The 2023 Crypto Crime Report
Everything you need to know about cryptocurrency-based crime
FEBRUARY 2023

Table of Contents
Introduction 3
Sanctions 9
Ransomware 26
Money Laundering 41
Stolen Funds 55
Oracle Manipulation Attacks 65
Darknet Markets 70
Scams 85
Pump and Dump Tokens 104

Introduction

2023 Crypto Crime Trends: Illicit Cryptocurrency Volumes Reach All-Time Highs Amid Surge in Sanctions Designations and Hacking

Every year, we publish our estimates of illicit cryptocurrency activity to demonstrate the power of blockchains' transparency (these kinds of estimates aren't possible in traditional finance) and to teach investigators and compliance professionals about the latest trends in cryptocurrency-related crime that they need to know about. What could those estimates look like in a year like 2022?

Last year was one of the most tumultuous in cryptocurrency history, with several large firms imploding, including Celsius, Three Arrows Capital, FTX, and others, some amid allegations of fraud. Those allegations make this year's Crypto Crime Report a bit tricky, as some feel that those businesses should be treated as criminal enterprises. Ultimately though, we don't include their transaction volumes in our measures of illicit activity because our estimates are based solely on on-chain intelligence: we don't account for instances where, for example, off-chain bookkeeping may have been fraudulent. Plus, the bankruptcy and criminal cases associated with these collapses are still ongoing, so for the time being, we'll leave questions of criminality to the legal system.

The events of this year have made clear that although blockchains are inherently transparent, the industry has room for improvement in this respect. There are opportunities to connect off-chain data on liabilities with on-chain data to provide better visibility, and the transparency of DeFi, where all transactions are on-chain, is a standard that all crypto services should strive to achieve. As more and more value is transferred to the blockchain, all potential risks will become transparent, and we will have more complete visibility. For now though, we'll continue to focus on illicit activity that can be measured on-chain. Let's look at how the market tumult of 2022 affected cryptocurrency-based crime.

[Chart: Total cryptocurrency value received by illicit addresses, 2017-2022, broken down by category (child abuse material, ransomware, stolen funds, sanctions, terrorism financing, scam, cybercriminal administrator, fraud shop, darknet market). See endnote 1 for notes on this chart.]

Despite the market downturn, illicit transaction volume rose for the second consecutive year, hitting an all-time high of $20.6 billion. We have to stress that this is a lower bound estimate: our measure of illicit transaction volume is sure to grow over time as we identify new addresses associated with illicit activity, and we have to keep in mind that this figure doesn't capture proceeds from non-crypto native crime (e.g. conventional drug trafficking involving cryptocurrency as a mode of payment). For example, last year we published that we found $14 billion in illicit activity in 2021; we've now raised that figure to $18 billion, mostly due to the discovery of new crypto scams.

It's also worth keeping in mind that 43% of 2022's illicit transaction volume came from activity associated with sanctioned entities, in a year when OFAC launched some of its most ambitious and difficult-to-enforce crypto sanctions yet. Crypto exchange Garantex, which accounted for the majority of sanctions-related transaction volume last year, is a great example. OFAC sanctioned Garantex in April 2022, but as a Russia-based business, the exchange has been able to continue operating with impunity. Transactions associated with Garantex or any other sanctioned crypto service represent, at the very least, substantial compliance risk for businesses that are subject to U.S. jurisdiction, including fines and potential criminal charges.

[Chart: YoY percent change in value received by crime type, 2019-2022 (terrorism financing, darknet market, fraud shop, cybercriminal administrator, child abuse material, ransomware, stolen funds, scam).]
Note: Sanctions-related transaction volume rose 152,844% from 2021 to 2022; we do not include that on the graph above due to the scale issues it would create.

Transaction volumes fell across all of the other, more conventional categories of cryptocurrency-related crime, with the exception of stolen funds, which rose 7% year-over-year. The market downturn may be one reason for this. We've found in the past that crypto scams, for instance, take in less revenue during bear markets, likely because users are more pessimistic and less likely to believe a scam's promises of high returns at times when asset prices are declining. In general, less money in crypto overall tends to correlate with less money associated with crypto crime.

Overall, the share of all cryptocurrency activity associated with illicit activity has risen for the first time since 2019, from 0.12% in 2021 to 0.24% in 2022 (see endnote 2).

[Chart: Illicit share of all cryptocurrency transaction volume, 2017-2022.]

This shouldn't come as a huge surprise. As one might expect, total transaction volume fell with the onset of the bear market, and as we showed above, illicit transaction volume grew slightly. In fact, we first spotted this trend back in August, when we noted that legitimate transaction volumes were declining faster than illicit volumes. Overall, illicit activity in cryptocurrency remains a small share of total volume at less than 1%. It's also worth keeping in mind that despite this year's jump, crime as a share of all crypto activity is still trending downwards. Keep reading, and we'll dig into the details of the criminal activity behind that 0.24%, as well as what our on-chain analysis reveals about the market failures of the last year.

Endnotes:
1 Notes on our illicit transaction volume chart: These are lower bound estimates that will likely rise over time as additional illicit activity is discovered. This does not include off-chain criminal activity where proceeds may have been moved into crypto for laundering, though that activity can still be traced. This does not include volumes associated with centralized services that collapsed in 2022, some of which are facing charges of fraud, given the lack of off-chain insights. Funds received by sanctioned entity Garantex account for much of 2022's illicit volume. While most of that activity is likely Russian users using a Russian exchange, most compliance professionals treat this as illicit activity.
2 For those keeping a close eye on our annual analyses, you may be surprised to find that our estimate for the illicit share of all cryptocurrency transaction volume for 2021 actually decreased from the number we published in last year's report, from 0.15% to 0.12%. Don't these estimates usually increase over time, as mentioned above? In this case, our denominator (total volume analyzed) increased as we added mature support for additional blockchains.

Sanctions

How 2022's Biggest Cryptocurrency Sanctions Designations Affected Crypto Crime

Agencies like the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury and its equivalents in other countries implement sanctions through the targeting of countries, regimes, individuals, and entities that are considered threats to national security and foreign policy. Traditionally, sanctions enforcement relies on the cooperation of mainstream financial institutions, but some bad actors have turned to cryptocurrency to circumvent these third party intermediaries, giving policymakers and sanctioning bodies new challenges with which to grapple. However, cryptocurrency's inherent transparency, along with the willingness of compliant cryptocurrency services (in particular, the many centralized exchanges that function as the link between crypto and fiat), have demonstrated that sanctions enforcement is possible in the crypto world.
In this section, we'll look at how the U.S. government's crypto-related sanctions strategy has evolved over time, examine the types of entities that it has sanctioned so far, and analyze the impact of those sanctions on the entities themselves and the wider crypto crime ecosystem.

OFAC's cryptocurrency-related sanctions are on the rise since 2021

2018 saw OFAC's first crypto-related sanctions, when it designated two Iranian nationals associated with the SamSam ransomware strain and included Bitcoin addresses linked to the individuals as identifiers on their Specially Designated Nationals And Blocked Persons (SDN) List entries. For the next two years, virtually all cryptocurrency addresses included as sanctions identifiers were personal wallet addresses controlled by individuals, with an average of two addresses per crypto-related designation in 2018, four in 2019, and nine in 2020.

[Chart: Sanctioned crypto-related entities and number of sanctions-related addresses by year added, 2018-2022 (sanctioned address count vs. sanctioned entity count).]

That changed starting in 2021 though, when OFAC began to designate entire crypto services as opposed to just individual bad actors. Overall, the average number of addresses per sanctioned entity reached 35 by 2022, with some designations containing over 100 cryptocurrency addresses as identifiers. As seen below with the expanding funnel of sanctioning activity, OFAC's efforts have increased across three dimensions, targeting larger entities and services, more diverse service types, and doing so for a wider array of reasons.

[Chart: Timeline of OFAC crypto-related sanctions designations, 2018-2022. Bubble size = USD inflows. Reasons for designation in the legend: cybercrime activity, disinformation, drug trafficking, election meddling, illicit services, paramilitary group, money laundering, terror financing. Entity types on the vertical axis: personal wallet, cybercriminal administrator, fraud shop, darknet market & illicit drug exchange, high-risk exchange, mixer. The designations plotted, with their USD inflows, are listed below in date order.]

Date          Designated individual or entity       USD inflows
NOV 28, 2018  Mohammad Ghorbaniyan                  $1,219,100
NOV 28, 2018  Ali Khorashadizadeh                   $2,975,000
AUG 21, 2019  Guanghua Zheng                        $63,700
AUG 21, 2019  Fujing Zheng                          $76,800
AUG 21, 2019  Xiaobing Yan                          $1,057,700
MAR 2, 2020   Jiadong Li                            $14,901,700
MAR 2, 2020   Yinyin Tian                           $102,000,000
SEP 10, 2020  Artem Mikhaylovich Lifshits           $6,500
SEP 10, 2020  Anton Nikolaeyvich Andreyev           $962,000
SEP 16, 2020  Danil Potekhin                        $13,746,300
SEP 16, 2020  Dmitrii Karasavidi                    $45,908,300
APR 15, 2021  Mujtaba Ali Raza                      $24,100
APR 15, 2021  Secondeye Solution                    $2,612,300
JUL 18, 2021  Farrukh Furkatovitch Fayzimatov       $3,200
SEP 21, 2021  Suex OTC                              $1,040,000,000
NOV 8, 2021   Yaroslav Vasinskyi                    $958,600
NOV 8, 2021   Yevgeniy Igorevich Polyanin           $16,098,600
NOV 8, 2021   SouthFront                            $21,100
NOV 8, 2021   Chatex                                $243,000,000
APR 5, 2022   Hydra Marketplace                     $6,810,000,000
APR 5, 2022   Garantex                              $15,700,000,000
MAY 6, 2022   Lazarus Group                         $991,000,000
MAY 6, 2022   Blender.io                            $1,360,000,000
AUG 8, 2022   Tornado Cash                          $8,740,000,000
SEP 14, 2022  Amir Hossein Nikaeen Ravari           $95,300
SEP 14, 2022  Ahmad Khatibi Aghada                  $138,100
SEP 15, 2022  Task Force Rusich                     $160,400
NOV 9, 2022   Matthew Simon Grimm                   $5,498,500
NOV 9, 2022   Alex Adrianus Martinus Peijnenburg    $25,091,600

2022 has seen some of OFAC's biggest cryptocurrency service designations to date. Three in particular are notable not just due to their size, but also in how each highlights unique challenges in enforcing sanctions against different types of crypto entities: darknet market Hydra, decentralized mixer Tornado Cash, and Russia-based cryptocurrency exchange Garantex. But before we get into those, we'll provide an overview of all crypto-related sanctions designations over the last year.

Sanctioned crypto-linked entities in 2022: Who they are and what they do

Here's the breakdown of the individuals and entities with cryptocurrency nexuses sanctioned in the U.S. in 2022, along with the reason OFAC sanctioned them.

Name                                  Reason for sanction
Lazarus Group                         Hacking and crypto theft on behalf of North Korean government
Ahmad Khatibi Aghada                  Ransomware
Amir Hossein Nikaeen Ravari           Ransomware
Alex Adrianus Martinus Peijnenburg    Drug trafficking
Matthew Simon Grimm                   Drug trafficking
Hydra Marketplace                     Darknet market and money laundering
Garantex                              Money laundering
Blender.io                            Money laundering
Tornado Cash                          Money laundering
Task Force Rusich                     Russian paramilitary group in Ukraine

OFAC sanctioned a relatively even mix of individuals and different types of entities in 2022, citing activity such as cybercrime (including ransomware), drug trafficking, money laundering, and in the case of Task Force Rusich, participation in Russia's invasion of Ukraine. Again, this diversity of entities represents a huge change compared to OFAC's pre-2021 designations, which were all against individuals and, at the blockchain level, comprised only a relatively small number of personal wallets.

Exploring pre- and post-designation activity for three of 2022's most notable sanctioned entities: Hydra, Garantex, and Tornado Cash

In order to examine the effects of sanctions on illicit cryptocurrency activity, let's look at how a few of 2022's most notable sanctioned entities behaved before and after their OFAC designations. We'll analyze three services: Hydra, Garantex, and Tornado Cash. First, some brief background on each:

Hydra was the largest darknet market in the world until its servers were seized by German police, concurrent with its designation by OFAC in April 2022, effectively shutting down the marketplace. Based in Russia, Hydra not only facilitated drug sales, but also offered money laundering services to cybercriminals, including ransomware attackers.

Garantex is a high-risk crypto exchange based in Russia and was sanctioned at the same time as Hydra for similar money laundering activity. Unlike Hydra, Garantex continues to operate following its designation.

Tornado Cash is a decentralized mixing service on the Ethereum blockchain that was sanctioned in August 2022 (and again in November) for facilitating money laundering, primarily in relation to funds stolen in cryptocurrency hacks by cybercriminals associated with North Korea. Tornado Cash is currently the only DeFi protocol to have been sanctioned by OFAC; all other designations have been centralized services or personal wallets. As a DeFi protocol, no person or organization can "pull the plug" as easily on Tornado Cash as they could with a centralized service, which has led to questions around
the feasibility of sanctioning the service and who, if anyone, can be held responsible for criminal activity it facilitates.

On-chain data can tell us more about the types of entities transacting with these services prior to their sanctions designations.

[Chart: Share of funds received by sanctioned entities by source type (illicit, legitimate, risky) over the 60 days before sanctions designation (0 = designation date): Garantex vs. Hydra Marketplace vs. Tornado Cash.]

Note: Illicit transaction activity refers to transactions in which one or more counterparty addresses are associated with an illicit entity, such as a darknet market or ransomware attacker. Risky activity refers to transactions in which one or more counterparty addresses are associated with a risky entity, such as a high-risk exchange or gambling service. Legitimate activity refers to transactions in which one or more counterparty addresses are associated with entities that are not inherently criminal or risky, such as personal wallets or exchanges.

The chart above shows the breakdown of each sanctioned entity's source of incoming funds in the 60 days prior to their designations, based on whether the sending wallets were associated with legitimate, illicit, or risky activity. A few things stand out:

Hydra had by far the most criminal activity of the three services, with 68.2% of all incoming funds coming from illicit addresses, and 12.6% coming from risky addresses.

Garantex, on the other hand, saw 6.1% of its inflows come from illicit sources and 16.1% from risky sources. 6.1% may sound like a small share of inflows, but it actually puts Garantex firmly on the riskier end of the spectrum for exchanges: over the same 60-day period, centralized exchanges as a whole received on average just 0.3% of funds from illicit addresses.

34% of all funds sent to Tornado Cash came from illicit sources, but this number fluctuated greatly depending on the day, with most illicit funds coming in brief spikes.

Let's dig deeper into the specific types of illicit entities that sent funds to each of these sanctioned services.

[Chart: Source of illicit funds sent to sanctioned entities by share, Garantex vs. Hydra Marketplace vs. Tornado Cash, over the 60 days before sanctions designation (0 = designation date); excludes transfers between sanctioned entities. Illicit categories: fraud shop, ransomware, stolen funds, cybercriminal administrator, scam, terrorist financing, child abuse material, darknet market.]

Garantex and Hydra both received funds from a wide array of illicit actors in the 60 days leading up to their sanctions designations, including fraud shops, scams, and most notably, ransomware. During this time period, Hydra received roughly $176,000 worth of cryptocurrency from ransomware addresses, representing 2.2% of all funds sent by any ransomware address. Garantex was even worse, taking in $931,000 from ransomware addresses, or 11.6% of all funds sent by ransomware addresses. The numbers underscore how crucial these services, especially Garantex, have been to enabling ransomware attacks. We must also note that these dollar figures may grow as we continuously identify more ransomware-related wallets over time.

Tornado Cash's illicit activity was concentrated in just two forms of cybercrime: crypto hacks and scams. While not apparent from the graph above, we should note that stolen funds make up nearly all of that total, at 99.7% of all illicit funds received during the entire 60-day time period. The inflows of stolen funds come in periodic spikes, which in turn drive the spikes in overall illicit inflows to Tornado Cash that we saw in the previous graph. The Harmony Bridge hack, which occurred in June 2022, roughly 45 days before Tornado Cash's sanctions designation, accounted for 65.7% of
the mixer's total stolen fund inflows during this period. This pattern of isolated, unique events contrasts with the more constant flow of illicit activity from services such as darknet markets, which produce a steady stream of funds.

How did sanctioned entities behave post-designation? It depends.

On-chain data shows that each of the three sanctioned services was affected differently by its designation. The charts below show cryptocurrency inflows for Garantex, Hydra, and Tornado Cash in the 60 days before and after they were sanctioned.

[Chart: Inflows to sanctioned entities 60 days before and after designation (total daily value received; 0 = designation date): Hydra Marketplace vs. Tornado Cash vs. Garantex.]

On one end of the spectrum, we have Hydra. Its inflows dropped to zero as soon as it was sanctioned because the service was also seized in a coordinated law enforcement action at the same time. On the other end of the spectrum is Garantex, which wasn't seized upon being sanctioned, and actually saw its transaction volume steadily increase post-designation. For example, in the four months up through April when Garantex was sanctioned, the high-risk exchange had averaged $620.8 million in monthly inflows. After the sanctioning event, Garantex's inflows rose considerably, with an average of approximately $1.3 billion in monthly inflows through October. This is most likely due to the fact that Garantex and most of its users are based in Russia. The Russian government has not enforced U.S. sanctions, leaving users not subject to U.S. jurisdiction with virtually no incentive to stop using Garantex. In fact, Garantex explicitly stated its intent to continue operating in social media posts immediately following the designation.

Tornado Cash falls in the middle of the spectrum, as its activity dropped significantly after being sanctioned, but hasn't ceased completely. As we discussed previously, Tornado Cash runs on smart contracts that can't be taken offline the way a centralized service can, so there's nothing except the legal consequences of sanctions violations stopping anyone from using it. However, the Tornado Cash website that acted as a front-end for easy access to the mixing service was taken down, making it more difficult to access. And, as a global service, Tornado Cash likely had more users who could face consequences for violating U.S. sanctions, or who would be cut off from using other services if their wallets displayed exposure to Tornado Cash following its designation.

Digging deeper into these aggregate inflow patterns, we also see that different types of counterparties reacted differently to each service's sanctions designation. We'll leave Hydra out here, as we already saw above that its inflows dropped to zero due to the seizure
of its darknet site infrastructure.

[Chart: Inflows to Garantex by source, 100 days before and after sanctions designation (value received, 7-day moving average; 0 = designation date). Panels: fraud shop, darknet market, scam, potentially risky service, ransomware.]

Here's how inflows to Garantex from different types of services and entities changed following its sanctions designation. Most of Garantex's counterparties continued to use the service at roughly the same levels they did before the exchange was sanctioned, apparently unperturbed by the designation. In fact, darknet markets and scammers actually sent more funds to Garantex following the designation, perhaps reassured that the exchange would be unlikely to try and curb their activity.

[Chart: Change in inflows to Tornado Cash post-sanctions designation by counterparty category, 60 days pre-designation vs. 60 days post-designation, showing pre-sanction and post-sanction inflows and percent change. Categories: decentralized exchange contract, exchange, mining, mixing, personal wallets, sanctions, scam, smart contract, stolen funds, token smart contract. Annotation on the chart: 94,000% increase to $56,118 USD.]

Tornado Cash, on the other hand, saw drops in inflows from virtually every category, the exceptions being an increase in funds sent from scammers and mixing services. However, despite the percentage increases, neither category had sent a particularly high volume of funds to Tornado Cash before its sanctions designation anyway. And, in the case of scams, the increase was the result of a single YouTube-based liquidity bot scam that saw inflows over four deposits, and likely does not reflect a wider trend.

Did sanctions affect criminal users of designated services?

Four of the entities sanctioned in 2022 were designated at least in
part due to their provision of money laundering services to other criminals, such as ransomware attackers, scammers, and hackers. Those services were:

Hydra
Garantex
Tornado Cash
Blender.io (another mixer)

It follows that one goal of those sanctions would be to disrupt the criminals who relied on those services for money laundering. Did this end up happening in practice? Or, put another way, if I was a crypto criminal who relied on one (or more) of these money laundering services, did I see less revenue than expected after that service was sanctioned?

We attempt to answer this question below by quantifying the average difference between actual inflows and expected inflows for illicit entities who used the money laundering services listed above prior to their designations. In order to calculate expected inflows, we used inflows to other illicit services in the same criminal categories who did not use those sanctioned money laundering services as a control group. These other illicit services help to establish a revenue baseline for the two months following each money laundering service's sanctions designation (see endnote 1). We found that illicit entities who used sanctioned services saw significant lost potential revenue across nearly every crypto crime category in the two months following the sanctioning event. For example, the average darknet market who had previously sent funds to one of the sanctioned services saw an estimated $25,000 less revenue in the two months following that service's designation than they likely would have had the service not been designated.

[Chart: Average difference between real and expected inflows for illicit entities using sanctioned services, for the two months following sanctions designation: darknet market -$24,634.52; fraud shop $5,222.79; cybercriminal administrator -$749,907.00; ransomware -$9,621.23; scam -$13,333.58; stolen funds -$42,895.81.]

The most-affected category was cybercriminal administrators, who on average saw an estimated $750,000 decrease in revenue due to the sanctioning of money laundering services they had previously used. The one exception to this trend was fraud shops, who on average saw nearly $5,000 more revenue than we would estimate absent the sanctioning of a money laundering service counterparty.

It's important to keep in mind that the graph above shows only the average estimated change in revenue for counterparties of sanctioned money laundering services. With several distinct entities in each category who had previously used those money laundering services, the estimated total losses by category are much higher.

Illicit category              Number of entities   Average inflows change   Total revenue change for category
Darknet market                11                   -$24,634.52              -$270,979.67
Fraud shop                    10                   $5,222.79                $52,227.91
Cybercriminal administrator   20                   -$749,907.00             -$14,998,139.98
Ransomware                    6                    -$9,621.23               -$57,727.38
Scam                          23                   -$13,333.58              -$306,672.24
Stolen funds                  42                   -$42,895.81              -$1,801,624.08

We should caveat these findings by noting that, while we've taken steps to control for other factors and analyze only the revenue changes brought on by the sanctioning of their money laundering services, there could be other reasons these dependent entities' revenue might have changed following the sanctions designations. We should also emphasize that we're only looking at changes to revenue in the two months following the money laundering services' designations; it's entirely possible and even likely that any revenue hits to illicit entities will be temporary, and that they'll soon find alternative money laundering services that haven't
been sanctioned. Nonetheless, our findings suggest that sanctions against money laundering services did in fact disrupt the illicit entities who relied on those services, at least temporarily, and impacted their bottom line.

Key takeaways: Impact of crypto sanctions depends on jurisdiction and technical constraints

New technologies and forms of value transfer change the landscape of financial crime enforcement. OFAC is learning this first-hand, and has broken new ground in the last two years with its efforts to move beyond individuals and designate cryptocurrency services that facilitate money laundering and other harmful forms of crypto-based activity. The three examples we focused on above show how different variables impact agencies' ability to levy sanctions against those services.

First, the case of Hydra teaches us that sanctions can be extremely effective against entities with key operations in cooperative jurisdictions. Hydra's servers were located in Germany; German law enforcement coordinated with U.S. agencies and moved to seize Hydra's servers, striking a fatal blow to the organization, in addition to the sanctions levied by OFAC on the darknet market.

Second, the case of Garantex shows what happens when there is an absence of international cooperation. While Garantex has been largely cut off from the compliant exchange ecosystem, Russia has declined to enforce sanctions against the service, so it continues to operate mostly unencumbered. This case shows that it is difficult to effectively sanction entities whose home jurisdictions have no formal cooperation channels with OFAC.

Finally, the case of a decentralized service like Tornado Cash is more complicated. While its front-end website was taken down, its smart contracts can run indefinitely, meaning anyone can still technically use it at any time. That suggests sanctions against decentralized services act more as a tool to disincentivize the service's use rather than cut off usage completely. In the case of Tornado Cash, those incentives appear to have been powerful, as its inflows fell 68% in the 30 days following its designation. That's especially important here given that Tornado Cash is a mixer, and mixers become less effective for money laundering the less funds they receive overall.

These case studies provide a model of how OFAC and its international equivalents can approach sanctions designations against different kinds of crypto-related entities. It will be interesting to see how these patterns develop as sanctioning bodies continue to improve their ability to effectively target sanctions against different kinds of illicit cryptocurrency services, in partnership with other agencies in the U.S. and internationally.

Endnotes:
1 Interventions always need to factor in what would otherwise have been. In this case, we used data on the non-counterparties of sanctioned services to estimate what total on-chain aggregate revenue inflows for counterparties might have looked like absent a sanctioning event. Non-counterparties are those entities that sent no funds to sanctioned entities in the two months before they were sanctioned. Counterparties are those entities that did send funds to sanctioned entities prior to the sanctioning event (over a two-month window). We assume that, within a given category of illicit activity (say, darknet markets), counterparties are roughly comparable to non-counterparties, and differ largely in their counterparty status. This assumption lets us compare the inflows (which we can think of as akin to revenue for a criminal enterprise or actor) of counterparties relative to the performance
103、 of non-counterparties in the months following a sanctioning event,and reveal how counterparties may have performed had their service not been sanctioned.For example,if a counterparty of a sanctioned service received 10%more aggregate revenue inflows after a sanctioning event,that can look like the
104、sanctions had a counterproductive effect.However,if entities of a similar type that were not counterparties to the sanctioned service grew by 50%,then we have reason to suspect that the 10%growth seen by counterparties was actually less than it would have been if sanctions had not been used.The diff
105、erence in post-sanctioning performance of counterparties and non-counterparties helps us estimate(directionally)and with modest precision the degree of under or over performance of sanctioned entity counterparties.To reach this final step,we take the difference between the average counterparty perce
106、nt change in on-chain inflows by category and subtract the same measure for non-counterparties.We then use this percentage point value to weight the total amount of USD inflows to each category of sanctioned entity counterparty,ultimately providing a single best guess about the degree to which sanct
107、ioning interrelates with counterparty on chain activity.26SanctionsRansomware27RansomwareRansomware Revenue Down As More Victims Refuse to Pay2022 was an impactful year in the fight against ransomware.Ransomware attackers extorted at least$456.8 million from victims in 2022,down from$765.6 million t
108、he year before.Total value received by ransomware attackers,20172022$0$600M$400M$200M$800M201720182019202020212022$46M$43M$174M$765M$457M$766MAs always,we have to caveat these findings by noting that the true totals are much higher,as there are cryptocurrency addresses controlled by ransomware attac
109、kers that have yet to be identified on the blockchain and incorporated into our data.When we published last years version of this report,for example,we had only identified$602 million in ransomware payments in 2021.Still,the trend is clear:Ransomware payments are significantly down.However,that does
110、nt mean attacks are down,or at least not as much as the drastic dropoff in payments would suggest.Instead,we believe that much of the decline is due to victim organizations increasingly refusing to pay ransomware attackers.Well discuss this phenomenon more below,but first,lets look more at general r
111、ansomware trends in 2022.28Ransomware2022 ransomware by the numbersDespite the drop in revenue,the number of unique ransomware strains in operation reportedly exploded in 2022,with research from cybersecurity firm Fortinet stating that over 10,000 unique strains were active in the first half of 2022
112、.On-chain data confirms that the number of active strains has grown significantly in recent years,but the vast majority of ransomware revenue goes to a small group of strains at any given time.We do,however,see turnover throughout the year among the top-grossing strains.Top 5 ransomware strains by q
113、uarter,20220%25%50%75%100%2022Q12022Q22022Q32022Q4OtherRoyalRagnarQuantumPlayLockbitHiveDaixinCubaContiBlackbastaAlphv-BlackcatHive sees a large spike in activity as victims becomeless willing to pay ContiPayments to Conti decline following Contis announced support for Russian government in Feb 2022
New strains like Royal, BlackBasta, and Play emerge following Conti's demise.

Likewise, ransomware lifespans continue to drop. In 2022, the average ransomware strain remained active for just 70 days, down from 153 in 2021 and 265 in 2020. As we'll explore below, this activity is likely related to ransomware attackers' efforts to obfuscate their activity, as many attackers are working with multiple strains.

[Chart: Average lifespan of a ransomware strain (days active), 2012-2022]

When it comes to money laundering, the data indicates that most ransomware attackers send funds they've extorted to mainstream, centralized exchanges.

[Chart: Destination of funds leaving ransomware wallets, 2018-2022. Destination categories: centralized exchange, high-risk exchange, high-risk jurisdictions, DeFi, gambling platform, illicit, mining, mixing, other, P2P exchange, sanctions]

In fact, the share of ransomware funds going to mainstream exchanges grew from 39.3% in 2021 to 48.3% in 2022, while the share going to high-risk exchanges fell from 10.9% to 6.7%. Usage of illicit services such as darknet markets for ransomware money laundering also decreased, while mixer usage increased from 11.6% to 15.0%.

Sizing up the ransomware ecosystem

The constant turnover amongst top ransomware strains and appearance of new ones would suggest that the ransomware world is a crowded one, with a large number of criminal organizations competing with one another and new entrants constantly coming onto the scene. However, looks can be deceiving. While many strains are active throughout the year, the actual number of individuals who make up the ransomware ecosystem is likely quite small. One place we see this is in affiliate overlap. Most ransomware strains function on the ransomware-as-a-service (RaaS) model, in which the developers of a ransomware strain allow other cybercriminals, known as affiliates, to use the administrators' malware to carry out attacks in exchange for a small, fixed cut of the proceeds. However, we've seen time and time again that many affiliates carry out attacks for several different strains. So, while dozens of ransomware strains may technically have been active throughout 2022, many of the attacks attributed to those strains were likely carried out by the same affiliates. We can think of it as the gig economy, but for ransomware. A rideshare driver may have his Uber, Lyft, and Oja apps open at once, creating the illusion of three separate drivers on the road, but in reality, it's all the same car. Microsoft Security discussed an example of this in a blog post earlier this year discussing one prolific affiliate group,
whom they've labeled DEV-0237, who has carried out attacks using the Hive, Conti, Ryuk, and BlackCat ransomware strains. Microsoft Security researchers were able to identify this example of affiliate overlap by analyzing the technical details of how the attacks were carried out, but we can also identify examples of affiliate overlap on the blockchain. On the Chainalysis Reactor graph below, we see an affiliate whose wallet has received large sums from the Dharma, Conti, and BlackCat ransomware strains at different times, which means the affiliate has carried out attacks for all three strains.

Conti is a particularly interesting case for observing how not just affiliates, but administrators as well, rebrand themselves and switch between strains. Conti was a prolific ransomware strain for a few years, taking in more revenue than any other variant in 2021. But in February, immediately following Russia's invasion of Ukraine, the Conti team publicly announced its support for Vladimir Putin's government. Soon after, a cache of Conti's internal communications leaked, and indicated connections between the cybercrime organization and Russia's Federal Security Service (FSB). For these reasons, many ransomware victims and incident response firms decided that paying Conti attackers was too risky, as the FSB is a sanctioned entity, despite Conti itself not being one. Conti responded by announcing its closure in May, but soon after, much of the Conti team split up into smaller groups and continued their activity. Conti's closure drove many affiliates to conduct attacks for other strains whose ransoms victims were more likely to pay, as we showed above. We can see another example of this activity below.

Here, we see a Conti affiliate who began working with the Suncrypt, Monti, and Lockbit strains. But it isn't just Conti affiliates who have rebranded. On-chain data shows that core administrators have also begun to work with and launch other strains, including the ransomware group's leader, who goes by the alias Stern. The Reactor graph below shows that Stern has transacted with addresses linked to strains like Quantum, Karakurt, Diavol, and Royal in 2022 following Conti's demise.

Notice that in many cases, the ransomware attackers re-used wallets for multiple attacks launched nominally under other strains. This on-chain activity confirms previous research from cybersecurity firm AdvIntel revealing plans
by Conti's core leadership to shift operations to some of the strains seen above. It's a great example of how blockchain analysis in tandem with technical analysis of ransomware code and attack patterns can identify offshoots of ransomware strains that have been deemed too risky to pay. With this data in mind, can Conti truly be said to have shut down if its leader, affiliates, and other members are still successfully carrying out ransomware attacks under new brand names? The data suggests that it may be more productive to think of the ransomware ecosystem not as a collection of distinct strains, but instead as a small group of hackers who rotate brand identities regularly. The fluidity with which affiliates move between ransomware brands makes the sector appear larger than it really is. “The number of core individuals involved in ransomware is incredibly small versus perception, maybe a couple hundred,” said Bill Siegel, CEO and co-founder of ransomware incident response firm Coveware. “It's the same criminals, they're just repainting their getaway cars.” Siegel indicated this activity has increased of late, and that affiliates are now much more likely to switch strains frequently rather than stick with one for an extended period of time. But, despite ransomware attackers' best efforts, the transparency of the blockchain allows investigators to spot these rebranding efforts virtually as soon as they happen.

The big story: Ransomware victims are paying less frequently

Based on the data available to us now, we estimate that total ransomware revenue fell to at least $456.8 million in 2022 from $765.6 million in 2021, a huge drop of 40.3%. However, the evidence suggests that this is due to victims' increasing unwillingness to pay ransomware attackers rather than a decline in the actual number of attacks. We spoke with a number of ransomware experts to learn more. The first question that jumps to mind: How can we actually know fewer victims are paying, given the lag we've noted previously in how long it takes to identify ransomware addresses, and the massive underreporting of attacks by victims? Michael Phillips, Chief Claims Officer of cyber insurance firm Resilience, indicated that businesses shouldn't rest easy just because ransomware revenue is down. “Data from claims across the cyber insurance industry show that ransomware remains an increasing cyber threat to businesses and enterprises. There have, however, been signs that meaningful disruptions against ransomware actor groups are driving lower than expected successful extortion attempts,” he told us. Phillips cited among those disruptions the Russia-Ukraine war and the increased pressure on ransomware gangs from western law enforcement, including arrests and recovery of extorted cryptocurrency.

Recorded Future intelligence analyst and ransomware expert Allan Liska, also known as the Ransomware Sommelier, pointed to the data teams like his collect from data leak sites (DLS), where many ransomware attackers post data stolen from victims in an effort to pressure them into paying. “Most organizations scrape DLS data to collect a baseline victimology. By that measure, ransomware attacks decreased between 2021 and 2022 from 2865 to 2566, a 10.4% drop,” said Liska. If we take DLS victim leaks as a proxy for the number of attacks, there's
still a huge gap between a 10.4% drop in leaks and a 40.3% drop in overall ransomware revenue. Instead, our conversations with representatives of cyber insurance and incident response firms suggest much of the revenue drop is explained by victims paying less frequently. Bill Siegel of Coveware provided us with statistics on the probability of a ransomware victim to pay a ransom based on his firm's client matters over the last four years:

              2019   2020   2021   2022
Paid           76%    70%    50%    41%
Did Not Pay    24%    30%    50%    59%

The trend is highly encouraging: since 2019, victim payment rates have fallen from 76% to just 41%. But what exactly accounts for this shift? One big factor is that paying ransoms has become legally riskier, especially following an OFAC advisory in September 2021 on the potential for sanctions violations when paying ransoms. “With the threat of sanctions looming, there's the added threat of legal consequences for paying ransomware attackers,” said Liska. Bill Siegel agreed, telling us that his firm refuses to pay ransoms if there's even a hint of connection to a sanctioned entity. Another big factor is the outlook of cyber insurance firms, who are usually the ones reimbursing victims for ransomware payments. “Cyber insurance has really taken the lead in tightening not only who they will insure, but also what insurance payments can be used for, so they are much less likely to allow their clients to use an insurance payout to pay a ransom,” said Liska. Phillips echoed this sentiment in his remarks to us. “Today, companies have to meet stringent cybersecurity and backup measures to be insured for ransomware coverage. These requirements have proven to actively help companies bounce back from attacks rather than pay ransom demands. An increased focus on underwriting against factors that contribute to ransomware has led to lower incident costs for companies and contributed to a decreasing trend in extortion payments.” Siegel agreed that cyber insurance firms' demand for better cybersecurity measures is a key driver of the trend toward less frequent ransom payments, and described some of the measures they push clients to implement. “A lot of the insurance carriers are tightening underwriting standards, and will not renew a policy unless the insured has comprehensive backup systems, uses EDR, and has multi-authentication. This has driven a lot of companies to become more secure,” said Siegel. Liska agreed that cybersecurity measures have improved greatly over the past few years. “Back in 2019 when big game hunting and RaaS really started taking off, a lot of security professionals really emphasized the importance of backups. Security professionals saying something and organizations implementing it can take a while. While having an effective backup solution doesn't stop ransomware attacks and doesn't help with data theft, it does give victims more options so they aren't forced to pay,” he said. Siegel described to us how companies with well segmented yet highly available data backups are much less likely
to experience material business impact as the result of an attack, and said that they regularly advise clients not to pay unless the payment is economically justified due to the severity of the impact being experienced. Liska also emphasized that backups aren't a magic bullet, noting that the data recovery process can take months and leave ransomware victims vulnerable to follow-up attacks during this process, as we saw in the case of Australian logistics firm Toll Group, which suffered two attacks in three months in 2022. Of course, the best-case scenario is for organizations not to fall victim to ransomware attacks in the first place. To that end, Liska recommends organizations run recurring tabletop exercises, in which all relevant teams (cybersecurity, networking, IT, server administration, backup teams, PR, finance, etc.) meet with leadership to establish how the organization can keep itself secure, identify vulnerabilities, and understand who's responsible for all aspects of security. “Having a realistic picture of where your organization stands and what its weaknesses and strengths are will better prepare everyone in the event your organization is hit with a ransomware attack, and it also makes leadership aware of where it needs to invest to better secure the network, ahead of an attack,” said Liska. If more organizations can implement these best practices the way they have data backups and other security measures, we'll hopefully see ransomware revenue continue to fall in 2023 and beyond.

How the Dutch National Police Tricked Prolific Ransomware Strain Deadbolt Into Giving Up Victim Decryption Keys

Deadbolt is a ransomware strain that first became active in early 2021, and operates very differently from other notable strains of the last few years. While most ransomware gangs focus primarily on attacking large organizations who can afford heavy ransoms, Deadbolt does the opposite, instead taking more of a “spray and pray” approach, targeting small businesses and even individuals in high numbers, while demanding a relatively small ransom from each victim. The reason for this is that Deadbolt has built its operations on exploiting a security flaw in network-attached storage (NAS) devices produced by the provider QNAP, rather than infecting entire computer networks, which is the go-to tactic for the “big game hunting” favored by most ransomware attackers. Deadbolt also communicates with victims differently from other ransomware strains. While many strains have set up websites to negotiate with victims and provide decryption keys to those who pay, Deadbolt simply instructs victims to pay a set amount to a specific Bitcoin address in a message that appears when the victim attempts to access the infected device.

[Image: Deadbolt ransom message displayed on an infected device. Source: Sophos blog]

Once a victim pays, Deadbolt automatically sends them the decryption key via the blockchain, sending a low-value Bitcoin transaction to the ransom address with the decryption key written into the transaction's OP_RETURN field. In order to send the OP_RETURN, some amount of cryptocurrency must be transferred; blockchain analysis suggests that Deadbolt's developers pre-programmed transactions to send a negligible sum of 0.0000546 BTC (about $1 USD) to its own ransom payment wallet each time a victim pays, so that funds are available to then send the transactions necessary to communicate the decryptor to each victim upon receipt of their ransom. While that unique method for delivering decryption keys is slick, it's also exactly what the Dutch National Police were able to exploit to fool Deadbolt into handing over decryption keys for hundreds of victims, enabling
them to recover their data at no cost. We'll break down how they did that below, but first, let's look more closely at Deadbolt's activity over the last two years.

Deadbolt's ransomware activity summarized

Over the course of 2022, Deadbolt has taken in more than $2.3 million from an estimated 4,923 victims, with an average ransom payment size of $476, compared to over $70,000 for all ransomware strains.

[Chart: Monthly total value and number of transfers received by Deadbolt ransomware, Jan 2022 - Jan 2023]

Deadbolt's revenue makes it a relatively low earner amongst all ransomware strains last year, but in terms of sheer reach and number of victims, it was perhaps the most prolific of any strain in 2022. In fact, if we use all the unpaid Deadbolt addresses associated with victims who did not pay as a proxy for total number of infections, we can estimate Deadbolt's total victim count as roughly 5,500 individuals or businesses. That reach really comes through in the Chainalysis Reactor graph above, which shows thousands of victims making payments to Deadbolt.

How Dutch National Police disrupted Deadbolt and took decryption keys without paying

Cyber investigators with the Dutch National Police (Cybercrimeteam Oost-Nederland and Cybercrimeteam Oost-Brabant) had been investigating Deadbolt for months when they came to a crucial realization while analyzing transactions between Deadbolt and its victims, following a tip from the Dutch incident response company Responders.NU. “Looking through the transactions in Chainalysis, we saw that in some cases, Deadbolt was providing the decryption key before the victim's payment was actually confirmed on the blockchain,” said one Dutch National Police investigator who worked on the case. Cryptocurrency transactions aren't actually finalized until a new block is confirmed to the blockchain; for Bitcoin, this process takes roughly ten minutes per block. However, during that time, unconfirmed transactions are visible in Bitcoin's mempool. “This meant that a victim could send the payment to Deadbolt, wait for Deadbolt to send the decryption key, and then use replace-by-fee (RBF) to change the pending transaction, and have the ransomware payment go back to the victim,” said the investigator. With this information, the Dutch National Police hatched a plan to send and retract payments for as many Deadbolt victims as possible in order to get them their decryption keys. They knew they'd only have one shot, as Deadbolt would surely notice
the flaw in their automated decryption key distribution system and fix it once the plan was attempted. The first step was to find as many Deadbolt victims as possible who had yet to pay their ransom. “We searched police reports from all over the Netherlands for Deadbolt victims and extracted the Bitcoin addresses Deadbolt provided. In cases where there wasn't an address, we reached out to victims.” The Dutch National Police also worked with Europol to find victims in other countries as well, 13 in total. Next, the team had to test that they could in fact send and retract a large number of payments to help as many victims as possible. “We wrote a script to automatically send a transaction to Deadbolt, wait for another transaction with the decryption key in return, and use RBF on our payment transaction. Since we couldn't test it on Deadbolt, we had to run it on testnets to make sure it worked,” the investigator told us. Once everything was ready to go, the team deployed their script and started the process of sending and retracting payments for Deadbolt victims. The Deadbolt team quickly realized what was happening and halted their automated OP_RETURN transactions. But in that time, the Dutch National Police retrieved decryption keys for nearly 90% of the victims who reported Deadbolt payment addresses via Europol, depriving Deadbolt of hundreds of thousands of dollars. While Deadbolt remains active, it's been forced to adopt a more manual process for providing decryption keys via Bitcoin transaction OP_RETURNs, which raises Deadbolt's overhead. Overall, the Dutch National Police operation against Deadbolt is a valuable reminder that blockchain analysis has applications beyond tracing the flow of funds. In this case, police were able to discover a crucial vulnerability in Deadbolt's modus operandi by closely reviewing its transaction patterns and digging into the metadata of the transactions. The operation also underscores why it's so important for ransomware victims to report attacks to the authorities. No one who had their data hijacked by Deadbolt likely knew that an operation like this would be possible, but in cutting edge fields like cryptocurrency and cybersecurity, unique solutions can come from anywhere. The Dutch National Police could only reach out to victims who had reported to the police in their countries, and those who didn't may have missed an opportunity to recover their data at no cost.

Money Laundering

Crypto Money Laundering: Four Exchange Deposit Addresses Received Over $1 Billion in Illicit Funds in 2022

Money laundering is crucial to all financially motivated crime because it's what enables criminals to access the funds they generate from their activities. Otherwise, why commit the crimes in the first place? The same is true in cryptocurrency. The goal of money laundering in cryptocurrency is to move funds to addresses where their original criminal source can't be detected, and eventually to a service that allows cryptocurrency to be exchanged for cash; usually this means exchanges. If that weren't possible, there would be very little incentive to commit crimes involving cryptocurrency. We've written in the past about how money laundering activity is highly concentrated to just a few services, and within those services, concentrated even further to a small number of deposit addresses. That remained true in 2022, though as we'll explore, with a few new wrinkles. In addition, we'll examine the rise of underground money laundering services that exist separately from the crypto businesses most are familiar with, and also analyze funds still held by crypto
criminals on the blockchain.

2022 crypto money laundering activity summarized

Money laundering in cryptocurrency typically involves two types of on-chain entities and services:

Intermediary services and wallets: These can include personal wallets (also known as unhosted wallets), mixers, darknet markets, and other services, both leg
itimate and illicit. Crypto criminals typically use these services to hold funds temporarily, obfuscate their movements of funds, or swap between assets. DeFi protocols are also used by illicit actors in order to convert funds but, as we will discuss, are not an efficient means of obfuscating the flow of funds.

Fiat off-ramps: This refers to services that allow for cryptocurrency to be exchanged for fiat. This is the most important part of the money laundering process, as the funds can no longer be traced via blockchain analysis once they hit a service; only the service itself would have visibility into where they go next. Additionally, if the funds are converted into cash, they can only be followed further through traditional financial investigation methods. Most fiat off-ramps are centralized exchanges, but P2P exchanges and other services can also serve this function.

With that in mind, let's look at some of the money laundering trends we saw in 2022.

[Chart: Total cryptocurrency laundered by year, 2015-2022]

Overall, illicit addresses sent nearly $23.8 billion worth of cryptocurrency in 2022, a 68.0% increase over 2021. As is usually the case, mainstream centralized exchanges were the biggest recipient of illicit cryptocurrency, taking in just under half of all funds sent from illicit addresses. That's notable not just because those exchanges generally have compliance measures in place to report this activity and take action against the users in question, but also because those exchanges are fiat off-ramps, where the illicit cryptocurrency can be converted into cash.

[Chart: Destination of funds leaving illicit wallets, 2017-2022. Destination categories: centralized exchange, high-risk exchange, high-risk jurisdictions, DeFi, gambling platform, mining, mixing, other, P2P exchange]

[Chart: Destination of funds leaving illicit wallets by crime type. Crime types shown: darknet market, fraud shop, ransomware, sanctions, scams, stolen funds]

More illicit funds were sent to DeFi protocols than ever before, a continuation of a trend that began in 2020. Cybercriminals send funds to DeFi protocols not because DeFi is useful for obscuring the flow of funds. In fact, quite the opposite is true, as unlike with centralized services, all activity is recorded on-chain. Keep in mind too that DeFi protocols don't allow for the conversion of cryptocurrency into fiat, so most of those funds likely moved next to other services, including fiat off-ramps. And as we see below, almost all usage of DeFi protocols for money laundering is carried out by one criminal group: hackers stealing cryptocurrency.

Hackers holding stolen cryptocurrency are the only criminal category sending the majority of funds to DeFi protocols, at a whopping 57.0%. 2022 was an enormous year for hacking, hence
why these cybercriminals were almost single-handedly able to drive the overall increase in the usage of DeFi protocols for money laundering. The fact that DeFi protocols themselves were the biggest target of hacks in 2022 also influences these numbers. In DeFi hacks, attackers often end up with tokens that aren't listed on other exchanges, so they need to use decentralized exchanges (DEXes) to swap them for more liquid crypto assets. DEXes have historically been used to convert funds to Ether, which can then be sent to Ethereum-based mixers. DEXes have also been used to convert to assets that will be more likely to hold their value, or in the case of stablecoins, to swap to an asset that cannot be frozen by the stablecoin issuer. However, as noted previously, DEXes don't enable the conversion of funds from cryptocurrency to fiat currency; this must still be done through a centralized exchange or other fiat off-ramp. Aside from hackers, crypto criminals send the majority of their funds directly to centralized exchanges, but there are some notable exceptions. For instance, darknet market vendors and administrators send most of their funds to other illicit services, primarily other darknet markets, some of whom may offer money laundering services similar to those of the now-shuttered Hydra Market. Darknet market addresses also sent a large share of funds to high-risk exchanges, such as Bitzlato, a Russia-based exchange shut down in an international law enforcement action recently for its money laundering activity. Ransomware attackers are another interesting case. Addresses associated with them send a disproportionately large share of funds to mixers, and also make heavy use of illicit services. Fraud shop vendors and administrators are also notable for their outsized mixer usage. In total, we see that over half of all funds sent from illicit addresses travel directly to centralized exchanges, both mainstream and high-risk, where they can be exchanged for fiat unless compliance teams take action. However, over 40% of illicit funds move first to intermediary services, primarily mixers and illicit services or DeFi protocols, with most of those funds coming from ransomware, darknet market, and hacker addresses.

Overall mixer usage falls in 2022, but illicit usage hits all-time high

Mixers are a popular obfuscation service used by crypto criminals, taking in 8.0% of all funds sent from illicit addresses in 2022. Mixers function by taking in cryptocurrency from multiple users, mixing it all together, and sending each user an amount equivalent to what they put in. The result is that each user's cryptocurrency can now only be traced back to the mixer, rather than to its original source, unless special blockchain
analysis techniques are employed. You can learn more about how different types of mixers work here.

There are many legitimate use cases for mixers, most of which are related to financial privacy. For example, if someone knows your cryptocurrency address, they can see virtually your entire transaction history on the blockchain, so it's reasonable for users to try and prevent this with mixers. Of course, the financial privacy provided by mixers is also valuable to criminals, hence their popularity as a destination for illicit funds. In May 2022, OFAC sanctioned a mixer for the first time ever when it designated Blender.io for its role in laundering cryptocurrency stolen by North Korean hacking syndicate Lazarus Group. OFAC didn't waste any time designating its second mixer, Tornado Cash, in August for the same reasons. The sanctioning of prominent mixers may have contributed to two trends we observed in 2022: The total amount of cryptocurrency sent to mixers fell significantly, and the funds that did travel to mixers were more likely to come from illicit sources.

[Chart: Yearly cryptocurrency received by mixers by source, 2016-2022 (value received from illicit sources, value received from non-illicit sources, and illicit share of all value received)]

Mixers processed a total of $7.8 billion in 2022, 24% of which came from illicit addresses, whereas in 2021, they processed $11.5 billion, only 10% of which came from illicit addresses. The data suggests that legitimate users have decreased their use of mixers, possibly due to law enforcement actions against prominent ones, while criminals have continued to use them. It's also worth noting that the vast majority of illicit value processed by mixers is made up of stolen funds, a large share of which were stolen by North Korea-linked hackers, who are unlikely to be dissuaded by the threat of U.S. sanctions given they reside in a non-cooperative jurisdiction.

[Chart: Sources of illicit cryptocurrency sent to mixers, 2022: stolen funds 85.1%, darknet market 6.3%, ransomware 3.0%, scam 2.7%, fraud shop 2.3%, cybercriminal admin 0.4%, sanctions 0.2%]

Other sanctioned entities and darknet markets also accounted for significant shares of value received by mixers in 2022.

Money laundering concentration at fiat off-ramps

As we discussed
213、 above,fiat off-ramp services like exchanges are crucial for money laundering,as those are the services where criminals can turn crypto into cash,which is likely their ultimate goal.Fiat off-ramps are also among the most heavily regulated cryptocurrency services,and their compliance teams have an im
214、portant role to play in flagging incoming illicit funds and preventing them from being exchanged for cash.But while there are thousands of cryptocurrency services offering fiat off-ramping,a select few receive most of the illicit funds we observe on-chain.48Money LaunderingNumber of fiat off-ramps r
215、eceiving illicit funds by year vs.Share received by top five fiat off-ramps receiving illicit funds,20112022Share going to top 5Number of fiat off-ramps0.0%25.0%50.0%75.0%88.9%84.5%77.2%72.2%59.1%37.1%43.3%62.6%53.8%56.7%67.9%100.0%05001,0001,50020112012201320142015201620172018201920202021202262.1%S
216、hare of funds going to top five fiat off-ramps by amount of illicit value receivedNumber of fiat off-ramps915 unique fiat off-ramping services received illicit cryptocurrency in 2022,down from 1,124 in 2021.Some of that dropoff is likely due to exchanges going out of business during the bear market.
Of the illicit funds received by exchanges, 67.9% went to just five services, all of which are centralized exchanges. This represents an increased concentration compared to 2021, when the top five services received only 56.7% of illicit funds.

But what about the individual exchange users facilitating this activity? We can assume that many of the criminals sending funds to fiat off-ramps are using an account at the service that they themselves control. But in some cases, criminals work with specialized money laundering service providers, who control the accounts and help criminals convert their cryptocurrency into cash once it arrives at the exchange. Those businesses fall into the category of nested services, meaning services that are built on top of larger exchanges, using those exchanges' deposit addresses to access their liquidity and trading pairs. Most nested services are legitimate businesses; many prominent over-the-counter (OTC) brokers, for instance, operate as nested services. However, on-chain data suggests that a small group of nested services facilitate the majority of money laundering, either due to negligence or purposeful catering to crypto criminals. For that reason, it's useful to analyze the specific service deposit addresses that account for the majority of money laundering activity, as we can generally attribute the activity of a given deposit address to a user at the service whose account is linked to that deposit address. In the graph below, we look at all off-ramp service deposit addresses that received any illicit funds in 2022, bucketed by the range in value of illicit funds received.

[Chart: All illicit cryptocurrency received by fiat off-ramp service deposit addresses, 2022. Deposit addresses bucketed by illicit value received.]

Bucket          Illicit value received   Number of deposit addresses
$0-$100         $38M                     1,220,154
$100-$1k        $242M                    707,484
$1k-$10k        $668M                    233,685
$10k-$100k      $1,005M                  37,378
$100k-$1M       $1,101M                  4,195
$1M-$10M        $1,283M                  502
$10M-$100M      $904M                    36
$100M+          $1,047M                  4

How to read this graph: This graph shows service deposit addresses bucketed by how much total illicit cryptocurrency each address received individually in 2022. Each blue bar represents the number of deposit addresses in the bucket, while each grey bar represents the total illicit cryptocurrency value received by all deposit addresses in the bucket. Using the first bucket as an example, we see that 1,220,154 deposit addresses received between $0 and $100 worth of illicit cryptocurrency, and together all of those deposit addresses received a total of $38 million worth of illicit cryptocurrency. The graph shows that
most cryptocurrency money laundering is facilitated by a very small group of people. Four deposit addresses cracked $100 million in illicit cryptocurrency received in 2022, and combined received just over $1.0 billion, while the 1.2 million deposit addresses receiving under $100 in illicit funds account for $38 million in total. Further, 51% of the $6.3 billion in illicit funds received by fiat off-ramp services in 2022 went to a group of just 542 deposit addresses. Those numbers represent a lower level of money laundering concentration at the deposit address level than we saw in 2021, even though 2022 saw a slight uptick in concentration at the service level. One possible reason for this is that continued law enforcement crackdowns against crypto money launderers, such as the shutdown of the exchange Bitzlato, have spooked the biggest money laundering service providers, or encouraged them to spread their operations across more deposit addresses. We also see high variance in the degree of money laundering concentration by crime type.

[Chart: Money laundering concentration by crime type: share of total illicit value received by top deposit addresses, 2022. Series: scam, stolen funds, fraud shop, ransomware, darknet market. X-axis: number of fiat off-ramp deposit addresses (0-95); y-axis: share of all funds received.]

Just 21 deposit addresses account for 50% of all funds sent from ransomware to fiat off-ramps, while the top 21 deposit addresses for funds received from darknet markets account for just 18%. Despite the drop in overall concentration, 51% of illicit funds moving to just 542 deposit addresses at 83 exchanges still represents a high level of money laundering concentration. If law enforcement and compliance teams were able to disrupt the individuals and groups behind those addresses, it would be much more difficult for criminals to launder cryptocurrency at scale, and go a long way toward making the ecosystem safer.

Underground money laundering services are a growing concern

Another money laundering trend we've observed is the growth of underground services that aren't as publicly accessible or well-known as standard mixers, as they are typically accessible only through private messaging apps or the Tor browser, and usually only advertised on darknet forums. We've written above and in past Crypto Crime Reports about OTC brokers nested on exchanges that launder large quantities of illicit funds, many of which seem to explicitly cater to cybercriminals. While this activity still exists, we're also seeing the rise of underground money laundering services with brand names and custom infrastructure, which vary in terms of complexity. Some function simply as networks of private
wallets, while others are more akin to an instant exchanger or mixer. But generally, what links them is that they typically move cryptocurrency to exchanges on behalf of cybercriminals, exchange them for either fiat currency or clean crypto, then send that back to the cybercriminals. Like the nested OTC services, many of these underground services also use those exchanges for liquidity.

We can see one example on the Chainalysis Reactor graph below, though names of relevant illicit organizations have been redacted due to ongoing investigations. In this case, the underground laundering service, which functions similarly to a mixer, helped an affiliate for a prominent ransomware strain move funds to a deposit address at a large, centralized exchange. The deposit address is believed to be controlled by the laundering service itself.

Underground money laundering service activity like that shown above isn't as easy to spot as most activity on public blockchains: identifying these services' addresses requires extensive investigative work, and untangling their transactions requires advanced blockchain analysis techniques such as demixing. That means it's difficult to analyze these services' activity at scale. However, we can estimate their activity by analyzing the activity of all wallets and networks of wallets that meet the following criteria:

- Receive large amounts of cryptocurrency from illicit services
- Send large amounts of cryptocurrency to exchanges and other fiat off-ramps

The graph below shows the yearly cryptocurrency value received by wallets that fit those criteria.

[Chart: Total illicit value moving to suspected underground laundering services, 2019-2022: $0.9B (2019), $0.9B (2020), $4.5B (2021), $6.0B (2022).]

Total cryptocurrency moving to wallets fitting those criteria has
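As an added example (not from the report, and not Chainalysis' own tooling), here is a small Python model of the three measurements this section describes: illicit value received per off-ramp deposit address and the share taken by the top five services, the deposit-address value buckets, and the two-sided criterion for suspected underground laundering wallets. The entity labels, transfer values, bucket edges and thresholds are all constructed, and illicit value passing through an unattributed intermediary is attributed one hop forward in proportion to that wallet's illicit inflow share, which is a simplifying assumption.

```python
"""Added example, not from the report: toy on-chain flow analytics over a
constructed, pre-labelled set of transfers. Reproduces (1) illicit value per
off-ramp deposit address and the top-five-service share, (2) the value
buckets, and (3) the two-sided underground-laundering-wallet criterion."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed labels (hypothetical). In practice these come from clustering
# and investigative attribution; here they are simply given.
ILLICIT_SERVICES = {"ransomware_rw1", "darknet_dnm1", "scam_s1"}
OFF_RAMP_OF = {   # deposit address -> fiat off-ramp service that owns it
    "dep_a1": "exchange_A", "dep_a2": "exchange_A", "dep_b1": "exchange_B",
    "dep_c1": "exchange_C", "dep_d1": "exchange_D", "dep_e1": "exchange_E",
    "dep_f1": "exchange_F", "dep_g1": "exchange_G",
}


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    usd: float   # USD value at the time of transfer


# Constructed sample flows. hop_x and hop_y are unattributed intermediary
# wallets; hop_z moves a lot of money but none of it from illicit services.
TRANSFERS = [
    Transfer("ransomware_rw1", "hop_x", 900_000.0),
    Transfer("darknet_dnm1", "hop_x", 600_000.0),
    Transfer("hop_x", "dep_a1", 1_400_000.0),
    Transfer("scam_s1", "hop_y", 20_000.0),
    Transfer("hop_y", "dep_b1", 15_000.0),
    Transfer("ransomware_rw1", "dep_a2", 250_000.0),   # criminal's own account
    Transfer("darknet_dnm1", "dep_c1", 80.0),
    Transfer("scam_s1", "dep_d1", 5_000.0),
    Transfer("scam_s1", "dep_e1", 50.0),
    Transfer("darknet_dnm1", "dep_f1", 700.0),
    Transfer("scam_s1", "dep_g1", 300.0),
    Transfer("hop_z", "dep_b1", 2_000_000.0),
]

BUCKET_EDGES = [100, 1_000, 10_000, 100_000, 1_000_000, 10_000_000, 100_000_000]
BUCKET_LABELS = ["$0-$100", "$100-$1k", "$1k-$10k", "$10k-$100k",
                 "$100k-$1M", "$1M-$10M", "$10M-$100M", "$100M+"]


def _is_intermediary(addr: str) -> bool:
    return addr not in ILLICIT_SERVICES and addr not in OFF_RAMP_OF


def intermediary_flows(transfers):
    """Per intermediary wallet: [illicit inflow, total inflow, outflow to off-ramps]."""
    flows = defaultdict(lambda: [0.0, 0.0, 0.0])
    for t in transfers:
        if _is_intermediary(t.dst):
            flows[t.dst][1] += t.usd
            if t.src in ILLICIT_SERVICES:
                flows[t.dst][0] += t.usd
        if _is_intermediary(t.src) and t.dst in OFF_RAMP_OF:
            flows[t.src][2] += t.usd
    return flows


def illicit_received_by_deposit_address(transfers):
    """Illicit USD per deposit address: direct transfers from illicit services in
    full, transfers from an intermediary in proportion to its illicit inflow
    share (a simplifying one-hop attribution, assumed here)."""
    flows = intermediary_flows(transfers)
    received = defaultdict(float)
    for t in transfers:
        if t.dst not in OFF_RAMP_OF:
            continue
        if t.src in ILLICIT_SERVICES:
            received[t.dst] += t.usd
        elif t.src in flows:
            illicit_in, total_in, _ = flows[t.src]
            received[t.dst] += t.usd * (illicit_in / total_in if total_in else 0.0)
    return dict(received)


def top_n_service_share(received_by_address, n=5):
    """(share of illicit value going to the top n services, number of services hit)."""
    by_service = defaultdict(float)
    for addr, usd in received_by_address.items():
        by_service[OFF_RAMP_OF[addr]] += usd
    total = sum(by_service.values())
    top = sorted(by_service.values(), reverse=True)[:n]
    return (sum(top) / total if total else 0.0), len(by_service)


def bucket_deposit_addresses(received_by_address):
    """Label -> (number of addresses, total illicit USD); lower edge inclusive (assumed)."""
    buckets = {label: [0, 0.0] for label in BUCKET_LABELS}
    for usd in received_by_address.values():
        label = BUCKET_LABELS[sum(1 for edge in BUCKET_EDGES if usd >= edge)]
        buckets[label][0] += 1
        buckets[label][1] += usd
    return {label: (count, total) for label, (count, total) in buckets.items()}


def suspected_underground_wallets(transfers, min_illicit_in=100_000.0, min_out=100_000.0):
    """Wallets meeting both criteria from the text; thresholds are constructed."""
    return {addr for addr, (illicit_in, _, out) in intermediary_flows(transfers).items()
            if illicit_in >= min_illicit_in and out >= min_out}


if __name__ == "__main__":
    recv = illicit_received_by_deposit_address(TRANSFERS)
    share, n_services = top_n_service_share(recv)
    print(f"{n_services} off-ramps hit; top-five share {share:.1%}; buckets:",
          bucket_deposit_addresses(recv))
    print("suspected underground laundering wallets:", suspected_underground_wallets(TRANSFERS))
```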
grown over the last few years, and hit $6 billion in 2022. Again, these are estimates: we can't guarantee that all of the wallets included in this analysis are necessarily underground laundering services, but their on-chain activity suggests that they could be. It's also possible that usage of underground money laundering services will pick up as high-risk exchanges, which have facilitated this activity in the past, face increased pressure from law enforcement, as we saw with Garantex and Bitzlato.

Criminal balances dropped in 2022

As we mentioned previously, criminals will often leave funds in a personal wallet, or in a wallet associated with a criminal service, for extended periods of time. In some cases, this may be because their crimes have generated enough attention that they don't feel it's possible to move the funds without investigators or industry observers calling it out; we see this often with funds stolen in hacks. In other cases, this may reflect an intention to hold cryptocurrency in the expectation its price will rise, or to continue using it for other criminal endeavors. Thanks to the transparency of the blockchain, we can track these criminal balances granularly to know how much confirmed illicit entities are holding at any given time. Below, we'll take a look at how criminal balances changed in 2022.

[Chart: Year-end balances of illicit addresses by crime type, 2017-2022. Categories: terrorism financing, stolen funds, scam, sanctions, ransomware, cybercriminal administrator, fraud shop, darknet market, child abuse material.]

Two things stand out: The first is that criminal balances have plummeted in value in 2022, from $12.0 billion at the end of 2021 to just $2.9 billion. Price declines in the ongoing bear market and large, successful seizures by law enforcement
in 2022 are the most likely causes of this. Second, we can see that stolen funds dominate on-chain criminal balances. This is likely due to the fact that the amount of cryptocurrency stolen in hacks has skyrocketed over the last two years, and that these hacks often become huge points of discussion on crypto Twitter and in other industry forums, with many tracking the funds publicly and sharing the addresses holding stolen funds. This can make it difficult for hackers to move stolen funds to a fiat off-ramp, which could be one reason they choose to leave the funds sitting in personal wallets.

Criminal balances are valuable to track as they represent a lower-bound estimate of cryptocurrency that could potentially be seized by law enforcement; the true number for criminal balances is likely much higher, as it includes funds associated with addresses we've yet to attribute to criminal entities and funds derived from offline criminal activity and converted to cryptocurrency after the fact. Investigative agencies have continued to ramp up their ability to seize cryptocurrency in 2022, with the IRS Criminal Investigation Unit announcing they seized $7 billion worth of digital assets last year, more than double the amount seized in 2021. 2022 saw several other notable stories of cryptocurrency seized from criminals, including:

- A record $3.6 billion seized from two individuals accused of laundering funds stolen in the 2016 hack of Bitfinex
- The November 2021 seizure of $3.36 billion in Bitcoin stolen from darknet market Silk Road, which was later announced publicly in November 2022
- The seizure of $30 million worth of cryptocurrency stolen from Axie Infinity's Ronin Bridge, marking the first successful seizure of cryptocurrency stolen by North Korean hacking syndicate Lazarus Group

Our data on criminal balances suggests there are still more opportunities for successful seizures, and more generally, illustrates a crucial difference between financial investigations in cryptocurrency versus fiat: In cryptocurrency, criminal holdings can't be stashed away in opaque networks of banks and shell corporations; almost everything is out in the open.

Stolen Funds

2022 Biggest Year Ever for Crypto Hacking with $3.8 Billion Stolen, Primarily from DeFi Protocols and by North Korea-linked Attackers

[Chart: Total value stolen in crypto hacks and number of hacks, 2016-2022. 2021: $3.3B stolen; 2022: $3.8B stolen.]

2022 was the biggest year ever for crypto hacking, with $3.8 billion stolen from cryptocurrency businesses. Hacking
activity ebbed and flowed throughout the year, with huge spikes in March and October, the latter of which became the biggest single month ever for cryptocurrency hacking, as $775.7 million was stolen in 32 separate attacks.

[Chart: Total value stolen in crypto hacks and number of hacks by month, 2022. Value stolen: Jan $139.7M, Feb $440.3M, Mar $732.4M, Apr $355.5M, May $122.3M, Jun $114.7M, Jul $264.4M, Aug $531.9M, Sep $167.0M, Oct $775.7M, Nov $110.0M, Dec $34.3M.]

Below, we'll dive into what kinds of platforms were most affected by hacks, and take a look at the role of North Korea-linked hackers, who drove much of 2022's hacking activity and shattered their own yearly record for most cryptocurrency stolen.

DeFi protocols by far the biggest victims of hacks

In last year's Crypto Crime Report, we wrote about how DeFi protocols in 2021 became the primary target of crypto hackers. That trend intensified in 2022.

[Chart: Cryptocurrency stolen in hacks by victim platform type, 2016-2022. Categories: wallet, token protocol, private, DeFi protocol, centralized service.]

DeFi protocols as victims accounted for 82.1% of all cryptocurrency stolen by hackers, a total of $3.1 billion, up from 73.3% in 2021. And of that $3.1 billion, 64% came from cross-chain bridge protocols specifically. Cross-chain bridges are protocols that let users port their cryptocurrency from one blockchain to another, usually by locking the user's assets into a smart contract on the original chain, and then minting equivalent assets on the second chain. Bridges are an attractive target for hackers because the smart contracts in effect become huge, centralized repositories of funds backing the assets that have
been bridged to the new chain; a more desirable honeypot could scarcely be imagined. If a bridge gets big enough, any error in its underlying smart contract code or other potential weak spot is almost sure to eventually be found and exploited by bad actors.

How do we make DeFi safer?

DeFi is one of the fastest-growing, most compelling areas of the cryptocurrency ecosystem, largely due to its transparency. All transactions happen on-chain, and the smart contract code governing DeFi protocols is publicly viewable by default, so users can know exactly what will happen to their funds when they use them. That's especially attractive now in 2023, as many of the market blowups of the past year were due to a lack of transparency into the actions and risk profiles of centralized cryptocurrency businesses. But that same transparency is also what makes DeFi so vulnerable: hackers can scan DeFi code for vulnerabilities and strike at the perfect time to maximize their theft.

DeFi code auditing conducted by third-party providers is one possible remedy to this. Blockchain security firm Halborn is one such provider, and is notable for its clean track record: no DeFi protocol to pass a Halborn audit has subsequently been hacked. We spoke with Halborn COO David Schwed, whose background includes stints in risk and security at large banks like BNY Mellon, about how DeFi protocols can better protect themselves. He emphasized that many of the issues in DeFi come down to a lack of investment in security. “A big protocol should have 10 to 15 people on the security team, each with a specific area of expertise,” he told us. He indicated that the core issue is that DeFi developers prioritize growth over all else, and direct funds that could fund security measures to rewards in order to attract users. “The DeFi community generally isn't demanding better security; they want to go to protocols with high yields. But those incentives lead to trouble down the road.”

Schwed told us that DeFi developers should look to traditional financial institutions for examples of how to make their platforms more secure. “You don't need to move as slow as a bank, but you can borrow from what banks do.” Some measures he recommends include:

- Test protocols with simulated attacks. DeFi developers can simulate different hacking scenarios on testnets in order to test how their protocol stands up to the most common attack vectors.
- Take advantage of crypto's transparency. One huge advantage of a blockchain like Ethereum is that transactions are visible in the mempool before they're confirmed on the blockchain. Schwed recommended that DeFi developers monitor the mempool closely for suspicious activity on their smart contracts to detect possible attacks as early as possible.
- Circuit breakers. DeFi protocols should build out automated processes to pause their protocols and halt transactions if suspicious activity is detected. “It's better to briefly inconvenience users than to have the entire protocol get drained,” said Schwed.

Schwed also
told us that regulators have a role to play here, and can help make DeFi safer by setting minimum security standards that protocol developers must follow. The data on DeFi hacks makes one thing clear: Whether achieved through regulation or voluntary adoption, DeFi protocols will greatly benefit from adopting better security in order for the ecosystem to grow, thrive, and eventually penetrate the mainstream.

[Chart: Yearly total cryptocurrency stolen by North Korea-linked hackers, 2016-2022: 2016 $1.5M, 2017 $29.2M, 2018 $522.3M, 2019 $271.1M, 2020 $299.5M, 2021 $428.8M, 2022 $1,650.5M.]

North Korea-linked hackers break theft records yet again: $1.7 billion stolen

North Korea-linked hackers such as those in cybercriminal syndicate Lazarus Group have been by far the most prolific cryptocurrency hackers over the last few years. In 2022, they shattered their own records for theft, stealing an estimated $1.7 billion worth of cryptocurrency across several hacks we've attributed to them. For context, North Korea's total exports in 2020 totalled $142 million worth of goods, so it isn't a stretch to say that cryptocurrency hacking is a sizable chunk of the nation's economy. Most experts agree the North Korean government is using these stolen funds to fund its nuclear weapons programs. $1.1 billion of that total was stolen in hacks of DeFi protocols, making North Korea one of the driving forces behind the DeFi hacking trend that intensified in 2022.

North Korea-linked hackers tend to send much of what they steal to other DeFi protocols, not because these protocols are effective for money laundering (they're actually quite bad for money laundering given their increased transparency compared to centralized services) but rather because DeFi hacks often result in cybercriminals acquiring large
quantities of illiquid tokens that aren't listed at centralized exchanges. The hackers therefore must turn to other DeFi protocols, usually DEXes, to swap for more liquid assets.

[Chart: Destination of stolen funds, North Korea-linked hacks vs. all others, 2022. Categories: DEX, lending contract, mixer, centralized exchange, cross-chain bridge, mining pool, gambling platform.]

Besides DeFi protocols, North Korea-linked hackers also tend to send large sums to mixers, which have typically been the cornerstone of their money laundering process. In fact, funds from hacks carried out by North Korea-linked hackers move to mixers at a much higher rate than funds stolen by other individuals or groups. But which mixers do they use? We'll dig in below.

Meet the new mixer North Korean hackers have turned to following Tornado Cash's OFAC designation

For much of 2021 and 2022, North Korea-linked hackers almost exclusively used Tornado Cash to launder cryptocurrency stolen in hacks. It's not hard to see why: Tornado Cash was for a time the biggest mixer operating, and its unique technical attributes made the funds it mixes relatively difficult to trace.

[Chart: Mixers used by DPRK to launder funds, Q4 2020 to Q4 2022. Series: Tornado Cash, Blender, Sinbad, other.]

However, the hackers adapted when Tornado Cash was sanctioned in August 2022. While North Korea-linked hackers have still sent some funds to Tornado Cash since then, we
can see above that they diversified their mixer usage in Q4 2022, soon after the mixer's designation. This may be due to the fact that, while still operational, Tornado Cash's overall transaction volume has fallen since its designations, and mixers generally become less effective when fewer people are using them. Since then, the hackers have turned to another mixer, Sinbad, which we'll look at in more detail below.

Sinbad

Sinbad is a relatively new custodial Bitcoin mixer that began advertising its services on the BitcoinTalk forum in October 2022. Chainalysis investigators first observed wallets belonging to North Korea-linked hackers sending funds to the service in December 2022, which we can see on the Reactor graph below. As we've seen in many North Korea-directed hacks, the hackers bridge the stolen funds from the Ethereum blockchain (including a portion of the funds stolen in the Axie Infinity hack) to Bitcoin, then send that Bitcoin to Sinbad. During December 2022 and January 2023, North Korea-linked hackers have sent a total of 1,429.6 Bitcoin worth approximately $24.2 million to the mixer.

North Korea-linked hackers in action: How the Qubit hack unfolded

Qubit was a South Korea-based DeFi lending protocol built on the BNB chain. Qubit also ran an associated protocol, the QBridge, that allows users to use assets on other chains as collateral to borrow against on Qubit, without actually moving those other assets onto BNB Chain. Users send assets they want to collateralize to a QBridge smart contract on those assets' chains, and QBridge mints an equivalent asset on the BNB Chain. Unfortunately, as has happened with many cross-chain bridges, hackers found an exploitable error in the code governing QBridge, and were able to drain the protocol of all of its holdings, roughly $80 million in assets, making it South Korea's largest crypto theft of 2022. We can now share publicly for the first time that we have attributed this attack to North Korea-linked hackers, as was the case with so many other large DeFi hacks in 2022. Let's take a look at how the Qubit hack unfolded.

The exploit the Qubit hackers discovered allowed them to mint unlimited qXETH (an asset meant to represent Ether bridged from the Ethereum blockchain) from the QBridge, without actually depositing any Ether. The hackers used the unbacked qXETH as collateral to “borrow” all of the assets held by the protocol, mostly BNB coin but
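As an added example (not from the report, and not QBridge's or any real bridge's code), here is a toy lock-and-mint reconciliation monitor in Python. It ties the circuit-breaker recommendation from the DeFi section above to the failure described here: it consumes a constructed stream of source-chain Deposit events and destination-chain Mint events, refuses any mint not backed by an unconsumed deposit of the same amount, and pauses the bridge when the minted supply would exceed the locked collateral. The event shapes, amounts and the `d999` unbacked mint are constructed for the simulated-attack runs.

```python
"""Added example, not from the report and not QBridge's code: a toy
lock-and-mint bridge reconciliation monitor with a circuit breaker. The
invariant it enforces is minted supply <= locked collateral, which an
unbacked mint like the qXETH one described above breaks."""
from dataclasses import dataclass, field

ETH = 10**18   # amounts are integers in wei, as on-chain


@dataclass(frozen=True)
class Deposit:
    """Source-chain event: assets locked in the bridge contract."""
    deposit_id: str
    amount: int


@dataclass(frozen=True)
class Mint:
    """Destination-chain event: wrapped assets minted against a deposit."""
    deposit_id: str
    amount: int


@dataclass
class BridgeMonitor:
    locked: int = 0
    minted: int = 0
    paused: bool = False
    alerts: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)   # deposit_id -> amount not yet minted

    def on_deposit(self, d: Deposit) -> None:
        self.locked += d.amount
        self.pending[d.deposit_id] = d.amount

    def on_mint(self, m: Mint) -> bool:
        """Accept the mint only if it matches a pending deposit; trip otherwise."""
        if self.paused:
            self.alerts.append(f"mint {m.deposit_id} rejected: bridge paused")
            return False
        backing = self.pending.get(m.deposit_id)
        if backing is None or backing != m.amount:   # replayed id or no deposit at all
            self._trip(f"unbacked mint {m.deposit_id}: {m.amount} vs deposit {backing}")
            return False
        del self.pending[m.deposit_id]
        self.minted += m.amount
        if self.minted > self.locked:   # global supply invariant, defence in depth
            self._trip("minted supply exceeds locked collateral")
            return False
        return True

    def _trip(self, reason: str) -> None:
        self.paused = True
        self.alerts.append("CIRCUIT BREAKER: " + reason)


def run_events(events):
    """Feed a mixed event stream and return the monitor for inspection."""
    mon = BridgeMonitor()
    for ev in events:
        if isinstance(ev, Deposit):
            mon.on_deposit(ev)
        else:
            mon.on_mint(ev)
    return mon


# Constructed event streams for simulated-attack testing.
HONEST_STREAM = [Deposit("d1", 5 * ETH), Mint("d1", 5 * ETH),
                 Deposit("d2", 2 * ETH), Mint("d2", 2 * ETH)]
# A mint that no deposit ever backed, followed by ordinary traffic.
UNBACKED_STREAM = [Deposit("d1", 5 * ETH), Mint("d1", 5 * ETH),
                   Mint("d999", 1_000 * ETH),
                   Deposit("d2", 2 * ETH), Mint("d2", 2 * ETH)]
# The same deposit id presented twice.
REPLAY_STREAM = [Deposit("d1", 5 * ETH), Mint("d1", 5 * ETH), Mint("d1", 5 * ETH)]

if __name__ == "__main__":
    for name, stream in [("honest", HONEST_STREAM), ("unbacked", UNBACKED_STREAM),
                         ("replay", REPLAY_STREAM)]:
        mon = run_events(stream)
        print(name, "paused" if mon.paused else "ok", mon.alerts)
```

Once paused, later legitimate mints are also refused until an operator reviews the alerts; that is the trade-off Schwed describes above.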
also several BEP-20 tokens, worth roughly $80 million at the time of the theft. The hackers then bridged those funds to the Ethereum blockchain.

Once they bridged the funds from BNB Chain to Ethereum, the North Korean hackers used what was at the time their go-to money laundering strategy: They sent the funds to the mixer Tornado Cash. We can see an example of some of that activity following the Qubit hack below. The hackers received their newly mixed Ether from Tornado Cash, and from there sent a portion to a decentralized exchange to be swapped for different ERC-20 tokens, while the rest was moved to deposit addresses at various centralized exchanges.

The Qubit hack exemplifies many of the key elements of the North Korean hacking strategy we saw in 2022: Exploit a DeFi protocol, bridge the funds to a blockchain where funds can't be frozen, mix them, and move them to a centralized exchange. In this case, South Korea's Transnational Crime Information Center (TCIC) of the National Intelligence Service (NIS) was able to trace the funds in partnership with Chainalysis following the theft.

While North Korea-linked hackers are undoubtedly sophisticated and represent a significant threat to the cryptocurrency ecosystem, law enforcement and national security agencies' ability to fight back is growing. Last year, for example, we saw the first ever seizure of funds stolen by North Korea-linked hackers, when agents recovered $30 million worth of cryptocurrency stolen in the Axie Infinity Ronin Bridge hack. We expect more such stories in the coming years, largely due to the transparency of the blockchain. When every transaction is recorded in a public ledger, it means that law enforcement always has a trail to follow, even years after the fact, which is invaluable as investigative techniques improve over time. Their growing capabilities, combined with the efforts of agencies like OFAC to cut off hackers' preferred money laundering services from the rest of the crypto ecosystem, means that these hacks will get harder and less fruitful with each passing year.

Oracle Manipulation Attacks

Oracle Manipulation Attacks a Rising, Unique Concern for DeFi

As we covered in our section on stolen funds, 2022 was the biggest year in crypto hacking history, with more than $3.8 billion stolen. However, not all of those attacks were what one may think of as hacks
in the traditional sense. In some cases, bad actors were able to drain DeFi protocols of funds without actually taking advantage of an error in the protocol's code. These attackers were able to do this by manipulating the price oracles DeFi protocols use to ensure the assets available on their platforms are priced in accordance with the wider cryptocurrency market. As such, we'll refer to these unique instances as oracle manipulation attacks.

Bad actors typically carry out oracle manipulation attacks by using large amounts of cryptocurrency to quickly increase the trading volume of low-liquidity tokens on the targeted DeFi protocol, which can lead to fast, significant price increases not reflective of the wider market. Those initial funds are often sourced through a flash loan if the attacker doesn't have the funds on hand. Once an asset's price has been driven up, the attacker can then exchange their artificially inflated holdings for other tokens with greater liquidity and a more consistent value, or use them as (worthless) collateral to borrow assets, never to be repaid. Overall, we estimate that in 2022, DeFi protocols lost $386.2 million in 41 separate oracle manipulation attacks.

[Chart: Oracle manipulation attacks, total value stolen and number of attacks by year, 2020-2022.]

Some attackers have tried to argue that oracle manipulation attacks aren't criminal in the same way a more straightforward hack is. In fact, Avraham Eisenberg, the individual behind one of the biggest oracle manipulation attacks of the year, claimed that his actions were perfectly legal and represented nothing more than a “profitable trading strategy.” However, the SEC and CFTC both filed charges of market manipulation against him, with the DOJ also bringing an indictment. While the trial hasn't happened yet, the complaint suggests that authorities won't allow these attackers to evade responsibility, even if the targeted protocol technically behaved as designed. Below, we'll look at Eisenberg's infamous attack on Mango Markets as an example of how oracle manipulation attacks can work.

Breaking down the Mango Markets exploit

One of the biggest oracle manipulation attacks of last year was the October 2022 attack of Mango Markets, a DEX on the Solana blockchain
, which saw $117 million in assets drained from the protocol. The Mango Markets exploit was particularly interesting in that the perpetrator, Avraham Eisenberg, identified himself publicly afterwards and argued that his actions didn't constitute a crime. Here's how the exploit occurred from an on-chain perspective:

1. Eisenberg started with $10 million USDC (it's possible he also used funds not attributable to him on-chain to manipulate asset prices on other exchanges), split across two separate accounts at Mango Markets.
2. Eisenberg used one account to short 488 million MNGO (MNGO, or Mango, is the governance token for Mango Markets), effectively selling 488 million MNGO on leverage, while the other account took the opposite side of that trade, using leverage to buy the same amount.
3. Eisenberg's leveraged purchase of MNGO, combined with further buying of MNGO on other DEXes, pushed the price of MNGO up very quickly on spot exchanges. This was possible because MNGO was a low-liquidity asset without much trading volume. The account used to purchase MNGO immediately profited roughly $400 million in paper gains because all of Eisenberg's buying activity significantly boosted the asset's price.
4. With such a high portfolio value, Eisenberg was able to borrow against his artificially inflated MNGO holdings and remove virtually all of the assets held by Mango Markets. This activity caused MNGO's price to drop immediately, so his long positions were liquidated due to loss of collateral value, but it was too late: Eisenberg had already “borrowed” all of Mango Markets' assets with any real value.

We can see this activity on the Chainalysis Storyline below.

Adding insult to injury, Eisenberg used the MNGO he still held after the exploit to propose and vote on a governance proposal that would
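As an added example (not from the report, and not Mango Markets' code), here is a toy Python model of the general pattern described in this section and in the Mango steps above: a thin constant-product pool used as the price oracle, one large buy in a single block, and the same collateral valued by an instantaneous spot oracle versus a time-weighted average price (TWAP) with a spot-vs-TWAP deviation check. Pool sizes, the 50% loan-to-value ratio, the 30-block window and the 10% deviation threshold are constructed, not Mango's parameters.

```python
"""Added example, not from the report and not Mango's code: a toy
constant-product pool used as a price oracle, showing why valuing collateral
at the instantaneous spot price lets one large buy in a thin market inflate
borrowing power, while a TWAP plus a spot-vs-TWAP deviation check limits it.
Pool sizes, the LTV and the thresholds are constructed."""
from dataclasses import dataclass

LTV = 0.5              # constructed: borrow up to 50% of collateral value
MAX_DEVIATION = 0.10   # constructed: refuse borrows if spot is >10% off the TWAP


@dataclass
class Pool:
    token: float   # reserve of the thin, low-liquidity token
    usdc: float    # reserve of the quote asset

    def spot(self) -> float:
        return self.usdc / self.token

    def buy_token_with_usdc(self, usdc_in: float) -> float:
        """Constant-product swap x*y=k (no fee, assumed). Returns tokens out."""
        k = self.token * self.usdc
        self.usdc += usdc_in
        new_token = k / self.usdc
        out = self.token - new_token
        self.token = new_token
        return out


class TwapOracle:
    """Uniswap-v2-style cumulative price accumulator, one observation per block."""

    def __init__(self):
        self.cum_at = {0: 0.0}   # block -> cumulative price up to and including it
        self.last_block = 0

    def observe(self, block: int, price: float) -> None:
        self.cum_at[block] = self.cum_at[self.last_block] + price   # dt = 1 block
        self.last_block = block

    def twap(self, window: int) -> float:
        """Average price over the last `window` blocks."""
        start = self.last_block - window
        if start not in self.cum_at:
            raise ValueError("not enough history for window")
        return (self.cum_at[self.last_block] - self.cum_at[start]) / window


def max_borrow(collateral_tokens: float, price: float) -> float:
    return collateral_tokens * price * LTV


def borrow_allowed(spot: float, twap: float, max_deviation: float = MAX_DEVIATION) -> bool:
    """Circuit-breaker style check: a spot price far from the TWAP means the
    market just moved abnormally, so new borrows are refused."""
    return abs(spot - twap) / twap <= max_deviation


def simulate(buy_usdc: float = 1_000_000.0, collateral: float = 1_000_000.0,
             window: int = 30) -> dict:
    """`window` blocks of a quiet market, then one block with a large buy.
    Returns how the same collateral is valued by a spot and by a TWAP oracle."""
    pool = Pool(token=10_000_000.0, usdc=300_000.0)   # 0.03 USDC per token, thin
    oracle = TwapOracle()
    for block in range(1, window + 1):
        oracle.observe(block, pool.spot())
    pool.buy_token_with_usdc(buy_usdc)                 # the manipulation block
    oracle.observe(window + 1, pool.spot())
    spot, twap = pool.spot(), oracle.twap(window)
    # Moving the TWAP as far as the spot would mean holding the spike for the
    # whole window, exposed to arbitrage every block; that is what the TWAP buys.
    return {
        "spot": spot,
        "twap": twap,
        "borrow_at_spot": max_borrow(collateral, spot),
        "borrow_at_twap": max_borrow(collateral, twap),
        "borrow_allowed": borrow_allowed(spot, twap),
    }


if __name__ == "__main__":
    for label, r in [("quiet", simulate(buy_usdc=0.0)), ("one big buy", simulate())]:
        print(f"{label}: spot={r['spot']:.4f} twap={r['twap']:.4f} "
              f"borrow@spot=${r['borrow_at_spot']:,.0f} "
              f"borrow@twap=${r['borrow_at_twap']:,.0f} allowed={r['borrow_allowed']}")
```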
313、allow him to return$10 million worth of cryptocurrency stolen in the attack,and keep the rest as a“bug bounty.”The proposal eventually passed.While most hackers avoid publicity,Eisenberg was open about his role in the Mango Markets exploit,and seemed convinced that because the code had at all times
314、technically run as designed,he had done nothing wrong.He even appeared on Laura Shins popular Unchained Podcast to explain this perspective.69Oracle Manipulation AttacksHowever,as the SEC lays out in its complaint,Eisenbergs actions allegedly qualify as market manip-ulation due to the false increase
315、 in MNGO trading volume 2,000%higher on the day of the exploit compared to the average over the previous ten days that he orchestrated.Since charges were filed,Mango Markets has also sued Eisenberg for the difference between what he stole and what he returned as a result of his governance proposal,a
316、rguing that Eisenberg was not engaged in“lawful bargaining”when he negotiated his bug bounty with the Mango Markets DAO.70Darknet MarketsDarknet Markets71Darknet MarketsHow Darknet Markets Fought for Users In the Wake of Hydras Collapse2022 saw a decline in revenue from the previous year for darknet
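Steps 3 and 4 of the Mango Markets case above turn on one design decision: how the lending side priced its collateral. The Python below is an added example, not Chainalysis or Mango Markets code. It models a constructed thin constant-product pool for a token called TOKEN, runs one large buy through it, and compares how much USD a lending desk would lend against the freshly bought tokens when it prices collateral with a naive spot oracle versus a TWAP oracle with a deviation circuit breaker and a liquidity-relative collateral cap. The pool reserves, token name, buy size, loan-to-value ratio and oracle window are all assumptions; the volume-spike helper reproduces, on constructed data, the kind of ten-day-average comparison the SEC complaint cites.

```python
"""Collateral pricing on a thin market: spot oracle vs. a hardened oracle.

Added example; it is not Chainalysis or Mango Markets code.  The pool,
the token (called TOKEN), the reserves, the buy size and the lending
parameters are all constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass
class ConstantProductPool:
    """Minimal x*y=k automated market maker quoting TOKEN in USD."""
    token_reserve: float
    usd_reserve: float

    def spot_price(self) -> float:
        return self.usd_reserve / self.token_reserve

    def buy_token_with_usd(self, usd_in: float) -> float:
        """Swap usd_in for TOKEN along the curve; returns TOKEN received.
        On a thin pool a single large order moves the price a long way."""
        k = self.token_reserve * self.usd_reserve
        self.usd_reserve += usd_in
        new_token_reserve = k / self.usd_reserve
        out = self.token_reserve - new_token_reserve
        self.token_reserve = new_token_reserve
        return out


class SpotOracle:
    """Naive oracle: reports whatever the pool says right now."""
    def __init__(self, pool: ConstantProductPool):
        self.pool = pool

    def observe(self) -> None:
        pass  # nothing to remember

    def price(self) -> float:
        return self.pool.spot_price()


class TwapOracle:
    """Average of the last `window` observations, plus a circuit breaker:
    when spot departs from the average by more than `max_deviation`, the
    lower of the two is used, so collateral is under-valued rather than
    over-valued during a sudden move."""
    def __init__(self, pool: ConstantProductPool, window: int = 10,
                 max_deviation: float = 0.10):
        self.pool = pool
        self.history: deque = deque(maxlen=window)
        self.max_deviation = max_deviation

    def observe(self) -> None:
        self.history.append(self.pool.spot_price())

    def price(self) -> float:
        spot = self.pool.spot_price()
        if not self.history:
            return spot
        twap = mean(self.history)
        if abs(spot - twap) / twap > self.max_deviation:
            return min(spot, twap)
        return spot


def simulate(oracle_cls, quiet_blocks: int = 10, buy_usd: float = 2_000_000.0,
             ltv: float = 0.5, reserve_cap: Optional[float] = None) -> dict:
    """Run `quiet_blocks` of stable prices, then one large buy, then ask how
    much USD the buyer's new TOKEN balance can be borrowed against.
    `reserve_cap`, if set, counts at most that fraction of the pool's TOKEN
    reserve as collateral: the pool could not absorb more at the quoted price."""
    pool = ConstantProductPool(token_reserve=10_000_000.0, usd_reserve=400_000.0)  # $0.04/TOKEN, constructed
    oracle = oracle_cls(pool)
    for _ in range(quiet_blocks):
        oracle.observe()
    tokens = pool.buy_token_with_usd(buy_usd)
    oracle.observe()
    price = oracle.price()
    countable = tokens if reserve_cap is None else min(tokens, reserve_cap * pool.token_reserve)
    return {
        "spot_after": pool.spot_price(),
        "oracle_price": price,
        "tokens_held": tokens,
        "borrow_capacity_usd": price * countable * ltv,
    }


def volume_spike_pct(daily_volumes: list, lookback: int = 10) -> float:
    """Percent by which the last day's volume exceeds the mean of the previous
    `lookback` days, the kind of figure the SEC complaint cites (2,000%)."""
    baseline = mean(daily_volumes[-lookback - 1:-1])
    return (daily_volumes[-1] / baseline - 1.0) * 100.0


if __name__ == "__main__":
    naive = simulate(SpotOracle)
    twap = simulate(TwapOracle)
    capped = simulate(TwapOracle, reserve_cap=0.05)
    print(f"spot after buy: ${naive['spot_after']:.2f} (was $0.04)")
    print(f"spot oracle -> lends ${naive['borrow_capacity_usd']:,.0f} against a $2,000,000 buy")
    print(f"TWAP oracle -> lends ${twap['borrow_capacity_usd']:,.0f}")
    print(f"TWAP + cap  -> lends ${capped['borrow_capacity_usd']:,.0f}")
    # constructed volumes: ten quiet days, then a day at 21x the baseline
    print(f"volume spike: {volume_spike_pct([1e6] * 10 + [21e6]):.0f}% above 10-day average")
```

With the constructed numbers, the spot-priced desk lends $6,000,000 against tokens that cost $2,000,000 to buy, which is the Mango pattern in miniature: the protocol, not the buyer, carries the loss when the price collapses. The TWAP with circuit breaker lends $750,000, so the same buy is now a loss for the buyer, and the liquidity cap brings it down to $7,500. Production lending protocols add further controls (prices aggregated from several venues, per-asset supply and borrow caps); the two shown here are the ones that bear directly on the low-liquidity condition the text identifies.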
markets and fraud shops. Total darknet market revenue for 2022 ended at $1.5 billion, down from $3.1 billion in 2021.

[Chart: Darknet market and fraud shop revenue, 2020-2022, two series (darknet market, fraud shop); annual bar labels $2.1 B (2020), $3.1 B (2021), $1.5 B (2022)]

Four of the top five highest-earning darknet markets in 2022 were conventional, drug-focused darknet markets, while just one, Brian Dumps, was a fraud shop.

[Chart: Top 25 darknet markets and fraud shops by revenue, 2022, each marked as drug market or fraud shop, revenue axis $0 to $600 M. In the chart's order, Hydra first: Hydra Marketplace, Mega Darknet Market, Blacksprut Market, OMG!OMG! Market, Brian Dumps, ASAP Market, MG555, Unicc, Solaris market, Benumb Shop, World Market, Bankomat.cc, Bypass Shop, Matanga market, Abacus Market, HGN store, Incognito market, XNova.ltd, Yalelodge, Basetools-Trustcvv, Easydeals, Approved Credit Card, Flugsvamp 4.0, Russian Market, Exploit.in Escrow]

Hydra Market led the way once again as the highest-earning darknet market in 2022, even though it was sanctioned by OFAC and shut down in a joint U.S.-German operation in April; no other market beat the revenue lead it built up in those four months. Salih Altuntas, a German Federal Police agent who worked on the case, said, "Hydra had a monopoly, and that gave it the time and resources to build out unique services other markets couldn't." For instance, Hydra prided itself on customer service, with perks and thoughtfulness one would expect more from a legitimate business than an online drug market. "Hydra had a service where users could send drugs in to be tested for purity," said Altuntas. "They had a Telegram bot users could contact for first aid information in the event someone overdosed. They helped vendors connect with legal services in the event they were raided by police."

As we'll explore later, the three next-highest earning markets of the year (Mega Darknet Market, Blacksprut Market, and OMG!OMG! Market) all gained their initial market share in the wake of Hydra's collapse, with on-chain data suggesting these markets made concerted efforts to attract former Hydra users and vendors. Hydra's closure prompted a sector-wide decline in darknet market revenues, with average daily revenue for all markets falling from $4.2 million just prior to its closure to $447,000 immediately after. While drug markets' collective revenue hasn't recovered fully, it climbed slowly back toward previous levels in the second half of 2022. Fraud shops, however, have continued to decline.

[Chart: Daily revenue for darknet markets vs. fraud shops, 2020-2022, two panels (darknet market, fraud shop), y-axis $0 to $20 M]

Fraud shops are a unique segment of darknet markets that sell compromised data such as stolen credit card information and other forms of personally identifying information (PII) that can be used for fraudulent activity. This decline was triggered in part by the closure of prominent fraud shops like Bypass Shop, which was shut down in March. Brian Dumps, the biggest overall fraud shop for the year, also appears to have suffered a disruption as its revenue fell almost to zero in October, though it's unclear exactly why.

While darknet markets have largely recovered after Hydra's closure and fraud shops have not, single vendor shops showed a different pattern. Single vendor shops are standalone shops set up by individual drug vendors who have typically gathered a large customer base on a larger, traditional darknet market. Setting up a single vendor shop allows those vendors to save on fees that would ordinarily go to the administrators of a traditional darknet market.

[Chart: Daily revenue: darknet markets vs. single vendor shops, 2022, 30-day moving averages; darknet market inflows on a $0 to $10 M axis, single vendor shop inflows on a $0 to $15,000 axis, January through November 2022]

Throughout 2022, we observed a negative relationship between funds sent to regular darknet markets and those sent to single vendor shops. For instance, we see single vendor shop revenue spike beginning around March, around the same time traditional darknet market revenue began to fall. Similarly, single vendor shop revenue fell concurrently with the recovery of traditional darknet markets from around June through the end of the year.

The battle for market dominance, post-Hydra shutdown

Before law enforcement shut down Hydra, it was the largest darknet market in the world. Prior to its demise, Hydra Marketplace captured 93.3% of all economic value received by darknet markets in 2022, some $357.4 million. The Russia-based darknet market enabled drug sales and offered cybercriminals unique money laundering services. "Hydra had an internal mixer called Bitcoin Bank Mixer, which vendors could use to withdraw Bitcoin from Hydra that appeared clean on-chain," said Altuntas.

[Chart: Hydra's closure and the top eight markets in 2022; received USD (7-day moving average), $0 to $8 M, January 2022 to January 2023, for ASAP Market, Blacksprut Market, Hydra Marketplace, Matanga market, Mega Darknet Market, MG555, OMG!OMG! Market and Solaris market; annotated periods: Hydra dominance, OMG dominance, post-OMG dominance]

Through most of April and May, OMG captured well over 50% of total market share, reaching a peak of
333、s closure and the top eight markets in 2022ASAP MarketBlacksprut MarketHydra MarketplaceMatanga marketMega Darknet MarketMG555OMG!OMG!MarketSolaris marketReceived USD(7-day moving average)$0$2M$4M$6M$8MJan 2022Jul 2022Jan 2023Mar 2022May 2022Sep 2022Nov 2022OMG dominanceHydra dominancePost-OMG dominanceThrough most of April and May,OMG captured well over 50%of total market share,reaching a peak of