Jonathan Levin, co-founder and CSO of Chainalysis, and Kim Grauer, head of research, discuss the company’s 2020 Crypto Crime Report, which explores how cryptocurrency criminals, who perpetrate hacks and scams, send out ransomware and more, cash out. We cover how criminals are turning their illicit crypto into fiat currency, why exchanges are a prime avenue for money laundering, and how over-the-counter (OTC) brokers are playing a large role. They talk about a group of OTC brokers they describe as the Rogue 100, what their transactions look like, and what can be done to help stop criminals from cashing out. Jonathan and Kim talk about the PlusToken scam, the largest Ponzi scheme in crypto, and how Chainalysis determined that it was likely driving down the price of Bitcoin. They also explain the trends in exchange hacks and how the most prolific hackers have grown more sophisticated, giving some examples of how the Lazarus Group, a cybercriminal syndicate linked to the North Korean government, has become more advanced. Finally, we also discuss ransomware and terrorism financing and what trends they are seeing there.

Thank you to our sponsors! 

CipherTrace: https://ciphertrace.com/unchained

Kraken: https://www.kraken.com

Crypto.com: https://crypto.com

Episode links: 

Chainalysis: https://www.chainalysis.com/

Jonathan Levin: https://twitter.com/jony_levin

Kim Grauer: https://twitter.com/KimberlyGrauer

Previous Unchained interview with Jonathan: https://unchainedpodcast.com/how-chainalysis-helps-solve-crimes-jonathan-levin-tells-all-ep-62/

Unconfirmed episode on how Bitcoin led to the demise of the largest child porn site: https://unchainedpodcast.com/how-bitcoin-led-to-the-demise-of-the-largest-child-porn-site/

Money laundering report: https://blog.chainalysis.com/reports/money-laundering-cryptocurrency-2019 

Fortune article on crypto criminals and brokers: https://fortune.com/2020/01/15/crypto-criminals-brokers-launder-billions/

Exchange hacks report: https://blog.chainalysis.com/reports/cryptocurrency-exchange-hacks-2019

Unchained interview with Priscilla Moriuchi on why North Korea is interested in cryptocurrency: https://unchainedpodcast.com/why-north-korea-is-interested-in-cryptocurrency/

Plus Token report: https://blog.chainalysis.com/reports/plustoken-scam-bitcoin-price

Terrorism financing report: https://blog.chainalysis.com/reports/terrorism-financing-cryptocurrency-2019 

Transcript:

Laura Shin: 

Hi, everyone. Welcome to Unchained, your no-hype resource for all things crypto. I’m your host Laura Shin. If you enjoy Unchained or Unconfirmed, my other podcast, which now features a weekly news recap after every show, please give us a top rating or review in Apple Podcasts or wherever you listen to Unchained. 

Crypto.com
Crypto.com. The Crypto super app that lets you buy, earn and spend crypto in one place. Get a metal MCO Visa Card with up to 5% back on ALL your spending. Download the Crypto.com App today

Kraken
Kraken is the best exchange in the world for buying and selling digital assets. It has the tightest security, deep liquidity and a great fee structure with no minimum or hidden fees. Whether you’re looking for a simple fiat onramp, or futures trading, Kraken is the place for you.

CipherTrace
CipherTrace’s cutting-edge cryptocurrency intelligence powers anti-money laundering, blockchain analytics, and threat intel. Leading exchanges, virtual currency businesses, banks, and regulators themselves use CipherTrace to comply with regulation and to monitor compliance.

Laura Shin:

Today’s guests are Jonathan Levin, Co-Founder and CSO, Chainalysis, and Kim Grauer, Head of Research. Welcome, Jonathan and Kim.

Jonathan Levin:

Hey, Laura.

Kim Grauer:

Hey, Laura. Thanks for having us.

Laura Shin:

You’re in the middle of releasing your big 2020 Crypto Crime report, and it’s been making waves. Congrats. Why don’t we just start with a brief description of what Chainalysis does overall, and then why don’t you talk about what the Crypto Crime report is and how that fits into your overall work?

Jonathan Levin:

Sure. So Chainalysis is the blockchain analysis company. We provide compliance and investigation software to the world’s leading institutions, including government agencies, financial institutions, and cryptocurrency businesses. Essentially, we’re empowering everyone to prevent money laundering and comply with regulations to ensure that there can be a fair and open marketplace for cryptocurrencies, and that really entails us mapping out how cryptocurrencies are used in the real world and understanding the different use cases, from the legitimate use cases to the illicit uses of cryptocurrency.

The 2020 Crypto Crime report is really about mapping out how different actors are abusing cryptocurrencies to further their aims, and we unpack different types of money laundering, hacks, scams, and other types of illicit activity to give everyone an idea about how much is going on, what trends are changing, but also to put that in context of how is this related to the overall cryptocurrency economy?

Laura Shin:

So, big picture, what trends are you seeing in crypto crime now, especially compared to previous eras in crypto?

Jonathan Levin:

So I think we essentially like to track the different types of activity that are consistent across the different years, and we’ve definitely touched on…this year, we’re really focused on what is the actual money laundering schemes that are enabling this type of criminal and illicit activity? So we have focused a lot of this report, at least primarily, on, you know, what is financial crime?

How are criminals taking their proceeds from, you know, whether it be scams, whether it be hacks into exchanges or ransomware, and how, actually, are they moving then out of cryptocurrency into the traditional financial ecosystem? And that’s where we’ve spent quite a lot of this report and being able, really, for the first time, to map out how those different types of actors are taking different steps to move from cryptocurrency into traditional finance.

Laura Shin:

Okay, so before we go a little bit into more detail, I also wanted you to define crime for the purposes of your report. You know, you name some things, like ransomware and hacks and scams and stuff, but could you kind of give I guess a list…or maybe not a list, but just identify which transactions you’re calling criminal and also which cryptocurrencies you’re tracking, because I imagine you can’t track all of them?

Jonathan Levin:

Sure. So, in this piece of research that we’ll talk about, it’s really about where cryptocurrency has actually been directly used to perpetrate a crime. So, for that, we’re thinking about terrorist financing. Has someone actually raised, in a public campaign, the financing for an act of terror? Has some cryptocurrency been stolen from one of the exchanges in a hack?

We also identify something like ransomware where the crime is that someone has had a computer locked, and the payment and the extortion is paid in cryptocurrency. The majority of the activity that we track in this report is bitcoin, but it also extends to other different cryptocurrencies. We track around 50 different cryptocurrencies, and actually, whether it’s in the report or in the background research, we’re really looking at all of those different cryptocurrencies to see what types of illicit activity are occurring on those blockchains.

Laura Shin:

And when you say it’s mostly bitcoin, is that because that’s what’s primarily used or because that’s where you have the best analytics?

Jonathan Levin:

So we focus our analytics on where the majority of the economic activity is, and so our best analytics is in bitcoin, but it is also the predominant way that people are moving value across the world, whether it’s for legitimate purposes, but also for illicit uses, and we also see that the most liquid markets…and some of the amounts of money that we’re talking about in this report are, you know, fairly large sums, into the billions of dollars, and there, you need the market that has the most liquidity, and that has meant that bitcoin is still really predominant in the world of illicit activity in cryptocurrencies.

Laura Shin:

And when I asked you which types of activity you would count as criminal, you didn’t mention Dark Net market activity where I believe Monero is quite popular. Is that also included?

Jonathan Levin:

So, yes, we also do track that. Still, in the Dark Net market, there’s actually not a lot of activity beyond bitcoin. So the Dark Net markets are definitely evolving in their business models and how they store cryptocurrency, but typically, if they want to be able to access a large audience of buyers, the vendors themselves are still accepting bitcoin because that’s where the majority of users are still comfortable to spend their cryptocurrency.

Laura Shin:

All right. So, now, let’s dive into some of the finer details of the report. As you mentioned, the money laundering aspect is kind of a lynchpin of these crimes since, obviously, the crime isn’t really complete until they have the money in fiat which they can use more easily. So how are these criminals generally cashing out their crypto nowadays?

Kim Grauer:

We have been aware for quite some time of this money laundering infrastructure that has been growing and becoming more sleek I guess, and we wanted to, for the first time, take that on for this report, and so we’ve known about it for quite some time, but this is our first attempt to, like, let’s try and quantify the numbers. What is actually happening at scale, and what is flowing through this laundering infrastructure?

So that really inspired this money laundering section, which was recently released and will be fully released when the full crime report comes out, and that was a really intensive process that started with let’s just look at where the illicit funds are flowing to based on the distribution of deposit addresses that are receiving those illicit funds, and we noticed that there was a really high concentration of illicit funds going to a small number of deposit addresses, which was something that was kind of weird.

And so it confirmed some suspicions that we had that there’s a few, you know, bad actors that are potentially in the business of laundering money at scale, and so we kind of merged that with some other research we had been doing on OTC brokers that have been a part of past investigations, and we found that, actually, many of the OTC brokers that we’ve identified independently were identified as being those large deposit addresses that were receiving illicit funds on a few exchanges.

So this kind of allowed us to paint a really compelling picture that this laundering infrastructure exists where there’s illicit money that is flowing through the network, and it’s going to a very few number of kind of end points, and that was kind of really interesting for us to be able to see for the first time from a data perspective.

Laura Shin:

Yeah. So before we get more into those OTC brokers, one thing that I noticed when I looked at this section of the report is that there’s a graph showing that the percentage of cash-outs via what you were defining as risky services, which I believe were I think, like, mixers and that kind of thing, decreased dramatically in 2017, while cashing out via exchanges actually went up during that period, and that was surprising to me because I feel like, in these more recent years, regulatory scrutiny of exchanges has actually increased. So I was curious to know why you thought that percentage of cashing out via exchanges had grown?

Kim Grauer:

Yeah. Well, one of the main risky services that was prior to that decline that you see in the graph was BTC-e, actually. So when that shut down, you know, the whole ecosystem kind of changes. So that was a major off-ramp for a lot of illicit funds back then, and so that money had to go someplace else because those risky services shut down, and where did it go? And we found that, by and large, the biggest answer to that was to certain exchanges that we…to, you know, Binance and Huobi, and predominantly, I think it was around 52% went to those two exchanges, and so that was evidence for us that money that formerly went to BTC-e is now going to these other exchanges.

Laura Shin:

Oh, interesting, and just out of curiosity, why was BTC-e categorized as a risky service as opposed to an exchange?

Kim Grauer:

Well, the administrators are currently facing indictments, and so there’s a lot of evidence as to why we would want to classify it as risky, but yeah.

Laura Shin:

Yeah, I guess during that period when people were using it, that was before the indictment. So that’s why…do you know what I’m saying? Like, at that time.

Jonathan Levin:

Yeah. Essentially, the way in which BTC-e was operated was, you know, without the types of compliance processes, and actually, some of the operators on the site and even the site itself was…there are claims that they were knowingly laundering the proceeds of crime.

Laura Shin:

Yeah, like the Mt. Gox hack money?

Jonathan Levin:

Yeah.

Laura Shin:

Okay, so one other thing…and this actually wasn’t in your report, but I was just curious because the report shows, like, percentages of where the illicit bitcoin has been going, but I was also wondering, in absolute numbers, is the amount of bitcoin associated with criminal activity going up or going down, and there are so many ways to look at it because it’s like percentage and then numbers of bitcoin, but then also in dollar amounts. So I was curious to know if it was going up or down?

Kim Grauer:

The amount of cryptocurrency involved, in absolute terms, has gone up from 2018 to 2019, and it’s gone up because we’ve talked about…we’ve identified some major scams that have contributed to those numbers, such as the PlusToken scam, which was a multi-billion-dollar scam, and that was unique to 2019. So, in absolute terms, the amount of illicit activity went up between 2018 and 2019.

Laura Shin:

Oh, okay. Right. Of course. So one other thing is, you know, as you named these two exchanges, Binance and Huobi, that received more than half of all the illicit bitcoin, both of those exchanges are subject to Know Your Customer regulations, so how can they be receiving so much of this illicit bitcoin?

Jonathan Levin:

So, when it comes to the exact mechanics, we want to be really clear that the OTC market is where these proceeds are going to. So you could think of it as there is an over-the-counter market where people are selling and buying large batches of cryptocurrency, and those OTC brokers are customers of those exchanges, and what some of these actors might be doing is it might be that they are facing counterparties that they don’t really know.

So the key weakness in the system is that the OTC brokers are not necessarily checking sources of funds, or they might be, you know, actually rogue actors that are accepting cryptocurrency or bids for cryptocurrency that are at large discounts to the actual price, and then they are customers of those exchanges, and what can happen is that the exchanges themselves need to be able to put pressure on their OTC customers to say, you know, what types of controls are you putting in place?

What is your procedure to know who your counterparties are, because the exchanges themselves may have even identified who the OTC brokers are and got comfortable with that, but then they need to understand who is that OTC broker being able to do business with, and are they one of these sort of rogue actors, or are they actually trying to do the right thing?

Laura Shin:

And one other thing I was curious about is, you know, this goes back to my question about how you’re defining what is illicit activity. Let’s say that I perpetrate a hack and I get some bitcoin from the hack. I would imagine that a lot of these hackers are trying to obfuscate what happens to those bitcoins before they cash out. So when you, as Chainalysis, are tracking this, how confident can you be, let’s say, that they’re using a mixer or something like that, that…for you, does the trail kind of go cold at that point, or can you still follow funds even through some of the things that they might try to do to obfuscate the trail?

Jonathan Levin:

Yeah, so I think what’s important to realize is that every single transaction is public, and when you are talking about sort of the much larger sums of money, it’s a lot more difficult to make that trail go really cold, even if you are potentially using mixing services and the like. So I think that the types of source of funds and being able to identify, you know, when some criminal activity happens and where those proceeds have gone, we are able, in most instances, to be able to follow that through, you know, even when there’s the use of many different obfuscation transactions or something like that.

Laura Shin:

All right. So let’s dive a little bit more into who these OTC brokers are that you’re talking about using Binance and Huobi. Are they kind of…I imagine it could range from anything like maybe a more active local bitcoin-style person to something more professional. So can you kind of describe what their business looks like and also what kind of KYC do they typically require?

Kim Grauer:

So the OTC brokers that were named on the list that we’ve been investigating have been, like I said, on our radar for quite some time. We only mostly have our eyes on what’s going on on the blockchain, so we are really limited in our assessments of some of these users based on what we can actually see on the blockchain.

But when you combine that with some of our really rigorous professionals, investigators who have been running investigations and have been looking into, for example, hacked funds for quite some time, they’re not just looking at hacked funds this year, but they’ve been following hacked funds, stolen funds for many years, and they’ve seen some of these individuals coming up time and again, some of these OTC brokers.

And then when you pair that with blockchain analytics…so are they receiving, you know, large, rounded amounts consistently over time, you can start to paint a picture of what type of business this person is. Then you can start to say that is an OTC broker. That is likely an OTC broker, and so it’s really a combination of many different things, and you’re certainly right, that there’s a spectrum that we’ve identified in this process.

Laura Shin:

And you also have this list that you call the Rogue 100 of OTC brokers. What does that mean? Describe who that group is.

Kim Grauer:

Those are the 100 that have come up over the years that we’ve been running these investigations that we felt confident enough to put on this list, and it was just kind of like a happy coincidence that it equaled to be around 100, and I mean, I don’t know if you want to call it a happy coincidence or not, but so there are certainly more that could qualify for the list, and there are some that we might want to, like, think about again, but the list that we’ve seen time and again and is around this size, and like I said before, they’ve been a part of past investigations.

They’ve come up time and again in times when we’ve been tracking stolen money. These are brokers that aren’t just connected with one instance of illicit activity, but many, multiple over a few years, and so, like I said, it’s really about painting a picture of what this individual or group of individuals likely is based on our investigations and blockchain-level activity that we can, you know, of course, like, track over…we can track all the transactions coming into those deposit addresses.

Laura Shin:

And one thing that you say about this Rogue 100 is that none of them operate on Binance. Why do you think that is?

Kim Grauer:

I think that we focused our investigation on just…basically, we’ve compiled a list of individuals that just happened to come up in past investigations. Many of them were on Huobi, and I don’t know exactly why that is yet. However, it’s a phenomenon that I think we’ll continue to learn more about as we start to push this question of, like, what does an OTC broker look like? What is their process of doing KYC on exchanges, and what are exchanges supposed to be doing to monitor these OTC brokers? But it just kind of happens that those were the primary kind of centers of where our investigations fell.

Laura Shin:

And as you mentioned, you know, a large portion of them, 70 out of the 100, use Huobi, and so what does that say to you about what kind of KYC practices Huobi has or that they’re pressuring their OTC brokers to have?

Kim Grauer:

I honestly don’t know what Huobi is doing for their KYC or these OTC brokers. We tried to engage with them, and it didn’t amount to anything. So I think you can speculate how they’re managing the KYC or how they’re onboarding these customers, but I truly don’t know what the process looks like at this point in time.

Laura Shin:

All right, and one other thing is that you also describe the transaction activity of this Rogue 100, and it’s kind of interesting. Well, first of all, why don’t you just describe what their transactions do look like?

Kim Grauer:

There’s not a defined set of transactions. So there’s a distinction that I do want to make that comes out in the report. In the money laundering section of the crime report, we tried to look at OTC brokers in two distinct ways. One was can we programmatically, systematically, through blockchain analytics alone, find OTC brokers or find kind of the off-ramps of these illicit funds? And that is what you see kind of in the first part of the chart where we’re looking at all the illicit funds.

And that’s when we kind of make the realization that they flow to a few number of very large accounts on Binance and Huobi, but that is not enough for us to say, okay, those are all OTC brokers. They could just be, you know, really high-power users, or they could just, you know, not be doing KYC adequately, but then the second way is through this list of 100 that’s come up through investigations through kind of a long time of curating the specialized list of “bad actors,” and so, for the first one, you know, you can kind of paint a picture of what their transaction activity looks like just by…it’s really about volume.

They’re just doing so much volume of not just illicit activity, but also other types of activity, and so that is kind of a more scalable way to analyze through blockchain, you know, heuristics where the illicit funds are going to, but the other one, which is the more tailored list, it’s all over the place. There’s not one set, like, kind of checklist of criteria to get yourself on that list. It’s about painting a picture, which is often what you’ll hear law enforcement say when they’re prosecuting a money laundering case.

It’s if you ask someone in law enforcement, like, how much money laundering is there happening in the world right now, they would laugh at you because you can’t quantify that. It’s about painting a picture and making a case for what should be on this Rogue 100 list. So these are definitely much more tailored, much less kind of systematic, but they have come up in past investigations and have been tied to hacked funds, and just oftentimes do a lot of volume, as well.

Laura Shin:

Yeah. Well, one other thing that I thought was interesting was you show that they transact with each other fairly often, and you say that one of the reasons could be to try to fool blockchain analysis software, to essentially make it look as if money laundering is a much smaller proportion of their overall business than it really is. Did I kind of understand that correctly from the report?

Kim Grauer:

Yeah. Yeah. That’s something that we noticed that was extremely interesting, but yeah, that’s also not super new. We’ve noticed it throughout the year, as well.

Laura Shin:

But I mean, I guess, like, on the other side, to argue, it is known that OTC traders do trade a lot amongst themselves. So it’s hard to really say.

Kim Grauer:

Yeah, it’s definitely really hard to say for sure, and I think that’s one of the major issues with identifying money laundering at scale. It’s because there are other reasons why they could be trading with each other, but we know that this is at least one incentive for them to trade with each other, and we know that there’s a possibility that you can take a premium. So there’s the incentives that are really there. So if you’re an OTC broker and you take hacked funds, for example, you’re going to take it at a premium. So you’re going to get crypto at a lower price than you would pay for it at face value. So the incentives are really there to move this money between the brokers.

Laura Shin:

All right. Well, what do you think could be done to help stop criminals from cashing out of their illicitly gotten crypto?

Jonathan Levin:

So I think the first step is really to shine some transparency on this issue and say that, you know, both in the exchange market and in the OTC market, there needs to be an increased focus on being able to identify, pretty close to actually real time, where the source of funds are coming from, and so, from the exchanges, you know, they need to look at their compliance gaps and say, do we know who these OTC brokers are? Do we have procedures to make sure that they’re actually facing counterparties that we’re happy with them facing?

You know, a lot of the OTC market around the world is totally legitimate activity that is about allowing people to get large amounts of liquidity in and out of cryptocurrency, but as we said, there is this Rogue 100 list of where there’s a concentration of illicit activity, and both the OTC market and the exchange market need to come together and sort of say who are all of these OTC brokers, and do they have procedures in place to make sure that they’re not selling large amounts of cryptocurrency that are the proceeds of crime?

Laura Shin:

All right. So, in a moment, we’re going to discuss the PlusToken Ponzi scheme, exchange hacks, ransomware, and terrorism financing, but first, a quick word from the sponsors who make this show possible. 

CipherTrace
Will the world follow France and advocate banning privacy coins? Will government-backed stablecoins become the new fiat? Are distributed and peer-to-peer exchanges just a flash in the pan? The answer is maybe. Virtual currencies can flourish and create a new, private and more versatile economy. But that grand vision can’t happen without keeping crypto clean, AND that requires support of governments and accountability for bad actors. Privacy Enhanced Compliance using cryptographic controls has the potential to preserve anonymity without compromising legitimate investigations. CipherTrace is working on this vision of the future. Sign up to stay up to date on the Privacy Enhanced Compliance initiative and receive authoritative Crypto AML reports quarterly. https://www.CipherTrace.com/KeepCryptoClean

Kraken
Today’s episode is brought to you by Kraken. Kraken is the best exchange in the world for buying and selling digital assets. With all the recent exchange hacks and other troubles, you want to trade on an exchange you can trust. Kraken’s focus on security is utterly amazing, their liquidity is deep and their fee structure is great, with no minimum or hidden fees. They even reward you for trading so you can make more trades for less. If you’re a beginner you will find an easy onramp from 5 fiat currencies, and if you’re an advanced trader you’ll love their 5x margin and futures trading. To learn more, please go to kraken.com.

Crypto.com
Crypto.com sees a future of cryptocurrency in every wallet. Have you seen the MCO Visa Card? Loaded with perks including up to 5% back on ALL your spending and unlimited airport lounge access. They pay for your Spotify & Netflix too! What’s not to love? With Crypto.com, not only can you spend your crypto, but you can grow it too! Earn up to 6% per year on the most popular coins like BTC, ETH, XRP and up to 12% p.a. on Stablecoins. Crypto.com has recently launched its Exchange and crypto fundraising platform, The Syndicate. There is a 50% off ATOM listing event on 12 February 2020. Sign up on the Crypto.com Exchange now!

Laura Shin:

Back to my conversation with Jonathan Levin and Kim Grauer of Chainalysis. You guys analyzed the PlusToken scam and concluded that that could be driving down the price of bitcoin. So for listeners who don’t know much about this, why don’t you first just describe what PlusToken is?

Kim Grauer:

Sure. So PlusToken was a major Ponzi scheme that has been unfolding throughout 2019, and I’m sure you are familiar with what a Ponzi scheme is, but it was definitely the most successful Ponzi scheme using cryptocurrencies and you know, rivaling some of the biggest ones just globally. Period. The end, and so PlusToken was particularly interesting because mid 2019, we started to hear that, you know, some people had been arrested in relation to this scam, and then, right out the gate, we decided that we wanted to be following this.

And following it was certainly a certain individual’s full-time job for a few weeks, and it took a very large amount of effort to trace these funds, and so we had been just following it for quite some time, and then we started to wonder about its relation to price, because, you know, we have a team of economists, and that’s kind of always what people are asking, is what is the impact of this on price and that on price? And so that’s kind of…it was just a bunch of curious people who decided that we had this great investigation to analyze more.

Laura Shin:

So how did the scammers try to cash out? I mean, first of all, how much did they raise again?

Kim Grauer:

You get different estimates. I think the public number that was cited in the legal documents were around 3 billion. We traced 2 billion to the PlusToken wallets.

Laura Shin:

And so how did they try to cash out?

Kim Grauer:

It was a massive investigation. They moved the funds through, you know, thousands, hundreds of thousands of intermediary wallets. They utilized mixers or they utilized CoinJoins, and they eventually wound up at Huobi, mostly.

Laura Shin:

And so, eventually, you guys did try to conduct an analysis of what the impact of cashing out of this PlusToken scam was having on the bitcoin price. So how did you do that, and what did you conclude?

Kim Grauer:

It was an extremely difficult process because it’s hard to…one of the things that you do with the econometrics that we employed is you try and you know, get rid of all the background noise and try to just isolate the cause and effect, and so that’s the first thing that’s extremely hard to do, and so we ended up using a lot of order book data and found that shortly after the huge amount of PlusToken funds wound up at Huobi, there was a statistically significant change in the volatility of price on Huobi, and so we monitored that, and then that was connected. That was the thing that was connected with the price decline. So it was a combination of watching the on-chain activity to Huobi, then looking at the volatility on that exchange, and then seeing how that volatility impacted the price.

Laura Shin:

And in that analysis, was it also that kind of the movement of the price happened first on Huobi?

Kim Grauer:

Sorry, the price change happened after the PlusToken funds arrived at the exchange.

Laura Shin:

Right. Right, but what I’m saying is, so, if the price worldwide, you know, dropped once the funds arrived on Huobi, was it also…because I imagine that you can sort of see where the price is dropping first, and was it dropping first on Huobi?

Kim Grauer:

We actually did not observe that. We just looked at the price on Huobi, and the nature of the way that these exchanges are so highly connected is even if you look at, you know, 40-minute-level data, it still kind of very quickly also is going to be happening on Binance or on other major exchanges. It’s actually really efficient how the price moves in tandem across different exchanges, at least on the order books.

Laura Shin:

Okay. Well, so while we’re talking about exchanges, let’s also talk about exchange hacks. 2019 saw the greatest number of hacks, but it was actually the third highest when it came to the total value stolen. So, from those two pieces of information, I couldn’t decide if that meant that exchanges were getting better at security or if it was just because the prices had gone down. So what’s your take on what’s going on with exchanges?

Kim Grauer:

Yeah, it was really interesting to see that there was the most hacks last year, especially…we were struggling with what the narrative was, because in, you know, 2018, they had that Coincheck hack, and they just, far and away, had the most in terms of amount hacked, and so what’s the narrative here? And it’s really hard to draw an outright trend when we’re looking at, you know, 11 hacks up from I think 8 or something.

So to what extent is that random, and to what extent is that a real trend? But I think our conclusion was that exchanges are getting better at potentially mitigating the severity of a hack, because the average and median amount hacked went down from last year. So even though there were more hacks, it seems to be that the way that exchanges are handling and managing their funds is better because that average and median amount hacked is going down.

Laura Shin:

All right, and so when hackers hack from an exchange, I could imagine it would be kind of hard for them to cash out. So what are they doing with their pilfered funds?

Kim Grauer:

The hackers’ stolen funds in 2019 were largely sent to exchanges, and just one word on definitions. When we’re talking about stolen funds at scale, we weren’t just looking at exchange hacks. So we’re also looking at other types of exploits that, you know, resulted in funds being stolen for various reasons, whereas the exchange hacks were a very specific group of 11 and that we looked at.

Now, the stolen funds is what we reported on in terms of the exposure, and so those are going to kind of a variety of places, and I think, like, let me just refresh my memory. Like I said, most of them are going to exchanges, but you also see some hosted wallets. You see some unidentified services. Even some stolen funds are going to other illicit services. So it’s a wide variety of destinations, but like I said, still, far and away, most of them are going to exchanges.

Laura Shin:

Oh, interesting. You know, the reason why I said I thought it would be difficult is because I believe a lot of the different exchanges are in contact with each other, and when a hack happens, they are happy to help each other out and say, oh, you know, we’re not going to let people who are associated with this hack cash out here. So is it just that I guess certain exchanges just aren’t in touch with the wider group or something, and that’s how these hackers can launder their funds from exchanges, stolen from exchanges?

Jonathan Levin:

I think the way that those sort of groups work is, you know, fairly informal, and a lot of the exchanges do participate in that, but that only really applies if someone moves the stolen funds directly to one of the other exchanges. You know, the reason that we sort of use to track these types of crimes is that there is an increase in the level of sophistication of how many transactions are going in between the actual theft and the cash-out point, and there can be hundreds, if not thousands, and there can be also mixes in between the original hack and the cash-out point, and that’s very hard for the exchanges to coordinate without using Chainalysis as someone to notify them that these funds are actually being cashed out.

Laura Shin:

Oh, okay. Yeah. Right. That makes sense, because, yeah, the more, I guess, hops there are in between, the more it’s hard to say we’re not going to let you use our service. Well, so one thing I wanted to ask about also was the Lazarus Group, which you call a cyber criminal syndicate linked to the North Korean government, this group also came up in a previous episode I did on why North Korea’s so interested in cryptocurrency, but you say that their operations have become more advanced. How so?

Kim Grauer:

We found that their operations have become more advanced simply in the way that they move funds after they’ve done a hack. So you can see, in the report that we present you with, a bird’s eye view of two investigations, and one of the bird’s eye views is from last year…or the year before last, 2018, and you can see that they’re really just exploiting low-KYC exchanges, albeit, there’s a lot of transactions that are happening before they will hit the exchange.

It’s actually kind of a relatively simple process to follow. Whereas, this year, the ones that we did track were adapting with the times, and they used a lot…the investigations were a lot more complex and required, you know, a full understanding of CoinJoin wallets, for example, and it was just the way that the investigation occurred or the way that the funds moved that signified to us that, you know, this group is adapting in how they’re moving funds after they’re stolen to exit ramps, and it was really interesting to see that.

Laura Shin:

Yeah. It was also so elaborate how they did one of them, which you walked us through, which was the hack of the Singapore-based exchange DragonEx. Can you describe what they did there?

Kim Grauer:

The DragonEx case was really interesting because, typically…it was just a very advanced way of hacking into DragonEx. They created a shell company called Worldbit-bot, and they even made a fake product that the DragonEx employees could demo that had malware on it, and so just that whole scheme was also another sign that their methods have been becoming more elaborate, I guess more creative, you might say.

And so then all you had to do was install that malware from that fake product, and it happened to be on the computer that had access to the private keys, and then we were contacted by DragonEx and were able to run the investigation, and we, you know, do a really good job in the report of showing exactly what that investigation looked like and how the funds were moved through lots of intermediary wallets to exit ramps.

Laura Shin:

Yeah, and one thing that I found so fascinating was just the website for that fake company, it was really so believable.

Kim Grauer:

Yeah.

Laura Shin:

Yeah, and I have to also say, like, for listeners who can’t tell, one of my other obsessions, in addition to crypto, is North Korea, and for a country that paints the US as the enemy, the whole thing was written in what looks like pretty perfect English. So it was like, okay, like, they even have North Koreans now who speak good English, but anyway, so, yeah, I was pretty floored when I watched that, but one other thing that you said here about the hackers like Lazarus is that one of their behaviors that’s changing is that they’re moving their illicit funds to exchanges more quickly than they did in 2018, and I was curious to know, you know, why you thought that, but then also how you can even track that because of the greater obfuscation that they build into their movements?

Kim Grauer:

Yeah. That was also another really interesting thing. So the chart that you’re referring to is the one that shows the number of days between the hack occurring and when you’re cashing out your funds, and we looked in this specific chart at a Lazarus hack in 2019, a Lazarus hack in 2018, and two unknown groups, and the one…I can’t say for sure why I think that they’re cashing out their funds faster. It would just be speculation.

Like we’ve said a few times, we’re a blockchain analytics firm, so we can see what’s happening on the blockchain. I think that you would speculate that…I think that there’s a few reasons that would determine why they would choose to cash out. One would be maybe it’s related to the price. Is there something happening with the price that would make it a good time to suddenly cash out, or do you just need the money in that moment?

Or were you just waiting to evade…for kind of the media to die out so that you feel as though it’s a safe time for you to move the funds to an off-ramp? So I think one of those three reasons might explain why the cashing out happened so much quicker, but I think that, potentially, you know, the role of mixers and the more advanced and more sophisticated that we’ve been seeing might also contribute to why the funds are moving more quickly to off-ramps.

Laura Shin:

Yeah, and I actually thought that maybe they were moving more quickly to off-ramps because the longer they stay in crypto, the crime remains incomplete, right? They don’t actually benefit from it until they can turn it into fiat, and so the longer it stays in crypto, the higher chance it is that perhaps they can maybe never cash out if, somehow, you know, those funds…I don’t know what would happen, but somehow, if they get blocked from cashing it out. Whereas the more quickly they can move, then that’s the less time law enforcement has to do anything.

Kim Grauer:

Yeah, I think that’s an argument, for sure.

Laura Shin:

Yeah, and one other thing that I want to ask, so, yeah, just at the end of this, you made a few recommendations. What would you say law enforcement and exchanges should do if hackers are moving more quickly from crypto to fiat?

Jonathan Levin:

Yeah, so what we have seen is that, obviously, crypto is global from the outset, and some of these exchanges are based in jurisdictions all over the world. You know, particularly when it comes to something like North Korea, that’s something that the whole world is interested in understanding how they are moving money. So there are what they call financial intelligence units.

So every country has a financial intelligence unit, which is going to be…in the US, that’s going to be FinCEN, which is the Financial Crimes Enforcement Network, which is really the financial crime regulator in most countries, and they have been very successful with other types of crime like this, like business email compromise where companies are scammed into sending international wires to criminal accounts. They’ve been really successful in sharing information rapidly across borders to be able to freeze those assets at those exchanges.

I think that one thing that you’ll see over this year is that FIUs around the world, as they have needed under new regulations, to actually stand up cryptocurrency regulation teams and understand what the nature of these crimes are and understand how this money is being moved, there needs to be coordination between the exchanges and the financial intelligence units to really be able to share information quickly and allow some of these accounts to be frozen under actual legal requests so that this can actually be a process where exchanges are working together formally with their local regulator to be able to mitigate these types of risks.

I think the other thing it’s just going to improve is that, in general, the types of compliance requirements for exchanges around the world have increased, and that is going to help have better compliance policies and procedures at some of these exchanges so that they can minimize the number of places that these funds can be cashed out.

Laura Shin:

All right, let’s also now talk about ransomware, which is one of those crimes that actually affects non-crypto people and sort of gets them roped into our world. So how would you define ransomware? And one thing that I actually wasn’t sure about from reading the report and even Googling a little bit, is all ransomware crypto related, or is it possible for ransomware to demand payment in another form of money?

Jonathan Levin:

So ransomware is a crime that essentially is a piece of computer software that encrypts a device and blocks access to a file system or a computer and demands a ransom in order to unlock that machine. So, in this world, we’ve seen, you know, a number of very high-profile cases of hospitals, schools, and other types of critical infrastructure being affected where whole computer systems are actually locked, and they can’t be used by those businesses or hospitals, and they are demanded to pay some ransom in order to unlock them and bring their systems back online. So we’ve seen, you know, very high-profile cases. We’ve seen major businesses affected.

We’ve seen, for example, Travelex was affected. We’ve seen the city of New Orleans declare a state of emergency. We’ve seen hospitals and other types of things. So all of these high-profile targets are definitely raising an awareness about how ransomware is being spread. The vast majority, if not all ransomware when it comes to encrypting computer devices, is definitely, you know, linked with a cryptocurrency ransom. The other types of extortion that do exist today may not. So kidnapping and other types of extortion schemes and sextortion schemes, actually, some of that does use cryptocurrency, and some of that still uses other forms of payment.

Laura Shin:

Oh, wow, so the computer ones, that was really enabled by cryptocurrency?

Jonathan Levin:

So ransomware did preexist cryptocurrency, which is kind of an important thing to know, where, you know, the original form of ransomware…sort of the first known ransomware was distributed on a floppy disk in 1989, and the demand was to send a sort of check or some sort of money order to a P.O. box in Panama. So that was the first…and it was actually, interestingly, targeted at scientists who were researching AIDS.

Laura Shin:

Oh, I think you mentioned this when I interviewed you before. Okay, I recall. Anyway, keep going.

Jonathan Levin:

Yeah, and so ransomware and extortion, in general, definitely, as a crime, preexists cryptocurrency. It happens to be today that the most efficient way to move money internationally in an irreversible manner is with cryptocurrency, and therefore, cryptocurrency can be used pretty effectively, especially when it comes to encrypting computer systems.

Laura Shin:

Oh my gosh. All right, well, what trends did you guys see with ransomware in 2019?

Kim Grauer:

We looked at just the aggregate numbers, but I think what we wanted to highlight the most was the growth of ransomware-as-a-service, and we have been more aware of this phenomenon where an individual can purchase the services of a person who has, you know, written or owns ransomware, and that was a phenomenon that was really particularly scary for us to kind of start investigating, and you can really use blockchain analytics to follow those funds.

For example, we identified in our report a ransomware service strain that we’ve identified where you can see the vendor and the perpetrator both getting paid out, as there’s kind of a splitting after the payment is received by this ransomware strain, and so I think that’s the biggest thing that we wanted to highlight in the report, is the growth of ransomware service.

Laura Shin:

Yeah. Like, even when I just saw that term in your report, I was like, what? You know, just the idea that that exists was crazy to me, but anyway, well, what do you recommend businesses do to protect themselves from ransomware?

Jonathan Levin:

So I think that the protection is sort of outside of our wheelhouse, but you know, making sure that there are backups to systems, making sure that software updates and software is patched, and really understanding your proactive cyber security posture is something that a lot of institutions are investing in.

I think one thing to flag and something that we’ve noticed is that the actual crime needs to be destigmatized, because we’re seeing underreporting of ransomware attacks where businesses are scared or hospitals or even people themselves are scared to report these crimes because it’s sort of embarrassing that, you know, one of these attacks has gone through and managed to attack their systems, and really, what we find is that the more reporting that there is, we can really help with that.

One of the things that I’ve seen over the last year is we’ve really worked with some of the insurance companies who are providing cyber insurance to businesses, and actually, then the policy can actually cover some sort of ransom payment, and then we’ve managed to connect our law enforcement customers who are investigating either one of these ransomware-as-a-service providers or one of the ransomware authors themselves.

And we’ve managed to really provide new information between the sort of affected businesses, the law enforcement agencies, and the insurers to actually help build a better case and find out who are the people behind these ransomware campaigns? And I think that the more that then people are able to report this ransomware, the more we will be able to take it on as a threat where we’re following the money and finding out, you know, who are these types of perpetrators, and what are the connections between the different strains and actors who are perpetrating these crimes?

Laura Shin:

All right, so last section that we’ll discuss before we go is the terrorism financing aspects of the report. What are you guys seeing there in terms of cryptocurrency being used for terrorism financing?

Kim Grauer:

We traced a few campaigns over the years. So, in 2019, we focused on one campaign where we noticed that there…the takeaway was that there was an increasing sophistication in the way that these organizations were using cryptocurrencies, and so these are public campaigns where someone will say, you know, donate to this address, and so that’s how we get our information, and looking at the campaign in 2018 versus 2019, the campaign was much more successful in raising more funds in a shorter period of time, and they used more advanced wallet software, and so we’ve just seen this narrative continue in this type of crime, as well, where criminals are increasing their sophistication in their use of cryptocurrencies.

Laura Shin:

However, the amounts are small. So can you just say what those amounts are, but also explain…like, in your report, you say even though the amounts are small, that should not be dismissed, and so why is that?

Kim Grauer:

Yeah, the amounts are extremely small, tens of thousands of dollars, but still, the takeaway is that this is extremely important because it doesn’t take a large amount of money to, you know, carry out a terrorist attack. So even a small amount of money, like, this is something that you really need to pay attention to and that needs to be on law enforcement’s radar, and to the extent that we can get ahold of this information and quickly attribute it in our software service and then trace those funds, it’s extremely important because of just the low cost that is required to carry out a terrorist attack.

Laura Shin:

And you mention the ways that they’re soliciting financing are getting more sophisticated. So what are they doing now?

Kim Grauer:

The campaign that we saw was…I mean, it’s the way that they’re going about it is, you know, you’ll advertise that you have a cryptocurrency website through various types of advertising, and then the donors will come to that publicly listed address. The sophisticated part comes in for what type of wallet software are you using, and then how successful are your advertising campaigns in raising more money in a shorter period of time, and what types of services are you using after the fact? Those are all the different types of things that allow us to say that these attacks have become more sophisticated, but just notably, just how, compared to the previous year, which was a longer campaign, which raised, you know, a similar amount of money to a campaign that was much shorter that raised a comparable amount.

Laura Shin:

Yeah, well, for one of these groups, AQB, you mention that they have moved to receiving donations via unique addresses generated for each donor, and I was curious about that because, like, then I guess I didn’t know how you could then track the funds. How did you know even which addresses were used for the terrorist financing thing?

Kim Grauer:

Yeah, we have a variety of heuristics that we use to track funds and that can connect addresses to each other through…you know, there’s a lot of different ways, but most importantly and crucially is that we have investigators who are experts in this field, who are studying this day to day, who are able to provide us with addresses that we can connect together through these investigations and allow us to go beyond just what we see on the blockchain to paint a stronger picture of what’s going on. So the experts in the field have been really crucial to allowing us to successfully write this section on terrorism financing.

Laura Shin:

I see, and so, generally, where do you think the trend could go when it comes to cryptocurrency being used in terrorism financing?

Jonathan Levin:

So I think that there’s a really important point that we’re making here, which is that, actually, when it comes to an issue like terrorist financing, it’s really important to have real expertise, and one of the things that we were seeing is that there are, like, consistent donors across some of these campaigns that definitely helped us identify different wallets that were involved.

But we also see sort of some bad press in the public domain, some misinformation about other terrorist financing campaigns in cryptocurrency, which are not done by experts just by looking at the public blockchain and making incorrect inferences that, you know, a terrorist financing campaign was actually not well described, and they took an address from an exchange in Gaza and said that that whole exchange was terrorist financing, and we think it’s really important to correct that type of misinformation.

I actually use experts that understand the connections between different groups of people and the definitions of what is considered actually terrorist financing according to the US law, and we take it very seriously about, you know, when we are actually going to label and identify these types of campaigns. When it comes to the actual actors themselves, I think that it’s clear that there is now an understanding and a public awareness that these types of public campaigns are possible to do.

And I think when it comes to different types of terrorist organizations that actually are in desperate needs of funds, you will see more experimentation. You will see some more of these campaigns. Fortunately, we have experts on hand. We work very closely with our law enforcement partners and our exchange partners to identify this type of activity really quickly and make sure that these campaigns can be ineffective when it comes to raising funds.

Laura Shin:

All right. So we’ve gone through pretty much most of the report that has already been published, but there’s still a little bit that is yet to come out. Can you give listeners a sense of what the last section or sections will be about and when those will be released?

Kim Grauer:

The last two sections are going to be on Dark Net marketplaces and scamming, and those are, you know, beloved sections to many of us. Dark Net markets, it should be coming out soon, and what we’ll be discussing there is just overall trends and some case studies, as well. Whereas with scams, we really focus on what’s happened with PlusToken more and maybe some other Ponzi scams, as well, and so it’s a full data-rich deep dive into each of these sections, and definitely probably some of the most data-rich sections that we have.

Laura Shin:

Okay. Great. Well, I look forward to reading them. Where can people learn more about you two and Chainalysis?

Jonathan Levin:

So you can go to Chainalysis.com and check us out on Twitter @Chainalysis. We also run webinars on this type of material, so there will be people going through the whole report in a two-part webinar in the coming weeks. So you can get in touch with us and register for that, and we look forward to discussing any of the findings with people that are interested.

Laura Shin:

Great. Well, thanks to both of you for coming on Unchained.

Jonathan Levin:

Thanks, Laura.

Kim Grauer:

Thanks so much.

Laura Shin:

Thanks so much for joining us today. To learn more about Jonathan, Kim, and Chainalysis, check out the show notes inside your podcast player. If you’re not yet subscribed to my other podcast Unconfirmed, which is shorter, a bit newsier, and now features a short news recap every week, be sure to check that out. Also find out what I think are the top crypto stories each week by signing up for my email newsletter at UnchainedPodcast.com. Unchained is produced by me Laura Shin with help from Fractal Recording, Anthony Yoon, Daniel Nuss, Josh Durham, and the team at CLK Transcription. Thanks for listening.