Skip to main content
  • English
    Discover SWIFT
  • Español
    Descubra nuestros contenidos en español
  • Français
    Découvrez notre contenu disponible en français
  • 中文
  • 日本語
How cyber attackers ‘cash out’ following large-scale heists

How cyber attackers ‘cash out’ following large-scale heists

Cyber Security,
2 September 2020 | 5 min read

By illuminating the final stage in the money laundering process, BAE Systems & Swift report supports efforts by banks to prevent, detect and respond to cyber-attacks

Swift and BAE Systems Applied Intelligence have published ‘Follow the Money’, a new report that describes the complex web of money mules, front companies and cryptocurrencies that criminals use to siphon funds from the financial system after a cyber-attack.

Swift and BAE Systems - Follow the Money

Swift commissioned BAE Systems to investigate this element of the money laundering process as part of its Customer Security Programme (CSP). The CSP continually helps the financial community to strengthen its cyber defences through a range of measures including mandatory controls, intelligence sharing and thought leadership.

The report highlights the ingenuity of money laundering tactics to obtain liquid financial assets and avoid any subsequent tracing of the funds. For instance, cyber criminals often recruit unsuspecting job seekers to serve as money mules that extract funds by placing legitimate sounding job advertisements, complete with references to the organisation’s diversity and inclusion commitments. They use insiders at financial institutions to evade or undermine the scrutiny of compliance teams carrying out know-your-customer (KYC) and due diligence checks on new account openings. And they convert stolen funds into assets such as property and jewellery which are likely to hold their value and less likely to attract the attention of law enforcement.

Although there has been much research into the methods that cybercriminals use to conduct attacks, there has been less investigation into what happens to funds once they have been stolen. The aim of this report is to illuminate the techniques used by cyber criminals to ‘cash out’ so that Swift’s global community of over 11,000 financial institutions, market infrastructures and corporates can better protect themselves.

Among the other findings in the report:

  • Front companies cyber criminals tend to focus on textile, garment, fishery and seafood businesses to obfuscate funds. They find it easier to operate in parts of East Asia where less stringent regulations make it easier to conduct their activities.
  • Cryptocurrencies – while the number of identified cases of money laundering through cryptocurrencies is low so far, there have been a couple of major incidents involving millions of dollars. Digital transactions are appealing because they are conducted in a peer-to-peer manner that circumvents the compliance and KYC checks conducted by banks, and often require only an e-mail address
  • Experience - The method chosen by cyber criminals to cash out and spend the stolen funds is indicative of their levels of professionalism and experience. Some inexperienced criminals have immediately made extravagant purchases drawing the attention of law enforcement agencies and leading to arrests.

Brett Lancaster, Head of the Customer Security Programme at Swift said: “The threat posed by cyber-attacks to the financial sector has never been greater. Attackers are well-resourced, constantly evolving their modus operandi and using untraceable money laundering techniques. The report highlights how the growth in cyber-attacks is increasing the need for the convergence of anti-money laundering, fraud and cybersecurity processes in financial institutions. It calls for them to increase information sharing, tighten due diligence requirements and smartly invest in maintaining systems to strengthen their defences.”

Simon Viney, Cyber Security Financial Services Sector Lead at BAE Systems Applied Intelligence said: “The activity from cyber criminals and gangs across the world is estimated to result in over $1.5 trillion dollars in annual losses. This report focuses on money laundering related activities necessary for cyber attackers to conduct and ‘cash out’ a successful attack and avoid the money subsequently being traced. As technology and criminals’ techniques evolve at a rapid pace, so will the need for institutions, both private sector and law enforcement, to collaborate and maintain awareness of evolving money laundering techniques, in order to reduce the opportunities for threat groups to benefit from committing high-value cyber heists.”

‘Follow the Money’ is the latest in a series of reports Swift and BAE have jointly published. Previous reports include Three Years on From Bangladesh – Tackling the Adversaries, which provides new insights into the evolving nature of the cyber threats facing the global financial community.

Three years on from Bangladesh - Tackling the adversaries
Swift and BAE Systems - Follow the Money

About Swift’s Customer Security Programme

Designed to support all types of customers, from central banks to commercial banks of all sizes, Swift’s Customer Security Programme provides tools, information and a framework to help the community secure itself. Four years into the programme, the CSP continues to deliver tangible results and innovation to stay ahead of cybercriminals.

The CSP is articulated around three mutually reinforcing areas. Customers must protect and secure their local payments environment; they must work to prevent and detect fraud in commercial relationships; and continuously share threat information to defend against future cyber threats.

The cornerstone of the CSP is the Customer Security Controls Framework (CSCF) – a set of mandatory and advisory cybersecurity criteria that Swift revises annually to continuously raise the security bar. The mandatory security controls establish a security baseline for the entire community, and must be implemented by all users on their local Swift infrastructure.

By 31 December 2019, 91% of customers, representing 99% of Swift’s FIN payments traffic had attested to their level of compliance with the mandatory security controls. Furthermore, data related to compliance with the controls is shared with other financial institutions in the network so they can build it into their counterparty risk management processes.

Swift Customer Security Programme CSP - Reinforcing the security of the global banking system
3 min view

Reinforcing the security of the global banking system