Being at the forefront of helping businesses and agencies detect crypto crime, Elliptic routinely researches new trends in how criminals are using crypto for illicit activities.
The aim is that, where detected early, prevention measures against these trends will have a better chance of success. Since 2013, we have traced the gravitation of crypto crime from traditional cryptoassets such as Bitcoin to decentralized finance, and from non-fungible tokens (NFT) to metaverse gaming.
When asking “what’s next”, we routinely run into the same pattern of criminal activity: as one means of crime is prevented through an enforcement action, criminals gravitate to the next best alternative way of committing said crime where there is no such measure designed to stop them.
This pattern is called “crime displacement”, and its existence in the cryptoasset ecosystem is evident throughout recent sanctions and seizures levied against illicit crypto entities.
As much as the phenomenon exists in physical crimes, it is even easier in digital borderless settings (see FATF Updates Guidance on Virtual Crypto Assets).
How crypto crime displacement works?
Take, for example, the Lazarus Group – North Korea’s state-backed cyberhacking organization that was recently confirmed as responsible for stealing almost $240 million in cryptoassets from four crypto entities, and suspected of carrying out a fifth attack against CoinEx.
Previously, the organization used a number of crypto services, such as decentralized mixer Tornado Cash and the Ethereum-Bitcoin bridge RenBridge, to launder the proceeds of their crypto heists.
The chart below shows the comparative value of illicit cryptoassets laundered through mixers versus cross-chain bridges over time. It underscores how crypto crime has gravitated towards cross-chain options in recent months.
At the height of its activities, Elliptic published analysis into RenBridge, linking it to the laundering of over $500 million worth of illicit cryptoassets.
By the end of 2022, however, neither Tornado Cash or RenBridge were functioning as normal.
Tornado Cash was subject to US sanctions in August 2022, massively reducing the crucial liquidity it needed to effectively launder large amounts of funds.
RenBridge, meanwhile, ceased to operate after Alameda Research – its main financial backer – collapsed in the high-profile FTX debacle in November 2022.
Lacking the liquidity of Tornado Cash, the move proved fruitless – effectively leaving the organization right back where it started. This represents the success of identifying potential crime displacement opportunities early on.
Cross-chain crime
As with the Lazarus Group, illicit actors engaging in all forms of criminality have been affected by the demise of Tornado Cash and other anonymity enhancing services, such as Blender:io and ChipMixer.
Cross-chain crime – otherwise known as “chain-” or “asset-hopping” – refers to the rapid and anonymous swapping of cryptoassets either between or across blockchains to different cryptoassets.
It often occurs using services such as decentralized exchanges (DEXs), cross-chain bridges or coin swap services.
A cross-chain bridge is a DeFi protocol that can swap a user’s assets – without know-your-customer (KYC) requirements – across blockchains, making them more difficult to trace. This string of transactions – which is one of many combinations they used – has no legitimate business purpose apart from to obfuscate the transaction trail.
Significant monthly shifts demonstrate crime displacement in action. The sudden drop of mixer use in August 2022 corresponds to the sanctioning of Tornado Cash.
The brief recovery of mixers until the end of the year corresponds to the shutting down of RenBridge, and the second drop of mixer use in March 2023 corresponds to the seizure of ChipMixer by EUROPOL.
Why are criminals displacing to cross-chain methods?
There are a number of reasons why cross-chain crime is benefitting to a worrying extent from crime displacement.
- First, proceeds of crypto crime are increasingly being generated in lesser-known cryptoassets, such as DeFi protocol-specific tokens that are only exchangeable through cross-chain or cross-asset services.
- Second, most of these services – be it DEXs, cross-chain bridges or coin swap services – do not require identity verification to use.
- Finally and perhaps most importantly, criminals are aware that legacy blockchain analytics solutions do not have the means to trace illicit blockchain activity across blockchains or tokens in a programmatic or scalable manner.
Many of these solutions are designed with traditional crypto crime in mind, which typically involve a single asset, such as Bitcoin or Ether.
………………………….
AUTHOR: Ecliptic analytics
