Asset Recovery Flashcards

(71 cards)

1
Q

What are the 6 major domains covered in Asset Recovery?

A

1) Forensic Analysis of Major Heists (Bangladesh Bank, Bybit), 2) Cyber Attack Patterns & Threat Actors, 3) Legal Framework (UNTOC, UNCAC, FATF), 4) Asset Recovery Process & Stages, 5) Challenges & International Cooperation, 6) Case Studies & Success Rates

2
Q

===CYBER ATTACK LANDSCAPE: Attack Types & Threat Groups===

A
3
Q

According to Europol 2024, what are the top 5 most common attack types and their percentages?

A

1) DDoS (Distributed Denial of Service): 18.1%, 2) Phishing: 15.8%, 3) Backdoor: 11.3%, 4) Data Theft: 9.0%, 5) Phishing Campaign: 7.3%

4
Q

What are the other 10 attack types identified by Europol 2024 (each 1.7-4.5%)?

A

Rootkit: 5.6%, Email Phishing: 4.5%, Credential Theft: 3.4%, Man-in-the-Middle: 3.4%, Social Engineering: 2.8%, Banking Trojan: 2.3%, Lateral Movement: 2.3%, Remote Code Execution: 2.3%, Spear Phishing: 2.3%, and 5 types at 1.7% each (ACK Bypass Flood, Double Extortion, Keylogger, Proxyjacking, UDP Flood)

5
Q

According to Europol 2024, what are the top 5 most common hacking groups and their percentages?

A

1) GhostEmperor: 14.6%, 2) GoldenJackal: 14.6%, 3) Callisto Group: 13.4%, 4) Awaken Likho: 5.4%, 5) KillSec: 5.4% (tied with Volt Typhoon and Trinity Ransomware Group)

6
Q

What are the other 10 notable hacking groups identified by Europol 2024?

A

APT37: 4.2%, Russian Cyber Army Team: 4.2%, NoName057: 3.8%, Lazarus Group: 3.3%, Carbanak: 2.9%, Qilin: 2.5%, SCATTERED SPIDER: 2.5%, APT45: 2.1%, CeranaKeeper: 2.1%, Kimsuky: 2.1%, KingSkrupellos: 2.1%, Void Banshee: 2.1%, DumpForums Group: 1.7%

7
Q

===LAZARUS GROUP: Attack Methodology===

A
8
Q

Lazarus Group Attack Methodology: What are the 4 stages of their attack sequence?

A

1) Entry based on malware and social engineering, 2) Waiting period spent studying the target's security processes, 3) Bypassing SWIFT and Safe processes via impersonation, 4) Laundering and layering

9
Q

Bangladesh Bank Heist: What was the attack attributed to and what were the key forensic findings?

A

Attributed to Lazarus Group. Key findings: Used malware and social engineering for entry, studied security processes during dormant period, bypassed SWIFT controls through impersonation, then laundered funds through Philippines casinos and remittance networks

10
Q

===BYBIT HEIST 2025: Supply Chain Attack===

A
11
Q

Bybit Heist February 2025: What was the attack vector and how did it exploit Safe{Wallet}?

A

Attack vector: Supply chain compromise. Earlier in February 2025, a Safe{Wallet} developer fell for a social engineering attack: a malicious application that appeared legitimate (purportedly from a cryptocurrency trading company), seen on both Windows and Mac, fooled victims into downloading it from a seemingly legitimate website

12
Q

Bybit Heist: How did attackers gain and maintain access to Safe{Wallet}’s AWS account?

A

Attackers compromised developer’s workstation, gained access to Safe{Wallet}’s AWS account, timed efforts to coincide with developer’s normal work hours to remain undetected until actual heist

13
Q

Bybit Heist: How did the UI manipulation work and when was the theft executed?

A

Attackers manipulated the Safe{Wallet} user interface that Bybit employees would see. On February 21, 2025, when Bybit employees went to approve and sign a routine transfer, the UI showed what appeared to be a legitimate transaction with intended destination, but funds were diverted

14
Q

===ASSET RECOVERY: Definitions & Framework===

A
15
Q

Asset Recovery: What is the UN Convention definition and what are the two key statistics about recovery rates?

A

Definition: The process by which the proceeds of corruption transferred abroad are recovered and repatriated to the country from which they were taken or to their rightful owners (Source: UNCAC Chapter V, OECD). Statistics: Only ~10% of assets frozen are returned. Huge gap between what goes missing and what is recovered and ultimately returned

16
Q

Asset Recovery Framework: What are the three analytical questions to ask when approaching a case?

A

1) Fact: What do we know for sure, 2) Meaning: What does it mean for us, 3) Actions: What can we do about it

17
Q

===LEGAL FRAMEWORK: UNTOC===

A
18
Q

UNTOC (UN Convention Against Transnational Organized Crime): When was it adopted, when did it enter into force, and how many parties has it?

A

Adopted: November 15, 2000 by UN General Assembly resolution 55/25. Entry into force: September 29, 2003. Signatories: 147. Parties: 194 (as of August 12, 2025)

19
Q

UNTOC Article 12 (Confiscation and seizure): What are the three main requirements?

A

1) States must criminalize confiscation of proceeds of crime and tools used in crime, 2) Must empower authorities to freeze/seize assets during investigation, 3) Bank secrecy cannot be used to refuse cooperation

20
Q

UNTOC Article 13 (International cooperation for confiscation): What are the three key provisions?

A

1) A State may request another to confiscate or freeze property, 2) Requires dual criminality, 3) Requested State must take provisional measures pending final confiscation

21
Q

UNTOC Article 14 (Disposal of confiscated assets): What are the three disposition options?

A

States can: 1) Return proceeds to requesting State, 2) Compensate victims, or 3) Support UNTOC projects. Encourages restitution and international sharing of assets

22
Q

UNTOC Article 16 (Extradition): What offences does it apply to and what are two key protections?

A

Applies to offences punishable by ≥4 years. Key provisions: 1) UNTOC can serve as legal extradition basis if no bilateral treaty exists, 2) Extradition must not be refused for reasons of fiscal/banking secrecy, 3) States may refuse only if request is politically motivated or discriminatory

23
Q

UNTOC Article 18 (Mutual Legal Assistance): What is the scope and what key ground for refusal is prohibited?

A

Scope: Broad duty to provide ‘the widest measure’ of cooperation. Covers testimony, evidence, search, seizure, asset freezing, service of documents. UNTOC itself can serve as legal basis even if no bilateral MLA treaty exists. Banking secrecy is NOT a valid ground for refusal

24
Q

UNTOC Article 19 (Joint Investigations): What does it allow and why is it particularly useful?

A

Allows States to set up joint investigative teams, enabling real-time cooperation between prosecutors, police, and regulators. Particularly useful for transnational cybercrime and money laundering schemes

25
Q

UNTOC Article 20 (Special Investigative Techniques): What techniques does it encourage and under what conditions?

A

Encourages: controlled deliveries, undercover operations, electronic surveillance. States should permit their use domestically and internationally, subject to their legal systems. Cooperation possible through bilateral or multilateral agreements. Designed to infiltrate organized crime networks and trace illicit money flows

26
Q

===LEGAL FRAMEWORK: UNCAC===

A
27
Q

UNCAC (UN Convention Against Corruption): When was it adopted, when did it enter into force, and what are the five main areas it covers?

A

Adopted: October 31, 2003 by resolution 58/4. Entry into force: December 14, 2005. Signatories: 140. Parties: 189 (as of November 18, 2021). Five main areas: 1) Law enforcement, 2) International cooperation, 3) Asset recovery, 4) Technical assistance, 5) Information exchange

28
Q

UNCAC Article 43: What is the core obligation regarding international cooperation?

A

Obliges state parties to extend the widest possible cooperation to each other in the investigation and prosecution of offences defined in the Convention

29
Q

UNCAC Article 51: What fundamental principle does it establish?

A

Provides for the return of assets to countries of origin as a fundamental principle of this Convention

30
Q

UNCAC Article 57: What are the three scenarios for asset return?

A

1) Where property obtained through embezzlement of public funds: must be returned if requesting state has 'final judgment' (waivable requirement). 2) If requesting State demonstrates 'prior ownership' or 'damage' from corruption acts: must return with 'final judgment' (waivable). 3) In 'all other cases': requested State shall give priority consideration to returning confiscated property to requesting State, returning to prior legitimate owners, or compensating victims

31
Q

===ASSET RECOVERY PROCESS: Four Stages===

A
32
Q

Asset Recovery Stage 1 (Identifying Assets): What are the two requirements?

A

Requires: a) Prove that assets were unlawfully acquired, b) Follow the money flow from bribes, embezzlement or other diversions of public funds

33
Q

Asset Recovery Stage 2 (Tracing Assets): What does it require and what does FATF recommend?

A

Requires: Full-scale investigation that follows the asset with 'resources, expertise and effective international cooperation'. FATF recommends: Strong legal frameworks, minimising structural impediments through coordination/communication/resourcing, streamlining procedures, addressing cultural issues

34
Q

Asset Recovery Stage 3 (Confiscation): What is OECD's definition and what are the two confiscation methods?

A

OECD definition: 'The permanent deprivation of assets by order of a court or other competent authority'. Two methods: 1) Property-based confiscation (requires identification of particular asset), 2) Value-based confiscation (based on monetary value of assets that cannot be materially recovered, e.g., moved on or destroyed)

35
Q

Asset Recovery Stage 4 (Recovering and Returning Assets): What is the goal and what are the three important considerations?

A

Goal: Return to 'prior legitimate owners' (UNCAC Article 57). Three considerations: 1) Selection of appropriate financial management arrangements, 2) Importance of ongoing monitoring to ensure funds not re-appropriated, 3) Role of civil society in monitoring process

36
Q

===OTHER LEGAL TOOLS: FATF & MLATs===

A
37
Q

FATF Recommendations for Asset Recovery: What do R.4 and R.38 require?

A

R.4: Call on countries to adopt laws for freezing, seizing, and confiscating proceeds of crime (including fraud). R.38: Direct international cooperation for asset freezing/seizure. These standards drive national AML/CFT frameworks used in fraud recovery

38
Q

MLATs (Mutual Legal Assistance Treaties): What do they allow and what informal cooperation networks exist?

A

Allow states to request asset freezing, banking info, and evidence in fraud cases. Informal cooperation networks: CARIN (Camden Asset Recovery Interagency Network, EU & global spin-offs like ARIN-AP, ARINSA, ARIN-CARIB)

39
Q

===US ANTI-MONEY LAUNDERING FRAMEWORK===

A
40
Q

Bank Secrecy Act (1970): What three categories of requirements did it establish?

A

1) Established requirements for recordkeeping and reporting by private individuals, banks and other financial institutions, 2) Required banks to report cash transactions over $10,000, 3) Required banks to properly identify persons conducting transactions and maintain a paper trail

41
Q

Money Laundering Control Act (1986): What were the two key provisions?

A

1) Established money laundering as a federal crime, 2) Directed banks to establish and maintain procedures to ensure and monitor compliance with reporting and recordkeeping requirements of BSA

42
Q

USA PATRIOT ACT (2001): What are the six key anti-money laundering provisions?

A

1) Criminalized financing of terrorism and augmented BSA framework by strengthening customer identification, 2) Prohibited financial institutions from engaging in business with foreign shell banks, 3) Required due diligence procedures (enhanced for foreign correspondent and private banking accounts), 4) Improved information sharing between financial institutions and US government, 5) Expanded AML program requirements to all financial institutions, 6) Increased civil and criminal penalties for money laundering

43
Q

===CHALLENGES IN ASSET RECOVERY===

A
44
Q

World Bank Report - Three Categories of Barriers in Asset Recovery: What are they?

A

1) General barriers and institutional issues: lack of political will to identify asset recovery as priority, failure to attend to AML measures to prevent asset flight. 2) Legal barriers and requirements: onerous MLA requirements, banking secrecy, lack of non-conviction-based recovery procedures, restrictive evidentiary/procedural legislation. 3) Operational barriers and communication issues: difficulty identifying contact points in other countries, delays in processing MLA requests or poorly drafted requests

45
Q

General Issues in Asset Recovery: Match the 7 key issues to why they matter

A

1) Tracing hidden assets (layering, shell companies, crypto, real estate) → Criminals obscure ownership, funds spread across jurisdictions. 2) Legal fragmentation (civil vs common law, evidentiary standards) → Confiscation rules differ. 3) Slow MLAT processes → MLA requests take months/years. 4) Political will & sovereignty concerns → Some states resist cooperation (sensitive cases). 5) Capacity gaps in developing states → Lack of skilled investigators, prosecutors, asset managers. 6) Private vs. public claims → Creditors vs. victims vs. states = conflicting interests. 7) New asset classes (crypto, NFTs, DeFi) → Harder to trace/freeze, limited expertise

46
Q

===BANGLADESH BANK CASE: Legal Strategy===

A
47
Q

Bangladesh Bank Case - Why didn't Bangladesh ask North Korea for asset recovery directly?

A

No legal obligation: No bilateral MLAT or extradition treaty exists. Denial of responsibility: North Korea denies Lazarus Group links despite UN reports. UN Sanctions: Resolutions 1718, 2270, 2397 prohibit financial flows to/from DPRK - even returning money would breach sanctions. Control of funds: Assets were laundered via Philippines (RCBC, casinos), not in North Korean banks. Political risks: North Korea is isolated, under sanctions - direct request would risk escalation, politicize case, yield zero recovery

48
Q

Bangladesh Bank Case - What legal instruments were used against Philippines and US?

A

Multiple instruments in combination: MLATs with US (re: Fed Reserve/NY courts) and Philippines (re: RCBC and casino accounts) to obtain documents and cooperation. UNTOC Art. 13 (cooperation for confiscation) as basis to request freezing/confiscation in Philippines. UNTOC Art. 14 (disposal) gave Bangladesh normative ground to demand return. UNTOC Art. 18 (MLA) justified requesting evidence and freezing orders abroad. UNCAC Ch. V Art. 51-59 (Asset Recovery) framed stolen reserves as 'public funds' requiring restitution. FATF Rec. 4 & 36-40 provided basis to pressure Philippines, demand cooperation even without direct treaty

49
Q

Bangladesh Bank Case - What specific US laws were leveraged?

A

18 U.S.C. § 981 & 982 (Civil & criminal forfeiture): Allow US courts to seize property involved in money laundering - Bangladesh Bank lawsuits in US courts leveraged these. Bank Secrecy Act (BSA): Fed Reserve and intermediary US banks' suspicious activity reports fed into tracing funds

50
Q

Bangladesh Bank Case - What was the Philippines legal framework and its key gap?

A

Philippines AMLA (2001, amended): Sections on MLAT cooperation & money laundering offences allow freezing and recovery of illicit funds. BUT casinos were excluded from AMLA until 2017 - this gap was exploited by Lazarus. Partial legal tool used against RCBC and remittance firms

51
Q

Bangladesh Bank Case - What did US cooperation provide?

A

1) Bank records & SWIFT logs from Federal Reserve, 2) Cyber and forensic investigations from FBI/DOJ, 3) Use of US evidence in foreign proceedings (Philippines/Bangladesh courts), 4) Indictment of DPRK-linked hackers to attribute responsibility, 5) Stand ready to freeze assets if any touched US jurisdiction

52
Q

UN Security Council Resolutions Against North Korea: What did Resolution 2270 (March 2016) require?

A

Passed to shut DPRK out of correspondent banking networks. Requires states to: close DPRK bank branches, expel DPRK banking representatives, bar correspondent accounts

53
Q

UN Security Council Resolution 2397 (2017): What did it explicitly recognize?

A

Explicitly recognized cyber-theft as a sanctions evasion method, directly addressing Lazarus-style operations

54
Q

Legal Basis for International Cooperation - Most Common: What are the top 4 legal bases used in 338 cases?

A

1) Bilateral Mutual Legal Assistance Treaty: 134 cases, 2) UNCAC: 109 cases, 3) Another legal basis (incl. other multilateral treaties): 62 cases, 4) Reciprocity: 59 cases. N/A: 45 cases

55
Q

===UK CASE STUDY: GFAR Report===

A
56
Q

UK Asset Recovery Framework - GFAR Overall Assessment: What is the main finding?

A

Overall recovery rates remain small compared to estimated overall amount of corrupt money in UK economy. Questions remain about law enforcement agencies and prosecutors' capacity to take on higher-risk cases

57
Q

UK Asset Recovery - Four Key Deficiencies identified by GFAR: What are they?

A

1) Law enforcement agencies undertaking asset recovery face significant capability and resource challenges, whilst exposed to potentially debilitating costs from litigation by defendants. 2) System for reporting suspicious activity (SARs) submitted by private sector needs reforming, including IT infrastructure receiving/analyzing SARs and quality of information submitted. 3) System for overseeing private sector compliance with money laundering rules is not fit-for-purpose, needs complete overhaul. 4) Opacity of companies incorporated in UK's Overseas Territories (OTs) and Crown Dependencies (CDs), and overseas companies owning UK property, prevents businesses and civil society from identifying suspect money entering UK economy

58
Q

UK Asset Recovery - GFAR Four Key Recommendations: What are they?

A

Recommendation 1: Enable identification of illicit assets - introduce public register of beneficial ownership. Recommendation 2: Resource the use of enforcement powers - ensure Criminal Finances Act measures implemented effectively with proper coordination and resourcing. Recommendation 3: Speed up reform of private sector oversight - strengthen and reform UK's AML supervisory system. Recommendation 4: Improve transparency and accountability in asset recovery process - publish annual updates, publish key court documents, keep authorities in country of origin informed, outline clear roadmaps for asset return

59
Q

===ASSET RETURN DATA & SUCCESS STORIES===

A
60
Q

StAR Asset Recovery Watch Database: What 13 data points does it track for each case?

A

1) Case Title (Name of Public Official or Entity Allegedly Involved), 2) Jurisdiction of Origin of Public Official or Entity, 3) Position of Public Official (years in office), 4) Jurisdiction of Asset Recovery, 5) Jurisdiction of Asset Description, 6) Asset Recovery Start, 7) Asset Recovery End, 8) UNCAC Offenses Implicated, 9) Contributing Factors in Asset Recovery, 10) Status of Asset Recovery, 11) Stage in Asset Recovery Chain, 12) Assets Frozen (USD), 13) Assets Adjudicated Not Yet Returned (USD), 14) Assets Returned (USD)

61
Q

Asset Returns 2006-2009: What was the total returned by 30 OECD countries and what were the largest bilateral flows?

A

Total: ~USD 300 million. Largest flows: United States returned $119.3mn to Italy (largest single flow), Switzerland returned $87.4mn to Mexico, Switzerland returned $51.4mn to Italy, United States returned $0.76mn to Peru, United Kingdom returned total $2.13mn to Nigeria (in two tranches: $1.6mn and $0.32mn), Switzerland returned $8.7mn to Nigeria, Australia returned $0.91mn to Indonesia, Switzerland returned $42.4mn to Taiwan China

62
Q

Asset Returns 2010-2021: What is the general trend and which years had highest returns?

A

General trend: Significant variation year-to-year. Highest returns: 2019 ($670mn+), 2020 ($640mn+), 2010 ($540mn+). Lowest returns: 2015 ($30mn), 2016 ($40mn), 2012 ($80mn). Total 2010-2021 period shows ~$3.5 billion combined value returned

63
Q

===PETROBRAS CASE 2023: Brazilian Corruption Scandal===

A
64
Q

Petrobras Swiss Asset Return 2023: What were the key numbers and process?

A

Total frozen in Switzerland: USD 800 million. Suspicious ML transactions detected: 340. USD 120 million released through out-of-court settlement agreement

65
Q

Petrobras Case - UNCAC Offenses: What three articles were implicated?

A

Article 15: Bribery of national public officials. Article 16: Bribery of foreign public officials and officials of public international organizations. Article 23: Laundering of proceeds of crime

66
Q

Petrobras Case - Legal Basis for Swiss Authorities: What was their stated interest?

A

Swiss Office of Attorney General (OAG) stated: 'The Brazilian bribery scandal affects Switzerland's financial centre and its anti-money-laundering strategy, with result that the OAG has a close interest in contributing fully to the resolution of the scandal through its own investigations'

67
Q

===TECHNICAL TOOLS: FIU Powers & Interpol Notices===

A
68
Q

FIU Power to Block Transactions: Which countries can block transactions and for how long?

A

Countries with blocking power (maximum time): Barbados (72 hours), Belgium (2 working days), Bulgaria (72 hours), Croatia (2 hours), Czech Republic (72 hours), France (12 hours), Italy (48 hours), Luxembourg (unlimited), Poland (48 hours), Slovenia (72 hours), South Africa (5 days), Thailand (3-10 days). Most common: 48-72 hours

69
Q

FIU Power to Freeze Accounts: Which countries can freeze accounts and for how long?

A

Only 2 countries listed with freeze power: Barbados (5 days maximum), Thailand (90 days maximum)

70
Q

Interpol Silver Notice: What is it used for?

A

Issued when there is credible information that individuals or entities are using virtual currencies to conduct illegal activities, such as Financing Terrorism, Money Laundering and drug trafficking. Part of pilot phase for identification and tracing of criminal assets

71
Q

Interpol Notice System: Name all 9 types of Interpol notices

A

1) Red Notice: Wanted persons, 2) Yellow Notice: Missing persons, 3) Blue Notice: Additional information, 4) Black Notice: Unidentified bodies, 5) Green Notice: Warnings and intelligence, 6) Orange Notice: Imminent threat, 7) Purple Notice: Modus operandi, 8) Silver Notice (Pilot Phase): Identification and tracing of criminal assets, 9) Interpol-UN Security Council Special Notice: Entities and individuals subject to UNSC sanctions