Crypto Criminals: How Hackers Make Money with Digital Currencies

The advent of cryptocurrency promised faster payments, programmability and financial inclusion; however, this open, global system of money has also proved to be a potent instrument for criminals. Over the last decade, scammers, hackers and organized groups have developed ever more sophisticated methods of stealing cryptocurrency and turning it into cashable value. This article explains the methods they use, why they are so difficult to stop, and what businesses, investors and government officials can do to reduce the chance of becoming a victim.

Quick overview: why crypto is attractive to criminals

Three aspects make cryptocurrency attractive to criminals:

  • Pseudonymity – transactions are publicly visible on the blockchain, but wallet addresses are not tied to a name. This allows tracing, but tracing can be slow and uncertain.

  • Speed and global reach – funds move across borders almost instantly, and criminals do not need local bank relationships.

  • On-chain tooling – smart contracts, decentralized exchanges (DEXs) and tokens create a variety of new attack surfaces and novel ways to launder funds.

Knowing the tactics they employ helps defenders react more effectively.

How hackers obtain the money (common attacks)

  1. Custodial and exchange security breaches
    Centralised platforms are a prime target because they hold keys for large numbers of users. A successful breach lets attackers transfer large amounts of money quickly.

  2. DeFi and smart-contract vulnerabilities
    Flaws in smart contracts (reentrancy bugs, oracle manipulation, logic errors) let attackers drain liquidity pools, carry out flash-loan attacks or mint tokens from nothing.

  3. Social engineering and phishing
    Malicious links, fake dApps, compromised emails or bogus investment schemes trick users into signing transactions or revealing seed phrases.

  4. Rug pulls and exit scams
    Scammers create tokens or liquidity pools, inflate prices with hype, then withdraw the liquidity and leave investors holding worthless tokens.

  5. Private-key theft and wallet compromise
    Malware, clipboard hijackers and account takeovers (including social-media account compromises used for seed or password resets) are all common.

  6. Account takeovers at centralized services
    Using KYC/AML weaknesses or stolen credentials, attackers drain user accounts and cash out through exchanges.
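To make the reentrancy class of bug named in item 2 concrete, here is an added teaching model written for this article (not the page author's code and not any real contract). It stands in for an EVM vault in plain Python: the "external call" a contract makes when paying out is a Python callback, so a withdraw that pays before updating its ledger can be re-entered through the recipient's code, while the checks-effects-interactions ordering plus a guard stops that. The vault classes, participant names and amounts are constructed.

```python
"""Python model of a reentrancy bug and the checks-effects-interactions fix.

Constructed teaching model (not EVM code): the "external call" that a
contract makes when sending funds is represented by a Python callback, so
the control-flow hazard can be observed offline.
"""


class ReentrancyError(Exception):
    """Raised when a guarded function is entered while it is already running."""


class VulnerableVault:
    """Pays out before updating the ledger: interaction before effect."""

    def __init__(self):
        self.balances = {}
        self.pool = 0  # total funds the vault currently holds

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who, callback):
        amount = self.balances.get(who, 0)
        if amount <= 0 or amount > self.pool:
            return
        self.pool -= amount
        callback(self, amount)      # external call: recipient code runs here
        self.balances[who] = 0      # effect applied only after the call


class HardenedVault(VulnerableVault):
    """Checks, then effects, then interactions, plus a reentrancy guard."""

    def __init__(self):
        super().__init__()
        self._locked = False

    def withdraw(self, who, callback):
        if self._locked:
            raise ReentrancyError("re-entrant call rejected")
        self._locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount <= 0 or amount > self.pool:
                return
            self.balances[who] = 0  # effect first
            self.pool -= amount
            callback(self, amount)  # interaction last
        finally:
            self._locked = False


def run_reentry_scenario(vault_cls, honest_deposit=10, own_deposit=1, max_depth=5):
    """Return (amount paid to a re-entering withdrawer, funds left in the vault).

    The callback models a recipient whose fallback code calls withdraw()
    again, up to `max_depth` nested times. Against VulnerableVault each
    nested call still sees the unchanged balance; against HardenedVault the
    nested call raises (the EVM equivalent is a revert) and only the
    withdrawer's own deposit is paid out.
    """
    vault = vault_cls()
    vault.deposit("honest", honest_deposit)
    vault.deposit("withdrawer", own_deposit)
    paid = {"total": 0, "depth": 0}

    def fallback(v, amount):
        paid["total"] += amount
        paid["depth"] += 1
        if paid["depth"] < max_depth:
            try:
                v.withdraw("withdrawer", fallback)
            except ReentrancyError:
                pass  # nested call rejected; the outer call still completes

    vault.withdraw("withdrawer", fallback)
    return paid["total"], vault.pool


if __name__ == "__main__":
    print("vulnerable:", run_reentry_scenario(VulnerableVault))  # (5, 6)
    print("hardened:  ", run_reentry_scenario(HardenedVault))    # (1, 10)
```

The point an auditor looks for is the ordering: in the vulnerable version the balance is zeroed only after control has left the contract, so every nested call passes the same check. Writing the effect before the interaction removes the window, and the guard makes the failure loud rather than silent.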

How stolen crypto gets cashed out – high-level methods

The following describes the concepts so that readers understand the paths involved, without providing a “how-to” for wrongdoing.

1. Chain-hopping and token swaps

Thieves move stolen funds across several blockchains and tokens to make them harder to trace. Each hop adds complexity for investigators.

2. Decentralized exchanges (DEXs) and on-chain swaps

Large amounts may be swapped into stablecoins or other liquid coins on DEXs, typically in many small transactions to avoid price slippage or attracting attention.

3. Mixing and privacy services

Services known as “mixers” (or coin tumblers) pool funds from many users and shuffle the outputs to break the links between deposits and withdrawals. Some mixers are centralized; others are implemented as smart contracts. Law enforcement agencies have identified mixers as facilitators of money laundering, but alternatives keep appearing.

Discussing mixers is essential for raising awareness; giving operational instructions for concealing funds could enable wrongdoing, which is why this article stays at a high level.

4. Bridges, wrapped tokens and fiat off-ramps

Bridges move tokens to other chains, after which funds can be sent to exchanges that allow fiat withdrawals. Attackers look for weak KYC enforcement or P2P on-ramps that convert crypto into cash.

5. Peer-to-peer (P2P) exchanges and OTC desks

Over-the-counter desks and P2P platforms let buyers and sellers trade directly, often with fewer identity checks. Criminals use intermediaries and layered trades to obtain cash.

6. Privacy coins and obfuscation tokens

Cryptocurrencies designed for privacy (or tokens with privacy features) are appealing for quickly hiding funds, but authorities have developed tools to study transaction flows into and out of these chains.

7. NFT and gaming economies

Sometimes stolen funds are used to buy NFTs or in-game items at inflated prices; the assets are later sold to third parties, providing a (noisy) way to realise the proceeds.

8. Prepaid cards, gift cards and crypto ATMs

Attackers convert crypto into gift or prepaid cards (harder to track once spent) or use crypto ATMs that permit cash withdrawals with varying degrees of KYC.

Why tracing is difficult – and why it sometimes gets easier

  • Layers of obfuscation: multiple swaps, mixers and chain hops generate noise.

  • Uncooperative intermediaries: some platforms do not make KYC/AML data available or share it promptly.

  • Fast innovation: bridges, tokens and services emerge faster than the rules or analytics tools evolve.

Blockchain transparency is also a tool for investigators. On-chain forensics companies and law enforcement agencies increasingly use address clustering, labelling, cross-referencing and exchange KYC records to trace assets and identify suspects. Public pressure and regulatory action can also make cash-out points riskier for criminals in the long run.
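To show what the clustering and labelling step actually does, here is an added example written for this article (not any forensics vendor's code): the common-input-ownership heuristic joins every address that is spent together as inputs of one transaction into a cluster, and a breadth-first walk then reports when a cluster's funds arrive at a labelled address such as an exchange deposit. The transactions, addresses and labels are constructed placeholders, not real on-chain data.

```python
"""Address clustering (common-input-ownership heuristic) and label tracing.

Constructed example data: the transactions, addresses and labels below are
placeholders invented for illustration, not real on-chain identifiers.
"""
from collections import defaultdict

# Each transaction lists the addresses it spends from and the addresses it
# pays to (UTXO style). Constructed: funds start at A1, hop twice through
# fresh addresses, and finally land at an address a label ties to an exchange.
TRANSACTIONS = [
    {"txid": "tx1", "inputs": ["A1", "A2"], "outputs": ["B1"]},
    {"txid": "tx2", "inputs": ["A2", "A3"], "outputs": ["B2"]},
    {"txid": "tx3", "inputs": ["B1", "B2"], "outputs": ["C1"]},
    {"txid": "tx4", "inputs": ["C1"], "outputs": ["X9"]},
    {"txid": "tx5", "inputs": ["D1", "D2"], "outputs": ["D3"]},  # unrelated activity
]

# Labels an investigator would hold from prior cases or KYC records
# (constructed placeholders).
LABELS = {
    "A1": "theft origin (constructed label)",
    "X9": "exchange deposit address (constructed label)",
}


def cluster_addresses(txs):
    """Map every address to the frozenset of addresses in its cluster.

    Union-find over the inputs of each transaction: all inputs of one
    transaction are joined, because one party had to sign for all of them.
    Output-only addresses become singleton clusters.
    """
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    for tx in txs:
        for addr in tx["inputs"] + tx["outputs"]:
            find(addr)  # register the address
        for addr in tx["inputs"][1:]:
            union(tx["inputs"][0], addr)

    groups = defaultdict(set)
    for addr in parent:
        groups[find(addr)].add(addr)
    return {addr: frozenset(members) for members in groups.values() for addr in members}


def trace_to_labels(txs, clusters, labels, start, max_hops=8):
    """Walk forward from the cluster containing `start` and report every
    labelled address reached, with the hop count and the transaction that
    delivered the funds. One hop = one transaction spending from the frontier.
    """
    frontier = set(clusters[start])
    seen = set(frontier)
    reached = {}
    for hop in range(1, max_hops + 1):
        nxt = set()
        for tx in txs:
            if not any(i in frontier for i in tx["inputs"]):
                continue
            for out in tx["outputs"]:
                if out in labels and out not in reached:
                    reached[out] = {"label": labels[out], "hops": hop, "txid": tx["txid"]}
                nxt |= clusters[out]
        nxt -= seen
        if not nxt:
            break
        seen |= nxt
        frontier = nxt
    return reached


if __name__ == "__main__":
    clusters = cluster_addresses(TRANSACTIONS)
    print(sorted(clusters["A1"]))            # ['A1', 'A2', 'A3']
    print(trace_to_labels(TRANSACTIONS, clusters, LABELS, "A1"))
```

Two caveats a practitioner keeps in mind: the heuristic is wrong for CoinJoin-style transactions, where several parties deliberately co-sign inputs, and every extra hop in the walk multiplies the number of candidate addresses, which is exactly the noise the previous section describes. Labels from exchange KYC are what turn a cluster into a person.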

Warning signs and red flags for investors

  • Newly launched tokens with anonymous teams and very large founder allocations.

  • Projects without a third-party audit or with rushed contract roll-outs.

  • Guaranteed returns, unrealistic APYs or heavy influencer marketing.

  • Rapid liquidity withdrawals paired with silence from the project team on social media.

  • Unexpected activity in your wallet: approvals you did not authorize or token transfers to unfamiliar addresses.

If you notice several of these signals, treat the asset and any associated links with extreme care.

Practical protections (for platforms and users)

For individuals

  • Use hardware wallets for holdings of significant value. Never paste seed phrases into websites.

  • Enable 2FA and prefer app-based authenticators over SMS.

  • Manage approvals: regularly revoke token approvals you no longer need.

  • Verify URLs and smart-contract sources before interacting with them, and treat unsolicited links as suspicious.

  • Spread custody: don’t keep all your funds on one exchange or in one wallet.

  • Use reputable services for large transactions; choose platforms with robust AML controls or insurance coverage.

Exchanges and custodians

  • Strong KYC and transaction-monitoring systems to detect suspicious cash-outs.

  • Integration of on-chain analytics to identify deposits suspected of coming from illicit clusters.

  • Quick takedown and freezing processes in collaboration with law enforcement.

  • Multi-sig controls and periodic audits.

For DeFi projects

  • Security audits by independent firms (and public bug-bounty programmes).

  • Time-locks on admin keys and transparent multisig governance to reduce rug-pull risk.

  • Clear, verifiable team identities and tokenomics that do not allow immediate draining.
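As an added example of the transaction-monitoring and on-chain-analytics controls in the list above (constructed for this article; not any exchange's real rule set), the Python below applies two simple rules to constructed records: a sliding-window structuring check for accounts that split a large cash-out into several sub-threshold withdrawals, the "many small transactions" pattern described earlier, and a screen that flags deposits arriving from addresses an analytics feed has placed in a high-risk cluster. The threshold, window, accounts and addresses are assumptions.

```python
"""Two transaction-monitoring rules for an exchange or custodian.

Constructed example: records, threshold, window and addresses are invented
for illustration; real programmes tune these to their own risk model.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Withdrawal:
    account: str
    at: datetime
    amount_usd: float
    dest_address: str


@dataclass(frozen=True)
class Deposit:
    account: str
    at: datetime
    amount_usd: float
    source_address: str


THRESHOLD_USD = 10_000.0        # assumed reporting threshold
WINDOW = timedelta(hours=24)
MIN_COUNT = 3                   # minimum withdrawals to call it structuring


def find_structuring(withdrawals, threshold=THRESHOLD_USD, window=WINDOW, min_count=MIN_COUNT):
    """Flag accounts whose withdrawals inside one window all stay below the
    threshold individually but exceed it in aggregate. Returns one alert
    per account (the first window that matches)."""
    by_account = defaultdict(list)
    for w in withdrawals:
        by_account[w.account].append(w)

    alerts = []
    for account, ws in by_account.items():
        ws.sort(key=lambda w: w.at)
        start = 0
        for end in range(len(ws)):
            while ws[end].at - ws[start].at > window:
                start += 1          # slide the window forward
            window_ws = ws[start:end + 1]
            total = sum(w.amount_usd for w in window_ws)
            if (len(window_ws) >= min_count
                    and all(w.amount_usd < threshold for w in window_ws)
                    and total >= threshold):
                alerts.append({"account": account, "count": len(window_ws),
                               "total_usd": total, "first": window_ws[0].at,
                               "last": window_ws[-1].at})
                break
    return alerts


def screen_deposits(deposits, high_risk_addresses):
    """Return deposits whose source address sits in a high-risk cluster
    supplied by an analytics provider (here a constructed set)."""
    return [d for d in deposits if d.source_address in high_risk_addresses]


# Constructed sample records.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_WITHDRAWALS = [
    # u1 splits 18,000 into four sub-threshold withdrawals within six hours.
    Withdrawal("u1", T0, 4_500.0, "addr-w1"),
    Withdrawal("u1", T0 + timedelta(hours=1), 4_500.0, "addr-w2"),
    Withdrawal("u1", T0 + timedelta(hours=3), 4_500.0, "addr-w3"),
    Withdrawal("u1", T0 + timedelta(hours=6), 4_500.0, "addr-w4"),
    # u2 makes one large withdrawal: over the threshold, so it is caught by
    # the ordinary threshold rule rather than by this structuring rule.
    Withdrawal("u2", T0, 50_000.0, "addr-w5"),
    Withdrawal("u2", T0 + timedelta(hours=2), 200.0, "addr-w6"),
    # u3 spreads three small withdrawals over three days: no window matches.
    Withdrawal("u3", T0, 3_000.0, "addr-w7"),
    Withdrawal("u3", T0 + timedelta(hours=25), 3_000.0, "addr-w8"),
    Withdrawal("u3", T0 + timedelta(hours=50), 3_000.0, "addr-w9"),
]
SAMPLE_DEPOSITS = [
    Deposit("u4", T0, 7_200.0, "addr-clean-1"),
    Deposit("u5", T0, 12_000.0, "addr-risky-7"),
]
HIGH_RISK_ADDRESSES = {"addr-risky-7"}   # constructed analytics feed


if __name__ == "__main__":
    for alert in find_structuring(SAMPLE_WITHDRAWALS):
        print("structuring:", alert)
    for dep in screen_deposits(SAMPLE_DEPOSITS, HIGH_RISK_ADDRESSES):
        print("high-risk deposit:", dep)
```

The structuring rule fires on the third sub-threshold withdrawal, not the last one, so an analyst can act while the remaining cash-outs are still pending. The deposit screen is deliberately a plain set lookup; in practice the risky-address set comes from a vendor feed and is refreshed continuously, and a hit routes the deposit to a hold-and-review queue rather than to an automatic block.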

What law enforcement and regulators are doing (high level)

  • Sanctions and enforcement actions against known mixers and laundering providers.

  • International collaboration to track cross-border flows and exchange subpoenas.

  • Regulatory frameworks requiring exchanges to carry out KYC, AML monitoring and suspicious-activity reporting.

  • Forensic partnerships: law enforcement increasingly works with blockchain-analytics firms to locate and freeze stolen funds.

These measures raise the risk and cost for criminals, but enforcement is usually reactive and struggles to keep up with the latest technology.

Emerging trends in criminal behaviour

  • Flash-loan-enabled attacks that exploit temporary liquidity without requiring capital.

  • Layer-2 and cross-chain tooling used to move value between ecosystems quickly.

  • Greater blending with real-world assets (NFTs, tokenized securities and gambling assets) to obscure provenance.

  • Use of decentralized privacy and identity tools to circumvent KYC-lite services.

Defenders must watch developments in this area and prioritize adaptive controls.

If you’ve been compromised – immediate steps

  1. Move unaffected funds to cold storage.

  2. Revoke all active approvals for the compromised accounts (use reliable revocation services).

  3. Contact the exchanges or platforms where cash-outs might occur, provide the transaction details and ask them to block suspicious withdrawals.

  4. Report to local law enforcement and to crypto-forensics firms that can track the flow of funds.

  5. Document everything: timestamps, transaction IDs (txids), communications and screenshots.

The sooner you take coordinated action, the better the chances of recovery.
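Both the “approvals you did not authorize” red flag earlier on this page and step 2 of the checklist above depend on knowing which token approvals a wallet currently has outstanding. As an added example written for this article (not the page author's code and not any wallet vendor's tooling), the Python below replays constructed ERC-20 Approval event logs for one owner to reconstruct the live allowances and flags the ones worth revoking: allowances to spenders the owner does not recognise, and unlimited allowances even to trusted contracts. The Approval topic hash is the real ERC-20 event signature; the token, wallet and spender addresses and the trusted-spender list are constructed placeholders.

```python
"""Reconstruct outstanding ERC-20 allowances from Approval event logs and
flag the ones worth revoking.

Constructed example: the addresses and logs below are placeholders; the
event topic is the real keccak256 of "Approval(address,address,uint256)".
"""

APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
UNLIMITED = 2**256 - 1   # the "infinite approval" value many dApps request

# Constructed placeholder addresses.
WALLET = "0x" + "aa" * 20
OTHER_WALLET = "0x" + "ab" * 20
ROUTER = "0x" + "bb" * 20       # a DEX router the owner knowingly uses
UNKNOWN = "0x" + "cc" * 20      # a spender the owner does not recognise
TOKEN_A = "0x" + "01" * 20
TOKEN_B = "0x" + "02" * 20
TRUSTED_SPENDERS = {ROUTER}


def _pad_address(addr):
    """ABI-encode an address as a 32-byte log topic."""
    return "0x" + "00" * 12 + addr[2:].lower()


def _encode_uint(value):
    return "0x" + format(value, "064x")


def approval_log(token, owner, spender, value):
    """Build a log record in the shape JSON-RPC eth_getLogs returns."""
    return {"address": token,
            "topics": [APPROVAL_TOPIC, _pad_address(owner), _pad_address(spender)],
            "data": _encode_uint(value)}


# Constructed event history, in chain order.
LOGS = [
    approval_log(TOKEN_A, WALLET, ROUTER, UNLIMITED),      # unlimited to a known router
    approval_log(TOKEN_A, WALLET, UNKNOWN, 5 * 10**18),    # to an unrecognised spender
    approval_log(TOKEN_B, WALLET, UNKNOWN, UNLIMITED),     # unlimited, later revoked...
    approval_log(TOKEN_B, WALLET, UNKNOWN, 0),             # ...by approve(spender, 0)
    approval_log(TOKEN_A, OTHER_WALLET, UNKNOWN, 1),       # someone else's wallet
    {"address": TOKEN_A, "topics": [TRANSFER_TOPIC, _pad_address(WALLET),
                                    _pad_address(ROUTER)], "data": _encode_uint(1)},
]


def parse_approval(log):
    """Decode an Approval log; return None for any other event."""
    if log["topics"][0].lower() != APPROVAL_TOPIC or len(log["topics"]) != 3:
        return None
    return {"token": log["address"].lower(),
            "owner": "0x" + log["topics"][1][-40:].lower(),
            "spender": "0x" + log["topics"][2][-40:].lower(),
            "allowance": int(log["data"], 16)}


def current_allowances(logs, owner):
    """Replay Approval events in order; the latest value per (token, spender)
    is the live allowance, and zero means it has been revoked."""
    state = {}
    for log in logs:
        ev = parse_approval(log)
        if ev and ev["owner"] == owner.lower():
            state[(ev["token"], ev["spender"])] = ev["allowance"]
    return {key: amount for key, amount in state.items() if amount > 0}


def risky_allowances(allowances, trusted_spenders):
    """Return allowances to revoke or reduce, with the reason for each."""
    trusted = {s.lower() for s in trusted_spenders}
    findings = []
    for (token, spender), amount in allowances.items():
        reasons = []
        if spender not in trusted:
            reasons.append("unknown spender")
        if amount == UNLIMITED:
            reasons.append("unlimited allowance")
        if reasons:
            findings.append({"token": token, "spender": spender,
                             "allowance": amount, "reasons": reasons})
    return findings


if __name__ == "__main__":
    live = current_allowances(LOGS, WALLET)
    for finding in risky_allowances(live, TRUSTED_SPENDERS):
        print(finding)
```

Replaying the events rather than trusting a dApp's own display is the point: an approval signed on a phishing page looks identical on chain to a legitimate one, so the only reliable inventory is the one rebuilt from the logs (or from `allowance()` calls against each token). A revocation is just an approval of zero, which is why the replay treats the last value as authoritative.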

Closing: a cat-and-mouse reality

The ledger’s transparency gives both attackers and defenders powerful tools. Hackers innovate constantly, and so do exchanges, analysts and regulators. For the average user, the simplest and most effective defence is a combination of operational security (hardware wallets, 2FA, careful approvals) and scepticism towards “too good to be true” opportunities.

Crypto will continue to develop. Stopping criminals requires better technology (secure contracts, audited tools), higher industry standards (KYC/AML where necessary) and well-informed users. The system that succeeds will be the one that makes it hard, expensive and risky enough for criminals to convert stolen tokens into cash.
