Cryptocurrency Crime Explained (Part 1): A Guide for Financial Crime Investigators

Ervin Zubic
Coinmonks
10 min read · Jul 24, 2024


Explore the intricacies of cryptocurrency-related financial crimes. Gain insights on detection, prevention, and compliance strategies for AML officers and FCC experts.

A black and white pencil sketch depicting elements of cryptocurrency crime including Bitcoin, a hacker, and law enforcement symbols.
Crypto Crime. Image created using DALL-E.

Increased adoption of cryptocurrency has ushered in a new financial era. Its perceived decentralized nature, cryptographic security, and promise of anonymity have revolutionized transactions but also provided fertile ground for illicit activities. From its early association with the infamous Silk Road to the intricate money laundering schemes seen today, cryptocurrency’s role in crime is both fascinating and complex.

This article is part one of a two-part series aimed at demystifying the shadowy underworld of cryptocurrency crime. In part one, we will explore the evolution of cryptocurrency, the ways it is used for illicit activities, and current trends. In part two, we will delve into crypto-native money laundering, the role of KYC and AML in combating crypto crime, and popular cryptocurrency scams. By the end of this series, you will have a comprehensive understanding of the intersection between cryptocurrency and crime, equipping you with the knowledge to navigate this intriguing and often dangerous landscape.

From Silk Road to Mainstream: The Evolution of Cryptocurrency Crime

Cryptocurrency’s journey into the mainstream is inextricably linked to its shadowy beginnings. From the outset, digital assets like Bitcoin were celebrated for their promise of financial freedom and privacy. However, this promise quickly attracted individuals seeking to exploit these features for illicit purposes. The turning point came with the rise of the Silk Road, a now-infamous darknet marketplace.

Launched in 2011 by Ross Ulbricht under the pseudonym “Dread Pirate Roberts,” Silk Road was a groundbreaking platform enabling users to buy and sell illegal goods and services using Bitcoin. This marketplace operated on the Tor network, an anonymizing technology that concealed users’ identities and locations. The Silk Road’s business model was simple yet revolutionary: leverage the pseudonymity of cryptocurrency to facilitate transactions beyond the reach of law enforcement.

The Silk Road’s impact on the cryptocurrency world was profound. For many, it was their first exposure to Bitcoin and digital currencies. The marketplace rapidly grew, boasting over 100,000 users and listings for everything from drugs to forged documents. Ulbricht’s arrest in 2013 and the subsequent shutdown of Silk Road marked a significant moment in the history of cryptocurrency. The U.S. Department of Justice’s press release described Silk Road as “the most sophisticated and extensive criminal marketplace on the Internet.”

Silk Road website: Online black market resurfaces. Source: CBS Mornings on YouTube.

The case against Ross Ulbricht not only spotlighted the dark side of Bitcoin but also set legal precedents that reverberate through the cryptocurrency industry today. The prosecution painted a vivid picture of Ulbricht as a digital kingpin who reaped millions in commissions from the illicit sales on his platform. Despite Ulbricht’s efforts to anonymize transactions using Bitcoin and Tor, the digital trail led law enforcement to his doorstep.

The fallout from the Silk Road saga was twofold. On one hand, it cemented Bitcoin’s reputation as the currency of choice for criminals, casting a long shadow over the burgeoning cryptocurrency industry. On the other hand, it demonstrated the power of blockchain technology in tracking and apprehending offenders. This paradoxical outcome spurred both increased scrutiny and accelerated innovation within the crypto space.

Subsequent darknet markets learned from Silk Road’s downfall, adopting stricter codes of conduct and even greater measures to enhance anonymity. Despite these efforts, the association between cryptocurrency and crime, established by Silk Road, remains challenging for the industry. The early association of Bitcoin with the Silk Road has had a lasting impact, influencing public perception and regulatory approaches to cryptocurrency. However, as we will see in this two-part series, there is much more to cryptocurrency than its humble beginnings.

Decoding Crypto Crime: Key Threats in Digital Finance

Cryptocurrency’s allure of anonymity and decentralization has made it a magnet for various forms of illicit activity. Understanding these activities is crucial to grasping the full spectrum of risks associated with digital currencies. Let’s explore the different types of cryptocurrency crime, each with its own unique characteristics and implications.

Sanction Evasion

Sanctions are powerful tools governments use to curb illicit activities and enforce international law. In the realm of cryptocurrency, sanctioned entities often exploit digital assets to bypass financial restrictions.

Case Study: U.S. Treasury Sanctions Virtual Currency Mixer for DPRK Cyber Threats

The U.S. Office of Foreign Assets Control (OFAC) has increasingly targeted individuals and entities using virtual currencies for malign activities. On May 6, 2022, the U.S. Treasury’s OFAC sanctioned Blender.io, a virtual currency mixer used by North Korea to launder stolen cryptocurrency. This unprecedented move came after the DPRK’s Lazarus Group stole nearly $620 million from a blockchain project linked to the game Axie Infinity, with Blender.io processing $20.5 million of these illicit funds. These activities fund North Korea’s weapons and missile programs. Such cases highlight the need for robust compliance measures in the cryptocurrency industry to prevent sanctioned entities from exploiting digital currencies.

Blender.io cryptocurrency mixing process diagram.
This diagram illustrates the Blender.io cryptocurrency mixing process, showing the steps from a cyber crime event, through laundering and mixing, to the obfuscation of proceeds. It details how illicit funds are mixed with other customers’ funds to make them indistinguishable, thereby hiding their origins. Source: U.S. Treasury Issues First-Ever Sanctions on a Virtual Currency Mixer, Targets DPRK Cyber Threats, U.S. Department of the Treasury.
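As an added illustration (not from the article or from any analytics vendor), the pro-rata "taint" tracing that compliance teams use to estimate a deposit's indirect exposure to a sanctioned mixer. The ledger, the address labels and the 10% escalation threshold are all constructed placeholders; the hop depth shows why such exposure figures are lower bounds that rise as tracing goes further back.

```python
from collections import defaultdict

# Constructed sample ledger of (sender, receiver, amount); labels are placeholders, not real addresses.
LEDGER = [
    ("SANCTIONED_MIXER", "A1", 10.0),   # mixer output lands in A1
    ("CLEAN_EXCHANGE", "A1", 30.0),     # A1 also receives clean funds, diluting the taint
    ("A1", "A2", 20.0),                 # intermediate hop
    ("A2", "DEPOSIT", 20.0),            # funds reach an exchange deposit address
    ("CLEAN_EXCHANGE", "DEPOSIT", 5.0),
]
SANCTIONED = {"SANCTIONED_MIXER"}       # stand-in for an OFAC-listed mixer address


def build_inflows(ledger):
    """Map each receiving address to its list of (sender, amount) inflows."""
    inflows = defaultdict(list)
    for src, dst, amt in ledger:
        inflows[dst].append((src, amt))
    return inflows


def tainted_fraction(address, inflows, sanctioned, max_hops, memo=None):
    """Fraction of funds at `address` traceable to a sanctioned source within max_hops.
    Mixed funds are attributed pro rata: an address that received 10 tainted and 30
    clean units passes 25% taint on to everything it sends."""
    if memo is None:
        memo = {}
    if address in sanctioned:
        return 1.0
    if max_hops == 0 or address not in inflows:
        return 0.0  # out of tracing depth, or an origin with no known inflows
    key = (address, max_hops)
    if key in memo:
        return memo[key]
    total = sum(amt for _, amt in inflows[address])
    if total == 0:
        return 0.0
    tainted = sum(amt * tainted_fraction(src, inflows, sanctioned, max_hops - 1, memo)
                  for src, amt in inflows[address])
    memo[key] = tainted / total
    return memo[key]


def screen_deposit(address, ledger, sanctioned, max_hops, threshold=0.10):
    """Return ('ESCALATE', fraction) when indirect sanctioned exposure meets the threshold."""
    fraction = tainted_fraction(address, build_inflows(ledger), sanctioned, max_hops)
    return ("ESCALATE" if fraction >= threshold else "CLEAR", fraction)


if __name__ == "__main__":
    # Tracing one hop back finds nothing; three hops back reveals 20% exposure to the mixer.
    for hops in (1, 3):
        print(hops, screen_deposit("DEPOSIT", LEDGER, SANCTIONED, hops))
```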

Terrorist Financing

In addition to sanction evasion, cryptocurrency has been used as a tool for terrorist groups to fund their operations, leveraging its pseudonymous nature to move money across borders without detection.

Case Study: Hamas and Cryptocurrency Fundraising

One of the most recent examples of cryptocurrency being used to finance terrorist activity is Hamas. For instance, between 2020 and 2023, cryptocurrency wallets connected to Hamas received approximately $41 million. The group solicited donations through various campaigns, using platforms like Binance to facilitate transactions. In response, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned a Gaza-based virtual currency exchange involved in these activities and identified additional virtual wallet addresses linked to Hamas. These efforts highlight the persistent challenge of terrorist financing and the importance of vigilant regulatory measures to curb the flow of illicit funds.

Hamas infographic explaining the benefits of Bitcoin.
This infographic by Hamas explains the benefits of Bitcoin, highlighting its encrypted nature, decentralization, anonymity, and ease of conversion to cash. It also provides a brief history of Bitcoin’s value changes from 2009 to 2019, illustrating its growth and market impact. Source: Hamas Military Wing Crowdfunding Bitcoin, Forbes.

Child Sex Abuse Material (CSAM)

The internet has sadly become a hub for the distribution of child sex abuse material (CSAM), with cryptocurrency facilitating these heinous transactions due to its anonymous nature.

Case Study: Welcome to Video

Welcome to Video was a notorious child pornography website that operated out of South Korea, allowing users to buy content with Bitcoin. The site’s takedown in 2018, which led to the seizure of 8 terabytes of child pornography and over 1.3 million Bitcoin addresses, was a landmark case. Law enforcement agencies worldwide collaborated, using blockchain analysis to track transactions and identify users, leading to numerous arrests. This case underscores the global reach of CSAM networks and the critical role of cryptocurrency in their operations.

Law enforcement officials on Wednesday announced the takedown of the largest child pornography site on the dark web, unsealing criminal charges against its South Korean operator and hundreds of users around the world.
This image shows a notice of seizure for the dark web site ‘Welcome to Video’, indicating its shutdown by law enforcement agencies from the United Kingdom, United States, Germany, and South Korea. It highlights the involvement of international partners, including countries such as Australia, Brazil, Canada, France, and others, in the operation that led to the arrests of the site’s operator and hundreds of users globally. Source: Hundreds Arrested in Child Pornography Site Takedown, voanews.

Malware and Ransomware

Malware and ransomware are malicious software programs designed to infiltrate systems, steal information, and extort victims. Cryptocurrency plays a pivotal role in these attacks, providing an untraceable payment method for ransoms.

Ransomware Case Study: AT&T and ShinyHunters

In a recent ransomware case, US telecom giant AT&T paid a hacker 5.7 bitcoin, worth approximately $373,646 (over $300,000) at the time, on May 17, 2024, to delete stolen customer call records. The hacker, a member of the notorious ShinyHunters group, negotiated the ransom after stealing the data from unsecured Snowflake cloud storage accounts. Chris Janczewski of TRM Labs confirmed the transaction, noting that the funds were laundered through several cryptocurrency exchanges and wallets, obscuring their final destination.

Twitter profile of the ShinyHunters APT group.
This image shows the Twitter profile of ShinyHunters, an advanced persistent threat (APT) group known for negotiating ransoms after stealing data from unsecured Snowflake cloud storage accounts. The profile, which was created in January 2020, has 561 followers and follows one account. Source: Dark Web Profile: ShinyHunters, SOCRadar.

Cryptojacking

Cryptojacking involves infecting computers with malware that mines cryptocurrency without the owner’s knowledge. This type of attack harnesses the victim’s computational power, often slowing down their devices significantly while generating revenue for the attacker.

Cryptojacking Case Study: Charles O. Parks III

On April 15, 2024, Charles O. Parks III, also known as “CP3O,” was indicted for a cryptojacking scheme that defrauded cloud service providers of over $3.5 million in computing resources to mine nearly $1 million in cryptocurrency. Parks used aliases and fake companies to access and exploit these resources. He faces charges of wire fraud, money laundering, and unlawful monetary transactions. Parks was arrested on April 13, 2024, and will appear in federal court in Omaha. This case highlights the growing threat of cryptojacking and the collaboration between law enforcement and private sectors to combat it.

Lifecycle diagram of a cryptojacking attack.
This diagram outlines the lifecycle of a cryptojacking attack, illustrating how a threat actor uses compromised credentials to access a cloud environment, hijacks the subscription, increases core quotas, mass-creates computing resources, and installs cryptocurrency mining software on virtual machines to mine cryptocurrency. Source: Cryptojacking: Understanding and defending against cloud compute resource abuse, Microsoft.

Darknet Markets

Darknet markets are hidden websites that facilitate the sale of illegal goods and services, primarily using cryptocurrency due to its anonymity.

Darknet Market Case Study: Hydra Market Shutdown

On April 5, 2022, the Justice Department, in coordination with German authorities, seized Hydra Market, the largest darknet marketplace, responsible for 80% of all darknet market-related cryptocurrency transactions in 2021. Since 2015, Hydra had facilitated $5.2 billion in transactions. The operation also resulted in the confiscation of $25 million in bitcoin and the indictment of Russian resident Dmitry Olegovich Pavlov for conspiracy to distribute narcotics and commit money laundering. This case underscores the ongoing efforts to dismantle major darknet markets and bring criminals to justice.

This image shows the interface of Hydra Market, an online darknet marketplace that operated similarly to a retail platform, facilitating the buying and selling of various goods among diverse consumers and vendors. The site was seized by the U.S. Department of Justice and German authorities on April 5, 2022. Source: Germany’s Federal Criminal Police Office Takes Down Hydra Darknet Marketplace, TRM Labs.

Revenue Trends and Law Enforcement Challenges

According to Chainalysis’ 2024 Crypto Crime Report, the value received by illicit cryptocurrency addresses dropped significantly to $24.2 billion in 2023. However, these figures are lower bound estimates based on the illicit addresses identified to date. As more illicit addresses are discovered and their historical activity is incorporated, these totals are expected to increase. For instance, the initial estimate for 2022 was $20.6 billion, but with new address identifications and the inclusion of transactions from sanctioned services, the updated figure rose to $39.6 billion.

Graph showing the development of crypto heists from 2011 to 2024, highlighting the total number of heists, actual amount stolen, and equivalent value today.
This image depicts the number of crypto heists by month and year from 2011 to 2024, indicating a total of 957 heists, with an actual amount stolen of $12.47 billion USD, and an equivalent value today of $50.44 billion USD. The graph shows a significant increase in attacks over the years, particularly from 2020 onwards. Source: Worldwide cryptocurrency heists tracker, comparitech.

Stolen Funds

Cryptocurrency exchanges and services are prime targets for hackers, resulting in significant financial losses and posing a substantial security risk.

Top 10 Biggest Crypto Heists

Here are some of the most significant crypto heists to date, based on the stolen amount in USD at the time:

  1. Ronin Network (Axie Infinity) — $620 million. On March 29, 2022, hackers stole $620 million from Ronin Network, composed of 173,600 ETH and $25.5 million in USD. The US Treasury attributed the theft to North Korea’s Lazarus group.
  2. Poly Network — $610 million. In August 2021, a hacker exploited a vulnerability in Poly Network, stealing over $600 million. Most of the funds were eventually returned after negotiations, though $33 million in USDT remained frozen.
  3. Binance — $570 million. In October 2022, hackers stole $570 million in BNB tokens from Binance’s cross-chain bridge. Quick actions froze most tokens, leaving about $110 million unrecoverable.
  4. Coincheck — $547 million. In January 2018, hackers stole $547 million in NEM tokens from Japan-based Coincheck by exploiting their use of a hot wallet. Although marked as stolen, the tokens were speculated to have been sold on dark markets.
  5. Mt. Gox — $470 million. Between 2011 and 2014, Mt. Gox lost 850,000 bitcoins (worth $470 million then, $4.7 billion today) due to ongoing theft. The exchange went into liquidation, recovering 200,000 bitcoins.
  6. FTX — $415 million. Following its bankruptcy announcement, FTX suffered a hack, losing $415 million. Remaining funds were moved to cold storage for security.
  7. Wormhole — $326 million. On February 2, 2022, hackers exploited Wormhole, stealing $326 million in wrapped Ethereum (wETH). The platform temporarily shut down to address the breach.
  8. DMM Bitcoin — $305 million. In May 2024, DMM Bitcoin lost $305 million worth of bitcoin in an attack. The platform sought funds to compensate victims.
  9. PlayDapp — $290 million. In February 2024, hackers stole private keys and minted 1.79 billion PLA tokens, worth $290 million. PlayDapp offered a $1 million bounty, but the hacker continued exploiting the platform.
  10. KuCoin — $281 million. In September 2020, hackers stole $281 million in various cryptocurrencies from KuCoin’s hot wallets. Evidence suggested North Korean hackers were responsible.

Navigating the Crypto Underworld: What’s Next in Our Deep Dive into Cryptocurrency Crime

As we have seen in part one, cryptocurrency’s journey from the Silk Road to mainstream acceptance has been marred by its association with various illicit activities. From sanction evasion and terrorist financing to child sex abuse material and ransomware, the misuse of digital currencies poses significant challenges to law enforcement and regulatory bodies.

In part two, we will continue our exploration by examining crypto-native money laundering and the sophisticated techniques criminals use to obscure the origins of illicit funds. We will also dig into the critical role of KYC (Know Your Customer) and AML (Anti-Money Laundering) protocols in combating cryptocurrency crime, and uncover popular cryptocurrency scams that prey on unsuspecting victims. Stick around as we uncover more about the dynamic and evolving landscape of cryptocurrency crime and the ongoing efforts to secure the global financial system.



Exploring cyber threat intelligence with a focus on FinCrime & blockchain forensics. Check out my work on GitHub and Mirror.xyz. Connect on Twitter for updates.