3. Stealing Money Isn’t Enough
• You have to be able to use it too
• Cyber criminals can take steps to be less public
• E.g. Diffuse services, less commercial criminal software offerings
• But all cyber criminals must at some point convert their criminal
gains into money that they can use, i.e. money that is integrated with the
global financial system
• Money laundering a particular concern for cyber criminals because it
ties into larger anti-crime, anti-terrorism and political efforts
• Receives more official and private sector resources than purely anti-cyber crime efforts
• Laws and cooperation mechanisms older, more established, simpler
and less time sensitive than anti-cyber crime efforts
• Private and public sectors older, more established, than anti-cyber crime
• Transactions can be traced
• Assuming that officials are sufficiently motivated
• People talk
5. Electronic Currencies
• Popular choice for a reason
• Some have a history of offering clients anonymity
• Or at least not asking too hard for true proof of identity
• Third-party and personal exchanges also help provide anonymity
• Quick, online, (mostly) separate from the formal financial system
• Relatively easy to establish
• Limited truly reliable and secure options
• Vulnerable to betrayals, LEO, internal failures
6. Liberty Reserve
• Leader until takedown
• US DOJ: A money laundering case, not a cyber crime case
• High profile customers, including 45 million USD Unlimited Operations ATM scammers
• More than 6 billion USD laundered through 55 million transactions
• 25 million USD and 45 bank accounts seized
• More effectively frozen - customers able to appeal for access to their accounts – not too many forthcoming
• Costa Rican base not sufficient legal protection
• Leader Arthur Budovsky arrested in Spain, others arrested in US and Costa Rica
• US DOJ could pursue the case
• 200,000 US users
• Presence of Liberty Reserve members Vladimir Katz (co-founder) and Mark Marmilev (helped design technical infrastructure) in the United States
• Presence of infrastructure in US
• Transfer of funds through US financial institutions
• Iran has this problem too
• International anti-money laundering cooperation relatively straightforward
• 45+ domestic and foreign searches & seizures, 36 MLAT requests in 15 countries
• LEO Cooperation in: US, Costa Rica, Russia, China, Latvia, Cyprus, Hong Kong, Norway, Sweden, Australia, Cyprus, Latvia, Switzerland, Luxembourg, Morocco, Spain, Netherlands, United Kingdom, Norway, Canada, US, Costa Rica
7. Alternatives to Liberty Reserve
• Perfect Money
• Increase in use following LR takedown
• In business since at least 2007
• Claimed to be in Panama
• January 2013: Panamanian government stated that Perfect Money has no offices or licenses in the country
• Now provides a Hong Kong address
• Shared by many other businesses
• But… Security press anointed Perfect Money as the Successor to Liberty Reserve
• Also successor to legal attention?
• Announced that US citizens could not participate following LR takedown
• Difficult to police, infrastructure even harder
• Turned away some visibly criminal customers
8. Further Electronic Currency Options
• WebMoney
• Founded in 1998, previously the front runner
• Claims 14 million users
• Strong global footprint, expanding
• Began in CIS, Latin America and Pacific Asia (not to USA)
• Traditionally popular among cyber criminals
• Use by legitimate small and medium sized businesses protected
WMZ from regulation efforts
• Now large legitimate presence encourages law enforcement
cooperation, especially in Russia
• May still be possible to “fly under the radar”
• Other electronic options of varying trustworthiness
• Payza/AlertPay, EgoPay, LiqPay, Paxum, PayWeb, SolidTrustPay, ePayments, Yandex.Dengi, RedPass, etc.
9. BitCoin: An Acceptable Option?
• Volatile – speculation an issue
• Mining losing utility
• Handy for cyber criminals who can use botnets (like ZeroAccess)
• As the rate of block generation (unencrypting a BitCoin) increases, difficulty rises – reaching maximum total utility
• BitCoin seems attractive because it is “anonymous”
• But is BitCoin Anonymous?
• Not big enough to hide truly large transactions
• Transactions can be tracked in each BitCoin
• Multiple BitCoin transaction chains combined and transformed into international currency through exchanges
• Exchanges can and will cooperate with authorities – US ahead of the BitCoin game
• Mt. Gox account at Wells Fargo seized over paperwork, DHS prohibits Dwolla from exchanging BitCoins (total five million USD accounts)
• IRS subpoenaed 24 exchanges. GAO report on money laundering risks, US Treasury unit Financial Crimes Enforcement Network (FinCEN) has BitCoin rules, IRS to follow
• LEO (especially the FBI) more aggressive about anonymity in general, e.g. Tor CP arrests and Silk Road closure (which included the seizure of 3.6 million USD in BitCoins)
• Other crypto currencies insufficiently popular, e.g. Litecoin, Namecoin, PPCoin, even Ripple
• May be scams themselves
10. Credit Cards
• Cash onto Credit Cards: Possible
• Prepaid debit and credit cards are available
• Some limitations
• Depend on the exchanges
• Limited totals
• Daily Withdrawal Limit – 1000 USD
• Maximum Daily Balance – 10K USD
• Total Loading Limit/Month – 20K USD
• Cash from Credit Cards: More difficult (but still possible)
• Credit card companies and acquiring banks increasingly picky
• Will cut off processors if caught violating TOS
• Copyright particularly valuable tool – instant TOS violation
• Copyrighted software sales, pharma particularly affected
• Small shift to prepaid payment cards for accepting fraudulent payments
a la rogue AV and ransomware
• E.g. Green Dot MoneyPak, can be purchased at major retailers such as
Wal-Mart, CVS, Walgreens, Kmart, etc.
11. Credit Cards (and other Money Mule Options)
• Prepaid credit cards and certificates also a growing alternative to
money mules
• Not just in accepting payments, also in sending money or goods for
resale
• Western Union et al. are watching
• Human mules problematic
• Difficult to recruit enough – constant efforts required (or high payments to
services who must engage in constant efforts)
• Relatively easy to identify, arrest (especially if they must appear in person or
accept delivery at their actual address)
• Some mules will rob the thieves
• Brian Krebs: “mules are dumb,” make mistakes
• Big mules = big attention, e.g. General Valeriu Gaichuk in Romania
• Old methods still in use though
• Can still use CCs to purchase goods, ship them near home country (in the case of Eastern Europe, sometimes via a EU country such as Poland near the Ukrainian border), sell them for cash
• Can still use human mules for that matter
12. So… Is There Any Hope of Getting Away With It?
13. Keeping Dishonest Money
• Money laundering already was an LEO priority, and cyber crime is a
growing one
• Each LEO success increases capacity for and interest in the next
• The dominance of the United States in the international financial
system helps make it a dominant, and potentially
unavoidable, player in anti money-laundering efforts
• Avoiding US victims and customers is not enough to avoid US attention
• So, really, what is a cyber criminal to do?
• Stay under the radar, it’s still a numbers game
• LEOs are better able to target money laundering than cyber crime, but are
still constrained by capacity issues and the need to prioritize
• So many “we gave it to LE” stories
• The noticeable and stationary get targeted – just ask LR, Mt. Gox, Silk
Road, Gozi, Citadel, Carberp, etcetera
• The more automation, the better
• Risk still higher
Ten days ago British police announced the April arrest of a 16-year-old boy in connection with the large DDoS attack targeting Spamhaus and its hosting provider CloudFlare. The police’s statement seemed to say that the boy first attracted law enforcement attention due to the “significant amount of money flowing through his bank account”. Although the 16-year-old in question appears to have been particularly reckless, his situation highlights one confronting all financially-motivated cyber criminals – the need to connect to the legitimate financial world at some point.
http://www.standard.co.uk/news/crime/london-schoolboy-secretly-arrested-over-worlds-biggest-cyber-attack-8840766.html
Botnet update example
Note: Arthur Budovsky was of Ukrainian extraction, was a US citizen, on probation since 2007 for running an electronic currency connected to e-gold, renounced US citizenship to take Costa Rican citizenship (thought that being in Costa Rica would protect him)
http://www.justice.gov/usao/nye/pr/2013/2013may09.html
MLAT = Mutual legal assistance treaty
Author is anonymous. Created by “Satoshi Nakamoto” in 2009. Real author may be Michael Clear from Trinity University in Ireland, may be Neal King, and Charles Bry in Germany and/or Vladimir Oksman in NY, or someone else entirely
http://www.gwern.net/docs/2011-davis
http://www.fastcompany.com/1785445/bitcoin-crypto-currency-mystery-reopened
Symantec took down about 500,000 bots out of the 1.9 million strong ZeroAccess botnet
http://www.gao.gov/assets/660/654620.pdf
exchanges including Coinbase, BitInstant and Coinsetter
http://cryptome.org/2012/05/fbi-bitcoin.pdf
Romanian authorities, working with the FBI and Italian special forces, were tipped off by banks in Italy, which denied a request allegedly by the accused to transfer $400,000 from a victim company there to a fictitious firm. According to documents released by prosecutors, the men were caught red handed on Dec. 9 trying to withdraw nearly $1 million stolen from the American company. A U.S. law enforcement investigator familiar with the case who spoke on condition of anonymity said keystroke logging Trojans were used to steal the online banking credentials of the victim organizations, and that the case is connected to at least one other cyber fraud investigation that is still pending. The judge overseeing the case approved the prosecutor’s request to have the men detained for at least 29 days pending further investigation, saying that authorities have information that the defendants belong to a much larger organized criminal group.