Must-Know Crypto Investigations of 2023: Global

TRM InsightsInsights
Must-Know Crypto Investigations of 2023: Global

We have traveled the globe over the course of our series “Must Know Crypto Investigations.” We have learned that law enforcement, in every region of the world, is focused on stopping bad actors from taking advantage of new technology. But the greatest lesson? Great investigations take great cooperation across borders and between the public and private sectors.

Our final installment in the series looks at some of 2023’s key global investigations that epitomize international law enforcement cooperation.

1. European and US authorities shut down mixing service used by illicit actors to launder billions

In March 2023, German and US authorities, with the support of Europol, shut down ChipMixer, a cryptocurrency mixing service that facilitated international money laundering. 

During the operation, German authorities seized four servers and nearly USD 44.2 million in cryptocurrency. US authorities also levied several charges against ChipMixer’s operator, Vietnamese national Minh Quốc Nguyễn, and seized two domains directing users to ChipMixer. Belgian, Polish and Swiss authorities also supported the case via information exchange facilitated by Europol. Nguyễn is alleged to have created ChipMixer in August 2017, procuring domain names and hosting services using identity theft, pseudonyms and anonymous email providers. 

Mixers enable users to hide the origins of their funds by mixing cryptocurrencies belonging to many users together. This may be used by lawful users to enhance the security and privacy of their transactions, as well as illicit actors seeking to throw law enforcement off their trail.

In the case of ChipMixer, authorities’ investigations suggest that ChipMixer may have facilitated the laundering of up to USD 3 billion worth of Bitcoins. TRM Labs’ intelligence confirms that ChipMixer was widely used by prominent ransomware syndicates. “ChipMixer was used by some of the most notorious and sophisticated groups in the history of ransomware. In particular, the Royal ransomware gang, which has targeted over 350 organizations worldwide with ransom demands totaling more than USD 275 million, was a frequent user of ChipMixer,” shared Callie Brutcher, Blockchain Intelligence Analyst at TRM, and former Tactical Specialist for Cyber Investigations at the US Federal Bureau of Investigation (FBI). “Ransomware attacks are largely financially motivated. By unmasking their techniques and taking down the tools syndicates utilize to launder funds, law enforcement is disrupting ransomware operations and hitting groups where it hurts most.”

In one instance, actors affiliated with Royal used ChipMixer to launder nearly USD 500,000 from a ransom payment they received in November 2022.

TRM also found that ChipMixer was used by at least 20 darknet marketplaces (DNMs) and some independent vendors of illicit drugs, to launder their illicit proceeds. Hydra, the world’s largest DNM before its April 2022 takedown, laundered over USD 17 million through ChipMixer. DNMs are multi-vendor online illicit global commerce platforms located on the “darknet”, an encrypted section of the internet neither accessible from standard internet browsers nor indexed by search engines, and are the epicenter of the online crypto-mediated illicit drugs trade. 

ChipMixer was used by at least 20 DNMs to launder their ill-gotten gains.

2. Worldwide takedown of western darknet marketplace severely disrupts illicit drugs trade

In May 2023, global law enforcement dealt another blow to the illicit drugs trade by taking down Monopoly Market, a western DNM. The Europol-coordinated operation involved authorities from the US, UK, Germany, Netherlands, Austria, France, Switzerland, Poland and Brazil, making a total of 288 arrests across nine countries, including both vendors and buyers. 

Monopoly Market was itself a relatively small player in the western DNM ecosystem, with around 1,200 listings and a total sales volume of about USD 1.6 million over four years. However, the case is significant due to its outsized impact on the wider western DNM landscape. Authorities were able to seize more than USD 53.4 million in cash and cryptocurrencies, as well as large amounts of illicit drugs and firearms from the arrested suspects. The overall deposit volumes into western DNMs also fell by about a third following the announcement of the Monopoly takedown. 

One explanation for this apparent ripple effect is that western DNM vendors tend to be active across multiple DNMs at once. This allows vendors to build a steady, multi-source income stream and hedge against the risk of any one DNM going down. Because some vendors caught operating on Monopoly Market were also likely to have been active on other DNMs, its takedown resulted in sales and volume declines far beyond the seized marketplace.

“The knock on effect of this disruption shows just how interconnected the online illicit drug trade is. When law enforcement is able to make a broad strike on a single DNM, comprehensively targeting both vendors and customers, there is significant potential for outsized impact even if the DNM is small,” explained Allan Liefke, Global Investigator at TRM and former special agent with the US Drug Enforcement Administration (DEA). “Stealth is an important factor in achieving such a thorough take down. Monopoly Market went offline back in December 2021, but the seizure was not announced until this year. This would have given authorities ample time to dig into seized data to identify vendors and customers without alerting the suspects.”

The value and volume of deposits into Western DNMs fell sharply after the Monopoly takedown was announced.

3. Global law enforcement cripple online marketplace for stolen digital identities

In April 2023, a global law enforcement operation led by the FBI and Dutch National Police and coordinated by Europol arrested 119 suspects for their involvement in Genesis Market, an online criminal marketplace that mainly sold stolen digital identities. Authorities from 19 countries, all the way from North America to Europe to Australia, were involved in the operation. 

Genesis specialized in the sale of “bots” which “advertised and sold packages of stolen account access credentials.” Upon purchase, buyers would be able to access all data harvested by the bot, including “fingerprints, cookies, saved logins and autofill form data.” They were also provided with a custom browser that would allow them to access victim accounts without triggering security measures. Over 1.5 million bots were available for sale on Genesis, for as little as USD 0.70 per bot. 

TRM analysis shows that Genesis amassed almost USD 8 million in revenue between February 2018 and May 2022. Genesis received the biggest share of those funds from payment services, crypto exchanges and P2P crypto marketplaces where users can buy, sell, and/or trade digital assets in exchange for fiat currency.

“The scale of identity theft being monetized on Genesis was staggering. It hosted more than 80 million credentials and digital fingerprints from more than two million people. Just in the UK alone, hundreds of users were identified, and 24 arrests were made,” commented Michael Donegan, Global Investigator at TRM and former Senior Operational Support Officer at the UK National Crime Agency. “Aside from serving justice to criminals, the Genesis seizure also allowed law enforcement to identify and support victims. Through an initiative of the Dutch National Police, members of the public can check online if their data was compromised, and take steps to protect themselves.”

While the operation crippled Genesis’ operations, darknet forums suggest that some servers remain functional and its administrators may still be at large. The way Genesis’ operations were set up likely posed significant challenges to asset seizure as well. Genesis used a third party payment processor to collect deposits from its customers. Because the payments were routed through a different entity with a different server, seizure of assets would have been more difficult than in situations where payments are being processed directly by the marketplace itself.

“This case throws light on some challenges investigators face in targeting illicit e-commerce,” added Mr Donegan. “Blockchain intelligence tools like TRM can help investigators to uncover interconnectivities in the ecosystem, and enable further disruption.”

TRM’s on-chain analysis found that the payment processor was not just used by Genesis, but numerous “carding shops” specializing in selling stolen credit card information.

4. US authorities and global partners take down malware bot infrastructure and seize millions in illicit crypto

In late August 2023, the FBI, in cooperation with law enforcement agencies from around the world, announced a proactive disruption of the infrastructure of Qakbot, a sophisticated malware variant and botnet used since 2008 to further cyber-criminal activity, including ransomware and exfiltration of victim data. Qakbot was used by many prominent ransomware groups to infect victim computers and then demand extortion “ransom payments” in order to delete the botnet from the victims’ computers.

The extensive operation succeeded in redirecting botnet traffic to an FBI controlled server, removing Qakbot malware from infected victims, and dismantling of its global infrastructure. Authorities were also able to seize or freeze approximately USD 8.6 million worth of  cryptocurrency in illicit proceeds. 

“Like most cyber criminals, Qakbot, over time, evolved to a pretty exclusive use of cryptocurrency [..] because of the perceived anonymity behind it and the speed at which you can move value across borders,” explained FBI Cyber Division Section Chief Bryan Smith. “We’ve used a number of blockchain analytics tools to then identify the cryptocurrency and trace that across the globe [leading to the successful seizure]. ”

This major disruption was the culmination of over a decade of investigative efforts and multi-agency collaborations, a testament to the power of persistence and partnership.

5. Global cyber crime operation seized over $100 million in crypto fraud proceeds

In December 2023, INTERPOL announced the conclusion of Operation HAECHI IV, a transnational police operation against online financial crime. The six month operation, which was financially supported by Korea and involved authorities from over 30 countries around the world, targeted seven kinds of cyber-enabled scams: voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise fraud, and e-commerce fraud. In particular, 75% of HAECHI IV’s cases investigated revolved around investment fraud, business email compromise and e-commerce fraud.

Authorities made over 3,500 arrests and seized over USD 199 million in cash and USD 101 million in virtual assets. INTERPOL also worked with frontline officers and VASPs to identify 367 virtual asset accounts linked to transnational organized crime. Assets have been frozen by the relevant police agencies and investigations are ongoing.

“With crypto and the internet, there are no borders for fraudsters and scammers. They can easily target a victim on the other side of the world, and decentralize their operations across multiple jurisdictions. Transnational and inter-agency operations are therefore critical to stop frauds and scams,” said Lisa Wolk, Manager of Global Investigations at TRM. “Public-private partnerships are also essential. VASPs are a key interruption point since they are typically the last stop on the money laundering trail before funds are converted back to fiat currencies. VASPs’ commitment to strong compliance controls, as well as close cooperation with law enforcement, is key to detecting and stopping these illicit actors.”

Looking at these cases, it is equally clear that borders are no barrier to law enforcement in fighting crypto-related crime. 2024 looks set to continue this trend - just this week, authorities announced the takedown of LockBit, one of the world’s most prolific ransomware syndicates, through a global operation. With such close and careful cooperation across the international community, more large-scale disruptions are on the horizon.

If you are a law enforcement officer wanting to expand your crypto investigative skills through learning and partnership with the global law enforcement community, join our law enforcement-only working group, LEO Labs, here

This is some text inside of a div block.
Subscribe and stay up to date with our insights

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Transaction Monitoring/Wallet Screening
Training Services
Training Services
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.