How to Cash In Stolen Bank Account Credentials Using Bitcoin

Siphoning money from banks accounts has always been challenging for cyber criminals. A new tutorial exposed by IntSights Cyber Intelligence Analysts reveals some novel methods of accomplishing this.

When it comes to cybercrime, no one pulls a gun, breaks into a physical safe or picks a wallet from someone’s pocket. Crimes are committed in the virtual domain, and cybercriminals enjoy the safety of operating at their pajamas, stealing money from people thousands of miles away, at relatively low risk. There is, however, one drawback to this otherwise “perfect” crime scheme: in the end, criminals want to get the money into their own wallets. Until very recently, this meant actual, physical money.

The tutorial, from the aptly named site: siph0n
The tutorial, from the aptly named site: siph0n

Crossing the virtual/physical barrier has always been complicated, not to mention risky. In the early days of cybercrime, criminals discovered that buying things online (using stolen money), and shipping it to their actual addresses was not a good idea. So, they developed other ways to monetize cyber criminal activities - first and foremost: the cash mule. The cash mule is at the bottom of the cybercrime food chain - the worst off individual who takes the greatest risks.

These poor (literally - some cash mules recruited were homeless) individuals were given the task of withdrawing money from ATMs using stolen credit cards and credentials (stolen from people around the world, sold on underground carding stores, printed on plastic cards and sent to the cash mules). Mules were at higher risk of being caught because they frequented bank branches with video security camera. Plus, if they withdrew large amounts of cash which did not seem compliant with their poor exterior (for more information see the following link).

The last couple of years has seen a shift in the methods of exploiting cybercrime. The emergence of virtual currencies allow cybercriminals to change currencies, send money abroad, and convert it to another currency using various services, semi-legitimate currencies (such as virtual currencies used for online gaming or gambling), and wire services. The conversion between actual currencies and virtual ones, or from one virtual currency to another generally takes place via online exchanges. Most of these services are legitimate, operating within the digital underground economy, with additional security for their customers.

Assuming one gained access to an actual, live bank account, however, there remained the challenge of transferring money out. Recently, IntSights’ Cyber Intelligence analysts have discovered a site on the dark web which provides a detailed tutorial on how to cash-out bank accounts to bitcoin. According to the site, to accomplish this one needs:

  1. A hacked bank account – they suggest an account with 5,000 US$ or more, to verify it’s active. The site has a tutorial explaining how to obtain this.
  2. A throwaway email account
  3. A burner (one time) phone number

The process is simple: head to a darknet cybercrime store and buy the credentials to a legitimate bank account. Then, open an account on, or All three sites offer a similar service. They allow someone to purchase bitcoins with a stolen bank account.

On, one can monitor their account and be notified via email when deposits are made. Acknowledging the automatic fraud detection mechanism employed by banks and bitcoin exchange services, the site suggests to keep the first withdrawal low (around $50). It also states that the “chances that Coinbase will flag your transaction will be VERY low. After a successful first transaction, feel free to bump up the withdrawal to $100 and keep bumping it up after every successful transfer”. Once the money has been converted to bitcoins it can be sent to any other bitcoin wallet and is virtually untraceable.

The site also provides handy tips for successful withdrawals, such as:

  • When buying bitcoins, make sure to buy amounts that look like random purchases; E.g., $39.95 or $44.23 instead of $40 or $50. This will look less suspicious to the account owner if they notice the charge, ensuring that they will be less likely to suspect fraud and reverse the transaction.
  • Target accounts that hold $1,000-$5,000. People with more money are less likely to be proactive when they see random charges. If they spot the transaction, they tend to take a couple days before they investigate and report it, which allows enough time to receive BTC and transfer out of the account.
  • The best days to initiate transfers are Friday, Saturday, Sunday and Monday. After making a purchase, the charge will show up on a bank statement within two days. BTC will hit the Coinbase account two days after that.
  • Be sure to anticipate when you will receive the bitcoins so you can immediately transfer them to your wallet.
  • Business accounts are the best because owners are less responsive when they spot random charges. Plus, usually, they only check their online statements a couple times a month.

Overall, this is a fairly simple method, and will generally allow for safe, quick utilization of stolen bank credentials. That’s great for the cybercriminals, but does mean that anyone who suspects they have been a victim of such activity should request that their bank inspect their accounts immediately.

Want to learn more about Dark Web Black Markets?

Download our Complete Dark Web Black Market Glossary

This post was written by IntSights Intelligence Analyst, Agam Gabay.

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.