FEBRUARY 2024

The 2024 Crypto Crime Report
The latest trends in ransomware, scams, hacking, and more

Table of Contents
Introduction
Ransomware
Money Laundering
Stolen Funds
Market Manipulation
CSAM
Sanctions
Terrorism Financing
Darknet Markets
Scams

Introduction

Illicit Activity Down as Scamming and Stolen Funds Fall, But Ransomware and Darknet Markets See Growth

2023 was a year of recovery for cryptocurrency, as the industry rebounded from the scandals, blowups, and price declines of 2022. With crypto assets rebounding and market activity growing over the course of 2023, many believe that crypto winter is ending, and a new growth phase may soon be upon us. But what did all of that mean for crypto crime? Let's look at the high-level trends.

[Chart: Total cryptocurrency value received by illicit addresses, 2018-2023]

2023 saw a significant drop in value received by illicit cryptocurrency addresses, to a total of $24.2 billion. As always, we have to caveat by saying that these figures are lower bound estimates based on inflows to the illicit addresses we've identified today. One year from now, these totals will almost certainly be higher, as we identify more illicit addresses and incorporate their historic activity into our estimates.

For instance, when we published our Crypto Crime Report last year, we estimated $20.6 billion worth of illicit transaction volume for 2022. One year later, our updated estimate for 2022 is $39.6 billion. Much of that growth came from the identification of previously unknown, highly active addresses hosted by sanctioned services, as well as our addition of transaction volume associated with services in sanctioned jurisdictions to our illicit totals.

Another key reason the new total is so much higher, besides the identification of new illicit addresses: We're now counting the $8.7 billion in creditor claims against FTX in our 2022 figures. In last year's report, we said that we would hold off on including transaction volumes associated with FTX and other firms that collapsed that year under allegedly fraudulent circumstances in our illicit totals until legal processes played out. Since then, a jury has convicted FTX's former CEO of fraud.

Typically, we only include measurable on-chain activity in our estimates for illicit activity. In the case of FTX, it's impossible to use on-chain data alone to measure the scope of the fraudulent activity, as there's no way to isolate illegitimate movements of user funds. As such, we believe the $8.7 billion in creditor claims against FTX is the best estimate to include. Given the size and impact of the FTX situation, we are treating it as an exception to our usual on-chain methodology. If courts convict in similar, ongoing cases, we plan to include their activity in our illicit transaction data as well in the future.

All other totals exclude revenue from non-crypto native crime, such as conventional drug trafficking in which crypto is used as a means of payment. Such transactions are virtually indistinguishable from licit transactions in on-chain data. Of course, law enforcement with off-chain context can still investigate these flows using Chainalysis solutions. In cases where we're able to confirm such information, we count the transactions as illicit in our data, but there are almost certainly many instances where that isn't the case, and therefore the numbers wouldn't be reflected in our totals.

CHAINALYSIS ESTIMATES: How big was crypto crime in 2023?
$24.2B received by illicit addresses
0.34% of total on-chain transaction volume

Estimates of illicit transaction activity DO include:
- Funds sent to addresses we've identified as illicit
- Funds stolen in crypto hacks

Estimates of illicit transaction activity DO NOT include:
- Funds sent to addresses we have not yet identified as illicit. Why? Because we don't know that they're illicit yet. But we update our numbers on a rolling basis as we make more identifications.
- Funds derived from non-crypto native crime, except for cases brought to our attention by customers. Why? Because these transactions are impossible to identify as illicit without more information.
- Funds associated with crypto platforms accused of fraud, absent convictions in court. Why? Because only a judge and jury can make that determination.
- Transaction volume associated with potential market manipulation. Why? Because our research heuristics are designed to catch suspected instances of market manipulation based on on-chain behavior, but aren't definitive.
- Funds associated with crypto money laundering. Why? Because our goal here is to calculate total revenue from illicit activity, based on inflows to illicit addresses. We share the total value laundered on-chain in the report's money laundering section, calculated based on the value sent from illicit addresses to off-ramping services. Including money laundering totals here based on outflows would effectively be double counting, and artificially inflate our estimates of on-chain criminal activity.

In addition to the reduction in absolute value of illicit activity, our estimate for the share of all crypto transaction volume associated with illicit activity also fell, to 0.34% from 0.42% in 2022.[1]

[Chart: Illicit share of all cryptocurrency transaction volume, 2018-2023]

We're also seeing a shift in the types of assets involved in cryptocurrency-based crime.

[Chart: Illicit transaction volume by asset type, 2018-2023]

[1] Transaction volume is a measure of all economic activity, a proxy for funds changing hands. We remove peel chains, internal service transactions, change, and any other type of transaction that would not count as an economic transaction between distinct economic actors.

Through 2021, Bitcoin reigned supreme as the cryptocurrency of choice among cybercriminals, likely due to its
high liquidity. But that's changed over the last two years, with stablecoins now accounting for the majority of all illicit transaction volume. This change also comes alongside recent growth in stablecoins' share of all crypto activity overall, including legitimate activity. However, stablecoin dominance isn't the case for all forms of cryptocurrency-based crime.

[Chart: Illicit transaction volume by crime category and asset type, 2023]

Some forms of illicit cryptocurrency activity, such as darknet market sales and ransomware extortion, still take place predominantly in Bitcoin.[2] Others, like scamming and transactions associated with sanctioned entities, have shifted to stablecoins. Those also happen to be the biggest forms of crypto crime by transaction volume, thereby driving the larger trend. Sanctioned entities, as well as those operating in sanctioned jurisdictions or involved with terrorism financing, also have a greater incentive to use stablecoins, as they may face more challenges accessing the U.S. dollar through traditional means, but still want to benefit from the stability it provides. However, stablecoin issuers can freeze funds when they become aware of their illicit use, as Tether recently did with addresses linked to terrorism and warfare in Israel and Ukraine.

Below, we'll look at three key trends that defined crypto crime in 2023 and will be important to watch moving forward.

[2] These estimates do not include privacy coins like Monero.

Scamming and stolen funds down big

Crypto scamming and hacking revenue both fell significantly in 2023, with total illicit revenue for each down 29.2% and 54.3% respectively. As we discuss later in our scams section, many crypto scammers have now adopted romance scam tactics, targeting individuals and building relationships with them in order to pitch them on fraudulent investing opportunities, rather than advertising them far and wide, which often makes them more difficult to uncover. Although the FBI has published data showing that reports of crypto investment scams in the U.S. have been increasing year over year through 2022, our on-chain metrics suggest scamming revenues globally have been trending down since 2021. We believe this aligns with the long-standing trend that scamming is most successful when markets are up, exuberance is high, and people feel like they are missing out on an opportunity to get rich quickly. Of course, the impact of romance scams on individual victims is devastating and should not be understated. And while increased reporting, at least in the U.S., is a good sign, we still believe insights into romance scams in particular suffer from underreporting. We hypothesize that the true damage of scamming is greater than what reporting to the FBI and our on-chain metrics show, but overall, scamming is down, given broader market dynamics.

Crypto hacking, on the other hand, is much more difficult for criminals to hide, as industry observers can quickly spot the unusual outflows from a given service or protocol when a hack occurs. As we'll discuss later, the decline in stolen funds is driven largely by a sharp dropoff in DeFi hacking. That dropoff could represent the reversal of a disturbing, long-term trend, and may signify that DeFi protocols are improving their security practices. That said, stolen funds metrics are heavily outlier-driven, and one large hack could
again shift the trend.

Ransomware and darknet market activity on the rise

Ransomware and darknet markets, on the other hand, are two of the most prominent forms of crypto crime that saw revenues rise in 2023, in contrast with overall trends. The growth of ransomware revenue is disappointing following the sharp declines we covered last year, and suggests that perhaps ransomware attackers have adjusted to organizations' cybersecurity improvements, a trend we first reported earlier this year.

Similarly, this year's growth in darknet market revenue also comes after a 2022 decline in revenue. That decline was driven largely by the shutdown of Hydra, which was once the world's most dominant market by far, capturing over 90% of all darknet market revenue at its peak. While no single market has yet emerged to take its place, the sector as a whole is rebounding, with total revenue climbing back towards its 2021 highs.

Transactions with sanctioned entities drive the vast majority of illicit activity

Perhaps the most obvious trend that emerges when looking at illicit transaction volume is the prominence of sanctions-related transactions. Sanctioned entities and jurisdictions together accounted for a combined $14.9 billion worth of transaction volume in 2023, which represents 61.5% of all illicit transaction volume we measured on the year. Most of this total is driven by cryptocurrency services that were sanctioned by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC), or are located in sanctioned jurisdictions, and can continue to operate because they're in jurisdictions where U.S. sanctions are not enforced. While those services can and have been used for nefarious purposes, it also means that some of that $14.9 billion in sanctions-related transaction volume includes activity from average
crypto users who happen to reside in those jurisdictions. For example, Russia-based exchange Garantex, which was sanctioned by OFAC and OFSI in the U.K. for its facilitation of money laundering on behalf of ransomware attackers and other cybercriminals, was one of the biggest drivers of transaction volume associated with sanctioned entities in 2023. Garantex continues to operate because Russia does not enforce U.S. sanctions. So, does that mean all of Garantex's transaction volume is associated with ransomware and money laundering? No. Nevertheless, exposure to Garantex introduces serious sanctions risk for crypto platforms subject to U.S. or U.K. jurisdiction, which means those platforms must remain ever-more vigilant and screen for exposure to Garantex in order to be compliant.

Ransomware

Ransomware Payments Exceed $1 Billion in 2023, Hitting Record High After 2022 Decline

In 2023, ransomware actors intensified their operations, targeting high-profile institutions and critical infrastructure, including hospitals, schools, and government agencies. Major ransomware supply chain attacks were carried out exploiting the ubiquitous file transfer software MOVEit, impacting companies ranging from the BBC to British Airways. As a result of these attacks and others, ransomware gangs reached an unprecedented milestone, surpassing $1 billion in extorted cryptocurrency payments from victims. Last year's developments highlight the evolving nature of this cyber threat and its increasing impact on global institutions and security at large.

2023: A watershed year for ransomware

2023 marks a major comeback for ransomware, with record-breaking payments and a substantial increase in the scope and complexity of attacks, a significant reversal from the decline observed in 2022, which we forewarned in our Mid-Year Crime Update.

[Chart: Total value received by ransomware attackers, 2019-2023]

Ransomware payments in 2023 surpassed the $1 billion mark, the highest ever observed. Although 2022 saw a decline in ransomware payment volume, the overall trend line from 2019 to 2023 indicates that ransomware is an escalating problem. Keep in mind that this number does not capture the economic impact of productivity loss and repair costs associated with attacks. This is evident in cases like the ALPHV-BlackCat and Scattered Spider's bold targeting of MGM Resorts. While MGM did not pay the ransom, it estimates damages cost the business
over $100 million.

The ransomware landscape is not only prolific but continually expanding, making it challenging to monitor every incident or trace all ransom payments made in cryptocurrencies. It is important to recognize that our figures are conservative estimates, likely to increase as new ransomware addresses are discovered over time. For instance, our initial reporting for 2022 in last year's crime report showed $457 million in ransoms, but this figure has since been revised upward by 24.1%.

Looking back at 2022: An anomaly, not a trend

Several factors likely contributed to the decrease in ransomware activity in 2022, including geopolitical events like the Russian-Ukrainian conflict. This conflict not only disrupted the operations of some cyber actors but also shifted their focus from financial gain to politically motivated cyberattacks aimed at espionage and destruction.

As we noted in our 2023 Crypto Crime Report, other factors that played a role in this downturn included a reluctance among some Western entities to pay ransoms to certain strains due to potential sanctions risks. Conti in particular faced issues, suffering from reported links to sanctioned Russian intelligence agencies, exposure of the organization's chat logs, and overall internal disarray. This led to a decrease in their activities and contributed to the overall reduction in ransomware incidents in 2022. But researchers have noted that many ransomware actors linked to Conti have continued to migrate or launch new strains, making victims more willing to pay.

Another significant factor in the reduction of ransomware in 2022 was the successful infiltration of the Hive ransomware strain by the Federal Bureau of Investigation (FBI), as announced by the Department of Justice early in 2023. Our analysis highlights the substantial impact of this single enforcement action.

Law enforcement takes on ransomware: The Hive intervention

During the infiltration of Hive, the FBI was able to provide decryption keys to over 1,300 victims, effectively removing the need for ransom payments. The FBI estimates that this intervention prevented approximately $130 million in ransom payments to Hive. But the impact of this intervention extends further than that. Total tracked ransomware payments for 2022 currently stand at just $567 million, indicating the ransom payments prevented by the Hive infiltration significantly altered the ransomware landscape as a whole last year.

[Chart: Top RaaS strains by ransomware revenue, 2022 vs. 2023]

Furthermore, the FBI's $130 million reduced payment estimate may not tell the whole story of just how successful the Hive infiltration was. That figure only looks directly at ransoms averted through the provision of decryptor keys, but does not account for knock-on effects. The Hive infiltration also most likely affected the broader activities of Hive affiliates, potentially lessening the number of additional attacks they could carry out, even using strains other than Hive. During the six months the FBI infiltrated Hive, total ransomware
payments across all strains hit $290.35 million. But our statistical models estimate an expected total of $500.7 million during that time period, based on attacker behavior in the months before and after the infiltration, and that is a conservative estimate. Based on that figure, we believe the Hive infiltration may have averted at least $210.4 million in ransomware payments.

FBI's Tampa Division Special Agent in Charge, David Walker, provided further insights into the importance of the infiltration. "The Hive investigation is an example of a gold standard for deploying the key services model," said Walker. "The FBI continues to see, through its investigations and victim engagements, the significant positive impact actions such as the Hive takedown have against cyber threat actors. We will continue to take proactive disruptive measures against adversaries."

Ransomware resurges: 2023 threat landscape

In 2023, the ransomware landscape saw a major escalation in the frequency, scope, and volume of attacks. Ransomware attacks were carried out by a variety of actors, from large syndicates to smaller groups and individuals, and experts say their numbers are increasing. Allan Liska, Threat Intelligence Analyst at cybersecurity firm Recorded Future, notes, "A major thing we're seeing is the astronomical growth in the number of threat actors carrying out ransomware attacks." Recorded Future reported 538 new ransomware variants in 2023, pointing to the rise of new, independent groups. We can see some of that variety on the
graph below, which shows the most active ransomware strains by quarter for 2023.

[Chart: Top ransomware strains by revenue by quarter, 2023]

We can also see significant differences in the victimization strategies of the top ransomware strains on the chart below, which plots each strain's median ransom size versus its frequency of successful attacks. The chart also illustrates numerous new entrants and offshoots in 2023, who we know often reuse existing strains' code. This suggests an increasing number of new players, attracted by the potential for high profits and lower barriers to entry.

[Chart: Top 50 ransomware strains by median payment size and payment frequency. Note: Bubble size denotes total 2023 ransom inflows]

Some strains, like Cl0p, exemplify the "big game hunting" strategy, carrying out fewer attacks than many other strains, but collecting large payments with each attack. As we'll explore later, Cl0p leveraged zero-day vulnerabilities that allowed it to extort many large, deep-pocketed victims en masse, spurring the strain's operators to embrace a strategy of data exfiltration rather than encryption.

Overall, big game hunting has become the dominant strategy over the last few years, with a bigger and bigger share of
all ransomware payment volume being made up of payments of $1 million or more.

[Chart: $1M+ ransoms as a share of all ransomware payment volume, Jan 2021-Dec 2023]

Other strains, like Phobos, have adopted the Ransomware as a Service (RaaS) model, in which outsiders known as affiliates can access the malware to carry out attacks, and in exchange pay the strain's core operators a cut of the ransom proceeds. Phobos simplifies the process for less technically sophisticated hackers to execute ransomware attacks, leveraging the typical encryption process that is the hallmark of ransomware. Despite targeting smaller entities and demanding lower ransoms, the RaaS model is a force multiplier, enabling the strain to carry out a large quantity of these smaller attacks.

ALPHV-BlackCat is also a RaaS strain like Phobos, but is more selective in the affiliates it allows to use its malware, actively recruiting and interviewing potential candidates for their hacking capabilities. This enables the group to attack bigger targets for larger sums.

It's also important to keep in mind that rebranding and overlapping strain usage remains prevalent for ransomware attackers. As we've covered previously, ransomware administrators often rebrand or launch new strains, while affiliates often switch strains or work for multiple simultaneously. Rebrands often allow ransomware attackers to distance themselves from strains publicly linked to sanctions or that have incurred too much scrutiny. Rebrands and affiliate switching can also allow attackers to hit the same victims twice under different strain names.

Fortunately, blockchain analysis makes it possible to identify ransomware rebrands, by showing on-chain links between wallets of seemingly disparate strains. We can see an example on the Chainalysis Reactor graph below, which shows links between the Trickbot administrator known as Stern, Royal ransomware, and its newer iteration known as 3am.

The frequency of rebranding, especially among actors behind the biggest and most notorious strains, is an important reminder that the ransomware ecosystem is smaller than the large number of strains would make it appear.

The spread of Ransomware-as-a-Service (RaaS) and availability of hacking tools have made it easier to launch attacks

The growth of initial access brokers (IABs) has made it easier for bad actors to carry out ransomware attacks. As their name would suggest, IABs penetrate the networks of potential victims, then sell that access to ransomware attackers for as little as a few hundred dollars. We found a correlation between inflows to IAB wallets and an upsurge in ransomware payments, suggesting monitoring IABs could provide early warning signs and allow for potential intervention and
mitigation of attacks.

IABs combined with off-the-shelf RaaS means that much less technical skill is required to carry out a successful ransomware attack. Andrew Davis, General Counsel at Kivu Consulting, a firm specializing in cybersecurity incident response, told us more about this trend. "The increase in attack volume can be attributed to the affiliate model's ease of access and the adoption of ransomware-as-a-service, a disturbingly effective business model for cybercriminals," said Davis.

We can see examples of this activity on the following Reactor graph, which shows a ransomware operator sending funds to several IABs and other purveyors of tools useful for ransomware attacks.

The ransomware actors depicted above have executed attacks that have brought in millions of dollars.

CASE STUDY
Cl0p: How zero-day attacks enable big game hunting

2023 was remarkable for the number of high-impact ransomware incidents that utilized zero-day vulnerabilities, which are particularly beneficial for threat actors because they leverage security gaps before developers have the opportunity to create and distribute a fix. Zero-day exploits can be even more damaging if they affect software that is ubiquitous but not well-known to end users who are the ultimate victims of an attack, usually because the software is used primarily by vendors serving those end users.

Cl0p's most notorious attack of 2023 was its exploitation of the MOVEit zero-day. MOVEit is a file transfer software used by many IT and cloud applications, so this vulnerability exposed the data of hundreds of organizations and millions of individuals at once. "Many victims of the MOVEit exploitation did not know that they were affected because they were not aware that they were exposed to the software," said Allan Liska of Recorded Future.

Beginning in May of 2023, Cl0p began exploiting the MOVEit vulnerability, enabling the group to target a huge number of victims. With so many targets, encrypting data and distributing decryptor keys to those who pay becomes logistically impractical. Data exfiltration, stealing data without blocking access
and threatening to release it to the public, proves to be a more efficient tactic and hedges against possible decryptors foiling the attack. Lizzie Cookson, Senior Director of Incident Response at Coveware, comments on this tactic. "Encryption requires more expertise, resources, and a specific type of victim landscape," said Cookson. "Exfiltration requires less dwell time, less experience and skill to execute and can often be accomplished without malicious software."

Cl0p's MOVEit campaign allowed it to become for a time the most prominent strain in the entire ecosystem, amassing over $100 million in ransom payments and accounting for 44.8% of all ransomware value received in June, and 39.0% in July.

[Chart: Cl0p's share of all ransomware revenue by month, 2023]

In addition to being extremely lucrative, Cl0p's MOVEit campaign shows that leaner extortion efforts can still get victims to pay.

Ransomware off-ramping: Where do the funds go?

Analyzing the movement of ransomware funds provides essential insights into the methods and services used by threat actors, enabling law enforcement to target and disrupt their financial networks and infrastructure. It is important to keep in mind that threat actors may take weeks, months, or even
years to launder their proceeds from ransomware, and so some of the laundering observed in 2023 is from attacks that occurred well into the past.

Centralized exchanges and mixers have consistently represented a substantial share of transactions, suggesting they are preferred methods for laundering ransomware payments. However, this year saw the embrace of new services for laundering, including bridges, instant exchangers, and gambling services. We assess that this is a result of takedowns disrupting preferred laundering methods for ransomware, some services' implementation of more robust AML/KYC policies, and also an indication of new ransomware actors' unique laundering preferences.

We also see significant concentration in the specific services within each category that ransomware actors turn to for laundering.

[Chart: Destination of funds sent from ransomware wallets, 2022-2023]

[Chart: Concentration in ransomware money laundering by off-ramping service category: Share of value going to the top service in category vs. all others, 2023]

Exchanges showed the lowest level of concentration, while gambling services, cross-chain bridges, and sanctioned entities showed the highest levels of concentration. Mixers, no-KYC exchanges, and underground exchanges were in the middle, with roughly half of all funds sent to each category from ransomware wallets going to one service. Mixer concentration may have increased as a result of the ChipMixer takedown, which eliminated a popular option for ransomware attackers. In general, this overconcentration may expose ransomware actors to bottlenecks that make them vulnerable, as law enforcement could significantly disrupt operations by taking down a relatively small number of services.

Lessons from 2023

The ransomware landscape underwent significant changes in 2023, marked by shifts in tactics and affiliations among threat actors, as well as the continued spread of RaaS strains and swifter attack execution, demonstrating a more efficient and aggressive approach. The movement of affiliates highlighted the fluidity within the ransomware underworld and the constant search for more lucrative extortion schemes.

Threat actors continue to innovate and adapt to regulatory changes and law enforcement actions, but 2023 also saw significant victories in the fight against ransomware with collaboration between international law enforcement, affected organizations, cybersecurity firms, and blockchain intelligence. Lizzie Cookson of Coveware pointed out, "The Hive takedown and the BlackCat disruption are both great examples of how the FBI has been prioritizing victims' assistance, helping victims and imposing costs on bad actors." Andrew Davis of Kivu Consulting also noted an uptick in proactive engagement from law enforcement, indicating a stronger, more determined approach to aiding victims and tracking down cybercriminals.

Money Laundering

Money Laundering Activity Spread Across More Service Deposit Addresses in 2023, Plus New Tactics from Lazarus Group

The goal of money laundering is to obscure the criminal origins of funds so that they can be accessed and spent. In the context of cryptocurrency-based crime, that generally means moving funds to services where they can be converted into cash, while often taking extra steps to conceal where the funds came from. Our on-chain analysis of crypto money laundering therefore focuses on two distinct groups of services and on-chain entities:

- Intermediary services and wallets. This category includes personal wallets, mixers, instant exchangers, various types of DeFi protocols, and other services both legitimate and illicit. Crypto criminals generally use services in this category to hold funds, or to obfuscate their criminal origins, often by obscuring the on-chain link between their source address and their current address.
- Fiat off-ramping services. This category includes any service where cryptocurrency can be converted into fiat
currency, the most common being centralized exchanges. However, it can also include P2P exchanges, gambling services, and crypto ATMs. It's also important to consider nested services that operate using the infrastructure of centralized exchanges and allow for fiat off-ramping, such as many OTC trade desks.

It's important to remember that all of these services have different capabilities and options when it comes to addressing money laundering. Centralized exchanges, for instance, have much more control in that they can freeze funds coming from suspicious or illicit sources. DeFi protocols, however, generally don't have this option, as they run autonomously and don't take custody of users' funds. Of course, DeFi protocols' decentralized nature also means that blockchain analysts can generally trace funds moving through DeFi protocols to their next stop, which isn't the case with centralized services. And of course, illicit services purposely facilitating money laundering can generally be stopped only through law enforcement operations or other legal processes. It's also important to keep in mind that token issuers can play a positive role as well. Stablecoins like USDT and USDC, for instance, have functionalities allowing them to freeze assets held by addresses associated with crime.

With that in mind, let's look at the key crypto money laundering trends of 2023.

2023 crypto money laundering: Key trends

In 2023, illicit addresses sent $22.2 billion worth of cryptocurrency to services, which is a significant decrease from the $31.5 billion sent in 2022. Some of this drop may be attributed to an overall decrease in crypto transaction volume, both legitimate and illicit. However, the drop in money laundering activity was steeper, at 29.5%, compared to the 14.9% drop in total transaction volume.

[Chart: Total cryptocurrency laundered by year, 2019-2023]

Overall, centralized exchanges remain the primary destination for funds sent from illicit addresses, at a rate that has remained relatively stable over the last five years. Over time, the role of illicit services has shrunk, while the share of illicit funds going to DeFi protocols has grown. We attribute this primarily to the overall growth of DeFi generally during the time period, but must also note that DeFi's inherent transparency generally makes it a poor choice for obfuscating the movement of funds.

2023 mostly resembled 2022 in terms of the breakdown of service types used for
money laundering, but we did see a slight decrease in the share of illicit funds moving to illicit service types, and an increase in funds moving to gambling services and bridge protocols.

[Chart: Destination of funds leaving illicit wallets, 2019-2023]

However, if we zoom in to look at how specific types of crypto criminals laundered money, we can see that there was in fact significant change in some areas. Most notably, we saw a huge increase in the volume of funds sent to blockchain bridges from addresses associated with stolen funds, a trend we'll examine in greater detail later. We also observed a substantial increase in funds sent from ransomware to gambling platforms, and in funds sent to bridges from ransomware wallets.

[Chart: YoY change in money laundering services utilized by crime category, 2022 vs. 2023]

Money laundering concentration at fiat off-ramps

Fiat off-ramping services are important because they're where criminals can convert their crypto into cash, the culmination of the money laundering process. While there are thousands of off-ramping services in operation, most money laundering activity is concentrated to a select few services. Of all illicit funds sent to off-ramping services in 2023, 71.7% went to just five services, up slightly from 68.7% in 2022.

[Chart: Share of all illicit funds going to five off-ramping services, 2019-2023]

We can also go one level deeper and examine money laundering concentration at the deposit address level. Deposit addresses are addresses at centralized services associated with individual users; you can think of them as akin to bank accounts. Examining money laundering activity at the deposit address level therefore lets us get a better sense of the individuals or nested services most directly responsible for the majority of crypto money laundering activity. Looking at things through this lens, we can see that money laundering actually became less concentrated at the deposit address level in 2023, even as it became slightly more concentrated at the service level.

[Chart: All illicit cryptocurrency received by fiat off-ramp service deposit addresses, 2023]

How to read this graph: This graph shows service deposit addresses bucketed by how much total illicit cryptocurrency each address received individually in 2023. Each grey bar represents the number of deposit addresses in the bucket, while each blue bar represents the total illicit cryptocurrency
113、ency value received by all deposit addresses in the bucket.Using the first bucket as anexample,we see that 2,235,329 deposit addresses received between$5 and$100 worth of illicit cryptocurrency,and togetherall of those deposit addresses received a total of$69.4 million worth of illicit cryptocurrenc
114、y.In 2023,109 exchange deposit addresses received over$10 million worth of illicit cryptocurrency each,andcollectively,they received$3.4 billion in illicit cryptocurrency.While that still represents significantconcentration,in 2022,only 40 addresses received over$10 million in illicit crypto,for a c
115、ollective total ofjust under$2.0 billion.In 2022,just 542 deposit addresses received over$1 million in illicit cryptocurrency,for a total of$6.3 billion,which was over half of all illicit value received by centralized exchanges that year.In 2023,1,425 deposit addresses received over$1 million in ill
116、icit cryptocurrency,for a total of$6.7 billion,which accounts for just 46%of all illicit value received by exchanges for the year.However,its also worth noting that money laundering concentration differs by criminal type.For instance,CSAM vendors and ransomware operators show a high degree of concen
117、tration just seven depositMoney Laundering27addresses account for 51.0%of all value received from CSAM vendors by exchanges,while forransomware,just nine addresses account for 50.3%.On the other side of the spectrum,scams and darknetmarkets show much less concentration.Forms of crypto crime displayi
118、ng higher concentration may bemore vulnerable to law enforcement,as their money laundering activity relies on comparatively fewerservices that can be disrupted.Money laundering concentration by crime type:Share of total illicit value received by top deposit addresses2023Overall,its possible that cry
119、pto criminals are diversifying their money laundering activity across morenested services or deposit addresses in order to better conceal it from law enforcement and exchangecompliance teams.Spreading the activity across more addresses may also be a strategy to lessen theimpact of any one deposit ad
120、dress being frozen for suspicious activity.As a result,fighting crypto crime viathe targeting of money laundering infrastructure may require greater diligence and understanding ofinterconnectedness through on-chain activity than in the past,as the activity is more diffuse.Money Laundering28Money lau
Money laundering tactics changing: Most sophisticated crypto criminals utilizing bridges and mixers

A big share of crypto money laundering activity is relatively unsophisticated, and consists of bad actors simply sending funds directly to exchanges. We can see this on the Chainalysis Reactor graph below, which shows the now-defunct phone number spoofing service iSpoof, which facilitated over 100 million in scamming activity before being shut down by law enforcement, sending millions in Bitcoin directly to a group of deposit addresses at a centralized exchange.

However, crypto criminals with more sophisticated on-chain laundering skill sets, such as the notorious North Korean cybercriminals associated with hacking gangs like Lazarus Group, tend to utilize a greater variety of crypto services and protocols. Below, we'll look at two important ways sophisticated bad actors adjusted their money laundering strategy, illustrated through examples from Lazarus Group:

Use of a new mixer following Sinbad's takedown and OFAC designation
Chain hopping via cross-chain bridges

Let's take a closer look at both.

New mixer: YoMix takes over for Sinbad

Overall, 2023 saw a decline in funds sent to mixers from illicit addresses, from $1.0 billion in 2022 to $504.3 million in 2023.

Chart: Total illicit value moving to mixers, 2019-2023

Much of this is likely due to law enforcement and regulatory efforts, such as the sanctioning and shutdown of mixer Sinbad in November 2023. But sophisticated cybercriminal groups like Lazarus Group have adapted their mixer usage. As we covered in last year's Crypto Crime Report, Sinbad became a preferred mixer for North Korea-affiliated hackers in 2022, soon after the sanctioning of Tornado Cash, which had previously been the go-to for these sophisticated cybercriminals. With Sinbad out of the picture, Bitcoin-based mixer YoMix has acted as a replacement. We can see an example of this on the Reactor graph below, which shows a wallet associated with North Korean hacking activity receiving funds from YoMix, whereas it had previously received funds from Sinbad.

Overall, YoMix saw huge growth in 2023, with inflows growing by more than 5x over the course of the year.

Chart: Quarterly indexed growth of funds sent to YoMix, 2023 | Index: Q1 2023 = 100

Based on Chainalysis data, roughly one third of all YoMix inflows have come from wallets associated with crypto hacks. The growth of YoMix and its embrace by Lazarus Group is a prime example of sophisticated actors' ability to adapt and find replacement obfuscation services when previously popular ones are shut down.

Use of cross-chain bridges

Cross-chain bridges allow users to move funds from one blockchain to another. Generally, anyone can access these smart contracts, although in theory a bridge could implement a blacklist. All of this activity happens on-chain, which means that blockchain analysts can trace funds through bridges, as no centralized entity ever takes custody of the funds that move to bridges.

As discussed previously, illicit actors' use of bridge protocols for money laundering purposes grew substantially in 2023, particularly amongst crypto thieves.

Chart: Total illicit value moving to bridges, 2019-2023

Overall, bridge protocols received $743.8 million in crypto from illicit addresses in 2023, up from just $312.2 million in 2022. North Korea-affiliated hackers have been among those to utilize bridges for money laundering the most, and we can see an example of this activity on the Reactor graph below.

In this case, funds associated with the 2022 Harmony hack moved to a popular bridge protocol in May 2023, where they were moved from the Bitcoin blockchain to the Avalanche blockchain. The funds were then swapped for a stablecoin, and then bridged again using a different protocol, this time from the Avalanche blockchain to the TRON blockchain.

Sophisticated bad actors adapt frequently

The changes in money laundering strategy we've seen from crypto criminals like Lazarus Group serve as an important reminder that the most sophisticated illicit actors are always adapting their money laundering strategy and exploiting new kinds of crypto services. Law enforcement and compliance teams can be more effective by studying these new laundering methods and becoming familiar with the on-chain patterns associated with them.

Stolen Funds

Funds Stolen from Crypto Platforms Fall More Than 50% in 2023, but Hacking Remains a Significant Threat as Number of Incidents Rises

Over the last few years, cryptocurrency hacking
has become a pervasive and formidable threat, leading to billions of dollars stolen from crypto platforms and exposing vulnerabilities across the ecosystem. As we revealed in last year's Crypto Crime Report, 2022 was the biggest year ever for crypto theft with $3.7 billion stolen. In 2023, however, funds stolen decreased by 54.3% to $1.7 billion, though the number of individual hacking incidents actually grew, from 219 in 2022 to 231 in 2023.

Chart: Yearly total value stolen in crypto hacks and number of hacks, 2016-2023

Why the huge drop in stolen funds? Mostly due to a drop in DeFi hacking. Hacks of DeFi protocols largely drove the huge increase in stolen crypto that we saw in 2021 and 2022, with cybercriminals stealing more than $3.1 billion in DeFi hacks last year. But this year, hackers stole just $1.1 billion from DeFi protocols. This amounts to a 63.7% drop in the total value stolen from DeFi platforms year-over-year. There was also a significant drop in the share of all funds stolen accounted for by DeFi protocol victims in 2023, as we see on the chart below.

Chart: Cryptocurrency stolen in hacks by victim platform type, 2016-2023

We'll explore the possible reasons for the drop in DeFi hacking in greater detail later on. Despite that drop, there still were several large hacks of notable DeFi protocols throughout 2023. In March, for instance, Euler Finance, a borrowing and lending protocol on Ethereum, experienced a flash loan attack, leading to roughly $197 million in losses. July 2023 saw 33 hacks, the most of any month, which included $73.5 million stolen from Curve Finance. We can see the spikes driven by those hacks below.

Chart: Monthly total value stolen in crypto hacks and number of hacks, 2023

Similarly, several large exploits occurred in September and November 2023 on both DeFi and CeFi platforms: Mixin Network ($200 million), CoinEx ($43 million), Poloniex Exchange ($130 million), HTX ($113.3 million), and Kyber Network ($54.7 million).

Keep reading to learn more about crypto hacking trends in 2023, including how North Korea-affiliated cyber criminals had one of their most active years, executing more individual crypto hacks than ever before.

Attack vectors affecting DeFi are sophisticated and diverse

DeFi hacking exploded in 2021 and 2022, with attackers stealing approximately $2.5 billion and $3.1 billion, respectively, from protocols. Mar Gimenez-Aguilar, Lead Security Architect and Researcher at our partner Halborn, a security company specializing in web3 and blockchain solutions, told us more about the rise in DeFi hacking during those years. “There's been a worrying trend in the escalation of both the frequency and severity of attacks within the DeFi ecosystem,” she explained. “In our comprehensive analysis of the top 50 DeFi hacks, we observed that EVM-based chains and Solana are among the most targeted chains, largely due to their popularity and capability to execute smart contracts.” When examining this trend last year, security experts told us that they believe many DeFi vulnerabilities stemmed from protocol operators focusing primarily on growth, and not enough on implementing and maintaining robust security systems.

However, for the first time since DeFi's emergence as a key sector of the crypto economy, the yearly total stolen from DeFi protocols fell, and fell significantly.

Chart: Value stolen in DeFi hacks, 2019-2023

The value lost in DeFi hacks declined by 63.7% year-over-year in 2023, and median loss per DeFi hack dropped by 7.4%. And, while the number of individual crypto hacks rose in 2023, the number of DeFi hacks specifically declined by 17.2%.

In order to understand this trend better, we worked with Halborn to analyze 2023 DeFi hacking activity through the lens of the specific attack vectors hackers utilized.

Classifying and analyzing attack vectors within the DeFi landscape

Attack vectors affecting DeFi are diverse and constantly evolving; it is therefore important to classify them to understand how hacks occur and how protocols might be able to reduce their likelihood in the future. According to Halborn, DeFi attack vectors can be placed into one of two categories: vectors originating on-chain and vectors originating off-chain.

On-chain attack vectors stem not from vulnerabilities inherent to blockchains themselves, but rather from vulnerabilities in the on-chain components of a DeFi protocol, such as their smart contracts. These aren't a point of concern for centralized services, as centralized services don't function as decentralized apps with publicly visible code the way DeFi protocols do. Off-chain attack vectors stem from vulnerabilities outside of the blockchain (one example could be the off-chain storage of private keys in, say, a faulty cloud storage solution) and therefore apply to both DeFi protocols and centralized services.

Table: Hack attack vector sub-categories (Source: Halborn)

Sub-category | Definition | On-chain or off-chain
Protocol exploitation | When an attacker exploits vulnerabilities in a blockchain component of a protocol, such as ones pertaining to validator nodes, the protocol's virtual machine, or in the mining layer. | On-chain
Insider attack | When an attacker working inside a protocol, such as a rogue developer, uses privileged keys or other private information to directly steal funds. | Off-chain
Phishing | When an attacker tricks users into signing permissions, often done by supplanting a legitimate protocol, allowing the attacker to spend tokens on users' behalf. Phishing may also happen when an attacker tricks users into directly sending funds to malicious smart contracts. | Off-chain
Contagion | When an attacker exploits a protocol due to vulnerabilities created by a hack in another protocol. Contagion also includes hacks that are closely related to hacks in other protocols. | On-chain
Compromised server | When an attacker compromises a server that is owned by a protocol, thereby disrupting the protocol's normal workflow or gaining knowledge to further exploit the protocol in the future. | Off-chain
Wallet hack | When an attacker exploits a protocol that provides custodial/wallet services and subsequently acquires information about the wallet's operation. | Off-chain
Price manipulation hack | When an attacker exploits a smart contract vulnerability or utilizes a flawed oracle that does not reflect accurate asset prices, facilitating the manipulation of a digital token's price. | On-chain
Smart contract exploitation | When an attacker exploits a vulnerability in a smart contract's code, which typically grants direct access to various control mechanisms of a protocol and token transfers. | On-chain
Compromised private key | When an attacker acquires access to a user's private key, which can occur through a leak or a failure in off-chain software, for example. | Off-chain
Governance attacks | When an attacker manipulates a blockchain project with a decentralized governance structure by gaining enough influence or voting rights to enact a malicious proposal. | On-chain
Third-party compromised | When an attacker gains access to an off-chain third-party program that a protocol uses, which provides information that can later be used for an exploit. | Off-chain
Other | Either the attack does not fit in any of the previous categories or there is not enough information to properly classify it. | On-chain/Off-chain

According to Gimenez-Aguilar, both on-chain and off-chain vulnerabilities present serious concerns. “Historically, the majority of DeFi hacks have stemmed from vulnerabilities in smart contract design and implementation; a large proportion of the affected contracts we examined had either not undergone any audit or had been audited inadequately,” she said, explaining on-chain vulnerabilities. “Another notable trend is the increase in attacks as a result of compromised private keys, which underscores the importance of improvements in security practices outside of a given blockchain.”

Indeed, the data shows that both the on-chain and off-chain vulnerabilities Gimenez-Aguilar describes, in particular the compromise of private keys, price manipulation hacks, and smart contract exploitation, drove hacking losses in 2023.

Chart: Yearly share of value stolen in DeFi hacks by attack vector, 2023 (Source: Halborn)

Overall, on-chain vulnerabilities drove the majority of DeFi hacking activity in 2023, but as we see on the chart below, that changed over the course of the year, with compromised private keys driving a larger share of hacks in the third and fourth quarters.

Chart: Quarterly share of value stolen from DeFi protocols by attack vector, 2023 (Source: Halborn)

On a hack-by-hack basis, hacks stemming from contagion (on-chain) were the most destructive, with a median loss of $1.4 million. Governance attacks (on-chain), insider attacks (off-chain), and compromised private keys (off-chain) follow, with all three accounting for a median hack value of roughly $1 million.

Chart: Median value stolen in hacks: Breakdown by subtype, 2023 (Source: Halborn)

Overall though, the data provides reasons for optimism. Both the drop in raw value stolen from DeFi, and the relative decline in on-chain vulnerability-driven hacking over the course of 2023, suggest that DeFi operators may be getting better at smart contract security. “I do think that the increase of security measures in DeFi protocols is a key factor in the reduction in the quantity of hacks related to smart contracts vulnerabilities. If we compare the top 50 hacks by value lost from this year with those from previous ones (studied in Halborn's Top 50 hacks report), there is a reduction in percentage of losses from 47.0% of the total to 18.2%. Price manipulation attacks, nevertheless, remain almost constant with around 20.0% of the total value lost. This is an indication that, when performing an audit, protocols should also take into account how they interact with the whole DeFi ecosystem,” said Gimenez-Aguilar. However, she also stressed that the growth in hacks driven by attack vectors such as compromised private keys indicates that DeFi operators must move beyond smart contract security and address off-chain vulnerabilities as well: “Doing the same comparison as before, losses related to compromised private keys increased from 22.0% to 47.8%.”

As we see above, both on-chain and off-chain vulnerabilities can be highly destructive. However, Gimenez-Aguilar also acknowledged that the drop in DeFi hacking losses may be driven in part by the overall drop in DeFi activity in 2023, which may have simply decreased the number of DeFi protocols that made ripe targets for hackers. Total value locked (TVL), which measures the total value held or staked in DeFi protocols, was down for all of 2023, following a sharp decrease in the middle of 2022.

Chart: Monthly total value locked (TVL) in DeFi protocols, Jan 2021-Dec 2023 (Source: DeFiLlama)

We can't say for sure whether the drop in DeFi hacking was driven primarily by better security practices or the drop in DeFi activity overall; most likely, it was a mix of the two. But, if the decrease in hacking was primarily driven by the drop in overall activity, then it would be important to watch whether DeFi hacking rises again in tandem with another DeFi bull market. Such a bull market would lead to higher TVL and therefore a larger pool of DeFi funds for hackers to target.

Regardless, there are steps DeFi operators should take to improve security. DeFi protocols vulnerable to on-chain failures can develop systems that monitor on-chain activity related to economic risks and prior platform losses. Companies such as Hypernative and Hexagate, for example, produce customized alerts to prevent and react to cyber attacks, which can help platforms better secure integrations with third parties such as bridges, and communicate with customers who might be at risk. Platforms vulnerable to off-chain failures may aim to reduce reliance on centralized products and services.

North Korea hacked more crypto platforms than ever in 2023, but stole less in total than in 2022

North Korea-linked hacks have been on the rise over the past few years, with cyber-espionage groups such as Kimsuky and Lazarus Group utilizing various malicious tactics to acquire large amounts of crypto assets. Just last year, cryptocurrency stolen by hackers associated with North Korea reached its highest level of approximately $1.7 billion. In 2023, we estimate that the total amount stolen is slightly over $1.0 billion, but as we see below, the number of hacks rose to 20, the highest number on record, in the context of the overall crypto bear market.

Chart: Estimated value stolen by DPRK-linked hackers, 2016-2023

North Korea-linked hackers stole approximately $428.8 million from DeFi platforms in 2023, and also targeted centralized services ($150.0 million stolen), exchanges ($330.9 million), and wallet providers ($127.0 million).

Chart: Share of value stolen in DPRK-linked hacks by crypto service type, 2016-2023

2023 saw a notable decrease in North Korean targeting of DeFi protocols, mirroring the overall drop in DeFi hacking that we discussed above.

CASE STUDY: The DPRK's Atomic Wallet exploit

In June 2023, thousands of users of Atomic Wallet, a non-custodial cryptocurrency wallet service, were targeted by a hacker, leading to estimated losses of $129 million. The FBI later attributed this attack to North Korea-affiliated hacking group TraderTraitor and stated that the Atomic Wallet exploit was the first in a series of similar attacks, including the Alphapo and Coinspaid exploits later in the month. Although the specifics of how the attack occurred remain unclear, we used on-chain analysis to look at what happened to the funds after the initial attack, which we've broken down into four phases.

In the first phase, the attacker chain hopped (moving assets from one blockchain to another, typically to obfuscate the flow of ill-gotten funds) to the Bitcoin blockchain via the following three methods:

1. Sending funds to centralized exchanges. While we can't continue to trace funds on-chain following their movement to a centralized service, we know in this case that funds stolen from Atomic Wallet were converted into Bitcoin at centralized exchanges because we gathered intelligence from other trusted sources with whom we regularly collaborate.
2. Sending funds to cross-chain bridges where they could be moved to the Bitcoin blockchain.
3. Sending funds to wrapped Ether (wETH) contracts, then moving to the Bitcoin blockchain via the Avalanche Bridge.

The Chainalysis Reactor graph below illustrates the third method, whereby the stolen funds (in Ether at the time) moved through several intermediary addresses before reaching the Avalanche Bridge and converting to Bitcoin.

In the second phase, the attacker sent the stolen funds to the OFAC-sanctioned Sinbad, a mixing service that obscures on-chain transaction details and has been previously used by North Korean money launderers. Then, the attacker withdrew the funds from Sinbad and moved them to consolidation addresses on Bitcoin.

In the third phase, the attacker's money laundering strategy shifted to focusing almost exclusively on the Tron blockchain rather than the Bitcoin blockchain. The attacker chain hopped to the Tron blockchain via one of the following methods:

1. Sending funds to Avalanche through the Avalanche Bridge where they could be moved to the Tron blockchain.
2. Sending funds to centralized services, then moving them to the Tron blockchain.
3. Sending funds through additional mixers or privacy-enhancing services to further obfuscate the flow of funds, then moving them to the Tron blockchain.

In the fourth and final phase, the attacker deposited the funds at various services on the Tron blockchain. Some of these funds were mixed via Tron's JustWrapper Shielded Pool, whereas others were ultimately sent to high-activity Tron addresses suspected of belonging to over-the-counter traders.

Additional on-chain activity revealed that funds stolen from Atomic were consolidated with assets from other sources before moving elsewhere, which is likely related to the subsequent Alphapo and Coinspaid exploits.

The future of crypto hacking

Although the total amount stolen from crypto platforms in 2023 was down significantly from prior years, it is clear that attackers are becoming increasingly sophisticated and diverse in their exploits. The good news is, crypto platforms are becoming more sophisticated in their security and responses to attacks, too. When crypto platforms act promptly after exploits, law enforcement agencies will be better equipped to contact exchanges where frozen funds are located to initiate seizure and contact services through which the funds flowed to gather relevant information about accounts and users. Over time, as these processes improve, it is likely that funds stolen from crypto hacks will continue to decline.
Market Manipulation

54% of ERC-20 Tokens Listed on DEXes in 2023 Display Patterns That May Be Suggestive of Pump and Dump Schemes, but Represent just 1.3% of DEX Trading Volume

For most of the research that we publish in our annual Crypto Crime Report, the data tells a clear story. For instance, funds sent to ransomware operators, darknet markets, or sanctioned entities can be measured and trends can be analyzed with Chainalysis labeling and data. But on-chain data can also be used to detect suspicious trading patterns. In these cases, the evidence on the blockchain is less definitive. Instead, on-chain data can provide a starting point for deeper investigations, usually combined with other, off-chain information. For this reason, we do not include possible market manipulation proceeds or estimates of victim losses in our count of total illicit transaction volume: there isn't enough information to determine whether the activity is criminal or not without additional context.

Pump and dump schemes typically involve an actor or group of actors investing in a token, heavily promoting that token to spur a price increase, and subsequently dumping their holdings at a significant profit. This often results in a heavy decline or even collapse of a token's price, impacting unsuspecting holders.

For this analysis, we designed a methodology to surface data points that identify potential areas for further investigation into possible market manipulation. We focused on DeFi, given its transparency and the availability of on-chain trading data, which is not similarly available for centralized exchanges. Specifically, we looked at the Ethereum network, which has experienced rapid growth and innovation in recent years. Thanks to the ecosystem's ERC-20 standard, or technical guidelines for Ethereum-based fungible tokens, it's never been easier to build new tokens on top of Ethereum, with all tokens able to be traded with one another and used on a variety of decentralized applications (dApps).

Below, we'll use on-chain analysis to consider what some of these patterns look like, a critical tool for market operators and government agencies alike.

How on-chain data could be used to identify elements of possible pump and dump schemes

Between January and December 2023, just over 370,000 tokens were launched on Ethereum, approximately 168,600 of which were available to trade on at least one decentralized exchange (DEX). As we see below, the number of monthly tokens launched has been increasing since mid-2022, with recent spikes in activity nearing 50,000 per month.

This data comes from Transpose, the comprehensive source for indexed real-time blockchain data.

Not all of those tokens get significant traction, though. In any given month, less than 14.1% of all tokens launched achieve more than $300 of DEX liquidity within the subsequent month, and only 5.7% of all tokens launched in 2023 are currently above that threshold. Although this is an increase from the previous two years, low liquidity values suggest that the majority of tokens launched still cannot be easily exchanged with liquid assets such as ETH, wETH, USDC, USDT, and wBTC without having their prices significantly affected.

Chart: Share of tokens launched on Ethereum to achieve $300 in DEX liquidity one month after launch, Jan 2021-Dec 2023

Chart: Number of tokens launched on Ethereum, Jan 2021-Dec 2023

There are many reasons that could explain the failure to reach more liquid trading volumes. As the popularity of tokenization grows, launching new tokens into an increasingly crowded marketplace becomes more challenging. However, some may be attempts at pump and dump schemes. Here is an example of how one type of token manipulation could occur:

1. An actor (or group of actors) either launches a new token or buys a large share of supply for an existing token, usually one with historically low volume.
2. This actor hypes up the token as an opportunity to “get rich quick,” typically using social media and online chat rooms like Discord and Telegram.
3. The persistent marketing on social media and chat rooms attracts attention from users, leading to an increase in buying.
4. The actor may also engage in wash trading, which involves the simultaneous buying and selling of the same asset with the intent of falsifying its level of activity.
5. If successful, the token rises in value.
6. Once the token reaches the desired price target, the actor liquidates their position for a profit.
7. The price of the token rapidly drops due to increased selling pressure, leaving many victims “holding the bag.”
8. If the actor is also the token creator, they may completely abandon the token project, taking more users' funds with them, also known as a “rug pull.” However, this is not always possible depending on the governance of the project.

Many of these elements can be identified in on-chain data. We utilized Transpose to look for ERC-20 tokens that met the following three criteria, which we'll refer to as Criteria A:

1. The token was purchased five times or more by DEX users with no on-chain connection to the token's biggest holders, indicating that it achieved some level of traction in the market.
2. A single address removed more than 70.0% of the liquidity in the token's DEX liquidity pool, indicating that the biggest holder dumped the token. In most cases, the address removed the token's liquidity within the first few weeks of launch.
3. The token currently has liquidity of $300 or less, indicating that the market for the token essentially ceased following the removal of liquidity. If the token was involved with multiple DEX pools, we combined the liquidity of each one.

We found that approximately 90,408 tokens launched in 2023 met Criteria A. This number represents 24.4% of all tokens launched on Ethereum and 53.6% of tokens that were listed on a DEX during the time period studied. However, over the course of the year, the volume of transactions made with tokens that met Criteria A accounted for only 1.3% of total trade volume on Ethereum DEXes.

Category | Number of tokens | Percent of all tokens launched
Total tokens launched | 370,066 | 100.0%
Tokens listed on DEX | 168,623 | 53.6%
Tokens currently with less than $300 in liquidity where a single address removed more than 70.0% of liquidity in a single transaction with five or more previous DEX purchases | 90,408 | 24.4%

This methodology does not mean these tokens were the subjects of pump and dump schemes; rather, it illustrates how operators or regulators can leverage on-chain trading data to identify and prioritize patterns that may suggest illicit activity and warrant further investigation.

The monthly number of new tokens meeting Criteria A has been declining since mid-2023, although it is still higher than the number from 2022.

Chart: Number of ERC-20 tokens that met criteria for possible pump and dump, Jan 2022-Dec 2023 (Source: Transpose)

How much did actors who launched tokens meeting Criteria A profit before their tokens plummeted in value? We can calculate this using the following formula, based on how wallets associated with a token's launch interacted with its DEX liquidity pools and traded the token itself.

A = Amount withdrawn from DEX pool by possible illicit actor
B = Amount deposited into DEX pool by possible illicit actor
C = Funds spent by illicit actor to trade token, possibly via wash trading
Profit = A - B - C

Using this formula, we calculate that actors who launched tokens meeting Criteria A collectively made approximately $241.6 million in profit in 2023, not accounting for other costs to build and launch the token.

Chart: Estimated monthly profit generated by tokens that met criteria for possible pump and dump, 2023 (Source: Transpose)
216、s that met criteria for possible pump and dump2023Source:TransposeAlthough the total profit amassed by these actors is significant,individual tokens meeting our criteria onaverage produce just$2,672 each in profit and,again,account for just 1.3%of total Ethereum DEX tradingvolume for 2023.The data p
217、aints a picture of an ecosystem in which potentially bad actors could generatetens of thousands of potential pump and dump tokens,most of which fail to generate significant profit anddont attract meaningful trading volume.Market Manipulation52CASE STUDYOne of 2023s most prolific token creators gener
218、ated81 different token typesSome of the actors involved also appear to launch multiple tokens that meet our criteria.During the time period studied,we identified one address Wallet 1 on the chart below that appearsto have been involved in the most launches of tokens meeting Criteria A.The operator o
219、f this addresslaunched 81 different token types to generate an estimated$830,000 in profits.Top 20 wallets by number of tokens launched that met criteria for possible pump and dump2023In one instance,this address earned approximately$46,000 on the launch and DEX listing of a token wellrefer to as To
220、ken A.We can see a breakdown of how this address operator successfully executed these activities and moreusing Chainalysis Storyline.First,on August 5,2023,the address operator sent wrapped Ether(wETH)and Token A to a liquidity pool.Next,the address operator appears to have wash traded using ETH and
221、wETH,shown by the eight subsequent transactions,and removed some liquidity on August 6,likely totake partial profits.Market Manipulation53After executing these trades,the address operator removed all wETH and Token A liquidity on August 9 byselling existing positions,and left remaining users with no
222、 liquidity to sell their own assets.Since these lastremovals,there have been no additional transactions in this liquidity pool,suggesting a rug pull in additionMarket Manipulation54to the suspected pump and dump scheme.Taken together,this activity suggests the actor may haveemployed different tactic
223、s for a relatively complex attack.The below chart illustrates how the liquidity of the DEX pool shifted during this period,showing severalsharp increases in the wETH balance on August 6.On the far right,we see that the liquidity moved back tozero once the address operator withdrew all funds on Augus
224、t 9.Overall,108 other market participantsusing this DEX pool appear to have lost funds;they had purchased approximately$55,000 in Token Aduring this period.Amount of wETH in liquidity pool during Token A rise and declineAug 5,2023-Aug 9,2023Source:TransposeMonitoring market patterns to maintain cryp
225、to marketintegrity and stabilityMarket manipulation,such as pump and dump schemes,are destructive to the crypto markets in the sameway they are to traditional markets.However,cryptocurrencys inherent transparency provides anopportunity to build safer markets.Market operators and government agencies
226、can deploy monitoring toolsthat can help identify and prioritize areas for further investigation in a way that wouldnt be possible intraditional markets.Tools like Transpose can help monitor on-chain data for signs of unusual activity,and help surfaceactionable leads in conjunction with various form
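The following is an added example, not code from the report or from Transpose: a small Python screen that applies the three Criteria A tests to a constructed set of DEX events and, where a dump is found, evaluates Profit = A - B - C for the dumping address. The event schema, the wallet addresses, the USD values and the transfer graph used as a stand-in for "on-chain connection to the token's biggest holders" are all assumptions; pool value is simplified to liquidity adds plus buys (quote asset paid in) minus removals, which is also an assumption rather than how Transpose measures it.

```python
"""Added example, not code from the report or from Transpose: applying the
three Criteria A tests and Profit = A - B - C to constructed DEX events.
Schema, addresses, USD values and the transfer graph are all assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    token: str
    pool: str
    kind: str    # "buy", "add_liquidity" or "remove_liquidity"
    actor: str
    usd: float   # USD value moved by this event (constructed)
    day: int     # days since the token launched


# Constructed transfer edges; any path to the biggest liquidity provider is
# this example's stand-in for "on-chain connection to the biggest holders".
TRANSFERS: List[Tuple[str, str]] = [("0xdeployer", "0xsock1"), ("0xsock1", "0xsock2")]

EVENTS: List[Event] = [
    # TOK1: unrelated buyers give it traction, then one address pulls nearly
    # all liquidity and the pool is left with $300 (constructed).
    Event("TOK1", "P1", "add_liquidity", "0xdeployer", 10_000.0, 0),
    Event("TOK1", "P1", "buy", "0xsock1", 1_000.0, 1),   # linked wallet: wash buy
    Event("TOK1", "P1", "buy", "0xsock2", 1_000.0, 1),   # linked wallet: wash buy
    *[Event("TOK1", "P1", "buy", f"0xuser{i}", 900.0, 2) for i in range(6)],
    Event("TOK1", "P1", "add_liquidity", "0xlp", 2_000.0, 2),
    Event("TOK1", "P1", "remove_liquidity", "0xdeployer", 19_000.0, 5),
    Event("TOK1", "P1", "remove_liquidity", "0xlp", 100.0, 6),
    # TOK2: liquidity stays in the pool, so criteria 2 and 3 fail (constructed).
    Event("TOK2", "P2", "add_liquidity", "0xfounder", 50_000.0, 0),
    *[Event("TOK2", "P2", "buy", f"0xtrader{i}", 500.0, 3) for i in range(20)],
    Event("TOK2", "P2", "remove_liquidity", "0xfounder", 5_000.0, 30),
    # TOK3: dumped, but only two buyers, so criterion 1 fails (constructed).
    Event("TOK3", "P3", "add_liquidity", "0xdev", 1_000.0, 0),
    Event("TOK3", "P3", "buy", "0xa", 100.0, 1),
    Event("TOK3", "P3", "buy", "0xb", 100.0, 1),
    Event("TOK3", "P3", "remove_liquidity", "0xdev", 1_200.0, 2),
]


def reachable_from(start: str, edges) -> Set[str]:
    """Addresses linked to `start` by any chain of transfers (undirected BFS)."""
    adj: Dict[str, Set[str]] = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    seen, queue = {start}, [start]
    while queue:
        for nxt in adj[queue.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def evaluate_token(token: str, events: List[Event], transfers, *, min_buys: int = 5,
                   dump_share: float = 0.70, dead_liquidity: float = 300.0) -> dict:
    """Apply Criteria A to one token; if a dump is found, estimate the dumper's profit.
    Simplification (assumption): pool value rises with liquidity adds and with buys
    (quote asset paid in) and falls with liquidity removals."""
    ev = sorted((e for e in events if e.token == token), key=lambda e: e.day)
    deposits: Dict[str, float] = defaultdict(float)
    for e in ev:
        if e.kind == "add_liquidity":
            deposits[e.actor] += e.usd
    if not deposits:
        return {"token": token, "meets_criteria_a": False, "dumper": None}
    connected = reachable_from(max(deposits, key=deposits.get), transfers)
    # Criterion 1: buys by DEX users with no link to the biggest holder.
    independent_buys = sum(1 for e in ev if e.kind == "buy" and e.actor not in connected)
    # Criterion 2: a single removal taking more than dump_share of the pool.
    pool_value: Dict[str, float] = defaultdict(float)
    dumper: Optional[str] = None
    for e in ev:
        if e.kind in ("add_liquidity", "buy"):
            pool_value[e.pool] += e.usd
        elif e.kind == "remove_liquidity":
            before = pool_value[e.pool]
            if dumper is None and before > 0 and e.usd / before > dump_share:
                dumper = e.actor
            pool_value[e.pool] = max(0.0, before - e.usd)
    # Criterion 3: liquidity left today, summed across the token's pools.
    current_liquidity = sum(pool_value.values())
    profit: Optional[float] = None
    if dumper is not None:
        cluster = reachable_from(dumper, transfers)   # dumper plus linked wallets
        a = sum(e.usd for e in ev if e.kind == "remove_liquidity" and e.actor == dumper)
        b = sum(e.usd for e in ev if e.kind == "add_liquidity" and e.actor == dumper)
        c = sum(e.usd for e in ev if e.kind == "buy" and e.actor in cluster)  # wash trades
        profit = a - b - c
    return {"token": token, "independent_buys": independent_buys, "dumper": dumper,
            "current_liquidity": current_liquidity, "estimated_profit": profit,
            "meets_criteria_a": (independent_buys >= min_buys and dumper is not None
                                 and current_liquidity <= dead_liquidity)}


def flag_tokens(events: List[Event], transfers) -> List[str]:
    """Tokens meeting all three criteria, in first-seen order."""
    tokens = list(dict.fromkeys(e.token for e in events))
    return [t for t in tokens if evaluate_token(t, events, transfers)["meets_criteria_a"]]


if __name__ == "__main__":
    for t in ("TOK1", "TOK2", "TOK3"):
        print(evaluate_token(t, EVENTS, TRANSFERS))
    print("flagged:", flag_tokens(EVENTS, TRANSFERS))
```

Running it flags only TOK1: TOK2 keeps its liquidity, and TOK3 was dumped but never reached five unrelated buyers, which is the point of criterion 1 as a traction filter. The buys by the two wallets linked to the deployer are counted under C rather than as traction, matching the report's treatment of wash trading as a cost to the actor.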
CSAM

On-chain Analysis Suggests CSAM Vendors May Benefit from Privacy Coins Like Monero and Other Obfuscation Measures

CSAM (child sexual abuse material) is an understudied part of the crypto crime ecosystem. The industry is broadly aware that there are digital spaces where CSAM can be bought and sold using crypto, and there are well-publicized instances of law enforcement shutting down crypto-based CSAM marketplaces like Welcome to Video.

Not all CSAM activity involves cryptocurrency, and in many cases, users simply trade CSAM amongst themselves. But cryptocurrency-based sales of CSAM are a growing problem. Tamsin McNally, Hotline Manager at the Internet Watch Foundation (IWF), shared with us that they "find virtual currency is the dominant choice for buyers and sellers of commercial child sexual abuse content, so much so that we now have a dedicated crypto unit that works with law enforcement and the finance industry to help provide evidence for investigations." This analysis is our first attempt to produce a comprehensive, objective measure of the CSAM-cryptocurrency ecosystem.

First, we debut a methodology for measuring the scope of the crypto-based CSAM ecosystem across a number of different variables, based on on-chain activity. Overall, our data suggests that while the size of the crypto-based CSAM market has decreased in 2023, the sophistication of CSAM sellers, and in turn their resilience to detection and takedowns, has increased over time. In addition, we'll look at CSAM vendors' use of obfuscation measures such as mixers and privacy coins like Monero, and examine how vendors may benefit from them.

All of the CSAM data we analyze here is based on a subset of over 400 on-chain CSAM vendor wallets we've identified that were active between 2020 and 2023 and met a specific threshold of transaction activity. We observed over 10,000 wallets that sent funds to CSAM vendor wallets in 2023, which for the purposes of this analysis we label as CSAM buyers. Identifying CSAM vendors isn't easy, as most shy away from advertising even on the darknet due to the stigma associated with this particularly abhorrent form of crime; virtually all darknet markets, for example, explicitly ban the sale of this material. Our identifications of CSAM vendor wallets come from a variety of sources, including the IWF, other partners and customers, and our own investigations.

We are almost certainly not capturing all on-chain CSAM activity, but given the breadth of sources we draw from, as well as the fact that we have a big enough sample size to measure non-scale based characteristics like longevity and sophistication, we believe this analysis sheds valuable light on how on-chain CSAM marketplaces operate and have changed over time.

How crypto's CSAM problem has changed over time: A four-component measurement

We quantify most forms of cryptocurrency-based crime primarily based on the crypto value received by illicit addresses. However, this would be misleading in the case of CSAM. As a recent research report by the European Parliament explains, there's more CSAM on the internet than ever before, and it's never been cheaper to produce. Given the flood of inexpensive material, and the fact that each piece of content inherently involves abuse, we don't believe that a dollar figure can accurately measure the true damage of CSAM.

Instead, we've come up with a four-component measurement to assess the unique problem of CSAM over time based on different on-chain metrics. For any given period of time, we can assign a score for each of the four components, and in that way see how the cryptocurrency-based CSAM market changes across each component over time. Those four components are listed below.

1. Scale
Scale captures the size of the CSAM market in terms of transactions and participants. On-chain metrics here include:
- Number of wallets sending to CSAM vendors [3]
- Number of distinct CSAM vendors active during the time period
- Number of transactions incoming to CSAM vendors
- Total value sent to CSAM vendors

2. Severity
Severity is intended to capture the extremity and volume of the content being shared on a per transaction basis. While this can't be directly seen on-chain, we can infer these characteristics based on the price of individual transactions with CSAM vendors. On-chain metrics here include:
- Mean payment size
- Median payment size
- Number of CSAM vendors that have received payments of $70 or more in size; these represent the highest tier of payments that CSAM vendors typically charge in a single transaction for content. We'll explain the five-tier payment classification system experts use for CSAM marketplace analysis in more detail later.

3. Sophistication
Sophistication refers to the level of obfuscation measures taken by CSAM providers during a given time period. Later in the report, we'll examine the relationship between sophistication and CSAM vendors' ability to stay in operation for longer. On-chain metrics here include:
- Inflows to CSAM vendors from mixers (which we assume to be customer payments made via mixers)
- Outflows from CSAM vendors to mixers (which we assume represent efforts by CSAM vendors to launder funds)
- Outflows from CSAM vendors to instant exchange services that support privacy coins like Monero (which we assume are possible conversions into privacy coins by CSAM vendor operators for money laundering purposes)

4. Resilience
Resilience refers to CSAM vendors' ability to become active and stay in business. On-chain metrics here include:
- Average cumulative lifespan of active CSAM vendors
- Number of CSAM vendors that became inactive during the time period (this would negatively impact the resilience score)
- Number of new services that became active during the time period
- The net growth or decline of CSAM vendors, calculated by subtracting the number of services that became inactive during a given year from the number of new services that emerged in that year

[3] For the purposes of this analysis, we do not count transactions from services to CSAM vendors, which could also represent people purchasing this material. We also do not count instances where one individual may be purchasing CSAM from another who made the initial purchase from a CSAM vendor. For example, if personal wallet 1 transfers to CSAM vendor 1, and then personal wallet 2 transfers to personal wallet 1, we don't count that second transaction, which might be redistribution. Again, we are almost certainly not capturing all on-chain CSAM activity.

Let's look at how the crypto-based CSAM market has changed over the last four years along each of those four axes.

[Chart: CSAM activity on-chain by year: A four-component measurement]
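As an added illustration of the four components, not code from the report or from Chainalysis, the Python below computes each component's metrics for one year from constructed vendor-wallet, payment and outflow records. It also classifies each payment with the five-tier price scheme the report describes in the next subsection ($10, $20, $35, $50 and $70 boundaries); treating each boundary as the start of the next tier is this example's own choice. The record schema, the wallets, the amounts and the dates are all assumptions, and the footnote's exclusion of service-to-vendor transfers is applied by skipping senders typed as "service".

```python
"""Added example (not from the Chainalysis report): computing the four
components (scale, severity, sophistication, resilience) for one year from
constructed vendor-wallet, payment and outflow records. Schema, wallets,
amounts and dates are assumptions; the tier thresholds are the report's."""
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Dict, Optional

AS_OF = date(2023, 12, 31)   # observation date (constructed)


@dataclass(frozen=True)
class Vendor:
    wallet: str
    first_seen: date
    last_seen: Optional[date]   # None = still active at AS_OF


@dataclass(frozen=True)
class Payment:
    sender: str
    sender_type: str   # "personal" or "service"; services are excluded (footnote 3)
    vendor: str
    usd: float
    when: date
    via_mixer: bool    # inflow arrived from a mixer


@dataclass(frozen=True)
class Outflow:
    vendor: str
    dest_type: str     # "cex", "mixer" or "instant_exchanger_xmr"
    usd: float
    when: date


VENDORS = [
    Vendor("V1", date(2020, 3, 1), None),
    Vendor("V2", date(2021, 1, 15), date(2022, 6, 30)),
    Vendor("V3", date(2022, 2, 1), None),
    Vendor("V4", date(2023, 5, 10), date(2023, 9, 1)),
]
PAYMENTS = [
    Payment("B1", "personal", "V1", 15.0, date(2023, 1, 5), False),
    Payment("B2", "personal", "V1", 80.0, date(2023, 2, 1), False),
    Payment("B3", "personal", "V3", 40.0, date(2023, 3, 3), True),
    Payment("B1", "personal", "V3", 25.0, date(2023, 4, 4), False),
    Payment("EXCH", "service", "V1", 60.0, date(2023, 4, 5), False),  # not counted
    Payment("B4", "personal", "V4", 12.0, date(2023, 6, 1), False),
    Payment("B5", "personal", "V4", 70.0, date(2023, 7, 1), False),
    Payment("B6", "personal", "V2", 50.0, date(2022, 2, 2), False),
    Payment("B7", "personal", "V1", 35.0, date(2022, 3, 3), False),
]
OUTFLOWS = [
    Outflow("V1", "cex", 500.0, date(2023, 1, 20)),
    Outflow("V1", "instant_exchanger_xmr", 300.0, date(2023, 3, 1)),
    Outflow("V3", "mixer", 120.0, date(2023, 5, 5)),
    Outflow("V3", "instant_exchanger_xmr", 90.0, date(2023, 8, 8)),
    Outflow("V2", "cex", 200.0, date(2022, 4, 4)),
]

# Lower bound of each tier, highest first; a payment falls in the first tier
# whose floor it reaches (boundary handling is this example's assumption).
TIER_FLOORS = [(70.0, 5), (50.0, 4), (35.0, 3), (20.0, 2), (10.0, 1)]


def payment_tier(usd: float) -> Optional[int]:
    """Map a payment to the five-tier scheme; below $10 is untiered (None)."""
    for floor, tier in TIER_FLOORS:
        if usd >= floor:
            return tier
    return None


def measure_year(year: int, vendors=VENDORS, payments=PAYMENTS,
                 outflows=OUTFLOWS, as_of: date = AS_OF) -> Dict[str, dict]:
    start, end = date(year, 1, 1), date(year, 12, 31)
    pays = [p for p in payments if start <= p.when <= end and p.sender_type == "personal"]
    outs = [o for o in outflows if start <= o.when <= end]
    active = [v for v in vendors
              if v.first_seen <= end and (v.last_seen is None or v.last_seen >= start)]
    amounts = [p.usd for p in pays]
    tiers = {t: 0 for t in range(1, 6)}
    for usd in amounts:
        t = payment_tier(usd)
        if t is not None:
            tiers[t] += 1
    new = [v for v in vendors if start <= v.first_seen <= end]
    gone = [v for v in vendors if v.last_seen is not None and start <= v.last_seen <= end]
    # Cumulative lifespan of each vendor active this year, measured to year end.
    lifespans = [(min(v.last_seen or as_of, end) - v.first_seen).days for v in active]
    return {
        "scale": {"buyers": len({p.sender for p in pays}), "active_vendors": len(active),
                  "incoming_transactions": len(pays), "total_value_usd": sum(amounts)},
        "severity": {"mean_payment_usd": mean(amounts) if amounts else 0.0,
                     "median_payment_usd": median(amounts) if amounts else 0.0,
                     "vendors_with_top_tier_payment": len({p.vendor for p in pays if p.usd >= 70.0}),
                     "tier_counts": tiers},
        "sophistication": {
            "mixer_inflows_usd": sum(p.usd for p in pays if p.via_mixer),
            "mixer_outflows_usd": sum(o.usd for o in outs if o.dest_type == "mixer"),
            "xmr_instant_exchanger_outflows_usd": sum(
                o.usd for o in outs if o.dest_type == "instant_exchanger_xmr")},
        "resilience": {"avg_lifespan_days": mean(lifespans) if lifespans else 0.0,
                       "inactive_vendors": len(gone), "new_vendors": len(new),
                       "net_growth": len(new) - len(gone)},
    }


if __name__ == "__main__":
    for y in (2022, 2023):
        print(y, measure_year(y))
```

Resilience is where the censoring matters: a vendor whose last activity falls on the observation date is still active, so `last_seen` is `None` rather than a date, and it contributes to average lifespan without counting as "became inactive". A net growth of zero for the constructed 2023 data (one new vendor, one gone) is the report's "subtract inactive from new" definition applied directly.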
Overall, we see that the scale and severity of CSAM activity peaked in 2021 after relatively low activity in 2020. The fluctuations in severity become clearer when we incorporate our five-tier payment classification system. This tiered pricing system has been identified by the IWF as being used by many CSAM vendors, with higher tiers being more expensive and giving users a greater volume of content, and often more extreme content, in the context of a single purchase. The tiering system is as follows:
- Tier 1: $10-$20
- Tier 2: $20-$35
- Tier 3: $35-$50
- Tier 4: $50-$70
- Tier 5: $70 or more

As we can see on the chart below, purchases in Tiers 4 and 5 have decreased as a share of overall CSAM transactions over time since 2021, while the share for Tiers 1 and 2 has increased.

[Chart: CSAM purchases by severity tier, 2020-2023]

This may indicate that the CSAM being disseminated is becoming less extreme, or that less material is being provided on a per purchase basis. Of course, it could also mean that the market is being flooded with content, leading to price drops across the board regardless of the extremity of the content. For instance, researchers have noted that AI is enabling the dissemination of synthetic CSAM; a glut of such content could drive prices down.

We also see that the resilience of CSAM vendors has gone up. Look at the following chart, which shows the lifespan of all CSAM vendors we track by start date and end date.

[Chart: Average lifespan for active CSAM vendors by year, 2020-2023]

Lifespans are trending upwards: In 2023, the lifespan of the average active CSAM vendor is 884 days, up from 560 days in 2022. However, relatively few new CSAM vendors have cropped up in 2023, just 43, compared to 112 in 2022. Still, how is it that so many CSAM vendors are able to persist for so long, and why is resilience going up?

Of course, there are many steps CSAM vendors could be taking to obfuscate their activity that have nothing to do with cryptocurrency, such as the use of internet anonymity tools like Tor. But when it comes to crypto specifically, the data suggests CSAM vendors may be benefiting from the use of Monero. Monero is the most popular of the so-called "privacy coins," which are cryptocurrencies whose blockchains employ unique privacy enhancing features that make it more difficult to follow the flow of funds or discern their original source.

[Screenshot] This screenshot shows a CSAM vendor soliciting Monero donations on its darknet website.

Many CSAM vendors have adopted Monero in recent years, though Bitcoin is by far the most widely used cryptocurrency for CSAM purchasing. In fact, while the screenshot above shows a vendor asking users to pay in Monero, the data suggests Monero's role is more prevalent in CSAM vendors' efforts to launder their on-chain earnings, rather than to obscure the purchases themselves. It's difficult to show Monero's role directly on-chain using standard blockchain analysis techniques, but we can look at CSAM vendors' use of Monero-friendly instant exchangers to estimate their potential Monero use. Unlike traditional centralized exchanges (CEXes), which have largely delisted Monero, instant exchangers are non-custodial and generally don't offer crypto-to-fiat conversion, but unlike, say, a DeFi protocol, they are centrally managed by a single organization. Instant exchangers typically draw on the liquidity of multiple CEXes to give users the best possible prices, and facilitate the exchange of one crypto for another directly between users' wallets, such that the transaction is often difficult to trace on-chain. That, along with the fact that many instant exchangers don't require KYC, can make them helpful for concealing the original source of cryptocurrency.

It is also possible that CSAM vendors are swapping into other cryptocurrencies, including privacy coins other than Monero. But based on vendors' specific solicitation of Monero and our own investigations, we believe Monero to be the currency of choice for laundering via instant exchangers.

Our data shows that CSAM vendors' usage of instant exchangers that allow for Monero conversion has increased significantly over the last few years.

[Chart: Monthly value sent to exchanges by CSAM services: Monero-friendly instant exchangers vs. traditional CEXes, 2020-2023]

Traditional CEXes have always been the biggest recipient of funds sent by illicit services, including CSAM vendors. However, Monero-friendly instant exchangers have narrowed the gap in recent years, suggesting that CSAM vendor wallets may be increasing their usage of Monero for money laundering purposes, even though they continue to receive the bulk of customer payments in Bitcoin. Some CSAM vendors have transitioned almost entirely away from direct sending to CEXes, instead sending funds only to Monero-friendly instant exchangers. We can see two examples of CSAM vendors that made that switch in 2022 on the chart below.

[Chart: Two example CSAM vendor wallets that are potentially using more Monero]

If CSAM vendors' usage of Monero-friendly instant exchangers does indeed correlate with actual usage of Monero, the data suggests that Monero may be helping those CSAM vendors survive longer. Check out the following chart, which compares the survival rates over time of a sample of CSAM vendors that send funds to Monero-friendly instant exchangers versus those that do not.

[Chart: Survival of CSAM services by potential Monero use]

CSAM vendors that use Monero-friendly instant exchangers are much more likely to survive initially than those that don't: within 50 days of launching, the survival rate of potential Monero-using CSAM vendors is roughly 77.6%, compared to just 57.0% for all others. Furthermore, at the 1,000-day mark, 19.2% of potential Monero-using CSAM vendors are still active, compared to just 3.8% of all others. While the lack of KYC at many instant exchangers and inability to trace through these centralized services may also play a role, the data suggests that Monero could be a huge boon to CSAM vendors.

It's important to note that the use of an instant exchanger does not necessarily provide anonymity for users. Some instant exchangers do have KYC and other compliance processes, including transaction monitoring. We also know that many comply with law enforcement requests related to investigations, including ones involving CSAM.

Overall, 52.0% of CSAM vendor wallets active in 2023 have sent funds to Monero-friendly instant exchangers. One reason that number isn't higher could be Monero's comparative difficulty of use. Many exchanges don't support Monero for off-ramping purposes, though users could always swap back from Monero to a different cryptocurrency that's easier to convert into cash. Regardless, the data suggests that the availability of privacy coins like Monero may help CSAM vendors stay in business longer. Law enforcement may consider investment in specialized blockchain analysis services that can make tracing Monero and other assets possible, and instant exchangers that do not employ traditional compliance practices may consider building programs that contribute to a safer ecosystem.
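The survival comparison above is a standard right-censored survival problem: a vendor wallet still active at the observation date has a lifespan known only to be at least the observed one. The Python below is an added example, not code from the report or from Chainalysis, that builds a Kaplan-Meier survival curve for two cohorts of constructed vendor records (those flagged as sending to Monero-friendly instant exchangers and all others) and reads off survival at the 50-day and 1,000-day horizons the report uses. The records, their lifespans and the cohort flag are assumptions; the percentages it produces are for the constructed data, not the report's figures.

```python
"""Added example (not from the Chainalysis report): Kaplan-Meier survival of
two constructed cohorts of vendor wallets, split by whether they sent funds to
a Monero-friendly instant exchanger. Records and the cohort flag are assumed;
a wallet still active at the observation date is right-censored."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class VendorRecord:
    wallet: str
    observed_days: int        # days from first activity to last (or to observation date)
    went_inactive: bool       # False = still active at observation, i.e. censored
    uses_xmr_exchanger: bool  # sent funds to a Monero-friendly instant exchanger


RECORDS: List[VendorRecord] = [   # constructed sample
    VendorRecord("X1", 30, True, True),
    VendorRecord("X2", 60, False, True),
    VendorRecord("X3", 80, True, True),
    VendorRecord("X4", 200, False, True),
    VendorRecord("X5", 400, True, True),
    VendorRecord("X6", 1200, False, True),
    VendorRecord("O1", 20, True, False),
    VendorRecord("O2", 45, True, False),
    VendorRecord("O3", 70, True, False),
    VendorRecord("O4", 150, True, False),
    VendorRecord("O5", 300, False, False),
    VendorRecord("O6", 900, True, False),
]


def kaplan_meier(observations: Iterable[Tuple[int, bool]]) -> List[Tuple[int, float]]:
    """Step function S(t): at each day with at least one 'went inactive' event,
    multiply by (1 - events / wallets still at risk). Censored wallets stay at
    risk up to and including their last observed day, then drop out."""
    obs = list(observations)
    steps, s = [], 1.0
    for t in sorted({days for days, inactive in obs if inactive}):
        at_risk = sum(1 for days, _ in obs if days >= t)
        events = sum(1 for days, inactive in obs if days == t and inactive)
        s *= 1.0 - events / at_risk
        steps.append((t, s))
    return steps


def survival_at(steps: List[Tuple[int, float]], day: int) -> float:
    """Value of the step function at `day` (1.0 before the first event)."""
    s = 1.0
    for t, value in steps:
        if t > day:
            break
        s = value
    return s


def survival_by_cohort(records: List[VendorRecord],
                       horizons: Tuple[int, ...] = (50, 1000)) -> Dict[str, Dict[int, float]]:
    cohorts = {
        "xmr_instant_exchanger": [r for r in records if r.uses_xmr_exchanger],
        "other": [r for r in records if not r.uses_xmr_exchanger],
    }
    result: Dict[str, Dict[int, float]] = {}
    for name, rows in cohorts.items():
        steps = kaplan_meier((r.observed_days, r.went_inactive) for r in rows)
        result[name] = {h: survival_at(steps, h) for h in horizons}
    return result


if __name__ == "__main__":
    for cohort, values in survival_by_cohort(RECORDS).items():
        print(cohort, {h: round(v, 3) for h, v in values.items()})
```

The estimator only steps down on observed shutdowns, so a long-lived wallet that is still active pulls the curve up by staying in the at-risk denominator rather than by being counted as a survivor outright; that is what keeps the comparison honest when one cohort has more recent launches than the other.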
CASE STUDY: Using blockchain analysis to track down CSAM vendors and administrators

Now that we've examined how the CSAM marketplace has changed over time, and the techniques vendors may be using to evade detection, the question remains: How can law enforcement catch the people buying and selling CSAM with cryptocurrency? We've got one example courtesy of Homeland Security Investigations (HSI). Using blockchain analysis tools, HSI Special Agents, Analysts and New York Police Department (NYPD) detectives were able to identify the administrator of a large-scale darkweb CSAM service and rescue a child being victimized by one of the service's customers. The team accomplished this starting with nothing more than a web address scrawled on a piece of paper, discovered while searching the apartment of what appeared to be a lone sex offender. We'll describe how they did it below.

Following the trail from one arrest to an online network

In 2019, an NYPD detective working with HSI New York's Cyber Division arrested New York City resident Jason Seto in an undercover operation, in which Seto believed he was meeting up with a 14-year-old boy for sexual activity. Soon after, the investigators discovered something interesting while executing a search warrant at the suspect's apartment: A TOR web address written on a piece of paper next to the suspect's computer. The detective visited the darkweb website and immediately discovered a directory of CSAM forums and websites, one of which allowed users to purchase CSAM and even arrange meetups with underage victims, all paid for in Bitcoin.

Being well-versed in blockchain analysis, the detective worked alongside HSI New York's Darkweb and Cryptocurrency Task Force in pursuing next steps. Investigators sent a small test payment of Bitcoin to the address provided by the service, and communicated with the site's administrator. The detective posed as a user seeking CSAM content, and promised to send a full payment once the administrator confirmed receipt of the initial transaction. Once the administrator confirmed he'd received the Bitcoin, the detective knew the address truly belonged to the administrator, and ceased communication. From there, a task force analyst watched the address' on-chain activity using Chainalysis Reactor, and waited for the administrator to move the funds. Sure enough, the administrator eventually sent Bitcoin to a peer to peer (P2P) exchange. From there, the task force's investigation led to the identity of the individual.

Immediately, one can see why it's crucial for law enforcement professionals in all agencies and divisions, not just those focused on cybercrime, to understand the basics of cryptocurrency and blockchain analysis. "Law enforcement has to evolve and keep up with technology in order to identify cyber criminals," said HSI New York Supervisory Special Agent (SSA) Anthony V. With cryptocurrency now playing a role in many forms of crime with a financial component, including sex crimes against minors, as we see in this case study, law enforcement must know how to identify and analyze cryptocurrency addresses in order to be as effective as possible.

In this case, the darkweb administrator was identified as residing outside of the United States and investigators are working diligently to follow up on viable leads.

Blockchain analysis leads to second arrest and rescue of child

The HSI task force wasn't done yet. Thanks to the unique transparency of blockchains, investigators could do more than watch where the darkweb administrator sent funds after discovering his Bitcoin address. They could also observe incoming funds from other customers. This is an important advantage that law enforcement agents gain when investigating criminal activity being conducted with cryptocurrency rather than fiat currency. "Understanding the illicit flow of cryptocurrency allows law enforcement to unravel complex investigations," explained SSA Anthony V.

While observing the darkweb administrator's Bitcoin wallet, investigators saw another address sending Bitcoin in an amount suggesting the purchase of CSAM videos. The agents saw that the new address had been funded by a centralized cryptocurrency exchange, and began investigating further. The task force identified the CSAM buyer and discovered that he was also producing his own CSAM, abusing a 12-year-old victim to do so. Courts eventually sentenced this buyer to 55 years in prison.

How law enforcement agents can use blockchain analysis to fight CSAM

As we discussed above, law enforcement agents can fight CSAM more successfully, as well as other forms of crime, if they become familiar enough with blockchain analysis to spot crypto addresses and analyze their on-chain activity for actionable leads.

However, cryptocurrency exchanges have an important role to play as well. With the right transaction monitoring tools, exchanges can get alerted in real time if their users transact with any addresses identified as belonging to a CSAM vendor, and proactively report those transactions to the proper authorities. Exchanges can also help by collaborating with law enforcement when agents request information.

HSI encourages collaboration between the private sector and law enforcement, especially when it comes to the exploitation of the most vulnerable in our society: our children. We commend our partners at the HSI and the NYPD for their work on this case.

Sanctions

In 2023, OFAC's Crypto-linked Sanctions More than Double, Tornado Cash Inflows Slowly Climb
In 2023, the U.S. Office of Foreign Assets Control (OFAC) imposed a total of 18 sanctions on individuals or entities that included cryptocurrency addresses in their designation. Additionally, Chainalysis has identified crypto addresses belonging to other entities that OFAC designated in 2023, such as ransomware gang members associated with Trickbot. Each year, OFAC continues to expand on its crypto-related designations, including a wider variety of entities under additional sanctions programs.

Overall, crypto inflows to sanctioned entities and jurisdictions comprised 61.5% of all illicit transaction volume last year, as seen in the chart below, representing $14.9 billion in transaction volume. Notably, the targets of OFAC's crypto-linked sanctions shifted from the previous year. While OFAC designated major services like Garantex, Hydra, and mixers Tornado Cash and Blender.io in 2022, its sanctions mostly targeted groups and individual actors in 2023, with the exception of fraud shop Genesis Market and crypto mixer Sinbad.io.

[Chart: Share of all illicit transaction volume associated with sanctioned entities and jurisdictions, 2018-2023]

As we see on the chart, sanctions-related transaction volume is making up a larger and larger share of all illicit transaction volume over the last few years, in part due to the number of entities being sanctioned, but also due to the difficulty of enforcing sanctions against entities in regions that don't comply with OFAC's designations or against decentralized operations. In addition to the increased number of crypto sanctions, OFAC has also designated larger services over time. As mentioned, this includes some entities that cannot concurrently be shut down by law enforcement, like the notorious decentralized mixer Tornado Cash, which was sanctioned in 2022 and therefore continues to transact after being sanctioned, though at much smaller volumes. Garantex, a Russia-based crypto exchange sanctioned in 2022, also continues to receive crypto as it is in a region that doesn't comply with OFAC's sanctions.

In this section of the crime report, we'll provide an overview of sanctions trends, share who was sanctioned and why, examine Tornado Cash's post-designation crypto activities, and discuss the origin points of crypto inflows to Iran.

Sanctions activity and trends in 2023

Since 2022, total crypto transaction value associated with sanctioned entities has remained high, as seen in the chart below. Two services are mostly responsible for this elevated volume: Garantex, sanctioned on April 5, 2022 for its affiliation with illicit actors including ransomware as a service (RaaS) groups, and Tornado Cash, sanctioned on August 8, 2022, for its role in laundering crypto stolen by the North Korean-linked hacking organization Lazarus Group. As for crypto sent to sanctioned jurisdictions, that has trended downward from the bull market peaks of 2021.

[Chart: Quarterly value sent to sanctioned entities and jurisdictions, Q1 2022-Q4 2023]

When examining the top five entities sanctioned in 2023 by volume and their crypto inflows in the year leading up to their designations, we see below that they collectively received $821.4 million in crypto during that time. Sinbad.io, a Bitcoin mixer which OFAC sanctioned and law enforcement shut down in November of 2023, was used by North Korea-affiliated hacking outfit Lazarus Group for crypto laundering, and took the lion's share of those inflows with $665.4 million in crypto received. As mentioned earlier, 2023 mostly saw sanctions against smaller targets and individuals, rather than major services.

[Chart: Crypto inflows one year prior to sanctioning for the top sanctioned entities in 2023]

Drug-related sanctions with a crypto nexus in 2023

As the U.S. fentanyl crisis persists, drug-related sanctions appeared to be a priority in 2023. OFAC imposed nine fentanyl-related sanctions including crypto addresses as identifiers in their designations, across four different sanctioning events. On April 17, OFAC designated individuals and entities in China and Latin America for their role in fentanyl manufacturing and trafficking. On September 26, it sanctioned individuals involved in illegal fentanyl, cocaine, and methamphetamine trafficking into the United States on behalf of Mexico's Sinaloa Cartel. And on October 3, it sanctioned China-based individuals and companies involved in the manufacturing and distribution of fentanyl, other drugs, and associated precursor chemicals. It's also worth noting that, in 2023, OFAC updated a designation to add a crypto address for China-based chemical company Hebei Atun, which was sanctioned in 2021 for its involvement in fentanyl precursor chemical sales.

North Korea-related sanctions with a crypto nexus in 2023

Last year, across three different sanctioning events, OFAC designated five individuals/entities tied to its North Korea Sanctions Regulations program that included crypto addresses in their designations. The first event occurred on April 24, against China-based individuals facilitating crypto money laundering activities used to fund North Korean weapons of mass destruction and missile programs. The second event, on May 23, was a joint action by OFAC and South Korea's Ministry of Foreign Affairs (MOFA), against entities and individuals associated with illicit North Korean revenue generation schemes. The third, on November 29, was a sanction against crypto mixer Sinbad.io for its use by Lazarus Group, a North Korea-affiliated cybercriminal syndicate, to launder millions of dollars in stolen crypto. And while no crypto addresses were included in its designation, on November 30 OFAC and Japan's Ministry of Foreign Affairs jointly sanctioned North Korean hacking group Kimsuky for its cyber espionage activity and support of North Korea's nuclear weapons program. This came after South Korea's Ministry of Foreign Affairs sanctioned Kimsuky in June of that year, where cryptocurrency addresses were included in the designation.

Crypto-linked entities sanctioned in 2023: Who they are and what they do

Below is a breakdown of individuals and entities with ties to cryptocurrency that were sanctioned by OFAC in 2023, along with the reason they were sanctioned.

Name / Reason for sanction
- North Korea hacking group Kimsuky: Cyber espionage
- Crypto mixer Sinbad.io: Crypto money laundering
- Russian national Ekaterina Zhdanova: Crypto money laundering
- Gaza-based MSB Buy Cash: Terrorism financing
- China-based illicit drug producers: Fentanyl manufacturing and distribution
- Sinaloa cartel affiliates: Drug trafficking & crypto money laundering
- Trickbot affiliates: Ransomware
- Roman Semenov, Tornado Cash co-founder: Money laundering
- ISIS and Al-Qaeda operatives: Terrorism
- North Korea hackers: Hacking and money laundering
- Dubai-based financial services firm, its CEO John Desmond Hanafin, and affiliates: Russian sanctions evasion
- Russian national Mikhail Matveev: Ransomware
- China-based individuals facilitating DPRK: Crypto money laundering
- Chinese chemical businesses and Latin American drug cartel associates: Fentanyl production and purchase
- Fraud shop Genesis Market: Stolen PII
- Russia-based cybercrime gang Trickbot: Malware
- Igor Vladimirovich Zimenkov and affiliates: Russian arms dealing

OFAC's crypto-linked sanctions by program

Since OFAC began including crypto addresses in its designations six years ago, it's worth examining the variety of sanctions programs on which it based these actions. Year to year, we can observe compositional changes in the types of sanctions OFAC has imposed according to these programs. Before we look at those trends, here are the programs where crypto has been included and any corresponding Executive Orders (EOs).

OFAC program name / Description
- CYBER2: Malicious cyber threat actors, EO 13694 and EO 13757
- DPRK2: Activity related to the Democratic People's Republic of Korea (DPRK), EO 13687
- DPRK3: Activity related to DPRK, EO 13722
- DPRK4: Activity related to DPRK, EO 13810
- ELECTION-EO13848: Foreign actors interfering with US elections, EO 13848
- IRGC/IFSR: Iranian actors/Iranian Financial Sanctions Regulations
- ILLICIT-DRUGS: Foreign persons involved in global illicit drug trade, EO 14059
- NPWMD: Weapons of mass destruction proliferators
- RUSSIA-EO14024: Specified harmful activities of the Russian government, EO 14024
- SDGT: Global terrorism
- SDNTK: Foreign narcotics kingpin
- UKRAINE-EO13661: Persons contributing to the situation in Ukraine, EO 13661

When looking at the history of OFAC's crypto-linked sanctions, we see an expansion in the programs it's employed since the first designation in 2018, starting with single programs in the first and second years, and branching out to several more in the years following. This highlights just how many sanctions programs have a cryptocurrency connection, underscoring the pervasive use of crypto by bad actors, and the steps the industry has taken to react to that.
318、the first and second years,and branching out to several more in the years following.This highlights just how many sanctionsprograms have a cryptocurrency connection,underscoring the pervasive use of crypto by bad actors,andthe steps the industry has taken to react to that.Sanctions74In the chart bel
319、ow,we see that crypto-linked sanctions tied to OFACs illicit drugs program increasedsubstantially in 2023,with four times as many designations as 2022.Crypto-related sanctions againstNorth Korea(DPRK2-4)also rose,as did designations against cybercriminals(CYBER2).OFACs crypto-linked sanction activit
320、y by program2018-2023Tornado Cash inflows slowly rebound post-sanctioningIn August of 2022,Ethereum mixer Tornado Cash was sanctioned for its role in laundering over$455million worth of cryptocurrency stolen by Lazarus Group.Despite this action and OFACs delisting andredesignation of Tornado Cash th
321、at November,due to the decentralized nature of its operations,TornadoCash could not physically be shut down.While on-chain data indicates that,relative to the pre-sanctionsmonthly average,the mixers monthly inflows dropped by as much as 93%immediately following OFACsdesignation,Tornado Cash inflows
322、have since risen from that low by 28 percentage points,and the mixerhas received a total of$822.0 million in crypto since the designation.Sanctions75Tornado Cash crypto inflows by monthJan 2022-Dec 2023However,its important to note that when looking at the comparable period prior to OFACs designatio
323、n,Tornado Cash processed over$7.6 billion in crypto,indicating that the sanctioning event has since reducedcrypto sent to the mixer by 89.2%.Its still worth watching Tornado Cash as its continued activity in the lastyear highlights the challenge of enforcing sanctions on decentralized entities,while
324、 also demonstrating theefficacy of sanctions and reinforcing the need for regulation in the DeFi ecosystem.Sources of crypto inflows to Iranian exchanges in 2023Iran continues to be a major cryptocurrency adopter,with dozens of exchanges in the country processingbillions of dollars in transactions,w
325、hich begs the question:How is Iran using crypto?And how is itpotentially using it to evade international sanctions?The following chart shows crypto inflows to Iran bysource between 2020 and 2023.Sanctions76Quarterly crypto inflows to Iran by top three origin points2020-2023In 2023,73.3%inflows to Ir
326、anian exchanges came from international mainstream exchanges and couldindicate that Iranian services are heavily used to facilitate transfer of value in and out of the country.With the broad-reaching international sanctions against Iran,crypto could be a mechanism used to evadedetection.This is furt
327、her evidenced by how-to videos regularly posted on social media platforms thatexplicitly detail ways for Iranian entities to skirt sanctions by using crypto.For example,one videodescription states,Because of sanctions on Iran,it is impossible for Iranians to have internationaltransactions easily.So
328、you might ask how is it possible for people in Iran to buy and sell cryptos in Iran?I will explain for you in this video.”Screenshot of a video that claims to instruct Iranians on how to evade sanctions using cryptoSanctions77Interestingly,the second largest counterpart to Iranian crypto exchanges i
329、s other Iranian crypto exchanges,at 17.1%of the total volume.This may indicate Iranians are also using crypto exchanges for eitherin-country transactions or to send funds amongst friends and relatives.Given the extreme volatility of theIranian Rial,its possible that Iranians are seeking other mechan
330、isms to transfer value,which may accountfor Irans relatively high ranking in the Chainalysis Global Crypto Adoption Index at 28th in the world.The third largest counterpart to Iranian crypto services is mining pools,with 3.16%of the total volumeacross all assets and 29.1%of Bitcoin flows.Iran legali
331、zed cryptocurrency mining in 2019 and its also theeighth largest oil producer in the world,with 4%of global oil production.Given the extensive sanctionsagainst Iran and its access to affordable energy,experts have warned that Iran could use crypto mining asa revenue generation tool to mitigate the i
332、mpact of global sanctions.Considering this data,in the absence of access to traditional financial systems,Iranian exchange usersmay be leveraging licit services like the international mainstream exchange ecosystem to transfer and storevalue.Recapping crypto-related sanctions in 2023Crypto inflows to
333、 sanctioned entities and jurisdictions took the largest share of illicit inflows in 2023.Thiscould be happening partly because entities in heavily sanctioned jurisdictions lack access to traditionalfinancial systems and are attempting to use crypto to evade sanctions.It could also be because of theaforementioned challenges associated with enforcing sanctions against entities like Tornado Cash orGa