Can you fight BEC popularity in Nigeria by steering youth to legitimate IT jobs?
Last fall, Ronnie Tokazowski, a senior threat researcher at security firm Agari and a well-known figure in the cybersecurity community for his extensive knowledge of business email compromise (BEC) cybercrime, went on YouTube to ask for help in financing a very unique project aimed at experimenting with a new way of fighting BEC crime in Nigeria, the home of most BEC gangs.
Rather than take a hammer approach and go after BEC gangs and their members, Tokazowski pleaded with his followers and industry peers to raise funds for a tech hub aimed at educating Nigerians in various tech disciplines.
Tokazowski, working together with the mastermind of this idea, Nigerian Manasseh "Manny" Udim, reached the conclusion that if Nigerians were to receive training and gain the skills necessary for getting a normal IT job, they would be far less attracted to a career in cybercrime, where the rewards are large, but so is the punishment.
Last week, Tokazowski revealed that after months of fund-raising, the tech lab —named FutureLabs— was not only ready but was already teaching its first classes, and well underway into becoming a success story on the local Nigerian tech scene.
The Record sat down with both Tokazowski and Udim for an interview about their most recent endeavour, how it came to be, and what are their future plans. The interview has been lightly edited for grammar and clarity.
The Record: Tells us where the idea came from and when you decided to have a crack at it?
Manny: After I left paid employment in 2017, I joined Starthub.com.ng, where I learned web development and learned how to freelance on Fiverr. And it drastically changed my life, so I thought of starting one in my hometown.
Ronnie: Like many of the conversations I've been having over the last several months, it started with chatting with strangers on Twitter. I have been tracking Nigerian fraud for around five years or so, including many hours of personal research into studying Nigerian culture and history. It's something where people think Nigerian crime is only bad people doing bad things, but it's something that's more culturally accepted than not. And it's that perception that really has to change.
Manny and I had gotten to chatting over Twitter, and one of the initial sentiments that we both shared is that education (specifically, the lack thereof) is a key component to why these types of crimes happen. For many of the victims I've worked with over the years, many seem to lack the understanding that people lie on the internet, which statistically hits the older crowd harder. While there are obviously ways to make money on the internet, many Nigerians don't realize that there are legal ways to make money with the internet, such as coding or developing software. Some have started to realize this, and Nigeria is at the very beginnings of becoming a technical hub in Africa.
Manny was curious about finding an investor for the hub, so I started socializing the concept to see if folks would be interested. We were able to raise some funding with the Youtuber Pleasant Green (I really like what he's doing and support his mission) and still were a few thousand short. I hit up a few mailing lists to see if anyone wanted to help support, and an investor was able to come through and help fund the rest of the hub! That's how it was born, strangers talking (and listening) to each other's problems on the internet.
The Record: Walks us through the process of translating this from an idea to an actual living and breathing Nigerian organization?
Manny: It all started with a business plan, then somewhere along the line —I think after working with a client on Fiverr— it struck me that a pitch deck was better, so I converted the plan to a deck. Before then, I had sent the plan to a couple of mentors, family, and clients I met on Fiverr, but I couldn't raise yet. Eventually, I ran into Ronnie, and we spoke about BEC, and I pitched digital education as a solution to cybercrime.
We met after I had written about two articles about cybercrime on Medium in preparation for launching a digital info product about romance and business email compromise, which was in itself a result of a tweet by @Asemota after the Invictus Obi scam went viral. The tweet was about a cyber defense course from Nigerians exposing the ins of cybercrime to people who could easily fall prey due to ignorance. After I met Ronnie, as part of my attempt to create awareness for the article and the would-be info product, I started focusing more on bringing the innovation lab to life. I guess hanging around Gumroad, and Twitter had an effect on me. Maybe I might go back to complete and give away the info product soon.
After I sent the pitch deck to Ronnie, who did a Youtube video (embedded below) and appealed for sponsorship and we cumulatively raised about $2,800 with the aid of a Lead Investor—I don't want named yet because I don't have his permission to.
Ronnie: Yes, we had lots of help with folks on the outside. We started off with a fundraiser on Pleasant Green's Youtube channel, where he and I discussed all things Nigerian fraud, how it works, and what some of the actual damages are that happens with victims. We were able to raise around $400 through those efforts but were still short. After hitting up a few mailing lists, we were able to raise the rest of the funding that we needed!
Manny: Once the money came in, bringing the organization to life was the easier part. I happen to know a lot of techies, and just who is required to perform certain functions and roles, I believe it's a gift from God, so a team was already available to hit the ground running. The major challenge we had was finding a suitable space.
We recently partnered with Starthub as a training center to train 21 Ikot Ekpene Youths in Digital Skills under the Ibom 3000 scheme, so we have local partners.
The Record: Where is the center located, and when did it start operating? How many Nigerians have signed up? Are there any requirements for signing up?
Manny: We started operations on January 11, 2021. We currently have 32 people on our books. The requirement for signing up is a smartphone and a laptop, but we recently installed broadband internet in the lab, so the smartphone is no longer a requirement, and we are exploring ways we can buy about 10 - 50 laptops for the next set of applicants, so we can strike that off as a requirement too.
The center is located at No 3 Chubb Road, Ikot Ekpene, Akwa Ibom State.
The Record: How many people have contributed to the center so far? In what way? Only through donations, or have people also donated their time?
Manny: A lot of people have contributed monetarily and otherwise, more than I can count. We currently have a burn rate of $1000/month because our trainers are more like volunteers than staff. I took most of my friends in Uyo who are experts in their fields to become trainers at FutureLabs. People have donated both time and resources.
The Record: What are your relations with the local government?
Manny: We were recently contacted by the mothership (starthub.com.ng) to serve as a training center for the Ibom 3000 project, which is a government-backed project. We don't have any direct links with the government yet. I'm not really making serious overtures to the government because of bureaucracy. And like someone recently said "government involvement always has several layers of interest," and I'm not prepared to deal with that soon.
The Record: Besides training locals into IT topics, will the center help Nigerians find local or abroad employment?
Manny: Short answer: yes. Part of our curriculum involves teaching trainees how to get jobs on freelance platforms like Fiverr and Upwork because that's how we started. The long-term plan is to build a freelance and contractual platform like Fiverr and Upwork but tweaked to our everyday reality. I love what Filipinos have doing with remote jobs. Another plan is placing exceptional individuals in Western organizations, but I haven't fully figured how that will work out.
Ronnie: I really hope so, as many people in Nigeria just want to provide for their families. However, one of the biggest problems we have in Western society is that companies and organizations are hesitant to hire Nigerian due to decades of scamming from the Yahoo Boys. I've heard many locals say: "Well, I had this great job opportunity, but once I mentioned I was Nigerian they called me a scammer and quit talking with me."
To me, this is a more confusing concept than not, as this is a pretty easy problem for a company to work through. Most organizations have two-four weeks before an employee gets paid, so if the employee doesn't do work in 2-4 weeks, wouldn't the company be able to tell? In the day and age of remote work, not hiring someone simply because "they might be a scammer" is pretty silly, as a measurement of "you're not doing work" is easy to check.
The Record: On this note, aren't you afraid you'll just be educating the next generation of BEC scammers and cybercrime groups? Or is the center's training agenda specifically crafted to avoid weaponizable skills?
Manny: Cybercrime is not something random in Nigeria. It's a culture and an ideology that requires an active community to thrive. So everyone that is part of FutureLabs has hopefully been exempted from Yahoo culture. Also, we are about bringing in Nigerian TechStars to share their stories and inspire the next generation of stars. People mostly join cybercrime because of lack of opportunities, so I believe that creating opportunities in tech depletes the would-be cybercrime army.
Ronnie: This is a valid fear for anyone who would be in this situation; however, we have to start making calculated risks such as this in Nigeria if we want to start fixing cybercrime in the country. While there has been interest in teaching things like penetration testing, that really makes me feel uneasy, and I would rather teach skills that can be used to further one's progress through life.
What I mean by that is that in Nigeria, there is a HUGE lack of opportunities for people in Nigeria to make a living with technology outside of scamming. If we start doing things to change that, such as raising awareness and giving the people the right tools they need to succeed, we're going to see some amazing innovations coming out of Nigeria within the next ten years. We already see these innovations within the crypto community, with Nigeria being the number one user of cryptocurrencies across the globe.
The Record: It takes a giant leap of faith to start such a project in a country that has been largely responsible for a wave of cybercrime. Have you and your team had indicators that locals were looking for a chance at a normal life and legitimate living? Where did these signals come from?
Manny: Ikot Ekpene, where the Lab is situated, plays host to four tertiary institutions. The institutions have provided most of our trainees. Also, before we started the Lab, I had to sponsor and relocate a friend and a relative to learn at Starthub, so I knew we had fertile ground to capture. Asides from that, I'm an incurable optimist who only sees how the world can get better in different ramifications.
Ronnie: Not only was it a giant leap of faith, but this was a massive leap outside of my comfort zone. I'm not a risk-taker, so much so that I don't even gamble when we go to hacker summer camp (BlackHat and Defcon in Las Vegas).
Honestly, the signals and discussions come directly from locals themselves, with many being open and willing to share their stories and experiences with folks in the west. We just have to listen. Contrary to popular belief, the people involved in the scams are actually known locally, and one of the main sentiments we've heard from multiple people on the ground is that if they had a different opportunity, they would choose a legit path in life. Life is hard when you're not bringing in money or scraping along, and you see one of your peers working a few hours a day driving a Mercedes. Peer pressure is a big thing too, and having a low-risk way to make money when it's common to pay off a cop, why wouldn't someone go for it?
With that being said, there are people who get into it for the thrill and money, so not everyone will choose the path of crime. It's better to give people a chance than no chance at all, and that's what we're trying to do here.
Ronnie Tokazowski, senior threat analyst at Agari
The Record: How would you quantify the center's success? I presume it will take years for any impact to be seen on BEC attack numbers; if any will be observable? Or are you just looking to open a discussion about the need to integrate Nigeria's enormous IT workforce into the worldwide economy?
Manny: Well, we have had a level of success because people have gone from being total novices to being good at CAD, Product Design, and Frontend Development. But it will take at least two years to notice any remarkable change, and as you asked, I believe if Nigerians are integrated into the American economy like Indians and Filipinos, it will go a long way in stemming cybercrime because lack of opportunity is a driver in the recruitment of foot soldiers. I will write an article soon on how these cybercrime gangs operate. They work like terror cells. Closely knit and faring well, so when young folks see them as successful models in the battle to escape poverty, they might get tempted to join. We are destroying that model by being positive role models. One of our goals is to help each trainee make $2k in the next six months, which is like a million Naira.
Ronnie: Success is easily one of the most difficult things to quantify when it comes to BEC due to how large and geographically spread out the crime and related active activities actually are. What I mean by that is that when people typically think of BEC, they normally think, "Oh, it's just some Nigerians sending a few emails." What they fail to realize is that to get bank accounts, scammers have to socially engineer romance victims in order to obtain bank accounts. Not only are romance scams related, but Nigerian actors are involved in a dozen other things, such as credential phishing, check fraud, advanced fee fraud, document forging, lottery scams, and pretty much everything that falls under the umbrella of a 419 scam. You know, the Nigerian prince scams? All of those are directly related, and by "directly related," I really mean "it's the same actors doing the same crimes."
When you start piecing together all of the moving pieces, it instantly becomes a global jigsaw puzzle, with hotbed countries such as South Africa, Ghana, Kenya, Malaysia, and UAE being a part of the pie. Stolen funds get sent through China, Hong Kong, and some European countries. Cameroon is another place that isn't talked about when it comes to cybercrime; however, if you ever see a fake listing for puppies, there's a good chance that it's a Cameroonian on the other end. Heck, Hushpuppi even laundered bitcoins for North Korea, so DPRK even gets a cut of the pie. And none of this is me trying to inflate the crime. These are all cold hard facts that are just a Google search away.
For those who don't know me, it may come off as somewhat arrogant when I say, "BEC is the largest problem," but I'm just calling the shots as I see them. I hunted APTs. I named crimeware families. I've worked with law enforcement on cases. The sad truth of BEC is that when we're identifying hundreds of thousands of potential actors based on multiple points of affiliations, starting having to dabble in understanding how voodoo plays into the crime, identify suicides, murders, drugs, and human trafficking as tied to this stuff. I really mean, "We need to start fixing this because the truth is absolutely, and they're hacking your widowed grandfather or grandmother out of your inheritance who is now suicidal because they just lost everything."
It's for these exact reasons that measuring BEC becomes extremely hard to quantify. For wins, we can ramble off that we have had almost 1,000 arrests from dozens of law enforcement agencies, field offices, and international law enforcement in the BEC space over the last five years, nuked thousands (probably tens of thousands by this point) of accounts, both email and social media, reversed millions of dollars, have identified (and saved) hundreds, if not thousands of romance victims, have well over 500 people behind the scenes fighting this, and yet we still have $200 billion dollars of COVID relief funds go out in 2020 because states can't de-duplicate a few IP addresses and email accounts? Everyone I've worked with has done amazing things, but damn if it isn't hard to stay optimistic. And to think, I used to be upset about bits and bytes flying across a network.
Very long "success rant" aside, in order to measure success in BEC, we can only do it one way: watch for downward spikes. When we start to see things like romance scams, check fraud, puppy scams, and advanced fee fraud going away, that's when we can start celebrating. In my opinion, poverty and lack of opportunities in Nigeria are a big player in this, so figuring out a way for Nigerians to have legitimate work is one of the ultimate "fixes" to this mess.
BEC, such a small problem, right? Nope. :-/
The Record: What are the center's biggest hurdles/problems right now? What's giving you a headache?
Manny: The major issue now would be funding and patience. Because I observed there's grit to organic growth, and we need to maintain a balance between buying time growing in a healthy way.
The Record: For how long is the center currently funded? Would you still be relying on donations and help in the future?
Manny: We are currently funded for the next six months because we recently raised $6K from our lead investor, which I hoped to multiply with Crypto and DeFi, but it hasn't been as easy as I thought. At a burn rate of $1K per month, $6K will take us six months.
The Record: Talk to us about future ideas for the innovation center?
Manny: We certainly plan to expand to Uyo very soon if we get the funding we are expecting from a Nigerian Foundation. Also, we plan to slowly evolve from being Tech Generalists to being a training center as well as incubation space for world-class software companies. We have plans of expanding within and outside Africa, but that will cost a lot of money and time, and we don't think it's time yet.
Ronnie: I would love to see more people standing up similar hubs as there is a huge gap in computer knowledge right now. There are so many things that people can do and create once they learn a programming language, and it's just a matter of time before all of that takes off!
Catalin Cimpanu
is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.