Recorded Future analyzed current data from the Recorded Future® Platform, dark web, and open-source intelligence (OSINT) sources to review money laundering services within underground sourcing and the methodology and operations used by threat actors. This report expands upon findings addressed in the first report of the Insikt Group’s Fraud Series, “The Business of Fraud: An Overview of How Cybercrime Gets Monetized”.

Executive Summary

Money laundering services within the dark web facilitate a combination of activities through which threat actors can conceal the origins of their money, transfer cryptocurrency, have funds sent to a bank account or payment cards, or exchange to physical cash via online payment solution platforms like WebMoney or PerfectMoney. Many of these services are linked to the use of cryptocurrency and rely on other mixing services to tumble funds and help threat actors remain anonymous when transferring them. Peer-to-peer (P2P) transactions are a convenient alternative to traditional financial platforms, with support for platforms such as Venmo being touted as key features within popular underground services.

Key Judgments

• Dark web money laundering services facilitate a multitude of combinations through which threat actors can clean their money and can transfer cryptocurrency into virtual currency, have funds sent to a bank account or payment cards, or exchange to physical fiat currency.
• Money laundering services referenced within underground sources over the past year have consistently relied on money mules, cash-out requests, exchangers, or mixers to succeed.
• Despite a high volume of arrests and takedowns of money laundering services or services that support laundering activity over the past year, underground actors generally appear disinclined to cease laundering operations they likely continue to deem profitable.
• Cybercriminals are likely to adopt new technologies such as NFTs and other laundering techniques in response to law enforcement action and growing private sector awareness of their activities.
• Ransomware operators likely use the multitude of dark web money laundering services operated by threat actors on well-known cybercrime forums such as Verified. Bitcoin is likely to continue to be the most widely used cryptocurrency in ransomware and laundering operations.

Editor’s Note: This post was an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.