How cybercriminals launder dirty crypto

Crypto mixers, nested exchanges, cash-out and other crypto-laundering methods used by ransomware operators.

The most popular ways to launder cryptocurrency

You can hardly call cryptocurrency an anonymous means of payment. After all, since all transactions (well, almost all; more on that below) are written to the blockchain, the movement of cryptocurrency is fairly easy to trace. There are specialized analytical tools that make it relatively convenient and easy to locate both the source and destination of such funds.

Aware of that, some ransomware victims assume that the best strategy is to pay the ransom, regain control over their corporate resources, and then go to law enforcement and simply wait while the investigation proceeds — leading, hopefully, to the funds eventually being returned back to their accounts.

Unfortunately, it’s not that simple. Cybercriminals invented various tools, techniques and services to compensate for the excessive transparency of blockchains. Those methods make it difficult or even impossible to trace cryptocurrency transactions. That’s what we’ll talk about today.

Intermediary crypto wallets

The simplest thing for cybercriminals to do with dirty crypto is spread it to fake wallets. In the case of very large-scale operations, such as the BitFinex hack or the Sky Mavis heist, we could be talking several thousand fake wallets.

But since all transactions are written to the blockchain anyway, using fake wallets doesn’t solve the problem of tracing funds. As such, this technique is usually deployed only in the early stages of laundering in order to, first, muddy the trail, and, second, break up large sums into smaller ones, which can then by laundered more easily in other ways.

Dirty crypto can often lie in those fake wallets for a long time. This is sometimes due to greedy cybercriminals waiting for the exchange rate to improve. In the case of transactions large enough to attract the attention of law enforcement, the reason is caution. Attackers try to keep a low profile until the scrutiny dies down and the funds become easier to withdraw.

Crypto mixers

Crypto mixers were invented with the express aim of solving the abovementioned problems of excessive blockchain transparency and insufficient privacy. They work as follows: incoming cryptocurrency transfers are poured into one “pot” and thoroughly mixed with funds coming in from other users of the service. At the same time, outgoing transfers of random amounts are made according to a random schedule and to completely different wallets, rendering it impossible to match incoming and outgoing amounts and identify transactions.

Clearly, this is a very effective method of dealing with dirty crypto. And although far from all crypto-mixer users are cybercriminals, illegal funds do account for a significant portion of the flows coming into crypto mixers; so significant, in fact, that in 2022 US regulators finally went after them, issuing sanctions on not one but two popular crypto mixers.

Large crypto exchanges

The overwhelming majority of transactions on crypto exchanges take place between internal client accounts, and are recorded in detail exclusively in these exchanges’ own databases. Only the summarized results of a whole bunch of such internal transactions ends up in the blockchain.

Of course, this is done to save both fees and time (blockchain bandwidth is limited, after all). But this means that any crypto exchange is a kind of natural crypto mixer: incoming and outgoing transfers can’t be matched using blockchain analysis alone. The thread by which the movement of funds can be traced is cut when a transaction enters an exchange.

On the one hand, this facilitates illegal activity. On the other, it adds considerable risks: by transferring funds to a major crypto exchange, cybercriminals no longer have full control over them. And since such exchanges generally cooperate with regulators and law enforcement, the chances of losing the spoils are well above zero. In addition, bona fide crypto exchanges always have a Know Your Customer (KYC) verification procedure, which only adds to the risks and difficulties associated with laundering funds.

Small crypto exchanges

An alternative option for cybercriminals is to use small crypto exchanges that are less inclined to meet regulatory requirements and define themselves as anonymous. Oftentimes, such exchanges turn into full-fledged crypto-laundering platforms.

But the more popular an exchange is with cybercriminals, the more likely it is to attract the unwanted gaze of law enforcement. What usually happens in the end is that the authorities’ patience wears thin, and they find a way to take the platform down. For example, earlier this year U.S. authorities arrested the owner of Bitzlato Ltd., an exchange that handled hundreds of millions of dollars of dirty crypto. And a significant part of that dirty crypto came from ransomware operators and crypto scammers. European police also seized and disabled the exchange’s infrastructure, thus putting an end to its activities.

Nested exchanges

Besides full-fledged crypto exchanges, there are also many so-called nested exchanges. These are essentially crypto-exchange intermediaries that allow users to trade cryptocurrency without the need to register exchange accounts.

Such services resemble brokers from the world of traditional finance, only in the crypto universe they’re used to ensure privacy – in particular, by bypassing KYC, which is mandatory for all clients of large crypto exchanges. Theoretically nested exchanges work not only for the benefit of cybercriminals, but the opportunity to elude unwanted questions naturally attracts the attention of those looking to launder ill-gotten gains.

DeFi: decentralized protocols

Lastly, another option for cryptocurrency launderers is to use decentralized finance protocols (DeFi). These lie at the heart of automated decentralized crypto exchanges that operate on the basis of smart contracts. The advantages for cybercriminals are obvious: decentralized exchanges (DEX) perform no client checks and don’t require account registration.

Another plus of DEX is that funds remain under the full control of their owners (unless there’s an error in the smart contract). True, there’s one big minus: all DEX-based transactions are written to the blockchain, so with some effort they can still be traced. As a result, the number of cybercriminals who resort to DeFi is quite low. That said, DeFi can be an effective component of more complex multistage money-laundering schemes.

Dark-web laundering services

In case you’re hoping that not every extortionist knows how to properly cover their financial tracks, we have bad news. Modern cybercrime is highly specialized. And there’s been a growing trend of late for cybercriminals to use underground services dedicated exclusively to laundering dirty crypto. They provide what can be called laundering-as-a-service: variants of the above schemes to obfuscate the movement of cryptocurrency, thus unburdening their clients of this task.

Laundering services advertise themselves on the darkweb and communicate with clients through secure messengers; everything is geared toward complete anonymity. According to even conservative estimates, such services last year raked in US$6 billion.

Cashing out

As you may already know, a paradox of cryptocurrency is that it can buy you an expensive picture of a monkey, but not a loaf of bread. Therefore, the end goal of any illegal cryptocurrency operation is to cash out. This represents the final stage of any laundering scheme: once cryptocurrency has been turned into ordinary fiat money, clearly it can no longer be traced by means of blockchain analysis.

There are many options here, and some of the above schemes provide such an outlet to the real world. When it comes to cashing out, both large and small crypto exchanges, nested exchanges that allow trading without opening an account, and dark-web laundering services that specialize in aiding cybercriminals (without specifying exactly how) can all be used.

What this means for ransomware victims

As you can see, cybercriminals have a wide range of means for laundering dirty crypto. And they’re not limited to using only one of above-mentioned methods at a time. On the contrary, most cybercriminals employ sophisticated, multistage laundering operations that use crypto mixers, intermediary wallets, exchanges and various cash-out methods all at once.

As a result, despite the best efforts of law enforcement, it’s often difficult to recover most of any stolen funds, even if an investigation is successful. So, in brief, don’t hope to see again any money you paid as a ransom. As always, prevention is the best form of defense: install a reliable security solution on all devices — one whose anti-ransomware capabilities have been demonstrated in independent tests.

Tips