Ransomware Attackers Transfer $10M to Mining Services in Q1 2023, Up from $10K in 2018
Rashmi Ramesh (rashmiramesh_) • June 16, 2023
Ransomware attackers are using the process that validates cryptocurrency transactions, mining, to their advantage. More criminals are laundering their ill-gotten gains through mining, effectively re-minting digital money to sanitize funds and avoid the scrutiny of more heavily regulated financial institutions.
Cryptocurrency mining is the process of solving complex puzzles to bring more coins into circulation, and it is essential to the functioning of the industry. But it also gives criminals a way to obtain money from a clean source, making it an ideal service for heavily sanctioned nation-states such as Iran and North Korea.
The selling point for illicit actors is that law enforcement agencies and private security companies can't track cryptocurrency through services such as mining pools.
Over the past few years, the number of hackers using the service has increased, with the cumulative amount transferred from ransomware addresses to mining services rising from less than $10,000 in Q1 2018 to more than $10 million in Q1 2023, said Chainalysis, which analyzed suspicious deposits over the past five years.
From January 2018 to near the end of Q2 2023, deposit addresses received $158.3 million in cryptocurrency from ransomware addresses. Chainalysis said the figure was "likely an underestimate," adding that mining pools play a "significant role" in the ransomware laundering ecosystem.
Cryptocurrencies are the tools of choice for ransomware attackers and other cybercriminals due to their Wild West nature. Illicit use of digital currency hit a record high of $20.1 billion in 2022, despite the price slump during the period. However, converting illicitly obtained digital currency into usable fiat currency has historically been a challenge, as most currencies are easily traceable through the blockchain.
Trend Analysis
For example, a "highly active" cryptocurrency wallet on a mainstream exchange routinely receives "substantial amounts from both mining pools and ransomware-related wallets," the report says. Of the $94.2 million deposited into this address, $19.1 million came from addresses associated with ransomware attackers and $14.1 million came from mining pools.
To further obfuscate the flow of funds, ransomware attackers send funds to mining pools through separate addresses called intermediary wallets. "In this scenario, mining pools act similarly to mixers in that they obscure the origin of funds and create the illusion that funds come from mining rather than from ransomware," the report states.
According to the report, exchanges that hold deposit wallets for mining pool funds generally receive large inflows from ransomware wallets. These exchanges probably won't curb this activity because "ransomware attackers are trying to disguise their funds as mining proceeds, even though they haven't moved them to the mining pool in the first place."
In the 2019 BitClub Network incident, hackers moved millions of dollars' worth of bitcoin to a Russia-based money laundering service. In the years that followed, these money laundering wallets moved bitcoin to the same deposit addresses on two mainstream exchanges that Russia-based bitcoin mining operations used to move millions of dollars.
One of these wallets also received funds from the Russian exchange BTC-e, which was laundering cybercrime funds, including funds from the Mt. Gox hack.
Money launderers may have mixed BTC-e or BitClub funds with mined funds to make it appear that the funds came from legitimate sources such as mining, the report says. Crypto scammers and money launderers operating on behalf of these two platforms were also reportedly using mining pools to launder money.
Mining pools and hashing services must screen wallets using Know Your Customer and blockchain analytics to verify the origin of funds entering wallets so that they can reject funds from fraudulent addresses.