Report reveals how criminals launder money after a cyber heist

A new report explores how cyber criminals, who steal from banks, can cash out and launder the money so that it cannot be traced.

The report, commissioned by SWIFT, was compiled by BAE Systems Applied Intelligence.

Although there has been much research into the methods that cyber criminals use to conduct attacks, there has been less analysis of what happens to funds once they have been stolen, SWIFT said in a press release. The organisation provides the network used by banks and financial institutions globally to send and receive information such as money-transfer instructions.

SWIFT said ‘Follow The Money’ highlights money-laundering tactics to support the efforts by banks to prevent, detect and respond to cyber attacks.

Traditionally money laundering is described in three stages: placement, layering and integration.

First, criminally-acquired funds are introduced into the financial system. Then, the illicit funds are moved through a series of transactions to disguise their origin and ownership. And finally, the laundered funds are re-introduced into the legitimate economy.

Money mules

To make this work in large-scale cybercrime, criminals have to carry out preparatory work even before the actual crime is committed. In order to avoid suspicion, they must set up fraudulent accounts often several months before the attack. Or, in the case of ATM-related heists, the attackers need to recruit and train ‘money mules’ to take the stolen money out of cash machines.

Although banks and financial institutions are not easy targets, the report said, attackers continue to develop their techniques. In recent years, attacks have moved from targeting high-value payment systems to ATM networks.

The report finds that money mules play a key role in the laundering of funds, by serving as intermediaries between the crime and the transfer of illicit money to the criminals.

Accounts used for money-muling can be created by people complicit in the criminal activity or they may belong to unsuspecting individuals tricked into allowing their account to be used for criminal purposes.

In some cases, money mules use fake identities to open accounts, but organised crime groups will also use insiders at financial institutions to evade or undermine the scrutiny of compliance teams carrying out know-your-customer (KYC) and due diligence checks on new account openings.

The effectiveness of a financial institution’s KYC and screening processes are important factors – and is likely why certain institutions in certain jurisdictions are targeted for illicit activity, the report said.

Although mules are often caught, the prospect of easy money is alluring. The recruitment ads that target jobseekers to serve as money mules have also become more sophisticated, complete with references to the organisation’s diversity and inclusion commitments.

While the number of money mules involved in placement activities for a large-scale cyber heist typically involves around 10 individuals, there are exceptions, the report said. For example, an attack against one bank which is considered to be linked to the North Korean Lazarus Group involved 12,000 ATM withdrawals within two hours across 28 countries.

Front companies

‘Front companies’ are another tool used by cyber criminals, who tend to focus on textile, garment, fishery and seafood businesses to obfuscate funds.

Front companies often lack significant assets and have no active business operations. But they can at times have a legitimate purpose. Assigning fake projects and companies to fraudulent accounts provide credibility and explain why, at some point, they will receive large money transfers.

The report found that criminals find it easier to operate in parts of East Asia where less-stringent regulations make it easier to conduct their activities.

The stolen funds are then converted into assets such as bulk commodities, luxury goods and electronic items, as well as equipment, which are likely to hold their value and less prone to attract the attention of law enforcement. The sale and resale of these assets often across borders provides additional layers between the crime and the ultimate beneficiaries.


While there is much focus on money laundering in connection with cryptocurrencies, the use of crypto following a cyber heist remains comparatively rare. However, in one major case, a significant cybercrime group is believed to have converted stolen funds obtained from ATM cashouts into cryptocurrency.

In this case, a crime group mined bitcoin in order to launder the stolen funds and authorities uncovered 15,000 bitcoins valued at US$109 million.

In contrast, the activity from cyber criminals and gangs across the world is estimated to cause more than $1.5 trillion in annual losses.

Brett Lancaster, head of the Customer Security Programme at SWIFT, said the report highlights how the growth in cyber attacks is increasing the need for the convergence of anti-money laundering, fraud and cybersecurity processes in financial institutions. He said, “It calls for them to increase information sharing, tighten due diligence requirements and smartly invest in maintaining systems to strengthen their defences.

Leave a Reply

Your email address will not be published. Required fields are marked *