Money Laundering 2.0: Crime-as-a-Service Exposed

In an increasingly digitised world, the intersection of technology and crime has given rise to new threats. Among them, money laundering and Crime-as-a-Service (CaaS) have emerged as pervasive issues that are reshaping the landscape of financial crimes. While both phenomena are not new, their sophistication and accessibility have reached unprecedented levels in the digital era, posing significant challenges to law enforcement and regulatory bodies.

What is Money Laundering?

Money laundering is the process of concealing the origins of illegally obtained money, typically by passing it through a complex sequence of banking transfers or commercial transactions. The goal is to make the 'dirty' money appear 'clean' and integrate it into the legitimate economy. This practice underpins a wide range of criminal enterprises, from drug trafficking and organised crime to cybercrime and corruption.

Traditionally, money laundering involved methods like smurfing (breaking down large sums into smaller amounts to avoid detection), shell companies, and real estate investments. Today, however, the methods have evolved to include cryptocurrency, online casinos, and sophisticated trade-based laundering schemes, leveraging the anonymity and borderless nature of the internet.

The Emergence of Crime-as-a-Service (CaaS)

CaaS refers to the outsourcing of criminal activities to specialists who offer their illicit services for a fee. This business model has flourished in the cybercrime world, where everything from ransomware-as-a-service to hacking toolkits is available on underground marketplaces.

CaaS lowers the barrier to entry for criminals who may lack the technical expertise to conduct complex schemes. For example, a novice cybercriminal can purchase phishing kits, malware, or even rented botnets to execute attacks. Similarly, money laundering services are now readily available, offering complete "laundering packages" that include bank account setups, cryptocurrency tumbling, and offshore shell company creation. Specific examples include:

• Ransomware-as-a-Service (RaaS)

The REvil ransomware group ran one of the most infamous RaaS operations before being disrupted by law enforcement. Their platform allowed affiliates to launch ransomware attacks, including the high-profile Colonial Pipeline attack in 2021 that caused fuel shortages across the eastern United States.

• Phishing-as-a-Service

Services like Bulletproof Email have facilitated large-scale phishing attacks, including the 2020 Twitter hack where attackers used phishing tactics to gain access to employee accounts and execute a Bitcoin scam through high-profile accounts.

• Distributed Denial of Service (DDoS)-for-Hire

WebStresser, one of the largest DDoS-for-hire services, was responsible for millions of attacks globally before it was shut down in 2018. This service enabled criminals to disrupt websites and extort businesses by threatening further attacks.

• Cryptocurrency Tumblers

The Helix cryptocurrency tumbler was linked to laundering proceeds from the dark web marketplace AlphaBay. Before its takedown, Helix laundered over $300 million in Bitcoin from various illegal activities.

• Fraudulent Document Service

The SSNDOB Marketplace, which operated through various websites, sold personal data of approximately 24 million US citizens, including names, dates of birth, and Social Security numbers. This information was used to create fake IDs, open fraudulent bank accounts, and facilitate large-scale fraud schemes. The FBI seized this marketplace in June 2022.

• Botnet Rentals

The Emotet botnet, taken down in 2021, was one of the most notorious malware distribution services. It infected millions of devices worldwide and was often rented by cybercriminals to steal credentials and deploy ransomware.

Countries Actively Engaged in CaaS

Several countries have been identified as hubs for CaaS, either due to lax regulatory environments, high levels of corruption, or advanced cybercriminal ecosystems. These include:

• Russia

  Frequently linked to ransomware groups like REvil and Conti, Russia has become a central hub for cybercrime. The country’s lack of extradition treaties with Western nations and permissive stance on cybercriminals targeting foreign entities have made it a haven for CaaS operators. Between 2006 and 2013, the Troika Laundromat, a complex money laundering scheme, enabled Russian elites to move over $4.8 billion out of Russia. This network involved a series of shell companies and bank accounts across multiple countries, facilitating the concealment and movement of illicit funds. The operation exploited weaknesses in international financial systems, allowing perpetrators to invest in luxury assets and real estate, thereby integrating illicit funds into the legitimate economy.

  
  

• China

  Known for cyber-espionage and large-scale hacking campaigns, China also harbours criminal networks involved in online fraud, DDoS-for-hire services, and cryptocurrency laundering. These services are often advertised on underground forums or through encrypted messaging apps like QQ and WeChat, allowing individuals or businesses to launch disruptive cyberattacks without technical expertise.

  
  

• North Korea

  The North Korean regime is believed to sponsor cybercriminal groups like the Lazarus Group has been implicated in numerous cyber-attacks and financial crimes, including the 2014 Sony Pictures hack and the 2016 Bangladesh Bank heist, where $81 million was stolen. The group utilises ransomware attacks and cryptocurrency theft to fund the regime's operations, employing complex money laundering techniques to obfuscate the origin of the illicit funds.

  
  

• Ukraine

  Whilst law enforcement in Ukraine has made strides in combating cybercrime, the country remains a hotspot for ransomware development, phishing services, and other CaaS activities, partly due to its skilled but underemployed tech workforce.

  
  

• Nigeria

  Known for its email and romance fraud schemes, Nigeria has expanded into other CaaS offerings, including phishing kits and money mule recruitment services. In 2024, Operation Jackal III targeted West African organised crime groups involved in online financial fraud. Coordinated by Interpol across 21 countries, the operation led to approximately 300 arrests and the seizure of $3 million in assets. These groups utilised sophisticated cyber tools and money laundering techniques to defraud victims globally, highlighting Nigeria's role as a base for such criminal networks.

  
  

• Brazil

  Brazil has become a regional hub for cybercrime in Latin America, with organised groups offering tools for bank fraud, identity theft, and other online scams. Operation Car Wash ("Operação Lava Jato") was a massive investigation in Brazil that uncovered a corruption and money laundering scheme involving the state oil company Petrobras and construction firms. The scandal implicated high-ranking politicians and business executives, revealing how organized crime and corrupt officials exploited financial systems for personal gain, leading to significant economic and political instability in Brazil.

  
  

• India

  In India, fraudulent call centres have been involved in scams targeting victims worldwide, particularly in the United States. These operations often involve impersonating tax or tech support officials to extract money from victims. The illicit proceeds are then laundered through various channels, including cryptocurrency exchanges and shell companies, to integrate them into the legitimate financial system.

How Money Launderers Leverage CaaS

The symbiotic relationship between money laundering and CaaS has created a thriving ecosystem of illicit activity. Criminals can now outsource specific components of their laundering operations, such as:

• Cryptocurrency Tumbling Services

  Cryptocurrency tumblers, also known as mixers, are services that blend potentially identifiable or tainted cryptocurrency funds with others to obscure the trail back to the original source. These services operate by pooling multiple transactions, scrambling the coins, and redistributing them to different addresses, often in randomised amounts and time delays. For a fee (typically 1–3% of the transaction), launderers can clean Bitcoin, Ethereum, or privacy coins like Monero, which are then much harder to trace by blockchain analytics tools. Some tumblers even claim to offer guarantees against blockchain tracking, providing false comfort and a sense of impunity to criminals.

  
  

• Offshore Shell Companies

  CaaS providers offer ready-made offshore shell companies that exist only on paper but appear to be legitimate entities. These companies are often set up in secrecy-friendly jurisdictions like the British Virgin Islands, Belize, or Seychelles where regulatory oversight is minimal and beneficial ownership disclosure is not required. Criminals use these entities to open international bank accounts, funnel dirty money through fake trade invoices or consulting services, and mask the true beneficiaries of the funds. Some services also include nominee directors and shareholders to add another layer of anonymity, all available for a price. This corporate veil is crucial in the placement and layering stages of money laundering.

  
  

• Dark Web Financial Services

  On the dark web, entire marketplaces cater to financial criminals, offering a range of services akin to a digital underground bank. These include counterfeit passports and utility bills, 'fullz' (complete identity kits), and access to clean bank accounts with fabricated transaction histories. Some sellers even provide login credentials to mule accounts that have been prepped for high-volume transactions. These tools enable money launderers to create synthetic identities and conduct transactions that appear legitimate. Vendors often operate with customer reviews and escrow systems, mimicking legitimate e-commerce practices to build trust in their illicit services.

  
  

• AI-Driven Laundering Tools

  Artificial intelligence (AI) and machine learning (ML) are now being exploited by tech-savvy criminals to enhance the sophistication of laundering schemes. These tools can analyse banking patterns to mimic legitimate transactions and reduce the risk of detection by automated monitoring systems. For example, AI can be used to split large transfers into microtransactions across thousands of accounts (a tactic known as smurfing), time them to mimic payroll deposits, or select optimal transaction routes across borders. More advanced services even offer 'laundering-as-a-service' platforms with built-in AI modules that automate the layering and integration phases—further shielding illicit funds from scrutiny.

The Impact on Society

The rise of money laundering and CaaS has far-reaching consequences. Beyond enabling criminals to profit from their illicit activities, these practices have widespread societal effects:

• Economic Instability

  Money laundering distorts economic data and misallocates capital, leading to inefficient markets and unstable financial systems. When illicit funds are injected into an economy often through real estate, luxury goods, or shell investments, it can drive up asset prices and create artificial inflation. Legitimate businesses may be edged out by criminal enterprises that operate without the same cost or tax obligations, skewing competition. In some regions, entire industries become dominated by dirty money, weakening productivity and investor confidence, which can discourage foreign direct investment and economic growth.

  
  

• Corruption & Governance Erosion

  Money laundering provides the financial means to perpetuate and entrench corruption. Criminal proceeds are often used to bribe public officials, influence elections, or infiltrate regulatory and law enforcement agencies. This undermines institutional integrity, erodes the rule of law, and creates environments where crime flourishes unchecked. In countries plagued by weak anti-money laundering frameworks, governance suffers as power shifts into the hands of organised crime networks, eroding public trust in democratic institutions and discouraging civic engagement.

  
  

• Loss of Public Funds

  The misuse of financial systems through laundering often goes hand-in-hand with tax evasion, embezzlement, and procurement fraud, directly reducing government revenue. When billions are siphoned off into offshore accounts or moved through shell companies, governments are deprived of essential tax income that would otherwise fund infrastructure, healthcare, and education. To compensate, authorities may raise taxes or cut public services, shifting the financial burden onto law-abiding citizens and disproportionately affecting low-income communities.

  
  

• Victimisation of Individuals

  CaaS often fuels crimes that directly impact individuals such as ransomware attacks, phishing scams, identity theft, and financial fraud. These crimes not only cause financial loss but can lead to significant emotional distress and long-term reputational damage. Victims may face challenges reclaiming stolen identities, repairing credit scores, or recovering from financial setbacks. In more severe cases, such as sextortion or financial blackmail, the psychological toll can be devastating and lifelong.

  
  

• Increase in Costs for Businesses

  Businesses are under constant pressure to strengthen cybersecurity and compliance frameworks to keep pace with increasingly sophisticated threats. The financial and operational toll of responding to fraud, data breaches, or regulatory penalties is substantial especially for small to medium-sized enterprises. These costs are often passed on to customers through price increases, insurance premiums, or reduced service offerings. In some industries, the cost of anti-fraud and AML compliance now rivals that of core business operations.

  
  

• Global Inequality

  Illicit financial flows often move wealth from the less economically developed countries of the Global South to tax havens or criminal entities based in wealthier nations. This exacerbates inequality by depriving developing countries of critical resources needed for economic and social development. When funds are laundered instead of taxed, or diverted through corruption, governments struggle to provide basic services, invest in infrastructure, or improve living standards. Meanwhile, illicit actors accumulate power and wealth, widening the gap between rich and poor on a global scale.

Conclusion

The convergence of money laundering and Crime-as-a-Service represents one of the most urgent threats to global financial integrity in the digital age. What once required networks of insiders and years of experience can now be outsourced with the click of a button, democratising crime and lowering the barriers for entry. The result is a thriving underground economy where criminal services are packaged, priced, and sold like legitimate business offerings leaving law enforcement and regulators struggling to keep up.

The consequences extend far beyond financial loss. Economic instability, weakened governance, exploitation of vulnerable populations, and the erosion of public trust all stem from these interconnected threats. Developing nations suffer the most, as illicit financial flows drain resources that should fuel growth and development, exacerbating inequality and social unrest.

To combat this evolving menace, a coordinated global response is essential; one that blends technology, cross-border collaboration, stronger regulatory frameworks, and robust public-private partnerships. As technology continues to outpace regulation, so too must our collective efforts to defend against those who weaponise it for criminal gain. Ultimately, tackling money laundering and CaaS is not just about fighting financial crime; it's about protecting the integrity of societies, economies, and the digital future we all share.

Rethinking risk & cybersecurity in the digital age: Are you prepared to navigate this new reality?

The growing intersection between financial crime and cybersecurity presents significant challenges for financial institutions. As digital threats evolve, cybercriminals exploit vulnerabilities to facilitate fraud, money laundering, and other illicit activities. Traditional approaches are no longer enough - integrating cybersecurity with financial crime prevention is critical.

Stay ahead of emerging threats by downloading our exclusive white paper Rethinking Risk: Financial Crime & Cyber Security now.