In the world of online crime, anonymous cryptocurrencies are the payment method of choice. But at some point, virtual hauls need to be turned into hard cash. Enter the “Treasure Men”.
Finding a Treasure Man is easy if you know where to look. They are listed for hire on Hydra, the largest marketplace by revenues on the dark web, a part of the internet that is not visible to search engines and requires specific software to access.
“They will literally leave bundles of cash somewhere for you to pick up,” says Tom Robinson, chief scientist and co-founder of Elliptic, a group that tracks and analyses crypto transactions.
“They bury it underground or hide it behind a bush, and they’ll tell you the co-ordinates. There’s a whole profession.”
The Russian-language Hydra offers plenty of other ways for criminals to cash out of cryptocurrencies, including exchanging bitcoin for gift vouchers, prepaid debit cards or iTunes vouchers, for example.
The ability to hold cryptocurrencies without divulging your identity has made them increasingly attractive to criminals, and particularly to hackers who demand ransoms after breaking into companies.
In 2020, at least $US350 million ($454 million) was paid out in ransoms to hacker gangs, such as DarkSide, the group that shut down the Colonial Pipeline last month, according to research group Chainalysis.
But at the same time, every transaction in a cryptocurrency is recorded on an immutable blockchain, leaving a visible trail for anyone with the technical know-how.
Several crypto forensics companies have sprung up to help law enforcement track criminal groups by analysing where the currencies flow to.
These include New York’s Chainalysis, which raised $US100 million at more than a $US2 billion valuation earlier this year, London-based Elliptic, which boasts Wells Fargo among its investors, and US government-backed CipherTrace.
In total, in 2020 some $US5 billion in funds were received by illicit entities, and those illicit entities sent $US5 billion on to other entities, representing less than 1 per cent of the overall cryptocurrency flows, according to Chainalysis.
In the early days of cryptocurrencies, criminals would simply cash out using the major cryptocurrency exchanges. Elliptic estimates that between 2011 and 2019, major exchanges helped cash out between 60 and 80 per cent of bitcoin transactions from known bad actors.
By last year, as exchanges began to worry more about regulation, many of them bolstered their anti-money laundering and know-your-customer processes and the share shrank to 45 per cent.
Stricter rules have pushed some criminals towards unlicensed exchanges, which typically require no know-your-customer information. Many operate out of jurisdictions with less stringent regulatory requirements or lie outside of extradition treaties.
But Michael Phillips, chief claims officer at cyber insurance group Resilience, says such exchanges tend to have lower liquidity, making it harder for criminals to transfer crypto into fiat currencies. “The aim is to impose further costs on the business model.”
There is an array of other niche off-ramps into fiat currency. Chainalysis suggests that over-the-counter brokers in particular help facilitate some of the largest illicit transactions – with some operations clearly set up for that purpose alone.
Meanwhile, smaller transactions flow through the more than 11,600 crypto ATMs that have sprung up globally with little to no regulation, or through online gambling sites that accept crypto.
Against this backdrop, the crypto forensics companies use technology that analyses blockchain transactions, together with human intelligence, to work out which crypto wallets belong to which criminal groups, and map out a picture of the wider, interlocking crypto criminal ecosystem.
With an overview of how criminals move their money, their research has shone a light on how hackers are renting out their ransomware software to networks of affiliates, while taking a cut of any proceeds.
Kimberly Grauer, head of research at Chainalysis, says hackers are increasingly paying for support services from other criminals, such as cloud hosting or paying for the login credentials of their victims, with crypto, giving investigators a more complete picture of the ecosystem.
“There’s actually fewer needs to cash out in order to sustain your business models,” she says. “We can see the ransom paid, and we can see the splitting and going to all the different players in the system.”
Losing the trail
But cyber criminals are increasingly wielding their own high-tech tools and techniques in a bid to muddy the crypto trail that they leave behind.
Some criminals undertake what is known as “chain-hopping” – jumping between different cryptocurrencies, often in rapid succession – to lose trackers, or use particular “privacy coin” cryptocurrencies that have extra anonymity built into them, such as Monero.
Among the most common tools for throwing investigators off the scent are tumblers, or mixers – third-party services that mix up illicit funds with clean crypto before redistributing them.
In April, the US Department of Justice arrested and charged a dual Russian-Swedish national who operated a prolific mixing service called Bitcoin Fog, moving some $US335 million in bitcoin over the past decade.
“It is possible to untumble coins,” says Katherine Kirkpatrick, a partner at law firm King & Spalding with expertise in anti-money laundering. “But it’s highly technical and takes a lot of processing power and data.”
The “preferred obfuscation tool” in 2020 – which helped facilitate 12 per cent of all bitcoin laundering last year – was highly sophisticated “privacy wallets” that have anonymisation techniques, including mixing capabilities, built into them, according to Elliptic.
“They’re basically a trustless version of a mixer and it’s all done within software,” says Robinson, noting that an open-source project called Wasabi Wallet was the dominant player in the space.
What comes next?
Authorities “need to modernise forfeiture and asset freezes” so that it is easier for law enforcement to seize crypto from exchanges, says Tom Kellermann, head of cyber security strategy for VMware and cyber investigations advisory board member for the US Secret Service.
Individual exchanges can sign up to services from forensics companies that will notify them of suspicious activity based on their intelligence.
But experts have in the past touted the idea of having shared blacklists of wallets known to be used by bad actors – a kind of Interpol alert, with exchanges, analytics groups and the government openly sharing information on their investigations in order to make this possible.
“Perhaps now is a better time to reconsider some of those policy initiatives,” says Kemba Walden, assistant general counsel at Microsoft’s Digital Crimes Unit.
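The two mechanisms the article describes – forensics firms working out which wallets belong together and following funds across hops, and exchanges screening deposits against a shared list of wallets attributed to bad actors – can be illustrated with a small script. The following is an added example written for this page; it is not code from Chainalysis, Elliptic, CipherTrace or any exchange. The ledger, the addresses and the denylist are all constructed, the clustering rule is the common-input-ownership heuristic (addresses spent together in one transaction are assumed to share an owner), and real analytics tools combine this with many more signals than shown here.

```python
from collections import deque

# Constructed sample ledger (not real chain data). Each transaction spends
# from `inputs` and pays the `outputs` addresses; amounts are illustrative.
TXS = [
    {"id": "tx1", "inputs": ["ransom_addr"], "outputs": {"hop1": 10.0}},
    # hop1 and hop1b are spent together, so the heuristic puts them in one cluster
    {"id": "tx2", "inputs": ["hop1", "hop1b"], "outputs": {"hop2": 8.0, "change1": 3.5}},
    {"id": "tx3", "inputs": ["hop2"], "outputs": {"deposit_x": 7.9}},
    {"id": "tx4", "inputs": ["retail_user"], "outputs": {"deposit_y": 2.0}},
]
# Constructed denylist: an address an analytics provider has attributed to a ransomware crew.
DENYLIST = {"ransom_addr"}


def cluster_addresses(txs):
    """Common-input-ownership heuristic via union-find.
    Returns {address: cluster_representative} for every address seen."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path compression
            a = parent[a]
        return a

    for tx in txs:
        for addr in tx["inputs"]:
            find(addr)
        first = tx["inputs"][0]
        for other in tx["inputs"][1:]:
            ra, rb = find(first), find(other)
            if ra != rb:
                parent[rb] = ra
        for addr in tx["outputs"]:
            find(addr)  # outputs start as their own singleton cluster
    return {a: find(a) for a in parent}


def taint_hops(txs, denylist, max_hops=10):
    """Breadth-first walk forward from denylisted addresses along spends.
    Returns {address: minimum number of transactions from a denylisted source}."""
    spends = {}  # input address -> output addresses it paid
    for tx in txs:
        for src in tx["inputs"]:
            spends.setdefault(src, []).extend(tx["outputs"].keys())
    hops = {a: 0 for a in denylist}
    queue = deque(denylist)
    while queue:
        addr = queue.popleft()
        if hops[addr] >= max_hops:
            continue  # stop expanding once the hop budget is spent
        for nxt in spends.get(addr, []):
            if nxt not in hops:
                hops[nxt] = hops[addr] + 1
                queue.append(nxt)
    return hops


def screen_deposits(txs, denylist, deposit_addrs, max_hops=10):
    """Exchange-side check: flag a deposit address that lies on a trail from the
    denylist, or that clusters with an address on such a trail.
    Returns {deposit: (hops, reason)} for flagged deposits only."""
    hops = taint_hops(txs, denylist, max_hops)
    clusters = cluster_addresses(txs)
    cluster_hops = {}  # cluster representative -> closest hop count in that cluster
    for addr, h in hops.items():
        rep = clusters.get(addr, addr)
        cluster_hops[rep] = min(h, cluster_hops.get(rep, h))
    flagged = {}
    for dep in deposit_addrs:
        if dep in hops:
            flagged[dep] = (hops[dep], "direct trail")
        elif clusters.get(dep) in cluster_hops:
            flagged[dep] = (cluster_hops[clusters[dep]], "clustered with tainted address")
    return flagged


if __name__ == "__main__":
    for dep, (h, why) in screen_deposits(TXS, DENYLIST, ["deposit_x", "deposit_y"]).items():
        print(f"{dep}: {h} hops from denylist ({why})")
```

In the constructed ledger `deposit_x` is three transactions downstream of the denylisted address and gets flagged, while `deposit_y` funded by an unrelated user does not; lowering `max_hops` shows why the chain-hopping and mixing described above work against a tracer with a fixed hop budget, and why clustering matters, since an address never seen on the trail can still be flagged because it was co-spent with one that was.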