During the last week of July, an interesting story surfaced in the news. CWT, a travel management company, paid $4.5 million to hackers who stole reams of sensitive corporate data. CWT, which makes $1.5 billion in annual revenues, agreed to pay 414 BTC in ransom to the hackers on July 28 to regain access to two terabytes of files and to stop them from exposing the information. The files included employee data, financial documents, and other information. One interesting aspect of the story was that the ransom negotiations took place in an online chat group. The second was that the hackers used exchanges to launder the money. The hackers, who are still at large, tried to launder their money through some of the largest cryptocurrency exchanges in the world, including Binance, Coinbase and Huobi.
According to Reuters, the attackers used a ransomware strain called Ragnar Locker, which encrypts computer files and renders them unusable. The $4.5 million in Bitcoin ransom was paid for a decryption key in a bid to restore the files.
The Ragnar Locker ransomware and its strategy are well known: when it infects a computer or an entire network, it encrypts the files to prevent their rightful owner from accessing their content. To regain control of the information and return to normality, the victim is forced to pay a “ransom” in a cryptocurrency so that the transaction cannot be traced.
Looking at the timeline of events, CWT initially sent 1 BTC to the hackers’ address. After the hackers confirmed they had received the money, the remaining 413 BTC were transferred. Twenty minutes after the entire ransom was paid, the hackers split the Bitcoin into two addresses, the first with 102 BTC and the second with 310 BTC. Then they did one more split, taking the 310 BTC and splitting it into two equal parts of 155 BTC each. The first 155 BTC was sent to an address on Binance to launder $1.5 million. The hackers completed over 20 transactions within 30 minutes to launder the initial 155 BTC. The remaining 155 BTC was moved to other crypto exchanges, including Coinbase, Huobi and Poloniex.
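The timeline above is exactly the kind of flow a blockchain analyst reconstructs by following the money forward from the ransom address. The following is an added example, not code from the article or from any analytics vendor: it builds a constructed, simplified ledger (hypothetical addresses such as `ransom`, `split_b1` and `exchA_dep00`; constructed timestamps and exchange labels) modelled on the flow described, forward-traces the funds hop by hop, totals what lands at labelled exchange deposit addresses, and flags the rapid "many deposits within minutes" fan-out pattern that the text describes. The ledger model (single-input transactions, an analyst-held label table) is an assumption made to keep the example self-contained.

```python
"""Forward-trace a ransom payment through a constructed Bitcoin-style ledger
and flag rapid fan-out into exchange deposit addresses.
All addresses, timestamps and labels below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2020, 7, 28, 10, 0)  # constructed reference time


def tx(txid, minutes, src, outs):
    """Simplified single-input transaction: `src` spends into outs [(addr, btc)]."""
    return {"txid": txid, "ts": T0 + timedelta(minutes=minutes), "src": src, "outs": outs}


# Constructed ledger modelled on the flow in the text (hypothetical addresses).
LEDGER = [
    tx("t1", 0, "victim", [("ransom", 1)]),            # 1 BTC test payment
    tx("t2", 10, "victim", [("ransom", 413)]),         # remainder of the ransom
    tx("t3", 30, "ransom", [("split_a", 102), ("split_b", 310)]),
    tx("t4", 35, "split_b", [("split_b1", 155), ("split_b2", 155)]),
]
# split_b1 is peeled into 20 deposits at ExchangeA addresses, one per minute.
for i in range(20):
    amount = 8 if i < 19 else 3                        # 19 * 8 + 3 = 155
    LEDGER.append(tx(f"t5_{i}", 40 + i, "split_b1", [(f"exchA_dep{i:02d}", amount)]))
LEDGER.append(tx("t6", 60, "split_b2",
                 [("exchB_dep", 80), ("exchC_dep", 50), ("exchD_dep", 25)]))

# Attribution labels an analyst would hold for known exchange deposit addresses.
LABELS = {f"exchA_dep{i:02d}": "ExchangeA" for i in range(20)}
LABELS.update({"exchB_dep": "ExchangeB", "exchC_dep": "ExchangeC", "exchD_dep": "ExchangeD"})


def forward_trace(ledger, source, max_hops=8):
    """Breadth-first walk from `source`: returns {addr: {"hop": n, "received": btc}}
    for every address the funds reach within max_hops spends."""
    spends = defaultdict(list)
    for t in ledger:
        spends[t["src"]].append(t)
    # The source's own balance is whatever the ledger paid into it.
    paid_in = sum(btc for t in ledger for addr, btc in t["outs"] if addr == source)
    reached = {source: {"hop": 0, "received": paid_in}}
    frontier = [source]
    for hop in range(1, max_hops + 1):
        nxt = []
        for addr in frontier:
            for t in spends[addr]:
                for out_addr, btc in t["outs"]:
                    if out_addr not in reached:
                        reached[out_addr] = {"hop": hop, "received": 0}
                        nxt.append(out_addr)
                    reached[out_addr]["received"] += btc
        frontier = nxt
        if not frontier:   # funds are at rest (or off-chain at an exchange)
            break
    return reached


def exchange_totals(reached, labels):
    """Sum traced BTC landing at labelled exchange deposit addresses, per exchange."""
    totals = defaultdict(int)
    for addr, info in reached.items():
        if addr in labels:
            totals[labels[addr]] += info["received"]
    return dict(totals)


def rapid_fanout(ledger, window_minutes=30, min_txs=10):
    """Flag addresses that spend through >= min_txs transactions inside a sliding
    time window: the 'many small deposits within minutes' pattern.
    Returns a list of (addr, total_txs_from_addr, total_btc_spent)."""
    by_src = defaultdict(list)
    for t in ledger:
        by_src[t["src"]].append(t)
    window = timedelta(minutes=window_minutes)
    flagged = []
    for addr, txs in by_src.items():
        txs.sort(key=lambda t: t["ts"])
        start = 0
        for end in range(len(txs)):
            while txs[end]["ts"] - txs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= min_txs:
                total = sum(b for t in txs for _, b in t["outs"])
                flagged.append((addr, len(txs), total))
                break
    return flagged


if __name__ == "__main__":
    trace = forward_trace(LEDGER, "ransom")
    print(exchange_totals(trace, LABELS))   # ExchangeA receives the full 155 BTC
    print(rapid_fanout(LEDGER))             # split_b1 peeled into 20 txs in 20 minutes
```

The point of the fan-out heuristic is that splitting into many small exchange deposits, which the text calls an investigative nightmare, is itself a strong signal when transaction timing is available: a fresh address that empties itself through twenty transactions in twenty minutes looks nothing like ordinary wallet behaviour, and the exchange-side deposit addresses are where a subpoena or a freeze request can be aimed.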
What’s even more bizarre is the channel and language used during the negotiations between CWT and the hackers. They communicated in a publicly accessible online chat group. In the farewell, both parties cordially thank each other, as if they had closed a legitimate business deal. In fact, the hackers compliment CWT and thank the head of the company for his professionalism. Surreal!
Personally I was surprised at how professional and collegial the whole conversation was. From beginning to end, this was treated as a business transaction for both parties pic.twitter.com/UyzetQeVab
— Jack Stubbs (@jc_stubbs) July 31, 2020
Getting the crypto is only the first step of any such attack. The second step, which is even more crucial (otherwise the whole exercise is pointless), is exchanging the cryptocurrency for fiat currency.
Criminals often use multiple intermediate wallets and mixer services to launder stolen cryptocurrencies. They create layers of transactions to make tracing difficult before converting funds into fiat or other cryptocurrencies.
In many cases, hackers would use something like a Bitcoin tumbler to mix stolen Bitcoin with legitimate Bitcoin. Mixers involve lots of people anonymously pooling their funds together. The mixer then takes all those funds and sends them back out to addresses owned by those people, crediting each with the amount they put in.
But mixing $1.5 million would require plenty of time and a large pool of liquidity, and hackers usually want the easiest way to get their money.
Now we are seeing more hackers push stolen funds through large exchanges, using a method called “chain-hopping” (From Money Mules to Chain-Hopping).
With chain-hopping, digital assets are converted from one cryptocurrency into another across digital currency exchanges, the less regulated the better, to create a money trail that is almost impossible to track. Stolen Bitcoin that has been converted into Ethereum is difficult to trace. Couple chain-hopping with decentralized exchanges (DEX), which are mostly unregulated, and you have a huge challenge.
Splitting a huge amount into small deposits and converting from one crypto to another might not sound very practical or scalable, but from an investigative standpoint it’s a resource-intensive nightmare.
Exchanges have emerged as the leading destination for illicitly gained cryptocurrencies. While they have always been a popular off-ramp, since the beginning of 2019 $2.8 billion in Bitcoin has been moved from criminal entities to exchanges.
According to a report by Chainalysis, Binance and Huobi account for more than 50% of all the illicit Bitcoin received by exchanges, an amount totaling $1.4 billion.
The same report also finds that many criminals launder their cryptocurrency with the assistance of over-the-counter brokers. OTC brokers are agents or firms that facilitate trades between buyers and sellers who do not want to (or cannot) transact on a cryptocurrency exchange.
While cryptocurrencies get a bad rap for money laundering, the real challenge for the bad guys is liquidating digital assets without getting caught. Regardless of the methods and tactics they follow to achieve anonymity, today crypto always needs to be exchanged into fiat currency if they want to use it at all. Monitoring crypto transactions, within and across blockchains, can lead to the de-anonymization of criminals.
But it’s amazing how we always seem to forget that the final path from stolen cryptocurrency to clean fiat money is the existing banking system. Banks are the real movers and shakers in the global money laundromat.