The current state of crypto crime

CAT Labs CEO and founder Lili Infante worked as a special agent for the U.S. Department of Justice for 10 years specializing in cryptocurrency’s use in dark web investigations. Infante gives us the insider’s view of dark web investigations, why it’s so difficult to prosecute dark web actors when anonymity extends all up and down the hierarchy, the current state of dark web markets, and the rise of state-sponsored crypto crime organizations like North Korea’s Lazarus Group. Plus, Infante gives you some expert advice on getting started in crypto crime investigation and forensics research! You don’t need a Tor browser for this info.

0:00 - Crypto crime in 2023

2:46 - How Lili Infante began in cybersecurity

4:50 - Economics, bitcoin and crypto

9:20 - Liberal arts education and cybersecurity

14:05 - Taking on dark web cases

17:30 - What the dark web market is like

20:24 - Neutralizing a dark web market

24:00 - Main threats of crypto threats and fraud

26:50 - State-sponsored crypto theft

28:45 - Why begin CAT Labs

35:40 - Day-to-day CAT Labs CEO work

41:30 - How to work in crypto crime

45:40 - CAT Labs' future

46:58 - Learn more about Infante

47:43 - Outro

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free

– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

[00:00:00] Chris Sienko: Is Cinderella a social engineer? That terrifying monster trying to break into the office. Or did he just forget his badge again? Find out with Work Bytes, a new security awareness training series from Infosec. This series features a colorful array of fantastical characters, including vampires, pirates, aliens and zombies as they interact in the workplace and encounter today's most common cybersecurity threats.

Infosec created Work Bytes to help organizations empower employees by delivering short, entertaining and impactful training to teach them how to recognize and keep the company secure from cyber threats. Compelling stories and likable characters mean that the lessons will stick.

So go to infosecinstitute.com/free to learn more about the series and explore a number of other free cybersecurity training resources we assembled for Cyber Work listeners just like you. Again, go to infosecinstitute.com/free and grab all of your free cybersecurity training and resources today.

Today on Cyber Work, I have an amazing guest for you. CAT Labs' CEO and founder, Lili Infante, worked as a special agent for the US Department of Justice for 10 years specializing in cryptocurrency's use in dark web investigations.

Lili gives us the insider's view of dark web investigations. Why it's so difficult to prosecute dark web actors when anonymity extends all up and down the hierarchy, the current state of dark web markets and the rise of state-sponsored crypto crime organizations like North Korea's Lazarus Group.

Plus, Lili gives you some expert advice on getting started in crypto crime investigation and forensic research. You don't need a Tor Browser for this info. You just need to keep it right here on Cyber Work.

[00:01:46] CS: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cyber security trends, the way those trends affect the work of infosec professionals while offering tips for breaking in or moving up the ladder in the cyber security industry.

Lili Infante is the CEO of CAT Labs, a crypto forensics and cyber security company building tools to fight crypto crime. Formerly as a US Department of Justice, DoJ, special agent, Lili pioneered an early federal task force focusing exclusively on the use of cryptocurrencies and dark web in criminal investigations.

Lili has led major crypto-related investigations for the DoJ in partnership with international intelligence and law enforcement organizations. And so, today for our show, we are going to be talking with Lili all about crypto crime and her work in that field.

Lili, thank you so much for joining me today. And welcome to Cyber Work.

[00:02:44] Lili Infante: Thanks so much for having me. It's my pleasure.

[00:02:47] CS: Uh. Okay. My first question for our guests is usually I ask how they got an interest in computers, and tech and cyber security. And it's pretty clear you have a massive talent for and dedication to all things cybersecurity. So what was the initial spark that brought you down this path? Have you always been kind of an inveterate technophile or [inaudible 00:03:04]? Or did that come later in life?

[00:03:07] LI: So I kind of had a very non-traditional foray into cyber security, I would say. I actually have an economics background. I studied economics in college and then found out about Bitcoin shortly a couple of years after graduating and realized that it was, yeah, a very revolutionary technology especially in the context of economics.

Then I went into Department of Justice and my foray into specifically cyber security went through my investigations into crypto crime and dark web. And then in the past couple of years, when crypto exploded into the mainstream, and I was one of the subject matter experts in crypto-enabled crime and investigating crypto-enabled cases, I realized that a lot of the tax scams and frauds that were coming in were actually crypto-enabled, right?

And the explosion of cryptocurrency into the mainstream caused a lot of these crimes to happen because it brought crypto into kind of the public radar. And crypto also made it very easy to monetize hacks, scams and fraud, right? That was just maybe two or three years ago is when I started really looking into hacks, scams and fraud because of its relationship to cryptocurrency and my expertise in crypto.

[00:04:51] CS: Okay. Well, that dovetails nicely into my next question. And I want to make one quick jump before that. You said you graduated with a degree in economics. Was there something – did your Spidey senses tingle with your sort of economics background about Bitcoin and cryptocurrency? What did that seem like at the time in terms of – compared to like the traditional sort of economic markets that you had like studied in college?

[00:05:18] LI: Well, I think the fact that I graduated in 2009 with my economics degree into a very dead job market, right? That was the heart of the recession, right? And even though I had a great degree, great grades, a good major from an Ivy League school, I still found it very difficult to find meaningful work and a good job. So I ended up going back to school. And many of my colleagues ended up going back to their parents' basements because no jobs even from Ivy League schools.

And when I actually first heard about Bitcoin in 2012 from an episode of The Good Wife.

[00:06:13] CS: Oh, yeah. Yeah.

[00:06:14] LI: And – excuse me. This is my cat. This is my company mascot.

[00:06:20] CS: This is our favorite crypto criminal here.

[00:06:24] LI: Exactly.

[00:06:24] CS: Jumping in to give the counterpoint. Anyway. I'm sorry.

[00:06:29] LI: Yeah, company mascot.

[00:06:30] CS: Yes.

[00:06:31] LI: Yes. Found out about Bitcoin from The Good Wife, which I think is pretty funny. It was an episode called uh Bitcoin for Dummies. And started down a rabbit hole about the technology and quickly realized that it was so revolutionary and especially in the context of economics, right? In a context of money and how money is being managed, right? Because the global monetary system depends on countries, right? It's a very trust-based system. It depends on countries. It depends on banks. Many countries, some more than others, are very corrupt, right? They don't have their citizens' interests in mind.

And of course, bankers tend to be greedy. Also, don't necessarily have the people's interest in mind, right? And a lot of this we saw with the US financial crisis, right?

[00:07:34] CS: Yes, for sure.

[00:07:34] LI: People that didn't do their jobs, right?

[00:07:39] CS: Yeah. Yeah, it was not an accident. It was a systemic – the thing of people deliberately saying, "No. This is where we can make a little extra money and stuff." Yeah, I understand the – yeah, the sort of lack of trust in that regard.

[00:07:55] LI: Exactly. My background in economics told me, "Okay, know this is not a trustless system, right? We have to trust entities and governments. And if we're lucky, we live in a country where corruption is not as pervasive and prevalent. And we can trust that our government's currency won't go into hyperinflation tomorrow, right?"

But that's not the case for everybody. And even the US wasn't immune to these features of the economic system and this trust-based system. When I started digging into the trustless nature of money as was proposed by Satoshi Nakamoto in the Bitcoin white paper, I was just absolutely mind blown. I thought this was the future, right? Because how do we take that human element, right? The element of greed and corruption from money, right? And create a global monetary system based on a standard that doesn't depend on a single entity, right? I thought that was mind-blowing. And that's what started my interest in this field.

[00:09:18] CS: Right. All right. I'm sorry. Before we go on to like the coolest of all stories, one of my most reliable ways to get a sense of person's career arc is to look through their LinkedIn profile. And as you said, you received a Bachelor of Arts in Economics and Master's of Liberal Arts, Extension Studies, General Management. And I bring this up personally just because it's kind of a sticking point for me. A lot of people I know in tech kind of downplay the real benefits of a liberal arts education and they speak sort of positively of college only as like a place to absorb vocational information as quickly as you can and get on with your career.

But I wanted to ask you as a fellow liberal arts degree have-er, how was your educational career influenced or enhanced – how that enhanced your deep dive into cyber security, and crypto crime and blockchain if at all?

[00:10:06] LI: Well, I think just a degree in economics, as I mentioned before, gave me a good base into – a base of knowledge, right? In terms of how the world economic system works, right? And economics is a very interesting degree. It combines quantitative and qualitative skills.

When I entered college, I had no idea what I wanted to do with my life, right? I had no idea. As a matter of fact, when I was in high school, I've always wanted to be a federal agent. That was the thing I wanted to be as a little girl. Then when I was in high school, I looked up how much an FBI agent makes and didn't like the number. And then I kind of dropped that plan for a little bit. And once I entered college, I had no idea what I wanted to do.

I did know that I like solving puzzles. I like solving problems. So something in that regard. But I wanted to get a degree that would signal to a potential employer that I have both quantitative and qualitative skills, right? An economics degree would provide me with that. Because economics is very interesting as it has hard-coded math, right? Applied math, right? So you do need to have quantitative skills.

But it also has a lot of philosophy, and anthropology and qualitative features to it that makes you think as well and makes you a good writer. It gives a really good range of skills, right? And good for signaling to potential employers that you can do this kind of work. Whether it'd be quantitative or qualitative.

But in terms of whether my degree in economics really helped, I don't – I wouldn't say that my career ended up going in the direction where I really used a lot of my economics –

[00:12:09] CS: Oh, no. Sure. Sure.

[00:12:10] LI: – you know, degree. But I think it informed my view of the world, right? Which kind of threw me into Bitcoin. Threw me into that rabbit hole of going into – of studying this technology. And then once I got into the DoJ, the first real use case for Bitcoin was criminal activity on the dark web, right?

[00:12:33] CS: Yeah. Yeah.

[00:12:34] LI: So I wanted to look at it from that perspective, right? Even though I had, and I still do, have faith in the technology to be a good force for humanity, right? In general, there are still bad actors out there and I wanted to start looking at that from the DoJ perspective. Yeah, I think that my education definitely gave me a good overview of economics and how the world works. And then after that, it's learned by doing, you know?

[00:13:07] CS: Yeah. Oh, absolutely. Yeah. I wasn't necessarily looking for sort of like one-to-one connections. But I think that it gets very much downplayed as we talk about, get your master's degree in computer science or you get – just get your certifications and get into the job market. That if you don't have this sort of grounded thing where you're having to sort of take a thesis and follow it through to completion, I think there's a lot to be still had.

We always talk to our guests and they say that communication skills and writing skills are so important. But if you're just doing it as like a vo-tech thing where you're like, "Okay, now I've got this CISSP. And I got this. And I got that. And I got that." Where are you going to get the writing skills from? You know? That's all. That's all. It was just a little diversion. Yeah, I'm sure my listeners are sick of me hammering on that point. But it's very important to me.

Lili, let's talk about your work investigating and taking down dark web markets. Because I know that's what everyone here is very excited to hear about this. What are the moving parts that go into a campaign like that? Like how long is the process? And what are some of the major skill sets of the team that you worked with to achieve these kind of campaigns from the people actually infiltrating and getting info from the dark web to those that worked on creating evidence and testimony for court?

[00:14:26] LI: Yeah. Dark web cases are very unique and have a lot of features that are different from traditional cases. One of the main features is that the criminal players in the dark web case are faceless, right? They're all anonymous. That kind of brings in a whole layer of investigative activity that you have to break through that anonymity, right?

Not only is a dark web market anonymous in the sense that we don't know where it's located, right? Where the servers are located. Whether they're hosted on – it's a hidden service hosted on Tor usually.

But, also, the players themselves, not only are they individually anonymous. They also don't know each other, right? Oftentimes, the co-conspirators, right? Like let's say you have market administrators, right? These are the individuals that would develop the market, maintain the integrity of the market, provide customer service. It's a whole enterprise. It's like Amazon, right? Amazon has employees, and CEO, and a COO and a CFO. Same thing with dark web markets, right? Because these are giant enterprises. But sometimes billions of dollars worth.

But none of these people know each other. None of these people know who each other is. A lot of times they don't even know where the other person is, their co-conspirator is in the world, right? So it brings in an extra layer of complexity because of that.

Where in a traditional case, where let's say take a drug case, right? You take a low-level drug dealer. You arrest them. You flip them. Then they flip against their source of supply. And then you keep going on the chain until you get to the Sinaloa cartel or whatever it is, right?

[00:16:22] CS: Right. Sure.

[00:16:22] LI: And then you look at all their different co-conspi – money launderers. But they all know each other, right? Whether they communicate through a phone. They communicate – they send each other money. A lot of them have met each other in person. In the case of dark web, that's not the case, right? None of them know each other. We don't have that like step-by-step where we can flip someone against someone else. And then, all of a sudden, now we got to the big guy. No. We have to target the big guy right away, right?

[00:16:54] CS: Interesting. Okay. Yeah. They couldn't flip even if they wanted to basically. They're just like, "I take orders from dark web guy23, 24 or whatever." Yeah.

[00:17:04] LI: That's exactly right. And it's very frustrating. Because I've taken down many dark web administrators. I would interview them and they would have nothing to say usually about the other co-conspirators, you know?

[00:17:16] CS: Right. Yeah. Yeah. That's really interesting. Well, yeah, between Bitcoin being the sort of like autonomous money form and then dark web markets as this autonomous – boy, you really do feel like you're just like in this sort of like alternate reality or something, I suppose.

[00:17:34] LI: Oh, absolutely. First of all, for anybody who's never been in a dark web market, it's mind-blowing when you first go on and you see how openly people talk about selling drugs and crimes against children. And just everything in the open. Like they're not afraid to talk about any of it.

And it's like an Amazon for drugs and Amazon for illicit goods. And you have reviews. You get five stars. All of that. Reputation building for vendors. It's crazy. It's like a totally different world.

But when I first saw it, I was like a kid in a candy store. Because in a traditional case, generally we would need – we depend highly on confidential sources, right? Or usually difficult to work with. Difficult to obtain to actually infiltrate in a criminal organization, right? Especially a large criminal organization.

In this case, we don't need a confidential source. We can do all of our own undercover work. Get directly to the target, right? Because that target doesn't know who I am. Just as I don't know who they are, they don't know who I am. So it actually takes out a level of complexity, which is dealing with confidential sources. But it also brings in a new level of complexity, which is identification, right? That's a huge thing part about doing a dark web case.

And that can take years. I mean, I've had dark web cases running for four years, you know? And these are long-term investigations. Usually the way I structure my cases with dark web is I look at the different uh features of the organization, right? Different co-conspirators. One being the administrators of the market. Two being the largest vendors, of course, on the market that are actually selling illicit goods and services. And then mixing service. This is the crypto component, right? Because there's a whole money laundering component.

Any mixing services that help obfuscate the flow of funds on the blockchain, and money laundering organizations in general, and entities and individuals that facilitate the money laundering of dark web proceeds, right? Those are all co-conspirators, right? I look at them as one organization, right? I go after them as different parts of one organization. Which is interesting. There's so many facets of a dark web case, right? The vendor case is very different from an administrator case, from a mixer case, or an exchange, or a money launderer case. Yeah.

[00:20:24] CS: Yeah. Now as you say that, as we talk about you have to target – you know, the one target at a time. And you might have to do multiple campaigns in the same organization. My first thought of course is like cutting a leg off a starfish. It's just going to grow back. Or like how do you – even if you take down the top person in this organization, is there a way of kind of neutralizing the organization through that breach? Or are you just continuing to like poke holes into it until it eventually deflates?

[00:21:01] LI: It really depends on the case. But usually, the goal is to find the location of the server. Obviously, we want to take the market down and also identify and prosecute the administrators, individuals that are running the market, right? Because if you just take the market down, the same individuals can just like spin up another market, right?

[00:21:24] CS: Exactly. Yeah.

[00:21:25] LI: So we really aim to look at the administrators and the people actually running the show, right? Behind closed doors. Most of these people are like they're tech people. They're computer scientists. They're super – a lot of them are super young. A lot of them don't even buy or sell anything on their own dark web market. They're just doing the infrastructure and raking in the rewards. They make millions upon millions of dollars from commission funds or commission fees from each transaction that happens on the market. Yeah, it's definitely a holistic approach to investigating these kinds of markets.

[00:22:15] CS: Have you figured out a consistent way of sort of pulling the big person out of the group and then sort of isolating them enough where they can't just spin up a new store? Or is this still kind of like – yeah, I guess I'm trying to get a sense of like how thorough your attack methods. Are you having luck actually like shutting things down? Or is there kind of a shooting gallery aspect to it at this point?

[00:22:45] LI: Um, I think we usually have a shotgun approach, right? We want to attack all of the vectors of the investigation all at once, right? We attack the money laundering group. We attack the potential administrators, vendors.

When we do dark web cases, we have to do – part of that is always a vendor case, right? We always go after um at least one vendor on the market and try to identify them and prosecute them. And one of the reasons too is because we need venue, right? We need to prove that the crime is occurring in the United States in whatever jurisdiction you're prosecuting the case out of, right?

If you just go on after the administrator, you can't get enough – a lot of times, you can't get enough evidence for venue for this kind of case. A vendor case is always part of a dark web, of an overarching dark web administrator case.

[00:23:53] CS: Okay. Well, thank you. Yeah, that helps. That makes a lot more sense. And I could ask you a trillion more questions and I'm sure most of them you would say not allowed. But I want to talk more about like a sort of 10,000-foot view here last few years. Especially in the last 6, 12 months, we've seen so many new stories about crypto threat theft and crypto fraud and people in companies who put essential money sources as retirement funds and payrolls into the blockchain. Having the whole thing be swept away in the blink of an eye.

I suppose that depending on which news sources you read, a big chunk of these thefts are rooted in social engineering. But it also sounds like there's other technical methods to steal crypto especially as quantum computing begins to sort of ramp up in its processing arms race against these types of distributed ledger technology.

But I don't know anything. I'm here to learn. I'll ask you. Based on your research and work, Lili, what are the main drivers of crypto theft and crypto fraud at the moment? Also, if you can do such things, how do you think these indicators of compromise or attack methods are going to change in the next couple years?

[00:25:00] LI: There are traditional vulnerabilities that are being exploited. I would say web 2 vulnerabilities, right? For example, content delivery networks, right, is a big one. And others, right? There are traditional kind of web 2 attack vectors that are still being used against crypto protocols and companies.

Yeah, social engineering is a huge factor, of course. And I would say improper key management is a huge factor as well. Basically, gaining access to seed phrases and private keys, that's a big problem and it's one of the main ways that people lose money in crypto.

Some of the more blockchain crypto-specific ways would be price oracle attacks, governance attacks. And there are also a lot of zero-day exploits as well, especially from networks that have a lot of resources to conduct such an exploit. For example, like the Lazarus Group, right? They do a lot of zero-day exploits.

But, yeah, I think that it's changing. It's very dynamic, right? The blockchain security space is very dynamic. There are new vulnerabilities that are coming up all the time. We're trying to look into the most common ways, right? The most common ways we think. Definitely, social engineering. And, definitely, key management are the two main things that we're looking at.

[00:26:45] CS: Okay. Well, I'm glad you brought up Lazarus Group because I had a question about them as well. Can you talk, Lili, about how prevalent these types of state-sponsored crypto theft groups are – Lazarus Group being founded and managed by the government of North Korea. Is this a major source of economy for these countries? And is this a common thing? And are you seeing them pop up elsewhere in the world?

[00:27:09] LI: Yes, it seems to be now, especially lately, that crypto exploded into the mainstream and has become more liquid. And it's become a lot easier to convert crypto into fiat currency in many different countries. Absolutely.

And crypto being used by malicious state actors, cryptocurrency exploits are an easy way for them to fund their operations, of course, right? Because it's easier to hack into a bridge that has – crypto bridge that has vulnerabilities and get half a billion dollars out of it, which has happened, right? To do the same thing with a bank, right?

Just because the nature of crypto of being global, right? Of the ease at which we can transfer value across borders. And also, its immutability, right? The fact that once the transfer happens, that's it. You cannot do anything about it. All of those things have made it pretty attractive for state actors to target crypto as a source of funds. And now with Russia being sanctioned as well, Russia is using crypto quite a bit to evade sanctions as well. Yeah.

[00:28:31] CS: Yeah. Okay. So you were with the US Department of Justice for 10 years. And at the end of last year, you founded your own company. Is it CAT Labs or CAT Labs? CAT Labs, I assume?

[00:28:44] LI: CAT Labs. Yes.

[00:28:44] CS: Yeah, which is "building digital asset recovery and cyber security tools to fight crypto-enabled crimes." What was part of your decision to start CAT Labs? What was it about this moment that made you realize you needed to do this work via your own startup agency rather than with the DoJ?

[00:29:04] LI: In the last few years, we've had a massive influx of cases especially hacks, scams and fraud in crypto. And the government has been very overwhelmed. And there are several bottlenecks, I think technological bottlenecks, that could be solved especially in the area of digital asset recovery. That would allow the governments to effectively target these crimes.

And from what I've seen, so many people are losing their life savings. And these tips that we have coming in of an old man just getting scammed, the pig butchering scam. Losing his life savings. We've had cases where people even committed suicide. It's very heartbreaking.

And I think it's important to build tools, proactive tools and reactive tools, to really effectively address this problem, right? Proactive tools being security tools. And reactive tools being tools for the government, right? That allow the government to effectively more easily address these crimes and remove some of the technical bottlenecks that they're facing while trying to address these crimes.

Yeah, I thought kind of hitting the problem from these two angles is the best way to go about it, is to create these tools for the government as well as for the private sector to prevent these crimes, hacks, scams and frauds especially from happening in the first place.

[00:30:48] CS: The last part is really deliberate. You're kind of like a tool-making lab of sorts that – was there a sense that like, with the government especially, that you have the tools that you have on-hand and you're just trying to get the cases but you don't – there's probably not enough resources within the government necessarily to sort of like upgrade the tools. It's just like you're just going day-to-day like that going after these actors. Is that sort of the idea that you're able to sort of sit maybe at a slight remove and work sort of on these tools that can help in all these different sectors?

[00:31:29] LI: Yeah. And that's definitely a big part of it. But generally, just removing – I know what the bottlenecks are with these cases, right? And I feel like going outside and building tools to address those bottlenecks is the best path forward for me. And also, intellectually speaking, it's something new for me to do. I've been in the government for decades. I like puzzles. I like solving new problems. This is definitely something a way in which I could address the problem from both ends, right? Not just from the government side, which is very limited.

[00:32:19] CS: Can you tell me a little bit more about the workings of these proactive and reactive tools and how they contrast with the sort of perimeter fence endpoint security-oriented hack-and-scam-based softwares?

[00:32:32] LI: Yeah. We're not really contrasting with existing tools. Actually, I would say we're augmenting existing tools. Because existing tools still need – there's still place for them out there. But we are building a lot of kind of specific tools that are based on cryptography and research, right?

We're looking into the next frontier of cryptography, one of which is a fully homomorphic encryption. And so, our tools, a lot of our tools, revolve around securing cryptographic systems, right? [inaudible 00:33:22] technology.

Our team is really well-positioned for that because we have a really good research firm and research talent as well. Deep tech based on cryptography, securing cryptographic networks [inaudible 00:33:40]. Whilst AI and machine learning [inaudible 00:33:48].

[00:33:51] CS: Yeah. Sorry, Lili, you're kind of breaking up a little bit there. So I wasn't able to get some of that answer. I think your Wi-Fi might be getting a little unsure. Is there anything you can sort of like do to boost it up a little bit?

[00:34:08] LI: Is it better now? I think –

[00:34:09] CS: It is better now. Yeah. Yeah.

[00:34:11] LI: Okay. I apologize for that.

[00:34:14] CS: Oh, that's okay. Okay. Yeah. I'm sorry. I hate to ask you the same question. But can you again tell me a little bit about the tools that you're specifically designing both the sort of proactive and reactive sides of them?

[00:34:28] LI: Yeah. On the reactive side, our tools are focused primarily on digital asset recovery and automating the process of digital asset recovery for specifically law enforcement. And also, in the private sector, asset recovery professionals.

And on the security side, which we call our proactive tools on the security side, we are working on cryptographic methods to secure cryptographic systems, right? We're working on the next frontier of cryptography, which is fully homomorphic encryption or one of the next frontiers. And we're looking at creating products around fully homomorphic encryption to secure cryptographic systems, right?

Because a lot of distributed ledger technology depends of course on cryptography, and that's our biggest focus. And we're also working on some AI and machine learning algorithms to combat social engineering as well.

[00:35:38] CS: Nice. Okay. Thank you very much for that. I could talk to you about this all day. But I want to get to a little bit of the sort of day-to-day work of what you do. First off, I wanted to ask about your average day as CEO of CAT Labs. It sounds like you're pretty tightly involved in the sort of creation of these tools and methods. But how does overseeing your own company differ in terms from the tasks and obligations from your work with the DoJ? Do you do a lot of the big research work yourself? Or is there a lot more delegation and sort of meeting with government and agencies and stuff to get a sense of what they need?

[00:36:18] LI: Well, it's very, very different. And I wouldn't say better or worse. To me it's exciting because it's new, right? It's another problem to solve, right? The government, I didn't have the business element, right? In the government, the work is very much mission-driven. I don't get compensated for, you know, the big cases that I do. The bigger the compensation –

[00:36:45] CS: Right. You're not getting a commission on them. Yeah.

[00:36:46] LI: Right. Exactly. Exactly. It's kind of the psychology of it and the culture is very different, right? Here, not only am I building mission-driven products, right? Because I'm still building mission-driven products. But I'm also trying to run a business, right? Monetize the business. Make sure we survive. Build a team.

The team building is very different, right? Because in the government, when I was building the task force, it's not like I can interview a bunch of people, right, and say, "Okay [inaudible 00:37:26]." A lot of times you don't really have a choice. You're given – let's say if I go to IRS and I say, "Hey, do you guys want to join the task force?" Usually, they won't give me the person that – a specific person that I would interview. Or I wouldn't interview like 10 people from the IRS to see who I want, right? Many times, the IRS will give me whoever they want to give me, right? And we have to kind of build that team around that.

In the private sector, it's a lot different. I can interview and I can pick the right person for the job. So it's very different. And, I mean, I think in a good way too. Because I'm a lot more – I have a lot more freedom on who I bring into the company, right, and who's going to add value to the company.

[00:38:18] CS: Yeah, as I was reading your – your press releases about CAT Labs, I noticed some pretty big and important names as key team members. Can you tell our listeners about this kind of legion of superheroes that you've assembled and what each person brings to the team?

[00:38:33] LI: Yeah, absolutely. And that's something that I'm super proud of. And that's one of the biggest jobs of the CEO, right? Is to attract the right talent to get the job done, right? First is vision and second is build a team that can actually turn that vision into action.

And I think I'm on a really good start here. Our chief security officer is Uri Stav. He has been in the crypto industry since basically since Bitcoin was first created. And he was formerly chief security and development officer of a digital currency group and all of its wholly-owned subsidiaries. And he's a cryptographer and mathematician and a very prominent security professional in the crypto industry, right? Could not have hired a better person for crypto security, right?

[00:39:28] CS: Sure.

[00:39:30] LI: Then we have Roger, Roger Hallman, who is a Dartmouth PhD candidate. And his area of study is fully homomorphic encryption. And he was formerly in the Navy as a computer scientist and cyber security researcher. Also, an amazing hire.

A lot of research is coming out of Roger and a lot of really great IP is coming out of Roger as well. And also, Monica Arias. She's formerly from Chainalysis. She also has DoD and IC experience and consulting for government agencies. And so, she's our head of growth. Misha Hanin, who is our head of technology, who ran three different companies previously, service companies, building blockchain software, building IT architecture, as well as cyber security. He has experience in all of the level – basically, all of the areas that we're touching in our company.

Yeah. And, also, one of our most exciting hires is John Hayss who – he's our head of digital forensics. And he was basically the main person in DoJ that would go around the country on search warrants and recover cryptocurrency assets from digital evidence, right? For the past seven years, that's been his job, right? He's one of the premier crypto recovery experts probably in the world. We're very well positioned for building the tools that we're promising to build with this amazing team.

[00:41:23] CS: Man, I got chills. That sounds amazing. It sounds like you got like – yeah, like the best at every single thing here. And I'm excited to see where you're all going to go. Before I let you go, I want to talk to you about the work you do with CAT Labs and get your advice for students and young professionals who want to move toward this type of work in the future.

Like you said, you started out in a decidedly non-tech sector and you were able to kind of get into crypto scams and cryptocurrency very early on. But it feels like, at this point, methods of securing and defending crypto feels like we're changing in complexity and challenge like every 30 days. Do you have any advice for students or young aspirants who are trying to get into this type of field to get themselves up to speed very quickly? Because it seems like you're – it's like trying to like go from zero to 70 to get onto a highway or something like that. But if you're studying to get into this now, what should you be doing to make sure that you're sort of future-proofing your skills?

[00:42:24] LI: Well, my advice, and this is how I learned, is learn by doing, right? Go on the forums. Participate in bounties. Take network offensive security course, of course, as a base. But I'm going to say something that's non-traditional.

[00:42:47] CS: Okay.

[00:42:49] LI: I would recommend actually working for the government in the very beginning, right? After college. The amount of intelligence and knowledge that I gained working from the government. And working from the government is mission-driven, right? You don't have to worry about making money, making your commissions, making your numbers. All you have to worry about is doing the work, right? Your work supporting the mission, which is what I loved about working for the government. Not having to worry about the money, right, and the business side of this.

And I think when I worked for the government, I was privy to just so much information. The stuff that you see on hack, scams and fraud in the media is just a tip of the iceberg.

[00:43:34] CS: Oh, yeah. I can imagine.

[00:43:36] LI: And that was just learn by doing times 100, right? I'm seeing these cases coming in and I have to address each one of them. And throughout the years, I basically now have an arsenal of knowledge of every single way in which people can get scammed, hacked, defrauded in different areas of crime, money laundering. Yeah. Law enforcement, cyber squads, even intelligence are some really good options. And a lot of people don't think about this because the money, right?

But I think government work, especially in the very beginning. Maybe not a decade like me. But maybe like three to five years. It gives a really nice base, right? And then to go out into the private sector later on and do what interests you.

[00:44:33] CS: Yeah. And I think a lot of students who just graduate and get their first tech job are – certainly, we heard it from pen testers and red teamers that you just keep doing the same three tasks over and over. And it sounds like, in that, you're doing these – you're never going to be, I imagine, abandoned by your supervisors. And like I haven't talked to my boss in three weeks. And I don't know if I'm doing the right thing or not. I imagine that you're pretty tightly integrated into every team that you're working on when you're doing this kind of government work, right?

[00:45:03] LI: Exactly. Exactly. And you have all the research sources of the government, right? You don't have to struggle with resources trying to raise money or company laying you off. No. You have all the resources, the government. You need internal analysts to do your work. You need headquarters support. You need tools. Just the sky's the limit. It's a really great gig.

[00:45:24] CS: Yeah. Yeah. Now that's awesome. And I think that's really good advice. And for us, it's certainly not non-traditional because we have a lot of students who are in government or moving toward government and stuff like that. As we wrap up today, Lili, I'll let you go here pretty quick. But if you want to tell your listeners any more about CAT Labs? Any big projects you have coming up? We talked about the team. We talked about the statement of intent. But like what's the future with CAT Labs? What are some things that people can do to follow along with you or to get involved? Tell us more about that.

[00:45:59] LI: Yeah. I mean, our goal is to fight crypto crime. We're trying to address the problem from different angles. Hopefully, we succeed with all the tools that we're building. We're super excited about the deep technology and the cryptographic work that we're doing to help secure our future and not just crypto, right? Because a lot of our world depends on cryptography and mathematics. And it's going to be more so in the future.

We're excited to be a thought leader in this and building products and services around this area. Yeah. And just keep updated on our progress. Go to our website to learn more about what we're doing and how we're progressing with our build and our services.

[00:46:52] CS: Is that catlabs.com?

[00:46:55] LI: Catlabs.io.

[00:46:56] CS: .io. All right. And one final question, if our listeners want to know more about Lili Infante, where should they go online? Should they hit you up on LinkedIn? Or do you do a Twitter? Or a blog? Or do you do anything like that?

[00:47:11] LI: My teammates told me to tell you Netflix soon.

[00:47:19] CS: What's that now?

[00:47:20] LI: Netflix soon.

[00:47:21] CS: Oh, Netflix soon. Oh, okay. All right. All right. Watch for the pilot, huh? All right.

[00:47:26] LI: No. I'm actually working on a show based on my life story.

[00:47:31] CS: Really?

[00:47:32] LI: So that should be coming out at some point. Yeah.

[00:47:34] CS: Okay. Okay. Well, when that happens, we'll have you back on and we can talk about the process of making your life story. All right. Well, Lili, thank you so much for joining me today. I learned so much and this was an absolute blast. I really appreciate it.

[00:47:48] LI: Thank you so much for having me.

[00:47:49] CS: And thank you to all of you who have been listening to and watching the Cyber Work podcast on a massive scale. I just found out we hit 70,000 subscribers on YouTube and we're so glad to have you along for the ride. Before I let you all go, I want to invite you to infosecinstitute.com/free to get a whole bunch of free stuff for Cyber Work listeners.

We've got our new security awareness training series called Work Bytes, which is a live-action skit based thing featuring a host of fantastical employees, including a zombie, a vampire, a princess and a pirate making security mistakes and hopefully learning from them. And you can also get our free Cybersecurity Talent Development eBook. It's got in-depth training plans for the 12 most common roles, including SOC analysts, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. Lots to see. Lots to do. Just get to infosecinstitute.com/free. And, yes, the link is in the description below.

Thank you once again to Lili Infante and CAT Labs. And thank you all so much for watching and listening. And until next week, take good care out there.
