How cybercriminals launder money stolen from banks

For some cybercriminal groups, attacks on banks and other financial institutions are like an assembly line. Many people know tracing stolen funds is usually impossible, but not everyone knows why. A joint report by BAE Systems and researchers from the payment system SWIFT details how cybercriminals launder stolen money.

Money source and destination

There are two bank attack scenarios: against infrastructure and accounts, or against ATMs and related systems. The various schemes for extracting and then laundering money all differ slightly, but the essence and goal are the same: to put criminally derived funds back into the legitimate financial system.

Traditionally, the money laundering process consists of three stages:

Placement: the first transfer from a victim’s account to fraudsters’ accounts, or a deposit of stolen cash;

Layering: a series of transactions designed to conceal the origin of the funds and their real owner;

Integration: investment of the now-laundered money in legal or criminal business.

The final stage, reintegration of the laundered funds back into the economy, could fill a separate post, so we shall not consider it in detail here. However, a successful attack requires careful planning beginning long before the funds are stolen and the legalization mechanisms are in place. That’s an additional stage: preparation.


To enable the fast movement of stolen funds, cybercriminals usually set up many accounts owned by individuals or legal entities. They can belong to unsuspecting victims hacked by intruders, people duped into taking part in the fraudulent operation, or volunteers.

The latter are commonly known, unflatteringly, as mules. Some employ mules to open accounts using fake or stolen documents (a complex task requiring a bank insider). Recruiting agencies may hook up the parties with job description wording such as “facilitating the investment of funds” or something equally vague. In many cases, mules know full well what they’re doing is less than legal but are blinded by the payout. But often, the “accomplices” end up getting deceived as well.


Once the cybercriminals have transferred stolen money to an account (using malware, social engineering, or an insider), the mules come into play:

  • They may move funds to other accounts to throw potential trackers off the scent;
  • They may order goods to their own or another address;
  • They may withdraw money from ATMs.
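From the monitoring side, the mule behavior listed above shows up as an account that receives a credit and moves almost all of it out again shortly afterwards. The following is an added example, not code from the report or from any product mentioned on this page; the ledger rows are constructed, and the record layout, the 24-hour window, the 90% ratio and the minimum amount are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample ledger: (timestamp, account, direction, amount)
LEDGER = [
    ("2024-03-01T09:00", "ACC-A", "in", 9800.00),
    ("2024-03-01T09:40", "ACC-A", "out", 4900.00),   # transfer onward
    ("2024-03-01T10:05", "ACC-A", "out", 4700.00),   # ATM withdrawal
    ("2024-03-01T08:00", "ACC-B", "in", 3000.00),
    ("2024-03-09T12:00", "ACC-B", "out", 400.00),    # ordinary spending, days later
    ("2024-03-02T14:00", "ACC-C", "in", 5000.00),
    ("2024-03-02T15:00", "ACC-C", "out", 1000.00),   # only a fifth leaves quickly
]


def find_pass_through(ledger, window=timedelta(hours=24),
                      min_ratio=0.9, min_amount=1000.0):
    """Flag credits that were mostly moved out again within `window`.

    Returns {account: [(credit_time, credit_amount, forwarded_ratio), ...]}.
    Thresholds are illustrative assumptions, not tuned values.
    """
    by_account = {}
    for ts, acct, direction, amount in ledger:
        by_account.setdefault(acct, []).append(
            (datetime.fromisoformat(ts), direction, amount))

    alerts = {}
    for acct, rows in by_account.items():
        rows.sort(key=lambda r: r[0])
        for when, direction, amount in rows:
            if direction != "in" or amount < min_amount:
                continue
            # Sum every outflow (transfer, purchase, withdrawal) in the window.
            moved_out = sum(a for t, d, a in rows
                            if d == "out" and when <= t <= when + window)
            ratio = moved_out / amount
            if ratio >= min_ratio:
                alerts.setdefault(acct, []).append(
                    (when.isoformat(), amount, round(ratio, 2)))
    return alerts


if __name__ == "__main__":
    for account, hits in find_pass_through(LEDGER).items():
        print(account, hits)
```

A hit is a lead for review rather than proof: an account with several credits inside one window can have the same outflow counted against each of them.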

One ruse to attract unwitting mules involves hiring them to work for a company that supposedly helps foreigners buy goods in stores that don’t deliver abroad, receiving and forwarding parcels by international mail. That kind of work lasts for a month or two, until the local police come knocking.


When accomplices who are in the loop receive the goods or money, they use long-established criminal practices to legalize the booty. For example, money may be exchanged for freely convertible currency (typically dollars); goods (typically electronics) are sold directly to buyers or to second-hand shops. Of course, currency exchange offices and stores that buy items are supposed to have mechanisms in place to detect illegal transactions, but either negligence or insiders can bypass them. Then, a third party transfers the money to the organizers of the scheme.

Although mules can be caught and their percentage seized, the bulk of the proceeds and the masterminds remain elusive.

Next, the crooks employ “classic” criminal methods such as purchasing jewelry or metals (those businesses still often prefer dealing in cash), or buying and selling chips in a casino, to launder the cash.

If the money remains in noncash form through further transfers, then the process involves shell companies operating globally. Such businesses are usually located in countries that lack tight control over financial transactions, or where strict laws protect money transfer secrecy. A few more transfers, involving splitting and converting into different currencies, obscure the origin of the money. The firms are not necessarily fly-by-night operations but rather organizations whose businesses are partially legal.

Fairly recently, cryptocurrencies joined the list of money-laundering tools. Cybercriminals are drawn to them because users need not provide personal data to complete transactions. However, using cryptocurrencies for laundering money is not ideal: because user anonymity comes with blockchain transparency, withdrawing funds requires a lot of transactions. In 2018, for example, the Lazarus group withdrew $30 million after hacking a cryptocurrency exchange, then made 68 transfers in four days between different wallets.

Practical takeaways

As we can see, cybercriminals have built complex, multistage money-laundering schemes in which they juggle accounts, companies, legal form, currency, and jurisdiction all within a matter of days, during which some companies don’t even know they have been attacked.

Therefore, it makes sense for banks to take matters into their own hands and create cybersecurity infrastructures that minimize the chances of financial systems being hacked and hijacked. We offer a platform tailored specifically for banks and other financial institutions: Kaspersky Fraud Prevention. Not only does it provide user behavioral analysis and financial transaction monitoring, but it also tracks attempts to launder stolen money through users’ institutions.
