Just a month after the May 2021 Colonial Pipeline ransomware attack, the Department of Justice (DoJ) announced it had seized a large portion (63.7 bitcoins, valued at $2.3 million at the time) of the total ransom paid in the attack (75 bitcoins).
According to the FBI, the initial ransom payment was sent to a cryptocurrency address in two payments; from there, a transaction moved the funds to two other addresses, then to two more, and so on in intervals from May 8 to May 9, until the ransom had passed through at least 23 other addresses, with each transaction shedding a small portion of the total until 63.7 bitcoins remained. The FBI tracked these payments by reviewing the Bitcoin public ledger - the shared record of all transactions between participants on the network - until the ransom was transferred to a specific address for which the FBI held the private key.
The FBI’s affidavit gives an inside look into how ransom funds are transferred by cybercriminals after they have been paid - but also, importantly, how law enforcement is getting better at following the breadcrumbs of these payments. The U.S. government has put a heavier priority on ransomware over the past year, and cracking down on illicit cryptocurrency transactions - including ones that transfer ransomware proceeds - is a pivotal part of this strategy. In addition to implementing programs aimed at providing support for DoJ and FBI cases involving illicit cryptocurrency transactions, the government has also made efforts to snuff out several of the platforms used by cybercriminals to obfuscate their payments, including cryptocurrency exchanges and services that do not enforce certain anti-money laundering compliance measures.
“The U.S. government has taken this approach where they want to be a leader in the digital asset space… that said, they want to ensure that they’re going after the illicit actors who are trying to take advantage within this ecosystem,” said Ari Redbord, head of legal and government affairs with TRM Labs, a blockchain intelligence firm. “Where you’ve seen the most focus is what the Treasury Department has done going after the illicit underbelly of an overall growing crypto ecosystem… darknet markets, mixing services that are involved with darknet markets, non-compliant exchanges, that sort of world.”
When Bitcoin first emerged in 2009 as the first decentralized virtual currency, the revolutionary nature of the cryptocurrency meant that there were few restrictions and regulatory measures. This paved the way for an environment favorable to cybercriminals, who make illicit transactions tied to several malicious activities beyond ransomware, including (predominantly) the laundering of stolen funds, scams, darknet market transactions and fraud.
According to a report by Chainalysis, cryptocurrency-based crime hit an all-time high in 2021, with illicit addresses receiving $14 billion over the course of the year (up from $7.8 billion in 2020). It’s important to note that the growth of legitimate cryptocurrency usage is by far outpacing the growth of cybercriminal usage, with transactions involving illicit addresses representing only 0.15 percent of cryptocurrency transaction volume in 2021 (a figure that is also down from previous years), according to Chainalysis. However, that number may rise as Chainalysis researchers identify more addresses associated with illicit activity.
Over the years, authorities have started imposing more regulations on cryptocurrency exchange platforms, which are financial service platforms like Coinbase or Kraken that allow users to purchase or sell cryptocurrency, or convert cryptocurrency into fiat currencies. These cryptocurrency exchanges fall under the regulatory scope of the Bank Secrecy Act, which requires financial institutions to keep records of transactions to assist the government in fighting money laundering. Improved regulation of the cryptocurrency environment means that platforms are required to capture more information on users and transactions. Exchanges must register with the Financial Crimes Enforcement Network (FinCEN) and implement anti-money laundering/combating the financing of terrorism (AML/CFT) compliance controls, a set of regulations that financial institutions follow to detect and prevent money laundering. The Know Your Customer (KYC) guideline is one such measure: exchanges must keep records of essential facts about each customer. For cryptocurrency exchanges, the information required for buying cryptocurrency may range from a date of birth to a photo of valid government-issued identification.
"Regulations related to customer identification and money laundering prevention have been implemented and are applicable to all entities operating as regulated crypto exchanges in the United States," said Chris DePow, senior adviser of Financial Institution Regulation and Compliance with Elliptic, which provides blockchain analytics for crypto asset compliance. "At the state level, money transmitter regulations may apply and individual states, such as NY and WY, have instituted crypto-specific regulatory regimes. There is also extant guidance related to the interaction of traditional federally regulated banks and the crypto ecosystem, specifically around holding reserve assets for stablecoins. There is opportunity for regulatory enhancement with regard to consumer protection, market manipulation, and fraud."
Cybercriminals can still skirt these regulatory requirements by providing fake or stolen identities for KYC checks. Others may seek an easier alternative through offshore exchanges that are unlicensed and impose loose KYC processes or other requirements. Russia-based cryptocurrency exchanges Suex, Chatex and Garantex - all recently sanctioned by the Treasury Department - failed to put in place compliance controls like AML/CFT. Garantex, for instance, was linked to over $100 million in transactions associated with illicit actors, including $6 million from the Conti ransomware group and darknet markets, according to the Treasury Department.
Beyond these exchanges, cybercriminals are also using an array of obfuscation tactics to conceal their illicit transactions. These measures are continuing to become more sophisticated, particularly as law enforcement officials simultaneously step up their efforts.
“With ransomware, we are seeing an evolution in the payment mechanisms in this cat and mouse game,” said Jackie Burns Koven, head of cyber threat intelligence at Chainalysis. In one notable example, she said, “cybercriminals are catching on that their extortion addresses can be used against them.”
“Now, not only are unique addresses used for each victim but we’re seeing extortion addresses being provided in password-protected chats that are shielded from the outside world, whereas previously you would see a spammed campaign with a standard ransom note and a single cryptocurrency address being reused on multiple victims,” said Koven.
Cybercriminals have also turned to anonymity-enhanced cryptocurrencies (AECs), such as Monero, Dash and Zcash. These AECs (also known as privacy coins) focus on encryption and use an obfuscated public ledger, offering cybercriminals a higher level of anonymity.
However, these types of coins are still nowhere near the level of popularity of Bitcoin. FinCEN said in October that it had observed attackers providing both a Monero and a Bitcoin wallet address for ransomware payments, and imposing an extra fee - a 10 to 20 percent surcharge - on victims paying in Bitcoin. Other times, attackers would exclusively request payment in Monero, but would ultimately accept a payment in Bitcoin after negotiation. Overall, FinCEN said in a report that it observed 17 ransomware incidents where the attackers requested payment in Monero.
“While Bitcoin is still used in the majority of payments, a few ransomware strains now have added Monero,” said Koven. “But the liquidity of Monero is not conducive to large payments, and it’s also challenging to provide guidance for victims [to pay with Monero]. That’s why we’re still seeing Bitcoin as predominant.”
Cybercriminals are also relying on cryptocurrency mixers, which are services that, for a fee, pool cryptocurrency deposits from several different users and return them in randomized amounts. These mixer services (also known as tumblers) are legal and offer users more anonymity. CoinJoins, another technique, combine coins from different parties in a single Bitcoin transaction whose outputs mix up the addresses, making tracking more difficult. And a process known as chain hopping involves converting cryptocurrency and moving funds across blockchains in rapid succession, in a way that traditionally was difficult to follow.
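As an added illustration (not code from the article or from any firm quoted in it) of the ledger-following described in the Colonial Pipeline account above and of why the mixing techniques in this paragraph frustrate it, the Python below traces forward from a constructed ransom output through a hypothetical UTXO ledger, tallies the value shed as fees at each hop, and stops at a transaction whose equal-value outputs match the CoinJoin pattern. The ledger values, addresses and the equal-output heuristic are assumptions made for the example.

```python
from collections import Counter

BTC = 100_000_000  # satoshis per bitcoin; amounts below are integers in satoshis

# Constructed ledger (hypothetical values, not the real Colonial Pipeline transactions):
# txid -> (inputs as (txid, vout) outpoints, outputs as (address, satoshis)).
# Transactions with no inputs stand in for funds entering the traced graph.
LEDGER = {
    "c0": ([], [("clean_user", 30 * BTC)]),
    "t0": ([], [("victim_pay", 75 * BTC)]),
    "t1": ([("t0", 0)], [("hop_a", 74 * BTC)]),                       # 1 BTC fee
    "t2": ([("t1", 0)], [("hop_b", 44 * BTC), ("hop_c", 295 * BTC // 10)]),
    "t3": ([("t2", 0)], [("seized", 438 * BTC // 10)]),               # 0.2 BTC fee
    # t4 joins the tainted hop_c coins with clean_user coins into four equal outputs,
    # the CoinJoin pattern described in the text.
    "t4": ([("t2", 1), ("c0", 0)],
           [("cj_1", 10 * BTC), ("cj_2", 10 * BTC), ("cj_3", 10 * BTC),
            ("cj_4", 10 * BTC), ("cj_change", 19 * BTC)]),
}

def output_value(ledger, outpoint):
    txid, vout = outpoint
    return ledger[txid][1][vout][1]

def is_coinjoin_like(outputs, min_equal=3):
    """Assumed heuristic: several outputs of identical value suggest a CoinJoin."""
    return max(Counter(amount for _, amount in outputs).values()) >= min_equal

def trace(ledger, origin):
    """Forward 'poison' taint: every output of a tx that spends a tainted outpoint
    is tainted. Returns (unspent tainted outputs, satoshis shed as fees along the
    way, txids where tracing stopped because the funds were mixed)."""
    spent_by = {op: txid for txid, (inputs, _) in ledger.items() for op in inputs}
    frontier, tainted, visited, mixed, fees = [origin], {origin}, set(), [], 0
    while frontier:
        txid = spent_by.get(frontier.pop())
        if txid is None or txid in visited:   # unspent output, or tx already walked
            continue
        visited.add(txid)
        inputs, outputs = ledger[txid]
        fees += sum(output_value(ledger, i) for i in inputs) - sum(a for _, a in outputs)
        if is_coinjoin_like(outputs):
            mixed.append(txid)   # naive taint would spread to every participant here
            continue
        for vout in range(len(outputs)):
            tainted.add((txid, vout))
            frontier.append((txid, vout))
    unspent = sorted(ledger[t][1][v] for t, v in tainted if (t, v) not in spent_by)
    return unspent, fees, mixed

if __name__ == "__main__":
    print(trace(LEDGER, ("t0", 0)))
```

Running it reports the single unspent tainted output still attributable to the ransom, the 2.2 BTC lost to fees over the hops, and t4 as the point where the trail becomes ambiguous.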
“It’s like whack-a-mole between law enforcement and the tools they use, and criminals,” said Redbord. “You’re seeing money launderers use more and more sophisticated techniques to move money in crypto. There are so many of these types of techniques that bad actors are using today, and they’re also taking advantage of these non-compliant exchanges.”
However, he said, as bad actors become more effective, so do the tools law enforcement uses to counter these threats: tools that trace funds, link suspicious activity to real-world entities, and monitor crypto-asset transactions to flag ones potentially tied to malicious actors.
U.S. authorities have made some headway in their ability to track illicit cryptocurrency funds, with the Internal Revenue Service’s criminal investigation unit seizing $3.5 billion in cryptocurrency during fiscal 2021. In February, the DoJ seized $3.6 billion in Bitcoin connected to the 2016 Bitfinex hack - the largest recovery of stolen assets in cryptocurrency ever.
However, the government is also taking more proactive steps to root out the services that make up the backbone of illicit cryptocurrency transactions. Beyond its sanctions on exchange platforms Suex, Chatex and Garantex, the Treasury Department in May also issued its first set of sanctions against a virtual currency mixer called Blender.io, which was used by the North Korean state-sponsored Lazarus group in order to process over $20.5 million in illicit proceeds funneled from a $620 million virtual currency heist of a blockchain project linked to online game Axie Infinity. The mixer had also been used to help facilitate money laundering for various ransomware groups like Trickbot, Conti, Ryuk and Gandcrab, according to the Office of Foreign Assets Control (OFAC). The government also announced the takedown of the Hydra marketplace in April, which offered services for cryptocurrency mixing and laundering and for cybercriminals to withdraw illegal funds.
The implementation of new programs signals that the U.S. government will continue to crack down on illicit cryptocurrency transactions. In 2021, the DoJ announced the National Cryptocurrency Enforcement team, which is led by seasoned prosecutor Eun Young Choi and will identify and investigate DoJ cases involving the criminal use of cryptocurrency; while in February the FBI launched the Virtual Asset Exploitation Unit, a specialized team of cryptocurrency experts that will provide support and training for the FBI.
“We’ve seen meaningful steps by the U.S. government in cracking down on rogue exchanges that haven’t fulfilled their obligations, like transaction monitoring or KYC,” said Koven. However, she warned, “threat actors will flow to the path of least resistance… once these exchanges are shut down, the actors will eventually find the next one.”