Chainalysis: 2025 Crypto Crime Report (English edition, 135 pages)
FEBRUARY 2025

The 2025 Crypto Crime Report

The rising role of cryptocurrency in all forms of crime and how its transparency is creating unique opportunities for investigation

Table of Contents
Introduction
Ransomware
Darknet Markets
Market Manipulation
Scams
Stolen Funds
Sanctions
Extremism
Organized Crime

Introduction

Illicit Volumes Portend Record Year as On-Chain Crime Becomes Increasingly Diverse and Professionalized

In recent years, cryptocurrency has become increasingly mainstream. Although illicit activity on-chain previously revolved heavily around cybercrime,
cryptocurrency is now also being used to fund and facilitate all kinds of threats, ranging from national security to consumer protection. As cryptocurrency has gained greater acceptance, illicit on-chain activity, too, has become more varied. For example, some illicit actors primarily operate off-chain, but move funds on-chain for laundering.

We report on certain defined categories (stolen funds, darknet markets, and ransomware, to name a few) on an annual basis. However, with the diversification of crypto crime to include all types of crime, the on-chain illicit ecosystem has witnessed increasing professionalization, with a broadening array of illicit actor organizations and networks using cryptocurrency, as well as increased complexity in their operations. In particular, we have seen the emergence of large-scale on-chain services that provide infrastructure for numerous types of illicit actors to help them launder their ill-gotten crypto.

How are these developments playing out on-chain? Let's take a look at the data and high-level trends.

According to our metrics today, it looks like 2024 saw a drop in value received by illicit cryptocurrency addresses to a total of $40.9 billion. However, 2024 was likely a record year for inflows to illicit actors as these figures are lower-bound estimates based on inflows to the illicit addresses we've identified up to today. A year from now, these totals will be higher, as we identify more illicit addresses and incorporate their historic activity into our estimates. For instance, when we published last year's Crypto Crime Report, we reported $24.2 billion for 2023. One year later, our updated estimate for 2023 is $46.1 billion. Much of that growth came from various types of illicit actor organizations, such as vendors operating through Huione, which provide on-chain infrastructure and laundering services for high-risk and illicit actors.

It stands to reason that 2024's illicit cryptocurrency volume will exceed that of 2023. Since 2020, our annual estimates of illicit activity (which include both evidentiary attributions and Chainalysis Signals data) have grown by an average of 25% between annual reporting periods. Assuming a similar growth rate between now and next year's Crypto Crime Report, our annual totals for 2024 could surpass the $51 billion threshold.

In general, our totals exclude revenue from non-crypto-native crime, such as traditional drug trafficking and other crimes in which crypto may be used as a means of payment or laundering. Such transactions are virtually indistinguishable from licit transactions in on-chain data, although law enforcement with off-chain information can still investigate these crimes using Chainalysis solutions. In cases where we're able to confirm such information, we count the transactions as illicit in our data. For example, since the conviction of FTX's former CEO of fraud, our 2022 figures have included the $8.7 billion in creditor claims against the exchange. However, there are almost certainly many instances where we do
not have such confirmation, and therefore the numbers would not be reflected in our totals.

At the time of this publication, we see a reduction in absolute value of illicit activity year-over-year (YoY); however, based on historical growth rates, we suspect that this number will eventually exceed last year's total as our data attributions improve. In addition, our estimate for the share of all attributed crypto transaction volume associated with illicit activity, depicted below, also fell to 0.14% from 0.61% in 2023.[1] Similarly, we expect this share to rise over time, although historically these rates consistently remain below 1%.

As we initially shared in our mid-year crypto crime update, another important update this year is that we've begun to factor suspected illicit activity into our total estimates for certain crime types, based on Signals data. Previously, our estimates included only totals tied to addresses for which we had supporting documentation demonstrating that they belong to a certain illicit entity. Signals leverages on-chain data and heuristics to identify the suspected category for a particular unknown address or cluster of addresses, with confidence levels ranging from likely to almost certain. The introduction of Signals not only grows our estimates of certain illicit activity categories over time, but also enables us to refine previous years' estimates, given more time has passed to collect inputs and understand on-chain patterns of suspicious activity. As bad actors continue to evolve their tactics, so too will our methods of detecting and disrupting them.

[1] Transaction volume is a measure of all attributed economic activity, a proxy for funds changing hands. We have tweaked our methodology this year to include only transactions involving at least one attributed entity, while removing peel chains, internal service transactions, transactions between two personal wallets, change, and any other type of transaction that would not count as an economic transaction between distinct economic actors.

We are also seeing a continued trend vis-à-vis
the types of assets involved in crypto crime. Through 2021, BTC was unequivocally the cryptocurrency of choice among cybercriminals, likely due to its high liquidity. Since then, however, we have observed a steady diversification away from BTC, with stablecoins now occupying the majority of all illicit transaction volume (63% of all illicit transactions). This new reality is part of a broader ecosystem trend in which stablecoins also occupy a sizable percentage of all crypto activity, demonstrated by total growth YoY in stablecoin activity around 77%. In our 2024 Geography of Cryptocurrency report, we covered the wide array of practical use cases for stablecoins in a range of markets, such as storing value, sending remittances, facilitating cross-border payments, and international trade. Additionally, stablecoin issuers often freeze funds if they are made aware of their use by illicit actors. For example, Tether has frozen addresses of concern linked to scams, terrorist financing, and sanctions evasion, which can make stablecoins a poor tool for the transfer of value by illicit actors.

Nonetheless, despite these ecosystem-wide trends, some forms of crypto crime, such as ransomware and darknet market (DNM) sales, remain BTC-dominated. The popular privacy coin Monero, although an increasingly important part of the DNM ecosystem, is not included in the analysis for this report. Other illicit activity, such as scamming or laundering stolen funds, often takes a more eclectic approach and spreads out across all asset types. Others, such as transactions associated with sanctioned entities, have shifted primarily to stablecoins. Sanctioned entities, including individuals operating in sanctioned jurisdictions, often have a greater incentive to use stablecoins due to challenges otherwise accessing the U.S. dollar through traditional means amid a desire to benefit from its stability.

Below, we'll take a closer look at three key trends that defined crypto crime in 2024 and will be important to watch going forward.

Stolen funds and scams still prolific

Stolen funds increased by approximately 21% YoY to $2.2 billion. Although the largest share of stolen funds was robbed from decentralized finance (DeFi) services, centralized services were the most targeted in Q2 and Q3. Private key compromises accounted for the largest share (43.8%) of stolen crypto in 2024, with North Korean hackers stealing more from crypto platforms than ever before: $1.34 billion, representing 61% of the total amount stolen for the year. Some of these events appear to be linked to North Korean IT workers, who have been increasingly infiltrating crypto and web3 companies, compromising their networks, and using sophisticated tactics, techniques, and
procedures (TTPs).

High- and low-tech fraud and scams were prolific in 2024, with high-yield investment scams and pig butchering representing the most successful fraud and scam types. We have also observed the increasing use of artificial intelligence (AI) in the fraud and scams space, such as in highly personalized sextortion attacks. This use of AI is consistent with a broader trend across a range of illicit cybercrimes, as services have emerged that leverage AI to bypass know-your-customer (KYC) requirements. Fraud and scam operators are also leveraging guarantee services such as Huione (discussed below), while crypto ATM scams are a growing concern, especially as they relate to elder fraud.

Ransomware still front and center, darknet markets and fraud shop volumes on the decline

Ransomware has continued to see revenues in the hundreds of millions of dollars, but a number of large, multilateral law enforcement disruptions coupled with decreased victim appetite to pay ransoms have made a dent in the ecosystem. 2024 has nonetheless been a productive year, as attack volume was relatively sustained and some ransomware groups have still managed to eke out payments, albeit in lower amounts.

DNMs received $2 billion as opposed to close to $2.3 billion in 2023, while fraud shop volume is down by slightly more than half at $220.1 million. This marked decline for fraud shops is due in part to a large U.S.-Dutch takedown of Universal Anonymous Payment System (UAPS), a crypto payment processor that facilitated transactions for hundreds of fraud shops, including Brian Dumps and Faceless.

Crypto crime landscape increasingly diverse and professionalized

An array of illicit actors, including transnational organized crime groups, are increasingly leveraging cryptocurrency for traditional crime types, such as drug trafficking, gambling, intellectual property theft, money laundering, human and wildlife trafficking, and violent crime. Furthermore, some criminal networks are resorting to crypto to facilitate polycrime, or multiple crime types. Indeed, of the total $40.9 billion received by illicit crypto addresses in 2024, $10.8 billion was received by “illicit-actor org,” our catch-all term for wallets of services and individuals both directly committing cybercrime like hacking, extortion, trafficking, or scams, as well as those facilitating this activity by selling the underlying infrastructure, tools, and services needed to commit crime and profit, including laundering-as-a-service.

Perhaps no entity better illustrates the professionalization of the crypto crime ecosystem than the online marketplace Huione Guarantee. As we highlighted in our 2024 mid-year crypto crime update, Huione and all vendors operating on
their platform have processed more than $70 billion in crypto transactions since 2021. This platform has provided infrastructure which facilitates the sale of scam technology and processed on-chain transactions for pig butchering and other fraud and scams, addresses reported as stolen funds, sanctioned entities such as the Russian exchange Garantex, fraud shops, child sexual abuse material, and Chinese-language gambling sites and casinos, among others.

Ransomware

35% Year-over-Year Decrease in Ransomware Payments, Less than Half of Recorded Incidents Resulted in Victim Payments

The ransomware landscape experienced significant changes in 2024, with cryptocurrency continuing to play a central role in extortion. However, the total volume of ransom payments decreased year-over-year (YoY) by approximately 35%, driven by increased law enforcement actions, improved international collaboration, and a growing refusal by victims to pay. In response, many attackers shifted tactics, with new ransomware strains emerging from rebranded, leaked, or purchased code, reflecting a more adaptive and agile threat environment. Ransomware operations have also become faster, with negotiations often beginning within hours of data exfiltration. Attackers range from nation-state actors to ransomware-as-a-service (RaaS) operations, lone operators, and data theft extortion groups, such as those who extorted and stole data from Snowflake, a cloud service provider. In this chapter, we'll explore these developments and their implications, including a variety of case studies (LockBit, Iranian ransomware strains, Akira/Fog, and INC/Lynx) that exemplify this year's trends.

Ransomware activity shifts halfway through the year

In 2024, ransomware attackers received approximately $813.55 million in payments from victims, a 35% decrease from 2023's record-setting year of $1.25 billion, and for the first time since 2022, ransomware revenues declined.

As we noted in our mid-year crime update, value extorted by ransomware attackers between January and June 2024 had reached $459.8 million, approximately 2.38% higher than the value extorted over the same time period in 2023. H1 2024 also saw a few exceptionally large payments, such as the record-breaking $75 million payment to Dark Angels. Despite its small half-over-half (HoH) increase, we expected 2024 to surpass 2023's totals by the end of the year. Fortunately, however, payment activity slowed after July 2024 by approximately 34.9%. This slowdown is similar to the HoH decline in ransom payments since 2021 and the overall decline during H2 2024 in some types of crypto-related crime, such as stolen funds. Notably, the decline this year is more pronounced than in the last three years.

A closer examination of the top 10 ransomware strains in terms of H1 revenue provides valuable insights into the groups driving these HoH trends. As we see in the below chart, Akira, which has targeted more than 250 entities since March 2023, is the only H1 top 10 ransomware strain to have ramped up its efforts in H2 2024. LockBit, which was disrupted by the United Kingdom's National Crime Agency (NCA) and the U.S. Federal Bureau of Investigation (FBI) in early 2024, saw H2 payments decrease by approximately 79%, showcasing the effectiveness of international law enforcement collaboration. ALPHV/BlackCat, which had been among 2023's top grossing strains, exit scammed in January 2024, leaving a void in H2.

As Lizzie Cookson, Senior Director of Incident Response at Coveware, a ransomware incident response firm, told us, “The market never returned to the previous status quo following the collapse of LockBit and BlackCat/ALPHV. We saw a rise in lone actors, but we did not see any group(s) swiftly absorb their market share, as we had seen happen after prior high profile takedowns and closures. The current ransomware ecosystem is infused with a lot of newcomers who tend to focus efforts on the small- to mid-size markets, which in turn are associated with more modest ransom demands.”

To further contextualize what may have driven H2's decrease in ransomware payment activity, we first looked at data leak sites, which could be a proxy for ransomware events. In the below chart, we can
see that the number of ransomware events increased into H2, but on-chain payments declined, suggesting that more victims were targeted, but fewer paid.

Source: ecrime.ch

Data leak sites posted more victims in 2024 than in any year prior. Not only were there more alleged victims, but, according to Allan Liska, Threat Intelligence Analyst at Recorded Future, there were 56 new data leak sites in 2024, more than double the number Recorded Future identified in 2023. However, there are some caveats to consider with data leak site information and what it suggests about the ransomware ecosystem.

Corsin Camichel, Threat Researcher at eCrime, shared more information on the legitimacy of leaks. “We have observed leak site posts claiming organizations, only to fail on a deeper analysis. For example, we have seen claims for multinational organizations, but in reality, only a smaller subsidiary was impacted. More than 100 organizations got listed on two or more data leak sites in 2024. The MEOW leak site plays a big role in this, seeming to compromise websites and list data taken from web servers or databases.”

Another reason for the inverse relationship between ransomware payments and data leak site victims shown above could be that threat actors have been caught overstating or lying about victims or reposting claims by old victims. “The LockBit operators played games to pretend to stay relevant and active after a law enforcement action called Operation Cronos, as they re-posted many previously listed claims again or added attacks that happened a long time ago, some even over one year ago,” Camichel added.

Liska also shared with us information about illegitimate victims posted to data leak sites, stating, “This is especially true of LockBit, which, in a bid to remain relevant after being ostracized by much of the underground community post law enforcement action, has published as high as 68% repeat or straight up fabricated victims on its data leak site.”

In the aftermath of the LockBit disruption and BlackCat's exit scam, another interesting phenomenon has been the rise of RansomHub RaaS, which absorbed a lot of the displaced operators from LockBit and BlackCat. RansomHub posted the highest number of victims in 2024, according to Camichel, and despite only emerging in February 2024, ranked in the top 10 strains for 2024, according to on-chain data.

Incident response data show that the gap between the
amounts demanded and paid continues to increase; in H2 2024, there was a 53% difference between the two factors. Reporting from incident response firms suggests a majority of clients opt not to pay altogether, which means the actual gap is larger than the below numbers suggest.

We spoke to Dan Saunders, Director, Incident Response, EMEA at Kivu Consulting, a cybersecurity incident response firm, to learn more about this victim resilience. “According to our data, around 30% of negotiations actually lead to payments or the victims deciding to pay the ransoms. Generally, these decisions are made based on the perceived value of data that's specifically been compromised,” he stated.

Similarly, Cookson noted that, thanks to improved cyber hygiene and overall resiliency, victims are increasingly able to resist demands and explore multiple options to recover from an attack. “They may ultimately determine that a decryption tool is their best option and negotiate to reduce the final payment, but more often, they find that restoring from recent backups is the faster and more cost-effective path,” she added. Final payment amounts typically ranged from $150,000 to $250,000, regardless of initial demands.

When looking at the figure below, we can see the evolution of ransomware payment distributions into 2024. In 2020, there was a long tail but a single hump to ransomware payments, but in 2024, there were three classes of ransomware actors. Some, such as Phobos, have average payments clustering at less than $500-$1,000. There is another cluster around $10,000 and a third with payments north of $100,000, some of which reached $1 million. We also see more events at the higher end of the distribution, meaning proportionately greater attacks in excess of $1 million.

This segmentation reflects the shift in the ransomware actor landscape that Cookson observed, with smaller groups dominating low- and mid-value payments, while the outlier 7-8 figure ransoms push the distribution rightward toward the third class of payments.

In the below chart, we can see which strains were the worst in terms of total value extorted (bubble size), median payment size (X axis), and an index of extortion events (Y axis).

Ransomware off-ramping: Where do the funds go?

Understanding ransomware laundering methods offers critical insights into post-exploit threat actor behavior, enabling law enforcement to respond more efficiently and, in some cases, anticipate future actions based on established patterns.

In the below chart, we see that ransom funds primarily flowed through centralized exchanges (CEXs) (used to off-ramp funds), personal wallets (to hold funds), and bridges (to attempt to obscure the movement of funds). We note a substantial decline in the use of mixers in 2024. Historically, mixing services routinely captured between 10% and 15% of ransomware quarterly money laundering flows. The decline of mixing among ransomware actors over the years is very interesting and a testament to the disruptive impact of sanctions and
law enforcement actions, such as those against Chipmixer, Tornado Cash, and Sinbad. In place of mixers, we have noted ransomware actors increasingly rely on cross-chain bridges to facilitate their off-ramping. In contrast, CEXs continue to be a mainstay of the ransomware offramping playbook, with 2024 seeing a slightly above-average reliance on these types of services (39% versus 37% for the period between 2020 and 2024).

It's worth calling out the substantial volumes of funds being held in personal wallets. Curiously, ransomware operators, a primarily financially motivated group, are abstaining from cashing out more than ever. We attribute this largely to increased caution and uncertainty amid what is probably perceived as law enforcement's unpredictable and decisive actions targeting individuals and services participating in or facilitating ransomware laundering, resulting in insecurity among threat actors about where they can safely put their funds.

While numerous factors are likely behind any one of the trends visible in the chart above, the decline in the use of no-KYC exchanges since October 2024 may be attributed to the designation of Russia-based exchange Cryptex and the German Federal Criminal Police (BKA)'s seizure of 47 Russian language no-KYC crypto exchanges, both in September 2024. The timing of those enforcement actions, coupled with the period when ransomware inflows to no-KYC exchanges dwindled, is conspicuous.

Ransomware case studies

Panev's arrest and its impact on LockBit's operations

Between 2019 and 2024, Israeli-Russian dual citizen Rostislav Panev allegedly played a crucial role in supporting LockBit. He is accused of developing several tools for the group, including one that enabled attackers to print ransom notes from any printer connected to compromised systems, for which he was reportedly paid around $230,000 in bitcoin (BTC). While Russian nationals, including LockBit's administrator Dimitry Yuryevich Khoroshev, have previously faced sanctions for their roles in these attacks, it is important to recognize that ransomware is truly a global threat, involving actors from around the world. Panev is currently in Israel awaiting extradition to the United States, where he is wanted for conspiracy to commit fraud, cybercrime, wire fraud, and other offenses.

In the Reactor graph we can see, per the indictment, the transfer of roughly $5,000 in BTC from Khoroshev on a biweekly basis beginning in 2022. Then, from July 2023 through early 2024, approximately $10,000 in BTC was transferred to Khoroshev on a monthly basis.

Panev's arrest potentially marked a significant blow to LockBit's ability to reconstitute, and highlighted that, even years after a crime has been committed, blockchain's transparent and immutable nature continues to empower law enforcement to trace illicit activities and disrupt transnational cybercrime syndicates. The LockBit takedown and Panev's arrest were major victories in 2024 and sparked a shift toward a more fragmented and less coordinated
ecosystem.

Iranian ransomware involvement

In addition to Russian-speaking cybercriminals, within the past several years, Iranian nationals have also been sanctioned by the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) for their involvement in facilitating and conducting ransomware attacks. We've also previously noted on-chain evidence of LockBit affiliates working with Iranian ransomware strains and depositing funds at an Iranian exchange.

Fortunately, through our on-chain analysis, we can identify Iranian actors as they rebrand or switch to a different RaaS. As we see in the below Chainalysis Reactor graph, we tied four different ransomware strains to the same Iranian threat actor, who likely also deployed a popular RaaS strain. We also see the reuse of deposit addresses at multiple global exchanges, connecting these seemingly disparate strains not only to each other, but also confirming the operator's Iran ties.

Major strains rebranding, launching offshoots

Since Akira's emergence, it has proven successful in exploiting vulnerabilities (particularly in enterprise environments) and has gained traction with a number of high-profile attacks. As we mentioned above, Akira is the only top 10 ransomware strain to have ramped up its efforts in H2 2024.

In September 2024, Fog, a new ransomware strain, entered the scene, and has since demonstrated an ability to target critical vulnerabilities, much like Akira. Both groups have primarily focused on exploiting VPN vulnerabilities, which allows them to gain unauthorized access to networks and consequently deploy their ransomware.

Both Akira and Fog have used identical money laundering methods, which are distinct from other ransomware strains, further supporting a connection between them. For instance, the following Chainalysis Reactor graph shows that several wallets operated by Akira and Fog have transferred funds to the same no-KYC exchange.

In addition to Akira's relationship to Fog, we have also discerned links between the INC and Lynx ransomware variants by examining similar on-chain behaviors. Cybersecurity researchers have also noted the two strains shared source code.

These overlapping relationships illustrate a broader trend within the ransomware ecosystem: the continuous evolution of cybercriminal strategies in response to increased law enforcement scrutiny.

Navigating an evolving threat landscape

Ransomware in 2024 reflected shifts driven by law enforcement action, improved victim resilience, and emerging attack trends. Crackdowns and collaboration with incident response firms and blockchain experts helped disrupt many ransomware groups, reducing their profitability. Victims also demonstrated greater resistance to ransom demands, widening the gap between demands and payments.

Financial strategies continue to adapt under law enforcement pressure, although malicious actors face increasing difficulties laundering payments from victims. Sustained collaboration and innovative defenses will remain critical to building on the progress made in 2024.

Darknet Markets

Darknet market and fraud shop BTC revenues decline amid years-long international law enforcement disruption

A series of law enforcement takedowns in the last few years have shaped the 2024 drug and fraud ecosystems. While 2024 was likely a record year for crypto crime revenue overall, darknet market (DNM) and fraud shop inflows fell, with DNMs receiving just over $2 billion in BTC on-chain, and fraud shops $225 million. Historically, DNMs have been known for the illicit drug trade, but in recent years have differentiated themselves with unique service offerings. This trend, however, is not universal. For example, in Russia-based DNMs, the illicit drug trade remains predominant.

Since last year's Crypto Crime Report, the top performing Russia-based DNMs have held steady, but Kraken DNM overtook Mega as the leading DNM by annual revenue in 2024. While Mega's inflows declined by more than 50% year-over-year (YoY), Kraken DNM's rose nearly 68% YoY. Kraken DNM, which billed itself as Hydra Market's successor, received $737 million on-chain in 2024.

Blacksprut, which rose to prominence with Mega in the wake of Hydra's 2022 sanctions designation, law enforcement seizure, and subsequent collapse, came in third with 13.6% less revenue YoY.

As reported last year, some drug shops have been outsourcing services like website hosting and payment processing. iKlad.biz and Klad.cc, shown in the chart above, are examples of
those infrastructure providers. While these outfits are not traditional DNMs, their success highlights how drug vendors are scaling their operations throughout Russian-speaking countries. In spite of Hydra Market's disruption in 2022, former Hydra affiliates still found operating in today's DNMs rely heavily on these infrastructure providers.

Last December, a Russian court imposed a life sentence on Stanislav Moiseyev, Hydra Market's suspected founder and operator, although the Moscow prosecutor's office did not publicly tie the guilty verdict to Hydra. The court also sentenced fifteen accomplices to anywhere from eight to 23 years in maximum-security penal colonies.

Besides Hydra operators, other DNM administrators faced criminal prosecution in 2024. In March, Incognito Market's administrators conducted an exit scam. The FBI tied Taiwanese national Rui-Siang Lin, Incognito's operator, to the DNM's website by tracing crypto transfers to an exchange account in Lin's name. Lin was charged with a host of crimes, and by May, federal authorities in New York had arrested him. Nemesis Market also saw its demise in March, when German authorities seized its infrastructure, along with $102,000 in cryptocurrency.

As international authorities have disrupted DNMs large and small in the last few years, cybercriminals and drug dealers have learned firsthand the consequences of running BTC-accepting DNMs given the currency's inherent transparency. Many operators have since moved to accepting only Monero (XMR), a privacy coin with features designed to boost anonymity and reduce traceability. XMR activity falls outside the scope of this report.

Darknet market vendors evolve their on-chain behavior

Historically, DNMs have usually cashed out their funds at centralized exchanges (CEXs). Although CEXs remain a stable destination in the DNM ecosystem, the pattern of sending funds to them shifted in 2024, as illustrated in the chart below. Last year, DNM vendors sent a significantly higher portion of their funds to DeFi than they did historically. This trend is notable since DNMs operate largely in BTC or privacy
coins.

Throughout 2024, DNM vendors also sent far more value to personal wallets and stored funds on-chain. Retail vendors appear to be holding a greater portion of their proceeds on-chain than wholesale vendors, while wholesale vendors (those who distribute drugs in large quantities) are making greater use of DeFi.

Darknet market and online pharmacy inflows according to drug-purchasing behaviors

When looking at crypto inflows to DNMs in 2024, the data indicate that wholesale drug purchases were dominant, averaging between 71 and 81% of this year's total market share. For online pharmacies, wholesale purchases led in 2024, followed by large retail.

Below are definitions for DNM purchase categories, based on purchase sizes, from which we infer buyer intent:

Small retail. Less than $100, likely made for personal consumption.
Large retail. Between $100 and $500, also likely made for personal consumption.
Social supply. Between $500 and $1,000, indicating customers may be sharing drugs with third parties in social settings.
Potential wholesale. Over $1,000, more likely made by drug sellers and distributors.

When examining drug-purchasing habits from DNMs spanning 2020 to 2024, some patterns emerge, in particular about wholesale activity, that is, purchases likely made by organizations with the intent to redistribute. First, the major drawdown in DNM wholesale revenue in 2022 can be attributed to the Hydra Market takedown. Second, while wholesale drug purchasing revenues have steadily climbed since that drop, they have yet to regain their former highs. This could indicate that:

1. No DNM since Hydra has established itself as the premier destination for wholesale drug purchases.
2. Global law enforcement operations are becoming increasingly effective in disrupting markets that cater to these purchasers.
3. Sellers and vendors are resorting to other channels, like instant messaging platforms, and/or payment methods for illicit drug trade.

As for online pharmacies, these have predominantly catered to wholesale and large retail customers in the last several years, and 2024 saw growth in wholesale purchases toward the end of last year. Like DNMs, online pharmacies receive most of their revenues from larger drug resellers.

Abacus Market: Facilitating illicit drug trade

In 2024, Abacus Market was the highest-earning DNM serving Western customers. Last year, Abacus Market received $43.3 million on-chain. Since 2021, Abacus Market's revenue has increased substantially, and in 2024, it more than doubled, growing by 183.2% YoY. This increase may be due in part to the closures of top DNMs, the shift to the exclusive acceptance of XMR by other active markets, and delistings of XMR by popular centralized exchanges.

The below graph shows an increase in Abacus sales (in BTC) following the closure of ASAP Market in July 2023, and a further increase following some CEXs delisting XMR.

Abacus Market has a global presence and broad product offering. Below is a screenshot from the Abacus Market website showing the range of items it sells, with drugs and chemicals representing the overwhelming majority of its products.

On Abacus Market, the US, Canada, Germany, Australia, and the UK have the highest number of listings. In the US, there's a large diversity in the types of products so
113、ld,including counterfeit pills.For example,in the screenshot below,an American vendor lists protonitazene powder,and advertises its uses as a counterfeit for oxycodone,also referred to as“M30”(i.e.30 mg).Darknet Markets 29 While the US market is best characterized by its diverse product offerings,ot
114、her countries offer regional specialties.In Colombia,for instance,many of the vendor listings are for cocaine or Infrastructure-as-a-Service,as seen in the screenshot below.Darknet Markets 30 Some countries have just one or a few vendors with a loyal customer base and a wider selection of goods.For
115、example,in India,one of the most frequent listings is for generic medication,which mostly comes from the first vendor shown below.China-based Abacus vendors have many listings for research chemicals.They also sell PMK and BMK,which are precursors to MDMA and methamphetamine,respectively.Darknet mark
116、et connection to Chinese pill press manufacturers While China-based vendors are frequently referenced as the source of precursors for dangerous synthetic drugs,their involvement in machinery sales is also an important aspect of the drug supply chain.One Darknet Markets 31 China-based pill press manu
117、facturer which advertises on clearnet business-to-business(B2B)websites has on-chain ties to drug vendors on Abacus Market.Along with its listings for large pill press machines,the vendor does not hide the sale of Oxycontin and Xanax TDP die kits,which are used to press counterfeit pills.The vendor
accepts BTC and XMR, and analyzing its on-chain exposure to regional CEXs and DNMs reveals that it serves customers worldwide, including in the United States, Canada, Sweden, and Russia. The Reactor graph below shows this vendor's connection with drug vendors on Abacus Market. While not all are pictured above, in total, we found 16 vendors either selling or sourcing drug material from Abacus and purchasing production supplies from this China-based vendor.

China-based vendors and novel synthetic opioids

China-based precursor manufacturers mark the beginning of the synthetic drug supply chain. In years past, these organizations were more overt in their display of such products, openly advertising on mainstream B2B websites. Depending on the severity of the chemical, some manufacturers still follow this practice. In 2024, however, many vendors of reagents and precursors have turned to criminal forums to advertise their product offerings, or have delisted (at least publicly) chemicals related to fentanyl synthesis. This could be in response to increasing pressure from the United States and China, and the crackdown on the websites selling these products. The organized crime section of this report, which discusses the nexus between Mexican cartels and Chinese fentanyl precursor manufacturers, indicates that this corridor still exists, although overall inflows to these manufacturers have seen a dip.

In addition to fentanyl, the presence of nitazenes in the global supply of dangerous synthetic opioids has increased, and China-based vendors have established themselves as the initial source. Nitazenes are a type of synthetic opioid with a similar potency to fentanyl. The US and Europe have seen an increase in nitazene-related overdose deaths in recent years, perhaps due to the halt in the heroin supply following the Taliban's crackdown. Due to the novelty of these substances (and the fact that many are analogs) the true number of overdoses in Europe could be higher, as forensic drug testing may lag behind the pace of the crisis.

In addition to various benzodiazepines, stimulants, and psychedelics, one longstanding China-based research chemical manufacturer also sells nitazenes. The vendor's listing of a protonitazene analog boldly states that the compound has a potency 20x greater than that of fentanyl, as seen below. In this listing, the vendor offers free shipping to the US. Once received by the buyer, the compound could be pressed into counterfeit pills, like M30s, and further distributed to end consumers.

Screenshot from a China-based research chemical manufacturer's website

This vendor is known for supplying chemicals in bulk. Deposits span from the hundreds to the tens of thousands of dollars, and the average deposit amount in 2024 was over $2,000. On-chain data indicates the vendor supplies these drugs to other Chainalysis-identified online pharmacies and DNM vendors, all while maintaining a far-reaching global customer base throughout North America, Europe, Australia, and South America. Interestingly, this vendor has also been a trusted supplier for OFAC-designated fentanyl traffickers Alex Adrianus Martinus Peijnenburg and Matthew Simon Grimm, having received close to $1.5 million in purchases from them.

Fraud shop revenues decline in 2024

Fraud shops are services found mainly on the dark web that sell stolen data and personally identifiable information (PII), which cybercriminals use for scams, identity theft, and ransomware attacks. In 2024, fraud shop inflows declined by 50% YoY, a sharp downturn from the last three years.

A few factors likely influenced this BTC revenue decline among fraud shops:

- The elimination of UAPS, a payment processor on which many fraud shops relied.
- US agencies and other international authorities prioritizing the takedown of fraud-related services.
- A migration away from BTC payments to XMR, as observed with DNMs.

UAPS: The takedown of a fraud shop payment processor and its impact on ecosystem

Last September, OFAC designated Sergey Sergeevich Ivanov, the alleged creator and operator of Universal Anonymous Payment System (UAPS), a payment processor used by many fraud shops, as well as PM2BTC, a Russian virtual currency exchanger associated with Ivanov, and Cryptex, a crypto exchange operating in Russia and registered in St. Vincent and the Grenadines. These actions were part of a coordinated effort among US government agencies and foreign counterparts to combat Russian illicit finance. In September 2024, the US Secret Service's Cyber Investigative Section, Netherlands Police, and the Dutch Fiscal Intelligence and Investigation Service (FIOD) seized web domains and infrastructure linked to UAPS, PM2BTC, and Cryptex.

After the UAPS infrastructure takedown, we observed a swift decline in on-chain activity from UAPS counterparties, indicating that many fraud shops relied on this infrastructure to process customer payments. The chart below shows this counterparty decline, as well as a drop in crypto flows across the fraud shop ecosystem.

Conversely, some fraud shops saw an increase in activity and higher revenues on-chain. The chart below shows fraud shops that performed well after the UAPS takedown, indicating that the customer migration was swift, and favored longstanding, trusted fraud shops like Vclub and Bankomat. Revenues for the fraud shops on the right side of the chart declined, suggesting their dependence
on UAPS for payment infrastructure.

The fraud shop-ghost gun connection: A case study

Ghost guns, assembled with prefabricated parts and without required serial numbers, are nearly always designed to be semi-automatic firearms, and are almost impossible to trace. Everytown, an organization that works to prevent gun violence in America, calls ghost guns a “weapon of choice for violent criminals” and extremists. In 2023, the New York Police Department (NYPD) Intelligence Bureau, which predominantly handles counterterrorism cases, received a tip about two people in New York City involved in manufacturing and selling ghost guns. Using a series of search warrants and subpoenas, the NYPD found the suspects' online raw material purchases, and uncovered a crypto dimension to the case, not publicly shared until now.

Suspects were exchanging large sums of fiat for cryptocurrency by transferring cash into a mainstream CEX account and buying BTC, which they used to purchase stolen credit cards and identities from fraud shops on the dark web. The Reactor graph below shows five purchases made to fraud shops, four of which passed through intermediary addresses.

With these stolen credentials, the suspects purchased ghost gun parts and tools from a variety of legitimate websites, which they used to build ghost guns with a 3D printer, and sell for cash. A Manhattan district attorney successfully used this evidence to bring charges against one of the suspects.

Continued law enforcement efforts key to illicit market disruption

While DNM and fraud shop revenues declined in 2024 following years of concerted international law enforcement efforts, these platforms have managed to sustain their operations by adopting new tactics. In spite of disruptions to the dark web ecosystem, DNMs in particular continue to play a significant role in enabling the China-based synthetic drug production supply chain, highlighting the necessity for ongoing global cooperation to disrupt and dismantle illicit drug networks worldwide.

Market Manipulation

Suspected Wash Trading on Select Blockchains May Account for Up To $2.57 Billion in Trading Volume

In last year's report, we introduced a novel methodology for detecting suspicious trading patterns in crypto markets by analyzing on-chain data. We focused on decentralized finance (DeFi), given its transparency and the availability of on-chain information, which is not similarly available in centralized trading platforms. Our approach tracks patterns of behavior and not intent, which means that it is not by itself sufficient to prove market manipulation; however, it provides a valuable starting point for deeper investigations when combined with off-chain information. This focus on foundational insights is also why we do not estimate victim losses, as such calculations require significantly more data beyond on-chain analysis.

This chapter zeroes in on two prevalent forms of market manipulation: wash trading and pump-and-dump schemes. Wash trading involves artificially inflating trading volume by repeatedly buying and selling the same asset, creating a misleading perception of demand. Pump-and-dump schemes lure unsuspecting investors by driving up the price of an asset, often through coordinated hype, only for insiders to sell off their holdings at a peak, leaving unwitting holders of the asset with significant losses. Keep reading as we delve into our methodologies for uncovering these suspicious patterns, providing a clearer view of how market manipulation manifests in the crypto space.

Heuristics enable identification of patterns of potential wash trading, which show concentration in specific pools and among fewer actors

While there are subtle differences in the legal definitions of wash trading across jurisdictions, wash trades are generally understood to involve the near-simultaneous buying and selling of an asset without any change in beneficial interest, ownership, or market position. Currently, most of the academic research on wash trading in crypto has been focused on centralized exchanges (CEXs), where possible motivations for inflating trade volumes include attracting users or climbing leaderboards. Unlike trading on CEXs, doing so on decentralized exchanges (DEXs) incurs gas fees, making wash trading potentially more expensive; nonetheless, such activity still exists.

Financial regulators around the world face challenges in identifying wash trading in traditional markets because collusion strategies vary and collusive transactions can be masked among normal trading activities. These challenges often take different forms in the crypto space, where pseudonymity, the use of decentralized platforms, and a lack of comprehensive regulatory oversight add complexity.

During our research, which primarily focuses on fungible tokens such as ERC-20 tokens and BEP-20 tokens, we encountered the following difficulties in identifying wash trading:

1. Maximal Extractable Value (MEV) bots and arbitragers share characteristics with wash trading, as they buy and sell the same token pairs in very short time intervals. However, this activity is not typically directed at driving up volumes, but rather at capturing arbitrage opportunities.
2. Most of the DEXs we studied are AMM-based (automatic market makers), rather than order book-based, as is common in most traditional financial markets. In order book-based markets, traders execute trades with a direct counterparty at a price set by one of the two parties to the transactions. In AMM-based markets, traders execute trades against a pool of assets supplied by liquidity providers at an algorithmically determined price. In the absence of a single trader sitting on both sides of a trade, it is more challenging to identify activity that would achieve a prearranged wash result. Additionally, because a trader lacks control over the quoted price for a transaction, it can also be challenging to determine whether the price is a result of an intentionally structured wash trade,
rather than the price set algorithmically by the AMM.

Regardless, it is possible to look at on-chain activity to identify crypto addresses that exhibit patterns of potential wash trading activity, which we'll demonstrate with an analysis of two relevant heuristics.

Wash trading Heuristic 1: matched buy and sell across transactions

For our first heuristic, we applied the following criteria to identify potential wash trades in a manner that avoids capturing MEV bot and arbitrager activity and excludes certain high-volume liquidity pools that are unlikely to be driven by wash trading. We looked for activity in which all three criteria were met:

1. An address that executed one buy transaction and one sell transaction within 25 blocks (usually, 25 blocks are created within five minutes).
2. The difference in the two transaction volumes in USD is less than 1%, which suggests that the trade did not yield a meaningful profit.
3. A single address executed three or more trades that matched criteria 1 and 2 during the time period studied.

The first heuristic suggests that the combined wash trading volume on Ethereum, BNB Smart Chain (BNB), and Base was around $704 million in 2024. To put this into perspective, suspected wash trading volume identified by this heuristic accounted for 0.035% of the total DEX trade volume in November 2024. The volume increases in March, April, and June in the below chart were most likely due to a few DEX pools with very active suspected wash trading.

For instance, in April, five DEX pools accounted for a total of $78 million worth of suspected wash trading. Although suspected wash trading volumes fluctuated throughout the year, the number of DEX pools with associated activity remained fairly consistent, averaging around 1,000 to 1,800 pools per month, or between 0.2 and 0.3% of the approximately 500,000 pools active monthly, suggesting that wash trading may be concentrated in specific pools and/or driven by a small number of actors with targeted efforts.

We were able to identify a total of 23,436 unique addresses across Ethereum, BNB, and Base exhibiting activity consistent with the Heuristic 1 criteria. On average, each address engaged with two DEX pools and initiated 129 suspected wash trades of $30,033 in total volume during the time period studied. However, as shown in the table below, addresses that traded with four or more DEX pools accounted for 10% of total addresses identified by Heuristic 1. These addresses accounted for 43% of the total suspected wash trading volume in 2024.

| | Number of DEX pools one address engages in | Total wash trade volume one address initiates (USD) | Number of wash trades one address initiates |
| --- | --- | --- | --- |
| Average | 2 | $30,033 | 129 |
| Median | 1 | $651 | 10 |
| 75th percentile | 2 | $5,940 | 25 |
| 90th percentile | 4 | $32,249 | 102 |
| Max | 241 | $17,334,934 | 54,684 |

One address in 2024 initiated more than 54,000 buy-and-sell transactions of almost identical amounts (very suspicious in itself), illustrating the scale of this potential activity.
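The three Heuristic 1 criteria can be applied to a swap log as in the following added Python example, which is not Chainalysis's code. The `Swap` record layout, the greedy oldest-first pairing, matching within a single pool, and measuring the USD difference relative to the larger leg are assumptions of this example, and the sample swaps are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_BLOCK_GAP = 25     # criterion 1: buy and sell within 25 blocks
MAX_USD_DIFF = 0.01    # criterion 2: USD volumes differ by less than 1%
MIN_MATCHED_PAIRS = 3  # criterion 3: three or more matched pairs per address


@dataclass(frozen=True)
class Swap:
    address: str  # address that initiated the swap
    pool: str     # DEX pool identifier
    block: int    # block height of the transaction
    side: str     # "buy" or "sell" of the pool's token
    usd: float    # USD value of the swap


def matched_pairs(swaps):
    """Pair opposite-side swaps of one address in one pool (criteria 1 and 2).

    Greedy oldest-first matching is an assumption of this example; each swap
    is used in at most one pair, so volume is never counted twice.
    """
    pairs, waiting = [], []
    for swap in sorted(swaps, key=lambda s: s.block):
        # Forget earlier swaps that are now more than 25 blocks behind.
        waiting = [w for w in waiting if swap.block - w.block <= MAX_BLOCK_GAP]
        partner = next(
            (w for w in waiting
             if w.side != swap.side
             and abs(w.usd - swap.usd) / max(w.usd, swap.usd) < MAX_USD_DIFF),
            None,
        )
        if partner is None:
            waiting.append(swap)
        else:
            waiting.remove(partner)
            pairs.append((partner, swap))
    return pairs


def heuristic_1(swaps):
    """Return {address: summary} for addresses that meet all three criteria."""
    grouped = defaultdict(list)
    for swap in swaps:
        if swap.usd > 0:  # skip zero-value rows (also avoids dividing by zero)
            grouped[(swap.address, swap.pool)].append(swap)

    per_address = defaultdict(list)
    for (address, _pool), group in grouped.items():
        per_address[address].extend(matched_pairs(group))

    flagged = {}
    for address, pairs in per_address.items():
        if len(pairs) >= MIN_MATCHED_PAIRS:
            flagged[address] = {
                "pairs": len(pairs),
                "pools": sorted({first.pool for first, _ in pairs}),
                "usd_volume": sum(a.usd + b.usd for a, b in pairs),
            }
    return flagged


def _rows(address, pool, rows):
    return [Swap(address, pool, block, side, usd) for block, side, usd in rows]


# Constructed sample data (not real addresses or trades).
SAMPLE_SWAPS = (
    # Three near-identical round trips inside 25 blocks: flagged.
    _rows("0xWASH", "POOL_A", [(100, "buy", 1000.0), (104, "sell", 998.0),
                               (200, "buy", 500.0), (220, "sell", 503.0)])
    + _rows("0xWASH", "POOL_B", [(300, "sell", 750.0), (310, "buy", 748.0)])
    # Arbitrage-like: fast round trips, but each keeps a spread above 3%.
    + _rows("0xARB", "POOL_A", [(400, "buy", 1000.0), (401, "sell", 1035.0),
                                (410, "buy", 1000.0), (411, "sell", 1035.0),
                                (420, "buy", 1000.0), (421, "sell", 1035.0)])
    # Equal amounts, but 40 blocks between buy and sell.
    + _rows("0xSLOW", "POOL_A", [(500, "buy", 200.0), (540, "sell", 200.0),
                                 (600, "buy", 200.0), (640, "sell", 200.0),
                                 (700, "buy", 200.0), (740, "sell", 200.0)])
    # Only two matched pairs: below the criterion 3 threshold.
    + _rows("0xTWICE", "POOL_A", [(800, "buy", 300.0), (805, "sell", 300.5),
                                  (900, "buy", 300.0), (903, "sell", 299.0)])
)

if __name__ == "__main__":
    for address, summary in heuristic_1(SAMPLE_SWAPS).items():
        print(address, summary)
```

As the report notes, a match here describes a pattern of behavior, not intent, so flagged addresses are leads for review rather than findings.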
Wash trading Heuristic 2: disperse-based detection

For our second heuristic, we looked at activity across token multi-senders, which were originally developed to simplify payments by facilitating simultaneous transfers of different tokens to multiple addresses. Unfortunately, many bad actors exploit these services to distribute funds across numerous addresses, managing them algorithmically in an attempt to conceal that the same actor is potentially manipulating tokens. With this in mind, we employed the following criteria to identify suspected wash trading, accounting for ETH and BNB transfers by two multi-sender applications, and removing major pools that are unlikely to involve wash trading:

1. Controller addresses that send funds to five or more managed addresses.
2. Managed addresses that received their first ETH or BNB deposit from the corresponding controller address through a token multi-sender.
3. The difference in the total USD value between the buy and sell sides executed by managed addresses in a single liquidity pool is less than 5%.

Heuristic 2 suggests that the combined wash trade volume on Ethereum, BNB, and Base was around $1.87 billion in 2024. In November 2024, the suggested wash trade volume accounted for 0.046% of total DEX volume.

Similar to the first heuristic, the spikes observed between March 2024 and April 2024 in the below chart coincide with the activity of 2024's most prominent operators. For instance, in April, three controller addresses alone accounted for $318 million in suspected wash trading volume. In January 2024, one controller address was responsible for approximately $142.99 million in suspected wash trade volume. Although the monthly estimated wash trade volume fluctuated significantly throughout 2024, the number of active controller addresses was more consistent, experiencing a steady upward trend between January and June.

Upon examining these addresses more closely, we learned that controller addresses managed an average of 183 addresses in 2024. As shown in the table below, a single controller address can manage tens of thousands of addresses. In 2024, the average suspected wash trade volume for one controller address was around $3.66 million. As we see in the chart below, the maximum volume of suspected wash trading controlled by one address can reach the hundreds of millions of dollars, illustrating the potential scale of this inflated activity.

| | Number of addresses one operator controls | Total wash trade volume one operator executes (USD) |
| --- | --- | --- |
| Average | 183 | $3,661,934 |
| Median | 7 | $11,742 |
| 75th percentile | 21 | $223,446 |
| 90th percentile | 100.00 | $1,918,388 |
| Max | 22,832 | $313,585,875 |

Heuristics 1 and 2 use different methodologies in order to detect different potential wash trading tactics. By adding the totals from heuristic 1 ($704 million) and heuristic 2 ($1.87 billion), we identify a total of $2.57 billion in potential wash trading activity.
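The three Heuristic 2 criteria, as an added Python example that is not Chainalysis's code. The `Deposit` and `Swap` record layouts, the placeholder multi-sender and excluded-pool identifiers, and measuring the buy/sell difference relative to the larger side are assumptions of this example; all addresses and amounts are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

MIN_MANAGED = 5       # criterion 1: controller funds five or more addresses
MAX_SIDE_DIFF = 0.05  # criterion 3: buy and sell totals differ by less than 5%

# Placeholders standing in for the two multi-sender applications.
MULTISENDERS = {"0xMULTISENDER_1", "0xMULTISENDER_2"}
# Placeholder for the major pools that are removed from this heuristic.
EXCLUDED_POOLS = {"POOL_MAJOR"}


@dataclass(frozen=True)
class Deposit:
    block: int
    funder: str     # address that paid for the native-coin transfer
    via: str        # contract that relayed it, "" for a direct transfer
    recipient: str


@dataclass(frozen=True)
class Swap:
    address: str
    pool: str
    side: str       # "buy" or "sell"
    usd: float


def managed_addresses(deposits):
    """Map controller -> set of managed addresses (criteria 1 and 2)."""
    first = {}
    for dep in sorted(deposits, key=lambda d: d.block):
        first.setdefault(dep.recipient, dep)  # only the first deposit counts
    by_controller = defaultdict(set)
    for recipient, dep in first.items():
        if dep.via in MULTISENDERS:           # first funding came via multi-sender
            by_controller[dep.funder].add(recipient)
    return {c: m for c, m in by_controller.items() if len(m) >= MIN_MANAGED}


def heuristic_2(deposits, swaps):
    """Return {(controller, pool): USD volume} where criterion 3 also holds."""
    owner = {addr: ctrl
             for ctrl, managed in managed_addresses(deposits).items()
             for addr in managed}
    totals = defaultdict(lambda: {"buy": 0.0, "sell": 0.0})
    for swap in swaps:
        if swap.address in owner and swap.pool not in EXCLUDED_POOLS:
            totals[(owner[swap.address], swap.pool)][swap.side] += swap.usd

    flagged = {}
    for key, side in totals.items():
        low, high = sorted((side["buy"], side["sell"]))
        # Both sides must be present and nearly cancel each other out.
        if low > 0 and (high - low) / high < MAX_SIDE_DIFF:
            flagged[key] = side["buy"] + side["sell"]
    return flagged


# Constructed sample data (not real addresses or transfers).
SAMPLE_DEPOSITS = (
    [Deposit(10, "0xC1", "0xMULTISENDER_1", f"0xM{i}") for i in range(1, 7)]
    # 0xM7 was first funded directly, so it is not a managed address.
    + [Deposit(5, "0xEXCHANGE", "", "0xM7"),
       Deposit(10, "0xC1", "0xMULTISENDER_1", "0xM7")]
    + [Deposit(20, "0xC2", "0xMULTISENDER_2", f"0xN{i}") for i in range(1, 6)]
    # 0xC3 funds only three addresses: below the criterion 1 threshold.
    + [Deposit(30, "0xC3", "0xMULTISENDER_1", f"0xP{i}") for i in range(1, 4)]
)
SAMPLE_SWAPS = [
    Swap("0xM1", "POOL_X", "buy", 1000.0), Swap("0xM2", "POOL_X", "buy", 1200.0),
    Swap("0xM3", "POOL_X", "buy", 800.0), Swap("0xM4", "POOL_X", "sell", 900.0),
    Swap("0xM5", "POOL_X", "sell", 1050.0), Swap("0xM6", "POOL_X", "sell", 1000.0),
    Swap("0xM7", "POOL_X", "sell", 5000.0),      # ignored: not managed
    Swap("0xM1", "POOL_MAJOR", "buy", 100.0),    # ignored: excluded pool
    Swap("0xM2", "POOL_MAJOR", "sell", 100.0),
    Swap("0xN1", "POOL_Y", "buy", 5000.0),       # one-sided: 5000 vs 1000
    Swap("0xN2", "POOL_Y", "sell", 1000.0),
    Swap("0xP1", "POOL_Z", "buy", 700.0),        # balanced, but 0xC3 is too small
    Swap("0xP2", "POOL_Z", "sell", 700.0),
]

if __name__ == "__main__":
    for (controller, pool), usd in heuristic_2(SAMPLE_DEPOSITS, SAMPLE_SWAPS).items():
        print(controller, pool, usd)
```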
It is possible that there is overlap in the amounts detected by each heuristic (in other words, some suspected wash trading activity may have been detected by both heuristics), and so we consider this an upper bound estimate for this methodology.

Wash trading case study: volume boosting bot, Volume.li

Wash trading has emerged as a key concern in cryptocurrency market integrity, drawing the attention of U.S. regulators and law enforcement. For instance, on October 9, 2024, the United States Securities and Exchange Commission (SEC) charged four market makers (ZM Quant, Gorbit, CLS Global, and MyTrade) for generating artificial token trading volume. The Internal Revenue Service (IRS) later reported that this wash trading scheme involved 18 individuals and entities operating an international trading scheme with touchpoints in the U.K. and Portugal. In this case, the market makers conducted the alleged illicit trading by operating trading bots that created artificial token volume. Typically, the strategy of building and operating bots for this purpose is difficult to distinguish from ordinary trading on both CEXs and DEXs.

To explore in-depth how this process typically works, we looked at a boosting bot service called Volume.li, which provides trading bots to customers who want to create fake volume on DEXs. While this service was not used by those charged by the SEC in the case above, it demonstrates how wash traders may leverage a tool to conduct similar activity.

According to its website, Volume.li has generated a total of $257.5 million in trading volume to date. Customers have the option of purchasing bots of varying degrees of volume, from $50 to $100,000, within 24 hours. The Volume.li site states that a bot generating $100,000 in volume within 24 hours costs 0.212 ETH. After the customer pays this fee, the bot will buy and sell a token 100 times in rapid succession.

In the below example, a purchased trading bot generated fake trades of the SoylanaManletCaptainZ token (ANSEM) paired with wETH on Uniswap. We discovered that this trading bot uses a specific function (0x5f437312) to initiate its trades. Typically, swaps in Uniswap are initiated when the router contract receives a transaction, meaning that the contract is the recipient. However, in these types of trades, a few addresses likely controlled by Volume.li send transactions to the smart contracts they manage, invoking the 0x5f437312 function. These smart contracts act as intermediaries, subsequently triggering multiple wash trade transactions on Uniswap.

One example of an asset with trading volume boosted by Volume.li is the Donald J. Chump token, which had 6,939 holders as of January 2025. Within five days, Volume.li's bot generated 10,341 pairs of buy and sell orders using five different addresses, creating a total of $39,723 in fake trading volume. From July 27 to July 30 the token issuer relied heavily on Volume.li to generate liquidity, which accounted for approximately 43% of the token's total trading volume on Uniswap.

As Volume.li exemplifies, even when
our starting point is off-chain, pairing open-source research on platforms of interest with our own heuristics can yield powerful insights about potential on-chain market manipulation.

3.59% of all launched tokens in 2024 display patterns that may be linked to pump-and-dump schemes

In 2024, more than 2 million tokens were launched in the blockchain ecosystem, approximately 0.87 million of which (42.35%) were listed on a DEX. Last year, we noted that the majority of new tokens were developed on Ethereum due to the ease of creating tokens using the ERC-20 standard. Although Ethereum is still the chain with the greatest number of tokens actively traded on DEXs, we've noticed many token creators using other chains, such as BNB and Base. In the below chart, we see that, in most months in 2024, several hundreds of thousands of tokens were launched on these chains, with July seeing more than 400,000.

Despite the staggering number of tokens launched in 2024, only a small fraction (1.7%) have been actively traded within the last 30 days. So, why do so many of these tokens appear dormant? One possibility is that many are abandoned shortly after their creation, potentially due to a lack of interest or failure to gain traction. It is also possible that some of these tokens facilitate intentional short-lived schemes designed to exploit initial hype before fading away, also known as pump-and-dumps or rug pulls.

Here's an example of how a pump-and-dump scheme might work with a token:

1. A crypto participant either launches a new token or buys a large share of the supply for an existing token, usually one with historically low volume.
2. This participant hypes up the token using social media and/or online chat rooms.
3. The hype attracts attention from other users, leading to an increase in buying pressure on the token.
4. The initial participant may also engage in wash trading, as described in the previous section, in order to further artificially inflate the token's trading volume.
5. If these methods are successful, the token rises in value.
6. Once the token reaches the desired price target, the original participant liquidates their position for a profit.
7. The token's price rapidly drops due to selling pressure, leaving many victims “holding the bag.”
8. If the participant is also the token creator or one of the liquidity pool's primary liquidity providers, they may also completely abandon the project in a rug pull, taking more users' funds with them. In certain cases, however, governance protocols may not allow this.

It is possible to identify many of these activities using on-chain analysis, and we used the following criteria to identify potential pump-and-dump schemes. We looked for activity in which all three criteria were met:

1. An address that added value to a token's liquidity pool and subsequently removed at least 65% of the pool's liquidity, valued at $1,000 or more.
2. The token's liquidity pool is no longer active.
3. The liquidity pool had previously gained traction, with more than 100 transactions occurring in it.

We made several changes to our methodology this year, employing stricter criteria to improve accuracy. First, we loosened the liquidity removal threshold from last year's 70% to 65% to capture tokens with larger liquidity volumes. We also replaced the criterion of a token having liquidity worth $300 or less with a completely inactive liquidity pool (we consider a liquidity pool inactive if no transactions occurred in the last 30 days). And finally, we replaced the original criterion of a token being purchased at least five times by DEX participants with no on-chain connection to the token's biggest holders, with the criterion of the liquidity pool having more than 100 transactions.

| | Number of tokens | Percent of all tokens launched |
| --- | --- | --- |
| Number of tokens launched in 2024 | 2,063,519 | 100% |
| Number of tokens listed on DEX | 873,957 | 42.54% |
| Number of suspected pump-and-dump tokens | 74,037 | 3.59% |

Approximately 94% of DEX pools involved in suspected pump-and-dump schemes appear to be rugged by the address that created the DEX pool. The other 6% appear to be rugged by the addresses that were funded by the pool or token deployer. In some cases, the pool deployer address and the address that rugged the pool were funded by the same address source, suggesting there may have been a coordinated effort to exploit users.

After a DEX pool is launched, it typically takes a few days to a few months before the associated token is abandoned.
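The three pump-and-dump criteria, plus the two follow-up measures discussed here (whether the pool's creator removed the liquidity, and how long after launch), as an added Python example that is not Chainalysis's code. The `PoolEvent` layout, valuing pool liquidity as a running USD sum of adds and removals, and treating the first event as pool creation are assumptions of this example; the pool histories are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

MIN_REMOVED_SHARE = 0.65  # criterion 1: at least 65% of pool liquidity removed
MIN_REMOVED_USD = 1_000   # criterion 1: removal valued at $1,000 or more
INACTIVE_DAYS = 30        # criterion 2: no transactions in the last 30 days
MIN_TRANSACTIONS = 100    # criterion 3: more than 100 transactions in the pool


@dataclass(frozen=True)
class PoolEvent:
    pool: str
    day: int        # days since an arbitrary epoch
    kind: str       # "add" or "remove" (liquidity), or "swap"
    address: str
    usd: float = 0.0


def assess_pool(events, as_of_day):
    """Return a finding for one pool if all three criteria hold, else None."""
    events = sorted(events, key=lambda e: e.day)
    # Assumption: the first recorded event is the deployer creating the pool.
    deployer, launch_day = events[0].address, events[0].day
    liquidity, providers, removal = 0.0, set(), None
    for event in events:
        if event.kind == "add":
            liquidity += event.usd
            providers.add(event.address)
        elif event.kind == "remove":
            share = event.usd / liquidity if liquidity > 0 else 0.0
            if (removal is None and event.address in providers
                    and share >= MIN_REMOVED_SHARE
                    and event.usd >= MIN_REMOVED_USD):
                removal = event                       # criterion 1 satisfied
            liquidity = max(liquidity - event.usd, 0.0)
    if removal is None:
        return None
    if as_of_day - events[-1].day <= INACTIVE_DAYS:   # criterion 2: still active
        return None
    if len(events) <= MIN_TRANSACTIONS:               # criterion 3: no traction
        return None
    return {
        "remover": removal.address,
        "by_deployer": removal.address == deployer,
        "days_to_removal": removal.day - launch_day,
    }


def find_pump_and_dumps(events, as_of_day):
    """Group events by pool and return {pool: finding} for suspected schemes."""
    by_pool = defaultdict(list)
    for event in events:
        by_pool[event.pool].append(event)
    findings = {}
    for pool, pool_events in by_pool.items():
        finding = assess_pool(pool_events, as_of_day)
        if finding is not None:
            findings[pool] = finding
    return findings


def _pool(name, adds, removal, swaps, last_day=2):
    """Constructed history: adds on day 0, swaps on day 1, removal on day 2."""
    events = [PoolEvent(name, 0, "add", addr, usd) for addr, usd in adds]
    events += [PoolEvent(name, 1, "swap", f"0xTRADER{i}", 25.0)
               for i in range(swaps - 1)]
    events.append(PoolEvent(name, 2, "remove", removal[0], removal[1]))
    events.append(PoolEvent(name, last_day, "swap", "0xLATE", 25.0))
    return events


# Constructed sample data (not real pools or addresses).
SAMPLE_EVENTS = (
    _pool("POOL_A", [("0xDEV_A", 10_000.0)], ("0xDEV_A", 9_000.0), 150)
    + _pool("POOL_B", [("0xDEV_B", 10_000.0)], ("0xDEV_B", 3_000.0), 150)  # 30%
    + _pool("POOL_C", [("0xDEV_C", 10_000.0)], ("0xDEV_C", 9_000.0), 40)   # few txs
    + _pool("POOL_D", [("0xDEV_D", 10_000.0)], ("0xDEV_D", 9_000.0), 150,
            last_day=110)                                                  # active
    + _pool("POOL_E", [("0xDEV_E", 1_000.0), ("0xLP_E", 5_000.0)],
            ("0xLP_E", 5_000.0), 150)                                      # non-deployer
    + _pool("POOL_F", [("0xDEV_F", 1_000.0)], ("0xDEV_F", 900.0), 150)     # under $1,000
)

if __name__ == "__main__":
    for pool, finding in find_pump_and_dumps(SAMPLE_EVENTS, as_of_day=120).items():
        print(pool, finding)
```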
201、in the table below,it took an average of six to seven days,and 1%of suspected pump-and-dump schemes lasted longer than four to five months.Market Manipulation 51 Total Average in days 6.23 Median in days 0 75 percentile in days 0 90 percentile in days 8 99 percentile in days 123 Total Number of pool
202、s dumped by the same actor who deployed the DEX pool 69,897 Total number of DEX pools engaged in suspected pump-and-dump schemes 74,312 Share of pools dumped by the same actor who deployed the DEX pool 94.00%Navigating the challenges of crypto market manipulation Market manipulation remains a critic
203、al concern for both crypto industry participants and authorities as they strive to keep pace with the rapidly-evolving sector.The complex and dynamic nature of market manipulation,compounded by cryptos unique characteristics such as its pseudonymity and decentralization heightens the challenge.A rob
ust and coordinated approach is therefore essential, one that fully harnesses the power of on-chain data and analytics to enable proactive detection and prevention of manipulative activities.

Scams

Pig Butchering Grows Nearly 40% YoY as Fraud Industry Leverages AI and Increases in Sophistication

In 2024, cryptocurrency scams received at least $9.9 billion on-chain, an estimate that will increase as we identify more illicit addresses associated with fraud and scams in the coming months. According to our metrics today, it looks like 2024 saw a drop in scam revenue; however, 2024 was likely a record year as these figures are lower-bound estimates based on inflows to the scam addresses we've identified up to today. A year from now, these totals will be higher, as we identify more illicit addresses and incorporate their historic activity into our estimates.

Since 2020, our annual estimates of scam activity have grown by an average of 24% between annual reporting periods. Assuming a similar growth rate between now and next year's Crypto Crime Report, our annual totals for 2024 could surpass the $12 billion threshold. Further, with our recent acquisition of Alterya, we will leverage AI-powered fraud and scam detection to augment our data, and expect our totals to become even more robust than our estimates based on historical increases. Alterya has worked with top cryptocurrency exchanges, fintech companies, and financial institutions to proactively prevent fraud and minimize losses. In 2024, the organization detected $10 billion sent to scams.

In the last few years, crypto fraud and scams have continued to increase in sophistication, as the fraud ecosystem becomes more professionalized. Operations like Huione Guarantee, a peer-to-peer (P2P) marketplace, offer a host of illicit services that support pig butchering scamming operations and serve as a one-stop-shop for scammers' needs. These services range from the technology infrastructure required to initiate scams to money laundering services for obfuscating illicit activity and cashing out.

In this section, we'll (1) discuss fraud and scam trends in 2024; (2) profile Huione Guarantee and its role in professionalizing the scam ecosystem; and (3) explore a crypto ATM scam story, its implications for the elderly population, and emerging regulatory priorities.

High-yield investment and pig butchering scams see highest crypto revenues

In the past year, high-yield investment scams (HYIS) and pig butchering scams received the most crypto among scam sub-classes, at 50.2% and 33.2% respectively.

Despite pulling in half of all scam revenue in 2024, HYIS inflows declined by 36.6% YoY, while pig butchering revenue increased by almost 40% YoY. These categories aside, the fraud and scam landscape is expanding into a variety of other subclasses that we'll discuss.

One lucrative HYIS active in 2024, Smart Business Corp, is a decade-old ponzi scheme targeting Spanish-speaking countries, particularly Mexico. In 2022, Smart Business Corp added
bitcoin to its investment portfolio and promised affiliates outsized returns based on a tiered investment scheme. That same year, Mexican government consumer protection agency CONDUSEF warned that Smart Business Corp was not registered to offer securities in Mexico. To date, Smart Business Corp has received $1.5 billion on-chain. The graph below shows its top 10 counterparties by crypto received, a combination of seven mainstream exchanges and three self-hosted wallets.

Pig butchering scams (also known as investment or romance scams) target and build relationships with individuals, convincing them to invest in fraudulent opportunities, and predominantly originate via large scam compounds in Southeast Asia. International Justice Mission (IJM), a global organization that protects people in poverty from violence, began observing forced labor cases tied to these operations in 2021, and has since observed immense growth of these crimes. IJM's work in this region focuses on preventing human trafficking associated with these operations by strengthening justice systems.

Despite their prominent footprint in Southeast Asia, pig butchering scams have become more geographically dispersed. While none of these operations yet approach the scale of those in Southeast Asia, IJM has observed shifts to other countries over the past two years. Some recent examples:

- December 2024: Nigeria's anti-graft agency announced the arrest of 48 Chinese and 40 Filipino nationals for running an investment scam operation that targeted people mostly from Europe and the Americas. Scam operators recruited Nigerians to prospect for victims online, whom the scammers then tricked into investing in fake crypto schemes.
- June 2024: Interpol coordinated a global operation to disrupt scam operations worldwide, including one in Namibia that forced 88 youths into conducting scams as part of an international scam network.
- October 2023: Malaysian authorities announced that Peruvian police had rescued 43 Malaysian citizens trafficked to Peru who were forced to work in a scam operation.

Pig butchering scammers have also evolved to diversify their business model beyond the “long con” of pig butchering scams (which can take months and even years of developing a relationship before receiving victim payments) to quicker turnaround employment or work-from-home scams that typically yield smaller victim deposits. One such example, a fraudulent job site impersonating a record label offering work-from-home jobs, sent crypto to consolidation wallets where a pig butchering scam also sent funds, as seen in the top left of the graph below. Researchers at cybersecurity company Proofpoint assess with a high degree of confidence that the same actors conducted these seemingly disparate pig butchering and employment scams. Chainalysis was separately able to connect these scam domains on-chain by shared consolidation addresses that Proofpoint had connected.

Though employment scam inflows represented less than 1% of total on-chain value that scams received last year, thousands of people unwittingly paid into fake job platforms and the FBI warned U.S. citizens about these schemes in 2024. Proofpoint attests that many of these platforms are getting savvier, including registering multiple backup domains for every site in case they are taken down. Scam operators are also likely wisening up to the traceability of cryptocurrency, and are now having victims reach out to “customer service” representatives to obtain a crypto address. Some scammers are foregoing cryptocurrency as a payment option altogether and are instead directing scam victims to other payment services.

IJM began seeing instances of work-from-home scams in mid-2023, with paid social media ads using the names of real companies. Since then, it appears tactics have changed to sending targets text messages with vague job details, sometimes pretending to be from legitimate job boards. “These scams are particularly devious because anyone who has put their resume out there and is looking for a job could easily be hooked by these, especially those desperate for work,” says Eric Heintz, global analyst at IJM.

Heintz said that while the scam has a few variations, generally speaking, after the target accepts the “job,” the scammer has them join a platform where they complete tasks and accrue “payments”. In order to withdraw money, the victim must pay a percentage in “tax”, with a lower percentage required if they wait to withdraw large amounts, which causes the victim to lose even more money. The
scam seems to have originally targeted people in Asia and, in 2024, shifted focus to North America and Europe.

“While pig butchering scams garner the most attention, large scam compounds are essentially havens for any type of scam that can be carried out via the internet, and it's not uncommon to have multiple criminal groups operating within the same compound focusing on different scams,” says Heintz.

Growth across the fraud and scam ecosystem

In 2024, on-chain activity indicates that five scam types grew: pig butchering, address poisoning, crypto drainers, livestream, and blackmail/sextortion scams.

In 2024, pig butchering revenue grew nearly 40% YoY and the number of deposits to pig butchering scams grew nearly 210% YoY, potentially indicating an expansion of the victim pool. Conversely, the average deposit amount to pig butchering scams declined 55% YoY. The combination of lower payment amounts and increased deposits could indicate a change in strategy for pig butchering scams. Scammers could be spending less time priming targets, and therefore, receiving smaller payments, in exchange for targeting more victims.

Another destination for heavy scam flows, crypto drainers continued to proliferate and grew across the board: nearly 170% YoY revenue growth, almost 55% YoY increase in deposit size, and 75% YoY growth in number of deposits. Notably, in January of 2024, a drainer posing as the U.S. Securities and Exchange Commission (SEC) prompted users to connect their wallets to claim fake tokens through an airdrop after the SEC's X account was compromised.

Like crypto drainers, address poisoning attacks use on-chain infrastructure to scam victims out of their funds. Scammers pick a target and study their transaction patterns and most frequent counterparties. Using an algorithm, scammers then will generate a
new crypto address similar to one the target interacts with regularly, and send a small transaction from this newly created address to “poison” the target's address book. In 2024, crypto sent to address poisoning scams grew over 15,000%, largely driven by a single massive attack in May. On-chain data shows that address poisoning scammers target users with higher than average wallet balances.

Where scammers send illicit crypto

In the last few years, destinations for scammed funds have remained relatively the same, with most funds going to centralized exchanges (CEXs). But as scams on more blockchains (including Ethereum, Tron, and Solana) have grown, so too has the use of DeFi protocols. Since mid-2023, crypto sent from scams to Huione money laundering services has also grown. Money laundering is just one type of illicit activity the Huione Guarantee platform supports, among a host of services that facilitate scams.

How Huione Guarantee is professionalizing the scam ecosystem

Huione Group, a Cambodian conglomerate known to offer legitimate services like remittances, insurance products, and, for a time, luxury tourism offerings, is also known to facilitate cybercrime. Since 2021, Huione Guarantee, an online forum and P2P marketplace affiliated with Huione Group, has processed $70 billion in crypto transactions.[2] On-chain activity indicates Huione Guarantee is heavily used for illicit crypto-based activities supporting the growing pig butchering industry in Southeast Asia, including the sale of
scam technology products, money laundering services, and much more. Specifically, Huione Guarantee has become a one-stop-shop for illicit actors needing the technology, infrastructure, and resources to conduct scams: assets like targeted data lists, web hosting services, social media accounts and content creation, and AI software. In addition to these offerings, Huione has also bolstered scores of money laundering operations that scammers use to obfuscate their illicit activity. In short, Huione Guarantee has driven and enabled a scam ecosystem that is massive, growing, and interconnected.

A large and growing fraud ecosystem

In 2024, Huione scam technology vendors collectively received at least $375.9 million in cryptocurrency. The chart below examines the types of vendors capitalizing on products and services used to facilitate scams, including, but not limited to AI services, data, infrastructure, and social media management. When comparing crypto flows from 2021 through 2024 based on a compound annual growth rate, Huione scam infrastructure providers' revenue has increased exponentially, with AI service vendors' revenue growing by 1900%, indicating an explosion in the use of AI technology to facilitate scams.
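
Address poisoning, described above under “Growth across the fraud and scam ecosystem”, works because a lookalike address reads the same as a trusted one when only its first and last characters are compared. The Python check below is an added example, not code from the Chainalysis report: it flags incoming transfers from lookalike senders and classifies a recipient before funds are sent. The addresses, the 4-character prefix and suffix thresholds, and the $1 dust cutoff are constructed assumptions.

```python
"""Flag address-poisoning lookalikes among incoming transfers.

Added example: every address, amount and threshold here is constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


def normalize(addr: str) -> str:
    """Lower-case an EVM-style hex address and drop any 0x prefix."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a


def _common_prefix(a: str, b: str) -> int:
    """Number of leading characters two strings share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def lookalike_of(candidate: str, trusted: Iterable[str],
                 min_prefix: int = 4, min_suffix: int = 4
                 ) -> Optional[Tuple[str, int, int]]:
    """Return (imitated_address, prefix_len, suffix_len), or None.

    A candidate is a lookalike when it is not itself trusted but shares at
    least min_prefix leading and min_suffix trailing characters with a
    trusted address, so the two look identical once the middle is elided.
    """
    cand = normalize(candidate)
    trusted_norm = {normalize(t): t for t in trusted}
    if cand in trusted_norm:
        return None  # exact match: the real counterparty
    best = None
    for norm, original in trusted_norm.items():
        p = _common_prefix(cand, norm)
        s = _common_prefix(cand[::-1], norm[::-1])
        if p >= min_prefix and s >= min_suffix:
            if best is None or p + s > best[1] + best[2]:
                best = (original, p, s)
    return best


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    sender: str
    amount_usd: float


@dataclass(frozen=True)
class Alert:
    tx_id: str
    sender: str
    imitates: str
    matched_chars: int
    dust: bool


def scan_incoming(transfers: Iterable[Transfer], address_book: Iterable[str],
                  dust_usd: float = 1.0) -> List[Alert]:
    """Alert on every incoming transfer whose sender imitates a contact."""
    book = list(address_book)
    alerts = []
    for t in transfers:
        hit = lookalike_of(t.sender, book)
        if hit:
            imitated, p, s = hit
            alerts.append(Alert(t.tx_id, t.sender, imitated, p + s,
                                t.amount_usd <= dust_usd))
    return alerts


def check_recipient(addr: str, address_book: Iterable[str]) -> str:
    """Classify a destination before sending: trusted, lookalike or unknown."""
    book = list(address_book)
    if normalize(addr) in {normalize(a) for a in book}:
        return "trusted"
    return "lookalike" if lookalike_of(addr, book) else "unknown"


# Constructed sample data (40 hex characters each, not real addresses).
EXCHANGE = "0xA1b2" + "c3" * 16 + "9F3e"     # regular counterparty
POISON = "0xa1b2" + "7d" * 16 + "9f3e"       # same first 4 and last 4
PREFIX_ONLY = "0xa1b2" + "7d" * 16 + "0000"  # prefix matches, suffix does not
UNRELATED = "0x" + "5e" * 20
ADDRESS_BOOK = [EXCHANGE, "0x" + "11" * 20]
TRANSFERS = [
    Transfer("tx-1", EXCHANGE, 2500.00),
    Transfer("tx-2", POISON, 0.01),
    Transfer("tx-3", PREFIX_ONLY, 0.01),
    Transfer("tx-4", UNRELATED, 40.00),
]

if __name__ == "__main__":
    for alert in scan_incoming(TRANSFERS, ADDRESS_BOOK):
        print(alert)
    print(check_recipient(POISON, ADDRESS_BOOK))
```

Comparing the full normalized string, rather than the truncated form a wallet displays, is what separates the real counterparty from the lookalike.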

AI vendors offer technology that helps scammers impersonate others or generate realistic content that tricks victims into making fraudulent investments. Huione data vendors sell stolen data such as personally identifiable information (PII) that bad actors can exploit for illicit purposes, often with information on “quick kill” targets (i.e., potential victims who are most susceptible to being scammed). Web infrastructure providers offer technology services like website hosting and mechanisms to bypass authentication on app stores, which lend credence to fake websites and apps used to scam victims. Additionally, services that facilitate mass text message marketing help scammers extend their reach across the globe to a wider set of potential victims. As for social media services, scammers can boost the legitimacy of their campaigns by leveraging services that enhance the clout of their social media accounts. The growth in data vendors, while lower than that of AI service vendors, has still seen exponential increases in inbound funds YoY.

[2] These numbers include the platforms Huione Guarantee, Huione Pay, and all vendors advertising through Huione platforms.

Generative AI software: Creating fake personas for scammers

While generative AI can accelerate legitimate innovation, it can also make scams more scalable and affordable for bad actors to conduct. “GenAI is amplifying scams, the leading threat to financial institutions, by enabling high-fidelity, low-cost, and highly scalable fraud that exploits human vulnerabilities,” says Elad Fouks, head of fraud products at Chainalysis and co-founder of Alterya. “It facilitates the creation of synthetic and fake identities, allowing fraudsters to impersonate real users and bypass identity verification controls.” In fact, Alterya found that 85% of scams involve fully verified accounts that bypass traditional identity-based solutions.

“Additionally, GenAI enables the generation of realistic fake content, including websites and listings, to power investment scams, purchase scams, and more, making these attacks more convincing and harder to detect,” said Fouks. With this technology, scammers can deceive targets into authorizing payments under false pretenses, often known as authorized push payment (APP) fraud.

The Huione Guarantee platform hosts dozens of software vendors that provide generative AI technology to facilitate scams. As we see below, one AI vendor on Huione Guarantee advertises AI “face-changing services” for $200 worth of crypto.

On-chain analysis reveals multiple payments sent to the above AI software vendor were consistent with the purchase price, indicating the counterparties are likely AI software buyers and potential scammers. These buyers likely made these purchases after seeing the vendor's advertisements on Huione Guarantee.

On-chain analysis, visualized below in Chainalysis Reactor, shows AI Software Buyer 4 first received pig butchering scam proceeds on October 25, three days after its AI software purchase on October 22, and another scam proceeds payment nine days later, on October 31. This narrow timeframe highlights how quickly scammers are likely leveraging Huione Guarantee's technology vendors to execute their scams against their victims.

This example aligns with a cyclical pattern observed among Huione AI software vendors and five major pig butchering scams with on-chain exposure to Huione Guarantee. When Huione AI software vendors see higher inflows, 2-11 days later, inflows rise for the pig butchering scams observed. Subsequently, 20-27 days after that increase, inflows to Huione AI software vendors rise again, indicating that scammers are likely reinvesting scam proceeds into AI technology to execute new scams.

Last year, Huione launched a blockchain project called Xone, as well as its own USD-pegged stablecoin called “USDH”. Both entities are touted as unblockable and unrestricted by traditional regulatory agencies, likely to overcome asset seizure and freeze. Whether XOC or USDH will become Huione's preferred means of trading remains to be seen. USDH is currently only available via Huione-affiliated websites, and according to an announcement in October 2024, the Huione Chain team is working with mainstream exchanges to allow the listing of USDH on trading platforms.

The interconnected nature of Huione vendors

A review of on-chain activity in the past year reveals the extent to which Huione vendors used each other's services. The chart below shows the scale of this great degree of interconnectedness based on transfers within the Huione Guarantee platform.

When examining on-chain interactions in 2024 among vendors and scams on the Huione platform, the chord diagram above shows 2,345 transfers among scams, infrastructure providers, social media management services, AI service vendors, and data
vendors. Given the larger width of the colored bands between infrastructure providers and social media management services, those two vendor types had the highest transaction activity in the group, sending funds mostly to each other, indicating frequent use of one another's services. Scams had moderate transaction activity, paying primarily for social media management services, as did data vendors and AI service vendors, which had the lowest amount of transfers and interaction with the other entities.

Crypto ATMs: A risk vector for fraud payments

Crypto automatic teller machines (ATMs) (also known as Bitcoin ATMs or crypto kiosks) allow users to buy and sell cryptocurrency using an ATM, and have been around for over a decade. While crypto ATMs are used for legitimate purposes, they are also popular among scammers, and in the last few years, the FBI has received thousands of reports about cybercriminals using crypto ATMs to receive payouts for scams.

To receive funds from their victims, scammers often impersonate tech and customer support personnel as well as government officials. In the tech scam scenario, the common tactic is urgency: the victim must act quickly to solve an imminent personal crisis by withdrawing cash from their bank and depositing it into a crypto ATM.

Since 2020, the Federal Trade Commission (FTC) has seen a tenfold increase in funds lost in the United States to scammers using crypto ATMs, according to reports from consumers. The FTC found that in just the first six months of
2024, these losses exceeded $65 million with a median reported loss of $10,000 per individual.

Crypto ATM scam case study

Last year, a target living in the Midwest fell prey to a tech support scam in which scammers extracted payment via Bitcoin ATM. The victim had purchased a new laptop compromised by malware. When the victim began using the computer, a malware-initiated popup explained that a virus had infected it, and included a number to call for assistance, which led to a scammer impersonating Microsoft tech support. Ultimately, the scammer convinced the victim that $15,000 was required to resolve the issue.

The Reactor graph below shows three deposits the victim made at three Bitcoin ATMs, as instructed by the scammer. After ATM fees, the $15,000 totaled roughly $13,000 on-chain. Upon reflection, before the transactions were even confirmed, the victim returned home and reported the situation to local authorities.

Using Chainalysis, investigators found that the scammer sent $13,100 from the original deposit address (Scam address 1) to an intermediary address (Scam address 2) and then onward to an instant exchange where they converted the funds to USDT (Scam address 5). The county sheriff's department referred the case to state investigators and an FBI field office, and using the evidence gathered on-chain, brought the case to county court where the scammer was tried in absentia. After a guilty verdict was issued, authorities initiated the recovery process with Tether.

When it comes to reporting crypto scams, time is of the essence, and the victim's quick action helped positively influence the outcome of this case. It's also key that law enforcement agencies have the knowledge and capabilities to investigate crypto crime.

Loss from crypto ATM scams

The FBI's Internet Crime Complaint Center (IC3) urges U.S. citizens to report all cyber-enabled crime. Using this data, the agency investigates these crimes, observes criminal trends, attempts to mitigate loss for victims, and works to prevent future cybercrime. IC3's 2023 Elder Fraud Report disclosed that it had fielded over 15,000 scam complaints from people
over 60, over 2,000 of which involved crypto ATMs. According to the report, “The use of cryptocurrency ATMs and kiosks has continued to increase as a payment mechanism, especially among Tech and Customer Support, Government Impersonation, and Confidence/Romance scams.”

The FBI's 2023 Cryptocurrency Fraud Report also highlights the increasing prevalence of crypto ATM scams, reporting losses totaling $124.3 million that same year. And since 2020, 43% of crypto-related suspicious activity reports (SARs) have been tied to crypto ATMs, according to a 2024 report by the Financial Crimes Enforcement Network.

The push toward crypto ATM legislation

AARP, an organization dedicated to empowering people as they age, works to educate its audience about the risks of cryptocurrency scams and advocates for stronger consumer protections. Scams involving crypto ATMs are in the top 10 complaints the AARP Fraud Watch Network receives; on average, it fields three to four of these reports daily. Victim profiles transcend gender, and AARP often sees losses totaling in the tens of thousands of dollars or more. While the organization urges victims to submit their own reports via IC3 or local law enforcement, it also shares data with the FTC's Consumer Sentinel Network, and has strong law enforcement partnerships.

AARP explained that asset recovery for victims of crypto ATM scams is challenging for a few reasons:

1. Currently, no one is able to retrieve cash from a crypto ATM once a deposit is made, because transactions are irreversible.
2. Business owners with crypto ATMs in their stores can be uneducated about the purpose of these machines, and powerless to help customers who need assistance.
3. Police forces are generally not equipped to assist victims of crypto-related crimes, let alone those tied to crypto ATMs, because of a lack of training and resources.

In addition to these challenges, the biggest problem AARP sees with crypto ATMs is the lack of friction around their deployment and usage. When crypto ATM vendors approach business owners about installing crypto ATMs at their locations, vendors not only promise the machine will increase traffic to the store, they assure owners they will not have to maintain the ATM.

When it comes time for consumers to use these machines, friction is nearly non-existent in that process, too. Crypto ATMs are often placed in the back corner of convenience, liquor, or vape stores, and have few of the protections or security of fiat currency ATMs like cameras and daily transaction limits. Guidance about what the machines are for, and the risks associated with them, is also limited. Amy Nofziger, AARP Fraud Watch Network's director of victim support says, “There needs to be more transparency for business owners about what crypto ATM machines are used for and the risks they pose.”

Francoise Cleveland, government affairs director at AARP, agrees. One victim calling the Fraud Watch Network Helpline had so much cash to deposit that it took her two hours. Cleveland said, “On noticing her discomfort, rather than raising concern about what she was doing, employees offered her a chair so she could sit down while she finished making her deposit.” In another case, a victim who had fallen prey to a scam was robbed as he approached a crypto ATM to make a deposit. Cleveland also learned of a scammer who
pretended to be the owner of a store in which a crypto ATM was located and compelled one of the store's employees to withdraw $3,000 from the register and deposit it into the machine.

Clark Flynt-Barr, government affairs director, financial security at AARP says, “While education is important, we can't educate our way out of this problem, but change is possible by putting regulation in place to protect consumers.” She says that while some crypto ATM providers have tiered compliance programs, others are not compliant with federal regulations and aren't doing as much as they should to prevent victim loss. Flynt-Barr pointed to the example of MoneyGram and Western Union, formerly preferred channels for criminal wire transfers, and how protections the U.S. government enacted to help consumers made a difference.

As AARP advocates for consumer protections around crypto ATMs, here are some measures the organization believes could mitigate crime in the US:

- Crypto kiosk operators could flag an address for investigation that has received funds from crypto ATMs several times in a few hours.
- Lawmakers could:
  - Implement daily transaction limits, in particular for new customers, to limit the potential losses to fraud.
  - Require that crypto ATM operators refund fees associated with fraudulent transactions.
  - Require that all crypto ATMs include disclosures about how much fees cost, exchange rates, and warnings that criminals sometimes use the technology to facilitate scams.
  - Introduce some of the controls around crypto ATMs that exist around ATMs.

In September of 2024, the U.S. Senate Committee on the Judiciary sent a letter endorsed by seven senators to the 10 largest crypto kiosk providers, urging those companies “to take immediate action to address troubling reports that your Bitcoin ATMs (BTMs) are contributing to widespread financial fraud against elderly Americans.”

Meanwhile, several states have been working to enact legislation to protect consumers from scams facilitated by crypto ATMs. States like California and Vermont passed daily transaction limits of $1,000. Many states are requiring that vendors register as money transmitters in the state, enacting fee regulations, and requiring written disclosure notices both for business owners where kiosks are installed, and any consumers using them. So far, the most restrictive legislation comes from New Jersey, proposing a statewide ban on crypto ATMs. Here's a list of
crypto ATM legislation that some states have passed:

States that have passed crypto ATM legislation

State | Bill | Status
CA | Digital Financial Assets Law: Information for Kiosk Operators | Effective, 01/01/24
CT | 5211: An act concerning virtual currency and money transmission | Passed, 01/06/24
MN | New Minnesota crypto law goes into effect to protect consumers against fraud | Effective, 08/01/24
VT | 110: An act relating to banking, insurance, and securities | Effective, 07/01/24

As for regulatory measures in Europe, Markets in Crypto-Assets Regulation (MiCA) went into effect last year and reinforces existing EU and national anti-money laundering (AML) laws. Ahead of MiCA's rollout, last year, French regulators, including the French Financial Markets Authority (AMF) and the Paris inter-regional jurisdiction (JIRS), conducted search and seizure operations targeting unregistered crypto ATMs amid concerns they were being
used for money laundering. French law dictates that these ATMs must be registered as digital asset service providers.

German authorities have also been cracking down on unregistered crypto ATMs. In August of 2024, Germany's Federal Financial Supervisory Authority (BaFin) seized roughly 25 million from unregistered crypto ATMs across the country. Similarly, in September of 2024, the UK's Financial Conduct Authority (FCA) charged an individual living in London for operating crypto ATMs without FCA registration. This operation was part of an ongoing effort by UK authorities to disrupt unregistered crypto ATMs, first announced in 2022.

In Türkiye, the Capital Markets Law was amended to include crypto assets in July 2024, which required that all crypto ATMs end operations within three months of the law coming into effect, i.e., by October 2024. It was further clarified that those that failed to comply would be shut down by the local authorities, with penalties for continued operations.

Across APAC, a number of regulators, such as in Singapore and Malaysia, have also taken steps to prohibit the operation of crypto ATMs. In Hong Kong, crypto ATMs would fall within the scope of the planned regulatory framework for OTC crypto businesses, which would include AML/CFT requirements. In Australia, the country which reportedly hosts the world's third highest number of crypto ATMs, the Australian Transaction Reports and Analysis Centre (AUSTRAC) has announced plans to tighten monitoring of crypto ATM providers.

As broader cryptocurrency regulation evolves worldwide, the question of who should be liable when victims are scammed is increasingly entering the conversation. For instance, the UK introduced legislation requiring that crypto businesses compensate victims of APP fraud facilitated by these platforms. Other countries are requiring firms to take more responsibility for frauds such as hacks. The policy landscape may be shifting towards making stakeholders more accountable across all fronts.

In the absence of regulation and compliance, crypto ATMs remain a well-known risk vector for illicit activity. The good news is their transactions are also transparent and traceable.

Global enablement, collaboration, and regulation are keys to fraud prevention

The analysis of 2024's crypto scams reveals a complex and evolving landscape. Platforms like Huione Guarantee enable the sophistication and professionalization of the scam ecosystem, and highlight the persistent and adaptive nature of these illicit activities. The potential of AI technology to exponentially scale crypto scams further adds to the challenges associated with combating these crimes.

Both fraud detection and compliance rely on granular, real-time data. Combining Alterya's AI-powered fraud detection with the Chainalysis blockchain intelligence platform will enhance visibility into potential scam-related transactions, improving fraud prevention and enforcement capabilities. As scams continue to evolve, investigators need access to deeper intelligence, faster insights, and specialized expertise to detect and disrupt these emerging threats.

Efforts to combat scams must focus on both prevention and enforcement, requiring stronger investigative resources and greater enablement of government agencies and local authorities. Regulatory measures, such as those discussed for crypto ATMs, play a role in mitigating scam risk and protecting consumers. But effective disruption also requires collaboration between law enforcement, regulators, and the private sector.

A recent example is Operation Spincaster, a Chainalysis-led initiative that brings together public and private sector organizations to disrupt and prevent scams. Through our advanced blockchain tracing capabilities, data and targeted training, investigators identified and traced thousands of compromised wallets amounting to over $187 million in losses, demonstrating how a coordinated, intelligence-led ecosystem approach can disrupt scam infrastructure and support victims.

Combatting crypto scams at scale requires sustained efforts from government agencies, regulators and organizations. Chainalysis works alongside these organizations to build investigative capacity, enhance intelligence, and empower investigators with the technology needed to stay ahead of emerging threats.

Stolen Funds

$2.2 Billion Stolen from Crypto Platforms in 2024, but Hacked Volumes Stagnate Toward Year-End as DPRK Slows Activity Post-July

Crypto hacking remains a persistent threat, with four years in the past decade individually seeing more than a billion dollars' worth of crypto stolen (2018, 2021, 2022, and 2023). 2024 marks the fifth year to reach this troubling milestone, highlighting how, as crypto adoption and prices rise, so too does the amount that can be stolen.

In 2024, funds stolen increased by approximately 21.07% year-over-year (YoY) to $2.2 billion, and the number of individual hacking incidents increased from 282 in 2023 to 303 in 2024.

Interestingly, the intensity of crypto hacking shifted about halfway through the year. In our mid-year crime update, we noted that cumulative value stolen between January 2024 and July 2024 had already reached $1.58 billion, approximately 84.4% higher than the value stolen over the same period in 2023. As we see in the chart below, through the end of July, the ecosystem was easily on track for a year that could rival the $3 billion+ years of 2021 and 2022. However, 2024's upward trend slowed considerably after July, after which it remained relatively steady. Later, we'll explore a potential geopolitical reason for this change.

In terms of amount stolen by victim platform type, 2024 also saw interesting patterns. In most quarters between 2021 and 2023, decentralized finance (DeFi) platforms were the primary targets of crypto hacks. It's possible that DeFi platforms were more vulnerable because their developers tend to prioritize rapid growth and bringing their products to market over implementing security measures, making them prime targets for hackers.

Although DeFi still accounted for the largest share of stolen assets in the first quarter of 2024, centralized services were the most targeted in Q2 and Q3. Some of the most notable centralized service hacks include DMM Bitcoin (May 2024; $305 million) and WazirX (July 2024; $234.9 million).

This
shift in focus from DeFi to centralized services highlights the increasing importance of securing mechanisms commonly exploited in hacks, such as private keys. Private key compromises accounted for the largest share of stolen crypto in 2024, at 43.8%. For centralized services, ensuring the security of private keys is critical, as they control access to users' assets. Given that centralized exchanges manage substantial amounts of user funds, the impact of a private key compromise can be devastating; we only have to look at the $305 million DMM Bitcoin hack, which is one of the largest crypto exploits to date, and may have occurred due to private key mismanagement or lack of adequate security.

After compromising private keys, malicious actors often launder stolen funds by funneling them through decentralized exchanges (DEXs), mining services, or mixing services to obfuscate the transaction trail and complicate tracing. In 2024, we can see that the laundering activity of private key hackers differs meaningfully from that of hackers exploiting other attack vectors. For instance, after stealing private keys, these hackers often turned to bridges and mixing services. For other attack vectors, DEXs were more popular for laundering.

Keep reading to learn more about crypto hacking trends in 2024, the DPRK's activities, and Hexagate's use of machine learning models to proactively detect suspicious hacking behaviors, a capability recently acquired by Chainalysis.

In 2024, North Korean hackers stole more from crypto platforms than ever before

Hackers linked to North Korea have become notorious for their sophisticated and relentless tradecraft, often employing advanced malware, social engineering, and cryptocurrency theft to fund state-sponsored operations and circumvent international sanctions. U.S. and international officials have assessed that Pyongyang uses the crypto it steals to finance its weapons of mass destruction and ballistic missiles programs, endangering international security.

In 2023, North Korea-affiliated hackers stole approximately $660.50 million across 20 incidents;
in 2024, this number increased to $1.34 billion stolen across 47 incidents, a 102.88% increase in value stolen. These figures represent 61% of the total amount stolen for the year, and 20% of total incidents.

Note that, in last year's report, we published that the DPRK stole $1.0 billion across 20 hacks. Upon further investigation, we determined that certain large hacks we had previously attributed to the DPRK are likely no longer related, hence the decrease to $660.50 million. However, the number of incidents remains the same, as we identified other smaller hacks attributed to the DPRK. We aim to constantly re-evaluate our assessment of DPRK-linked hacking events as we acquire new on-chain and off-chain evidence.

Unfortunately, it appears that the DPRK's crypto attacks are becoming more frequent. In the below chart, we examined the average time between successful DPRK attacks depending on the size of the exploit and found that there was a decline YoY in attacks of all sizes. Notably, attacks between $50 and $100 million, and those above $100 million occurred far more frequently in 2024 than they did in 2023, suggesting that the DPRK is getting better and faster at massive exploits. This is in stark contrast to the previous two years, during which its exploits more often each yielded profits below $50 million.

When examining the DPRK's activity in comparison to all other hacks we measured, it is clear that the DPRK has been consistently responsible over the last three years for most
large-size exploits. Interestingly, the DPRK's dominance of the high end of the exploitation ladder continued in 2024, but there is also a growing density of DPRK hacks at lower amounts, most notably around $10,000 in value.

Some of these events appear to be linked to North Korean IT workers, who have been increasingly infiltrating crypto and Web3 companies, and compromising their networks, operations, and integrity. These workers often use sophisticated Tactics, Techniques, and Procedures (TTPs), such as false identities, third-party hiring intermediaries, and manipulating remote work opportunities to gain access. In a recent case, the U.S. Department of Justice (DOJ) indicted 14 DPRK nationals who obtained employment as remote IT workers at U.S. companies and generated more than $88 million by stealing proprietary information and extorting their employers.

To mitigate these risks, companies should prioritize thorough employment due diligence, including background checks and identity verification, while maintaining robust private key hygiene to safeguard critical assets, if applicable.

Although all of these trends suggest a very active year for the DPRK, most of its exploits occurred at the beginning of the year, with overall hacking activity stagnating in Q3 and Q4, as shown in this chart from earlier.

In late June 2024, Russian President Vladimir Putin and North Korean leader Kim Jong Un met in Pyongyang at a summit to sign a mutual defense pact. So far this year, their growing
alliance has been marked by Russia releasing millions of dollars in North Korean assets previously frozen in compliance with UNSC sanctions. Meanwhile, North Korea has deployed troops to Ukraine, supplied Russia with ballistic missiles, and reportedly sought advanced space, missile, and submarine technology from Moscow.

If we contrast the average daily value lost from DPRK exploits before and after July 1, 2024, we can see a significant decrease in the amount of value stolen. Specifically, as shown in the chart below, amounts stolen by the DPRK dropped by approximately 53.73% after the summit, whereas non-DPRK amounts stolen rose by approximately 5%. It is therefore possible that, in addition to redirectin