Unchained - The Rogue 100: How Cryptocurrency Criminals Cash Out - Ep.156
Episode Date: January 28, 2020
Jonathan Levin, co-founder and CSO of Chainalysis, and Kim Grauer, head of research, discuss the company's 2020 Crypto Crime Report, which explores how cryptocurrency criminals, who perpetrate hacks and scams and send out ransomware and more, cash out. We cover how criminals are turning their illicit crypto into fiat currency, why exchanges are a prime avenue for money laundering, and how over-the-counter brokers are playing a large role. They talk about a group of OTC brokers they describe as the Rogue 100, what their transactions look like, and what can be done to help stop criminals from cashing out. Jonathan and Kim talk about the PlusToken scam, the largest Ponzi scheme in crypto, and how Chainalysis determined that it was likely driving down the price of Bitcoin. They also explain the trends in exchange hacks and how the most prolific hackers have grown more sophisticated, giving some examples of how the Lazarus Group, a cybercriminal syndicate linked to the North Korean government, has become more advanced. Finally, we also discuss ransomware and terrorism financing and what trends they are seeing there. Thank you to our sponsors!
CipherTrace: https://ciphertrace.com/unchained
Kraken: https://www.kraken.com
Crypto.com: https://crypto.com
Episode links:
Chainalysis: https://www.chainalysis.com/
Jonathan Levin: https://twitter.com/jony_levin
Kim Grauer: https://twitter.com/KimberlyGrauer
Previous Unchained interview with Jonathan: https://unchainedpodcast.com/how-chainalysis-helps-solve-crimes-jonathan-levin-tells-all-ep-62/
Unconfirmed episode on how Bitcoin led to the demise of the largest child porn site: https://unchainedpodcast.com/how-bitcoin-led-to-the-demise-of-the-largest-child-porn-site/
Money laundering report: https://blog.chainalysis.com/reports/money-laundering-cryptocurrency-2019 and https://fortune.com/2020/01/15/crypto-criminals-brokers-launder-billions/
Exchange hacks report: https://blog.chainalysis.com/reports/cryptocurrency-exchange-hacks-2019
Unchained interview with Priscilla Moriuchi on why North Korea is interested in cryptocurrency: https://unchainedpodcast.com/why-north-korea-is-interested-in-cryptocurrency/
PlusToken report: https://blog.chainalysis.com/reports/plustoken-scam-bitcoin-price
Terrorism financing report: https://blog.chainalysis.com/reports/terrorism-financing-cryptocurrency-2019
Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Hi everyone. Welcome to Unchained, your no-hype resource for all things crypto. I'm your host, Laura Shin. If you enjoy Unchained or Unconfirmed, my other podcast, which now features a weekly news recap for every show, please give us a top rating or review in Apple Podcasts or wherever you listen to Unchained.
CipherTrace's cutting-edge cryptocurrency intelligence powers anti-money laundering, blockchain analytics, and threat intel.
Leading exchanges, virtual currency businesses, banks, and regulators themselves use CipherTrace to comply with regulation and to monitor compliance.
Crypto.com, the crypto super app that lets you buy, earn, and spend crypto in one place.
Get a metal MCO visa card with up to 5% back on all your spending. Download the crypto.com app today.
Kraken is the best exchange in the world for buying and selling digital assets.
It has the tightest security, deep liquidity, and a great fee structure with no minimum or hidden fees.
Whether you're looking for a simple fiat on-ramp or futures trading, Kraken is the place for you.
Today's guests are Jonathan Levin, co-founder and CSO of Chainalysis, and Kim Grauer, head of research.
Welcome, Jonathan and Kim.
Hey, Laura.
Hey, Laura.
Thanks for having us.
You're in the middle of releasing your big 2020 Crypto Crime Report, and it's been making waves.
Congrats.
Why don't we just start with a brief description of what Chainalysis does overall?
And then why don't you talk about what the Crypto Crime Report is and how that fits into your overall work?
Sure.
So, Chainalysis is the blockchain analysis company.
We provide compliance and investigation software to the world's leading institutions, including government agencies, financial institutions, and cryptocurrency businesses. Essentially, we're empowering everyone to prevent money laundering and comply with regulations to ensure that there can be a fair and open marketplace for cryptocurrencies. And that really entails us mapping out how cryptocurrencies are used in the real world and understanding the different use cases, from the legitimate use cases to the illicit uses of cryptocurrency.
The 2020 Cryptocurrency report is really about mapping out how different actors are
abusing cryptocurrencies to further their aims. And we unpack different types of money laundering,
hacks, scams, and other types of illicit activity to give everyone an idea about how much
is going on, what trends are changing, but also to put that in context of,
how is this related to the overall cryptocurrency economy?
So big picture, what trends are you seeing in crypto crime now,
especially compared to previous eras in crypto?
So I think we essentially like to track the different types of activity
that are consistent across the different years.
And we've definitely touched on,
this year we're really focused on what are the actual money laundering schemes
that are enabling this type of criminal and illicit activity.
So we have focused a lot of this report, at least primarily on, you know, what is financial crime?
How are criminals taking their proceeds from, you know, whether it be scams, whether it be
hacks into exchanges or ransomware, and how actually are they moving then out of cryptocurrency
into the traditional financial ecosystem.
And that's where we've spent quite a lot of this report
and being able really for the first time to map out
how those different types of actors are taking different steps
to move from cryptocurrency into traditional finance.
Okay, so before we go a little bit into more detail,
I also wanted you to define crime,
for the purposes of your report. You know, you name some things like ransomware and hacks and
scams and stuff, but could you kind of give, I guess, a list, or maybe not a list, but, you know,
just identify which transactions you're calling criminal and also which cryptocurrencies you're
tracking, because I imagine you can't track all of them.
Sure. So in this piece of research that we'll talk about, it's really about where cryptocurrency
has actually been directly used to perpetrate a crime.
So for that, we're thinking about terrorist financing.
Has someone actually raised in a public campaign,
the financing for an act of terror,
has some cryptocurrency been stolen from one of the exchanges in a hack?
We also identify something like ransomware, where the crime is that someone has had a computer
locked and the payment and the extortion is paid in cryptocurrency.
The majority of the activity that we track in this report is Bitcoin, but it also extends to
other different cryptocurrencies.
We track around 50 different cryptocurrencies.
And actually, whether it's in the report or in the background research, we're really looking at
all of those different cryptocurrencies to see what types of illicit activity is occurring on
those blockchains.
And when you say it's mostly Bitcoin, is that because that's what's primarily used or
because that's where you have the best analytics?
So we focus our analytics on where the majority of the economic activity is.
And so our best analytics is in Bitcoin, but it is also the predominant way that people are moving value across the world, whether it's for legitimate purposes, but also for illicit uses.
And we also see that the most liquid markets and some of the amounts of money that we're talking about in this report are fairly large sums into the billions of dollars.
And there you need the market that has the most liquidity.
And that has meant that Bitcoin is still really predominant in the world of illicit activity and cryptocurrencies.
And when I asked you for which types of activity you would count as criminal, you didn't mention dark net market activity where I believe Monero is quite popular.
Is that also included?
So yes, we also do track that.
We have still in the dark net markets, there's actually not a lot of activity beyond Bitcoin.
So the dark net markets are definitely evolving in their business models and how they store cryptocurrency.
But typically, if they want to be able to access a large audience
of buyers, the vendors themselves are still accepting Bitcoin because that's where the majority of
users are still comfortable to spend their cryptocurrency.
All right. So now let's dive into some of the finer details of the report. As you mentioned,
the money laundering aspect is kind of a linchpin of these crimes since obviously the crime isn't
really complete until they have the money in fiat, which they can use more easily. So how are these
criminals generally cashing out of their crypto nowadays?
We have been aware for quite some time of this money laundering infrastructure that has been growing and becoming more sleek,
I guess. And we wanted to, for the first time, take that on for this report. And so we've known
about it for quite some time. But this is our first attempt to, like, let's try and quantify the numbers,
what is actually happening at scale and what is flowing through this laundering infrastructure.
And so that really inspired this money laundering section, which was recently released and
will be fully released when the full crime report comes out.
And that was a really intensive process that started with, let's just look at where the
illicit funds are flowing to based on the distribution of deposit addresses that
are receiving those illicit funds. And we noticed that there was a really high concentration
of illicit funds going to a small number of deposit addresses, which was something that was
kind of weird. So it confirmed some suspicions that we had that there's a few bad actors
that are potentially in the business of laundering money at scale. And so we kind of
merged that with some other research we had been doing on OTC brokers that we have been,
that have been a part of past investigations. And we found that actually many of the OTC brokers
that we've identified independently were identified as being those large deposit
addresses that were receiving illicit funds on a few exchanges. And so this kind of allowed us to
paint a really, really compelling picture that there are, that this laundering infrastructure
exists where there's illicit money that is flowing through the network and it's going to a
very few number of kind of endpoints. And that was, that was kind of really interesting for us to be
able to see for the first time from a data perspective.
Yeah. So before we get more into those OTC brokers, one thing that I noticed when I looked at this section of the report is that there's a
graph showing that the percentage of cashouts via what you were defining as risky services,
which I believe were, I think, like mixers and that kind of thing, decreased dramatically in
2017 while cashing out via exchanges actually went up during that period. And that was surprising
me because I feel like, you know, in these more recent years, regulatory scrutiny of exchanges
has actually increased. So I was curious, you know, to know why you thought that percentage
of cashing out via exchanges had grown.
Yeah. Well, one of the main risky services that was prior
to that decline that you see in the graph was BTC-e, actually. So when that shut down, you know,
the whole ecosystem kind of changed. So that was a major off-ramp for a lot of
illicit funds back then. And so that money had to go someplace else because those risky
services shut down, and where did it go? And we found that, by and large, the biggest answer to
that was to certain exchanges, you know, Binance and Huobi. And predominantly,
I think it was around 52% went to those two exchanges. And so that was evidence for us that
that money that formerly went to BTC-e is now going to these other exchanges.
Oh, oh, interesting. And just out of curiosity, why was BTC-e categorized as a risky service as
opposed to an exchange?
Well, the administrators are currently facing indictments. And so there's a lot
of evidence as to why we would want to classify it as risky. But yeah.
Yeah, I guess like during that
period when people were using it, that was before the indictment.
So that's why.
Do you know what I'm saying?
Like at that time.
Yeah.
Essentially, the way in which BTC-e was operated was, you know, without the types of compliance
processes, and actually some of the operators on the site and even the site
itself was, you know, there are claims that they were knowingly
laundering the proceeds of crime.
Right, like the Mt. Gox hack money.
Yeah.
So, okay, so one other thing,
and this actually wasn't in your report, but I was just curious because the report shows like percentages of
where the illicit Bitcoin has been going. But I was also wondering, in absolute numbers,
is the amount of Bitcoin associated with criminal activity going up or going down? And there's so many
ways to look at it because it's like percentage and then numbers of Bitcoin, but then also in dollar
amounts. I was curious to know if it was going up or down.
The amount of cryptocurrency involved in absolute terms has gone up from 2018 to 2019. And it's gone up because, like
we've talked about, we've identified some major scams that have contributed to those numbers,
such as the PlusToken scam, which was a multi-billion dollar scam. And that was unique to
2019. So in absolute terms, the amount of illicit activity went up between
2018 and 2019.
Okay, right, of course. So one other thing is, you know, as you named these two
exchanges, Binance and Huobi, that received more than a half of all the illicit Bitcoin.
Both of those exchanges are subject to know your customer regulations. So how can they be
receiving so much of this illicit Bitcoin?
So when it comes to the exact mechanics, we want to be really clear that the OTC market is where these proceeds are going to.
So you can think of it as there is an over-the-counter market where people are selling and buying large batches of cryptocurrency.
And those OTC brokers are customers of those exchanges.
And what some of these actors might be doing is they might be,
it might be that they are facing counterparties that they don't really know.
So the key weakness in the system is that the OTC brokers are not necessarily checking sources of funds
or they might be actually rogue actors
that are accepting cryptocurrency or bids for cryptocurrency that are at large discounts to the
actual price.
And then they are customers of those exchanges.
And what can happen is that the exchanges themselves need to be able to put pressure on their
OTC customers to say, what types of controls are you putting in place?
What is your procedure to know who your counterparties are?
Because the exchange themselves may have even identified who the OTC brokers are and got
comfortable with that, but then they need to understand who is that OTC broker being able
to do business with.
Are they one of these sort of rogue actors or are they actually trying to do the right thing?
And one other thing I was curious about is, you know, this goes back to my question about
how you're defining what is illicit activity. I imagine, you know, let's say that I
perpetrate a hack and I get some Bitcoin from the hack. I would imagine that, you know,
a lot of these hackers are trying to obfuscate what happens to those Bitcoins before they cash out.
So when you, as Chainalysis, are tracking this, you know, how confident can you be,
let's say that they're using a mixer or something like that,
that, you know, for you, does the trail kind of go cold at that point? Or like, can you still
follow funds even through some of the things that they might try to do to obfuscate the trail?
Yeah. So I think what's important to realize is that every single transaction is public.
And when you are talking about sort of the much larger sums of money, it's a lot more difficult
to make that trail go really cold, even if you are potentially using mixing services and the like.
So I think that the types of source of funds and being able to identify when some criminal
activity happens and where those proceeds have gone, we are able, in most instances,
to be able to follow that through,
even when there's the use of many different obfuscation transactions or something like that.
All right.
So let's dive a little bit more into who these OTC brokers are that you're talking about using, you know,
Binance and Huobi.
Are they kind of, yeah, I imagine it could range from anything like maybe a more active LocalBitcoins-style person to something more professional.
So can you kind of describe what their business looks like and also what kind of KYC they do typically require?
So the OTC brokers that were named on the list that we've been investigating have been, like I said, on our radar for quite some time.
We only mostly have our eyes on what's going on on the blockchain.
So we are really limited in our assessments of some of these users based on what we can
actually see on the blockchain. But when you combine that with some of our, you know, really rigorous
professionals, investigators who have been running investigations and have been looking into,
for example, hacked funds for quite some time. They're not just looking at hacked funds this year,
but they've been following hacked funds, stolen funds for many years. And they've seen some of these
individuals coming up time and again, some of these OTC brokers. And then when you pair that with
blockchain analytics, so are they receiving, you know, large, rounded amounts
consistently over time? You can start to paint a picture of what type of business this person is,
and then you can start to say, that is an OTC broker. That is likely an OTC broker. And so it's really
a combination of many different things. And you're certainly right that there's a spectrum that we've,
that we've identified in this process. And you also have this list that you call the Rogue 100 of
OTC brokers, what does that mean, describe who that group is? Those are the groups. Those are the
100 that have come up over the years that we've been running these investigations that we felt
confident enough to put on this list. And it was just kind of like a happy coincidence that it
equaled to be around 100. And I mean, I don't know if you want to call it a happy coincidence or not.
But so we, there are certainly more that could qualify for the list, and there are some that we might want to, like, think about again. But the, the list that we've seen time and again is around this size. And they've, like I said before, they've been a part of past investigations. They've come up time and again in times when we've been tracking stolen money. These are, these are brokers that aren't just connected with one, one instance of,
illicit activity, but many multiple over many over a few years. And so like I said, it's really about
painting a picture of what this individual or group of individuals likely is based on our
investigations and blockchain level activity that we can, you know, of course, like track over,
we can track all the transactions coming into those deposit addresses.
And one thing that you say about this Rogue 100 is that none of them operate on Binance. Why do you think that is?
I think that we focused our investigation on just basically we've compiled a list of individuals that just happened to come up in past investigations.
Many of them were on Huobi.
And I don't know exactly why that is yet.
However, it's a phenomenon that I think we'll continue to learn more about as we start to push this question of, like, what does an OTC broker look
like? What is their process of doing KYC on exchanges, and what are exchanges supposed to be
doing to monitor these OTC brokers? But it just kind of happens that those were the primary
kind of centers of where our investigations fell.
And as you mentioned, you know, a large portion of
them, 70 out of the 100, use Huobi. And so, you know, what does that say to you about what
kind of KYC practices Huobi has, or that they're kind of, you know,
pressuring their OTC brokers to have?
I honestly don't know what Huobi is doing for their KYC of these OTC brokers.
We tried to engage with them and it didn't amount to anything.
So I think you can speculate how they're managing the KYC of, or how they're
onboarding these customers.
but I truly don't know what the process looks like at this point in time.
All right. And one other thing is that you also describe the transaction activity of this
Rogue 100. And it's kind of interesting. Well, first off, why don't you just describe what
their transactions do look like?
There's not a defined set of transactions. So there's a distinction
that I do want to make that comes out in the report.
In the money laundering section of the crime report, we tried to look at OTC brokers in two distinct ways.
One was, can we programmatically, systematically, through blockchain analytics alone, find OTC brokers,
or find the kind of the off-ramps of these illicit funds.
And that is what you see kind of in the first part of the chart, where we're looking at all the illicit funds.
And that's when we kind of make the realization that they
flow to a few number of very large accounts on Binance and Huobi.
But that is not enough for us to say, okay, those are all OTC brokers.
They could just be, you know, really high power users or they could just, you know, not be doing
KYC adequately.
But then the second way is through this list of 100 that's come up through investigations through
kind of a long time of curating the specialized list of, of, I know, quote,
bad actors. And so for the first one, you know, you can kind of paint a picture of what their
transaction activity looks like just by just, it's really about volume. They're just doing so
much volume of, of not just illicit activity, but also other types of activity. And so that is
kind of a more scalable way to, to analyze through blockchain, you know, heuristics, where the
list that funds are going to. But the other one, which is the more tailored list, it's all over the
place. There's not one set, like, kind of checklist of criteria to get yourself on that list.
It's about painting a picture, which is often what you'll hear law enforcement says when they're,
when they're prosecuting a money laundering case. It's, if you ask someone on law enforcement,
like how much money laundering is there happening, you know, in the world right now, they would
laugh at you because you can't quantify that. It's about painting a picture and making a case for what
should be on this Rogue 100 list. So these are definitely much more tailored, much less
kind of systematic. But they have, you know, come up in past investigations and have been tied to
hacked funds and just oftentimes do a lot of volume as well. Yeah, well, one other thing that I thought
was interesting was that you show that they transact with each other fairly often. And you say that
one of the reasons could be to try to fool blockchain analysis software to essentially make it look
as if money laundering is a much smaller proportion of their overall business than it really is.
Is that, did I kind of understand that correctly from the report?
Yeah, yeah, that's something that we noticed that was extremely interesting. And, but yeah,
we've, that's also not super new. We've noticed it throughout the year as well. But it could, I mean, I guess like on the other side to argue, it is known that OTC traders do trade a lot amongst themselves. So I guess, so it's hard, it's hard to really say.
Yeah, it's definitely really hard to say for sure. And I think that's one of the major issues with identifying money laundering at scale. It's because they're,
There are other reasons why they could be trading with each other, but we know that this is at least an incentive, one incentive for them to trade with each other.
And we know about that there's a possibility that you can take a premium.
So there's the incentives that are really there.
So you can, if you're an OTC broker and you take hacked funds, for example, you're going to take it out of premium.
So you're going to get crypto at a lower price than you would pay for it at face value.
So the incentives are really there to move this money between the brokers.
All right.
Well, what do you think could be done to help stop criminals from cashing out of their illicitly gotten crypto?
So I think the first step is really to shine some transparency on this issue and say
that both in the exchange market and in the OTC market,
there needs to be an increased focus on being able to identify pretty close to actually
real-time where the source of funds are coming from.
And so from the exchanges, they need to look at their compliance gaps and say,
do we know who these OTC brokers are?
Do we have procedures to make sure that they're actually facing counterparties that we're happy with them facing?
A lot of the OTC market around the world is totally legitimate activity that is about allowing people to get large amounts of liquidity in and out of cryptocurrency.
But as we said, there is this Rogue 100 list of where there's a concentration
of a lesser activity. And both the OTC market and the exchange market need to come together and
sort of say, where, who are all of these OTC brokers and do they have procedures in place to make
sure that they're not selling large amounts of, of cryptocurrency that are the proceeds of crime.
All right. So in a moment, we're going to discuss the PlusToken Ponzi scheme, exchange hacks,
ransomware, and terrorism financing. But first, a quick word from the sponsors who make this show possible.
Today's episode is brought to you by Kraken. Kraken is the best exchange in the world for buying and
selling digital assets. With all the recent exchange hacks and other troubles, you want to trade
on an exchange you can trust. Kraken's focus on security is utterly amazing. Their liquidity is
deep and their fee structure is great with no minimum or hidden fees. They even
reward you for trading so you can make more trades for less. If you're a beginner, you'll find
an easy on-ramp from five fiat currencies, and if you're an advanced trader, you'll love their
5x margin and futures trading. To learn more, please go to kraken.com. That's K-R-A-K-E-N.com.
Crypto.com sees the future of cryptocurrency in every wallet. Have you seen the MCO Visa
card? Loaded with perks, including up to 5% back on all your spending and
unlimited airport lounge access. They pay for your Spotify and Netflix, too. What's not to love?
With Crypto.com, not only can you spend your crypto, but you can grow it too.
Earn up to 6% per year on the most popular coins like BTC, ETH, XRP, and up to 12% per annum on stablecoins.
Crypto.com has recently launched its exchange and crypto fundraising platform, The Syndicate.
There is a 50% off ATOM listing event on February 12, 2020. Sign up on the Crypto.com
exchange now. Will the world follow France and advocate banning privacy coins? Will government-backed
stable coins become the new fiat? Are distributed and peer-to-peer exchanges just a flash in the pan?
The answer is maybe. Virtual currencies can flourish and create a new, private, and more versatile
economy. But that grand vision can't happen without keeping crypto clean. And that requires
support of governments and accountability for bad actors. Privacy enhanced compliance using cryptographic
controls has the potential to preserve anonymity without compromising legitimate investigations.
CipherTrace is working on this vision of the future. Sign up to stay up to date on the privacy
enhanced compliance initiative and receive authoritative crypto-AML reports quarterly.
Back to my conversation with Jonathan Levin and Kim Grauer of Chainalysis. You guys analyzed the PlusToken scam and concluded that that could be driving down the price of Bitcoin. So for listeners who don't know much about this, why don't you first just describe what PlusToken is?
Sure. So PlusToken was a major Ponzi scheme that has been unfolding throughout 2019. And I'm sure you are familiar with what a Ponzi
scheme is, but it was definitely the most successful Ponzi scheme using cryptocurrencies and,
you know, rivaling some of the biggest ones just globally, a period of the end. And so PlusToken
was particularly interesting because, you know, mid-2019, we started to hear that, you know,
some people had been arrested in relation to this scam. And then, you know, right out the gate,
we decided that we wanted to be following this. And, you know,
following it was certainly, you know, a certain unfortunate individual's full-time job for a few weeks. And it took a very large amount of effort to trace these funds. And so we had been just following it for quite some time. And then we started to wonder about its relation on price because, you know, we have a team of economists, and that's kind of always what people are asking, is what is the impact of this on price.
And so that's kind of, it was just a bunch of curious people who decided that
we had this great investigation to, um, to analyze more.
So how did the scammers try to cash out?
I mean, first of all, um, how much did they raise again?
You get different estimates. I think the public number that was cited in the, um, in the legal
documents were around three billion. We traced two billion
to the PlusToken wallets.
And so how did they try to cash out?
It was a massive investigation.
It was, they moved the funds through, you know, thousands, hundreds of thousands of intermediary wallets.
They utilized mixers or they utilized CoinJoins.
And they eventually wound up at Huobi, mostly.
And so eventually you guys did try to conduct an analysis of what the impact of cashing out of this PlusToken scam was having on the Bitcoin price.
So how did you do that and what did you conclude?
It was an extremely difficult process because it's hard to, one of the things that you do with the econometrics that we employed is you try and get rid of all the background noise and try to just
kind of isolate the cause and effect. And so that's the first thing that's extremely
hard to do. And so we looked, we ended up using a lot of order book data and found that
there, shortly after the huge amount of PlusToken funds wound up at Huobi, there was a statistically
significant change in the volatility of price on Huobi. And so we monitored that, and then that was
connected. That was the thing that was connected with the price decline. So it was a combination of
watching the on-chain activity to Huobi, then looking at the volatility on that exchange,
and then seeing how that volatility impacted the price.
And in that analysis, was it also that kind of the movement of the price happened first on Huobi?
Sorry, the price change happened after the PlusToken funds arrived at the exchange.
Right, right. But what I'm saying
is, so if the price worldwide, you know, dropped once the funds arrived on Huobi, was it also,
because I imagine that, you know, you can sort of see where the price is dropping first. And was it
dropping first on Huobi?
We actually did not observe that. We weren't, we just looked at the price on
Huobi. And the nature of the way that these exchanges are so highly connected is, even if you look at,
you know, 40-minute level data, it's still kind of very quickly also going to be happening
on Binance or on, you know, other major exchanges. There's a, it's actually, like, really efficient
how the price moves in tandem across different exchanges, at least on the order books.
Okay.
Well, so while we're talking about exchanges, let's also talk about exchange hacks.
2019 saw the greatest number of hacks, but it was actually the third highest when it came to the total value stolen.
So from those two pieces of information, I couldn't decide if that meant that exchanges were getting better at security or if it was just because the prices had gone down.
So what's your take on what's going on with exchanges?
Yeah, it was really interesting to see that there was the most hacks last year, especially,
we were struggling with what the narrative was because in 2018 they had that Coincheck hack
and they just far and away had the most, like in terms of amount hacked.
And so we were, what's the narrative here?
And just to note, it's really hard to draw an outright trend when we're looking at,
you know, 11 hacks up from, I think, 8 or something.
So to what extent is that random and to what extent is that a real trend?
But I think our conclusion was that exchanges are getting better at potentially mitigating the severity of a hack because the average and median amount hacked went down from last year.
So even though there were more hacks, it seems to be that the way that exchanges are handling
and managing their funds is better because that average and median amount hacked is going down.
All right.
And so when hackers hack from an exchange, I could imagine it would be kind of hard for them
to cash out.
So how are they, what are they doing with their pilfered funds?
The hackers, the stolen funds in 2019 were largely sent to exchanges.
And just one word on definitions, when we were talking about stolen funds at scale, we're not, we weren't just looking at exchange hacks.
So we're also looking at other types of exploits that resulted in funds being stolen for various reasons.
Whereas the exchange hacks were a very specific group of 11 that we looked at.
Now, the stolen funds is what we reported on in terms of the exposure.
And so those are going to kind of a variety of places.
And I think, like, let me just refresh my memory.
most, like I said, most of them are going to exchanges, but you also see some hosted wallets.
You see some unidentified services, even some stolen funds are going to other illicit services.
So it's a wide variety of destinations, but like I said, still far and away most of them are going
to exchanges.
Oh, interesting.
You know, the reason why I said I thought it would be difficult is because I believe, you know,
a lot of the different exchanges are in contact with each other. And, you know, when a hack happens,
they, you know, are happy to help each other out and say, oh, you know, we're not going to let,
you know, people who are associated with this hack cash out here. So is it just that, you know,
I guess certain exchanges just aren't in touch with the wider group or something? And that's how
these hackers can launder their funds stolen from exchanges?
I think that the way that those sorts of groups work is fairly informal.
And a lot of the exchanges do participate in that.
But that only really applies if someone moves the stolen funds directly to one
of the other exchanges.
You know, the reason that we sort of are used to track these types of crimes is that there is an increase in the level of sophistication of how many transactions are going in between the actual theft and the cash out point.
And there can be hundreds, if not thousands, and there can be also mixes in between the, you know,
original hack and the cash out point.
And that's very hard for the exchanges to coordinate without using Chainalysis as,
you know, someone to notify them that something has changed, that these funds are actually
being cashed out.
Okay.
Yeah, right.
That makes sense because, yeah, the more, I guess, hops there are in between,
the more it's hard to say, you know, we're not going to let you use our service.
Well, so one thing I wanted to ask about also was the Lazarus Group, which you call a cybercriminal syndicate linked to the North Korean government.
This group also came up in a previous episode I did on why North Korea is so interested in cryptocurrency.
But you say that their operations have become more advanced.
How so?
We found that their operations have become more advanced simply in
the way that they move funds after they've done a hack. So you can see in the report that we
present you with a bird's eye view of two investigations. And one of them is, or one of the
bird's eye views is from last year or the year before last 2018. And you can see that they're
really just exploiting low KYC exchanges, albeit there's a lot of transactions that are happening
before they will hit the exchange. It's actually kind of a relatively simple process to follow,
whereas this year, the exchange, the ones that we did track were adapting with the times,
and they used a lot more, the investigations were a lot more complex and required, you know,
a full understanding of coin join wallets, for example. And it was just,
just the way that the investigation occurred or the way that the funds moved that signified to us
that, you know, this group is adapting and how they're moving funds after they're stolen to exit
ramps. And it was really interesting to see that. It was also so elaborate how they did one of
them, which you walked us through, which was the hack of the Singapore-based exchange DragonEx.
Can you describe what they did there? The DragonEx
case was really interesting because typically it was just a very advanced way of hacking into
DragonEx. They created a shell company called World BitBot, and they even made a fake product that
the DragonEx employees could demo that had malware on it. And so just that whole scheme was also
another sign that it was really that their methods have been becoming more elaborate, I guess
more creative, you might say. And so they then, all you had to do was install that malware from that
fake product and it happened to be on a computer that had access to the private keys. And then
we, you know, were contacted by DragonEx and were able to run the investigation and we, you know,
do a really good job in the report of showing exactly what that investigation looked like and how the funds were moved through
lots of intermediary wallets to exit ramps.
Yeah.
And one thing that I found so fascinating was just the website for that fake company.
It was really so believable.
And yeah.
And I have to also say like, for listeners,
if you can't tell, one of my other obsessions in addition to crypto is North Korea. And, you know,
for a country that paints the U.S. as the enemy, like, the whole thing was written in what
looks like pretty perfect English. So it was like, okay, like they even have North Koreans now
who speak good English. But anyway, so yeah, I just, I was pretty floored when I watched that.
But one other thing that you said here about the hackers like Lazarus is that one of their
behaviors that's changing is that they're moving their illicit funds to
exchanges more quickly than they did in 2018. And I was curious to know why you thought that, but then
also how you can even track that because of the, you know, greater obfuscation that they
build into their movements. Yeah, we, that was also another really interesting thing. So the,
the chart that you're referring to is the one that shows the number of days since the hack,
between the hack occurring and when you're cashing out your funds. And we looked in this,
specific chart at a Lazarus hack in 2019, a Lazarus hack in 2018, and two unknown groups.
And the one, I can't say for sure why I think that they're cashing out their funds faster.
It would just be speculation, like we've said a few times, we're a blockchain analytics firm,
so we can see what's happening on the blockchain.
I think that you would speculate that, I think that there's a few reasons that would determine
why they would choose to cash out. One would be maybe it's related to the price. Is there something
happening with the price that would make it a good time to suddenly cash out? Or do you just need
the money in that moment? Or are you, were you just waiting to evade for kind of the media to die out
so that you feel as though it's a safe time for you to move the funds to an off ramp?
I don't, I think one of those three reasons might explain why the cashing out happened so much
quicker. But I think that potentially, you know, the role of mixers and the more advanced and
more sophistication that we've been seeing might also contribute to why the funds are moving more
quickly to off-ramps. Yeah. And I actually thought that maybe they were moving more quickly to
off-ramps because the longer they stay in crypto, the, it's just like the crime remains incomplete, right?
They don't actually benefit from it until they can turn it into fiat. And so the longer they,
it stays in crypto, the higher chance is that like perhaps maybe they can never cash out if
somehow, you know, those funds, you know, I don't know what would happen, but, but somehow if,
you know, they get blocked from cashing it out. Whereas like the more quickly
they can move, then that's the less time law enforcement has to do anything. Yeah, I think that's
an argument for sure. Yeah. And one other thing that I want to ask, so, oh, yeah, just at the end of this,
you made a few recommendations. Like, what would you say law enforcement and exchanges should do
if hackers are moving more quickly from crypto to fiat? Yeah. So what we have seen is that,
obviously crypto is global from the outset and some of these exchanges are based in jurisdictions
all over the world, particularly when it comes to something like North Korea, that's something
that the whole world is interested in understanding how they are moving money.
So there are what they call financial intelligence units.
So every country has a financial intelligence unit, which is going to be in the U.S., that's going to be FinCEN, which is the Financial Crimes Enforcement Network, which is really the financial crime regulator in most countries.
And they have been very successful with other types of crime like this, like business email compromise, where companies are scammed into sending
international wires to criminal accounts.
They've been really successful in sharing information rapidly across borders
to be able to freeze those assets at those exchanges.
I think that one thing that you'll see over this year is that FIUs around the world
as they have needed under new regulations to actually stand up,
cryptocurrency regulation teams and understand what the nature of these crimes are and
understand how this money is being moved.
There needs to be coordination between the exchanges and the financial intelligence units
to really be able to share information quickly and allow some of these accounts to be frozen
under actual legal requests so that this can actually be a process where exchanges are
working together formally with their local regulator to be able to mitigate these types of risks.
I think the other thing that is just going to improve is that in general, the types of compliance
requirements for exchanges around the world have increased and that is going to help have better
compliance policies and procedures at some of these exchanges so that they can minimize the number
of places that these funds can be cashed out.
All right.
Let's also now talk about ransomware, which is one of those crimes that actually affects
non-crypto people and sort of gets them roped into our world.
So how would you define ransomware?
And one thing that I actually wasn't sure about from reading the report and even Googling a
little bit, is all ransomware crypto-related?
Or is it possible for ransomware to demand
payment in another form of money?
So ransomware is a crime that essentially is a piece of computer software that encrypts a device
and blocks access to a file system or a computer and demands a ransom in order to unlock
that machine.
So in this world, we've seen a number of very high profile cases of hospitals, schools, and other types of critical infrastructure being affected where whole computer systems are actually locked and they can't be used by those businesses or hospitals.
And they are demanded to pay some ransom in order to unlock them and
bring those systems back online.
So we've seen, you know, very high-profile cases.
We've seen, you know, major businesses affected.
We've seen, for example, like Travelex was affected.
We've seen, you know, the city of New Orleans declare a state of emergency.
We've seen, you know, hospitals and other types of things.
So all of these high-profile targets are definitely raising an awareness about, you know,
how ransomware is being spread.
The vast majority, if not all, ransomware when it comes to encrypting computer devices,
is definitely linked with a cryptocurrency ransom.
The other types of extortion that do exist today may not.
So kidnapping and other types of extortion schemes and sextortion schemes actually
some of that does use cryptocurrency and some of that still uses other forms of payment.
Oh, wow. So the computer ones, that was really enabled by cryptocurrency.
So ransomware did pre-exist cryptocurrency, which is kind of an important thing to know where, you know,
the original form of ransomware, sort of the first known ransomware, was distributed on a floppy disk in
1989. And that was, the demand was to send a sort of check or some sort of money order to a PO box in Panama.
So that was the first, and it was actually interestingly targeted at scientists who were researching AIDS.
Oh, I think you mentioned this when I interviewed you before now that, okay, I recall.
Yeah.
keep going. And so, you know, it does, ransomware and extortion in general, definitely as a crime pre-exists
cryptocurrency. It happens to be today that the most efficient way to move money internationally
in an irreversible manner is with cryptocurrency and therefore, you know, cryptocurrency can be
used pretty effectively, especially when it comes to encrypting computer systems.
Oh, my gosh. All right.
Well, what trends did you guys see with ransomware in 2019?
We looked at just the aggregate numbers, but I think what we wanted to highlight the most was the growth of ransomware as a service.
And we have been more aware of this phenomenon where an individual can purchase the services of a person who has, you know, written or owns ransomware.
And that was a phenomenon that was really particularly scary for us to kind of start investigating.
And you can really use blockchain analytics to follow those funds.
For example, we identify in our report a ransomware-as-a-service strain that we've identified
where you can see that the vendor and the perpetrator both get paid out as there's
kind of a splitting after the payment is received by this ransomware strain. And so I think that's
the biggest thing that we wanted to highlight from the report is the growth of ransomware as a service.
Yeah. Like even when I just saw that term in your report, I was like, what? You know, just the idea
that that exists was crazy to me. But anyway, well, what do you recommend businesses do to protect themselves from
ransomware?
So I think that the protection is sort of outside of our wheelhouse, but, you know,
making sure that there are backups to systems, making sure that software updates and software
is patched and really understanding your proactive cybersecurity posture is something that
a lot of institutions are investing in. I think one thing to flag and something that
we've noticed is that the actual crime needs to be destigmatized because we're seeing
underreporting of ransomware attacks where businesses are scared or hospitals or even people
themselves are scared to report these crimes because it's sort of embarrassing that
one of these attacks has gone through and managed to attack their systems.
And really what we find is that the more reporting that there is, we can really help with that.
And one of the things that I've seen over the last year is we've really worked with some of the insurance companies who are providing cyber insurance to businesses.
And actually then the policy can actually cover some sort of ransom payment.
And then we've managed to connect our law enforcement customers who are investigating either one of these ransomware as a service providers or one of the ransomware authors themselves.
And we've managed to really provide new information between the sort of affected businesses, the law enforcement agencies and the insurers to actually help build a better case and find out
who are the people behind these ransomware campaigns. And I think that the more that then,
you know, people are able to report this ransomware, the more we will be able to, you know,
take it on as a threat where we're following the money and finding out, you know, who are these
types of perpetrators and what are the connections between the different strains and actors
who are perpetrating these crimes.
All right. So last section that we'll discuss before we go is the terrorism
aspect of the report. What are you guys seeing there in terms of cryptocurrency being used for terrorism
financing? We traced a few campaigns over the years. So this, in 2019,
we focused on one campaign where we noticed that there, the takeaway was that there was an
increasing sophistication in the way that these organizations were using cryptocurrencies.
And so these are, you know, public campaigns where someone will say, you know, donate to this address. And so that's how we get our information. And looking at the campaign in 2018 versus 2019, the campaign was much more successful in raising more funds in a shorter period of time. And they used more advanced wallet software. And so we've just seen this narrative
continue in this type of crime as well, where, you know, criminals are increasing their sophistication
and their use of cryptocurrencies. However, the amounts are small. So can you just say what those
amounts are, but also explain, like in your report, you say even though the amounts are small,
that should not be dismissed. And so why is that? Yeah, the amounts are extremely small,
tens of thousands of dollars, but still the takeaway is that this is extremely important because
it doesn't take a large amount of money to carry out a terrorist attack. So even a small amount
of money like this is something that you really need to pay attention to and that needs to be
on law enforcement's radar and to the extent that we can get our hold of this information
and quickly attribute it in our software service and then trace those funds.
It's extremely important because of just the low cost that is required to carry out a terrorist attack.
And you mentioned how the ways that they're soliciting financing are getting more sophisticated.
So what are they doing now?
The campaign that we saw was, I mean, it's the way that they're going about it is there,
you know, you'll advertise that you have a cryptocurrency website through, you know, various types of advertising. And then the donors will come to that publicly listed address. The sophisticated part comes in for what type of wallet software are you using. And then, you know, how do you, how successful are you, are your advertising campaigns in raising more money in a shorter period of time? And what types of services are you using after the fact? Those are all the different
types of things that allow us to say that these attacks have become more sophisticated.
But just notably, just how compared to the previous year, which was a longer campaign,
which raised a similar amount of money to a campaign that was much shorter, that raised a comparable
amount.
Yeah, well, for one of these groups, AQB, you mentioned that they have moved to receiving donations
via unique addresses generated for each donor.
And I was curious about that because, like, then I guess I didn't know how you could then
track the funds.
Like how did you know even which addresses, you know, were used for the terrorist financing thing?
We, yeah, we have a variety of heuristics that we use to track funds
and that can connect addresses to each other through, you know, there's a lot of different ways.
But most importantly and crucially is that we have, you know, investigators who are experts in this field,
who are kind of studying this day-to-day, who are able to provide us with addresses that we can connect together through these investigations
and allow us to go beyond just what we see on the blockchain to paint a stronger picture of what's going on.
So the experts in the field have been really crucial to allowing us to successfully write this section on terrorism financing.
I see. And so generally, where do you think the trend could go when it comes to cryptocurrency being used in terrorism financing?
So I think that there's a really important point that we're making here, which is that actually when it comes to an issue like terrorist financing, it's really important to have real
expertise. And one of the things that we were seeing is that there are consistent donors across
some of these campaigns that definitely helped us identify different wallets that were involved.
But we also see sort of some bad press in the public domain that some misinformation about
sort of other terrorist financing campaigns in cryptocurrency, which are not done by experts,
just by looking at the public blockchain and making incorrect inferences that, you know,
a terrorist financing campaign was actually not well described.
And they took an address from an exchange in Gaza and said that that whole exchange was
terrorist financing.
And we think it's really important to correct that type of misinformation and actually use
experts that understand the connections between different groups of people and the definitions of
what is considered actually terrorist financing according to the US law.
And we take it very seriously about when we are actually going to label and identify these
types of campaigns.
When it comes to the actual actors themselves, I think that it's clear that there is now
an understanding and a public awareness that these types of public campaigns are possible to do.
And I think when it comes to different types of terrorist organizations that actually are in
desperate needs of funds, you will see more experimentation.
You will see some more of these campaigns.
Fortunately, we have experts on hand.
We work very closely with our law enforcement partners and our exchange
partners to identify this type of activity really quickly and make sure that these campaigns can be
ineffective when it comes to raising funds. All right. So we've gone through pretty much most of
the report that has already been published, but there's still a little bit that is yet to come out.
Can you give listeners a sense of what the last section or sections will be about and when
those will be released?
The last two sections are going to be on darknet marketplaces and scamming,
and those are, you know, beloved sections to many of us.
Darknet markets, it should be coming out soon.
And what we'll be discussing there is just overall trends and some, you know, case studies as well.
Whereas with scams, we really, you know, focus on what's happened with PlusToken more,
and maybe some other Ponzi scams as well.
And so it's a full data-rich deep dive into each of these sections
and definitely probably some of the most data-rich sections that we have.
Okay, great.
Well, I look forward to reading them.
Where can people learn more about you two and Chainalysis?
So you can go to chainalysis.com and check us out on Twitter at Chainalysis.
We also run webinars on this type of material.
So there will be people going through the whole report in a two-part webinar in the coming weeks.
So you can get in touch with us and register for that.
And we look forward to discussing any of the findings with people that are interested.
Great.
Well, thanks to both of you for coming on Unchained.
Thanks, Laura.
Thanks so much.
Thanks so much for joining us today.
To learn more about Jonathan, Kim, and Chainalysis, check out the show notes inside your podcast player.
If you're not yet subscribed to my other podcast Unconfirmed, which is shorter, a bit newsier,
and now features a short news recap every week.
Be sure to check that out.
Also, find out what I think are the top crypto stories each week by signing up for my email newsletter at Unchainedpodcast.com.
Unchained is produced by me, Laura Shin, with help from Fractal Recording, Anthony Yun,
Daniel Ness, Josh Durham, and the team at CLK Transcription.
Thanks for listening.
