How did they do it?
- Used keyword expansion in Analytics to surface the smoking gun: a Chinese character being used as a code word
When a Confession’s Not Enough
When a new case from a Chinese company hit Tom Groom’s desk, the managing director at Special Counsel got his first glimpse into a complicated web of deception and red tape. A company employee had created fake accounts in his company’s CRM system, repeatedly billed one of their customers for the fake accounts, and pocketed the money for himself.
"After the customer reported unrecognizable charges on their billing contracts, the employee under investigation came clean to his employer about the scandal, admitting to the off-the-books billing spanning two years," Tom said.
Not only did the employee admit to his scheme, but he also tried bribing his way out of potential consequences, from repaying the money he owed to possible jail time. In many jurisdictions, the employee’s confession might be grounds to file suit. Not so for Chinese courts.
"Under China’s civil law system, plaintiffs must have solid evidence they need to move forward before filing suit," Tom explained.
"Most Chinese corporations follow a BYOD, or bring-your-own-device, policy wherein employees access both work and personal data on the same personal device," Tom said. The employee refused to surrender his mobile device.
It was a chicken-and-egg scenario: without evidence showing cause for it, Special Counsel wouldn’t get access to the employee’s personal device, where they suspected they’d find key evidence in WeChat, a Chinese multi-purpose social media mobile application. That left only the employee’s work-sanctioned desktop as a data source.
A Great Wall of WeChat Files
Tom and the Special Counsel team collected data from the employee’s company computer, including unstructured data from email and—as luck would have it—thousands of the employee’s messages on WeChat.
With 38 billion daily messages sent, WeChat enables its billion users to send end-to-end encrypted messages, making the platform nearly impossible to capture from a discovery standpoint. Unfortunately for the employee, his messages were recorded and saved because he had logged in via the desktop client, a boost of confidence for the D4 team. The WeChat messages were parsed out as individual messages, along with key metadata such as sent date and time, and converted into a load file before processing into Relativity.
But with hundreds of thousands of records to sift through, they needed a way to cull the size of the data set into something more manageable. To start piecing together a timeline of events, Tom ran email threading to tie together related conversations, hoping to home in on any potential evidence—but found nothing.
"His tone throughout his emails was immaculately polished, and we couldn’t pinpoint anything out of the ordinary," Tom said. "We knew the evidence would be on WeChat."
After nothing suspicious came up in the employee’s email, Tom applied search terms to compare the language between email and WeChat to try to identify anything out of the ordinary.
"Once we got the results back, we leveraged the conceptual index via keyword expansion and sorted by the order of frequency. We kept noticing one character popping out, and it wasn’t relevant at all," Tom explained. "It was especially noticeable when we sorted the email and WeChat messages together by date."
This method, one that Tom referred to as “blocking and tackling,” ultimately led them to the smoking gun: a single Chinese character the employee was using as a code word when referencing his scheme.
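An added illustration of the frequency comparison described above, not code from Special Counsel or Relativity: it substitutes a simple smoothed frequency ratio for Relativity's conceptual index and keyword expansion. The messages, dates and the character 茶 are constructed placeholders, not details from the case.

```python
import math
from collections import Counter
from datetime import datetime

# Constructed sample records: (source, sent time, text). Not data from the case;
# the character 茶 stands in for the (unnamed) code word.
RECORDS = [
    ("email",  "2019-03-01 09:00", "您好，附件是本月的账单，请查收。谢谢"),
    ("email",  "2019-03-08 10:30", "您好，合同已更新，请确认。谢谢"),
    ("email",  "2019-03-15 11:00", "本月的发票已寄出，请查收。"),
    ("wechat", "2019-03-02 21:10", "这个月的茶已经到了"),
    ("wechat", "2019-03-09 22:45", "下个月的茶再加两份"),
    ("wechat", "2019-03-10 08:05", "账单的事明天再说"),
    ("wechat", "2019-03-16 23:30", "茶的钱已经收到"),
]

def char_counts(records, source):
    """Count CJK ideographs (U+4E00..U+9FFF) across one source's messages."""
    counts = Counter()
    for src, _, text in records:
        if src == source:
            counts.update(ch for ch in text if "\u4e00" <= ch <= "\u9fff")
    return counts

def rank_outliers(records, target="wechat", baseline="email", min_count=2):
    """Rank characters by how over-represented they are in target vs. baseline."""
    t, b = char_counts(records, target), char_counts(records, baseline)
    t_total, b_total = sum(t.values()), sum(b.values())
    vocab = len(set(t) | set(b))
    scores = {}
    for ch, n in t.items():
        if n >= min_count:  # ignore one-off characters
            p_t = (n + 1) / (t_total + vocab)      # add-one smoothing
            p_b = (b[ch] + 1) / (b_total + vocab)
            scores[ch] = math.log(p_t / p_b)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def timeline(records, ch):
    """Messages containing ch, from every source, sorted by sent time."""
    hits = [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), src, text)
            for src, ts, text in records if ch in text]
    return sorted(hits)

if __name__ == "__main__":
    top_char, score = rank_outliers(RECORDS)[0]
    print(top_char, round(score, 2))
    for when, src, text in timeline(RECORDS, top_char):
        print(when.isoformat(sep=" "), src, text)
```

A character that ranks high here is only a lead for review: ordinary chat vocabulary also scores above formal email language, so each candidate still has to be read in context along the merged timeline.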
No More Mr. Nice Guy
Fueled by the discovery of this code word, Tom combined multiple sets of data into a single timeline of the course of events, all tracked by time stamps.
"In his email, the employee was using niceties and friendly salutations. But with Relativity, we located within WeChat the raw messaging divulging his plan and found out exactly how long the mission had been going on," Tom explained. "And perhaps even more importantly, we now had the context we needed to calculate how much money he owed back to his employer, which had reimbursed the wronged customer."
Within just a few days of searching across disparate sets of data, including a mix of Chinese and English documents, Tom located each occurrence of the employee’s off-the-books billing. As a final validation, he created a heat map within Analytics to help visualize the hot documents to ensure they weren’t missing anything else. When the D4 team shared the final results with their client, the company was confident they had what they needed to move forward.
"Without the scalability and flexibility of Relativity, we would have been reviewing these files for months," Tom said. "Being able to handle, and manipulate, these unique data sources like WeChat is imperative. Relativity flawlessly handled the sources just like text, and within just a few days of searching, we had the evidence needed to move forward with bringing the bad actor to justice."