Abstract

In this article, Hiroyuki Kanae and Hidetaka Miyake, Partners at Anderson Mori & Tomotsune, discuss a recent significant fraud case in Japan. There were many noteworthy points in this case, such as the fraudulent transfer of a huge amount of money by an employee who was working remotely, the conversion of the stolen funds into cryptocurrency, and the prompt recovery of all assets through international cooperation between the Japanese and U.S. authorities.

1. Introduction

Sony Life Insurance Co., Ltd. ('Sony Life') publicly announced on August 4, 2021 that its overseas consolidated subsidiary, SA Reinsurance Ltd. ('SAR'), had learned that approximately JPY 17 billion (approximately USD 155 million) had been transferred from its bank account without approval. On December 1, 2021, Sony Life stated that its employee ('Mr I') was arrested by the Tokyo Metropolitan Police Department on November 29, 2021 on suspicion of fraud. Furthermore, on December 21, 2021, Sony Life revealed that another case concerning Mr I had been sent to the prosecutor's office on suspicion that he had violated the Act Concerning Punishment of Organized Crimes, Control of Crime Proceeds and Other Matters.

In the meantime, the U.S. Department of Justice ('U.S. DOJ') announced on December 20, 2021 (local time) that it had filed a civil forfeiture complaint to protect and return to Sony Life more than USD 154 million seized by the FBI on December 1, 2021. The U.S. DOJ's public announcement revealed that Mr I had carried out the fraud in May 2021, and that the stolen funds had been converted into approximately 3,879 bitcoins worth more than USD 180 million at the time of the public announcement.

There were many noteworthy points in this case, such as the fraudulent transfer of a huge amount of money by an employee who was working remotely, the conversion of the stolen funds into cryptocurrency, and the prompt recovery of all assets through international cooperation between the Japanese and U.S. authorities.

In this article, we review this case based on publicly available information and discuss the lessons that can be learned from it.

2. Massive illegal money transfers carried out during remote work

SAR was engaged in the reinsurance business in Bermuda and was in liquidation with a view to being dissolved at the end of September 2021. Mr I was seconded to SAR from Sony Life and was in charge of the liquidation procedures such as converting SAR's financial assets into cash and returning them to Sony Life. Three persons including Mr I were seconded from Sony Life to SAR, and Mr I had only one supervisor.

SAR held funds in multiple accounts, and Sony Life transferred those funds to banks in Japan through a pattern of transactions. Specifically, Sony Life transferred Japanese yen to its Citibank account in Bermuda and converted it into U.S. dollars. Mr I was in charge of these currency exchange and fund transfer transactions. Sony Life handled the international remittance process securely through Citibank's Secure Financial Transfer Portal/Protocol ('SFTP'). The money transfer process by SFTP required double authentication through the email accounts of Mr I and his supervisor.

From December 2020 to February 2021, Mr I changed the email account of his supervisor in the SFTP authentication process from the official email account of Sony Life to another email address controlled by Mr I without permission. In March 2021, Mr I opened an account without permission in the name of SAR with a crypto asset company, Coinbase, by using false information that gave the impression that his supervisor was the individual associated with the Coinbase account, and in April of the same year, he set up a cold wallet and established a rule that would cause all funds deposited into the Coinbase account to be transferred into the cold wallet.

Following these preparatory actions, from May 18 to 20, 2021, Mr I fabricated his supervisor's approval in the SFTP authentication procedure and transferred JPY 16,962,800,068 to the Citibank account in Bermuda, and converted the amount from Japanese yen to USD 154,932,103.17. In addition, Mr I instructed Citibank to remit the converted US dollars in full to a Silvergate Bank account in California which he managed. The account was a Coinbase credit account, and the entire dollar amount was converted into approximately 3,879 bitcoins and transferred to Mr I's cold wallet as configured under the abovementioned rule. It appears that Mr I thought that if the stolen money was converted to cryptocurrency, it would not be frozen even after the discovery of the crime, so he exchanged it for Bitcoin.

3. Prompt asset recovery via international cooperation

On May 20, 2021, Sony Life confirmed the illegal fund transfer and reported the incident to the Financial Services Agency and the Tokyo Metropolitan Police Department. Furthermore, Sony Life filed a criminal complaint with the Tokyo Metropolitan Police Department after it found in its investigation into the incident that no unauthorized access or system malfunction had occurred.

On May 25, 2021, 5 days after the illegal money transfer was executed, Mr I sent an anonymous email in both Japanese and English to his supervisor's official email address with the message, "If you accept the settlement, we will return the funds back." Over the next two days, May 26 and 27, Mr I sent anonymous e-mails to his supervisor and certain executives of Sony Life threatening them not to report the incident to the police.

In the meantime, the Tokyo Metropolitan Police Department asked the FBI to cooperate in the investigation and identified the final recipient of the money from Mr I's Bitcoin address. The U.S. DOJ announced that it had seized all of the approximately 3,879 bitcoins and that it had filed a civil forfeiture complaint with a local US court to protect and refund the funds to Sony Life. The bitcoins were kept in Mr I's cold wallet, but the Tokyo Metropolitan Police Department conducted a search of his house and other places and obtained evidence leading to the discovery of the private key to the wallet, and conducted an analysis in cooperation with the FBI. The U.S. DOJ stressed that the stolen funds were successfully seized in full because Sony Life and Citibank had immediately contacted and cooperated with the authorities after discovering the fraudulent money transfers and because of the FBI's international cooperation with foreign authorities.

4. Criminal charges and preventive measures

After conducting the necessary investigations, the Tokyo District Public Prosecutors Office indicted Mr I on fraud and other charges. On June 7, 2022, the first public hearing was held at the Tokyo District Court where Mr I admitted to the criminal charges. On November 18, 2022, the Tokyo District Court imposed a jail term of 9 years on Mr I.

On July 20, 2022, Sony Life announced measures to prevent a recurrence of this incident. In particular, Sony Life announced that it will strengthen its management of employee information, based on its analysis that one of the causes of this incident was that copies of the ID documents related to the persons who were authorized to authenticate transactions through SFTP were stored in a location that Mr I could access and use illegally, and that appropriate measures such as setting a password to restrict access were not taken.

Sony Life also emphasized that SAR had not conducted its own ID management through online banking since it ceased its reinsurance operations in April 2021, and that SAR had not conducted daily checks of its bank account balances since April 2021, when daily fund transfers ceased to occur. In addition to thorough daily checks of bank account balances, Sony Life also decided to conduct regular checks of ID registrations by overseas subsidiaries, and to have the results verified by the overseas subsidiaries management division and headquarters management division of Sony Life.

Sony Life also announced on July 20, 2022 that, following judicial proceedings in the United States, the bitcoins were converted to US dollars for the purpose of protecting assets, and on July 12 of the same year, a court ruled that approximately USD 161 million would be returned to SAR. It was suspected that Sony Life recovered approximately JPY 22 billion, which is JPY 5 billion more than Mr I fraudulently transferred, due to the weaker Japanese yen.

5. Lessons learned from this case

While remote working practices create environments that facilitate employee access to company materials and information to improve operational efficiency, it is also important to note that this increases the risk of fraud.

This case has a significant precedential value in the sense that funds converted into cryptocurrency were successfully recovered. This means that the conversion of stolen funds into cryptocurrency does not allow a perpetrator to escape the authorities' pursuit. However, considering the fact that the rapid response of companies and international cooperation among authorities contributed significantly to the early recovery of assets in this case, companies need to bear in mind the importance of responding quickly at the initial phase of an incident.

Originally published by ICC FraudNet.
