“An internal investigation revealed that Javice and Frank chief growth officer Olivier Amar — referred to as "CC-1" in the federal charges — paid a New York data science professor $18,000 to create nearly 4 million fake accounts in order to juice Frank's user numbers, JPMorgan alleged in its lawsuit. Amar later bought a list of student email addresses from a marketing firm for $105,000 in order to make those accounts seem more credible, JPMorgan alleged”.
If they’re that incompetent that they need to fake their database and think it’s a good idea, there’s little surprise that they’re also too incompetent to realize that task is only a couple hours of coding.
"""
After the August 3, 2021 Zoom meeting, the Data Science Professor returned a
signed version of Frank’s NDA. The Data Science Professor’s usual hourly rate was $300.
Javice unilaterally doubled the Data Science Professor’s rate to $600.
[...]
Specifically, on August 5, 2021 at 11:05 a.m., the Data Science Professor
provided Javice an invoice for $13,300, documenting 22.17 hours of work over just three days.
The invoice entries show that the bulk of his time was spent on the main task that Javice retained
the Data Science Professor to perform – making up customer data. The Data Science Professor’s
invoice indicated that he performed “college major generation” and “generation of all features
except for the financials” while creating “first names, last names, emails, phone numbers” and
“looking into whitepages.”
In response to the initial invoice, Javice demanded that he remove all the details
admitting to how they had created fake customers – and added a $4,700 bonus. In an email to
the Data Science Professor at 12:39 p.m. on August 5, 2021, Javice wrote: “send the invoice
back at $18k and just one line item for data analysis.” In total, Javice paid the Data Science
Professor over $800 per hour for his work creating the Fake Customer List, which is 270% of his
usual hourly rate.
The Data Science Professor provided Javice the revised invoice via email seven
minutes later at 12:46 p.m., commenting “Wow. Thank you. Here is the new invoice.”
"""
It sounds like his initial invoice was quite clear in the work completed, then updated at the client's request. So while you can argue moral grounds for not doing this work, I don't think there's illegality, i.e. conspiracy.
I mean if you are a professor and knowledgeable in how the startup uses the data, it’s hardly justifiable that “oh crap i didn’t know they were using it for illegal purposes”.
This is spoken to [in the full complaint][1]. The data scientist was told Frank really did have 4 million users, and the scientist only needed to generate this "synthetic data" as a way to "anonymize" their "real" data. I.e. the scientist was duped:
JAVICE told Scientist-1 [...] that she had a database of approximately 4 million
people and wanted to create a database of anonymized data that mirrored the
statistical properties of the original database (the “Synthetic Data Set”).
[After JAVICE sends Scientist-1 the data], Scientist-1 understood that the data
available via the Access Link Email -
**a data set of approximately 142,000 people** (emphasis added) -
was a random sample of a larger database which contained data for approximately
4 million people. In fact, that data represented every Frank user who had at
least started a FAFSA.
I read in an earlier report that their own developers refused to do the task. [1] Not clear if the professor knew what the fake data was being used for.
That's pretty reasonable imho. Probably took several days of back and forth to establish what they wanted. Then a day to knock up the script, generate the output. Now several more days of back and forth about whether it's what they really wanted. Pad a bit for the risk that they never pay, possibility of legal action in the future, etc.
This is what everyone should be reading, including their attached full complaint.
A key piece of evidence is around whether Frank had 4.25 million users or 300k. Javice (Frank's CEO) alleges JPMorgan Chase (JPMC) is misrepresenting what she provided, saying she merely anonymized the data by making it "synthetic" to a third party for verification to avoid sending PII to JPMC before the deal closed.
Here's the problem though: it (allegedly) wasn't anonymized data - it was fake data, and later when JPMC asked for the real data after the company was bought, Javice bought data for ~4 million students from a third party vendor for ~$100k, combined the data to build the "final database," and JPMC very quickly realized that most of the data was no good.
And it is a wild story! It's probably going to get the miniseries treatment. The Uber/Theranos/WeWork shows were pretty popular, after all, so I'd bet that a second batch is coming with FTX, Frank, and that Korean guy who went on the lam in Montenegro. Hah.
This exact kind of fraud is just what AI should be good for.
I made 10K fake users for testing the app I'm developing now. I used thispersondoesnotexist.com, and about a half hour's worth of PHP programming, to make an open-ended user generator.
I only need 10K users, and it takes about an hour or so to generate them, but I'm sure that this type of thing could be easily scaled.
"Hey, ChatGPT, can you give me the SQL for five million users, with the schema published here?"
I'm working on a platform that lets you generate fake users, but for the purpose of product research: https://notionsmith.ai/
You describe an idea and get very realistic users that you can chat with. Hooking that up to an email account could have been very convincing...
Typing in Frank's elevator pitch:
"Frank is a financial platform that helps college students manage their financial aid and student debt. Frank offers a free solution that allows you to streamline your FAFSA application, educates you about what FAFSA does and what parts of the application are important, and helps you potentially get additional money."
I mean you can go even further, you can use ChatGPT to make these fake people answer real emails from JP Morgan. You can completely fake people online. Of course JPM wouldn't have gotten any business from these bots, but it would have been harder to prove that these 4 million emails were fraudulent.
100% Fake business, fake customers. $175M valuation. What I don't get is why JPM didn't realize that this company had no revenue, unless they completely cooked the books.
What would be the email domains of all these fake users? I'm presuming Gmail has defenses against someone creating millions of fake addresses via automated means. Maybe you'd have to buy a bunch of email addresses on the black market from some hacker. Sounds like a lot of effort and fraud for something that will certainly be found out sooner or later and result in you going to jail.
> began to question the authenticity of the startup's purported 4 million users after an email marketing campaign ended in "disaster," according to the bank's lawsuit and a filing by prosecutors. Out of 400,000 emails sent to Frank users, more than 70% bounced back and only 103 were opened, the bank claimed.
This seems entirely inevitable since the emails were largely not actual customers…
> $175M could have easily paid for a bunch of domains to run MX servers. You don’t even have to keep the email. Just accept it and send it to /dev/null.
You don't think it would be at all suspicious that most of the emails in the customer list are using weird custom domains rather than the popular ones like gmail.com or outlook.com?
Could even end up like that movie plot where the bank robbers set up a bake shop next door to drill into the vault, but the front ends up being profitable.
The first vendor I found via Google offers 500 phone-verified gmail accounts for $150, so about $1.2M to fake all 4M users. At that volume you can probably get a discount and have them generate gmail addresses according to your specifications (to make them plausible matches for the rest of your fake data). Mix in some bought outlook accounts and some obscure domains you run yourself for extra plausibility.
Actually opening the emails without triggering Google is a bit more difficult, but I imagine a good residential proxy service (either legitimate or botnet) and a bit of scripting can solve that for another couple thousand USD.
Of course doing all of this makes you look more criminal and JPM look less dumb, so I'm not sure if this is actually a good idea even if you start off with the idea of defrauding the buyer.
Really surprised at lack of due diligence on the part of acquirers, JPM team!!!
My immediate reaction to when JPM found out they'd been duped after running an 'email campaign' was, hmmm, maybe well deserved, should have done your homework!
I want to put the blame solely on the executives, lawyers and team that drove the acquisition forward.
Obviously we can open the floodgates of conspiracy theories. Maybe, some from JPM team may have been on this...
I wondered about that when reading the Money Stuff article about it a while ago. What should they actually have done differently?
One of the issues was that "she could not share her customer list
due to privacy concerns". So maybe JPM could have pushed back against that more?
"""Javice also cited privacy concerns in sharing Frank’s customer data directly with
JPMC. After numerous internal conversations, and in order to allay Javice’s concerns, JPMC
agreed to use a third-party data management vendor, Acxiom, to validate Frank’s customer
information rather than providing the personal identifying information directly to JPMC."""
I was involved in some diligence when a prior company was considering an acquisition. The numbers they claimed vs the numbers we could trust from their various SaaSes were pretty fishy. It was a small deal - more like $1M. We didn't pursue them, they don't exist any longer.
The gap here was _huge_. If I was the JPM diligence team, I might have asked them for read-only access to their product analytics. They claimed something like 10K FAFSA applications/day. This should show up nicely in their analytics tools. Yes, they could fake these visits--but it would be much harder to fake that you're getting 10K visits from appropriate regions, at appropriate times of day, with appropriate dwell times, with appropriate distribution of completion rates.
In most jurisdictions it would generally be possible for the seller to hire outside counsel to validate customer metrics claims under attorney-client privilege without violating consumer privacy laws or customer agreements. The outside attorney could then provide a letter to the buyer attesting to what they found without revealing any specifics about individuals. Of course that would delay the deal, and the buyer here seems to have been irrationally eager to close the acquisition.
Sounds very clearly like JPMC was defrauded, and at the same time did a very poor job of due diligence in a 9 figure acquisition.
How did a financial audit not uncover the dramatic mismatch in actual vs. purported activity? How does a transaction value of $41 per user (x 4.25M users) not translate to an auditable revenue stream?
Javice interfered in due diligence in a very sophisticated way. JPMC tried to verify user data but Javice claimed they couldn't provide user personal information "due to privacy concerns". In the end Javice was able to convince due diligence team by engaging in multiple layers of fraud. Sure due diligence team could've done a better job, but Javice was a sophisticated adversary. It's not like due diligence team didn't have any concerns. But they wanted to balance their concerns against possibility of passing a good deal due to formality.
> JPMC tried to verify user data but Javice claimed they couldn't provide user personal information "due to privacy concerns".
DD guy here. This is the most plausible explanation.
When you're under LOI there is a lot of back and forth, which ultimately guides how the purchase agreement gets formulated. So if this was the case, then they would have made the trade off of "ok she's not letting us see the list, but we'll make sure the SPA is ironclad about this". Ultimately deals then get some money locked into escrow or RWI to soften the blow of the cost implication.
At the end of the day, let's say you're JPMC and the company that you acquired did exactly what Javice did. You have an SPA that binds you legally (meaning, if they're caught lying post close, they'll get sued), how on earth would you think someone was dumb enough to try to get through diligence, then operate the company post close, and NOT expect to be found committing fraud.
I think the author is just talking like they normally do.
There is generally a lot of jargon and acronyms used here. All the time. Just that most of it is regarding programming/development, so people don't notice it.
Also, even if they were spelled out, you'd still need to google the term to understand what it means. I.e., LOI and "Letter of Intent" are still just tokens that represent a concept.
In a comment you won't see unless you have "show dead" enabled, he says:
DD = due diligence
LOI = letter of intent
SPA = stock purchase agreement
RWI = reps & warranties insurance
That was in answer to someone earlier asking about those acronyms, but in a rude way that got their comment flagged to death, which also hides replies. I tried vouching for it to revive it so people could see the reply that explained the acronyms, but it did not help.
“Javice claimed they couldn't provide user personal information "due to privacy concerns"”
That’s pretty much what Theranos did. The due diligence people walked away and threw a few hundred million more at Theranos. That compares to the due diligence we went through when I worked at a small startup years ago. It was only for a few million but they made us go through hell with all their information requests.
Seems if you want to commit fraud it’s best to go really big. The bigger you are the less scrutiny and less consequences.
Isn't it more likely that it's just the bigger the fraud the more likely we are to hear about it, whereas even if 50% of deals the size you went through turned out fraudulent most of them wouldn't make the news and the ones that did might still not make the front page of HN?
> That compares to the due diligence we went through when I worked at a small startup years ago. It was only for a few million but they made us go through hell with all their information requests.
I went through this as an exec at a startup for a deal in the "few 10's of millions" range and the level of effort for the due diligence process was astounding. I'm pretty sure that by the end of the process, the acquiring company knew more about us than we did ourselves.
I listened to a documentary about the Crazy Eddie electronic chain, which was fraudulent to the core but passed audits. The ex-CFO made an interesting comment: when large accounting firms do an audit, they're checking what the business has recorded on its accounts adds up, they're not checking if the reality behind the accounts is correct. As long as your books balance, you look healthy.
> they're checking what the business has recorded on its accounts adds up, they're not checking if the reality behind the accounts is correct.
Not necessarily true. Depending on the type of audit, part of the audit is to cherry pick (or randomly pick) recorded accounts and confirm whether they are backed up by various documents. For example - anyone can put in a receipt for a plane ticket and then have that plane ticket hit the P&L as a journal entry. But an auditor may look at the plane ticket receipt and check for the date, name of person on it, what date they were flying, what was their origin and destination, etc. etc.
Source - currently under audit, and auditors are asking for confirmed records that support what is in an accounting system.
A 9-figure acquisition sounds like a lot, but consider that this is less than 0.05% of JP Morgan's market cap. Their market cap is down $6 billion today, and it's not even a particularly notable day.
And it's not like that money is completely gone. JPM will sue and probably recover a very large chunk of it. Say that of the $175 million, they get back $150M, so they are out $25M. It's just not that much money to them. Sure, someone didn't do their job and will probably get fired over this, but Jamie Dimon and the executive suite don't really think about $25M losses.
It seems quite plausible that most of the money paid for the company was placed in escrow for some time, exactly to cover scenarios like this where the seller misrepresents something material about the company.
> A 9-figure acquisition sounds like a lot, but consider that this is less than 0.05% of JP Morgan's market cap.
It's far less about the percentage of JPMC's market cap, and more about the fact that a competent due diligence effort would cost less than $250k, which is insignificant against the cost of the acquisition.
I'd reckon all that money slushing around didn't help either. The company was acquired in Sep 2021, right near the peak of the insanity unfolding across markets.
Deals between 2 parties are usually entered with the idea that both parties are acting in good faith. It sounds naive after a fraud has been uncovered but we usually expect good things if we enter into a deal. Frank looked like a great acquisition from the outside so the audit was a formality that they had to "endure." Well, this time it was a complete fraud. Which Frank was able to cover up. I bet no one expected it to be so big.
Bottom line it's human to trust. It will always be very hard to uncover deceit when it's part of your business to make sure it continues and work hard to cover it up. Looks to me like the auditors never had a chance.
I'm surprised that the founder didn't just grab the money and move to a country where there's no extradition. Last I read she was still claiming that the business was 100% legitimate.
People really need to learn if you get a huge pay day via fraud, then take your cash and head over to a country on rocky diplomatic terms with the US and no extradition treaty, and be generous with your hosts.
This is one person who basically fabricated their entire user base and got a $175 million acquisition. They got caught because the degree of the fraud was egregious and obvious. JPM it seems didn’t do almost any due diligence. The lesson to me here is that there are probably plenty of people faking it until they make it and doing just fine.
I have no problem with charges being filed, but seriously... it's not like the buyer was some kind of low-budget mom and pop shop or community bank. I'm just not very sympathetic to JPMorgan for being scammed in a situation where being wary should be standard.
You need to do more than "peek at" the real data, at least if you are buying a business for actual revenue and not for its potential as an idea.
You need to follow at least some threads all the way down to the ground truth.
First, ask for 20 references of successful happy customers, talk to all of them, and do some verification. Then demand to see all the "real" data and select a random sample of 50 emails and track them all down to real people (or not), and ask the people at those endpoints what is going on.
Yes, this would take a week for a handful of interns/junior employees and one senior staffer. But you are about to invest $175 million. It is worth a bit of actual effort, not just a bunch of handwaving over expensed dinners.
This should be a career-ending move for anyone involved at Chase.
> Then demand to see all the "real" data and select a random sample of 50 emails and track them all down to real people (or not), and ask the people at those endpoints what is going on
Apart from the privacy/compliance/legal reasons that make this very difficult, a very low proportion of 50 real paying corporate customers are likely to respond to an email from a seemingly random source, change that to 50 students you’d hardly get any.
Not to mention, if you really did have a mailing list that was effectively worth $175m, why would you give the whole thing to anybody before you get paid?
For sure, you do NOT give them the whole thing. You let a (presumably skilled) data analyst run a few queries. Letting out 100 or even 1000 names/profiles out of 4 million is effectively commercially worthless beyond verification.
Even if you don't get responses & interviews, you can also use the profiles to do verification - just find correlated data in the wild showing that these people exist -or don't. Check the physical addresses - is the same family name resident? Check school records, does the student exist? Etc. Etc. Etc. Sure, you'll find a few failures, but when they all turn up bad, you will have saved your team $175 million - worth a week's effort.
When I say real data I mean data that was not handed to you by people who have 175 million reasons to fake it. Like another commenter added try to talk to some of their customers, in this case even trying to email them seems like it would have been enough.
VCs, yes, they should have done more due diligence. But putting the NYTimes on the same playing field, as if they can be expected to have the same access to business records as investors, is dumb.
Then take this up with your local government then. There is a quantitative risk versus reward they take, and you should be glad that they take this bet. FYI - their portfolio mix for VC assets is usually like less than 5~10%. If a GP makes one bad bet, they hardly feel this.
> Not sure how much VCs coinvest in their own funds but I'm willing to bet most of their retirement funds are not in VC investments.
(1) most co-invest (2) no one in their right mind would put all of their assets in one VC fund. (3) if you're a partner at a firm like Sequoia, you likely have a family office setup, which would follow a similar model to that of a pension fund.
When VCs skip diligence and invest in a bunch of frauds like Wirecard, Greensill, FTX, etc., it creates an externality we all have to deal with - we're basically subsidizing their credulousness by getting defrauded.
Since huge frauds propped up by VCs seem to collapse several times a year, it doesn't seem like losing their money is incentive not to invest in frauds. It seems like they've just priced it in.
Granted, this might be yesterday's war, money might be tight in the next few years and that might better align incentives.
My mistake, I thought you were interested in a discussion about interesting topics, I see you're more interested in being patronizing on the internet. That's not really what I'm here for, so take care.
> it creates an externality we all have to deal with - we're basically subsidizing their credulousness by getting defrauded.
and I commented on why I thought it was wrong (e.g. "you don't have to deal with these externalities unless YOU choose to"). How is that not a discussion?
> That's not really what I'm here for, so take care.
Eh, optimal amount of fraud is not zero - they as a bank should know that better than anyone - and they are going back to sue and press charges against the fraudulent founder. If JP Morgan Chase is being defrauded all the time, it's a different matter, but there's no indication of that here - they're not Credit Suisse.
I'll quote another comment:
> Javice interfered in due diligence in a very sophisticated way. JPMC tried to verify user data but Javice claimed they couldn't provide user personal information "due to privacy concerns". In the end Javice was able to convince due diligence team by engaging in multiple layers of fraud. Sure due diligence team could've done a better job, but Javice was a sophisticated adversary. It's not like due diligence team didn't have any concerns. But they wanted to balance their concerns against possibility of passing a good deal due to formality.
> What was the end game here? Is there any universe where someone does something like this and gets away with it?
The Frank founder went to work for them after this closed. It doesn't look like she thought she did anything wrong here otherwise you'd think she'd get as far away from the mark as possible.
When fake it until you make it and hustle culture goes horribly wrong.
People get away with lesser versions of this type of scam all the time. Buyers don't want the bad publicity so if the loss isn't material then they just write it off and salvage whatever value they can find. You hear rumors about this kind of stuff that never shows up in the news, and when large companies buy startups it's even kind of expected that the financials are at least a little bit fake. This case was particularly egregious because the loss was material enough that even JPMorgan would have to publicly disclose it rather than sweeping it under the rug.
Previous reporting on this (when the JPM civil suit was filed) mentioned that JPM didn't care about the fafsa forms business at all. They bought them entirely to get a big pile of marketing leads to sign up young people for banking services early in their adult life before they're signed up with other banks, through a brand they're already familiar with. Considering how many "$200 to open a new checking account!!" junk mail fliers Chase sends me, $41/lead must've seemed like a bargain.
She probably thought they would just be subsumed into a massive corporation, that JPM had shitty metrics and monitoring on their marketing campaign, and nobody would notice most of their emails were going nowhere.
I think over a long enough term they would. It's about ~$44 a customer (assuming 100% retention). Once they're in the Chase ecosystem, it's easier for Chase to get them to add Chase credit cards, use Chase for a mortgage, interchange fees, minimum balance fees and so on.
Frauds like this one all-too-often wrap and camouflage themselves in some social good. It's so revolting, and brings down not only the cause but the people suffering from whatever the subject is (e.g. students applying for financial aid, cancer patients getting their blood tested, etc.)
It's unfair and awkward but ventures which heavily push the mission like this one should be pushed harder on their fundamentals by the investor / startup community.
First: the worst name for a company ever? Is it a person named Frank? Or a founder with a frank personality? Or a story about the kind of sausage called a Frank?
Anyway, wasn't there some business behind the supposed 4M users? You can fabricate 4M users in a csv file and insert them into your production DB, but shouldn't there be some revenue associated with those users, and couldn't the acquirers have looked to see if that revenue existed?
I don't understand this fraud. The whole point of a fraud is to try to "get away with it", but I'm missing that part of the story. What did this girl think was going to happen?