When Bankers Need to be More Creative than Hackers: Cybercrime and Money Laundering
Anton Moiseienko and Olivier Kraft
16/07/2018

The rise of cyber-dependent crime highlights the challenges facing the anti-money laundering framework in a digital era. This should be viewed as a wake-up call as well as an opportunity to update and improve the antiquated regime.


July 2018, Vol. 38, No. 6 RUSI Newsbrief

Cybercrime and Money Laundering

In March 2018, the Spanish National Police arrested a man in Alicante suspected of masterminding a series of successful cyber attacks to steal over €1 billion from financial institutions worldwide. The arrest capped a Europol-supported investigation that spanned Asia, the US and Eastern Europe. According to a recent Bloomberg report, the criminal conspiracy unravelled once Taiwanese police managed to apprehend two ‘money mules’, whose task it was to transport cash withdrawn from hacked ATMs. The analysis of communications data on their mobile phones led the investigators to the alleged leader of the criminal group that had used the Carbanak and Cobalt malware to carry out the heists.


While the scale of the Carbanak/Cobalt criminal enterprise is exceptional, it underscores the economic underpinnings of much of today’s cybercrime. Although such assessments are inherently imprecise, a recent report estimates global profits from trading in stolen data to be $160 billion, $1.6 billion from selling malware and $1 billion from ransomware extortion.

Since the profit motive is the chief driver of cybercrime, there is a strong argument in favour of applying anti-money laundering (AML) rules to target the finances of cybercriminals. In essence, ‘money laundering’ refers to any use of the proceeds of underlying crime, and constitutes a separate crime under most legal systems.

However, the global AML framework was designed in the late 1980s with the proceeds of drug trafficking in mind. For it to be effective in the age of cybercrime and cryptocurrency, the framework must reflect the threat landscape of a brave new world, where malware coders can have as much dirty cash (or dirty cryptocurrency) as drug dealers. Addressing the challenges posed to existing AML efforts by cybercrime should be seen as an opportunity to develop more creative AML approaches, which can ultimately be applied to all crimes with a significant digital footprint.

Diversity of Cybercrime

There is no one type of cybercrime. UK governmental publications, such as the Serious and Organised Crime Strategy 2013, distinguish between cyber-dependent crime, which can only be committed using computers or the internet, and cyber-enabled crime, which is facilitated by their use but does not require it, such as romance scams. Hacking, malware infections and distributed denial of service (DDOS) attacks, all types of cyber-dependent crime, accounted for most cyber security breaches in 2017.

Even these subsets of crimes can be committed in a variety of ways. The Carbanak/Cobalt malware campaign is a fitting example. Based on a banking Trojan known as Carberp, whose code had been leaked into the open in 2013, early Carbanak attacks predominantly targeted Russian banks. The perpetrators tricked bank employees into opening email attachments that contained the Carbanak Trojan, for instance by sending emails that purported to come from the Central Bank of Russia.


Having gained control over the bank’s payment processing system, the perpetrators were able to do one of the following: make payments to companies they had created; force ATMs to spit out cash that money mules would pick up; or manipulate balances on accounts previously opened by money mules in the victim bank so as to enable large cash withdrawals. In 2016, the criminals started using a different type of malware based on Cobalt Strike, a legitimate software tool used to detect system vulnerabilities, and focused to a greater extent on ATM withdrawals.

The Carbanak/Cobalt attacks generate funds in fiat currency (any government-issued currency such as dollars and pounds), either in physical cash or electronically. However, there is evidence that crime generating proceeds in cryptocurrency is on the rise. This includes: ransomware extortion, which typically involves a demand of payment in cryptocurrency, usually bitcoin, in exchange for decrypting the affected files; theft of funds from cryptocurrency exchanges, such as the theft of $550 million worth of NEM coins from Japan’s Coincheck in January 2018; and cryptojacking, the surreptitious hijacking of another person’s computer to mine cryptocurrency for the criminal’s benefit. Even before the hacking of Coincheck, the theft of cryptocurrency had increased seven-fold between 2015 and 2016. Likewise, the incidence of cryptojacking malware ‘grew a stunning 629%’ between late 2017 and June 2018.

Additionally, there is a vibrant cybercriminal economy where criminal goods and services – such as stolen data or previously undetected security vulnerabilities – are traded. These transactions are mostly made in cryptocurrency, itself a type of virtual currency that has no central issuer, although some centralised virtual currencies (especially WebMoney) are also used. A large proportion of ‘digital goods’ on offer involve credit card or account details, which can be used for channelling the proceeds of cybercrime, as well as the services of specialised money launderers. A sting operation by US law-enforcement agencies, announced in June 2018, involved federal agents posing together as ‘a money launderer on Darknet market sites, exchanging US currency for virtual currency’.

Although this particular enforcement action is unrelated to cybercrime, cybercriminals also seek expert services online, whether for money laundering or for committing a cyber attack. Known as a ‘cyber-crime-as-a-service’ business model, this phenomenon has lowered entry barriers to the cybercriminal profession. In large part, this is a consequence of the pseudonymity or anonymity that cryptocurrencies provide to transactions among cybercriminals.

Money mules are a staple of the cybercriminal economy and may undertake different activities in different contexts to facilitate money laundering. Cash-strapped students are particularly susceptible to being enticed into quick-money schemes by ‘mule herders’. Courtesy of Wikimedia

Money-laundering Techniques

An understanding of the money-laundering techniques used by cybercriminals is critical to the UK government’s objective of ‘adding friction to the criminal business model’ and can eventually help reduce the profitability of cybercrime. In practice, the choice of laundering techniques depends on the form of criminal proceeds (cryptocurrency, fiat currency in bank accounts, or fiat currency in cash, as described above) and their amount.

As regards the amount of funds at hand, there is a difference between targeted attacks (often, against a financial institution or a cryptocurrency exchange) and indiscriminate high-volume, low-value crimes that generate small individual sums from a wide pool of victims. In the latter case, nonetheless, total amounts can be considerable.


Perhaps the best-known example of a targeted attack is the theft of $81 million from the Bank of Bangladesh in February 2016 by a group reportedly affiliated with North Korea. The perpetrators used the SWIFT interbank payment system to request the Federal Reserve Bank of New York, where part of the foreign currency holdings of the Bank of Bangladesh were deposited, to make 35 payments worth $951 million from the account of the Bank of Bangladesh, but only five of those payment orders went through. The stolen $81 million passed through bank accounts opened with fake IDs in the Philippines and was eventually laundered via casinos.

Other instances of successful attacks using the SWIFT system include Carbanak’s thefts in Hong Kong and Ukraine, the hack of Ecuador’s Banco del Austro in 2015 and the hacking of Banco de Chile in May 2018. These attacks involved a number of unauthorised payments of several million dollars each. Since channelling these sums through individual bank accounts is more likely to trigger banks’ AML alerts, cybercriminals incorporate companies to avoid this, although individual accounts are also used at times, as in the Banco del Austro case.

However, very few cyber-criminal groups are capable of carrying out attacks of this magnitude. The use of banking Trojans to take over individual customers’ bank accounts is therefore more widespread. Some of the well-known Trojans, such as Zeus, can be purchased online from their developers. Once they take over a bank account, cybercriminals typically make a payment to the account of a witting or unwitting money mule, who withdraws the funds in cash and wires them on to an overseas destination, often via a money service business.

In general, money mules are a staple of the cybercriminal economy, with Europol assessing that over 90% of money mule transactions are linked to cybercrime, although that includes cyber-enabled crime. Depending on the context, the term ‘money mule’ may refer to a person who: receives funds in their bank account and transfers them to a cybercriminal; reships goods that have been purchased by a cybercriminal using stolen credit card details; sells control over their bank account to a cybercriminal; opens a bank account for the benefit of a cybercriminal using a fake ID; or picks up cash from ATM hackings or attacks that involve the manipulation of account balance or cash withdrawal limits.

People managing money mule networks – ‘operators’, or ‘mule herders’ – advertise their services on the dark web. While some cybercriminal groups go to great lengths to set up their own networks of money mules, such as the gang behind the Shylock banking Trojan, others rent the services of third-party networks. One example is a group of malware coders from Berlin that ‘relied on members of an outlaw motorcycle club to manage money mules (in the physical world)’. This approach may increase costs, but also bolsters the criminal group’s resilience if law enforcement officials are able to disrupt its money mule infrastructure through, for example, arresting the herder.


While money mules and corporate accounts are used to launder the fiat currency proceeds, criminal revenues in cryptocurrency must be laundered via the cryptocurrency infrastructure.

Although Bitcoin continues to dominate the cryptocurrency world and is easiest to convert into fiat currency, cryptocurrency laundering can involve a process known as ‘chain-hopping’, the conversion of funds from more transparent cryptocurrencies (like Bitcoin) into those that are more difficult to trace (such as Monero) and vice versa. For instance, the $550 million-worth of NEM coins from Coincheck were exchanged for Bitcoin and Litecoin at a 15% discount via a peer-to-peer dark web exchange set up by the hackers. The provenance of tainted cryptocurrency can also be obfuscated through the use of ‘mixers’ such as the suggestively named BitLaundry, which mix clean and tainted coins.

Finally, there is some evidence of cybercriminals laundering funds via e-commerce, e-gambling and online gambling, for example, by paying for fictitious services to create the appearance of a legitimate income. It has been suggested that gambling websites that accept cryptocurrency may pose particular risks, although the extent to which these methods can be scaled up to launder large amounts of funds is not entirely clear at the moment.


Challenges of Cybercrime for AML Efforts

The ways in which the proceeds of cybercrime are laundered present several challenges for the existing AML framework. First of all, laundering often takes place in sectors outside the conventional financial system. The most important of these sectors is the cryptocurrency infrastructure, which includes cryptocurrency exchangers and mixers. However, the money-laundering risks posed by e-commerce and e-gambling industries should not be dismissed out of hand either.

While the EU’s Fifth Money Laundering Directive will cover crypto-to-fiat exchanges and custodian wallet providers, it will not apply to crypto-to-crypto exchanges, despite the risks presented by chain-hopping. Then, there is the significant issue of how the law should treat cryptocurrency mixers and how regulated exchanges should deal, if at all, with coins that have gone through a mixer. Finally, it is worth considering the ways of addressing money-laundering risks in other sectors such as e-commerce, while keeping an open mind as to whether the existing AML regime – based on the reporting of suspicious activities by regulated entities – is the best model to follow.

Ironically, for technological crime, much of cybercrime relies on low-tech money-laundering techniques such as money mules. While not technologically sophisticated, the use of money mules presents genuine prevention challenges. For instance, it can be extremely difficult for a bank to detect whether a bona fide customer has at some point sold their account to a cybercriminal.

Financial institutions often rely on typologies and red flags to detect potential instances of financial crime. The rise of cybercrime warrants a reconsideration of whether current typologies and red flags are well-suited to tackling the finances of cybercrime, or if they could be enriched by analysing the digital footprint of known money mules and cybercriminals.

Financial institutions have been using digital indicators such as IP addresses and device IDs to prevent fraudsters from logging in to their customers’ accounts. But this information could also be used to establish whether a customer is linked to a known cybercriminal actor or is acting in a way that indicates possible involvement in cybercrime. The same principle applies to the proceeds of other crimes that leave a digital footprint, such as human trafficking that entails advertising ‘escort services’ on the internet. Certain banks have begun investing in this area, but it is still early days. Clear communication of outcomes will be key to industry-wide adoption of those practices that work.
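As an added illustration (not code from the article, from RUSI or from any bank), the Python sketch below shows how the two ideas discussed in this article could be combined in a single screening pass: the conventional mule red flag of funds credited to an account and moved on in cash or by wire shortly afterwards (the banking-Trojan scenario described in the Money-laundering Techniques section), enriched with the digital indicators the authors mention, namely device IDs and IP addresses that are either shared across several customer accounts or already tied to confirmed fraud cases. Every customer record, device fingerprint, IP address and watchlist entry is constructed for the example, and the 24-hour window and 90% pass-through ratio are assumed thresholds, not figures from the article.

```python
"""Added example: toy AML screening that blends transaction red flags with
digital indicators (device IDs, IP addresses). Not from the RUSI article;
every record, identifier and threshold below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed sample data ------------------------------------------------
# Login telemetry a bank already collects for fraud prevention:
# (customer_id, timestamp, source IP, device fingerprint)
LOGINS = [
    ("C100", "2018-06-01 09:00", "198.51.100.10", "dev-aaa1"),
    ("C100", "2018-06-02 09:05", "198.51.100.10", "dev-aaa1"),
    ("C200", "2018-06-01 22:10", "203.0.113.45", "dev-7f3a"),
    ("C300", "2018-06-03 11:00", "192.0.2.77", "dev-bb22"),
    ("C400", "2018-06-03 11:20", "192.0.2.77", "dev-bb22"),
    ("C500", "2018-06-04 08:00", "198.51.100.99", "dev-cc33"),
]

# Account activity: (customer_id, timestamp, direction, amount, channel)
TRANSACTIONS = [
    ("C100", "2018-06-01 10:00", "in", 1200.0, "salary"),
    ("C100", "2018-06-15 12:00", "out", 300.0, "card"),
    ("C200", "2018-06-01 22:30", "in", 500.0, "transfer"),
    ("C200", "2018-06-05 10:00", "out", 100.0, "card"),
    ("C300", "2018-06-03 11:05", "in", 4800.0, "transfer"),
    ("C300", "2018-06-03 13:30", "out", 4500.0, "cash"),
    ("C500", "2018-06-04 08:10", "in", 2000.0, "transfer"),
    ("C500", "2018-06-04 09:00", "out", 1900.0, "wire"),
]

# Indicators previously tied to confirmed fraud cases (constructed; the IP is
# taken from the RFC 5737 documentation range).
KNOWN_BAD_DEVICES = {"dev-7f3a"}
KNOWN_BAD_IPS = {"203.0.113.45"}

# Outbound channels typical of mule pass-through: cash-out or onward wire.
OUTFLOW_CHANNELS = {"cash", "wire"}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M")


def watchlist_hits(logins, bad_devices=KNOWN_BAD_DEVICES, bad_ips=KNOWN_BAD_IPS):
    """Customers who logged in from a device or IP already linked to fraud."""
    hits = defaultdict(set)
    for cust, _, ip, dev in logins:
        if dev in bad_devices:
            hits[cust].add(f"login from watchlisted device {dev}")
        if ip in bad_ips:
            hits[cust].add(f"login from watchlisted IP {ip}")
    return dict(hits)


def shared_device_links(logins):
    """Customers whose accounts are operated from the same device fingerprint,
    a pattern consistent with one herder controlling several mule accounts."""
    customers_by_device = defaultdict(set)
    for cust, _, _, dev in logins:
        customers_by_device[dev].add(cust)
    links = defaultdict(set)
    for dev, custs in customers_by_device.items():
        if len(custs) > 1:
            for cust in custs:
                others = ", ".join(sorted(custs - {cust}))
                links[cust].add(f"device {dev} also used by {others}")
    return dict(links)


def pass_through_accounts(transactions, window=timedelta(hours=24), ratio=0.9):
    """Customers who move on most of a credit in cash or by wire within
    `window` (the classic mule signature). Window and ratio are assumed."""
    by_customer = defaultdict(list)
    for cust, ts, direction, amount, channel in transactions:
        by_customer[cust].append((_ts(ts), direction, amount, channel))
    flagged = defaultdict(set)
    for cust, txs in by_customer.items():
        for t_in, direction, amount, _ in txs:
            if direction != "in":
                continue
            moved_on = sum(a for t, d, a, ch in txs
                           if d == "out" and ch in OUTFLOW_CHANNELS
                           and t_in < t <= t_in + window)
            if moved_on >= ratio * amount:
                hours = int(window.total_seconds() // 3600)
                flagged[cust].add(
                    f"{moved_on:.0f} of {amount:.0f} credited moved on within {hours}h")
    return dict(flagged)


def screen(logins, transactions):
    """Merge the three signals into one sorted reason list per flagged customer."""
    reasons = defaultdict(set)
    for signal in (watchlist_hits(logins), shared_device_links(logins),
                   pass_through_accounts(transactions)):
        for cust, rs in signal.items():
            reasons[cust].update(rs)
    return {cust: sorted(rs) for cust, rs in sorted(reasons.items())}


if __name__ == "__main__":
    for cust, rs in screen(LOGINS, TRANSACTIONS).items():
        print(cust)
        for reason in rs:
            print("  -", reason)
```

On the constructed data, C100 (ordinary salary account) is never flagged, C200 surfaces only through the watchlisted device and IP, C300 and C400 are linked by a shared device and C300 and C500 show the pass-through pattern. In practice the watchlist would be fed from confirmed cases and shared intelligence, and a hit should route to an analyst for review rather than block the customer, since shared devices also arise innocently (family members, shared workstations) and, as the article notes, a bona fide customer may have sold their account without any visible change in login behaviour.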


In any case, the challenge remains that money mules are often used once for a particular transfer and then discarded. The work done by various stakeholders to prevent money mule recruitment in the first place, including awareness campaigns, is therefore essential. Law enforcement agencies are increasingly seeking to disrupt the activities of mule herders, such as in the framework of Europol’s Third European Money Mule Action (EMMA3), which ran in 2017 and led to 159 arrests and the identification of 59 mule herders.

Aside from the activities of mule herders, the world of professional money launderers who provide services to cybercriminal groups, such as establishing companies for them, is not yet well-understood. Developing a better intelligence picture of who these money launderers are and how they operate may help law enforcement agencies better target their efforts by focusing on key nodes in the cybercriminal infrastructure. The practical utility of this knowledge may well depend on where those key nodes are located, since much of cybercrime originates from less cooperative jurisdictions. But targeting the financial nodes of cybercrime, for instance by arresting professional money launderers, may at times have as much impact as focusing all efforts on going after the ‘masterminds’.

Bringing AML into the Digital Age

The emergence of cybercrime throws into relief some of the challenges that the AML regime should address to ensure its effectiveness in the digital age. These range from the risks posed by the internet-based economy, including cryptocurrency, to the well-known but unresolved problem of money muling. Creative solutions to these issues must be sought. Some of these are to be found at the regulatory level, for instance by designing an AML regime that will be appropriate for crypto-to-crypto exchanges and other sectors such as e-commerce or e-gambling. Others require injecting greater ingenuity into existing compliance practices, such as by integrating digital indicators with financial intelligence to match the digital profiles of bank customers with those of cybercriminals. As public and private stakeholders explore these and other approaches, there is a chance that the rise in cybercrime will foster precisely the kind of update that the current AML framework dearly needs.

Anton Moiseienko is a research analyst at RUSI’s Centre for Financial Crime and Security Studies.

Olivier Kraft is a research fellow at RUSI’s Centre for Financial Crime and Security Studies.

This article is based on research completed as part of RUSI’s ‘Financial Crime 2.0’ programme, which aims to examine how the anti-money laundering regime can be updated to be more effective and to reflect today’s technological landscape. The programme is funded by EY, Lloyds Banking Group and Thomson Reuters. For more information, please visit https://rusi.org/projects/financial-crime-20.

The views expressed in this article are the authors’, and do not necessarily reflect those of RUSI or any other institution.