Security researchers investigating dark markets and criminal forums have uncovered an alarming trend in which stolen cash is sold for Bitcoin at as much as a 90% discount.
Details of the Bitcoin for cash scheme were revealed in the Armor Black Market Report, an annual compendium of current and emerging criminal threats.
The report, published by cloud security service provider Armor’s Threat Resistance Unit (TRU), details an array of criminal ventures, from hackers for hire to corporate network credentials for sale.
This year, TRU researchers have noted a new Bitcoin to cash conversion scheme that is quickly gaining traction.
The scheme promises dark market customers as much as $10,000 in cash for a mere $800 in Bitcoin.
Once a novelty, the scheme is now a key offering on the dark web.
— Armor (@Armor) September 12, 2019
How Bitcoin for cash works
In a Bitcoin for cash scheme, the seller offers bundles of stolen cash for 10 to 12 cents on the dollar, payable in Bitcoin.
Once the buyer makes the payment, they notify the seller of how they would like to receive the cash – bank transfer, PayPal, Western Union, etc…
Based on TRU’s data, one could buy US$10,000 [AU$14,554] for as little as $800 in Bitcoin.
The scheme provides another way in which stolen financial data can be easily monetized.
“With the glut of online bank credentials and credit cards (which can be used to wire money via Western Union) for sale on the underground markets, it came as no surprise to the TRU team that the cybercriminals would figure out additional ways to monetize these illicit goods,” the report states.
Transferring criminal risk
Being too-good-to-be-true, such offers help cybercriminals gain attention and additional business. They’re primarily used, however, as a way to quickly dump funds gained from stolen account credentials.
By being able to immediately transfer ill-gotten funds, cybercriminals substantially reduce the risk of getting caught.
The report notes that “this arrangement works well for the cybercriminal selling the stolen funds because, ultimately, he or she is not taking possession of the funds but merely transferring them.”
In short, this scheme is a high-tech form of illegal money laundering. Consequently, the majority of risk falls on the scammer taking possession of the funds.
Avoiding the ‘money mule’ requirement
Ordinarily, a criminal would hire a ‘money mule’ – a person whose job it is to transfer the stolen funds between accounts in exchange for a percentage of the funds transferred.
However, these funds need to funneled to legitimate business bank accounts so as not to trigger fraud alerts.
As a clip from the popular TV show Better Call Saul explains, money laundering can be a complicated process:
A Bitcoin for cash scheme avoids these requirements altogether.
Armor TRU director Chris Hinkley noted that such a service would be appealing to criminals who lack the technical acumen and/or resources to “monetize” stolen bank account and/or credit card information.
“For those scammers who don’t possess the technical skills and a robust money mule network to monetize online bank account or credit card credentials, this is an offer that can be very attractive,” he said.
“The threat actors are still selling financial account and credit card credentials outright, but this clever service gives them an additional channel for monetizing the large amounts of financial data available on the underground.”
Dark market criminals are adept at facilitating money laundering through traditional bank accounts as well.
Since setting up a business bank account requires an IRS-assigned Employer Identification Number (EIN), the dark web provides the necessary documentation to create shell companies (for over $1000).
Although money laundering takes a variety of shapes and forms, its recent news articles about several Bitcoin-based laundering rings helps to perpetuate the myth that cryptocurrencies are primarily associated with criminal activity.