Cybercrime En Witwassen: Bitcoins, Online Dienstverleners En Andere Witwasmethoden Bij Banking Malware En Ransomware (Cybercrime and Money Laundering: Bitcoins, Payment Service Providers and Other Methods of Laundering Banking Malware and Ransomware Profits)
Oerlemans J.J., Custers B.H.M., Pool R.L.D. & Cornelisse R. (2016), Cybercrime En Witwassen: Bitcoins, Online Dienstverleners En Andere Witwasmethoden Bij Banking Malware En Ransomware. Onderzoek en beleid WODC no. 319. Meppel: Boom Criminologie
152 Pages Posted: 1 Mar 2018
Date Written: February 5, 2006
Dutch abstract: Over het witwassen bij cybercrime is, vergeleken met witwassen bij andere delicten, relatief weinig bekend. Bij veel delicten verdienen criminelen geld in contanten. Bij het witwassen van verdiensten uit cybercrime lijken echter in toenemende mate andere digitale betalingsmiddelen te worden gebruikt dan contant geld dat bijvoorbeeld uit drugshandel wordt verkregen. Met de groei van cybercrime in de laatste jaren neemt de urgentie toe om zicht te krijgen op het witwasproces en de betrokken actoren in dit proces. Dit onderzoek richt zich om die reden op het witwasproces, en het in kaart brengen van de betrokken actoren bij banking malware en ransomware. Banking malware is, kort gezegd, kwaadaardige software die bedoeld is om slachtoffers geld afhandig te maken via betalingen met internetbankieren. Ransomware is kwaadaardige software waarmee iemands computersysteem (of bestanden die zich daarop bevinden) wordt ‘gegijzeld’ en losgeld wordt geëist om het systeem te ontsleutelen. Sinds een paar jaar is een variant van ransomware in opkomst, genaamd cryptoware, waarbij bestanden op een computer versleuteld worden en het losgeld in de virtuele valuta Bitcoin wordt geëist. De centrale vraagstelling in dit onderzoek is: op welke wijze en door welke actoren wordt geld verkregen uit banking malware en ransomware (al dan niet digitaal) witgewassen?
English Abstract: Compared to money laundering in traditional offenses, like drug trafficking, relatively little is known about money laundering in cybercrime. The major difference is that, contrary to traditional offenses, in which criminals usually acquire money in cash, cybercrime profits increasingly appear to be made via new payment methods. With the growth of cybercrime in recent years, there is an urgency to gain insight into the money laundering process and the actors involved. This study focusses on the money laundering process and maps the actors involved in banking malware and ransomware. Banking malware, in short, is malicious software that is intended to steal money through online banking payments. Ransomware is malicious software that keeps a computer system (or all files on it) ‘hostage’ and demands a ransom payment to unlock the system. In recent years, a new form of ransomware has emerged. This so-called cryptoware encrypts files on a computer and demands a ransom payment, often in the virtual currency Bitcoin, to decrypt the files. The key question of this research report is: in what way and through which actors are profits of banking malware and ransomware laundered?
In this study various models of money laundering are identified and described. The research results show that banking malware and ransomware profits are laundered in several different ways. Money mules are often, but not always, involved in the laundering of banking malware profits. The electronic money is transferred from the online banking account of the victim to an online banking account of a money mule. Subsequently, the money mule performs a so-called cash-out of the money as soon as possible at an ATM. This method of money laundering can partly be explained by the preference of criminals to have cash. However, from the police file analysis and quantitative analysis it also became clear that goods, services or bitcoins are purchased directly via the account of victims of banking malware, using their financial data. Criminals typically use multiple online services in this process. The ransom that is demanded after infection with ransomware is usually in the form of online vouchers or bitcoins. Vouchers are generally credited to an online account with an e-wallet service, after which the money can be laundered digitally. It is also possible to sell the vouchers or directly pay for an online service. Criminals tend to use a combination of money laundering methods. The origin of bitcoins can be disguised using a mixing service. Mixing services allow bitcoins to be swapped for other bitcoins in exchange for a fee. The bitcoins can then be used for purchases or converted to other currencies via Bitcoin exchanges. Finally, there are also illegal online service providers who are prepared to exchange digital and virtual payment systems for a fee.
In these models, the following actors can be identified as part of the money laundering process: (1) banks, (2) money mules, (3) money transfer offices, (4) Payment Service Providers, (5) e-commerce, (6) voucher services, (7) e-wallet services, (8) Bitcoin exchanges, (9) mixing services, and (10) bitcoin dealers. The characteristics of these actors are described in this report to identify which parties are likely to appear in police investigations. By using the transaction data with regard to phishing and banking malware, it has been possible to map the characteristics of money mules in the Netherlands. The picture that emerges from the analysis of the data sets shows that money mules are mostly young adults between 18 and 22 years from relatively poor neighbourhoods who allow criminals to use their debit cards. While these young adults in the relatively poor areas of the three major Dutch cities (Amsterdam, Rotterdam and The Hague) are overrepresented, money mules come from all municipalities in the Netherlands. Furthermore, there is an overabundance of juveniles with an Eastern European nationality.
Note: Downloadable document is in Dutch.
Keywords: bitcoins, money laundering, aml, ransomware, banking malware