The First Crypto War? Assessing the Illicit Blockchain Ecosystem One Year Into Russia's Invasion of Ukraine


When Russia invaded Ukraine on February 24, 2022, many analysts and commentators anticipated that it would become the world’s first crypto war.

There were several reasons for such predictions. First, the offensive marked the start of the first major international conflict since the mainstream emergence of crypto in the 2010s. It also coincided with the top of the crypto bull run, when bitcoin and blockchain-enabled goods such as NFTs reached historic highs and maximum hype.

Second, countries of the former Soviet Union have long dominated global hacking and cybercrime activity. Both factors raised expectations that cyber warfare would play a significant role in the conflict. 

Third, Ukraine’s wholehearted embrace of crypto for international donations, together with fears that Western sanctions would spur a rise in crypto adoption by Russian entities seeking to evade them, also contributed to a sense of crypto’s centrality to the conflict. 

As the war marks its grim first anniversary, TRM Labs has focused its analysis on the state of the illicit crypto ecosystem over the past year. This report discusses how cybercriminals have adjusted their organizations and tactics to adapt to the ongoing financial, political and logistical disruptions facing Europe and the wider world.

Key Findings

Before February 2022, Russia and Ukraine, together with several neighboring countries, exhibited broad commonalities when it came to crypto crime.

Exchanges linked to Russia and Ukraine accounted for more than half of all international volumes of illicit crypto funds, while cybercriminal syndicates and other illicit groups were staffed by Russian speakers from across the region with little apparent division along national or ethnic lines. These malware groups tended to choose their targets for commercial, rather than political, reasons.

Russian-language darknet markets (DNMs) dominated the global crypto drugs trade in terms of volumes and appeared impervious to law enforcement action. Also known as cryptomarkets, DNMs are multi-vendor online illicit global commerce platforms that mainly specialize in the sale of illicit drugs.

DNMs combine anonymisation networks and cryptocurrencies with encryption technologies. They are distinct from independent single-vendor shops that also sell illicit drugs, and from other types of fraud stores. Deposits into Russian-language DNMs represent over 80% of all deposits made to darknet marketplaces globally.

In the year since the outbreak of war, TRM research has noted changes to many of these characteristics, while others have remained largely unaffected.

View the full report here, which covers the key findings summarized below:

  • Despite Western Sanctions and Shutdowns, Russian-language DNMs, Ransomware Groups and High-Risk Exchanges Continue to Thrive

The year 2022 was marked by unprecedented action by Western governments and law enforcement agencies against DNMs and high-risk exchanges linked to Russia. In April 2022, German police confiscated the servers powering Hydra, at the time the world’s largest DNM.

That same month, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned both Hydra and Garantex, a Russia-based crypto exchange that was also registered in Estonia and which was accused of facilitating over USD 100 million in transactions associated with illicit actors and DNMs, including nearly USD 6 million from Russian ransomware gang Conti and some USD 2.6 million from Hydra.

Despite these actions, not only does Garantex continue to operate, but it more than doubled its trading volumes over the course of 2022. Similarly, TRM research found that new Russian-language DNMs have quickly filled the vacuum left by Hydra, with sales in May-December 2022 equaling and surpassing those between January and April, when Hydra was still active.

And although Conti officially shut down in May 2022, it has continued to operate after rebranding as several smaller but related entities. One of them, Karakurt, appears to have been set up by Conti as a side-project in 2021. 

Russia remains home to the world’s largest number of high-risk crypto exchanges, with nearly 10% of all the transactions on its exchanges classified by TRM as high risk – a figure that has remained relatively constant before and after the invasion. Located beyond the reach of Western law enforcement, these high-risk exchanges saw cryptocurrency volumes in 2022 dip only slightly from the previous year, even as the crypto winter wiped out around 60% of the value of bitcoin. 

  • Entities Linked to Child Sexual Abuse Materials (CSAM) Flocked to Russian High-Risk Exchanges and DNMs

The total collapse in cooperation between Russia and the West on cybercrime matters may have encouraged the rise of new or previously uncommon illicit activity. 

TRM research tracked USD 3.81 million sent to CSAM-linked entities over 2022. TRM research found a spike in the volumes of funds sent by CSAM-linked entities to Russian high-risk exchanges in the leadup to and immediate aftermath of the invasion. And while some links were previously observed between CSAM actors and DNMs, traffic to DNMs grew significantly over 2022.

The CSAM actors may have turned to Russian-language DNMs as mixers to obscure the source of funds, taking advantage of the complexity of the cryptocurrency infrastructure deployed by such markets, and possibly because of a perception that the DNMs are beyond the reach of international law enforcement.

  • A Rising Politicization Detected Among Hackers, But Not in Darknet Marketplaces or Forums

The war coincided with the politicization of some Russian-speaking hacking and cybercrime groups, several of which began soliciting crypto donations. For example, the malware and DDoS group KillNet pledged its allegiance to the Russian state and threatened to attack entities linked to countries, such as the US and its allies, that oppose Russian foreign policy.

KillNet has also used its popular Telegram channel to raise cryptocurrency that it claims funds donations of military equipment to Russian army units. KillNet’s pro-Ukrainian counterpart, Dump Forums, has conducted cyber attacks against Russian targets and also fundraises using Telegram.

On the other hand, other areas of the illicit crypto economy appear to have remained relatively insulated from geopolitical rifts. This was found to be the case for DNMs and darknet forums. Our analysis established that while some DNMs have acquired reputations as either pro-Russian or pro-Ukrainian, in general the space has remained politically neutral. 

Commercial imperatives – competition over product quality and the race for market dominance in the wake of the shutdown of Hydra, the world’s largest DNM, in April 2022 – appear to trump politics, with groups allying with and attacking each other independently of their purported political leanings.
