Who needs VC funding? How cybercriminals spread their ill-gotten gains to everyday business ventures – CyberScoop

Cybercriminals aren’t so different from the rest of us — they live in the real world, and their spending and investment habits, though funded through crime, can look surprisingly ordinary. Luxury cars and lavish vacations may still grab headlines, but those perks are reserved for the most elite cybercriminals.
In reality, everyday businesses — pizza delivery, construction supplies, tattoo parlors — are funded with the proceeds of cybercrime.
An extensive investigation by Sophos X-Ops, pulled from thousands of posts on two Russian-language and three English-language cybercrime forums, uncovered the dark underbelly of illegal schemes cybercriminals use to reinvest their money. Yet, researchers also discovered a vast community of chatty cybercriminals seeking to help each other launder their money with more common business pursuits.
According to John Shier, field chief information security officer of threat intelligence at Sophos, alleged cybercriminals on these forums are pursuing an immense range of businesses, investment proposals and startup ideas.
“A lot of this cybercrime is fueled by crypto, and it’s kind of useless in the real world,” Shier told CyberScoop. “So, they need to be able to move that cryptocurrency into some sort of fiat, some sort of valuable something that they can actually spend in the real world.”
The discussion of legitimate businesses as a vehicle for laundering money is brazen, he said. Some guides and detailed instructions shared on these forums also reveal how extensively cybercriminals collaborate to diversify and develop specialized ways to funnel their money.
Sticking to what they know
Businesses that cybercriminals prop up with their ill-gotten gains include everything from drive-thru coffee shops to real estate, education, pharmaceuticals, construction, software development and — wait for it — cybersecurity companies and services.
Users on these forums proposed selling spyware to pentesters and corporations, developing exploits, or finding vulnerabilities in local businesses’ networks and then using those findings as a pitch to sell the same businesses protective services. “I accidentally found myself in this situation, raised a lot of money and got a regular client,” an unnamed user wrote, according to Sophos.
Researchers also observed proposals for security startups specializing in vulnerability research and for a hash “decryption” service (in practice, password-hash cracking, since hashes are brute-forced rather than decrypted) run on rented compute from a commercial cloud provider. One user recommended an investment in a prominent cybersecurity vendor.
“Irony aside, this raises the concerning possibility that threat actors could become shareholders of a company that tracks and disrupts threat actors,” Sophos X-Ops researchers said in the report.
“It is concerning that you’d have people with motivations that are criminal, that are investing in businesses that are supposed to be helping organizations withstand cybercrime,” Shier said.
While it’s a positive when someone leaves a life of cybercrime behind, Shier said he doubts that’s the case for individuals communicating within the criminal underground. The potential for insider-type activity is real, where “the protectors are actually the ones that are in the ski masks and pointing a gun at you,” he said.
Crime begets more crime
Some of the guides Sophos found covered step-by-step methods for investing in gold or diamonds, establishing shell companies, money laundering, and importing and exporting.
Researchers described some business interests as “gray,” including pornography and gambling.
Outright illegal activities were abundant on these forums as well. This includes bots, pyramid schemes, sex work, drugs, tax evasion, insider trading and reinvesting in cybercrime.
“Invest it in the business that brought you this income. It’s obvious,” one user said in a forum, according to Sophos.
Researchers observed multiple investment opportunities for malware and campaigns already in progress or development, including botnets, infostealers, phishing tools, SIM-swapping and a year-old DDoS-related project.
In one especially striking post, an alleged cybercriminal shared how they bought properties solely for the purpose of burying large sums of cash underground.
A screenshot of the post Sophos shared with CyberScoop included detailed instructions for preparing the cash and selecting site locations. It was recommended that bank notes should be dry and free of any sign of mildew, arranged in piles, vacuum sealed into plastic bags, and then placed into large airtight bags with silica gel packets, before being sealed into a PVC drum and buried at least five feet deep, away from roots and on higher ground.
“Cover the hole when you’re done and write down the GPS coordinates so you or your descendants can easily find the location in the future,” the post explained.
“If you’ve got so much money that you just need to start burying it like that, that, to me, is a pretty big red flag,” Shier said. “Are they building generational wealth here? Like, how much money are we talking about?”
Follow the money to what end?
Threat intelligence spans both physical and digital realms to help organizations detect and prevent malicious activity. While most of this research focuses on identifying new attacks and post-compromise activity, far less attention is paid to tracking the money once cybercriminals acquire it.
“We know that money enters the system very often through fraud or through things like ransomware, computer crime, but how it exits the system helps us maybe have a better idea of how we can monitor those different avenues,” Shier said.
“If we can just shine lights on absolutely everything, then it becomes a lot more difficult for them to hide,” he said.
The legitimate businesses and gray-area pursuits that cybercriminals squeeze for additional profit ultimately implicate innocent people, creating more downstream victims, according to Shier.
“Cybercriminals are no different than the mafia, than other organized criminals. They’re going to use every avenue at their disposal,” he said. “We need to be able to shine as many lights on that as possible, so that then law enforcement and the judicial system can do what they need to do to prosecute these people.”