Crypto Crime Series: Decoding Hacks

As quoted in The Wall Street Journal, this post is the third and final in our “Crypto Crime” series, detailing the recent trends in crypto crime and our predictions for the coming year. Sign up here for access to the complete Chainalysis Crypto Crime Report: Decoding Increasingly Sophisticated Hacks, Darknet Markets, and Scams.

Following the money of two prominent hacking groups

While several reports have done the job of quantifying the scale of cryptocurrency hacks, at Chainalysis we seek to “decode” hacking, that is, to gain insight into how and when hackers move assets after the initial crime, how long it takes them to cash out via an exchange, and whether this teaches us anything about who they are.

We took a look at hacks that target cryptocurrency organizations such as exchanges. These hacks involve large thefts, often stealing tens or even hundreds of millions of dollars directly from exchanges. Hacking dwarfs all other forms of crypto crime, and it is dominated by two prominent, professional hacking groups. Together, these two groups are responsible for stealing around $1 billion to date, at least 60% of all publicly reported hacks. And given the potential rewards, there’s no question hacking will continue; it is the most lucrative of all crypto crimes.

How hacked funds move through the cryptocurrency ecosystem

On average, the hacks we traced from the two prominent hacking groups stole $90 million per hack. The hackers typically move stolen funds through a complex array of wallets and exchanges in an attempt to disguise the funds’ criminal origins. The hackers then often observe a quiet period of 40 or more days in which they don’t move funds, waiting until interest in the theft has died down. Once they feel safe, they move quickly. At least 50% of the hacked funds are cashed out through some conversion service within 112 days.

Both hacking groups seek to evade detection between the hack and their exit, but they use different approaches to achieve this. For example, we suspect that one of the prominent hacking groups, which we’ll refer to as group Alpha, is a giant, tightly controlled organization at least partly driven by non-monetary goals. By contrast, the second hacking organization, group Beta, seems to be a smaller, less organized outfit absolutely focused on the money. They don’t appear to care very much about evading detection.

Working together to contain the damage

Until now, exchanges and law enforcement have had limited ability to track hacked funds. Furthermore, exchanges are regularly processing the stolen funds, allowing the hackers to convert the funds to traditional currencies or other cryptocurrencies. This is in part because unless you’re the exchange that was hacked, these funds look like they have come from legitimate owners (that is, the original entities who were hacked); it is hard to tell which funds have been stolen and which haven’t without specialized investigation software.

A working knowledge of how hackers move funds can equip legitimate participants to identify unusual spikes in transactions that may be tied to criminal activity. Cooperation between exchanges also goes a long way to help fight crime in this ecosystem. Neutral intermediaries between exchanges can play an important role in this effort.
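As an added illustration, not Chainalysis code or data, the Python sketch below runs the defender-side checks the post describes: it forward-traces funds from a hacked address over a constructed ledger, measures the dormant gap before funds move again, and finds the day on which half of the stolen value reached a labelled exchange. The addresses, amounts and day numbers are constructed, and the `exchange:` prefix stands in for an exchange attribution the analyst would have to supply.

```python
# Constructed sample ledger (not real chain data): (day, from_addr, to_addr, amount_usd).
# Address names are hypothetical; the "exchange:" prefix marks a labelled conversion service.
HACK_ADDR = "hack_wallet_0"
LEDGER = [
    (0, "victim_exchange_hot", HACK_ADDR, 90_000_000),  # day 0: the theft itself
    (1, HACK_ADDR, "mix_a", 50_000_000),
    (1, HACK_ADDR, "mix_b", 40_000_000),
    (2, "mix_a", "mix_c", 50_000_000),
    (45, "mix_c", "exchange:dep_1", 30_000_000),  # quiet period ends, funds move fast
    (47, "mix_c", "exchange:dep_2", 20_000_000),
    (60, "mix_b", "mix_d", 40_000_000),
    (100, "mix_d", "exchange:dep_3", 10_000_000),
    (130, "mix_d", "exchange:dep_4", 30_000_000),
]


def is_exchange(addr):
    """Hypothetical attribution: a labelled exchange deposit address."""
    return addr.startswith("exchange:")


def trace_taint(ledger, source):
    """Forward 'poison' taint: every output of a tainted address is tainted.
    Returns (tainted address set, chronological list of tainted movements)."""
    tainted, moves = {source}, []
    for day, src, dst, amt in sorted(ledger, key=lambda t: t[0]):  # stable sort keeps same-day order
        if src in tainted:
            moves.append((day, src, dst, amt))
            if not is_exchange(dst):  # stop propagating once funds reach a service
                tainted.add(dst)
    return tainted, moves


def longest_quiet_period(moves):
    """Largest gap in days between consecutive movements of tainted funds."""
    days = sorted({m[0] for m in moves})
    return max((b - a for a, b in zip(days, days[1:])), default=0)


def days_to_cashout(moves, stolen_usd, fraction=0.5):
    """Day on which cumulative deposits to exchanges first reach `fraction` of the theft,
    or None if the ledger never gets there."""
    cum = 0
    for day, _, dst, amt in moves:
        if is_exchange(dst):
            cum += amt
            if cum >= fraction * stolen_usd:
                return day
    return None
```

On the constructed ledger the longest dormant gap is 43 days and half of the $90M reaches an exchange on day 47, matching the shape of the pattern described above; on real data the exchange labels and the ledger would come from an attribution dataset rather than a hand-written list.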