iOCTA 2015

The digital underground, like any economy, relies on the free flow of funds. The variety of payment mechanisms available to and used by cybercriminals is diverse. It ranges from real world, physical payments to untraceable cryptocurrencies, and everything that falls in between. Many payment mechanisms with a significant or absolute online aspect offer a number of features that make them attractive as a financial instrument for criminal enterprise – anonymity, rapid, cheap and irreversible transfers, and obfuscated financial transactions. In many respects, some payment mechanisms can offer a level of anonymity similar to cash but in an online environment.

The payment mechanisms used by cybercriminals can be broken down into the following categories:

  • Traditional financial instruments (e.g. bank accounts, credit cards)
  • Money service bureaus (e.g. Western Union, MoneyGram)
  • Voucher systems (e.g. Ukash, paysafecard)
  • Online payment services (e.g. PayPal, Skrill)
  • Centralised virtual currencies (e.g. PerfectMoney, WebMoney)
  • Decentralised virtual currencies (invariably Bitcoin)
  • Other pre-paid solutions (e.g. pre-paid debit cards)

Furthermore, when considering how and why cybercriminals use any particular payment mechanism it is important to consider the nature of the transaction. In this respect, four distinct scenarios can be identified.

Criminal-to-criminal payments

This category of payment includes any transaction where one cybercriminal makes a payment to another for purchase of or access to a crime-related product or service – a common scenario within the CaaS business model of cybercrime.

For such payments the nature of the service or product paid for is also an influencing factor. For instance, where the sale of compromised data (such as stolen credit card details) is concerned, the use of Bitcoin or money service bureaus (typically Western Union) is common; however the use of voucher systems (Ukash) or WebMoney is also noted.

Hidden services on the Darknet such as Agora or the now defunct Evolution almost exclusively use Bitcoin for payment, with the mechanisms to handle payment and escrow functions built into the market interfaces.

Overall, Bitcoin is beginning to feature heavily in many EU law enforcement investigations, accounting for over 40% of all identified criminal-to-criminal payments. PayPal is another notable payment system used for transactions of this nature, accounting for almost one quarter of identified payments. To a lesser extent paysafecard, Ukash, WebMoney and Western Union were also used.

Payment for legitimate services

Transactions in this category represent scenarios where a cybercriminal is required to make a payment to a legitimate, public-facing company for such things as hosting, hardware, software or travel and accommodation. The nature of the payment mechanism used in these scenarios indicates that cybercriminals rarely feel the need to hide their identities, or do not have the skill set to do so, as over 60% of transactions use traditional financial instruments such as credit cards or transfers from bank accounts. However, whether these cards or accounts are legitimate, compromised or fraudulently obtained is unknown.

Victim payments

Where a cybercrime victim is not simply subject to a malicious, destructive attack there will frequently be an attempt to obtain funds from the victim. Cyber-extortion is becoming increasingly common, particularly with the growing pervasiveness of ransomware; however, more 'traditional' methods of cyber-extortion such as the threat of DDoS attacks are still commonplace [1]. Again, Bitcoin features as the most common single payment mechanism used in extortion payments, accounting for approximately one third of cases. Voucher systems such as Ukash, paysafecard and MoneyPak also accounted for over one quarter of cases. Direct bank transfers and money service bureaus also accounted for notable volumes of such payments.

Victims also make payments to attackers in less flagrant attacks if they are victims of fraud, either as a result of social engineering or when paying for non-existent or bogus goods or services such as fake anti-virus software. In these instances real world financial services (money service bureaus and bank transfers) account for half of all fraudulent payments; however, Bitcoin is also used in almost one third of payments.

  1. CoinDesk, Bitcoin Extortion Group DD4BC Prompts Warning from Swiss Government, http://www.coindesk.com/bitcoin-extortion-dd4bc-new-zealand-ddos-attacks/, 2015

Money movement/laundering

There are naturally instances where a cybercriminal does not transfer funds to a third party, but simply moves money from one location or payment system to another. This can include the ‘cashing out’ of compromised financial accounts and credit cards and the use of exchangers to exchange to, from or between virtual, digital and fiat currencies.

As with victim payments, over half of transactions are carried out via money service bureaus and bank transfers. In this scenario however, Bitcoin and other payment mechanisms such as WebMoney only account for a small proportion of transactions.

Future threats and developments

Although there is no single common currency used by cybercriminals across the EU, it is apparent that Bitcoin may gradually be taking on that role. Bitcoin features as a common payment mechanism across almost all payment scenarios, a trend which can only be expected to increase.

Cryptocurrencies are slowly gaining acceptance at government level, with a number of EU jurisdictions either proposing regulation of cryptocurrencies [2] or already recognising them under existing legislation [3] [4]. It is inevitable that more jurisdictions will follow suit although it would appear that there is currently a lack of harmonisation in approaches.

Any regulation of cryptocurrencies would likely only be applicable and enforceable when applied to identifiable users such as those providing exchange services. The inability to attribute transactions to end users makes it difficult to imagine how any regulation could be enforced for everyday users.

It is clear that cybercriminals will continue to use whichever payment mechanism is convenient, familiar or perceived to be safe, including those that are already regulated and maintain anti-money laundering controls.

In the 2014 Internet Organised Crime Threat Assessment it was anticipated that more niche, privately controlled currencies would come to the fore. However these have either yet to be discovered or have simply not materialised. That said, there are currently over 650 recorded cryptocurrencies [5] with new variants being released almost daily. Many focus on developing features which further enhance their anonymity, thereby making them more attractive for illicit use. However, with so many existing options available to conduct illicit transactions securely online there seems to be little need.

  2. CoinDesk, Will the New UK Government Create a Bitcoin Hub? http://www.coindesk.com/will-the-new-uk-government-create-a-bitcoin-hub, 2015
  3. RT, Germany Recognizes Bitcoin as ‘Private Money’, http://rt.com/news/bitcoin-germany-recognize-currency-641/, 2013
  4. JDSUPRA, Virtual Currencies: International Actions and Regulations, http://www.jdsupra.com/legalnews/virtual-currencies-international-action-03024/, 2014
  5. Crypto-Currency Market Capitalizations, http://www.coinmarketcap.com, accessed 03/07/2015

Recommendations

  • Investigators must familiarise themselves with the diverse range of account and payment references and file formats of digital wallets used by the different payment mechanisms in order to recognise these in both standard and forensic investigations.
  • Law enforcement must continue to cooperate and share knowledge, expertise and best practice on dealing with Bitcoin and other emerging/niche digital currencies in cyber investigations.
  • Law enforcement should continue to monitor the alternate payment community for emerging payment mechanisms, to assess their potential or likelihood of being used in cyber-enabled crime.
  • It is essential for law enforcement to build and develop working relationships with the financial sector including banks, money transfer agents, virtual currency scheme operators and exchangers in order to promote the lawful exchange of information and intelligence.
  • There is a need for harmonised legislative changes at EU level, or the uniform application of existing legal tools such as anti-money laundering regulations, to address the criminal use of virtual currencies.