September 23, 2020

The activities of cyber-criminals, whether working individually, as part of a small gang, as organised crime groups, or even for a nation state, have resulted in annual total cyber-crime revenue estimated at USD1.5 trillion. Banks remain a prime target for cyber-criminals because they are critical infrastructure that can facilitate direct access to cash/funds.

SWIFT recently published a report describing the money laundering relevant to large-scale cyber heists against banks’ high-value payment systems and ATM related systems, including back office payment systems. Such cyber attacks involve being able to manipulate or subvert the correct operation of high-value payment systems or management systems controlling a number of ATMs.


Setting up accounts to be used in a cyber-heist is a key step as these accounts will be the destination of the funds after they have been stolen. The establishment of these fraudulent accounts, by whichever method, might be facilitated by weak or ineffective policies and controls linked to the customer due diligence processes and also by lack of training of front-line staff. In order to avoid suspicion, fraudulent accounts might be set up several months before the heist, and so are empty and unused.

The effectiveness of a financial institution’s KYC and screening processes are important factors – and is likely why certain institutions in certain jurisdictions are targeted for illicit activity. Institutions with a reputation for weak AML controls will be prime targets for professional criminal organisations.

A common denominator that underpins cyber-crime is the essential function of the money-mule. Accounts used for money-muling may be created by those complicit in the criminal activity or may belong to unsuspecting individuals tricked into allowing their account to be used for criminal purposes. The number of money-mules involved in placement activities for a large-scale cyber-heist varies but has often been seen to involve around 10 individuals. However, there are exceptions to this. For example, an attack against one bank which is considered to be linked to the Lazarus Group involved 12,000 ATM withdrawals being performed in approximately a two-hour timeframe across 28 countries, pointing to a large and organised group of money-mules being involved.


Monies withdrawn from ATMs in cyber-crime are often immediately exchanged into US Dollars at money exchanges. This step in the process suggests complicity by employees at money exchanges to support a money laundering process or it could indicate negligence. However, in some instances, especially after cyber-heists relating to nation state actors like the Lazarus Group, it might be the case that the fate of these stolen funds is to be channelled via other layering techniques in order to further hide the path of the stolen funds.
Setting up of front companies is a method used to circumvent the adverse impact of imposed sanctions and to enable covert access to the global financial system. Lax regulations and conditions that govern company registration and reporting requirements in East Asia make especially this region an attractive place to do business, as well as vulnerable to being abused.


Some ‘rookie’ cyber-attack groups still make many extravagant purchases which draw the attention of law enforcement agencies and often leads to the arrest of the cyber-criminals. The methods chosen to cash-out the proceeds of a more sophisticated cyber-heist illustrate greater experience and a strategic approach driven by wanting to maintain a low profile. Property and jewellery are investments that are likely to hold their value and potentially less likely to attract the attention of law enforcement.
Cyber-criminals might also seek to integrate the proceeds of a cyber-heist by reinvesting in crime, especially in the illegal drugs market. Over a third of organised crime groups in Europe, including cyber-criminals, are directly involved in the production or trafficking of illegal drugs.

Identified cases of laundering through cryptocurrencies remain relatively small compared to the volumes of cash laundered through traditional methods. However, the raft of alternative cryptocurrencies that offer greater anonymity, as well as services like mixers and tumblers that help obscure the source of funds by blending potentially identifiable cryptocurrency funds with large amounts of other funds, could however boost the appeal of cryptocurrency for illegal purposes.

The concern for the financial system is that these digital transactions are conducted in a peer-to-peer manner that circumvents the checks and processes by banks, and often require only an e-mail address to make the purchase.

Information sharing

A central initiative in empowering banks to be better able to detect illicit activity refers to them having more visibility of a greater pool of data. This is not only with regards to enhancing public-private sharing initiatives that foster better timely exchanges between financial institutions and law enforcement agencies, but also between financial institutions.

Without amendments to legal and regulatory frameworks to enable banks to embrace advances in technology and data science to facilitate the safe sharing of AML information, identifying illicit behaviour will remain in their blind-spot until it’s too late. One approach that has been investigated by several banks is the use of Privacy Enhancing Technology, including homomorphic encryption, as a method of allowing queries to be run by one organisation on encrypted or open data sets held by other organisations in a privacy enhancing manner to protect the nature of the queries being made.

A pervasive issue across financial institutions is a reliance on legacy systems and processes. Often they have been spliced together through mergers, leaving them vulnerable to cyber-threat actors. Financial institutions will continue to be vulnerable if they fail to identify and remediate network and application vulnerabilities before criminals have a chance to exploit them.

Crime groups will continue to collaborate throughout the money laundering lifecycle, leveraging the global criminal skillsets available and the willingness of many people to be tempted by the lure of an apparent quick and easy payday. Particular focus therefore should apply to the money-muling activities and also to the use of front companies. Collaboration will be key in these areas, both inter-organisational, within jurisdictions and internationally. In addition, awareness of new money laundering techniques, such as those involving cryptocurrency, will be key to staying ahead of the challenge of reducing the opportunities for threat groups to benefit from committing high-value cyber-crime.