Follow the Money

The activities of all cyber-criminals, whether working individually, as part of a small gang, as organised crime groups, or even for a nation state, have resulted in annual total cyber-crime revenue estimated at USD1.5 trillion. Banks remain a prime target for cyber-criminals because they are critical infrastructure that can facilitate direct access to cash/funds.

The financial industry, however, is not an easy target. Banks, law enforcement and industry bodies continue to evolve cyber defences, improve information sharing, and regularly prevent money from ultimately being stolen even when the first stage of a cyber-attack may have seemed successful. Cross industry efforts such as SWIFT’s Customer Security Programme (CSP), which provides tools, information and a framework to help the SWIFT community secure itself, and payments screening services continue to evolve to mitigate cyber-attacks. For example, 91% of SWIFT customers, representing 99% of SWIFT traffic, attested to their compliance with controls set out by the latest Customer Controls Security Framework, a set of security controls which serve as the cornerstone of CSP. In addition, banks have improved response security controls such as the ability to stop or recall fraudulent payment instructions where these are identified quickly enough.

However, the lure of targeting banks to get ready access to cash remains prevalent, and attackers continue to develop their techniques. In recent years, many attacks have moved from targeting high-value payment systems to targeting ATM networks and related systems. While these may, on the face of it, seem to have a lower inherent value as any ATM inherently holds a limited amount of cash, in terms of successfully obtaining multi-million dollar sums of money across a number of attacks, this has to date proved to be a successful alternate route for attackers.

But irrespective of the cyber-attack method, the challenge all criminals face after a successful cyber-attack is getting hold of cash or other liquid financial assets that are perceived as ‘clean’, i.e. where it is not possible to tell it is from the proceeds of crime. This is where the need for money laundering comes in.

The money laundering and associated techniques described in this report are those considered relevant to large-scale cyber heists against banks’ high-value payment systems and ATM related systems, including backoffice payment systems. Such cyber attacks involve being able to manipulate or subvert the correct operation of high-value payment systems or management systems controlling a number of ATMs. This paper has not specifically considered what happens to money stolen in other financial crime related attacks such as physical attacks against individual ATMs, card skimming and cloning, banking Trojans and malware, authorised push payment or business email compromise type attacks. However, the laundering techniques and controls described are likely to also be relevant in many of these cases.