Cosmos Bank Cyber Fraud: Information on “ALM Trading Limited”

In continuation to our initial blog on the Cosmos Bank cyber fraud incident, Volon’s researchers utilized insights from its own Darknet Monitoring solution to create a timeline of SWIFT based attacks on Indian banks and highlight chatter of threat actors in the Darknet.

Based upon the transaction reports of SWIFT transfer of $1.92 Million to a Hongkong based entity, Volon’s team conducted deep dive research on the entity “ALM Trading Limited” and identified some facts which could help in expanded investigation.

On 13th August 2018, SWIFT transaction was made towards “ALM Trading Limited” (“阿里姆貿易有限公司”), a private limited company supposedly located at Tsuen Wan, Honk Kong, registered by XIAOXING, 33 years old Chinese national and resident of Zunyi, China. This company was established on 13th April 2018. The SWIFT transaction from Cosmos Bank was made 4 months after the formation of the company.

“ALM Trading Limited” was established with the help of a Secretary organization “JL ACCOUNTING SECRETARY LIMITED” (“君林天下會計秘書有限公司”), which was established in July 2016. One interesting observation about “JL ACCOUNTING SECRETARY LIMITED” is that the company’s Director resigned on 20-March-2018 and the firm also did not renew its Website this year, which then expired on 22-July-2018. “JL ACCOUNTING SECRETARY LIMITED” provides various Accounting services including Offshore accounting and Bank account setup.

jl_accounting

Figure 1. JL Accounting served as secretary for ALM


offerings

Figure 2. Offshore Account Services


“JL ACCOUNTING SECRETARY LIMITED” applied for the establishment of “ALM Trading Limited”, and application of the establishment were signed electronically with PIN and not manually. Perhaps it is possible that “ALM Trading Limited” was formed with stolen or illicit credentials.

director_info

Figure 3. Signature on ALM’s incorporation document.


Utilizing Volon’s Darknet Monitoring product, we identified a threat actor in the darknet who was interested and involved in Indian ATM malwares and cash-outs last year. Also, another darknet actor was looking for SWIFT terminal access of Indian banks in January 2018. Actor claimed that he had a ready cash-out mechanism and a toolkit which can be utilized to exploit the SWIFT access. Actor also claimed that operation will be done in a manner that it will take couple of days for the victim bank to notice the fraudulent transactions.

Using Volon’s proprietary Card Leak monitoring system, the research team identified numerous VISA and RUPAY cards being sold in Darknet Markets.

For detailed report, contact us at: intel [at] volon [dot] io.

SWIFT_attack_timeline

Figure 4. COSMOS Bank Fraud Timeline.



Prevent Cyber Attacks with advance intelligence