Like any economy, the digital underground relies on the ability to transfer funds in exchange for goods or services. These can involve paying for the tools needed to commit the crime, or those that enable the distribution and storage of the proceeds of crime. Which of the diverse selection of available payment mechanisms is used for any particular transaction depends on a range of factors. Are they operating in an environment where a particular payment mechanism is preferred or enforced? Is the payee or payer likely to have a corresponding account? How anonymous do they require it to be? There are many such questions, the answers to which will be partly decided by the nature of the transaction.
When making payments to other cybercriminals, for example to pay for a criminal service or commodity, payments need to be secure and as anonymous as possible. In some online environments that payment mechanism is largely dictated to them. Darknet markets for example almost exclusively use Bitcoin, with the payment mechanism incorporated into the market structure. Where cybercriminals have greater freedom to choose, despite the huge array of options available to them, the selection used is actually somewhat constrained and in many cases fairly unsophisticated.
Many payments still occur within the realm of the regulated financial sector. The use of simple wire transfers is common. It is likely that this reflects the use of either compromised accounts or money mules. Credit cards and pre-paid cards are also commonly used, although again it is likely that this refers to compromised or stolen cards. The abuse of money transfer services such as Western Union or MoneyGram also accounts for a substantial proportion of ‘real world’ C2C payments.
Much transactional activity between cybercriminals, however, remains entirely within the digital realm. Here the most commonly used single currency for C2C transactions is Bitcoin. Perhaps evolving from its popularity on the Darknet, Bitcoin has become the currency of choice for much of cybercrime. A primary concern for criminal users of Bitcoin has been the transparency of the blockchain; however, the increasing availability of Bitcoin mixing services – which pool and redistribute multiple transactions to confuse transaction trails – has given them increased confidence through the additional layers of anonymity these services provide. While the cryptocurrency landscape is constantly evolving, and there are a growing number of alternate currencies which offer more anonymity, none have yet attained the level of popularity or attention of Bitcoin.
The abuse of centralised digital currencies such as WebMoney is still reported, although in a much smaller number of cases. While such payment systems were historically believed to be a preferred mechanism, this is certainly no longer the case as more and more cybercriminals migrate to Bitcoin. Like any currency, criminals can be expected to migrate to whatever others are using.
Where victims are voluntarily (even if reluctantly) making payments to criminals, either as a result of extortion or fraud, the payment system requirements differ only slightly. Here anonymity only needs to be uni-directional, and simplicity and accessibility are key, in order to maximise the victims’ likelihood of paying. Still, it is commonplace for criminals to have to provide detailed instructions on how to obtain the necessary currencies.
Fraud relies on a semblance of normality and legitimacy, therefore the use of conventional payment mechanisms is more likely. The more unusual a payment system is, the more likely a scam would be to arouse suspicion. Consequently, wire transfers are common, as is the use of money transfer services.
Conversely, in cases of extortion there is no need for pretence, and criminals again resort to payment mechanisms which maximise their own security. Pre-paid voucher-based systems such as paysafecard are still popular. However Bitcoin is again the preferred option, and the primary payment mechanism for most current ransomware as well as other extortion schemes. The prominent DDoS groups of the past years likewise demanded payment in Bitcoins.
Even when using centralised and ostensibly traceable payment systems, such as paysafecard, the service-based digital underground provides a range of opportunities to safely cash out, convert or otherwise clean (launder) criminal proceeds. There is no shortage of individuals offering these services for a suitable commission. While criminals can, in relative safety, transfer and circulate funds within the digital economy, there comes a time when it is necessary to monetise these funds so that the criminal can make use of them in the real world. In some cases, particularly when the funds sit with a compromised card or account tied to an entity within the regulated financial sector, specialised services are required – money mules.
Money mules are individuals recruited, often by criminal organisations, to receive and transfer illegally obtained money between bank accounts and/or countries. The recruited individuals may be willing participants, however some may, initially at least, be unaware that they are engaging in criminal activity and believe they are performing a legitimate service.
The investigation of money mule networks is a top priority for both law enforcement and the financial sector.
In February 2016, law enforcement agencies and judicial bodies primarily from Belgium, Denmark, Greece, the Netherlands, the United Kingdom, Romania, Spain and Portugal joined forces in the first European Money Mule Action (EMMA). The operation was also supported by Europol, Eurojust and the European Banking Federation (EBF). Over one week nearly 700 money mules were identified across Europe and 81 individuals were arrested after 198 suspects were interviewed by law enforcement agencies. With the support of over 70 banks, significant financial losses were discovered and prevented, and over 900 victims of this crime were identified. More than 90% of the reported money mule transactions were linked to cybercrime. The following week was devoted to raising awareness of this threat and attempting to dissuade people from getting involved in this type of crime.
Rather than receiving and retransmitting stolen funds, some mule services instead receive goods fraudulently ordered online using compromised credit cards, and then forward these on to their customers. This service is also referred to as providing “drops” or as “reshipping”. The mule effectively takes on the risk of being in receipt of the goods instead of those committing the fraud. A new trend in this area is the use of automated packet stations. Only available in some countries, these are stations consisting of a number of mailboxes. The stations are un-manned and require a registered user to log in and open their box via a terminal. While they have a number of security features to minimise such abuse, these stations can be used in place of, or by, packet mules to reduce the risk of directly receiving fraudulently obtained goods.
Virtual currencies continue to gain wider acceptance as the community grows and matures. With it comes the development of new currencies, building on the foundations of Bitcoin. Many of these new currencies focus on innovation and utility, making them more accessible or useful for business, but even these show potential for criminal use.
Officially launched in July 2015, Ethereum has taken the #2 spot in the virtual currency market [134]. Amongst its other innovations, Ethereum focuses on the use of smart contracts – contracts able to self-verify their own conditions using both blockchain as well as external data, and self-execute by releasing payment, while remaining tamper resistant [135]. While smart contracts naturally have a wide range of legitimate and positive uses, they also reinforce the crime-as-a-service model of the digital underground. Assuming the contract creator had the skill to create a contract able to detect the fulfilment conditions, any criminal service from website defacement to illicit data exfiltration could be dealt with via smart contracts. Such uses have already been demonstrated to be quite possible [136]. This is of course an issue of smart contracts themselves, rather than any particular currency. If smart contracts do indeed become a tool for the cyber underground, we can no doubt expect to see the appearance of criminal cyber-notaries, drawing up smart contracts for criminal customers as a service.
While many new cryptocurrencies are clearly focussing on benefits to enterprise and business, some continue to focus on issues of privacy and anonymity. Bitcoin is only pseudonymous, meaning that there is some potentially traceable data (namely a Bitcoin address) that could be used to link a transaction to an individual. Additionally, the blockchain itself is relatively transparent. There are currencies in development that seek to redress this issue. The philosophy behind many of these projects is the protection of the privacy of those who perhaps need it most, such as activists or those outspoken against oppressive regimes. However, it is not hard to imagine who would be the primary beneficiaries of a currency which was entirely anonymous and resistant to law enforcement surveillance [137].
In 2014 we reported that some small online criminal communities had developed their own in-house currencies [138]. We have not seen an expansion of this phenomenon, perhaps due to the availability of alternate currencies. The majority of law enforcement currently has its attention focused on Bitcoin, a fact which is not lost on the criminal community. It is therefore logical to assume that some smaller criminal communities may be abusing lesser-known cryptocurrencies in order to stay under the radar.
Blockchain technology also attracts considerable interest from industry and academia. It has potential applications for many transactional activities such as voting, identity management, digital assets and stocks, smart contracts, file storage and record keeping, to name just a few [139, 140]. While there have been previous indications that the blockchain itself could be abused for criminal purposes, such as for storing child abuse images or malware code [141], there is little evidence of this currently happening. However, a new variant of the CTB-Locker malware does use the blockchain to deliver decryption keys [142]. As entrepreneurial cybercriminals become more familiar with blockchain technology and its potential, it can be expected that we will see more creative use of its capabilities.
Many in the Bitcoin community consider exchanges a single point of failure, and the need for a decentralised solution has been a topic within the Bitcoin community for years [143]. Such platforms would be unlikely to implement any KYC [144] measures and would therefore provide users with an additional level of security and anonymity.
In 2016, a functional beta version of Bitsquare [145] was released. This is the first decentralised exchange that brings together buyers and sellers of dozens of virtual currencies. It uses a P2P network built on top of Tor, where every user is given a dedicated .onion address. Payment methods used on the platform include Single Euro Payments Area (SEPA) [146] transfers, but the data is only shared with the trading counterparty. The current implementation suffers from liquidity issues, and the amount of daily trade is limited to several thousands of euros; nevertheless, its popularity is on the increase.
Internet crowdfunding campaigns are an increasingly popular method of raising funds for the development of new products or technologies. Criminals have also taken advantage of this trend, using them not only as a means of laundering criminal funds by investing them in the project, but also to subsequently defraud investors who believe they are funding a legitimate project [147].
