‘Crypto’ scams decline, but ransomware rising at a near-record pace

The frequency of ‘crypto’-related crime is down this year, although you wouldn’t know it from a pair of new criminal cases filed by New York federal prosecutors.

On Wednesday, blockchain analytics firm Chainalysis released its mid-year update on cryptocurrency-related criminal activity during the first six months of 2023. Chainalysis notes that overall digital asset transaction volume has taken a significant hit since the first half of 2022, during which the cascading sequence of corporate and protocol failures was just starting. But the decline in illicit crypto volume is outpacing the decline in legitimate transactions.

Digital asset inflows to ‘known illicit entities’—not including entities that authorities have sanctioned or subjected to ‘special measures’—are down 65% from the same period last year. Inflows to ‘risky entities’—aka coin mixing services and ‘high-risk’ exchanges—are down 42%. Meanwhile, legitimate transaction inflows are down only 28%.

In dollar figures, total crypto crime inflows are down more than $5.2 billion from the first half of 2022. The bulk of this decline was due to a reduction in outright scams, which fell 77% year-on-year to a mere $1 billion in H123.

Chainalysis credited some of the dramatic drop in scams to the apparent demise of two groups: VidiLook (a multi-level marketing scam that charged users $50 to join and then ‘paid’ users in worthless tokens to watch video ads) and Chia Tai Tianqing Pharmaceutical Financial Management. Both of these investment frauds exit scammed their users this spring, and Chainalysis expressed some surprise that other scams didn’t immediately fill the void.

Inflows to impersonation scams fell at a slower rate (-23%) than overall scam inflows, despite the number of individual transfers to these scams rising by 49%. That indicates individual victims are transferring smaller amounts to scammers, bucking the trend of a 70% decline in overall deposits to crypto scams.

Also bucking the trend was ransomware, which brought in over $449 million in H123 compared to less than $300 million in H122. At this rate, crypto-based ransomware is poised for its second-biggest year to date, following the record $940 million in 2021.

Interestingly, ransomware was in sharp decline last year, and Chainalysis argues this year’s surge is notable for its increases at both the low- and high-value ends of the spectrum. Ransomware hackers are also making bigger initial demands of higher-value targets while hitting them with more sophisticated software and, in some instances, using “more extreme extortion targets, such as harassment of employees from victim firms who have not yet paid.”

Last year’s ransomware decline may also have been due to Russia’s invasion of Ukraine in February 2022, which Chainalysis suggests may have diverted the attention of Russian state-sponsored hackers to more strategic targets. But with the war now well into its second year, it’s possible the desire to raise cash for Russia’s war effort may have restored the hackers’ original mandate.

Overall, Chainalysis says organizations and governments are getting better at defending against ransomware attacks. In January, the U.S. Federal Bureau of Investigation (FBI) announced that it had taken down the Hive malware gang’s network in late 2022, which allowed the FBI to offer many ransomware victims the ‘keys’ to unlock frozen assets.

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) has also targeted coin mixers such as Tornado Cash, which was long used by crypto crooks to launder tokens on the Ethereum network that were the proceeds of crimes, including ransomware.

Last one into the pool’s a North Korean defector!

Last month, Chainalysis reported that crypto crooks were using stolen digital assets in hashing services with the aim of acquiring newly mined ‘clean’ assets that haven’t been flagged by online watchdogs. Mandiant researchers previously reported similar findings regarding North Korea’s notorious Lazarus Group.

Chainalysis cited an example in which millions of dollars worth of both ransomware proceeds and mining pool rewards entered the same deposit address on an unspecified ‘mainstream exchange.’

“This may represent a sophisticated attempt at money laundering, in which the ransomware actor funnels funds to its preferred exchange via the mining pool in order to avoid triggering compliance alarms at the exchange.”

Chainalysis added that starting in 2018, there’d been “a large, steady increase” in the value of digital assets transferred from ransomware wallets to mining pools. The data suggests that “mining pools may play a key role in many ransomware actors’ money laundering strategy.”

In total, nearly $1.8 billion in tainted assets have been moved through deposit addresses with heavy mining exposure. Interestingly, the two highest quarters of ‘scam value received by exchange deposit addresses with heavy mining pool exposure’ came in the second half of 2022. The numbers have fallen off dramatically since, in keeping with the overall drop in crypto scamming discussed above.

Stolen Ape Prison Club

Immediately prior to this week’s Chainalysis update, the U.S. Attorney’s Office for the Southern District of New York (SDNY) unsealed indictments against two individuals accused of involvement in two separate crypto-related crimes.

On Monday, the SDNY announced charges against Soufiane Oulahayne, who is charged with (among other things) wire fraud for stealing $450,000 worth of digital assets and dozens of non-fungible tokens (NFTs) from a Manhattan resident in September 2021. The NFTs included items from the Bored Ape Yacht Club (BAYC), Bored Ape Kennel Club, CryptoDad, and Meebit collections.

Oulahayne, who is currently in custody in Morocco on local charges, obtained the stolen property by buying paid ads on a search engine that caused a spoofed version of the OpenSea NFT marketplace to appear first when users searched for ‘opensea.’ Clicking that link took users to a bogus OpenSea login page that funneled their digital wallet credentials to Oulahayne, who proceeded to rob them blind.

Just google ‘how to cop a plea,’ already

A second indictment unsealed on Tuesday accuses New York resident Shakeeb Ahmed of wire fraud and money laundering. The charges stem from stealing $9 million worth of digital assets from a decentralized exchange (DEX) operating on the Solana blockchain.

The theft began in early July 2022, when Ahmed—a senior security engineer at an unrelated ‘leading international technology company’ with expertise in ‘reverse engineering smart contracts’—identified a flaw in the DEX’s code.

The DEX used ‘tick accounts’ to calculate the fees generated by liquidity providers who deposited digital assets into the pool. While rank-and-file users couldn’t create tick accounts, they could create ‘position accounts’ that tracked their share of the liquidity pool. Ahmed “carefully structured and designed” two position accounts to appear as tick accounts, and the DEX accepted them as legitimate.

From there, Ahmed fed false price-tick data into the sham accounts, making it look like he’d deposited a huge amount of liquidity, which the DEX rewarded by paying him massive fees that he wasn’t entitled to.

Ahmed then took out a series of “at least 21” uncollateralized ‘flash loans’ worth “tens of millions of dollars” in a mix of stablecoins, including USDC, Tether, Hubble (USDH), and Project Pai (PAI), as well as Solana’s native SOL token, from an unspecified ‘crypto lender.’

Ahmed deposited the borrowed assets into the DEX’s pool, used his fake tick account to generate more fees, then withdrew the borrowed assets via a second fake tick account to repay the lender.
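The bug class the indictment describes is account-type confusion: a program that reads any account of the right shape as a ‘tick account’ will accept a user-created position account carrying a crafted payload. The following is an added, simulated illustration (not code from the article or from the DEX involved) of the weak parser beside the hardened one; the 8-byte type tag, the field layout and the single-byte stand-in for the owning program id are all assumptions.

```rust
// Added illustration, not code from the article or from the DEX it describes.
// Assumptions: account data starts with an 8-byte type tag (Anchor-style
// discriminator), the two tags and the field layout are invented here, and a
// single byte stands in for the owning program id.
const TICK_TAG: [u8; 8] = *b"TICKACCT";
const POSITION_TAG: [u8; 8] = *b"POSITION";
const DEX_PROGRAM: u8 = 0xAA;

#[derive(Debug, PartialEq)]
pub struct Tick { pub liquidity_net: i64, pub fee_growth: u64 }

pub struct Account<'a> { pub owner: u8, pub data: &'a [u8] }

/// Constructed sample data: serialise an account body under the given tag.
pub fn encode(tag: [u8; 8], liquidity_net: i64, fee_growth: u64) -> Vec<u8> {
    let mut v = tag.to_vec();
    v.extend_from_slice(&liquidity_net.to_le_bytes());
    v.extend_from_slice(&fee_growth.to_le_bytes());
    v
}

// Shared field decoder; deliberately ignores the tag and owner.
fn fields(data: &[u8]) -> Option<Tick> {
    Some(Tick {
        liquidity_net: i64::from_le_bytes(data.get(8..16)?.try_into().ok()?),
        fee_growth: u64::from_le_bytes(data.get(16..24)?.try_into().ok()?),
    })
}

/// Weak parser: anything of the right length is treated as a tick account,
/// so a user-created position account with a crafted payload is accepted.
pub fn parse_tick_unchecked(acc: &Account) -> Option<Tick> {
    fields(acc.data)
}

/// Hardened parser: the account must be owned by the DEX program and carry
/// the tick tag before any field is read; a position account is rejected.
pub fn parse_tick_checked(acc: &Account) -> Result<Tick, &'static str> {
    if acc.owner != DEX_PROGRAM { return Err("account not owned by program"); }
    if acc.data.len() < 24 { return Err("account data too short"); }
    if acc.data[..8] != TICK_TAG { return Err("not a tick account"); }
    fields(acc.data).ok_or("malformed tick account")
}
```

The owner check matters as much as the tag check: a tag alone can be written by anyone into an account their own program owns, so both must hold before the fee arithmetic trusts the fields.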

To launder his ill-gotten gains, Ahmed used every trick in the book: ‘bridging’ tokens across different blockchains, transferring assets to other Solana wallets via a ‘swap aggregator,’ converting the tokens to the privacy coin Monero, and transferring the assets to a number of overseas exchanges.

While the DEX caught on to Ahmed’s scheme fairly early, he rejected their offer of letting him keep $800,000 of the stolen cash if he returned the rest. Ahmed counter-offered a plan that would let him keep $2.5 million, later lowering this to $1.8 million, ultimately returning all but $1.5 million on July 8, 2022.

The indictment notes that a subsequent perusal of Ahmed’s computers revealed a rather careless approach to op-sec, including numerous online searches for information on the DEX hack shortly after it occurred, including the likelihood of being identified and prosecuted for such crimes.

Ahmed’s incriminating searches also included ‘white collar criminal defense attorneys with expertise in cryptocurrency,’ ‘how to prove malicious intent,’ ‘how to stop federal government from seizing assets,’ ‘buying citizenship,’ and ‘can I cross the border with crypto.’

Solana has been the subject of any number of malicious attacks, scams, and ineptitude in its basic design, but rarely has it been targeted by someone so seemingly determined to get caught. Now, if you’ll excuse us, we have to google ‘how to clean blood and brains off a car seat’ for utterly innocent reasons.

Follow CoinGeek’s Crypto Crime Cartel series, which delves into the stream of groups—from BitMEX to Binance, Blockstream, ShapeShift, Coinbase, Ripple, Ethereum, FTX and Tether—who have co-opted the digital asset revolution and turned the industry into a minefield for naïve (and even experienced) players in the market.
