Money Laundering via Computer Compromise Targeting U.S. Elderly
Malware or RAT Download to Further Cryptocurrency Theft and Money Laundering
This activity is based on reports of elderly victims being exploited for money laundering or funneling purposes. The exploitation begins when the victim downloads malware or a RAT onto a computer, which then gives the scammers access to the VASP account (see graphic). It is also based on prior incidents of cyber criminals targeting elderly victims using a combination of social engineering and computer intrusion to collect personally identifiable information (PII) to facilitate the conversion of wire fraud proceeds to cryptocurrency.
- More than $330,000 was deposited, used to purchase Bitcoin (BTC), and then transferred to private wallets. An investigation traced the funds to private wallets and peer-to-peer exchanges associated with high-risk trading and fraud activity. An investigation concluded the account was used for money laundering purposes based on several factors, including the download of some type of RAT, allowing the scammers to access the victim’s account or their computer. This bypasses the need to interact with the account holder when logging in to the account.
- More than $415,000 was deposited, used to purchase BTC, and withdrawn to unknown external wallets. An investigation concluded the account was used for money laundering purposes based on several factors, including the download of some type of RAT, allowing the scammers to access the victim’s account or their computer, which bypasses the need to interact with the account holder when logging in.
- Unknown cyber actors used cyber intrusion techniques together with social engineering tactics to gain access to the personal computer of an elderly victim, obtained the victim’s PII, and tricked the victim by phone into wiring more than $96,000 to an identified VASP. The unknown actors then facilitated a wire transfer to immediately convert the $96,000 into cryptocurrency. The actors then withdrew the cryptocurrency and placed the funds into a private wallet address.
These indicators should be observed in context and not individually.
- Opening of a virtual asset service provider (VASP) account by an individual over 65 years old (and in combination with one or more of the additional indicators below):
  - An unusual number of bank accounts added to the VASP account,
  - The maintenance of a fiat-to-cryptocurrency one-way trade platform,
  - Email addresses associated with a VASP account that differ from those associated with victim bank accounts,
  - Internet protocol (IP) addresses accessing the accounts that do not match the account holder’s state of residence,
  - Individual attempting to open an account submits a photo of their driver’s license or other identification document taken against a white background (rather than a more random background) to ensure identification details are clear and to make it less likely for the VASP to decline the application,
  - Use of a virtual private network, TOR, or other IP address anonymizing software to access the account, and
  - A victim downloading malware or a Remote Access Trojan (RAT) to give fraudsters remote access to the VASP account.
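The "in context and not individually" rule above can be expressed as a review check on a VASP's own account records. The following is an added example, not part of the original advisory: the record fields, the bank-account threshold, and the reading of "one-way" as fiat in, crypto out with nothing returning are all assumptions, and the ID-photo and malware-download indicators are left out because they need other data sources.

```python
from dataclasses import dataclass, field

# Assumption: the advisory says "unusual number" but gives no figure.
UNUSUAL_BANK_ACCOUNTS = 3

@dataclass
class VaspAccount:
    """Hypothetical account record; every field name is an assumption."""
    holder_age: int
    holder_state: str
    vasp_email: str
    bank_emails: set
    linked_bank_accounts: int
    fiat_deposited: float
    crypto_withdrawn: float
    fiat_withdrawn: float = 0.0
    crypto_deposited: float = 0.0
    logins: list = field(default_factory=list)  # (geo_state, via_anonymizer)

def additional_indicators(a):
    """Names of the additional (non-age) indicators this record shows."""
    hits = []
    if a.linked_bank_accounts > UNUSUAL_BANK_ACCOUNTS:
        hits.append("many_bank_accounts")
    # One-way flow: fiat in, crypto out, nothing ever coming back.
    if (a.fiat_deposited > 0 and a.crypto_withdrawn > 0
            and a.fiat_withdrawn == 0 and a.crypto_deposited == 0):
        hits.append("one_way_fiat_to_crypto")
    if a.vasp_email.lower() not in {e.lower() for e in a.bank_emails}:
        hits.append("email_mismatch")
    if any(state != a.holder_state for state, _ in a.logins):
        hits.append("ip_outside_home_state")
    if any(anon for _, anon in a.logins):
        hits.append("anonymizer_used")
    return hits

def needs_review(a):
    """Age over 65 only matters together with at least one other indicator."""
    return a.holder_age > 65 and len(additional_indicators(a)) >= 1

# Constructed sample records, not real cases.
SAMPLES = {
    "elderly_flagged": VaspAccount(72, "OH", "new@example.net", {"owner@example.com"},
                                   5, 330000.0, 329000.0, logins=[("OH", False), ("NV", True)]),
    "elderly_ordinary": VaspAccount(70, "TX", "owner@example.com", {"owner@example.com"},
                                    1, 2000.0, 0.0, logins=[("TX", False)]),
    "younger_vpn": VaspAccount(34, "WA", "me@example.org", {"me@example.org"},
                               1, 500.0, 500.0, logins=[("CA", True)]),
}
for _n, _a in SAMPLES.items(): print(_n, needs_review(_a), additional_indicators(_a))
```

The younger account shows three indicators but is not escalated by this rule, because the advisory ties them to the age condition; a real program would route such accounts through its general fraud controls instead.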