Cybercriminals steal billions of dollars' worth of cryptocurrency every year through ransomware attacks, exploits and hacks.
But theft is just the first step in illicit crypto activity. Perpetrators then use a web of crypto mixers, chain-hopping services, scam tokens, and exchanges to launder their loot, hide their tracks, and eventually cash out.
What’s more, professional money-laundering operators are ready to help out for a fee.
“Many of these operators list their services on cybercriminal forums, often accessible only through the dark web,” Arda Akartuna, Senior Cryptocurrency Threat Analyst at Elliptic, the research firm, told DL News.
Law enforcement authorities worldwide are constantly playing whack-a-mole with their targets — when they catch up with one dark web forum and shut it down, thieves simply jump to other platforms like Telegram, Akartuna said.
As the cryptocurrency industry struggles to improve its image amid constant hacks and scandals, figuring out how cybercriminals escape with the loot is paramount. “Follow the money” may be an adage from the 1970s, but its message has never been more pertinent in the 21st century digital economy.
This year, online grifters have stolen more than $272 million from crypto projects, according to fresh data from DefiLlama. Those attacks include the $197 million Euler Finance exploit in March and the $7.4 million Hundred Finance exploit this month. Last year, hackers stole over $3.2 billion from DeFi protocols.
The crypto community is not alone in feeling criminals’ sting. In the world of cybercrime, cryptocurrencies have been ransomware gangs’ payment method of choice for years.
Last year, cybersecurity firm SonicWall tracked more than 493 million ransomware attacks across the globe and around 140 million cryptojacking attacks, in which hackers hijack victims' devices to mine cryptocurrencies for them.
That doesn’t even count unreported attacks where the victims “were too ashamed or couldn’t go to the press and risk reputational damage,” Meera Sarma, founder and CEO of cybersecurity research company Cystel, told DL News.
Chasing the bad guys
Law enforcement agencies are stepping up their efforts to catch the bad guys.
“Investigative agencies are continuing to ramp up their ability to seize cryptocurrency and stamp out financial crime in crypto,” Eric Jardine, cybercrime research lead at Chainalysis, the research firm, told DL News.
State agencies are also tapping the services of crypto forensic firms like Elliptic and Chainalysis to track down stolen funds and bring criminals to justice.
These efforts have enabled them to claw back stolen funds, shutter alleged money laundering rings, understand how cybercrime funds everything from Russian Neo-Nazi gangs to terrorist groups like Hamas and al-Qaeda, and arrest criminals.
This is forcing cybercriminals to develop new ways to stay a step ahead of the law and convert crypto to fiat cash as quickly as they can.
“[Once] a hack is known and the funds are attributed as stolen, it is possible to track their movement with high fidelity and ultimately to inform off-ramps that incoming funds originate with a hack,” Jardine said.
While crypto exchanges and other players are ready to freeze and block wallets and accounts linked to cybercrime, these platforms must first be alerted to the alleged illegality. That is not easy, because criminals usually cash out before the alert arrives.
“There really isn’t a lot they can do about it,” Hugh Brooks, director of security operations at CertiK, the smart contract auditor, told DL News.
This is why mainstream centralised exchanges continue to receive a large share of looted tokens, taking in almost half of the funds sent from suspicious addresses in 2022, according to Chainalysis.
Three options after a hack
Broadly speaking, bad actors have three options after a hack: buy services from other criminals; off-ramp the money after laundering it; or invest in new criminal enterprises.
The first option may be the most straightforward. Criminals use vendors on the dark web for everything from buying new ransomware tools to trading cryptocurrencies for cash, phone credit, or even gift cards.
“They may even sell equivalent sums from clean wallets in exchange for similar amounts in dirty wallets they know how to launder better,” Brooks said.
Off-ramping is trickier because thieves have to stay ahead of law enforcement investigators who may ask exchanges to lock down accounts.
To avoid raising the alarm, cybercriminals can hide their tracks in several ways, often using tools with legitimate uses.
“The most obvious trend we have observed more recently is chain and asset hopping, which is what we refer to as cross-chain crime,” Akartuna said. “This trend has risen simultaneously with the increasing popularity of decentralised finance.”
Chain-hopping means moving assets across blockchains, or swapping them for other assets within one, through services such as decentralised exchanges and cross-chain bridges.
Hacking groups, such as the infamous North Korean-backed Lazarus Group, abuse chain-hopping services to "obfuscate their transaction trails without having to provide any identification or pass [know your customer] checks," Akartuna said.
The value of money laundered annually through cross-chain crime is expected to jump 61% in the next two years, to $10.5 billion, according to Elliptic research.
Splitting up loot
Cybercriminals can split their loot across many smaller wallets and transactions to further muddy the waters. "This is called smurfing," Brooks said.
Smurfing enables criminals to drip-feed the cryptocurrencies to off-ramps, one deposit at a time. They can also send tokens through crypto mixers to further obscure their traces.
Crypto mixers blend many users' cryptocurrencies into one pool. Later, the funds are withdrawn to new addresses under the control of the user, breaking the on-chain link between deposit and withdrawal and creating a layer of privacy.
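To make concrete what "tracking their movement with high fidelity" looks like once funds are split, hopped and mixed, here is an added worked example in Python. It is not from the article, nor from Elliptic's or Chainalysis's tooling. It replays a constructed transaction ledger, carries "taint" from the hacker's address proportionally through every hop, and raises an alert whenever attributed funds land at an off-ramp. The addresses, the amounts, and the labelling of which addresses are exchange deposits, a swap service or a mixer are all assumptions built for the example.

```python
"""Proportional taint tracing over a constructed transaction ledger.

Added example, not from the article or from any investigator's tooling.
Everything in LEDGER and OFF_RAMPS is constructed sample data: the address
names are hypothetical and the amounts are in arbitrary units.
"""
from collections import defaultdict
from fractions import Fraction

# Constructed ledger in chronological order: (sender, receiver, amount).
LEDGER = [
    ("victim_protocol", "hacker_0", 100),   # the exploit drains the protocol
    ("hacker_0", "smurf_a", 40),            # loot split across smaller wallets
    ("hacker_0", "smurf_b", 35),
    ("hacker_0", "smurf_c", 25),
    ("smurf_a", "swap_service", 40),        # chain/asset hop through a DEX or bridge
    ("swap_service", "hop_out_1", 40),
    ("hop_out_1", "cex_deposit_1", 15),     # drip-fed to an exchange deposit address
    ("hop_out_1", "cex_deposit_1", 15),
    ("hop_out_1", "cex_deposit_2", 10),
    ("clean_user", "mixer_pool", 60),       # an unrelated user deposits into a mixer
    ("smurf_b", "mixer_pool", 35),          # stolen funds enter the same pool
    ("mixer_pool", "fresh_1", 50),          # withdrawals to fresh addresses
    ("mixer_pool", "fresh_2", 45),
    ("fresh_1", "cex_deposit_3", 50),
    ("smurf_c", "otc_desk", 25),
]

# Addresses an investigator has labelled as off-ramps (exchange deposits, OTC desk).
OFF_RAMPS = {"cex_deposit_1", "cex_deposit_2", "cex_deposit_3", "otc_desk"}


def trace_taint(ledger, origin, off_ramps):
    """Replay the ledger, carrying attributed ("tainted") value through every hop.

    Each outgoing transfer carries taint in proportion to the sender's current
    taint ratio, so splitting, hopping and re-merging do not shake it off. A
    mixer is just an address that pools many deposits, which is why its outputs
    come out only partly tainted. Senders with no tracked balance are treated
    as externally funded and clean. Exact Fractions avoid rounding drift.

    Returns (state, alerts): state maps address -> (balance, tainted_amount);
    alerts lists (off_ramp, amount, tainted_amount) for each deposit at an
    off-ramp that carries any attributed value.
    """
    balance = defaultdict(Fraction)
    tainted = defaultdict(Fraction)
    alerts = []
    for sender, receiver, amount in ledger:
        amount = Fraction(amount)
        if receiver == origin:
            dirty = amount                  # the theft itself: fully attributed
        elif balance[sender] > 0:
            dirty = amount * tainted[sender] / balance[sender]
            balance[sender] -= amount       # assumes the ledger never overdraws
            tainted[sender] -= dirty
        else:
            dirty = Fraction(0)             # externally funded sender, treated as clean
        balance[receiver] += amount
        tainted[receiver] += dirty
        if receiver in off_ramps and dirty > 0:
            alerts.append((receiver, amount, dirty))
    state = {addr: (balance[addr], tainted[addr]) for addr in balance}
    return state, alerts


def unaccounted(state, off_ramps):
    """Attributed value still parked at addresses that are not off-ramps."""
    return sum(t for addr, (_, t) in state.items() if addr not in off_ramps)


if __name__ == "__main__":
    state, alerts = trace_taint(LEDGER, "hacker_0", OFF_RAMPS)
    for off_ramp, amount, dirty in alerts:
        print(f"ALERT {off_ramp}: deposit {amount} carries {float(dirty):.2f} stolen "
              f"({float(dirty / amount):.0%} of the deposit)")
    print(f"still unaccounted for: {float(unaccounted(state, OFF_RAMPS)):.2f}")
```

Running it shows the drip-fed deposits at cex_deposit_1 and cex_deposit_2 flagged at 100% taint despite the split and the hop, while the deposit at cex_deposit_3 is flagged at only about 37%: the mixer pool held 35 stolen units against 60 clean ones, so each withdrawal inherits that ratio, and the remaining attributed value sits at the other fresh withdrawal address, not yet off-ramped. That dilution is the "layer of privacy" a mixer provides. Proportional attribution is only one heuristic; first-in-first-out and "poison" (treat any touch as fully tainted) rules give different answers for the mixer case, and real investigators combine them with exchange cooperation rather than relying on any one of them.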
In 2022, almost a tenth of all crypto addresses tied to illicit activity transferred their funds through mixers, according to Chainalysis. Last year, the US sanctioned the Tornado Cash mixer and Dutch prosecutors arrested its developer, Alexey Pertsev. He was released from detention this month and is expected to go on trial soon.
Illicit usage of mixers hit an all-time high in 2022, according to Chainalysis. The firm has also noted a rise of underground services that aren’t as publicly accessible or well-known as standard mixers, “as they are typically accessible only through private messaging apps or the Tor browser, and usually only advertised on darknet forums,” Jardine said.
Bad actors also use smaller high-risk exchanges with low or no background checks like Bitzlato to off-ramp the money. When US and French authorities, supported by Europol, cracked down on the exchange in January, they alleged that 46% of the assets — worth €1 billion — exchanged through Bitzlato had links to criminal activities.
Anatoly Legkodymov, the founder of Bitzlato, has denied the US money-laundering case against him.
Scammers gonna scam
Cybercriminals also invest stolen crypto in new scams. CertiK has, for instance, noticed a rise in one-day rug pulls.
A rug pull is essentially a scam where criminals pump a fake token to encourage victims to invest in it before disappearing with the funds and leaving the victim with a useless digital asset. Crooks can use the money stolen in a digital heist to inflate the value of those scams, luring innocent people to invest in them.
CertiK now tracks hundreds of these projects, although Brooks wouldn’t provide a specific figure.
Those scams also have the added benefit of further muddying the trail after a hack, and rug pulls are only one of a plethora of schemes that stolen cryptocurrencies can seed.
From buying things on the darknet to laundering cryptocurrencies before off-ramping the money and launching new schemes, cybercriminals won't run out of options for what to do with stolen cryptocurrencies any time soon.
“[Stealing] digital money is the perfect crime,” Jake Moore, global cybersecurity advisor at cybersecurity firm ESET, told DL News.