Testifying in the US Congress as early as 1989, financial crime expert Charles A. Intriago noticed that “every time rules […] undertakes a new effort, money launderers appear to be one step ahead of the cash cops”. The arms race between criminals and those who want to stop them is such that the old adage “prevention is better than cure” is increasingly true today, as new developments lead to new and ingenious money laundering techniques.
Being at the forefront of helping businesses and agencies detect crypto crime, Elliptic routinely investigates emerging trends in how criminals are using crypto for illicit activities.
The goal is that, when detected early, preventive measures against these trends have a better chance of success. Since 2013, we have tracked how crypto crime has gravitated from traditional cryptoassets such as Bitcoin to decentralized finance, and from non-fungible tokens (NFTs) to metaverse gaming.
When we ask “what’s next,” we routinely encounter the same pattern of criminal activity: as one means of crime is thwarted through the act of enforcement, criminals gravitate to the next best alternative means of committing said crime where no such measure exists to stop them.
This pattern is called “crime shifting,” or crime displacement, and its existence in the cryptoasset ecosystem is evident through recent sanctions and seizures against illegal crypto entities. As much as the phenomenon exists in physical crimes, it’s even easier in borderless digital settings.
How Cryptocrime Displacement Works: The Case of North Korea
Take, for example, the Lazarus Group – a North Korean state-backed cyber hacking organization that was recently confirmed to be responsible for stealing nearly $240 million in cryptoassets from four crypto entities, and is suspected of carrying out a fifth attack, on CoinEx.
Previously, the organization used numerous crypto services, such as the decentralized mixer Tornado Cash and the Ethereum-Bitcoin bridge RenBridge, to launder the proceeds of its crypto heists. At the peak of its activities, Elliptic published analysis of RenBridge, linking it to the laundering of over $500 million worth of illegal cryptoassets.
However, by the end of 2022, neither Tornado Cash nor RenBridge was operating normally. Tornado Cash was subject to US sanctions in August 2022, massively reducing the crucial liquidity that was needed to efficiently launder large amounts of funds. RenBridge, meanwhile, went out of business after Alameda Research – its main financial backer – collapsed in the high-profile FTX debacle in November 2022.
Anticipating the crime displacement effect, Elliptic conducted and released research on services that could replace Tornado Cash. Indeed, one of the services we identified – a DeFi anonymity-enhancing service called Railgun – was then used by the Lazarus Group in an attempt to obscure its stolen funds.
Lacking Tornado Cash’s liquidity, the move proved unsuccessful – effectively leaving the organization where it started. This represents a success in early identification of potential criminal displacement opportunities.
So what’s next?
Cross-Chain Crime: The Next Frontier of Crypto Crime Displacement
As with the Lazarus Group, illicit actors involved in all forms of crime have been affected by the shutdown of Tornado Cash and other anonymity-enhancing services such as Blender.io (sanctioned April 2022) and ChipMixer (seized in March 2023).
Elliptic’s internal analysis ultimately determined that all of these criminals are gravitating to cross-chain crime – in some cases to alarming proportions. The Lazarus Group’s cross-chain activities, for example, have doubled in the past year.
Cross-chain crime – otherwise known as “chain-” or “asset-hopping” – refers to the rapid and anonymous exchange of cryptoassets between or across blockchains for different cryptoassets. It often happens using services such as decentralized exchanges (DEXs), cross-chain bridges (such as RenBridge) or coin exchange services (centralized exchanges that do not require you to create an account).
Take the case below, for example, which shows the Lazarus Group swapping stolen Bitcoins from one blockchain to another – only to end up with Bitcoin again – using cross-chain bridges.
A cross-chain bridge is a DeFi protocol that can exchange user funds – without know-your-customer (KYC) requirements – across blockchains, making them difficult to trace. This string of transactions – which is one of many combinations they used – serves no legitimate business purpose other than obfuscating the transaction trail.
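One way an investigator could flag the round-trip pattern described above (funds that cross a bridge and end in the asset they started from) is shown here as an added example; it is not Elliptic's code or method. The `Hop` record, its field names, the thresholds and the sample hops are constructed assumptions, and the hops are assumed to have already been linked into traces by upstream fund tracing.

```python
from collections import defaultdict
from typing import NamedTuple

class Hop(NamedTuple):          # hypothetical record produced by upstream tracing
    trace_id: str               # ID linking hops that move the same funds
    ts: int                     # unix seconds
    service: str                # "bridge", "dex" or "swap"
    src: tuple                  # (chain, asset) before the hop
    dst: tuple                  # (chain, asset) after the hop

def find_round_trips(hops, min_hops=2, max_window_s=86400):
    """Return {trace_id: path} for linked hops that cross a bridge and
    end in the same (chain, asset) they started from within the window."""
    by_trace = defaultdict(list)
    for h in hops:
        by_trace[h.trace_id].append(h)
    flagged = {}
    for trace_id, items in by_trace.items():
        items.sort(key=lambda h: h.ts)
        run = []
        for h in items:
            # A run is contiguous: each hop spends the previous hop's output.
            run = run + [h] if run and run[-1].dst == h.src else [h]
            for i in range(len(run) - min_hops + 1):
                seg = run[i:]
                if (seg[0].src == h.dst
                        and h.ts - seg[0].ts <= max_window_s
                        and any(s.service == "bridge" for s in seg)):
                    flagged[trace_id] = [seg[0].src] + [s.dst for s in seg]
                    break
    return flagged

BTC, WRAPPED, ETH = ("bitcoin", "BTC"), ("ethereum", "wrapped-BTC"), ("ethereum", "ETH")
USDC = ("ethereum", "USDC")
SAMPLE_HOPS = [  # constructed sample data, not real transactions
    Hop("T1", 0, "bridge", BTC, WRAPPED),
    Hop("T1", 1000, "dex", WRAPPED, ETH),
    Hop("T1", 2000, "bridge", ETH, BTC),      # back to BTC: flagged
    Hop("T2", 0, "bridge", BTC, WRAPPED),     # one-way move: not flagged
    Hop("T3", 0, "dex", ETH, USDC),
    Hop("T3", 500, "dex", USDC, ETH),         # same-chain trade, no bridge
]

if __name__ == "__main__":
    for trace, path in find_round_trips(SAMPLE_HOPS).items():
        print(trace, " -> ".join(f"{a}@{c}" for c, a in path))
```

A flag from this heuristic is a lead for review rather than proof of laundering, since the time window and minimum hop count are tunable assumptions.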
To demonstrate this trend at a more aggregate level, the chart below shows the comparative value of illicit cryptoassets laundered through mixers versus cross-chain bridges over time. This highlights how crypto crime has gravitated towards cross-chain options in recent months.
Significant monthly shifts show the displacement of crime in action. The August 2022 mixer usage spike corresponds to Tornado Cash being sanctioned. A short recovery in mixers by the end of the year corresponds to the shutdown of RenBridge, and a second decline in mixer usage in March 2023 corresponds to the seizure of ChipMixer by Europol. As of July 2023, illegal use of mixers has remained minimal relative to bridges and has not (yet) recovered.
Why are criminals “switching” to cross-chain methods?
There are a number of reasons why cross-chain crime is the worrying beneficiary of crime displacement. First, the proceeds of crypto crime are increasingly generated in lesser-known cryptoassets, such as DeFi protocol-specific tokens that can only be exchanged through cross-chain or cross-asset services. Second, most of these services – be they DEXs, cross-chain bridges, or coin exchange services – do not require identity verification to use.
Finally and perhaps most importantly, criminals are aware that legacy blockchain analytics solutions do not have the means to track illicit blockchain activity across blockchains or tokens in a programmatic or scalable manner. Many of these solutions are designed with traditional crypto crime in mind, which typically involves a single asset, such as Bitcoin or Ether.
How to stay ahead of cross-chain crime
When we identify new trends in crypto crime, we also want to find ways to equip the relevant companies or agencies with the means to tackle them. That’s why Elliptic pioneered holistic blockchain analytics solutions – an industry first – so that investigators can programmatically monitor cross-chain criminal activity at scale.
Our inaugural 2022 State of Cross-Chain Crime report found that cross-chain methods have already been used to launder over $4 billion worth of funds – highlighting the need to scale and automate what were once complex, manual and time-consuming cross-chain investigations.
Beyond solving cases and reuniting crime victims with their cryptocurrency, there is a greater benefit to holistic technology that can allow investigators to effectively police the very face of crypto crime.
As the example with Railgun showed, forcing criminals to move away from their previous money laundering methods can lead them to alternatives that simply don’t work. Holistic blockchain analytics is our primary weapon in this arms race with criminals, used to tactically provoke a shift away from cross-chain solutions.
By doing this, we can prevent them from using services like DEXs or bridges and instead force criminals to a narrower set of alternatives that are easier to detect, more expensive to use, and less effective for large-scale laundering. That way, we can do our best to ensure that cryptocurrency remains accessible and safer for everyone.
Learn more
Our upcoming 2023 State of Cross-Chain Crime report – an update to our inaugural 2022 publication – contains case studies of the latest cross-chain typologies and trends that professionals need to be aware of.
It also contains a comprehensive manual on how to use holistic blockchain analytics tools to solve cross-chain cases, often in just one or a few clicks. Pre-register here to receive a copy of the report as soon as it is published.
Want to learn more about holistic blockchain analytics? Check out this page or contact us for a demo.