Cybercriminals Dive Into Cryptomining Pools to Launder Funds
Ransomware Attackers Sent $10M to Mining Services in Q1 2023, Up From $10K in 2018
Ransomware actors are turning the process that verifies crypto transactions - mining - to their advantage. A growing number of criminals launder ill-gotten gains by re-minting the digital money through mining, which sanitizes the funds and bypasses the controls imposed by more highly regulated financial institutions.
Cryptocurrency mining is the process of solving complex puzzles to bring more coins into circulation, and it is vital for the functioning of the industry. But it also gives criminals the means to acquire money with a clean original source, which makes it a service of choice for heavily sanctioned nation-states such as Iran and North Korea.
The selling point for illicit actors is that law enforcement and private security companies cannot trace crypto through services such as mining pools.
An increasing number of hackers have used this service in the past few years, and the cumulative value of funds sent from ransomware addresses to mining services skyrocketed from less than $10,000 in the first quarter of 2018 to more than $10 million in Q1 2023, said Chainalysis, which analyzed suspicious deposits over the past five years.
Deposits with ransomware addresses received $158.3 million in cryptocurrency from January 2018 until nearly the end of the second quarter of 2023. That figure, Chainalysis said, is "likely an underestimation," and it added that mining pools play a "key role" in the ransomware laundering ecosystem.
Cryptocurrency is a tool of choice for ransomware actors and other cybercriminals due to its Wild West nature. Illicit use of the digital currency hit a record $20.1 billion in 2022, despite a price slump during the period. But converting the ill-gotten digital currency to usable fiat money has historically been a pain point because it is easy to trace most currencies through blockchains.
A "highly active" crypto wallet in an undisclosed mainstream exchange, for instance, routinely receives "substantial funds from both mining pools and wallets associated with ransomware," the report says. Of the $94.2 million deposited in this address, $19.1 million is from addresses related to ransomware actors and $14.1 million is from mining pools.
Ransomware actors also use separate addresses, called intermediary wallets, to send money to mining pools to further obfuscate the flow of funds. "In this scenario, the mining pool acts similarly to a mixer in that it obfuscates the origin of funds and creates the illusion that the funds are proceeds from mining rather than from ransomware," the report said.
The report says exchanges that hold deposit wallets for mining pool funds generally receive significant inflow from ransomware wallets. These exchanges likely don't curb this activity, as "ransomware actors are trying to pass off their own funds as mining proceeds, even though they're not first moving the funds through a mining pool."
In the 2019 BitClub Network case, hackers moved millions of dollars' worth of bitcoin to Russia-based money laundering services. For years after that, those money laundering wallets moved bitcoin to deposit addresses at two mainstream exchanges - the same ones used by a Russia-based bitcoin mining operation to move millions of dollars.
One of those wallets also received funds from BTC-e, a Russian exchange that laundered cybercrime funds, including those from the Mt. Gox hack.
The money launderers likely mingled funds from BTC-e and BitClub with those gained from mining to make it appear as if the funds had come from a legitimate source such as mining, the report says. Crypto scammers and money launderers working on behalf of these two platforms also used mining pools to launder funds, they said.
Mining pools and hashing services must screen wallets with Know Your Customer and blockchain analytics to check the origin of the funds coming into their wallets so they can reject funds from illicit addresses.
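The screening step described above, as an added illustration that is not part of the report or any analytics vendor's product: a reverse walk over a constructed transaction graph that measures how many hops separate an incoming deposit address from a known ransomware address, so that funds routed through the intermediary wallets the report describes are still caught. The ledger, address labels and illicit-address list are all made up for this example; a real deployment would take its labels from KYC records and a blockchain analytics provider.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (sender, receiver, amount). The address names are
# made-up labels for this example, not real on-chain identifiers.
TRANSFERS = [
    ("victim_payment",  "ransom_wallet_a", 50.0),
    ("ransom_wallet_a", "intermediary_1",  40.0),   # first intermediary hop
    ("intermediary_1",  "intermediary_2",  39.5),   # second intermediary hop
    ("intermediary_2",  "pool_deposit_x",  39.0),   # pool deposit fed by ransomware
    ("honest_miner",    "pool_deposit_y",   5.0),   # clean pool deposit
    ("pool_payout",     "exchange_dep_1",  20.0),   # genuine mining proceeds
    ("ransom_wallet_a", "exchange_dep_1",  10.0),   # same address also takes ransom funds
]
# Addresses tagged as ransomware-linked (constructed; in practice supplied by
# an analytics provider's labels).
KNOWN_ILLICIT = {"ransom_wallet_a"}

def build_senders(transfers):
    """Map each receiving address to the set of addresses that paid into it."""
    senders = defaultdict(set)
    for src, dst, _amount in transfers:
        senders[dst].add(src)
    return senders

def hops_to_illicit(senders, address, illicit, max_hops=4):
    """Breadth-first walk backwards through senders. Returns the fewest hops from
    `address` to a known-illicit address, or None if none lies within max_hops."""
    seen = {address}
    queue = deque([(address, 0)])
    while queue:
        node, depth = queue.popleft()
        if node in illicit:
            return depth
        if depth == max_hops:      # do not expand beyond the configured depth
            continue
        for prev in senders.get(node, ()):
            if prev not in seen:
                seen.add(prev)
                queue.append((prev, depth + 1))
    return None

def screen(transfers, address, illicit=KNOWN_ILLICIT, max_hops=4):
    """Verdict for funds arriving at `address`: ("reject", hops) when a known
    illicit address sits within max_hops upstream, otherwise ("accept", None)."""
    hops = hops_to_illicit(build_senders(transfers), address, illicit, max_hops)
    return ("accept", None) if hops is None else ("reject", hops)
```

The depth limit is the practical caveat: with max_hops=2 the deposit behind two intermediary wallets passes as clean, so the hop budget has to be set with the report's layering pattern in mind.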