
Chainalysis ‘Crypto Crime Report’ details OFAC sanctions’ impact

The global ‘crypto’ market may have crashed hard in 2022 yet the total value of illicit crypto activity hit an all-time high of over $20 billion.

Blockchain analytics firm Chainalysis is set to release its latest annual Crypto Crime Report next month, but the company has begun previewing some of its marquee findings for 2022. The headline figure is that the total value of digital currencies received by ‘illicit’ addresses hit a record $20.1 billion last year, and the company cautions that this is likely to be “a lower bound estimate.”

For instance, while Chainalysis originally pegged 2021’s total crypto crime value at $14 billion, they’ve since revised that sum to $18 billion, “mostly due to the discovery of new crypto scams.” Chainalysis also cautions that these sums don’t include proceeds from “non-crypto native crime,” such as drug traffickers using crypto as payment in lieu of fiat currency.

Chainalysis says 2022’s estimates are further complicated by the year’s unprecedented carnage that followed the collapse of several major crypto firms, including digital lender Celsius, the Three Arrows Capital (3AC) hedge fund and the FTX exchange. Chainalysis notes that many of these implosions occurred “amid allegations of fraud,” meaning the true scale of 2022’s blockchain criminality may be off the charts.

Given that many of these companies are currently involved in bankruptcy or criminal cases, Chainalysis says “for the time being, we’ll leave questions of criminality to the legal system.” For the purposes of its report, Chainalysis must restrict its estimates to “on-chain intelligence” and ignore fraudulent “off-chain bookkeeping.”

Breaking down 2022’s $20.1 billion, the value of stolen funds rose 7% but most other categories—including scams, ransomware and ‘darknet’ marketplaces—saw reductions in value. Chainalysis attributed this to the onset of ‘crypto winter’ early in 2022 and the fact that “less money in crypto overall tends to correlate with less money associated with crypto crime.”

Illicit activity’s percentage of overall crypto activity was 0.24%, twice 2021’s tally and the first year-on-year increase since 2019 (which saw a serious spike to 1.9%). And while “legitimate transaction volumes were declining faster than illicit volumes” during the current bear market, Chainalysis maintains that “crime as a share of all crypto activity is still trending downwards.”

Year of the sanctions

In terms of illicit activity, 2022’s largest year-on-year growth was seen in the ‘sanctions’ category, which accounted for 44% of all illicit transaction volume. That’s a jaw-dropping 10,012,224.34% higher than in 2021, reflecting a growing interest in crypto affairs by regulatory bodies such as the U.S. Office of Foreign Assets Control (OFAC).

While the number of sanctioned crypto entities saw only modest growth from 2021 to 2022, the number of sanctioned addresses exploded. Chainalysis says this is in part due to OFAC adapting its strategies by designating “entire crypto services as opposed to just individual bad actors.”

Among OFAC’s more headline-grabbing moves in 2022 was its targeting of the Tornado Cash mixing service and the blacklisting of any Ethereum address with which the service interacted. In targeting a so-called ‘decentralized finance’ protocol for the first time, OFAC accused Tornado Cash of “laundering funds for malicious cyber actors on a regular basis and without basic measures to address its risks.”

Chainalysis says 34% of funds sent to Tornado Cash came via illicit sources, with most of the illicit funds coming in “brief spikes,” leading to wide fluctuations from day to day.

OFAC similarly targeted Russian exchange Garantex for aiding the Russia-based Hydra darknet marketplace. While Hydra was shut down, Garantex continues to operate, despite OFAC convincing Estonia to revoke the “ransomware-enabling” exchange’s license.

Incoming funds from illicit addresses accounted for over 68% of Hydra’s volume, with a further 12.6% coming via ‘risky’ addresses. Chainalysis defines ‘risky’ as involving “one or more counterparty addresses [that] are associated with a risky entity, such as a high-risk exchange or gambling service.”

By comparison, illicit and risky inflows were only 6.1% and 16.1%, respectively, at Garantex in the 60-day period before sanctions were imposed. That sounds small, but Chainalysis notes that over a comparable 60-day period, illicit inflow to other centralized exchanges was a mere 0.3%. So Garantex was a notable outlier in terms of its handling of suspect funds.

Hydra and Garantex were prime destinations for ransomware bad actors. Hydra handled 2.2% of funds sent by all ransomware-linked addresses during the 60 days pre-sanctions, while Garantex handled a worrisome 11.6%. Chainalysis notes that the figures underscore how “crucial” these services are in “enabling” ransomware attacks.

Tornado Cash’s illicit activity was almost entirely focused on hacks and scams. In fact, during the 60 days prior to the OFAC sanctions, stolen funds accounted for 99.7% of illicit funds sent to the mixing service. The Harmony Bridge hack in June 2022 accounted for nearly two-thirds of all stolen funds sent to Tornado Cash during this period.

The impact of sanctions

The April 2022 sanctions against Hydra were accompanied by a coordinated law enforcement action, so its inflows halted entirely (although Hydra was Russia-based, its servers were based in Germany). Meanwhile, Garantex saw overall monthly inflows more than double from April to October, as Russian authorities declined to enforce the U.S. sanctions, effectively rolling out the welcome mat at Garantex for bad actors based outside America.

Tornado Cash saw its volume drop off a cliff following the OFAC sanctions and, while volume has recovered somewhat, it’s still well off its pre-sanctions peak. This can be explained by the fact that the website offering easy access to the mixer was taken down, leaving only committed customers to continue using the service.

Post-sanctions, Garantex saw a spike in inflows from addresses linked to scammers and darknet markets, which Chainalysis theorizes was based on the growing perception that Garantex wasn’t all that interested in curbing illicit activity.

Tornado Cash suffered reduced inflows in nearly all categories, except scams and other mixing services. However, those two categories weren’t huge users of Tornado Cash pre-sanctions, so the percentage gains are a little illusory. And the scamming surge was primarily due to a single YouTube-based bot scam that did all its damage in a mere four deposits.

Did it make any difference?

By studying the activities of bad actors who didn’t use the sanctioned services, Chainalysis attempted to establish a control group to determine if the sanctions resulted in significant loss of revenue for those who did use these services.

With the exception of 10 fraud shops, which individually saw revenue rise around $5,000 in the two months following the imposition of sanctions, all other categories saw revenue fall. The most drastic reduction was for 20 ‘cybercriminal administrators,’ who each suffered an average decline of $750,000 over the two-month period.

Chainalysis admits that the formula is anything but definitive and only examines a very narrow time horizon, meaning there’s a good possibility that the bad actors were eventually able to adapt and overcome the obstacles put up by these sanctions.

Chainalysis summarizes its findings thus: sanctions can be effective if authorities cooperate on a global basis. But as the example of Garantex indicates, where authorities in an operation’s home territory are reluctant to cooperate, sanctions will have only minimal impact.
