Being at the forefront of helping businesses and agencies detect crypto crime, Elliptic routinely researches new trends in how criminals are using crypto for illicit activities.
The aim is that prevention measures against these trends have a better chance of success when the trends are detected early. Since 2013, we have traced the gravitation of crypto crime from traditional cryptoassets such as Bitcoin to decentralized finance, and from non-fungible tokens (NFTs) to metaverse gaming.
When asking “what’s next”, we routinely run into the same pattern of criminal activity: as one means of crime is prevented through an enforcement action, criminals gravitate to the next best alternative way of committing said crime where there is no such measure designed to stop them.
This pattern is called “crime displacement”, and its existence in the cryptoasset ecosystem is evident throughout recent sanctions and seizures levied against illicit crypto entities.
As much as the phenomenon exists in physical crimes, it is even easier in digital borderless settings (see FATF Updates Guidance on Virtual Crypto Assets).
Emerging trends in crypto crime
Recent trends reveal an evolution in the use of cryptocurrency by criminals, who have adapted to enforcement actions by seeking innovative methods for laundering and concealing illicit gains. With traditional mixing services, such as Tornado Cash, coming under regulatory scrutiny and facing sanctions, criminals are shifting to cross-chain strategies.
Known as “chain-hopping” or “asset-hopping,” this tactic involves transferring assets between different blockchains or converting them into various crypto tokens to obscure their origins.
Decentralized exchanges (DEXs), cross-chain bridges, and anonymous coin swap services are key tools in this evolving strategy, offering minimal-to-no know-your-customer (KYC) requirements.
This shift is part of a broader phenomenon known as “crime displacement,” where criminals move to alternative methods as previous avenues close. Cross-chain crime has surged as bad actors leverage the anonymity and accessibility of decentralized finance (DeFi) platforms.
By moving assets across chains, criminals complicate transaction tracing, exploiting gaps in blockchain analytics that are still predominantly designed for single-chain activity. Furthermore, the growth of decentralized exchanges and token-specific protocols in the DeFi ecosystem has made it easier for criminals to work with lesser-known tokens, many of which can only be exchanged through specialized cross-chain or DeFi services.
How crypto crime displacement works
With criminals constantly seeking new avenues, the need for advanced, scalable solutions to track activity across blockchains has become more pressing, marking a critical phase in counteracting crypto-enabled crime.
The Lazarus Group, a state-backed cyber organization from North Korea, exemplifies this trend. The group has used cross-chain options extensively to launder hundreds of millions in cryptoassets.
Their activities underscore the adaptability of criminal organizations in response to sanctions, as they leverage DeFi protocols to circumvent enforcement measures. These evolving trends in crypto crime highlight the challenges facing blockchain analytics, as they struggle to keep up with the fluid nature of decentralized and cross-chain transactions.
The Lazarus Group is North Korea’s state-backed cyberhacking organization. It was recently confirmed as responsible for stealing almost $240 mn in cryptoassets from four crypto entities, and is suspected of carrying out a fifth attack against CoinEx.
Previously, the organization used a number of crypto services, such as decentralized mixer Tornado Cash and the Ethereum-Bitcoin bridge RenBridge, to launder the proceeds of their crypto heists.
The chart below shows the comparative value of illicit cryptoassets laundered through mixers versus cross-chain bridges over time. It underscores how crypto crime has gravitated towards cross-chain options in recent months.
Elliptic published analysis into RenBridge at the height of its activities, linking it to the laundering of over $500 million worth of illicit cryptoassets.
By the end of 2022, however, neither Tornado Cash nor RenBridge was functioning as normal.
Tornado Cash was subject to US sanctions in August 2022, massively reducing the crucial liquidity it needed to effectively launder large amounts of funds.
RenBridge, meanwhile, ceased to operate after Alameda Research – its main financial backer – collapsed in the high-profile FTX debacle in November 2022.
Lacking the liquidity of Tornado Cash, the move proved fruitless – effectively leaving the organization right back where it started. This represents the success of identifying potential crime displacement opportunities early on.
Cross-chain crime
As with the Lazarus Group, illicit actors engaging in all forms of criminality have been affected by the demise of Tornado Cash and other anonymity-enhancing services, such as Blender.io and ChipMixer.
Cross-chain crime – otherwise known as “chain-” or “asset-hopping” – refers to the rapid and anonymous swapping of cryptoassets either between or across blockchains to different cryptoassets.
It often occurs using services such as decentralized exchanges (DEXs), cross-chain bridges or coin swap services.
A cross-chain bridge is a DeFi protocol that can swap a user’s assets – without know-your-customer (KYC) requirements – across blockchains, making them more difficult to trace. This string of transactions – which is one of many combinations they used – has no legitimate business purpose apart from to obfuscate the transaction trail.
Significant monthly shifts demonstrate crime displacement in action. The sudden drop of mixer use in August 2022 corresponds to the sanctioning of Tornado Cash.
The brief recovery of mixers until the end of the year corresponds to the shutting down of RenBridge, and the second drop of mixer use in March 2023 corresponds to the seizure of ChipMixer by EUROPOL.
Why are criminals displacing to cross-chain methods?
There are a number of reasons why cross-chain crime is benefitting to a worrying extent from crime displacement.
- First, proceeds of crypto crime are increasingly being generated in lesser-known cryptoassets, such as DeFi protocol-specific tokens that are only exchangeable through cross-chain or cross-asset services.
- Second, most of these services – be it DEXs, cross-chain bridges or coin swap services – do not require identity verification to use.
- Finally and perhaps most importantly, criminals are aware that legacy blockchain analytics solutions do not have the means to trace illicit blockchain activity across blockchains or tokens in a programmatic or scalable manner.
Many of these solutions are designed with traditional crypto crime in mind, which typically involves a single asset, such as Bitcoin or Ether.
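The tracing gap described above can be shown with a small forward-tracing sketch. This is an added example, not Elliptic's code or method: the addresses, the TKN token and the already-matched swap and bridge events in HOPS are constructed assumptions. A tracer that follows only same-asset transfers loses the trail at the first swap, while one that also follows matched hops reaches the cash-out point.

```python
from collections import deque

# Constructed sample data, not real addresses. A node is (chain, asset, address).
TRANSFERS = [  # ordinary same-chain, same-asset payments
    (("ethereum", "ETH", "src"), ("ethereum", "ETH", "hop1")),
    (("ethereum", "TKN", "hop1"), ("ethereum", "TKN", "hop2")),
    (("bitcoin", "BTC", "hop3"), ("bitcoin", "BTC", "cashout")),
    (("bitcoin", "BTC", "other1"), ("bitcoin", "BTC", "other2")),
]
HOPS = [  # assumed already matched: funds leave one asset or chain and enter another
    ("dex_swap", ("ethereum", "ETH", "hop1"), ("ethereum", "TKN", "hop1")),
    ("bridge", ("ethereum", "TKN", "hop2"), ("bitcoin", "BTC", "hop3")),
]
START = ("ethereum", "ETH", "src")
CASHOUT = ("bitcoin", "BTC", "cashout")

def build_graph(follow_hops):
    """Adjacency list of (edge_kind, destination) per node."""
    graph = {}
    for src, dst in TRANSFERS:
        graph.setdefault(src, []).append(("transfer", dst))
    if follow_hops:  # a single-asset tracer never sees these edges
        for kind, src, dst in HOPS:
            graph.setdefault(src, []).append((kind, dst))
    return graph

def trace(start, follow_hops):
    """Breadth-first forward trace. Returns {node: (previous_node, edge_kind)}."""
    graph = build_graph(follow_hops)
    parent, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        for kind, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return parent

def trail(start, target, follow_hops):
    """Edge kinds on the path from start to target, or None if the trail is lost."""
    parent = trace(start, follow_hops)
    if target not in parent:
        return None
    kinds, node = [], target
    while parent[node] is not None:
        prev, kind = parent[node]
        kinds.append(kind)
        node = prev
    return kinds[::-1]
```
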
FAQ
Crime displacement in crypto refers to the shift in criminal tactics as enforcement actions prevent specific types of crypto-related crimes. Criminals often move to alternative methods or platforms that lack restrictions, creating a cycle of changing tactics to evade detection.
Crime displacement has led criminals to favor cross-chain methods after sanctions limited the effectiveness of mixers like Tornado Cash. Criminals increasingly use cross-chain bridges and decentralized exchanges (DEXs) to launder assets, making transactions harder to trace.
Cross-chain crime, or asset-hopping, allows criminals to swap assets across blockchains or into different cryptoassets without KYC checks. This obscures the transaction trail and leverages services that don’t require identity verification, adding layers of anonymity.
DeFi protocols, especially cross-chain bridges, enable anonymous asset swapping across blockchains. Criminals use these protocols as they lack KYC requirements and can handle lesser-known tokens, making it easier to obscure transaction trails and evade detection.
Enforcement actions, like sanctions on Tornado Cash and the shutdown of RenBridge, have forced criminals to seek new methods, primarily through cross-chain services. These actions demonstrate the importance of early detection in countering crime displacement.
Elliptic uses advanced analytics to monitor shifting crime tactics in the crypto space, including tracking asset flows across mixers, cross-chain bridges, and DeFi protocols. By identifying patterns in cross-chain crime, they provide insights to help prevent new types of illicit activity.
Traditional blockchain analytics tools often struggle with cross-chain crime because they are typically designed to track single-asset transactions (like Bitcoin or Ether). These tools lack the capability to programmatically trace activity across multiple blockchains or asset types, creating gaps in detection.
AUTHOR: Ecliptic analytics. Reviewed by Peter Sonner