Assembling a diverse set of public, proprietary, and hand-collected data including dark web conversations in Russian, we conduct the first detailed anatomy of crypto-enabled cybercrimes and highlight relevant economic issues. Our analyses reveal that a few organized ransomware gangs dominate the space and have evolved into sophisticated firm-like operations with physical offices, franchising, and affiliation programs. Their techniques also have become more aggressive over time, entailing multiple layers of extortion and reputation management. Blanket restrictions on cryptocurrency usage may prove ineffective in tackling crypto-enabled cybercrime and hinder innovations. But blockchain transparency and digital footprints enable effective forensics for tracking, monitoring, and shutting down dominant cybercriminal organizations.

Wigglesworth comments:
Perhaps. But while it is true that blockchain transparency might enable arduous but effective analysis of crypto-enabled cyber crime, reading this report it’s hard not to think that the transparency remedy is theoretical, but the costs are real.

I have argued that the more "arduous but effective analysis" results in "tracking, monitoring, and shutting down" cybercriminals, the more they will use techniques such as privacy coins (Monero, Zcash) and mixers (Tornado Cash). Indeed, back in January Alexander Culafi reported that Ransomware actors increasingly demand payment in Monero:
In one example of this, DarkSide, the gang behind last year's Colonial Pipeline attack, accepted both Monero and Bitcoin but charged more for the latter because of traceability reasons. REvil, which gained prominence for last year's supply-chain attack against Kaseya, switched to accepting only Monero in 2021.

Below the fold I discuss both Cong et al's paper, and Erin Plante's $30 Million Seized: How the Cryptocurrency Community Is Making It Difficult for North Korean Hackers To Profit, an account of Chainalysis' "arduous but effective" efforts to recover some of the loot from the Axie Infinity theft.
Cong et al argue that:
A one-size-fits-all solution, such as restricting or banning cryptocurrency usage by individuals or organizations is problematic for three major reasons. First, this is not a national problem. Blockchains exist across multiple countries and harsh regulations in a particular country or jurisdiction have little or no effect outside that country. As we have seen from other global initiatives (e.g., carbon tax proposals), it is nearly impossible to get global agreement. Second, while an important problem, cryptocurrency plays a small role in the big picture of illegal payments. Physical cash is truly anonymous and, indeed, this may account for the fact that 80.2% of the value of U.S. currency is in $100 notes. It is rare that consumers use $100 bills and it is equally rare that retailers are willing to accept them. Third, and most importantly, expunging all cryptocurrency use in a country eliminates all of the benefits of the new technology. Even further, it puts the country at a potential competitive disadvantage. For example, a ban on crypto effectively eliminates both citizens and companies from participating in web3 innovation.

I would counter:
- The goal of cybercrime is not to amass cryptocurrency but fiat. Doing so involves organizations such as exchanges and banks that do respond to OFAC sanctions. The goal should be to ban the on- and off-ramps, making converting large amounts of cryptocurrency into fiat extremely difficult, risky and expensive.
- It is true that physical cash has excellent anonymity. But experts in illegal payments, such as drug smugglers, currently prefer cryptocurrency to cash as being more secure and more portable.
- This is the tell. Arguments in favor of cryptocurrencies always end up touting mythical future benefits such as "web3 innovation" to distract from the very large and very real negative externalities that they impose right now on everyone outside the crypto-bros in-group.
Cong et al divide the crimes they study into two groups:
In the first, hackers exploit weaknesses in either centralized organizations such as crypto-exchanges or decentralized algorithms, using this to siphon out cryptocurrency. For example, Mt. Gox, a Japanese crypto-exchange, was the victim of multiple attacks—the last one in 2014 led to loss of almost 850,000 bitcoins ($17b at the time of writing). In these types of attacks, coins are transferred to a blockchain address. Given that these transactions and addresses do not require real names, the attackers are initially anonymous. Indeed, the exploit is available for anyone to see given that the ledger of all transactions is public here. While the original exploit is completely anonymous (assuming the address has not been used before), the exploiter needs to somehow “cash out.” Every further transaction from that address is also public, allowing for potential deployment of blockchain forensics to track down the attacker.

It is the fact that it is in practice almost impossible, and in theory unsafe, to purchase real goods with cryptocurrency that forces cybercriminals to "cash out" to fiat. Hence the need for regulators to crack down on the on- and off-ramps.
They describe the second group thus:
Beyond stealing cryptocurrency via exchange and protocol exploits, traditional cybercriminal activities are now also enabled with a new payment channel using the new technology—the second opportunity our research focuses on. The use of cryptocurrencies replaces potentially traceable wire transfers or the traditional suitcase of cash, and is popular for extortion. Criminal organizations also use cryptocurrencies to launder money. According to Europol, criminals in Europe laundered approximately $125b in currency in 2018 and more than $5.5 billion through cryptocurrencies. The increasing cryptocurrency adoption also facilitates many other forms of cybercrime.

Again, the authors undercut their argument against regulation by acknowledging the advantages cryptocurrencies have over "the traditional suitcase of cash". Although Cong et al briefly survey both groups, they conclude that:
As of April 2022, Ransomware leads BTC payments with (42.5%), followed by Other (45.7%), and Bitcoin Tumbler (6.9%). If Other is excluded, Ransomware dominates cybercrime-related bitcoin activity with 86.7% of the total BTC payments.

Their detailed analysis of ransomware groups' business models and operations is fascinating and well worth study. But here I want to focus on their proposal for how to combat the scourge: chain analysis. They write:
In light of these issues, the remainder of the article delves deeper into the economics of ransomware, the most threatening and consequential form of crypto-enabled cybercrime, to provide insights relevant for digital asset owners and investors, as well as regulatory agencies and policymakers.
While addresses are anonymous initially, funds are often transferred from one address to another in order to “cash out.” All transactions are viewable and immutable - a key feature of blockchain technology. This opens the possibility of deploying forensic tools with a focus on tracking, monitoring, and identifying the crypto transactions attributed to criminals. Indeed, our research provides a glimpse of what is possible given the transparent nature of blockchains.
Plante's post first sets the scene:

One of the most troubling trends in crypto crime right now is the stunning rise in funds stolen from DeFi protocols, and in particular cross-chain bridges. Much of the value stolen from DeFi protocols can be attributed to bad actors affiliated with North Korea, especially elite hacking units like Lazarus Group. We estimate that so far in 2022, North Korea-linked groups have stolen approximately $1 billion of cryptocurrency from DeFi protocols.

Plante is celebrating Chainalysis' recent success:
With the help of law enforcement and leading organizations in the cryptocurrency industry, more than $30 million worth of cryptocurrency stolen by North Korean-linked hackers has been seized. This marks the first time ever that cryptocurrency stolen by a North Korean hacking group has been seized, and we’re confident it won’t be the last.

The details are interesting but it appears that this success was enabled by regulatory action:
The seizures represent approximately 10% of the total funds stolen from Axie Infinity (accounting for price differences between time stolen and seized), and demonstrate that it is becoming more difficult for bad actors to successfully cash out their ill-gotten crypto gains. We have proven that with the right blockchain analysis tools, world-class investigators and compliance professionals can collaborate to stop even the most sophisticated hackers and launderers.
However, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) recently sanctioned Tornado Cash for its role in laundering over $455 million worth of cryptocurrency stolen from Axie Infinity. Since then, Lazarus Group has moved away from the popular Ethereum mixer, instead leveraging DeFi services to chain hop, or switch between several different kinds of cryptocurrencies in a single transaction.

Why did OFAC sanctions cause Lazarus Group to avoid Tornado Cash? It is clearly not because they were worried that sanctions would apply to them. They worried that the exchanges they need to use to "cash out" would be penalized for accepting coins traceable to one of Tornado Cash's sanctioned addresses. The exchanges need access to the global banking system to accept and distribute fiat, and that access would be at risk if they transacted with a sanctioned Tornado Cash address. Note that a sanctions violation is a "strict liability" offence, so ignorance would be no excuse.
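To make the two mechanisms discussed above concrete, here is a toy version of both: following funds forward from a theft address through a public ledger, as in the Cong et al passage on "every further transaction from that address", and the exchange-side screening of incoming deposits for exposure to a sanctioned address that the Tornado Cash sanctions force on cash-out venues. This is an added example, not code from Cong et al, Chainalysis, or the original post. Every address label, transaction, and the sanctions list are constructed for illustration; the proportional "haircut" taint rule and the two-hop screening window are my own choices, not a description of any vendor's method.

```python
"""Follow-the-funds tracing and deposit screening over a toy public ledger.

Added example: not code from Cong et al, Chainalysis, or the original post.
Every address label, transaction, and the sanctions list below is
constructed for illustration; none is a real on-chain address or a real
OFAC listing.
"""
from collections import defaultdict, deque
from fractions import Fraction

# Constructed ledger, in chronological order: (txid, sender, receiver, amount).
# A real tracer would read this from a node or a block indexer.
LEDGER = [
    ("tx1", "victim_hotwallet", "thief_A", 100),         # the exploit
    ("tx2", "thief_A", "hop_1", 60),
    ("tx3", "thief_A", "hop_2", 40),
    ("tx4", "hop_1", "mixer_pool", 60),                  # into a (fictional) mixer
    ("tx5", "clean_user", "mixer_pool", 60),             # unrelated deposit to the mixer
    ("tx6", "mixer_pool", "hop_3", 60),
    ("tx7", "hop_3", "exchange_deposit_X", 60),          # cash-out attempt via the mixer
    ("tx8", "hop_2", "exchange_deposit_Y", 40),          # cash-out attempt, no mixer
    ("tx9", "honest_trader", "exchange_deposit_Z", 25),  # unrelated customer deposit
]

# Constructed stand-ins for the lists an exchange's compliance desk would hold.
SANCTIONED = {"mixer_pool"}  # assumption: the mixer's address is on a sanctions list
EXCHANGE_DEPOSITS = {"exchange_deposit_X", "exchange_deposit_Y", "exchange_deposit_Z"}


def trace_forward(ledger, source):
    """Every address reachable from `source` by following outputs, with one
    transaction path each (BFS): the 'every further transaction from that
    address is also public' observation made mechanical.
    Caveat: ignores timing, so on a real ledger it can over-approximate."""
    graph = defaultdict(list)
    for txid, sender, receiver, _ in ledger:
        graph[sender].append((txid, receiver))
    paths, queue = {source: []}, deque([source])
    while queue:
        addr = queue.popleft()
        for txid, nxt in graph[addr]:
            if nxt not in paths:
                paths[nxt] = paths[addr] + [txid]
                queue.append(nxt)
    return paths


def haircut_taint(ledger, sources):
    """Proportional ('haircut') taint: funds arriving at a source address are
    100% tainted; every later spend carries tainted/balance of the sender at
    that moment, so a mixer dilutes taint rather than erasing it.
    Returns {address: tainted fraction} for addresses still holding funds.
    Assumption: funding not visible in `ledger` is treated as clean."""
    balance, tainted = defaultdict(Fraction), defaultdict(Fraction)
    for _, sender, receiver, amount in ledger:
        amount = Fraction(amount)
        shortfall = amount - balance[sender]
        if shortfall > 0:              # unseen prior funding: assume clean
            balance[sender] += shortfall
        share = tainted[sender] / balance[sender]
        dirty = amount if receiver in sources else amount * share
        balance[sender] -= amount
        tainted[sender] -= amount * share
        balance[receiver] += amount
        tainted[receiver] += dirty
    return {a: tainted[a] / balance[a] for a in balance if balance[a] > 0}


def screen_deposits(ledger, sanctioned, exchange_deposits, max_hops=2):
    """Exchange-side check on incoming deposits: 'direct' if the sender is
    sanctioned, 'indirect' if a sanctioned address sits within `max_hops`
    transactions upstream, else 'clear'. 'clear' means no sanctions
    exposure only; it says nothing about theft proceeds (see tx8)."""
    upstream = defaultdict(list)
    for _, sender, receiver, _ in ledger:
        upstream[receiver].append(sender)
    report = {}
    for txid, sender, receiver, _ in ledger:
        if receiver not in exchange_deposits:
            continue
        if sender in sanctioned:
            report[txid] = "direct"
            continue
        frontier, seen, exposed = {sender}, {sender}, False
        for _ in range(max_hops):
            nxt = {p for a in frontier for p in upstream[a]} - seen
            if nxt & sanctioned:
                exposed = True
                break
            seen |= nxt
            frontier = nxt
        report[txid] = "indirect" if exposed else "clear"
    return report


if __name__ == "__main__":
    paths = trace_forward(LEDGER, "thief_A")
    for addr in sorted(EXCHANGE_DEPOSITS):
        print(addr, "reached via", paths.get(addr, "not reached"))
    for addr, frac in haircut_taint(LEDGER, {"thief_A"}).items():
        print(f"{addr}: {float(frac):.0%} tainted")
    print(screen_deposits(LEDGER, SANCTIONED, EXCHANGE_DEPOSITS))
```

Two things the toy run shows that the prose does not. First, the mixer halves the taint on its output (the pool held equal tainted and clean deposits) rather than removing it, which is why a sanctioned mixer address is still a useful screening signal. Second, the deposit that skipped the mixer (tx8) passes the sanctions screen as "clear" while carrying 100% theft taint: a sanctions list alone does not catch stolen funds, so the cash-out venue has to run theft tracing as well, which is the on-/off-ramp chokepoint the post argues for.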
Not wishing to rain on Chainalysis' parade, but $30M is 3% of the $1B that Chainalysis estimates North Korean groups have stolen from DeFi so far this year, and 0.3% of the running total at Molly White's Web3 is going just great. Plante notes:
Much of the funds stolen from Axie Infinity remain unspent in cryptocurrency wallets under the hackers’ control. We look forward to continuing to work with the cryptocurrency ecosystem to prevent them and other illicit actors from cashing out their funds.

There is clearly a long way to go before claiming that it is "Difficult for North Korean Hackers To Profit", let alone cyber criminals more generally. Despite all the focus on the blockchain, it is clear that the key vulnerability of cyber criminals is their need eventually to convert cryptocurrency into fiat. This was, for example, the undoing of Ilya Lichtenstein and Heather Morgan. Increasing regulation and its enforcement on the cryptocurrency on- and off-ramps is essential.