Cyber Criminal Networks and Money Mules: An Analysis of Low-Tech and High-Tech Fraud Attacks in the Netherlands

Abstract

IntroductionMoney mules can be seen as a crucial part of the criminal network. They are of great importance for the core members of these networks because money mules are used to interrupt the trail that may lead law enforcement agencies to the top of the network. Money mules, for example, register bank accounts or businesses under their names, which are actually exploited by the criminal network.Several studies acknowledge the important role of money mules in the diversion of money stolen by cyber criminals who are engaged in financial cyber crimes, such as carding3 or phishing4 attacks (Choo, 2008; Moore & Clayton, 2009; McCombie, 2011;Aston et al., 2009; Soudijn & Zegers, 2012; Leukfeldt, 2014; Leukfeldt et al., 2016b, 2016c). Most of these studies, however, concentrate primarily on the core group of the criminal networks and only focus indirectly on money mules. Empirical studies into characteristics of internet money mules are lacking. Only Aston et al. and McCombie carried out some exploratory analyses of money mules used in Australian phishing attacks.In order to fill this knowledge gap, this paper focuses on money mules who are used by cyber criminal groups that carry out attacks on financial institutions. To gain insight into this group of criminals, which we believe plays a vital role in the crime process; we analyzed unique data from a fraud registration system of a major Dutch bank. We obtained 600 fraud incidents from the period 2011-2013. Based on these data, this paper provides insight into the characteristics of money mules and the way in which this group is used by criminal networks to transfer money from victim bank accounts. More specifically, we present background characteristics, the socioeconomic status of money mules, and the value and number of transactions to money mules.Review of LiteratureThe present study advances the work of Leukfeldt et al. (2016a, 2016b, 2016c). These studies provide insight into the composition, origin and growth, and criminal capabilities of criminal networks carrying out financial cyber crimes. Forty cyber criminal networks were analyzed in the Netherlands, Germany, UK and the US. The Dutch cases provided the authors with information about cyber criminal networks and their members largely as a result of investigative methods such as wiretaps, IP taps, observations, undercover policing and house searches. The authors reviewed the financial cyber crime cases systematically using an analytical framework. In the other three countries, the authors relied on interviews with case officers and public prosecutors involved in the criminal investigations against cyber criminal networks since no police files were available to them. This section briefly describes the main results of these three studies.Criminal CapabilitiesAll networks that were analyzed by Leukfeldt et al. are involved in attacks on online banking. The crime scripts of the Dutch networks have many similarities. Step one is obtaining login credentials from victims. Cyber criminals use phishing e-mails, phishing websites and malware to intercept these credentials. However, in order to transfer money from the account of the victims, so-called 'one-time transaction authentication codes' are needed. Hence, step two is obtaining these codes. Various methods are used to obtain these codes. In some cases, the criminals posed as bank employees and made telephone calls to the victims. In other cases, malware adapted the transaction that victims made without them knowing or being able to see it. Step three is related to the topic of the present study, i.e., transferring money to money mule accounts. Money from victims' accounts is not transferred to the accounts of core members directly. Rather, in order to obscure the trail to the core members, money mule bank accounts are used.5 Once money is transferred to the money mule account, the money is taken out in cash as fast as possible and via various links given to the core members. …