Cosmos Bank Cyber Fraud: Information on “ALM Trading Limited”

In continuation to our initial blog on the Cosmos Bank cyber fraud incident, Volon’s researchers utilized insights from its own Darknet Monitoring solution to create a timeline of SWIFT based attacks on Indian banks and highlight chatter of threat actors in the Darknet.

Based upon the transaction reports of SWIFT transfer of $1.92 Million to a Hongkong based entity, Volon’s team conducted deep dive research on the entity “ALM Trading Limited” and identified some facts which could help in expanded investigation.

On 13th August 2018, SWIFT transaction was made towards “ALM Trading Limited” (“阿里姆貿易有限公司”), a private limited company supposedly located at Tsuen Wan, Honk Kong, registered by XIAOXING, 33 years old Chinese national and resident of Zunyi, China. This company was established on 13th April 2018. The SWIFT transaction from Cosmos Bank was made 4 months after the formation of the company.

“ALM Trading Limited” was established with the help of a Secretary organization “JL ACCOUNTING SECRETARY LIMITED” (“君林天下會計秘書有限公司”), which was established in July 2016. One interesting observation about “JL ACCOUNTING SECRETARY LIMITED” is that the company’s Director resigned on 20-March-2018 and the firm also did not renew its Website this year, which then expired on 22-July-2018. “JL ACCOUNTING SECRETARY LIMITED” provides various Accounting services including Offshore accounting and Bank account setup.

Figure 1. JL Accounting served as secretary for ALM

Figure 2. Offshore Account Services

“JL ACCOUNTING SECRETARY LIMITED” applied for the establishment of “ALM Trading Limited”, and application of the establishment were signed electronically with PIN and not manually. Perhaps it is possible that “ALM Trading Limited” was formed with stolen or illicit credentials.


Figure 3. Signature on ALM’s incorporation document.

Utilizing Volon’s Darknet Monitoring product, we identified a threat actor in the darknet who was interested and involved in Indian ATM malwares and cash-outs last year. Also, another darknet actor was looking for SWIFT terminal access of Indian banks in January 2018. Actor claimed that he had a ready cash-out mechanism and a toolkit which can be utilized to exploit the SWIFT access. Actor also claimed that operation will be done in a manner that it will take couple of days for the victim bank to notice the fraudulent transactions.

Using Volon’s proprietary Card Leak monitoring system, the research team identified numerous VISA and RUPAY cards being sold in Darknet Markets.

For detailed report, contact us at: intel [at] volon [dot] io.

Figure 4. COSMOS Bank Fraud Timeline.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Kapil has over 19 years experience performing multiple consulting, business development and operations profile in technology & finance sector.

Before founding Volon, he was based in Stockholm, Sweden and worked at Capgemini as Client Director and Business Development leader in Nordics.

Previously he worked at a PE (India Value Fund) owned Digital Media firm in London and also at Steria, a European listed company as a Member of India Operations Board. He spent his early career in M&A and Corporate Finance advisory at Ernst & Young and GE Capital in United States.

Kapil studied at London Business School and is also a qualified Chartered Accountant.

Sagar has over 23 years experience and has performed senior Finance and HR roles in various technology companies.

Before Volon, he worked as Head of Operations, India/Thailand at Scan-IT Pte. Ltd. (Subsidiary of ‘Scan-Group’, Danish Shipping and Logistics Company).

Sagar holds Diploma in Computer Science from Pune University.

Muslim has over 20 years of Information Security Experience with core focus on Cyber Threat Intelligence, Cyber Risk Management and Cyber security consulting.

Before Volon, he worked at FireEye Inc (US listed Cyber Security Firm) where he headed their Cyber Threat Intelligence Research team. Muslim also worked at iSIGHT Partners (later acquired by FireEye Inc) as one of the initial employees and set up their Cyber Threat Intelligence research team from scratch.

Previously, Muslim was based in Malaysia where he led the information security consulting practice for Network Security Solutions. Muslim is also credited with establishing national level CERT (and also a foreign) and consulting for various corporate CSIRTs.

Muslim holds Masters in Electronic and Communication from Devi Ahilya University.

Prabir has over 35 years of experience performing multiple operational, leadership, business development and sales profile in Government and Enterprise segments. He has more than 13 years of corporate experience, held multiple top-management positions including being on Board of Directors with exhibited Strategic & Sustainable business development traits, client acquisition skills & Sales achievements in domestic market. He comes from a versatile Military communication & IT background having served the Indian Army (Corps of Signals) for two decades before transiting to corporate sector.

Before taking up consulting assignment with VOLON, he led business development of Startup companies engaged in Info-Sec products, Software services and strategic sales in mid-sized IT system Integration Company in Delhi & NCR

Prabir is a full-time MBA from Faculty of Management Studies, Delhi University and also a B.Tech (Electronics & Communication) from JNU (MCTE).