by Cezary Podkul

ProPublica is a nonprofit newsroom that investigates abuses of power. Sign up to receive our biggest stories as soon as they’re published.

Brian Maloney Jr. was flummoxed when he was served with a lawsuit against his family’s business, Middlesex Truck and Coach, in January. Maloney and his father, also named Brian, run the operation, located in Boston, which boasts that it can repair anything “from two axles to ten.” A burly man in his mid-50s who wears short-sleeved polo shirts emblazoned with the company name, Maloney Jr. has been around his dad’s shop since he was 8. The garage briefly surfaced in the media in 2012 when then-presidential candidate Mitt Romney made a campaign stop there and the Boston Herald featured Maloney Sr. talking about how he had built the business from nothing in a neighborhood he described as having been a “war zone.”

Now Middlesex was being sued by a New Jersey man who claimed he had been defrauded of $133,565 in a cryptocurrency scheme. The suit claimed Middlesex “controlled and maintained” a bank account at Chase that had been used to collect the fraudulent payment. The purported victim wanted his money back.

None of this made any sense to Maloney Jr. His company did not have an account at Chase, and he barely knew what crypto was. “For God’s sake, we fix trucks and still have AOL,” he would later say.

It was only after Maloney went to Chase to investigate that he was able to piece together at least part of the explanation. It turned out that Chase had allowed an unknown individual, who applied online with no identification, to open an account under Middlesex’s name, according to information Chase provided to Maloney. The account was then used to solicit hundreds of thousands of dollars from fraud victims, including the $133,565 from the man who was now trying to reclaim his funds.

Middlesex’s experience, as bizarre as it seems, is part of a global problem that plagues the banking industry. The account falsely opened in Middlesex’s name, and many others like it, are way stations in a sophisticated multistep money laundering process that transports cash from U.S. scam victims to crime syndicate bosses in Asia.

There’s been an explosion in international online fraud in recent years. Particularly widespread are “pig-butchering” schemes, as ProPublica reported in 2022. The macabre name derives from the process of methodically “fattening” victims by getting them to contribute more and more money to an investment scheme that seems to be succeeding, before eventually “butchering” them by taking all their deposits. Often operated by Chinese gangs out of prison-like compounds in Cambodia, Laos and Myanmar, pig-butchering in that region has reached a staggering $44 billion per year, according to a report by the United States Institute of Peace, and it likely involves millions of victims worldwide. The report called the Southeast Asian scam syndicates the “most powerful criminal network of the modern era.”

A huge portion of such fraud is transacted in cryptocurrency. But given that the typical consumer doesn’t own crypto, many scams unfold with a victim tapping a traditional bank account to wire dollars to swindlers, who receive the funds in their own accounts, then convert them into crypto to move across borders. Later in the process, the scammers will typically transfer their crypto back into standard currency.

Bank accounts are so crucial to this process that a thriving international black market has developed to rent accounts for fraud. That, it seems, is how a Chase account in the name of Middlesex ended up as a repository for the proceeds of pig-butchering.

The huge demand for accounts used for misbehavior gives banks a crucial, and not always welcome, role as gatekeepers — a responsibility required by U.S. law — to prevent criminals from opening accounts or engaging in money laundering. Yet from the U.S. to Singapore, Australia and Hong Kong, banks have consistently failed at that responsibility, according to experts who have investigated money laundering, as well as reviews of fraudulent account details shared by victims and court cases reviewed by ProPublica. The list of financial institutions whose accounts pig-butchering scammers have made use of includes global behemoths like Bank of America, Chase, Citibank, HSBC and Wells Fargo and many other U.S. and foreign lenders.

The banks said in statements to ProPublica that they make extensive efforts to fight fraud by investing in systems to detect suspicious activity and to report it to authorities (read the banks’ statements here). The American Bankers Association, which represents the industry, acknowledged that “with more than 140 million bank accounts opened every year bad actors can sometimes get through despite determined and ongoing efforts to stop them.” But the group said other industries like telecommunications providers and social media platforms need to do more to fight fraud because there’s only so much that financial institutions can do.

Pig-butchering scams present some unique challenges for banks. Among other things, a customer in thrall to a fraudster will sometimes foil their own bank’s attempts to prevent them from sending money to a criminal. And foreign-based scammers have become adept at finding middlemen in the U.S. to exploit the banking system. “Cyber-enabled fraud operations in Southeast Asia have taken on industrial proportions,” according to an October report by the United Nations Office on Drugs and Crime. John Wojcik, one of the authors of the report, told ProPublica, “Banks have never been targeted at this scale, in these ways.”

It doesn’t help that there are “no real standards as to what a bank has to do for detecting fraud or money laundering,” said Lester Joseph, a financial compliance consultant who used to oversee money laundering cases at the Department of Justice and later worked at Wells Fargo. The main law governing U.S. compliance regimes, the Bank Secrecy Act, requires financial institutions to maintain programs to know their customers and to detect and report suspicious activity to the government. That might mean noticing, say, that a newly opened account is suddenly receiving and sending hundreds of thousands of dollars of wire payments each month.

But it is up to banks to design those programs. The regulations don’t even require that the programs be effective. That gives banks wide flexibility on how much due diligence and monitoring to do — or not do. More scrutiny upfront means slowing down business and adding costs. Many banks don’t ask questions until it’s too late.

If you’re a criminal looking to obtain a bank account with no pesky formalities, it’ll take you only minutes to find one on the messaging app Telegram. Chinese forums there feature ads for “cars” or “fleets” — bank accounts or other online payment platforms that can be used to collect stolen funds. (The vehicle metaphor stems from the fact that in Chinese slang, money laundering operations are known as “motorcades.”) One Telegram ad offered accounts at PNC, Chase, Citi and Bank of America and boasted of “firsthand” control of the accounts: “People can go to the bank to transfer money,” the ad said.

Another Telegram channel listed various flavors of pig-butchering scams for which it provided bank accounts. The group, named KG Pay, boasted of accepting wire transfers, making withdrawals from U.S. banks........

© ProPublica