Criminals are locked in battle with forensics firms tracking how Treasure Men, privacy wallets and gift cards are used to turn virtual hauls into hard cash
28 May 2021 – This past weekend we had a flurry of ransomware and cybersecurity articles in my weekend BONG! report, my weekly newsletter which highlights the more significant stories from the eDiscovery and information governance communities, with additional contributions from our cyber security and digital media communities. As usual, anything “cyber” gets great metrics and enormous numbers of click-throughs. Given current times, I am not surprised at the interest.
But one aspect I did not include was this: in the world of online crime, anonymous cryptocurrencies are the payment method of choice. But at some point, virtual hauls need to be turned into hard cash.
Enter the “Treasure Men”: the folks who help criminals cash out of cryptocurrencies. They are listed for hire on Hydra, the largest marketplace on the dark web by revenue, a part of the internet that is not visible to search engines and requires specific software to access. And at this point I want to give a big shout out to … well, unnamed sources in my Linkedin community who gave me the software and the connections to Hydra.
And, yes, there is some irony here. It is interesting how crypto is being singled out for money laundering. We should not forget that laundering occurs big time with all major currencies via many “legit” financial institutions that facilitate laundering located in the Caymans, Dubai, Geneva, London, Panama, Singapore, etc., etc.
So, how do the Treasure Men operate? Here is a brief mash-up of pieces from the Financial Times, Ars Technica and other sources:
* * * * * * * * *
Finding a Treasure Man is easy if you know where to look. They are listed for hire on Hydra, the largest marketplace on the dark web by revenues, a part of the internet that is not visible to search engines and requires specific software to access. Says Dr Tom Robinson, chief scientist and co-founder of Elliptic, a group that tracks and analyses crypto transactions:
“They will literally leave bundles of cash somewhere for you to pick up. They bury it underground or hide it behind a bush, and they’ll tell you the coordinates. There’s a whole profession.”
The Russian-language Hydra offers plenty of other ways for criminals to cash out of cryptocurrencies, including exchanging bitcoin for gift vouchers, prepaid debit cards or iTunes vouchers. The ability to hold cryptocurrencies without divulging your identity has made them increasingly attractive to criminals, and particularly to hackers who demand ransoms after breaking into companies. In 2020, at least $350m in crypto ransoms was paid out to hacker gangs, such as DarkSide, the group that shut down the Colonial Pipeline earlier this month, according to Chainalysis, a research group.
NOTE: the Colonial Pipeline hackers accepted payment in either Bitcoin or Monero, but for Bitcoin payments they demanded a 20% surcharge, since that is the cost of laundering it.
But at the same time, every transaction in a cryptocurrency is recorded on an immutable blockchain, leaving a visible trail for anyone with the technical knowhow. Several crypto forensics companies have sprung up to help law enforcement track criminal groups by analysing where the currencies flow to. These include: New York’s Chainalysis, which raised $100m at more than a $2bn valuation earlier this year; London-based Elliptic, which boasts Wells Fargo among its investors; and US government-backed CipherTrace.
Dark exchanges
In total, in 2020 some $5bn in funds were received by illicit entities, and those illicit entities sent $5bn on to other entities, representing less than 1 per cent of the overall cryptocurrency flows, according to Chainalysis. In the early days of cryptocurrencies, criminals would simply cash out using the major cryptocurrency exchanges. Elliptic estimates that between 2011 and 2019, major exchanges helped cash out between 60 and 80 per cent of bitcoin transactions from known bad actors.
By last year, as exchanges began to worry more about regulation, many of them bolstered their anti-money laundering (AML) and know-your-customer (KYC) processes and the share shrank to 45 per cent. Stricter rules have pushed some criminals towards unlicensed exchanges, which typically require no KYC information. Many operate out of jurisdictions with less stringent regulatory requirements or lie outside of extradition treaties.
But Michael Phillips, chief claims officer at cyber insurance group Resilience, said such exchanges tend to have lower liquidity, making it harder for criminals to transfer crypto into fiat currencies:
“The aim is to impose further costs on the business model”.
There is an array of other niche off-ramps into fiat currency. Analysis by Chainalysis suggests that over-the-counter brokers in particular help facilitate some of the largest illicit transactions — with some operations clearly set up for that purpose alone. Meanwhile smaller transactions flow through the more than 11,600 crypto ATMs that have sprung up globally with little to no regulation, or through online gambling sites that accept crypto.
Forensics firms
Against this backdrop, the crypto forensics firms use technology that analyses blockchain transactions, together with human intelligence, to work out which crypto wallets belong to which criminal groups, and map out a picture of the wider, interlocking crypto criminal ecosystem. With an overview of how criminals move their money, their research has shone a light in particular on how hackers are renting out their ransomware software to networks of affiliates, while taking a cut of any proceeds. Kimberly Grauer, head of research at Chainalysis, added that hackers are increasingly paying for support services from other criminals, such as cloud hosting or paying for the login credentials of their victims, with crypto, giving investigators a more complete picture of the ecosystem:
“There are actually fewer needs to cash out in order to sustain your business models. This means we can see the ransom paid, and we can see the splitting and going to all the different players in the system”.
Losing the trail
But cyber criminals are increasingly wielding their own high-tech tools and techniques in a bid to muddy the crypto trail that they leave behind them. Some criminals undertake what is known as “chain-hopping” — jumping between different cryptocurrencies, often in rapid succession — to lose trackers, or use particular “privacy coin” cryptocurrencies that have extra anonymity built into them, such as Monero.
Among the most common tools for throwing investigators off the scent are tumblers or mixers — third-party services that mix up illicit funds with clean crypto before redistributing them. In April, the Department of Justice arrested and charged a dual Russian-Swedish national who operated a prolific mixing service called Bitcoin Fog, moving some $335m in bitcoin over the past decade. Says Katherine Kirkpatrick, a partner at law firm King & Spalding with expertise in anti-money laundering:
“It is possible to untumble coins. But it’s highly technical and takes a lot of processing power and data”.
The “preferred obfuscation tool” in 2020 — which helped facilitate 12 per cent of all bitcoin laundering that year — was the highly sophisticated “privacy wallet”, which has anonymisation techniques including mixing capabilities built into it, according to Robinson of Elliptic:
“They’re basically a trustless version of a mixer and it’s all done within software. An open-source project called Wasabi Wallet was the dominant player in the space”.
What comes next?
Authorities “need to modernise forfeiture and asset freezes” so that it is easier for law enforcement to seize crypto from exchanges, said Tom Kellermann, head of cyber security strategy for VMware and cyber investigations advisory board member for the US Secret Service. Individual exchanges can today sign up to services from the forensics firms that will notify them of suspicious activity based on their intelligence.
But experts have in the past touted the idea of having shared blacklists of wallets known to be used by bad actors — a kind of Interpol alert, with exchanges, analytics groups and the government openly sharing information on their investigations in order to make this possible. Says Kemba Walden, assistant general counsel at Microsoft’s Digital Crimes Unit:
“Perhaps now is a better time to reconsider some of those policy initiatives”.
CONCLUDING THOUGHTS
As I noted above, there is some irony here. It is interesting how crypto is being singled out for money laundering. We should not forget that laundering occurs big time with all major currencies via many “legit” financial institutions that facilitate laundering located in the Caymans, Dubai, Geneva, London, Panama, Singapore, etc., etc. I would posit the number 1 currency used for illegal activity is still the U.S. dollar.
And there is nuance here. Privacy is not a crime. Not everyone will be able to own a UTXO in the near future, and those that do should have the right to privacy, just as people do with their bank accounts today. If you want to avoid a Facebook-style fallout of profiling, targeting, fake news and the like in the financial sector as money becomes predominantly digital, you want privacy. We cannot make the mistakes of the past, and must be willing to consider the many shades of grey inherent to data privacy. There is a big difference between conducting criminal activity and protecting yourself online.
And let’s not be blinded by “Western” eyes. We spend so much time criminalizing cryptocurrencies that we forget a key fact: they are the only palatable savings option for a great many people who can’t trust the traditional investment institutions in their country as far as they can throw them. Those who claim there is no use for digital currencies fundamentally do not understand the disconnect and antagonism between digital natives and the traditional financial space. Digital natives will need a digitally native set of asset classes.
Also, many of us feel the growing income inequality in a way that those deeply embedded in the industry of managing wealth simply never will. When our otherwise marginalized friends are making serious, life-changing returns on these supposedly decentralized assets, it feels like a rare opportunity to shift the balance of wealth towards something more equal. The specter of criminalized digital currency should not spoil the sector as a whole. Crypto is able to bank the unbanked.