Cryptomixers, nesting doll services, cashing out and other ways ransomware operators launder crypto-income.
As you know, cryptocurrencies are not anonymous at all. Since all transactions with them (almost all, but more on that below) are recorded in blockchains, the movement of funds is quite easy to track. There are specialized analytical tools that help to understand relatively easily and conveniently where financial flows come from and where they go.
Therefore, some ransomware victims may be under the illusion that it would be reasonable to pay the ransom, regain control over corporate resources, file a complaint with law enforcement at the same time - and then simply wait a little while for the investigation to be completed and the money to be returned.
Unfortunately, it's not that simple: to compensate for the "excessive" transparency of blockchains, a whole range of different tools, techniques and services have emerged that make it difficult or even impossible to track cryptocurrency transactions. We'll talk about them today.
Fake crypto wallets
The simplest thing cybercriminals can do with dirty crypto is send it to fake wallets. In the case of particularly large-scale operations, such as the BitFinex hack or the Sky Mavis heist, we can talk about several thousand wallets.
However, since all transactions are still recorded on the blockchain, transfers to dummy wallets do not prevent funds from being tracked. So this technique is usually used only in the first stages of laundering, in order, firstly, to confuse the traces, and secondly, to split large amounts into small ones, which will be easier to launder in the future using other methods.
Often, dirty crypto can be stored in fake wallets for quite a long time. Sometimes this happens because cybercriminals are greedy - they are simply waiting for a more favorable exchange rate. In the case of particularly high-profile operations that attract close attention from law enforcement, the reason is caution. The attackers try to lie low in the hope that over time the tension will ease and it will be easier to withdraw the funds.
Cryptomixers
Cryptomixers were invented precisely to solve the problem of complete transparency of the blockchain and, as a result, insufficient privacy of cryptocurrencies.
Crypto mixers work as follows. Incoming cryptocurrency transfers are poured "into a single pot" and thoroughly mixed there with all funds coming from other users of the service. Outgoing transactions of random amounts are made according to a random schedule and to completely different wallets. Thus, it is impossible to compare incoming and outgoing transactions by amounts and identify matches.
Obviously, this is an extremely effective way to work with dirty cryptocurrency. And although not all users of crypto mixers are cybercriminals, criminal funds make up a very significant part of the total incoming financial flow of crypto mixers. So significant that in 2022 American regulators finally took a close look at them: two popular crypto mixers were sanctioned at once.
Large crypto exchanges
The vast majority of transactions on crypto exchanges occur between clients' internal accounts on those exchanges and are recorded in detail exclusively in those exchanges' own databases. And only the total result of a whole bunch of such internal operations gets into the blockchain.
Of course, this is done to save commissions and time (after all, the throughput of the blockchain is not too high). But as a result, it turns out that any crypto exchange is a kind of natural cryptomixer: it is impossible to compare incoming and outgoing transfers using blockchain analysis alone. The thread that allows you to track the movement of funds breaks when the transaction arrives at the exchange.
On the one hand, this is very convenient for illegal activity. On the other hand, it also adds considerable risks: by depositing funds on a large crypto exchange, cybercriminals lose full control over them. And since such exchanges, as a rule, cooperate with regulators and law enforcement agencies, there is a non-zero chance of losing the proceeds altogether. In addition, serious crypto exchanges always have a verification system (KYC - the Know Your Customer procedure), which, of course, increases the complexity and risks for those trying to launder cryptocurrency.
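The two sections above describe the same tracing problem from the analyst's side: funds hop through dummy wallets (still visible on-chain) until they reach a custodial exchange or a mixer, where blockchain analysis alone can go no further. The following is an added example, not code from the original article, of a toy transaction-graph tracer over a constructed ledger; all addresses, transaction ids and attribution labels are made-up placeholders.

```python
from collections import defaultdict

# Constructed sample ledger: (txid, from_addr, to_addr, amount). Every
# address and txid is a made-up placeholder, not a real indicator.
LEDGER = [
    ("tx01", "victim", "ransom_addr", 10.0),
    ("tx02", "ransom_addr", "dummy_a", 6.0),
    ("tx03", "ransom_addr", "dummy_b", 4.0),
    ("tx04", "dummy_a", "dummy_c", 5.9),        # splitting/peeling: small losses per hop
    ("tx05", "dummy_c", "exchange_deposit_1", 5.8),
    ("tx06", "dummy_b", "mixer_in_1", 3.9),
    ("tx07", "dummy_b", "dummy_d", 0.1),
]

# Attribution labels an analysis team maintains (constructed for the example).
LABELS = {
    "exchange_deposit_1": "exchange",  # custodial: only the exchange's own DB continues the trail
    "mixer_in_1": "mixer",             # pooled: incoming/outgoing amounts can no longer be matched
}

def build_graph(ledger):
    """Adjacency list: address -> list of (txid, to_addr, amount)."""
    graph = defaultdict(list)
    for txid, src, dst, amount in ledger:
        graph[src].append((txid, dst, amount))
    return graph

def trace(start, ledger, labels):
    """Follow funds forward from `start` through unlabeled (dummy) wallets.
    Returns {endpoint: (kind, amount_in_last_hop, path)} where kind is a
    label from `labels`, or 'dormant_wallet' if the funds are parked unspent.
    Simplification: if an address is reachable by several paths, the first
    path found is the one recorded."""
    graph = build_graph(ledger)
    endpoints = {}
    stack = [(start, None, [start])]
    visited = set()
    while stack:
        addr, amount, path = stack.pop()
        if addr in visited:
            continue
        visited.add(addr)
        kind = labels.get(addr)
        if kind is not None:          # the on-chain thread breaks here
            endpoints[addr] = (kind, amount, path)
            continue
        outgoing = graph.get(addr, [])
        if not outgoing:              # no spend yet: funds waiting in a dummy wallet
            endpoints[addr] = ("dormant_wallet", amount, path)
            continue
        for _txid, dst, amt in outgoing:
            stack.append((dst, amt, path + [dst]))
    return endpoints

def summarize(endpoints):
    """Total amount per endpoint kind, rounded to hide float noise."""
    totals = defaultdict(float)
    for kind, amount, _path in endpoints.values():
        totals[kind] += amount or 0.0
    return {k: round(v, 8) for k, v in totals.items()}

if __name__ == "__main__":
    result = trace("ransom_addr", LEDGER, LABELS)
    for addr, (kind, amount, path) in result.items():
        print(f"{kind:15} {amount:>5} {' -> '.join(path)}")
    print(summarize(result))
```

The summary shows which share of the ransom can still be pursued through a request to the exchange, which share entered a mixer, and which share is simply parked in a dummy wallet waiting for a better moment, which is exactly the picture an investigator needs before deciding what to ask of whom.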
Small crypto exchanges
An alternative option for cybercriminals is to use small crypto exchanges that are in no hurry to meet the demands of the authorities and position themselves as anonymous. Often such exchanges end up becoming real cryptocurrency launderers.
But the more popular such an exchange is with cybercriminals, the more likely it is to attract the attention of law enforcement agencies. More often than not, the authorities eventually run out of patience and find a way to stop the operation of such a service one way or another. For example, in 2023 the owner of the Bitzlato exchange, through which hundreds of millions of dollars' worth of dirty cryptocurrency passed every year, was arrested in the United States. A significant part of these funds came from the income of ransomware operators and various crypto scammers. At the same time, European law enforcement officers seized and disabled the exchange's infrastructure, putting an end to its activities.
Financial nesting-doll services
In addition to full-fledged crypto exchanges, there are a significant number of nesting doll services. These are, in fact, intermediaries that are add-ons to crypto exchanges. They provide the opportunity to trade cryptocurrencies without opening accounts directly on the exchange itself.
Such services are a bit like brokers from the world of traditional finance, only in the crypto universe they are used to achieve privacy - in particular, to avoid the KYC procedure, which is mandatory for all clients of large crypto exchanges. Of course, the activities of the Matryoshka services are not limited to serving cybercriminals. But the opportunity to avoid answering unnecessary questions naturally attracts those who want to launder criminal money.
DeFi: decentralized protocols
Finally, another option for laundering cryptocurrency is the use of decentralized finance protocols (DeFi). Automated decentralized crypto exchanges, operating by means of smart contracts, are built on top of them. The advantages for cybercriminals are obvious: decentralized exchanges (DEX) do not check their clients in any way - to use their services you do not need to create any account at all.
Another advantage: when using DEX, the funds remain under the full control of their owners (unless, of course, there is an error in the smart contract). However, there is an important limitation: all transactions in DEX are recorded in the blockchain, so with some effort they can still be tracked. Therefore, as a rule, only a few cybercriminals resort to DeFi. However, using decentralized exchanges can be effective as one of the stages of a more complex laundering scheme.
Laundering services from darknets
If you are hoping that not every extortionist knows how to properly cover their financial trail, here too we have to disappoint you. Modern cybercrime prefers to specialize. Recently, the use of underground services that focus specifically on laundering dirty cryptocurrency has been gaining popularity among cybercriminals. In essence, they are something like Laundering-as-a-Service: they organize the various schemes listed above that make it difficult to track the movement of cryptocurrency, and thus take this task off their clients' shoulders.
To advertise their services, money laundering services use the darknet, and communicate with clients in secure messengers - in general, everything is designed for complete anonymity. According to conservative estimates, the turnover of such services last year amounted to 6 billion dollars.
Exit to fiat money aka cashing out
As we remember, you can buy a very expensive drawing of a monkey with cryptocurrency, but you won't be able to buy a loaf of bread. Therefore, the ultimate goal of any cybercrime involving cryptocurrency is to get to cash. And at the same time, this is the final stage of any laundering scheme: once the cryptocurrency has been converted into ordinary fiat money, it will obviously no longer be possible to track it using blockchain analysis methods.
There are many options here - several of the schemes above offer one way or another of getting out into the real world. For cashing out, both large and small crypto exchanges can be used, as can financial nesting-doll services that allow you to trade on an exchange without opening an account on it, and darknet money laundering services that specialize in working with cybercriminals (without disclosing how they actually do it).
What does this mean for ransomware victims?
As you can see, cybercriminals have a wide choice of means to launder dirty cryptocurrency. And of course, they do not have to use any of the methods mentioned. On the contrary, most criminals use complex multi-stage laundering operations, which simultaneously involve cryptomixers, fake wallets, several exchangers, and various cash-out options.
As a result, despite all the efforts of law enforcement agencies, it is often difficult to recover most of the funds even when the investigation is successful. Therefore, you should not count on being able to get back the money paid to the extortionists as a ransom. You should protect yourself from this threat proactively, and the most important part of this fight is installing a reliable security solution on all devices, one whose effectiveness in countering ransomware has been repeatedly proven by independent tests.