SOCRadar® Cyber Intelligence Inc. | Cashout (Cybercrime)
Jun 25, 2026

What is a Cashout in Cybercrime?

In the cybercrime context, cashout refers to the final monetization phase of fraud operations: converting stolen digital assets, whether card data, compromised credentials, or bank account access, into untraceable cash. Cashout completes the crime. Without it, stolen data has no immediate financial value to the attacker.

ThreatFabric documented the Ghost Tap technique in late 2024, enabling cybercriminals to relay NFC payment data from stolen cards to remote money mules at scale, representing a significant evolution in cashout methodology.

Cashout Definition in Cybersecurity

In cybersecurity and fraud contexts, cashout describes the process by which cybercriminals convert the proceeds of their attacks, typically stolen payment card data, account credentials, or fraudulently transferred funds, into cash or cryptocurrency that can be used or withdrawn without easy tracing.

This term distinguishes the cybercrime meaning from the general financial term “cashout,” which simply refers to withdrawing or liquidating assets. In cybercrime discussions, cashout specifically means the final step in converting stolen digital assets to usable value.

Different ATM Cash-Out Schemes

ATM fraud is one of the most direct cashout methods, particularly for large-scale organized operations.

Jackpotting

Attackers with physical access to an ATM install malware that commands the machine to dispense cash on demand. Teams of money mules collect the cash from multiple machines simultaneously.

Backend network attacks

Rather than physically tampering with ATMs, attackers compromise the bank’s backend network and issue fraudulent authorization commands. A coordinated team of mules then collects cash from ATMs across multiple cities or countries simultaneously.

Prepaid card schemes

Stolen card data is loaded onto prepaid debit cards, which are then used for cash withdrawals or retail purchases. The prepaid cards add a layer of separation between the stolen data and the cashout event.

In OPERA1ER attacks documented by Group-IB, weekend timing was deliberately chosen for ATM cash-out operations because bank fraud teams had reduced weekend staffing, allowing operations to run longer before being detected and shut down.

Cryptocurrency Cash-Out Methods

Cryptocurrency has become an increasingly important cashout channel because it enables borderless transfers with greater pseudonymity than traditional banking.

Bitcoin ATMs

Physical cryptocurrency ATMs allow conversion of cash to cryptocurrency and vice versa, often with minimal identity verification requirements. They are frequently used for the final conversion step.

Cryptocurrency mixers

Mixers are services that pool multiple users’ cryptocurrency transactions to obscure the trail from source to destination. Tornado Cash was a prominent example before regulatory action.

Exchange-based conversion

Fraudulent proceeds are deposited into cryptocurrency exchanges, either through hacked accounts or newly opened accounts with synthetic identities.

How Do Cybercriminals Use Money Mules for Cash-Out?

Money mules are the human infrastructure of the cashout operation. In ATM schemes, crews of mules receive cash cards or account access and conduct synchronized withdrawals from multiple machines. In bank transfer fraud, mules receive funds into their accounts and forward them onward, taking a percentage commission.

The use of mules creates geographic distribution that complicates law enforcement action. A single fraud operation may use mules in dozens of countries simultaneously, making seizure and prosecution across all of them difficult even when the core operation is identified.

Emerging Cash-Out Tactics: Ghost Tap and NFC Relay

Ghost Tap, documented by ThreatFabric in 2024, represents a notable evolution in mobile payment fraud. The technique uses NFCGate, a tool that relays NFC payment signals over the internet.

A money mule at an ATM or point-of-sale terminal holds an NFC-capable phone near the reader. Simultaneously, an attacker elsewhere holds a phone loaded with stolen card data near another NFC reader. The NFC signal from the stolen card is relayed over the internet to the mule’s phone, which transmits it to the local reader. The transaction completes as if the stolen card were physically present at the mule’s location.

This technique removes the need for physical cloned cards and allows a single attacker with access to stolen digital card data to direct multiple mule teams conducting simultaneous transactions across different locations.

Dark Web Cashout Services and Telegram Markets

Cashout has become a service industry. On Telegram channels and Dark Web forums, “cashout services” advertise their ability to convert stolen card data, account access, or fraudulent wire transfers into cash for a percentage fee, typically ranging from 20% to 50% of the face value.

These services handle the operational complexity of cashout on behalf of buyers who may have access to stolen data but lack the infrastructure or mule networks to convert it themselves. Bank insider services, which are cashout operations with a complicit employee at a financial institution, command premium fees because they can access and drain accounts with reduced friction.

How Do Financial Institutions Detect Cash-Out Fraud?

Transaction monitoring

Behavioral analytics applied to transaction data flags patterns consistent with cashout activity: rapid sequential withdrawals, unusual geographic spread of activity, and transactions just below reporting thresholds.
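The three patterns named above can be expressed as simple per-card rules over a withdrawal feed. The following is an added example, not SOCRadar's or any vendor's detection logic; the record layout, rule names, window size, and thresholds (including the reporting threshold) are all assumptions chosen for illustration, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All thresholds are illustrative assumptions, not values from the article.
WINDOW = timedelta(minutes=10)   # sliding window for velocity and geo checks
MAX_WITHDRAWALS = 3              # more than this per card per window is "rapid"
MAX_CITIES = 1                   # more than this per card per window is "geo spread"
REPORT_THRESHOLD = 10_000        # assumed reporting threshold
NEAR_MARGIN = 0.05               # "just below" = within 5% under the threshold

# Constructed sample withdrawal records: (timestamp, card_id, city, amount)
SAMPLE = [
    ("2026-06-20T02:00:00", "card-A", "city-1", 400),
    ("2026-06-20T02:02:00", "card-A", "city-1", 400),
    ("2026-06-20T02:03:30", "card-A", "city-2", 400),
    ("2026-06-20T02:05:00", "card-A", "city-3", 400),
    ("2026-06-20T09:15:00", "card-B", "city-4", 9_800),
    ("2026-06-20T12:00:00", "card-C", "city-5", 120),
    ("2026-06-21T12:00:00", "card-C", "city-5", 80),
]

def flag_cashout(records):
    """Return {card_id: sorted list of rule names that fired}."""
    by_card = defaultdict(list)
    for ts, card, city, amount in records:
        by_card[card].append((datetime.fromisoformat(ts), city, amount))
    alerts = defaultdict(set)
    for card, txs in by_card.items():
        txs.sort()
        start = 0
        for end, (ts, city, amount) in enumerate(txs):
            # Structuring: amount sits just under the reporting threshold.
            if REPORT_THRESHOLD * (1 - NEAR_MARGIN) <= amount < REPORT_THRESHOLD:
                alerts[card].add("near_threshold")
            # Advance the window start so it covers only the last WINDOW of activity.
            while ts - txs[start][0] > WINDOW:
                start += 1
            window = txs[start:end + 1]
            if len(window) > MAX_WITHDRAWALS:
                alerts[card].add("rapid_withdrawals")
            # One card seen in several cities within minutes cannot be one cardholder.
            if len({c for _, c, _ in window}) > MAX_CITIES:
                alerts[card].add("geo_spread")
    return {card: sorted(rules) for card, rules in alerts.items()}

if __name__ == "__main__":
    for card, rules in flag_cashout(SAMPLE).items():
        print(card, rules)
```

In production these rules would feed a risk score rather than alert directly, since fixed thresholds generate false positives for legitimate high-activity accounts.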

AI fraud detection

Real-time machine learning models score transactions as they occur, blocking high-risk transactions for manual review before they complete.

AML systems

Anti-money laundering monitoring looks for layering patterns, the use of multiple accounts and transfers to obscure the origin of funds, that are characteristic of cashout operations.

How Does SOCRadar Threat Intelligence Expose Cashout Networks?

SOCRadar’s Advanced Dark Web Monitoring tracks cashout services on Telegram and Dark Web markets. When new cashout services emerge, when existing services announce partnerships with specific carding markets, or when cashout networks specifically target certain financial platforms, this intelligence reaches security and fraud teams. Threat actor profiling connects cashout operations to the upstream fraud that generates the stolen data, enabling a more complete picture of the fraud chain.

Frequently Asked Questions

What is cashout in cybercrime?

Cashout is the final phase of fraud monetization, where cybercriminals convert stolen payment data, credentials, or fraudulently transferred funds into cash or untraceable cryptocurrency.

How do ATM cash-out attacks work?

Attackers either physically compromise ATMs through jackpotting malware, compromise bank backend systems to issue fraudulent withdrawal commands, or use stolen card data loaded onto prepaid cards that money mule crews withdraw simultaneously at multiple locations.

What is Ghost Tap?

Ghost Tap is a 2024 cashout technique that uses NFC signal relay technology to conduct contactless payment transactions with stolen card data at remote locations, without requiring a physical cloned card.