What do hackers do with their stolen money? Turns out they like brick-and-mortar businesses

Everyday businesses, from dating sites, cafes, and restaurants to taxi services, represent potential investments for cybercriminals. They often channel stolen money into brick-and-mortar and online companies.
Cybercriminals like to own businesses that you can visit, according to a report by the cybersecurity company Sophos. They often invest in a variety of online and brick-and-mortar businesses, including restaurants, retail shops, real estate, education services, and even cybersecurity companies.
“Turns out, threat actors increasingly operate a wide and growing variety of online and brick-and-mortar businesses to launder the ill-gotten proceeds of their activity,” the Sophos X-Ops researchers said.
The researchers examined thousands of posts discussing money laundering and real-world opportunities.
They “discovered a dark underbelly of fraud, theft, money laundering, shell companies, stolen and counterfeit goods, counterfeit currency, pornography, sex work, stocks and shares, pyramid schemes, gold, diamonds, insider trading, construction, real estate, drugs, offshore banking, money mules, smurfs (people hired to conduct small transactions in order to launder a larger amount), tax evasion, affiliate advertising and traffic generation, restaurants, education, wholesaling, tobacco and vaping, pharmaceuticals, gambling – and, believe it or not, cybersecurity companies and services.”
The investigation into online criminal forums dedicated to what threat actors call ‘legal business’ reveals that cybercriminals operate well beyond hacking and malware. The hackers are driven by the need to diversify, increase profits, and avoid disruption when their cyber operations are eventually taken down.
In 2022, a founding member of the LockBit ransomware group admitted to vx-underground that they own three restaurants in China and two in New York. The gang’s infrastructure was later disrupted by law enforcement.
“We observed various forum threads about shell companies. Topics ranged from basic questions (how to find someone to sign on as director/shareholder, how to use a lawyer to set up a shell company, or the best jurisdictions to create one) to more elaborate schemes,” the Sophos report reads.
Threat actors look for information such as how to set up a shell company in North Korea, clean cryptocurrency, use a Limited Liability Company (LLC) as a “shipment front”, create anonymous companies or multi-layer structures with trusts, recommendations for the best jurisdictions for shell companies, and related services.
Additionally, they use offshore banking and “no questions asked” consultants, sharing common mistakes and other guides.
“We saw several posts about mule recruitment. Among the topics were general questions about where to find mules (answers included Craigslist or Facebook Marketplace); or how to move money from one specific country to another,” the researchers said.
In one example of a more elaborate scheme, a threat actor seeks to recruit people in Finland to work with bookmakers or casino operators to transfer Russian rubles from one person to another, using crypto.
“We found several guides on cashing out and money laundering, many of which were well-written, detailed, and sophisticated,” Sophos X-Ops researchers noted. “We observed guides on how to find lawyers and accountants willing to help criminals launder money.”
Hackers who share tips on these forums seemingly avoid expensive purchases or flashy parties – the exact opposite of the behavior exhibited by some ransomware actors.
Some threat actors even complained about having too much legitimate money in the banking system and looked for US-based business accounts and a physical office presence.
Sophos' report is the first in a series of five detailing how cybercriminals blend into legitimate sectors, making it harder to trace and disrupt their operations.