Content warning: Due to the nature of some of the activities we found, this series of articles contains content that some readers may find upsetting. This includes profanity and references to drugs, drug addiction, gambling, pornography, violence, arson, and sex work. These references are textual only and don’t include images or videos.
Following on from the first chapters of our investigation into what cybercriminals do with their earnings, we now examine various forms of business and income generation that are, in threat-actor parlance, ‘grey’ (on the boundaries of legality, and/or of questionable ethics and morality).
We acknowledge that legality can vary depending on jurisdiction. However, the breadth and depth of these activities are such that we have to categorize them somehow, and using the threat actors’ own categories is a logical if imperfect choice.
Key findings of Part 3
- We observed threat actors discussing a wide variety of ‘grey’ business interests on cybercrime forums
- Several of these – including selling spyware and vulnerabilities – may be of concern to the security industry
- Other business interests in this category include traffic generation, pornography, gambling, pharmaceuticals, import and export, drop-shipping, and selling antiques
- Other schemes of note include a proposal to outsource software development to Russian prison inmates, residency permits, and selling intelligence
- In some cases, forum discussions revealed information and images that could potentially be used to track, geolocate, and/or identify threat actors.
‘Legal’ malware and cybersecurity services
Spyware
A user proposed “legally” selling spyware to “pentesters and expensive companies” and asked “if there are loopholes.” Other users noted that “lawyers…are needed” but that “somehow Cobalt [Strike] and others exist.” Other commenters cited FinFisher and NSO Group, and advised the threat actor to contact a lawyer.
Figure 1: A threat actor asks whether it’s possible to “legally sell” malware to “pentesters and expensive companies”
Vulnerabilities
A user posted a thread looking for “a comrade-in-arms” who is “involved in hacking, searching for vulnerabilities, and IT security.” The user, purportedly based in Moscow, explained that they intended to find vulnerabilities in local companies’ networks, contact them, provide proof, “and offer one-time services to put the infrastructure in order or take on ongoing maintenance…our goal is to provide security services and not to extort money.” The threat actor also mentioned that “I don’t set myself the task of blackmailing anyone, extorting money, or causing any damage at all.”
Figure 2: A threat actor seeks a business partner for a vulnerability business
The user claimed that “I accidentally found myself in this situation, raised a lot of money, and got a regular client,” suggesting that the business is already up and running.
Other users noted that “there is nothing white about this, ordinary blackmail…same as how it’s good to beat someone up on the street, and then offer him your karate class.”
Traffic generation
We noted several instances of schemes relating to artificial inflation of traffic, either relating to internet advertising, or to laundering/generating money. Schemes included:
- A user who was receiving $10,000-20,000 passive income from spending $3,000-4,000 on “ads on popular forums and mails to corps”
- A plan to artificially inflate Spotify streams to generate revenue
- A plan to drive traffic to OnlyFans profiles
- “Lead generation” using Facebook
- Registering Telegram accounts “using a bug” to generate passive earnings of 20,000-500,000 rubles a day
- TikTok promotions related to affiliate marketing.
Figure 3: Part of a detailed guide on a method for artificially inflating Spotify streaming revenue; the threat actor claimed to have “roughly successfully mastered it and, one might say, refined it” after finding it “on another forum six months ago”
We also observed a proposal to set up a marketing/advertising agency on a Tor hidden service. While the proposer didn’t make the nature of this agency or its clientele clear, they did refer to “your own service in a dark theme.” This might indicate that the agency would be intended to promote illicit services, particularly those on hidden services.
Pornography
Webcam studios
We observed an investment opportunity (ROI: refund of deposit plus 25% of earnings) to help scale up a webcam studio. The threat actor outlined the costs, explained how advertising would work, and stated that the output would be “English for Western audiences.”
Another webcam studio proposal was from a threat actor who had “5-6 rooms…looking for a franchise or business plans…with approximate calculations.” Some users debated the legality of this (“I read several articles and judicial practice under Article 242 of the Criminal Code of the Russian Federation. It seems difficult to prosecute her for this activity”) and advised speaking to lawyers. Others gave specific advice on how to sign up for affiliate programs for advertising.
Figure 4: A threat actor seeks franchise or business plans “for opening webcam studios”
OnlyFans
We observed several threads on laundering money/diversifying via OnlyFans. Some were focused on low-level laundering and cashing out (“create an OnlyFans account where you upload AI-generated foot fetish porn…you can start buying subscriptions using your stolen credit cards/PayPal accounts”); others on making a profit.
Figure 5: A threat actor outlines a scheme for making “easy money” with OnlyFans
We also noted one threat actor, seemingly a ransomware affiliate, who noted that OnlyFans is a “very good way to launder with local girls, we use for 10-20% of laundering ransom payment but when there is sanctions it’s tough…best to use an LLC formation in America…buy bitcoin with proceeds to bank and you are good.”
Figure 6: A threat actor (possibly linked to ransomware) suggests using “local girls” for laundering money
We observed a detailed proposal about “traffic management” for OnlyFans, Frisk, Fansly, and ManyVids, suggesting “creating copies of powerful porn sites that appear in searches for many keywords.” The post outlined the cost, promotional activities, estimated traffic per day, and more.
Figure 7: Part of a detailed proposal for “investing in traffic management tools for working with OnlyFans, Frisk, Fansly, Manyvids”
‘Camming’
We found a lengthy thread by a user on how they made $2,000 a month “ewhoring” for several years. This included how to deal with gift cards and gifts, how to hide your address from customers, how to make appealing content, tips on reselling content from other models, and how to attract and retain customers.
Figure 8: Part of a detailed post in which a user shares their experience of “ewhoring”
Profiting from pornography
We noted a long discussion about profiting from pornography. This included:
- Advice on how to recruit actors
- Advice on contracts
- Explicit discussions about how “shooting pornography is not a particularly pleasant process”
- Discussions on legality, including references to “illegal methods” and niche and illegal forms of pornography, including bestiality
- An admission from a user that “we are looking for our models, registering them on existing popular webcams and getting a % of their activities”
- Detailed explanations of how affiliate programs and advertising schemes work – including percentages, amounts, payment methods, ROI, and more.
We also observed the following comment:
Often they advertise ‘an online store administrator is required. A sociable girl with knowledge of English.’ Candidates come, they are told that they will become administrators, but first they need to learn how to communicate with people via the Internet, sit in chat rooms, correspond in English, talk, blah blah blah, they are put in front of computers and for about a month they are trampled and they lead to the fact that there is no store, and they have to be porn models. Some people learn this and leave, while others stay.
Some of this information may be the result of insider knowledge; one user noted that they “had talked to the models of this studio, and they told me.”
Gambling
Investment proposals
We observed several gambling-related investment proposals, including:
- A website dedicated to betting on the NBA for residents of the US and China
- A proposal to develop a poker bot similar to the Pluribus AI bot
- An investment opportunity (ROI: 50%) to “build and launch a large-scale Bitcoin P2P betting platform.” As a bonus, the user noted that the forum community would perform pentesting on the platform.
Figure 9: A threat actor seeks funding for their “large scale bitcoin P2P betting platform”
A cryptocurrency lottery
One threat actor shared their experiences of participating in the moonpot.com lottery (where users deposit cryptocurrency into a savings pot, earn interest, and are entered into a prize draw), noting that it’s “like yield farming.” They had won around $2000 so far, and sought other users to add funds to increase their chances of winning (“If you…are afraid that I’ll run away with your money, I’m ready to make a deposit on the forum equal to your transfer”). The user included a screenshot showing the exact amount they won on a specific date.
Figure 10: In a thread explaining a cryptocurrency lottery, a threat actor posts a screenshot showing the money they won on a specific date
Pharmaceuticals
A threat actor noted that “there are many affiliate programs for selling pharmaceuticals in Europe and the US.” They expressed a desire “to open my own warehouse in the EU” and asked for advice on jurisdictions, pitfalls, “how quickly will the cops react…after all, this is the sale of pharmaceuticals without prescription,” and which payment gateway/bank to use.
Figure 11: A threat actor asks their peers various, specific questions about “affiliate programs for selling pharmaceuticals in Europe and the US”
Another user noted that “you can easily transfer pharma from Russia to EU,” and that “cops are not particularly interested in the activities of pharmaceutical hucksters.” This user also stated that “an acquaintance even ordered Xanax from the Czech republic to the Russian Federation.”
Figure 12: In the same thread, other users debate pros, cons, and potential pitfalls
We also observed a vague offer to sell “sports chemicals” (presumably steroids/enhancement drugs) wholesale.
Import and export
Cars
We observed two threads on the import/export of cars: First, a user offered to “bypass customs clearance” and deliver 5-10 cars per week from Europe “at European prices + my interest.”
Second, a threat actor offered “clean supercars/luxury cars…for sale in the US for 50%…with full legal paperwork and certificates of ownership. The cars can be used for reselling/exporting/personal use.”
Figure 13: A threat actor offers “clean supercars” for sale in the US
Goods
A threat actor was interested in getting involved in the “Tajik network of Chinese goods” – “cheap Chinese clothes, shoes and accessories with a markup of 200-400%,” a scheme which is “dominated by the Tajik diaspora.” Other users suggested talking to “drop-shippers” (third-party order fulfilment specialists). One stated “I know where to get counterfeits from different brands…if you’re interested, write to me in PM.”
Another user said: “I was once closely connected to this” and provided extensive, specific details on locations, costs, and how the process works.
Unusual schemes
We observed some unusual import/export businesses, including antique Japanese katanas for sale. The user stated that “scanned copies of certificates and photographs” could be sent on request, “but only if you are really ready to buy.” The user listed six swords, including one from the 15th century. “Everything is confidential, buyer anonymity guaranteed.” The provenance of the swords was unclear. (It’s worth noting that art and antiquities may be attractive propositions for money laundering, particularly given that some well-known auction houses accept cryptocurrency at selected auctions).
Figure 14: A threat actor lists the various antique Japanese katana swords they have for sale
We also noted the following rather cryptic post in another thread: “I’m looking for a person/company to transport goods from Russia to Turkey. Not drugs and not people!”
Miscellaneous schemes
License plates
We found an investment opportunity in a car license-plate manufacturing outfit “in accordance with all the requirements of the traffic police!” Opportunities included a joint share, or a franchise (“I’ll provide a website, a marketing plan, advertising material, accompanying documentation, equipment, and resolution of any issues with the government. Business entry from $20,000”).
Intelligence
We observed an investment opportunity from a known threat actor who claims to be an “intel broker.” The project is “WikiLeaks-inspired” with the aim of “publishing sensitive intel for various political reasons to expose corrupt regimes and to shed light on certain injustices…in addition to all that, to fund my cause and to sustain myself I sell certain sets of unpublished intel as well.”
Figure 15: A threat actor seeks funding for their “Wikileaks-inspired project”
Another threat actor claimed to have “several secrets ready to sell” about the Colonial Pipeline attack in 2021, including “very dark things about corruption with politicians…everything is in documents and screenshots…I ask for this information: 15,000 USD in XMR.”
Prison inmates
We noted one unconventional proposal from a prominent forum user who claimed to be involved in a variety of ‘white’ and ‘grey’ businesses, including construction and real estate. The idea was to outsource software development, hardware manufacturing, and cybersecurity to Russian prison inmates.
This proposal met with some derision (including from one threat actor we suspect from unrelated investigations to be a malware developer), but others suggested that it could work in some cases (e.g., writing crude malware).
Figure 16: A threat actor proposes using prison inmates for “software, information security, gadgets, design”
Interestingly, considering that many forum users use ‘fenya’ (a dialect popular in Russian prisons), some were disparaging about prisoners in this thread. While some users could see merit in the proposal, others thought it would be unfeasible (we noted similarly split reactions to ideas by this same user in other threads).
In this thread, users uploaded three photos of what were purportedly the interiors of Russian correctional facilities. We were able to find two of the photos elsewhere on open source, although the provenance of another was unclear.
Figure 17: An image uploaded by a forum user, possibly showing a room in a Russian correctional facility
Project management
We observed an advert from a “project manager with extensive experience in creating various black and white projects…I’ll help you implement your project at the best price.”
OPSEC: Who they are
During the course of our research we gained an insight into what threat actors tell others they do for a living (we noted a few threads about this across various forums). Answers included:
- Programmer
- IT specialist
- Freelancer
- Unemployed
- Internet advertising
- Sports bettor
- SEO
- Security consultant
Residence permits
We observed several users offering to sell permanent and temporary residence permits and citizenship for various countries, including Poland, Slovakia, Belgium, Portugal, Ireland, UK, Bulgaria, Romania, Greece, USA, UAE, Cyprus, Malta, and more.
Figure 18: A threat actor offers various residence permits for sale
In Part 4 of this series, we’ll discuss the outright criminal (“black market”) business interests we observed across the five forums.