
The Entropy Podcast
Nibble Knowledge is delighted to bring you "The Entropy Podcast"—hosted by Francis Gorman.
The Entropy Podcast centers on cybersecurity, technology, and business, featuring conversations with accomplished professionals who share real-world knowledge and experience. Our goal is simple: to leave you better informed and inspired after every episode.
We chose the name “Entropy” because it symbolizes the constant flux and unpredictability in cybersecurity, technology, and business. By understanding the forces that drive change and “disorder,” we can create better strategies to adapt and thrive in an ever-evolving technology and geo political landscape.
You can also check out our YouTube Channel here: https://youtube.com/@nibbleknowledge-v7l?feature=shared
Disclaimer: The views and opinions expressed on all episodes of this podcast are solely those of the host and guests, based on personal experiences. They do not represent facts and are not intended to defame or harm any individual or business. Listeners are encouraged to form their own opinions.
The Entropy Podcast
The Dark Art of Money Laundering with Matthew Hedger
In this episode of the Entropy podcast, host Francis Gorman interviews Matthew Hedger, a veteran intelligence officer and financial operations specialist. Matthew shares his extensive background in covert operations, including his experience laundering money and working with organized crime. The conversation delves into the intricacies of social pattern recognition, the insider threats within financial institutions, and the evolving landscape of money laundering in the digital age. Matthew discusses the impact of AI on criminal activities and the importance of understanding human behavior in cybersecurity. He also offers advice for aspiring intelligence officers and highlights the need for vigilance in the face of emerging threats.
Takeaways
- Matthew Hedger has over 17 years of experience in intelligence operations.
- He laundered over a hundred million dollars while working undercover.
- Social pattern recognition is crucial for survival in dangerous environments.
- Insider threats are a significant vulnerability in financial institutions.
- COVID-19 has exacerbated human vulnerabilities in organizations.
- Criminals are increasingly using innovative methods for money laundering.
- Digital platforms like Roblox can be exploited for illicit activities.
- AI is transforming the landscape of criminal activity and intelligence gathering.
- The future of cryptography may lead to less privacy and security.
- Aspiring intelligence officers should seek knowledge and learn from experienced professionals.
Sound Bites
- "I laundered over a hundred million dollars cumulatively."
- "You can pocket millions of dollars and walk across borders."
- "We're natural BS detectors as people."
- "Criminals are nothing if not adaptive."
- "They know what they're talking about."
- "Roblox is a billion dollar economy a year."
- "AI has taken scams to the next level."
- "How do you trust anything that you can really keep private?"
- "Learn from those who have done extraordinary things."
Francis Gorman (00:01.505)
Hi everyone, welcome to the Entropy podcast. I'm your host, Francis Gorman. If you're enjoying our content, please take a moment to like and follow the show wherever you get your podcasts from. It really does help us out. Today's guest, Matthew Hedger, is a veteran intelligence officer and financials operations specialist with 17 years at the CIA and NSA. Twice recognized by the NSA director as Pacific Command Performer of the Year. He ran covert funding and procurement missions across Asia, the Middle East and Europe. Moving millions in feed and cryptocurrency through alternative remittance networks.
His undercover work inside Transnational Crime Group helped dismantle a narcotics, weapons and money laundering ring. A former US Navy cryptologist, he holds degrees in cryptography, cryptology and finance, teaches elite units, cover operations and AML. currently works as a partner with the Artemis advisor group and it's great to have you here with us today, Matthew.
Matthew (00:51.286)
It's a pleasure to be here with you. Thanks for having me.
Francis Gorman (00:54.199)
My pleasure, the pleasure is very much mine, Matthew. I've been like a kid at Christmas looking forward to this conversation with excitement. Maybe just to bring this to life, you might give the listeners a little bit of your background and how you ended up where you are today. Just to spice the story, you have a fascinating backstory. So I think it's important that everyone kind of understands where you're coming from before we get into the crooks of the conversation.
Matthew (01:21.442)
of the high notes there with the bio. But to break it down, I spent my first four years with the NSA. I was actually in the military as in the Navy at the time, and I was selected for a bill it a military bill it with the NSA. And so I spent my military time with them. And then I did 13 years as an operations officer with CIA after that. And during that time, I worked, most people work on commercial cover. That's or I'm sorry, with diplomatic cover.
And I worked on the commercial side. And during that time, I posed as a money launderer for those 13 years. And so I worked very closely inside organized crime transnationally, multiple groups, including a Mexican drug trafficking organization, referred to as a cartel by most people. And so I really got to see the inner workings of how criminals approach attacking the financial industry and banks and
As you mentioned, during that time, I laundered over a hundred million dollars cumulatively with those groups. And so I got intimately familiar with how that side of it works.
Francis Gorman (02:34.999)
million dollars. That is big ticket item and a lot of it you launder through Bitcoin at a time when Bitcoin wasn't really as well known or even respected by the financial institutes. Can you give me a little bit of flavor on the crypto side of how you used to bring the money through the different exchanges and banks and the financial system to get it out the far side clean?
Matthew (03:00.558)
Sure. And like you mentioned, it's changed so much when it was first brought up for us, you know, still in the hundreds of dollars a coin, not the hundreds, you know, a thousand plus that it is now. And a lot of it was done face to face. And it was was kind of a shady deal. When I first took over it, there were several people that the organization was buying cryptocurrency off of. And this was kind of like the traditional meet some guy in a hoodie in a park.
and buy Bitcoin off of them. Wasn't exactly how I saw my intelligence career going, know, meeting strange men in parks, but it was very rudimentary back then and almost nobody knew about it. And so it was very easy to slip past some of the financial detection networks globally, because even people in anti-money laundering or financial crime prevention.
you oblivious to how this system worked. And it provided a lot of benefits. It still does for people that move money illicitly. One of which is you can put it on a compartmented thumb drive, you know, in a cold storage wallet, and you can walk through an airport with this thumb drive, you know, holding millions and millions of dollars and not be detected.
And so as far as crossing borders, you know, physically in that way, it was extremely advantageous.
Francis Gorman (04:29.269)
Yeah, I suppose that is. Yeah, you've got your you've got your ledger and you know, it's basically USB drive. Nobody is nobody's taking that out to look at it unless something funny is flashing. the concept of being able to pocket literally millions of dollars and walk across borders, that is that's a fascinating perspective. I actually I actually have never I've never I've never thought of it in that way before that you could stick your your ledger in your pocket and walk your drug money from the US to Europe in essence or elsewhere.
Matthew (04:56.024)
Yeah.
Francis Gorman (04:58.549)
In terms of the landscape, you've often talked about being a shy kid and the importance of social pattern recognition to basically keep you alive under cover. Do want to talk a little bit about that and how can you train your day-to-day muscle memory to pick up on social patterns or cues that may be imperative in dangerous environments like you used to operate in?
Matthew (05:24.8)
Absolutely. You know, I think most people, when they think of somebody that did my job, they think of this extremely extroverted individual. And that's something that I have gained over time. But as, as you say, when I was young, I was extremely shy. I actually had to go to speech classes. I couldn't look anyone straight in the eye at first. I was very, extremely introverted and
What it forced me to do was to observe people around me and mimic their behavior, what we would call mirroring. I would see other kids that seemed like things were going well for them. And I'd say, that's how you're supposed to act. I'll I'll try to do the same. And what I found out later during my psychological evaluations for working in the intelligence field was that that was an extremely useful skill that I unintentionally developed that way.
And that it made me a suitable for working in cover. And so that was kind of taken and layers of training were put on top of that, suit what we would call suitability. And I learned how to do it on purpose. And, you know, the, think the biggest thing that you learn in intelligence training in this vein is how to use rapport and how to build rapport with someone. that's the.
That's the king in the room. Even if you're in a dangerous situation, you you don't want to end up having to fist fight your way through every meeting that you're in. so trying to build those rapport bridges with people so they don't want to hurt you in the criminal world is very important. And what I found for me is I really had to do very little of getting in fights and things like that because the
important criminals wanted to protect me because I was friends with them. And that rapport was extremely valuable in that way.
Francis Gorman (07:28.785)
ask if they still want to protect you.
Matthew (07:30.542)
Probably not. You know, it's funny that you mentioned that though. Some of those relationships do last. You know, I was not sent to infiltrate organized crime like a law enforcement officer would that worked undercover. I wasn't there to prosecute cases or get anybody thrown in prison. And I made some extremely close connections with some of those people. I watched their children when they were away sometimes.
Francis Gorman (07:33.879)
you
Matthew (08:00.994)
you do end up getting very close to people when you have that type of work.
Francis Gorman (08:06.519)
think that's a whole different podcast, We may have to get into it some point to explore the intricacies of how that works. When you talk about social patterns, you've talked before about the sharp line between authentic and unintentional. What sort of cues tape you off as someone shows all the tendency is kind of a calculated con versus, you know.
Matthew (08:09.41)
Thank
Francis Gorman (08:29.879)
It's intentional, be it a CEO or a criminal. there cues that we give out as individuals in positions of power, either in corporate or the criminal world that would allow you to pick on someone being actually authentic to the person that stands in front you or if it's all an elaborate.
Matthew (08:48.59)
Sure. you know, I think a lot of people don't realize how attuned their subconscious is to detecting nefarious behavior. We're much better at it than we think. We're natural BS detectors as people. It's just really, you know, leaning into that. But there are, you know, consistent things that people who are trying to be nefarious or take advantage of you do in social situations. Some of those things are, you know, implying
a guilt on somebody else or implying a sense of what we call a transactional relationship, right? Every time they do something for you in the conversation, they expect for you to, you know, return that to them. People that are trying to manipulate you or con you in conversations always want to go fast, right? They want the brain to not be able to process.
quickly, right? The faster our brains work, the less we're able to actually process and judge. And so you see what we call an implied sense of urgency come up all the time, you know, don't take time and think about what we're talking about. There's a reason that this you have to decide to go my way quickly is a pretty common one. But, you know, people that are also trying to to manipulate our con, they're terrible listeners, usually.
And, they're always circling back around to their point of the conversation, even unnaturally, instead of allowing the person they're communicating with to have their own motivations in their side of the conversation. So that's something I always look for when I'm talking to people is if the conversation is naturally, you know, deviating off and they just keep circling back to that consistent motivation of theirs, that's a pretty good signal.
Francis Gorman (10:42.359)
Okay, it's one to watch out for then. That's a good pointer. When I was doing a level of research on the money laundering aspects and layering within the financial system, I came across the indictments of Chinese money brokers who have moved tens of millions of Sinaloa cash through the US banks with insider help. And that surprised me to a extent because these are robust financial institutions with regulatory oversight and governance, et cetera.
Matthew (11:02.947)
Mm-hmm.
Francis Gorman (11:12.471)
Is there a blind spot in regulation or in governance that allows this to happen? That's a significant amount of money to flow through an institution that's well established in those areas.
Matthew (11:26.254)
There are, but I think that the biggest flaw is that financial institutions aren't looking at their people well enough, you know, what we would refer to as an insider threat. And so the case that you're mentioning that just came out, I think it was a week and a half ago, they exposed one launderer had moved, I think it was $75 million through for large financial institutions themselves. You know, earlier this year we had the TD Bank
instance as well. And that was almost $750 million over several years for them. And it always comes down to the banks have these flags, right? Let's say the $10,000 in cash limit where you're supposed to write that up. There is a compliance issue because there are so many reports of that. think last year there were 20 million cash deposits over $10,000 just in the U.S.
And so that's a lot of reports to shuffle through. But also, as you mentioned, every single one of these instances has someone inside the bank that's complicit in helping it happen. With the TD Bank one, one of the launderers, the Smurf, was bringing in a million dollars a day in cash. And that's hard to hide. It's quite bulky, a million dollars in cash. And they've even discovered some of the tellers
were direct messaging each other. Hey, is there something up with this? Is this money laundering? It kind of looks like that. And they're just saying, haha, yeah, it is. So it was super well known. And I think one of these instances, the banker who was helping to open up a bunch of accounts for them and helping to facilitate this, they got $57,000 in gift cards over several years.
payment for being complicit. And so if you're moving hundreds of millions of dollars and the person helping you only needed to get 57 grand and, you know, free trips to Starbucks, that tells you a lot about how easy it is to penetrate into a system like that.
Francis Gorman (13:40.023)
Sounds like he sold himself a bit shorter.
Matthew (13:41.902)
At least aim higher, right? Be bad better.
Francis Gorman (13:44.887)
If you're going to jail for a long time, yeah, be bad better. Brilliant. In terms of the insider threat, it seems to be something that's coming up over and over again. I'm seeing it across the industry, but also in these conversations that I'm having on a weekly basis with experts in different areas. The insider threat, the human threat aspect is coming more and more to the forefront. We're even seeing it in Ireland.
because of our technology footprint with a lot of the large American companies, we're seeing the Google Trade and Digital support came out to pinpoint North Korean actors as placement in strategic firms across Ireland and Europe to get an advantage to understand, don't know, patent information, you know, how do mechanics work in these companies, et cetera. Why do you think...
Matthew (14:35.8)
Mm-hmm.
Francis Gorman (14:39.223)
there seems to be a shift back to the human element. And I know there always was the human, it was the most vulnerable aspect of it, but the zero day attacks and all seem to have whittled down and the human or the human focus or the intentional malicious intent appears to have increased. And I'm wondering, is there a correlation between COVID remote working and that distance from the human to human contact on a daily basis? What's your perspective on?
what I want to see is as an exponential growth area in fraud and in risk to an organization at the moment in terms of the human element.
Matthew (15:15.85)
I do think that that COVID helped exacerbate this problem. I also think that the leaps and bounds that have been made on the cyber side, you know, we've, we've really in the past turned our attention to, know, how can AI help defeat, let's say money laundering, for example, you know, this is going to catch everything or let's make these very robust machine learning programs or cyber defenses to catch this type of activity. And
The short-sightedness of it is that there always has to be a person that's involved in monitoring this as well. And you can make all of the defenses in the world on a cyber side. If the compliance officer, the person that's running your anti-money laundering program, just says, ignore this because they're working with the criminals, then it really becomes useless quickly. And so I think it's cheaper.
to compromise a person than a system today. I think it's easier to achieve. think it's looked at, I know it's looked at far less. the human vulnerability is just something that at this point in time, companies understand far less than a cyber vulnerability or a physical security vulnerability. so criminals are nothing if not adaptive and they're
very aware that right now this is the soft underbelly of financial institutions specifically, and almost all businesses now, that not only are people the weakest link, they're being guarded the worst or the least. And I think we've also seen a bit of a rise in how badly people are treated at their jobs. And I think COVID helped exacerbate this, that people are very disgruntled.
And when somebody, you know, with my background is going in and trying to recruit people to, you know, give up information that they shouldn't, we're not looking for people that are super happy and content every day and are just loving their jobs and loving life. We're looking for people that are discontent, who have a boss that's treating them terribly or a system that's not working for them. You know, one, one example of the system would be
Matthew (17:40.622)
when there are sales metrics inside banks. So let's say a teller or a branch manager has the metrics of you need to sell so many accounts, you need to open up so many accounts a month or you're not gonna get your bonus. Well, if somebody that's a launderer is coming in and speaking to them, well, our interests are already aligned. That person wants me to be able to open up an account because it's good for them. And so...
We're already on the same side here and their subconscious approach to trying to find a problem with me is gonna go down because the best thing to happen for them is for them to not find a problem with me. And so I think that plays into it also.
Francis Gorman (18:24.631)
So we're almost aligning your business driven outcomes with the criminal intent. It's almost like a perfect pairing of sorts. If the bad guy can open an account, you get a tick in terms of closing of your customer, which equates to more money in your pocket and therefore you're already disgruntled. It's pushing the bar down. That's a really interesting perspective. So if you were to come in and help...
company, financial institution, government, et cetera, building an insider tread program, is there certain pillars or approaches that you'd to put in place across the spectrum to help identify weak points of human risk? Or how would you go against an approach there to help a business bolster the human element of risk management?
Matthew (19:16.408)
Sure. So there are several key pillars to it. And the first is to come in and look at the people and see, you know, are they disgruntled? How is morale across the company? Where do people already voice the weak spots? Right. A lot of times what we'll find when we go in is the employees know where the problems are. They know where the back door is being left open and they're just not being heard, you know, by the leadership.
And so I think the first step is to canvas the employees and say, you know, where do you guys think the problems are? And then also to gauge a sense of if we were going to come at the institution ourselves, you know, where's the weak, where's the weak point? And a lot of times what we'll find is if we map out, okay, if we were the adversary and we're going to, you know, red team this, we would try to go in these five.
avenues. A lot of times if the institution takes a look, they already have a problem there because we weren't the first people to think of it and there's already criminal activity in those places. So I think mapping that out is the first step. And then training and awareness for what to even look for. And that's not just the training of, if somebody brings in, you know, $9,000 in cash a day, that's probably a problem. They do have that type of training.
But I think training more akin to how to recognize issues with their colleagues, how to recognize when somebody might be a problem or approaching, you know, being a vulnerable weak link for them and getting people to pay more attention to the things that the criminals do and to think the way that a criminal would think changes quite a bit.
Francis Gorman (21:12.439)
It's not an interesting perspective yet. The communications and training is there but it's at the wrong level. It's pitched at the wrong area. So, you know, that's very insightful. There's one piece that I was laughing about when I was going through some of your content and you compare modern launderers to the Steve Jobs of what they do, you know, in terms of their ability to innovate, you know, deep fakes around know your customer, et cetera.
Matthew (21:22.606)
Yeah.
Matthew (21:34.54)
Yeah.
Matthew (21:42.381)
Mm-hmm.
Francis Gorman (21:42.463)
Can you talk to me a little bit about the unbelievably clever ways criminals have come up with to bypass certain controls or systems not to be detected or to layer in money into the financial system?
Matthew (21:55.342)
Sure. There are just so many innovative ways. And I think the first step is for people to understand that these are intelligent human beings. They're not just these Neanderthal criminals that you see in movies a lot. When I was working that scene, I met criminal money launderers who had PhDs in economics, people that used to teach at Ivy League institutions before that were tax lawyers.
They know what they're talking about. And the creativity just blew me away, the things that they would come up with. Now we do see the synthetic passports and open up things at scale. But some of the things that you and I have talked about before, like Roblox being a mechanism to launder money, just these crazy off the wall how to use
vouchers for going green in a company to move the money. Online gambling is a huge one. That's a local favorite for a lot of the people that I worked against. Because you go to an online gambling parlor, you can play poker with somebody on the other side of the world, and it's not illegal for me to lose large sums of money to them in a hand.
And I can be sitting there with my phone and an encrypted message telling them, okay, I'm bluffing right now, you know, take my money. And you've transferred quite a bit in some of these rooms very quickly. And it's, very hard to see. they're, they're very clever. And now, like I mentioned with, you know, things like Roblox and these children's games that they're, getting into, not only are they innovative,
But there's really no moral line either is something to remember. There's nothing that they won't be a part of. I've even seen criminals launder money through fake rehab centers where they're recruiting people that are coming in trying to get help with using narcotics and to becoming cash meals for them. The whole thing is a hoax. So there's no moral line for them either.
Francis Gorman (24:13.719)
That's dark, yeah. I do want to jump into Roblox piece a little bit because anything that involves children, there's a sinister element to it, but it's far deeper than just money laundering. Can you talk a little bit about Roblox and what you're seeing even in terms of maybe grooming the next generation into a certain mindset, et cetera? Because I think a lot of parents are almost oblivious to the dangers of digital reams in terms of your children interacting.
with an environment and it may almost seem harmless but it's not in this context. There's a dark side.
Matthew (24:50.506)
There's a very dark side. so roadblocks represents something that we would refer to as, you you can kill five birds with one stone for them. So they're able to launder money in it. They're able to recruit new members to their organization in it. They're able to covertly communicate in it. And the size of it, you know, allows for this forest, you know, to hide your tree in.
very well. So if we just look at the money side of Roblox, Roblox is a billion dollar economy a year. It's not, you know, just a couple little, you know, dollars moving here and there. There's there's enough money to hide large scale transactions in. The way that the communication is done through it, it's very it's not like monitoring a cell phone for a government to do that. Right. And so depending on what jurisdiction you're in,
collecting that information can be illegal by a government sometimes, right? Or how do you handle getting a warrant for the communications for something that involves children a lot, right? With privacy concerns, or legitimate privacy concerns about governments monitoring everything that's said and something like that. And so they're essentially hiding behind the child in that way saying, we think it's gonna be hard for your government.
to get you access to listen to everything that's going on here. So that provides some shade as well. But one of the most interesting things from a money laundering side about it is these items that can be bought and sold for Robux. And not to go too deep into the academic side of money laundering, but one of the reasons that art has historically been so valuable in money laundering is that the value is subjective.
Right. And so the first thing you learn when you're going to criminal school to be a money launderer is that money laundering is not about moving money. It's about transferring value. And so that doesn't have to be in the form of money. And so if I think a painting is worth 50 million dollars and I want to spend that much on it, you know, that's that's okay. And so in Roblox, the correlation here is you see things like these swords that are selling for up to one hundred thousand dollars for a digital
Matthew (27:16.076)
you know, asset like this, there's probably something fishy going on when a price gets that high. And so it's almost like laundering NFTs, you know, in the cryptocurrency sense. The value is subjective, and so you can create things for almost free. You can gamble in it, in what they call flips, right? And it's very hard to determine the transfer of the money.
And one layer that they'll add to it is they'll recruit these children to be a part of it. Sometimes through scams where some of these younger recruits are making $10,000 a week, scamming other kids out of Robux, but also as mules. So if I, you know, trying to get the money from me to you, I recruit one of these children in the middle to be a courier for it in this digital world so that it's extremely hard to trace.
back. And so it does involve this very nefarious side of having to recruit and groom these children to be complicit with it. And it often goes with a hack that's done on the actual house that the child is in. And they're collecting all this information ahead of time about what the child is into based on what they've ordered off of Amazon, for instance, what
you know, toys they like, and they will, much like an intelligence officer does, start these conversations with things that are going to be bonding. I just happen to like this type of toy too, or I happen to be in all the same things that you are to open these conversations. So it's pretty sinister.
Francis Gorman (29:01.975)
So you're a proud parent thinking little Johnny's a genius who's making 10k a week and he's actually laundering money for God knows who. That is.
Matthew (29:08.59)
Right. Right. And, you know, these ages of the children that they've seen involved in this, you know, 10, 11, 12 years old sometimes.
Francis Gorman (29:19.543)
That's terrifying. Is there any advice you can give to parents that are other than eyes wide open?
Matthew (29:27.682)
Yeah. So, so one thing you can do is you can search through the communication history of these, of these things for your children to look for the types of language that is indicative of this. Also, you know, being paying attention to the money that's being transacted through these accounts, you know, there's more secure ways than hooking up your personal credit card to your kid's account to, to do this. You know, you can, offset that with using a gift card that doesn't connect to your personal.
credit card. But I think just being more involved and actually talking to children about, you know, who were they interacting with? What are they doing? Some of the language that the criminals use is, you know, being sent on missions. They'll try to recruit the children that way and say, you know, we're going to send you on a mission. But I think it's it's people paying attention because again, you know, like like I mentioned earlier,
the they're going for the slowest gazelle in the herd and children that are, you know, have great relationships with their parents that communicate with them, you know, about things a lot. That's not, that's not how you're looking for. You're looking for a child that is being ignored. You're looking for a child that has bad communication, you know, to hide this in. And so I think the answer for, you know, parenting is the same as the answer I mentioned for the
you people in the banks. It's to care more about your people and make sure that they don't have problems that somebody else is going to exploit because you ignored them.
Francis Gorman (31:04.407)
It all goes back to a human weakness or a need for something more. Attention, recognition. These are all human traits that we all carry with us. So, that's really important.
Matthew (31:16.705)
Absolutely.
Yeah, and if people aren't getting those needs fulfilled through the healthy, correct channels, it is natural to be open to them being fulfilled through, you know, less healthy channels. And somebody will step in and try to exploit that. That's just the nature of the world.
Francis Gorman (31:38.295)
I've seen a lot more of it, a number of conversations I've had. A lady called Katie Colgan who used to work in cyber, now she's a stay at home mom, but she's picked up the mantle to bring more awareness to parents around some of these activities that their kids are taking part in. And she even called out the child friendly devices and the sinister side to the monitoring aspects. So you've given your child this device.
so that you can make them safe but you've given the accountability and oversight to some third party that you're blind to in terms of the transparency of their mechanisms and who's watching that stream and who decides what you need to know. yeah, there's lots of things in the digital world that make you almost uncomfortable when it comes to children as we try to enable them to be.
part of the crowd with some of these technologies were also creating a risk. that conversation and I suppose that intuition to know what's wrong is really key. And so again, you know, super, super insights there. I'm actually, I like to term the slowest gazelle. I'm going to steal that for a conversation down the road. It's a nice analogy. I think at the moment, we can't leave without talking about artificial intelligence.
Matthew (32:39.938)
Absolutely.
Matthew (32:47.918)
You
Francis Gorman (32:56.949)
the role it's playing in the modern world. I agentic AI is the newest term with a generative AI, large-sanguage models, machine learning. All of these different terms have been thrown around. But when it comes to intelligence gathering or criminal activity, it's becoming far more prominent. And I was having a conversation during the week where the term text as a new malware came up. And what the premise of that was is you could send an email to someone now.
Matthew (33:21.806)
Mmm.
Francis Gorman (33:27.031)
with the subject matter and the content in the middle. But in the white space, you could write white text that's, know, directive instructions for an LLM to pick up on, to execute something like, you know, if the user mentions the following phrase or the following name, pop up in their endpoint AI that their account has been compromised and direct them to the following site as an example, you know, where you can pawn their password. So it's, it's, it's becoming extremely...
Matthew (33:51.393)
yeah.
Francis Gorman (33:56.181)
concerning for security teams. How do you, how do you, how do you prevent texts? know, and you know, it's, it's, you probably have a hundred other examples of where AI is being used in creative and adventurous ways to, you know, get a criminal foothold or gain intelligence.
Matthew (34:13.23)
So many ways, I think it's really changed the landscape. know, one example I always give people is the development of what we would have called the intelligence world targeting packages. Right. So if back when I was working before AI came along, if I was going to end up, you know, trying to do what we call the bump or a serendipitous, perceived serendipitous encounter, I'm going to.
Walk up to somebody and start a conversation with them. And the goal is that they think, this just randomly happened and we develop a relationship and you know, they're open to be manipulated at that point. but this took tons of research, you know, to prep for, and there were psychologists involved and you you would listen to.
say it was a terrorist or something like that, they would spend months listening to their cell phones, reading their emails, trying to get to know them so that we could build this approach very bespoke and tailored to that individual. And it took a lot of time. Now, because of AI, this can happen in seconds. Criminals now can come up with exactly what you're into, what your psychological triggers are, just based off of your internet history that
can be gathered very quickly. And so, you know, there's a psychological concept to building ease with somebody, which we refer to as the elevator concept, which so if we're staying in the same hotel and you're about to go up to your room and somebody gets on the elevator and you've already pressed the button, say floor nine, and they say, I'm on the same floor. That's a little suspicious.
But if they were standing on the elevator before you with floor nine pressed and you were the one who said, I'm on the same floor, then you're much less suspicious in that, that instance, because it seemed like they were there first and it's not nefarious. And what AI allows you to do is collect enough information to, you know, make bigger versions of that with people. one trick that we would use is if we knew somebody's favorite book and they would hang out in a certain pub,
Matthew (36:27.82)
all the time. I would be there ahead of them and I would be reading that book before they came in. And so they're very likely to open up a conversation with you and say, my gosh, that's a very obscure book. I didn't know anybody else knew it. It's my favorite and you can, you can talk to them in that nefarious way. And so what AI has done is just put that on steroids. And the days of the Nigerian Prince email that goes out to everybody exactly the same are dead.
because AI can help you target those text messages or those emails specifically tailored to what someone is very likely to engage with now based on their personal psychological profile. And so it's really taken scams and approaches like that to the next level.
Francis Gorman (37:17.483)
Yeah, I think we're only in Stippady Iceberg here. There's going to be so many more instances or creative use cases. what I'm actually realizing is even your nutritional pain test or red teams, et cetera, don't necessarily picked up on prompt injections, that sort of thing, because it's subjective to a mindset more so than approach. can just ask something in a certain way.
that bypasses the system information or the controls that have been set around the guard with us and parameters. And all of a sudden you're getting that information. Like I think the creative one that my grandmother used to read me stories about Microsoft product codes or activation codes, and she's no longer with us. Can you?
Matthew (38:03.262)
Yeah, right.
Francis Gorman (38:07.467)
Can you make me feel better and read me on some of these? And all of sudden you've got all of these product codes and bang, you've got your next version of Office activated. But yeah, I think it's a very interesting time we live in. As new evolutions in technology like post-quantum start to appear, I think we're gonna see some really interesting aspects. You have a background in cryptography. I have to get your take on quantum.
Matthew (38:13.036)
Right.
Francis Gorman (38:34.101)
evolution of it you have one I think it'll be really interesting to see inside.
Matthew (38:38.52)
So my background is purely academic and I remember about 2 % of it. So you'll have to forgive me, I actually have a colleague who is one of the foremost people in quantum here in the United States. And I think for me in my life and what had been most important is going to be the ability to break through encrypted messaging from the past.
And once we hit a point where we can say, here's all these things that we haven't decoded or decrypted, and we can learn all of it simultaneously, whoever is there first will have a massive global advantage as far as information. And I think what it's doing is it's pushing us towards a time where there is going to be very little privacy.
once, you know, it's going to start at a government level, but it will, it will come out into the corporate world eventually. And it'll be very difficult from a cryptographic standpoint to create anything that you can really trust is completely private because, you know, as cryptography has gone since the beginning of time, it's always, you know, something that's unbreakable is made and then it gets broken. And then, you know, like with Enigma and things like that, and that'll happen.
I think just very rapidly back and forth. so, you how do you, if you're a company that creates something like this for security, how do you really say, you could trust this with your deepest, darkest secrets. It'll never get out when that's probably not the case coming very quickly. So I think that that's going to be a challenge with it.
Francis Gorman (40:28.887)
Brave New World, it's potentially, I find it from a technologist perspective, extremely exciting, and from a personal perspective, extremely terrifying. There's no in-between. I know we're nearly up on time, but I'd like to ask if there's anything we'll list in here that would, you know.
Matthew (40:39.589)
Right, that's the attitude.
Francis Gorman (40:51.319)
like to get into the intelligence agencies or explore this type of background? Have you got any pragmatic steps in terms of reading material or how you can start to train yourself to be resistant under pressure and to start reading human behaviors? I think there's a career path open up for human intelligence that is there already but not necessarily grown to the extent it could.
If you have any pointers or tips for someone who's listening to this and they're being drawn into the conversation, it'd be great to hear them.
Matthew (41:23.714)
Yeah, I think that, you know, we can even tie in some of the technology that you just mentioned into how the intelligence field is changing. You know, as I mentioned in the past, intelligence officers that are on the operational side have been heavily diplomatic cover officers. They've worked in, you know, some embassy somewhere as the third secretary of economic affairs, but they, you know, have a have a night job.
kind of thing, but you know, with technology and biometrics and some of the things we've been discussing, think living in cover is becoming much more difficult than it used to be for those reasons and reasons that maybe we can't get into. But what it's going to do is change the landscape of the type of people that are used for intelligence work. And what it's going to take are people that are not just interested in just being a spy.
they grow up, but have a specific interest in traveling for the sake of it, who would be in businesses otherwise that would put them in interesting places because they're genuinely interested in that type of business. But the first thing I always tell people is the reading side. Before I joined, I think I read every book I could find in a library about the intelligence field.
It's something that does come up, I think, in every interview for every intelligence agency in the world. They're going to ask, you know, what have you learned on your own? Because if you think about the primary job of an intelligence officer is to collect information. And if you say, all I want to do with my life is be an intelligence officer when I grow up and you haven't taken advantage of all the free information that there is to collect out there about your future life.
You're probably not suitable for this type of work. and there's a lot of books. maybe I can, I can email some lists over for your listeners afterwards. They were written by, you know, 30 year case officers who have really done extraordinary things. So I'd say the first step is to, learn from them. a lot of the.
Matthew (43:37.342)
stories that are given in it. You know, they're not just applicable. Those operations didn't just happen one time. We see the same types of things come up over and over in intelligence work. And there have been multiple times where I was faced with a problem working and remembered, well, this is very similar to something I read in a book 15 years ago by somebody like Jim Lawler or something like that. And so really learning their mindset.
and how they think about things can be gathered from those books pretty easily.
Francis Gorman (44:10.391)
Jim on last week and he was fascinating to talk to, you know. Jim is great, he's got some real intuitive perspectives on the world and how it fits together. It was a really good conversation. That's a plonk, if anyone hasn't listened to the episode, was the last one recorded, you can go check it out. But it was a really good conversation.
Matthew (44:14.069)
you? Yeah.
Matthew (44:32.266)
Yeah, he's always fascinating. And what a gentleman. also, you know, he's such a hero in our world. He's somebody that I looked up to for a long time. And now I'm, you know, very, have the pleasure of being his friend. It's really come full circle, but yeah, what an amazing guy.
Francis Gorman (44:51.991)
50 years married which says it all you know if you can if you can have that level of stress and still be married 50 years later you're doing something right. Matthew it's been it's been an absolute pleasure to talk to you I really enjoyed the conversation and I think it's again it's been super insightful so thanks for taking time out to share your experiences and tips and tricks with us.
Matthew (44:54.602)
It does.
Matthew (45:14.99)
It's my pleasure. really enjoyed this and thanks for having me on. I appreciate it.
Francis Gorman (45:21.111)
Great to have you. Thanks about you.