Underground Financial Networks

Tuesday, June 26, 2012

gaToMaLo r. amores


gATO wanted to find out more about the underground financial network and these are some of my findings. Once again this is from the black underground, so little kittens (gAtIcO’s) do not try this at home...

Reloadable Debit Cards - Basics

Greendot and other Reloadable debit cards can be used in an attempt to allow for anonymous financial transfer between customers and vendors. Vendors need to cash money out. They can accomplish this by setting up Greendot cards with stolen identities and getting them shipped to mail boxes set up with fake identification cards. Customers need to load money in. They can do this by going to any store that sells Greendot.

Summer is here so plant your money garden – mAyBe -sI -nO paks. Customers merely hand the clerk some cash and in return get a cardboard card with a load number on it. The customer can transfer this load number to the vendor via an encrypted and anonymous channel. The vendor then applies the loaded funds to the card via the internet. The loaded funds can then be cashed out at an ATM.


These cards should be viewed as financial networks. The financial information consists of the traffic and the cards are the nodes. Reloadable debit card networks have a high degree of cross network contamination.

One additional network involved is the mail system, the vendor is required to have the card shipped to a physical mail box. This may not be particularly risky due to the fact that it is unlikely the card is being watched at this point as no customers are aware of it yet. However it is important for vendors to remember that the reloadable debit card company will keep their box information on record.

Another network the vendor needs to utilize is the telecommunications network. Vendors are required to talk over a telephone to activate the card. The risk inherent in this can be minimized if the vendor uses a burner phone. Vendors are also required to make an initial visit to a store in order to obtain their temporary card prior to being mailed one.

They will likely be recorded by CCTV cameras. Customers also have to worry about CCTV cameras as they must hand money to a clerk in a store. Customers can not take adequate measures to disguise their identity during this process as there is direct human interaction.

Reloadable debit cards have a distinct disadvantage of being highly centralized. Vendors tend to have many customers send funding to a single centralized card. This means that a single compromised customer can compromise the Greendot card of the vendor. The only way to prevent this is for the seller to use multiple Greendot cards, one for each customer to be perfect. This is not very feasible.

If a malicious customer identifies the card of a vendor it is possible for network analysis to map out the financial network involved with this buyer. Records are kept of funds being transferred from a reload pack into a cash out card. The time and location of reload pack sales that are used to fund cash out cards can be determined.

A single compromised customer can use this information to gather video surveillance of every single person who has loaded funding to the card of the seller. This may not hold up as evidence by itself but it is strong intelligence indicating that a person who has sent funds to a vendor is in fact a drug customer.


Greendot and other Reloadable debit cards are not a safe means of conducting anonymous financial transfer. The financial networks created by these cards are very prone to network analysis. There is an unacceptable amount of cross network contamination for vendors. The load points for introducing finances into the network are also under too much surveillance.


Customers can out source the purchase of reload moneypaks. Good solutions may include utilizing bums and transients.

Vendors should avoid Greendot type reloadable debit cards. If they are used they should be highly compartmentalized (different cards for different groups of people). Compartmentalization is not possible in all cases though. Remember, if a single customer is malicious they can compromise the entire compartment. This puts customers at risk as well!

Greendot cards are prone to being frozen. Triggers include typical patterns associated with narcotics trafficking; cashing out very soon after cashing in, getting payments from diverse geographic areas (geographic based compartmentalization of customers is suggested), particularly large amounts of money going through a card in a short period of time etc.

WU/MG Basics

Western Union and Moneygram money wires involve a customer sending funds to a vendor over the WU or MG financial network. Customers must go to a location that offers one of these services and hand money to a clerk. Depending on the country of the customer they may be required to show identification for any amount of money.

In all locations identification must be shown for amounts of money over a certain limit, usually $500 or $1000. Customers fill out forms that are specially designed for gathering fingerprints and are usually under video surveillance.


Despite their many short comings WU and MG both offer substantial benefits over reloadable debit cards. It is easier to use multiple pseudonyms for pick up from these services, the number of pseudonyms you have is limited only by the number of fake ID cards you can get. Unlike with Reloadable debit cards vendors are not required to use stolen identities.

They are also not required to set up mail boxes or make telephone calls (WU). The ability to easily use multiple pseudonyms makes it easier to decentralize and compartmentalize the financial networks. If a different fake ID is used for each customer, a single malicious customer will not be able to map out the entire network based on transaction records.

It is possible that a single malicious customer could use video surveillance and facial recognition to tie a multiple fake ID pseudonyms to a single person. After identifying the vendor in a single transaction facial recognition could identify them every time they send funding, even if they use a different fake identification document. This attack is possible but it is not likely to be used against drug traffickers at the current time.

One of the primary disadvantages of WU and MG is the fact that there are a limited number of locations a vendor can cash out from. Customers know the rough geographic area a vendor will pick up the wire from because when sending a WU or MG the city of the vendor must be listed on the form.

This allows for surveillance teams to stake out a number of possible locations the pick up may be made at. These surveillance teams can be alerted when the target attempts pick up and then move in on the target. This risk is much smaller with Greendot cards because Greendot funding can be taken out from a large number of ATM’s distributed through out a wide geographic area.


WU and MG have a substantial benefit over Greendot in that they can be used for funding E-currency. E-currency can dramatically increase the security of a financial transfer.

Customers and vendors can and should use fake identification to counter the record keeping of transactions. Even if a vendor is legitimate customers may be flagged if they send large sums of money with their real identification.

In some cases question and answer can be used to remove the need for identification. If this is allowed or not is highly dependent on the particular area of the customer/vendor

Wearing gloves or avoiding finger contact with the forms can countermeasure leaving fingerprints. Using stencils to fill out the forms at a private location can counter hand writing analysis. However, video surveillance is something that can not be countered.

Note: Forms are designed to pick up fingerprints

E-currency Basics

Traditional E-currency systems (LR, PX) are relatively complex systems of financial transfer involving many companies. Usually an E-currency system is structured as follows; a main digital gold company stores gold bars in a vault and creates audited cryptographically secure digital currency units.

The main E-currency company runs a website that allows owners of the currency to manage their accounts as well as send and accept funding. Usually the main E-currency company is not interested in selling small amounts of currency. The main E-currency company will usually only sell large amounts of digital currency to exchanger companies. Average users of E-currency systems only deal with exchangers and use the main digital currency company only to manage their accounts.

E-currency exchangers are located around the world and they accept payment in various ways according to their own policy. Usually E-currency exchangers have no affiliation with the main E-currency company. Some exchangers are even scammers so be careful who you work with!

To load E-currency first you need to set up an account with the parent company. It is free to do this and usually requires no identification at best or at worst easy to forge identification. You should make sure to protect your anonymity when you set up E-currency accounts, at the very least you should use Tor or similar technology to protect from network forensics. Make sure the E-mail data you register with is no tied to you in anyway and was also obtained anonymously.

After you have your account set up you will be given a number which can be used to transfer currency to your account. Now you need to set up an order with an exchanger, it is suggested that you use offshore exchange services. How the exchanger accepts funding is totally up to their policy, many accept western union and some accept cash in the mail. After the exchanger gets the funding you send them they will transfer E-currency to your account minus a transaction fee.

From here you can either send the E-currency to a vendors account or you can cash it out and have it sent to a vendor via another method through another exchanger. Exchangers cash in and out meaning you can not only buy E-currency from an exchanger for cash but you can also sell E-currency to an exchanger for cash.


E-currency can be seen as similar to a financial multi-hop proxy, the first hop being the exchanger and the second hop being the E-currency company. This can add jurisdictional complication to financial network analysis attacks. You must make sure to follow normal operational security procedures when using E-currency, for example make sure to use anonymizers when interacting with the digital website and use fake identification for loading currency if possible. E-currency can also be used to create highly decentralized overlay networks, further adding to security of both customers and vendors.


If a vendor accepts WU but not E-currency customers can use E-currency to send WU. After loading E-currency merely cash it out via another exchanger to the WU details of the vendor.

Vendors can decentralize their financial networks by creating new E-currency accounts for each customer. Although this is time intensive the benefits are very extreme and it is highly suggested. If every customer is presented with a different E-currency account it will make it impossible for financial intelligence to map out customer networks. A malicious customer only knows the E-currency account they sent payment to, since no other customers sent payment to the same account the malicious customer gains no useful intelligence.

Vendors can appear to accept any payment method an exchanger offers while actually layering the funding through E-currency accounts. When a customer places an order merely set up a request for funding with an E-currency exchanger and then present the customer with the funding information of the exchanger. The exchanger gets the funding from the customer and then puts it into the vendors E-currency account. This allows vendors to accept payment to any location they can find an exchanger in.

E-currency can be layered through multiple accounts prior to cashing out. It may be difficult for a legal team to prove an account that cashed out marked E-currency belongs to the same person who was sent the E-currency in the first place.

Online E-currency casinos can be used to cheaply add more jurisdictions to a trace and potentially mix the finances of the vendor with many others. If a vendor loads E-currency to buy digital casino chips and then cashes the casino chips out for E-currency to a new account it will probably make it harder for financial intelligence agents to follow the trail and can unlink accounts from each other.

Trust Networks Basics

Open trust networks are potentially a great way to cash out/in E-currency. Assume that Alice has obtained $10,000 worth of E-currency from her customers. Assume Alice and Bob are in a trusted relationship with each other. Perhaps Bob wants to purchase several thousand dollars worth of E-currency. Rather than go through an independent exchanger Bob may choose to send Alice his cash in return for E-currency. This allows Bob to obtain E-currency with high anonymity and also allows Alice to cash out via a trusted node.

This can present a virtual dead end to financial intelligence teams. If the E-currency was watched they see it go to Bobs account but they do not know who Bob is or how he obtained the E-currency. Even if Bob paid for the E-currency via WU and was on CCTV, the agents will not know where the funding was sent from. Cashing out of this system is eventually required unless the system continues to grow (Open versus Closed). Cashing out of a closed trust network can be done by Bob ordering product from another vendor and then selling it locally.

Borrowed Bank Accounts / Underground ATM cards

Borrowed bank accounts and underground ATM cards are useful for cashing out E-currency anonymously. They are also useful for taking bank wires as a method of payment. You need to be able to get the details of a bank account as well as a skim of the magnetic stripe of the ATM card tied to the account.

If you can do this, you can cash the E-currency out through an exchanger via bank wire to the account you have a card for. You can now cash the money out at any ATM the card is accepted at. If you can get the skim of the ATM card, you can simply encode it to blank card stock for cashing out with.

I suggest not to take money out of the persons bank account unless you put it in. This will reduce the chances that they quickly notice you borrowed their bank account. You could leave extra money in the account as well, the person it belongs to may be less likely to report suspicious transactions if they are afraid they will lose whatever you left behind.

There are various organizations willing to offer ATM cards capable of being funded with E-currency and cashed out with at an ATM. Some of these services are scams and others are legit. Some require identification but these can be countered with fake documents.

Mule Networks

Mule networks can be used to help cash out funding. Obtaining a mule network is a difficult and time consuming task. The most common technique is to offer ‘work at home’ job offers. People accept the job offer and are led to think that they are working for an official company when in reality they are merely picking up money and sending it on.

It is expensive to fund these networks and only very realistic for large vendors. It is possible that feds will accept such offers in an attempt to perform human sybil attacks on the networks formed.


Bitcoin is a newer type of decentralized digital currency. The underlying system of Bitcoin is quite complex and difficult to summarize. It is suggested that you go to the bitcoin[1] website and learn about the system. There are various ways to anonymize Bitcoin transactions.

As of 2011 June 14, bitcoins trade for approximately 20 US dollars per coin. A combination of Bitcoin and blind signature digital currency systems is likely the ideal way to cash in and out, however such systems are still largely experimental and developing. Additional laundry systems were available as a hidden services, however they have gone AWOL.

Cross-posted from US Cyber Labs

Possibly Related Articles:
Security Awareness
Privacy Money Laundering Debit Cards Financial Black Market Merchants Anonymity vendors Greendot Cards
Post Rating I Like this!
Plagiarist Paganini Excellent article GaTo ... thank you!
mahmoud yassin really its education of new kind black market and underground cards and how this used really i like it we need more in the same subject
Sheila Santos Great article, thanks for sharing
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.