Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Money Laundering. Show all posts

Mule Recruitment Scheme: Scammers Making Innocents Accomplices Into Money Laundering

Mule Recruitment Schemes

If an online offer seems too good to be true and needs managing money, it is a possible mule recruitment scam

RBI and NPCI warn users

The National Payments Corporation of India (NPCI) and RBI regulations advise not using Indian payment systems for banned or blacklisted website categories such as porn sites, gambling, Chinese laundering/loan apps, Forex trading sites, or other shadowy websites. 

To escape this restriction, scammers use Mule accounts to receive money through Indian payment ways like bank accounts, credit cards, UPI, debit cards, and VPA. 

What is a Mule account?

A Mule account is a famous term in cybercrime that looks for any account used for moving money illegally received through illegal activities. These accounts mostly belong to those who, intentionally or unintentionally, have been tricked into playing the illegal money laundering act.

Not aware of being part of a bigger scam, these individuals or “money Mules” are tricked into letting unknown scammers use their accounts to hide the source of laundered money. Scammers make these payments look legit through sly schemes and baits, hiding the money’s shadowy inheritance before it goes to the final destination. 

“We detect 18 to 20 thousand cases every single day for a National Bank. These mule accounts are usually owned by regular people who are either tricked into opening them or knowingly use them at the behest of some monetary payments. We advise people not to share their account details or give access to anyone. Fraudsters can use your credentials for such illegal activity” said Amit Relan, Co-founder and CEO of mFilterit. 

Tricking of customers

Money Mules fall into two categories: willing participants and duped participants. The scammers approach the Mule account customer online via emails, social media, websites, etc. Customers are fooled into believing they will get money in their bank account through commissions or incentives. After that, the scammer transfers laundered money into the Mule account. 

Scammers attack vulnerable and naive individuals, using lucrative job scams or fake online relationships to scam people. The victims are fooled through false promises of easy money for not-so-harmful activities like transferring goods or money. If an online job opening seems too good to be true or needs managing money or services, it is most likely a Mule recruitment scam. 

“Fraudsters might pose as authentic organizations like banks or government agencies to deceive victims into divulging personal or financial details. Phishing emails frequently include hyperlinks or attachments that, once clicked or opened, can deploy malware or direct users to fake websites crafted to steal sensitive information” said Dhiren. V. Dhedia, Head- Enterprise Solutions, CrossFraud. 

How to be safe?

Be cautious, if someone else controls your bank account, you are risking your savings and facing possible criminal charges. You should stay updated and informed to not fall for the mule scam. 

Sharing your personal banking details with people you don’t trust is a big no, even if they have a believable story or offer.


North Korean Hackers' $12M Ethereum Laundering Via Tornado Cash Unveiled

 


It has been reported that North Korean hackers associated with the Lazarus Group have exploited Tornado Cash in a recent development to launder approximately $12 million worth of stolen Ethereum (ETH) in the last 24 hours, using the coin mix-up service Tornado Cash. 

According to blockchain analytics firm Elliptic and experts from other organizations, the Lazarus Group was responsible for the theft of $100 million in cryptocurrency from HTX and its HECO Bridge in November of 2023, according to blockchain analytics firm Elliptic. HTX, a cryptocurrency exchange, and its cross-chain bridge, HTX Eco Chain, or HECO, have been flagged by the analytics firm Elliptic as being engaged in on-chain activity since March 13 indicating that Lazarus Group hackers have transferred cryptocurrency worth $12 million to Tornado's wallets. 

A decentralized and non-custodial privacy tool, Tornado Cash was stolen in November from the cryptocurrency exchange HTX and its cross-chain bridge, HTX Eco Chain. Tornado Cash is a blockchain-based decentralized, non-custodial cryptocurrency. It is a smart contract-based system that allows users to deposit ETH and ERC-20 tokens at one address and then withdraw them at another address with the help of smart contracts. 

This service and others that blend tokens from different sources to disguise funds are known as Tornado Cash and other mixers. The US Treasury blacklisted the service in August 2022 after it had been used to launder more than $7 billion in cryptocurrency since it was established in 2019. 

The department has alleged that the mixer has been used to launder more than $7 billion over the past two years. Nevertheless, Sinbad.io itself was seized in November 2023 by US authorities, which eliminated another avenue by which hackers could commingle. Consequently, the group appears to have returned to Tornado Cash to launder funds at scale and obscure the transaction trail while using Tornado Cash's decentralized architecture and resistance to raids. 

Finally, Elliptic suggests that it is possible to explain the resurgence of Tornado Cash reliance by the Lazarus Group due to law enforcement activities targeting services such as Sinbad.io and Blender.io, which has reduced the availability of large-scale mixers. The group has opted to take advantage of Tornado Cash's continued operation despite sanctions to take advantage of smart contracts' security and decentralized nature on blockchain networks, as they have few viable alternatives. 

As part of this effort, the authorities are also targeting the developers of such mixers as well. In a recent U.S. investigation, Tornado Cash's developers, Roman Storm and Alexey Pertsev, were charged with numerous offences, including conspiracy to commit money laundering, conspiracy to violate sanctions, and conspiracy to operate an unlicensed money-transmitting business. 

A similar development occurred on March 12 with the conviction of Bitcoin Fog's founder of money laundering. There have been several Lazarus Group operations going on for more than ten years now. As far as U.S. officials are concerned, they have stolen over $2 billion worth of cryptocurrency that was used to help fund North Korean programs for the development of weapons of mass destruction as well as ballistic missiles. In 2019, the United States government sanctioned the group by issuing sanctions against them.

Crypto In Trouble: A US Money Laundering Scandal Has Charged The Latest Exchange

Crypto currency

In the recent crackdown on crypto-associated cybercrime, the U.S. Department of Justice issued charges against Aliaksandr Klimenka.

Klimenka is accused of working with Alexander Vinnik and other individuals from July 2011 to July 2017 to operate BTC-e, an unregulated digital currency exchange, and to participate in a money laundering scheme, according to unsealed indictments.

The US Targets Another Cryptocurrency Exchange

The US Justice Department has accused BTC-e of being a hub for money laundering and cybercrime. The company is said to have provided high anonymity trading services that drew in customers who were heavily involved in illicit activities.

The news statement states that the site allegedly enabled financial transactions resulting from a variety of illegal activities, including computer hacking, fraud, identity theft, and drug trafficking.

Authorities emphasize BTC-e's involvement in cybercrimes and point out that it operated on American servers reportedly in violation of mandatory anti-money laundering procedures and "know your customer" (KYC) guidelines.

Furthermore, according to the government agency, BTC-e violated federal regulations mandating strict anti-money laundering protocols by failing to register as a money services organization, despite its substantial operations within the United States.

The arrest of Klimenka in Latvia last December, according to the US Department of Justice, was a significant milestone in their "efforts to combat cryptocurrency-facilitated crimes."

After making his first court appearance in San Francisco, Klimenka is being kept in detention and could receive a hefty 25-year maximum term if found guilty. The accusations highlight the U.S. government's increased emphasis on crimes involving digital assets, with the National Cryptocurrency Enforcement Team (NCET) leading inquiries into cryptocurrency misuse.

The press release stressed that the joint actions of the FBI, Homeland Security Investigations, IRS Criminal Investigation, and U.S. Secret Service underscore "the federal commitment to dismantling networks that leverage digital currencies for illegal activities."

Use of Cryptocurrency in Illegal Activity Falls to Record Lows

Despite the US government's claim, new research from the cryptocurrency analysis company Chainalysis suggests that just a tiny portion of blockchain transactions are utilized for illicit purposes.

$24 billion was received by "illicit addresses" in 2023, mostly from "sanctioned entities" according to US government records. This is a significant decrease from its 2022 value of approximately $40 billion, as shown in the following chart.

Canadian Financial Intelligence Agency Predicts Crypto Crime to Surge Rapidly

 

As the use of cryptocurrency grows, more criminals are likely to start using it to raise, move, and conceal money outside of the established banking system, according to Canada's financial intelligence agency. 

In a report published on Monday, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) stated that ransomware attacks and the concealment and cleaning of fraudulent profits are the most frequent types of criminal activity involving cryptocurrencies. 

Fintrac expanded its strategic intelligence programme to increase its knowledge and comprehension of the risks and vulnerabilities related to virtual currencies by building on the funding it had received in the previous two years' budgets. 

“Fintrac continues to operate in a challenging environment with new and evolving technologies and financial products, rapidly shifting global financial systems and geopolitical events constantly shaping our work,” agency director Sarah Paquet stated in the report. 

Every year, the agency sifts through millions of pieces of data from insurance firms, banks, money services enterprises, securities dealers, real-estate brokers, casinos, and others to track down money linked to illegal activities. It then actively shares details on suspected cases with police and other law enforcement agencies. 

Businesses that exchange foreign currencies, transfer money, cash, or buy or sell money orders or traveler's cheques, or deal in virtual currency must first register with Fintrac before offering these services to the general public. 

According to the report, the continued use of unregistered money services businesses creates challenges for those attempting to discover money laundering and terrorist financing via traditional financial channels. 

“Suspicious transactions reported to Fintrac have highlighted the significant role of third-party intermediaries, such as professional money launderers and money mules, in facilitating underground banking and the laundering of criminal proceeds,” the report further reads. 

While the majority of illicit cryptocurrency transactions involve the laundering of criminal proceeds—a small proportion of total virtual transactions—Fintrac has observed that terrorist groups around the world are increasingly using virtual currencies to finance their operations. 

This trend is especially visible among those associated with ideologically driven violent extremism, who distrust regulated and centralised financial systems. There has also been an increase in loosely connected entities within expansive movements that transcend national boundaries in recent years, as well as the persistence of cross-border funding networks and online fundraising efforts. 

Additionally, the report discovered that there is a significant reliance on mixing services and high-risk exchanges for laundering cryptocurrency and converting ransoms back into cash.

Europol Warns of a Potent Criminal Economy Fostered by New Technological Tools

 

Europol's inaugural report on financial and economic crime highlights the alarming extent to which money laundering techniques employed by ransomware groups and cryptocurrency scammers are now cleaning the cash of nearly 70% of the world's organized crime networks. 

Despite concerted efforts by international law enforcement agencies to combat cybercrime, progress has been sluggish, resulting in European criminals reaping profits of up to €188 billion.

The report underscores how advancements in fintech are exacerbating financial malfeasance. The widespread adoption of online banking and digital-only 'neo banks' has led to disproportionately high rates of financial fraud and money laundering. Innovations like virtual international bank account numbers (IBAN) and 'buy now pay later' financing have further fueled online fraud.

Europol also points out that encrypted messaging apps, dark web marketplaces, cryptocurrencies, and other privacy-enhancing technologies shield criminals' identities, presenting significant challenges for law enforcement agencies. Criminals can now easily access illicit digital products and technical services, even without advanced technological skills, thanks to a burgeoning "crime-as-a-service" model.

The report highlights how money laundering has become increasingly streamlined with the emergence of new types of digital assets. Professional money launderers have established a parallel underground financial system that processes transactions away from the watchful eye of legal financial mechanisms. 

High-level money brokers play a pivotal role in this criminal ecosystem, providing a range of unregulated global banking and escrow services to numerous criminal organizations. This facilitates the laundering of billions of euros worth of illicit profits annually through the EU, rendering money laundering a significant criminal threat.

Europol underscores that most countries lack the requisite experience and specialized expertise needed for tracing cash, analyzing blockchain data, establishing actual ownership, managing seized assets, and facilitating recovery. Digital assets held outside of financial institutions pose an even greater challenge in terms of tracing, seizure, and confiscation.

“Organised crime has built a parallel global criminal economy around money laundering, illicit financial transfers and corruption,” explained Europol’s executive director, Catherine De Bolle. “With modern technology, they have diversified their modi operandi to evade detection.”

Ransomware Actors are Using Crypto Mining Pools to Launder Money

 

According to a recent analysis by the blockchain forensic company Chainalysis, the use of cryptocurrency mining as a technique to improve money laundering skills extends beyond nation state actors and has particular appeal to regular criminals. 

As per reports, sanctioned nation-states like Iran have turned to cryptocurrency mining as a way to amass money away from the traditional banking system. In a recent development, cybersecurity firm Mandiant also disclosed how the Lazarus Group, a notorious North Korean hacker group, has been utilising stolen cryptocurrencies like Bitcoin to buy freshly-mined cryptocurrency through hashing rental and cloud mining services.

Simply explained, online criminals mine "clean" coins using stolen crypto and then utilise different businesses to launder them. One of these sites, according to Chainalysis, is an unnamed "mainstream exchange" that has been acknowledged as having received "substantial funds" from wallets and mining pools connected to ransomware activity. 

In total, $94.2 million was sent to one of these recognised deposit addresses, of which $19.1 million came from ransomware addresses and the remaining $14.1 million from mining pools. However, Chainalysis found that the ransomware wallet in question was occasionally sending money to a mining pool "both directly and via intermediaries." 

“This may represent a sophisticated attempt at money laundering, in which the ransomware actor funnels funds to its preferred exchange via the mining pool in order to avoid triggering compliance alarms at the exchange,” the report reads. 

Chainalysis further asserts that "ransomware actors may be increasingly abusing mining pools"; citing its data, the company stated that "since the start of 2018, we've seen a large, steady increase in value sent from ransomware wallets to mining pools." 

A total of 372 exchange deposit addresses have received cryptocurrency transfers totaling at least $1 million from mining pools and ransomware addresses. Instances like these, in the opinion of the company, point to ransomware criminals trying to pass off their stolen money as earnings from cryptocurrency mining. 

Chainalysis said that "this sum is certainly an underestimate," adding that "these exchange deposit addresses have received a total of $158.3 million from ransomware addresses since the beginning of 2018. 

Illegal money transfers 

Chainalysis cites BitClub as an additional noteworthy instance of cybercriminals using mining pools. BitClub was a notorious cryptocurrency Ponzi scheme that deceived thousands of investors between 2014 and 2019 by making claims that its Bitcoin mining operations would generate significant returns. 

The company claims that BitClub Network transmitted Bitcoin valued at millions of dollars to wallets connected to "underground money laundering services" allegedly based in Russia. These money laundering wallets then transferred Bitcoin to deposit addresses at two well-known exchanges over the course of three years. 

The same period, between October 2021 and August 2022, saw the transfer of millions of dollars' worth of Bitcoin to the identical deposit addresses at both exchanges by an unidentified Russian Bitcoin mining company. 

The cryptocurrency exchange BTC-e, which the U.S. authorities accuse of promoting money laundering and running an illegal money service business, sent money to one of the wallets allegedly linked to the alleged money launderers. Additionally, it has been claimed that BTC-e handled money that was stolen from Mt. Gox, the biggest Bitcoin exchange in the early 2010s. 

These accusations led to the seizure of BTC-e by American authorities in July 2017, the removal of its website, and the arrest of its founder, Alexander Vinnik, in Greece the same month. 

Prevention Tips

According to Chainalysis, mining pools and hashing providers should put strict wallet screening procedures in place, including Know Your Customer (KYC) protocols, in order to "ensure that mining, which is a core functionality of Bitcoin and many other blockchains, isn't compromised."

The company also believes that these verification processes can successfully stop criminals from using mining as a means of money laundering by using blockchain analysis and other tools to confirm the source of funds and rejecting cryptocurrency coming from shady addresses.

Genesis Market: The Fall of a Cybercrime Website

Law enforcement agencies worldwide have dealt a blow to the criminal underworld with the takedown of Genesis Market, a notorious website used to buy and sell stolen data, hacking tools, and other illicit goods and services. The investigation involved coordinated efforts by the FBI, UK National Crime Agency, Dutch Police, Europol, and other partners.

According to BBC News, Genesis Market had over 500,000 users and 250 vendors, with estimated earnings of $1 billion. The site operated on the dark web, using sophisticated encryption and anonymity technologies to evade detection. However, its operators made a critical mistake by reusing passwords and allowing law enforcement to seize control of the domain.

The shutdown of Genesis Market is a significant victory for law enforcement agencies in the fight against cybercrime. A spokesperson for the FBI said, "This operation sends a clear message to cybercriminals that law enforcement will work tirelessly to identify, investigate and bring them to justice."

As reported by Radio Free Europe, the bust also resulted in the arrest of several individuals linked to the site, including its alleged administrator, who was apprehended in Ukraine. The suspects face charges of cybercrime, money laundering, and other offenses, and could face lengthy prison terms if convicted.

The investigation into Genesis Market highlights the ongoing threat of cybercrime, which has become a lucrative and increasingly sophisticated industry. The site was just one of many platforms used by criminals to exploit vulnerabilities in technology and networks and to profit from the theft and abuse of sensitive data.

However, the successful takedown of Genesis Market also demonstrates the power of collaboration and technology in fighting cybercrime. Europol praised the joint efforts of law enforcement agencies, which utilized advanced tools such as blockchain analysis, malware reverse engineering, and undercover operations to infiltrate and disrupt the site.

ChipMixer: Cryptocurrency Mixer Taken Down After ‘Laundering $3bn in Cryptocurrency’


Darknet cryptocurrency mixer, ChipMixer has been shut down as a result of a sting conducted by Europol, the FBI, and German police, which investigated servers, and internet domains and seized $46 million worth of cryptocurrency. 

During the raid, it was discovered that wallets connected to North Korean cybercriminals and Russian intelligence services had evidence of digital currencies. 

The US criminal prosecutors have booked a Vietnamese man they claim to have run the service since its August 2017 creation. Potentially contaminated funds are gathered by mixers and sent at random to destination wallets. 

Minh Quoc Nguyen, 49, of Hanoi has been accused of money laundering, operating an unlicensed money-transmitting business, and identity theft. The FBI has included him on the wanted criminal list. 

Criminals laundering more than $700 million in bitcoin from wallets identified as stolen funds, including money taken by North Korean hackers from Axie Infinity's Ronin Bridge and Harmony's Horizon Bridge, were among the service's customers. 

It has also been reported that APT28, the Russian military intelligence, and Fancy Bear also utilized ChipMixer in order to buy infrastructure used from Kremlin Drovorub malware. Moreover, according to Europol, the Russian RaaS group LockBit was also a patron. 

ChipMixer joins a relatively small group of crypto mixers that have been shut down or approved, enabling criminals to conceal the source of the cryptocurrency obtained illegally. The list presently includes Blender.io, which was probably renamed and relaunched as Sinbad, and Tornado Cash, a favorite of cybercriminals that helped hackers launder more than $7 billion between 2019 and 2022. 

The Federal Criminal Police Office of Germany seized two ChipMixer back-end servers and more than $46 million in cryptocurrencies, while American investigators seized two web domains that pointed to the company. 

According to court documents, ChipMixer has enabled customers to deposit Bitcoin, which would then be mixed with other users’ Bitcoin in order to anonymize the currency. 

Court records state that ChipMixer allowed users to deposit Bitcoin, which was then combined with Bitcoin from other users to make the currency anonymous. But, this mixer took things a step further by converting the deposited money into tiny tokens with an equal value called "chips," which were then combined, further anonymizing the currencies and obscuring the blockchain trails of the funds. This feature of the platform is what attracted so many criminals. 

The domain now displays a seizure notice, stating: “This domain has been seized by the FBI in accordance with a seizure warrant.” 

“Together, with our international partners, we are firmly committed to identifying and investigating cybercriminals who pose a serious threat to our economic security by laundering billions of dollars’ worth of cryptocurrency under the misguided anonymity of the darknet,” adds Scott Brown, special agent in charge of Homeland Securities Investigations (HSI) Arizona.  

How Threat Actors Are Changing Money Laundering Campaigns


Change in the money-laundering game

It is next to impossible to locate the exact amount of money that's been laundered globally, conservative estimates suggest anywhere between $800 million to $2 trillion. This is just the tip of the iceberg. It's a crime that fuels some of the world's most dangerous criminal operations. 

It's also a tactic threat actors use to cover up their tracks and the profits they make from campaigns like large-scale ransomware attacks. The increase of cryptocurrency has also allowed cybercriminals to avoid getting caught. 

Financial enterprises, cryptocurrency companies, and other institutions have to pay fines for not being able to root out money laundering as regulators and government agencies worldwide try to crack down on this major challenge. 

The bad news is that as we move toward 2023, automation is going to make the situation only worse. We can expect a rise in money laundering as-a-service. The good news is that there are ways to fight this problem and collectively mitigate cyber criminals' ability to operationalize. 

The Crypto money laundering case

A go-to tactic by threat actors looking to advance in ranks is using 'money mules.' Money mules are individuals that help launder money- sometimes, unknowingly. They're often baited under promises of legitimate jobs and false pretenses, only to find later that the job is to help launder profits from cybercrime. 

Traditionally, money laundering was done through anonymous wire transfer services. These transfers can be tracked easily by law enforcement agencies and regulators. Nowadays, cybercriminals have shifted to using cryptocurrency. 

A lack of regulatory supervision along with anonymous transactions, make it the ideal platform for money laundering. A Chainalysis report discovered that cybercriminals laundered $8.6 billion in cryptocurrency in 2021. It's a 30% increase since that year. 

Rise in money-laundering recruitment campaigns

Making recruitment campaigns for money mules takes a lot of time and resources. To hide their true purpose, threat actors will sometimes go to great extents and build genuine-looking websites for fake companies and also post fake job openings to make the business look authentic. 

But machine learning (ML) and automation will make the process much easier and quicker. ML can effectively target potential recruits in less time. We can also expect a few manual campaigns replaced with automatic services that will allow cybercriminals to launder money through layers of crypto exchanges- it's going to make the process fast and difficult to track. It also means that it will be hard to recover stolen money. 

Together, these tactics make 'money-laundering-as-a-service' (MLaaS), and it's going to be another weapon in the cybercrime inventory. 

Combatting new money-laundering challenge

While threat actors will look for any means possible to launch an attack and launder money easily, it doesn't mean that we have to accept the situation as it is. 

The biggest factor in fighting the MLaaS is going to include public-private collaboration on a massive scale. Companies across the globe can share threat intelligence with each other, helping to build a secure defense. 

Dark Reading says, "it must be reiterated that cyber hygiene and education must be prioritized as well. No matter the type of organization you're in or the role you're in, this is essential for everyone. Everyone can play a key role in helping keep organizations safe from bad actors. This includes things like more digital literacy — and how to recognize a too-good-to-be-true job ad for the scam it really is. And of course, there's the concept of fighting fire with fire — as bad actors adopt more automation and ML-based approaches, so, too, must defenders."




Ex Uber Employee Made 388 Fake Driver Profiles, Duped Company of Rs 1.17 Crore


Ex Employee dupes Uber of Rs 1.17 Crore

A former Uber employee has been charged for duping the company of Rs. 1.17 crore by making 388 fake driver profiles and putting them on the company's server. The money was then transferred to only 18 bank accounts linked with these fake profiles. The accused was working with the company till December 2021 as a contractor. Uber's authorized signatory lodged the complaint in April last year. The accused's job was to look over driver payments and update the information of the authorized drivers in the company's spreadsheet so that the money could be transferred to the respective accounts.

FIR registered

Uber during its inquiry, discovered that out of the 388 fake driver profiles, 191 profiles were made using the same IP addresses associated with the accused man's system. 

"To avoid inconveniencing driver partners, a spreadsheet is automatically uploaded regularly. A large number of transactions were processed by this automated spreadsheet and the accused was responsible for updating the details of the driver-partner accounts to be paid," Uber said in the complaint. The man created and made various fake driver partners’ accounts in the spreadsheet.

According to the police, the accused has been booked under sections 408 (criminal breach of trust by a servant), 420 (cheating), 477-A (falsification of accounts), and 120-B (criminal conspiracy) of the IPC. 

The Uber complaint further read "191 cases out of 388 cases matched with the IP addresses used by Viney Gera to log into his work computer on the same day as the creation of the accounts. In the above manner, a total amount of Rs 1,17,03,033 has been fraudulently paid to these fake driver partners into only 18 bank accounts."

PTI quotes Inspector Deepak Kumar, SHO, Sushant Lok Police Station said "we are investigating the matter and the accused will be arrested as soon as possible," PTI reports.  

Handling of driver partner payments

An Indian Express report explained how Uber handles driver payments when their accounts show a negative balance. A negative balance in an Uber driver's account means payment is overdue. This is removed when the driver pays the amount to the company. After this, a positive payment is credited to the partner's account, and the details of the transaction are updated in a spreadsheet. 

The data (company spreadsheet) is then "uploaded to an Uber Payment Tool through an automated python script." The upload adds a positive balance to the driver partner's account to remove arrears that allow the driver to drive again. 


Expansion of the LockBit Ransomware

 

To keep the masses notified about potential threats, the Cybereason Global Security Operations Center (GSOC) Team publishes Cybereason Threat Analysis Reports. The Threat Analysis Reports examine into such threats and offer suggestions for how to defend against them. 

LockBit, which was first identified in September 2019, uses the ransomware-as-a-service (RaaS) attack method and targets businesses. The ransomware operators are improving their techniques to disable Endpoint detection and response (EDR) tools and other security solutions. 

Variables of the Virus 

Using the infrastructure and tools already in place for ransomware, Lockbit RaaS enables affiliates to conduct their own attacks while splitting a portion of the money received.

The affiliates associated with the LockBit gang utilized their own malware and tools to exploit the targets in the first attack that the researchers were able to document, which happened in Q4 2021. The majority of the infections that the researchers examined involved threat actors infiltrating the target networks by taking advantage of a misconfigured service, particularly an RDP port that was left accessible to the public. 

The attacker started the reconnaissance work and credentials extraction after gaining the first foothold on the vulnerable network. In this instance, the attackers employed advanced network monitoring tools like Netscan and Mimikatz to find the network's structure and valuable assets. 

The researchers describe a second infection that happened in Q2 of 2022. The researchers described the attack's many phases, including the initial compromise, lateral actions, creating durability, upgrading of privileges, and the generation of the ransomware in its final stages. 

The attackers made use of net.exe to create domain accounts and grant themselves 'domain administrator' rights. They then exploited these accounts to propagate throughout the victim's network and maintain persistence. The researchers also discovered that the attackers were using Ngrok, a reliable reverse proxy tool that enables them to build a tunnel to servers protected by firewalls.

Additional PCs in the target network were also infected by the threat actors with the malware 'Neshta', a file infector that inserts malicious code into targeted executable files. 

Exfiltration of Records

The data was collected and exfiltrated when the LockBit affiliate secured persistent remote access and the necessary credentials. For this, the actors employed three different tools: 
  • Filezilla.exe is used to establish a connection to attacker-controlled remote FTP service. 
  • Data exfiltration using Rclone.exe to a cloud hosting provider associated with 'Mega'.
  • Data exfiltration tool Megasync.exe to a "Mega"-related cloud hosting provider .
The LockBit affiliate has now fulfilled all the steps required to run the LockBit payload and start encryption:
  • Through several hacked devices, persistence in the system.
  • Access to accounts with high privilege.
  • Gathered and leaked victim info.
  • List of the most valuable assets discovered through network scans .
Along with Mitre mapping, the experts also discussed signs of vulnerability. LockBit 3.0, which includes significant innovations like a bug bounty program, Zcash payment, and new extortion techniques, was just launched by the Lockbit ransomware operation. The group is now one of the most active ransomware gangs and has been active at least since 2019.

DeepDotWeb Operator Sentenced to Eight Years for Role in $8.4 million Kickback Scheme

 

An Israeli national was sentenced to 97 months in prison in connection with operating the DeepDotWeb (DDW), a website that connected internet users with darknet marketplaces.

From 2013, Prihar (37) and co-defendant Michael Phan (34), started operating DeepDotWeb and provided a platform for Dark Web news and links to marketplaces, redirecting visitors to their .onion addresses -- websites that are not available via standard search engines in the clear web.

The conviction of Tal Prihar, 37, was announced last week by the U.S. Department of Justice and U.S. Attorney Cindy K. Chung for the Western District of Pennsylvania for money laundering and was ordered to forfeit $8,414,173, ASUS laptop, iPhone, and accounts at various cryptocurrency exchanges such as Kraken, Binance and OKCoin. 

Prihar had pleaded guilty to conspiracy to commit money laundering in March 2021, almost two years after his arrest and the site's seizure, while Phan remains in Israel and is currently undergoing extradition proceedings.

For linking users with the illegal darknet marketplaces, Prihar received a total of 8,155 bitcoins from his affiliate marketing deals with marketplace operators. To conceal the sources of these payments, Prihar converted them to fiat currency and laundered it through other Bitcoin and bank accounts he controlled in the name of shell companies. 

"To conceal the nature and source of these illegal kickback payments, Prihar transferred the payments from his DDW bitcoin wallet to other bitcoin accounts and to bank accounts he controlled in the names of shell companies." explains the DoJ announcement. 

The investigation into DDW involved the FBI's Pittsburgh Field Office, French authorities, Europol, the IRS, German law enforcement, the Israeli National Police, and the UK's National Crime Agency (NCA), among other organizations. 

Additionally, the DoJ also announced the sentencing of an associate of the Dark Overlord hacking group for his role in possessing and selling more than 1,700 stolen identities, including social security numbers, on the dark web marketplace AlphaBay. 

Slava Dmitriev, a 29-year-old Canadian citizen who was arrested in Greece in September 2020 and extradited to the U.S. in January 2021, was sentenced to a jail term of three years after he pleaded guilty in August 2021 to fraud charges.

French Authorities Have Detained a Suspect in Case of Money Laundering of €19 Million

 

This week, French authorities apprehended a suspect under suspicion of laundering more than €19 million ($21.4 million) in ransomware extortion payouts. 

Law enforcement agencies have not revealed the accused's name, which has only been recognized as a person from the Vaucluse area in southeast France, and neither the title of the ransomware organization with which he worked. 

The detention this week follows as law enforcement agencies throughout the world have started to collaborate and crackdown on ransomware activities following years of recurrent attacks, most of which have disrupted government agencies and private sector organizations on many occasions. 

This year has seen several crackdowns targeting ransomware gangs, including: 

  • February – The arrest of Egregor/Maze members in Ukraine. 

According to French radio station France Inter, participants of the Egregor ransomware cartel were apprehended in Ukraine. The existence of a law enforcement activity was already verified by sources in the threat intelligence community. The Egregor gang, reportedly began operations in September 2020, follows a Ransomware-as-a-Service (RaaS) strategy. They rent ransomware strain access, but they depend on some other cybercrime gangs to organize attacks into corporate networks and distribute the file-encrypting ransomware. 

  • March – The arrest of a GandCrab affiliate in South Korea. 

The arrest of a 20-year-old accused on allegations of spreading and infecting victims with the GandCrab ransomware was announced by South Korean national police. The accused, whose identity has not been revealed, was a client of the GandCrab Ransomware-as-a-Service (RaaS) cybercrime organization. Police described the suspect as an associate — or a distributor — who operated by obtaining copies of the GandCrab ransomware and spreading them via email to victims around South Korea. 

  • June – The arrest of a group of Ukrainian money launderers who worked with the Clop gang.

Representatives of the Clop ransomware gang, who were apprehended in Ukraine as part of an international law enforcement operation, also provided money-laundering facilities to other cybercrime organizations. The group was involved in both cyber-attacks and "a high-risk exchanger" that laundered funds for the Clop ransomware gang and other criminal groups, according to cryptocurrency exchange portal Binance. 

  • September – Sanctions against Suex, a Russian crypto-exchange used to process ransomware 

Suex, a cryptocurrency exchange incorporated in the Czech Republic but managed by Russia, was sanctioned by the US Treasury. According to a blockchain analysis company, Suex has assisted ransomware and other cybercrime organizations in laundering more than $160 million in stolen assets. Suex has aided in the processing of ransom payments to gangs like Conti, Ryuk, and Maze.

  • October – The arrest of 12 suspects behind the LockerGoga ransomware. 

According to Europol, twelve members of a ransomware cell were apprehended in Ukraine and Switzerland. The accused are suspected of orchestrating the ransomware attack that damaged Norsk Hydro in 2019, the organization was linked to 1,800 ransomware assaults in 71 countries.

  • November – The arrest of a REvil affiliate in Ukraine for the Kaseya attack. 

The US Department of Justice charged a 22-year-old Ukrainian national with coordinating the ransomware assaults against Kaseya servers on July 4th of this year.

  • December – The arrest of a Canadian citizen for the attack against an Alaskan healthcare provider. 

Since 2018, Canadian authorities had jailed an Ottawa resident on suspicion of organizing ransomware attacks on commercial companies and government agencies in Canada and the United States.

Interpol Collaborated International Operation- 'HAEICHI-II'

 

The International Criminal Police Organization commonly known as the Interpol has run a collaborated international operation, ‘HAECHI-II’ that led to the arrest of 1,003 criminals while intercepting a total of nearly USD 27 million of illicit funds, which were found to be linked to various cyber-crimes such as investment frauds, romance scams, online money laundering, and illegal online gambling. The organization has published more than 50 notices relating to Operation HAECHI-II and discovered 10 new fraudulent schemes. 

The operation that ran for over four months from June to September 2021  according to the sources  collaborated between specialized police forces coming from 20 countries including the Hong Kong police unit, Angola, Brunei, Cambodia, Colombia, China, India, Indonesia, Ireland, Japan, Korea (Rep. of), Laos, Malaysia, Maldives, Philippines, Romania, Singapore, Slovenia, Spain, Thailand, Vietnam, and Macao. 

During the operation, Interpol researchers used a new global stop-payment mechanism named as Anti-Money Laundering Rapid Response Protocol (ARRP), which allows researchers to intercept and recover illicit funds. 

The officers blocked 2,350 individuals’ bank accounts that were linked to the illicit proceeds of online financial crime and intercepted over 27 million dollars.

“The results of Operation HAECHI-II show that the surge in online financial crime generated by the COVID-19 pandemic shows no signs of waning,” said INTERPOL Secretary General Jürgen Stock.

“It also underlines the essential and unique role played by INTERPOL in assisting member countries combat a crime which is borderless by nature. “Only through this level of global cooperation and coordination can national law enforcement effectively tackles what is a parallel cybercrime pandemic,” added Secretary General Stock.

HAECHI-II is the second operation in a three-year effort to take down certain types of financially motivated cybercrimes, such as illegal online gambling and romance scams. 

Headquartered in Lyon, France — Interpol is popularly known for its work and operations relating to the prevention and suppression of crimes. The organization provides worldwide police cooperation and crime control, it is the world's largest international police organization, with seven regional bureaus worldwide and a National Central Bureau in all 195 member states.

Cyber Criminals Using a New Darknet Tool to Escape Detection

 

There has been an ongoing war between criminals and authorities in cyberspace for years. Although cryptocurrencies are anonymous in nature, new techniques for tracking funds around the cryptocurrency blockchain have led to the arrest of dozens of cyber-criminals in the previous two years. 

But recently a new website has surfaced on the darknet that allows criminals to assess how "clean" their digital currencies are. 

Dr. Tom Robinson, chief scientist and founder at analysis provider Elliptic, who discovered the website explained, "We're seeing criminals start to fight back against blockchain analytics and this service is a first." 

"It's called Antinalysis and criminals are now able to check their own Bitcoin wallets and see whether any association with criminal activity could be flagged by authorities." 

According to Elliptic, the finding demonstrates how complex cybercrime networks are becoming and how concerned criminals are about being detected. 

"It's a very valuable technique. If your funds are tainted, you can then do more laundering and try to remove that association with a criminal activity until you have clean coins," he said. 

According to Dr. Robinson, this new trend is concerning that could make their work and law enforcement difficult. However, as per the researchers who examined it, the service isn't functioning very well right now. 

"It actually wasn't very good at identifying links to criminal sites. However, it will inevitably improve over time. So I think this is going to be a significant capability for criminals and money launderers in the future." 

Authorities all across the world, including China, the United Arab Emirates, and the United Kingdom, are attempting to address the rising problem of money laundering using cryptocurrencies. Cryptocurrency monitoring has resulted in several high-profile arrests, such as US teenager Graham Ivan Clark, who is presently in prison for plotting one of the largest-ever social media hacks. 

Last year, on July 15, Clark hacked into the accounts of dozens of celebrities, including Kim Kardashian, Elon Musk, Bill Gates, and Joe Biden, on Twitter.

"Everyone is asking me to give back," Mr. Gates stated in a tweet purportedly sent from his account. "You send $1,000, and I send you $2,000 back." After that, Clark and his hacking team tweeted an ad for a cryptocurrency fraud, which resulted in hundreds of transfers from people wanting to profit from the fraudulent giveaway. 

Clark gained more than $100,000 (£72,000) in only a few hours and began the process of transferring the money around to cover his tracks. He is now 18 years old, pleaded guilty, and is currently serving a three-year sentence in a Florida jail. 

The growing usage of so-called privacy coins is another trend that authorities are concerned about. Cryptocurrencies like Monero, for example, provide more secrecy than popular coins like Bitcoin. 

Hackers are now urging victims to pay with these currencies in return for a discount in some extortion incidents. This is a trend that is yet to completely take off, and Kim Grauer, director of research at bitcoin monitoring firm Chainalysis, believes that this technique offers disadvantages for criminals. 

"Privacy coins haven't been adopted to the extent that one may expect. The primary reason is they aren't as liquid as Bitcoin and other cryptocurrencies. Cryptocurrency is only useful if you can buy and sell goods and services or cash out into mainstream money, and that is much more difficult with privacy coins."

Uttarakhand, India Special Task Force Exposed a China Based Money Laundering Racket

 

The Police of Uttarakhand, India claimed that the web racket has duped naïve investors with at least 250cr Rs by guaranteeing to almost double their money in just 15 days but rather by turning it out in the cryptocurrency. 

Pawan Kumar Pandey was detained on a Monday night from Gautam Buddh Nagar, Noida a district in Uttar Pradesh, who is accused of running a ghost corporation to transfer his defrauded money to his alleged "handler in China." He has been caught with his 19 laptops, 592 SIM, 5 mobile phones, 4 ATM cards, and a passport. 

Uttarakhand police chief (DGP) Ashok Kumar said that after two Haridwar locals, Rohit Kumar and Rahul Kumar Goyal had complained about this scam the racket was scrutinized. 

“A week ago, they claimed that one of their friends told them about a mobile app on Google Play Store named Power Bank, which doubled returns on investment within 15 days. Believing him, they downloaded the app and deposited ₹91,200 and ₹73000,” said Kumar. 

However, after one month of making the deposit, when they didn't receive any returns, they realized that they were tricked, he added. 

The special task force launched a test to find out that the relevant mobile app was available on the Google Play Store from February 2021 to May 12, 2021, during which a minimum of 50 lakh individuals installed the application. Police also established that the money deposited through the app was moved to the detained person's bank accounts via payment gates. 

He said the money was subsequently converted into cryptocurrencies. The application was connected to China during the cyber forensic examination, where Pandey's operators reside. They used to cash the cryptocurrencies into their local currencies to complete the money laundering chain, that began with the Indians being duped by the app. 

“In this case too, they partnered with Pandey and used his identity documents to register a shadow company with the Registrar of Companies (RoC) and to open two bank accounts, where the money siphoned off from the victims was deposited. They opened a shadow company in Noida named Purple Hui Zing Zihao. Pandey was registered as the company’s owner and the firm was shown as the developer of the fraudulent app,” said Bharne, Uttarakhand’s deputy inspector general (law & order). 

Pandey added that though he earned commissions from the Chinese accused, the bank accounts and the business was handled remotely. He had received a salary payment of 1.50 lakh from the Chinese. He also told cops that his operators are using the same modus operandi, as there are many other identical apps. Initially, however, the accused doubled certain investments to win the confidence of future investors. 

“We have taken at least 20 such shadow companies under our radar for suspected fraudulent activities like the above-mentioned one. We have received 20 other similar complaints from people in the state and they [the complaints] are under probe,” the senior police officer said.

Creator of McAfee Antivirus Software Charged For Conspiracy?

 

Creator of McAfee antivirus software, Businessman John McAfee is charged under a conspiracy to commit fraud and money laundering in the U.S. McAfee and his bodyguard Jimmy Gale Watson Jr are found guilty of advertising cryptocurrencies on Mr. McAfee's huge Twitter follower base to inflate prices. As per prosecutors, these currencies were then sold, earning a total of $2m (€1.45 M). The accused have not issued any response to the charges made.  Currently, McAfee (age 75) is under detention in Spain due to separate charges relating to tax fraud, that he is denying. 

The fresh charges were filed in the Manhattan Federal Court, New York. He is facing potential extradition to the U.S, whereas Watson was captured earlier this week. According to BBC, "in 2012, he made headlines after police in the Central American country of Belize investigated the death of one Mr. McAfee's neighbors and named him as a 'person of interest'. Mr. McAfee left the country saying he feared for his own safety. Officials ultimately said he was not a suspect." McAfee and his bodyguard are accused of buying promoting the cryptocurrency assets on Twitter, where Mr. McAfee has millions of followers. 

As per the US justice department and the Commodity Futures Trading Commission, the plan was to sell these assets the moment the asset's price rose. The pair is said to make $11M (€8m) from the cryptocurrency startup payments via promoting the assets on Twitter, while the investors who bought them were unaware of the payments. As per the federal prosecutor, this equals exploiting a widely used social media platform (in this case Twitter) and the enthusiasm of investors in the growing cryptocurrency sector to profit millions via deceit and lies. In the former case which was disclosed the previous year. 

Mr. McAfee was charged for not filing tax returns from 2014-2018. He is also accused of using different people's names to hide his assets which include a yacht and property. "The entrepreneur, who was born in the UK, also launched unsuccessful bids to become the Libertarian Party's candidate for the US presidential elections in 2016 and 2020. Mr. McAfee has previously expressed his disdain for taxes, tweeting in 2019 that he had not filed tax returns for years because "taxation is illegal", reports BBC.  

3 Unique Procedures to Counter Money Laundering in India

 

The main weapon used by money launders to launder cash is bitcoin and other cryptocurrencies alternatives. India’s cryptocurrency exchanges deployed their own KYC regulations and anti-money laundering protocols for users.

Nishal Shetty, CEO of India’s largest cryptocurrency exchange WazirX said we follow all the necessary protocols such as asking users for ID and address proof like Aadhar and PAN Card. Our platform also emphasizes that money must come from the concerned customers' bank account and not from the third party bank account.

Cryptocurrency exchanges use various procedures to conduct KYC, one such method is penny drop. Penny drop method helps in verifying the user’s personal information and bank details, for example, a token of 10 rupees is transferred to the user’s account to confirm bank account details. This method confirms the account holder’s name as registered with the bank, to the transferor.

Neeraj Khandelwal, co-founder of CoinDCX stated that “for corporate clients who are given higher trading limits, more documents like articles of association, board resolutions authorizing crypto investment, etc. are needed”.

Chainlink is one of the most familiar software among cryptocurrency exchanges which helps in identifying rogue addresses. Khandelwal further stated “we use a globally renowned crypto AML tool to check for blacklisted crypto addresses. If a legitimate user has got crypto from such an address, maybe through peer-to-peer and he or she wants to transact on our exchange, we ask for additional KYC such as source of funds and profession”.

Bitcoins and other cryptos are not held in bank or demat accounts contrary to other financial assets such as stocks, bonds, and FDs. The cold wallet is the method that can be used for holding on to the bitcoins and other cryptos, it is the hardware device or even paper that is not linked to the internet. Therefore, cold wallets cannot be easily seized by law enforcement authorities.

In 2020, cybercriminals started laundering four times more money

According to the Kaspersky Fraud Prevention report, in 2020, attackers most often tried to make unauthorized money transfers by using a compromised account (in 36% of cases) or by infecting the device with malware (31%).

In 2019, malware attacks were the absolute leader, 63% of the total number was recorded. The share of incidents related to money laundering increased fourfold this year and amounted to 12%.

Hackers use complex and multi-stage money laundering schemes: they change accounts, companies, presentation, currency, and jurisdiction many times. In this regard, financial organizations need to build a cybersecurity system in such a way as to minimize the possibility of hacking, as well as to promptly monitor any illegitimate actions.

In e-commerce, the most common form of fraud is the abuse of welcome bonuses in loyalty programs. The scheme is quite simple: attackers massively register accounts in the marketplace, receive welcome bonus points, and buy products with a discount under the bonus program. For example, in one case, a fraudster bought diapers and candy and then sold the purchased goods at a profit on popular trading platforms. In the future, the created accounts were not used, their average life was 1-2 days.

"As before, one of the most common methods of fraud is the use of applications with remote access tools. Also, the attackers have mastered the scheme of spoofing numbers for incoming calls. Bank customers, unfortunately, are often deceived, because they are used to the fact that a real call from a financial institution can be made from different numbers. The Kaspersky Fraud Prevention platform, aimed specifically at banks and other financial institutions, allows tracking the activity of hackers by analyzing a variety of parameters, including user behavior, device parameters, and the presence of malicious or dangerous programs," said Ekaterina Danilova, Business Development Manager at Kaspersky Fraud Prevention.