That's a timely question in the cybercrime underground following the Department of Justice's announcement last week that it had shut down -- after an 18-month investigation -- online payment service provider Liberty Reserve in Costa Rica. Prosecutors have accused the service of laundering $6 billion for 1 million users worldwide, and serving as the bank of choice for the black market, including hackers.
The case "provides something of an update to an old law enforcement adage -- follow the virtual money," U.S. Attorney Preet Bharara said at a press conference last week. "And in this case, we followed it all over the world." Prosecutors said one-fifth of the service's users -- 200,000 people -- are based in the U.S.
Will seized Liberty Reserve systems give prosecutors clues to users' actual identities or any illegal services they may have bought or sold? According to court documents, Liberty Reserve used preapproved vendors -- "third party exchangers" -- that received funds from users via wire transfer. After taking a commission, the vendors would issue "LR" credits to users. Exchangers "operated without significant oversight or regulation in countries such as Malaysia, Russia, Nigeria and Vietnam," Bharara said. Perhaps the money trail stops there; perhaps not.
Thanks to the Liberty Reserve rollup, one self-professed online criminal reportedly lost $300,000. So what alternative will online criminals now adopt? "Even in the underground forums, that isn't clear," Jonathan Leopando, a technical communications specialist with Trend Micro, said Monday in a blog post.
"Gold and Bitcoins have both been mentioned as possible substitutes. Other digital currency services like Perfect Money have been mentioned as well," he said. "Coincidentally, some of these services have explicitly banned users from the U.S., perhaps in an attempt to shield themselves from U.S. law."
Thought exercise: How would you buy and sell cybercrime services online? And when weighing cybercrime risk versus reward, to what extent would you trust services that billed themselves as offering anonymity or untraceability?
For starters, avoid PayPal, as illustrated by last month's arrest of New York Police Department detective Edwin Vargas, 42. Vargas is charged with hiring a service to provide him with login credentials for 43 email accounts, 21 of which related to current or former NYPD employees, at a cost of between $50 and $250 per account. Vargas was reportedly spying on an ex-girlfriend -- and fellow NYPD employee -- with whom he'd had a child.
Investigators told The New York Times that while investigating a hacking-for-hire service in Los Angeles, they discovered evidence that some email accounts for NYPD personnel had been hacked over a two-year period. (Reached by phone, a spokeswoman for the Manhattan U.S. Attorney's Office declined to comment about whether the Vargas case is tied in any way to the Liberty Reserve investigation.) By October 2012, investigators said they'd followed a money trail back to Vargas.
Then again, Vargas would have served himself up on a platter to investigators, since one "proof of payment" he allegedly sent to hackers for services rendered was a PayPal receipt that listed his name, billing address and Yahoo email address. According to court documents, the Yahoo account was created via an IP address that was also used to access the illegally obtained email credentials.
Is the Vargas case an outlier? Arguably, today's most successful cybercriminals -- the ones who never get caught -- practice more advanced techniques for masking money trails. But what might they be?
One option is to use wire transfers, but incoming money would need to be collected in person, thus leaving the attacker exposed to a police sting. Furthermore, buyers might balk at using a payment technique that leaves them no recourse for reimbursement if the advertised service isn't delivered.
Another option, practiced by ransomware scammers, is to require victims to "unlock" their PCs by purchasing a MoneyPak voucher and forwarding the redemption code to the attacker. But as security reporter Brian Krebs has noted, converting these vouchers to cash, at scale, is tricky, especially without using credit card or PayPal accounts, all of which can be traced. Instead, one recent cash-out service appeared to be attempting to launder the funds via a legitimate U.S. betting website and may have moved $7 million to date, earning a 60% commission along the way, Krebs found. But people wielding ransomware -- and its fake warnings of FBI fines for downloading child pornography -- are making themselves targets for U.S. investigators.
A decentralized digital currency such as Bitcoin is another option, but it's likewise a high-profile target. Anyone want to bet that the National Security Agency is working overtime to find ways of tracking digital currency money trails, since such currencies could be used to launder funds for terrorism?
On balance, times appear to be tough for cashing in on cybercrime.