There is almost no difference anymore between cybercrime and financial crime. What used to be two enforcement universes, hackers on one side and money launderers on the other, have converged and now function as one integrated criminal economy.
In 2025, North Korean hackers steal $1.5 billion in Ether from a Dubai exchange. In less than 48 hours, the proceeds are flowing through crypto mixers on their way to fund a weapons program. A trafficked worker at a Cambodian compound runs a pig butchering scam against a retiree in Texas. The money settles through Tether wallets and shell companies thousands of miles from the keyboard. In Frankfurt, a finance manager sends almost a million euros to a “supplier” whose email was faked by a gang based in West Africa. Three felonies. Three continents. One threat.
This is the face of cyber-enabled financial crime today. That’s why compliance, fraud and security teams can no longer afford to work in silos. The article below looks at how digital threats drive financial fraud, what the latest enforcement data reveals and where compliance teams should be focusing.
- What is Cyber Enabled Crime in Finance?
- Types of Cyber Financial Crime
- The Scale: FBI IC3 and Europol Data
- How Cybercrime and Money Laundering Intersect
- AI as Threat and Defense
- Cyber Financial Crime Types: Methods, Impact, and Detection
- Cyber Financial Crime Red Flags
What is Cyber Enabled Financial Crime?
Put simply, cyber enabled financial crime is any financial crime that is committed, facilitated or scaled through the use of digital technology. The category sits at the crossroads of two disciplines that were long kept apart.
On the one hand, pure cybercrime: intrusions, malware, breaches and infrastructure attacks, where the immediate goal is access, disruption or theft of data. On the other hand, traditional financial crime: fraud, money laundering, sanctions evasion and corruption, where the purpose is the illegal movement of value.
Cyber enabled financial crime happens when criminals combine the two. They steal or launder through digital tools, with money as the end. The ransomware operator encrypting a hospital’s servers doesn’t care about the data; they want the Bitcoin payment that fixes the outage. The business email compromise (BEC) crew impersonating a CFO isn’t interested in the email account; what they want is the wire transfer it can authorize. Tech is the vector. The prize is money.
That difference has real world consequences. A security operations center looks for indicators of compromise: suspicious logins, lateral movement, exfiltration. The anti money laundering (AML) team looks for signs of laundering: structured transactions, high risk geographies, ownership opacity. Cyber enabled financial crime sits in the gap between those two lenses, and criminals exploit that gap.
Today’s most resilient programs bring together fraud signals, cyber security telemetry and AML alerts into a single risk picture. Regulators expect the same. FinCEN, the U.K. FCA, the EU’s AMLA and the FATF have all published guidance over the past years pointing in one direction: cyber and financial crime risk are converging, and controls have to converge with them.
Types of Cyber Financial Crime
Cyber enabled financial crime is not a single menace. It's a family of them. The categories most likely to arise in compliance alerts are:
Business Email Compromise (BEC). Criminals impersonate executives, suppliers, or counsel through spoofed, hijacked, or look alike email accounts to redirect legitimate payments to their own accounts. BEC is low tech, high impact, astonishingly so. Almost no malware is required. Just social engineering and a different wire instruction. The targets are payroll, vendor invoices, real estate closings and M&A transactions, and BEC consistently produces some of the largest per incident losses in all of the cyber fraud landscape.
Ransomware. Lock down the systems. Extract the data. Demand cryptocurrency in exchange for decryption keys and a promise not to publish the stolen files. The financial crime angle is twofold: the ransom itself, and the laundering pipeline that turns crypto into spendable fiat. Groups like LockBit, and the successors that fill the void when one is taken down, have industrialized the model with affiliate networks, negotiation desks and even customer service portals.
Phishing and vishing. Social engineering at scale, via e-mail, SMS (“smishing”), voice call or QR code (“quishing”) with the aim of harvesting credentials, payment data or one time passcodes. Phishing is the genesis of a huge percentage of downstream fraud, including BEC and account takeover.
Cryptocurrency theft. Direct attacks on exchanges, bridges, DeFi protocols, individual wallets. The headline example is the 2025 Lazarus attack on Bybit, but protocol exploits and private key thefts on a smaller scale happen weekly.
Online investment fraud. Pig butchering. Scam trading platforms. Fraudulent token launches. Fake high yield schemes. These are the ones that dominate U.S. consumer loss data and are increasingly run out of industrial compounds in South East Asia.
Payment fraud. Card not present fraud. Authorized push payment (APP) fraud. Real time payment abuse. Merchant chargeback fraud. The shift to instant payment rails has shrunk the window for spotting and reversing fraudulent transfers to seconds in some cases.
Account takeover and identity theft. Stolen, synthetic, or AI generated identities used to open new accounts, hijack existing accounts, or apply for credit. The hardest synthetic identity fraud to detect is the kind built on a partially real identity, where no single victim is reporting it.
These categories do overlap. One criminal operation will often run phishing for initial access, account takeover to move money, mule networks to disperse it, and crypto rails to cash out. Treating them as separate problems is precisely what the criminals are counting on.
The Scale: FBI IC3 & Europol Data
The numbers have gone from alarming to historic. In 2024, the FBI’s Internet Crime Complaint Center received 859,532 complaints, with reported losses of more than $16 billion, a 33% increase on 2023. For reference, the 2023 figure was $12.5 billion. In a single year, cyber fraud losses in the U.S. leapt by more than $4 billion.
That loss is where the convergence story is written. Cyber enabled fraud accounted for nearly 83% of all IC3 losses in 2024, $13.7 billion across 333,981 complaints. Investment fraud, especially schemes involving cryptocurrency, was the largest loss category, totaling more than $6.5 billion. The heaviest burden, nearly $5 billion, fell on those 60 and older. BEC alone was responsible for almost $2.8 billion in losses in 2024, with the three year BEC total reaching nearly $8.5 billion from 2022 through 2024.
The scale is set by two data points. The first is the Bybit theft. Bybit lost $1.5 billion in Ethereum on February 21, 2025 in the biggest digital heist in cryptocurrency history. The mechanics matter. Hackers breached a machine at a third party multisig provider and injected malicious JavaScript into the transaction signing process, enabling them to siphon 401,000 ETH to wallets that they owned. The attack was attributed to the North Korea sponsored Lazarus Group. In the days that followed, Lazarus laundered the bulk of the stolen assets through crypto mixers. A textbook case: cyber intrusion up front, money laundering operation right behind it.
The second is the Southeast Asian industrial scam economy. Cambodia’s scam operations alone are estimated to generate $12.5 to $19 billion a year, as much as 60 percent of the country’s gross domestic product. The cybercriminal workforce in Cambodia, Myanmar and Laos combined is more than 350,000. A 2024 USIP study estimated that Mekong based syndicates stole more than $43.8 billion annually, nearly 40 percent of the combined formal GDP of the three countries. The U.S. said Americans alone lost at least $10 billion to scams tied to Southeast Asia in 2024.
European data tells a similar story. Europol’s IOCTA and the European Financial and Economic Crime Centre have consistently reported how investment fraud, BEC and ransomware now dominate the EU’s organized crime threat landscape, with proceeds routed through layered networks of money mules, virtual asset service providers and shell entities across jurisdictions. The faces change. The pattern doesn't.
How Cybercrime and Money Laundering Intersect
There's a money laundering problem after every successful cybercrime. Stolen funds, ransom payments and scam proceeds are useless to criminals until they are laundered of their origin and converted into something spendable or, in the case of state sponsored hacks, something a regime can actually use.
Put another way, money laundering and cybercrime risks are not parallel. They are successive stages of the same process. The pipeline varies across typologies, but some patterns recur.
Ransomware payments and crypto mixers. Victims pay in Bitcoin or, increasingly, in privacy focused coins or stablecoins. Operators then route proceeds through mixers, chain hopping between blockchains, cross chain bridges and non compliant exchanges. The Bybit case is illustrative: a large part of the $1.5 billion stolen was hidden within days, and services like eXch are reported to have processed tens of millions of dollars in proceeds before being caught.
Mule networks and BEC money. BEC money typically lands in a domestic receiving account at a regulated bank, the so called first hop, and is distributed within hours through a network of money mules. Some mules are knowing accomplices. Some are romance scam victims who are unaware they are moving stolen money. Some are holders of synthetic identity accounts opened for the purpose. The funds are aggregated downstream, usually via pre paid cards, P2P payment apps or crypto on ramps, and channelled offshore. The FBI’s Recovery Asset Team has succeeded in freezing first hop transfers, but only if victims report within hours.
Online fraud and account layering. The proceeds of investment scams are typically deposited into apparently legitimate trading platforms, withdrawn into a series of personal accounts, converted into stablecoins and finally end up in wallets controlled by the syndicate operating the compound. FinCEN found that Cambodia’s Huione Group laundered more than $4 billion since 2021, including funds stolen through North Korean cyberattacks and crypto fraud. This is an example of how cyber enabled fraud, sanctions circumvention, and state sponsored hacking all operate through the same financial infrastructure.
Stablecoin rails and scam tokens. The norm in the Southeast Asian compound economy is the adoption of Tether (USDT) on the Tron blockchain. The comparative difficulty of freezing addresses across jurisdictions. The compounds, the recruiters, the laundering platforms now operate as a vertically integrated criminal supply chain.
The practical implication for compliance teams is straightforward. Suspicious activity reports increasingly describe not just an anomalous transaction but also the cyber context of that transaction: the device fingerprint at the point of login, the IP geolocation mismatch, the velocity pattern, the counterparty’s crypto exposure. AML transaction monitoring and fraud detection signals need to feed into each other, not live in separate case management systems run by separate teams.
AI as Threat and Defense
Artificial intelligence has transformed the contest on both sides. It is in the attacker’s tool kit as much as it is in the defender’s.
On the offensive side, AI industrializes what was once artisanal. Generative models can now produce convincing phishing emails in any language, without the grammatical tells that once gave away fraudulent attempts. Voice cloning technology replicates an executive’s voice from a few seconds of public audio, enough to power a “deepfake CEO” call that leads to a multi million dollar wire fraud at a multinational. Deepfake video has defeated the liveness checks of some remote onboarding systems. Thanks to AI generated fake identities, with fabricated faces, addresses and credit histories, fraud is now a whole sub industry in its own right. Scam compounds operate AI translation and chat assistance tools to handle multiple conversations with victims concurrently in multiple languages. Large language models write romance and investment scam playbooks by the truckload. And state aligned groups have started using AI generated personas in fake job applications and in schemes to place remote IT workers who are used to infiltrate Western firms.
The defence faces a volume problem, which can only be realistically solved by AI. Modern fraud and AML platforms score transactions in milliseconds against patterns derived from billions of previous events. Behavioral biometrics (typing cadence, swipe pressure, navigation patterns) supplement credential checks to detect account takeover, even if the password is correct. Mule networks are invisible to per transaction monitoring but graph analytics uncovers them by finding links between accounts that have devices, IP ranges or counterparties in common. Natural language models can identify adverse media and sanctions hits far more accurately than legacy fuzzy matching, dramatically reducing the false positive burden on compliance teams.
Capability isn’t the frontier challenge. Explainability is. Regulators want institutions to explain why a transaction was blocked or a customer offboarded, and a pure black box model won't meet that bar. The best programs are those that combine machine learning, rule based logic, and human review of cases: AI to triage and enrich, and human judgment in the decision loop. The same programs stress test their models against adversarial AI. A fraud strategy that works today may be obsolete in six months as criminals iterate on their own tooling.
Bottom line for financial institutions: AI is no longer optional. But it has to be done with discipline. Teams that treat it as a magic dashboard fall behind. The leaders are those who build a clear framework of governance, risk modelling and human review into it.
Cyber Financial Crime Types: Methods, Impact, and Detection
The table below summarizes the major categories of cyber financial crime: how each works, where it connects to downstream financial crime, the scale of impact, and the detection methods that hold up in practice.
| Crime Type | How It Works | Financial Crime Connection | Scale / Impact | Detection Method | Sanction Scanner Solution |
| --- | --- | --- | --- | --- | --- |
| Business Email Compromise (BEC) | Spoofed, hijacked, or look alike email accounts impersonate executives, vendors, or counsel to redirect legitimate payments to attacker controlled accounts. | Generates first hop deposits at regulated banks that are immediately layered through mule networks and crypto on ramps. | ~$2.8B in 2024 IC3 losses; ~$8.5B over 2022–2024. | Payment instruction anomaly detection, beneficiary verification, behavioral analytics on payment approvers, real time payment screening. | Transaction Monitoring, Transaction Screening, Fraud Detection |
| Ransomware | Threat actors encrypt and exfiltrate data, then demand cryptocurrency payment under threat of disclosure and continued disruption. | Ransom payments flow into mixers, cross chain bridges, and non compliant exchanges; proceeds fund further attacks and, in some cases, sanctioned regimes. | Most pervasive threat to critical infrastructure in 2024; complaints up 9% YoY per IC3. | Crypto wallet screening, sanctions screening of counterparties, blockchain analytics, payment velocity monitoring. | AML Screening, Transaction Screening, Ongoing Monitoring |
| Phishing / Vishing | Mass and targeted social engineering harvests credentials, OTPs, and payment data via email, SMS, voice, and QR codes. | Compromised credentials enable account takeover, unauthorized transfers, and the downstream BEC, mule, and investment fraud pipelines. | Top complaint category to IC3 in 2024; primary entry vector for most downstream fraud. | Device fingerprint analytics, login anomaly detection, behavioral biometrics, real time session monitoring. | Fraud Detection, Customer Risk Assessment |
| Crypto Theft (Lazarus Group et al.) | Exploitation of exchange infrastructure, multisig wallets, DeFi protocols, and bridges; supply chain compromises of wallet UI software. | Stolen funds laundered through mixers, chain hopping, and stablecoins; proceeds linked to sanctions evasion and WMD financing. | Bybit hack: ~$1.5B in Ethereum in Feb 2025 — largest crypto heist on record. | Wallet address screening against sanctions and known illicit actor lists, blockchain transaction analytics, counterparty risk scoring. | AML Screening, Transaction Screening, Ongoing Monitoring |
| Online Investment Scams | “Pig butchering,” fake trading platforms, fraudulent token launches, and bogus high yield programs — increasingly run from industrial scam compounds. | Victim funds routed via legitimate looking platforms into mule accounts, then converted to stablecoins and consolidated offshore. | $6.5B+ in 2024 IC3 investment fraud losses; ~$10B in U.S. losses to Southeast Asia scam centers in 2024. | Counterparty risk scoring, adverse media screening, behavioral analytics on outgoing transfers to crypto / high risk venues. | Adverse Media Screening, Customer Risk Assessment, Transaction Monitoring |
| Identity Theft / Account Takeover | Use of stolen, synthetic, or AI fabricated identities to open new accounts or seize control of existing ones. | Enables fraudulent credit, money mule activity, and laundering of proceeds from upstream cyber enabled crimes. | Personal data breaches among the top three complaint categories in 2024 IC3 data. | Behavioral biometrics, device intelligence, KYC re verification, network / graph analytics on shared devices and IPs. | Know Your Business (KYB), Customer Risk Assessment, Fraud Detection |
| Card Fraud | Card not present fraud, BIN attacks, real time payment abuse, and chargeback fraud — frequently fueled by data from prior breaches. | Card proceeds laundered via marketplace purchases, gift card conversion, prepaid cards, and crypto on ramps. | Persistent multi billion dollar global loss category; volume amplified by instant payment rails. | Real time transaction scoring, velocity rules, merchant category analysis, device intelligence. | Fraud Detection, Transaction Monitoring |
| Scam Centers (Cambodia / Myanmar / Laos) | Trafficked and coerced workers in industrial compounds run mass scale pig butchering, romance, and investment scams under threat of violence. | Funds laundered via Tether on Tron, regional payment platforms (e.g., Huione), and casino linked channels. | $43.8B in estimated annual proceeds across the Mekong scam economy; >350,000 person criminal workforce. | Adverse media and PEP screening on counterparties, ongoing monitoring for high risk jurisdiction exposure, blockchain analytics on stablecoin flows. | Adverse Media Screening, AML Screening, Ongoing Monitoring |
What the table shows collectively is that the same handful of mechanisms recur in almost every typology: counterparty screening, behavioral analytics, real time transaction monitoring, and blockchain analytics. Make them shared services. Institutions that do scale far better against the cyber enabled threat landscape than those that reinvent each capability inside each program.
Cyber Financial Crime Red Flags
Cyber enabled financial crime leaves a fingerprint. It shows up in customer behaviour and in transaction data, and compliance and fraud teams who know what to look for can step in before the money leaves the institution.
The most important signals are:
Suspicious sign in activity. Logins from new devices, new geographies, or anonymizing infrastructure such as VPNs, Tor and residential proxies. Physically impossible jumps from one country to another. Successful first time authentication attempts immediately after a password reset. All of these are generally precursors to account takeover and subsequent fraudulent transfers.
Rapid fund transfers right after login. Within minutes, a dormant customer logs in, adds a new payee, raises a transfer limit and initiates a high value wire. They're definitely compromised. Velocity and sequence analytics will pick up this pattern where single transaction rules may not pick it up at all.
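One way to express the dormant login, new payee, limit raise and wire sequence as a detection rule, shown here as an added example that is not from the original article or any vendor product. The `Event` schema, the thresholds and the sample events are constructed assumptions; the amount-only baseline is included to show what a single transaction rule flags and what it misses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

DORMANCY = timedelta(days=90)    # assumed: no activity this long = dormant
WINDOW = timedelta(minutes=30)   # assumed: "within minutes" of the login
HIGH_VALUE = 10_000.0            # assumed per-transaction amount threshold

@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str                    # login | add_payee | raise_limit | wire
    payee: str = ""
    amount: float = 0.0

def single_txn_rule(events):
    """Baseline: flag any wire at or above HIGH_VALUE, ignoring context."""
    return sorted({e.account for e in events
                   if e.kind == "wire" and e.amount >= HIGH_VALUE})

def detect_takeover_sequences(events):
    """Flag a wire to a payee added in the same session, shortly after login,
    when the account was dormant or had its limit raised in that session."""
    alerts, last_seen, sessions = [], {}, {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login":
            prev = last_seen.get(ev.account)   # None = no history, not dormant
            sessions[ev.account] = {
                "start": ev.ts, "new_payees": set(), "limit_raised": False,
                "dormant": prev is not None and ev.ts - prev >= DORMANCY}
        last_seen[ev.account] = ev.ts
        sess = sessions.get(ev.account)
        if sess is None or ev.ts - sess["start"] > WINDOW:
            continue                           # outside the post-login window
        if ev.kind == "add_payee":
            sess["new_payees"].add(ev.payee)
        elif ev.kind == "raise_limit":
            sess["limit_raised"] = True
        elif ev.kind == "wire" and ev.payee in sess["new_payees"]:
            reasons = ["wire_to_new_payee"] + [name for name, hit in (
                ("dormant_account", sess["dormant"]),
                ("limit_raised", sess["limit_raised"]),
                ("high_value", ev.amount >= HIGH_VALUE)) if hit]
            if sess["dormant"] or sess["limit_raised"]:
                alerts.append({"account": ev.account, "payee": ev.payee,
                               "reasons": reasons})
    return alerts

# Constructed sample events (not real data).
T0 = datetime(2025, 3, 3, 2, 14)
def at(minutes): return T0 + timedelta(minutes=minutes)
SAMPLE_EVENTS = [
    # acct-A: quiet for months, then payee + limit + wire within minutes
    Event(T0 - timedelta(days=200), "acct-A", "login"),
    Event(at(0), "acct-A", "login"),
    Event(at(2), "acct-A", "add_payee", "payee-X"),
    Event(at(4), "acct-A", "raise_limit"),
    Event(at(9), "acct-A", "wire", "payee-X", 48_000.0),
    # acct-B: active customer, large wire to a long-standing payee
    Event(T0 - timedelta(days=1), "acct-B", "login"),
    Event(at(0), "acct-B", "login"),
    Event(at(5), "acct-B", "wire", "payee-Y", 60_000.0),
    # acct-C: dormant, new payee, wire kept under the amount threshold
    Event(T0 - timedelta(days=120), "acct-C", "login"),
    Event(at(0), "acct-C", "login"),
    Event(at(3), "acct-C", "add_payee", "payee-Z"),
    Event(at(6), "acct-C", "wire", "payee-Z", 9_500.0),
]
```

On the sample, `single_txn_rule(SAMPLE_EVENTS)` flags acct-A and the legitimate acct-B, while `detect_takeover_sequences(SAMPLE_EVENTS)` flags acct-A and acct-C and leaves acct-B alone.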
Crypto transfers to mixing services or known illicit addresses. Outgoing transfers from a customer’s account to a VASP, and then deposits to wallets associated with mixers, sanctioned entities, or known scam infrastructure, are one of the strongest indicators of either victimization or willing participation in laundering. They are found in real time by blockchain analytics and wallet screening tools.
Transactions that do not fit the digital behavior profile of the customer. A customer who had never used mobile banking before is now doing large transfers from their mobile. A corporate account is sending money outside of business hours from unknown IPs. Payment instructions are sent via email and not through approved workflows. Every deviation must be raised.
Change of beneficiary or payment instructions. A recurring vendor payment, years in the making, suddenly gets diverted to a new account in a different jurisdiction. That’s the hallmark of vendor impersonation BEC. Most variants are foiled with a quick out of band call back to the phone number on file, not the one in the email.
Mule network indicators. Multiple independent accounts utilizing the same devices, IP ranges, beneficiary information, or transaction timing. Accounts receiving incoming transfers, then paying them out in smaller amounts within hours. Customers with transaction volumes not justifiable by their income profile. Graph analytics is now the standard way to surface these clusters.
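A sketch of the graph analytics named here and in the earlier discussion of AI on the defensive side: accounts are linked through shared devices or IP prefixes, and a cluster is surfaced only when several members also receive funds and pay them out in smaller amounts within hours. This is an added example, not the article's or a vendor's code; the tuple layouts, thresholds and sample data are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MIN_CLUSTER = 3                      # assumed: smallest cluster worth review
PAYOUT_WINDOW = timedelta(hours=6)   # assumed: "within hours"
PAYOUT_RATIO = 0.8                   # assumed: share of a credit paid back out

def _find(parent, x):
    while parent[x] != x:            # union-find with path halving
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def cluster_accounts(logins):
    """Group accounts connected by any shared device or IP prefix."""
    parent, first_owner = {}, {}
    for account, device, ip_prefix in logins:
        parent.setdefault(account, account)
        for attr in (("device", device), ("ip", ip_prefix)):
            if attr in first_owner:  # attribute seen before: merge the two
                parent[_find(parent, account)] = _find(parent, first_owner[attr])
            else:
                first_owner[attr] = account
    groups = defaultdict(list)
    for account in parent:
        groups[_find(parent, account)].append(account)
    return [sorted(members) for members in groups.values()]

def is_pass_through(txns, account):
    """True if a credit leaves again as 2+ smaller debits in PAYOUT_WINDOW."""
    mine = [t for t in txns if t[1] == account]
    for ts, _, direction, amount in mine:
        if direction != "in":
            continue
        debits = [a for t2, _, d, a in mine
                  if d == "out" and ts < t2 <= ts + PAYOUT_WINDOW and a < amount]
        if len(debits) >= 2 and sum(debits) >= PAYOUT_RATIO * amount:
            return True
    return False

def suspected_mule_clusters(logins, txns):
    """Linked clusters in which two or more members pass funds through."""
    found = []
    for members in cluster_accounts(logins):
        movers = [m for m in members if is_pass_through(txns, m)]
        if len(members) >= MIN_CLUSTER and len(movers) >= 2:
            found.append({"members": members, "pass_through": movers})
    return found

# Constructed sample data (not real): (account, device id, IP prefix)
SAMPLE_LOGINS = [
    ("acct-1", "dev-aa", "198.51.100"), ("acct-2", "dev-aa", "203.0.113"),
    ("acct-3", "dev-bb", "203.0.113"),   # linked to acct-1 only via acct-2
    ("acct-4", "dev-cc", "192.0.2"), ("acct-5", "dev-dd", "192.0.2"),
    ("acct-6", "dev-ee", "2001:db8:1"),  # pass-through pattern but no links
]
T0 = datetime(2025, 3, 3, 9, 0)
def h(hours): return T0 + timedelta(hours=hours)
# (timestamp, account, direction, amount)
SAMPLE_TXNS = [
    (h(0), "acct-1", "in", 9000.0), (h(1), "acct-1", "out", 3000.0),
    (h(2), "acct-1", "out", 2900.0), (h(3), "acct-1", "out", 2800.0),
    (h(0), "acct-3", "in", 7000.0), (h(0.5), "acct-3", "out", 3400.0),
    (h(1.5), "acct-3", "out", 3300.0), (h(0), "acct-2", "in", 5000.0),
    (h(0), "acct-4", "in", 2500.0), (h(48), "acct-4", "out", 400.0),
    (h(0), "acct-6", "in", 4000.0), (h(1), "acct-6", "out", 2000.0),
    (h(2), "acct-6", "out", 1900.0),
]
```

A shared IP prefix alone is a weak link (households, offices and carrier NAT share addresses), which is why the sample pair acct-4 and acct-5 forms a cluster but is not surfaced.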
Poor justification for exposure to risky geography. Transactions to or from jurisdictions linked to scam compound activity, sanctioned regimes or weak AML enforcement, where the customer’s business profile does not provide a reason for the exposure. Enhanced due diligence, every time.
Counterparty adverse media/sanctions hits. A counterparty that has been referenced in adverse media in relation to scams, ransomware or illicit crypto activity. A hit when screening against sanctions or PEP lists. Both need to be reviewed immediately. With the compressed timelines of cyber enabled crime, a sanctions hit that arrives hours after a transaction is often too late.
The best programs don’t see these signals as individual alerts to be processed queue by queue. They combine them into a single risk score. The criminal economy described in this article is integrated end to end, from the first intrusion to the last laundering step. And the defenses against it have to be integrated too.