
‘White Label’ Money Laundering Services - panarky
http://krebsonsecurity.com/2014/08/white-label-money-laundering-services/
======
patio11
There's a Bitcoin company which I will elide naming that is, perhaps
unintentionally, a carder cash out bonanza. It will continue being so until
Amazon cracks down.

The gist: the site lets you buy BTC with credit cards, at a substantial markup
to the market price for Bitcoin (10 to 20%). The actual mechanism is by buying
wish listed items on Amazon picked by the BTC "sellers." This lets the sellers
use BTC on Amazon and also get a discount. The site keeps a spread.

Why is this a carder paradise? Because the only reason to ship a random
address a $300 camera for $240 of consideration is the $300 you paid is not
your $300. When the chargeback/fraud investigation comes in, the carder
doesn't have the stolen goods and has no IRL nexus to the crime. They just
have their illicit profits laundered to BTC.

~~~
sanswork
I wouldn't say unintentionally; it is brought up every time I've seen them
discussed. It seems pretty wilful. They always claim they are ok because
Amazon has really good fraud detection and wish list purchases with fraudulent
credit cards aren't held against the user with the wish list.

To me that sounds like a) holding your hands over your eyes to ignore the
fraud and b) like a disaster waiting to happen for anyone that uses the site
regularly and ends up with a few fraudulent purchases sent to them.

Imagine regularly having goods shipped to your house from stolen/fraudulent
credit cards. I see someone having the police show up at their door due to
this site by the end of the year.

~~~
judk
This is inherent in BTC. How can you have anonymous transactions and still
avoid fraud?

~~~
nitrogen
This isn't BTC fraud, it's CC fraud with a traceable shipping address.

~~~
dublinben
The recipient associated with the shipping address hasn't committed any fraud
though.

~~~
sanswork
Best case scenario they get the stolen property taken off them and they are
out the bitcoins. Worst case how do they prove they weren't the buyer?

~~~
dublinben
It's not stolen property though, it's property purchased with (presumably)
fraudulent credit card details. They can prove they're not the buyer, because
the buyer has a completely different name.

~~~
sanswork
It's property that has been sent without payment received. It's stolen.

> They can prove they're not the buyer, because the buyer has a completely
> different name.

It doesn't matter; the fraudulently purchased goods were shipped to your house.
You are in possession of them and you're the person most likely to have
committed the credit card fraud. Either way you are out the property even if
you don't get investigated for credit card fraud.

Do it a few times though and it will be difficult to explain away.

~~~
dublinben
If it ever came to trial, there would be no proof that you'd been the one that
committed the fraud. That's where the burden of proof lies, and there's simply
no evidence.

~~~
sanswork
There would be a lot of evidence though. The fact that on multiple occasions
items purchased with stolen credit cards were sent to you and you had not
returned those items implying you were expecting them.

You'd have to come up with evidence to prove it wasn't you that ordered it and
good luck with that.

~~~
newaccountfool
You're assuming that the buyer (Purchase of say electronics) is aware how the
sellers get their goods, and you're just assuming all items are carded.

What happens if you linked the website on Facebook and people were like "Oh
crap this is cheap" and go buy buy buy. The whole 'if it's too good to be true
it is' isn't going to stand up in court. The prosecution will have to prove
that you knew the goods were fraudulently purchased. Who knows, some people may
use this as a legit alternative to Amazon, thinking all the items are legit
(which they may well be).

~~~
sanswork
I'm not assuming they are all carded. I'm assuming most will be. The discounts
asked for on the site make it stupid for people to buy bitcoin with it with
legitimate cards.

Then they'd likely end up with a bunch of carded stuff too.

As I said before best case situation you have to return everything you were
sent and you lose your bitcoins in the process. Worst case you get an
overzealous prosecutor that goes after you and tries to make the case that the
number of carded things showing up at your address and claimed by you proves
you were the one doing the carding. Would they win? Who knows but it'd
certainly cost you more than you'd ever save to win yourself and you'd still
lose the products in the short term.

------
chatmasta
A lot of these Brian Krebs articles seem to be little more than exposés of
popular services from carding forums. Of course, I don't mean to knock his
investigative reporting -- he is performing a valuable public service, and
some of his stories require far more complex investigative journalism than
simply reading forum posts.

But I am wondering, where are all these forums that Krebs is signed up for and
reading? Also, is he fluent in Russian? I know revealing the URLs might tempt
would-be cyberthieves, but personally I have my own curiosity that I would
like to satisfy by reading them. I suspect there is a lot to be learned just
by reading those forums (which I assume are member-only and require some kind
of vetting process, anyway).

~~~
diziet
Brian Krebs is said to have learned Russian
[http://www.npr.org/blogs/alltechconsidered/2014/07/08/329838...](http://www.npr.org/blogs/alltechconsidered/2014/07/08/329838961/the-hazards-of-probing-the-internets-dark-side)

His translations have been spot on (even capturing nuance of language online),
ie: [http://krebsonsecurity.com/2013/07/mail-from-the-velvet-cybe...](http://krebsonsecurity.com/2013/07/mail-from-the-velvet-cybercrime-underground/)

He very often also links to those sites that he investigates.

~~~
zapu
The criminal organizing the "drug fund" ended up being arrested:
[http://krebsonsecurity.com/2014/06/the-fly-has-been-swatted/](http://krebsonsecurity.com/2014/06/the-fly-has-been-swatted/)

Truly an example of exceptional journalism.

------
alister
> _Buying luxury goods that can be resold overseas at a significant markup
> amplifies the fraudster’s “profit.”_
>
> _where electronics and other luxury
> items typically sell for a much higher price than in the United States
> (think new iPads and iPhones, e.g.)_

iPhones and iPads are indeed much more expensive in (for example) Brazil than
in the U.S.:

[http://brazilsense.com/index.php?title=Items_more_expensive_...](http://brazilsense.com/index.php?title=Items_more_expensive_and_less_expensive_in_Brazil)

because the government of Brazil imposes a 50-100% luxury tax.

So I think there is validity in the article's claim that this difference
amplifies the thieves' profits. However, this claim is always getting
exaggerated in news reports; it's as if every stolen item gets shipped
overseas because there's much more money to be made.

A variation I heard purports to explain what happens to all those stolen
bicycles: the crooks ship containers full of stolen bicycles overseas where
they can be sold for triple the price. If it were so much profit to be made, a
legitimate business could simply _buy_ the merchandise and export to these
countries legally.

Also, in some cases, it would be very difficult to exploit the price
difference whether the goods were exported legally or illegally. For example,
in Singapore cars are massively more expensive than in the U.S. The government
auctions off the right to put cars on the road each year. If thieves managed
to get cars into Singapore, they'd still have to somehow get past a strict
registration system.

~~~
lucaspiller
Even in Europe the difference is quite astonishing. A 32GB iPhone 5S in
Ireland costs €799. In the US it is $649* or €480. In the case of a Mac, the
difference will cover a return flight to the US.

*Without taxes, but as a tourist you can claim those back. Even taking into account taxes of both it's still a lot cheaper in the US.

~~~
gioele
> A 32GB iPhone 5S in Ireland costs €799

And includes a two-year warranty package that is not included in the US price.

~~~
judk
That can't account for the cost difference.

------
robrenaud
> Traditionally, fraudsters get around this restriction by turning to
> reshipping services that rely on “mules,” people in the United States who
> get recruited to reship packages after responding to work-at-home job scams.
> These reshipping mules are sent multiple packages containing electronics
> that have been purchased with stolen credit and debit cards.

Is it possible to fraud the fraudster here? You sign up for the work at home
job, get a bunch of high end electronics sent to you, and then just keep it
(or resell it locally).

~~~
iron_ball
It is certainly possible, but it hardly seems advisable. The worst-case
scenario is exceedingly bad.

~~~
sireat
I would even argue that the most likely scenario would be you being prosecuted
as a willing participant and beneficiary in the fraud and going to PIA prison
in US.

Even in those cases where people were innocent (did not keep the merchandise),
they still had to go to court.

The other scenario (being hurt by the scammer) is less likely but equally
unappealing.

