67

An employee has been mining cryptocurrency for 5+ years. They installed mining software on most of our company PCs (approximately 40), and purchased items stating they were required by the company but in fact were for the mining rig. They used a work email to set up a cryptocurrency account.

How should we deal with this situation? Should this be a police matter?

DJClayworth
Crushed
  • 20
    Could you please post an answer or update your question if this is resolved? I'm curious what will happen next. – Martijn Sep 19 '23 at 12:26
  • 16
    This question needs more information on the location in the world that this all happened as local laws will have a major impact on how this is handled. – Joe W Sep 19 '23 at 13:06
  • 2
    Info requested: does the employee know they've been found out? – GB supports the mod strike Sep 20 '23 at 02:40

9 Answers

125

Don't touch anything.

Document what you know, what you've done so far, and then talk to HR, your legal department or lawyers. They will probably advise you to suspend this employee (and their access) while they investigate.

Depending on the exact details and laws in your area, this almost certainly constitutes computer misuse and fraud, and possibly even theft depending on where those purchased items ended up.

This is a matter for lawyers and the police, not for you.

And once things have been sorted, have a serious look at your internal security and how the company is managed. Because if someone can install dodgy software on all your systems (that connects out to the Internet on unusual ports), use a huge amount of extra power, and fraudulently purchase a load of stuff with no one noticing for five years, that's pretty damning. And also raises the question of what else they might have done in that period that you don't know about.

Gh0stFish
36

I'd like to build on the previous answers submitted here.

You need to work IN CONCERT with your network administrators, HR, and law enforcement. The employee needs to be arrested, and SIMULTANEOUSLY, internet access for the mining rigs must be suspended. You don't know if the employee has accomplices, and you don't know if the rigs are remotely accessible from outside your company.

  • If you suspend the employee before the arrest, there's a chance for the employee to remotely access the rigs and wipe incriminating data.
  • If you arrest the employee but don't cut off internet access, then potentially, accomplices could also wipe the rig.

You want to SUSPEND the employee email account such that incoming email still comes in, but no one can log in to it. This might be accomplished by just a password change. But don't do this until you contact law enforcement. Be advised that if you're in the US, this might be a federal crime so you'd end up dealing with the FBI if it is.

And yes, have those attorneys ready. I wouldn't worry about recovering any financial gains, at least not immediately.

Until you make a concerted move, DO NOT suspend the employee or make the employee aware that you know what you know. Play dumb.

Xavier J
  • 46
    The only way the employee can be arrested is if he committed a criminal act. What they have committed is a form of embezzlement. Whether this is treated as a criminal act will depend on the jurisdiction, and the amount of money embezzled. Thus you can't instantly say "Arrest him!!!". You will need to collate all the evidence first to support a criminal charge (if it is one), and that is likely to be obvious to this employee. They need to be canned first, and then work out the details. – Peter M Sep 17 '23 at 19:21
  • 21
    Seriously, arrest them for what? You're acting like this is a murder case, and not on the level of an employee stealing toilet paper rolls and taking them home. At best, they will be able to sue the guy for a few thousand dollars of damages, but will probably never see a dime even if they win. – Davor Sep 18 '23 at 10:15
  • 21
    Fraud and embezzlement are both crimes. – Matthew Whited Sep 18 '23 at 10:35
  • 2
    @PeterM Collecting evidence and figuring out the details is the job of law enforcement, and they likely won't thank you if you first alert the employee by firing them. Go to the police first, then do what they say. – TooTea Sep 18 '23 at 11:58
  • 20
    @Davor Except that we're talking about hundreds or potentially thousands of €/$/£ worth of toilet rolls. That's more than enough to be considered a crime (at least in those EU countries I know well enough). – TooTea Sep 18 '23 at 12:00
  • @TooTea There are risks by firing the fraudster, and there are risks in not firing the fraudster. But if they are still on the inside while any investigation is ongoing, and they notice that investigation (Hey, why is the FBI here, and going through my computer?!?!?), then they will be in a position to do a lot more damage to the company than if they were on the outside. – Peter M Sep 18 '23 at 13:28
  • @PeterM Well, if you report it to the police including the information that you reasonably suspect employee XY to be behind all this, most likely employee XY will find themselves having to answer some questions at the police station at the same time as five other police officers load those 40 computers into a van for expert examination. So indeed, there are business risks in terms of the disruption of company operations, but those are hopefully limited in comparison to what damage XY could deal in retaliation. – TooTea Sep 18 '23 at 13:35
  • There are many crimes that involve both civil and criminal violations of law; often, the police do not have the resources to invest in the criminal side of these behaviors unless they are exceptionally egregious. If the victim is a company and not an individual, it's quite reasonable for the police to leave it up to the company to pursue it civilly and to apply their resources elsewhere. – Bryan Krause Sep 18 '23 at 15:58
  • The police isn't going to focus on recovering the money. A cyber security company or PI can be much more effective. – Therac Sep 18 '23 at 22:14
  • 4
    @Davor A few thousand dollars is grand theft in the United States. That's a felony and could result in a prison sentence. Also, some armchair calculations I've made suggest the total theft could be more like $500,000 over five years, not counting the improperly procured equipment and lost productivity. In some jurisdictions that could be a 1st degree felony with a maximum sentence of 30 years in prison. – Todd Wilcox Sep 19 '23 at 04:21
  • I agree, I don't see where the employee is guilty of anything more than stealing electricity, which is exactly the same crime as if they plugged in their EV at work. – Harper - Reinstate Monica Sep 20 '23 at 04:03
  • 4
    @Harper Not necessarily. It's all a question of scale. Stealing 10 dollars from an office donation box gets you into very different legal trouble than embezzling tens of thousands of dollars. Many offences that deal with money have various thresholds where they get more serious. – Voo Sep 20 '23 at 07:34
  • @Voo You're confusing Bitcoin and USD, and "assets taken" vs "assets created using company tooling". Suppose you work at a state DOT sign department, and your side gig is selling "Speed Limit 99" signs on Etsy that you make in DOT facilities, DOT equipment, DOT Clearview font license, DOT electricity etc.... (but your own aluminum and vinyl so you aren't stealing atoms, just to equalize the metaphor). You are MAKING things that are not USD but are fungible to USD. You say "scale", OK, suppose I'm doing $50,000/year this way? – Harper - Reinstate Monica Sep 20 '23 at 19:38
  • @Harper-ReinstateMonica the profit is a civil matter. That's called an unjust enrichment. The other components are theft, including potentially wage theft – Xavier J Sep 20 '23 at 19:45
  • @XavierJ Our antihero is doing this off the clock. Which atoms were stolen? What would you say straight-faced to the police officer who comes to take your report? – Harper - Reinstate Monica Sep 20 '23 at 19:52
  • 1
    @Harper I'm confusing nothing. I'm simply stating that the value being embezzled makes a big difference in the severity of a crime. So saying "exactly the same crime as X" is not necessarily true if you haven't established damage. – Voo Sep 20 '23 at 20:25
  • @Voo I don't think the term "embezzled" fits this set of facts. Point to the company asset which the company has been deprived of. I can't honestly find it: they seem entirely whole, except for the video cards, which are a wobbler at best, as there's good reason to standardize IT-supported hardware. The only smoking gun I see is electricity, thus my "charging their EV" metaphor. – Harper - Reinstate Monica Sep 20 '23 at 20:52
  • @Harper Well yes, the problem is the thousands of dollars of electricity bills this caused over the years (apart from the unauthorized modifications of the PCs involved which is a whole other can of worms) – Voo Sep 20 '23 at 21:29
  • @Voo exactly, and that's why I think my EV metaphor is the thing that could stick. EVs take 3-15 cents a mile of electricity depending on the car and the tariff. 5 years could be 100,000 miles if the guy drives a lot. – Harper - Reinstate Monica Sep 20 '23 at 21:57
20

Congratulations, you've been robbed! Or more accurately, a victim of embezzlement.

This is a criminal matter. You may want to decide if you want a public record of having had this issue, which will happen if you report the crime and come after the perpetrator for the illicit gains. If you're a physical store, it will show you take security seriously. If you're a security consulting company, you might as well liquidate.

The best course of action to recover the stolen funds will have to be determined with a lawyer's assistance, one familiar with your local law and this kind of case.

Crypto mining uses a lot of energy, it comprises over 50% of the coin's price. It's a way to turn energy into money. The coins mined with company equipment and power should legally be the property of the company. However, recovering crypto is difficult - it's been designed to prevent just that. A threat of criminal action is about the only way you can give the offender any incentive to give up the goods.

Once you start the criminal action, your leverage is reduced. Talk it out with a lawyer. They'll know what to do, considering your exact situation. There could be a significant amount to recover, if you can prove enough.

It might make sense to contact a private security company with pentest skills or a PI agency working in cyber. They will not necessarily be able to help, but it's possible that they could trace or get hold of some of the money that hasn't been deliberately hidden. As the owner of the hardware, you're allowed to "hack" it. If not, at least you'll get a second opinion.

Therac
  • You wouldn't go after him for the value of the crypto, but rather, the electricity. That will be more money anyway. Mining at typical commercial daytime electric rates is not profitable, you need to get a favorable rate plan. – Harper - Reinstate Monica Sep 20 '23 at 00:23
  • @Harper-ReinstateMonica Recovering costs through a civil suit could take years, especially if there's also a criminal prosecution. It's also a challenge to collect. Depending on how much crypto has been mined (could be a lot), and if some's left unspent, making a return and repayment deal could be more effective. Though you'd still want to warn others about this person and not work with them again. – Therac Sep 20 '23 at 01:32
  • that's the best part. For them, their balls are in a vice for years, making them spend thousands on attorneys, and the nightmare never ends. Whereas for you it's just one little file folder in your counsel's file cabinet. As for collections, a technical professional will have an attachable wage. – Harper - Reinstate Monica Sep 20 '23 at 01:39
  • @Harper-ReinstateMonica Not after a criminal conviction. They just have to earn enough to get out of the country, and remember the passphrase. – Therac Sep 20 '23 at 02:27
8

TL;DR Taking the crypto was probably theft and breach of contract.

I would like to add something that the other answers haven't addressed. Check his employment contract - if he signed up for the account using a work email and was doing the mining using company computers, the crypto is company property under the terms of any sane employment agreement.

If the employee took the crypto for their own personal use, that constitutes theft (because the crypto was never theirs in the first place, which they presumably knew - or, at least, should have known - based on their employment contract). Also, failure to return the crypto to the company constitutes breach of contract.

  • 1
    I think breach of contract is a very minor issue compared to everything else and it would be considered theft/embezzlement both of which are actual crimes unlike breach of contract. – Joe W Sep 18 '23 at 17:29
  • 6
    @JoeW It's still a legitimate avenue for the company to recover their damages. Also, I'm not a lawyer, but given that the crypto almost certainly belonged to the company from the outset, the employee taking it would be another form of theft. – EJoshuaS - Stand with Ukraine Sep 18 '23 at 17:32
  • If the crypto currency does belong to the company (especially if it is a large amount), criminal theft/embezzlement charges are much more likely to get results than a civil breach of contract will. Such a minor issue will not be used when we are talking about large amounts of money in the criminal realm. Breach of contract will get nothing if the employee has already moved the money to other places to hide it or make it inaccessible. – Joe W Sep 18 '23 at 17:49
  • 3
    In the US, any crypto mined with company equipment very likely belongs to the company regardless of the presence of any contract. – Todd Wilcox Sep 19 '23 at 04:27
  • Good luck with waterboarding the employee to get his private key/passphrase to get to the crypto! The crypto is his as long as he does not reveal those. – stackoverblown Sep 19 '23 at 14:55
  • 2
    @stackoverblown The court could still order the employee to pay the monetary equivalent in damages. – EJoshuaS - Stand with Ukraine Sep 19 '23 at 17:21
  • If the $500k estimate above is close to the truth, it might be possible to collect maybe a few percent of that. Unless they've invested in lots of liquid traceable assets under their own name. – Therac Sep 20 '23 at 01:36
4

I'm not really sure why you think there's anything to ask here - you fire them ASAP (assuming you have authority to do this and your evidence is undeniable).

You then discuss with your company's legal advisors (either in house if you have them, or talk to some external ones if you don't) as to what you can do in terms of legal action, both with regards to recovering any damages and whether a criminal offence has been committed.

You probably then also need to look at your internal controls, because the fact that an employee could do this for 5 years without anyone noticing implies a fairly big hole.

Philip Kendall
  • 9
    Firing them will remove evidence. They'll move funds from their bitcoin wallets. – Nelson Sep 18 '23 at 00:43
  • 4
    @Nelson Doesn't the entire transaction history remain visible? – HolyBlackCat Sep 18 '23 at 07:47
  • 6
    @HolyBlackCat, yes Bitcoin and other crypto are long stored journals. All of the history is recorded. But most criminals and crypto bros don’t understand that. – Matthew Whited Sep 18 '23 at 10:37
  • 4
    @HolyBlackCat It remains visible but it is not necessarily obvious who owns or controls the wallets. Even if you do know it might be a person in a hard to access jurisdiction whereas your own employee is a lot more reachable. – quarague Sep 18 '23 at 11:41
  • Exactly. Fire them, run an ad in the paper for their replacement, and entirely qualified people will be lined up around the block to fill their seat. Worked for Henry Ford! – Harper - Reinstate Monica Sep 20 '23 at 20:54
3

This is the time that you gather all parts of the management team together. There are legal issues, security issues, infrastructure issues, accounting issues. There may be multiple people involved, including those who approved the purchases. You may need to seek outside help.

Technically it all belongs to the company. It was either purchased with company funds, produced with company funds, or added to company equipment.

Destroying everything before the investigation can be completed might allow some of the guilty party to escape. There may even be criminal charges so the police might need to be involved.

mhoran_psprep
3

These answers are WAY over the top.

Should the person in question be fired? Yes. Should the IT department do a full investigation and follow-up with a deep audit of what's installed on company computing infrastructure? Yes. Should a plan be developed by the IT department to prevent stuff like this from happening again? Yes. Should procurement practices be examined and audited carefully from now on? Yes.

Is this an "arrest-worthy" crime? Maybe in a mall-cop-turned-IT-pro's dream, but in real-life, NO!

This kind of thing happens a lot. It's an abuse of trust, certainly very sketchy, but it's more of an embarrassment than a crime.

teego1967
  • 6
    You're saying that the theft of $35,000+ in electricity is an embarrassment rather than a crime? – Mark Sep 18 '23 at 23:33
  • @Mark, where is this figure of $35K coming from? 500W PCs running at 100% for 5 years? – teego1967 Sep 18 '23 at 23:55
  • 2
    @Mark Context matters. Is this a cash-strapped startup or a Google/Facebook/Twitter? Sounds somewhere in-between, but if the employee was able to fly under the radar for 5 years while buying and misusing 40 computers and misc. crypto accessories it's probably fairly large and well-established. And the employee is/was probably paid a reasonable salary for someone with authority to purchase and administer IT equipment for an entire company. Technically a crime, but also probably true both that the company will barely miss $35k and the employee can easily repay it. – aroth Sep 19 '23 at 01:49
  • 7
    @teego1967, 200 watts of excess draw for each of 40 computers running 24/7 for five years, at a rate of $0.10 per kilowatt-hour. Works out to about 350 megawatt-hours, costing $35,000. If the company isn't in a part of the world with cheap electricity, the loss could be considerably more ($200,000+ in some place like Hawaii). – Mark Sep 19 '23 at 02:42
  • 6
    A single crypto miner running for one day costs approximately $3 in electricity. That's almost $5500 after five years. Scale that up to 40 miners and you're talking serious money, even if you cut the power costs of each miner by a lot. And that's only the power draw. It could be argued that the mined crypto belongs to the company and therefore it having been diverted to the employee's personal account is theft of that amount. That could be another $10,000/miner/year. Now tack on improperly procured equipment and lost productivity. Could be a 1st degree felony. – Todd Wilcox Sep 19 '23 at 04:26
  • 5
    Even if all he did was procure $1000 GPUs for 40 computers and did no mining and used no electricity, that's still $40,000. – Todd Wilcox Sep 19 '23 at 04:30
  • @Mark, 200w is possibly more than an entire workstation would draw - the excess draw is unlikely to be such. – Steve Sep 19 '23 at 09:44
  • As indicated, these are office PCs. Only the OP can clarify but there's a difference between "a mining rig" and some software running surreptitiously in the background. It absolutely warrants a firing but the handcuffs are a stretch. – teego1967 Sep 19 '23 at 10:08
  • It may or may not be something that can be brought into a criminal court, though it is arguably embezzlement and that would certainly qualify as criminal (though perhaps not "arrest-worthy".) It can certainly be brought into civil court. – keshlam Sep 19 '23 at 14:13
  • 1
    As described, the accused is stealing many thousands of dollars of electricity and hardware in order to produce a similar order of magnitude liquid "currency" for themselves. I'm aware that white-collar crime is often under prosecuted, but really? Really? Not worthy of arrest? – Yakk Sep 19 '23 at 21:06
  • The employee also stole the crypto, which legally belongs to the company. – EJoshuaS - Stand with Ukraine Sep 20 '23 at 12:50
  • Ahhh, the old "white collar crime" isn't real crime argument. If a blue-collar worker stole $35,000+ of goods from a company, would someone be arguing "it's more of an embarrassment than a crime." – matt freake Nov 09 '23 at 14:19
  • @EJoshuaS-StandwithUkraine But you can't say he stole both the electricity and the crypto. Because if he was forced to pay for both then the company would now have the crypto without paying for electricity. – gnasher729 Nov 11 '23 at 18:56
  • @gnasher729 He definitely stole from the company either way, though. This answer is incorrect in claiming that this isn't a crime. – EJoshuaS - Stand with Ukraine Nov 11 '23 at 23:06
  • @EJoshuaS-StandwithUkraine, never said it wasn't a crime but attempting to prosecute it as a crime is going to be more trouble than it's worth for the victims. Much better to fire the person immediately, and take actions to prevent it from happening in the future. – teego1967 Nov 14 '23 at 12:35
1

This question has really brought out the armchair lawyers!

In my view, the most straightforward way of dealing with this is as gross misconduct.

I don't necessarily agree with all the fuss about internal security in the other answers.

The most senior IT staff in a business are always in a position to configure the computers like so, and there is no oversight because they are the overseers.

There's absolutely nothing extraordinary about it, especially if a single person handles the entire IT function (quite plausible in a business with 40 PCs).

Just because a particular wily scheme has been discovered does not establish that there is wider irresponsibility or maliciousness against the employer.

The most likely justification they will have in their own minds is that they are using "spare" or idle processing capacity in the company equipment for mining. The question isn't clear about how much spend there was on additional equipment, or how the OP is clear that the equipment in question had no business purpose whatsoever.

I think the answers saying "don't touch anything" are laughable, as if a business is going to tolerate its entire IT estate being impounded, whilst they hire and apply a battery of lawyers and forensic computer experts.

In terms of seriousness, if the staff member responsible is a teenager or in their 20s, and probably not paid very well, I'd be inclined to think this is the kind of irresponsibility and nerdish cunning plan that could be expected. Having discovered the situation, it might be best just to tell them to unwind it all and give a written warning.

If you're dealing with someone much older who has the proper status of a manager in the business with serious responsibilities, it's perhaps a sacking offence.

Steve
0

The (many) justice warriors on this thread will be sad to find out that often in western jurisdictions mining crypto at work is mostly legal and will "merely" constitute grounds for a dismissal.

Basically you are going to have to make the decision about whether to fire or retain the employee. This comes down to a question of cost/benefit: Is the employee otherwise productive? Will the firing hurt morale in the organisation? Will it set a positive precedent? Is this an individual who the company is looking to get rid of for other reasons?

Personally I would look at the big picture and avoid making rash accusations of criminality that could end up backfiring.

Fergie
  • A case can be made that the mining is theft of services. Whether that will fly in court, deponent sayeth not. The other items listed, unauthorized purchase with company funds for personal use, may be easier to convince the court to act upon – keshlam Sep 19 '23 at 14:07
  • 1
    This "justice warrior" would fire anybody who spent company resources on their own unapproved activities. I can collect evidence after the individual is fired. I also don't care if the employee is productive, if they have wasted potentially thousands of dollars on electricity powering these devices, I don't want them anywhere near my company. IT logs will prove any criminal activity. – Donald Sep 20 '23 at 00:04
  • Guys, you are missing the point: mining crypto on company hardware is generally not considered a crime (see the link to an actual legal opinion in the answer). This means that the question is whether to retain or release the employee. If it's somebody you want to get rid of: no problem. If it's somebody who is valuable for the company- you need to make that decision on a cost/benefit basis. – Fergie Sep 20 '23 at 06:37
  • "A 34-year-old man [..] has been sentenced for using the Commonwealth Scientific and Industrial Research Organisation’s (CSIRO) servers and supercomputers to carry out cryptocurrency mining. [..] The 34-year-old pleaded guilty on 28 February 2020 before the Downing Centre Local Court to the charge of unauthorised modification of data to cause impairment, contrary to section 477.2 of the Criminal Code Act 1995 " (source). – Voo Sep 20 '23 at 09:02
  • Note that the criminal code he was sentenced for is not limited to public sector and government employees. So there's no reason to assume that this would not apply to private sector employees just as much. It's also pretty much exactly what's happening here. – Voo Sep 20 '23 at 09:04
  • The links provided SPECIFICALLY state that crypto mining can be criminal in public or federal organisations but not in private organisations such as OP's. – Fergie Sep 20 '23 at 09:19
  • 2
    @Fergie And now please tell me where the criminal code I referenced says anything about public or federal only? You won't be able to, because it doesn't and there's been lots of people over the years being convicted that had nothing to do with any federal or public organisation because of it. – Voo Sep 20 '23 at 14:05
  • Also if you reread your own article you'll see that they only reference the "Independent Commission Against Corruption Act 1988" and say nothing about the law due to which the person was actually convicted. So their analysis of the situation was also wrong for public employees. – Voo Sep 20 '23 at 14:08