“Follow the money” was the whispered comment by Deep Throat in an underground car park to the Washington Post reporter Bob Woodward in 1973 during the Watergate investigation. Today this famous phrase remains as important as ever as billions of pounds are increasingly being stolen, laundered and hidden by dictators, oligarchs and fraudsters.

My sources tell me that Crown Prince Mohammed bin Salman, the de facto ruler of Saudi Arabia, has recently revived his investigation into what he says are stolen funds by Saudi Princes, businessmen and officials. The tracing of secret bank accounts is a top priority for investigators hired by the Crown Prince’s regime.

But tracing dirty money remains extremely difficult. This is primarily because corrupt individuals deploy a raft of data protection and banking secrecy laws to hide their ill-gotten gains. They are rich enough to hire the best lawyers and accountants to protect them – and their loot – from exposure and prosecution. The trail often runs cold and key bank accounts are emptied long before the prosecutors can freeze their assets. And law enforcement agencies and lawyers running multi-million pound asset recoveries insist that information must be obtained legally.

But now a new asset tracing software could provide a breakthrough to track down stolen funds in secret bank accounts and send a shiver down the spine of global plutocrats and kleptocrats. Known as the ‘GreyList Algorithm’, the method is deceptively simple.

“We can legally trace hidden accounts by testing email addresses for direct contact with every bank in the world”, said Robert Duffield, Chairman of GreyList Trace Ltd which has developed the new algorithm. “At the heart of our technique is the fact that email addresses are used worldwide to register new bank accounts”
Since 2013 GreyList Trace has built up a database of 200,000 banks and branches – approximately 98% of every bank in the world. According to Duffield, this is how the operation works: a client supplies GreyList with an email address of a Person of Interest – suspect or defendant – which is stripped of personal data and loaded as a digital string into the GreyList Algorithm.

This is then dispatched – rather like an anonymous email – to every bank in their database. When the string arrives at a bank it is intercepted for processing by the spam filter which is set up to protect email servers from junk emails. By international agreement and common sense, every bank in the world maintains these digital shields.

Every email received at any spam filter asks this key question “Have I been here before”? The answer determines how it will be treated before being accepted into the email server. If the answer is “Yes” then, by definition, the incoming email address will be on the bank’s ‘Whitelist’ and given permission to be delivered to the server. If the answer is “No”, then the incoming email address will be given ‘Pending’ status which is called the bank’s “GreyList’.
There is a measurable time difference between Yes and No which the algorithm can calculate. If the answer to the question is “Yes” (ie. the email address is on the bank’s WhiteList) then there is a 98% probability that the email address was used to register an account at the bank.
All potential clients of GreyList, notably lawyers, law enforcement agencies, business intelligence executives and forensic accountants, ask the same question: “Is this legal and surely this is hacking?”.

Duffield, a former investigative journalist and business intelligence investigator, already has a QC’s opinion to counter this concern. “The algorithm is legal because it calculates time differences at the spam filter without inserting or subtracting any information into any computer system”, he said. “Crucially, strings of code are programmed to self-destruct. We have deployed hundreds of millions of strings to every spam filter in the global banking system and there is no evidence that any have entered any email server”

A search of the GreyList global database of banks takes about a month and for each target email address it deploys around a million strings of code. “Our Output Reports are simply lists of positive ‘hits’ – banks that have ‘whitelisted’ a target email address”, said Duffield . “They do not contain any financial, personal or account information”

The GreyList Algorithm reduces a set of 200,000-plus banks and branches in the world to a handful of high probable locations of hidden money. As it appears to be legally obtained, the intelligence contained in GreyList Output reports can be deployed through the courts to force banks to disclose account information linked to defendants who are being prosecuted or sued for stealing billions of dollars from companies and governments.

The potential of Greylist is enormous, especially in the post Cov-19 world when nation states and companies are short of money. Government agencies, like HMRC and the National Crime Agency have strong legal powers to trace stolen money. But as soon as it leaves their national jurisdiction they often find themselves blind and/or powerless. Even if there is a route via international cooperation, it is a frustrating, time-consuming and long and winding road.

Case Histories

1. Greylist was instructed to trace 20 email addresses linked to three individuals in 13 countries, mostly UK tax haven countries. The clients had judgments against all three individuals who claimed they had disclosed all their assets. The case had been rumbling on for years and the clients had nearly exhausted their funds chasing many millions of pounds. In just two weeks Greylist found 15 new banks in eight countries. GreyList was prepared to give evidence in court. But after reviewing their report, the defendants settled immediately.

2 Three South American criminals were the focus of a $4 billion freezing order linked to a long-standing drug smuggling investigation. Within six weeks GreyList identified 11 new banks – several of which were unknown to the client. Asset recovery proceedings are ongoing.

At the outset the client did not have any email addresses for their targets. It is a feature of many of their cases that clients supply GreyList with a certain number of email addresses which they then validate. But in this case the software identified a number of additional email addresses linked to the target.

3. GreyList was instructed by a firm of investigators with a mandate from a Sovereign government to trace and recover several billions of dollars in assets stolen by a family group. GreyList identified seven banks in five countries. Further work revealed a number of additional banks. Legal action to recover assets is now underway.