On October 15, 2020, the DOJ announced the indictment of members of the transnational criminal organization QQAAZZ. According to the indictment, from 2016 to 2019, QQAAZZ provided money laundering services to cybercriminals who gained unauthorized access to victims' bank accounts through computer fraud. DOJ's investigation, which involved law enforcement partners from 15 different countries, found that members of the QQAAZZ network allegedly laundered, or attempted to launder, tens of millions of dollars stolen by cybercriminals from victims in the United States and other countries. For these crimes, 20 QQAAZZ members were charged with conspiracy to launder money.

How does the government allege that QQAAZZ pulled off this money laundering scheme?

QQAAZZ allegedly transferred stolen money received from cybercriminals through hundreds of QQAAZZ-controlled corporate and personal bank accounts in numerous countries. To attract cybercriminal clientele, QQAAZZ advertised itself as a "global, complicit bank drops service" on exclusive, underground cybercriminal online forums.

Allegedly, QQAAZZ's services operated in the following manner. First, cybercriminals with unauthorized access to victims' bank accounts would contact QQAAZZ via a secure instant messaging platform. QQAAZZ would then provide the cybercriminals with the details of a QQAAZZ-controlled bank account to which the cybercriminals could transfer victim funds via electronic funds transfer. Upon receipt of the stolen funds, QQAAZZ either withdrew them, transferred them to other QQAAZZ-controlled bank accounts for withdrawal, or converted them to cryptocurrency using "tumbling" services designed to hide the original source of the funds. Finally, after taking a 40 to 50% fee, QQAAZZ returned the remaining balance of the stolen money to the cybercriminal.

To facilitate this money laundering operation, QQAAZZ coordinated with money mules to register shell companies and open hundreds of corporate and personal bank accounts (using aliases, false identification documentation and, sometimes, true identities) at financial institutions around the world. Corporate bank accounts were used to receive larger amounts of stolen funds without raising the suspicion of bank officials, while personal accounts were used to more easily convert stolen funds into cryptocurrency.

Takeaways

The proliferation of complex transnational criminal enterprises has led to the globalization of law enforcement. Here, the investigations into and prosecutions of the QQAAZZ members were only possible due to a large-scale, coordinated effort between law enforcement in the United States, Europol, and numerous municipal law enforcement agencies across Europe. As prosecutors continue to coordinate internationally, the DOJ's Criminal Division has made it clear that crossing international borders will not provide a safe haven for cybercriminals.

It's not just law enforcement that must adapt in response to these cybercriminal enterprises—as cyber thieves become more sophisticated, financial institutions must stay up to date on these evolving threats and fraudulent schemes. To ensure that financial institutions continue to meet their anti-money laundering (AML) obligations, they should incorporate legal and regulatory developments into their ongoing monitoring efforts. This is especially important during the COVID-19 pandemic, as customer onboarding is increasingly conducted over the internet, introducing additional risk and complexities to the customer identification and customer due diligence processes. 

To aid in these efforts, FinCEN recently issued an advisory on imposter scams and money mule schemes related to COVID-19 that provides a list of red flag indicators to help institutions detect, prevent, and report the kind of illicit or suspicious activity carried out by organizations like QQAAZZ. For example, when a customer's personal bank account begins receiving transactions that are inconsistent with expected activity or transactional history—including overseas transactions, the purchase of large sums of convertible virtual currency, or transactions in large fiat amounts—banks should look closely at the account to consider whether suspicious activity exists that would trigger a reporting obligation. Communicating such information throughout banks' organizational structure, including to business lines and compliance functions, will be important as financial institutions continue to adapt to the new business environment.

Questions

For questions about cryptocurrency enforcement, compliance with BSA/AML obligations, or broader investigative and defense issues, please reach out to the authors or any of their colleagues in Arnold & Porter's Financial Services or White Collar Defense & Investigations practice groups.
