You may have heard about the Panama Papers, documents from a Panamanian law firm that revealed politicians, businessmen, and prominent individuals from countries all over the world were using offshore companies to cut their tax bills. It occurred to us to ask: Do cybercriminals avail themselves of these services? Our research revealed that ads for offshore banking can also be found in underground forums. Offshore companies in Panama, the British Virgin Islands, and the Dominican Republic are used to hide the proceeds from cybercrime.
How did we learn about these? Once we heard about the Panama Papers, we decided to check our sources to see if we could find anything related to shell companies in the various underground communities we monitor. At the end of the day, the same person who is trying to infect your computer and/or impersonate you is getting tons of money from victims all over the world. Are cybercriminals using offshore companies to hide their ill-gotten gains? We took a closer look.
Shell companies have been popular for some time now. Their purpose is clear: to allow individuals to operate outside their home countries, hide their real identities, and make funds inaccessible to tax agencies. Cybercriminals have been using money-laundering services to move funds around without raising red flags, so offshoring funds should be a no-brainer for them.
A quick look in underground communities revealed a variety of ads promoting money laundering in offshore countries. Several players on these underground forums offer off-the-shelf services to set up offshore shell companies.
What do these ads offer? They will set up a fake company for you, which will have a named representative. They will handle all paperwork and open bank accounts, and you will receive a set of credit cards. Here is what one can expect as part of this offer:
- A person or company will be named as the nominal owner of the cybercriminal's new offshore company.
- A "trust" agreement will be signed, specifying that the nominal owner is not in control of the assets of the offshore company.
- A set of banking accounts in the offshore country will be registered to process any funds.
- False monetary transactions will be carried out on these accounts to prove that the company is alive.
- A set of credit cards tied to the bank accounts will be provided.
- A formal WebMoney (WM) passport which binds these cards to WM wallets will be given to the "customer." Although it is a legitimate financial service, WebMoney is often abused by cybercriminals to illegally move money around.
A good example of these ads is from a vendor nicknamed A6. He offers a full range of services from money laundering to offshoring accounts.
Figures 1 and 2. Posts from A6 advertising his services, claiming 10 years of experience
When we compared the offshore account offerings to simple money-laundering services, we found big differences. Money-laundering ads usually offer money exchange services, as well as pickup/store/placement. For instance, a user named Seva has been offering these services since 2011. He is even considered one of the most reliable sellers in the underground market. His activity log includes hundreds of thank-you notes for "great and fast service." One poster claimed to have laundered millions of dollars via Seva's services.
Figure 3. The official banner for money exchange services by Seva
Figure 4. The page where users post "thank you" to Seva
Figure 5. One of the "thank you" posts
Most of the offshoring services found on German and Russian underground forums seem to use companies located in Panama, the British Virgin Islands and the Dominican Republic. Apparently, these three countries are the most requested offshore locations in the cybercriminal community.
We have not seen much user feedback about these offshoring services on underground communities. This may be because cybercriminals who move a lot of money are already customers of these services, but want to behave in a discreet manner and so don't provide feedback. On the other hand, beginners and other small players don't need these and use simpler money-laundering services instead.
Based on what we've seen, it's clear that some cybercriminals are also offshore account holders. This is a good thing to keep in mind if you're interested in the topic. We certainly are.