
Outsmarting the Dark Web: Wirex’s strategy to unmasking Mule accounts

en.cryptonomist.ch, 06 February 2024 08:41 UTC

Three years ago, Wirex, a major UK-based cryptocurrency platform, joined forces with ZeroFox, a leading US cybersecurity company. This collaboration kickstarted a joint effort to safeguard Wirex’s brand integrity. ZeroFox played a key role by providing protective measures and actively addressing issues related to scammers.

According to Wirex’s analysis of alerts based on ZeroFox’s Dark Web monitoring, the predominant issue in 2023 is the number of offers to sell accounts on the Dark Web. Over time, malicious actors altered their behaviour, prompting Wirex and ZeroFox to extend their partnership in order to combat the growing threat.

The investigation showed an overwhelming number of sale offers connected to Wirex accounts and to other well-known fintech products. Based on the data from ZeroFox alerts, nearly 7,000 alerts were escalated to Wirex during 2023. These statistics confirm that black markets, including those run over Telegram, pose significant risks for fintech companies.

The information presented below provides a visual representation of the frequency of mentions of different services in Telegram posts where Wirex accounts were promoted for sale in 2023. It’s crucial to emphasise that these figures do not include posts where accounts of other services are advertised for sale without mentioning Wirex. However, this data offers an overview of the magnitude of the issue.

This discovery led to a careful investigation to understand how deep and complicated the threat was.

Both companies took a proactive approach to tackle the issue of money mule accounts and today, we take a close look at the details of this journey, uncovering a complicated network of cybercrime and delving into the sophisticated strategies used by those causing harm.

During October and November 2023, ZeroFox attempted to contact the top Dark Web sellers of Wirex accounts without any success in obtaining a genuine account. The selling of accounts on the dark web appeared to be just another scam approach.

In December 2023, the ZeroFox team found a moderately credible threat actor known as “bear_gummy” who advertised verified accounts for various financial platforms, including Wirex, on the Dark Web forum “Exploit.” This marked the beginning of an intense investigation into the modus operandi of this threat actor.

The screenshot of the verified accounts advertisement

In an attempt to confirm the legitimacy of the threat, ZeroFox operatives reached out to “bear_gummy” through the Exploit forum’s private message system, Jabber, and Telegram messengers. ZeroFox operatives have been communicating anonymously with the actor of interest.

The person behind this account is likely not a native English speaker, as evidenced by language errors in the chats.

The screenshot of the conversation with the actor via Telegram messenger

During the investigation, an interesting fact emerged: the malicious actor was building a positive reputation, as indicated by the seven positive feedback reviews they had received, which demonstrates a consistent commitment to maintaining the service model.

ZeroFox operatives successfully concluded a deal to purchase a Wirex account. Continuing with the case, Wirex requested to buy another account from the seller to understand where the malicious actor operates and to detect patterns in the registration of money mule accounts.

The results of the investigation strengthened Wirex’s user verification processes across all markets where Wirex provides financial services.

At the time of writing, Wirex has successfully upgraded its Customer Verification Risk Framework related to money mule accounts and is monitoring the improvements. ZeroFox will continue to assist Wirex in 2024 in combating Dark Web threats connected to money mule accounts and other risks associated with Wirex’s business.

It’s worth mentioning another area where Wirex utilised ZeroFox Dark Web monitoring for its clients to reduce the risk of stolen funds. Several dark web resources are selling botnet logs containing compromised credentials for various services, including Wirex. The stealer malware was identified as the culprit responsible for extracting login credentials from compromised devices.

The page with logs containing Wirexapp.com compromised credentials being sold

Wirex thoroughly checks all leaked accounts. If an account is confirmed to be affected, the dedicated Wirex team promptly notifies and supports the client through Customer Support.

To summarise, the collaborative efforts of Wirex and ZeroFox have uncovered a sophisticated network of cybercrime involving the creation and sale of nearly 200 money mule accounts on Wirex. Furthermore, Wirex consistently identifies accounts through existing fraud and other controls, leading to investigations and appropriate actions. This proactive approach resulted in closing down 153 mule accounts in 2023. As leaders in the field, both companies remain committed to staying ahead of evolving threats and ensuring user safety in the digital landscape.
