4.04 Illegal Activities in Crypto

The lesson is based on information from the 2022 ’Crypto Crime Report’ published by the blockchain data platform Chainalysis. The report's authors base their estimates on blockchain data and since bankruptcy and criminal proceedings related to the collapses of some companies are still ongoing, their transactions are not included in this year's 'Crypto Crime Report’. As a result, it focuses on illegal activities that can be tracked on-chain.

 

Contents

• Crypto Crime in 2022
• Sanctions
• Ransomware
• Money laundering
• Stolen funds
• Darknet market
• Scams
• Pump n Dump Tokens
• 2022 Cryptocurrency Crime Trends Summary

 

Crypto Crime in 2022

Last year, cryptocurrencies experienced disturbing market turbulences. The collapses of prominent companies, including FTX, Celsius and Three Arrows Capital, among others, created uncertainty among investors and attracted the attention of regulators. 

 

Despite the overall market slowdown, the volume of illegal transactions increased for the second consecutive year in 2022, reaching a record high of $20.6 billion. However, the report's authors point out that this is only the lower bound estimate, as the volume of illegal transactions is likely to increase with the discovery of new addresses linked to criminal activities.

 

It is worth highlighting that illegal activity in cryptocurrencies still represents a small share of the total volume of cryptocurrency transactions, amounting to less than 1%. It should also be noted that despite this year's jump, the share of crime in total cryptocurrency activity shows a downward trend.

 

Sanctions

43% of the volume of illegal transactions in 2022 came from activities related to sanctioned entities. 

Several cryptocurrency-related services were designated as sanctioned entities by OFAC (Office of Foreign Assets Control) in 2022. Three of them in particular are noteworthy because they highlight the unique challenges to sanctions enforcement against different types of cryptocurrency-related entities.

These include: 

• Hydra - darknet marketplace (at one time the largest darknet marketplace in the world based in Russia, facilitating drug sales and offering money laundering services),
• Garantex - cryptocurrency exchange (a high-risk cryptocurrency exchange based in Russia that was sanctioned for money laundering activities),
• Tornado Cash - decentralized mixer (a decentralized mixing service on the Ethereum blockchain that was sanctioned for facilitating money laundering, mainly of funds stolen by cybercriminals linked to North Korea).

Breakdown of the source of funds coming to each sanctioned entity in the 60 days preceding the imposition of sanctions on them:

• Hydra  

It showed by far the highest criminal activity of all three services, with 68.2% of all incoming funds coming from illegal addresses and 12.6% from risky ones.

• Garantex 

6.1% of the inflows came from illegal sources and 16.1% from addresses considered risky. While 6.1% may seem like a small share of total inflows, it represents a high figure compared to other centralized exchanges, which received an average of only 0.3% of funds from illegal sources during the same period.

• Tornado Cash 

34% of all funds sent to Tornado Cash came from illegal sources.

In the 60 days prior to the sanctions, Garantex and Hydra received funds from a wide variety of illicit entities, including fraud companies or individuals associated with ransomware.

During this period, Hydra received about $176,000 in cryptocurrencies from ransomware-related addresses, accounting for 2.2% of all funds sent by such addresses. Garantex, on the other hand, received $931,000 from ransomware-related addresses, representing 11.6% of all funds sent by such addresses. These figures show that these services - especially Garantex - were crucial to enabling ransomware attacks.

Tornado Cash was involved in illegal activities, focusing mainly on two types of cybercrime: hacking and scams. 99.7% of all illegal funds Tornado Cash received in the 60 days prior to being sanctioned were stolen funds. The Harmony Bridge hack that took place in June 2022 (about 45 days before Tornado Cash was sanctioned) brought about 65.7% of the total inflow of stolen funds to the mixer during this period.

Key findings: The impact of crypto sanctions depends on the jurisdiction and technical constraints.

• First, the Hydra case shows that sanctions can be extremely effective against entities with key operations in cooperating jurisdictions (Hydra's servers were located in Germany - German law enforcement coordinated with US agencies and seized Hydra's servers).
• Second, the case of Garantex illustrates what happens when international cooperation is lacking. It is difficult to effectively sanction entities whose home jurisdictions have no formal channels of cooperation with the sanctioning jurisdiction.
• Third, the cases of decentralized services (such as Tornado Cash) are more complicated. Sanctions against decentralized services act more as a tool to discourage use of the service, rather than cutting it off entirely.

 

Ransomware

Revenue from ransomware declines because more victims refuse to pay.

Ransomware attackers extorted at least $456.8 million from victims in 2022, down from $765.6 million the year before. The report's creators stress that the real totals are higher because there are cryptocurrency addresses controlled by ransomware attackers that have not yet been identified on the blockchain.

 

Although the data shows a clear decline in ransomware payments, this doesn't mean that these attacks decreased to the same extent. According to experts, the decline may be due to the fact that more and more organizations are refusing to pay ransoms to cybercriminals who use ransomware attacks.

What exactly is behind this change?

• Paying ransoms has become more legally risky (in terms of paying to sanctioned entities).
• The perspective of cyber insurance companies, which typically reimburse victims for ransomware payments (nowadays, companies must meet strict cyber security and backup measures to be insured against ransomware). While having an effective backup solution won't stop ransomware attacks or help in the event of data loss, it gives victims more options so they aren't forced to pay the ransom.

According to data, most ransomware attackers transfer the money they receive to major and centralized exchanges. 

• The share of ransomware funds going to major exchanges increased from 39.3% in 2021 to 48.3% in 2022.
• The use of illegal services, such as darknet marketplaces, to launder ransomware money also declined, while the use of mixers increased from 11.6% to 15%.

 

Evaluation of the ransomware ecosystem

While the multiplicity of existing strains of ransomware might indicate that competition in the market is high, the reality is otherwise - the number of ransomware attackers is probably quite small.

Most strains of ransomware operate on a Ransomware-as-a-service model, where the authors allow their software to be used by other cybercriminals, called affiliates, in exchange for a percentage of the profits. Many of the attacks are carried out by the same affiliate group, using different strains of ransomware.

In the Chainalysis Reactor chart below, the authors of the ’Crypto Crime Report’ showed an affiliate whose wallet received deposits from the Dharma, Conti and BlackCat ransomware strains at different times, indicating that the affiliate conducted attacks for all three strains.

 

Analyzing the ransomware data, it is possible to conclude that the ransomware ecosystem shouldn't be viewed as a collection of separate strains, but rather as a small group of hackers who frequently change their 'brand' (this phenomenon makes the ransomware sector appear larger than it really is).

 

Money Laundering

Ilegal addresses sent nearly $23.8 billion worth of cryptocurrencies in 2022, up 68% from 2021.

The purpose of cryptocurrency money laundering is to hide the origin of the funds so that it becomes difficult to link them to a crime. Ultimately, money laundering involves converting cryptocurrency into fiat currency and in most cases, it's done using cryptocurrency exchanges.

Cryptocurrency money laundering typically involves two types of entities and on-chain services:

• Intermediary services and wallets: These can include personal wallets (also known as non-hosted wallets), mixers, darknet markets and other services both legal and illegal. Cryptocurrency criminals typically use these services to, for example, temporarily store funds.
• Fiat off-ramps: This refers to services that allow cryptocurrency to be exchanged for fiat. This is the most important part of the money laundering process, as funds can no longer be tracked through blockchain analysis. Most fiat off-ramps are centralized exchanges.

 

Illegal addresses sent nearly $23.8 billion worth of cryptocurrency in 2022, up 68% from 2021. In most cases, major centralized exchanges were the recipients of the transfers, receiving slightly less than half of all funds sent from illegal addresses.

 

More and more illicit money is going into DeFi protocols, as DeFi protocols themselves were the most common target of attacks in 2022. As a result of such attacks, hackers typically end up with less popular tokens (mostly not listed on major, centralized exchanges), which require the use of decentralized exchanges (DEX) to exchange them for more popular cryptocurrencies.

Using mixers

Mixers are popular services used by cryptocurrency criminals, receiving 8% of all funds sent from illegal addresses in 2022. Last year, OFAC sanctioned mixers for the first time ever, first Blender.io and then Tornado Cash, for their role in laundering cryptocurrencies stolen by North Korea's Lazarus Group.

The sanctioning of known mixers may have contributed to two trends observed in 2022:

• the total amount of cryptocurrency sent to mixers dropped significantly, 
• the funds that actually went to the mixers were more likely to come from illegal sources.

Mixers processed a total of $7.8 billion in 2022, 24% of which came from illegal addresses.

It is also worth noting that the vast majority of illegal funds processed by the mixers consist of stolen funds, much of which were stolen by hackers linked to North Korea.

Concentration of money laundering at fiat off-ramp services

Fiat off-ramps, such as exchanges, allow criminals to convert cryptocurrencies into fiat currencies, which is probably their main target for money laundering. On the other hand, these services are among the most regulated and their compliance teams play a large role in detecting illegal activities, preventing the flow of illicit funds and exchanging them for cash.

In 2022 there were 915 unique fiat off-ramps receiving illegal cryptocurrencies (down from 1,124 in 2021). Of the illegal funds received by exchanges, 67.9% went to just five services, all of which are centralized exchanges.

"Underground" money laundering services are a growing concern

Another trend in money laundering, as observed by Chainalysis, is the growth of underground services that are not as publicly available or well-known as standard mixers (usually accessed through the TOR browser and mostly advertised only on darknet forums). Such services typically move cryptocurrencies to exchanges on behalf of cybercriminals, exchange them for fiat currency or "clean" cryptocurrencies, and then send them back to the cybercriminals.

 

Stolen Funds

2022 the biggest year in history for cryptocurrency thefts with a total value of $3.8 billion.

 

DeFi protocols the biggest victims of hacking

Over the previous year, 82.1% of the total amount stolen by hackers came from DeFi protocols, amounting up to $3.1 billion (an increase from 73.3% in 2021). The report's authors point out that 64% of these stolen funds came from cross-chain bridge protocols. Bridges are attractive targets for hackers because smart contracts become powerful, centralized collections of funds supporting assets that have been "bridged" to a new chain.

How to make DeFi safer?

Recommended solutions:

• DeFi code auditing by third-party providers;
• testing protocols with simulated attacks;
• closely monitoring of the mempool for suspicious activity on smart contracts.

The report indicates that regulators can also play a significant role here and can help make DeFi more secure by setting minimum security standards that protocol developers would have to follow.

Hackers linked to North Korea

Hackers linked to North Korea (such as those on the Lazarus Group) broke their own records in 2022, stealing cryptocurrencies worth an estimated $1.7 billion. Most experts agree that the North Korean government is using these stolen funds to fund its nuclear weapons programs.

$1.1 billion of that total was stolen through hacks of DeFi protocols. The reason hackers linked to North Korea tend to send much of what they steal to other DeFi protocols is that during their attacks they acquire large amounts of non-liquid tokens that are not listed on centralized exchanges. Hackers must therefore turn to other DeFi protocols (usually DEX) to exchange them for more liquid assets.

Hackers linked to North Korea pose a serious threat to the cryptocurrency ecosystem. However, law enforcement agencies are able to fight them more and more effectively. An example of this was the seizure of $30 million worth of funds stolen by North Korean hackers who carried out an attack on the Axie Infinity Ronin Bridge. This was the first such incident in history, which shows that law enforcement agencies have increasing capabilities to fight cryptocurrency-related crimes.

 

Darknet Markets

In 2022, there was a decrease in revenue from the previous year for darknet markets.

The darknet market's revenue in 2022 closed at $1.5 billion, down from $3.1 billion in 2021.

 

Hydra Market led as the highest-earning darknet market in 2022, despite being sanctioned by OFAC and shut down in a combined US-German operation in April - no other market beat their revenue advantage.

The report, prepared by Chainalysis, explains that Hydra offered legitimate business-style service to its customers, providing amenities and customer care. For example, Hydra offered a service that allowed users to check drug purity. In addition, Hydra provided a Telegram bot that could help users in the event of an overdose, and also helped vendors contact lawyers.

The closure of Hydra resulted in a decline in darknet market revenue across the sector - average daily revenue for all markets fell from $4.2 million to $447,000 immediately after Hydra's closure.

 

Scams

Cryptocurrency scam revenue dropped 46% in 2022.

Although scams remain the largest form of cryptocurrency-based crime, revenues from this area dropped significantly from $10.9 billion in the 2021 to $5.9 billion in 2022. It should again be emphasized that the numbers indicated are the lower end of estimates and are likely to change as Chainalysis identifies more addresses related to these activities.

Despite the fact that revenues from this category declined in 2022, several very ‚successful’ scams were observed, the largest of which was Hyperverse, which brought in nearly $1.3 billion in revenue. In 2022, investment fraud dominated as a major category and contributed the most revenue among all illegal activities in this area.

A brief overview of the categories of scams that Chainalysis tracks:

• Giveaway scams - scammers impersonate celebrities and promise more cryptocurrency in exchange for sending them funds.
• Impersonation scams - fraudsters pretend to be someone in a position of authority - telling victims that they need to send them funds to fix a problem or avoid trouble.
• Investment scams - scammers promote a fake investment company with the promise of huge profits.
• NFT scams - fraudsters trick victims into buying fake NFTs that are supposed to resemble notable collections.
• Romance scams - scammers pretend to build a romantic relationship with the victim to convince him/her to send them money. They can also include 'pig butchering scams' which combine elements of romance and investment fraud.

 

The average deposit taken from romance scam victims was nearly $16,000, almost triple the next closest category.

Revenue from scams usually correlates with the price of Bitcoin, but not every type of crime follows the same pattern. For example, romance scams are more about building a personal relationship with the victim. The victim's main goal is not to get rich quick, but rather to help a person they consider to be a potential partner.

 

Pump ‘n Dump Tokens

24% of new tokens launched in 2022 had features of ’pump and dump’ schemes.

In the world of cryptocurrencies, the use of "pump and dump" schemes (artificially raising the price to attract investors, followed by the sale of tokens by their creators, causing a sharp drop in value and losses for investors) has become common. This is due to the ease with which fraudsters can launch a new token into the market and artificially inflate its price and market capitalization by controlling the volume of trading and supply of the token. Many projects and tokens are launched by anonymous teams, allowing criminals to conduct many such scams.

Last year, more than 1.1 million new tokens were launched on the market. However, most of them failed to gain popularity among the cryptocurrency community, which was measured by the number of swaps made on exchanges.

Of the 1.1 million tokens launched in 2022, the report's creators, based on specific criteria, identified 40,521 tokens that gained enough popularity on DEXes to be analyzed. It turned out that 9,902 of them, that is 24%, experienced a price drop in the first week after their launch, indicating that they were created to scam others (using a ’pump and dump’ scheme).

The report's creators found that 445 individuals or groups were responsible for nearly 10,000 suspicious tokens launched in 2022.

The most active suspected pump-and-dump token creator identified launched 264 tokens in 2022.

 

2022 Cryptocurrency Crime Trends Summary

• The volume of illegal transactions reached a record high of $20.6 billion.
• 43% of the volume of illegal transactions came from activity related to sanctioned entities.
• Revenue from ransomware declined as more victims refused to pay.
• Illegal addresses sent nearly $23.8 billion worth of cryptocurrencies, up 68% from the previous year.
• 2022 was the biggest year ever in terms of cryptocurrency theft, with a total value of $3.8 billion.
• There was a decrease in revenue from the previous year for darknet markets.
• Cryptocurrency scam revenue fell by 46%.
• 24% of new tokens launched had features of ’pump and dump’ schemes.

Criminal activity in cryptocurrencies accounts for less than 1% of total cryptocurrency transaction volume and despite this year's spike, its share of total cryptocurrency activity is on a downward trend.