Crime

Criminal Whales Hold over $25 Billion in Cryptocurrency From Multitude of Illicit Sources

This blog is a preview of our 2022 Crypto Crime Report. Sign up here to download your copy now!

One positive development in the last year has been law enforcement’s growing ability to seize cryptocurrency from criminals. We saw several examples of this in 2021, including:

  • The U.S. Department of Justice (DOJ) seizing $2.3 million worth of cryptocurrency from the DarkSide ransomware operators responsible for the attack on Colonial Pipeline, as we cover in-depth in our ransomware section.
  • IRS-CI’s cumulative seizures of over $3.5 billion worth of cryptocurrency over the course of 2021.
  • London’s Metropolitan Police Service (MPS) made the UK’s largest ever seizure of cryptocurrency, taking £180 million worth from a suspected money launderer. 

More recently in February 2022, the DOJ seized $3.6 billion worth of Bitcoin connected to the 2016 hack of Bitfinex, in what is currently the largest ever recovery of stolen assets in either cryptocurrency or fiat. 

These stories are important not only because they allow financial restitution for victims of cryptocurrency-based crime, but also because they disprove the narrative that cryptocurrency is an untraceable, unseizable asset perfect for crime. If cybercriminals know law enforcement is capable of seizing their cryptocurrency, it may lower their incentive to use it in the future.

These cases also raise an important question: How much cryptocurrency is currently held by known criminal entities on the blockchain, and could therefore theoretically be seized by law enforcement? The answer is a function not just of cryptocurrency-based crime revenue in 2021, but of the all-time criminal revenue still held by visible addresses. Below, we’ll break down both the sum amount of cryptocurrency holdings that can be traced back to illicit sources, as well as the total balances of criminal whales, meaning criminals holding $1 million or more in cryptocurrency.

Stolen funds dominate total criminal balances

Let’s start by looking at the year-end criminal balances over the last five years, broken down by the types of illicit activity the funds were derived from. In this analysis, criminal balances refer to any funds currently held by addresses Chainalysis has attributed to illicit actors. These addresses can belong to criminal services, like darknet markets, but in some cases can also be hosted by private wallets, such as in cases involving stolen funds. 

Two things stand out most: The first is the huge increase in criminal balances in 2021 — at year’s end, criminals held $11 billion worth of funds with known illicit sources, compared to just $3 billion at the end of 2020. The second is how much stolen funds dominate. As of the end of 2021, stolen funds account for 93% of all criminal balances at $9.8 billion. Darknet market funds are next at $448 million, followed by scams at $192 million, fraud shops at $66 million, and ransomware at $30 million. 

Note: “Cybercriminal administrator” refers to addresses that have been attributed to individuals connected to a cybercriminal organization, such as a darknet market.

Criminal balances also fluctuated throughout the year, from a low of $6.6 billion in July to a high of $14.8 billion in October. The fluctuations are a reminder of the importance of speed in cryptocurrency investigations, as criminal funds that have been successfully traced on the blockchain can be liquidated quickly. Of course, criminal balances can also fall for good reasons as well. The large drop in criminal balances we see above in February 2022 is due to the DOJ’s $3.6 billion seizure of Bitcoin stolen in the 2016 Bitfinex hack. Following that seizure, criminal balances currently stand at roughly $5 billion as of February 9, 2022. 

Let’s look at which types of cybercriminals tend to hold their funds the longest.

Looking at all-time trends, darknet market vendors and administrators tend to hold their funds the longest before liquidating, while wallets with stolen funds tend to hold for the shortest amount of time. That last bit may be surprising — how could stolen funds be held for such little time but account for the vast majority of criminal balances? It turns out that most of those holdings belong to extremely large wallets that hold longer than is typical for others in the stolen funds category. But what really stands out is how much holding times have decreased across the board, as the 2021 average holding times are at least 75% shorter than the all-time figures in all categories. Ransomware operators in particular exemplify this trend, as they now hold funds on average for just 65 days before liquidating. This may be a response to the mounting law enforcement pressure ransomware attackers face.

Criminal whales show more variation

A question that naturally follows from our investigation into criminal balances: Which criminals hold the most cryptocurrency? We decided to investigate by analyzing the balances of criminal whales. However, please note that we calculate criminal whale balances a bit differently than we do the overall criminal balances we discussed above. We define a criminal whale as any private wallet holding $1 million or more worth of cryptocurrency that has received more than 10% of its funds from illicit addresses. Please recognize that because criminal whale balances are calculated based on private wallet holdings, while overall criminal balances are calculated based on the holdings of addresses tagged as illicit (meaning they can include funds held at services in addition to private wallets), the criminal whale balances discussed here won’t align with the overall criminal balances calculated above.  

Overall, Chainalysis has identified 4,068 criminal whales holding over $25 billion worth of cryptocurrency. Criminal whales represent 3.7% of all cryptocurrency whales — that is, private wallets holding over $1 million worth of cryptocurrency.

An interesting pattern emerges when we break down all criminal whales by the share of their total funds that have illicit origins: Most criminal whales received either a relatively small or extremely large share of their total balance from illicit addresses.

Above, we bucket all criminal whales by the share of their total cryptocurrency received that came from illicit addresses. The lowest-share bucket is the biggest — 1,374 criminal whales received between 10% and 25% of their total balance from illicit addresses. However, the largest-share bucket is close behind, with 1,361 criminal whales that received between 90% and 100% of their total balance from illicit addresses. In total, 1,333 criminal whales received between 25% and 90% of all funds from illicit addresses.

Illicit funds received by criminal whales also come from more varied sources than the funds making up overall criminal balances.

Whereas stolen funds dominate overall criminal balances, darknet markets are the biggest source of illicit funds sent to criminal whales, followed by scams second and stolen funds third.  

Finally, we can also use time zone analysis to try and approximate the location of criminal whales. On the graph below, we’ve assigned UTC time zones to the 768 criminal whales whose wallets have enough activity for us to make a strong estimate.

UTC time zones 2, 3, and 4 are estimated to contain the most criminal whales, while time zones 1 and -9 also have a large number. UTC time zones 2, 3, and 4 include much of Russia, including major population centers like Moscow and Saint Petersburg, which is especially interesting in the context of Russia’s outsized role in cryptocurrency-based crime, as we explore elsewhere in this report. However, time zones of course only allow us to estimate longitudinal location, so it’s possible some of these criminal whales are based in other countries within time zones 2, 3, and 4, such as South Africa, Saudi Arabia, or Iran. 

The ability to efficiently track criminal whales and quantify their holdings from one public data set is a major difference between cryptocurrency-based crime and fiat-based crime. In fiat, the highest net worth criminals have murky networks of foreign banks and shell corporations to obfuscate their holdings. But in cryptocurrency, transactions are saved on the blockchain for all to see. Investigation of criminal whales represents a significant opportunity for government agencies around the world to continue their string of successful seizures, and bring to justice the biggest beneficiaries of cryptocurrency-based crime.

This blog is a preview of our 2022 Crypto Crime Report. Sign up here to download your copy now!

This material is for informational purposes only, and is not intended to provide legal, tax, financial, or investment advice. Recipients should consult their own advisors before making investment decisions. 

This website contains links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein. 

Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in this report and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.