Scams are being revamped, dark web activity is doubling, do you dare to read the 2018 Cryptocurrency Crime Report?

It is undeniable that due to the high anonymity and cross-border capabilities of cryptocurrency, many people have "bundled" Bitcoin with cybercrimes such as the dark web and money laundering since its advent.

It can be said that the dark web is the largest application of digital currencies such as Bitcoin.

The former "Silk Road" was a dark version of Taobao, and was the e-commerce with the most "brand value" in the dark web. It was used for various illegal transactions such as drugs, and was closed by law enforcement agencies in 2013. But the dark web is like an indestructible cockroach. Although the Silk Road is dead, there are still many replacements. The scale and number of dark web markets are still growing rapidly. Compared with 2017, the dark web market activities in 2018 almost doubled!

Why Cryptocurrency Crime Is Becoming More Sophisticated

Recently, a report titled "Crypto Crime Report" released by digital currency research organization Chainalysis shows that crypto crime is still a major problem that needs to be solved in the cryptocurrency ecosystem, and it is clearly on the rise, such as the doubling of dark web activity. In the report, Chainalysis deeply analyzed the following three types of criminal activities.

• First, there are hacks targeting cryptocurrency exchanges. By tracing the flow of stolen funds from the point of crime to their exit point, Chainalysis analysis reveals signature patterns in trading activity that are most helpful in identifying and recovering compromised assets in the months following a hack.

• Then, as law enforcement took aggressive action against darknet markets, Chainalysis saw their surprising resilience, exploring in a report on the darknet’s “whack-a-mole” problem how when major darknet markets shut down, trading activity briefly subsided and then quickly shifted to new platforms.

• Chainalysis also looked at the changing trends in Ethereum scams, with last year’s phishing scams losing their effectiveness and more sophisticated Ponzi schemes and ICO scams emerging and reaping huge profits.

• Finally, Chainalysis discussed the role of cryptocurrencies in the money laundering scenario and highlighted the importance of different types of services used to integrate illicit cryptocurrencies into the “clean” economy.

It also looks forward to the trends and developments of crypto crimes in 2019, and proposes countermeasures. Blockchain Base Camp has translated and sorted the report without changing its meaning, and shared it with you.

Key Takeaways

The types of crime in the cryptocurrency ecosystem are incredibly numerous and changing rapidly, with different types of illegal activity taking root in different cryptocurrencies. The most important trends of 2018 are as follows.

1. Decoding hackers reveals two prominent organizations and their money laundering strategies

Hacking against exchanges is undoubtedly the most cost-effective crypto crime, generating about $1 billion in illicit revenue in 2018 alone. Chainalysis tracked two hacker groups responsible for most of the stolen funds, who acted quickly, cashing out most of the funds within three months of the attack and creating complex trading patterns to hide their activities. Chainalysis believes that since exchanges are often the main cash-out points, exchanges can reduce the success of these sophisticated hacker attacks by strengthening coordination.

2. Darknet markets show resilience

Following a massive shutdown in 2017, darknet market activity nearly doubled in 2018, with transactions exceeding $600 million, despite falling cryptocurrency prices.

Criminal organizations value the confidentiality and convenience of darknet markets and are not driven by price speculation. Efforts to shut down darknet markets have been somewhat successful in curbing growth, but much of the demand has simply been shifted to other markets. In addition, sellers and buyers are developing new technologies to communicate using distributed technology and encrypted messaging apps such as Telegram and WhatsApp.

3. Ethereum scams are small but growing fast

While the absolute amount of revenue earned by Ethereum scammers nearly doubled between 2017 and 2018, this figure is still less than 0.01% of the value of all Ether. In addition, many attacks are not as effective as they once were, as the hype has cooled and the number of informed users has increased. After peaking in early 2018, the number of victims and the total revenue sent to Ethereum phishing scams are falling rapidly. In particular, the success of phishing scams is cyclical and changes with price. Therefore, users should be aware of more complex Ponzi schemes and ICO frauds when prices are low, and prepare for phishing attacks when prices rise.

If you feel that the above content is not exciting enough, next is a detailed interpretation and analysis with both pictures and texts!

Decoding the hack: Tracking the $1 billion hacker fund

Tracking the Funds of Two Well-Known Hacker Groups

Hackers steal money by gaining access to a person or group's computer systems for malicious purposes, such as by sending phishing emails to gain access to the victim's phone and personal credentials.

Hackers target cryptocurrency organizations such as exchanges to conduct large-scale thefts, often stealing tens or even hundreds of millions of dollars directly from exchanges. Hacking dwarfs all other forms of crypto crime, and research shows that it is led by two well-known professional hacking groups. To date, these two groups have stolen a total of approximately $1 billion, accounting for at least 60% of all publicly reported hacks. Given the potential rewards, there is no doubt that hacking will occur frequently, and it is the most profitable of all crypto crimes.

While several investigations have attempted to quantify the scale of the hacking activity, no one has yet been able to uncover the true face of the hackers and figure out how they make their money.

Chainalysis seeks to “decode” hacking behavior, meaning understanding how and when hackers move illicit assets after the initial crime and how long it takes them to cash out through exchanges.

Understanding how hacked funds move through the cryptocurrency ecosystem is the first step to figuring out how hacks work, and is also the first step to identifying hackers and recovering hacked assets.

How hacker funds flow through the cryptocurrency ecosystem

Hackers from these two well-known hacker groups stole an average of $90 million each time.

Hackers typically move stolen funds through a complex series of wallets and exchanges in an attempt to conceal their criminal origins. On average, hackers move funds at least 5,000 times.

Hackers typically don’t move funds for 40 days or more until attention about the theft wanes, and once they feel safe they move quickly. At least 50% of hacked funds are cashed out through some kind of conversion service within 112 days, and 75% of hacked funds are cashed out within 168 days.

The two hacker groups had the same goal, to evade behavioral detection between attacks and exits, but their methods were different.

For example, Chainalysis suspects that one of the most prominent hacker groups, which it calls "group Alpha," is a large, tightly controlled group that is partly driven by non-monetary goals. They seem eager to create chaos as much as to maximize profits. "Group Alpha" appears to be much more sophisticated, and they are skilled at moving funds around to avoid detection.

In contrast, the second hacker group, "group Beta," appears to be a smaller, absolutely money-focused group. They don't seem to care too much about evading detection, only about finding a clear path to convert illicit assets into clean cash.

By studying these exit strategies, analysts may eventually be able to identify "fingerprint" patterns that help catch hackers, although this ability is still in its infancy.

Transaction analysis shows that "group Alpha" is extremely good at transferring funds. After stealing the funds, they will immediately start to shuffle them quickly. The average number of transfers is very high. In the tracked hacker attacks, the maximum number of transfers can reach 15,000 times, and the movement speed is relatively fast. Up to 75% of the stolen assets can be converted into cash within 30 days.

"Group Beta" tends to bide its time but does a far less good job of hiding the origin of its assets. This group steals funds and then sits on them for 6 to 18 months before cashing out. When they feel they can cash out, they quickly go to an exchange and cash out more than 50% of their funds within a few days, cashing out $32 million at a time.

Working together to control damage

To date, exchanges and law enforcement have had limited ability to track hacked funds. Additionally, exchanges regularly process stolen funds, which hackers can convert into traditional currency or other cryptocurrencies. Unless you are the exchange that was hacked, the funds will look like they came from the legitimate owner; without specialized investigative software, it can be difficult to tell which funds were stolen and which were not.

Actual knowledge of how hackers move funds can help legitimate actors identify unusual spikes in transactions that could be linked to criminal activity. Exchange collaboration can also go a long way in combating crime in this ecosystem. Neutral intermediaries between exchanges can play an important role in this regard. For example, one exchange was recently hacked, and our analysis showed that the stolen funds had been moved to another exchange. We worked to verify that the deposits to the second exchange came from the hack of the first exchange, enabling them to engage with law enforcement.

Hacking is on the rise, in part because it works. It is difficult to defend against given the size of the adversary. As a result, exchanges and the cryptocurrency ecosystem are at greater risk. However, cracking hacks is the first step to stopping them, and tracking and recovering funds through mutual cooperation may be the best defense.

Decoding darknet markets: Understanding their resilience

Playing whack-a-mole with dark web markets

Despite ongoing efforts by law enforcement to crack down on illegal activity, dark web market activity has been remarkably resilient over the past few years.

When one darknet market shuts down, others pop up to take its place. Price changes also have limited impact on darknet market participants, who use cryptocurrencies to buy illegal goods rather than speculate.

As shown in the chart below, darknet market volume peaked in 2017 at over $700 million. After the closure of AlphaBay and Hansa in mid-2017, darknet market activity dropped by 60%, but the slowdown was short-lived.

Today, there is a resurgence of activity flowing to “darknet” markets, with an average daily value of around $2 million in Bitcoin alone. Much of AlphaBay’s activity appears to have been redirected to Hydra, a Russian darknet market, which has traded over $780 million in Bitcoin to date, 14% more than AlphaBay’s $690 million. AlphaBay’s shutdown could double Hydra’s traffic.

This is a common problem with darknet market activity: shutting down a darknet market often just causes people to use other platforms.

Price changes will not affect dark web traffic

Darknet market activity is relatively price inelastic; that is, this type of activity does not decrease when cryptocurrency prices fall. In fact, during 2018, when Bitcoin transaction volume fell 78%, dark market activity nearly doubled.

However, the flow of money into darknet markets is very time sensitive. We see more Bitcoin flowing into darknet markets on Fridays and Saturdays, with a spike in cash flow on Mondays, a pattern that fits what we know about drug trafficking. Over the weekend, when people have the time and privacy to browse, they buy drugs, and then dealers convert the cryptocurrency into cash on Monday.

Despite law enforcement’s best efforts, darknet markets continue to change and thrive

Law enforcement has been working to stop illegal activity on the black market, with some notable successes, such as the shutdown of AlphaBay. However, overall, darknet markets will continue to thrive as participants move their operations to other platforms.

For example, the shutdown of AlphaBay and Hansa caused a significant drop in darknet market activity in late 2017, which lasted until February 2018, when market activity began to pick up again. Since then, transaction volume has been steadily increasing. So, while overall darknet market activity in 2018 was lower than in 2017, transaction volume has been steadily increasing month by month for most of the year.

In fact, as law enforcement has gotten better at shutting down centralized darknet markets, a new model of distributed darknet market activity has emerged, with criminals increasingly turning to encrypted messaging apps including Telegram and WhatsApp to conduct illegal transactions. When trading activities are conducted through these apps, trading activities are decentralized and person-to-person; the probability of shutting down the entire network by shutting down one website is small. However, to conduct transactions through decentralized applications, trust in the end user is required. In this decentralized system, darknet market participants bear an additional layer of transaction risk.

Regardless of cryptocurrency prices or the platforms chosen, darknet markets will continue to thrive. Buying and selling illegal goods through cryptocurrency is similar in many ways to traditional illegal markets. Understanding the patterns of buyers and sellers in darknet markets is critical for law enforcement to develop effective strategies to combat this type of illegal activity.

Decoding the Ethereum scam: Small but growing fast

Fewer scams, more revenue: The face of Ethereum crime has radically changed

In 2018, only 0.01% of all ether was stolen in crypto scams, worth about $36 million, more than double the amount in 2017. The number of scams has declined so far in 2018. But the remaining number is still large, more sophisticated, and more profitable.

Why Should You Care About Ethereum Scams?

Ethereum has long been known as the cryptocurrency of choice for scams for a variety of reasons. The Ethereum smart contract platform created a new model for decentralized investing through ICOs. People gradually got used to the crypto hype of late 2017 and sold their ether to get huge returns from these ICOs. Fraudsters took advantage of this new willingness and people’s fear of missing out to create phishing scams that included fake investment pages, where victims would often enter their personal information.

These types of scams are not inherent to the functionality of Ethereum smart contracts, but since 82% of ICOs are built on the Ethereum blockchain, it has quickly become a scammer’s choice. In addition to phishing scams, numerous other types of scams, including ICO fraud, are hidden in many real ICOs as well as Ponzi schemes.

Types of Ethereum scams

In general, Ethereum scams come in three main forms:

• Phishing scam: This is the most common type of Ethereum scam. Simply put, it pretends that your account has been stolen, and then sends you a phishing message to trick you into giving away your Ethereum wallet password or directly ask you to transfer money.

• ICO scam: Fraudsters set up fake companies or foundations, claiming to launch services or products that appear to have great potential, and then use ERC20 to issue unregulated tokens to raise funds. After the ICO is completed, they deliberately cash out the proceeds and disappear, leaving investors with nothing.

• Ponzi schemes: Most often combined with ICOs, they use unreasonably high returns to attract initial investment, and the returns are paid from new investment funds to attract more investors until the scammers shut down the scam and abscond with the money. Many related scams in Taiwan belong to this type.

Of course, the rapid rise of the latter two can be attributed to the ICO investment trend in the second half of 2017.

The rise and fall of fraud

From the end of 2016 to the end of 2018, Chainalysis detected more than 2,000 fraudulent accounts on Ethereum, which have defrauded funds from nearly 40,000 independent Ethereum users, and nearly 75% of them were defrauded in 2018.

But this activity has changed dramatically over the course of the year. The first quarter of this year saw a surge in fraud activity, largely related to the market hype in late 2017. In fact, as the next chart shows, nearly 45% of the fraud value occurred in the first quarter of 2018.

Know the types of scams

While phishing, Ponzi schemes, and ICO scams are the most common types of crypto crime, there are other types of fraud on Ethereum, and the frequency and success of these scams have changed over time.

There were two shifts in fraud activity in 2018. First, after the success of phishing scams in 2017, more criminals jumped on the bandwagon. They flooded the market with phishing attacks, but few users took the bait.

As a result, phishing scams are far less effective than in previous years. In 2018, the median amount sent to fraudsters was about $94, significantly lower than the median of $144 in 2017. Additionally, the median total earnings of fraudsters in 2017 were over $6,500, compared to $2,440 in 2018.

In 2017, only 49 scams made less than $100, while in 2018 that number jumped to 181, with 65 of those making less than $10. However, while most Ethereum scams are low-profit, a few exceptions have brought in millions of dollars.

A small group of creative fraudsters executed more sophisticated Ponzi schemes and ICO exit scams that generated millions of dollars in revenue. These more complex schemes dominated the second half of the year.

Protect against evolving threats

The good news is that despite Ethereum’s reputation for scams, the number of thefts is a tiny fraction of the total. In addition, after the first quarter, as prices fell, fraud decreased. In 2018, the simplest scams, such as phishing emails, were far less effective than in previous years.

However, on the negative side, criminals responded by getting creative and developing large, innovative, and complex scams that reaped huge rewards. User losses in 2018 were twice as high as in 2017 due to these mega scams.

What to do? As market conditions change, users need to protect themselves from different types of fraud, beware of Ponzi schemes when prices are low, and beware of phishing scams when prices rise. In-depth data analysis can decode these changing threats and equip users with the skills to protect themselves.

How do they launder money?

The criminal activities analyzed in this report generate billions of dollars in proceeds that need to be laundered. Money laundering is difficult to quantify, whether in traditional or cryptocurrencies. This is because successful money laundering is largely invisible; the key is to make criminal proceeds look like legitimate funds.

In traditional currencies, analysts can only estimate money laundering activity by tracing back successful prosecutions and assuming how much activity was uncovered in total.

While the transparency and integrity of cryptocurrency transaction data show promise in tracking money laundering activities, the evaluation of cryptocurrency transaction data is also difficult.

As with traditional currencies, there are three distinct stages in money laundering with cryptocurrencies:

A successful money laundering scheme therefore involves “placing” criminal funds into the financial system, moving or “layering” them to avoid detection, and then “integrating” those funds into the real economy, usually through businesses, to make them appear to be legitimate profits.

There are two types of software needed to help quantify cryptocurrency money laundering.

First, the survey software allows us to estimate the flow of funds from illegal entities to trading services that can be integrated into the wider economy. Most of the illegal funds actually flow through exchanges (65%) or p2p exchanges (12%), while the rest flow through other conversion services such as mixing services, Bitcoin ATMs and gambling websites.

Of course, this analysis only captures part of the problem. A large amount of criminal activity originates from blockchain, such as drug cartels using cryptocurrencies to make cross-border payments. To investigate this form of money laundering, a second essential type of software is needed: anomaly detection software. This software will flag unusual activity similar to "layering", such as spikes in the frequency and size of transactions.

The role of cryptocurrency in money laundering will continue to evolve as the legal and regulatory environment changes. However, the greater traceability of cryptocurrency, coupled with the increasing KYC requirements in the cryptocurrency ecosystem, means this is not a game-changing new method of laundering money for large criminal organizations. Nonetheless, the use of cryptocurrency by smaller players such as local drug dealers remains a concern for law enforcement, who will continue to prosecute these crimes.

Looking ahead to 2019

The price bubble of late 2017 and early 2018 has ended, and with it came many scams that took advantage of the investment hype, such as phishing scams and ICO fraud. Because law enforcement takes time, we will continue to see prosecutions for these types of crimes. However, we believe that illegal activity in 2019 will shift from hype-driven investment fraud to the following emerging trends:

A new era of decentralized crime

We believe that 2019 will be the year of decentralized crime, where criminal activity will shift to new decentralized platforms. This is a major concern for law enforcement. Criminal organizations will shift from darknet markets to decentralized applications including Telegram, Signal, and WhatsApp. For example, Telegram may attract criminals because it offers semi-direct connections and automated chatbots. Some of these decentralized applications have already provided channels for drug dealers and child pornographers.

Traditional criminals add cryptocurrency to their toolbox

Cryptocurrency crime is evolving into traditional crime, and we think this trend will continue in 2019. Many traditional criminal organizations are already using virtual currencies, not limited to Bitcoin, to support their operations. Criminal organizations are bringing in virtual currency experts to advise them on combining cryptocurrencies with fraud, money laundering, and illegal gambling operations. Cartels and other criminal groups are taking over exchanges and Bitcoin miners as sources of clean money. These organizations are exploring traditional cryptocurrency scams and inventing new ones, and they are posing an increasing challenge to law enforcement.

Give sanctions in return

Finally, we believe that 2019 will force a reckoning with the role that cryptocurrencies play in evading sanctions. Governments will seek to limit the ability of rogue nations, state-sponsored hacker groups, and sanctions officials to move funds through cryptocurrencies.

Against this backdrop, cryptocurrency networks will continue to grow and develop. They will likely be more strictly regulated than they are today, providing more safeguards to attract law-abiding investors. Criminals will continue to push the envelope, from street crime to cybercrime, in search of applications for cryptocurrencies. Participants in the cryptocurrency market will need cutting-edge technology and investigative analysis to fight back.

What Institutional Actors Can Do About Crypto Crime

Crypto crime accounts for only a small portion of trading activity, but it has given the cryptocurrency ecosystem a bad name. Here are some ways institutional players, including businesses, regulators, and law enforcement, can improve the system to make it work for everyone.

Enable Know Your Transaction (KYT) capabilities to identify illegal activity

In the traditional financial system, Know Your Customer (KYC) is the foundation of compliance. It is also becoming the standard in the cryptocurrency ecosystem. We see an opportunity to go beyond this — Know Your Transaction (KYT).

KYT means that cryptocurrency businesses and financial institutions can be informed of illegal activity so they can avoid getting involved in transactions that could harm them or their customers. Automated cryptocurrency transaction monitoring is key to identifying patterns that point to trouble spots and empowering market participants to take action.

Understand the differences between different types of crime

Crypto crime trends are constantly changing, and compliance strategies should be too. For example, a compliance manager at a cryptocurrency payment processor who knows that darknet market activity increases on Mondays, when drug dealers convert weekend earnings into cash, can adjust their transaction monitoring systems to account for this at the start of the week.

Compliance officers at cryptocurrency exchanges know that it can take 45 days or more for hackers to cash out stolen funds, and they can be alert to large, suspicious bursts of transactions that could be linked to hackers. Trusted experts in the market can help decode illegal activity so companies and exchanges can shape their compliance programs accordingly.

Working with communities to dismantle major criminal organizations

Illegal activity in the cryptocurrency ecosystem is not as prevalent as many people think, but unfortunately, a few bad actors have given the space a bad name. Through information sharing and collaboration, businesses and financial institutions can make it more difficult for criminal organizations to operate.

Law enforcement, exchanges, and merchant services are in a unique position to work together to identify criminals as they steal funds and move them around. When necessary, companies like Chainalysis can act as a middleman, connecting market participants in a secure, neutral way so they can share insights that benefit all. By enabling rapid communication between exchanges and other institutions when funds are stolen, cryptocurrency businesses can protect themselves and their customers. This ultimately makes the entire ecosystem more approachable and safer for all.