red 
About $1.2 billion worth of cryptoassets stolen from decentralized finance (DeFi) protocols and exchanges have been replaced using decentralized exchanges (DEX), Elliptic has revealed. This is an attempt to launder funds, and this figure accounts for more than a third of all cryptocurrencies stolen in hacks between Q4 2020 and August 2022.
DEXs are decentralized applications (dApps) that run as smart contracts on blockchains like Ethereum. These smart contracts provide a peer-to-peer exchange mechanism that allows users to trade tokens without relying on an intermediary. Trade terms are defined and automatically executed by code, as well as recorded on the blockchain.
The primary use of DEX is largely legitimate and serves a key purpose in today’s increasingly interconnected crypto ecosystem. However, their lack of anti-money laundering and know-your-customer (AML/KYC) checks have also been used by criminals to launder their proceeds from cryptocurrency theft – including some of the most notorious DeFi heists of all time.
So why are DEXs so widely used to launder hack proceeds and what can be done about it?
1. Using DEX to avoid freezing funds
Certain cryptoassets – such as stablecoins Tether (USDT) and USD Coin (USDC) – may be frozen by their issuers if they are found to be held by illegal wallets. Criminals therefore use DEXs to exchange freezeable assets for non-freeze ones such as ETH or DAI – another stablecoin.
This is exactly what happened with the 33.4 million USDT stolen by the PolyNetwork exploiters, with Tether eventually returning PolyNetwork from its own coffers. Before that, Tether was in the news when it froze 20 million USDT stolen from KuCoin in September 2020.
Not surprisingly, most exploiters replace all stolen assets within minutes in an attempt to beat any incoming asset freezes. Of the exploiters who stole freezeable assets in the investigated DeFi incidents, all but two made near-instant swaps for non-freeze ones.
2. Use of DEX in preparation for mixing
This use case was particularly prominent before Tornado Cash was sanctioned on August 8, 2022. As the most popular decentralized mixer on Ethereum before the US sanctions, the service was used to launder $1.54 in confirmed illegal earnings – $1.03 billion of which came from theft .
Take, for example, the April 2021 RARI Capital exploit. Several investment funds were attacked in a “re-entry attack,” siphoning assets including LUSD, FEI, DAI, UST, USDC, FRAX, USDT, and RAI. All of these funds were converted into 22,000 ETH (approximately $60 million) via two DEX aggregators before being sent via Tornado Cash.
3. Using DEX to further chain jump
The use of DEX often coincides with the subsequent use of cross-chain bridges, as criminals often have to first exchange tokens within the blockchain before they become convertible on the bridges. This may be due to the absence or expensive nature of a particular trading pair, making direct chain hopping less feasible or impossible due to a lack of available liquidity pool.
Elliptic recently published research on the criminal use of RenBridge to launder over $540 million worth of ill-gotten gains stemming from ransomware, ponzi schemes, and large-scale crypto hacks. To prepare funds for chain hopping, many criminals therefore use DEXs to obtain renBTC, an Ethereum-based asset that allows bridging through Ren.
Scales of illicit use of DEX
Over 53% of the illicit funds identified were exchanged directly through two DEXs – namely Curve ($315 million) and Uniswap ($309 million). Approximately $322 million (27.5%) was replaced using the 1-inch protocol aggregator.
Analyzing the most prolific illicit DEX users highlights that criminals don’t necessarily switch a single asset or even use a single DEX to facilitate their laundering. Spreading illegal activities across multiple DEXs allows criminals to get the best conversion rates while also splitting their funds to be further laundered through a variety of different methods.
Tracking the proceeds of crime through DEX
DEXs are here to stay, so their risks of criminal exploitation need to be managed. In today’s crypto environment, a single Ethereum Virtual Machine (EVM) compatible wallet can hold more than thousands of different tokens – all potentially exchanged and transferred via the DEX.
Given the increased focus on cryptocurrencies by regulatory bodies such as the Financial Action Task Force (FATF), the risk of sanctions violations cannot be ignored. It only takes one of those tokens to originate from a sanctioned entity – such as a DeFi exploit by North Korea’s Lazarus Group – for a virtual asset service to potentially violate sanctions by processing cryptocurrencies originating from that wallet.
Therefore, Elliptic’s Holistic Screening capabilities will enable virtual asset services to appropriately manage and mitigate the risks of processing funds laundered through these exchanges, replacing complex, manual cross-investigations with automated risk assessments to reduce the burden on compliance teams.
The growing threat of “multi-chain crime” illustrates the importance of multi-asset screening and cross-asset tracking capabilities to manage the overall small but serious risks of DEX-based illegal activity.
Holistic Screening is Elliptic’s answer to the rapidly evolving crypto criminals. Being able to track multiple assets and asset conversions, these capabilities provide critical functionality that legacy block analysis solutions were not capable of.
Elliptic’s Holistic Screening solutions mitigate the obfuscation potential of DEXs and other services that can be used to anonymously exchange funds between tokens or blockchains. Elliptic’s Holistic Screening capabilities work programmatically and at scale – thus keeping pace with the pace of criminal activity in the modern age – and automate the manual, time-consuming and often impractical investigations required in the past.
You can learn more here or contact us for a demo.
