How cybercriminals launder money stolen from banks


For some cybercriminal groups, attacks on banks and other financial institutions are like an assembly line. Many people know that tracking stolen funds is usually impossible, but not everyone knows why. The report, produced jointly by BAE Systems and SWIFT researchers, explains how cybercriminals launder the stolen money.

Source and destination of money

There are two scenarios for an attack on a bank: one targets infrastructure and accounts, the other targets ATMs and related systems. The schemes for obtaining and laundering money are slightly different, but the essence and purpose are the same: to integrate criminal funds back into the legal financial system.

The money laundering process usually consists of three steps:

  • funds placement: the first transfer from the victim's account to the fraudsters' accounts, or the deposit of stolen money;
  • layering: a series of transactions designed to hide the origin of the funds and their beneficial owner;
  • integration: investing the laundered money in legal or criminal activities.

The final step, getting the laundered money back into the economy, is a very large topic, so we won't go into it in detail here. A successful attack requires careful planning well before the theft, with the legalization mechanisms already in place. This is an additional step: preparation.


To enable the swift flow of the stolen funds, cybercriminals typically collect multiple accounts belonging to natural and legal persons. These accounts can belong to unsuspecting victims who have been hacked, to people tricked into participating in a fraudulent operation, or to volunteers.

The latter are commonly, and unflatteringly, called money mules. Sometimes their job is to open accounts using false or stolen documents (a complicated task that requires a bank employee acting to the bank's detriment). Recruitment agencies can put both interested parties in contact by describing the position as, for example, "investment aid". In many cases the mules know full well that they are breaking the law, but they are blinded by the prospect of earnings. Sometimes, however, these "accomplices" end up being deceived as well.


Once cybercriminals have transferred the stolen money to such an account (via malware, social engineering, or confidential information), the money mules come into play. They can:

  • transfer funds to other accounts to cover potential traces,
  • order goods to their own or another address,
  • withdraw money from ATMs.

One of the tricks used to attract unwitting money mules is to hire them to work for a company that allegedly helps foreigners buy goods from stores that don't ship overseas. These people must collect packages and forward them by international mail. This type of work usually lasts a month or two, until the local police step in.


When participants receive goods or money, they use long-known criminal practices to legalize the loot. For example, money can be exchanged into a convertible currency (usually dollars); goods (usually electronics) are sold directly to buyers or to second-hand stores. Of course, currency exchange offices and shops that buy such items should have mechanisms to detect illegal transactions, but these are either ignored or bypassed by employees acting to the detriment of the organization. A third party then transfers the money to the organizers of the entire operation.

While those working as money mules can be caught and some of their profit seized, much of the income – like the brains of the entire operation – remains elusive.

In the next step, fraudsters use "classic" criminal methods to launder money, such as buying jewelry, metals (cash is still often preferred in this business), or buying and selling casino chips.

If the money remains non-cash in further transfers, companies operating around the world as a front are involved in the process. Such companies are usually located in countries that do not strictly control financial transactions or have strict laws protecting the secrecy of money transfers. The origin of the money is obscured by successive transfers that involve breaking it down and exchanging it into different currencies. These companies are not necessarily entirely illegal.

Cryptocurrencies have recently joined the money laundering toolkit. Cybercriminals use them because users do not have to provide personal information to complete transactions. However, cryptocurrencies are not ideal for money laundering: because user anonymity is coupled with blockchain transparency, withdrawing the funds requires multiple transactions. For example, in 2018, Lazarus spent four days breaking into a cryptocurrency exchange, withdrawing $30 million from it, and then making 68 transfers between different wallets.

Practical advice

As you can see, cybercriminals have created complex, multi-stage money laundering systems in which they juggle accounts, companies, legal forms, currencies and jurisdictions – all in just a few days, during which some companies don't even know they have been attacked.

Therefore, banks should take matters into their own hands and create a cybersecurity infrastructure that minimizes the chances of hacking and hijacking financial systems.