In recent months, financial sector regulators and watchdogs around the world have been focusing increasing attention on money laundering risks related to decentralized finance (DeFi).
In April, the US Treasury released its first DeFi Illicit Funding Risk Assessment, which raised a number of concerns about the ability of illegal actors to abuse DeFi protocols. Over the past year, the Financial Action Task Force (FATF) has also warned that the growth of the DeFi sector could offer new opportunities for money laundering.
Regulators increasingly expect that virtual asset service providers (VASPs) – such as exchanges – should be able to detect money laundering activity involving the DeFi space.
In this article, we describe some of the key money laundering risks related to DeFi and explore how Elliptic’s unique holistic screening capabilities can enable compliance teams at VASPs and other financial institutions to detect these risks.
Decentralized Exchanges (DEX)
Decentralized exchanges (DEXs) play a key role in the DeFi ecosystem, providing liquidity to markets by enabling the fast and seamless exchange of thousands of tokens. Unlike centralized exchange services, DEXs do not involve an intermediary taking custody of funds, but instead rely on smart contracts to automate the exchange of cryptoassets among liquidity participants. Major DEXs such as Uniswap, dYdX and PancakeSwap now facilitate trading volumes that rival those of some large centralized exchanges.
The growth of activity on DEXs has been central to the evolution and maturation of the DeFi ecosystem. DEXs are mostly used for legitimate purposes. Unfortunately, bad actors have also tried to exploit the growth of DEXs to launder funds from various crimes, including hacking and cyber theft.
Illegal actors—including North Korean cybercriminals—may find DEXs attractive for money laundering purposes, especially since users generally do not have to provide know-your-customer (KYC) information when dealing with DEXs.
DEXs can prove especially valuable to hackers who steal tokens and stablecoins from centralized crypto exchanges or from other DeFi protocols. Certain tokens and stablecoins are designed to be reversible: their smart contracts allow transactions to be reversed if, for example, a law enforcement agency seeks to recover assets suspected of being involved in crime.
To overcome this reversibility, criminals holding tokens and stablecoins of illicit origin often try to exchange them on DEXs for Ether, since transactions in Ether cannot be reversed.
In its DeFi risk assessment, the US Treasury Department also notes that illegal actors “may choose to exchange their illegal earnings for several different assets, sometimes using different DEXs to achieve better conversion rates and diversify their money laundering methods.” These asset-to-asset swaps therefore become a critical step in the money laundering process.
One case that highlighted this money laundering technique occurred in September 2020, when cybercriminals – later found to be linked to North Korea’s hacking organization, the Lazarus Group – hacked the KuCoin crypto exchange in Singapore.
Following the theft of more than $150 million worth of tokens and stablecoins, Elliptic’s investigation into the case revealed that the hackers attempted to launder the funds through numerous DEXs, where they exchanged the stolen tokens and stablecoins for Ether.
Cross-chain bridges
In addition to swapping assets on DEXs to avoid seizure of their assets, illegal actors can try to launder funds through the DeFi ecosystem by moving funds from one blockchain to another. By moving funds from one ledger, such as the Bitcoin blockchain, to another ledger, such as the Ethereum blockchain, criminals aim to obscure the transaction trail and elude investigators.
This is a typology of money laundering known as “chain-hopping”. As the US Treasury notes in its DeFi Risk Assessment: “Chain-hopping can make it difficult […] to monitor financial transactions or for service providers to detect whether incoming funds are linked to illicit activities.”
Chain-hopping has become increasingly feasible through the emergence of cross-chain bridges, or protocols that enable the seamless transfer of value across different blockchains.
Bridges have been critical to the growth of the DeFi space because they allow users to move value across blockchains to access DeFi applications. For example, if a Bitcoin user wants to buy NFTs issued on Ethereum, they can effectively convert their Bitcoin to Ether without having to rely on a central party.
But, as with other innovations, criminal actors are increasingly exploiting bridges.
For example, ransomware attackers most often receive payments from victims in Bitcoin, but once they are in possession of these funds, they must try to disguise their origin. Elliptic’s research identified instances where ransomware attackers used cross-chain bridges to move their funds from Bitcoin to the Ethereum blockchain.
In the second quarter of 2022 alone, affiliates of the Ryuk ransomware campaign laundered more than $35 million in cryptocurrency through RenBridge, a cross-chain service that Elliptic’s research shows processed illicit earnings totaling more than $540 million from various illegal actors in a period of less than two years.
DeFi mixers
When laundering money through the DeFi ecosystem, illicit actors have also abused crypto mixers and other privacy-enhancing services in an attempt to disguise the origin of their funds.
Mixers in the DeFi space have the same impact as mixers on the Bitcoin blockchain, but with a twist. Because they operate using smart contracts on Ethereum and other blockchains, DeFi mixers cannot be dismantled or taken down; they will continue to run on the blockchain as long as users interact with their smart contracts.
The biggest mixer in operation in the DeFi space so far has been the Tornado Cash mixer, which runs on Ethereum and other blockchains.
In August 2022, the US Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash because North Korea’s Lazarus Group used the mixer to launder funds from its cybercriminal activities. Elliptic’s research found that illegal actors laundered more than $1.5 billion through Tornado Cash, of which North Korea accounted for more than $455 million.
Following OFAC’s sanctions on Tornado Cash, North Korea has been looking for alternatives to conceal its illegal activity in DeFi. In January 2023, North Korea used a DeFi service known as Railgun to launder funds from the hack of the Harmony Horizon Bridge, the cross-chain bridge from which the Lazarus Group stole $100 million.
Combining these money laundering methods
As illegal actors have become more adept at exploiting the DeFi ecosystem to launder funds, they have increasingly relied on a number of the methods described above in tandem.
For example, in November 2022, approximately $477 million in various Ethereum-based tokens were stolen from the FTX crypto exchange a day after it declared bankruptcy. Elliptic’s investigation at the time revealed that the stolen tokens were exchanged on DEXs for Ether. The thief then used Ether to buy RenBTC, a token used to move funds to the Bitcoin blockchain via RenBridge.
In another case in March 2022, the Lazarus Group stole more than $540 million in cryptoassets from Axie Infinity’s Ronin Bridge. After stealing the funds, the Lazarus Group converted the USDC stablecoins they stole into Ether on DEXs and then laundered the Ether through Tornado Cash.
Using holistic screening to identify and manage risks
Although illegal actors are becoming more sophisticated in their efforts to launder crypto-assets through the world of DeFi, blockchain transparency offers compliance teams at VASPs and financial institutions the ability to identify funds associated with DeFi-related laundering.
At Elliptic, we have developed a unique set of capabilities known as Holistic Screening that enable compliance teams to identify whether their clients’ wallets and transactions involve exposure to high-risk activities, even when funds are laundered through services such as DEXs and cross-chain bridges.
Holistic screening equips compliance teams with next-generation capabilities to efficiently and effectively identify money laundering chain typologies and take appropriate steps to manage risks.
To understand the importance of using blockchain analytics powered by Holistic Screening, consider the following example.
Let’s assume that Alice is a customer of a VASP and deposits Ether into her account with the VASP. Using legacy blockchain analytics solutions that take a single-asset view of risk, the VASP’s compliance team can review this Ether transaction and determine that there are no money laundering risk indicators.
However, using Elliptic’s Holistic Screening capabilities, the same compliance team would come to a different understanding of risk. In the same scenario, the compliance team would identify that Alice’s Ether was in fact obtained from a DEX, where she received the funds in exchange for the stablecoin Tether. An analysis of the Tether’s sources indicates that Alice’s funds ultimately originate from cybercriminal activity.
In this case, by gaining immediate insight into the underlying chain-hopping activity, the VASP’s compliance team could take appropriate action to address the risks identified in this transaction – for example, by filing a Suspicious Activity Report (SAR), and potentially taking steps to close Alice’s account.
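The difference between the single-asset view and cross-asset tracing in the Alice scenario can be shown on a small transfer graph. This is an added illustration, not Elliptic’s code or product logic; the ledger, addresses, swap record and risk label are all constructed, and amounts and timing are ignored.

```python
from collections import deque

# Constructed ledger: (sender, receiver, asset). All addresses are made up.
TRANSFERS = [
    ("theft_wallet", "alice_wallet", "USDT"),
    ("alice_wallet", "dex_pool", "USDT"),        # swap leg in
    ("dex_pool", "alice_wallet", "ETH"),         # swap leg out
    ("alice_wallet", "vasp_deposit_alice", "ETH"),
    ("payroll_wallet", "bob_wallet", "ETH"),
    ("bob_wallet", "vasp_deposit_bob", "ETH"),
]
# Swaps decoded from DEX activity: (trader, asset paid in, asset received).
SWAPS = [("alice_wallet", "USDT", "ETH")]
RISK_LABELS = {"theft_wallet": "cybercrime"}     # assumed attribution data
DEX_POOLS = {"dex_pool"}                         # pooled liquidity: stop here


def trace_sources(address, asset, follow_swaps):
    """Walk backwards from (address, asset); return the labelled sources reached."""
    seen, hits = set(), set()
    queue = deque([(address, asset)])
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        addr, held = node
        if addr in RISK_LABELS:
            hits.add((addr, RISK_LABELS[addr]))
            continue
        if addr in DEX_POOLS:
            continue  # pool funds are commingled; a same-asset trail ends here
        for sender, receiver, moved in TRANSFERS:
            if receiver == addr and moved == held:
                queue.append((sender, moved))
        if follow_swaps:
            # Cross-asset step: the asset held was bought with another asset,
            # so continue tracing what the trader paid into the swap.
            for trader, paid, received in SWAPS:
                if trader == addr and received == held:
                    queue.append((trader, paid))
    return hits


if __name__ == "__main__":
    print("single-asset:", trace_sources("vasp_deposit_alice", "ETH", False))
    print("cross-asset: ", trace_sources("vasp_deposit_alice", "ETH", True))
```

With `follow_swaps` off, the Ether trail ends at the DEX pool and the deposit looks clean; with it on, the trace continues through the Tether that paid for the swap and reaches the labelled source.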
The rapidly evolving world of DeFi presents new risks and associated challenges for compliance teams at VASPs and financial institutions when it comes to identifying associated money laundering risks.
Contact us to learn more about how Elliptic’s unique Holistic Screening capabilities can empower your compliance team with the insights needed to successfully address these challenges.