>> A prosecutor, Micah Fergenson, though, said JPMorgan “didn’t get a functioning business” in exchange for its investment. “They acquired a crime scene.”
I do not understand how an acquisition this big got thru due diligence without noticing all the fake users. Anyone in corporate M&A know if it is normal to spend this much money without inspecting the goods? Seems like the most basic of OLAP queries and two days of effort would reveal very suspicious userbase.
Back in the nineties, Philips was days away from signing a licensing deal for a revolutionary video compression technology that compressed whole movies down to 8KB. The former Philips CTO was a strong believer. And then the inventor died and nothing ever came of it.
To be a fly on the wall during due diligence meetings between Philips engineers and management.
Video codec compression scams remained popular even in early 2000s. I worked for a very large public tech company. One of the top 10 in that era. And they fell hard for scammers from Las Vegas that promised revolutionary audio/video compression. We had to sign all sorts of NDA and couldn't look under the hood of what they delivered to us under penalty of breach of contract and all that stuff. I "accidentally" ended up looking under the hood and couldn't believe what I found. I reported the findings to my manager and told him to do what he wanted to with that information.
Long story short, the whole project got shut down and about 200 people working on project lost their jobs. Myself included. Luckily I quickly landed at a better place working on more meaningful things.
> I reported the findings to my manager [...] the whole project got shut down and about 200 people working on project lost their jobs. Myself included.
Good for you for reporting the threat. But I'm a little surprised that they let the messenger get killed along with all the other innocents.
I knew someone who whistleblew to C-suite, about misrepresentations they realized, on something that was then an existential threat to one of the top companies in its market. A series of layoffs and (IIUC) some M&A later, most of the employees were gone, but that one middle-aged engineer who warned C-suite (averting an even worse fate for the company) escaped all the layoffs, and was still there.
I’m sure that that one line manager who reported the fraud to the CEO was well rewarded. How he learned what he did? We’ll never know. Too bad his team had to be let go.
> But I'm a little surprised that they let the messenger get killed along with all the other innocents.
There was bad blood between the managers. My immediate manager bypassed his immediate manager and went above a few levels. Top management lost all confidence in the team and decided to can the project. We were all treated as peasants and told to find other jobs inside or outside the company.
> I "accidentally" ended up looking under the hood and couldn't believe what I found. I reported the findings to my manager and told him to do what he wanted to with that information.
What did you find? Low bitrates? Smaller resolutions? Enquiring minds want to know.
It was not a very sophisticated scam. The vendor had rebadged an opensource software I was very very familiar with. The only changes they had made were to rename things and fudge the reported stats.
It was not all that dissimilar from what Nikola Motors did when they pushed a non-working Hydrogen truck down a hill and filmed it and said look, the truck is working great. They too were caught. And eventually got an Italian company to produce a truck and put their name on it. And then eventually went bankrupt. But not before the officers, including the founder made bank on the entire scam. CEO was convicted of fraud. But he paid/donated $1m to Trump and was swiftly pardoned.
I mean, that would work. It's going to be the reason AI video compression works; people are okay with an AI model being 1GB but they wouldn't put up with libavcodec being 1GB.
It's a valid codec move to have 1GB in the codec but to be able to compress arbitrary video with it, or even just arbitrary video within a certain specialized domain. Having those requirements will affect all the cost/benefit decisions that get made when people decide whether to use it, but if it outperforms on other metrics it may be something that wins in some places.
I believe lumost is referring to the actual video being used for testing being embedded in the codec. That is not a valid move; it compresses just that one exact video arbitrarily small (honestly anything above zero bytes is just sandbagging, you can always map the empty file to your test video, for INFINITE COMPRESSIONS!!!1!) but nothing else.
>> people are okay with an AI model being 1GB but they wouldn't put up with libavcodec being 1GB.
If people are happy with the results of the libavcodec, you could rebrand it as "libavcodec-ai" and now you have a more effective codec that might be bigger, but is now palatable to users :-)
Between this and the other compression scams mentioned in the thread, is there any connection to the show Silicon Valley? I haven’t heard of this genre of scam before but it sounds a lot like the premise of pied piper!
I did DD on that for another group of investors and caused them to walk away. Interestingly, they too were scammers but of a completely different level.
I think the 'inventor' (loose use of the term, nothing really got invented) was a true believer, he basically thought that if only he could get his hands on some capital that he would be able to make it work. He simply did not have the background required to see that it could never work in the way that he proposed. Nicely faked demo though :)
I would do a write-up if I didn't think the case was more of a sad one than of someone trying to rip off investors, Jan Sloot just wasn't that kind of guy from my interaction with him. Maybe he did invent something: "Fake it before you make it".
I've occasionally been asked by an investor to do DD on some inventor's idea. Whenever it's an obvious scam I turn down the job. If I tell the truth and say it's a scam, the "inventor" will sue me. If I lie and say the technology has promise, the investor will sue me when he loses his investment.
>> I've occasionally been asked by an investor to do DD on some inventor's idea. Whenever it's an obvious scam I turn down the job. If I tell the truth and say it's a scam, the "inventor" will sue me. If I lie and say the technology has promise, the investor will sue me when he loses his investment.
Wouldnt the non-confrontational approach here be to agree with everyone on a benchmark, build up the benchmark, and showcase results?
Probably. The problem is that scammers are very clever with demos e.g. there's always a battery hidden inside the free energy device and they won't let you take it apart. One can work around such obstacles with very carefully designed tests, but then the scammer makes up some excuse not to agree to those conditions so you have to go back and forth and it becomes so expensive to do the DD exercise that the investor cancels the project.
Some people might be able to make this kind of business work but I don't have the patience or the political skills for it.
A key part here is that your advice to your customer is confidential. They simply should not release it unless it is under your letter of non-reliance. That said, yes, scammers are - by far - the most aggressive (they know they're scammers, after all, and you are between them and their goal, which is to get funded, not to provide a product or a service) but it is up to your customers to hold the line there. Weak customers may end up being intimidated, that can be an issue.
He's a windbag. I never understood how they could even think of making him head of Philips. And to this day he claims that Sloot's box worked. The group I worked for was a bunch of wealthy Dutch guys, several of whom ended up defrauding other investors. Great little world...
I came up with a similarly impressive compression scheme as a young teen, shortly after I started programming.
It was beautiful in its simplicity. Take 5 bytes, compute a 4-byte checksum, and just store the checksum. After all the chances of a checksum collision is miniscule.
When decompressing just iterate over all 5-byte values until you get the correct checksum.
The fantastic feature was of course that you could apply this recursively if you needed higher compression ratios.
Took me a good hour or so before I caught up with reality.
DOS International was a German magazine in the early nineties with excellent technical explanations and program listings. One of them was a super compressor that used your recursive technique. I didn't quite understand the details that were given in the description of the algorithm (I blamed my mediocre understanding of German), but it sounded legit.
So I spent a good hour to type in a page of impossible to follow C code with obscure numbers in lookup tables and all it did when I ran the program was to print out "April 1., April 1.".
I had another hairbrained idea once. Let's say you want to compress the number 5384615385. Find two numbers x and y so that x/y equals some number whose decimal part is 5384615385. In this case, that's 7/13. So the compressed output is just 7 and 13, which could be encoded very succinctly, thus saving lots of storage space; and decompression is just multiplying numbers.
Unfortunately, while the idea works for some input sequences, most numbers aren't rational, and most sequences would require numerators/denominators that would be larger than the input. So not practically feasible.
A variation on this would work, but alas we don't have the math tools as yet.
The idea (not mine) is that you can think of data as "very large numbers". So a 4096 bit number is just a big number.
Well, we have a short way to generate big numbers. x^y.
So given a big number (say 800 000 bits) we could generate a (Hopefully short) expression of the form a^b + (or minus) c^d + ... etc.
Unfortunately the "factorizing" (and indeed ecpansion) of a large number in this way can't (currently) be done quickly.
But in concept enormously large binary files could be compressed to tiny strings.
It would not work for arbitrary inputs. See the pigeonhole principal: you can’t represent all possible n-bit values with fewer than n bits, because otherwise you’d have at least one case where multiple input values map to the same output value. On decompression, which one do you go with?
And if that’s not convincing, then consider that any perfect compression scheme would be able to compress its own output even smaller, until you end up with a single bit output for any possible input.
So no, that wouldn’t work in general. Some specific values may compress well, but most others can’t. It’s not a matter of difficulty of finding the right answers, as much as you probably can’t do it.
To add to this, useful compression algorithms exploit patterns in the input data. A common pattern to target is repetition, since most files contain lots of repeated byte sequences.
The pattern that factorization targets are numbers that factor well. I doubt this is a pattern you’d find in any file worth compressing, it doesn’t have a clear relationship to file data.
Aside from the factorizing cost, I suspect decompression will also be prohibitively slow. Exponentiation, multiplication and addition such large range numbers could still end up prohibitively expensive.
In addition to the performance problems there's the basic fact that no such scheme can possibly work (as proven by the pigeonhole principle).
High compression rate schemes that actually work compress high likelihood inputs and expand low likelihood inputs by accounting for the characteristics that make inputs high likelihood--e.g., redundant highly patterned texts. Schemes that are agnostic about the input, like the one described here, are as likely to expand any given input as they are to compress it.
Once upon a time, I was strenuously recruited by a startup with similar, if not quite as extreme, codec promises. When I understood that my job would be rigging demos while trying to realize the non-software founder’s “algorithm”, I pretty much had to fake my own death to escape them. Shudder…
Perhaps you can help me; I can't find the original story of the following.
A similar scam was being demonstrated to transmit data wirelessly at a very high speed due to some fancy compression. The demo was between stations with a river in-between.
The investigators lifted the box and found an optical cable which was buried and went under the river.
If I hadn't seen something like this myself I would never believe it. In the late 90s I worked at a very large tech company, for the CTO. The company was considering investing in a startup that claimed to be able to transmit fiber-like data rates on high voltage transmission lines, somehow by using microwave. I was asked to comment on this. Within a few seconds I said it had to be a scam per Shannon, and at any rate said high voltage lines typically already have fiber on the ground wire at the top of the towers. The company went ahead with the investment.
I think I remember this, or a similar scam around the same time. What stood out to me is that one of the big six was hired to certify the legitimacy of the "black box", despite the obvious mathematical impossibility. I'm trying to find the firm ... Hm, according to Google AI it was Ernst and Young (I did a search for Ernst certifies compression technology 1990s). They apparently did two different "audits or demonstrations.
I was working at Andersen Consulting at the time, offshoot of Arthur Andersen. The Arthur Andersen that signed off on Enron (AC had before then become Accenture and separated from the audit partnership).
I chuckled to myself a few years later when the NBA draft lottery was signed off on/audited/witnessed by another Big6 firm. Yeah, give them enough money and they'll "audit" anything within some degree of plausible deniability.
So bizarre! It really shook my belief in Philips' competence at the time.
I mean, take a 100 minute movie, sliced into 1-second clips. 8kB is not even enough to store all possible orders you could put those clips in. I would hate to think so ill of any of my friends or colleagues to think that they could believe such an obvious fraud.
> I mean, take a 100 minute movie, sliced into 1-second clips. 8kB is not even enough to store all possible orders you could put those clips in.
Using a low hurdle to show it still failing is a good rhetorical technique, but you lowered your hurdle too far here. Yes technically specifying the order of 6000 segments takes more than 8KB. Because it takes 8.14KB. That's a rounding error. What could have been a useful argument is now a nitpick. And what if the movie was only 98 minutes, now it fits? What a mixed message.
It's a good reference point, but I'd replace "is not even enough" with "would only be enough".
Is it a sort of reversible pseudo-hashing function even possible? Or something like a seed in a deterministic procedural generator. You could store arbitrary data in a few bits. 8kb for all the redundancies and metadata even.
On a second thought, the compression alone would destroy information. NVM.
She pushed back on any direct vetting of the list using privacy laws as a shield and JPMorgan didn't challenge it due to competitive pressure to get the deal done ASAP.
Clearly, if only 10% of the list was real, it would be pretty easy to validate that with a small random sample.
The way that due diligence would have discovered this was not to take the list and start doing spot checks on it.
The way due diligence should have found this is that it should have been written all over the financials. What do you mean you have 4 million customers and a support staff of 20? What do you mean you have 4 million customers but your revenue is {clearly too low}? What do you mean you have 4 million customers but your website spend is {clearly too low}?
It's over an order of magnitude. It should be written all over the company. Experienced DD should have smelled a rat within about 2-3 hours, although nailing it down could take much longer. The logical conclusion I draw is that there was no experienced DD done. In isolation this would a tough claim, however, I look around and I see a lot of Wall Street activity on this time frame that shows no evidence of Due Diligence being done and it seems to be part of a pattern.
(The question of why there was no DD is a separate one.)
> What do you mean you have 4 million customers and a support staff of 20?
Sure to the rest, but: Whatsapp had 55 employees and 450 million users when it was acquired. It's at least conceivable to tell a story (lie) that's two orders of magnitude smaller. (And the real number was "only" off by one zero.)
Whatsapp elaborately explained how it was doing this to the public, it was with a technology (Erlang/OTP) that had rarely been used before, and that technology had been designed for and very successful in an almost identically shaped context (telecom switches.)
Also, more obviously, people you knew were using it every day. 450M is different than 4M, and way different than 300K. If Whatsapp were lying and saying they had 4.5B users, I'd expect JP Morgan to catch that within a few hours, too.
> Whatsapp elaborately explained how it was doing this to the public, it was with a technology (Erlang/OTP) that had rarely been used before, and that technology had been designed for and very successful in an almost identically shaped context (telecom switches.)
Sure. But the point is, Whatsapp had 0.5 total employees per 4 million users, and Frank had 20 support employees per 4 million supposed users.
Even if you think Whatsapp has a massive advantage, those numbers don't make it look like Frank is the one that's lacking in staff.
> Also, more obviously, people you knew were using it every day. 450M is different than 4M, and way different than 300K. If Whatsapp were lying and saying they had 4.5B users, I'd expect JP Morgan to catch that within a few hours, too.
For these reasons it would be much harder for Whatsapp to lie that way.
The corollary of that is it would be much easier for Frank to do it.
WhatsApp doesn’t need staff because they weren’t processing regulated financial transactions. Thr app operated in a best efforts basis since it was mostly free. You don’t need customer support staff for that — there is no support.
FWIW, around 1/3 of the 55 were customer support. That's not a lot of support per user, but it's not none. And it is enough to get lots of feedback to engineering about things users are having trouble with, because the better you make the product, the less overloaded customer support is.
> Whatsapp had 55 employees and 450 million users when it was acquired.
WeWork had the opposite problem. A lot of employees and expenses and not enough paying users. Having lots of employees and lots of expenses by itself doesn't mean much. WeWork still got billions in funding. Due diligence was an issue there as well.
Consider it holistically, rather than one at a time. Every company has its own footprint of "per customer" resource usage, and every company probably has unusually low aspects one way or another, but when a company comes back as "low" to "very low" for every such metric, it's time to investigate harder. Maybe they're just that genius, or maybe there's something about the company you don't understand yet, or maybe they're cheating you... the whole point of due diligence is to resolve those "maybes" into "certainlies", because they all factor in to your decisions.
> Sure to the rest, but: Whatsapp had 55 employees and 450 million users when it was acquired.
JPM regularly acquires businesses that do not look like WhatsApp and look more like Frank. For 99% of the acquirers out there, seeing a business with $450m in ARR with 55 employees definitely makes your eyes bulge.
The problem here is this wasn’t about MAU. JPMorgan wanted a verified student data asset they could market to, so stale accounts were fine. Diligence focused on whether Frank had “records” (name, email, DOB, etc.), not whether those records were active.
Beyond that, JPMorgan didn’t want to push too hard and risk blowing up the deal as there was competitive pressure. Calling out “these numbers seem odd” could have spooked Jauvice, and they figured the reps & warranties in the contract gave them enough protection if things went south.
Funny how that has the exact same shape as a typical scam targeted at individuals. They usually rely on creating a sense of urgency and the sense that you could blow the whole thing if you aren't careful. A warrant scam will tell you that they need payment (in gift cards, of course) right now or you're going to jail, and likewise if you hang up or tell anyone what's going on (and thus might have someone tell you that you're being had) you're going to jail.
Not far off from "you can't inspect the business you're buying too hard, or the deal is off." And just like with individual scams, that should be a sign that it's shady and you should bail out.
Of course, but this is basic human psychology when power asymmetry is at play. Frank "held the cards" in this deal, so to speak, and was helmed by a CEO that demonstrated sociopathic tendencies willing to do whatever it took.
You can of course hold to a particular standard, but if a competitor is willing to relax that standard, you lose a distinct advantage.
> they are now vulnerable to scams and you are not.
if the scam is not going to hurt the agent (in this case, the CEO responsible for the buy out), and the success is going to reward the agent, then the incentives are not completely aligned between the agent and the principle.
So signing the deal with less due diligence, then correcting it later (if needed) seems more profitable to the agent, while the principle takes all of the losses (if any).
>> The problem here is this wasn’t about MAU. JPMorgan wanted a verified student data asset they could market to, so stale accounts were fine. Diligence focused on whether Frank had “records” (name, email, DOB, etc.), not whether those records were active.
This isnt about inactive data, they had an outside data scientist create an artificially generated usage dataset!
JPMorgan thought they were getting legitimate users of the product at some point in time - they didn't care whether or not they were currently active, hence vetting ops didn't really matter much.
A good fraudster has a good chance in any space where users don't pay for the service. Users, traffic, basically everything that isn't cold hard cash can be faked very well these days.
Is it just me, but doesn't it seem like the concept of Frank as a business just sounds like it wouldn't have lived that long and that it might even be predatory? Frank got in trouble with the Department of Education because they used the term "FAFSA" in their domain name. I was lucky enough to have mentors in my life who warned me away from clicking on sponsored links to paid preparers if I ever decided to Google search "FAFSA". So it makes me suspect like part of their business strategy was to convince low-income students who have great difficulty submitting the FAFSA to pay them to submit it for them. I don't recall what the environment was like years ago, but there had always been a desire on the part of ED to make the FAFSA easier to fill out, and this would have totally eroded the value of Frank even if it was a legitimate business. What's also confusing is that at some point they apparently had a `.org` domain, so maybe they were also a non-profit?
Apparently they also had some kind of service to submit an aid appeal letter to the student's financial aid office. This is also a ridiculous service for low-income students to pay for because I can almost guarantee that Frank wouldn't have the context necessary to actually convince a college's financial aid administrators to give more money to one of their users.
It's almost as if the people considering the deal might have been focusing more on the financial education aspects of Frank instead of how they actually would interface with the FAFSA.
As I mentioned a bit further down, the blind spot here is they really only cared about the user list. The product itself was immaterial, so they might have overlooked or simply not cared about some of the shadier tactics to acquire it.
Agreed. FAFSA is a bit tedious to fill out but it’s not difficult. No need to pay someone to do it. They’re just going to have to ask you for all the same information anyway.
> She pushed back on any direct vetting of the list using privacy laws as a shield and JPMorgan didn't challenge it due to competitive pressure to get the deal done ASAP.
DD guy here.
This is more common then people think. M&A deal dynamics are funny and this is usually a tactic that investment bankers who represent sellers use. According to my cursory research she didn't use an investment banker. For someone fresh out of biz school with no M&A/banking experience that's umm...BOLD.
You could also obfuscate all PII and just join the user table with the website clickstream table and notice that only 10% of the users had any associated clickstream.
Presumably JPM didn't have prod db access to run whatever queries they want, and had to ask for access. They also faked user tables. What makes you think they wouldn't have faked the user activity table as well?
Ok so sometimes when people come to me for an angel investment I ask to look at their Pendo/GA records. I mean you could fake those, but that’s a lot of work and possibly harder than actually getting the business in the first
Right, it doesn't change the direction of criminality. But nonetheless JPM is out that money regardless (maybe some will get clawed back, but probably most of it was spent). "I got scammed and the perp is going to jail" isn't a good excuse to tell your boss about you lost $175M, either.
Lessons abound here. Slow down on the tech habit folks, especially if you're an investment bank and not a VC incubator.
>JPM is out that money regardless ... probably most of it was spent
an MBA entrepreneur who starts a business and sells it to you for $175 million through normal channels is not likely to spend the money. this wasn't a fund wiring scam.
She never had the full proceeds in her possession. Remember, she had investors. She was venture-backed startup. She likely only had somewhere between 10% and 25% of the equity at the time that she sold the company.
>> She never had the full proceeds in her possession. Remember, she had investors. She was venture-backed startup. She likely only had somewhere between 10% and 25% of the equity at the time that she sold the company.
How does this work for the VCs? Does JPMorgan claw back money from the VCs? What if the VCs distributed to their LPs...does money get clawed back from the LPs?
I wonder if there was an aspect to it where the scam was so audacious that they figured it wasn’t a scam. Like a “there’s no way they would generate millions of fake users which would obviously get caught post-acquisition, we must be missing something”
I dont think they had to lie to Yahoo to do it though. Everyone believed in the froth of dot-com and plenty of dumb money just there for the taking from the likes of Yahoo. Kinda like today with all the AI froth.
One previous company I was CTO of got acquired by Amazon and they spent 60 days going through everything, including every line of code. I doubt a fraud of this caliber would have gone unnoticed with that kind of due diligence.
Sometimes I wonder if there is a lot of scrutiny in small things but when things get large and complex they basically give up and wave it through.
I see a similar thing at my work in medical devices. In theory we have to validate all libraries we are using. So if you want to share some code you have to create a ton of documents. But when we use something like nodejs with hundreds of dependencies the whole process basically gets handwaved away because validating everything would be too much work.
I wouldn’t be surprised if they waved it through because “who would be dumb enough to provide us a fraudulent list of customers?” She was always going to be discovered once they tried to market to the list. So I could see them speedrunning due diligence under the assumption that, if it’s totally fraudulent, it will be obvious eventually and then we’ll sue her. The deal is not large enough to affect our bottom line, and the obvious risk of defrauding us makes it unlikely she’s defrauding us.
It's not that complex, there was nothing technical here. You could say this was 'social engineering' at some level.
She pushed back against access to the customer list claiming privacy laws as a shield. JPMorgan was overly eager and didn't want to blow up the deal by challenging her.
In programming, this is called bikeshedding. You present plans for some massively complicated industrial plant, and people will mostly skim it. Then you want to build a small bike shed for construction workers to use during the project, and now that they're presented with something understandable, everyone involved has to have input and the whole process drags out.
If you read the details in some of the earlier articles about this, they avoided plenty of due diligence. But she also went to great lengths to prevent them from completing that due diligence. And for the minimal due diligence she did permit them to undertake, she only ever sent them fraudulent data and documentation.
There was an article on Bloomberg or WSJ that said the Director in the acquisition had a Teams chat where she said "sometimes you don't need to do due diligence at all" lol
I'm sure there are those that have had different experiences, but I've been party to several M&A due diligence exercises (including >$1B) at a large financial and there is *tremendous* pressure (on both sides) to move quietly (MNPI baby), quickly and not destroy your relationship with the acquired entity in the process. The business wants the sale to close, you're looking for issues that could be leveraged in the deal and/or actual show-stoppers. The interactions are clumsy as they are managed through third party portals that keep the data locked down and in escrow. The sell-side entity still has every right to protect their intellectual property until it's parceled in a contract, so you're not going to get access to shit (unless they are stupid I suppose). It's going to be in an audit-like situation where you are going to ask someone for samples (which obviously can be groomed) or doing screen shares and taking screenshots or similar.
The fact that the acquirer is large is somewhat immaterial, the teams 'under the tent' doing the investigation are going to be relatively small on both sides, including folks from the business trying to close the sale, internal/external counsel and singular SMEs from relevant domains.
I've been involved in a lot of due diligence efforts, from the tech side but I've seen all angles of it as the deals are often fast and intense and the various teams have to often coordinate to a degree (tech, legal, financial, tax, etc).
It is fairly common for the people initiating the acquisition to really want to close it in a hurry, and they do due diligence only as a check mark in someone's list. As someone else here mentioned, there is enormous pressure to close, and any red flags are often redirected, reworded, or even occasionally just squashed.
The further away a company is from something like private equity, who does acquisitions like we eat breakfast every day, the more likely you are to see rushed and potentially botched due diligence. Someone like a big bank may well have the main proponent not know anything at all about acquisitions or due diligence, and just wants to "get 'er done".
It is also very common for people to come in after-the-fact and do a second diligence, and while doing that diligence to hear one or more people opening the conversation with "I warned them about this before the acquisition...".
At the end of the day, particularly in a big public corp, people are focused on their bonuses and total comp, and people like that aren't going into a due diligence looking for red flags and "no's".
This. Why bother going through DD properly if you can just sue the seller later if it turns out everything isn't what you expected?
I get that this is about the seller lying during the sale process, which is appropriate imho, you shouldn't be able to just lie about stuff like this. But it's the DD team's job to spot this stuff, that's what DD is all about. I notice the judge criticised the bank as well, which is a step in the right direction.
I've been part of due diligence from both sides of the table both in investment situations and cases of M&A activity. You're not really set up to detect out and out fraud like this. For one thing there might be a limited subset of data you really have access to (eg in this type of situation they may not have been in a position to see all the row level customer records before signing because they were competing for business in those customer segments so it is reasonable to restrict access. You might get aggregate data that looks sane and have to go on that for instance.
Secondly you may not actually have the time needed to check things out properly. There's often deadline pressure where the deal has to complete by a certain date or it triggers break clauses or some other party gets a right of refusal or whatever so often the clock runs out even if you would otherwise be able to do the analysis.
> Meanwhile, Amar purchased a list of 4.5 million real college students and their data from ASL Marketing for $105,000. Frank executives later supplemented that list — which only had email addresses for a portion of the students — by purchasing more data from an information services company.
- a fraction of the board gets all gung ho on buying something
- board-1 gets marching orders to do due diligence. those people are typically aware of the sentiment in the board. they delegate to their underlings and share what they think the board wants,
- if you say no, you are guaranteed to upset one of your bosses. if you say yes, its typically a positive (your boss is happy),
- most M&As are typically bad ideas. Its typically nobody's fault when the thing is written off by the next management and nobody seems to mind that much. People who waved through the due dilligence are proper executives by then and the cycle continues.
Incentives are mis-aligned, and on top of this there is usually (a) not a lot of time and (b) a veil of secrecy. Missing those fake emails does not surprise me.
I remember when HP announced their plan to acquire Autonomy. I was very familiar with their tech and their status in the industry at the time and knew they were approaching irrelevance with no chance to boost sales of anything. They completed the deal anyway, which was followed by HP firing their CEO, lawsuits for misrepresenting their financial status and a complete writedown of the total acquisition cost. It seemed so obvious to me and my colleagues were doing integrations and software procurement and yet HP was completely blinded by everything besides their fabricated balance sheet.
Different burdens of proof. The fraud charges in the US were criminal in nature which required a showing of guilt beyond a reasonable doubt. The fraud in the UK arose in the course of a civil trial with a lower burden of proof (balance of probabilities).
You often don't get to "inspect the goods" at a user by user level.
Put yourself in the shoes of a non-fraud company where the asset is your customer set. Do you let JPM go through line by line confirming each one? No, you do not. You give redacted data or aggregate data.
In eyeballs/non-paying user businesses, this is just going to happen sometimes. In practice you don't get to do the diligence you want to do sometimes.
There is no magic in buying/selling businesses, just put yourself in the shoes of the seller. JPM promise not to ever use that customer list you put in the data room should the deal fall over? How would you ever know if they did? You wouldn't trust a potential buyer and in practice companies do not. They'll put information in the data room, but not customer level details unless anonymized at which point you are back where you started as far as validating users.
So you are left with various legal/contractual solutions - things like "representations and warranties" (ask chatgpt about them), escrow agreements etc etc. And when it all goes to hell you go to court with your contract and attempt to get the money back. Such is life.
I'm not surprised. Was part of an acquisition by a large F100 company. There were some "interesting" accounting calculations that we discovered 2 years after.
I'm involved with a company taking some investment from the outside. We're really just sending them copies of our documents and data.
IF someone chose to blatantly lie on that paperwork (we're not), I'm not sure how much they could spot.
In the meantime this outside group isn't querying out DB that's for sure, but even then in the example of this case, they actually generated fake user data and records.
I'm not saying you're wrong generally, but I think a lot of due diligence really does trust that someone wouldn't blatantly fake ... everything.
I do not understand how an acquisition this big got thru due diligence without noticing all the fake users. Anyone in corporate M&A know if it is normal to spend this much money without inspecting the goods? Seems like the most basic of OLAP queries and two days of effort would reveal very suspicious userbase.