have some credibility. That people can identify with, because it plays in an environment that they know/understand (casinos). Ok. The story plays in the future. 20-30 years from now. That gives me some freedom about what is possible and not. (So there will be no tele-transportation and other science fiction gadgets). The main characters are the head of security systems of this large 400 billion communication company, and his right hand. Their motivation is , well, to make 'the perfect crime'. A sort of challenge because they are bored with their jobs. This solves already the problem: How do they get access to these systems? They define the perfect crime as : 1. No blood, no dead, no injuries. Which excludes all scenarios of robbing a bank/museum/vault where there possibly could be victims when things don't go as planned. 2. Get away with 500 mln. This should be enough for the rest of their lives, even if they have to split with 5-10 team members. 3. a viable exit strategy. Which means, they should end up with 500 mln that they can spend. Because what's the point of ending up with 500 mln into a legal bank account if you cannot withdraw it. And walking up to a bank asking to withdraw 500 mln using the truck at the front door is not really a plausible scenario. Some people talked about using bitcoins or encrypted currency. I'm not familiar enough with that, but my reasoning is: All electronic currency is traceable. I mean, at the end when you want to turn your bitcoins/futurecoins into hard cash, there will be a trace. 3. Of course, no traces. It should be impossible to trace back who did it. To answer a previous reply: You could imagine that all activities (opening accounts, trading, etc.etc.) will be done using 'perfect fake' identities. This is plausible. 4. and last but not least: Most big robberies in the past fell apart, because the people that participated started talking or got caught. So the scenario should be such that individual participants cannot blow up the job afterwards and expose the others. (I think I already have a solution for that). Notice that you cannot eliminate them, because that would be in contradiction with rule 1. To answer to the first post about options trading. For the average layman it is already difficult enough to understand that you can make money by selling stock that you don't own and which goes down (I would have to explain that in simple terms). So, getting into a technical explanation how options work would be even more complicated. About the last remark about hacking into an (imaginary) bank : What about the exit strategy? Imagine you could hack into a bank and start wiring money all over the place. Whatever you do , there will always be a trace on either the sending or receiving side. Of course, when you do all this under 'perfect fake identities', you can wire it around as long as you wish. But how do you turn it finally into cash that you can really spend anonymously? Keep up the good thinking
Think out the prerequisites needed to carry out the perfect crime: foreign citizenship in non-extraditable countries (eventual retirement home as well as travel-through points) bank accounts in various countries, with easy means to transfer the funds via phone (voice) or smart phone (electronic) fake ids/passports/credentials social engineering skills personality and lifestyle that does not allow for the formation of habits or predictable routines The head of security often means the head of physical security. They guys usually have zero access to systems (even on Leverage). I've read a little bit about the black markets, money laundering, and computer crime in the last year. I've deciphered 3 primary causes why ops fail and criminals get caught: (1) the talking/bragging you mentioned; (2) habits, habits, habits. patterns, patterns, patterns. Using the same systems/laptops, staying in the same location, using the same IPs, same wireless connection, etc, etc. over and over; and (3) planning an op that's a gusher instead of a dribble - that is going for a single big score and instead of a large number of innocuous $10K hits over a large number of targets. With this, I think the perfect crime is one that appears to be ordinary business to the naked eye. The one idea I thought about takes advantage of how businesses truly operate. Every manager has a budget, and spending limit. The all use the same software - SAP or Oracle to manage the financials. The idea is to offer consulting services to the Fortune 1000. Gain entry to the company by finding 1-2 managers high enough up the chain (via Linked In), learn their interests, create a relationship (the social engineering part) so they trust you to open a bad PDF that owns their system as soon as its clicked. Install keystroke software to obtain their SAP/Oracle credentials. Also sniff the system, and gain lists of other managers and their budget/spending limits. Then create consulting contracts and approved POs under their spending limits. Each contract is a unique company with a unique fake id with a unique bank account in different states. Make sure the contracts are spread out among different divisions, and they auto-renew. But limit it to 10 per company. Don't get hoggish and try to get a big score with a single company. The goal is relatively small scores (10 - 10K contracts) from a large number of big companies for a number of years. 100K per company * 100 multi-billion dollar companies = $10M/year recurring, untraceable income. The "unique contacts" would be the 10 marks in each company. Make it look like a conspiracy from the inside. Use their identities to hire the lawyers to create the shell companies and open the bank accounts. Never do anything yourself that requires your physical presence - outsource it. Have the funds wired to your bank accounts (no checks), then immediately shuffle the funds among different accounts before they land off-shore in a single account. Wash, rinse, repeat. From there, shuffle the funds among accounts in different countries so the trail goes cold. Then you can repatriate the money by starting a hedge fund with investments from foreign corporations you control. Then roll the dice and play the markets or find undervalued commercial real estate that can be improved and turned into a reliable income stream, and can be resold in 5-15 years for a sizable profit. A lot of work involved, but I don't think its unreasonable to believe that this scheme is already taking place in the Fortune 1000. And because nobody's heard of it is the reason why it's been successful.
An example of why the "perfect crime" is hard to execute: http://krebsonsecurity.com/2014/12/alleged-counterfeiter-willy-clock-arrested/ It only takes a couple of the "little" details to trip you up...
Who said that it would be easy ? And this makes that I can write a decent novel about it, instead of a 10-pager. It also shows what I already covered in a previous post: when you end up with some kind of goods like jewelry, diamonds, gold, fake currency, you still have to come up with a solid exit strategy to monetize it. Something that this guy apparently didn't think over. It also shows that you have to be very careful with internet and phone communications. But that isn't hard to circumvent in a 'plausible' way. Regularly change phones. Don't use internet from any of your usual locations (home, work), but rather in cybercafés (preferably abroad). As for your previous post, I agree with point 1 and point 2 . And I think I have covered these in my scenario. But I don't fully agree with point 3. Now if the scenario is : in one go , rip 10k out of 50.000 accounts, I would consider that as 'one operation'. However, if it is: taking 10k out of an account every day somewhere and repeating this for 50.000 days (that's 135 years) I don't think that's a good scenario for a 'perfect crime'. Or even cashing in 10mln in some way, and repeating every 3 months or so. Why? Because every time you execute it again, you still run some risk. So why take 50 times a risk if you can limit it to one? (even if the execution becomes more difficult). Also, you don't want to turn this into a lifetime occupation. You want to execute it once, and run with the money. When I was referring to "head of security" , I was referring to the guy that is responsible for all security systems, firewalls, passwords and what have you. That would make it plausible how they got into the victim's systems. For the SAP/Oracle scenario: That's way to complicated to follow for the average reader. But it may be a nice scenario if the book was targeted specifically to finance people and traders. I'm not too familiar with offshore banking and accounts. So maybe you can expand a bit on this? I mean, ok through some sort of gig, you end up with X in a legal bank account (let's assume a US trading account in my scenario). Ok, I could wire that into a bank offshore. But is that untraceable?? I would guess that the FBI/CIA or whoever is after you, could figure out that the money was wired to account Y in offshore country Z. And if that's the case, you still cannot touch it. If it is really anonymous, then there is no need to shuffle it around to other accounts. Is it? And it's a bit to simple to state "shuffle it around so the trace goes gold". As long as you're shuffling it around through 'legal' accounts, it's just a matter of time for the cops to figure out the trace. I agree: can me cumbersome but finally they will trace it back. I think I have a 'plausible' exit strategy for my novel, but I'm open for other ideas.