When talking about cyberattacks, the theft of money is often treated as the end of the story. However, the moment the money leaves the bank account is actually the beginning of a new story, one that involves a shadowy web of money mules, intermediate accounts, and front businesses.
An analysis of the money’s winding journey from victim accounts to criminal hands found that criminals rely on traditional money laundering methods of money mules, front companies, cash businesses, and investments in high-end items, according to a joint Follow The Money report from BAE Systems and SWIFT [the Society for Worldwide Interbank Financial Telecommunication]. While some groups prefer one method over another, many combine different techniques in their quest for converting the money they stole into “clean” cash that can’t be traced by law enforcement, the report said.
The stolen money in this analysis typically came from attacks on a bank’s money transferring system (such as SWIFT’s messaging system, for example), or attacks against banking infrastructure such as ATMs and personal accounts. The goal is to transform the origin of the money to something legitimate, such as employee payroll or proceeds after selling property.
“This report focuses on money laundering related activities necessary for cyber attackers to conduct and ‘cash out’ a successful attack and avoid the money subsequently being traced,” said Simon Viney, cybersecurity financial services sector lead at BAE Systems Applied Intelligence.
Criminals heavily rely on money mules to move the stolen funds around until they can be safely cashed out. The most common method remains withdrawing money from ATMs and spending them in cash businesses controlled by the criminals, or buying and selling expensive items.
These money mules take on other roles, as well, such as using their own personal accounts to receive money and transfer them to other accounts; opening new accounts using fake IDs; and re-shipping expensive items purchased with stolen money to someone else.
Criminals often use legitimate-sounding job advertisements to recruit unsuspecting job seekers into the money mule operation, and these individuals generally are unaware they are being used to transform the stolen money into legitimate income streams. Recruitment efforts increasingly target young adults looking for a way to pay for higher education (college, graduate school, etc), and adults who had recently lost their jobs.
In cases where banks verify new accounts with know-your-customer checks, criminal groups may recruit insiders at the financial institution to help avoid or undermine the process.
Some gangs plan ahead of time and set up the bank accounts which would be used to transfer money, months in advance to make them seem more legitimate. It’s also possible to buy compromised bank accounts, which criminals use to transfer money in and out without the original owner noticing.
ATM cashouts remain common, but some criminal gangs set up front companies to pass the money through the business. Tracing the origin of funds in a business with multiple revenue streams and outgoing expenses is downright difficult. The report noted that cybercriminals seem to prefer setting up textile, garment, fishery, and seafood businesses as their fronts, especially in parts of East Asia.
Casinos are also popular, as criminals use the stolen money to buy chips for gambling. When the chips are returned to the casino’s cashier to receive the money—the gambling winnings—the illegal money is transformed into money obtained legitimately from a legal source.
Stolen funds can be converted into any number of things other than cash, as there are things that can retain their value and also be less likely to raise red flags with law enforcement. The report identified high-end items such as expensive watches and jewelry, gold bars, fine art, luxury penthouses, and even, tropical islands.
How cybercriminals cash out and spend stolen funds says a lot about the gang’s level of professionalism and experience, SWIFT and BAE Systems said in the report. Inexperienced criminals often make extravagant purchases, which law enforcement authorities are more likely to notice.
Cryptocurrencies may be hot in certain criminal circles, but when it comes to money laundering, traditional methods are still preferred.
"Identified cases of laundering through cryptocurrencies remain relatively small compared to the volumes of cash laundered through traditional methods," SWIFT said in the report.
However, digital transactions have their own allure because it is easier in some cases to open up new accounts, especially since most exchanges don’t bother with know-your-customer checks that banks perform during account creation. It becomes harder to track the origin of the transactions on a high-activity account, especially after the money has moved around multiple times. Criminals are increasingly using services such as mixers and tumblers, which obscure the source of cryptocurrency transactions by blending stolen money with large amounts of legitimate transactions. There are also many ways to convert cryptocurrency to flat currency other than linking a bank account to the exchange account. One example is buying debit cards loaded with cryptocurrency, and those cards can be used with special ATMs to withdraw cash or in regularly card transactions.
SWIFT said there are online marketplaces where users with nothing but an email address can use cryptocurrency to buy high-end products, land, and real estate.
A criminal gang adapted the traditional ATM cashout attack to buy cryptocurrency with the withdrawn money, rather than buying something with the stolen cash. An Eastern European gang used the stolen money to set up its own Bitcoin farm in East Asia and generate Bitcoins. The newly-minted Bitcoins were spent in Western Europe. When the gang was arrested, authorities found 15,000 Bitcoins valued at over $109 million, two sports cars, and jewelry worth $557,000 in the group leader’s house, SWIFT said.
Cryptocurrency appears to be the laundry method of choice for the Lazarus Group, a well-known attack group believed to be sponsored by the North Korean government. Lazarus typically passes cryptocurrency through accounts on different exchanges multiple times to “obfuscate the origin of the funds.” The money—in cryptocurrency form—is eventually converted to cash via the bank account linked to the exchange account, or used to purchase gift cards, which are then used at other exchanges to buy more cryptocurrency. Eventually, once it is harder to trace all the transactions, the money is converted back to regular currency and transferred to North Korea. The Lazarus Group has been linked to 2016’s massive heist against Bangladesh Bank, although the report doesn’t explicitly say this method was used for any of that stolen money.
Traditional is still best, but SWIFT said it expects to see more examples of cryptocurrency being used for money laundering.