What cybercriminals do with their money (Part 5) – Sophos News

Content warning: Because of the nature of some of the activities we discovered, this series of articles contains content that some readers may find upsetting. This includes profanity and references to drugs, drug addiction, gambling, pornography, violence, arson, and sex work. These references are textual only and do not include images or videos.

Having explored the ‘legitimate’ and not-so-legitimate business interests that threat actors are discussing on criminal forums, we’ve arrived at the concluding chapter of our series. Here, we’ll discuss the implications and opportunities that these activities present.

As we’ve noted throughout this series, threat actors diversifying into other industries and criminal activities can have troubling consequences. It can make disrupting those threat actors more difficult, particularly when it comes to seizing assets, and can make investigations – ‘following the money’ – more complex. Moreover, it can increase threat actors’ wealth, power, and influence, which again can complicate investigations. And it means that their crimes can affect more victims, directly or indirectly.

In the cybersecurity industry, we sometimes treat cybercrime as being in a silo – to consider it a distinct, specialist, and isolated activity, limited to the virtual world of networks and hosts. Not unreasonably, our efforts tend to be focused on the ‘cyber kill chain’; conventional threat intelligence; and bolstering protections, security awareness, and other preventative measures. And in the wake of attacks, our attention usually goes to the victims – whether those are organizations dealing with incidents, or individuals who have been scammed.

Meanwhile, the perpetrators slip back into the shadows, and we don’t typically think about what they do once an attack is over, or where the money goes. This question has not historically been prioritized by security researchers.

But perhaps we should spend more time looking into how cybercriminals are using and investing their profits. Doing so can lead to additional investigative and intelligence opportunities around attribution, motivation, connections, and more.

Moreover, some of the activities we’ve uncovered in this series strongly suggest that we should not put threat actors on any kind of pedestal. They are not just cybercriminals – they are criminals, full stop. They should not be glorified, or celebrated, or portrayed as anything except what they are: people who make money at the expense of victims. Our investigation suggests that at least some threat actors are engaged in exploitative, harmful, and illegal activities, both online and in the real world, from which they are actively profiting.

Proactive intelligence-gathering and investigation at the boundaries of legitimate and illegitimate earnings, and of cybercrime and real-world crime/business, could help hit threat actors where it really hurts – their money. While we don’t claim that this would be easy to accomplish, the information we’ve shared in this series could be a valuable first step in laying the foundations for future efforts and research in this vein.

Attribution and investigative avenues

As shown in our previous articles, the schemes and systems which threat actors outline in detail on criminal forums – sometimes accompanied by screenshots, photographs, and specific biographical information – can provide investigative and attribution opportunities which have previously been underexplored. These can be particularly useful on criminal forums, where participants are often anonymous.

For instance, during the course of our investigation, we noted threat actors revealing the following information in their discussions of ‘legal business’:

  • References to the locations (countries/regions/towns) in which they reside and/or operate
  • Other biographical information, including age, marital status, and whether they had children
  • Unredacted or partially redacted screenshots revealing profile pictures, names, addresses, and reference numbers
  • Photographs of locations, which could potentially be identified through open-source investigation
  • References to specific amounts of money and purchases, sometimes accompanied by dates and times
  • References to previous convictions, which could be used for possible identification
  • Detailed discussions of legal or illegal schemes and activities
  • Details of advice received from lawyers, accountants, and associates.

Knowing thine enemy

Our investigation also demonstrates the breadth and depth of knowledge that threat actors possess about various industries, loopholes, regulations, investigative techniques, and legislation in various territories and countries – as well as what they know about money laundering and legitimizing techniques. All of this can provide investigators with useful information about what threat actors know and what they don’t, which can help to inform future operations. It also provides a broader view of the threat landscape, and how the cyber version of that landscape interacts and overlaps with threat landscapes in other criminal domains – resulting in a richer strategic intelligence picture.

Opportunities for collaboration

We hope that our research may encourage greater collaboration between the cybersecurity industry, law enforcement, and regulators, because it can help link the incidents we deal with and respond to every day, to the real-world offenses, assets, and businesses which law enforcement and regulators have the ability, and mandate, to investigate. Again, we don’t claim that our research will solve this problem, but we think it may provide some useful common ground to encourage collaboration and information-sharing.

The evidence we uncovered – of links between carders and drug dealers; threat actors and various industries and sectors; and threat actors and real-world criminal activity – indicates that we could potentially link some cybercriminals to the flow of the resulting funds into wider economies, whether criminal or legitimate. While this would require openness, willingness, and careful management, we suggest that more could and should be done to investigate, track, and disrupt threat actors using the sort of information we’ve discussed.

Some initial practical suggestions:

  • Researchers could flag discussions about new methods of money laundering, legal and illegal investments, insights about threat actor groups (locations, motivations, capabilities, connections, etc.), and financial identifiers to points of contact in law enforcement and financial regulatory bodies
  • Law enforcement officers and financial investigators could share identifiers and indicators from their own investigations with researchers, to determine if there are links to campaigns or specific groups
  • Both parties may benefit from embedding programs focusing on these areas of crossover.

Adding to the kill chain?

While this is more of a theoretical suggestion, it might be worth considering adding two steps to the end of the kill chain when dealing with financially motivated threat actors:

  1. Cashing out and money laundering. Financially motivated threat actors want to realize a profit and disguise the origin of their funds
  2. Spending and investment. This step may overlap with the previous one to some extent, but here, threat actors are seeking to spend/invest their illicit gains, and use them to generate further profit, rather than simply disguising the source(s)

Both steps may be useful additions to the kill chain for four reasons:

  1. They are areas in which some threat actors might be less familiar/capable, so they may make mistakes or let slip revealing information, leading to opportunities for attribution and further investigation
  2. They may involve interaction with financial authorities, a wider financial ecosystem, and/or regulatory agencies, increasing opportunities for monitoring and ‘red flags’
  3. These are the points at which we can hurt financially motivated threat actors the most – in the pocket – so it makes sense to devote at least some attention to them
  4. As discussed previously, these steps offer potential for collaboration, information-sharing, and cooperation with financial and law enforcement authorities.

Caveats and future research

Our work in this series focused on a selection of criminal forums, but forums don’t tell us everything there is to know about the criminal ecosystem. However, we did choose several prominent forums known to be frequented by prolific threat actors (including ransomware affiliates, initial access brokers, and malware developers), and forums can provide a valuable glimpse into an underexplored area.

Ultimately, though, we only looked at five forums, so our work should be considered more of an initial exploration than an exhaustive survey.

Linking the crimes and business practices discussed in this series to specific incidents, campaigns, and threat actors represents a challenge, one beyond the scope of this work. However, we noted that in multiple cases, threat actors did not merely hypothesize or provide general details, but admitted to specific activity, sometimes including photographs, locations, and biographical information (although we should also point out that some threat actors could be lying or embellishing their claims).

Future research on this topic could include:

  • More detailed investigations, including research into other forums, marketplaces, Telegram channels, etc., comparing the results to ours, and identifying further opportunities for attribution, investigation, monitoring, and collaboration
  • Exploration of the feasibility of linking specific attacks and campaigns to specific investments and business practices – which may involve collaboration, information-sharing, financial analysis, and/or tracing cryptocurrency
  • Statistical research into the prevalence of various crimes/business interests, to gain an understanding of which are most common among financially motivated threat actors, and whether they differ according to geography and type of threat actor (infostealer campaigns versus ransomware, for example).

Wrapping up

While there has previously been research into specific methods of cryptocurrency laundering used by cybercriminals (particularly ransomware actors), this is, to our knowledge, the first exploration of so-called ‘legal business’ discussions on criminal forums, which have been around for almost twenty years on two very prominent, well-established Russian-language forums, and for a shorter time on others.

These sections have historically been overlooked by researchers, possibly because they don’t appear to contain much of relevance to cybersecurity. We believe this is an oversight, which our work seeks to address by highlighting both the strategic and tactical intelligence benefits that exploring and monitoring these sections can bring.

There is an extensive diversity and plurality of investments, schemes, and business interests – both legal and illegal – that financially motivated threat actors discuss and become involved in after profiting from attacks. We encourage our colleagues in the cybersecurity community to consider financially motivated cybercrime as an integral part of a much broader economy, rather than a siloed and isolated activity.

Specifically, we invite colleagues to:

  • Consider where threat actors are investing and spending their money after attacks – and whether this could provide additional context and value
  • Share information with peers, law enforcement, and other relevant agencies, such as financial regulators, and request information in return
  • Where appropriate, think of cybercrime not as an isolated activity in and of itself, but as part of a much wider and more complex ecosystem connected to other criminal networks
  • Reflect on, and contribute to, our suggestion of including additional steps on the cyber kill chain

As we noted earlier, we consider this research to be a starting point. We’re continuing to look into this topic, and we look forward to sharing additional findings in the future.
