Casinos to Crypto: how cybercriminals launder money

Bengaluru

About two months ago, Manjunath (name changed), a cab driver from Hyderabad, had the shock of his life when he received summons from the Bengaluru South East Division Cyber Crime Police asking him to appear for questioning in a cyber crime case. “Your response is required regarding a money transaction to your account. Appear before the investigator at the Bengaluru Southeast CEN Police Station,” the summons read.

Manjunath rushed to Bengaluru as he had received the letter late and had already missed the deadline. The police, meanwhile, were preparing to send a team to Hyderabad, but eventually detained Manjunath in Shanthinagar after tracking his location.

“His account had received money transferred by a resident of South Bengaluru, who had been duped by a cyberfraudster in a courier fraud,” the investigator handling the case told The Hindu.

A courier fraud or a FedEx fraud is one where cyberfraudsters claiming to call from Customs or one of the law enforcement agencies claiming they had intercepted a courier in their name with contraband, subject them to ‘interrogation’ on video, seek their bank details and siphon off money, or sometimes subject gullible citizens to even “digital arrest”.

Manjunath was summoned as the money siphoned off from the victim in South Bengaluru had landed in his account. However, further investigation revealed that Manjunath’s landlord in Hyderabad, one Eshwar, had “borrowed” his account for a transaction to avoid “tax issues”, and that is how the money siphoned off from the Bengaluru-based cyber crime victim landed in Manjunath’s account.

The police then began pursuing Eshwar, a businessman and a casino enthusiast, suspecting him to be part of a cyber fraudsters’ gang. But he was also not.

Investigations found that Eshwar had visited a casino in Sri Lanka after which the transaction was initiated. “During his visit, Eshwar stopped gambling midway and returned to India. He surrendered all the casino chips he had purchased using real money and asked for a refund,” the investigator explained. To receive the refund, Eshwar requested Manjunath’s bank account details and provided it to the casino. The police connected the dots and concluded that the Sri Lankan casino had links with cyber fraudsters operating in India. The refund was made through proceeds of cyber crime.

Money laundering networks 

This is not an isolated case. Senior police officials say such links between cyber criminal networks and various networks, including hawala, crypto currencies, casinos, online betting apps and the likes, are increasingly common. This indicates how several networks are converging to launder illicit money and in many instances also converting black money to white money.

This has posed serious challenges to law enforcement agencies, as the money trail has become more complex, spread over not just multiple States in the country, but also overseas. As an indication of this, the Directorate of Enforcement (ED), the specialist federal agency to check money laundering and violations of foreign exchange rules, has been joining several cyber crime investigations across the country. 

This has complicated an already herculean task of recovering swindled money from cyber crime victims.

The Casino Route

Like in the case illustrated above, following the money trail in several cyber crime cases have recently led investigators to casinos, often overseas. 

Indian cyber fraudsters often have accomplices abroad, while agents representing foreign casinos operate in India. When cybercriminals need to transfer money to their overseas counterparts, they pay casino agents in India using money mules or proceeds from cyber crime. The foreign casino agents then disburse equivalent funds to the fraudsters’ partners abroad. Likewise, whenever casinos have to pay someone, like in the above case, there are instances where they have used cyber crime networks to pay them.

Online Betting Apps

Recently, the ED summoned over 25 celebrities in connection with a money laundering case registered under the Prevention of Money Laundering Act (PMLA), 2002, related to online gaming platforms.

Pronab Mohanty, Director-General of Police (DGP) and head of the newly formed Cyber Command Unit (CCU), confirmed that several cyber crime investigations have unearthed links to money laundering through online betting platforms. “In many cases, the stolen money was laundered through online betting and cryptocurrency,” Mr. Mohanty told The Hindu.

Betting applications provide virtual coins or chips in exchange for real money. Winners are paid in cash or through accounts that are untraceable to them by these platforms. Since these gaming apps do not use their nodal accounts to pay winners, there is no proof that a payment was made to a particular user. Such payments are outsourced to cyber criminal networks, who pay winners using proceeds of cyber crimes, often transferring money from victims to the accounts who need to be paid. These cyber criminal networks are reimbursed with an additional cut later through other means, often abroad and in white.  Meanwhile, the money collected from other players by the betting app is legitimate, effectively converting black money into white, an officer explained.

According to the officer, many of these betting apps are unverified. “PlayStore won’t permit such apps. They are floated online and advertised via social media and Telegram channels,” the officer said, advising users to avoid unverified apps and not to install them via APK files.

The Crypto Route

Cryptocurrencies are another often chosen avenue to launder proceeds of cyber crimes.

A senior CID officer described how some foot soldiers open wallets on crypto currency exchanges and deposit stolen funds. In return, they receive cryptocurrency equivalent to the amount deposited, which they then transfer to ringmasters abroad.

In other instances, the fraudsters transfer stolen funds into a specific mule account that appears legitimate and holds proper documentation. Using those credentials, they send a large sum of defrauded money to a crypto currency exchange and receive the corresponding cryptocurrency.

“Crypto exchanges are secure and transactions are hard to trace, even though technically it is possible. But we cannot freeze a crypto wallet, as current laws do not allow it. In cases where fraudsters use their own secure wallets not linked to any exchange, it becomes virtually impossible to trace or track subsequent transactions,” the officer said. 

Even when the police identify the wallet receiving the stolen funds, they are unable to determine its ownership due to encryption and anonymity.

Gaps in banking system 

However, this kind of money laundering is possible due to gaps in our banking system, say cyber crime investigators. Investigators frequently blame the banking system for allowing fraudsters to get away with siphoned funds. According to them, such laundering can be curbed only through a broader and streamlined banking system.

“Banks should enforce stricter Know Your Customer (KYC) protocols and conduct thorough checks while opening accounts. These checks are currently lacking, leading to the creation of lakhs of mule accounts,” said a CID officer. According to data from the Indian Cyber Crime Coordination Centre (I4C), a federal agency coordinating cyber crime investigations in the country, nearly 4,000 mule accounts are created in India every day. Creation of every mule account is a testament to gaps in the banking regulations, officers argue.

Not just that, as per Reserve Bank of India regulations, banks are mandated to monitor suspicious transactions and flag them. However, this rarely happens. These shortcomings are indirectly aiding cyber criminals.

Moreover, banks are slow to respond when police seek information. Data accessed by The Hindu shows that major private-sector banks in the State took up to 30 days to reply to police queries in 2024, when the golden hour to freeze an account to prevent the swindled money, proceeds of cyber crimes is around two hours. The Bengaluru City Police’s Cybercrime Information Report (CIR) helpline has been a pioneer in this real time intervention. However, it depends on victims reporting crimes to the helpline within the golden hour and the banks also responding and acting with alacrity in the same time window. 

Mule accounts

In addition, victims face larger problems because of the existence of mule accounts. 

For example, a fraudster scamming a victim in Karnataka may use mule accounts based in another State to make police investigations more difficult. Likewise, the money withdrawal would occur in a third State, further complicating the trail.

“A foot soldier in the third State would withdraw the stolen funds and deposit them with a local money laundering agent. The agent’s counterpart in Karnataka would then pay the original fraudster,” the officer explained.

Cyber crime investigators also say that these foot soldiers choose ATMs with low surveillance or those that witness high foot traffic to avoid detection during withdrawals. According to Ministry of Home Affairs documents accessed by The Hindu, several ATMs in Bengaluru, Mysuru, Shivamogga, and Kalaburagi have become hotspots for money mules withdrawing illicit funds. Among the top 10 locations, over five ATMs in Yelahanka alone have seen the highest volume of withdrawals. Banks in Bengaluru have also become key points where cheques are deposited and funds siphoned off from mule accounts.

According to the CID officer, once investigators trace a victim’s money to a particular bank account, they must request the bank’s Law Enforcement Agency (LEA) officer to freeze it.

“After that, the victim must approach the court for an order, which is sent back to the bank through the investigator,” the officer explained. Upon receiving the court order, the bank transfers the funds to the account specified in the order.

However, complications arise when multiple victims are connected to the same mule account. “Mule accounts are often used for several frauds. When such an account is frozen, multiple victims submit court orders for the same funds,” the officer said. In such cases, banks are stuck. They may release funds on a first-come, first-served basis or, sometimes, not at all.

There have also been instances where victims received refunds from a mule account only to have their own accounts frozen later. “When the victim gets his or her money, their account becomes the last transaction point for that mule account. Investigators from other cases linked to the same mule account may see the last transaction also as a fraudulent one and freeze the first victim’s (the one that got a refund) account,” the officer added.

To address this, the Karnataka police issued a standing order stating that only the first layer of mule accounts should be frozen, while the money in the others should be lien-marked and not entirely frozen. However, investigators argue that this allows the second and third layers to remain active, despite their involvement in cyber crimes.

“When an account is frozen, no activity is allowed. However, when a specific amount is lien marked in the account, then that money will be frozen, but the account can function normally,” the officer explained.

These irregularities expose a lack of a standard operating procedure and highlight gaps in policing. Investigators believe the MHA must step in to rectify the issue. While the Indian Cybercrime Coordination Centre (I4C) oversees such matters, many of these issues remain unaddressed.