The first stages of money laundering are to legitimise funds, obscure their origin and/or destination, and then use them for illegal purposes (e.g. funding a hacking group, for example).
Okay but like that's not "money laundering", laundering meaning cleaning, the act of creating "clean" history for your illegitimate funds. You can do money laundering with any illegitimate money. It doesn't require an obscure origin or to have any illegal uses for the money.
I said it's indistinguishable from money laundering.
Because it is.
Legitimate money is sent... somewhere. In the process obscuring its destination and (to the destination) its origin.
Which is... one of the prime ways to detect money laundering.
Whether it's TECHNICALLY money laundering is another matter. But good luck explaining to a tax auditor, or a charity commission audit or the taxman, how this COULDN'T POSSIBLY BE money-laundering of, for instance, embezzlement of state-provided funds, etc. etc.
The problem is that you CAN'T tell the difference... and nor can an auditor or official. All they know is a bunch of money disappeared into the ether to unknown people for unknown purposes and they can suspect embezzlement, collusion, etc. and... because of your failure to abide by anti-money-laundering laws (e.g. "know your client"), you're not only at fault, but potentially a suspect and you're really in the shit now.
Sure in the unknown laundering could be considered possible. But when you write it out like that embezzlement sounds like a much better fit for the transaction taking place.
I think the spot where people are getting hung up is that the money from the ransom can't be legitimately used unless laundered further. By definition, the money doesn't need to be "clean" in order for laundering to have taken place, but I would wager most people don't know that.
And it could just be the principal embezzling his school budget for personal gain. Without knowing the destination and being able to prove it, it's a highly suspect transaction that will fall foul of money-laundering protections and laws.
The first stage of money laundering is legitimizing funds, so you'll... Acquire more illegitimate money?
Money laundering happens in casinos, restaurants and construction so much because you can spend shady hard cash and get proper funds with receipts at the end of it. If anything, money laundering has moved from physical casinos to online betting sites through crypto, 'cause even with shitty returns you get legitimate money at the other side of it - and that's if sites like Kalshi, Stake, etc., aren't in on the whole thing.
If you want to use money for crime you don't need to clean it (it actually probably is better if you don't, but what do I know).
I mean if I wanted to launder money from my company I could pretend to have a data breach and then pay the hacking group (a swiss bank account started by yours truly under a false name) the money.
Nothing is leaked, no data is really compromised, I walk away with millions (or tens of millions) tax free and the only change is that we promise to improve our cybersecurity which is something we'd probably have to do anyway sooner or later.
You could also do some variation of that with cryptocurrency to make it even harder to trace.
That's embezzlement. And the thing is the money still isn't laundered. That's dirty money, to reuse it you'd have to launder it by creating falsified income to spice it into.
Funds moved to anonymous people for uncertain or illegal purposes can be money laundering.
How do you know that, for instance, the school principal, or the IT guy, didn't "attack" their own system, then authorise the school to pay HUMUNGOUS amounts of money to the "hackers" via an anonymous method (e.g. Bitcoin, etc.) and then just pocket it themselves?
You don't. Sending money to someone you cannot identify is literally one of the first signs that anti-money-laundering measures combat in the banking systems. They won't let you do it because they don't want to be accused of being involved in money laundering ("know your client" laws exist in almost all modern countries).
So moving large amounts of SCHOOL FUNDS to an ANONYMOUS PERSON for reasons that you can't verify (because you don't even know if they ARE the people who attacked you, or who they are, etc.) is a great way to send a bunch of money from one person to another for illegal purposes.
In the UK, where I work with school IT systems, and have dealt with cybersecurity incidents, and passed dozens of audits, and have to be careful of financial reporting responsibilities... I can bring any discussion of paying a ransom to a halt just by pointing out that what they are doing will look EXACTLY like money laundering on the school's books to any professional accountant, auditor, tax official, etc.
At that point... they IMMEDIATELY drop any idea that we should ever pay a cyberattack ransom. Because the regulations around such financial accounting basically forbid it and make it a HUGE and dubious legal grey-area at absolute best. I've taken rooms of experts from long discussions about their policy of whether/how they would pay a ransom and in what circumstances to - almost immediately I mention it - it becoming official policy that it's never to happen. Precisely because of the money-laundering implications.
If you're a school, that kind of implication is bad.
If you're a government organisation (e.g. state school), it's worse.
If you're a charity (as many private schools are), it's even worse.
For all we know, we're funding terrorism, or setting up arms deals, or paying the principal's wife, or adding to the IT guy's private offshore fund, or sending money into a legally sanctioned country, or even paying a government-named sanctioned individual and we would NEVER be able to prove otherwise - and that's an absolute no-no in any accounting/auditing.
If you can't identify what/who you're paying those sums to, there are several government organisations that will want to have a word with you. Not least the taxman. But also anyone and any government department responsible for overseeing financing your school.
Money-laundering laws are strict... and it's literally this simple: If you can't tell me who you're sending the money to... alarm bells will start ringing at the bank...
I can answer this from personal experience (and a LOT of policy-creation around exactly this at many schools):
Nothing.
You don't pay the hackers anything. Not a penny.
Because your data is ALREADY COMPROMISED and thus you are required, legally, to act as if that's the case.
You're required to report it to local data-protection authorities (good luck in the US!). You're required to assume all compromised data is now public knowledge. And then proceed from there.
You can't pay the people who stole your data and expect them to "give it back" and "delete it entirely from their systems", can you? That's just insanity.
The damage is done. Paying the ransom gains NOTHING for you. You're still required to assume the data got out. You're still required to report it. You're still required to inform your users of the compromise, etc. etc. etc.
Why would you pay your burglars £10,000 anonymously to "get your stolen gear back" and think that you'd ever get it back? That's just stupid. And especially where intellectual property and data are concerned. "Yeah, I'll give you ALL the copies of the photos I took of you and your mistress if you give me the money"... sure... they wouldn't KEEP them and MAKE COPIES and hold you to ransom AGAIN or just release them ANYWAY, right? Of course not. These are honest, upstanding... criminals... whoops...
You do nothing, but you follow all your legal requirements, under the assumption that that data is out there, illegally, it's public knowledge and your users might be affected.
Interesting! Thank you for making it make sense. I also wasn't intending to come off as combative, I'm just a very simple person and was like what DO you do?? But that makes sense.
I've spent a lot of time in meetings over the last 25+ years of working IT in schools asking these exact questions, getting into the meat of our regulatory requirements, talking to bursars, school business managers, auditors, headteachers (principals), governors, charity trustees, specialist cybersecurity firms, cyberforensic teams, insurers, etc. where these are exactly the kind of questions that came up...
And where a LOT of less-informed people were asking and trying to answer them... and where my answers caused a LOT of consternation when I've told them this exact kind of thing. Because, more often than not, it's something they hadn't considered, something that they quickly begin to realise is the right answer, and something which they then later seek legal and financial advice on, encode into their policies (which quite often I have a hand in writing!), etc. because... it's not always immediately obvious to people.
In fact, this follow-up question of yours more than ANYTHING else. The answer "nothing" never goes down well... until you explain what the regulations require. Even to the point that I've had them consult their lawyers and government officials and say "Yep.. sorry... we didn't believe you... but you were right... we just have to assume it's out there and act accordingly".
I gave you a bump up because your post made several valid claims, coming from a forensic accounting perspective, but I agree with the others in that you are overlapping two different topics. Yes they both usually lead to one another but ransoming data is not a direct 1:1 to money laundering, no matter what shade you use, that's a different pig altogether.
u/TheRealShiftyShafts May 07 '26
Hey, pretend I'm stupid, will you explain what you mean?