The Authority for the Prohibition of Money Laundering and Terrorist Financing in the Ministry of Justice publishes a broad overview of the area of ransom payments following cyber incidents, and the ways of money laundering derived from them into the misuse of the financial system Cryptographs, examples of reports to the PA, exposure of an economic investigation conducted by the PA, in which tracing of the ransom money led to Iran and may indicate the nature of the attack and more. The review includes “red flags” for use by the financial sector to identify ransom payment cases.
.
The field of ransom attacks is growing as a global phenomenon, estimated at about $ 20 billion a year and growing at an increasing rate in recent years, especially after the outbreak of the corona plague. An analysis of the cases of ransoms in Israel shows an increasing level of sophistication and a significant increase in the extent of the phenomenon in recent years in this context:
- In the past year, the number of cyber attacks has increased significantly (by an estimated up to 7 times), to millions of cyber attacks each year.
- Many of the attacks are aimed at significant targets, with 42% of large businesses in Israel experiencing cyber attacks.
- 91% of victims of online offenses do not report to the law enforcement authorities the cyber attack they have experienced (enforcement in the field is limited in light of the under-reporting phenomenon).
- About 80% of the organizations that decided to pay the ransom demand experienced a ransomware attack (according to surveys by technology and information security companies).
.
In light of this, the Ministry of Justice’s Anti-Money Laundering and Terrorist Financing Authority publishes a review regarding the utilization of the financial system for making ransom payments. The guide presents prominent typologies and practices identified in Israel and around the world as implemented by hackers, including payments in virtual assets (with an emphasis on bitcoin), use of “disposable” digital wallets and service providers in virtual assets, registered in Israel to make payments, including for foreign victims.
The document contains a great deal of information regarding the nature of the ransom payments and the mechanisms of the system, examples of reports received by the Authority on the subject, and an affair in which the Authority conducted an economic investigation into the ransom money paid, led to Iran.
According to the authority’s estimates, in most cases of ransom, the victims try to make transfers of tens of thousands of shekels up to payments of over a million dollars for a single payment to the ransom seekers. The average damage from a cyber attack in Israel indirectly is about half a million dollars per attack. In addition, it is evident that all the ransom payments reported to the Authority in Israel were made through transfers in Bitcoin currency.
.
.
The main ways of operating the transfer of the ransom money identified by the Authority focus on these main patterns of action (typology):
Use by foreign nationals of financial services providers (changers) who are not in the victim’s country, including the payment of ransom payments in Israel by foreigners (without affiliation to Israel); Use of international crypto trading platforms; Use of Money Mules, often by “rowers” who do not know the source and purpose of the transfers; Payment through crisis management companies, insurance companies or attorneys, with / without a full statement regarding the identity of the customer for whom the ransom is paid; conversion of fiat currency into an unsupervised exchange; transfer to “disposable” wallets; use of distributed exchanges (DeFi); and use of cards; Gift and exchange of funds for the purchase of sustainable products. Most of the use is made of virtual assets, which are easy to convert (such as Bitcoin), along with the use of higher anonymity coins, as well as buds for NFT use. Chain Hopping “to blur the path of transferring funds and” removing “them from the ransom event, for example by making transfers between multiple wallets in the same currency; transferring the ransom payment between multiple virtual coins (Chain Hopping) to the point of departure; Virtual in “Mixer”, with the aim of blurring its trajectory and purpose.
.
Red flags:
The document includes a series of red flags for the financial sector to identify activities in the field, including, for example, flags indicating a suspicious wallet address; Transfer to a “one-time” wallet; Use of an intermediary (including use of a crisis management company / cyber company / law firm / insurance company with / without a statement regarding the nature of the action and / or the person for whom the action is performed); exceptional information provided by the client; Lack of familiarity of the customer with virtual currencies; Use of technological means to perform an operation anonymously; Customer’s sense of pressure / urgency; Transfers in cryptocurrencies to high-risk countries including aspects of infidelity; Transfers to countries with which the customer has no financial connection; Use of mixers; Multiple transfers in a short period of time of virtual currencies to a customer’s wallet without an explanation of the source of the funds; Use / conversion for coins with high anonymity; Use of suspicious words in the description of the transfer and more.
.
The head of the Anti-Money Laundering and Terrorist Financing Authority, Dr. Shlomit Wegman-Ratner, said: “The scope of the infidelity attacks is growing very rapidly. This is a phenomenon in which the original offense (extortion) and money laundering that is extorted – overlap and coalesce almost completely. Tracing the ransom money can allow criminals to reach and sometimes even seize the ransom money before it is realized. The Authority’s staff is at the forefront of the global work of conducting economic investigations in the areas of growing and innovative crime, including dealing with the effects of online crime, virtual assets and ransom payments. The Authority analyzes and transmits the financial intelligence it exposes to law enforcement and security bodies for further treatment of the issue, including in the field of virtual assets. “The entry into force of the anti-money laundering regime on virtual assets in Israel expands the circle of financial intelligence available to the Authority, and with the red flags we publish today we expect to have more accurate and quality intelligence that will help us crack more cases in this area.”
.
.
February 15, 2022, published by the Israel Government, Department of Justice, The Authority for the Prohibition of Money Laundering and Terrorist Financing.