Wirecard Had a Wild Run

Wirecard!

Two of the main forms of financial crime are:

1. You have a business that does not make any money, but you’d like people to that it makes money, so that they will give you money. So you write financial statements that say you have a lot of income, but you don’t; the money that you are earning is fake. 
2. You have a business that makes a lot of money, but by doing crime. You would like to be able to spend the money in the legitimate financial system, use it to buy houses or sports teams or Treasury bills or whatever. So you write financial statements that say you have a lot of income from legitimate activity, but you don’t; your income statements — and the legitimate activities they describe — are fake. But the money is real. 

One risk for short sellers or journalists or other sorts of investigators looking into a financial fraud is mistaking Thing 2, money laundering, for Thing 1, regular financial fraud. Thing 1 is more tractable, to the average sort of financial person. Thing 1 is a crime of spreadsheets: The criminal act consists of writing a spreadsheet with fake numbers in it and getting your auditors to believe it. Thing 2 is a crime of, you know, crime; the people doing that crime have done the underlying crime that they are concealing, or at least they work for people who did it. Often that underlying crime took place in physical reality rather than spreadsheets, and the people who do it are scarier than people who mainly manipulate spreadsheets. 1

The risk, for an investigator, is that you find a company with fake accounts and say “aha this company has fake accounts, it didn’t really make all this money, the money isn’t there, I will expose this person who is typing lies in a spreadsheet!” And then you find out that in fact the money there, but it belongs to Russian mercenaries who did not want to be exposed, whoops!

At the New Yorker, Ben Taub has an absolutely rollicking story about the collapse of Wirecard, the fraudulent German payments company that was exposed by Dan McCrum at the Financial Times. Oversimplifying it a bit, the main thing that McCrum found is that Wirecard kept partnering with local businesses in Asia that turned out to be fake; ultimately, in 2020, it “announced that nearly two billion euros was missing from the company’s accounts,” which “amounted to all the profits that Wirecard had ever reported as a public company.” There are competing, partially overlapping theories about how that happened. Here is the traditional one:

Over coffee in London, a hedge-fund manager named Leo Perry shared with McCrum his theory: Wirecard’s primary business model was to lie to the public, claiming huge profits, so that investors would push up its share price. However, “faking profits, you end up with a problem of fake cash,” Perry said. “At the end of the year, the auditor will expect to see a healthy bank balance—it’s the first thing they check. So what you have to do is spend that fake cash on fake assets”—dormant shell companies in Asia, reported as profitable investments.

Report fake profits, generate fake income, use the fake income to buy more fake companies that generate more fake profits: straightforward stuff, financial fraud, a spreadsheet crime. Here is the other theory:

[Short seller Fahmi] Quadir and [her employee Christina] Clementi cultivated confidential sources in the payments industry, and developed a working theory: that the company’s primary business purpose was to serve organized criminal networks and Russian oligarchs—to be a “one-stop-shop” for “large-scale money laundering operations that would require scale to support billions in dirty money, annually,” they wrote, in a presentation for Safkhet investors. The key was Wirecard’s banking license, which enabled it both to accept criminal funds and to obscure their source. …

“You cannot understand Wirecard if you understand Wirecard only as fraud,” Felix Holtermann, a financial reporter at Handelsblatt, told me. “It’s not a Potemkin village, it’s not a Bernie Madoff case.” According to Holtermann, who has also written a book about the company, Marsalek routinely “used his power to override Wirecard’s very, very small compliance department” to issue bank accounts, credit cards, and debit cards to Russian oligarchs who were on European financial blacklists. “Germany was, and still is, the money-laundering saloon of Europe,” he said. “Only the biggest washing machine broke.”

Quadir was eventually “punched in the head by a masked man with brass knuckles while walking her poodle on the Upper West Side,” though it is unclear whether that is related to Wirecard. But Jan Marsalek, the chief operating officer of Wirecard, uh … “helped facilitate a deployment of Russian mercenaries into Libya,” is one thing he did? Or there’s this meeting with Paul Murphy, McCrum’s editor at the FT:

That fall, Marsalek summoned Murphy to Germany for another lunch, in a private dining room, and handed him a stack of documents. They contained official Russian government talking points, addressed to the U.N.’s chemical-weapons body, casting doubt on the British investigation of the Skripal poisoning. The files—marked classified—also contained the chemical formula for Novichok. “Where did you get these?” Murphy asked. Marsalek smiled and said, “Friends.”

Ah! Or:

By now, Marsalek had fully entrenched himself in the affairs of his Russian mercenary friend, Stanislav Petlinsky. Wirecard arranged a deal with the R.S.B. Group’s holding company in Dubai, to sell the mercenaries its prepaid-debit-card software. In an encrypted chat with Dagmar Schneider, a senior member of Wirecard’s finance team, Marsalek wrote that if auditors had questions about R.S.B. they should call Vladimir Putin. As McCrum and Palma closed in on the fraud in the Philippines, Marsalek joked with Schneider about having people “shot by MY Russians at RSB.” The following week, he wrote to her that he had “been struggling with the FT since 5 in the morning.”

“Send YOUR Russians to London,” Schneider replied. “They should give us some peace.”

See if someone came to me and said “there is a company that fools its auditors using dormant shell companies,” I’d be like, ooh, fun, financial shenanigans. But if they said “and its leader has fully entrenched himself in the affairs of his Russian mercenary friend,” I would be worried.

ChatGPT

stereotype of chat-based large-language-model artificial intelligence products in early 2023 is that they are very good at sounding smart but not so good at being correct. If you ask a model like ChatGPT to write up some investment recommendations, it will produce plausible fluent prose that reads like a professional investment recommendation and that includes compelling citations to data points, but the data might be all made up and the recommendations might be worthless. It is good enough to convince the uninformed, but not good enough to act on.

Given that stereotype, you might imagine two ways for big banks to think about these models:

• “Being fluent, confident and wrong is a core job function of a banker or investment analyst, and ChatGPT allows our employees to be much more efficient at it, so we should encourage them to use ChatGPT as much as possible.”
• “Our clients will be annoyed with us if we are constantly fluent, confident and wrong, so we should ban use of ChatGPT until we are more confident that its recommendations are correct.”

Obviously the first approach would be very funny, but the second is more realistic. But in fact there is a third, less obvious, but even more correct way for big banks to think about the use of these models:

• “If our employees type about business on a computer or a phone, it had better be in a software system that we control and that creates a searchable record that we can preserve forever, because otherwise our regulators will get mad at us. ChatGPT is an artificial intelligence model, but it is also a box for typing on a computer, and that’s too big a regulatory risk for us.”

Bloomberg’s Gabriela Mello, William Shaw and Hannah Levitt

Wall Street is clamping down on ChatGPT as a slew of global investment banks impose restrictions on the fast-growing technology that generates text in response to a short prompt. 

Bank of America Corp., Citigroup Inc., Deutsche Bank AG, Goldman Sachs Group Inc. and Wells Fargo & Co. are among lenders that have recently banned usage of the new tool, with Bank of America telling employees that ChatGPT and openAI are prohibited from business use, according to people with knowledge of the matter. 

In a regular, routine reminder of unauthorized apps including WhatsApp, BofA added a reference to ChatGPT specifically, and has repeated in internal meetings that new technology must be vetted before it can be used in business communications, the people said.

We have a few  about the US Securities and Exchange Commission’s crackdown on banks that use anything other than “official channels” to do business: If you text a client from your personal phone, or send her a WhatsApp message, that will get you and your bank in trouble. Not that you texted her about doing crimes, I mean, but sending perfectly innocent businesslike communications over unofficial channels will get you in trouble. You’re still allowed to talk about business in person, over lunch, but give it time. I wrote earlier this month

In like five years, technology — and the SEC’s interpretation of the rules — will have advanced to the point that banks will get fined if their bankers talk about business with clients on the golf course. “You should have been wearing your bank-issued virtual reality headset and recorded the conversation,” the SEC will say, or I guess “you should have played golf in your bank’s official metaverse, which records all golf conversations for compliance review, rather than on a physical golf course.” The golf course is an unofficial channel! No business allowed!

Well, similarly. If you want to get advice from a robot about how to invest — or if you want the robot to help you write a presentation for clients — then you had better communicate with the robot using official channels! Typing in the ChatGPT box isn’t an official channel, so it's not allowed.

standard thesis of environmental, social and governance (but especially environmental) investing is that companies regularly do stuff that causes externalities, and over time laws and norms will evolve so that they will have to internalize those externalities. One way for that thesis to work is something like this:

1. There is some company that makes some product that it sells for a lot of money, but the production process creates a lot of pollution.
2. Right now, that pollution is “free”: The company can dump its poisonous byproducts in the nearest river or whatever. This makes the production process cheap, so the company is profitable.
3. But soon, the pollution probably won’t be free: The local government will probably tell the company not to dump its byproducts, or else customers will refuse to buy the product because they are more attuned to environmental issues and don’t want to encourage pollution.
4. So the company will have to clean up its process, which will be expensive, making the company less profitable or perhaps not viable at all.
5. As an investor, you should think about the likely future restrictions on pollution, and avoid buying companies that are profitable now only because they impose externalities on the world that are not properly priced.

This sort of story makes sense, though you can quibble with specific cases. (Sometimes ESG thinking relies on assumptions about future regulation that are at odds with, you know, the actual regulators.)

Symmetry suggests that there might be companies that produce positive externalities, and over time laws and norms will evolve so that they will get to internalize those externalities: 

1. There is some company that makes some product that it sells for some barely viable amount of money, but the production process somehow cleans up nearby rivers.
2. Right now, nobody is paying the company for cleaning up the rivers.
3. But soon, somebody probably will: Whoever wants rivers to be clean will start writing the company a check for its good behavior.
4. So the company will be much more profitable and can expand its production.

Here is a fun Wall Street Journal story about biochar

Biochar is a black substance similar to charcoal that when buried underground sequesters carbon dioxide, the primary greenhouse gas that causes climate change. It has long been used to improve soil. Now it has suddenly become a lucrative business thanks to carbon credits that companies use to offset their own emissions. …

Among the buyers are JPMorgan Chase and Microsoft Corp. They are attracted to a process that actually removes carbon from the atmosphere and buries it underground, rather than many credits whose impact on emissions isn’t clear. ...

There isn’t much money to be made selling biochar to improve soil. Carbon credits changed that. “When the only potential revenue was through biochar sales, there just really wasn’t much there,” said Josiah Hunt, chief executive of Pacific Biochar Benefit Corp., a California startup that works with biomass power plants to produce biochar, then sells it to farmers. 

Carbon-credit sales now generate millions of dollars for some biochar businesses. “The carbon credits and society’s decision to act on climate change make this a real business,” Mr. Hunt said.

He was working as a landscaper in 2008 when he read an article in National Geographic about biochar’s potential to boost soil health and address climate change. After making his own biochar and testing it in soils, he launched the company that became Pacific Biochar a few years later.

The business struggled because the price was too high, roughly $600 a ton. That changed in late 2020 when the company started selling carbon credits for roughly $150 per ton of carbon dioxide removed to Microsoft and others through a platform called Carbonfuture.

The extra revenue let Mr. Hunt cut prices and sales grew. He now delivers biochar to vineyards and other businesses. Pacific Biochar’s sales are expected to hit a few million dollars this year, the majority of which is money from carbon credits. 

The point here is that this is a real normal business — producers produce biochar and sell it to farmers who want better soil — but it is a barely viable business, because the cost of producing the biochar is higher than most farmers are willing to pay. But it produces positive externalities, and if you can get someone to pay you for those then you’ve got a viable business.

How do you get people to pay you for those externalities? In theory everyone on earth benefits from having less carbon in the atmosphere; I guess you could take up a collection. But in practice the answer is that some companies create negative externalities in the form of carbon emissions, and due to some combination of regulation, customer pressure, shareholder pressure, employee pressure, etc., they have to internalize those externalities. And instead of doing that themselves — by not producing stuff that creates carbon emissions, by telling their employees not to get on planes to visit clients, whatever — they buy carbon credits in a financial marketplace. They internalize the bad externalities by buying good externalities from the biochar people.

Elsewhere in ESG, here is a Wall Street Journal story about anti-ESG that includes the sentences “Conservative activists are coordinating a multimillion-dollar national campaign to make ESG the next CRT” and “A digital ad by the Heritage Foundation’s political-action committee portrays an oil-and-gas driller being denied a small-business loan in part because he has never ‘identified as a woman or even nonbinary.’”

Wormhole 

In general, in the US, most people have the mostly correct sense that if someone scams some money out of their bank account, they can call their bank and the bank will put it back. The intuitive process is roughly:

1. Someone scams you into sending them money from your bank account.
2. You call your bank and say “I was scammed, my transfer of $2,000 last Thursday was a fraud,” and provide some details.
3. Your bank looks at where the money was sent and calls the recipientbank — the scammer’s bank — to say that the transaction was a fraud.
4. The recipient bank takes the money out of the scammer’s account and sends it back to your bank, which puts it back in your account.

This is not a completely accurate description of the process or anything, and there are various imperfections; in particular, knowing this risk, the scammer might sensibly move the money of the recipient account as soon as she gets it. She might move it among a bunch of banks to obscure its provenance, or she might move it to a bank in a less regulated jurisdiction to avoid having to give it back, or she might take it out of the bank in $100 bills before you notice that you were scammed. 2  But broadly speaking bank transactions are reversible: Banks are regulated entities that keep lists of who has money, and if the lists get messed up due to fraud or hacking then people at the banks will try to fix them.

In crypto, things are … I don’t know …. different-ish? A little different? Philosophically, crypto has an ethos of irreversible transactions and immutable code; when crypto platforms are hacked the hackers will sometimes boast that they were just doing what the code allowed them to do. But practically:

1. Crypto transactions are traceable, in many ways easier to trace than transactions in the regular banking system: Blockchain transactions are public and immutable, and removing crypto from the system by turning it into $100 bills or real estate or bank deposits is often challenging. 
2. The code mostly isn’t immutable: In some bits of crypto, somebody probably has the ability to block or freeze transactions, to modify smart contracts, or even to send crypto from one address to another without the permission of the person holding it. This isn’t true of bit of crypto — it’s not true of the Bitcoin blockchain, say — but you just need to find the right bit.
3. In practice the people who have the ability to block or freeze or reverse transactions might be susceptible to the same sorts of appeals as a banker would be. “We were defrauded and that’s unfair, look at the evidence” might work. Or: “Look at this court order we got.” Or: “If you don’t stop this fraud you will be a criminal accessory to money laundering.” Those sorts of appeals.

Anyway last year a crypto bridge called Wormhole was hacked, and about $320 million was stolen; Jump Crypto, a large crypto trading firm, ended up eating most of the loss. Because it is crypto, people — including Jump — were able to track where the money went. Pleasingly it went into crypto gambling; Molly White writes

Rather than trying to launder and then cash out their profits into fiat, they have instead moved the funds through various decentralized finance (defi) protocols. In late January 2023, after a period of dormancy, they began to take highly-leveraged positions on the liquid Ethereum staking derivatives stETH (Lido) and rETH (RocketPool). In fact, between the capital they deployed and the leverage, they became the third-largest holder of wrapped stETH in existence. Some in the crypto industry were a little mystified, and wondered if perhaps the attacker was a crypto-native taking “degen” positions.

But to get that leverage, the hacker went to — not a bank, but to a lending protocol called Oasis. The hacker deposited its crypto in smart contracts on Oasis, but those smart contracts’ code was not quite immutable. White:

The smart contracts for Oasis’s automation tools are what’s known as upgradable smart contracts, meaning they employ a technique to make typically immutable blockchain code mutable. … Upgradeable smart contracts are sometimes controlled by a single entity, but are often managed by a group of some kind, such as a DAO or a multi-signature contract (multisig). … Oasis used a multisig. If Oasis wanted to upgrade a contract, four of its twelve multisig members needed to approve the decision. … Because Oasis is controlled by a company, Oazo, the key holders are likely just a group of Oazo employees. ...

You can probably figure out where this is going. Jump apparently went to Oasis and said “you have money that belongs to us.” They also got a court order to get it back. Oasis obligingly modified the smart contracts to give the crypto back to Jump, and Jump took it:

Once the funds were under Jump’s control, they exited the positions in the Oasis vaults, repaid the $78 million loan that the hacker had taken out from Oasis, and returned the 120,695 wstETH (currently ~$214 million) and 3,214 rETH (~$5.5 million) to their own pockets for a total recovery of a bit more than $140 million at today’s prices. Although ETH prices in USD have come down considerably from the initial hack, those staking derivatives could be exchanged for approximately 137,537 ETH, meaning Jump actually came out of this whole debacle with 17,500 ETH than the 120,000 that was stolen a year ago.

Blockworks, which first reported this story, used the headline “Jump Crypto Just Counter-Exploited the Wormhole Hacker for $140 Million.” Did they? I suppose that in crypto, philosophically, if you got hacked, and you manage to get the money back, you would prefer for the story to be “Jump Crypto cleverly hacked the hacker using hacking tools, because crypto is trustless and decentralized and sometimes you have to hack hackers,” rather than “Jump Crypto called customer service and had the transaction reversed.”

Base/Base

around here about how, if there’s good news about some company or thing, the stock of a public company with a similar name or ticker will go up. So in 2021, when Elon Musk tweeted “Use Signal,” the stock of medical-device company Signal Advance Inc. went up 527%. Presumably Musk was referring to the Signal messaging app, which has nothing to do with Signal Advance, but that doesn’t matter. This is not about the expected value of future cash flows. You are playing a sort of free-association video game, and when the word “Signal” is popular you should buy other things that look like the word “Signal.” 

Crypto is even more of a free-association video game, and even less forcused on the expected value of future cash flows, so here you go

Base Protocol's token skyrocketed [Thursday], reaching a high of nearly $7.50 around 11:30 a.m EST after months of price stagnation below $1.

The spike may have been caused by a misunderstanding.

Earlier today, exchange giant COINBASE announced the launch of Base, a Layer 2 blockchain network built using Optimism's OP Stack.

Despite launching the network with the proviso that "we have no plans to issue a network token," speculators began to buy $base, a token with no direct affiliation to Coinbase.

Coinbase launched a thing called “Base,” which does not involve a token, as it said in the announcement. But there is already a token called “Base.” So.

Things happen

Goldman Turns to ‘Make-or-Break’ Unit as CEO Solomon Put to TestRaiffeisen, a senior executive at the bank told the Financial Times, now handles 40-50 per cent of all the money flows between Russia and the rest of the world.” Deutsche Bank Studied Credit Suisse Deals Before Overhaul. TD Bank to Pay $1.2 Billion to Resolve Suit Tied to Ponzi Scheme. Buyout Firms Looking for Bargains Will Be Left Disappointed. Investors Are Bracing for Surge in Market Volatility. JPMorgan Investment Arm Purges Its ESG Funds of Adani Stocks. Blackstone CEO Schwarzman Reaped Record $1.27 Billion in 2022. How much is Manchester United really worth? Exits Mount at Crypto Venture Firm . The Green Energy Revolution Needs a 211-Mile Road Through Pristine Alaskan WildernessTwitter Cuts More Engineering, Product Jobs to Curb Costs. EY China staff encouraged to wear Communist party badges. Newspapers Drop ‘Dilbert’ After Cartoonist Calls Black Americans ‘Hate Group.’ “If I had to bet on any of the Kushners, it would be him.” Chartreuse shortage. People are worried about bond market liquidity. “That fall, in the Columbia, Maryland, office, a group of agents who'd missed their sales goals had to put on diapers and eat baby food out of a trough.”

If you'd like to get Money Stuff in handy email form, right in your inbox, please subscribe at this link. Or you can subscribe to Money Stuff and other great Bloomberg newsletters . Thanks!

1. Not always. If you do a crypto hack and then launder the proceeds, arguably the original crime was even nerdier than the laundering.

2. Your bank might give you the money back anyway, even if it can’t recover it, but that is a separate issue.

To contact the author of this story:

Matt Levine[email protected]

To contact the editor responsible for this story:

Brooke Sample[email protected]