
Money Laundering: Washing Your Greens in the Underground - Part 3 of 3

“Not having to worry about money is almost like not having to worry about dying.”
 - Mario Puzo

In the first two parts of our investigative series into the cybercriminal underground, we examined its social structure as well as the types of jobs and opportunities that exist for those with ill intent.

We have learned that the dark web’s ecosystem is vast and well-coordinated, with a low barrier to entry due to widely available hacking and malware distribution tools for those with limited technical knowledge. But a life of digital crime by its very nature leaves a long trail for investigators – so what happens once a cybercriminal succeeds in their nefarious schemes and turns a profit?

Truth be told, they are only halfway to spending their bounty relatively anxiety free.

Any money earned through carding, fraud or other illegal schemes where the origin of the money cannot be explained without revealing the criminality behind it is referred to in the underground as “dirty” money. As such, this stolen treasure is essentially useless and comes with high risk for the criminal in any kind of forthcoming legitimate financial transaction, such as buying goods.

There are many different money laundering schemes out there, each with its own risks and benefits, ranging from simple ones related to cryptocurrencies to more complex schemes involving services such as Uber, Airbnb, and even the occasional gas station.

As a result, in today’s cybercriminal climate, you either need to fully understand the intricacies of properly laundering money (so it can be spent) – or trust someone who does.

Money laundering on the dark web has become a cottage industry of sorts, sometimes led by those with extensive banking and financial backgrounds who know the ins and outs of keeping criminals ahead in the game. In fact, our recent investigation shows that members of the underground have far more sophisticated methods of dealing with this issue.




It’s worth noting that some of the money laundering schemes used in the underground overlap with concepts we know from traditional crime. But due to the nature of cybercrime, unique techniques exist specifically for use with dirty money obtained electronically. This post will shed light on how these adapted cyber-schemes work, which is essential intel for both security and law enforcement practitioners.


What Seems to Be the Problem?

One critical caveat of criminal activities is accounting for the proceeds without raising the suspicion of law enforcement agencies. Money laundering is the answer to that problem.


Figure 1: The general flow of money laundering


Money laundering has been around for as long as financial crimes have and is considered an international problem. According to the United Nations Office on Drugs and Crime (UNODC), the estimated amount of money laundered globally in one year is two to five percent of global GDP, or, in dollars, $800 billion to $2 trillion US. “Though the margin between those figures is huge, even the lower estimate underlines the seriousness of the problem,” the Office wrote.

So how do criminals launder money when leveraging the internet? The underground relies on heavy use of anonymity-focused cryptocurrencies in their illegal ventures. This offers a solid start on money laundering. However, even utilizing “anonymous” cryptocurrency doesn’t fully protect a criminal from the law. For example, the simple mistake of using a wallet ID (a unique identifier) filled with stolen cryptocurrency to shop online with delivery to a home address will likely result in a different kind of knock on the door.


Figure 2: A cybercriminal with a mining botnet asking for laundering assistance


When you have large sums of money at stake, it’s clear that even well-seasoned malware developers need the help of criminal financial experts to avoid making costly mistakes. The dark web community is now seeing more solicitation for financial talents who have the know-how to wash money with less risk than ever before.


Figure 3: Another post on an underground forum asking for money laundering help


Main Idea: Break the Chain

As it turns out, Fleetwood Mac was wrong: It is, in fact, possible to break the chain. The underground’s solution to laundering cryptocurrency utilizes some features inherently built into digital coinage to retain privacy and anonymity but unfortunately uses them for fiendish purposes. The fact that one can create as many cryptocurrency wallets as they wish, and that these do not require any sort of identity to be tied to them allows cybercriminals to create a lot of noise to drown their illegitimate transactions in. This method is called a “cryptocurrency tumbler,” or more popularly “bitcoin mixer” (or sometimes just “mixer”):


Figure 4: Advertisement for an underground mixer service


Mixers are a popular way of anonymizing and cleaning dirty bitcoins. The main idea is to divide the currency among multiple accounts, transfer them among several more accounts, and eventually collect the total amount (minus a fee) to one external, newly created clean account.


Figure 5: Illustration of the bitcoin mixing process


Mixer services provide an infrastructure so that as a “customer” you simply provide the dirty funds and receive a wallet with clean funds when the process is complete. The trick here is to break the initial amount into smaller, unequal pieces of currency to confuse investigators. The final amount will be smaller than the initial because the mixing service requires a percentage for its efforts. Because of the sheer volume of small transactions made daily within the blockchain, “mixed” transactions drown in the noise of the legitimate activities taking place, making tracing more difficult, and many cybercriminals are willing to take the risk.


Figure 6: Underground money laundering service offering


The main objective of the breaking-the-chain process is to avoid direct connections between two events: obtaining illegal funds and receiving clean income on the cybercriminal’s personal account. The idea is to transfer currency from one state to another, most likely a couple of times. It bears some resemblance to the “droppers” scheme described in our previous underground blog, in which carded goods are transferred to a final destination, not directly but through a chain of droppers. We didn’t really cover the purpose of these droppers and how they help launder money, so this is a good time to elaborate.


Figure 7: Simple and advanced money laundering schemes involving droppers


In this scheme, a cybercriminal will use illegally obtained funds to pay for goods in an online shop. The money will potentially be discovered as illegal/stolen/carded, in which case the delivery address would be checked during any investigation (most cybercriminals will also change drops and thus addresses occasionally to avoid being caught).

The person receiving the goods on behalf of the actor is called a dropper (red line). This dropper, having broken the money trail by converting it into goods, will then send the goods to the actor. More advanced cybercriminals or services in this field will use a chain of droppers (blue line) to further encumber the process of tracing the goods back to the dirty money.

Underground money laundering specialists advance this scheme even further by adding an unaware, legitimate buyer into the chain:


Figure 8: An advanced money laundering scheme involving a legitimate buyer


The scheme works in the same way as before but now involves actual buyers. These buyers are lured to an online shop promising great deals, typically via advertisements on dark web search engines. The shop customers think that they have landed on a big sale or a shop’s advertising event, with goods priced as low as a 30 to 50 percent discount off the brand’s MSRP. A legitimate buyer paying for the items will transfer money to a legal shop created by cybercriminals and considered “clean.” However, the customer receives items bought with illegal funds sent to them by one of the droppers (that is, if they receive anything at all, as there are scams in this field too).


Figure 9: iPhones sold on the underground at low prices, with bulk discounts


It is highly possible that the shopper will see neither electronics nor their money.

The same breaking-the-chain concept is used with financial droppers as well. Cybercriminals around the world are ready to assist the transfer of stolen funds to their (clean) pockets:


Figure 10: An underground forum post offering a cashout service in the UK


Figure 11: Another of the many underground offerings for help with money laundering


These financial droppers are prepared for any type of transaction through accounts that are fully functional and have a wide array of credit options. This is achieved by recruited bank workers who help facilitate some of this infrastructure, for example by modifying an account’s limits so that more money can be cashed out at once. How these workers are recruited is something we covered in our previous blog. Withdrawing the money as cash alone is not enough, as the trail can still be traced back to its illegal origins. But with cash in hand the criminal can proceed to use the more common money laundering methods used in traditional crime.

Today, the flow of cash has no geographical boundaries, a fact leveraged by launderers. With so much currency constantly in flux, illegal money is extremely difficult to stop. Cybercriminals can easily convert bitcoin to different currencies and use money transfer services to send it to a dropper as part of an international laundry chain.


Figure 12: International money laundering offerings in the underground


Other Money Laundering Techniques: 

Gift Cards

Cybercriminals always seek to find withdrawal solutions that are both easy to execute and difficult to trace by law enforcement. This next method involves gift cards.

The idea is to use stolen credit card data to buy gift cards and then immediately push the cards to the underground market or purchase goods with them for reselling. There are also dark web services where the customer can place an order for a gift card, specifying the store and amount they require: a gift card-on-demand of sorts. The reason this is attractive to the buyer is that they can buy these cards at significant discounts, sometimes paying as little as 20 to 30 percent of the card’s value.


Figure 13: Apple gift cards being sold on the underground


This scheme does have risks for both the cybercriminal and purchaser. These gift cards must be used quickly because it is inevitable the store will find out and invalidate them for being fraudulent.


Figure 14: Walmart gift cards for sale in the underground


In this example, the ad mentions that it takes up to six hours to deliver the cards. This implies that the process likely employs underground form fillers who purchase the gift cards once an order has been placed to decrease the risk of the cards being invalidated. Some sites ask for several days to deliver the cards. This extended duration may be due to a longer verification process on store sites, but we cannot ignore the high possibility that it is simply a scam and you will never receive your gift card.


Figure 15: Illustration of the gift card laundering scheme


The advertisements for buying gift cards are commonplace in underground communities. Prices vary greatly based on the seller’s confidence in the cards’ validity. Different cards are purchased using different schemes because some methods to illegally acquire cards are more reliable than others. Gift cards less likely to be invalidated are generally sold at a higher price.


Figure 16: An underground forum post listing shops of interest to gift card scammers


Figure 17: An underground site selling gift cards for various shoes and clothing stores


The wide variety of shops and goods is impressive. Underground dealers cover any and all shops that a legal consumer may be interested in.

Gift cards and coupons are not limited to online shopping. Services such as food and lodging can also be found in underground markets. These must be used at an actual physical location, so cybercriminals will buy these either for personal use or to resell as part of a different scheme.


Figure 18: An underground site selling gift cards for various restaurants


Even though the above services exist in almost every U.S. city, not everyone travels or goes out to eat often. But most of us do own or drive cars:


Figure 19: An underground site selling gift cards for car-related stores and services


Gift card schemes are well-practiced (and successful) money laundering techniques, but once a criminal operation is running smoothly, its operators immediately look for ways to maximize profits and improve the scheme.


Figure 20: An underground forum member suggests trying Reddit to exchange gift cards bought with stolen funds


Plenty of open web platforms and markets exist where people can trade gift cards they do not need. These are also great places for a cybercriminal to try and sell their gift cards quickly – at a great discount.

There is a huge network of droppers around the world who pose as legitimate sellers and post gift cards and coupons on legitimate venues. These schemes involve verified cards, so they can be sold to unsuspecting buyers for a much higher profit margin.


Figure 21: Illustration of gift card schemes


As gift cards evolve, so do the security mechanisms put in place by online shops. The underground community follows these trends closely to invent new ways to take advantage.


“Legit” Companies

A novel money laundering technique we are beginning to see is rather elaborate and involves the creation of a real company.


Figure 22: A job offer on the underground to become the director of a company to be used for money laundering


Figure 23: An underground forum post by someone looking for a company they can use to launder large sums of money


The advertiser is looking for a fairly specific LLC: one with a history of real operations, a turnover of $3 million USD and a profit of at least $45,000 USD per year, and no history of suspicious activities. The underground marketers are buying real companies, which exist only on paper in most cases, and appointing directors to make the money path significantly longer, with the goal of duping investigators.


“Employees” at Legit Companies

Service companies have not escaped the attention of cybercriminals. Worldwide services are increasingly being used (and abused) to spin up illegal operations, and these operations continue to evolve over time. The following example is a little older; the idea is to become a fake Uber driver.


Figure 24: A 2016 underground forum post selling a guide to becoming a fake Uber driver


Since this post, Uber has made many changes and updates to their systems, making such schemes impossible. The underground responded to these changes with new tactics, this time leveraging the human element.


Figure 25: An underground forum post looking for real Uber drivers to help launder money


This method preys on people’s greed, recruiting real Uber drivers to accept and “perform” fake drives on behalf of the cybercriminal, accepting payment made with illegal funds and transferring parts of their Uber earnings (which are clean funds) back to the cybercriminal.

The same type of scheme can be applied to other online services. The following example utilizes the Airbnb hospitality service:


Figure 26: An underground forum post looking for real Airbnb hosts to help launder money


This scheme recruits people who will register as Airbnb hosts, and the cybercriminal will send fake visitors to their housing. These visitors will, of course, never actually show up, but they will pay for their “stay” to Airbnb using illegal funds. The funds will then go through Airbnb’s systems, ultimately being paid to the host in clean money, part of which will then be sent back to the cybercriminal.

With these schemes, we see the underground community’s strengths in using and abusing the human factor to recruit people who are not deeply involved in dark web operations to be the public face in their illegal activities.

Cybercrime headlines tend to focus on new variants of malware or gross negligence resulting in large data breaches. It’s a proverbial game of cat and mouse, with white hats fortifying defenses and black hats adjusting to bypass. However, missing from these stories and just as important for grasping how cybercriminals operate is what takes place post-breach or when funds are acquired illegally.

Money laundering has become essential for keeping the engines of cybercrime going, and we have seen a variety of tactics emerge and evolve. By having a deeper understanding of how money is washed, law enforcement can keep pace and find new ways to disrupt the cycle.


Continue Reading

Underground Code of Honor - Part 1 of 3

Underground Job Market - Part 2 of 3
