“Not having to worry about money is almost like not having to worry about dying.”
In the first two parts of our investigative series into the cybercriminal underground, we examined its social structure as well as the types of jobs and opportunities that exist for those with ill intent.
We have learned that the dark web’s ecosystem is vast and well-coordinated, with a low barrier to entry due to widely available hacking and malware distribution tools for those with limited technical knowledge. But a life of digital crime by its very nature leaves a long trail for investigators – so what happens once a cybercriminal succeeds in their nefarious schemes and turns a profit?
Truth be told, they are only halfway to spending their bounty relatively anxiety free.
Any money earned through carding, fraud or other illegal schemes where the origin of the money cannot be explained without revealing the criminality behind it is referred to in the underground as “dirty” money. As such, this stolen treasure is essentially useless and comes with high risk for the criminal in any kind of forthcoming legitimate financial transaction, such as buying goods.
There are many different money laundering schemes out there, each with its own risks and benefits. They range from simple ones related to cryptocurrencies to more complex schemes involving services such as Uber, Airbnb, and even the occasional gas station.
As a result, in today’s cybercriminal climate, you either need to fully understand the intricacies of properly laundering money (so it can be spent) – or trust someone who does.
Money laundering on the dark web has become a cottage industry of sorts, sometimes led by those with extensive banking and financial backgrounds who know the ins and outs of keeping criminals ahead in the game. In fact, our recent investigation shows that members of the underground have far more sophisticated methods of dealing with this issue than one might expect.
It’s worth noting that some of the money laundering schemes used in the underground overlap with concepts we know from traditional crime. But due to the nature of cybercrime, unique techniques exist specifically for dirty money obtained electronically. This post will shed light on how these adapted cyber-schemes work, which is essential intel for both security and law enforcement practitioners.
What Seems to Be the Problem?
One critical challenge of criminal activity is accounting for the proceeds without raising the suspicion of law enforcement agencies. Money laundering is the answer to that problem.
Money laundering has been around for as long as financial crimes have and is considered an international problem. According to the United Nations Office on Drugs and Crime (UNODC), the estimated amount of money laundered globally in one year is two to five percent of global GDP, or, in dollars, $800 billion to $2 trillion US. “Though the margin between those figures is huge, even the lower estimate underlines the seriousness of the problem,” the Office wrote.
So how do criminals launder money when leveraging the internet? The underground relies heavily on anonymity-focused cryptocurrencies in its illegal ventures. This offers a solid start on money laundering. However, even utilizing “anonymous” cryptocurrency doesn’t fully protect a criminal from the law. For example, the simple mistake of using a wallet ID (a unique identifier) holding stolen cryptocurrency to shop online with delivery to a home address will likely result in a different kind of knock on the door.
When you have large sums of money at stake, it’s clear that even well-seasoned malware developers need the help of criminal financial experts to avoid making costly mistakes. The dark web community is now seeing more solicitation for financial talents who have the know-how to wash money with less risk than ever before.
Main Idea: Break the Chain
As it turns out, Fleetwood Mac was wrong: It is, in fact, possible to break the chain. The underground’s solution to laundering cryptocurrency utilizes features inherently built into digital coinage to retain privacy and anonymity, but unfortunately uses them for fiendish purposes. The fact that one can create as many cryptocurrency wallets as they wish, and that these do not require any sort of identity to be tied to them, allows cybercriminals to create a lot of noise in which to drown their illegitimate transactions. This method is called a “cryptocurrency tumbler,” or more popularly a “bitcoin mixer” (or sometimes just a “mixer”):
Mixers are a popular way of anonymizing and cleaning dirty bitcoins. The main idea is to divide the currency among multiple accounts, transfer them among several more accounts, and eventually collect the total amount (minus a fee) to one external, newly created clean account.
Mixer services provide an infrastructure so that as a “customer” you simply provide the dirty funds and receive a wallet with clean funds when the process is complete. The trick here is to break the initial amount into smaller, unequal pieces of currency to confuse investigators. The final amount will be smaller than the initial one because the mixing service takes a percentage for its efforts. Because of the sheer volume of small transactions made daily within the blockchain, “mixed” transactions drown in the noise of legitimate activity, making tracing more difficult, and many cybercriminals are willing to take the risk.
The main objective of the breaking-the-chain process is to avoid direct connections between two events: obtaining illegal funds and receiving clean income on the cybercriminal’s personal account. The idea is to transfer currency from one state to another, likely more than once. It bears some resemblance to the “droppers” scheme described in our previous underground blog, in which carded goods are transferred to a final destination – not directly but through a chain of droppers. We didn’t really cover the purpose of these droppers and how they help launder money, so this is a good time to elaborate.
In this scheme, a cybercriminal will use illegally obtained funds to pay for goods in an online shop. The money will potentially be discovered as illegal/stolen/carded, in which case the delivery address would be checked during any investigation (most cybercriminals will also change drops and thus addresses occasionally to avoid being caught).
The person receiving the goods on behalf of the actor is called a dropper (red line). This dropper, having broken the money trail by converting it into goods, will then send the goods to the actor. More advanced cybercriminals or services in this field will use a chain of droppers (blue line) to further encumber the process of tracing the goods back to the dirty money.
Underground money laundry specialists advance this scheme even further by adding into the chain an unaware, legitimate buyer:
The scheme works in the same way as before but now involves actual buyers. These buyers are lured to an online shop promising great deals, typically via advertisements on dark web search engines. The shop customers think that they have landed on a big sale or a shop’s advertising event, with goods selling at discounts of 30 to 50 percent off the brand’s MSRP. A legitimate buyer paying for the items will transfer money to a legal shop created by cybercriminals, and that money is considered “clean.” However, the customer receives items bought with illegal funds, sent to them by one of the droppers (that is, if they receive anything at all, as there are scams in this field too).
It is highly possible that the shopper will see neither electronics nor their money.
The same breaking-the-chain concept is used with financial droppers as well. Cybercriminals around the world are ready to assist the transfer of stolen funds to their (clean) pockets:
These financial droppers are prepared for any type of transaction through accounts that are fully functional and have a wide array of credit options. This is achieved with the help of recruited bank workers who facilitate some of this infrastructure, for example by modifying an account’s limits so that more money can be cashed out at once. How these workers are recruited is something we covered in our previous blog. Withdrawing the money as cash alone is not enough, as the trail can still be traced back to its illegal origins. But with cash in hand the criminal can proceed to use the more common money laundering methods of traditional crime.
Today, the flow of cash has no geographical boundaries, a fact leveraged by launderers. With so much currency constantly in flux, illegal money is extremely difficult to stop. Cybercriminals can easily convert bitcoin to different currencies and use money transfer services to send it to a dropper as part of an international laundry chain.
Other Money Laundering Techniques
Cybercriminals always seek to find withdrawal solutions that are both easy to execute and difficult to trace by law enforcement. This next method involves gift cards.
The idea is to use stolen credit card data to buy gift cards and then immediately push the cards to the underground market, or purchase goods with them for resale. There are also dark web services where the customer can place an order for a gift card, specifying the store and amount they require – a gift card-on-demand of sorts. The reason this is attractive to the buyer is that they can buy these cards at significant discounts, sometimes paying as little as 20 to 30 percent of the card’s value.
This scheme does have risks for both the cybercriminal and the purchaser. These gift cards must be used quickly because it is inevitable that the store will find out and invalidate them as fraudulent.
In this example, the ad mentions that it takes up to six hours to deliver the cards. This implies that the process likely employs underground form fillers who purchase the gift cards once an order has been placed to decrease the risk of the cards being invalidated. Some sites ask for several days to deliver the cards. This extended duration may be due to a longer verification process on store sites, but we cannot ignore the high possibility that it is simply a scam and you will never receive your gift card.
The advertisements for buying gift cards are commonplace in underground communities. Prices vary greatly based on the seller’s confidence in the cards’ validity. Different cards are purchased using different schemes because some methods to illegally acquire cards are more reliable than others. Gift cards less likely to be invalidated are generally sold at a higher price.
The wide variety of shops and goods is impressive. Underground dealers cover any and all shops that a legal consumer may be interested in.
Gift cards and coupons are not limited to online shopping. Services such as food and lodging can also be found in underground markets. These must be used at an actual physical location so cybercriminals will buy these either for personal use or to resell as part of a different scheme.
Even though the above services exist in almost every U.S. city, not everyone travels or goes out to eat often. But most of us do own or drive cars:
Gift card schemes are well-practiced (and successful) money laundering techniques, but once a criminal operation is running smoothly they immediately look for ways to maximize profits and improve the scheme.
Plenty of open web platforms and markets exist where people can trade gift cards they do not need. These are also great places for a cybercriminal to try and sell their gift cards quickly – at a great discount.
There is a huge network of droppers around the world who pose as legitimate sellers and post gift cards and coupons on legitimate venues. These schemes involve verified cards, so they can be sold to unsuspecting buyers at a much higher profit margin.
Figure 21: Illustration of gift card schemes
As gift cards evolve so do the security mechanisms put in place by online shops. The underground community follows these trends closely to invent new ways to take advantage.
A novel money laundering technique we are beginning to see is rather elaborate and involves the creation of a real company.
The advertiser is looking for a fairly specific LLC: one with a history of real operations, a turnover of $3 million USD, a profit of at least $45,000 USD per year, and no history of suspicious activities. The underground marketers are buying real companies – which exist only on paper in most cases – and appointing directors to make the money path significantly longer, with the goal of duping investigators.
“Employees” at Legit Companies
Service companies have not escaped the attention of cybercriminals. Worldwide services are increasingly being used (and abused) to spin up illegal operations, and the schemes continue to evolve over time. The following example is somewhat older; the idea there is to pose as a fake Uber driver.
Since this post, Uber has made many changes and updates to their systems, making such schemes impossible. The underground responded to these changes with new tactics, this time leveraging the human element.
Figure 25: An underground forum post looking for real Uber drivers to help launder money
This method preys on people’s greed, recruiting real Uber drivers to accept and “perform” fake drives on behalf of the cybercriminal, accepting payment made with illegal funds and transferring parts of their Uber earnings (which are clean funds) back to the cybercriminal.
The same type of scheme can be applied to other online services. The following example utilizes the Airbnb hospitality service:
This scheme recruits people who will register as Airbnb hosts, and the cybercriminal will send fake visitors to their housing. These visitors will, of course, never actually show up, but they will pay for their “stay” to Airbnb using illegal funds. The funds will then go through Airbnb’s systems, ultimately being paid to the host in clean money, part of which will then be sent back to the cybercriminal.
With these schemes, we see the underground community’s strengths in using and abusing the human factor to recruit people who are not deeply involved in dark web operations to be the public face in their illegal activities.
Cybercrime headlines tend to focus on new variants of malware or gross negligence resulting in large data breaches. It’s a proverbial game of cat and mouse, with white hats fortifying defenses and black hats adjusting to bypass them. However, missing from these stories, and just as important for grasping how cybercriminals operate, is what takes place post-breach or once funds are acquired illegally.
Money laundering has become essential for keeping the engines of cybercrime going, and we have seen a variety of tactics emerge and evolve. By having a deeper understanding of how money is washed, law enforcement can keep pace and find new ways to disrupt the cycle.