Cornerstone June 2024 Issue #53

Homeland Security Investigations Cornerstone

June 2024 ISSUE #53

200 Plus HSI Special Agents

Designated HSI Cornerstone representatives across all HSI field offices.

Did You Know?

HSI, the principal investigative arm of the Department of Homeland Security, is responsible for investigating transnational crime and threats, specifically those criminal organizations that exploit the global infrastructure through which international trade, travel, and finance move. In 2023, HSI established the Cross-Border Financial Crime Center (CBFCC)—a public-private partnership—to strengthen the United States’ anti-money laundering framework. The CBFCC convenes federal law enforcement agencies, partner nation authorities, banks and financial institutions, and financial technology companies to promote collaboration on cross-border financial crime. The CBFCC is prioritizing efforts to identify, disrupt, and dismantle Chinese money laundering organizations (CMLOs) operating throughout the United States given the emerging threat they pose to the financial system and our nation’s security.



July 2024

Digital Payment Systems 

Email Logo

Want to schedule a Cornerstone presentation?

for more information.

HSI special agents are available to provide training and share red flag indicators, criminal typologies, and methods with businesses and industries that manage the very systems that terrorists and criminal organizations seek to edit this placeholder text.

Cash and Cart

Chinese Money Laundering Organizations (CMLOs) Abuse of Gift Cards

Stored value and retail gift cards are commonly exploited by Organized Theft Groups (OTGs), financial fraud networks, and Chinese Money Laundering Organizations (CMLOs).  Gift cards allow criminals to comingle proceeds generated from victim assisted fraud schemes and organized retail crime (ORC).  Once comingled, these funds can be rapidly transferred across the globe or used to purchase high-value products that can be exported for resale to parts of the world that enable money laundering activity.

Homeland Security Investigations (HSI), through its private-public partnerships with the retail industry, has identified the following scenarios which may assist industry partners with detecting and reporting this type of criminal activity.

Gift Card Abuse Scenarios

Scenario 1 – Victim Assisted Fraud (VAF):

Step 1:  U.S.-based victim is contacted by an India-based telemarketing group via computer or phone.

Step 2:  U.S. victim is lured into purchasing a legitimate gift card from a U.S. retailer and provides the redemption code to the telemarketing group.

Step 3:  The telemarketing group sells the gift card redemption code(s) to a CMLO for a portion of the redemption value.

Step 4:  The CMLO sends the gift card information to U.S. based cells to obtain consumer goods. 

Scenario 2 – Organized Retail Crime (ORC):

Step 1 (Takers):  U.S. based CMLO recruits and hires Chinese Nationals to operate as “takers” to physically remove un-activated gift cards from U.S. retailers.


Step 2 (Tamperers):  The “takers” send un-activated gift cards to U.S. based “tamperers.”  Using a variety of techniques, the tamperers extract the gift card from its packaging, replace the legitimate bar code with a bar code controlled by the CMLO, then repackage the gift card making it appear as if the gift card was unaltered.


Step 3 (Placers):  The tampered gift cards are sent to “placers” who place the tampered cards back on the sales rack inside a retail location.  Oftentimes, the taker and the placer are the same person and may commit both acts in a single store visit.  The cards are often indistinguishable from untampered cards until the gift card package is opened by the consumer after purchase. 


Step 4 (Checkers):  An unwitting consumer selects a tampered gift card and places funds on the card at the point of sale.  CMLO “checkers” use online balance checkers to monitor the bar codes of tampered cards to identify when funds are placed on the cards.

Step 5: Funds Convergence –VAF and ORC Funds are Comingled and Exchanged for Goods (Acquirers)

The CMLO sends the gift card information to “acquirers” who use virtual gift card wallets and/or images of the gift card bar codes acquired through VAF and ORC to obtain high-value consumer goods (e.g. Apple products) from U.S. retailers, often from states with no sales tax.

Step 6: Completing the Laundering Cycle - Goods are Exported and Sold (Senders).  CMLO Keeps the Proceeds.

Goods are consolidated at centralized U.S. locations, from which “senders” export the goods to the People’s Republic of China (PRC) via express consignment to Hong Kong for resale.  Upon sale, the proceeds are acquired by the CMLO.  

HSI Header

Project Red Hook

HSI and the retail industry are engaged in robust intelligence sharing specific to this fraud methodology under the auspices of Project Red Hook.  These efforts have successfully identified several CMLO cells and associated subjects who have been arrested by HSI and its state and local law enforcement partners. Investigative analysis indicates that these cells, often consisting of two to four individuals, can perpetrate millions of dollars in fraud in weeks. To that end, HSI is seeking information from the financial industry about this fraud methodology. 

Retailers and law enforcement are encouraged to report suspected incidents of CMLO-related gift card fraud to

Project Red Hook Outcomes

  • Since implementation of Project Red Hook in December 2023, HSI has supported the arrest of 83 subjects engaged in gift card tampering and draining activities that fall within the purview of the project.
  • These arrests have come as result of close coordination between HSI and affected retailers, brand holders, and financial services companies.
  • HSI is leading an effort to formalize these efforts through the establishment of a Gift Card Fraud Coalition (GCFC), a public-private partnership between law enforcement, retail, and the financial industry to combat all forms of financial fraud and criminal activity that involves retail gift cards.

Men Red Flag

Red Flag Indicators (In-Store)

The following red flags may be indicative of individuals attempting to commit gift card abuse:

  • Takers and Placers are typically males (20-35 years old) who are nationals of the People’s Republic of China (PRC).
  • If encountered by authorities, Takers and Placers are likely to present fake PRC passports, fake U.S. driver licenses, and claim no ability to communicate in the English language.
  • Takers and Placers arrive at the store location in a rental car, often bearing an out-of-state license plate. Vehicles encountered in this scheme are commonly registered to California and New York. 
  • Vehicle is occupied by 2 to 4 individuals who enter the store individually or in groups of 2.
  • Takers and Placers often wear apparel or accessories that enable them to store large quantities of gift cards on their person (e.g. cross-body satchel, “fanny pack,” heavy puffer-style jacket).
  • Takers and Placers will spend an excessive amount of time in the store areas where gift cards are sold without conducting legitimate business inside the retail establishment.
  • Takers and Placers will appear to be on a phone call with unknown third parties, with either their smartphone to their ear or using Bluetooth enabled ear-bud type devices.
  • The gift cards sought by Takers are often open-loop products (e.g. Visa, MasterCard) or brands that sell high-value products desired in the PRC, such as Apple, Target, Nike.
  • Placers will put tampered gift cards at eye-level in front of cards that have not been tampered.
  • Acquirers will conduct single transactions in-person that routinely exceed $10,000+ and involve unusually large quantities of high-value items, particularly, Apple products.
  • Acquirers will use multiple gift card bar codes in a single transaction. These bar codes may be presented in the following ways:  a physical card, a photographic image of a bar code, and/or a gift card wallet application on their smartphone. 
  • If questioned by retail employees at the point of sale, Acquirers are known to become verbally combative and cause a disturbance to pressure the employee to permit the sale.
  • Communications between perpetrators occur primarily through the WeChat messaging application.

Red Flag Indicators (Account Activity)

  • Chinese passport used to open a business checking account using a Limited Liability Company (LLC) structure and absent a business history or clear purpose.
  • Business address used for the account is associated with massage services.
  • Business or personal account reflects frequent charges for express shipping and consignment despite business purpose or stated personal employment not associated with such services.
  • Account holder lists their occupation as laborer, restaurant worker, hospitality worker, self-employed, or unemployed at account opening, then immediately commences purchasing negotiable instruments with large amounts of cash, non-commensurate with their employment status.
  • Account applicant or account holder creates a stir, becomes hostile, or loudly objects to Know-Your-Customer (KYC) questioning or requests for supporting documents by bank employees.
  • Customer claims no English language ability and uses smart phone translation applications for communications with bank employees. Does not answer or claims not to understand KYC questions. 

HSI encourages the public to report suspected suspicious activity through its toll-free Tip Line at 877-4-HSI-TIP.

Callers may remain anonymous.