The crypto-mediated illicit drugs trade mostly takes place on DNMs - multi-vendor online illicit global commerce platforms located on the “darknet”, an encrypted section of the internet neither accessible from standard internet browsers nor indexed by search engines.

An established form of transnational organized crime, DNMs combine anonymization networks and cryptocurrencies with encryption technologies. They are distinct from independent single-vendor shops that also sell illicit drugs, and from other types of fraud stores.

As much as USD 1.49 billion was spent on DNMs in 2022, according to TRM Labs research. Over 80% of this was spent on Russian-language DNMs. By contrast, the largest Western Bitcoin DNM currently in existence – ASAP Market – accounted for less than 10% of global DNM market share. Most Russian-language DNMs only support Bitcoin, with no privacy coin options available. This may reflect their lower perceived risk of being taken down by the authorities. By contrast, Western DNMs employ more on-chain operational security measures and either offer Monero only or Monero alongside Bitcoin.

‍

Forms of illicit commerce described in section 1 are often facilitated by cybercrime forums. Also known as dark web or darknet forums, these are platforms where cybercriminals discuss, sell, and promote illicit activity anonymously. In doing so, these forums play a significant role in connecting and driving cybercrime. Cybercrime forums derive their income from registration fees, advertisements, escrow services and account status upgrades.

‍

Two prominent examples of such forums studied by TRM Labs are Exploit.in and Cracked.io. Exploit is a Russian cybercrime forum established in 2005. Discussions on the forum focus on sharing exploits and vulnerabilities of various computer systems. Exploit is also a marketplace for initial accesses, digital goods, malware and so-called zero-day vulnerabilities – security flaws in a software application or system that are unknown to the vendor or developer and for which no patch or fix has been released.

‍

Cracked is a well-known English-language hacking forum, with more than 3.5 million users and 22.6 million posts on hacking, cracking, leaks and related topics. Cracked also includes a marketplace for illicit products. This platform periodically changes its cryptocurrency wallets.

Cryptocurrency has long been linked to the receipt and trafficking of stolen goods. The darkweb is replete with illicit marketplaces that accept cryptocurrency in exchange for stolen credit card details, personally identifiable information (PII), counterfeit goods and other products. There have also been reports of darknet-enabled illicit commerce involving antiquities and other significant cultural artifacts.

Despite claims that crypto is used as a means of payment for human trafficking, TRM research suggests that the most prominent nexus between crypto and human trafficking is the use of human trafficking to prop up cryptocurrency scams and frauds. 

‍

For example, human trafficking victims have been found to be working in illegal call centers run by Chinese criminal syndicates operating cryptocurrency pig butchering scams. These scams rely on psychological manipulation to wipe out victims’ life savings on the promise of making large returns on their investments. According to the FBI, people lured by false job advertisements offering lucrative pay later have their passports confiscated and are coerced into committing crypto fraud. More recently, authorities in the Philippines reportedly rescued victims who had allegedly been trafficked to work in a crypto scam call center based in Cambodia.

CSAM includes imagery or videos that show a child engaged in or depicted as being engaged in explicit sexual activity.

‍

TRM has analyzed over USD 3 million sent to cryptocurrency addresses involved in CSAM activities online in 2022. More than two thirds of those payments appear to have been made to CSAM scammers, who attempt to convince would-be buyers of CSAM images to pay for images or VIP access to galleries that turn out not to exist. 

‍

‍

The disproportionate share of funds received by CSAM scammers, who advertise widely on the darknet and deal almost exclusively in cryptocurrency, can be explained at least in part by the fact that true CSAM vendors seldom publicly promote their activity and continue to favor traditional finance channels. 

‍

By studying the properties and behaviors of CSAM actors, blockchain intelligence can allow investigators to identify international CSAM networks, profile persistent CSAM customers, and expose vendors that impersonate scammers in order to evade law enforcement attention by hiding in plain sight.

The past few years have witnessed a rise in the attempted use of cryptocurrency to pay for contract killings. It should be noted that there have been no publicly documented examples of a completed murder-for-hire scheme paid for in cryptocurrency at the time of publication. However, there is evidence of demand for such services, as shown by the prosecution of several individuals who have attempted to pay for contract killings with cryptocurrency.  

‍

In 2022, a Los Angeles man pleaded guilty to a federal murder-for-hire charge after sending USD 13,000 worth of bitcoin to a darknet website to hire a hitman to kill a woman who had rebuffed his advances. 

‍

Other instances of people accused of using cryptocurrency to pay hitmen have been reported elsewhere. In 2022, a Mississippi resident received a 10-year prison sentence for attempting to have her husband killed for a USD 10,000 fee in bitcoin.

‍

Such events have not been confined to the US. In 2021, Europol and the Italian police collaborated to arrest a man suspected of paying EUR 10,000 in bitcoin to hire an assassin to kill his ex-girlfriend. In that instance, the virtual asset service provider (VASP) involved in the transfer of the bitcoin to the would-be killer cooperated with authorities in providing details of the suspect.

Terrorist financing refers to the provision of financial support to terrorist organizations and individuals involved in terrorist activities. Cryptocurrency has been used for terrorist financing due in part to its perceived anonymity and ease of cross-border transfers. 

‍

Fundraising campaigns for ISIS families held in internment camps in northeastern Syria has been a significant driver of cryptocurrency usage among ISIS and its supporters. TRM Labs identified dozens of fundraising campaigns that accepted cryptocurrency in 2022, raising between a few dollars to tens of thousands. 

‍

TRM Labs also identified multiple pro-ISIS groups in Pakistan and Tajikistan raising tens of thousands of dollars in cryptocurrency to spread propaganda and recruit fighters. Over the course of 2022, TRM Labs has observed a significant increase in the use of the TRON blockchain among terrorist groups and associated fundraising campaigns, with some using it exclusively. The overwhelming majority of those actors collected donations in the stablecoin Tether (USDT). Among the terror financing entities tracked by TRM Labs in 2022, there was a 240% year-on-year increase in the use of Tether - against a mere 78% rise in Bitcoin use.

‍

‍

In 2022, multiple terror financing entities, including Syria-based cryptocurrency exchanges involved in terror financing campaigns, began experimenting with decentralized exchanges. Decentralized exchanges (DEXs) are peer-to-peer marketplaces where individuals can trade cryptocurrencies in a non-custodial manner.

There have been several high-profile cases of proven or alleged bribery involving crypto. In 2021, FTX founder Sam Bankman-Fried allegedly gave a USD 40 million cryptocurrency bribe to Chinese officials in exchange for unfreezing company accounts containing over USD 1 billion worth of cryptocurrency. 

‍

In 2022, the US Department of Justice accused two Chinese intelligence officers of allegedly attempting to bribe a US government employee with USD 61,000 in bitcoin to steal documents related to an investigation into Chinese tech giant Huawei.

Cryptocurrencies can also be used to influence voters during election campaigns. In 2019, a gubernatorial candidate in St Petersburg, Russia, handed out crypto tokens to voters on the campaign trail.

Espionage activities can involve the covert transfer of funds to support intelligence gathering or other covert operations. Cryptocurrencies can provide a discreet and secure means of transferring funds, making them an attractive option for state or non-state actors engaged in espionage. 

‍

In November 2022, US nuclear engineer Jonathan Toebbe and his wife Diana were sentenced to 18 and 21 years in prison respectively for attempting to pass secret nuclear propulsion technology to a third country. In their exchanges with FBI agents posing as foreign officials, the couple requested payment in the Monero privacy coin.

‍

The use of privacy-focused cryptocurrencies or mixing services can further enhance the anonymity of transactions, making it more difficult for authorities to trace the source or destination of the funds. In December 2022, Iran executed four alleged Israeli spies who were accused of receiving payment in cryptocurrency. That same year, South Korea arrested two of its nationals for allegedly accepting cryptocurrency to spy on behalf of North Korea.

Export control evasion involves using cryptocurrencies to bypass state capital controls and restrictions on the export of certain goods or technology. Individuals can use digital assets to facilitate payments for prohibited items, circumventing traditional financial systems that might flag or block such transactions.

‍

A 2019 study by researchers at the Chinese University of Hong Kong, Deakin University and the University of Technology Sydney found that cryptocurrency was being widely used by traders in China to circumvent capital controls.

US officials have long warned that North Korea, Iran and Russia could use cryptocurrency to evade sanctions. The European Union has also taken steps to prevent crypto from being used by Russia to evade international sanctions imposed after its invasion of Ukraine in 2022.

On-chain analysis has yet to show this happening to a significant degree today. Experts believe this is likely to be due to crypto’s current lack of liquidity relative to a country’s economy.  

Nevertheless, Russia, Iran and North Korea have been observed using crypto to offset the impact of international sanctions by conducting cyberattacks and mining bitcoin: both practices generate revenues that help make up for lost trade and investment. In 2022, the US Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned a Russian cryptocurrency mining company in order to prevent mining from becoming a  “mechanism for the Putin regime to offset the impact of sanctions”. 

OFAC has also sanctioned cryptocurrency addresses related to facilitators of North Korean weapons proliferation and Russian paramilitary groups. Additionally, the US Treasury has used sanctions to target money laundering linked to sanctions evasion. For example, in 2022, OFAC sanctioned Ethereum-based mixing service Tornado Cash for its involvement in laundering hacked and stolen funds by North Korea.

Proliferation financing involves the use of cryptocurrencies to fund the development or acquisition of weapons of mass destruction (WMD) or related materials. By using digital assets, parties involved in proliferation activities can avoid the scrutiny of traditional financial systems and evade international non-proliferation regimes. 

‍

In April 2023, the US, Japan and South Korea accused Pyongyang of funding its WMD programme using stolen cryptocurrency. 

Investment fraud centers on the solicitation of funds for fraudulent investments or projects. In the cryptocurrency space, these often involve fake initial coin offerings (ICOs), unregistered securities or fraudulent investment platforms. Investment fraud involving cryptocurrency rose by nearly 200% from USD 907 million in 2021 to USD 2.57 billion in 2022, according to the FBI’s annual Internet Crime Report.

Deceptive smart contracts are intentionally designed to trick users into transferring funds or granting permissions to them. The most notable example of this is drainware – smart contracts that, upon interaction, grant the attacker permission to move funds from the victim’s wallet. Spoof tokens are another form of deceptive smart contracts.

Exit scams, also known as rugpulls, occur when the operators of a project – one often related to investments or a new token – stop developing the project and withdraw user funds for themselves. They can either happen abruptly where project devs and funds suddenly disappear, or they can occur more slowly, where money is siphoned off a bit at a time and devs get less and less active. Sometimes, projects are called rugpulls by the community when they overpromise and underdeliver, though this is more difficult to outright label as fraud.

‍

Often they target decentralized finance (DeFi) projects. In a rugpull related to a new token, the project creators can withdraw liquidity from the trading pool, causing the value of the associated tokens to plummet. Investors are left with worthless tokens and no way to recover their funds. Many pyramid and Ponzi schemes end in exit-scam-like behavior, where payouts stop being made to investors and the creators of the scheme take the remaining funds and disappear.

‍

In June 2022 the US Department of Justice charged a Vietnamese national with one count of conspiracy to commit wire fraud and one count of conspiracy to commit international money laundering. Le Ahn Tuan had created an NFT project called Baller Ape Club, which sold NFTs of cartoon monkeys. According to the indictment, once Tuan and his co-conspirators had collected some USD 2.6 million from investors, they carried out a rugpull, ending the purported investment project, deleting its website, and stealing the investors’ money.

‍

Frosties NFT was another NFT project that promised exclusive digital art and collectibles. However, shortly after the project's launch the two 20-year-old creators shut down its website and Discord servers, removed the liquidity from the trading pool and disappeared with USD 1.1 million of investors' funds. According to the DOJ complaint, the duo transferred the proceeds from the scheme to various cryptocurrency wallets under their control in multiple transactions designed to obfuscate the original source of funds. They were later arrested and charged with wire fraud and conspiracy to commit money laundering.

Phishing involves the use of fraudulent emails, websites, or messages to trick users into revealing sensitive information, such as private keys or login credentials. In the cryptocurrency space, phishing attacks may target users of digital wallets or exchanges, leading to the theft of funds. 

‍

Crypto-related phishing attacks grew in prominence during the 2017 Initial Coin Offering (ICO) boom. Victims targeted in these phishing attacks would only lose the amount of cryptocurrency they sent to the wrong address in error. As NFTs entered the mainstream, attackers began to target novice NFT investors by exploiting the “FOMO” – fear of missing out – and hype surrounding the NFT world. 

‍

TRM Labs has observed hundreds of phishing attacks over the last year targeting NFT projects, where real-time messaging across multiple platforms has enabled attackers to target NFT investors by publishing phishing website links at a rapid pace.

‍

“Address poisoning”, a relatively new type of phishing, rose to prominence in 2022. It involves the scammer creating an address that resembles one to which the intended victim had previously sent funds. The scammer then sends a small amount of cryptocurrency to the target in the hope that they will unwittingly make a future payment to that scam address in place of their intended recipient.

Related to phishing, impersonation scams involve criminals posing as well-known individuals or organizations to deceive victims into sending funds or revealing sensitive information. In the cryptocurrency space, impersonation scams may involve criminals pretending to be representatives of exchanges, wallet providers or celebrities to trick users into sending cryptocurrencies to fraudulent addresses or divulging sensitive information.

‍

Scammers can create fake websites or social media accounts that resemble legitimate crypto exchanges or wallet providers. They impersonate customer support agents and reach out to unsuspecting users, offering assistance with technical issues or account problems. The users are persuaded to share their login credentials, private keys, or sensitive information, allowing the scammers to steal their funds.

‍

Similarly, scammers also create fraudulent websites, social media accounts, or email campaigns to impersonate legitimate crypto projects. Unsuspecting users send their cryptocurrencies, but the scammers disappear with the funds, leaving investors with nothing.

Business email compromise (BEC) is a type of scam where criminals impersonate a legitimate business or organization to trick employees or partners into transferring funds or revealing sensitive information. 

‍

BEC scams may involve the compromise of email accounts belonging to employees of exchanges, wallet providers, or other organizations, leading to the theft of funds or sensitive data. In 2022, BEC accounted for USD 2.7 billion (crypto and fiat) in losses reported by victims to the FBI’s Internet Crime Complaint Center (IC3).

For almost every type of illicit commerce or activity in the crypto space, there is a scam version of it, sometimes found on the dark web. TRM Labs has found scam money laundering services, carding shops, drug vendors, murder-for-hire providers, weapons dealers, CSAM sellers, hacking services, market manipulation services, scam-as-a-service providers and ransomware sellers.

Blackmail scams typically involve the scammer sending threatening emails to random recipients, claiming knowledge of infidelity, pornography use or other potentially embarrassing personal details that would be released publicly unless a cryptocurrency payment was made. 

‍

In many cases, the scammer does not in fact have the information in question. The most common type appears to be “sextortion”, where the scammer emails hundreds or thousands of people claiming to have installed malware on their computer or phone that recorded the recipient viewing pornographic sites. They then instruct the intended victim to send cryptocurrency – usually bitcoin – to the scammer in order not to have the videos sent to their friends and family.

Scammers are creative and can make a scam version out of nearly any activity. As such, there are many other types of scams than those mentioned in this paper. They include asset recovery scams, overpayment scams, money mule scams, different variations of the advance-fee scam, and the basic scam of simply not giving the buyer what they purchased.

Misappropriation of funds often occurs as part of many of the other frauds and scams mentioned here, though it can also occur independently. It is related to, but in some jurisdictions is a separate crime from, embezzlement. 

‍

Misappropriation of funds frequently accompanies investment fraud schemes, where, instead of investing customer funds as promised, the operator of the scheme instead diverts them either for personal use – such as to buy luxury goods – or for other business purposes. For example, the SEC alleges that the former CEO of Alameda Research “used misappropriated FTX customer funds for Alameda’s trading activity.”

‍

In 2021, a Microsoft employee was arrested for allegedly misappropriating USD 10 million in company funds by secretly creating thousands of official XBox gift card codes that he then sold at a discount online in exchange for cryptocurrency.

Crypto extortion can take many forms. At its most basic, it involves individuals threatening their victims and demanding payment in cryptocurrency. It can also involve the use of malicious software known as ransomware. As such, it is often prosecuted in the US under fraud statutes.

‍

In May 2023 a former employee of a public New York-based technology company was sentenced to six years in prison for stealing company files and demanding nearly USD 2 million for their return. In 2019, a group of Russian secret service agents were reported to have extorted a media mogul in exchange for USD 670,000 worth of bitcoin.

‍

Other variations of extortion begin with the scammer using phishing techniques to take control of the victim’s Instagram profile. The criminals then force the victims into filming videos instructing their followers to participate in fraudulent get-rich-quick Bitcoin schemes.

‍

Yet by far the biggest driver of crypto extortion is ransomware, which has also increasingly been adopted by groups targeting countries’ national security infrastructure (see below).

Market manipulation in the cryptocurrency space can involve various schemes designed to artificially influence the price of a cryptocurrency or token. These schemes can include pump and dump schemes, scalping, touting, and front-running.

‍

One of the most prominent recent examples of this practice took place in October 2022, when the Solana-based platform Mango Markets lost around USD 115 million when a group manipulated its price oracle, the authority that determines a token’s value. The hackers’ self-proclaimed leader, Avraham Eisenberg, later revealed his identity and characterized his team’s activities as a “highly profitable trading strategy” rather than a hack. 

‍

Eisenberg initially reached an agreement with Mango Markets to return around USD 70 million in exchange for a promise not to pursue criminal charges against him. Nevertheless, he was arrested by US officials in December 2022 and charged by the SEC with violating anti-fraud and market manipulation provisions of the securities laws. Eisenberg was later also sued by Mango Markets to return his remaining USD 47 million plus interest.

‍

Also in December 2022, the SEC charged leaders of Alameda Research and FTX with manipulating the price of FTX’s FTT Token “by purchasing large quantities on the open market to prop up its price.”

Crypto insider trading entails the use of non-public information to purchase cryptocurrency or other digital assets ahead of exchange listing announcements and profiting from the price surge that follows an announcement. As much as USD 24 million worth of ERC20 tokens was linked to insider trading in 2022 alone, generating at least USD 5.5 million in profit for the traders, according to proprietary research by Argus Inc, a blockchain insider trading and front-running analytics firm. Many of these wallets have continued to be active into 2023.

‍

In June 2022 a former employee of an NFT marketplace became the first individual to be charged with wire fraud and money laundering in connection with a scheme to commit insider trading in NFTs by using confidential information about what NFTs were going to be featured on the exchange’s homepage. Others have since faced similar charges.

Cryptocurrency “poses a significant detection problem by facilitating illegal activity broadly including tax evasion”, according to a US Treasury report released in 2021. High net worth individuals may shift taxable assets into the crypto economy to avoid tax, as governments may not be able to trace crypto income or transactions if they go unreported by exchanges, businesses and other third parties.

‍

A 2022 study found that crypto investors were likely paying less than half the taxes they owed. In response to these tax evasion concerns, in 2022 the European Commission proposed an amendment to the Directive on Administrative Cooperation (known as DAC8) that would widen tax reporting and information sharing requirements relating to holders of crypto and some NFTs. The new rules are likely to come into force in mid-2023.

The year 2022 was the biggest on record for cryptocurrency hacks and exploits, with about USD 3.7 billion stolen across over 175 incidents, according to a review of attacks by TRM Labs. The average hack was over USD 20 million per incident. 

‍

Hacks and exploits can be divided into smart contract and infrastructure attacks. The former group encompasses code exploits and protocol attacks; the latter includes private key theft and SIM swapping, among others. 

‍

Nearly 90% of the USD 3.7 billion stolen last year was through infrastructure attacks and code exploits, with most of the remaining value stolen from protocol attacks. The most common attack type in 2022 were code exploits, at 57 incidents, followed by infrastructure attacks (52) and protocol attacks (45). There were nearly 15 attacks per month on average in 2022, roughly one hack every two days.

‍

‍

Attacks against DeFi projects were more common and damaging than attacks against CeFi targets in 2022, with approximately 80% of all stolen funds, or USD 3 billion, involving DeFi victims and nine of the ten largest attacks occurring against DeFi projects. Flaws in smart contracts, a key component of DeFi that facilitate automation and transparency, provide attackers a seemingly endless supply of bugs to exploit. 

Cryptocurrency robberies involve the use of force, coercion, or threats to physically steal cryptocurrencies from victims. Sometimes known as “five dollar wrench attacks”, such robberies can occur during in-person transactions, such as buying or selling cryptocurrencies, or in more sophisticated and organized criminal operations.

‍

In 2022, police in Sweden were called to an incident involving an assault on a couple by armed strangers who broke into their home, tied them up, and forced them to transfer their cryptocurrency at gunpoint. During the same year, a Canadian man was held at gunpoint, tied up and assaulted during an in-person deal to exchange bitcoin for cash.

Among the fastest ways to convert fiat currency into cryptocurrency and vice-versa is through cash-to-crypto services. Of these, crypto ATMs are the most popular. These kiosks allow customers to insert banknotes, buy cryptocurrency and send it directly to a wallet without needing an exchange or even a bank account. There are over 30,000 crypto ATMs around the world, over 90% of which are located in North America.

‍

Crypto ATMs and other cash-to-crypto services are not illegal; however, they can be an appealing payment method for cybercriminals and other illicit actors. In 2022, over USD 40 million was sent to known scam addresses via cash-to-crypto services, according to research by TRM Labs. These addresses were linked to perpetrators of romance scams, investment scams, impersonation scams and others as neutral platforms enabling payment by victims.

‍

‍

In the case shown above, a single exchange address received funds from 40 different cash-to-crypto services ATMs located all over North America. The same address was reported in multiple public reports and investigations as being used by scammers as an aggregator and off-ramp for stolen funds. In this case, the significant number of transfers from multiple cash-to-crypto service locations to the same address served as the trigger for investigators to identify the suspicious destination address. 

‍

As a reflection of the use of cash-to-crypto services by illicit actors, state and local police departments regularly receive reports of victims being coerced into sending cryptocurrency to fraudsters through crypto ATMs.

These victim payments are often representative of placement in the money laundering context.
‍

In March 2023, authorities in New York arrested a man accused of helping to launder over USD 1 million in fraudulently-obtained small business loans which were offered as part of the US government’s COVID-19 relief strategy. He allegedly converted some of the funds to bitcoin and “used a portion of the rest to start his own lucrative cryptocurrency ATM business.”

Parasite VASPs rely on the architecture of a larger exchange to provide digital assets trading services to users, often without the knowledge or consent of the host exchange. Criminals and sanctioned individuals may use parasite VASPs to move their illicit proceeds through the crypto ecosystem to make the transactions appear legitimate. Parasite exchanges usually have weak to non-existent Know-Your-Customer (KYC) and AML requirements, which can make them a preferred vehicle of cybercriminals and money launderers for moving funds.

‍

Relative to their volume, parasite exchanges facilitate as much as 100 times more illicit on-chain activity than their mainstream counterparts, according to research by TRM Labs. Funds linked to sanctioned entities account for over half of the illicit volume processed by parasite exchanges. This is partly because nearly two-thirds of parasite exchanges appear to be based in Russia and Iran, with the Iranian exchanges being sanctioned based on their jurisdiction. SUEX, a crypto exchange and OTC broker sanctioned by OFAC in 2021, operated as a parasite exchange and was complicit in laundering millions of dollars for Russian ransomware groups.

‍

Parasite exchanges were also found to play an important role in the Russian darknet market ecosystem, resulting in significant exposure to Hydra - the world’s largest DNM until its sanctioning by OFAC in April 2022. Even controlling for sanctions exposure, TRM Labs research found parasite exchanges to carry 45 times more illicit exposure than compliant exchanges, as a percentage of their volume.

High-risk exchanges and other VASPs are characterized by lax compliance controls or are located in jurisdictions with weak regulatory oversight, which makes them attractive channels for money laundering activities. Over the course of 2022, TRM Labs tracked more than 500 active high-risk exchanges that together transferred tens of billions of dollars in value.

‍

High-risk VASPs share a combination of the following characteristics:

‍

• Exhibit elevated counterparty risk exposure to darknet marketplaces, scams, cybercrime services and other incidence of illicit on-chain activity such as money laundering
• Facilitate transactions using accounts of other exchanges without having a contractual relationship with them
• Use multiple accounts registered under fake or stolen identities to distribute their trading activity, making it harder for the host exchange to detect them
• Have inadequate KYC and AML procedures as well as weak or non-existent identity verification processes, making it easier for criminals to use these platforms for illegal activities
• Offer services that allow users to directly convert cryptocurrencies to cash or vice-versa, which helps to anonymize funds and avoid detection of illicit activities by authorities
• Operate from sanctioned jurisdictions or those listed on FATF Black and Grey lists

In addition to their primary role in crypto crime – the sale of illicit drugs – darknet markets (DNMs) are also involved in the laundering of proceeds from crime. Over the course of 2022, TRM Labs has witnessed a rise in international criminals using Russian-language DNMs to launder money.

Cryptocurrency payment processors are legitimate services that help individuals and businesses accept cryptocurrency as payment. These payment processors create payment addresses for customers and provide services that allow them to accept payments directly from their own websites, such as via an API, in return for a small percentage of the transaction value.

‍

Payment processors can be abused by criminals seeking to launder money, most commonly in placement and layering. Lightly regulated, they often have little to no KYC. By allowing users to create new addresses for every payment – or in some cases, reuse addresses for different actors – payment processors can make it more difficult for investigators to follow the flow of funds.

OTC desks allow users to exchange crypto for fiat and vice-versa without a centralized exchange or broker. They tend to specialize in larger sums. Although some established exchanges have proprietary OTC operations that are subject to stringent oversight, many private OTC brokers do not perform KYC or source of wealth checks on their customers. As a result, such OTC brokers are vulnerable to abuse by criminals seeking to cash out illegally-derived cryptocurrency.

P2P exchanges operate on the same principle as OTC desks: they enable users to change between cryptocurrencies and fiat. However, unlike OTC desks that are manned by brokers, P2P exchanges operate as fully automated DeFi entities. They operate by connecting trading partners seeking to buy or sell cryptocurrency without a third party intermediary. Some of these transactions can be arranged using cash or other non-crypto payment methods via the P2P platform.

Mixers, also known as tumblers, are services that blend multiple cryptocurrency transactions, making it difficult to trace the origin and destination of funds. According to the US Treasury’s National Money Laundering Risk Assessment from 2022, mixers and tumblers “help criminals hide the movement or origin of funds, creating additional obstacles for investigators.” 

‍

Mixers are not illegal; nor are they used exclusively for illicit activity. For example, many mixers advertise themselves as means to increase privacy and anonymity online. However, mixers are also frequently used by cybercriminals as a layering technique to disguise the source of illicit funds. The graph below shows an illicit actor using the Ethereum-based mixer Tornado Cash to obfuscate around USD 1 million of proceeds from a hack. After migrating the funds to the Ethereum blockchain and swapping them from USDC to ETH, the actor sends them to various wallets before depositing them into Tornado Cash.

‍

‍

In August 2022, OFAC sanctioned Tornado Cash, which has been used by North Korean cyber-criminals and other threat actors to launder the proceeds of hacks and other illicit activity. TRM Labs showed that North Korean cyber actors used Tornado Cash to launder over USD 1 billion of stolen funds in at least ten major cryptocurrency heists.

‍

In March 2023, German and US authorities, supported by Europol, announced the shutdown of ChipMixer, a cryptocurrency mixing service that facilitated international money laundering. During the operation, officials seized four servers and nearly USD 44.2 million in cryptocurrency. Research by TRM Labs confirms that ChipMixer was widely used by prominent ransomware syndicates to launder illicit proceeds. Among them were Karakurt, SunCrypt, REvil, Conti, LockBit, Ragnar Locker, and Royal. TRM Labs research also found at least 20 darknet marketplaces (DNMs) that sent funds to ChipMixer during the mixer’s nearly six years of activity.

Cash-to-crypto services can be used for layering through a laundering technique called money muling or smurfing. This entails the transfer of stolen funds by individuals unconnected to the original crime. 

‍

In the example below, in August 2022 a money laundering group deposited illicitly-obtained cash from into several crypto ATMs. From there, the funds, now in bitcoin, were sent to a consolidation wallet before being deposited at a large exchange.

‍

‍

In April 2023, a Missouri woman was arrested on charges of assisting with the movement of stolen funds. The suspect used cashiers checks and cryptocurrency ATMs to transfer USD 565,000 on behalf of the criminals that committed fraud in order to steal the victim’s funds. As smurfing can take place by unwitting third parties, it is often difficult to identify as the person committing the layering activity may not be aware of the source or destination of the funds.

High-risk exchanges are significantly more exposed to illicit counterparties than regulated exchanges, according to TRM Labs research. Some high-risk exchanges also operate as parasite exchanges, and usually have lax or non-existent KYC and AML processes. This makes them attractive platforms for cybercriminals who want to launder money or fund illicit activities. Administrators of such exchanges claim to earn 0.5%-1.0% commission on the transaction volume, depending on the share of revenue allocated to advertising and affiliate marketing necessary to drive traffic to their exchange.  

‍

In the example below, after hopping chains and diverting some of their stolen funds to a mixer, a scammer sends the remainder of the ill-gotten proceeds to a series of accounts at a Russia-based high-risk exchange.

‍

Programmatic money laundering (PML) includes using software to quickly move funds through hundreds or thousands of transactions, in an attempt to obfuscate the illicit origin. One of the most high-profile examples of cryptocurrency-based PML involved the North Korean Military in 2021.

‍

In the example below, an actor sent illicit funds from a mixer through a series of peel chains to “peel off” small amounts of BTC (represented by the green nodes) that are then sent to an exchange.

‍

Chain-hopping refers to the practice of moving cryptocurrency from one blockchain to another. While chain-hopping is not inherently illicit, it can be used by money launderers to obfuscate the transaction trail.

‍

For example, Bitfinex, a cryptocurrency exchange, fell victim in 2016 to a breach that resulted in the theft of nearly BTC 120,000. In 2022, the US Department of Justice (DOJ) used on-chain analytics to charge the two suspects in the case with fraud and money laundering. The money launderers conducted chain-hopping from Bitcoin to other blockchains, including swaps to anonymity-enhanced cryptocurrencies like Monero, before the funds were deposited into traditional financial accounts.

‍

TRM Labs research has also found bridge-hopping to be a favored money laundering methodology used by CSAM actors.

Privacy coins such as Monero, Zcash, and Dash provide enhanced privacy and anonymity features compared to standard cryptocurrencies like Bitcoin. Although privacy coins are not illegal, their ability to render transactions difficult to trace make them attractive for criminals seeking to launder illicit proceeds. 

‍

Several countries have cracked down on their use. Australia and South Korea have banned exchanges from offering privacy coins, while Japan banned them entirely in 2018. The use of blockchain intelligence tools to monitor crypto services that offer privacy coins helps law enforcement and regulators to identify on-ramps and off-ramps involving these protocols. 

‍

One challenge for such on-chain surveillance is that criminals frequently cash out using brokers who exchange physical banknotes for privacy coins deposited to their receiving address. The cash is then smuggled across borders while the cryptocurrency is traded on exchanges.

Because high-risk VASPs and parasite VASPs usually have weak to non-existent KYC and AML requirements, they are a preferred vehicle of cybercriminals and money launderers for moving funds as part of the layering process. These exchanges are sometimes referred to as swap services, because they allow criminals to pass funds through the service by exchanging one type of cryptocurrency for another, making tracing more difficult. Cybercriminals can also use these services to cash out into the traditional financial system.

Darknet markets (DNMs) are also used for layering illicit funds. The below example shows a drug vendor cashing out their profits from the DNM (represented by the red nodes) and sending the funds to addresses controlled by them at two separate exchanges.

‍

‍

The collapse in cooperation between Russia and the West on cybercrime matters since the start of the Ukraine war has created the perception among criminals that Russian-language DNMs have become a safe-haven from US and European law enforcement. As such, a wide range of criminals – including CSAM threat actors – have been observed depositing cryptocurrency to DNMs in order to obscure their original source: once crypto funds are withdrawn from DNM’s escrow accounts, they are no longer the same coins as those originally deposited.

Inter-VASP layering involves the use of several exchanges or other VASPs to break up and move funds during the money laundering process in order to make it more difficult for investigators to trace. Inter-VASP layering mirrors traditional money laundering techniques, whereby criminals use multiple banking services to obfuscate the source of funds; it is particularly difficult to trace funds through VASPs that settle transactions off-chain. 

‍

Although blockchain forensics tools can assist with identifying the transactions that reach the VASP, investigators are required to apply for legal data access to obtain the necessary transaction data to identify the off-ramps.

Payment processors can be abused by a variety of criminals and threat actors, including extremist and militant groups, to layer their funds. TRM Labs has identified numerous investment fraud schemes that have used mainstream payment processors. Violent extremist groups, including US-based neo-Nazi actors, have used payment processors to generate dynamic addresses, typically for the exchange of goods, services, or subscriptions. Following seizures by the Israeli government, Hamas and other Gaza-based militant groups stopped publicly publishing their cryptocurrency donation addresses and instead turned to payment processors, typically embedding them in their websites’ fundraising pages.

Although gambling is legal and socially acceptable in many jurisdictions, it has long been a useful method of laundering funds from illicit activity. The gambling process involves customers paying money into a casino or bookmakers’ and later cashing out any winnings along with the remaining funds and an official receipt. This gives money launderers the opportunity to claim that their illicitly-obtained funds are merely gambling profits. 

‍

Cryptocurrency-based gambling platforms make it difficult to trace funds through the service. However, they are increasingly subject to compliance regulations. This means that casinos must perform KYC and source of wealth checks on customers seeking to deposit large amounts. Later, should a suspected criminal claim gambling winnings as the source of their funds, the online casino in question can be subpoenaed by local law enforcement to release records relating to that user.

Decentralized finance (DeFi) is at risk of abuse by money launderers. While DeFi has the potential to increase financial inclusivity and provide more accessible and transparent services, it can also be exploited by those seeking to engage in illicit activities. 

‍

It is important to note that many DeFi platforms are actively implementing measures to enhance security, compliance and transparency. Regulatory authorities are also working on frameworks to address money laundering risks in the context of DeFi.

Cryptocurrency mining has been abused for laundering funds by ransomware groups, such as APT43, and other illicit actors. The coins minted on mining equipment acquired with illicit funds have no apparent ties to criminal activity, allowing criminals to cash out without leaving a traceable path on the blockchain.

‍

For example, TRM Labs has identified a DNM vendor using illicit funds made from the sale of drugs to purchase cloud mining accounts. The outputs from the mining transactions were then laundered through a Bitcoin ATM business controlled by the vendor, which provided a front for the illicit activity. From there the funds were withdrawn to a personally-held wallet.

‍

There are numerous options for transforming criminally obtained crypto into fiat currency. Bitcoin, Ethereum, and a range of other assets can be used online to buy gift vouchers, prepaid debit cards, or iTunes vouchers – without undergoing KYC or source of wealth checks. Unscrupulous OTC (“over the counter”) traders and P2P exchanges also offer cash-changing services with minimal scrutiny while maintaining client anonymity. 

‍

This transaction mechanism is often seen as part of the integration process for launders. Often they will engage services or peer traders that will not ask any questions about the source of funds so that the transfer is not subject to scrutiny.

It is possible for criminals to integrate their crypto-based wealth without resorting to fiat currency off-ramps. Over the past five years, an increasing array of goods and services has become available for purchase directly using cryptocurrency. This ranges from digital goods such as NFTs and in-game purchases to luxury goods and even real estate. These purchases may also be seen as stores of value, depending on how the criminal intends to use the asset in the future.