SWIFT: New report reveals how cyber attackers ‘cash out’ following cyber heists

SWIFT and BAE Systems Applied Intelligence published a new report titled “Follow the Money,” that describes the complex web of money mules, front companies, and cryptocurrencies that criminals use to siphon funds from the financial system after a cyber-attack.

The report highlights the ingenuity of money laundering tactics to obtain liquid financial assets and avoid any subsequent tracing of the funds. For instance, cybercriminals often recruit unsuspecting job seekers to serve as money mules that extract funds by placing legitimate sounding job advertisements, complete with references to the organization’s diversity and inclusion commitments.

They use insiders at financial institutions to evade or undermine the scrutiny of compliance teams carrying out know-your-customer (KYC) and due diligence checks on new account openings. And they convert stolen funds into assets such as property and jewelry which are likely to hold their value and less likely to attract the attention of law enforcement.

Lazarus group suspected of $81-M Bangladesh bank heist persists in attacking banks globally

Data protection ranks as top security issue for businesses in SEA

“The threat posed by cyber-attacks to the financial sector has never been greater,” said Brett Lancaster, head of the Customer Security Programme at SWIFT. “Attackers are well-resourced, constantly evolving their modus operandi and using untraceable money laundering techniques.”

Money laundering

SWIFT commissioned BAE Systems to investigate this element of the money laundering process as part of its Customer Security Programme (CSP). The CSP continually helps the financial community to strengthen its cyber defenses through a range of measures including mandatory controls, intelligence sharing, and thought leadership. Although there has been much research into the methods that cybercriminals use to conduct attacks, there has been less investigation into what happens to funds once they have been stolen.

BAE Systems is a British multinational defense, security, and aerospace company.

The report’s objective is to give light to the techniques cybercriminals use to “cash out” so that SWIFT’s global community of over 11,000 financial institutions, market infrastructures, and corporates can better protect themselves.

SWIFT is a global member-owned cooperative and the world’s leading provider of secure financial messaging services.

The report found that cybercriminals tend to focus on textile, garment, fishery, and seafood businesses to obfuscate funds. They find it easier to operate in parts of East Asia where less stringent regulations make it easier to conduct their activities.


While the number of identified cases of money laundering through cryptocurrencies is low so far, there have been a couple of major incidents involving millions of dollars. Digital transactions are appealing because they are conducted in a peer-to-peer manner that circumvents the compliance and KYC checks conducted by banks, and often requires only an e-mail address.

The method chosen by cybercriminals to cash out and spend the stolen funds is indicative of their levels of professionalism and experience. Some inexperienced criminals have immediately made extravagant purchases drawing the attention of law enforcement agencies and leading to arrests.

“The activity from cyber criminals and gangs across the world is estimated to result in over $1.5 trillion in annual losses,” said Simon Viney, Cyber Security Financial Services Sector lead at BAE Systems Applied Intelligence. “As technology and criminals’ techniques evolve at a rapid pace, so will the need for institutions, both private sector and law enforcement, to collaborate and maintain awareness of evolving money laundering techniques, in order to reduce the opportunities for threat groups to benefit from committing high-value cyber heists.”

Categories: Uncategorized

Tagged as: , , , , ,