Crooks aim to gain access to e-wallets used for betting on bookmaker platforms in order to withdraw funds. However, experts doubt the widespread nature of this theft method.
Amidst the crackdown on `dropper` cards (accounts used for illicit money transit), fraudsters have developed a new tactic for conducting illegal operations. According to reports, they have started using Russians` accounts on betting websites. An employee of a publication reportedly encountered this scheme.
The scheme begins with a call impersonating a marketplace representative. Fraudsters ask for a verification code from an SMS, which actually comes from a bookmaker company. Using the victim`s confirmed personal details (full name, date of birth), they register an account. However, topping up the e-wallet or withdrawing funds requires verification through `Gosuslugi` (State Services portal) or TsUPIS (Unified Interactive Bets Accounting Center).
This requires passport data. Experts note that this data can be obtained either from leaked databases or by using social engineering tactics to trick the victim. Once access is gained, criminals can launder stolen money through the e-wallet. Nevertheless, Fyodor Muzalevsky, Director of the Technical Department at RTM Group and information security expert, is skeptical about the method becoming widespread:
«In reality, account theft on bookmaker platforms has existed for as long as the accounts themselves. Using them to withdraw money is very strange, because ultimately the money is withdrawn to some card. That is, for fraudsters, it is actually an extra step. Accounts are stolen to steal money *from* them. Since the number of such accounts in the country is relatively small, and the people who use them are quite often paranoid about security, this scheme is unlikely to become widely popular.»
Financial expert Andrey Chirkov, author of the CardReview Telegram channel, adds that previously, fraudsters registered e-wallets in other people`s names to receive welcome bonuses (free bets) from bookmakers.
«In our country, to place legal online sports bets on the internet, it must be done only through the wallet of the unified TsUPIS. This is the Center for Accounting of Transfers and Bets based at the non-credit financial organization `Mobilnaya Karta`, chosen by presidential decree as the authorized organization. People can open e-wallets in their own name, deposit funds, and then place bets and receive winnings through them. To open this wallet in the simplest case, it is sufficient to register any phone number, absolutely any, provide passport details, full name, date of birth, passport number, and either TIN (Taxpayer Identification Number) or SNILS (Individual Insurance Account Number). As you understand, this data has leaked from various organizations, which problem gamblers actively used before. Knowing the passport data of a client who had not yet registered with this TsUPIS, they would register e-wallets in people`s names to get the welcome bonus in the form of additional funds credited to their account, spend it, and then abandon the wallet. Now, due to the tightening of screws on fraudsters and droppers, apparently, this possibility of opening wallets in a simplified form has also attracted fraudsters, but such a simplified wallet has significant limitations on the amount of a single transaction that can be processed through it. Therefore, schemes may be used to link this wallet, already opened in your name, also to `Gosuslugi`; that is, this identification through `Gosuslugi` allows fraudsters to expand the possibilities of using this wallet. I recommend to all citizens: on the tax service website, there is a function `request certificates`, and there is a certificate about bank accounts and electronic payment means opened in your name in credit organizations of the Russian Federation. If you find electronic payment means opened by you there, in particular, `Mobilnaya Karta` NCO, this is exactly the wallet for bets. In this case, I recommend sending a claim through the Central Bank website stating that this wallet does not belong to you and that it must be closed.»
Since mid-June, legislation has been strengthened introducing criminal liability for droppers (up to 6 years imprisonment and significant fines). Experts do not rule out that an innocent victim of fraudsters, whose account was registered on a bookmaker`s website, could also be recognized as a dropper if their e-wallet was used for the transit of stolen funds.
