$8 Million Fraud for Ghost Services

We’ve previously seen ghost cattle and real horses. We’ve seen fraud at the top. We’ve seen fraudulent coders and controllers. We’ve seen fraud in the middle of organizations. So far though, much of it has come through various accounting departments and personnel. For this post, let’s look at IT fraud.

James Gladden started in IT at the Alberta Motor Association in 2008. Think of this as Alberta’s version of AAA. By 2013, James had been promoted to VP of IT. Over three and half years, from early 2013 to mid-2016, James managed to steal about Can$8 million by submitting fraudulent invoices.

As VP of IT, Gladden had approval authority for IT-related invoices. He pled guilty to fabricating or falsifying 55 invoices. Gladden used a couple of methods for his scheme. He submitted genuine invoices for work done for the benefit of his personal company, Sprockit Apps Inc. In other cases, Gladden fabricated invoices. One example was a $500k invoice paid to a company called Datavox. The payment was allegedly for phone hardware. In fact, Datavox did no work for AMA.

None of the articles I could find explained why he did it, beyond simple greed. But we do know he bought a lot of stuff. Those purchases included luxury watches, two Porsches, a BMW, a Maserati, a 2014 Yamaha boat, a home in southwest Edmonton, and a $500k home in Scottsdale, Ariz.

We also know how he was caught. Gladden was allowed to spend some time working from home in August 2015 because of a leg injury. He was slow to recover and he remained out of the office for months, regularly failing to show up for meetings. In 2016 he was asked to go on disability and refused. He was later forced onto disability and his replacement found the fraudulent invoices. This is similar to what we saw with the Queen of Horses where an extended vacation surfaced her fraud.

AMA has said that they’ve improved their controls after this. Certainly, better capital budgeting controls would have helped. Improved vendor and invoice management would have helped prevent this as well. An audit should have surfaced a false invoice like the Datavox one. Finally, we come back to a fraudster again visibly living beyond their means.

If You Stole $4.8 Million, How Much Would You Spend Playing Game of War?

If you stole $4.8 million, how much would you spend playing the freemium mobile phone game, Game of War? For Kevin Lee Co, that answer was $1 million.

From 2008 to 2015, Kevin was the controller for Holt, the northern California dealer for Caterpillar heavy equipment. Kevin managed the accounting department and oversaw the company’s commercial credit accounts. Co abused that authority to conduct hundreds of unauthorized credit card transactions on the company’s account, to manipulate and falsify records regarding the credit account, and to mislead the bank that held the credit account when it made inquiries to Co about suspicious transactions.

This fraud has always been short on details. The focus is always on how the money was spent. For this post, I managed to dig up the plea bargain with more detail.

In short, this was pretty common corporate card fraud on a grand scale. Kevin was responsible for managing Holt’s purchasing card (p-card) program. He would issue cards, review statements, approve invoices, and was also a cardholder. Kevin hid his transactions by coding them inappropriately throughout the ledger.

Holt’s bank, Bank of the West, identified suspicious activity on at least three occasions. Each time the bank called Kevin Co and was reassured that the charges were appropriate.

Like our last fraud, Kevin’s got more sophisticated over time. At first, he simply bought personal items on his p-card and hid the expense. Over time he enlisted a co-conspirator, identified as co-conspirator A, a luxury auto dealer, to use his p-card and the p-cards of two former employees to purchase luxury cars and to buy equipment for the co-conspirator.

A second co-conspirator, who was not an employee, was also given a p-card and permitted to spend almost $50k. I’m speculating here, but it wouldn’t surprise me if this was a card for a love interest. Given the modest amount versus the total, it seems like it could be a “get yourself something nice” arrangement.

Finally, Kevin Lee Co engaged in money laundering. Co-conspirator A would charge the card and then write checks back to Kevin for about half of the money.

This story got wild when it was revealed what the money was spent on. The list includes luxury cars, season tickets to the Sacramento Kings and San Francisco 49ers, plastic surgery, and a golf membership at an exclusive club.

And then there is Game of War. A mobile phone-based, free-to-play game with in-game purchase options. Co reportedly spent $1 million dollars on those in-game options in the Kate Upton-promoted game.

Company credit card fraud is depressingly common. P-cards typically have additional controls and in this case, it appears they were triggered at least 3 times, but when the fraudster is in charge, those controls can only do so much.

I’ve personally seen 3 cases of corporate card fraud after the fact. In each case, it was depressingly similar, a controller who coded the cards and entered transactions into the accounting system. The problem with this type of fraud is that it can run for years. A $200k corporate card fraud is a small one. Getting to a million or two is very doable. Still, almost $5 million over 7 years is a long fraud.

Obviously, segregation of duties would have addressed this, as would an independent reconciliation of card charges, along with better p-card limits and purchase limitations. I also want to make the case that CEO, CFO, and controller jobs are NOT transactional jobs. No one hires a controller for their ability to key payables transactions. They can advise on transactions, help ensure that coding is correct, etc., but not key transactions. They definitely shouldn’t key transactions regularly.

But it didn’t stop there. While out on bail and awaiting sentencing, Co started a company selling generators, solar panels, and windows. During the pandemic, he fraudulently applied for and received Paycheck Protection Program loans from two banks totaling more than $500k. Co was required to disclose on the applications that he had pled guilty to wire fraud and money laundering but conveniently left that out. Co was sentenced to 10 years for the initial fraud. Committing a second fraud while on bail will not help him.

Evolution of a Payment Fraud

This one is a little older but it’s one of my favorites because we have so much detail and we have it in the fraudster’s voice. I’ve actually covered it before, but it’s worth another look. The core source here is Journal of Accountancy’s Lessons from an $8 million fraud.

Nathan J. Mueller worked for a Minnesota insurance company, ReliaStar, that was taken over by global insurer ING. Mueller played a lead role in the transition to a new ERP system and along the way he and a co-worker were given payment approval authority up to $250,000. Mueller didn’t even know he had that authority until two years later.

Red flags were present early in that users often logged in as each other to get something done when a co-worker was out. With a pregnant wife and a salary that wasn’t quite covering the bills, Mueller logged in as a co-worker and requested a check made out to Universal for $1,100. He then logged in with his credentials and approved it. Universal was an insurance company they paid regularly. The word Universal was also part of the name of his credit card. [This is not in the article, but suspect this was the AT&T Universal Card.] The check cleared and his credit card account went down by $1,100.

There was a control point here. It was a different user’s job to receive the checks and mail them out. Mueller was a backup for this process so he waited to request a check until he know the primary person would be out. Occasionally, he gave the primary the day off to make it easier. The organization had a segregation of duties control point here, but it wasn’t functioning as designed.

After his start, Mueller paid off his Universal card and then kept transferring balances from other cards and debt to that card. After stealing $88,000 he was out of debt. Right before this though, there was a chance to catch him. He’d send a $4,500 payment without a payment voucher and without an account number. The check was returned to his work and the AP department, instead of investigating, forwarded it to Mueller. It was a close call and the fraud could have been stopped there.

It took a few months for Mueller to get past the scare and from there he got smarter. Like the term “Universal”, Ace was part of a company name that regularly received payments so Mueller opened a shadow “Ace”, Ace Business Consulting. He would request and approve payments as before, but now he could just deposit the checks. He did this to the tune of $8 million over 4 years.

Mueller needed to cover his tracks. He primarily used two schemes, hiding amounts in accounts with a lot of ledger activity and manipulating foreign currency accounts. He started by simply hiding the payments in high volume accounts.

For every credit (to the bank) there has to be a debit, and my debits needed to be hidden somewhere. Our payments were usually for insurance claims, commission expenses, various refunds, or an administrative expense. In 2003 and 2004, I hid all the debits in ledger accounts that had a lot of reconciliation activity, making sure that my debit helped the account reconcile to zero.

As Mueller’s scheme evolved, he would intentionally weaken the Canadian dollar when calculating the exchange rate for their Canadian subsidiary. Effectively this hid his theft as exchange rate losses. Mueller was the only person to manage the exchange rate calculation for 7 years.

He also had to hide his theft from his wife. He had significantly upgraded his lifestyle so he needed an explanation. Mueller decided that he was a successful gambler. He would take junkets to Vegas and return with his own stolen money. His wife remained suspicious and eventually, they divorced.

What got him caught was that Mueller’s ex-wife became friendly with one of Mueller’s co-workers. His wife said that she didn’t believe the gambling stories. That set off the alarm bells that led to the discovery of Mueller’s scheme.

We know why Mueller did it, financial pressure that morphed into greed. The core issue here is Mueller’s ability to bypass segregation of duties controls. The ability to log in and request payments as a coworker was the key to this scheme. Without that, it might have been possible to redirect a few payments or sneak through a fake Universal invoice, but not to the tune of $8 million.

With that access, he managed to avoid the preventative control of a user creating and approving their own invoices. That access made it possible to bypass the control of check mailing being done by a different user.

Interestingly, no detective controls caught the fraud either. No large, unexplained budget differences that someone investigated. There was no follow-up on the returned check. There was no application of statistical tools or forensic analysis.

Finally, Mueller’s lifestyle of expensive cars, watches, and trips didn’t raise red flags within the company until the very end. Of the $8 million, he paid back $860,000, mostly in seized property. In prison, he paid $75 a month as part of a prison repayment plan. As with other frauds we’ve seen. The money was gone.

Mueller’s scheme started out as simple payment fraud. He just cut an extra check to Universal and simply hid it in a complex account. That got him as far as $88k. From there Mueller had to evolve. He set up Ace Business Consulting. He hid the fraud in exchange rate losses and created a gambling backstory. Each adjustment added complexity. Still, once someone decided to look, the fraud was easy to find.

All the Queen’s Horses – Like Parks & Rec + Fraud

close up photo of brown horse

This one comes with a movie so grab some popcorn. The documentary All the Queen’s Horses moves around to different streaming services so Google it and grab it. It’s about 75 minutes long and worth it.

I try to make sure that every new employee of Fastpath sees this. It helps explain why we matter.

Dixon, IL is a modest city with a population of 15,800. Their annual budget is $8-9 million. Over a number of years, their controller Rita A. Crundwell stole $53 million from 1991 through 2012. I’m going to let that number sink in.

On December 8, 1990, Crundwell set up a secret bank account named the Reserve Sewer Capital Development Account (RSCDA). This was not actually a city account, but it looked like one, and Crundwell was the only signatory. Crundwell would move money into the Capital Development Fund. She would then create false state invoices payable to “Treasurer, State of Illinois” and generate checks payable to “Treasurer”, conveniently leaving out the State of Illinois part. Crundwell was the treasurer of the city of Dixon. Those checks were then deposited into the RSDCA account. Her process made it appear that she was making payments to the state when in fact she was moving money into an account over which she had sole control.

Rita was able to accomplish this because she had full control. She opened the mail, processed invoices, prepared checks, signed checks, managed the accounting system, and performed the bank reconciliation. She did this for 22 years.

Rita started small, stealing only $181k in her first year. But her thefts increased from there. In 2008 she stole $5.8 million from a city with a budget of $8-9 million. She averaged about $2.5 million a year over 22 years.

It gets worse, the city had a budget and was audited every year. Crundwell managed the budget and she managed to fool the auditors.

Rita got caught when she took an extended vacation. Her replacement asked the bank for a list of all bank accounts and found the RSCDA account. Forcing accounting personnel to take vacations is actually a control point. A surprising number of frauds are identified because while the fraudster is out. Often the fraudster is described as “hardworking, they never take vacations”.

What did Rita do with all the money? She didn’t blow it on cattle futures, she bought show horses…expensive show horses, and she ran a horse breeding operation. By all accounts, she was good at her hobby too. Her horses won 52 world championships and she was named a leading owner by the American Quarter Horse Association for eight consecutive years. She also had all the accessories like a farm and a multimillion-dollar motorhome for traveling to horse shows.

There were red flags. The city ran a deficit while surrounding cities ran surpluses. Crundwell blamed budget shortfalls on the state being late with tax revenue shares. She was also living well beyond her means. Living beyond one’s means was the number one fraud indicator in every Association of Certified Fraud Examiners annual study since 2008. People had questions so they filled in with assumptions. She had inherited the money. Her horse breeding operation was very profitable, etc.

Fraud like this should be preventable or at least quickly detected. There are a lot of basic controls for this. First up segregation of duties. Rita Crundwell obviously had too much control of the process. No one person should have complete control of any process. Up next, getting a list of accounts from the bank. The auditors almost certainly confirmed the balances from a list Crundwell gave them. It wasn’t until someone asked the bank that Rita was caught. As an aside, bankruptcy investigators at FTX also had to go find all of their bank accounts.

Additionally, a big part of segregating duties is independent bank reconciliations. This is one of the few independent confirmations of company cash flows and the process is often treated as a chore instead of a critical tool. I’ve seen an otherwise very good controller fired because their team couldn’t produce timely bank reconciliations.

Finally, having a whistleblower option like a phone line, website, etc. is also an important defense here. Not everyone sees someone living beyond their means. People had questions about Crundwell’s lifestyle but no one spoke up.

Where’s the beef? Ghost Cattle Fraud

nature animal agriculture cow

The TV show Yellowstone is all the rage and it’s all about protecting the ranch and the cattle. But what if the cattle doesn’t exist?

In Washington State a cattle rancher has been sentenced to 11 years in prison for scamming Tyson Foods out of almost $250 million with cattle that didn’t exist. You read that number right, almost a quarter of a billion dollars.

I keep saying that fraud at the top is the most expensive fraud. This might be the exception…sort of.

In 2016, Cody Easterday of Mesa, WA entered into an arrangement with Tyson Foods. Easterday ran a family farm and feedlot in Washington. Tyson would front the money for cattle and feed, Easterday would maintain the cattle for Tyson and pay 4% interest on the fronted money when the cattle went to slaughter.

This looks like a typical outsourcing arrangement. Tyson wanted beef, where presumably it has some control over the conditions of the cows, so it outsources. Given Tyson’s size in the marketplace, it fronts the cash to avoid overwhelming the smaller partner. It charges the partner 4% for fronting the cash. Seems reasonable.

The contract totaled more than $2 billion over 4 years. Easterday is accused of padding the number of cattle by more than 10% and billing Tyson for cattle that didn’t exist, to the tune of $233 million. He pulled a similar stunt with another producer and bilked them out of $11 million for a total of $244 million. Easterday was at the top of his organization, so this is still fraud at the top, he’s just defrauding another organization.

Why did he do it? Easterday was trading futures contracts on cattle. We talked about future contracts last time with FTX and I believe I called it really, really, one more really, risky, certainly leveraged future trading is. Easterday managed to lose $200 million trading cattle future contracts. He reportedly started trading cattle futures as a hedge against market fluctuations, perfectly reasonable, but as he took riskier bets it turned into a straight up gambling addiction.

Easterday confessed when Tyson became suspicious and asked for a full inventory of cattle purchases.

The core lesson here is trust but verify. We don’t have information on how Easterday reported cattle to Tyson, but it’s pretty clear that weren’t conducting any type of audit. I have a friend who did audits of agriculture and it can be tough to audit something like a newly planted field, but you can show a up few months later and confirm.

I have another friend who owns a small cattle ranch and cows these days are all tagged , many of them have RFID chips. While cows do move around, they can be counted. If partners are showing red flag like regular invoice corrections, delivery mistakes, etc., it may be time for an audit. If there is already some type of audit in place, review it.

That’s what SOC reports do for online providers. They document the controls in place and whether those controls are being performed appropriately. Company can and should review SOC reports where available to get comfortable with a partner’s controls. On a related note, back to last week, I’ve not found any evidence that FTX had a SOC report in any form.

FTX – How to Do Fraud at a Futures Exchange

I’ve done a lot of research on FTX and I have…opinions. If you haven’t paid attention, FTX was a crypto futures exchange. It had a related/sister crypto hedge fund known as Alameda Research. All of it melted down in late 2022. There are significant fraud allegations and guilty pleas so far. There are also a lot of lurid allegations. Matt Levine’s column, How to Do Fraud at a Futures Exchange is the clearest explanation of FTX. We’re going to try to go there, but first I have to get a few things off my chest.

  1. Sam Bankman-Fried’s “Balance Sheet” that he passed around trying to raise last-minute funds is offensive to me as an accountant. Maybe some investors don’t care, but I’d get fired for showing anything like that to anyone at any job I’ve ever held. A copy of that balance sheet is the image for this post.
  2. Quickbooks is not an appropriate accounting system for a company the size of FTX mostly because of its inability to scale to that size. I suspect Quickbooks would be happy to have no association with FTX given what SBF’s balance sheet looked like.
  3. If our Craigslist Accountant from a few weeks back worked at FTX (and actually did the work) she could steal $15k/day, every working day for a year, and FTX would only be out $4 million instead of billions.

Whew! Ok, where do we start?

FTX was a futures exchange. In a futures exchange, people bet on some proposition, say Bitcoin will go up or down. Some people bet up (long) and some down (short) but they place that bet with the exchange, not with each other. To guarantee these bets, customers deposit cash. On some defined time frame, the exchange checks the results and if Bitcoin went up the exchange takes some money from the short bettors and gives some to the long bettors. If it goes down, the reverse happens.

If an account goes too low, the exchange asks the bettor to put in more money. This is a margin call. If the bettor doesn’t cover, the exchange automatically closes out the position at a loss. If an account gets high enough, the bettor can take some money out. Ideally, the exchange is smart about this and limits the amount to reasonably match the volatility.

If an account goes below zero, that is if a bet on our Bitcoin example falls fast enough that there isn’t time to get more money or close out the position, the bettor owes more than what’s in the account. Collection from the debtor will be problematic at best and the exchange will have to pay out of their own money.

This is straightforward futures stuff. It’s very common and well-understood in traditional financial circles. That doesn’t make it easy or safe, but everyone knows that’s how this works. Notice that there are no actual Bitcoins in here, just bets on whether Bitcoin will go up or down. Much like betting on a football game, you don’t own the team, play for the team, or even get to see a game, you’re betting on the performance of something you don’t own.

Finally, we’re talking about leveraged futures trading here. Something like deposit $2k and the exchange lends you another $15k to bet on Bitcoin. Alternatively, deposit $2k and the exchange lends you $15k in Bitcoin to bet on. The exchange may hold a little of a given asset like Bitcoin, but it doesn’t really have to because it has customers on both sides of the trade so they more or less offset.

Leverage like this is really, really, one more really, risky. That’s a big loan on a small deposit. If prices move in the wrong direction quickly, positions get wiped out leaving the exchange holding the bag. Crypto often moves quickly in the wrong direction for someone.

Future Exchanges control risk by:

  1. Charging high margins.
  2. Tailoring the margin to the riskiness and size of the bets.
  3. Monitoring and closing out losing positions quickly.
  4. Limiting withdrawals. If a position grows and too much is removed, there isn’t enough to cover a reversal in fortune.

At least well-managed ones do. FTX on the other hand:

  1. Setup a futures exchange.
  2. Advertised their impressive risk engine with customized margin factors designed to carefully take into account volatility, liquidity, account position size, and unusual market moves to quickly close out losing positions and limit withdrawals as appropriate.
  3. Did a lot of trades with their own money.
  4. Without telling anyone, exempted themselves and related entities from all the risk management stuff they advertised.
  5. When bets moved in their favor, they withdrew funds for condos, political contributions, whatever.
  6. When bets moved against them, they didn’t put money back in, didn’t close out their bets, just let everything go negative and ignored it.

This is fraud because FTX advertised it had good risk management when it actually had bad risk management. Additionally, taking money out when FTX wins and not putting it back when FTX loses predictably moves money from customers to FTX. Third, FTX might be tempted to speed up this process with its own token. Say, create a bajillion magic beans out of thin air, trade a few magic beans with yourself and some friends to establish a price, then borrow against the remaining bajillion beans at the artificial price.

This is the crux of the SEC complaint against FTX. The infamous “back door” from early news reports was really exempting related firm Alameda from all the risk management constraints.

Also, there was additional comingling going on. FTX’s bank account couldn’t accept some foreign deposits so they went to Alameda who just kept them…apparently. There was some sort of loan(ish) disclosure, but the funds appeared as internal funds, not customer funds.

Eventually, if you take money out when you win and don’t put it back when you lose, you run out of money to play with. And when you borrow based on artificially inflated valuations, there is nothing left when the valuations pop.

Sam Bankman-Fried is going around apologizing, but this was not a mistake. Like Celsius from a few weeks ago, this was a failure to act as a fiduciary of the customer’s money. Being this reckless is not a mistake, it’s fraud.

I’ll try not to do too many of these giant frauds because the lessons are macro lessons. They aren’t actionable for average folks. But, fraud at the top is the most expensive kind of fraud. If you work for a company and see that, run. The tone at the top still matters and people have subsequently shown behaviors by FTX and Sam Bankman-Fried that should have raised red flags. As an FTX user, there doesn’t seem to be much that could have been done, other than quickly withdrawing funds at the first sign of trouble.

FTX appears to have melted down into a giant fraud. I don’t think it started that way. I’m not convinced that was the intent, but whether through hubris, a lack of maturity, or missing respect for the customer, it has ended up there.

As a footnote, FTX was a mess internally. We’ve previously seen that Celsius was a different kind of internal mess. However, both failures were precipitated by credit bubbles and crazy leverage. Richard Rumelt covers this well near the end of Good Strategy. Covering the 2008 housing crisis Rumelt notes that Bear Steans was leveraged by at least 32 to 1. Lehman Brothers were similarly leveraged and it didn’t take much to tip everything over the edge. Before that Worldcom was an earlier example. The crypto winter of 2022 was ultimately a cascading failure of easy credit, probably triggered by the failure of Three Arrows Capital.

It is not unusual for leverage-based failures to devolve into financial statement fraud as management tries to keep the company afloat. FTX and Celsius both also suffered from a lack of internal control that made fraud possible.

Craiglist Accountant Fraud – What a Difference a Day Makes

My colleague Frank Vukovits and I talk about this case a lot. While it seems simple on the surface, there are a lot of unanswered questions and I have not been able to track down answers.

The base story is simple, Angela Phan was hired as an accountant for Triplematic Dispensers via a Craigslist ad. She worked one day and stole almost $15,000. The St. Louis Post-Dispatch story seems to be primary, but it’s behind a paywall. KSDK has an overview for free. Both articles are thin.

With a little digging, we find that we don’t know why Angela only worked one day. We don’t know if she quit or was fired. None of the articles say what day she actually worked. We just know that the fraud started in July 2014 and she wasn’t caught until December 2015.

Let’s back up. This is simple check fraud. Angela worked one day and got a paycheck mailed to her. The paycheck obviously had the company routing number and account number on the check as all checks do.

Angela is alleged to have used that information to pass fraudulent transactions through Triplematic’s bank account to the tune of $14,720.21. If you just read the headline Accountant Worked One Day, Allegedly Embezzled $15k it’s funny. When you realize the fraud went on for 18 months it gets weird. That’s a long fraud for only 15k. Phan gets points added for patience and deducted for stealing small amounts. If you’re going to commit felony identity theft (what she was charged with), don’t skimp.

A lot of people have suggested that Triplematic brought this on by hiring an accountant via Craiglist. I tend to agree, but she was gone after a day. We’re all allowed an occasional mistake. What I don’t understand is how this continued for 18 months. From the St. Louis Post-Dispatch article:

“The company later noticed several unauthorized transactions had been made on the business checking account. The company’s bank said at least one of the transactions was made to an account connected to Phan.”

Assuming the articles are correct, why didn’t they catch these in the July 2014 bank rec and close the account? Why leave this open for 18 months?

I’m intrigued enough by this story that I poked around Missouri CaseNet to see if could find a final disposition. The articles indicate that she confessed to a felony so there should be some kind of resolution, but I couldn’t find anything. That means that Angela Phan could still be out there answering Craigslist ads for accounting jobs.

How do companies prevent this?

  1. Maybe don’t hire accountants off of Craigslist and do a little due diligence on candidates. In fairness, anyone who gets a check has routing and account information.
  2. Use a dedicated payroll account that doesn’t carry extra cash. This makes extra payments stand out.
  3. Perform bank reconciliations in a timely manner and investigate suspicious or missing payments.
  4. Use positive pay on the account to reject unauthorized payments. Positive Pay is a bank feature used as a control for checking accounts. Account holders submit authorized payments to the bank. Unmatched payments are rejected. Alternatively/Additionally, banks may present transactions online with a short timeline to reject unauthorized transactions.

Life imitates Office Space, Fraud and All

I believe you have my stapler

I love the movie Office Space. It’s full of what are now classic nerdy memes and tropes including red staplers, TPS reports, flair, and beyond. But a core piece of the movie revolves around fraud. When Peter finds out that Michael and Samir are going to get downsized, they hatch a plot to steal fractions of cents on each financial transaction. They manage to screw it up. There are other lessons in this movie, but that’s the fraud lesson. Expect to screw it up.

Interestingly, in the movie, they stole over $300k. Remember that number.

In the real world, Ermenildo “Ernie” Valdez Castro of Tacoma, Wash is accused of stealing around $300k from Zulily, the online retailer he worked for. In a reported confession to police, he called his plan the OfficeSpace Project and indicated inspiration from the movie.

Heist 101: Don’t name your heist after famous heists, real or fictional.

Ernie’s plan was a little different though. He didn’t steal fractional pennies. The specifics are a little fuzzy, but based on the GeekWire article, Ernie, a software engineer, wrote code to redirect shipping fees collected from certain customers to a Stripe account he controlled. Additionally, it appears that in some cases, the code double-charged customers for shipping and redirected the additional charge to an account he controlled. Those two schemes netted about $240k.

Not content with just that, Ernie changed pricing to buy items at a substantial discount. Those discounts amounted to about $40k. Potentially these items were purchased at a significant discount for resale. The articles aren’t clear, but a pile of products was found at his house.

Ernie’s price fixing was found first. After his laptop was seized, the company found evidence of shipping fraud. The side hustle fraud to his main fraud got him caught.

So where did all the money go? This is always a fun question because it so often evaporates.

“He clarified that he had used the money to invest in stock options, particularly GameStop stock options, and reiterated that all the money was now gone. He denied purchasing any physical assets with that money.”

Points to Ernie for being creative. Redirecting shipping fees is not your garden variety AP payment fraud or AR lapping scheme. Points are deducted for getting caught because the side hustle to your main fraud was exposed. Sloppy.

So how do companies find or prevent fraud like this?

  1. Segregation of Duties for code changes. It’s pretty clear that Ernie could change production code without a testing and review process. That’s a big no-no.
  2. A good budget and reconciliation process would show either shipping costs well below budget or missing cash depending on exactly how the payments were redirected to Stripe. That should lead to a lot of questions.
  3. Change tracking, like an audit trail on price changes, would show price reductions and an immediate return to the initial price. Definitely a red flag for investigations. Whether that change was done via code or an interface, my assumption is that the price is stored in a database and not solely in code, making change tracking easier. Based on my experience, that is a reasonable assumption.

I see so many companies not wanting to do the work to prevent fraud. It’s work. It takes time. In this case, Zulily is a $200 million dollar subsidiary of a publicly traded, multibillion-dollar entity. Three hundred K is an average fraud and a drop in the bucket. But it could just as easily have been a $3 million startup where a loss of $300k means people get laid off.

At the same time Zulily IS a $200 million dollar subsidiary of a publicly traded, multibillion-dollar entity. SOD for code changes, a robust budget/reconciliation process, and reasonable change tracking should already be in place. They can do better.

Celsius, Crypto, & Commingling Fraud

ripple etehereum and bitcoin and micro sdhc card

We’ll get to FTX eventually, but first, let’s look at Celsius.

Much of this post comes from the Celsius bankruptcy filing here. Celsius was a crypto lending firm founded in 2018. Their primary product was called an Earn account. Customers would deposit crypto asses with Celsius in exchange for rewards. Customers could also borrow against their crypto assets.

Celsius would move assets from bridge wallets tied to a customer to aggregator wallets from which it would invest and make loans. Think of this as similar to cash in a bank. If I deposit $100 it does not sit in an envelope with my name on it waiting for me to withdraw. It is comingled, loaned, etc. There is no way to trace my $100 through the bank, there is just a ledger entry that I’m owed $100 by the bank when I ask for it. (For clarity, each type of cryptocurrency, like Bitcoin or Ethereum, had its own aggregator wallet, like aggregating dollars and Euros in separate accounts.)

Later, US regulators pressured Celsius to change its business model under the theory that the Earn product was a security that should be regulated. As a result, Celsius launched its Custody program for US customers. Custody accounts were not eligible for rewards and would not be transferred, sold, loaned, etc. The custody model was supposed to be closer to a digital safe deposit box.

Because of the regulatory pressure (and their own procrastination), Celsius moved fast to launch Custody accounts and they broke things. A lot of things, Heck everything. Part of this speed run included:

  • Relying on manual reconciliations of crypto assets without robust controls. If you’ve ever tried to reconcile a bank account where bank deposits were aggregated but the individual checks for that deposit were listed in the accounting system, you understand how ugly this can be. Now multiply that times thousands.
  • Creating a 3rd product, Withhold accounts, for states where they weren’t licensed for their Custody accounts. The Withhold accounts had no terms of service.
  • Not creating separate wallets for Withhold accounts and not otherwise separating the funds.

To fund the Custody accounts, Celsius transferred crypto assets from the main or aggregator wallets, but they did not have a process to separate new deposits. Deposits continued to come into the aggregator wallets.

Celsius’s Custody program did not automatically balance the number of coins reflected in Custody accounts to the number of coins held in aggregated Custody wallets. This is essentially making sure the value and currency type in the big custody envelope matches the ledger of all customers. Celsius had to manually reconcile those balances. Celsius performed this reconciliation 53 times during the 83-day period between April 20, 2022 (when it first reconciled the Custody wallet holdings to the Custody accounts) and July 12, 2022 (the day before Celsius filed for bankruptcy). There were no defined rules or policies to guide this process. Finally, Celcius would move money into and out of custody wallets if reconciliations showed a shortfall or overage.

In May 2022, Celsius experienced significant withdrawals leading to a liquidity crisis. They responded by pausing withdrawals. Oddly, because of the speed with which they implemented these products, they had no way to pause deposits, and they kept coming in. As a result, despite a “pause” customer balances still weren’t static. Ultimately Celsius determined that they did not have the capital to fund continued withdrawals or they would take significant losses unwinding positions to fund withdrawals. Remember that Celsius loaned money on cryptocurrencies. Ultimately, Celsius declared bankruptcy.

Essentially, Celsius was a run on the bank. With longer-term loans funded by shorter-term deposits, if enough people decide to withdraw, there isn’t enough to pay them because cash is still tied up in loans. But under the hood, the story of Celsius is a story of missing controls. Missing controls to the point that Celsius was never really sure what they had. Missing controls to the point that they appear to have materially misled customers about how Custody and Withhold accounts were actually managed. A couple of quotes that illustrate this:

Mr. Koprivica summarized management’s message to the product development team as: “[G]o back to blackboard, do the minimum of all minimums, this may be manual for the start, involve less developers, lets discuss deadlines.”

…there was no “common understanding” of the concept of custody between team members with a “finance background”and those without…Celsius did not consider creating a Custody wallet for each Custody customer. In fact, Mr. Noy did not recall that idea ever being suggested.

…there was no “common understanding” of the concept of custody between team members with a “finance background”and those without…Celsius did not consider creating a Custody wallet for each Custody customer. In fact, Mr. Noy did not recall that idea ever being suggested.


Also, Celsius made the decision to initially overfund Custody wallets by 10% as a buffer against mistakes. As a result:

Because of the manner in which Celsius initially funded the Custody wallets—most notably the intentional overfunding—on April 15, 2022, no Custody wallet held exactly the number of coins that were supposed to be a part of the Custody program.

Custody wallet movement and reconciliation process

For Celsius, the reconciliation of Custody accounts wasn’t a mitigating control but the process itself. The reconciliation determined the amount rather than confirming the amount.

Turning to Withhold accounts, Celsius never separately identified Withhold accounts or funds in management reporting. Withhold funds remained in the main accounts available for any use Celsius saw fit. This is contradictory to communication with customers which encouraged them to withdraw these coins (Celsius no longer had a license for the state where those customers lived) and that the coins would be maintained until withdrawn.

When a company tells customers that they aren’t going to loan, sell, or do anything else with their funds, they have a right to rely on that. The company has a fiduciary responsibility to appropriately manage customer assets. Tone at the top continues to be important and fraud at the top of organizations continues to be the most expensive.

Matt Levine of Bloomberg likes to say that crypto keeps rediscovering all the mistakes of banking and finance at an accelerated rate. I agree. I would add that if the crypto community wants the world to quit treating crypto as play money, they should stop managing it like play money.

What are the lessons here?

  1. Controls matter – Like what we are seeing at FTX, there were few if any controls at Celsius.
  2. Process and infrastructure matter too. Just as the control should match the risk, processes, and infrastructure need to be up to the task. Just as we wouldn’t consider a manual quarterly review of a high-value, high-volume bank account to be adequate, we shouldn’t consider a manual reconciliation against thousands of customers a reasonable, repeatable process.
  3. The tone at the top still matters. As much as this is a process failure, it’s also an ethical failure to properly manage customer funds.

Update 2023.02.10: The final bankruptcy report has been released. It’s available here. Honestly, it’s even worse than what I’ve described. It’s ineptitude up and down the organization. It is, however, a heck of a read.

Update 2023.02.16: While FTX gets the press, Celsius is the current story that keeps giving. The latest is that it may not be possible to determine Celsius’ intercompany balances without an army of forensic accountants because more than 7,000 intercompany transactions were never recorded. People like to hate on accountants, but accountants record stuff. Even when it’s recorded wrong, it gets written down, and that is way easier to fix. “Let’s start a complex business maintaining customer money worldwide and not write much down” is not a business model. When people start calling Celsius a fraud from the beginning its because of things like this.

Carlos Ghosn and Fraud at Renault & Nissan

photo of white nissan car

I’m going to be adding a weekly fraud column for 2023. Frankly, I had about a dozen good examples without trying, so this should be fun.

Carlos Ghosn was the highly successful CEO of Renault and Nissan, two independent car makers who teamed up in an alliance driven by Ghosn to make both companies better. He ended up as the CEO of both companies at the same time. He is accused of overpaying himself by as much as $100 million.

Over Christmas I read Boundless: The Rise, Fall, and Escape of Carlos Ghosn by veteran Wall Street Journal writers Nick Kostov and Sean McClain. It has all the details. There is a smaller WSJ article here (subscription required). The book is absolutely worth a full read.

The nutshell version is that Ghosn is accused of manipulating how and what he was paid to hide the amount of his actual pay. Ghosn seemed to have wide latitude in controlling what he was paid, but disclosure of the size could be embarrassing in both France and Japan. Additionally, Nissan paid him in Yen and at one point a swing in currency values left a $20 million hole in his personal finances. Finally, he was required to report his pay to Japanese authorities (a new law at the time) and disclose it in financial statements. The disclosures did not reflect his actual pay and a number of intermediaries were used to hide payments. Kostov and McClain allege that payments to Ghosn were improperly funneled through suppliers. Additionally, there were properties and other items paid for by various Renault and Nissan organizations that may not have been appropriately authorized.

What makes this story even more interesting is that Ghosn was arrested in Japan, a country with a 99% conviction rate. Ghosn felt that he couldn’t get a fair trial in Japan and arranged to flee the country hidden in a box ostensibly designed for a large speaker or amplifier. Ghosn was spirited out of the country via private jet while hidden in the box. He fled to his native Lebanon, a country that doesn’t extradite its citizens. A BBC article here also has escape details.

Ghosn will probably never get his day in court, so there is no way to say definitively say exactly what he did or the extent of the fraud, but there are some lessons in here.

1). Fraud at the top is always more expensive than fraud from within an organization. $100 million is a lot of money. It’s hard to hide that much with garden variety AP or AR fraud. CEOs should still be subject to checks and balances.

2) Resentment over pay remains a key reason for fraud, even at the top.

Carlos Ghosn had been the world’s most prominent car man of the first two decades of the twenty-first century. To the astonishment of naysayers worldwide, he had forged two middling carmakers into a global powerhouse, the Renault-Nissan Alliance. But Ghosn never felt that he had been adequately compensated. Over the years, he had watched as people of lesser talent had made millions more than he did. It had grated on him to the point of obsession.

Since the financial crisis of 2008, he had started to take matters into his own hands, exploring numerous schemes to secretly pay himself what he thought he was worth. Ten years later, he had been ready to push through his last great act as an executive—a merger between the French and Japanese carmakers—before sailing off into the sunset aboard a 120-foot-long yacht. As part of the deal, he would be entitled to a massive payday, one that would enable him to retire as a very wealthy man.”

— Boundless: The Rise, Fall, and Escape of Carlos Ghosn by Nick Kostov, Sean McLain

The fraud triangle is Opportunity, Incentive, and Rationalization. As CEO Ghosn had the opportunity, he was the CEO and had few checks on his pay. He had the incentive, oddities with his pay in multiple currencies created a $20 million hole in Ghosn’s personal finances. Finally, there was rationalization. he felt he was underpaid based on what he had accomplished.

This risk exists at multiple levels in every organization. Strong controls are a key defense and Boundless is must read.

%d bloggers like this: