Inside The Wire

THE RUNDOWN

Headlines often feature articles that describe the downfall of FTX Trading Company, cryptocurrency scams, and the use of cryptocurrency by countries like Venezuela, Iran, and North Korea to bypass sanctions.

What these articles often do not describe is which techniques these bad actors use to evade sanctions, launder their money, or evade detection by law enforcement.

Cryptocurrency is a digital form of currency in which peer-to-peer transactions are added to a public ledger by participants in the network. Third parties referred to as “miners” approve a transaction between two parties, and once this is completed the transaction is added to the blockchain. Transactions on the blockchain can be seen by anyone, anywhere.

A user interested in transacting on the blockchain will be given a wallet which contains a public key (similar to checking account number) and private key (similar to debit card pin) which allows them to access funds located on the public blockchain. Cryptocurrency transactions work similarly to traditional money exchange services where individuals can send and receive funds and purchase goods and services.

Tactics, Techniques and Procedures

Contrary to popular belief, the exchange of cryptocurrency is not completely anonymous; it is pseudonymous. For example, a user’s activity on the blockchain can be tied back to any identifying information they provided when creating their initial cryptocurrency wallet. Much as when an individual opens a bank account, a cryptocurrency exchange such as Coinbase or Kraken will ask the individual for identifying information.

Illicit threat actors have come to understand that transacting on the blockchain has its risks. They have taken to nontraditional and unique methods to obscure their transactional activity.

The North Korean organization Lazarus Group was sanctioned by the Office of Foreign Assets Control for conducting state-sponsored cyber hacking activity in 2019. This group utilized the cryptocurrency mixer “Sinbad.io (Sinbad)” to process millions of dollars worth of stolen virtual currency. Sinbad also obfuscated transactions derived from other criminal activity such as child sexual abuse material (CSAM) and drug trafficking.

A cryptocurrency mixer is a service that combines the digital currencies from multiple users to obscure the source and ownership of the funds. The mixers essentially shuffle the funds which are then subsequently withdrawn to new wallet addresses. Crypto mixers are not specifically illegal in most countries and jurisdictions. While legally permitted in some areas, these mixers often pose challenges within the compliance realm.

Because blockchain transactions are open for anyone to analyze, criminals often utilize mixers to “muddy the water.” Without the use of a mixer or any other obfuscating technique, a criminal could theoretically be tracked down using a combination of blockchain analytic tools, solid investigative skills, and KYC information provided by an exchange.
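An added example, not part of the original newsletter: two basic blockchain-analytics heuristics run over a constructed ledger. All addresses and amounts are invented labels. It shows how a fund flow can be followed address to address until a mixer-style transaction dilutes the trace and misleads the common-input clustering heuristic.

```python
from collections import defaultdict

# Constructed ledger in chronological order. Each transaction spends from input
# addresses and pays output addresses. Labels and values are made up for illustration.
LEDGER = [
    {"id": "tx1", "inputs": [("theft_A", 10.0)], "outputs": [("hop1", 6.0), ("hop2", 4.0)]},
    {"id": "tx2", "inputs": [("hop1", 6.0), ("hop2", 4.0)], "outputs": [("deposit", 10.0)]},
    # Mixer-style transaction: several unrelated users pay in, equal-value outputs
    # go to fresh addresses, so no output can be matched to a particular input.
    {"id": "tx3",
     "inputs": [("deposit", 10.0), ("userB", 10.0), ("userC", 10.0), ("userD", 10.0)],
     "outputs": [("fresh1", 10.0), ("fresh2", 10.0), ("fresh3", 10.0), ("fresh4", 10.0)]},
    {"id": "tx4", "inputs": [("fresh3", 10.0)], "outputs": [("exchange_kyc", 10.0)]},
]

def cluster_by_common_input(ledger):
    """Common-input-ownership heuristic: addresses spent together in one transaction
    are assumed to be controlled by one entity. Returns {address: cluster_root}.
    Mixer/CoinJoin-style transactions deliberately violate this assumption."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a
    for tx in ledger:
        addrs = [a for a, _ in tx["inputs"]]
        for other in addrs[1:]:
            parent[find(other)] = find(addrs[0])
    return {a: find(a) for a in parent}

def trace_taint(ledger, tainted_source):
    """Proportional ('haircut') taint: each output of a transaction inherits the
    value-weighted share of taint carried by that transaction's inputs.
    A mixer with N equal-value participants cuts the taint of one deposit to 1/N."""
    taint = defaultdict(float, {tainted_source: 1.0})
    for tx in ledger:
        total_in = sum(v for _, v in tx["inputs"])
        tainted_in = sum(v * taint[a] for a, v in tx["inputs"])
        share = tainted_in / total_in if total_in else 0.0
        for addr, _ in tx["outputs"]:
            taint[addr] = share
    return dict(taint)

if __name__ == "__main__":
    print(cluster_by_common_input(LEDGER))
    print(trace_taint(LEDGER, "theft_A"))
```

Before the mixer the stolen funds reach the deposit address with 100% taint; after it, the withdrawal to the exchange carries only 25%, and the clustering heuristic wrongly groups the four mixer participants as one owner, which is why KYC records at the exchange remain the most reliable link back to an identity.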

Mixers are not the only tool criminals use to keep themselves away from prying eyes. Purchasers of CSAM have been known to utilize the cryptocurrency Monero as a means of flying under the radar. Monero is a privacy coin, one which utilizes various techniques to hide the individual behind the transaction. For example, a privacy coin may employ a one-time address for each transaction, making it difficult to link several transactions to a single individual. A privacy coin may also utilize confidential transactions, which do not display the transaction amount, making it difficult to analyze the flow of funds.

The dark web has traditionally been a marketplace for illicit goods and services, and cryptocurrency mixing services are plentiful there. One such service, referred to as “OnionWallet,” was identified; it is advertised as a free Bitcoin mixer. It is one of many advertised services that allow interested parties to conduct business anonymously. The service states that it does not implement any Know Your Customer (KYC) or Anti-Money Laundering (AML) policies, and that it is secure because a user’s Internet Protocol (IP) address is protected on the Tor network.

Some of the features of the wallet include:

  • Anonymous registration
  • Cold (offline) storage of Bitcoin
  • Personalized transaction PIN

Screenshot of Dark Web Marketplace advertising OnionWallet:

The service also states that individuals can initially purchase bitcoin via cash, wire transfer, or money order at Western Union through various URLs. A review of the provided URLs found that several of them have been shut down. The reason for the website closures is unknown and not provided.

Unlike creating an account at a larger cryptocurrency exchange such as Coinbase, where KYC information is collected and your private key is held by the exchange, illicit actors will also conduct business using a non-custodial wallet. With a non-custodial wallet, the private key is held only by the user. These wallets give the user complete control over their private key, making them entirely responsible for protecting their funds.

Illicit actors will also use a method referred to as “chain hopping” where funds on one blockchain are moved to another blockchain in an attempt to obfuscate the flow of funds. According to Elliptic and TRM Labs, both blockchain analytics firms, “nearly 7 billion dollars worth of illicit crypto transactions have been laundered via chain hopping.” Criminals are shying away from using Bitcoin as a means for processing transactions and instead utilizing lesser known cryptocurrencies. According to a report from TRM Labs, in 2016 approximately “two thirds of crypto hack volume was on Bitcoin; in 2022, it accounted for just under 3%, with Ethereum (68%) and Binance Smart Chain (19%) dominating the field. And while Bitcoin was the exclusive currency for terrorist financing in 2016, by 2022 it was all but replaced by assets on the TRON blockchain, with 92%.”

Among the tactics described above, chain hopping is becoming an increasingly popular method for criminals to launder their funds. In November 2023, the United States Secret Service uncovered a 9-million-dollar plot consisting of various romance scams perpetrated by the fraudsters. After the fraudsters obtained funds from their victims, they used a variety of techniques, chain hopping being one of them, to obscure the flow of funds.

Visual representation of chain hopping:

TAKEAWAY

The financial landscape is changing before our eyes. Third party payment processors are becoming more prevalent among users worldwide. Traditional banking services and the use of physical cash are slowly becoming phased out, and the introduction of virtual assets is slowly taking its place.

From the days of prohibition where bootleggers would meet in obscure places to trade goods, to widespread Paycheck Protection Program (PPP) loan fraud during COVID-19, threat actors have always found ways to thrive, evade law enforcement, and transact in a secure manner.

As cryptocurrency services are still novel and slowly expanding in popularity, criminals will want to utilize unconventional means to obscure their transactional history and payment patterns. As globalization continues to increase, tighter measures must be implemented to stop people from dealing in CSAM, cyber scams, and other illicit activity.