The laundering of ill-gotten cryptocurrency exerts a multifaceted impact on global financial and security landscapes, presenting challenges for businesses, governments, and individuals alike. For businesses, particularly those operating within the fintech and blockchain sectors, crypto laundering undermines the perception of integrity in their industry, eroding public trust in these emerging and promising technologies. Governments face the dual challenge of adapting regulatory frameworks to effectively combat these sophisticated laundering techniques, while ensuring innovation in the digital finance sector is not stifled. At an individual level, the repercussions of crypto laundering extend beyond the direct financial losses incurred from these activities.
It also contributes to a broader atmosphere of insecurity and mistrust in digital financial systems, potentially impeding the wider adoption and development of legitimate cryptocurrency applications. Understanding and addressing crypto laundering is not only a matter of financial security but also pivotal in shaping the trajectory of digital finance and maintaining public confidence in these systems.
In 2023, a discernible shift in crypto laundering methods has emerged. Our analysis reveals a marked increase in the bridging of stolen funds to the Bitcoin blockchain.
Across the 50 largest exploits of 2023, one-third of stolen proceeds ended up being bridged to or laundered on the Bitcoin network. This is particularly notable as the vast majority of Web3 security incidents do not take place on Bitcoin.
This trend indicates a departure from the previously predominant use of platforms like Tornado Cash, which, despite its continued use, has seen a decline following heightened regulatory scrutiny. Bitcoin mixers, such as the recently dismantled Sinbad mixer, have become the laundering tools of choice for sophisticated cybercriminal groups like Lazarus Group. This shift was evident when CertiK scrutinized the top 50 most significant security incidents of 2023, analyzing the methods employed by attackers in the aftermath of their heists. This trend not only sheds light on the evolving nature of crypto laundering tactics but also signals an urgent need for equally dynamic countermeasures in the ongoing battle against blockchain-based financial crime.
Despite the imposition of sanctions by OFAC in August 2022, Tornado Cash continues to be a tool for laundering funds among malicious actors. Nevertheless, there has been a noticeable decline in its usage, particularly visible in the Tornado Cash 100 ETH pool contract on Ethereum. A significant reduction in this contract's ETH balance became apparent following the sanction announcement, indicating a shift in laundering preferences.
While Tornado Cash remains a channel for smaller-scale laundering, the landscape is changing for larger incidents. In these cases, the stolen proceeds are increasingly being transferred to the Bitcoin blockchain. This strategic move enables bad actors to leverage alternative privacy services available on the Bitcoin network, illustrating a trend towards diversification in laundering methods and the pursuit of more secure avenues for obscuring illicit funds.
Tornado Cash operates by allowing users to deposit funds into its smart contracts, which accept only fixed denominations (for instance the 0.1, 1, 10 and 100 ETH pools on Ethereum). A user who deposits 100 ETH can later withdraw only 100 ETH, minus a relayer fee, to a new wallet; the withdrawal is authorised by a zero-knowledge proof that the withdrawer made one of the pool's deposits, without revealing which one. This severs the on-chain link between the depositing and receiving addresses, significantly complicating traceability.
In contrast, modern Bitcoin mixers employ a different approach. A case in point is the now-seized Sinbad protocol, which enabled users to deposit Bitcoin and distribute it across multiple recipient wallets in varying percentages, further complicating the tracking of funds.
Other Bitcoin mixing services integrate the CoinJoin method. CoinJoin, proposed in 2013 by Bitcoin developer Greg Maxwell, uses the structure of ordinary Bitcoin transactions to improve privacy without changing the Bitcoin protocol itself. A single transaction combines inputs from several users, each input signed by its own owner, and pays out to fresh addresses those same users control, so each participant is in effect sending Bitcoin back to themselves. Chain analysis normally assumes that all inputs of a transaction belong to one entity (the common-input-ownership heuristic); CoinJoin breaks that assumption, and because the payout outputs are typically of equal value, an observer cannot tell which input funded which output or how many parties took part.
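The following is an added illustration, not code or data from the report or from any mixer. It builds a constructed three-party CoinJoin transaction (amounts in satoshis, with a hypothetical ground-truth "owner" tag that a real analyst would not see) next to an ordinary single-owner payment, and shows three things a chain analyst cares about: the common-input-ownership heuristic wrongly merges all three participants, the equal-value output pattern is what flags the transaction as a likely CoinJoin, and the equal-value outputs themselves cannot be linked to inputs by amount. It also shows the caveat: the unequal change outputs can be linked back to inputs by simple subtraction when the per-participant fee share is known. The fee share and detection thresholds are assumptions for the example.

```python
"""Heuristics for recognising and analysing a CoinJoin-style transaction.

Constructed example (not from the report, not a real transaction). Values are
satoshis. The "owner" field is ground truth included only to check the
heuristics; it is not visible on-chain.
"""
from collections import Counter
from itertools import permutations

# Three participants each spend one input, receive one 1.0 BTC mixed output
# and one change output, and each pays an (assumed) 50 000 sat fee share.
COINJOIN_TX = {
    "inputs": [
        {"outpoint": "in_a:0", "value": 130_000_000, "owner": "alice"},
        {"outpoint": "in_b:1", "value": 210_000_000, "owner": "bob"},
        {"outpoint": "in_c:0", "value": 105_000_000, "owner": "carol"},
    ],
    "outputs": [
        {"address": "bc1q_mix_1", "value": 100_000_000},
        {"address": "bc1q_mix_2", "value": 100_000_000},
        {"address": "bc1q_mix_3", "value": 100_000_000},
        {"address": "bc1q_chg_a", "value": 29_950_000},
        {"address": "bc1q_chg_b", "value": 109_950_000},
        {"address": "bc1q_chg_c", "value": 4_950_000},
    ],
}

# Ordinary payment: one entity spends two of its own coins, pays a merchant
# and takes change. The common-input-ownership heuristic is correct here.
ORDINARY_TX = {
    "inputs": [
        {"outpoint": "in_d:0", "value": 60_000_000, "owner": "dave"},
        {"outpoint": "in_d:2", "value": 25_000_000, "owner": "dave"},
    ],
    "outputs": [
        {"address": "bc1q_merchant", "value": 70_000_000},
        {"address": "bc1q_chg_d", "value": 14_980_000},
    ],
}


def total_fee(tx):
    """Miner fee is whatever the inputs carry that the outputs do not."""
    return sum(i["value"] for i in tx["inputs"]) - sum(o["value"] for o in tx["outputs"])


def common_input_ownership(tx):
    """Naive clustering rule: all inputs of one transaction are assumed to be
    controlled by a single entity. Returns the outpoints it would merge."""
    return frozenset(i["outpoint"] for i in tx["inputs"])


def true_owner_count(tx):
    """Ground truth from the constructed data, for comparison only."""
    return len({i["owner"] for i in tx["inputs"]})


def equal_output_group(tx):
    """(value, count) of the most repeated output value; the mixed denomination."""
    value, count = Counter(o["value"] for o in tx["outputs"]).most_common(1)[0]
    return value, count


def is_likely_coinjoin(tx, min_inputs=3, min_equal_outputs=3):
    """Assumed detection thresholds: several inputs and several outputs of
    exactly the same value is the classic CoinJoin fingerprint."""
    _, count = equal_output_group(tx)
    return len(tx["inputs"]) >= min_inputs and count >= min_equal_outputs


def consistent_input_output_pairings(tx):
    """Count the input-to-mixed-output bijections the amounts permit (an input
    must be large enough to fund the output it is paired with). Every such
    pairing is equally plausible on-chain, which is the anonymity CoinJoin buys."""
    denom, _ = equal_output_group(tx)
    mixed = [o for o in tx["outputs"] if o["value"] == denom]
    inputs = tx["inputs"]
    return sum(
        1
        for perm in permutations(range(len(inputs)), len(mixed))
        if all(inputs[i]["value"] >= denom for i in perm)
    )


def link_change_by_amount(tx, fee_share):
    """Caveat: change outputs are not equal-valued. If the per-participant fee
    share is known, input - denomination - fee_share pins each change output
    to its input, which links the non-mixed part of the flow."""
    denom, _ = equal_output_group(tx)
    change = {o["value"]: o["address"] for o in tx["outputs"] if o["value"] != denom}
    links = {}
    for i in tx["inputs"]:
        expected = i["value"] - denom - fee_share
        if expected in change:
            links[i["outpoint"]] = change[expected]
    return links


if __name__ == "__main__":
    for name, tx in ("coinjoin", COINJOIN_TX), ("ordinary", ORDINARY_TX):
        print(name, "likely CoinJoin:", is_likely_coinjoin(tx),
              "| heuristic cluster size:", len(common_input_ownership(tx)),
              "| true owners:", true_owner_count(tx))
    print("plausible input/output pairings:", consistent_input_output_pairings(COINJOIN_TX))
    print("change linked by amount:", link_change_by_amount(COINJOIN_TX, 50_000))
```

The equal-value outputs are the only part of a CoinJoin that is genuinely ambiguous; real analysis tooling spends its effort on the change outputs and on what happens to the mixed coins in the next hop, which is why funds that leave a mixer to a single consolidating address lose much of the privacy gained.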
Although Bitcoin tumblers and mixers are not inherently illegal, they frequently fall short of anti-money laundering (AML), know your customer (KYC), and counter-terrorism financing (CTF) standards, drawing the attention of law enforcement agencies. A notable instance is the seizure of the Sinbad mixer, favored by high-profile hacking groups like the North Korean Lazarus Group.
In addition to mixers, Bitcoin privacy wallets provide another layer of obscurity. Wasabi wallet, for example, integrates CoinJoin functionality, offering enhanced privacy for Bitcoin transactions, while Samourai wallet implements a similar protocol under the name Whirlpool. Our investigation traced the flow of funds from Web3 security incidents to the Bitcoin network, where these various privacy-enhancing services are employed, demonstrating their role in the complex landscape of cryptocurrency laundering.
The United States Department of Justice (DoJ) has aggressively pursued operators of Bitcoin mixers and identified the role of laundering tools in other cases. In just the last few years, the DoJ has shut down and arrested the operators of three major Bitcoin mixing services:
ChipMixer – March 2023 ($3 billion)
Bitcoin Fog – April 2021 ($335 million)
Helix – February 2020 ($300 million)
The DoJ also often highlights its identification of money laundering efforts when filing charges against operators of non-compliant exchanges, Ponzi schemes, exchange and DeFi protocol hackers, and when seizing the proceeds of darknet market sales.
This year, the Department formally charged the operators of Tornado Cash with money laundering and sanctions violations.
Money laundering is clearly a key concern for the DoJ. The increased scrutiny of longstanding services like Tornado Cash and the regular shutdowns of major Bitcoin mixers have impacted the tactics of criminal actors in the space.
Recent observations indicate a notable shift in the laundering strategies of malicious actors, with a growing preference for transferring stolen funds to the Bitcoin network over traditional reliance on services like Tornado Cash. A case in point involves the scammer in the Florence Finance incident, who, after stealing approximately $1.4 million in a phishing scam, channeled these funds to Bitcoin via THORChain.
THORChain is a decentralized liquidity protocol that enables users to swap assets across different blockchains without a central party. Its cross-chain capabilities and the relative anonymity it offers in transaction processes make it a useful tool for those looking to launder money (as well as the millions more people who simply want a convenient interface for making cross-chain transactions).
Similarly, the culprits behind the $2 million CoinSpot theft utilized THORChain and Wan Bridge for transferring assets to BTC. Notably, the FTX hacker has also started relocating stolen Ethereum assets to the Bitcoin network.
The table below highlights this trend: among the top 50 incidents by loss amount, funds from 12 incidents were deposited into Tornado Cash, totaling around $108 million. In contrast, $318.4 million was transferred to Bitcoin. Excluding the funds yet to be moved by exploiters, incidents involving Bitcoin bridging/laundering account for one-third (32.2%) of total funds stolen.
The observed shift in laundering tactics, especially in cases involving thefts exceeding $50 million, is largely attributable to the specific preferences and established methods of notable threat actors. Prominent among these is the North Korean Lazarus Group, which has repeatedly demonstrated a preference for using Bitcoin mixers as a primary channel for laundering substantial stolen funds. This group's methodical approach, often involving private key compromises on centralized entities, underscores their sophistication and comfort with Bitcoin-based laundering systems. Private key compromises so far account for 51% of total losses in the crypto industry in 2023. This figure is especially notable in light of the fact that such compromises represent just 6% of the total number of security incidents, underscoring their often devastating impact.
Similarly, entities tied to Russian cybercriminal organizations exhibit an affinity for the use of Bitcoin blockchain mixers, aligning their laundering techniques with those employed by groups like the Lazarus Group. This convergence of methods among different threat actors points to a broader, more systemic shift in the landscape of cryptocurrency laundering.
While Tornado Cash remains a primary tool for obfuscating funds from smaller-scale cybercrimes, a shift is evident in larger-scale incidents involving assets exceeding $50 million. This transformation is primarily driven by the strategic preferences of the most formidable threat actors in the digital realm. Notably, the North Korean Lazarus Group, with their well-established laundering operations utilizing Bitcoin mixers, has set a precedent in the crypto underworld.
Lazarus’s methodical transfer of vast sums into Bitcoin mixers underscores a deep-seated familiarity with and confidence in this laundering avenue. Similarly, Russian-linked cybercriminal factions have echoed this approach, further cementing Bitcoin mixers' status as one of the go-to tools for laundering in high-stakes crypto thefts, regardless of whether the thefts initially take place on the Bitcoin blockchain.
This strategic pivot towards Bitcoin-based laundering solutions is not merely a trend but a harbinger of the challenges that lie ahead in combating crypto laundering. Understanding and countering this shift is not just crucial for mitigating financial losses, it’s also pivotal in safeguarding the integrity and future of the Web3 world.