
Crypto Theft Rose in 2022 as Scams, Ransomware Bounty Fell: Chainalysis

2022 became a year of crypto thefts, but illicit transactions still account only for a meager share of all crypto activity, Chainalysis says.

Updated Mar 8, 2024, 4:50 p.m. Published Feb 17, 2023, 3:54 a.m.
(Getty Images)

The volume of crime-related transactions rose for the second consecutive year, hitting an all-time high of $20.6 billion, blockchain analytics firm Chainalysis says in its new "Crypto Crime Report." But that is a small share of the crypto market's total volume: less than 1%.

Thieves, hackers, exploiters

2022 became the biggest year for crypto thieves. According to Chainalysis, about $3.8 billion, more than in any other year, was stolen from various services and protocols, $775.7 million of which was stolen in October alone. At the same time, total revenue of scammers and ransomware hackers declined, the report says.


82.1% of all the stolen funds were taken from decentralized finance (DeFi) protocols, especially cross-chain bridges – protocols allowing users to trade assets between two different blockchains. “Bridges are an attractive target for hackers because the smart contracts in effect become huge, centralized repositories of funds backing the assets that have been bridged to the new chain – a more desirable honeypot could scarcely be imagined,” the report reads.

A growing trend in DeFi hacks is oracle manipulation, when an attacker compromises the mechanisms by which a decentralized protocol gets a price for traded assets, and creates favorable conditions for fast and super-profitable trades, Chainalysis says. According to the report, in 2022, DeFi protocols lost $386.2 million in 41 separate oracle manipulation attacks.

One example of this is the Mango Markets exploit, for which the alleged attacker, Avraham Eisenberg, was arrested and is now facing commodity manipulation charges in U.S. court.

North Korean hackers from the Lazarus group broke their own record in 2022: $1.7 billion stolen from several victims. Most of that money was sent to decentralized exchanges and several mixers: Tornado Cash, Blender.io and, after the shutdown of Blender, to Sinbad. Sinbad may have been launched by the same team that ran Blender, blockchain intel firm Elliptic said earlier.


The weight of sanctions

There might be one big skewing factor to the overall illicit transactions statistics: 43% of all 2022’s illicit transaction volume came from activity associated with sanctioned entities, Chainalysis said.

A big part of these illicit money flows are funds received by sanctioned entity Garantex, which is likely just “Russian users using a Russian exchange,” Chainalysis said, but most compliance professionals treat these transactions as illicit activity anyway, it adds.

In 2022, the U.S. sanctioned Russian darknet marketplace Hydra, exchange Garantex, and crypto mixers Blender.io and Tornado Cash. Not all the money these sanctioned services processed was of criminal origin: Only 6.1% of the funds Garantex received came from illicit sources (still 20 times more than centralized exchanges on average); for Tornado Cash, the number is 34%, according to Chainalysis.

Sanctions seriously curbed the flow of funds into Tornado Cash, but Garantex remained as active as ever, and saw even more incoming funds from known scams and darknet shops, Chainalysis said.

Sanctions also seem to reduce the popularity of mixers: In 2022, $7.8 billion in crypto passed through mixers, compared to $11.5 billion in 2021. The U.S. Office of Foreign Assets Control (OFAC) sanctioned mixers Tornado Cash and Blender.io last year because both services had been actively used by the North Korean hacker group Lazarus.

Money laundering trends

Crypto infrastructure remains open to ransomware hackers because they most often send extorted money to centralized crypto exchanges, Chainalysis said. The centralized exchanges, despite the intensified attention of law enforcement agencies around the world over the past few years, remain the major receivers of criminal funds, Chainalysis said.


However, hackers that steal crypto from exchanges and other entities prefer DeFi platforms for money laundering, especially when the DeFi protocols themselves are victims, the report says. “In DeFi hacks, attackers often end up with tokens that aren’t listed on other exchanges, so they need to use decentralized exchanges (DEX) to swap them for more liquid crypto assets,” according to Chainalysis.

Other cybercriminals usually use darknet platforms, mixers and centralized exchanges with weak KYC (Know Your Customer) protections, like Bitzlato, whose founder and other staff members were arrested in January.

Police double-spends

The report looks into the particular case of one ransomware strain, Deadbolt, which was active in 2022. Unlike the most infamous ransomware groups such as Conti, which attack large organizations for big ransoms, Deadbolt operators chose to target small businesses and individuals. In 2022 it received over $2.3 million from around 4,923 victims, who paid about $476 each, on average.

A twist here is the way this group sent decryption keys to victims who paid the ransom: Once a victim sent a bitcoin transaction to Deadbolt’s address, another transaction would get triggered automatically, sending back a meager amount of bitcoin (around $1) with the decryption key written into the OP_RETURN field of the transaction data.

This mechanism helped the Dutch Royal Police, which investigated the group, to get decryption keys for a dozen victims without them having to part with their money. The police sent payout transactions to the hackers, but as soon as they received the key they reverted the payouts using the replace-by-fee mechanism.

Replace-by-fee allows an already broadcast but still unconfirmed Bitcoin transaction to be replaced with a new one paying a higher fee, so miners include the more profitable transaction in the blockchain and the first one becomes invalid because the bitcoin has already been spent.
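The two mechanisms described above can be inspected from raw transaction fields. The following is an added example, not code from the Chainalysis report or this article: it extracts the data pushes from an OP_RETURN output script and checks whether a transaction's inputs signal replace-by-fee under BIP125. The function names and the sample script are constructed for illustration.

```python
# Added example: constructed data, not taken from any real transaction.
OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2 = 0x6A, 0x4C, 0x4D
BIP125_MAX_SIGNALING_SEQUENCE = 0xFFFFFFFD  # nSequence below 0xfffffffe signals RBF


def op_return_pushes(script_hex):
    """Return the data pushes of an OP_RETURN output script as a list of bytes,
    or None if the script is not OP_RETURN or is malformed."""
    try:
        script = bytes.fromhex(script_hex)
    except ValueError:
        return None
    if not script or script[0] != OP_RETURN:
        return None
    pushes, i = [], 1
    while i < len(script):
        op = script[i]
        i += 1
        if op <= 0x4B:  # direct push: the opcode is the length
            size = op
        elif op == OP_PUSHDATA1 and i < len(script):
            size = script[i]
            i += 1
        elif op == OP_PUSHDATA2 and i + 2 <= len(script):
            size = int.from_bytes(script[i:i + 2], "little")
            i += 2
        else:
            return None  # non-push opcode or truncated length field
        if i + size > len(script):
            return None  # push runs past the end of the script
        pushes.append(script[i:i + size])
        i += size
    return pushes


def signals_rbf(input_sequences):
    """BIP125: a transaction opts in to replacement if any input signals it."""
    return any(seq <= BIP125_MAX_SIGNALING_SEQUENCE for seq in input_sequences)


# Constructed sample: OP_RETURN followed by one 16-byte push (placeholder bytes).
SAMPLE_KEY = bytes(range(16))
SAMPLE_SCRIPT = "6a10" + SAMPLE_KEY.hex()

if __name__ == "__main__":
    print(op_return_pushes(SAMPLE_SCRIPT)[0].hex())
    print(signals_rbf([0xFFFFFFFD]), signals_rbf([0xFFFFFFFF, 0xFFFFFFFE]))
```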
