Cyber Laundering (Part III) PayPal

Example
BY S B O E H M E ON N O V E M B E R 3 , 2 0 1 2 2 C O M M E N T S

Today we want to use PayPal as an example to show how Internet Payment Services (IPS) work to
defend against money laundering and how actual attacks look like.
For PayPal to operate, it has a comprehensive KYC (Know Your Customer) sign-up system. Which if
someone is to use purely for money-laundering purposes, would think twice. Laundered money
operators try to avoid extensive KYC checks.
In addition to this, PayPal does the following:

All payments in the PayPal system (especially overseas payments) go through an AML (AntiMoney Laundering) check. PayPal can very easily detect multiple payments (velocity checks),
payments made using different financial instruments, payments to multiple people / same
people by multiple people (1-to-1, Many-to-1, 1-to-Many) etc.

The AML setup can easily detect patterns that are common within the money laundering
space.

PayPal is also required to do SAR checks (Suspicious Activity Reports) and report to FinCEN

PayPal also does OFAC (Office of Foreign Assets Control) checks again with Department of
Treasury

It also does CTR (Currency Transaction Report) checks and reports the same.

All of the above aid PayPal in reducing money laundering. Very slow (low velocity) payments or
money laundered is very difficult to stop, but then again on a KYC based system like PayPal, low
velocity based payments, would have a very poor performance on the money being laundered (not
enough would be able to go through without raising suspicion).
Most professional money laundering outfits, first recon the institution they use. By providing on both
end (Remitter/Beneficiary) with genuine transactions (bona fide credentials) and starting low
velocity transactions and slowly increasing the transaction rates till they get flagged. They do this
multiple times to have a thorough understanding of the financial institution / network they are
rummaging through, especially to find out what the threshold levels are.

From PayPals website

As a global financial institution, PayPal is committed to full compliance with all applicable laws and
regulations regarding Anti- Money Laundering (AML). PayPals policy is to prevent people engaged
in money laundering, fraud, and other financial crimes, including terrorist financing, from using
PayPals services.
PayPal has robust policies and procedures to detect, prevent and report suspicious activity. To
comply with OFAC (Office of Foreign Asset Control) requirements, and global sanctions, we screen
our customer accounts against government watch lists. In addition, we may request that you provide
us with documentation to help prove your identity or for business verification purposes. We report
suspicious transactions to the financial intelligence unit in the respective country.
How does this impact me?
As part of our AML procedures, we collect information from you to satisfy our Know Your Customer
requirements. This means that we may request information from you due to a specific identification
requirement or as a result of our watch list screening process. We may ask you to provide
documentation to help confirm your identity or provide additional information regarding your
business. We may also request that you seek pre-approval for utilizing the PayPal service if your
account falls within a high risk compliance category, as listed in our Acceptable Use Policy (AUP).
[1]

Cases
Here are two real life case examples for money laundering on PayPal [2]:
Case study 1: Identity theft and money laundering
A Pay Pal account was opened in a branch of a foreign bank. The account was debited with many
transfers into accounts of a number of beneficiaries (according to order).
Modus operandi of the shady business consisted in changing middle (i.e. from 12th to 17th) digits of
the account, checksums (check digits), names of beneficiaries and their addresses, while the last 9
digits and the bank code (digits from 3rd to 11th) remained the same. There were a few (max. 10)
transfers, the value did not exceed 3000 PLN (equivalence of ca 1000 USD).

After a couple of days, the accumulated funds were wired into accounts of a few organizers or were
withdrawn in cash.
As it was established, the funds originated from the American Pay Pal accounts belonging to different
individuals. Having stolen their identity (identity theft), the criminals opened Pay Pal accounts on
their behalf, then a motion to open a credit line was made on the behalf of victims. Material was sent
to public prosecutors office.
As a result, the bank implemented a system of automatic verification of the beneficiaries accounts in
case of incoming transfers, and this preventive measure forced offenders to change their modus
operandi. The criminals started to open lots of Internet-access accounts in different banks (a recordholder opened 1 main and 261 auxiliary accounts). The accounts were credited with wire transfers
coming from the Pay Pal account. Accumulated funds were transferred into accounts of few
organizers from which were withdrawn in cash.
Follow-up material was sent to the Public prosecutors office. 48 accounts belonging to one of the
criminals were blocked. Police found out that the shady business was organized and controlled by a
person who was a sort of specialist in banking and/or IT systems. The participants lived in the same
district of the town and were well-known to the local police. As for the technical details, the identity
theft crime was committed using botnet.
Source: Poland
Case study 2: Use of digital goods and defrauding their seller in a way that allows
criminals to obtain directly legitimate funds
The victims: a set of Credit Cards holders, an e-payment company, and a VoIP Company
The scheme: Fraudsters own several companies that offer Premium Phone Numbers. They set a large
number of relays around the world, mostly in poorly regulated countries, and they start calling these
relays from zombie PCs, using VoIP accounts funded with fraudulent Credit Cards used through the
e-payment system.
Comments: The calls generate actual revenue for the Premium Numbers providers. These
companies can legitimately assert that they have no ways to check that calls to their destinations are

fraudulent or not. Moreover, if these calls come from all over the world, it is very difficult to find a
commonality.
The e-payment system sees transactions with VoIP providers, but has no way to check if these are
fraudulent or not, beyond its usual anti-fraud checks. And the VoIP Company sees only the relays,
but not the final destinations. If the relaying infrastructure is built prudently enough, there is almost
no risk for the fraudsters to be uncovered.
And as a result, from an ML/TF perspective, we have the proceeds of a crime, the theft of Credit
Cards details, which are transferred to the legitimate economy of a given country without having to
go through the Financial System, and be exposed to its anti-money-laundering controls.