Elliptic Typologies Report 2024 (PDF)
2024
David Carlisle
Summary
This report from Elliptic details the evolving typologies of money laundering and terrorist financing in the cryptoasset space in 2024. It analyzes various methods used by criminals, including the use of exchanges in high-risk jurisdictions, DeFi, stablecoins, and the integration of AI. The report emphasizes the need for continued vigilance and adaptation in detecting and disrupting these risks.
ELLIPTIC TYPOLOGIES REPORT 2024
Preventing Financial Crime in Cryptoassets
Identifying Evolving Criminal Behavior

Contents
Introduction 7
Part I: Money Laundering 10
1. Cryptoasset Exchanges 11
1.1. Use of Non-compliant or Unlicensed Exchanges 11
1.2. Use of Exchanges in High-risk Jurisdictions 17
1.3. Use of Money Mules or Fraudulent Documents at Legitimate Exchanges 24
2. Mixers and Privacy Wallets 30
3. Decentralized Finance (DeFi) and Cross-chain Crime 43
3.1. Money Laundering Through DEXs 44
3.2. Money Laundering Through DeFi Mixers 47
3.3. Money Laundering Through Cross-chain Bridges 51
4. Tokens and Stablecoins 55
4.1. Tokens & Stablecoins Used to Clean Illicit-origin Funds 56
4.2. Laundering of Proceeds From Scams 58
4.3. Laundering of Hacked Tokens and Stablecoins 61
5. Privacy Coins & Chain Hopping 64
5.1. Use of Privacy Coins to Layer Illicit Proceeds 64
5.2. Laundering Illicit-origin Privacy Coins 66
6. Wallet-specific Behaviors 70
6.1. Chain Peeling 70
6.2. Multi-customer Cross-wallet Activity 73
7. Cryptoasset ATMs 75
7.1. Facilitation of Illicit Transfers 75
7.2. Money Mule Activity 80
7.3. Victims of Scams Send Funds via Cryptoasset ATMs 82
8. Card 86
8.1. Use of Cryptoasset Prepaid Cards to Layer Criminal Proceeds 86
8.2. Dirty Cryptoassets Used to Purchase Fiat Cards For Laundering 89
8.3. Fiat Cards Used to Purchase Cryptoassets For Illicit Purposes 92
9. Banks and Indirect Exposure to Cryptoasset Risks 94
9.1. Indirect Exposure Through Processing VASP Transactions 94
9.2. Indirect Exposure Through Correspondent Relationships 96
10. Non-fungible Tokens (NFTs) 98
10.1. NFTs and Money Laundering 98
10.2. NFTs and Fraud 100
10.3. NFTs and Theft 103
11. Metaverse-related Laundering 107
11.1. Use of Metaverse Services to Launder Illicit-origin Cryptoassets 107
11.2. Laundering the Proceeds of Metaverse Crimes 108
12. Artificial Intelligence (AI)-Enhanced Financial Crime 110
12.1. Laundering the Proceeds of AI-Enhanced, Crypto-Enabled Illicit Activity 111
12.2. Laundering of Funds from “AI-Related” Scam Tokens and Rug-Pulls 112
13. Multi-technique and Multi-service Typologies 115
13.1. The Bitfinex Hack 115
13.2. Operation Argenti 118
13.3. Russia Hacking 118
13.4. Dark Web Laundering 121
13.5. Ransomware: the Colonial Pipeline Attack 122
13.6. Other Examples 123
Part II: Terrorist Financing 124
14. TF Involving Crowdfunding Through Charities and Other Organizations 126
15. TF Involving Individuals or Small Cells 131
Part III: Key Trends: Criminal and Threat Actors 133
16. Hackers and Cybercriminals 135
17. Dark Web Vendors 136
18. Fraudsters 137
19. Professional Money Launderers 141
20. Street Drug Dealers 141
21. Human Traffickers and Sex Trade Perpetrators 143
22. Tax Evaders 144
23. State Actors and Sanctions Evaders 146
24. Terrorists and Political Extremists 155
Index 156

Executive Summary to the 2024 Edition

It’s been exactly one year since we published the 2023 version of Elliptic’s Typologies Report, and in that short time we’ve seen important and rapid developments impacting the nexus between cryptoassets and financial crime. In January 2024, the US Treasury’s Financial Crimes Enforcement Network (FinCEN) kicked off the year by issuing a finding that cryptoasset mixers are a primary money laundering concern owing to their frequent use in money laundering, and issued a proposed rule that would require stringent reporting requirements for US crypto businesses and financial institutions where they identify transactions involving mixers. Additionally, across the first half of 2024, the Treasury’s Office of Foreign Assets Control (OFAC) continued its intensive use of financial sanctions to target cryptoasset activity involving a range of threat actors, from cybercriminals, to Russian-affiliated entities involved in sanctions evasion, to the financial support networks of designated terrorist organizations such as Hamas and Hezbollah.
These developments were accompanied by other important developments in the financial crime risk landscape impacting the cryptoasset space. For example:
- Stablecoins, and in particular Tether (USDT) on the TRON network, have featured increasingly in financial crime typologies, including in so-called “pig-butchering” scams, and in sanctions evasion activity involving jurisdictions such as Russia, Iran, and North Korea.
- Professional money launderers associated with Chinese organized crime groups have looked to cryptoassets as a method for moving illicit funds across borders.
- Cryptoasset exchanges located in high-risk jurisdictions, such as Russia, continue to offer an important lifeline to criminal actors seeking to convert funds from crypto into fiat currencies.
- Illicit actors such as ransomware attackers and North Korean cybercriminals continue to utilize complex money laundering schemes, relying on numerous methods of obfuscation, such as mixers, cross-chain services, and “peeling-chain” techniques - often in tandem.
- Criminals are leveraging developments in artificial intelligence (AI) when perpetrating crimes involving cryptoassets, enabling them to scale their illicit operations, particularly related to crimes such as fraud and ransomware.

These ongoing trends require that analysts and investigators not only understand underlying typologies of financial crime, but that they have access to solutions that can enable them to identify associated behaviors and red flags. To that end, at Elliptic, we’ve been working to ensure that our best-in-class blockchain analytics capabilities enable our customers to detect these and other emerging risks. Our aim with this report is to equip analysts and investigators with the practical insights needed to ensure they can continue to detect new financial crime risks with success. Therefore, we’ve designed the 2024 version of this report to reflect the changing landscape.
For example, we’ve:
- provided additional insights into the use of DeFi, stablecoins and other related innovations that are involved in cross-chain laundering typologies;
- updated the chapter on stablecoins to reflect the recent significant changes in this component of the cryptoasset ecosystem;
- included guidance on how you can leverage new functionality within the Elliptic product suite - such as our behavioral detection capabilities and Entity Due Diligence data - to enhance your detection of financial crime typologies; and
- added additional, updated case studies throughout the report based upon major law enforcement and regulatory actions that have occurred across late 2023 and the first half of 2024.

It is more important than ever for professionals to understand the evolving nature of financial crime typologies in the crypto space, so that they can scale their operations to ensure the effective detection and disruption of risks. At Elliptic, we have always been committed to equipping our customers with the data, insights, and capabilities needed to navigate a rapidly evolving landscape. We hope this guide provides you with the insights needed to ensure success in your efforts to prevent financial crime.

David Carlisle
Vice President of Policy and Regulatory Affairs

Introduction

The public discussion around cryptoassets frequently mentions their use in money laundering, terrorist financing, and other financial crime. It is often anecdotal and of little practical use to compliance officers, law enforcement agents, regulators, and other stakeholders responsible for disrupting illicit activity. This detailed guide to money laundering and terrorist financing typologies details the true impact of crime in cryptoassets. Elliptic’s intention is for this study to provide a meaningful contribution to the public and private sectors as they work to root out illicit actors.
This report is designed to equip financial crime analysts and investigators with the knowledge and insights needed to proactively and practically:
- identify specific money laundering and terrorist financing risks;
- investigate cases of suspected crime involving cryptoassets;
- develop anti-money laundering and counter terrorist financing (AML/CTF) responses; and
- evolve their responses to manage risk to businesses, consumers, and society.

In compiling this report, Elliptic has drawn from multiple sources:
- Data insights drawn from Elliptic’s continuous research and analysis of blockchains.
- Consultations with compliance officers at cryptoasset businesses about the typologies they face and risks they encounter on a day-to-day basis.
- Publicly available reports, indictments, and literature produced by law enforcement agencies (LEAs), national financial intelligence units (FIUs), organizations such as the Financial Action Task Force (FATF), and other publicly available court documents.
- Other public records such as press reporting.

Bad actors continue to find new ways to support their criminal activities. Between editions of this report, you will find the latest insights and trends related to money laundering and terrorist financing using cryptoassets on our website. As we work in partnership to make crypto safe to use, please share any emerging typologies identified through your daily work with your Elliptic contact. Our Research & Intelligence Team will use these inputs – together with Elliptic’s bespoke monitoring and analysis techniques – to uncover new typologies and bad actors, ensuring you can rely on the most accurate and up-to-date blockchain analytics capabilities.

How to Use This Report

This report is designed to be a desk guide to complement Elliptic’s blockchain analytics solutions for analysts and investigators.
It can be studied top to bottom so you can become familiar with money laundering red flags in crypto, or you can use it as a reference as and when suspicious activity emerges.

Elliptic’s crypto AML/CFT risk management and investigative solutions enable compliance teams, LEAs, regulators, and FIUs to efficiently and effectively:
- Automate AML/CTF and sanctions compliance checks.
- Identify address clusters associated with illicit actors and take action.
- Illustrate the flow of Bitcoin from address to address to support investigations.
- Monitor movement related to criminal activity involving dark web markets, ransomware attacks, cryptoasset exchange hacks, and other crimes.

This guide deep dives into financial crime typologies using cryptoassets to arm you with a comprehensive set of red-flag indicators that describe:
- Illicit activity involving cryptoassets.
- Examples of how these indicators fit into broader criminal behaviors.
- Context on how criminals engaged in these activities are working to clean their illicit funds.
- How money laundering methods are evolving, assuming some basic knowledge of these crime types.

This document catalogs identified typologies into three parts for easy reference.

Part I: Money Laundering
An outlook of key money laundering typologies Elliptic has identified and their impact on specific cryptoasset products and services.

Part II: Terrorist Financing
An overview of identified terrorist financing cases involving cryptoassets.

Part III: Key Trends: Criminal and Threat Actors
A summary view of how specific sets of illicit actors make use of the specific laundering techniques identified throughout the guide.

Look out for these indicators which evidence the typologies described and inform actions you need to take.

Red Flags
Indicators of risk that might not clearly pinpoint illicit activity as a standalone. But, when they appear in conjunction with other indicators it may suggest suspicious activity is at play.
Diagrams and Flowcharts
Illustrations, diagrams, graphs and charts are included throughout to help you visualize a typology and, where possible, give a relative view.

Case Studies
Wherever possible, real-life examples of how criminals are exploiting the typologies Elliptic has examined are included to evidence how the typology is played out.

Warning Signals
Warnings describe significant issues and trends in criminal behavior that are worth highlighting in their own right and can indicate suspicious activity or require extra attention.

Key Controls & Best Practices
These summarize solutions and approaches that can enable the detection and prevention of the typologies described in this report.

01. Money Laundering

1. Cryptoasset Exchanges

Cryptoasset exchanges provide essential liquidity to crypto markets, acting as vital gateways between the fiat and cryptoasset ecosystems. Thus, exchanges inevitably feature heavily in cryptoasset-related money laundering activity. A report by the Financial Action Task Force (FATF) in September 2020 on cryptoasset red flags highlights the specific risks coming from unregulated exchanges, or those that don’t have AML/CTF controls. The FATF noted that “criminals have exploited the gaps in AML/CTF regimes [...] by moving their illicit funds to VASPs domiciled or operated in jurisdictions with non-existent or minimal AML/CTF regulations [...].” [1]

Unlicensed and non-compliant exchanges present significant money laundering risks. Legitimate and well-intentioned exchanges may also be targeted in money laundering schemes. Those exchanges that hold know your customer (KYC) information on users can often provide law enforcement with vital insights that help to connect the dots between the transaction trail on the blockchain and information about the identities of illicit actors.
In light of the tendency of criminals to target exchanges in their money laundering activity, it is incredibly important that regulated businesses conduct due diligence on crypto exchange counterparties they interact with. To assist in this effort, during 2024, Elliptic launched new Entity Due Diligence services - analytic dashboards that harness blockchain data to provide a comprehensive view of the activity associated with specific cryptoasset exchanges that compliance teams can use to assess the riskiness of dealing with a particular exchange. This section highlights three major money laundering typologies related to criminal abuse of cryptoasset exchanges.

1.1. Use of Non-compliant or Unlicensed Exchanges

The Problem

Criminals deliberately seek out exchanges they know they can exploit with little or no obstruction when moving between fiat and cryptoasset, or from cryptoasset to cryptoasset. This may include:
- exchanges that deliberately flout regulation and registration requirements;
- those that allow customers to set up accounts with little or no identifying information; and
- exchange services that do not require customers who open accounts to comply with regulation in any jurisdiction.

Considering that unlicensed and non-compliant exchanges often do not require any KYC or customer due diligence (CDD) information from users, criminals can operate under a veil of additional anonymity beyond that already afforded by the pseudonymous or anonymous nature of certain cryptoassets. In addition, some – though certainly not all – non-compliant and unlicensed exchanges have themselves been criminal enterprises and deliberately facilitated illicit activity. Non-compliant and unlicensed exchanges present significant systemic risks within the cryptoasset ecosystem, because they enable a wide range of illicit actors to engage in large scale money laundering.
Legitimate crypto exchanges should be on the alert for customers whose cryptoasset transaction histories include frequent interactions with unregulated or non-compliant exchanges. Similarly, legitimate exchanges and cryptoasset businesses – such as cryptoasset brokerages – that provide services to other exchanges must be alert to the risks of dealing with unlicensed and non-compliant exchanges.

The Typology [2]

A common method of abusing unlicensed and/or non-compliant exchanges works as follows:
1. A criminal – for example a perpetrator of ransomware – is in possession of illicitly obtained cryptoassets and requires a source to make the dirty cryptoassets appear clean.
2. The criminal establishes an account with an unlicensed or non-compliant exchange to swap their cryptoassets, sometimes using a mixing or tumbling service. They can set up accounts with complete anonymity, or by using aliases (such as “Mickey Mouse”), or false identifying information (such as listing residential addresses at “123 Main Street”). [3]
3. The criminal swaps their dirty cryptoassets for fiat currencies, or for other cryptoassets.
4. The criminal can then “cash out” from the exchange, having their funds routed directly to a bank account. Other options could be via WebMoney, Perfect Money or other value transfer services, including through the banking system. Often, any messages accompanying related funds transfers may include information or references that are deliberately meant to conceal that they are related to cryptoassets.
5. Alternatively, the criminal may first move new “clean” cryptoassets to a legitimate exchange, from which it can then cash out. Often, this includes swapping transparent cryptoassets – such as Bitcoin, Ethereum and Litecoin – for privacy coins, such as Monero.

The diagram below offers a simple illustration of how a criminal may move dirty cryptoassets through non-compliant exchanges.
Red Flags

Common red-flag indicators and risk factors associated with non-compliant and unlicensed exchanges include:
- the exchange requires no KYC/CDD information;
- customers can establish an account, or access services with only basic information, such as an email address and password;
- the exchange is either unable to produce AML policies and procedures when requested to do so, or its documented AML policies are of a poor standard;
- the exchange does not place any limits or restrictions on customers’ volumes and values of permissible trading activity;
- the exchange permits customers to fund their account even if they have received cryptoassets directly from mixers/tumblers;
- there is no meaningful information about its compliance practices, management structure or business registration on the exchange’s website;
- customers regularly engage in business with other non-compliant and/or opaque exchanges;
- the exchange is associated with high percentages of cryptoasset transfers coming from addresses associated with criminal sources, such as ransomware attacks and dark web markets (for instance, 50-60% or more of the exchange’s business may come from or go to criminal sources);
- the exchange’s website warns customers not to make mention of Bitcoin or cryptoassets when talking to external parties such as banks;
- the exchange may instruct customers to put vague or misleading information into wire transfer message fields when transferring fiat funds to or from a bank;
- the exchange may have only recently registered and possibly has no prior established history of cryptoasset trading;
- association with open discussions among criminals on the dark web;
- the exchange is associated with open discussions among criminals on its user chat rooms, internet message boards – such as Reddit – or other surface web sources; and
- the exchange advertises that it allows customers to exchange cash for cryptoassets.
SUEX, Chatex, Garantex and the Laundering of Ransomware Proceeds

In September 2021, the US Treasury’s Office of Foreign Assets Control (OFAC) undertook a sanctions action that highlighted the pivotal role that unregulated cryptoasset exchanges that fail to apply AML/CFT controls play in facilitating illicit finance. That month, OFAC placed sanctions on SUEX OTC, S.R.O., a cryptoasset trading business registered in the Czech Republic and with operations in Russia. SUEX had a limited online presence, advertising boutique services for a largely Russian clientele, including enabling users to buy cryptoassets with credit cards online, or in-person in cash. To the average person, SUEX would have appeared to be an inconsequential and small cryptoasset business of little relevance. However, SUEX was in fact a linchpin in the ransomware ecosystem, enabling ransomware perpetrators to launder their ill-gotten gains. According to OFAC, SUEX facilitated money laundering activity related to at least eight ransomware strains, and as much as 40% of its overall business related to illicit activity. [4]

Elliptic’s research indicates that from 2018 onward, SUEX engaged in cryptoasset transactions totalling more than $934 million, as indicated in the chart below. This suggests that it processed more than $370 million in illicit transactions in the course of just three years – a substantial sum for a seemingly small exchange service. [5]

[Chart: Value of Cryptoassets Received by SUEX Addresses Listed by OFAC. Vertical axis: $ value (in millions), 0 to 500. Categories: BTC, USDT, ETH, USDC, DAI, Other Tokens.]

As part of its sanctions action targeting SUEX, OFAC included 25 Bitcoin, Ethereum, and Tether addresses that it controlled to enable the private sector to block transactions with SUEX.
Because SUEX operated an over-the-counter trading service by opening accounts at larger exchange businesses, the OFAC sanctions come with real impact: other exchanges need to cut off business with SUEX or risk violating OFAC’s restrictions.

In November 2021, the agency followed the SUEX action by placing sanctions on another exchange, Chatex, which was also a key facilitator of ransomware payments. Registered in St. Vincent and the Grenadines, Chatex shared common owners and controllers with SUEX and serviced a largely Russian clientele. According to OFAC, up to 50% of Chatex’s transaction history involved illicit activity, and Elliptic’s own analysis indicates that in addition to facilitating ransomware transactions Chatex was a major facilitator of transactions involving the Russia-based Hydra dark web market. Press reporting from December 2021 indicated that Chatex and its users were facing an inability to move their funds off of the exchange as a result of the OFAC sanctions. [6]

In April 2022, OFAC sanctioned yet another Russia-linked crypto exchange when it targeted Garantex, an Estonia-registered exchange also accused of facilitating activity on behalf of Russian ransomware gangs. [7]

The OFAC sanctions targeting SUEX, Chatex, and Garantex send a powerful message: the US government is prepared to disrupt the financial networks that sustain crimes such as ransomware, and it will target those cryptoasset exchanges at the heart of these illicit networks.

This image from Elliptic Investigator above illustrates the flow of funds from a Bitcoin wallet belonging to the Conti ransomware gang (represented by the green circle on the left) to the SUEX crypto exchange (represented by the green circle on the right). The funds pass through intermediary wallets prior to being deposited at SUEX.
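The Conti-to-SUEX graph described above is the kind of indirect exposure a deposit screen has to catch: the listed wallet never pays the exchange directly. The following Python is an added example, not Elliptic’s code and not from the report. It screens a deposit address against a sanctioned-address list by walking backwards through incoming transfers for a bounded number of hops. The addresses, the transfer graph and the sanctioned set are all constructed stand-ins; no real OFAC-listed address appears here.

```python
"""Sanctioned-source screening with bounded backward tracing.

Added example (not Elliptic's code, not from the report). Every address,
transfer and list entry below is constructed for illustration."""
from collections import deque

# Constructed stand-ins for a sanctions address list. NOT real OFAC data.
SANCTIONED = {"addr-sanctioned-a", "addr-sanctioned-b"}

# Constructed transfers: (sender, receiver, amount in BTC).
TRANSFERS = [
    ("addr-sanctioned-a", "addr-hop-1", 5.0),      # listed wallet pays an intermediary
    ("addr-hop-1", "addr-hop-2", 4.9),             # second intermediary
    ("addr-hop-2", "addr-deposit-x", 4.8),         # lands at an exchange deposit address
    ("addr-payroll", "addr-deposit-y", 1.0),       # unrelated, clean deposit
    ("addr-sanctioned-b", "addr-deposit-z", 0.3),  # direct transfer from a listed wallet
]


def build_incoming_index(transfers):
    """Map each receiving address to the list of senders that paid it."""
    incoming = {}
    for sender, receiver, _amount in transfers:
        incoming.setdefault(receiver, []).append(sender)
    return incoming


def sanctioned_hops(address, transfers, sanctioned, max_hops=5):
    """Smallest number of hops from any sanctioned address to `address`:
    0 if the address itself is listed, 1 for a direct transfer, and so on.
    Returns None when no listed source is reachable within max_hops.
    Breadth-first search backwards over incoming transfers, so the first
    hit found is the shortest path."""
    if address in sanctioned:
        return 0
    incoming = build_incoming_index(transfers)
    seen = {address}
    frontier = deque([(address, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth >= max_hops:
            continue  # hop budget exhausted on this path
        for sender in incoming.get(node, []):
            if sender in sanctioned:
                return depth + 1
            if sender not in seen:
                seen.add(sender)
                frontier.append((sender, depth + 1))
    return None


def classify_deposit(address, transfers=TRANSFERS, sanctioned=SANCTIONED, max_hops=5):
    """Verdict a compliance workflow can act on: 'block' for a listed address or
    a direct transfer from one, 'review' for exposure through intermediaries,
    'clear' when nothing is found within the hop bound."""
    hops = sanctioned_hops(address, transfers, sanctioned, max_hops)
    if hops is None:
        return "clear"
    return "block" if hops <= 1 else "review"


if __name__ == "__main__":
    for deposit in ("addr-deposit-x", "addr-deposit-y", "addr-deposit-z"):
        print(deposit, sanctioned_hops(deposit, TRANSFERS, SANCTIONED), classify_deposit(deposit))
```

The hop bound keeps the backward walk bounded on busy addresses; the “review” tier is where an analyst decides whether the intermediaries are peeling-chain hops or a legitimate service sitting between the listed wallet and the deposit.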
Conducting Entity Due Diligence

Blockchain data can provide critical insights that enable a compliance team to understand the risk associated with particular cryptoasset exchange services. Elliptic’s Entity Due Diligence capabilities provide compliance teams at cryptoasset businesses and financial institutions with a comprehensive dashboard view of an exchange’s blockchain activity, including:
- its transactional exposure to illicit actors such as those associated with dark web markets, cybercrime activity, and fraud;
- its transactional exposure to wallets associated with individuals and entities sanctioned by the US, UK, EU and other jurisdictions; and
- its exposure to cryptoasset mixers.

Equipped with these insights, compliance teams can make decisions about the level of risk associated with exchanges and can take appropriate steps to manage the risks.

1.2. Use of Exchanges in High-risk Jurisdictions

The Problem

Criminals will often look to exchanges that are in high-risk jurisdictions during the money laundering process. For cryptoasset-laundering purposes this can include:
- countries and regions that are generally high risk for money laundering and terrorist financing purposes. These could be in Africa, Eastern Europe or the Middle East;
- countries subject to international financial sanctions, embargoes and other restrictions;
- countries on the FATF’s list of High Risk and Non-Cooperative Jurisdictions; and
- countries with no AML/CTF regulation around cryptoassets, or with ineffective regulatory frameworks. This latter category can include countries and regions that in other contexts might not be regarded as high risk, but should be considered higher risk for cryptoasset-laundering purposes.

The Typology

This typology will generally mirror that described in section 1.1, with additional red flags described below.
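The Entity Due Diligence view above (exposure to illicit categories, sanctioned wallets and mixers) and the 50-60% red flag in section 1.1 both reduce to one computation: what share of an exchange’s volume is with which kind of counterparty. Here is an added Python example of that computation, written for this page and not Elliptic’s product code. The ledger, entity names, categories and USD amounts are constructed, and the category grouping treated as “illicit” is an illustrative choice.

```python
"""Direct transactional exposure of an exchange, by counterparty category.

Added example with constructed data (entity labels, categories and USD
amounts are invented). Not Elliptic's Entity Due Diligence code."""
from collections import defaultdict

# Illustrative grouping of categories counted towards the illicit share.
ILLICIT_CATEGORIES = {"ransomware", "dark web market", "fraud", "sanctioned"}

# Constructed ledger of one exchange's transfers:
# (counterparty entity, counterparty category, direction, USD value).
LEDGER = [
    ("Ransomware wallet A", "ransomware", "in", 400_000.0),
    ("Darknet market B", "dark web market", "in", 150_000.0),
    ("Mixer C", "mixer", "in", 50_000.0),
    ("Licensed exchange D", "licensed exchange", "in", 300_000.0),
    ("Sanctioned entity E", "sanctioned", "out", 100_000.0),
    ("Licensed exchange D", "licensed exchange", "out", 200_000.0),
]


def exposure_by_category(ledger, direction=None):
    """Share of USD volume per counterparty category. `direction` may be
    'in', 'out' or None (both directions combined)."""
    totals = defaultdict(float)
    grand = 0.0
    for _entity, category, flow, usd in ledger:
        if direction is not None and flow != direction:
            continue
        totals[category] += usd
        grand += usd
    if grand == 0.0:
        return {}
    return {category: usd / grand for category, usd in totals.items()}


def illicit_share(ledger, direction=None, illicit=ILLICIT_CATEGORIES):
    """Fraction of volume exchanged with counterparties in illicit categories."""
    shares = exposure_by_category(ledger, direction)
    return sum(share for category, share in shares.items() if category in illicit)


def risk_verdict(ledger, threshold=0.5):
    """'high' at or above the red-flag threshold (the text cites 50-60% of
    business coming from or going to criminal sources), 'elevated' when
    there is any illicit or mixer exposure at all, otherwise 'low'."""
    shares = exposure_by_category(ledger)
    illicit = illicit_share(ledger)
    if illicit >= threshold:
        return "high"
    if illicit > 0.0 or shares.get("mixer", 0.0) > 0.0:
        return "elevated"
    return "low"


if __name__ == "__main__":
    for category, share in sorted(exposure_by_category(LEDGER).items()):
        print(f"{category:18s} {share:6.1%}")
    print("inbound illicit share:", f"{illicit_share(LEDGER, 'in'):.1%}")
    print("verdict:", risk_verdict(LEDGER))
```

Splitting the share by direction matters in practice: an exchange that receives mostly criminal funds but pays out to licensed venues looks different from one that is sending funds to sanctioned counterparties, and the red flag in section 1.1 covers both.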
Red Flags

Common red-flag indicators associated with cryptoasset exchanges in higher-risk jurisdictions are listed below:
- limited or no information available from any source about the location of the exchange;
- ownership structure may be opaque and involves the presence of shell companies in multiple jurisdictions – such as the Seychelles, Belize, Marshall Islands – associated with easy and non-transparent company formation;
- information on registration or legal status is unclear or contradictory with no available explanation (headquartered in Bulgaria but subject to the laws of Cyprus, for instance);
- the exchange is headquartered in a jurisdiction with no AML regulation around cryptoassets, and its website suggests it does not voluntarily apply AML/KYC in the absence of regulation;
- no KYC/AML policies are in place at the exchange and it is also located in a country associated with high levels of organized criminal activity (such as Russia or Colombia);
- overseas registration – for example, in the Caribbean – even though nearly all its customers are located elsewhere (e.g. 75% or more are located in the EU);
- the exchange provides fiat currency trading pairs that are illogical or do not make business sense (for example, an exchange in Finland offers high value trading in Colombian pesos [8], or an exchange in Cyprus offers trading in Russian rubles);
- registration in a jurisdiction associated with international sanctions, such as Venezuela or Iran;
- the exchange engages in high volume trading involving fiat currencies associated with sanctioned jurisdictions, such as the Iranian rial;
- the exchange claims to offer trading in a state-issued cryptoasset (such as the Venezuelan petro);
- the exchange has been explicitly licensed by a sanctioned jurisdiction to offer services in a state-owned cryptoasset (for example, the exchange is a Venezuelan exchange authorized by the Venezuelan government to facilitate trading in the Venezuelan Petro [9]);
- the exchange may be registered in a lower risk jurisdiction but has directors and beneficial owners who are from, and reside in, higher risk jurisdictions (for instance, the exchange is a UK registered limited company but whose owners reside in Ukraine); in some cases, the beneficial owners of the exchange may be subject to adverse media or may be Politically Exposed Persons;
- the exchange has a phone number in a higher risk country – such as Russia – and is owned by registered companies located in other jurisdictions with no clear rationale (for instance, the British Virgin Islands);
- reliance on payment processors in higher risk jurisdictions to process customers’ fiat payments for no apparent reason (a US-based exchange uses an Azerbaijani payment processor, for instance [10]);
- representatives of the exchange use web domains in high-risk jurisdictions with no clear connection to its publicly stated place of business; and
- trading addresses, phone numbers, and other business information change frequently and for no apparent reason.
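Most of the red flags just listed are inconsistencies between facts in an exchange’s corporate profile (where it is registered, where it is run from, where its owners, phone number, customers and payment processor sit). That makes them a natural fit for a checklist that a due diligence workflow runs before an analyst reviews the entity. The Python below is an added example written for this page, not Elliptic’s tooling. The country groupings are illustrative stand-ins taken only from the examples in the text, not an authoritative risk list, and both profiles are constructed.

```python
"""Checklist evaluation of an exchange's corporate profile against the
jurisdictional red flags in the text.

Added example, not Elliptic's code. Country groupings are illustrative
(drawn from the examples in the text); profiles are constructed."""

# Illustrative groupings only (ISO 3166 alpha-2 codes). A real programme would
# maintain these from sanctions lists, FATF lists and internal risk data.
SANCTIONED_JURISDICTIONS = {"IR", "VE"}      # Iran, Venezuela
SANCTIONED_CURRENCIES = {"IRR", "PETRO"}     # Iranian rial, Venezuelan petro
HIGH_ORGANISED_CRIME = {"RU", "CO"}          # Russia, Colombia
SHELL_FRIENDLY = {"SC", "BZ", "MH", "VG"}    # Seychelles, Belize, Marshall Islands, BVI
HIGHER_RISK = SANCTIONED_JURISDICTIONS | HIGH_ORGANISED_CRIME


def jurisdiction_red_flags(profile):
    """Return the identifiers of the red flags a profile triggers, in rule order."""
    flags = []
    reg = profile.get("registration_country")
    hq = profile.get("hq_country")

    if reg in SANCTIONED_JURISDICTIONS:
        flags.append("registered_in_sanctioned_jurisdiction")
    # Contradictory registration vs. headquarters with no explanation offered.
    if reg and hq and reg != hq and not profile.get("structure_explained", False):
        flags.append("registration_hq_mismatch_unexplained")
    # Shell companies spread across several easy-formation jurisdictions.
    if len(set(profile.get("shell_company_countries", ())) & SHELL_FRIENDLY) >= 2:
        flags.append("opaque_multi_jurisdiction_shells")
    if not profile.get("kyc_policy", False) and hq in HIGH_ORGANISED_CRIME:
        flags.append("no_kyc_in_high_crime_jurisdiction")
    # Registered in one place while nearly all customers sit elsewhere.
    distribution = profile.get("customer_distribution", {})
    if sum(share for country, share in distribution.items() if country != reg) >= 0.75:
        flags.append("customers_concentrated_elsewhere")
    owners = set(profile.get("owner_countries", ()))
    if owners & HIGHER_RISK and reg not in HIGHER_RISK:
        flags.append("owners_in_higher_risk_jurisdiction")
    phone = profile.get("phone_country")
    if phone in HIGH_ORGANISED_CRIME and phone != reg:
        flags.append("phone_in_higher_risk_country")
    if set(profile.get("fiat_pairs", ())) & SANCTIONED_CURRENCIES:
        flags.append("sanctioned_currency_pairs")
    processor = profile.get("payment_processor_country")
    if processor and processor not in (reg, hq) and not profile.get("processor_explained", False):
        flags.append("payment_processor_unexplained")
    return flags


# Constructed profiles (hypothetical exchanges, not real entities).
PROFILE_OPAQUE = {
    "registration_country": "CY", "hq_country": "BG", "structure_explained": False,
    "shell_company_countries": ["SC", "MH"], "kyc_policy": False,
    "customer_distribution": {"RU": 0.6, "DE": 0.3, "CY": 0.1},
    "owner_countries": ["RU"], "phone_country": "RU",
    "fiat_pairs": ["USD", "RUB"], "payment_processor_country": "AZ",
}
PROFILE_CLEAN = {
    "registration_country": "GB", "hq_country": "GB", "structure_explained": True,
    "shell_company_countries": [], "kyc_policy": True,
    "customer_distribution": {"GB": 0.8, "DE": 0.2},
    "owner_countries": ["GB"], "phone_country": "GB",
    "fiat_pairs": ["GBP", "EUR"], "payment_processor_country": "GB",
}

if __name__ == "__main__":
    print("opaque:", jurisdiction_red_flags(PROFILE_OPAQUE))
    print("clean:", jurisdiction_red_flags(PROFILE_CLEAN))
```

The output is a list of flag identifiers rather than a score on purpose: as the Red Flags legend says, one indicator alone rarely pinpoints illicit activity, and the analyst needs to see which ones coincide.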
BTC-e

BTC-e remains the most notorious example of a non-compliant, unlicensed exchange that operated with many high-risk geographical indicators while readily facilitating illicit activity. Established in 2011 by Alexander Vinnik – a Russian national – BTC-e was the preferred exchange for criminals using cryptoassets until Vinnik’s arrest in Greece, in mid-2017. By some estimates, as much as 95% of all Bitcoin-denominated ransomware payments were cashed out via BTC-e. [11] According to US authorities, BTC-e engaged in a wide array of crimes which included “computer hacking and ransomware, fraud, identity theft, tax refund fraud schemes, public corruption, and drug trafficking”. [12]

BTC-e provided cryptoasset trading services to US persons without ever registering as a Money Service Business (MSB). This led the US Financial Crimes Enforcement Network (FinCEN) to impose a civil monetary penalty of $110 million on Vinnik and BTC-e. According to FinCEN: “BTC-e allowed its customers to open accounts and conduct transactions with only a username, password, and an email address. The minimal information collected was the same regardless of how many transactions were processed for a customer or the amount involved”. [13] BTC-e also allowed customers to transact after using mixers and provided customers with access to privacy coins such as Dash.

BTC-e worked to conceal the nature of its activities by operating through a web of corporate structures. It also provided incomplete and contradictory information on its whereabouts and the location of its activities. BTC-e’s ownership structure involved numerous shell companies, including the UK-registered Always Efficient LLP, which in turn had nominee directors based in the Marshall Islands and the Seychelles. [14] The US indictment of Vinnik alleges that “BTC-e’s own website stated that it was located in Bulgaria, yet simultaneously stated it was subject to the laws of Cyprus. Meanwhile, BTC-e’s managing shell company Canton Business Corporation was based in the Seychelles but affiliated with a Russian phone number, and its web domains were registered to shell companies in Singapore, the British Virgin Islands, France and New Zealand”. [15] BTC-e also relied on offshore bank accounts in the names of various shell companies to process fiat transactions with its customers.

In July 2018, FinCEN Director Kenneth Blanco described how Suspicious Activity Reports (SARs) helped FinCEN to detect BTC-e’s evasive behavior, noting that “SAR filings played a critical role in the investigation of that case. It was filings by both banks and other virtual currency exchanges that provided critical leads for law enforcement. This information included beneficial ownership information, additional activity attributed to the exchange of which we were previously unaware, jurisdictional information, and additional financial institutions we could contact for new leads. All of this was obtained through SARs and the supporting documents filed by financial institutions.” [16]

BTC-e was, for a time, reconstituted under a new name – WEX – and registered in Singapore. Vinnik remains in custody in Greece, with the US, France, and Russia all seeking his extradition.

Bitzlato – a Primary Money Laundering Concern

In January 2023, FinCEN took action against another Russia-linked crypto exchange it accused of facilitating widespread money laundering activity. On January 18th, FinCEN identified Bitzlato – a Hong Kong-registered exchange owned by individuals from Russia – as a “primary money laundering concern”. The designation was made under section 9714 of the Combatting Russian Money Laundering Act, and marked the first time FinCEN applied the “primary money laundering concern” label to a crypto exchange.
FinCEN had previously used authorities under the USA PATRIOT Act to apply the label to approximately two dozen financial institutions it had accused of egregious money laundering activity, which puts Bitzlato in notorious company. Specifically, FinCEN alleges that Bitzlato laundered hundreds of millions of dollars’ worth of cryptoassets on behalf of Russia-based illicit actors, including users of the Hydra darknet market, numerous ransomware campaigns, and the OFAC-sanctioned Chatex crypto exchange. As a result of the action, US crypto exchanges and financial institutions must not engage in transactions with Bitzlato, and must ensure that they reject or block incoming funds transfers from Bitzlato and its successor entities.17

The image from Elliptic Investigator shows transactional links between the Bitzlato crypto exchange, the OFAC-sanctioned entities Hydra Market and Chatex, and the Dharma ransomware campaign.

Dealing with Unlicensed, Non-Compliant Exchanges (Including Exchanges in Higher Risk Jurisdictions)

Below are some of the controls that can be used to assist in the detection of unlicensed and non-compliant exchanges, including those in higher risk jurisdictions:

- Elliptic Lens and Elliptic Navigator – to identify where a cryptoasset address or transaction is associated with an entity that is located in a high-risk or sanctioned jurisdiction;
- Elliptic Investigator – to follow the flow of funds through the blockchain to identify whether they originate from, or are deposited into, high-risk exchanges, and to determine whether the exchange is associated with significant levels of transactions with illicit entities;
- Elliptic Discovery – to identify where an exchange is unlicensed, whether it lacks KYC requirements or AML policies, or presents other high-risk factors;
- consulting information on an exchange’s website to determine whether it requests KYC information from its users and/or imposes meaningful limits and restrictions on trading activity;
- requesting that an exchange provide copies of its AML policies and procedures;
- in some cases, asking an exchange to provide additional information about the size, location and nature of its customer base;
- obtaining corporate due diligence reports and searching open source beneficial ownership registries – such as Companies House in the UK – to obtain information about an exchange’s ownership and control structure;
- requiring that exchanges seeking corporate cryptoasset services are subject to the questions contained in enhanced due diligence forms; and
- screening the name of an exchange and its beneficial owners for evidence of adverse media or the presence of Politically Exposed Persons (PEPs).

OTC Traders Operating on Exchanges

Over-the-Counter (OTC) brokers play an important role in the cryptoasset ecosystem. They facilitate large trades between liquidity providers, often at lower prices than those available on exchanges. The size of cryptoasset OTC markets is estimated at between $2 billion and $20 billion per day. Where they maintain accounts at exchanges to facilitate their trading, OTC desks can act as an attractive avenue for money laundering. Their large trades offer convenient cover for the introduction of illicit funds. This is particularly true of Chinese OTC brokers, who frequently maintain accounts at exchanges located in Asia and have been associated with large money laundering operations. By maintaining nested accounts at larger exchange businesses, illicit OTC brokers can conceal themselves within the larger cryptoasset ecosystem behind a veneer of legitimacy.
This was the operating model of the SUEX and Chatex exchange services, sanctioned by OFAC in September and November 2021 respectively for facilitating ransomware laundering. US law enforcement agencies have stated that Chinese cryptoasset brokers are involved in laundering funds on behalf of Mexican drug cartels.18 Chinese authorities also undertook a major crackdown on OTC traders across 2020, responding in part to their potential involvement in money laundering.19

These OTC services may also offer crypto-to-cash swaps for users. Services such as SUEX and Chatex enabled users to swap Bitcoin for Russian ruble cash notes. Research by Transparency International (TI) also indicates that Russia-based OTC brokers allow users in the UK to swap stablecoins such as Tether for cash. According to TI, these services do not seek KYC information from users.20 (See more information about money laundering using stablecoins in section 4 of this report.)

1.3. Use of Money Mules or Fraudulent Documents at Legitimate Exchanges

The Problem

Using regulated and compliant exchanges can add a veneer of legitimacy to a criminal’s otherwise illegitimate behavior. Legitimate exchanges can have a “mixing” effect for criminals. They can obtain new, untainted coins or cash out with fiat so that their otherwise tainted trail of activity appears clean. Regrettably, criminals sometimes succeed in abusing legitimate exchanges. The use of fraudulent KYC documents is attractive to money launderers seeking to deceive legitimate exchanges because the cryptoasset industry is online, and not face-to-face. Criminals often rely on fraudulent documents to open accounts in their own names, or in the names of other individuals. One method involves employing money mules – individuals who are used to open accounts and move funds on behalf of the criminal network.

The Typology

A common method of employing money mules at legitimate exchanges works as follows:

1. A group of individuals, often of common nationality and with similar residential addresses, establish accounts at a cryptoasset exchange, generally within a short time period of one another.
2. The new customers provide full identity details and supporting documentation, including passports and driving licenses. They may even supply selfies when prompted to do so by the exchange’s mobile app.
3. The new customers are provided with accounts at the exchange.
4. In one such setup, the mule accounts transfer illicit funds in or out, to or from external sources (such as bank accounts) that are also registered in the names of the mules. The mules may operate the accounts themselves and facilitate the transfers.
5. Alternatively, the criminals operate the mule accounts themselves, manipulating them for their own ends. This could mean transferring funds to external destinations, such as banks, money transfer services or other cryptoasset exchanges.

The diagram below provides a general illustration of how a money mule operation can work.

Students Used as Money Mules in the UK

In October 2021, The Guardian reported on a money muling scheme targeting university students and relying on cryptoassets to launder illicit funds.21 In this scheme, university students responded to job advertisements on social media offering between £500 and £1,000 per week to act as brokers for cryptoasset transactions. Students who responded to the job posting were told by agents of a criminal organization posing as job recruiters to provide their personal information and ID documents. The criminal organization then instructed the students to open accounts at cryptoasset exchanges using their identity details and documents. The criminal organization would then transfer fiat currency funds into the students’ bank accounts in round value denominations of £700.
The students were instructed to transfer the funds – which were derived from online fraud – to cryptoasset exchanges and buy cryptoassets with the proceeds of crime. The student money mule accounts therefore acted as a way for criminals to launder the proceeds of fraud using cryptoasset exchange accounts in the names of other individuals.

DoJ Takes Down International Crypto Money Laundering Ring

In November 2022, the US Department of Justice (DoJ) announced criminal charges against 21 individuals involved in using cryptoassets to launder funds stolen from US-based victims of online scams, such as romance scams, technical support schemes, and other forms of fraud, as well as from crimes such as dealing narcotics. The individuals charged acted as money mules on behalf of members of fraud and drug rings. For example, one of the accused was Zenobia Walker of Maryland, who received cash and checks in US dollars from victims of romance scams. After depositing the funds in her personal bank account, she would then convert the funds into cryptoassets to send to members of a fraud ring.22

Red Flags

Common red-flag indicators associated with money mule activity impacting legitimate exchanges include the following:

- accounts are opened by numerous individuals within a short period of time using shared addresses, mobile devices, IP addresses and other common identity indicators;
- presentation of documents that appear to be forged, falsified, or stolen; sometimes documents that are forged or stolen may be almost impossible to distinguish from legitimate documents (see the text box on KYC kits below);
- large numbers of accounts may be opened simultaneously by groups of foreign nationals. They may be exploited for the purposes of opening accounts and have no clear link to the country where the exchange operates. For example, groups of Vietnamese nationals opening accounts in Japan, or nationals from Baltic states opening accounts at exchanges in Spain;
- inconsistencies between the customer’s stated identity information and other data they provide, or activity they undertake. This could be a customer with an address in a poor rural region of Africa who has an email address or IP addresses associated with China. They could make frequent large-value cash-outs to exchanges in Hong Kong, suggesting a Chinese individual has stolen or purchased the mule IDs;
- multiple customers make high-value onward transfers to common accounts in high-risk jurisdictions with no clear apparent purpose. A customer can purchase cryptoassets in euros at a Finnish exchange, quickly swap them for Colombian pesos and then request immediate onward transfers to banks in Colombia;
- cryptoassets pass through tumblers or mixers before eventually being transferred to the mule’s wallet. Funds are promptly cashed out from the exchange to bank accounts belonging to money mules;
- fiat funds may be sent to the exchange from corporate bank accounts – suggesting an online banking compromise – with requests to make rapid high-value transfers into cryptoassets;
- frequent transfers are made to or from the customer’s account at the exchange, to or from individual third-party bank accounts – for instance, the mule is transferring funds to other mules or to criminals;
- the account holder may not have any understanding of what the funds in the account are being used for when questioned. In a case of stolen identity, they may not even be aware that an account was opened in their name;
- mule accounts may feature randomly generated email addresses that consist of just a string of random numbers and letters; and
- some mules may indicate that they responded to ads on social media platforms offering money to open an account at the exchange.
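Three of the red flags above (accounts opened in a short window sharing a device, IP or address; randomly generated email addresses; a stated country that does not match where the customer connects from) can be screened for automatically at onboarding. The following Python is an added example, not Elliptic’s code or any exchange’s; the customer records are constructed, and the ip_country field is assumed to come from an IP geolocation lookup that is not shown.

```python
"""Onboarding screen for money-mule red flags over constructed KYC records."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample records, not real customers. ip_country is assumed to come
# from an IP geolocation lookup at login; it is embedded so the example runs offline.
ACCOUNTS = [
    {"id": "A1", "opened": "2024-03-01T09:12:00", "country": "ES", "ip_country": "ES",
     "address": "Calle Mayor 5, Madrid", "device": "dev-1a2b", "ip": "203.0.113.10",
     "email": "maria.lopez@example.es"},
    {"id": "A2", "opened": "2024-03-02T10:00:00", "country": "ES", "ip_country": "VN",
     "address": "Calle Sol 9, Madrid", "device": "dev-c0ffee", "ip": "198.51.100.7",
     "email": "x9k2m4pq7r@example.com"},
    {"id": "A3", "opened": "2024-03-02T10:40:00", "country": "ES", "ip_country": "VN",
     "address": "Calle Sol 9, Madrid", "device": "dev-c0ffee", "ip": "198.51.100.7",
     "email": "q7w8e9r0t1y@example.com"},
    {"id": "A4", "opened": "2024-03-03T18:05:00", "country": "ES", "ip_country": "VN",
     "address": "Calle Sol 9, Madrid", "device": "dev-c0ffee", "ip": "198.51.100.7",
     "email": "b4n5m6k7j8h@example.com"},
    # Same IP as A2-A4 but opened ten days later: outside the window, so not clustered.
    {"id": "A5", "opened": "2024-03-13T08:30:00", "country": "ES", "ip_country": "ES",
     "address": "Avenida Norte 2, Valencia", "device": "dev-9f9f", "ip": "198.51.100.7",
     "email": "pablo.ruiz@example.es"},
]

# Local part that is one long run of letters and digits with no separators.
RANDOM_LOCAL = re.compile(r"[a-z0-9]{10,}")


def is_random_email(email: str) -> bool:
    """True for addresses like x9k2m4pq7r@... that look machine-generated."""
    local = email.split("@", 1)[0].lower()
    return (bool(RANDOM_LOCAL.fullmatch(local))
            and any(c.isdigit() for c in local)
            and any(c.isalpha() for c in local))


def clustered_ids(records, window: timedelta, min_size: int) -> set:
    """IDs of records inside any run of >= min_size openings within `window`."""
    records = sorted(records, key=lambda r: r["opened_dt"])
    flagged, j = set(), 0
    for i, rec in enumerate(records):
        # Slide the left edge so records[j..i] all fall within the window.
        while rec["opened_dt"] - records[j]["opened_dt"] > window:
            j += 1
        if i - j + 1 >= min_size:
            flagged.update(r["id"] for r in records[j:i + 1])
    return flagged


def screen(accounts, window_hours: int = 72, min_size: int = 3) -> dict:
    """Return {account_id: sorted red-flag labels} for every flagged account."""
    recs = [dict(a, opened_dt=datetime.fromisoformat(a["opened"])) for a in accounts]
    flags = defaultdict(set)
    # Shared device, IP or residential address among accounts opened close together.
    for key in ("device", "ip", "address"):
        groups = defaultdict(list)
        for r in recs:
            groups[r[key]].append(r)
        for value, members in groups.items():
            for acc_id in clustered_ids(members, timedelta(hours=window_hours), min_size):
                flags[acc_id].add(f"shared_{key}:{value}")
    for r in recs:
        if is_random_email(r["email"]):
            flags[r["id"]].add("random_email")
        if r["country"] != r["ip_country"]:
            flags[r["id"]].add(f"geo_mismatch:{r['country']}/{r['ip_country']}")
    return {acc_id: sorted(labels) for acc_id, labels in flags.items()}


if __name__ == "__main__":
    for acc_id, labels in screen(ACCOUNTS).items():
        print(acc_id, labels)
```

A1 and A5 produce no findings, while A2 through A4 are flagged on all five counts, which is the pattern the red flags describe.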
KYC Kits

A common practice to enable money muling is the availability of “KYC kits”. Sold on the dark web, KYC kits provide criminals with stolen identity details of victims that can be used to open accounts and bypass AML controls.23 KYC kits can include a significant amount of information about the victim, such as:

- full name, date of birth, residential address and other identifying details;
- images of the individual’s ID documents, including passports, national ID cards or driving licences;
- selfies taken using a mobile device during online account opening; and
- logins and passwords for online bank accounts and other sites.

Elliptic’s investigations have revealed that more criminals are willing to use legitimate, compliant exchanges to launder funds because they can employ KYC kits. The image below shows an advertisement from the now-defunct Dream Market dark web market for KYC kits complete with selfies, ID documents, and utility bills. As of early 2024, evidence has also begun to emerge that criminals are increasingly relying on artificial intelligence (AI) capabilities to produce higher quality fake IDs – underscoring the importance of having robust controls in place to verify ID documents.
Dealing With Money Mules

The following are controls used to assist in the detection of money mules:

- using cryptoasset transaction monitoring software like Elliptic Navigator to identify transactions among exchange customers that demonstrate patterns of money mule activity – such as repeated low-value transactions that ultimately derive from or flow to an illicit source of funds;
- using Elliptic Investigator to trace and visualize the flow of funds to or from an exchange that reveals patterns of transactions associated with money muling;
- monitoring customer logins and using mobile device fingerprinting to determine whether the customer is active where they claim to be resident;
- using third-party identity document scanning solutions to assess the reliability of passports and other IDs;
- monitoring customer devices to identify whether multiple customers are using the same mobile device to access their accounts;
- following customer IP addresses to identify customers who may be accessing accounts from the same location;
- searching customer accounts for signs of emails registered to foreign domains inconsistent with their residential addresses;
- obtaining third-party due diligence reports on customers of concern in case they have other phone numbers or addresses associated with their name in addition to those listed on their account; and
- imposing limits or prohibitions on customers transferring funds to (or receiving funds from) third-party accounts.

2. Mixers and Privacy Wallets

Cryptoasset mixing services add an element of privacy and opaqueness to the otherwise highly transparent crypto ecosystem. By collating and redistributing cryptoassets among numerous users, these services break the chain of end-to-end traceability around transactions on cryptoasset blockchains. Mixers play a vital role in cryptoasset laundering due to their ability to obscure transaction flows.
Illegal mixing services have generally been associated with a small number of mixers, whose creators in some cases advertise to dark web vendors, cybercriminals and other illicit actors. For the past several years, law enforcement agencies in the US and Europe have been undertaking a relentless campaign to disrupt mixing services by arresting the creators and operators of those services that facilitate large-scale illicit activity. These have included:

- In February 2020, the US DOJ announced that the founder of the Helix mixer, Larry Dean Harmon, had been arrested and charged with laundering over $300 million on behalf of criminals, including major dark web markets.24
- In April 2021, the US Department of Justice (DOJ) announced the arrest of Roman Sterlingov, for operating Bitcoin Fog, another widely used mixing service that processed hundreds of millions of dollars in transactions for dark web markets.25 In March 2024, a jury found Sterlingov guilty on charges of money laundering and failing to register as a money service business (MSB). In that case, the judge also ruled that the prosecution could rely on blockchain analytics data as evidence to support its case against Sterlingov.
- In March 2023, European and US law enforcement agencies announced the takedown of the ChipMixer mixing service and charges against its founder Minh Quốc Nguyễn for laundering funds on behalf of criminals, including North Korea’s Lazarus Group. Elliptic’s analysis at the time indicated that ChipMixer facilitated at least $844 million worth of transactions on behalf of illicit actors, including $666 million in cryptoassets stolen through cybertheft.
- In August 2023, the US DOJ announced charges against Roman Storm and Roman Semenov for operating the Tornado Cash mixer, a service operating on Ethereum and other blockchains, alleging that the pair conspired to engage in money laundering and sanctions evasion by knowingly laundering more than $1 billion in criminal proceeds, including hundreds of millions of dollars of funds associated with North Korean cybercriminals.
- In April 2024, the DOJ announced an action against Samurai Wallet, a privacy-enhancing wallet service that the US government alleges facilitated more than $2 billion in unlawful transactions, including $100 million in transactions on behalf of dark web markets. The US government charged Samurai Wallet’s founders with conspiracy to commit money laundering and with failing to register as an MSB, and in coordination with law enforcement in Iceland and Europe seized Samurai Wallet’s web servers and domain.

Despite the disruption of these prominent mixing services, others continue to operate and launder funds on behalf of illicit actors. From an AML/CFT compliance perspective, cryptoasset exchanges and financial institutions must be able to demonstrate to regulators that they have considered the risks associated with mixers as they design their compliance controls and transaction monitoring arrangements. Transactions with mixers also increasingly present sanctions risks. The US Treasury has begun targeting mixers with its sanctions powers, as we describe in one of the case studies below.

The Problem

Mixing services are generally used in coordination with other money laundering typologies outlined in this report, some of which we’ve covered throughout (we also note some specific cases that have emerged recently in Chapter 13 on multi-service typologies). Over the past two years, privacy wallets have also become an increasingly important money laundering vehicle for criminals.
Privacy wallets such as Wasabi Wallet and Samurai use built-in anonymization techniques like CoinJoin to achieve a mixing effect that hides a user’s ultimate source of funds. As the graph below demonstrates, privacy wallets have overtaken mixers as a preferred avenue for laundering illicit funds. Fortunately, despite their opaque properties, mixing services and privacy wallets are detectable using Elliptic’s blockchain analytics software – enabling cryptoasset businesses to identify related suspicious activity.

The Typology

1. A hacker, ransomware attacker, darknet market vendor or other criminal obtains cryptoassets.
2. The perpetrator transfers the funds through multiple wallets, potentially using chain-peeling techniques (see chapter 6), before sending the funds to a mixer or privacy wallet.
3. The criminal may also send funds through other conversion services, such as DEXs (see chapter 3.2), prior to sending them to the mixer or privacy wallet.
4. After receiving new, “clean” cryptoassets from the mixer or privacy wallet, the criminal will send the funds to a centralized exchange service to convert the funds into fiat. The funds may be sent through multiple intermediary wallets before arriving at the exchange.

Red Flags

Red-flag indicators associated with cryptoasset laundering using mixing services and privacy wallets include the following:

- a customer has received a large amount of funds from a mixing service or privacy wallet and cannot provide further evidence of the ultimate source of funds;
- a customer’s account shows frequent transactions to or from a mixing service or privacy wallet in a short amount of time, with only a vague explanation; and
- a customer is evasive about their reason for using a mixing service or privacy wallet.
Elliptic’s software can generally identify known mixers and privacy wallets. Below are other indicators of Bitcoin addresses that could represent unidentified mixing services on the blockchain:

- the address involves very large volumes and values of Bitcoin inputs and outputs – the count can exceed 20,000 – and has been highly active;
- at any given time, the address has a very low balance, which distinguishes it from an exchange or other conversion service managing customer orders; and
- the address suddenly stops transacting after having processed large volumes of payments – suggesting it has been abruptly shut down.

July 2020 Twitter Hack

The July 2020 Twitter hack is one of the best examples to date of how blockchain analytics enabled the real-time detection of criminals. It also illustrated the role of mixing services and privacy wallets in illicit transfers.

On July 15th 2020, Twitter suffered a major breach, which allowed hackers to post fraudulent tweets through 130 compromised accounts owned by a range of well-known individuals and corporations. The attack started with a phone-based spear-phishing scam targeting Twitter employees. The compromised accounts were used to defraud around 400 victims of $121,000 in Bitcoin, by way of a common fraud technique known as a “giveaway scam”. Once the hackers received funds from the victims, they undertook an elaborate series of transactions in an attempt to launder the Bitcoin. Approximately half of the stolen funds were sent via ChipMixer and Wasabi Wallet, while much of the remainder was sent to cryptoasset exchanges. While the use of ChipMixer and Wasabi Wallet added a layer of obfuscation to the hackers’ funds transfers, cryptoasset businesses were not completely in the dark. Elliptic’s capabilities enable its customers to determine whether a crypto transaction originated from specific mixing services such as ChipMixer or Wasabi Wallet.
Knowing that these specific mixers were used by the scammers, cryptoasset exchanges in receipt of funds from those services could initiate further due diligence and identify whether their customers had deposited proceeds of this scam. The hackers – three US and UK teenagers – were arrested on July 31st 2020, only 16 days after the cyberattack. Blockchain analytics and information obtained by cryptoasset businesses and supplied to law enforcement played a pivotal role in apprehending them.

The above image from Elliptic Investigator shows the flow of funds between a Bitcoin wallet belonging to the July 2020 Twitter scammers and the obfuscating services Wasabi Wallet and ChipMixer.

Helix Mixer and Coin Ninja

US legal and regulatory action against Larry Dean Harmon – the founder of the Helix and Coin Ninja mixing services – reveals the scale and nature of illicit activity that mixing services can achieve. FinCEN discovered that Harmon offered his mixing services to criminals – especially vendors on the dark web market Alphabay. Over a three-year period, he processed more than one million transactions worth $311 million.26 Harmon ran Helix on the Grams darknet .onion site27 and advertised his services on both the surface web and dark web, claiming that Helix could allow users to avoid law enforcement detection. He argued that by providing users with fresh cryptoasset addresses with no trading history, Helix made transactions less susceptible to blockchain monitoring.28 From April 2014 to December 2017, Helix was the mixer of choice for dark web vendors on Alphabay, Agora Market, Nucleus, Dream Market and others.29 Harmon also facilitated transactions on behalf of child exploitation sites, neo-Nazi groups and Iran-based users, and conducted approximately $900,000 of transactions involving BTC-e.30

FinCEN provided the following detailed account describing how Helix transactions worked:

“a. customers would send Bitcoin to a wallet associated with their Grams account;
b. customers would then complete a Helix withdrawal form, which included the amount to withdraw, a destination address and the ability to set a time delay for the transactions;
c. Helix would transmit the Bitcoin deposited into their wallet to one of numerous accounts held at different exchangers of convertible virtual currency;
d. Helix would take Bitcoin from a different account it held and transmit that Bitcoin to a different Bitcoin address;
e. from this Bitcoin address, Helix would then transmit Bitcoin to the customer – minus a fee – into the previously provided customer destination address;
f. Helix asserted that it deleted customer information after seven days, or allowed customers to delete their logs manually after a withdrawal.”31

In addition to running Helix, Harmon set up a Delaware company called Coin Ninja in July 2017. The latter also operated a mixing service “allowing customers to accept and transmit Bitcoin through text messages or Twitter handles”.32

Preventing Abuse of Mixers and Privacy Wallets

Controls to mitigate or prevent the risk of money laundering using mixing services and privacy wallets include:

- utilizing wallet screening solutions – such as Elliptic Lens – to identify attempted customer withdrawals to wallets associated with mixers and privacy wallets;
- utilizing Elliptic’s screening capabilities to identify crypto addresses that feature “mixer-first funding” – that is, addresses where the first transactions they receive come from a mixer, a potential indicator of money laundering activity;
- utilizing transaction monitoring solutions like Elliptic Navigator to identify transactions with exposure to mixers and privacy wallets; and
- establishing policies and procedures to ensure enhanced due diligence is conducted around higher-risk scenarios involving mixers and privacy wallets – including seeking additional information from the customer about the purpose and ultimate source or destination of funds.
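The three indicators of an unidentified mixer given earlier in this chapter (very high input/output count, a balance that stays near zero, an abrupt stop after heavy activity) and the “mixer-first funding” control above can both be expressed as checks over an address’s transaction history. The following Python is an added example, not Elliptic’s code; the histories are constructed, counterparty labels are assumed to come from a separate attribution step, and the thresholds are assumptions apart from the 20,000-transaction count taken from the text.

```python
"""Screening heuristics for unidentified mixers and mixer-first funding,
run over constructed address histories (not real chain data)."""
from datetime import datetime, timedelta

# A transaction is (timestamp, direction "in"/"out", amount_btc, counterparty_label).


def make_history(start, days, per_day, amount, accumulate=False, counterparty="unlabelled"):
    """Constructed history: per_day transactions a day, alternating in/out.
    With accumulate=True outgoing amounts are halved so a balance builds up,
    as at an exchange hot wallet that holds customer deposits."""
    t0 = datetime.fromisoformat(start)
    txs = []
    for d in range(days):
        for k in range(per_day):
            direction = "in" if k % 2 == 0 else "out"
            amt = amount / 2 if (accumulate and direction == "out") else amount
            txs.append((t0 + timedelta(days=d, minutes=k), direction, amt, counterparty))
    return txs


def mixer_indicators(txs, as_of, min_count=20000, max_balance_ratio=0.01,
                     quiet_days=30, busy_rate=10):
    """Return the set of indicators that fire: high_volume, low_balance, abrupt_stop.
    Thresholds other than min_count are assumptions chosen for this example."""
    if isinstance(as_of, str):
        as_of = datetime.fromisoformat(as_of)
    txs = sorted(txs, key=lambda t: t[0])
    hits = set()
    if len(txs) >= min_count:
        hits.add("high_volume")
    balance = peak = total_in = 0.0
    for _, direction, amt, _ in txs:
        if direction == "in":
            balance += amt
            total_in += amt
        else:
            balance -= amt
        peak = max(peak, balance)
    # The address never holds more than a sliver of what flows through it.
    if total_in > 0 and peak <= max_balance_ratio * total_in:
        hits.add("low_balance")
    # Busy right up to its last transaction, then silent until the observation date.
    last = txs[-1][0]
    recent = sum(1 for t in txs if t[0] > last - timedelta(days=30))
    if as_of - last >= timedelta(days=quiet_days) and recent >= busy_rate * 30:
        hits.add("abrupt_stop")
    return hits


def mixer_first_funded(txs, known_mixers):
    """True when the first incoming transaction to the address comes from a known mixer."""
    incoming = sorted((t for t in txs if t[1] == "in"), key=lambda t: t[0])
    return bool(incoming) and incoming[0][3] in known_mixers


# Mixer names mentioned in this chapter; in practice this set comes from attribution data.
KNOWN_MIXERS = {"ChipMixer", "Wasabi Wallet", "Blender", "Sinbad"}

# Constructed: a busy address that pays out everything it receives and then goes dark.
MIXER_LIKE = make_history("2022-01-01", days=500, per_day=50, amount=0.1)
# Constructed: an exchange-like address that keeps a growing balance and is still active.
EXCHANGE_LIKE = make_history("2022-01-01", days=500, per_day=60, amount=0.1, accumulate=True)
# Constructed customer deposit addresses, one first funded from ChipMixer, one not.
CUSTOMER_MIXER_FUNDED = [(datetime(2023, 2, 1), "in", 1.5, "ChipMixer"),
                         (datetime(2023, 2, 3), "out", 1.5, "exchange deposit")]
CUSTOMER_CLEAN = [(datetime(2023, 2, 1), "in", 1.0, "payroll"),
                  (datetime(2023, 2, 3), "out", 1.0, "exchange deposit")]

if __name__ == "__main__":
    print(mixer_indicators(MIXER_LIKE, as_of="2023-07-01"))      # all three fire
    print(mixer_indicators(EXCHANGE_LIKE, as_of="2023-05-15"))   # only high_volume
    print(mixer_first_funded(CUSTOMER_MIXER_FUNDED, KNOWN_MIXERS))
```

The exchange-like history has more transactions than the mixer-like one, so volume alone is not decisive; it is the near-zero running balance and the abrupt stop that separate the two.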
Regulatory Activity: FinCEN’s Primary Money Laundering Designation of Mixing Activity

On October 19, 2023, the US Treasury’s FinCEN took a major step in the effort to crack down on illicit mixing activity by designating the class of transactions associated with crypto mixing as a “Primary Money Laundering Concern”. As part of this finding, FinCEN initiated a Notice of Proposed Rulemaking (NPRM) and began soliciting comments related to its proposed imposition of Special Measure 1, a power granted to it under Section 311 of the PATRIOT Act. The immediate effect of this action was that covered entities – such as crypto exchanges and financial institutions – must consider as part of their risk management frameworks that this entire class of transactions is now deemed by the US government to represent a heightened financial crime risk. It is reasonable to think that any such transactions may potentially be seen as suspicious by regulators overseeing such entities’ compliance programs.
The implications of the proposed implementation of Special Measure 1 are significant. In its proposal, FinCEN has stated that, in connection with all covered transactions, FinCEN would seek to collect the following information:

- the amount of any so-called convertible virtual currency (CVC) transferred, in both CVC and its US dollar equivalent when the transaction was initiated;
- CVC type;
- the CVC mixer used, if known;
- CVC wallet address associated with the mixer;
- CVC wallet address associated with the customer;
- transaction hash;
- date of transaction;
- IP addresses and time stamps associated with the covered transaction; and
- narrative.

Further, the proposal requires that reportable information regarding the customer associated with the covered transaction would also necessarily be collected, including:

- customer’s full name;
- customer’s date of birth;
- address;
- email address associated with any and all accounts from which or to which the CVC was transferred; and
- unique identifying number.

This unprecedented action may result in a significant change in the ways in which virtual currency exchanges evaluate financial crime risk and mitigate potential regulatory actions. As of the time of this report’s publication, FinCEN was still considering input submitted by the private sector to its NPRM, and there is no clear timeline for when the rule may become final.

Sanctions and Mixers

Since early 2022, OFAC has begun imposing sanctions on mixing services that have facilitated illicit activity. In May that year, OFAC sanctioned Blender – a mixing service that was used to launder Bitcoin by North Korea’s Lazarus Group – a sanctioned cybercrime organization.
Analysis of the blockchain indicates that the Lazarus Group laundered Bitcoin worth more than $20.5 million through Blender following the March 2022 hack of the Ronin Bridge, a decentralized finance (DeFi) service related to the Axie Infinity blockchain-based gaming platform, which resulted in the theft of more than $540 million in cryptoassets. By imposing sanctions on Blender, OFAC prohibited US persons – including US crypto exchanges – from processing transactions with the mixer, which shut down around the time of the sanctions. In February 2023, Elliptic identified that the Lazarus Group had also sent Bitcoin totalling more than $100 million through the Sinbad mixer – a new service that was established in October 2022.

The Sinbad website.

In researching Sinbad, Elliptic determined that the new service appeared to be acting as a replacement for Blender following the OFAC sanctions. Analysis of Bitcoin transactions indicated that Sinbad’s activity was closely tied to Blender’s through common transactions, and showed that a disproportionate number of transactions for such a new mixing service appeared to be related to facilitating transactions with the Lazarus Group. In November 2023, OFAC sanctioned the Sinbad mixer, and the service was also taken down by US and European law enforcement, due to its facilitation of activity on behalf of the Lazarus Group. Cryptoasset businesses and financial institutions therefore face a range of sanctions risks when it comes to mixers and other privacy-enhancing services.

Analysis of blockchain transactions shows clear links between Blender and Sinbad.

ChipMixer Shut Down After Laundering $840 Million in Criminal Proceeds

ChipMixer – the world’s largest centralized crypto mixer – was shut down in March 2023 in a coordinated international law enforcement operation.
Elliptic’s analysis of blockchain transactions shows that ChipMixer was used to launder over $844 million in Bitcoin that can be linked directly to illicit activity – including at least $666 million from thefts.

[Figure: The most prolific hacks going through ChipMixer, and the seizure of funds from ChipMixer sent to a law enforcement wallet, as shown on Elliptic Investigator.]

ChipMixer was one of a variety of mixers used to launder the proceeds of hacks perpetrated by North Korea’s Lazarus Group. The mixer has also been used by ransomware gangs and darknet drug vendors.

[Figure: ChipMixer’s website before and after the seizure.]

In total, more than $2.7 billion in Bitcoin was sent through ChipMixer since it was established in May 2017. As part of the operation, law enforcement was able to seize $47.5 million in Bitcoin from the mixer. The US Justice Department also announced that 49-year-old Minh Quốc Nguyễn of Hanoi, Vietnam, was charged with money laundering, operating an unlicensed money transmitting business and identity theft, connected to the operation of ChipMixer.

The Samourai Wallet Takedown and Wasabi Wallet Closure

On April 24, 2024, the US DOJ announced that it had filed money laundering charges against Keonne Rodriguez and William Lonergan Hill, the founders and operators of Samourai Wallet, a non-custodial privacy wallet service that they created in 2015. Samourai Wallet used several anonymity-enhancing techniques to obfuscate users’ crypto transactions. One of these techniques, known as “Whirlpool,” involved commingling users’ funds; another, known as “Ricochet,” enabled users of the wallet to generate transactions involving numerous intermediary crypto addresses (or “hops”) as a way of obfuscating the connection to a user’s original source of funds.
While Samourai Wallet purported to offer anonymity to legitimate users of cryptoassets seeking enhanced privacy, the US government alleges that Rodriguez and Hill knew that the service was being used by illicit actors and that they took no steps to prevent this criminal activity. For example, the pair allegedly knew that Samourai Wallet was being employed by users of dark web markets such as the Silk Road and Hydra Market to launder the proceeds of drug sales, and indicated in their communications that they were satisfied if illicit users continued to access the wallet. As part of the law enforcement effort to disrupt Samourai Wallet, Rodriguez and Hill were both arrested, and US agencies worked with counterparts in Iceland and Europe to seize Samourai Wallet’s servers and web domain. The Samourai Wallet app was also removed from the Google Play store, making it unavailable to US users.

Following the announcement of the Samourai Wallet takedown, the creators of the Wasabi Wallet privacy wallet service – which featured in the July 2020 Twitter hack (see case study above) – announced their plan to shut their service down from June 1, 2024, apparently concerned that they could meet the same fate as Samourai’s founders.

3. Decentralized Finance (DeFi) and Cross-chain Crime

Decentralized finance (DeFi) has been one of the most significant areas of cryptoasset growth and investment over the past couple of years. DeFi involves the use of “smart contracts” – programmable, self-executing protocols – to give users disintermediated access to financial services that have historically been available only through centralized financial institutions. Using the Ethereum network – as well as other emerging blockchains – innovators have launched DeFi apps (Dapps) for use cases such as lending, stablecoins, derivatives trading, prediction markets, asset management and decentralized exchange services (DEXs).
The growth in the DeFi space in recent years has been truly explosive. The total value of capital locked in Dapps grew 1,700% during 2021 to reach $247 billion, and monthly trading volumes on DEXs hit $300 billion. While DeFi trading volumes declined off their highs during 2022 as crypto markets faced turbulence, DeFi innovations remain at the forefront of developments in the crypto space. This incredible rate of innovation has started to gain the attention of banks and other financial institutions, which are considering how they can leverage DeFi innovations to provide their clients with new products and services.

However, innovation in the DeFi space brings risk as well as opportunities. DeFi protocols and apps, for example, are frequently targeted by cybercriminals, who steal funds from them. Elliptic’s research indicates that approximately $3.3 billion was stolen from exploits of these protocols in 2022. What’s more, criminals are able to use the DeFi ecosystem to launder the proceeds of crime. Users of Dapps can generally access these services without having to provide KYC/CDD information, which makes the DeFi ecosystem an attractive conduit for cybercriminals and others seeking to launder stolen cryptoassets.

DeFi also allows users to move funds seamlessly across different cryptoassets and blockchains. This enables the acceleration of “chain-hopping” typologies of money laundering, whereby criminals attempt to break the funds trail on the blockchain by swapping their ill-gotten funds into other assets or coins. In a report issued in June 2022, the FATF noted that “DeFi protocols can be used to perform ‘chain-hopping’ which can make the transactions more difficult to trace”. We’ve outlined these risks and challenges in detail in our separate “State of Cross-Chain Crime” report.
The rise of this type of crime also prompted Elliptic to update our blockchain analytics solutions suite across 2023 to enable the detection of these risks, including by pioneering our unique Holistic Screening capabilities, which enable the instantaneous identification of funds being swapped through cross-chain and cross-asset services. Below, we summarize three of the primary DeFi money laundering typologies that enable cross-chain crime, and tips for how you can spot them.

3.1. Money Laundering Through DEXs

Unlike centralized exchange platforms – which are custodial services that take possession of users’ funds – DEXs built on Ethereum and other blockchains use smart contracts to enable users to undertake peer-to-peer (P2P) cryptoasset swaps in real time. DEX trading volumes have exploded in recent years, hitting highs of more than $30 billion per month at their height. Major DEXs such as Uniswap are now competing with large centralized exchanges in overall trading volumes. This increase in liquidity on DEXs has also made them increasingly vulnerable to exploitation by money launderers, who can layer large volumes of funds through these increasingly active platforms. Elliptic’s research has shown that to date, hackers have laundered more than $1.2 billion of funds stolen from hacks of DeFi protocols through DEXs in an effort to throw investigators off the trail. The chart below illustrates the largest hacks where funds were laundered through DEXs after the attack.
[Chart: Top 10 Exploits By Assets Swapped Through DEXs. Bar values: $95.3m, $88.9m, $82.4m, $64.8m, $64.4m, $60.9m, $60.2m, $58.8m, $58.0m, $52.7m. The per-exploit labels on the horizontal axis did not survive extraction.]

The Problem

DEXs can offer criminals the advantage of bypassing compliance controls – much in the manner of dealing with non-compliant exchanges like SUEX, Chatex or BTC-e. They also lack a central administrator with active oversight of user accounts, records, identities or activities, and in many jurisdictions it is still unclear whether DEXs fall within the scope of AML/CTF regulation. DEXs therefore provide a useful mechanism for the laundering of criminal proceeds, in particular for undertaking cryptoasset-to-cryptoasset swaps while avoiding exposure to regulators or law enforcement. DEXs may also prove attractive to more sophisticated illicit cryptoasset users – such as cybercriminals – who can use them with ease. North Korea’s cybercriminal organization the Lazarus Group made frequent use of DEXs across 2022, in an effort to hide hundreds of millions of dollars it stole from hacks of crypto platforms. The explosion in DeFi has also led to a corresponding ecosystem of tools that enable hiding Ether transactions – such as the Tornado Cash mixing service. Criminals can use these in conjunction with DEXs.

Importantly, however, laundering via DEXs is not impervious to AML controls. Unlike centralized exchanges – which are a dead end for tracing because trades inside them happen off-chain, on the exchange’s own books – DEXs offer tremendous transparency when it comes to blockchain analytics.
All DEX crypto-to-crypto swaps are executed by smart contracts and recorded on the blockchain, which makes these swaps visible. This allows users of Elliptic’s solutions to see if funds they’ve received are of illicit origin even where DEXs are used in the laundering process.

The Typology

A money laundering typology involving DEXs works as follows:
1. a criminal obtains Ether or Ethereum-based tokens, for example by hacking an exchange;
2. the criminal moves the funds to a wallet they use at a DEX;
3. the Ether or Ethereum-based tokens are swapped at the DEX for new tokens; and
4. the new tokens are deposited at a legitimate exchange, and cashed out for fiat.

Red Flags

Red flags associated with money laundering involving DEXs may include the following:
- a customer suddenly receives a large amount of cryptoassets directly from a DEX-associated account and attempts to cash out immediately;
- the customer cannot provide any evidence or logical explanation for their source of funds and why they were engaged in dealings through a DEX; and
- the DEX in question may be associated with relatively high volumes of illicit activity involving dark markets, exchange hacks and other crimes such as ransomware attacks.

The Axie Infinity Ronin Bridge Hack

On March 29th 2022, Ronin Network announced that 173,600 Ether (ETH) and 25.5 million USD Coin (USDC) had been stolen from the Ronin cross-chain bridge six days earlier. The total value of the stolen cryptoassets at the time of the theft was $615 million. On April 14th, the US Treasury’s Office of Foreign Assets Control (OFAC) announced new sanctions against the thief’s Ethereum address and listed the owner of this address as the Lazarus Group – the North Korean state hacking organization. The sanctions prohibit US persons and entities from transacting with this address, to ensure the state-sponsored group can’t cash out any further funds it continues to hold through US-based crypto exchanges.
The theft occurred six days before the exploit was announced by Ronin. Amid confusion over the delayed response, Ronin stated that the exploit was only discovered after a 5,000 ETH withdrawal attempt by one of its users failed. According to a postmortem published by Ronin, the theft was the result of an attacker compromising the “validator nodes” of the Ronin bridge. Funds can be moved out if five of the nine validators approve the withdrawal. The attacker managed to get hold of the private keys belonging to five of the validators, which was enough to steal the cryptoassets.

Elliptic’s internal analysis indicates that the attacker had managed to launder 18% of their stolen funds as of April 14th. First, the stolen USDC was swapped for ETH through decentralized exchanges (DEXs) to prevent it from being seized. Tokens such as stablecoins are controlled by their issuers, who in some cases can freeze tokens involved in illicit activity. By converting the tokens at DEXs, the Lazarus Group also avoided the AML and KYC checks performed at centralized exchanges.

[Figure: The flow of funds from an Ethereum wallet belonging to the Lazarus Group after it swapped funds from the Ronin Bridge hack at DEXs.]

The funds were subsequently laundered onwards to cryptoasset exchanges and through the Tornado Cash Ethereum mixer.

3.2. Money Laundering Through DeFi Mixers

When it comes to the DeFi ecosystem, mixers and other obfuscating services have played an important role in money laundering, just as they have in the Bitcoin ecosystem. In DeFi, most mixing activity has involved Tornado Cash, a DeFi mixer that the US Treasury’s OFAC sanctioned in August 2022, and whose creators the US charged with money laundering and other crimes in August 2023. The sanctions on Tornado Cash are leading criminals – such as the Lazarus Group – to seek out alternative mixing services on Ethereum, as described in one of the case studies below.
The Problem

Compliance professionals and law enforcement agencies leverage the transparency of public blockchains to identify and act against money laundering and other financial crime activity. This transparency allows for insights into illicit activity across the DeFi ecosystem, acting as an important mitigant. However, criminals operating in the DeFi space were quick to leverage Tornado Cash, a Dapp that facilitates the mixing of transactions on Ethereum and other DeFi blockchains. Elliptic’s research indicates that Tornado Cash was used to launder as much as $1.5 billion by criminal actors, approximately a third of which was funds from the Lazarus Group. By sending illicit funds to Tornado Cash, criminals attempted to obfuscate the funds trail, making it more difficult to decipher their activity. Since being designated by OFAC, Tornado Cash’s transaction volumes have declined by more than 50%, which renders it less effective as a mixing service. However, the same typology that criminals have used in laundering funds through Tornado Cash is one that can apply to other, smaller Ethereum mixers.

[Chart: Proceeds of Crime Laundered Through Tornado Cash (ETH and USDC). Thefts: $1.04bn; sanctioned entities: $462.3m; fraud: $40.8m. Total: $1.54 billion.]

The Typology

A money laundering typology involving DeFi mixers works as follows:
1. a criminal obtains Ether or Ethereum-based tokens, for example by hacking a DeFi lending platform;
2. the criminal sends the stolen funds to a Tornado Cash address;
3. the criminal receives new “clean” tokens from Tornado Cash; and
4. the new tokens are deposited at a centralized exchange platform, and cashed out for fiat.
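As an added illustration (written for this edit; it is not Elliptic's tooling, nor code or data from the report), the following Python applies the same pro-rata ("haircut") taint accounting to both typologies above: the DEX route of section 3.1 and the mixer route just described. Every address, transaction id and amount is constructed, and the 10% exposure threshold used by the exchange-side screen is an assumed example value. The point it makes is the one the text makes in words: a DEX swap is a single on-chain transaction whose output is credited back to the same trader, so taint crosses the asset change intact, whereas a mixer withdrawal can only be attributed in proportion to the illicit share of the pool, which is why a single dominant depositor (as with the Lazarus Group's share of Tornado Cash noted above) undermines the mixing.

```python
"""Toy pro-rata taint tracing through a DEX swap and a DeFi mixer.

Constructed data: every address, transaction id and amount below is made up for
illustration. Nothing here is drawn from real chain data or from Elliptic's tooling.
Amounts are integers in token base units; taint is tracked exactly with Fraction.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Union


@dataclass(frozen=True)
class Transfer:
    tx: str
    src: str
    dst: str
    asset: str
    amount: int


@dataclass(frozen=True)
class Swap:
    """A DEX swap: trader pays amount_in of asset_in to pool and receives amount_out of asset_out."""
    tx: str
    trader: str
    pool: str
    asset_in: str
    amount_in: int
    asset_out: str
    amount_out: int


Event = Union[Transfer, Swap]


class Ledger:
    """Per-(address, asset) balances with the illicit-origin portion tracked pro rata ("haircut")."""

    def __init__(self, illicit_sources: set[str]):
        self.illicit = set(illicit_sources)
        self.balance: dict[tuple[str, str], list[Fraction]] = {}  # (addr, asset) -> [total, tainted]

    def _bal(self, addr: str, asset: str) -> list[Fraction]:
        return self.balance.setdefault((addr, asset), [Fraction(0), Fraction(0)])

    def seed(self, addr: str, asset: str, amount: int) -> None:
        """Clean opening balance for an address whose earlier history we are not tracing."""
        self._bal(addr, asset)[0] += amount

    def _debit(self, addr: str, asset: str, amount: int) -> Fraction:
        """Spend `amount` from addr and return the tainted part of what was spent."""
        if addr in self.illicit:
            return Fraction(amount)  # everything leaving a known hack address is tainted
        bal = self._bal(addr, asset)
        if bal[0] < amount:
            raise ValueError(f"{addr} spends more {asset} than it holds")
        tainted_out = bal[1] / bal[0] * amount  # same tainted share as the sender's balance
        bal[0] -= amount
        bal[1] -= tainted_out
        return tainted_out

    def _credit(self, addr: str, asset: str, amount: int, tainted: Fraction) -> None:
        bal = self._bal(addr, asset)
        bal[0] += amount
        bal[1] += tainted

    def apply(self, ev: Event) -> None:
        if isinstance(ev, Transfer):
            self._credit(ev.dst, ev.asset, ev.amount, self._debit(ev.src, ev.asset, ev.amount))
        else:
            # A swap is one on-chain transaction by one trader: the output is still that trader's
            # money, so the taint share crosses the asset change instead of vanishing into the pool.
            tainted_in = self._debit(ev.trader, ev.asset_in, ev.amount_in)
            self._credit(ev.trader, ev.asset_out, ev.amount_out, tainted_in / ev.amount_in * ev.amount_out)

    def exposure(self, addr: str, asset: str) -> Fraction:
        """Illicit-origin share of what addr currently holds in asset (0 if it holds nothing)."""
        total, tainted = self._bal(addr, asset)
        return tainted / total if total else Fraction(0)


HACK, LAUNDER, CLEAN, OTHER, FRESH = "0xhack", "0xlaunder", "0xclean", "0xother", "0xfresh"
MIXER, POOL = "0xmixer", "0xdex_usdc_eth_pool"
CEX_A, CEX_B = "0xexchange_a_deposit", "0xexchange_b_deposit"


def build_ledger(other_mixer_deposits: int) -> Ledger:
    """Replay the constructed laundering chain. `other_mixer_deposits` is how much unrelated ETH
    sits in the mixer alongside the stolen ETH, i.e. the size of the anonymity set."""
    ledger = Ledger(illicit_sources={HACK})
    ledger.seed(CLEAN, "USDC", 1_000_000)
    ledger.seed(OTHER, "ETH", other_mixer_deposits)
    events: list[Event] = [
        Transfer("tx1", HACK, LAUNDER, "USDC", 1_000_000),            # stolen stablecoins
        Transfer("tx2", CLEAN, LAUNDER, "USDC", 1_000_000),           # commingled with clean USDC
        Swap("tx3", LAUNDER, POOL, "USDC", 2_000_000, "ETH", 1_000),  # swapped before the issuer can freeze
        Transfer("tx4", LAUNDER, CEX_A, "ETH", 400),                  # part goes straight to an exchange
        Transfer("tx5", LAUNDER, MIXER, "ETH", 600),                  # the rest into a mixer
        Transfer("tx6", OTHER, MIXER, "ETH", other_mixer_deposits),   # everyone else's deposits
        Transfer("tx7", MIXER, FRESH, "ETH", 500),                    # withdrawal to a fresh address
        Transfer("tx8", FRESH, CEX_B, "ETH", 500),                    # cash-out attempt
    ]
    for ev in events:
        ledger.apply(ev)
    return ledger


def red_flags(ledger: Ledger, deposits: dict[str, str], threshold: Fraction = Fraction(1, 10)) -> list[str]:
    """Exchange-side screen: flag deposit addresses whose ETH exposure reaches the (assumed) threshold."""
    return [f"{label}: {float(ledger.exposure(addr, 'ETH')):.1%} of deposited ETH traces to {HACK}"
            for addr, label in deposits.items() if ledger.exposure(addr, "ETH") >= threshold]


if __name__ == "__main__":
    for other in (200, 20_000):
        led = build_ledger(other)
        print(f"{other} unrelated ETH in the mixer -> cash-out exposure "
              f"{float(led.exposure(CEX_B, 'ETH')):.2%}")
        for flag in red_flags(led, {CEX_A: "Exchange A", CEX_B: "Exchange B"}):
            print("  flag:", flag)
```

Run as written, the exchange that receives ETH straight after the swap sees 50% exposure in both scenarios: the swap changed the asset but not the trail. The exchange that receives the post-mixer withdrawal sees 37.5% exposure when the mixer holds only 200 ETH of other users' funds, and about 1.5% when it holds 20,000 ETH. Whether a mixer actually breaks the trail therefore depends on how much unrelated volume it carries, which is the same point the Railgun case study later in this section makes with the pennies analogy.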
Red Flags

Red flags associated with money laundering involving DeFi mixers may include the following:
- a customer receives frequent inbound transfers from a DeFi mixer such as Tornado Cash, and is unwilling or unable to provide information about the ultimate source of funds;
- a customer makes frequent transfers to Tornado Cash or other DeFi mixers without a reasonable explanation for this activity; and
- a customer whose activity involves frequent interactions with DEXs also engages in transactions with mixing services such as Tornado Cash.

North Korea’s Laundering Through Tornado Cash and Railgun

Horizon – a cross-chain bridge servicing the Harmony blockchain – was exploited on June 24th 2022 for $99.7 million. Concerns had previously been raised that the bridge was over-centralized, meaning that it was particularly vulnerable to social engineering attacks – a common attack vector for the Lazarus Group. Similar issues resulted in the criminal organization stealing over $540 million in the aforementioned Ronin attack in March 2022.

After stealing the funds from Horizon, the Lazarus Group programmatically structured transactions through Tornado Cash, a decentralized Ethereum-based mixer. Elliptic researchers identified that the laundering methods employed mirrored those the Lazarus Group had used when attempting to conceal funds from the Ronin Bridge hack, which had also been sent through Tornado Cash. Tornado Cash was subsequently sanctioned by the US Treasury in August 2022, with Secretary of State Antony Blinken citing its prolific use by the Lazarus Group to launder funds from its past hacks. Elliptic’s research suggests that the Lazarus Group sent more than $555 million through Tornado Cash from these hacks, including more than $468 million from the Ronin hack and $96 million from the Harmony hack.
This North Korea-linked activity accounts for approximately 5.8% of the nearly $9 billion in total funds sent through the Tornado Cash mixer to date.

[Chart: Proportion of Funds DeFi Obfuscating Services Have Received From North Korean Hacks. Tornado Cash: 5.8% of about $9bn (Ronin $460m, Harmony $58.1m; the remainder from other Tornado Cash users). Railgun: 70% of about $83m (Harmony $58.1m; the remainder from other Railgun users).]

Elliptic has traced the stolen funds from the Horizon hack through Tornado Cash. Our briefing note breaks down the methodology we used and how it ultimately aided the eventual attribution of the exploit to the Lazarus Group.

The post-Tornado withdrawals were initially placed into several addresses, where they remained dormant until January 2023. In January 2023, Lazarus began structuring the funds into several deposits into a privacy-based DeFi protocol called Railgun, which functions similarly to a mixer. Elliptic has previously identified Railgun as a prime alternative to Tornado Cash following sanctions against the latter. You can read more about Railgun – and other Ethereum-based privacy-enhancing solutions – in our Tornado Cash Alternatives briefing note.

Elliptic’s research suggests that a significant portion of the funds – estimated at around 70% – sent through Railgun to date are funds from the Harmony hack. This suggests that since the OFAC sanctions on Tornado Cash, North Korea may be turning to lower-volume obfuscating services as an alternative. However, the fact that funds from the Harmony hack comprised such a substantial share of the Ether passing through Railgun renders the mixing ineffective. As an analogy, imagine throwing five pennies into a jar already holding 100 pennies: it would be extremely difficult for someone to determine which pennies were yours. If instead you threw 70 pennies into a jar with only 30 other pennies in it, there would be a far higher chance of linking those 70 specific pennies back to you.
Mixers work in a similar way: when the anonymity set (the volume of other users’ funds in the mixer) is small, the mixer is less effective at concealing disproportionately large transfers. On-chain data shows that after sending the funds through Railgun, the Lazarus Group has since deposited funds into three cryptoasset exchanges. Two – namely Binance and Huobi – have announced that they have identified, blocked and seized a portion of the funds. This case demonstrates the importance of cryptoasset exchanges utilizing blockchain analytics solutions to identify transactions involving mixing services abused by sanctioned actors such as North Korea. Elliptic’s Holistic wallet and transaction screening solutions enable our customers to identify and block transactions involving these mixing services, including where there may be sanctions implications – such as links to North Korean-perpetrated hacks.

[Figure: A screenshot from Investigator, Elliptic’s multi-asset crypto investigations software, showing the stolen funds being sent through Tornado Cash to several new wallets.]

3.3. Money Laundering Through Cross-chain Bridges

One inherent limitation of DeFi ecosystems is that transactions within a particular DeFi network – such as Ethereum – are limited to tokens based on that blockchain. In other words, blockchains are not natively interoperable, and a user cannot use Bitcoin for transactions with Ethereum-based Dapps. This limits the practical utility of DeFi for many users who may wish to move funds across numerous blockchains. A solution to this problem is cross-chain bridges, which allow an asset on one blockchain to be represented as a token on another. Popular cross-chain bridges have included RenBridge, VoltSwap and WanBridge.
Rather than relying on a centralized exchange to swap Bitcoin for Ethereum, users can send their BTC to a cross-chain bridge to obtain Ethereum-based tokens, but avoid having to surrender custody of their cryptoassets or undergo KY