SWIFT’s Research reveals new levels of Money Mule Activity

For those looking to prosecute cybercriminals and the organizations they belong to, it is not just the malware used that can help officials arrest and try alleged criminals. Being able to determine how illicit funds were laundered and used is an important part of proving those charged with crimes actually guilty of said crimes. We have covered a number of occasions where research is shined a light into how cybercriminals profit from the funds, stolen, extorted, or mined, whether funds, typically cryptocurrency, earned from sextortion or ransomware. In a white paper published by the Society for Worldwide Interbank Financial Telecommunications (SWIFT) in collaboration with BAE Systems has shone new light into this facet of the criminal underworld. Their findings may come as a surprise to those who see cryptocurrencies as the currency of cybercrime.

Much of the research conducted by SWIFT and BAE was focussed on money stolen during hacking campaigns that targeted banks and other financial institutions. Given how often cryptocurrencies like Bitcoin are mentioned in regards to cybercrime it would be assumed that proceeds from bank hacks would be turned into cryptocurrency as soon as possible and then laundered from there. However, the research paints a different picture with SWIFT noting,  “Identified cases of laundering through cryptocurrencies remain relatively small compared to the volumes of cash laundered through traditional methods,”, with traditional methods including money mules, front companies, cash businesses, and investments back into other forms of crime, such as drug trade or human trafficking. That being said, while the use of cryptocurrencies to further launder money stolen from banks is still a minor percentage when compared to the more traditional methods used to launder money they do expect this small percentage to rise in the future.

This potential to be used more in the future comes down to a number of factors. First, we are seeing a growing number of alternative cryptocurrencies, commonly referred to as altcoins, and is a blanket term used to describe any cryptocurrency other than Bitcoin. As of 2020, there were more than 5,000 cryptocurrencies by some estimates. According to CoinMarketCap, altcoins accounted for over 34% of the total cryptocurrency market in February 2020. What is appealing to cybercriminals is that recently released altcoins have a new emphasis on privacy and allow for full transaction anonymity.

swift research on money mules

Secondly, criminals are increasingly using services referred to as mixers or tumblers that greatly obscure the source of cryptocurrency transactions by blending stolen or laundered funds with large amounts of other legitimate transactions. Lastly, researchers have noticed the emergence of online marketplaces that only require an email as “proof” of identity, and forgo all others know your customer rules. These marketplaces specialize in selling high-end products, land, and real-estate assets across the world, such as expensive watches, jewelry, gold bars, fine art, luxury penthouses, and tropical islands.

These three factors provide increased anonymity to criminal groups that traditional methods like money mule gangs and front companies can never provide, and the reason why SWIFT believes more groups will eventually adopt cryptocurrencies to launder stolen bank funds.

The Money Mule

Much of the white paper is dedicated to how cybercriminals launder money with the help of money mules. According to the white paper, cybercriminals steal the funds by one of two ways generally speaking. The first being an attack on the bank's transferring system and the second being an attack on the bank's ATM infrastructure. The heist does not grant the attacker automatic access to the stolen funds and in order to benefit from the illicit proceeds, the money has to be laundered.

A favored method for this is by using money mules who are individuals employed and trained by cybercriminals and organized crime groups to cash out stolen funds more often than not from ATMs. Another avenue available is to use bank accounts set up by the money mule so that funds can be transferred in and out of them. This can happen a number of times through several accounts until they reach the end-beneficiary, namely the group that will ultimately profit from the heist.

The money mule performs a critical step in the laundering process. In many cases, if the funds stolen cannot get past the mule then all other steps to launder the money, be they reinvestment into a legitimate financial institution, buying of assets, or reinvestment into other criminal activities are rendered useless. Recruiting these individuals is of the utmost importance. As a result, cybercriminals have become more creative regarding this process often using individuals who are unaware that they may be complicit in criminal activity. SWIFT notes,

“Cyber-criminals have become more creative with their methodologies for recruiting money-mules. Some cyber-criminals often dupe innocent victims into laundering money on their behalf with the promise of easy money by using seemingly legitimate job adverts, online posts, social media and other methods. This includes incorporating aspects like diversity and inclusion (D&I) into job adverts to encourage a person to believe the company is real, as well as creating fake management teams. Some job adverts appear to be targeted towards people based in countries that are not typical financial targets, (e.g. UK, US, and Australia). For cyber-criminals in Eastern Europe this recruitment technique serves as further obfuscation, due to international transfers increasing the complexity.”

It is often young adults out of work or struggling to come up with the relevant funds to pay for higher learning that is so often targeted during the recruitment process. Further, the cybercriminal will not recruit people close to themselves, this has the obvious benefit of increasing anonymity and makes it harder for investigators to pinpoint who was behind the bank heist. It has also been seen that a number of nation-state hacking groups will use their links with the criminal underworld to launder funds.

In these instances, the criminal aspect is responsible for recruiting mules while the nation-state actor will be the end beneficiary with the criminal organizations being used receiving a cut of some kind from the proceeds. Given how Lazarus will often look to perform more financially motivated attacks they would need to use similar tactics to bypass sanctions placed on North Korea.

Not Just Mules

Based on SWIFT’s research, mules are a critical link in the money laundering chain, however, organizations will often employ a variety of methods to launder stolen funds. Understanding what is done with the money once the mule receives it is vital in trying to limit and hopefully stop the laundering of money. In a number of instances, the money is converted to US dollars, often by bribing employees who work at currency exchanges. The newly exchanged dollars could then pass to an intermediary who then passes it on to the cybercriminal organization. Further, the use of front companies and cash businesses can be used to reintroduce the stolen funds into the legitimate economy. Researchers noted,

“The setting up of front companies can be used by some jurisdictions as a method to circumvent the adverse impact of imposed sanctions and to enable covert access to the global financial system. It also facilitates the potential for obfuscating the flow of money and concealing various techniques for money laundering. Front companies are corporations that act as a ‘cover’ for the laundering of illicit funds and typically lack significant legitimate assets. They either do not maintain active business operations, or, in some instances, the front company can have a legitimate purpose, which is used as an effective way of concealing the true ownership of businesses and accounts, as well as associated assets and parties. In this way, front companies can be an effective entity through which illicit transactions can be circulated and consequently obfuscated. Front companies are often set up in jurisdictions that are known for strong banking secrecy laws or for poor enforcement of money laundering regulations, as these are preferable for individuals with illicit intentions.”

The process of laundering funds is complicated and depends on an existing network of criminal organizations to carry out specific roles in order for the end beneficiary to eventually profit from the initial heist. As was seen above, money mules, either willing or ignorant of their role, are a critical step for attackers to consider if they hope to profit from their attacks on banks and other financial institutions.

Ultimately, it is dependent on a high level of collaboration between different organizations in different jurisdictions and across international borders that enable cybercrime to profit in this way.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal