A report published by Chainalysis on Wednesday details crypto-related criminal activity in Eastern Europe, which is broadly believed to be the home base for many infamous hacker groups and the drug marketplace Hydra, which Chainalysis has said is the world’s biggest.

“In terms of raw value, Eastern Europe has sent the second most cryptocurrency of any region to illicit addresses, behind only Western Europe,” the report reads.

In total, addresses associated with Eastern Europe received about $1.15 billion of illicit funds from July 2020 to June 2021, according to Chainalysis.

Hydra, in particular, is one of the reasons Eastern Europe sends more cryptocurrency to darknet markets than any other region in the world, the report said. The Russian-speaking darknet marketplace for drugs and illegal goods is believed to be a big driver of criminal crypto liquidity into Russia, earning up to 75% of the global darknet revenue, as Chainalysis said in an earlier report.

However, the biggest share of funds Eastern Europeans are sending to illicit addresses goes to scams, Chainalysis said.

“Between June 2020 and July 2021, Eastern Europe-based addresses sent $815 million to scams, second only to Western Europe,” the report reads. Most of the web traffic to known scam websites also comes from Eastern Europe, especially Ukraine, Chainalysis said.

The region also received “roughly $950 million worth of cryptocurrency from scam addresses,” which makes Eastern Europe the second-largest recipient of scam funds in the world, after Western Europe, Chainalysis said. This monthly number has been rising since March 2021, the firm added.

The most prolific case in the region turns out to be Finiko, an alleged Ponzi scheme whose founders are under criminal investigation in Russia. As CoinDesk reported, Russian police received reports from Finiko users, who claimed to have lost about $1 million in total. However, an anonymous source at Russia’s central bank told business publication The Bell the losses might have amounted to almost $95 million.

Chainalysis’ estimate is even more striking: The crypto sleuthing firm identified over $1.5 billion worth of bitcoin received by Finiko’s addresses in over 800,000 separate deposits, the report said.

“While it’s unclear how many individual victims were responsible for those deposits or how much of that $1.5 billion was paid out to investors to keep the Ponzi scheme going, it’s clear Finiko represents a massive fraud perpetrated against Eastern European cryptocurrency users, predominantly in Russia and Ukraine,” Chainalysis wrote.

Ransomware geography

Ransomware addresses believed to belong to Eastern European hackers received $46 million over the past year, “behind only Western Europe at $51 million.” Here, researcher’s task gets trickier because it’s hard to precisely locate any crypto address on the globe.

As Chainalysis said, the main assumption is the most notorious hacker groups are presumably associated with Russia, such as the Evil Corp, “whose leadership reportedly has ties to the Russian government,” the report said. Also, most ransomware strains affiliated with Russia and the neighboring countries have parts of code that prevents them from attacking the computers located in those countries.

“Our geographic attribution is based on web traffic to cryptocurrency services, so in cases where two regions use many of the same services, it’s more difficult to attribute transaction volume to the correct service,” Chainalysis wrote.

“Western Europe has high service overlap with more regions than any other, displaying particularly strong relationships with Eastern Europe, North America and Central and Southern Asia,” said Kim Grauer, Chainalysis’ head of research.

“We believe that for some regions like North America, this dynamic reflects a convergence of institutional investors and professional traders on a handful of platforms. On the other hand, for regions like Eastern Europe and Central and Southern Asia, we believe the service overlap in those cases is also driven by remittance payments being sent from Western Europe, as this would mirror remittance activity we see in the fiat world,” Grauer added.