Remember those lovable blue cartoon characters, the Smurfs? First created and introduced as a comic strip series of characters by the Belgian artist Peyo (pen name of Pierre Culliford) in 1958, the Smurfs were brought to Belgian television in the early 1970s and then introduced to countries outside Belgium through the full-length feature The Magic Flute soon afterward. Interestingly, the word "Smurf" is the original Dutch translation of the French "Schtroumpf" which, according to Peyo, is a word invented during a meal with fellow cartoonist André Franquin, when he could not remember the word "salt."[1] The characters grew into an international phenomenon during the 1980s after the launch of the children's television cartoon, becoming first an American and then a global sensation. The songs and antics of those little characters may bring back fond memories of childhood for some—they even inspired a popular teen dance in the U.S. during that time. But for professionals who worked in the U.S. banking and Information Technology (IT) business sectors during the go-go 1990s explosion of consumer credit cards and global Internet connectivity, the word "smurf" evokes not-so-quaint connotations.
The slang use of "smurf" is purported to have originated to describe Colombian drug cartels' use of armies of elderly "blue-haired" old ladies to conduct money laundering transactions.[2] To banking and financial service professionals, "smurf" and "smurfing" denote, respectively, a type of low-level money handler and their illicit transactions. Traditionally, smurfs are a group of individuals who have been recruited to either max out or drain stolen credit card accounts, usually at the direction of a higher-level party who stands to benefit from the activity. Individuals or "smurf crews" are tasked to conduct point-of-sale or online retail transactions using stolen physical cards or counterfeit cards created using stolen card account data. The term has also been affiliated with persons known to one another who seek to evade currency transaction reporting (CTR) requirements by breaking up or structuring large dollar transactions into smaller transactions below the reporting threshold.[3] For IT professionals the word "smurf" is likewise associated with sinister activities. In simple terms, a "smurf attack" is a type of denial of service attack in which the attacker sends "ping" (ICMP echo request) messages to a network's broadcast address with the victim's address forged as the source, so that every computer on that network answers the victim at once. The flood of replies creates high traffic on the victim's network, which often renders it unresponsive.[4]
Large-scale global criminal activities involving trafficking and financial crimes of all types grew exponentially during the 1990s, and advances in computer technology magnified the threat to the stability of both the financial services and IT sectors. The convergence of money laundering and computer-based criminal activities is certainly not coincidental, particularly given the potential for large payoffs, the security of anonymity on the Internet, the relative ease of infiltration, and the natural barriers against capture and prosecution despite the risks. Thus, the paradigm of bank robbery changed with technological advances, and the days of physically robbing banks were over.
In hindsight, the phenomenon behind the combination of "smurfing" and "smurf attacks" to perpetrate financial crimes over the Internet was aided in part by the active push by governments and banks worldwide toward more technology-driven, globalized and accelerated financial transaction systems over the last 40 years. Unfortunately, as with any new technology developed throughout human history, advances can yield negative consequences when used to facilitate nefarious activities. Thus, while the 21st century marked the dawn of a technology-based future, "smurfing" and "smurf attacks" became the foundations of a new-age — and arguably more menacing — money laundering technique applied by both individual and organized offenders alike: the "Money Mule" scam. Whereas smurfing was established through credit card theft and fraud, money mules answer to a similar but far higher calling: facilitating coordinated, large-dollar, and often multi-national financial crimes.
According to the U.S.-Computer Emergency Readiness Team (US-CERT), money mules are "people…used to transport and launder stolen money or some kind of merchandise. Criminals may…recruit money mules to use stolen credit card information. Individuals…may be willing participants; however, many…are not aware that they are being used to commit fraud."[5] For discussion purposes, the perpetrator/boss of the money mule scam will be referred to as the "driver," and the end transactor/proxy as the "mule."
The concept and use of mules is not new to criminal activity. The practice was established through drug trafficking techniques decades ago, whereby multiple individuals were (and still are) used to transport narcotics domestically or across international borders in small amounts fractured from bulk transactions. Money mules conduct similar tasks when structuring financial transactions. One process of recruiting and "breaking in" a new mule is simple in form, yet effective, and can work as follows:
- First, prospects are recruited by the driver through job vacancy and "work-from-home" ads using email, print media, Internet chat rooms, or job and temp-for-hire web sites;
- Second, the driver convinces the mule to work for their fake company and may go as far as soliciting personal identifiable information (PII) through official-looking contracts or employment forms;
- Third, once recruited and activated, the mule will receive illicit funds into their bank account;
- Finally, the mule receives instruction to remove the funds from their account and send them to another party (typically a cohort) less a commission (salary), generally using wire or automated clearing house (ACH) transfers.[6]
The extent to which this process is successful has been a direct determinant of the success of large-scale financial crime in the 21st century Internet age.
Herded by both cell-based and individual drivers, cyber-crime mules serve solely to enable the monetization and/or laundering of proceeds derived from criminal activities perpetrated through the Internet. The Federal Bureau of Investigation's (FBI's) "Operation Trident Breach," investigated through 2009 and 2010, was a significant case highlighting foreign nationals recruited as money mules. The victims were U.S. commercial bank customers whose accounts were exploited by international cyber thieves using malware and phishing techniques to successfully steal $70 million of a potential $220 million in funds. The FBI charged upward of 92 individuals and arrested 39, most of whom were young Eastern European men and women who were either planning to travel to, or were already present in, the U.S. on J1 student visas. Once the suspects were in the U.S., the organizers of the mule operation gave the recruits fake foreign passports to open accounts at banks across the country. Then days or weeks after those accounts were opened, other actors in the group would transfer money from victims' accounts into the mule accounts, typically in amounts close to $10,000. Mules then withdrew the funds, typically in amounts below the CTR reporting threshold, collected their 8-10% commission, and transferred the funds overseas. Meanwhile, other mules simultaneously conducted continuous ACH transactions through shell business accounts at high velocities, which resulted in the laundering of the funds.[7]
In this case, the mules bore the immediate brunt of law enforcement response, and although some drivers were captured through international cooperation, the template behind the crime had been laid for others to follow in future exploits.
A more recent large-scale money mule event involved international cybercriminals who perpetrated a global ATM theft in the spring of 2013 where upwards of $45 million was simultaneously drained from hundreds of bank accounts by multiple individuals in 20 different countries over the course of several hours—$2.8 million in New York City alone. In the case of the New York City-based ring, authorities discovered that upon completing their mission, the mules shipped the stolen cash by bus to an individual in Miami, Florida who was to then transport the funds offshore, likely to yet another proxy or the masterminds behind the crime.[8] The participants indicted in the scam were complicit in the crime: ATM security photos detailed the dates, times, and locations of each withdrawal as the team scoured Manhattan for machines to use, and their confiscated cell phones revealed incriminating photos detailing their exploits along the way.
These are just two examples of the complexity and the degrees to which cybercriminals have exploited both financial service and IT internal control weaknesses to maximize financial gains while retaining anonymity to avoid capture by using money mules.
Types of Mules
Whether recruited as willing conspirators in the scam or unsuspecting targets of opportunity for exploitation, money mules are crucial to the successful monetization of ill-gotten gains. In another recruiting scenario, mules pre-identified by the driver as "willing" participants are engaged in the plan from the onset, provided guidance on establishing accounts, and may be outfitted with false identifications. Once prepared and equipped, they may remain on standby until given their marching orders. While the risks to both the driver and mule are many, it is the mule that faces the greatest risk as the transactor of the funds and is thus the party most susceptible to capture and prosecution.
Unsuspecting mules used as one-off pawns may have been herded through recruitment tools employed by the drivers including, but not limited to, work-from-home online, print, or targeted email advertisements and could ultimately become targets of the scam themselves. If bogus job applications were transacted using their PII, mules could fall victim to identity theft in the future should the driver and/or their associates retain and leverage this information for such purposes. Furthermore, these individuals can also suffer additional financial harm if captured by authorities, as their participation in the crime could bar them from future access to banking and financial services.
Finally, wholesale victims of identity theft suffer from both the use of their PII in the scam through the manufacture of false identification documents and the personal financial damage caused by the repurposing of their identities for money mule activities.
Organized Crime Links
It stands to argue that the use of money mules to facilitate financial crimes has increased to the point that their activities can now be loosely tied back to organized criminal syndicates. True to their historic pattern in other exploits, organized criminals actively seek and enter the gaps in industries and markets that promise the highest profit margins and lowest chances of investigation and prosecution by authorities over the long haul. This long-term perspective is important when assessing the emergence of their association with money mules.
First, organized crime groups have a legendary affiliation with gambling, and their involvement in the rise of Internet-based gaming worldwide was inevitable, specifically because this relatively unregulated market promises unprecedented profits with nominal oversight from authorities. Second, with this foothold already well-established over the Internet, the increase in sophisticated cyber-crime achievements has undoubtedly drawn organized criminals' attention, particularly considering the parallels to the freedoms and profits offered by online gaming. Third, whether through direct employment or "general contracting," hackers' capacity to facilitate large-scale identity theft, money laundering, and fraud using "smurf attacks," malware, and money mule networks is a service that organized criminals can easily afford to either develop or retain.
Furthermore, consider cybercriminals' deep ties to former Soviet-Bloc countries and Russia itself. The downfall of the Soviet Union in 1991 left a plethora of highly educated science, mathematics, engineering, tactical military, police, and public sector computer talent with few viable legal options to sustain a general standard of living. As the once closed society struggled to move its economy into the global marketplace, the black market economy and corruption that once underpinned the Communist system continued to thrive to meet the needs of ordinary citizens. Meanwhile, this natural talent pool of black market entrepreneurs and computer experts did not languish; rather, some of these individuals seamlessly transitioned to the lucrative businesses of organized and cyber-crime. Russian criminal syndicates thus simultaneously increased in power as a force within the formal and informal Russian economy, reportedly with the aid of corrupt government officials. Investigations have determined that these organizations have come to appreciate, seek, exploit—and in the case of corrupt officials, protect—the talents of home-grown hackers and cybercriminals, particularly where bank and securities fraud schemes are concerned.[9]
Cyber-crime schemes have also been affiliated with traditional U.S.-based organized criminal groups as well as others based in countries such as Turkey.[10] The extent to which this symbiotic relationship has been successful has not been fully measured to date as data continues to be gleaned from multinational investigations and prosecutions. Only time will tell the true degree to which organized criminals have migrated to the use of cyber-crime. However, given the aforementioned increases in the organization, sophistication, speed, and efficiency of cyber-crimes and the associated use of money mules, the question becomes not whether organized criminal syndicates are a part of the problem, but how deeply they are involved.
Possible Money Mule Red Flags
Although not comprehensive, the following lists possible red flags to the presence of money mule activity at financial institutions:
- Opening of a deposit account with minimal deposit soon followed by large electronic funds transfer (EFT) deposits;
- Suddenly receiving and sending EFTs related to new employment, investments, acquaintances, etc., (especially Internet opportunities);
- New deposit account with unusual amounts of activity (e.g., account inquiries, large dollar or high number of incoming EFTs);
- Incoming EFTs then shortly afterward outgoing wire transfers or cash withdrawals approximately 8–10 percent less than the incoming EFTs;
- Foreign exchange student with a J1 visa and fraudulent passport opening a student account with a high volume of incoming/outgoing EFT activity.[11]
Ongoing transaction monitoring initiatives targeting ATM transactions, automated clearing house and international transaction (ACH/IAT) transfers, and wires should normally trigger alerts and active responses from an institution's Bank Secrecy Act/anti-money laundering (BSA/AML) compliance function. However, indications of the above-listed mule activities should further alert compliance officers to the possible presence of more complex scenarios warranting further investigation. In addition, if a customer's account was unknowingly accessed by the originating transactor, the institution must consider whether their customer could be the victim of identity theft, account takeover, or hacking committed via computer intrusion and whether the incident occurred in the institution or via compromise of the customer's online banking, email, or other computer-based activity. If the customer is a victim of these activities, then the institution's IT support should be made aware of the matter and coordinate with the BSA/AML compliance investigation accordingly, as well as file an incident report with the appropriate regulatory authorities in accordance with SR 05-23/CA 05-10.[12]
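The red flags listed above can be expressed as a simple rule-based screen over an account's transaction history. The following is an added example, not code from the article or from any institution's monitoring system; the account records are constructed, and the thresholds (a 90-day "new account" window, a $100 "minimal" opening deposit, a $5,000 "large" EFT, a 3-day pass-through window, five inflows for the velocity rule) are assumptions a compliance team would tune to its own customer base.

```python
# Added example: rule-based screen for the money mule red flags described in the
# article. All thresholds and sample account data below are constructed assumptions.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Txn:
    day: date
    kind: str      # "DEPOSIT", "EFT_IN", "WIRE_OUT" or "CASH_OUT"
    amount: float


def mule_red_flags(opened, txns, new_days=90, min_open=100.0, large_eft=5000.0,
                   window=3, commission=(0.08, 0.10), inflow_count=5):
    """Return the set of red-flag codes raised by one account's activity."""
    txns = sorted(txns, key=lambda t: t.day)
    flags = set()

    def is_new(t):  # activity inside the assumed "new account" window
        return 0 <= (t.day - opened).days <= new_days

    inflows = [t for t in txns if t.kind == "EFT_IN"]
    outflows = [t for t in txns if t.kind in ("WIRE_OUT", "CASH_OUT")]

    # Red flag: minimal opening deposit soon followed by large EFT credits.
    opening = sum(t.amount for t in txns if t.kind == "DEPOSIT" and t.day == opened)
    if opening <= min_open and any(is_new(t) and t.amount >= large_eft for t in inflows):
        flags.add("MINIMAL_OPEN_THEN_LARGE_EFT")

    # Red flag: new account with an unusual number of incoming EFTs.
    if sum(1 for t in inflows if is_new(t)) >= inflow_count:
        flags.add("HIGH_INFLOW_VELOCITY")

    # Red flag: inflow sent out within days, less an 8-10 percent commission.
    for t_in in inflows:
        for t_out in outflows:
            if t_in.amount > 0 and 0 <= (t_out.day - t_in.day).days <= window:
                retained = 1 - t_out.amount / t_in.amount
                if commission[0] <= retained <= commission[1]:
                    flags.add("PASS_THROUGH_LESS_COMMISSION")
    return flags


# Constructed activity modelled on the pattern the article describes for Operation
# Trident Breach: a token opening deposit, then credits just under $10,000 that are
# withdrawn or wired out a day later minus a 9 percent cut.
MULE_OPENED = date(2010, 3, 1)
MULE_TXNS = [
    Txn(date(2010, 3, 1), "DEPOSIT", 50.00),
    Txn(date(2010, 3, 9), "EFT_IN", 9800.00),
    Txn(date(2010, 3, 10), "CASH_OUT", 8918.00),   # 91% of 9,800 passed on
    Txn(date(2010, 3, 15), "EFT_IN", 9500.00),
    Txn(date(2010, 3, 16), "WIRE_OUT", 8645.00),   # 91% of 9,500 passed on
]
# Constructed ordinary payroll account for contrast: no flags expected.
PAYROLL_OPENED = date(2009, 6, 1)
PAYROLL_TXNS = [
    Txn(date(2009, 6, 1), "DEPOSIT", 2500.00),
    Txn(date(2010, 3, 1), "EFT_IN", 3200.00),
    Txn(date(2010, 3, 2), "WIRE_OUT", 1200.00),
]

if __name__ == "__main__":
    print("mule account:", sorted(mule_red_flags(MULE_OPENED, MULE_TXNS)))
    print("payroll account:", sorted(mule_red_flags(PAYROLL_OPENED, PAYROLL_TXNS)))
```

A hit on any single rule is only an alert for a compliance officer to review alongside the customer's expected activity; the pass-through rule in particular is what separates a mule pattern from an ordinary account takeover wire.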
Investigations may require interviewing the customer to determine the level of their involvement in the transactions in question. When addressing the customer, the institution should consider treating the interaction as a discussion concerning possible suspicious activity, as the customer may or may not be complicit in what could be an account takeover wire fraud scheme that may not necessarily involve mule activity. Even if the customer states that questionable wires are valid, the transaction could still be considered suspicious if it is outside the customer's normal and expected activity, in which case the bank should contemplate filing a suspicious activity report (SAR) should the customer truly be party to a money mule scam.
History will someday consider the dawn of the Internet as one of the most significant technological leaps forward by mankind. Meanwhile, however, the Internet in its current state seemingly facilitates a "Wild West" environment where rules, regulations, and standards have yet to be established, especially from an international perspective. One need only consider the December 2013 mass cyber-theft of over 70 million customers' credit card data and PII from Target retail stores in the U.S. In this case the perpetrators have yet to be identified, and early news bulletins have pointed to the fact that this information was immediately posted on underground "carder" marketplace forums frequented by cyber-thieves around the world who seek to exploit such information for credit card and identity theft purposes. Possible organized crime links to the theft have been mentioned, and other U.S. retailers were also affected.[13] Once this stolen information is put to use, it is inevitable that money mules will be employed to monetize and distribute the bounty. Oh, for the days of "smurfing…."
- McMafia: A Journey Through the Global Criminal Underworld and Dark Market: Cyberthieves, Cybercops, and You, by Misha Glenny
- Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet, by Joseph Menn
- Crime School: Money Laundering: True Crime Meets the World of Business and Finance, by Chris Mathers
- Red Mafiya: How the Russian Mob Has Invaded America, by Robert I. Friedman
Brian Arrington, MBA, CAMS, communications director of the ACAMS Chicago Chapter, examiner with the Federal Reserve Bank of Chicago, Chicago, IL, USA, firstname.lastname@example.org
The views and opinions expressed are those of the author and do not necessarily represent the views and directives of the Federal Reserve Bank of Chicago or the Federal Reserve System.
- [1] The Smurfs Official Website, http://www.schlumpf.com/en/#en/home/?&_suid=511
- [2] "Crime School: Money Laundering — True Crime Meets the World of Business and Finance," Chris Mathers, 2004
- [3] Investopedia, http://www.investopedia.com/terms/s/smurf.asp
- [4] The official CERT Advisory CA-1998-01, http://www.cert.org/advisories/CA-1998-01.html; see also Techopedia, http://www.techopedia.com/definition/17294/smurf-attack
- [5] 2011 US Computer Emergency Readiness Team (US-CERT), http://www.us-cert.gov/sites/default/files/publications/money_mules.pdf
- [6] US-CERT, https://www.us-cert.gov/sites/default/files/publications/money_mules.pdf; see also Financial Fraud Action (UK), https://www.financialfraudaction.org.uk/consumer/advice/money-mule-scams/
- [7] FBI, http://www.fbi.gov/news/pressrel/press-releases/international-cooperation-disrupts-multi-country-cyber-theft-ring; see also FOX News, http://www.foxnews.com/tech/2010/11/22/cyberthieves-human-foot-soldiers-money-mules/ and Krebs on Security, http://krebsonsecurity.com/tag/operation-trident-breach/
- [8] Wall Street Journal, "More Arrests in ATM Cybercrime," November 19, 2013
- [9] "Fatal System Error," by Joseph Menn, and "McMafia," by Misha Glenny
- [10] "DarkMarket," by Misha Glenny
- [11] FDIC Special Alert SA-185-2009, http://www.fdic.gov/news/news/SpecialAlert/2009/sa09185.html
- [12] Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 12/1/05, http://www.federalreserve.gov/boarddocs/srletters/2005/sr0523.htm
- [13] Wall Street Journal, "Card-Theft Code Grew in the Net's Dark Alleys," January 22, 2014