On March 14, the Financial Action Task Force (FATF) released a report titled “Tackling Ransomware Financing,” which outlines the money laundering risks associated with ransomware, as well as best practices for addressing the illicit flows of funds associated with ransomware.
Here, we look at some of the key issues involving ransomware in light of the FATF report, including how blockchain analytics can contribute to striking back at ransomware attackers and addressing related asset flows.
Among crimes involving cryptoassets, ransomware remains one of the most pressing issues today.
Ransomware gangs continue to generate hundreds of millions of dollars in cryptocurrency-denominated revenue. Of particular concern is that their attacks continue to target hospitals, utilities, energy companies and other critical infrastructure, where disruption poses immediate safety risks and which attackers exploit to extract high-value ransoms – a technique known as Big Game Hunting. The emergence of the ransomware-as-a-service (RaaS) operating model has also allowed ransomware gangs to increase their profits by cultivating affiliate networks that launch the attacks on their behalf.
One of the key weapons available to combat ransomware is the ability to track these attackers’ assets on the blockchain. Law enforcement agencies have had some major successes in tracking and seizing funds from ransomware attackers. This was demonstrated in the Colonial Pipeline ransomware attack, in which US law enforcement recovered most (63.7 of 75 BTC) of the approximately $4.5 million in Bitcoin ransom paid to the DarkSide ransomware gang.
Typologies
As the ransomware ecosystem has evolved, the money laundering typologies of ransomware perpetrators have become increasingly complex. In particular, ransomware gangs are increasingly adopting “chain hopping” (also called chain jumping) typologies: moving their funds through cross-asset and cross-chain swap services so that the trail does not stay on a single blockchain.
As we highlighted in our State of Multichain Crime report, innovations in the decentralized finance (DeFi) ecosystem – such as decentralized exchanges (DEX) and bridges – allow users to exchange cryptoassets and transfer funds seamlessly across different blockchains. Elliptic’s research shows that criminal actors – including ransomware attackers – have laundered more than $4 billion through these services to date, and are expected to launder an additional $10 billion by 2025.
In its report on ransomware, the FATF highlights the growing use of chain hopping by ransomware attackers to launder their proceeds. According to the FATF:
“Several jurisdictions have also noted that cybercriminals often convert Bitcoin ransom payments into other virtual assets via VASP or DeFi protocols. This action is often referred to as chain hopping, which refers to moving from one virtual asset to another different blockchain, often in rapid succession with the aim of avoiding attempts to track these movements. One jurisdiction reported that ransomware criminals are increasingly using DeFi protocols to chain jump into so-called stablecoins.”
Illicit actors, ransomware attackers among them, are abusing these innovations on an increasing scale to launder their criminal proceeds across chains.
Successfully detecting and disrupting ransomware-related activity therefore requires access to blockchain analytics capabilities that can detect cross-chain laundering.
Ransomware gangs and cross-chain laundering
Ransomware gangs in particular have looked to DeFi bridges as a channel to launder the bitcoin obtained from their victims. DeFi bridges allow users to transfer value directly from one blockchain – such as Bitcoin – to another, such as Ethereum. By funneling their Bitcoin proceeds through a bridge and exchanging them for Ether, ransomware attackers aim to throw investigators off their trail – a classic example of a chain hop.
One DeFi bridge that was repeatedly abused by ransomware attackers in 2021 and 2022 was RenBridge, a service that allowed users to transfer funds across Bitcoin, Ethereum and Binance Smart Chain. According to Elliptic’s research, criminal actors laundered at least $540 million through RenBridge by the end of 2022, of which $153 million (or approximately 28%) was from ransomware gangs, as shown in the chart below.
Several ransomware gangs have abused RenBridge, but two campaigns in particular made especially heavy use of the service. The Conti ransomware group – which launched a devastating wave of ransomware attacks on Costa Rica – used RenBridge in its laundering schemes.
In the fourth quarter of 2021 alone, Conti affiliates laundered approximately $29 million worth of cryptocurrency through RenBridge. Ryuk ransomware was another prolific campaign whose affiliates laundered around $35 million through RenBridge in the second quarter of 2022, as shown in the chart below.
This activity is designed to obscure the full flow of funds. Unfortunately for these ransomware gangs, their laundering activity can still be detected even where they use cross-chain services.
Using blockchain analytics to detect attackers’ asset flows
Using forensic crypto-tracing capabilities, such as Elliptic Investigator, analysts can track a ransomware gang’s attempts to launder funds through cross-chain bridges and other related services, as shown in the image below.
Once attackers exchange their funds from Bitcoin to Ether via a bridge, they often attempt to further launder the funds by exchanging the new “clean” Ether for other tokens on the Ethereum network, including exchanging funds on DEXs. As the FATF notes, this may include exchanging funds for stablecoins.
In the detailed briefing note we published outlining the Elliptic investigation into Conti’s money laundering activity, we identified a case of cross-chain and cross-asset laundering to try to hide the proceeds of crime. In that case, Conti received 75 bitcoins from a ransomware victim.
Bitcoin was then sent through RenBridge and exchanged for Ether. After acquiring the latter, Conti then exchanged the funds for other Ethereum-based tokens such as DAI and Tether, which are two stablecoins. These were then sent to cryptoasset exchanges, including a crypto exchange in Estonia known as Garantex, which was sanctioned by the US Treasury Department in April 2022 for supporting ransomware gangs.
Blockchain analytics can be used to verify related transactions in such a case to determine where funds have been exchanged through cross-chain services and cross-asset services. As illustrated in the image below from Elliptic Navigator, our transaction screening solution, analysts can visualize the flow of funds through these services and across different assets.
This enables the identification of suspicious activity in the flow of funds of ransomware attackers and can enable the seizure and disruption of their assets where funds are deposited on cryptoasset exchanges. Elliptic’s holistic screening capabilities enable analysts to seamlessly and efficiently identify these cross-chain and cross-asset transfers.
This image from Elliptic Navigator shows the flow of funds from the ransomware attacker’s Ethereum address (black circle on the left) and the subsequent trace after the funds were converted to DAI and Tether, before being deposited on Garantex, an OFAC-sanctioned exchange (highlighted green circle on the right).
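The Conti flow described above (BTC into a bridge, renBTC swapped to ETH and then to a stablecoin on a DEX, stablecoin deposited at a sanctioned exchange) can be traced automatically once bridge deposits, DEX swap legs and sanctioned deposit addresses are labelled. The following is an added example written for this article; it is not Elliptic’s code or a description of how Elliptic Investigator or Navigator work internally. Every address, label, amount and timestamp in the ledger is constructed, and the bridge-matching rule (pair a deposit with a mint on another chain by amount within a fee tolerance and a time window) is a stand-in for the deposit/mint identifiers a real bridge exposes.

```python
"""Cross-chain taint trace over a constructed in-memory ledger (added example)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    chain: str    # "bitcoin" or "ethereum"
    asset: str    # BTC, renBTC, ETH, DAI ...
    src: str
    dst: str
    amount: float
    ts: int       # constructed timestamp, seconds
    txid: str     # the two legs of one DEX swap share a txid


# Constructed labels: address -> (entity, category). Not real addresses.
LABELS = {
    "bc1_bridge_gateway": ("Bridge BTC gateway", "bridge"),
    "0xbridge_mint": ("Bridge renBTC minter", "bridge"),
    "0xdex_router": ("DEX router", "dex"),
    "0xexchange_deposit": ("Sanctioned exchange", "sanctioned"),
}

# Constructed ledger mirroring the chain-hop pattern in the text.
LEDGER = [
    Transfer("bitcoin", "BTC", "bc1_victim", "bc1_ransom", 75.0, 1000, "btc_tx1"),
    Transfer("bitcoin", "BTC", "bc1_ransom", "bc1_bridge_gateway", 75.0, 2000, "btc_tx2"),
    # bridge mints renBTC (minus a fee) to the attacker's Ethereum address
    Transfer("ethereum", "renBTC", "0xbridge_mint", "0xattacker", 74.8, 2600, "eth_tx1"),
    # swap renBTC -> ETH on a DEX: two legs, one transaction
    Transfer("ethereum", "renBTC", "0xattacker", "0xdex_router", 74.8, 3000, "eth_tx2"),
    Transfer("ethereum", "ETH", "0xdex_router", "0xattacker", 1100.0, 3000, "eth_tx2"),
    # swap ETH -> DAI (stablecoin)
    Transfer("ethereum", "ETH", "0xattacker", "0xdex_router", 1100.0, 3100, "eth_tx3"),
    Transfer("ethereum", "DAI", "0xdex_router", "0xattacker", 1_900_000.0, 3100, "eth_tx3"),
    # deposit the DAI at a sanctioned exchange
    Transfer("ethereum", "DAI", "0xattacker", "0xexchange_deposit", 1_900_000.0, 4000, "eth_tx4"),
    # unrelated bridge users: wrong amount, or outside the time window
    Transfer("ethereum", "renBTC", "0xbridge_mint", "0xsmall_user", 2.0, 2500, "eth_tx5"),
    Transfer("ethereum", "renBTC", "0xbridge_mint", "0xother_user", 75.0, 9000, "eth_tx6"),
]


def outgoing(addr, ledger):
    return [t for t in ledger if t.src == addr]


def bridge_mints(deposit, ledger, labels, window, fee_tol):
    """Pair a bridge deposit with mints on another chain by amount and time (heuristic)."""
    return [
        m for m in ledger
        if m.chain != deposit.chain
        and labels.get(m.src, ("", ""))[1] == "bridge"
        and deposit.ts <= m.ts <= deposit.ts + window
        and abs(m.amount - deposit.amount) <= fee_tol * deposit.amount
    ]


def swap_return_legs(leg_in, ledger):
    """Legs of the same transaction leaving the DEX: the asset the user received."""
    return [t for t in ledger
            if t.txid == leg_in.txid and t.src == leg_in.dst and t is not leg_in]


def trace(seed, ledger, labels=LABELS, window=3600, fee_tol=0.01):
    """Follow funds forward from `seed`, hopping chains at bridges and assets at DEXs."""
    frontier, seen = deque([seed]), {seed}
    hops, exposures, chain_hops = [], [], 0

    def follow(addr):
        if addr not in seen:
            seen.add(addr)
            frontier.append(addr)

    while frontier:
        addr = frontier.popleft()
        for t in outgoing(addr, ledger):
            hops.append(t)
            entity, category = labels.get(t.dst, (None, None))
            if category == "bridge":          # chain hop: continue on the other chain
                for mint in bridge_mints(t, ledger, labels, window, fee_tol):
                    hops.append(mint)
                    chain_hops += 1
                    follow(mint.dst)
            elif category == "dex":           # asset swap: follow only the return leg
                for leg in swap_return_legs(t, ledger):
                    hops.append(leg)
                    follow(leg.dst)
            elif category == "sanctioned":    # terminal: record the exposure
                exposures.append((entity, t.asset, t.amount))
            else:
                follow(t.dst)
    return {
        "addresses": seen,
        "assets": {h.asset for h in hops},
        "chain_hops": chain_hops,
        "sanctioned_exposure": exposures,
        "hops": hops,
    }


if __name__ == "__main__":
    result = trace("bc1_ransom", LEDGER)
    for h in result["hops"]:
        print(f"{h.chain:9} {h.asset:7} {h.src} -> {h.dst} {h.amount}")
    print("chain hops:", result["chain_hops"], "| exposure:", result["sanctioned_exposure"])
```

Following only the swap’s return leg at a DEX, rather than every outgoing transfer from the router, is what keeps the trace from smearing taint over every other user of the same pool; the same principle applies at the bridge, where a deposit is paired with a single mint rather than with the minter’s whole output. The unrelated mints in the ledger show the two ways a bridge match should fail: wrong amount and outside the time window.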
Addressing the ransomware threat
As the FATF report makes clear, the fight against ransomware is a top international priority, and the public and private sectors have a role to play in that effort.
And as the FATF emphasizes in its report, this should include providing “access to and training in blockchain analytics and monitoring tools.” As a critical step, law enforcement investigators and compliance analysts should have access to blockchain analytics capabilities that can detect attackers’ cross-chain and cross-asset flows of funds.
To learn more about how Elliptic’s blockchain analytics solutions – and related training offerings – can help you detect ransomware-related activity, contact us for a demo. In the meantime, watch our webinar on using blockchain analytics to detect cross-chain crime.