Public Key Podcast

2024 Chainalysis Crypto Crime Report Preview – Ep. 97

Episode 97 of the Public Key podcast is here! The highly anticipated Chainalysis 2024 Crypto Crime Report is being downloaded worldwide, and we speak to the driving forces behind the report, Eric Jardine (Cybercrimes Research Lead, Chainalysis) and Kim Grauer (Director of Research, Chainalysis), to talk ransomware, darknet markets, sanctions, DeFi hacks and so much more.

You can listen or subscribe now on Spotify, Apple, or Audible. Keep reading for a full preview of episode 97.

Public Key Episode 97: The Changing Landscape of Crypto Crime in 2024 

The highly anticipated Chainalysis 2024 Crypto Crime Report is being downloaded worldwide, and Ian Andrews (CMO, Chainalysis) speaks to the driving forces behind the report, Eric Jardine (Cybercrimes Research Lead, Chainalysis) and Kim Grauer (Director of Research, Chainalysis), about the groundbreaking data they uncovered.


The trio dive into the most surprising and interesting trends discovered during their research, including the resurgence of Tornado Cash, the increase in ransomware attacks, the decline in stolen funds from crypto platforms and the use of stablecoins in illicit activities.

Eric also goes in depth about the evolving landscape of Darknet markets and Kim highlights the prevalence of market manipulation and how more data is moving on-chain with respect to ransomware-as-a-service infrastructures. 

The conversation also explores the impact of sanctions on crypto activities, the effectiveness of law enforcement interventions and the ongoing challenges in tracking and preventing scams in the cryptocurrency space.

Quote of the episode

“One cool thing that blockchain analytics allows us to do is, when the entire business model is moving onto the blockchain, then every transaction that’s happening to underpin a ransomware attack, we know about. So we know funds going to initial access brokers, which we’ve identified. We know funds going to VPN services.” – Kim Grauer (Director of Research, Chainalysis)

Minute-by-minute episode breakdown

  • (1:35) – Surprising resurgence of Tornado Cash, record high ransomware payouts and hacking declining
  • (4:20) – Ransomware reaching an all-time high of over a billion dollars
  • (12:50) – Dynamic ecosystem of ransomware actors and the adaptability of strains
  • (18:50) – Debate on whether DeFi platforms are getting safer or if hacking them is becoming less lucrative
  • (24:21) – Stablecoins now account for 60% of overall transactional activity, but with increased usage for illicit activity and sanctions evasion
  • (27:50) – Discussion on the effectiveness of sanctions as a tool in the crypto world and the uptick in Tornado Cash usage
  • (32:25) – Shifts and developments in the darknet market ecosystem
  • (37:38) – Market manipulation and pump-and-dump schemes on newly minted tokens


Related resources

Check out more resources provided by Chainalysis that perfectly complement this episode of Public Key.

Speakers on today’s episode

This website may contain links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.

Our podcasts are for informational purposes only, and are not intended to provide legal, tax, financial, or investment advice. Listeners should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with your use of this material.

Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in any particular podcast and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material. 

Unless stated otherwise, reference to any specific product or entity does not constitute an endorsement or recommendation by Chainalysis. The views expressed by guests are their own and their appearance on the program does not imply an endorsement of them or any entity they represent. Views and opinions expressed by Chainalysis employees are those of the employees and do not necessarily reflect the views of the company. 

Transcript


Ian:

All right. Hey everyone, welcome to another episode of Public Key. This is one of my favorite episodes of the year, and actually one of the most popular episodes we’ve done in the last two years. It is our breakdown of the annual Chainalysis Crypto Crime Report. Today I’m joined by my colleagues and friends, Kim Grauer, our head of research, and Eric Jardine.

Kim:

Hello.

Eric:

Hello everyone.

Ian:

Welcome to the program. It is a big time of year for your team. I know you’ve been grinding on this report for months. By the time this episode airs, I think we will have published the full report so people will be able to go and download it. They can read the hundreds of pages of details, but I love this episode because we get to dive into some of the more interesting stories and trends. I’m really curious, what was the most surprising or interesting thing you discovered as you were going about building a report? Eric, let’s start with you.

Eric:

Sure. Yeah. It’s always tricky to take something of this scope and scale and be like, “Let’s just name one thing.” So I’m going to finesse the answer a smidge by saying, you said surprising and or interesting. So I’ll say one of each. On the surprising front, what struck me the most as “Huh. I didn’t see that coming,” was the gradual resurgence of Tornado Cash, the ETH-based smart contract mixer. I think it struck me as odd, didn’t see it coming. A lot of discussions of sanctions get dominated by other entities, but that one has increasingly seen more and more inflows, and that’s unexpected. And on the interesting front, I think the big resurgence in ransomware really stood out to me as well, that cresting a billion for the first time was quite a significant milestone.

Ian:

Awesome. Well, that’s a great setup for the rest of the episode because we’re going to talk more about ransomware and more about sanctions. Kim, what about you? Interesting or unexpected that came through in the research cycle?

Kim:

Well, definitely the wildest moment was when we ran the final numbers for ransomware and saw that we had hit an all-time high. And I remember because it was like a head-to-head with the previous year, and we got a fresh surge of ransomware addresses, and we were at all-time highs. And I think that’s when we realized we had been focusing really heavily on other sections, on hacking, on North Korea, on money laundering. And that’s when we realized that ransomware is a really big part of the story this year, and maybe something that people aren’t talking about. So I really like when the crime report highlights something that is not broadly discussed, and it shows that our data can surface insights that are happening that maybe were going, flying under the radar. And that definitely happened with ransomware. I think on the flip side, what we saw with hacking was that it was going down.

And I think that also surprised people, because we are used to being in this industry where every day there’s a hack, it’s so unsafe. And so to see that narrative turn around was really exciting as well. And then I’m, of course, going to plug the market manipulation section, which is my favorite section, where we were, for reasons that aren’t really results-based, but more methods-based, but we were able to show that a pretty big percentage of the newly launched tokens are associated with some patterns that look suspicious, but that only represents a small fraction of the total trading volume. So three fun points I think that I enjoyed.

Ian:

Amazing. We’re going to talk more about all three of those. I think we should jump into ransomware so that we don’t bury the lede here. Eric, the big headline this year, more than a billion dollars in funds paid in ransom. First time that we’ve ever seen in excess of a billion dollars going to ransomware rings. It was also a huge change in trajectory. We had called 2021 the year of ransomware. That was the year in which Colonial Pipeline got shut down here in the United States. There were also a number of other pretty notorious hacks. 2022, I think, surprised us because it was down materially, but obviously 2023 has come back with a vengeance. Maybe start with a bit of speculation. What’s behind the shift in trajectory that we’re observing?

Eric:

Yeah, I think about it as almost 2023 reverted back to what the longer term trend in ransomware happens to be. That if you look at it over a multi-year period, the line’s up and to the right. And 2022 is certainly anomalous in this respect. It was a big drop. And as the year we’re on, and into this year, we actually I think started to get a glimpse at what was maybe driving some of that change in activity. And one, so you had, I think a perfect storm for a reduced amount of ransomware. So in the early half of the year, you had Russia’s invasion of Ukraine that led to a change in tactical approach, people doing other things.

And then in the second half of the year, unbeknownst to most, until January, when the FBI announced it publicly, the FBI had actually infiltrated one of the major strains called Hive. And they were essentially providing decrypter keys to victims so that they would be able to avert ransoms. And so one of the things we were able to quantify, this time around in the report, was just how big of an effect that might be. And the FBI had provided a conservative estimate at the time that they announced the close of their operation. They said that they knew or had knowledge of about 130 million worth of averted ransoms in 2022. And our estimate puts it at a significantly higher number than that, tens of millions more, most likely.

So the knock on effects of getting into one of the major strains and disrupting their activity is quite significant, and a really good approach for law enforcement interventions in the future. But that was happening basically from the middle of 2022 into the early part of 2023. So there’s this whole drag put onto the ransomware ecosystem during that year that was unknown until it was made public. Certainly the disruptive effects were apparent, but what was driving it was not. And so as we see this resurge back, it’s basically when you start to remove some of those forces of drag from ransomware actors, they’re rubber banding back to where the trend sort of suggested they might’ve ended up. Unfortunately.

Ian:

And you bring up an interesting point talking about Hive. One of the things that strikes me when I think about the ransomware landscape versus one of the other big ones we’ll talk about, which is stolen funds, is that it seems like there’s… There’s a couple of groups we talk about pretty consistently, like the North Korean Lazarus group, who is notorious in the world of stolen funds. It seems like ransomware, it’s a much more dynamic ecosystem of actors that we’re dealing with, where groups form and then they dissolve and they might merge, or they might be infiltrated by the FBI. And even if law enforcement and technologists are successful at halting a particular strain, a new one will emerge fairly quickly that fills the void that’s been left. Can you talk a little bit about what we saw in terms of the mix of different actors that are involved here? Are there any that we should be particularly on the lookout for as we head into 2024?

Eric:

Yeah, so I think you’re absolutely right at a diagnostic level, you have the ability to change strains, you have the ability to modify strains. And we do see that. One interesting example is the Black Basta ransomware. It was reliant on Qbot, which had a… Or QakBot, which had another infiltration that was announced in August of this year, and it was basically shut down. But basically you find a different delivery mechanism, which Black Basta did, and then you get a resurgence of activity later in the period of 2023. So this adaptability is fairly challenging. And then from an on-chain dimension, on-chain infrastructure is highly recyclable.

You can use it once, you can jettison it from there, which makes tracking, identification, these sorts of things, quite a challenge. So I think there’s a few groups that are, they closed out the year pretty strongly, including ones like Black Basta and the big players that are doing the lion’s share, I’d say of the ransomware activity at a dollar denominated level, that you really want to be watching out for, because there isn’t unfortunately a really effective permanent solution here. You disrupt their delivery mechanism, they adapt. You disrupt their on-chain infrastructure, they adapt. You infiltrate the strain, it will eventually regrow, unfortunately. A little bit like a hydra.

Ian:

Interesting. One of the things that keeps coming up is ransomware as a service, which seems like maybe that’s proliferating the availability of the tools necessary to carry out a ransomware attack so we get more smaller actors. Am I interpreting that right, or is the ecosystem maybe not quite that heterogeneous?

Eric:

I think, yeah, there’s a big spectrum with ransomware as a service. So you have some, where you’re at the small end of the median ransom payments, you may be conducting a fair number of attacks, but you’re not getting a lot for them. And you can range from there up into the alpha predator side of things, where your strains are associated with some of the larger attacks that we might observe during the course of the year. This affiliate model, where people are signing in to use your ransomware strain, basically does proliferate the… Think about it this way, it lowers the bar for what you need in order to do ransomware because you don’t need to be the admin designing it and so forth.

And from there, you can basically work with access brokers to get into networks. You deliver the payload, you take receipt and you get paid. And that’s a model that’s right for people who are, strictly speaking, just financially motivated, but may lack skills in some of these other areas. So it definitely lowers the bar for participation, which can create a proliferation of actors across the ecosystem. But there is a big range. Some of them are pretty straightforward, some of them are far more complex. So there’s some nuances there.

Kim:

I will say on the flip side of ransomware as a service, one cool thing that blockchain analytics allows us to do is when the entire business model is moving onto the blockchain, then every transaction that’s happening to underpin a ransomware attack, we know about. So we know funds going to initial access brokers, which we’ve identified. We know funds going to VPN services. And Eric, actually, one of the cool things that he did was look at the relationship between investment by ransomware strains in things like infrastructure to carry out an attack, initial access, broker access, and then the predictability of when a ransomware attack is going to happen. So even though it’s scaling ransomware operations at such a high rate, now you can just buy access. You don’t have to be the person who’s building the attack. You can dabble in different ransomware strains.

It’s also giving a lot of opportunities to law enforcement to model out exactly the entire business model of a ransomware attack, and see where funds are going, what it takes to carry out a ransomware attack. And crucially, what we’ve talked about at Chainalysis, which is the supply chain, the supply chain of the ransomware attack, more opportunities to disrupt the ransomware operator. So if there’s an operator in a jurisdiction that maybe you don’t have jurisdiction over, maybe there’s someone in your jurisdiction that is a part of this whole supply chain of ransomware attacks. So our investigators are really great at modeling out all of the components of ransomware when you do go from just an individual run ransomware to this whole business model, that ransomware as a service is, blows open the door for investigations.

Ian:

It really is powerful, the visibility that we get into the entire business once everything’s conducted in cryptocurrency. It’s such a powerful tool in the toolbox of law enforcement and other cybersecurity investigators. I’m curious, actually, you said supply chain. I’m going to take that in a slightly different direction, because it seemed like in 2023, supply chain attacks were at the core of so much of the really big, notorious attacks that we saw. This compromise of MOVEit was one that just stuck with me all year because it’s a piece of software that’s on so many devices all around the world, very common IT administrative tooling. And once their infrastructure was compromised, this just exposed so many companies to vulnerabilities and ultimately attack. I’m curious, how much are we seeing that type of supply chain vulnerability as contrasted to something more of a run-of-the-mill of credential theft or individual user compromise? Do we have any sense of the breakdown between those two?

Eric:

From my standpoint, not at a frequency level, other than I would hazard things like MOVEit are rarer. That’s one of the only upsides of zero days is, to a degree, few and far between as opposed to compromising somebody’s credentials in order to gain partial or full access to a system. At an effect size level, we looked a little bit at the effect of MOVEit, particularly on inflows to a particular strain wallet associated with the CLOP ransomware, which was leveraging that particular vulnerability, and it jumped in terms of its inflow proportion relative to the whole, during the months that it was active in this regard. It was upwards of 30 to 40% of all ransomware inflows in those couple-month periods that were associated with CLOP, because it was taking advantage of how ubiquitous MOVEit happened to be.

So those are the doomsday scenarios, where you find this little-known… who probably could have named MOVEit before it became a thing? It was everywhere, but nobody… It was so latent in the infrastructure stack that people just didn’t really know it was there. And it’s the worst-case scenario when a ransomware actor gets a hold of a vulnerability because it’s everywhere. Nobody knows it’s there. Cleanup takes a long time getting it figured out and patched, and all the rest. So certainly I think those vulnerabilities are luckily few and far between compared to other methods of potentially gaining access, I would hazard. But when they are found and exploited, it’s a mess, no doubt about it.

Ian:

It certainly made me want to go delete everything off all my devices that I don’t use regularly, unless it’s absolutely necessary to be there. I was like you, I had never heard of MOVEit until I heard about MOVEit. So last question on ransomware. I’m curious, where are all the funds going? A billion dollars is a lot of money. I know that’s not to one organization or just one individual, obviously, but where are the funds going after they’re ransomed from victims? A few years ago we were, I think, all very happy to see US Treasury, OFAC, take action against one of the more popular money laundering organizations that was supporting the ransomware activity. Has a new player emerged post that sanctions activity that most of this is consolidating through, or have they taken different tactics entirely since then?

Eric:

I think that there’s some interesting changes to the off-ramping or laundering pattern that we were observing on-chain. One is I think there’s increasingly these episodic periods where ransomware actors lean into things they haven’t tried before. Mining pools, cross-chain bridges, things like that. The go-tos are usually exchanges, underground laundering services or mixers; those are the big categories of things that will receive funds. But there’s definitely… There are dynamic actors in this space and they’re trying out these alternatives, things they can effectively launder through but haven’t really been something we’ve observed before, but we’re seeing it pop here and there. It’ll be like one quarter’s worth where all of a sudden cross-chain bridges become the thing that they’re trying, or gambling services on a lower denomination basis, stuff like that. So I would interpret it as the ransomware actors in the ecosystem are certainly not staying flat-footed, and they’re definitely just trying out other methods for laundering funds, probably with an eye towards just seeing what the most effective pathway happens to be at the given moment, rather than any innate desire to use a cross-chain bridge or something like that.

They’re doing it for a reason, to try to avoid detection, for sure. But it’s an interesting dynamic because it shows that they’re definitely not just… Well, I’d interpret it this way. It’s an interesting dynamic because it definitely shows that they don’t think the current approach to things is sufficient going forward. Because the more they’re trying out and cycling through new things, the more it must be that they’re feeling some pressure to try to launder funds more effectively, and are feeling things like sanctioning events or closures or frozen funds or whatever it happens to be.

Ian:

And I would imagine… Go ahead, Kim.

Kim:

Sorry. There was one really unique way that ransomware shined from the rest of the crime types when it comes to money laundering, and that is, in addition to experimenting with bridges, and mixers are obviously a big part of the picture, the new mixers, the old mixers, there’s a lot of use of informal or homegrown money laundering infrastructure that feeds into really large deposit addresses on low-KYC exchanges. And a lot of the other crime types were adapting this year to the fact that we can see everything going on to the deposit addresses. So we saw most crime types were diversifying across multiple deposit addresses, except ransomware, which started going all in on these really big deposit addresses. So using more concentrated off-ramps, fiat off-ramps, to move their funds. We’ve speculated as to why that is, but it’s really unique to ransomware, and a reversing trend across every other type of crime, who are moving away from leveraging these really easy-to-see large deposit addresses.

Ian:

Do you think that’s a nested exchange where they have some controlling interest maybe in an operating entity that’s then nested inside of a larger exchange that’s looking the other way? Can you speculate more as to what’s driving that?

Kim:

So the term nested service is, I’ve always found it to be difficult to get concrete about, because are you talking about a known service where it’s filed its papers, or is it just someone who’s doing a business informally? At what point do you become a nested service versus just someone who’s carrying out their money laundering operations that’s scaling? And so I think the line there is a little bit gray. I would say that it is in that domain, someone professionally moving money. And do they do other stuff besides ransomware? Well, we can look at the deposit address and see the exposure and answer that, and I’m reluctant to share some of what we’ve seen now. But you can get a sense of that, okay, this is a business operation. Are they registered? What have they told the exchange? Does the exchange care? Those are different questions. But if you’re moving that amount of ransomware money, it’s definitely going to be at a business scale.

Ian:

Yeah. Fascinating. It’s something we’re going to have to keep an eye on. I don’t suspect that the ransomware trend line we’ve observed in ’23 is going to slow down at all. So I think we will have more to say on that topic. Shifting gears a little bit, Kim, one of the things that blew me away, looking at the research this year, was the total amount stolen from crypto platforms fell dramatically year over year. We’re talking from over 3 billion stolen in 2022 down to just a bit over a billion last year. The number of incidents decreased slightly year over year. I am curious how to interpret this. Are DeFi platforms getting safer, or is maybe hacking them getting less lucrative for some reason? I know TVL is down year over year as well. What do you think? What’s the big takeaway we should put behind those numbers?

Kim:

Well, Eric will know that we have a different opinion about this. So my-

Ian:

Ooh. Controversy.

Kim:

I will let him characterize his opinion, but I am in the camp that DeFi is getting safer. And if you look at the types of attacks that are happening, or at least the DeFi attack vectors that we saw in the past that were taking advantage of on-chain vulnerabilities and smart contract vulnerabilities, the share in the second half of 2023 of all attacks that were more in the line of phishing or compromised keys grew a lot. And then the share of the attacks that were smart contract on-chain exploitations declined a lot. And so I’m seeing signals that some of the on-chain vulnerabilities, we’re cleaning up the ship a little bit. And our hypothesis for two years now has been that that can’t go on for the industry. We can’t have that many smart contract vulnerabilities that people are actively using and storing their funds in. Of course, that’s a hard problem to overcome. And then we also saw a lot of price manipulation, which is a different type of attack vector, but Eric, I think when we talked about this, has been in the lower TVL camp.

Ian:

Yeah, Eric, give us the counterpoint here.

Eric:

All right. So first off, they’re not mutually exclusive, so I definitely lean one direction, but I do recognize that you can have improved security and reduced TVL and they both contribute some proportion, and I think that’s probably what’s happening. But no, I’m definitely… There’s the Sutton rule, the famous bank robber, and the quote was something along the lines of, when asked why he robbed banks, he says, “Well, that’s where the money is.” And I think the distilled lesson from that is if there’s less to steal, in terms of TVL, you’d expect less in terms of stolen funds amounts in the DeFi ecosystem just as a function of that. And so I think when looking at, for example, the decline in TVL that mirrors the decline in value stolen, my initial reaction is that, yes, at least some portion of this, I think a majority portion, but this is where the difference of opinion comes in, is probably that we’re tracking that decline in value at risk, as opposed to, strictly speaking, improvements in security.

What I think is interesting, just thinking about this in terms of next steps, is I just saw Bitcoin, before we started here, Bitcoin cracked 50K. Go team.

Ian:

Wow.

Kim:

Did it?

Eric:

Yeah. But if we do trend in this year or into next year, into another bull market cycle, and if TVL surges as a result of that, the two factors we’re talking about would have different predictions for the future, and mine would be kind of a pessimistic regression back to pretty high amounts of value stolen, and the security improvements, assuming they’re sticky and assuming new entrants adopt the best practices that we’ve seen develop during the bear market, then we should see the numbers not be quite as bad as they were historically. I certainly hope that that’s the one that happens, but I think the pessimist in me suggests that I think the safer prediction is when TVL surges, stolen funds in DeFi is going to surge again too.

Kim:

I will say, to bolster your point, that if you look at the DPRK hacking, they’re at all-time highs for number of hacks carried out and attributable to the Lazarus group, but it’s about half of the value from last year. But to support the reason why DeFi is actually becoming safer, and I mean, I guess the way you phrase this is important, because the DeFi-native on-chain attacks are fewer, but you still and will always have phishing risks, risks associated with phishing, and the same types of problems that impact every organization around the world are becoming prevalent and a part of this. But the DeFi vulnerabilities that are specific to bad contracts, bad code, those are cleaning up a little bit. And I think that the Lazarus group’s hacks show that if you look at the way that they’re breaching and the number of attacks and the amount. So yeah, maybe we’re all right.

Ian:

I would add to it as well, it’s not as simple as, okay, we’re writing better smart contract code. I think there’s better tooling in the ecosystem as well. We’ve seen the emergence of companies like Hypernative that give you real-time security threat intelligence. They can tell you as an attack is forming against your platform and allow you to potentially take action like block an address or pause your protocol. There’s tools like Olympix, which is a smart contract code editing assistant. So I think we’re getting a higher quality of infrastructure developing, plus the best practices that you all just talked about. So it feels to me like the industry’s getting better protected, a bit smarter, but Lazarus is, by no means, slowing down. So it’s not a moment to rest.

I think, Kim, the other thing that caught my eye is stablecoins. When we looked at the illicit activity, it seemed like there was a spike in usage that maybe started last year in terms of stablecoins as a percentage of the overall stolen funds that were transmitted. Which strikes me as really weird. Because the two biggest stablecoin issuers by volume both have not only the technical capability but the demonstrated history of collaborating with law enforcement. If you send a notice and say these funds are stolen or there’s something bad that happened here, they will freeze those funds on-chain. So I’m obviously not a criminal, but if I try and put my criminal hat on and think like a criminal, that seems like a really bad way to go about conducting my illicit activities, to use money that can be taken out of my pocket at any moment in time. So unpack what’s going on for us a little bit with stablecoins.

Kim:

It’s good news for the industry.

Ian:

Yeah, absolutely.

Kim:

It is. Because our next steps are obvious. And there’s a really powerful tool at our disposal for how we can handle this. So even though it is happening, it could potentially be happening because we’re all just starting to really tap into that capability and get comfortable with using that capability. But another nuance is that when we think of crypto crime, I think people immediately still think about buying drugs on the dark web and ransomware attacks, but a lot of the stablecoin activity is occurring in the sanctioned actor category. So this is entities or services that have been sanctioned by OFAC and are operating. A big one would be Garantex, it’s still operating, a majority stablecoin activity because its people are trading. Stablecoins are… Underlying all of this is the fact that stablecoins are completely blowing up and everyone is using stablecoins. If you want an up-and-to-the-right chart, you look at the share of all crypto activity that is denominated in stablecoins; the number of active wallets that are holding stablecoins is growing rapidly.

So the share of that that is on these sanctioned services is also growing in general, because of this general trend. But also because it’s not that criminals want to use stablecoins, per se, to carry out ransomware attacks or purchase drugs on the dark web or something; it’s because of these services that are being sanctioned, the types of activity on many of these services, or at least the vast majority of them, are denominated in stablecoins. So it’s actually also more of a reflection of some industry shifts in how we’re thinking about crypto crime, which is that we’re looking at the share of all activity that is associated with these sanctioned entities, and OFAC, as you’ll see in our sanctions section, has been sanctioning services at a really fast rate. The amount of sanctioning they’re doing is growing, to the extent that we are caring about the amount of sanctioned activity that is just capturing the stablecoin value.

Ian:

Yeah, I think now stablecoins are like 60% of overall transactional activity, plus or minus a few percent, probably, which is amazing. That’s a huge shift from where we were a few years ago when it heavily leaned towards Bitcoin and then sort of secondarily Ethereum and then all the long tail of altcoins; stables now are well over the majority. I am curious, you brought up sanctions, which was a topic I wanted to dive into a little bit. So OFAC obviously has been much more active in recent years in terms of using sanctions as a tool to stop everything from money laundering platforms to exchanges operating in jurisdictions where there’s supporting activity that is outside of US interests. What’s our sense of sanctions as a tool to modulate activity in the world of crypto? Does it work? Kim?

Kim:

Does it work? This is actually something we tackled in the crime report last year. And Eric, you actually led that research. Do you want to say what your findings were?

Eric:

Sure. I can do a quick summary. It’s a wonderfully loaded question. Thank you. I think… My evolving take on it is they work better than I think a lot of people would think, because with a censorship-resistant payment system, having an organization like OFAC say this is a sanctioned entity doesn’t literally stop the transfer of funds, so you’re relying on broad-based compliance across the ecosystem. But what it tends to do in practice is, yeah, it seems to reduce, it reduces inflows. There’s a couple of caveats and exceptions that we can talk about, but it reduces inflows a lot of the time. It causes services to close. It disrupts the activity of the counterparties of those services.

So when an illicit actor, be it a mixer or a darknet market or whatever, when they get sanctioned, what we found last year was that the counterparties that have been relying on that infrastructure as a part of their business model essentially did less on-chain activity than non-counterparties. So there’s this second-order effect that’s at play. Interestingly, I think one of the things we’ve unearthed this year that’s caused me to modulate my view a little bit is I think there’s a shorter-term, far more severe effect, to the good, but that over time that effect can modulate a little bit. In the case of, for example, Tornado Cash, the inflow volumes dropped about 95, 96% in the immediate aftermath, but because it’s a smart contract mixer and it’s not going anywhere, volumes have ticked back up over time, which is an interesting dynamic suggesting-

Ian:

Do we have any sense, Eric, of who is now using Tornado Cash? I know I’m not going anywhere near it. What’s the profile of a user or maybe where are they coming from? Do we have any sense of that?

Eric:

We do, to a degree, yeah. It’s a heavy amount of DeFi-related inflows as an origin point. And then Tornado Cash still seems to be servicing this mixture of scams and stolen funds. Not the sort of Lazarus Group scale stolen fund activity that was the reason for its sanctioning in the first place; it’s a smaller scale than that. Likely a lot of drainers and things like that are at play, that are cashing out through Tornado Cash or laundering, I should say, through Tornado Cash. So because of what it is, an ETH-based smart contract mixer, you’re tethered into that ecosystem pretty hard. And there are a few things that are interesting because of their absence. It doesn’t have any exposure related to darknet markets, for example, but they’re operating in the Bitcoin silo, and except maybe through bridges, you’re not going to be conducting business on a darknet market and then going immediately to Tornado Cash; you have to find some in-between point.

Yeah, that’s an interesting… That result from this year’s report caused me to modulate my view from last year. Because last year I was like, “These are actually far more effective than I thought they were going to be,” was my immediate reaction. If you’d asked the interesting or surprising question about last year’s report, that would have been it. These things work really well, and I still think they do. And there’s those second-order disruptive effects and everything else that I mentioned, but I think there’s this, it diminishes a little bit, not a lot. There’s still… They’re 75, 80% down from where they were before sanctioning in terms of inflows to Tornado Cash, but that effect has certainly modulated a little bit over time.

Ian:

What about some of the larger exchanges that we know operate out of sanctioned jurisdictions like Garantex in Russia or Novatech in Iran? Any effect that we’ve been able to observe related to sanctions in those cases?

Eric:

There are some negative ones.

Kim:

The activity is not tremendously impacted by the sanctioning event. We tend to say that the best thing to do in this scenario would be to sanction and seize a server. But I will say that even though Garantex and some of these other services are operating, business as usual, the number one thing that we get asked on the customer side is how do we protect against receiving funds from sanctioned entities? So we tag these, we have incredible attribution of these services. We know about their entire wallet infrastructure and we have these identified in our product. And that, on top of sanctioning being the number one concern of many customers that are wanting to safely and securely engage with cryptocurrency. I think that even if Garantex is not fazed right now, there’s a long-term impact that these sanctioning events will have on some of these services. But Garantex in particular is still highly active.

Ian:

Yeah, interesting. I saw that took up a pretty large share of the dollar value of the illicit activity we’re tracking this year, I think, to sanctioned entities. So something to keep an eye on. It doesn’t seem like there’s a simple answer to the strategy approach there. Eric, I know that you spend a lot of time on the dark web side of the internet, not for personal reasons, but research ones, I’m not trying to make any suggestions here. There’s been a bit of a shift in that ecosystem as well. So a very large darknet market called Hydra was shut down. I think at the peak they were doing over a billion dollars in sales a year, if I have those statistics correct. What’s happened since the shutdown of Hydra, and how are darknet markets as an industry going through 2023?

Eric:

Yeah. So darknet markets and ransomware were the two non-sanctions-related areas that grew year over year. And in both cases you have this base rate effect that’s a part of the reason you see big changes. Now, we already talked a lot about ransomware. With the case of darknet markets, when Hydra was sanctioned and closed in early April of 2022, what basically happened was removing the biggest market in the space. It was well over 90% share of all activity. And so there’s two ways to then think about what happens next, especially into 2023. And one is we definitely saw a recovery in terms of dollar flows. So the ecosystem’s basically back to where it was before Hydra was sanctioned and closed. And that’s been the pattern over the longer historical period since, let’s say, 2013 when Silk Road was closed: there’s a drawdown in activity, but eventually growth resumes and the market size increases over time.

What’s interesting this time, though, is there’s another way to look at what happens when you remove a top market, and that is what happens in terms of the dominance of any given market in this space. So how much does the top market hold? So Hydra was sitting north of 90%. That has historically been what we see, that one, maybe two markets are eating up the lion’s share of all inflows. And what’s interesting this time is since April of 2022, all the way through a full calendar year plus some, we’ve seen a bit of a re-concentration, but it hasn’t been extreme. It’s not what we would’ve expected and not what we saw over the longer historical run. And so, one of the things we did was scratch the surface to say, “Why are we seeing a lack of concentration like we’ve seen every other time after a top market has been closed?”

And in this case, what seems to be happening is basically the ecosystem’s developing now in a way that I think is best thought of as task and regional specialization. So you have some markets, Flugsvamp for example, which I think is on its fourth iteration, Incognito, ASAP, these sorts of darknet markets that are selling drugs, but they’re doing so to Western audiences predominantly. And then you’ve got other markets that are servicing, let’s say, a global clientele, or are based in and servicing Eastern Europe in terms of drug exchange. And then you’ve got some markets that are actually doing something that’s closer to what you might call cyber crime enablement. So they’re receiving large amounts of funds from fraud shops or stolen funds or ransomware or stuff like that. So they’re either selling tools or they’re providing some sort of laundering, stuff of that nature.

And what’s interesting about all this is you definitely see, if you start to break the data down this way, that the dominant market in any one of those categories differs: Western-facing drug markets are different in terms of which one’s dominant compared to the Russian and Eastern European ecosystem versus the global ecosystem. So that specialization’s why we’re not seeing a re-concentration, that there isn’t a global dominant market anymore. It’s like the dominant market in, let’s say, North America and Europe is this one, the dominant market in this field of activity is this one, that kind of thing. And so the lack of re-concentration, from a data standpoint, what was interesting about it is it gave us a clue that let us then go look and basically see, and then trace, in fairly precise terms, who’s servicing what part of this evolving ecosystem as they take on more things and service more areas.

Ian:

Is there an advantage from a criminal standpoint to being smaller? It seems like you’d have less of a target on your back. If you’re doing a billion dollars in revenue, everybody knows your name.

Eric:

Yep.

Ian:

Whereas if you specialize in only one particular type of item and you maybe are localized to a particular jurisdiction, it just seems like you’re going to catch much, much less attention from law enforcement.

Eric:

That stands to reason, I think. I know that one of the things… There’s… So on the catching law enforcement attention standpoint, I don’t know the degree to which the greed of servicing multiple markets, and doing so at a big scale, would outweigh the risk. That’s an individual risk preference and business decision among these operators. But definitely they are aware of what factors drive, let’s say, the FBI’s attention as one of the… Since they’ve been involved in most of the major market closures. And so most of these darknet markets have on-the-books terms of service prohibitions against selling fentanyl and opioids, because that’s like a surefire way to get J-CODE’s attention in the FBI, which brings a lot of resources, capacity and a history of success into the equation. And so they’ll try to avoid it by just saying, “If you’re a vendor, don’t sell this.”

That’s one of our rules. It turns out in practice, those are really terribly enforced. Most of the time you’ll find either derivatives or component parts or street lingo that basically shows, on the face of it, vendors selling all of these products. And even the comments of customers, which they’ll leave on these effectively little tiny e-commerce sites that are darknet markets. They’ll be commenting about how it does or does not include opioids. So it’s not like it’s an enforced prohibition most of the time, but it’s definitely a pro forma nod toward trying to avoid getting in the crosshairs of the FBI, for sure.

Ian:

Amazing. Kim, you talked at the top about pump and dump schemes, and just this whole idea of market manipulation. It’s something that we’ve… We’ve had a couple episodes on the podcast in the last year. I think one of the companies that joined was Cloudburst. They seem to have, with pretty high confidence, identified broad market manipulation, a lot of it happening on dark web chat forums. I’m really curious, the analysis you mentioned at the top, maybe take us through what you looked at and some of the key findings there.

Kim:

Sure. Market manipulation, I think, is a really important area to focus on because, as we’ve shown in this podcast and in our crime report, Chainalysis is really good at showing how much activity is associated with wallets that you can identify as illicit, how much is happening, what percentage of all blockchain activity is there. And we’ve come a long way in assuring the public that about 1% of the blockchain is associated with this type of activity. But now we’re in this time where the big unknown is related to market integrity. Everyone thinks, “Oh, the whole market is manipulated.” And so we can do the same thing with market manipulation, because, as every transaction is available on the blockchain, we can really bring insight into how much of the blockchain activity and newly launched tokens might be illicit. So what we did in this, this is just one potential type of many ways market manipulation could occur.

We looked at what share of newly launched tokens appear to have suspicious trading patterns. So with our acquisition of Transpose, we were able to do this really actually pretty easily. We look at tokens that were launched in 2023, and then we create a few criteria that help us further segment out if something’s suspicious. So did the person who launched the pool remove all of the liquidity in a single transaction within a certain amount of time after the token was launched? And to get rid of noise, we do things like: was there a maximum amount of liquidity that this token reached in a liquidity pool? Were there at least five, or a certain threshold number of, people transacting with the token? And then we found that of all of those tokens, 54% had some suspicious activity in the early days of the token, where the liquidity provider did remove the liquidity in one transaction.

And a lot of… The journalists who came to me to talk to me about this, they were, “This is really bad for the industry, isn’t it?” And I was like, “No, it’s actually good that we can see this, but also this is the long tail problem. Anyone can launch a token and it’s only 1% of the total volume on all DEXes that is associated with these tokens.” And so I worked hard to advocate that this is actually really good news, and good news because we can do it, but also because such a small share of all the trading volume is associated with these newly launched tokens that have suspicious trading patterns.

Ian:

Yeah, it’s really interesting. For anyone that’s ever done it, creating a token on the Ethereum blockchain is incredibly easy. The protocol spec is very straightforward. The three of us could get together, and in an hour or two, have shared a batch of tokens probably from a standing start. And I think there’s a lot of people out there who are probably experimenting with the technology, or they’re really just playing around with no ill intent. They’re having a laugh, trying to make a meme coin. Maybe it gets really popular like Pepe Token or something like that, I would imagine. But then it does seem like you found some evidence where individuals were intentionally creating a token, drawing enough attention and activity to it, that a few dollars came in, and then they run off with the money by swapping out into another asset. But I guess, like you said, good news that it’s not a massive dollar volume, right? It’s possible, but it doesn’t seem to be really gaining meaningful traction. Would that be the right summary on the research?

Kim:

Yeah. Yeah, I think so. And you’re right, anyone can launch a token. This is just a set of criteria that we’ve associated with pump-and-dumps in the past. But also this is just one way of running market manipulation. We’ve looked at wash trading of NFTs in the past, which would be a different, still straightforward, Transpose query. But yeah, it’s a small percentage of the volume, and I think that it’s exciting to see that of all of the tokens launched, it’s only 1% of the volume that has some dubious activity.

Ian:

For anyone that wants to dive deeper into this, we’ll post the link to the blog that Kim’s referencing in the show notes. And you can actually go and set up a free account on Transpose.io and run some of these queries yourself. We’re running out of time here, but Eric, I wanted to hit one last question, which was related to scam revenue. Now, we’ve spent a lot of time on this podcast talking about pig butchering, which is one flavor of scam that we track. And by my anecdotal experience, it doesn’t feel like that’s slowing down. If anything, it’s becoming industrialized. But looking at the data in 2023, we actually saw a fairly significant decline in dollars being siphoned off to scams, which I know struck at least a few people who’ve reached out to me as a little unusual. What do you think is behind that? What’s actually going on here? Are we maybe in a media moment where everyone’s now talking about a thing, but it’s not quite happening as much as it would suggest, just glancing at my Twitter timeline?

Eric:

So I think important caveats to this question and to my answer would be that we report the data that we see at a given moment. And historically what we have is, every year when we release our intro results to the world and say, “Here is the broad picture,” if you look back to what happened in terms of our estimated values the year prior, they tend to revise upwards. And so we are always at that point where our data’s constantly evolving and improving over time. And so I would caveat everything by saying those scam figures that we have released for the course of 2023 will go up. Now, will they go up enough to correct the downward trend is another question, because over the last few years, we have seen, year-over-year, declines in scam-related inflows. And that basically means we’re coming out of the bull market into the bear market and now into whatever we want to call where we’re at right now; what we’ve seen is a drawdown. Now there’s currency and denomination effects at play.

So when tokens are worth more and there’s more participants in the ecosystem who are flooding in to get yield or returns, you’d expect scamming revenue to go higher. We’ve documented fairly well that scam inflows tend to correlate pretty heavily with market activity. But I don’t know, I think that there’s something here that’s, I think, broader than that, which is this drawdown has been multi-year now. It isn’t responding to over a hundred percent price appreciation of Bitcoin, for example. It’s not responding to that in the way that we’ve seen it historically. And so I think there’s a few things that might be going on. There may be a media moment, as you said. Maybe part of it is people think scamming is more prevalent than it is.

Maybe what’s happening is alternative ways of measuring scamming activities are going up. So maybe the stigma about being scammed is washing away, so people are reporting more. And as a result of that, we’re seeing more reports which filter through into various outputs, but the on-chain footprint of what’s happening is actually going down. So more reporting, less scamming, to phrase it differently. It might also be that the nature of the scamming activity is evolving in a way that makes it harder to track on-chain. Or it may even be the case that some of the crypto-related scams might have no crypto dimension, per se. They may be… I mean, I could scam my parents. I’m not going to. Love them very much. I could scam my parents and say-

Ian:

Please don’t do that. Your parents are lovely. You don’t want to scam them.

Eric:

They are lovely. I could scam my parents and say, “I’m going to be doing crypto investments for you. Give me a thousand dollars through an e-transfer.” And it’ll never hit the blockchain. But they think that they’ve been scammed with crypto. And so they report a crypto scam, but it doesn’t have this blockchain-related footprint. And so there’s all these different facets that I think are important for us as a wider ecosystem to bear in mind and try to reconcile going forward. Because on the face of it, yeah, it seems like multiple year-over-year drawdowns are inconsistent with some of the other things that we’re hearing, but it is possible if you start to add in, maybe it’s greater reporting, maybe it’s crypto scams without a blockchain dimension, etc., etc.

All of a sudden the numbers can start to converge. So I think from my standpoint, the key thing is just information sharing and improving attribution is what we want to try to do, so that we can make clearer and better estimates going forward about the level of scam volume. And then leveraging our data in order to help scam victims get their funds back if they can, I think, is also a crucial dimension. But it’s a tricky one because there isn’t a definitive answer as to why those two things seem to be moving in opposite directions.

Ian:

Well, for all the listeners out there, stay safe. If something sounds too good to be true, it is. Don’t send them your money.

Eric:

Yes.

Ian:

Eric, Kim, this has been fantastic. Any final words before we wrap up?

Kim:

See you next year?

Ian:

Absolutely. Hopefully sooner than that. These are some of my favorite podcast interviews. Thanks so much for joining us.

Kim:

Thank you.

Eric:

Thanks everyone.