Internet Crimes: FinCEN Finds Cambodia-Based Huione Group to be of Primary Money Laundering Concern, Proposes a Rule to Combat Cyber Scams and Heists–BONUS, recent scam alerts

WASHINGTON — Today, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued a finding and notice of proposed rulemaking (NPRM) pursuant to Section 311 of the USA PATRIOT Act that identifies Cambodia-based Huione Group as a financial institution of primary money laundering concern and proposes to sever its access to the U.S. financial system.

Huione Group serves as a critical node for laundering proceeds of cyber heists carried out by the Democratic People’s Republic of Korea (DPRK), and for transnational criminal organizations (TCOs) in Southeast Asia perpetrating convertible virtual currency (CVC) investment scams, commonly known as “pig butchering” scams, as well as other types of CVC-related scams. Given the money laundering risk posed by Huione Group, FinCEN is proposing to prohibit U.S. financial institutions from opening or maintaining correspondent or payable-through accounts for or on behalf of Huione Group.

“Huione Group has established itself as the marketplace of choice for malicious cyber actors like the DPRK and criminal syndicates, who have stolen billions of dollars from everyday Americans,” said Secretary of the Treasury Scott Bessent. “Today’s proposed action will sever Huione Group’s access to correspondent banking, degrading these groups’ ability to launder their ill-gotten gains. Treasury remains committed to disrupting any attempt by malicious cyber actors to secure revenue from or for their criminal schemes.”

As described in the NPRM, for years, Huione Group has laundered proceeds of CVC scams, including CVC investment scams, and heists. Huione Group has set up a network of businesses, each playing a different role in its money laundering enterprise, that includes Huione Pay PLC, a payment services institution; Huione Crypto, a virtual assets service provider (VASP); and Haowang Guarantee, an online marketplace offering illicit goods and services. This network offers services ranging from an online marketplace selling items useful for carrying out cyber scams, to payment services in fiat currency and CVC frequently used for money laundering, as well as a recently developed stablecoin. FinCEN’s investigation identified that, in aggregate, Huione Group laundered at least $4 billion worth of illicit proceeds between August 2021 and January 2025. Of the $4 billion worth of illicit proceeds, FinCEN found that Huione Group laundered at least $37 million worth of CVC stemming from DPRK cyber heists, at least $36 million from CVC investment scams, and $300 million worth of CVC from other cyber scams.

The risks presented by Huione Group’s association with illicit actors and transactions linked to illicit activity are compounded by either an absence of, or ineffective, anti-money laundering/know your customer (AML/KYC) policies and procedures among Huione Group’s components. Despite publicly available information describing the use of Huione Group’s various services by TCOs for scam activity, none of the three Huione Group components had published AML/KYC policies. Huione Group itself has even recognized this deficiency, detecting that the company’s KYC capabilities were seriously insufficient after failing to identify that one of its components indirectly received funds from a DPRK heist.

The NPRM as submitted to the Federal Register is currently available here. Written comments on the NPRM may be submitted within 30 days of publication of the NPRM in the Federal Register.

Brief List of Recent Scam Alerts

The Social Security Administration (SSA) recently announced the implementation of enhanced fraud prevention tools for claims filed over the telephone, further modernizing the agency’s services and strengthening program integrity. Beginning April 14, 2025, SSA will allow individuals to complete all claim types via telephone, supported by new anti-fraud capabilities designed to protect beneficiaries and streamline the customer experience.

The enhanced technology enables SSA to identify suspicious activity in telephone claims by analyzing patterns and anomalies within a person’s account. If irregularities are detected, the individual will be asked to complete in-person identity proofing to continue processing their claim. These advancements allow SSA to maintain the security of its services while continuing to expand access for customers who may be unable to file online or visit an office in person. The agency will continue to conduct identity verification for all in-person claims.

“We are modernizing how we serve the public—enhancing both security and accessibility,” said Leland Dudek, Acting Commissioner of Social Security. “These updates improve our ability to detect and prevent fraud while providing more flexible options for people to access their benefits.”

The updated policy reflects SSA’s broader commitment to customer service, program integrity, and responsible stewardship of taxpayer resources. SSA has worked around the clock to develop and deploy these improvements, driven by the return of employees to full-time in-office operations.

Surge capacity is being put in place to support higher demand starting on the 14th and last month, SSA spent $16.5 million to modernize telephone services nationwide.

This update supports the Administration’s broader efforts to protect Social Security and ensure higher take-home pay for seniors by ending the taxation of social security. For more information on the President’s commitment to preserving Social Security, visit here.

---

HSI’s mission is to protect the United States by investigating global crimes that impact our local communities. We have over 10,000 employees stationed in over 235 U.S. cities and more than 50 countries worldwide. This gives us an unparalleled ability to prevent crime before it reaches our communities. HSI encourages the public to report suspected suspicious activity through its Tip Line. You may remain anonymous.

The Emergence of Impersonations

Deepfake Business Email Compromise (BEC)

As the rise of technology has vastly grown over the last couple of decades, criminals have continued to develop new methods to commit fraud and gain access to classified personal information. Deepfake Business Email Compromise (BEC) has become one of the more popular cyber attacks over the last few years. The expansion of Deepfake BEC attacks can be credited to the advancements in AI and Machine Learning, making it easier for attackers to create realistic but fake communications that deceive their targets. These attacks are often harder to detect than traditional email attacks because the deepfake content mimics familiar voices or images, making the requests seem more legitimate.

What is a Deepfake?

Deepfake BEC Explained

Deepfake Business Email Compromise (BEC) is a growing cybercrime trend where cybercriminals use deepfake technology—artificially generated or altered media, including audio and video—to impersonate company executives or trusted individuals at lucrative businesses. This tactic is used in email phishing attacks to mislead employees into transferring funds or sharing sensitive information. Deepfake BEC attacks are carried out when an individual compromises / obtains the account through social engineering / computer intrusion to conduct unauthorized transfer of funds (1).

The most commonly used keywords in Deepfake BEC attacks are “Request” (25%), “Payment” (15%), and “Urgent” (10%). The consequences of deepfake BEC attacks can be severe, including significant financial losses and reputational damage. Organizations are responding by improving cybersecurity measures, training employees to recognize suspicious activities, and using AI-based tools to detect deepfake content. However, the sophistication of these attacks is constantly evolving, presenting an ongoing challenge for businesses worldwide. These attacks have become more intricate than just a typical phishing email; they can come in numerous different ways, such as manipulation of video/audio to impersonate a trusted employee. The primary use of a Deepfake Audio/Video swapping is to enhance Business Email Compromise (BEC) to falsely authorize payments.

Deepfake Video is the invention, using digital software and machine learning programs, of face- swapping images and videos in order to create messages and statements that are not accurate against the original. Since the vast majority of people around the world create their opinions from the information they see online, Deepfake can be missed by the common eye. Anyone with the right technology has the ability to create / distribute false information online and can influence a mass group of people. While AI can be the answer to detecting deepfakes and false information, AI is also the reason how Deepfakes are created. Deepfake Audio is the creation of mimicking the voice of a real person on the phone / on a video. An audio deepfake attack is one of the more advanced forms of AI attacks. The technology takes voice samples that are obtained, from speeches, presentations, interviews, by the hacker. It will use whatever text that hacker creates and spin it into a fake voice that is almost identical to the real audio. Voice phishing (vishing) is the criminal practice of using social engineering over the telephone to gain access to, or trick people into providing, private, personal, or financial information, usually with the promise of financial reward. The cybercriminal makes a phone call or leaves a voice message purporting to be from a reputable company in order to induce individuals to reveal personal information, such as bank details and credit card numbers. Vishing uses the same techniques as in phishing emails but is done over the phone instead (2).

This technology has allowed attackers to create highly realistic representations while combining that with tactics to make the victims further engage in the fraud. Attackers will use any personal information that is public knowledge and script the attack based on the individual victim.

How Deepfake BEC Is Being Used for Cryptocurrency 

Over the last decade, cryptocurrency has grown to astronomical heights and with those heights come values in the road. Chainalysis reported that nearly $2.2 billion worth of cryptocurrency funds were stolen from hacks/frauds in 2024 (3). The average loss from Deepfake BEC frauds involving Cryptocurrency in 2024 was estimated to be around $400,000 per company that was affected by the impersonation. These frauds and attacks are being designed around creating fraudulent videos/audio from prominent figures in the company, such as a CEO, to trick users into sending their funds to fraudulent addresses of the hacker. Popular ways such as fake endorsements or social engineering/phishing attempts are how attackers can gain control of your funds. Cryptocurrency is more vulnerable to deepfakes than regular currency because cryptocurrency is harder to trace and the volatility of the markets incentivizes users to make faster decisions than expected, leading to more mistakes and more frauds. All communication on cryptocurrency markets happens online, thus a greater chance the deepfake video/audio attack will be successful. Deepfake Frauds featuring current presidents and wealthy entrepreneurs on the internet have been tricking users to send various amounts of cryptocurrency to a single address with expectations of doubling the funds given.

Real Life Example of Deepfake BEC-Driven Cyberattack

A real-life example of a Deepfake BEC attack happened in June of 2024 where the CEO of Ferrari, Benedetto Vigna, was impersonated. The fraud was initiated by several messages being sent to a Ferrari executive over WhatsApp from the hacker mimicking the CEO. The contents of the message were for a confidential acquisition for Ferrari, requiring a hedge fund transaction, and insisted the executive sign a Non-Disclosure Agreement (NDA). Afterward, a phone call followed from the same number as the messages, impersonating Mr. Vigna’s voice to the executive. The executive grew worrisome and asked the suspected CEO a specific question regarding a book recommendation that Mr. Vigna had made to him recently. This small verification method spooked the hacker from his BEC attack and prevented harm to the company, saving millions of dollars (4). The executive’s intuition was one of the many ways employees can help prevent BEC attacks

Preventative Measures

Some helpful measures companies and employees can take to prevent BEC attacks:

• Adding a “Zero Trust” security model, requiring verification at every access point and assuming potential threats from any source
• Implementing strong email authentication protocols like DMARC, SPF, and DKIM
• Educating employees with trainings to identify suspicious emails and verify requests through alternative channels
• Utilizing AI-based deepfake detection tools
• Enabling multi-factor authentication
• Conduct periodic assessments of your security posture to identify vulnerabilities and address potential risks related to deepfake attacks
• Prioritize training for employees in critical roles like finance or accounting who are more likely to be targeted by BEC attacks
• If / when an attack happens, develop a comprehensive plan to respond effectively to a deepfake attack, including containment and remediation steps

Red Flag Indicators

FinCEN identified the following red flag indicators to help financial institutions detect, prevent, and report potential suspicious activity related to the use of GenAI tools for illicit purposes (5):

• A customer’s photo is internally inconsistent or is inconsistent with their other identifying information.
• A customer presents multiple identity documents that are inconsistent with each other.
• A customer attempts to change communication methods during a live verification check due to excessive or suspicious technological glitches during remote verification of their identity.
• A customer declines to use multifactor authentication to verify their identity.
• A reverse-image lookup or open-source search of an identity photo matches an image in an online gallery of GenAI-produced faces.
• A customer’s photo or video is flagged by commercial or open-source deepfake detection software.
• GenAI-detection software flags the potential use of GenAI text in a customer’s profile or responses to prompts.
• A customer’s geographic or device data is inconsistent with the customer’s identity documents.

---

Beware of Warrant-Clear Scam

A local woman fell victim to a warrant-clear scam and Las Cruces police are warning others to be aware of this and other deceitful ruses.
 
The woman claimed to receive a private-number telephone call from someone who identified himself as a law enforcement officer and provided a realistic name and badge number. The caller said the woman had an outstanding warrant, for failing to appear to jury duty, that could be resolved if she transferred $400 to him. Otherwise, she faced the possibility of being arrested.
 
Unfortunately, the woman complied with the caller and electronically transferred $400 to him using a method that’s difficult to track. It wasn’t until after the call ended that she realized the interaction was likely a scam.
 
Police and courts will never call and demand money to resolve a warrant. Anyone who receives such a call is encouraged to simply hang up. Individuals can call Central Dispatch at (575) 526-0795 to verify if any call or contact from law enforcement is legitimate.
 
In the last few days, Las Cruces police have received reports of other incidents that have scammed – or attempted to scam – residents.
 
Tips that can help keep you safe from financial scams: 

• Never provide personal or financial information to anyone you do not know.
• Always reconcile checkbooks and review financial transactions. Report any suspicious activity to your financial institution.
• Do not provide personal or financial information to anyone who calls, messages or otherwise contacts you unsolicited.
• Never give your passwords or personal identification numbers to anyone.
• Do not send cash, checks or otherwise wire-transfer funds to anyone you do not know and trust.
• Do not engage in conversation with unsolicited callers.
• If some unknown person, claiming to be from a financial institution or utility, provides a phone number for you to call, do not call that number. Instead, call the number on your billing statement or a known phone number for that organization.
• Do not open attachments or links sent to you via text or direct message unless you are certain of the source.
• Block telephone numbers and social media pages that appear to be suspicious.
• Report suspicious social media accounts using the platform’s security tools.
• Share these tips with friends and relatives – especially the elderly – to ensure they understand and avoid financial pitfalls.
• Check often with older relatives to ensure their finances are in order.
• Call police immediately if you have fallen victim to a scam or fraudulent activity.

---

Don’t Give Your Information Away 

The Drug Enforcement Administration is warning the public of fraud where scammers impersonate DEA officials. Scam tactics may change, but they share many of the same characteristics.

Callers often use fake names and badge numbers. They also use the names of well-known DEA officials or police officers in local departments. Additionally, they may:

• Use an urgent and aggressive tone
• Threaten arrest, prosecution, or imprisonment
• Demand money via wire transfer or gift card numbers 
• Ask for personal information (Social Security number or date of birth)

Don’t give your personal information away. If you are contacted by someone claiming to be with DEA, report the incident to the FBI at www.ic3.gov. 

---

Overview of Online Child Victimization

United States federal law defines child pornography as any visual depiction of sexually explicit conduct involving a minor (a person less than 18 years old). Outside of the legal system, NCMEC chooses to refer to these images as Child Sexual Abuse Material (CSAM) to most accurately reflect what is depicted – the sexual abuse and exploitation of children. Not only do these images and videos document victims’ exploitation and abuse, but when these files are shared across the internet, child victims suffer re-victimization each time the image of their sexual abuse is viewed. In a recent survey led by the Canadian Centre for Child Protection, 67% of CSAM survivors said the distribution of their images impacts them differently than the hands-on abuse they suffered because the distribution never ends and the images are permanent.

It’s important to remember CSAM consists of much more than just images and video files. While CSAM is seen and transmitted on computers and through other technology, these images and videos depict actual crimes being committed against children. The human element, children at risk, must always be considered when talking about this offense that is based in a high-tech world.

The disturbing reality is that the internet platforms we use every day to connect with each other and share information, including social media, online gaming, and e-mail, are now being used to disseminate and collect CSAM. CSAM can be found in virtually any online realm.

^{1 – Seto, M. C., Buckman, C., Dwyer, R. G., & Quayle, E. (2018, March 28). Production and Active Trading of Child Sexual Exploitation Images Depicting Identified Victims(Rep.). Retrieved April 1, 2018, http://www.missingkids.org/content/dam/pdfs/ncmec-analysis/Production%20and%20Active%20Trading%20of%20CSAM_FullReport_FINAL.pdf}

^{2 – Ibid.}

^{3 – Ibid.}

^{4 – Online enticement is a broad category of online exploitation, including sextortion, and involves enticing a child to take sexually explicit images, and/or ultimately meeting in person for sexual purposes, engaging the child in a sexual conversation online or, in some instances, to sell/trade the child’s sexual images.}

^{5-ECPAT International and INTERPOL. (2018). Towards a global indicator on unidentified victims in child sexual exploitation material.  Retrieved from http://www.ecpat.org/wp-content/uploads/2018/03/TOWARDS-A-GLOBAL-INDICATOR-ON-UNIDENTIFIED-VICTIMS-IN-CHILD-SEXUAL-EXPLOITATION-MATERIAL-Summary-Report.pdf} 

Who are the Victims?

While there is limited research regarding victims of child sexual abuse material, it is a growing field of research and study to better understand the child victims and the offenders.

In March 2018, two studies on this topic were released. The first study is Production and Active Trading of Child Sexual Exploitation Images Depicting Identified Victims, which is based on data collected by NCMEC’s Child Victim Identification Program through 2014. The second study is Towards a Global Indicator on Unidentified Victims in Child Sexual Exploitation Material⁵, which is based on data in Interpol’s global system.

---

ALERT for Certifiers and Certified Operations:

Be Aware of Email Phishing Scam
Falsely Using the USDA Logo 

The National Organic Program (NOP) is aware that certifiers and certified operations have received emails from sources pretending to be the USDA. These emails, referred to as phishing emails, have been sent using the following information:

• Fake Sender: `NOP.guidance@usda.gov` <`xxxx@stceciliafc.com`>
• Email Subject: USDA-NOP Certificate Holder Information verification

Phishing is a common type of cyber attack that targets individuals through email or text messages to attempt to acquire sensitive data, such as email passwords. These messages are often designed to look like they come from a trusted person or organization, to get recipients to open malicious links or enter information on malicious websites.

The recent emails contain the USDA logo and NOP contact information to make the sender appear valid. Each email asks the recipient to confirm information, click on a button or link, and enter sensitive information in a location the fake senders provide. The emails also threaten to suspend or revoke the operation’s organic license, which some readers may believe refers to their USDA organic operation certificate. However, it does not.

USDA did not send the emails – certifiers 
and certified operations should not respond to 
them, click on any links in them, or send
sensitive personal or business information.

Emails sent by the USDA, AMS or NOP are from the “usda.gov” email domain. To verify email authenticity, look at the information included between the carats <`sample.email@domain.com`> or brackets [sample.email@domain.com] shown next to the sender’s name. It is possible for the sender to falsely use “usda.gov” in its name. However, it is not possible for a non-USDA government entity to show its email domain (the information between the carats or brackets) as “usda.gov.”

When reviewing emails for authenticity, look for the following cues to help identify phishing emails:

• Includes a suspicious sender’s address that may imitate a legitimate business or government entity.
• Demands you take urgent action.
• Offers generic greetings and signature. Excludes contact information from the signature block.
• Spoofs hyperlinks and websites in body text that do not match the URL text shown when hovering over links.
• Contains spelling errors, poor grammar, or poor sentence structure. Uses inconsistent formatting.
• Includes suspicious attachments with requests for you to download and open the attachments.

If you are a certifier or certified operation and receive an email that claims to be from the USDA, AMS or NOP, and you are concerned about its authenticity, you may contact your Accreditation Manager (for USDA certifiers) or your certifier (for certified operations) to verify the email’s validity.

If you received such an email and have already clicked on the link or provided sensitive information, we encourage you to report it to your organization’s information technology department, reset your passwords, and scan your computer/device for malicious viruses/malware.

---

The Federal Bureau of Investigation is warning the public about an ongoing fraud scheme where criminal scammers are impersonating FBI Internet Crime Complaint Center (IC3) employees to deceive and defraud individuals

Alert Number: I-041825-PSAApril 18, 2025

FBI Warns of Scammers Impersonating the IC3

---

The Federal Bureau of Investigation (FBI) warns the public about an ongoing fraud scheme where criminal scammers are impersonating FBI Internet Crime Complaint Center (IC3) employees to deceive and defraud individuals. Between December 2023 and February 2025, the FBI received more than 100 reports of IC3 impersonation scams.

HOW IT WORKS

Complainants report initial contact from the scammers can vary. Some individuals received an email or a phone call, while others were approached via social media or forums. Almost all complainants indicated the scammers claimed to have recovered the victim’s lost funds or offered to assist in recovering funds. However, the claim is a ruse to revictimize those who have already lost money to scams.

A recent example of the impersonation scheme variant indicates scammers create female persona profiles on social media networking sites and join groups for financial fraud victims, representing themselves as fellow financial fraud victims. Scammers then recommend actual victims reach out to male persona, “Jaime Quin” (Quin), the alleged “Chief Director” of IC3, via Telegram. Once contacted, “Quin” claims to have recovered the lost funds, but uses this as a ruse to gain access to their financial information and revictimize them.

TIPS TO PROTECT YOURSELF

• The IC3 will never directly communicate with individuals via phone, email, social media, phone apps, or public forums. If further information is needed, individuals will be contacted by FBI employees from local field offices or other law enforcement officers.
• Scammers will change aliases and tactics; however, the scheme generally remains the same.
• Never share sensitive information with people you have met only online or over the phone.
• The IC3 will not ask for payment to recover lost funds, nor will they refer a victim to a company requesting payment for recovering funds.
• Do not send money, gift cards, cryptocurrency, or other assets to people you do not know or have met only online or over the phone.

REPORT IT

The FBI requests victims immediately report fraudulent or suspicious activity to the FBI IC3 at www.ic3.gov. Be sure to include as much information as possible:

• Identifying information about the person or company that contacted you.
• Methods of communication used, including websites, emails, and telephone numbers.
• Financial transaction information, such as the date, type of payment, amount, account numbers involved, the name and address of the receiving financial institution, and receiving cryptocurrency addresses.
• Description of your interaction with the individual, including how contact was initiated, such as the type of communication, purpose of the request for money, how you were told or instructed to make payment, what information you provided to the scammer, and any other details pertinent to your complaint.

Victims aged 60 or over who need assistance filing an IC3 complaint can contact the DOJElder Justice Hotline, 1-833-FRAUD-11 (or 833-372-8311).

For additional information on similar scams, please see previous Public Service Announcements:

• IC3 | “FBI Warns of the Impersonation of Law Enforcement and Government Officials“
• IC3 | “Scammers Using Computer-Technical Support Impersonation Scams to Target Victims and Conduct Wire Transfers“

---

FBI and our partners raised the alarm about China’s hacking of US telecommunications infrastructure

Alert Number: I-042425-PSAApril 24, 2025

FBI Seeking Tips about PRC-Targeting of US Telecommunications

FBI is issuing this announcement to ask the public to report information about PRC-affiliated activity publicly tracked as “Salt Typhoon” and the compromise of multiple US telecommunications companies, especially information about specific individuals behind the campaign. Investigation into these actors and their activity revealed a broad and significant cyber campaign to leverage access into these networks to target victims on a global scale. This activity resulted in the theft of call data logs, a limited number of private communications involving identified victims, and the copying of select information subject to court-ordered US law enforcement requests.

FBI and US Government partners have previously released public statements on Salt Typhoon activity on 25 October 2024 and 13 November 2024, and published the guide, “Enhanced Visibility and Hardening Guidance for Communications Infrastructure,” on 3 December 2024.

FBI maintains its commitment to protecting the US telecommunications sector and the individuals and organizations targeted by Salt Typhoon by identifying, mitigating, and disrupting Salt Typhoon’s malicious cyber activity. If you have any information about the individuals who comprise Salt Typhoon or other Salt Typhoon activity, we would particularly like to hear from you.

In addition, the U.S. Department of State’s Rewards for Justice (RFJ) program is offering a reward of up to $10 million (USD) for information about foreign government-linked individuals participating in certain malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA).

If you have any information on Salt Typhoon, contact your local FBI field office, file a report on the FBI’s Internet Crime Complaint Center at www.ic3.gov, or submit your tip to RFJ on Signal at +1-202-702-7843 or via the RFJ Tor-based tip line: he5dybnt7sr6cm32xt77pazmtm65flqy6irivtflruqfc5ep7eiodiad.onion (Tor browser required).