How cybercriminals launder money stolen from banks

For some cybercriminal groups, attacks on banks and other financial institutions are like an assembly line. Many people know tracing stolen funds is usually impossible, but not everyone knows why. A joint report by BAE Systems and researchers from the payment system SWIFT details how cybercriminals launder stolen money.

Money source and destination

There are two bank attack scenarios — against infrastructure and accounts, or against ATMs and related systems. The various schemes for extracting and then laundering money all differ slightly, but the essence and goal are the same: to put criminally derived funds back into the legitimate financial system.

Traditionally, the money laundering process consists of three stages:

Placement: the first transfer from a victim’s account to fraudsters’ accounts, or a deposit of stolen cash; Layering: a series of transactions designed to conceal the origin of the funds and their real owner; Integration: investment of the now-laundered money in legal or criminal business.

The final stage — reintegration of the laundered funds back into the economy — could fill a separate post, so we shall not consider it in detail here. However, a successful attack requires careful planning beginning long before the funds are stolen and the legalization mechanisms are in place. That’s an additional stage: preparation.


To enable the fast movement of stolen funds, cybercriminals usually set up many accounts owned by individuals or legal entities. They can belong to unsuspecting victims hacked by intruders, people duped into taking part in the fraudulent operation, or volunteers.

The latter are commonly known, unflatteringly, as mules. Some employ mules to open accounts using fake or stolen documents (a complex task requiring a bank insider). Recruiting agencies may hook up the parties with job description wording such as “facilitating the investment of funds” or something equally vague. In many cases, mules know full well what they’re doing is less than legal but are blinded by the payout. But often, the “accomplices” end up getting deceived as well.


Once the cybercriminals have transferred stolen money to an account (using malware, social engineering, or an insider), the mules come into play:

They may move funds to other accounts to throw potential trackers off the scent; They may order goods — to their own or another address; They may withdraw money from ATMs.

One ruse to attract unwitting mules involves hiring them to work for a company that supposedly helps foreigners buy goods in stores that don’t deliver abroad, receiving and forwarding parcels by international mail. That kind of work lasts for a month or two, until the local police come knocking.


When accomplices who are in the loop receive the goods or money, they use long-established criminal practices to legalize the booty. For example, money may be exchanged for freely convertible currency (typically dollars); goods (typically electronics) are sold directly to buyers or to second-hand shops. Of course, currency exchange offices and stores that buy items are supposed to have mechanisms in place to detect illegal transactions, but either negligence or insiders can bypass them. Then, a third party transfers the money to the organizers of the scheme.

Although mules can be caught and their percentage seized, the bulk of the proceeds — and the masterminds — remain elusive.

Next, the crooks employ “classic” criminal methods such as purchasing

Continue reading

This post was originally published on this site