“What to do with your dirty cryptocurrency is my concern” – such is the call of a Russian crypto exchanger on an illegal forum, signaling their not-so-subtle willingness to launder money for the cybercriminal underworld. In this excerpt from our recent State of Cross-Chain Crime report, Elliptic takes a look at the empire of “coin-swapping” services that have processed over $1.2 billion in dirty cryptocurrency for hackers, dark web kingpins, ransomware operators and master fraudsters.
What is a “coin swap” service and why is it high risk?
A coin swap service – sometimes called an “instant swap exchange” or “non-custodial crypto exchange” – is an entity that allows users to exchange cryptoassets for other tokens, either on the same or a different blockchain.
One of their most important features is that they do not require users to open an account or verify their identity. Users can simply connect their wallet, send cryptocurrencies to the service and receive the converted funds at a predetermined wallet address. For the privilege of remaining anonymous, most coin exchanges charge a higher commission on average than typical compliant exchanges.
As with all virtual asset services, coin exchange services range from entities that serve a mostly legitimate audience to completely illegal entities that advertise almost exclusively on cybercrime forums. These illicit variants promote their services based on how “clean” the funds received will be, and charge extra to exchange cryptocurrencies from apparently illicit sources. Many can exchange cryptoassets to or from the Monero privacy coin, or through layer-two scaling solutions that process transactions off-chain.
Advertisement for a “crypto-whitening” coin exchange service on a Russian cybercrime forum.
Due to the lack of identity or anti-money laundering (AML) checks, coin exchanges have become the main money-disbursement and money-laundering tool for cybercriminals, mostly originating in Russia. To a lesser extent, the proceeds of exchange and decentralized finance (DeFi) hacks – some of which have since been linked to North Korea’s Lazarus Group – have been laundered through coin exchanges. These trends have significant implications for virtual asset services and investigators aiming to manage financial crime and cryptoasset sanctions risks.
Scale of money laundering based on coin swapping
Elliptic’s analysis of coin exchange services shows that over 97% of the illegal cryptoassets they process – over $1.1 billion – originate on the Bitcoin blockchain. Illicit BTC laundered through coin exchange services mainly originates from dark web markets (over $485 million), illegal virtual asset services (over $269 million), and crypto gambling sites (over $167 million). Fraud and theft – including the suspected Lazarus Group robberies – totaled around $140 million.
Origin of funds flowing into coin exchange services (BTC, ETH, WETH, WBTC, USDC, USDT, DAI).
Elliptic’s internal analysis suggests that, for one particular coin exchange service, more than 70% of its incoming cryptocurrency from known sources comes from illegal activity – predominantly from a large dark web market called “OMG!OMG!”. The now-sanctioned former dark web market Hydra also contributed significantly.
Coin exchange services are already the most popular known destination of outgoing funds for another dark web market, Solaris. Over $6.7 million in illicit funds originating from Solaris were laundered through at least 18 coin exchange services, compared to just $2.9 million flowing through centralized exchanges.
Compared to Bitcoin, illicit funds transferred through coin exchange services rarely originate from high-risk events on other assets. Approximately $47.7 million of illegal Ether was sent via coin swaps, along with $1.7 million (0.2%) in Tether.
The vast majority – $35.9 million – came from Tornado Cash, indicating that illicit actors may be using coin swaps and mixers as part of a multi-layered process. Over $18.6 million in ETH was sent from coin exchange services to Tornado Cash – demonstrating the interchangeability of these methods in money laundering schemes.
Sanctions implications of coin exchange services
The use of coin exchange services by sanctioned entities such as Hydra also raises additional red flags. The entities sanctioned by OFAC – including Tornado Cash, SUEX, Chatex and Garantex – have all been prolific users of coin exchanges for money laundering and disbursement. In many cases, coin exchanges can be “nested” services – using wallets provided by cryptoasset exchanges to run their operations. Compliant virtual asset services must therefore be aware of the telltale signs and risks, to ensure that they do not inadvertently facilitate the evasion of sanctions.
Coin exchanges aimed at the Russian audience will also allow users to convert cryptoassets to and from fiat currency, including the Russian ruble. Since the invasion of Ukraine in February 2022 and the broad sanctions imposed against Russian finances in response, such entities may also pose sanctions risk. Sberbank and Alfa-bank – both subject to sanctions in the United States – are among the most common destination or source banks in the crypto-RUB or RUB-crypto pairs that these services advertise.
An example of a coin exchange service that allows users to exchange cryptoassets to and from BTC, cash, Monero and RUB (Russian ruble), including through banks that are sanctioned in Europe and America. Also note the support email address @gmail.
Risk management of coin exchange services
For legitimate users of cryptoassets, coin exchange services provide a fast and efficient way to exchange their assets for others, both within and across blockchains. However, their typically minimal or non-existent AML/KYC checks – or their use for nefarious purposes in the case of illegal coin swaps – make them attractive to criminals looking to launder their funds.
Their support for Monero, Lightning Network and the Russian ruble in certain cases further increases the risk of illegal activities. Their prolific use by dark web markets, sellers of stolen data and ransomware operators underscores that they are a key part of the cybercrime ecosystem. There is no shortage of coin exchanges advertised on cybercrime forums – which also host many illegal services that use them for payouts.
How Elliptic can help
Elliptic’s transaction monitoring and wallet screening solutions enable virtual asset services and investigators to identify and manage coin exchange activity. Our VASP entity verification and analysis tool Elliptic Discovery can also provide transaction details and information about coin exchange services for onboarding and risk management purposes.
Elliptic’s recently launched next-generation blockchain analytics – Holistic Screening – is revolutionizing the way entities manage risk in the multi-chain crypto ecosystem.
Get more insight into the growing risk of cross-chain crime with our report: The State of Cross-Chain Crime.