Introduction
A past conversation with an undercover federal agent who specializes in money laundering revealed staggering amounts of currency moving across geographic boundaries, skirting traditional Anti-Money Laundering (AML) processes. From local and transnational crime syndicates to presidential spouses and those looking to evade sanctions or tax regimes, the need to wash and move illicit funds into reputable banking channels has never been greater.
The FT’s recent AML coverage highlights the scale of the problem and provides timely background reading on money laundering networks, suspects, and indictments. One story is particularly relevant as it centers around proof of address compliance failures. Coincidentally, address verification is precisely the problem highlighted by a recent Recorded Future Payment Fraud Intelligence (PFI) report.
Big Fraud and a Hong Kong Address
The address in question is:
12th Floor, San Toi Building,137-139
Connaught Road Central, Hong Kong
The San Toi Building (and 12th-floor visual estimate) provided by Google Maps
The address is linked to two scam website (fraud) clusters—designated “Misspelled” and “Brand as a Cover”—which share merchant accounts and payment processing logic. The three merchant accounts include “‘CAMHUBSTORE’, ‘AQAPAY*xmvmxft,’ ‘SMARTTECHHK,’ and ‘gracefashionhub.’” Hundreds, if not thousands, of scam websites are connected to these merchants.
A scam website snapshot.
A victim articulates why Camhubstore is a scam site.
These merchant accounts that process payments for fraudulent, non-existent goods are tied to the 12th floor of the San Toi Building as the registered business address. The address is even placed directly on some of the sites as a contact address. Here’s where it gets interesting. The address is listed on the U.S. Treasury OFAC list for ties to an Iranian terrorism group.
The 12th floor is presumably large enough to house multiple businesses and likely sufficiently small such that businesses transit through reasonably often. Of course, it would be difficult to draw a direct connection between these merchant accounts and terrorism based on a shared space address. Still, other questions remain, namely: how are these scam merchants acquiring the ability to process payment cards when their physical address is on the OFAC list?
Remedying AML / KYC Compliance Failures
Knowing your customer (KYC) might be difficult when bad actors go to great lengths to obscure their identity and purpose, but this is an egregious case of acquiring banks and payment processors missing obviously problematic contact details.
Geoff White’s book, The Lazarus Heist, documented that even routine checks can lead to better outcomes. In it, White details North Korean hackers’ inability to transfer a more significant amount (hundreds of millions of dollars) from Bangladesh Bank to a bank branch in Manila because the branch is located on Jupiter Street, and “Jupiter” is also the name of a sanctioned Iranian shipping vessel. Addresses matter.
Suppose the US pursues a more friendly regulatory environment for cryptocurrencies under President Trump, and exchanges find it easier to acquire bank accounts. In that case, the potential for money laundering may explode without rigorous AML / KYC / KYT efforts. The SEC may have fewer teeth, but banks and processors are still gambling if anyone can obtain a merchant account with little to no compliance checks.
Indeed, the business incentives are aligned to offer maximum merchant accounts to generate more processing fees, and historically, compliance costs have eroded profitability. However, this may be an emerging opportunity for GenAI. Semi-autonomous agents trained to flag basic AML violations (for example, website contact details listed on OFAC, perhaps) and elastic agents that deploy on demand when a new merchant application is submitted would assist AML compliance efforts and help the financial services industry grappling with a tsunami of fraudulent merchant transactions.