This post has already been read 1994 times!
There are many routes and many options to clean dirty money, it’s no wonder AML is such a difficult job. The sheer volume of SARS obfuscates criminals, it doesn’t help law enforcement.
The below helps to understand just a few of the tactics at play via the dark web. Forget smurfing. Forget structuring of cash. Those are small fry. If you really want to clean money get on the dark web. Read on for more…
The drive for Artificial Intelligence to better understand AML trends and generate meaningful enquiries to Law Enforcement is the result of literally millions of false positives, clouding real criminality.
The dark web’s ecosystem is vast and well-coordinated, with a low barrier to entry for those with even limited technical knowledge. But digital crime by its typology leaves a trail for investigators – so what happens when a criminal succeeds in their criminality and turns a profit?
Criminals are still only part way to spending their gain ‘mostly’ anxiety free. Any money secured through illegality where the origin of the gain cannot be explained is referred to in the underground as “dirty” money. This stolen gain is still relatively useless and comes with high risk in any legitimate financial transaction, such as buying goods. This stage is known as ‘Integration’ to AML compliance experts.
There are a plethora of different ML schemes, each with its own risks and benefits. From simple ones related to cryptocurrencies to more complex schemes involving services such as Uber, Airbnb, and even the occasional petrol station.
In today’s cybercriminal world, you either need to fully grasp the nuances of properly laundering money (so it can be integrated) – or trust someone who does.
ML on the dark web has become a criminal network industry, sometimes led by banking and financial experts who know the techniques to obfuscate criminal gain. In fact, a recent investigation shows that criminals have far more sophisticated methods of dealing with this issue.
At CYW we believe this reinforces our view that with ML, banks and investigators should be collecting intelligence and focusing on that, not overly focusing on SARS – to start with the criminal, not the transaction.
It’s worth noting that some of the ML processes used in the underground overlap with what we know from traditional crime. However, due to the nature of cybercrime, unique techniques exist specifically for use with dirty money obtained electronically. We will shed light on how these adapted cyber-schemes work which is essential intelligence for both security and law enforcement practitioners.
What Seems to Be the Problem?
One critical element of ‘cleaning’ money is accounting for the gain without raising the suspicion of law enforcement. ML is the answer to that problem.
Figure 1: The flow of money laundering
ML has been around for as long as crime has and is considered an international problem. According to the UNODC (United Nations Office on Drug and Crime), the estimated money laundered world-wide in a year is two to five percent of global GDP, or $800 billion to $2 trillion US.
“Though the margin between those figures is huge, even the lower estimate underlines the seriousness of the problem”. UNODC
How do criminals launder money when using the dark web? The criminal underground relies on anonymity-focusing on cryptocurrencies in their illegal work. This offers a good start to obfuscate their gain. But, even using “anon” cryptocurrency doesn’t completely secure a criminal from law enforcement. The relatively simple mistake of using a wallet ID (a unique identifier) filled with stolen cryptocurrency to purchase online with delivery to an address could result in a knock from law enforcement not a delivery driver.
Figure 2: A cybercriminal with a mining botnet asking for ML assistance
If they have lots of money at stake, it’s obvious that even experienced malware developers need the help of criminal financial experts to not make expensive mistakes. The dark web is now facilitating solicitation for financial experts who have the ability to ‘clean’ money with less risk than ever before.
Figure 3: Another post on an underground forum asking for money laundering help
Main Idea: Break the Chain
The key is to break the chain. The criminal network’s solution to cleaning cryptocurrency uses features specifically built into digital currency to retain anonymity but unfortunately uses them for criminal ends. The fact that they can create as many cryptocurrency wallets as they wish and these do not require any identity allows cybercriminals to create a fog to obfuscate their criminal transactions in. This is called a “cryptocurrency tumbler,” or more popularly “bitcoin mixer” (or sometimes just “mixer”):
Figure 4: Advertisement for an underground mixer service
Mixers are a well used way of anonymizing and cleaning dirty bitcoins. The concept is to divide the cryptocurrency among multiple accounts, transfer them between several more accounts, and then eventually collect the total amount (minus a fee) to one external, newly created clean account. Doing this across exchanges and country boundaries further complicates the transactions.
Figure 5: Illustration of the bitcoin mixing process
‘Mixers’ provide an infrastructure so that as a “customer” criminals simply provide the dirty funds and receive a wallet with clean funds when the process is complete. The process is to break the starting amount to smaller, unequal pieces of currency to confuse investigators. The final payout will be smaller than the initial because the Mixer requires a percentage for his work. Due to the volume of small transactions made every day within the blockchain, “mixed” transactions are obfuscated in the sheer noise of legitimate activities, making tracing more difficult. Add in cross border exchanges and it creates another layer of difficulty for investigators, especially in non-cooperating countries who do not have an MLAT (Mutual Law Enforcement Treaty).
Figure 6: Underground money laundering service offering
The aim of breaking-the-chain is to side step direct connection between the two ends: placement into the system and integrating it as ‘legitimate’ cash/gain. The objective is to transfer currency from one region to another, more likely numerous times. It bears a resemblance to the “droppers” , in which goods bought with a stolen card are transferred to a final destination – not directly but through a chain of droppers. The purpose of droppers and how they help launder money is shown below.
Figure 7: Simple and advanced money laundering schemes involving droppers
In a dropper scheme, a cybercriminal will use illegal funds to buy goods in an online shop. The money will potentially be discovered as illegal/stolen/carded, and so the delivery address would be checked during any investigation (most cybercriminals will also change drops and addresses occasionally to avoid being caught).
The person receiving the goods on behalf of the criminal is called a dropper (red line). This dropper, having broken the money trail by converting it into goods, will then send the goods to the actor. More advanced cybercriminals or services in this field will use a chain of droppers (blue line) to further obscure the process of tracing the goods back to the dirty money.
Underground ML specialists have developed this scheme even further by adding into the chain an unaware, legitimate buyer:
Figure 8: An advanced ML scheme involving a legitimate buyer
The process works in the same way but now involves actual real buyers. These buyers are lured to an online shop promising unbelievable deals, via adverts on DarkWeb search engines. The shop customers think they’ve landed on a big sale, with goods selling as low as 50% discount compared to the brand’s RRP. A legitimate buyer paying for the items will transfer money to a legal shop created by cybercriminals and considered “clean.” But, the customer receives items bought with illegal funds sent to them by one of the droppers , if they receive anything at all…
Figure 9: iPhones sold on the underground at low prices, with bulk discounts
It is highly likely that the shopper will see neither electronics nor their money.
The same concept is used to break the chain with financial droppers as well. Cybercriminals around the world are ready to assist the transfer of stolen funds to (clean) their pockets:
Figure 10: An underground forum post offering ‘cash-out’ in the UK
Figure 11: Another of the huge number of underground offers for help with ML
Financial droppers are ready for any type of transaction through accounts that are functional and have a wide array of credit options. This is achieved by recruited bank workers who help facilitate some of this infrastructure, for example by modifying an account’s limits so that more money can be cashed out at once. This is another indication of how CYW target ML. By understanding employees within institutions and securing intelligence from within to uncover this type of criminal.
Converting the money into cash alone is not enough, as the trail can still be traced back to its criminality. However, with cash the criminal can proceed to use the more common ML methods used in traditional crime.
Nowadays, cash has no geographical boundaries, a fact leveraged by ML experts. With huge volumes of currency constantly in flux, illegal money is extremely difficult to stop. Cybercriminals can easily convert bitcoin to different currencies and use money transfer services to send it to a dropper as part of an international ML chain.
Figure 12: International money laundering offerings in the underground
Other Money Laundering Techniques:
Anti Money Laundering Gift Cards
Cybercriminals are constantly seeking ways to withdraw cash in ways that are both easy to execute and difficult to trace by law enforcement. Gift cards are one such method.
The process uses stolen credit card data to buy gift cards and then immediately pass the gift cards to the criminal market or purchase legitimate goods with them for reselling. There are also dark web transactions where the ‘customer’ could place an order for a gift card – a sort of gift card-on-demand. This is attractive to the customer because they can buy gift cards for significant discounts, sometimes 70 to 80% off.
13: Gift cards being sold
The gift card scheme does carry risk for both the cybercriminal and purchaser. Gift cards must be used quickly because it is inevitable the store will find out and invalidate them for being fraudulent.
Figure 14: Walmart gift cards for sale on the dark web
In the above image, the advert explains that it can take six hours to deliver the card. This implies that the process employs dark web form fillers who only buy the gift cards once an order has been placed to decrease the risk of the cards being invalidated. Some sites ask for several days to deliver gift cards. This lengthy time may be due to a longer verification process on the legitimate website, but it cannot be ignored the high chance that it is simply a scam, criminals are after all, trading with criminals.
Figure 15: Illustration of the gift card laundering scheme
The adverts for buying gift cards are commonplace in the dark web. Costs vary hugely based on the seller’s confidence in the cards’ validity- the dark web does have a ‘review’ process on some sites so ‘customers’ can base their decisions on an ‘element’ of external trust. Different cards are purchased using different schemes because some methods to illegally acquire cards are more reliable than others. Gift cards less likely to be invalidated are generally sold at a higher price.
Figure 16: A dark web forum posts shops of interest to gift card scammers
Figure 17: A dark web site selling gift cards for various shoes and clothing stores
The wide variety of shops and goods is impressive. Dark web dealers cover any and all shops that a legal consumer might purchase from.
Coupons and cards are not limited to just online purchases. Offers for food and lodging can also be found on the dark web. These cards/coupons are then used at actual physical shops/garages so cybercriminals will buy these for personal use or to resell as part of a different scheme. This is an example of how physical law enforcement can track criminals in the real world. Suspected criminals found with these cards in their possession while having high net worth status doesn’t add up and should identify a suspicion for the law enforcement agent.
Figure 18: Dark website selling gift cards for various restaurants
These cards are even used in gas/petrol stations.
Figure 19: Dark Website selling gift cards for gas/petrol stations.
Gift card fraud/schemes are successful ML techniques, however once a scheme is running smoothly they immediately look for ways to increase profit.
Figure 20: A dark web forum member suggests trying reddit to exchange gift cards
Lots of legitimate web platforms exist where people can trade gift cards they do not want. These are good places for a cybercriminal to try and sell their gift cards quickly – at a great discount.
There is a vast net of droppers around the globe that pose as legitimate sellers. They post illegally sourced gift cards and coupons on legitimate venues. These schemes involve verified cards. They can be sold to unsuspecting buyers for a much higher profit margin.
Figure 21: Gift card schemes
As the gift card industry matures so do the security mechanisms built by online shops. The dark web community watches these trends closely to develop new ways to take advantage.
A new ML technique we are beginning to see is elaborate and involves the creation of a real company.
Figure 22: A job offer on the dark web to become the director of a ML company.
Figure 23: A dark web post looking for a company they can use to launder huge sums.
The criminal is looking for a specific LLC with a history of real operations, but with a turnover of $3 million and profit at least $45,000 pa, it must be a legitimate company with no criminal history or ML suspicions. These dark web criminals are buying real companies – which exist only on paper in most cases – and appointing directors to make the money path more obscure, with the goal of confusing law enforcement.
“Employees” at Legitimate Companies
Service companies have not escaped the attention of cybercriminals. Worldwide services are increasingly being used to facilitate illegal operations. They continue to evolve over time.
Figure 24: Dark web forum post selling a guide to becoming a fake Uber driver
Since this post, Uber has made many changes and updated their system, preventing these schemes. The dark web responded by leveraging the human need for growth, whether illegal or not.
Figure 25: Dark web forum post looking for real Uber drivers to help ML
This method preys on people’s greed, recruiting real Uber drivers to accept and “complete” fake drives on behalf of the cybercriminal, accepting criminal payment and transferring some of their earnings (which are clean funds) back to the criminal.
The same scheme can be applied to other online services. The following example uses Airbnb.
Figure 26: Dark web post looking for real Airbnb hosts to help ML
This recruits people who register as Airbnb hosts, and the cybercriminal will send fake visitors to their housing. The visitors will never arrive, but they will pay for their “stay” to Airbnb using illegal funds. The funds will then go through Airbnb’s systems, being paid to the host in clean money with the criminal taking his cut.
This shows the dark webs ability to adapt using the human factor to recruit people who are not involved in the dark web to be the public face in their illegal activities.
ML is essential for maintaining cybercrime, we see a variety of tactics emerge and evolve. It is equally essential efforts to prevent ML encompass operators understanding the deeper elements of how criminals operate.
CYW believe it is a fundamental requirement of all AML operators, no matter in what field of AML to understand trends and have a working knowledge of ML tactics being deployed globally. It is simply fruitless focusing on SARS with an expectation law enforcement can keep pace with the volume or complexity of them. The key for law enforcement agencies is to focus on the criminal, identified through intelligence; not the transaction from a SAR.
To that end CYW are building a network of agents to provide direct intelligence on criminality. To access it, contact us…