“Malicious Actors Hiding in the Dark”: An Overview of Money Laundering Techniques Employed by Malicious Actors

Sentinel Protocol Team
Published in Sentinel Protocol
Feb 19, 2020

By: Athul Harilal (Security Researcher) and Koh Kai Xuan (Associate Security Analyst)

In this article, we highlight the techniques malicious actors employ to launder illicit funds from blacklisted point of origin wallets to the exchanges where they encash them. To do so, we collected approximately 30,000 different malicious actor wallets from our Threat Intelligence database (TRDB), belonging to around 1500 different malicious incidents. Our research used only Ethereum wallets belonging to malicious actors as a use case; however, the money laundering techniques derived from it are applicable to other cryptocurrencies as well.

Types of Malicious Actor Wallets found in our Dataset:

We categorized malicious actor wallets into 3 types based on their use.

1. Point of origin wallets: Point of origin wallets are the initial wallets that malicious actors use to run away with illicit funds extorted from innocent victims or organisations. These wallets are reported by the victims themselves through our portal, or through public forums that gain attention, and are then validated by our security experts.

2. Storage wallets: A storage wallet is one that malicious actors use to store illicit ether collected from one or more point of origin wallets.

3. Exchange user wallets: An exchange user wallet is one that malicious actors use to convert illicit ether into fiat cash. These wallets are issued by the exchanges themselves to users in order to buy or sell cryptocurrency, and a user could possess more than one such wallet, belonging to the same or different exchanges.

From our dataset, we observe that close to 60% of the wallets are exchange user wallets, 31% are point of origin wallets and only the remaining 9% are storage wallets.

Main Intent of Malicious Actor

The main aim of the malicious actor is to relay the illicit funds from point of origin wallets to exchange user wallets for encashing, in a manner that makes it difficult for cryptocurrency enthusiasts to keep track of their transactions. Using Figure 1 as the reference, let’s observe how malicious actors are able to do so.

Fig 1: Illustration of transaction tracking from point of origin wallets.

In Fig 1, we have represented a group of point of origin wallets as red circles, exchange user wallets as purple circles and storage wallets as blue circles. We observe one direct link between the point of origin wallets and an exchange user wallet / storage wallet. However, the other storage wallet and exchange user wallet cannot be linked back to the point of origin wallets, because malicious actors have used techniques that hide the link. In Fig 1, we represent this by an obfuscation block which receives funds from point of origin wallets and sends them on to an exchange user wallet or storage wallet in a manner that makes it difficult for investigators to find a link between them.

Money Laundering Techniques Observed

Table 1. Stats of different malicious actor wallets.

Upon following the transactions from point of origin wallets for up to 8 hops, we found that only 39% of malicious actors’ exchange user wallets and 16% of their storage wallets were reached, as shown in the Links Found column of Table 1. This shows that malicious actors were successful in hiding the link between point of origin wallets and exchange user wallets or storage wallets. How did malicious actors achieve this?

1. Point of Origin Wallets: Upon querying point of origin wallets through our Crypto Analysis Risk Assessment Tool (CARA) and Crypto Analysis Transaction Visualization (CATV), we infer that malicious actors employed multiple techniques, as shown in Table 1. Predominantly, we observed that 83% of malicious actors relayed and mixed illicit funds over multiple wallets, and 40% tumbled the funds through multiple wallets, which made it difficult to find a link between them. In the cryptocurrency ecosystem, there are readily available services such as mixers and tumblers that cater to exactly such needs. These services function by asking the user to transfer funds to one or more wallets owned by the service, which then sends the funds back to another wallet owned by the user, in a way that makes it difficult to establish a link between the initial and final user wallets; this is illustrated by the obfuscation block in Figure 1.

More sophisticated malicious actors could build similar services themselves with the help of Ethereum blockchain APIs, which make it straightforward for a self-developed program to create multiple wallets and initiate transactions between them.

The mean lifetime of point of origin wallets was 197 days, and only 13% of malicious actors moved all the illicit funds out in a single day, as shown in Table 1. From this, we can infer that malicious actors generally move funds in stages over time, in an effort to make it difficult for defenders to keep track of them.

2. Exchange User Wallets: While 39% of malicious actors’ exchange user wallets could be traced from point of origin wallets, the remaining 61% could not be traced. As a result, they enjoyed the benefit of appearing to be normal users interacting with exchanges. From our dataset, the average lifetime of malicious actors’ exchange user wallets was 233 days, much longer than that of point of origin wallets. However, 29% of malicious actors’ exchange user wallets had a lifetime spanning only a few minutes, involving a single transaction to the exchange and never reused afterwards. Hence malicious actors use a combination of exchange user wallets to encash or convert funds to other cryptocurrencies.

3. Storage wallets: 16% of malicious actors’ storage wallets had a connection with point of origin wallets, and the remaining 84% were hidden by the laundering techniques applied. From our dataset, we find that the mean lifetime of these wallets is 208 days, which indicates that malicious actors sometimes store funds away from the point of origin wallets for a significant amount of time before encashing them.

Upon querying exchange user wallets and storage wallets through our Crypto Analysis Risk Assessment Tool (CARA), we found that the majority of malicious actors employed relaying and mixing, followed by tumbling to receive illicit funds into their wallets as shown in Table 1. Therefore, we can determine malicious intent in these wallets although it is difficult to find a link between these wallets and point of origin wallets.
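To make the tracing procedure concrete (hop-bounded following of transfers out of point of origin wallets, the Links Found check against known exchange user and storage wallets, and the wallet lifetime and single-day-emptying statistics reported above), here is an added Python example. It is not the Sentinel Protocol team's code, nor the CARA/CATV tooling; every wallet name and transfer in it is a constructed placeholder rather than on-chain data, and the `Tx` record and the `trace_from`, `links_found`, `lifetime_days` and `emptied_in_one_day` helpers are names assumed for illustration. Unlike a naive graph search, the trace only follows a transfer dated on or after the day funds arrived at its sender, so a wallet's earlier, unrelated outflows are not mistaken for laundering paths.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Tx:
    """One value transfer. Simplified on purpose: a real tracer would take
    block timestamps and wei amounts from a node or indexer."""
    sender: str
    receiver: str
    value_eth: float
    day: int  # days since an arbitrary epoch (constructed, not a block time)


# Constructed sample ledger (placeholder addresses, not real on-chain data).
# origin* = point of origin, ex* = exchange user, store* = storage, m* = relay.
SAMPLE_TXS: List[Tx] = [
    Tx("origin1", "ex1", 5.0, 0),       # direct origin -> exchange user wallet
    Tx("origin1", "m1", 3.0, 0),        # origin1 is emptied on a single day
    Tx("origin2", "m1", 4.0, 10),       # two origins feed the same relay wallet
    Tx("m1", "m2", 3.5, 11),            # relay/mix: funds split across wallets
    Tx("m1", "m3", 3.5, 11),
    Tx("m2", "store1", 3.5, 12),        # storage wallet, 3 hops from origin1
    Tx("m3", "m4", 3.5, 40),
    Tx("m4", "m5", 3.5, 41),            # long tumble chain ...
    Tx("m5", "m6", 3.5, 42),
    Tx("m6", "m7", 3.5, 43),
    Tx("m7", "m8", 3.5, 44),
    Tx("m8", "m9", 3.5, 45),
    Tx("m9", "ex2", 3.5, 46),           # ... ex2 ends up 9 hops from origin2
    Tx("origin2", "m10", 2.0, 200),     # origin2 keeps moving funds months later
    Tx("unrelated", "store2", 1.0, 5),  # store2 has no path from any origin
]


def trace_from(txs: Iterable[Tx], sources: Iterable[str], max_hops: int) -> Dict[str, int]:
    """Multi-source breadth-first trace. Returns the minimum hop count at which
    each wallet is reached from any source, limited to max_hops. A transfer is
    followed only if it is dated on or after the day funds arrived at its
    sender; the first (shortest) arrival at a wallet is the one kept."""
    out_by_sender: Dict[str, List[Tx]] = defaultdict(list)
    for tx in txs:
        out_by_sender[tx.sender].append(tx)
    hops: Dict[str, int] = {}
    queue = deque()
    for src in sources:
        hops[src] = 0
        queue.append((src, 0, float("-inf")))  # origin funds are already present
    while queue:
        addr, depth, arrived = queue.popleft()
        if depth == max_hops:
            continue
        for tx in out_by_sender.get(addr, []):
            if tx.day < arrived or tx.receiver in hops:
                continue
            hops[tx.receiver] = depth + 1
            queue.append((tx.receiver, depth + 1, tx.day))
    return hops


def links_found(txs: Iterable[Tx], origins: Iterable[str],
                candidates: Iterable[str], max_hops: int = 8) -> Dict[str, bool]:
    """For each known exchange user / storage wallet, report whether a path of
    at most max_hops transfers links it back to a point of origin wallet."""
    reached = trace_from(txs, origins, max_hops)
    return {c: c in reached for c in candidates}


def lifetime_days(txs: Iterable[Tx], addr: str) -> int:
    """Days between the first and last transfer that touches addr."""
    days = [tx.day for tx in txs if addr in (tx.sender, tx.receiver)]
    return max(days) - min(days) if days else 0


def emptied_in_one_day(txs: Iterable[Tx], addr: str) -> bool:
    """True when every outgoing transfer from addr happens on a single day."""
    out_days = {tx.day for tx in txs if tx.sender == addr}
    return len(out_days) == 1


if __name__ == "__main__":
    origins = ["origin1", "origin2"]
    targets = ["ex1", "ex2", "store1", "store2"]
    for k in (3, 8, 9):
        found = links_found(SAMPLE_TXS, origins, targets, max_hops=k)
        status = ", ".join(f"{t}={'linked' if v else 'hidden'}" for t, v in found.items())
        print(f"max_hops={k}: {status}")
    for w in origins:
        print(f"{w}: lifetime {lifetime_days(SAMPLE_TXS, w)} days, "
              f"emptied in one day: {emptied_in_one_day(SAMPLE_TXS, w)}")
```

Running the block shows the effect of the hop budget directly: with 8 hops `ex2` stays hidden behind the tumble chain, with 9 it is linked, and `store2` is never linked because nothing connects it to an origin wallet. The Links Found percentage in the article is the share of `True` values such a check produces over the full set of known wallets.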

Concluding Words

Malicious actors usually operate over 6 months to run away and encash illicit funds. In order to do so, they resort predominantly to relaying and mixing, and tumbling of illicit funds over multiple wallets, to hide the link between point of origin wallets and exchange user wallets or storage wallets, which resulted in hiding 61% and 84% of exchange user wallets and storage wallets respectively. Hence, malicious actors are able to reuse the same exchange user wallet or storage wallet for durations greater than 6 months with some measure of confidence.

However, although malicious actors are able to hide the link, we can still infer malicious intent in exchange user wallets and storage wallets from the money laundering characteristics observed when they engage services such as mixers and tumblers; these characteristics can serve as a precursor to finding the link between the wallets.

Request for Dataset: If you are interested in the dataset, contact us at research@uppsalasecurity.com.

Reference:

“Uppsala Security | TRDB — Sentinel Protocol.” https://www.uppsalasecurity.com/trdb. Accessed 12 Feb. 2020.

“How to Submit an Incident Report — Sentinel Protocol — Medium.” 13 Nov. 2018, https://medium.com/sentinel-protocol/how-to-submit-an-incident-report-6b65914d4ad8. Accessed 12 Feb. 2020.

“Catching and Stopping Online Security Threats: Our Review ….” 18 Nov. 2018, https://medium.com/sentinel-protocol/catching-and-stopping-online-security-threats-our-review-procedure-9e1b0ec398dc. Accessed 12 Feb. 2020.

“Identifying Exchanges Affected by Stolen Upbit ETH — Sentinel ….” 6 Dec. 2019, https://medium.com/sentinel-protocol/identifying-exchanges-affected-by-stolen-upbit-eth-41e6e5db6962. Accessed 12 Feb. 2020.

“Uppsala Security | CARA — Sentinel Protocol.” https://www.uppsalasecurity.com/cara. Accessed 12 Feb. 2020.

“How CATV Helps Businesses Track Money Laundering and ….” 30 Apr. 2019, https://medium.com/sentinel-protocol/how-catv-helps-businesses-track-money-laundering-and-terrorist-funding-90c45f24a063. Accessed 12 Feb. 2020.

“Ethereum Mixer. Ether (ETH) Tumbler. — Bitcoin Mixer.” https://bitcoinmix.org/eth. Accessed 12 Feb. 2020.

“Web3.py — Web3.py 5.5.0 documentation.” https://web3py.readthedocs.io/en/stable/. Accessed 12 Feb. 2020.
