September 29, 2016

Fraudsters who hack corporate bank accounts typically launder stolen funds by making deposits from the hacked company into accounts owned by “money mules,” willing or unwitting dupes recruited through work-at-home job scams. The mules usually are then asked to withdraw the funds in cash and wire the money to the scammers. Increasingly, however, the mules are being instructed to remit the stolen money via Bitcoin ATMs.

I recently heard from a reader in Canada who said she’d accepted a job as a customer service officer for a company called LunarBay. This company claims to be a software development firm, and told this reader they needed to hire people to help process payments for LunarBay’s clients.

LunarBay’s Web site — Lunarbay[dot]biz — claims the company has been in business for several years, and even references a legitimate business by the same name in the United Kingdom. But the domain name was registered only in late August 2016, and appears to have lifted all of its content from a legitimate Australian digital marketing firm called Bonfire.

The Canadian reader who contacted KrebsOnSecurity about this scam was offered $870 per week and a five percent commission on every transaction she handled. After providing her bank account information to get paid, she became suspicious when she received instructions on how to forward funds on the LunarBay.

The scammers told her to withdraw the money from her account by going into the bank itself — not from the ATM (mainly due to daily withdrawal limits at the ATM). They also sent her a QR code (pictured below) that she was instructed to save as an image on her smartphone. The crooks then proceeded to tell her the location of the nearest Bitcoin ATM:

a) The nearest Bitcoin ATM is located at: 6364 Rue Pascal, Montréal-Nord, QC H1G 1T6, Canada (Bitcoin ATM is located at Dépanneur Pascal 2003 convenience shop in Montreal).

b) You can find the instructions of how to make payment using Bitcoin ATM in this video

c) Please find the image attached to this message. This is a QR code – an unique identification number for a transaction. I ask you to save this image to your smartphone beforehand.

4. The payment must be processed within 3 hours. The Bitcoin rate is constantly changing in relation to CAD, USD and other currencies. That’s why the payment must be made during this time interval.

As the above YouTube video demonstrates, sending funds merely requires the user to scan a QR code shared by the intended recipient, and then insert cash into the Bitcoin ATM. Because Bitcoin is a non-refundable form of payment, once the money is sent the transaction cannot be reversed.

It’s not immediately clear why these thieves are avoiding tried-and-true methods of disbursing cash — like Western Union and MoneyGram — in favor of Bitcoin ATMs. I suppose it’s possible that the wire transfer companies are getting better at detecting and blocking suspicious transactions, but I doubt that’s the reason. More likely, sending cash via Bitcoin results in a more immediate payday for the scammers, and avoids the costs and hassle associated with hiring “far-end” mules to collect fraudulent wire transfers in the scammer’s home country.

The QR code used by the scammers at the fake LunarBay company.

It may seem difficult to believe that people might be gullible enough to get embroiled in such money laundering scams, but countless individuals do every day. The crooks operating this scam no doubt use multiple QR codes linked to many different Bitcoin addresses. The one given to the reader who contacted me links to this Bitcoin account, which has received a total of eight transactions over three days this past week totaling more than 6.3 Bitcoins — roughly $3,823 at current exchange rates.

Word to the wise: Money mule scammers specialize in hacking employer accounts at job recruitment Web sites like, and other popular employment search services. Armed with the employer accounts, the crooks are free to search through millions of resumes and reach out to people who are currently between jobs or seeking part-time employment.

If you receive a job solicitation via email that sounds too-good-to-be-true, it probably is related in some way to one of these money-laundering schemes. Even if you can’t see the downside to you, someone is likely getting ripped off. Also, know that money mules — however unwitting — may find themselves in hot water with local police, and may be asked by their bank to pay back funds that were illegally transferred into the mules’ account.

For more on the crucial role of money mules in facilitating cybercrime, check out these stories.

31 thoughts on “‘Money Mule’ Gangs Turn to Bitcoin ATMs”

  1. pookie

    I wonder how often the mule makes the scammer the mark, and simply forward to their own bitcoin wallet. Would only work once after being burned, but if you attempted to mule 3-5x week, for different scammers, you could get a little side money, I would think, and no one’s going to complain that Peter’s robbing Paul.

    1. Techno

      Let’s hope these schemes aren’t being run by the Mafia…personally, I suspect they are. You’ll have to keep looking over your shoulder for the rest of your life.

    2. Andrew

      Brian says as a mule you “may find themselves in hot water with local police, and may be asked by their bank to pay back funds that were illegally transferred into the mules’ account.”

      So the scammer had money fraudulently sent from a victim account such as through a compromised payroll system to your own bank account. The scheme is that the stolen funds are removed from your account in the laundering process to bitcoins or through overseas transfer before the victim discovers the theft and your own bank is notified of the fraud.

      Essentially the idea of ‘scamming the scammer’ as a rogue mule to get bitcoins is the same as going to the BitCoin ATM and spending your own money, except it takes a lot more time and risks a rap sheet. If you want to speculate on bitcoins I think there are quicker and safer ways to get started!

  2. The Barrister

    How could anyone be fooled by a scam that begins: “In order to get paid, you have to pay us first”?

    1. Mike

      I think it’s the routine, “We give you money, you keep some and deposit the rest in a different account.” The mule him/herself is a risk, but that’s part of doing business.

      Without accepting any money first, this woman needs to (and probably has) go to her bank and get new account numbers.

    2. Net Denizen

      “Learn how to be [insert job title here]. For a low initial investment of $[insert reasonable cost here], you can be on your way to earning $[insert unrealistic weekly income here]!!”

    3. Net Denizen

      “Learn how to be [insert job title here]. For a low investment cost of $[insert reasonable cost here] you can be well on your way of earning $[insert unreasonable weekly income value here]!! Start today!”

    4. MoneyMule

      They would have people send me money via Interac system to my email address and they asked me to act within 3 hours to empty my bank account and transfer an amount -5% to them.

      Of course I thought it was fishy so I contacted Brian Krebs

  3. ITUNE cards

    Good article Brian, I am playing with the IRS scammers in India as of late

    1. Jim

      With the voice changing technology, and phone spoofing available now, it could be your neighbor. The only one that would really know, doesn’t even have to respect a court order anymore.

  4. NorthernGateway

    The Bitcoin twist is new for the “work from home scam”.
    Most of the scams involve fake cheques – the mule / dupe deposits check and waits a few days, the check “clears” and the dupe transfers the money out, often overseas. The fake check bounces, the bank reverses the deposit and the customer (dupe) is left with a negative bank balance to cover. There never was any money – only a fake cheque.

    Unscrupulous because it rips people off, and it rips people off who are often the most vulnerable – no job. And then the anti-money laundering team reviews the account…

  5. vb

    Don’t count on detecting the scam by looking at the scammer’s domain name. I know someone who fell for a scam. The scammer claimed to be a manager of a legitimate company. The scammer used an email domain name that was perfectly plausible for the company. The company was good, the domain name seemed good, etc.

    That was a work from home scam, doing tech support. After sending the first salary payment, the scammer requested some of the salary payment be returned – to pay for training or over-payment, whatever. My friend returned some of the salary payment, and then it became known that the salary payment was fraudulent.

  6. vjod

    Who’s criminal??? Criminal is uneducated without no money no hope ….really??? But in reality they are educated and living luxury life. I wonder just telling to criminals such good ideas??? To they have vision? Or dream or something to know exactly which bank to attack and when and how?….
    All this smells and smells very bad!

  7. vb

    One reason that the scammers told her to withdraw the money at the bank itself is that the Bitcoin ATM probably takes only notes in very good condition. They are trying to minimize the chance that the Bitcoin ATM bill validator rejects the notes.

    1. MoneyMule

      The reason they asked me to do so it’s because I would have received many payments and would have to withdraw lots of cash, more than the regular daily limit. Therefore I need to go directly at the cashier at the bank not through the ATM.

  8. Macu nthurts

    I’ve used over 10 Bitcoin ATMs in 4 provinces, every location had a camera facing the ATM and some had built in Cameras. You would have to be the dumbest criminal alive to think this is a good idea.

    1. Scarboni

      The actual criminal’s face never ends up on that camera, only the sacrificial mules’ does. And the criminal doesn’t care about its mule going to jail because there are plenty more where that came from!

  9. bitcoiniacs

    How did our company’s customer help video find its way to this scam? Was that on the email? Or did you find it yourself? Please let me know so I can put a warning in the description or edit the video.

    1. 789

      Judging by the context, the criminals found it and sent it to their money mule.

    2. fin-man

      Heh. The following advice comes with the video:
      “…Do not buy Bitcoins to send to someone else or another company you don’t know. If they emailed you money, it’s probably a stolen account and you could get into serious trouble.”

    3. MoneyMule

      They emailed me this video to show me how to do the transfer.

  10. Om Krishna Uprety

    With the rise of the internet there have been drastic changes in money making. The same applies to duping methods. There is always a loophole for unethical activities. Now cheaters are using Bitcoin ATMs for their own profit.

    1. Darron Wyke

      There really isn’t any change here. This is a scam that’s as old as time. Just that the internet gives better reach to find marks, and faster return for the scammers. Plus they can operate from a country that won’t extradite them for various reasons (laws, corruption, both, etc.).

  11. IA Eng

    They probably figured out that most of their comrades that were busted had western union or other accounts. They probably figure that the bitcoin angle is a bit more secure and a little bit more anonymous. No need to stand in line and have video footage of the crook standing in a WU line.

    Pay rates are pretty high for simple steps. If one thinks about it, the “other end” could simply do all of these steps in no time, saving a huge amount of profit. As for processing payments for a business, places that handle online transactions for a small fee can do all of this behind the scenes.

    Being the middle-person in any money transfer or item purchase is asking for trouble. Simply ask yourself….. why can’t they do this? Why am I stuck in the middle? The person in the middle is breaking the chain of custody, making it a bit more difficult to pin the action on the crook.

    The local employment offices should have a flier available about this sort of trap.

    The other thing is, most of these people never get paid, and if they offered any of their info, it’s probably going to be used by someone else.

    1. MoneyMule

      I actually applied for a customer service officer, it all seemed legit although too good to be true at a certain point.

      I was asked to

      1) accept payments
      2) process requests
      3) make reports
      4) maintain records
      5) keep documents

      Which I did not accept. I contacted Brian Krebs and he told me about money laundering. I never accepted any payments from them nor their customer and I told them I was contacting a lawyer so I have not heard of them afterwards.

      I was just looking for a job.

  12. vb

    I think these crooks are underestimating the risk of using Bitcoins for criminal activity.

    Anyone, anywhere, can see the flow of Bitcoins from address to address (wallet to wallet). Brian noted that this particular Bitcoin account received 6.3 Bitcoins in eight transactions over the last three days. This is public information.

    There is no easy way to anonymize bitcoin payments as long as the blockchain can be traced by everyone in the world. Tying Bitcoin activity to individuals is possible. With each transaction, the possibility of losing anonymity increases. Even using multiple wallets is no guarantee of anonymity.

    All it takes is one transaction, at any point in time, that identifies the person to the wallet and every transaction since that wallet was created becomes publicly identifiable to that individual.
