From Money Mules to Chain-Hopping: Targeting the Finances of Cybercrime
This Occasional Paper discusses the ways that cyber-criminals manage the proceeds of their crimes, from employing money mules to using services such as mixers to obfuscate the proceeds' origins. It offers recommendations for policymakers, law enforcement professionals and regulated entities to target and reduce these activities.
This paper examines money-laundering techniques used by cyber-criminals and proposes measures that should be taken by UK policymakers, law enforcement agencies and regulated businesses to make it more difficult for such activities to go undetected.
Cybercrime has become a major category of financially motivated crime. It generates proceeds that in some cases amount to hundreds of millions of pounds. Moreover, it engenders a bustling underground economy where stolen data and services that facilitate cybercrime are traded.
Money forms a key part of cyber-criminals’ motivation to engage in criminality. It is also their vulnerability. Since financially motivated crime inevitably involves money laundering, which refers to any use of the proceeds of crime, anti-money laundering (AML) measures can be used to target cyber-criminals. Financial investigation can be used to trace transactions and identify their beneficiaries. Criminal prosecution can target money launderers who help cyber-criminals transfer and use the proceeds of crime. Based on a review of publicly available information and interviews with subject-matter experts, this paper proposes ways of further strengthening these financial efforts against cybercrime.
Scope of the Paper
Cybercrime is a broad concept. This paper focuses specifically on the proceeds from hacking, malware infections (including ransomware) and distributed denial of service (DDOS) attacks. These are enabled by the existence of an underground criminal economy of services that facilitate cybercrime. In view of this, the paper also covers the proceeds of ancillary services that range from the provision of hacking, malware or DDOS attacks ‘as a service’ to money-laundering services.
Generation of Cyber-Criminal Proceeds
Since the form and amount of the proceeds often determine how they will be laundered, it is necessary to consider how cyber-criminals generate proceeds. This happens in a variety of ways, including:
- Taking over a bank customer’s account or interfering with inter-bank payments, typically via Society for Worldwide Interbank Financial Telecommunication (SWIFT) intrusions, which leads to unauthorised electronic transfers of fiat currency (government-issued money such as US dollars or British pounds).
- Hacking ATMs or attacking banks’ card-processing systems, which generates proceeds in cash. Attacks on card processing involve the deactivation of withdrawal and overdraft limits on cards held by criminals.
- Ransomware extortion, ‘cryptojacking' or theft of cryptocurrency, which all depend on cryptocurrency, such as bitcoin. The market in ancillary services is also dominated by cryptocurrency due to the perceived anonymity of transactions.
Laundering the Proceeds
Proceeds in Fiat Currency
The proceeds generated in government-issued fiat currency can either be digitally represented – for instance, funds in a bank account – or exist in physical cash. Proceeds from low-value, high-volume attacks that generate digitally represented fiat currency, such as account takeovers, are typically moved through several consumer bank accounts, which either belong to witting or unwitting ‘money mules’, or have been hacked. In contrast, transferring large amounts of funds, such as those that originate from intrusions in inter-bank payments systems, requires corporate bank accounts and therefore involves the establishment of companies. In turn, cash-generating ATM hacking and attacks on card processing rely on a particular type of money mule to launder funds, namely individuals who pick up and transfer the cash.
Depending on the money-laundering scheme used, regulated entities and law enforcement agencies face different detection and investigation challenges. In particular, the use of money-mule accounts and high-velocity transactions by criminals requires financial institutions to identify such accounts and freeze the proceeds before they are withdrawn in cash. As discussed below, this requires a continuous reappraisal of approaches to data analysis and information sharing in relation to cyber indicators.
Proceeds in Cryptocurrency
The criminal provenance of cryptocurrency transfers is obscured through the use of mixers; online gambling outlets that accept cryptocurrency; and, occasionally, rogue virtual currency exchanges. Although businesses that exchange cryptocurrency into fiat currency or vice versa will become regulated across the EU once member states implement the 5th Anti-Money Laundering Directive (5AMLD), member states are not required to extend the same rules to crypto-to-crypto exchanges. Such exchanges are open to abuse because they can convert traceable cryptocurrency such as bitcoin into privacy coins that are at the moment exceedingly difficult to trace (a process known as ‘chain-hopping’). Furthermore, as the use of peer-to-peer (decentralised) exchanges, where users transact directly with each other, increases, so may opportunities for laundering funds through them. Whether such exchanges fall within the scope of 5AMLD is questionable given that they only operate as intermediaries that connect users. Similarly, the use of mixers so far is not addressed in either the EU or the UK.
Key Areas for Further Action
Building the Knowledge Base
Improved understanding of how cyber-criminals launder the proceeds of their crime can produce a clearer intelligence picture of how they operate and, in particular, help identify key nodes of the enabling financial infrastructure. This will assist in focusing law enforcement and regulatory efforts. Additional analysis is needed to better understand:
- The modus operandi, identity and location of money launderers who provide such services as company incorporation to cyber-criminals.
- The modus operandi, identity and location of individuals who specialise in facilitating anonymous cryptocurrency transactions (for example, via mixers) and thereby wittingly or unwittingly facilitate the laundering of cyber-criminal proceeds.
- The ultimate use of the proceeds of cybercrime and their contact with the regulated sector, which can constitute a focal point for law enforcement and regulatory intervention.
Detecting Money-mule accounts
The use of money-mule accounts is ubiquitous in cybercrime involving fiat currency. Their detection poses challenges, especially if those accounts are several steps removed from the predicate crime. It is particularly difficult for financial institutions to identify accounts that cyber-criminals purchase from initially legitimate users. In view of these challenges, some financial institutions are exploring innovative methods of detecting money-mule accounts, such as:
- Real-time information sharing to trace criminal proceeds, including the proceeds from using stolen card data, down the chain of money-mule accounts after a known fraudulent transfer has taken place.
- Analysing a wide range of data points, including cyber indicators such as IP addresses and device IDs, to link related accounts. For instance, establishing that several ostensibly unrelated accounts are accessed from the same device can indicate money muling. Various data points, including cyber indicators, have already been used for those purposes, although the details cannot be disclosed in a public document. In this context, the reliability and standardisation of data points are crucial.
Whenever possible, the results of these initiatives should be communicated throughout the industry to share best practice, subject to necessary limitations on the sharing of confidential information or the details of an institution’s business processes. If a particular type of information proves useful for analysis (for instance, cyber indicators), UK government stakeholders (especially the Home Office and the National Crime Agency [NCA]) and regulated entities should verify to what extent it can be effectively shared via existing information-sharing arrangements. In addition, the NCA should consider introducing a standardised format for the inclusion by regulated entities of cyber indicators (such as IP addresses) in suspicious activity reports where available. This will facilitate the analysis of such data by law enforcement agencies.
Addressing Cryptocurrency-Related Risks
In line with the EU’s 5AMLD, the UK will extend its AML regime to virtual currency exchanges and custodian wallet providers. Moreover, in October 2018 the Financial Action Task Force (FATF) extended its recommendations to ‘virtual asset service providers’, which include a broad range of cryptocurrency businesses beyond those to be regulated under EU law. This represents an appropriate moment for considering how the UK regulatory framework should extend to other cryptocurrency-related business models posing money-laundering risks, such as crypto-to-crypto exchanges, peer-to-peer (decentralised) exchanges and, potentially, mixers. Potential responses include either expanding the list of businesses subject to AML obligations on a case-by-case basis, as and when new business models arise, or using a flexible definition – for instance, of a ‘money-service business’ – that is capable of covering novel cryptocurrency businesses.
In addition to these measures, the UK government should provide guidance to regulated virtual currency exchanges on dealing with higher-risk counterparties, such as mixers of unregulated exchanges, and transacting in higher-risk cryptocurrencies, such as privacy coins. Such guidance will help exchanges assess the risks they face and prioritise mitigation measures.