25. September 2021

The measly share of crime in bitcoin

A report shows that criminal payments make up an ever smaller share of all bitcoin payments. Most transactions are from legit BTC usage – trading, gambling or crypto lending for example. But while some varieties of crime are in retreat, others are only just taking off.

Chainalysis publishes an excerpt from the soon-to-be-released “Crypto Crime Report.” As always, things get exciting when the blockchain analyst spills the beans.

The report begins by noting that 2020 has been an incredible and successful year for crypto. However, “cryptocurrencies remain, as they always have, attractive to criminals.” Despite its transparent design, criminals appreciate Bitcoin’s pseudonymous nature and the ability to easily send money around the world. “But the good news is that in 2020, crypto crime has dropped noticeably.”

At around $10 billion, the volume of illicit transactions has halved compared to 2019 – but remains double that of 2018. The share of illicit transactions in all value transferred via cryptocurrencies, meanwhile, has fallen to its lowest level in four years, at 0.34 percent. No wonder: the overall economic activity of Bitcoin has skyrocketed in the past year, but the illegal payment volume has dropped significantly. Bitcoin has never been cleaner than it is in 2020.

However, it’s also important to note, methodologically, that Chainalysis retroactively inflated the share of criminal payments in 2019 from the assumed 1.1 percent to 2 percent. “The reason is that we identified more addresses that were involved in criminal activity in 2019.” As a result, Chainalysis expects the numbers to subsequently increase for 2020 as well.

Still, the findings stand – volume and share of criminal transactions are falling. But that’s not true for every criminal industry.

Winners and losers in cybercrime

Chainalysis sorts transactions by criminal discipline. In this way, the analyst shows which types of crime have declined more than others.

As in every year, the “scam” category – that is, fraud – takes the lion’s share. These are various scams, ranging from classic phishing emails to large pyramid and Ponzi schemes. Especially in the year before last, the gigantic PlusToken scam from China probably inflated the volume of this class extremely. Since no comparable scam is known for 2020, at least so far, the volume of this category dropped massively: from more than 9 to just over 2.6 billion. This is almost tantamount to a collapse of the industry.

In second place are the darknet markets: trading platforms on the darknet, where mainly drugs are sold, but also weapons, fake documents and products, as well as malware, credit card data and more. These markets have seen a steady increase in volume since 2018, albeit at a relatively moderate level, about 29 percent for 2020. Last year, the Corona crisis likely drove growth: Domestic isolation is easier to endure with drugs, and drug trafficking likely shifted, at least in part, from the local park to the darknet due to lockdown. In addition, many fraudsters also offered alleged drugs against Corona on darknet markets.

A third important category is stolen funds. This continued to decline in 2020 compared to 2019 and especially 2018. There were few hacks of exchanges and other platforms.

Finally, the fourth important category is ransomware, which had an extremely strong year in 2020. “The big story of cryptocurrency crime in 2020” is what Chainalysis calls ransomware. While it accounts for only 7 percent of all crime-related transactions, it grew by a whopping 311 percent since 2019. No other branch of cybercrime has seen even remotely comparable growth rates. Chainalysis also attributes this to the fact that the hastily set-up home offices opened up many new security vulnerabilities.

Ransomware was so important in 2020 that Chainalysis dedicated a separate chapter of the report to it, also already published. Before we look at that, though, let’s take a look at another interesting chart showing monthly payment flows.

Here, for example, it can be seen that the illegal revenue from fraud fluctuates extremely. In January 2020, it was perhaps $50 million, whereas in August it was around $450 million. Illegal revenue from stolen funds and from ransomware behaves similarly, albeit at a lower level. Criminal activity where there is a victim – someone who falls for a scam, who opens an email with malware, who runs an inadequately secured exchange – appears to have little predictability and yields extremely volatile returns. Perhaps this is because people usually become involuntary “business partners” of these crooks only once.

The situation is different, however, for criminal activities that do not involve one perpetrator and one victim, but two perpetrators. For example, in drug trafficking, where the dealer and the consumer voluntarily enter into a deal from which both benefit. Such deals often happen recurrently and generate continuous turnover, which is probably why drug trafficking is the foundation of any criminal cartel. Turnover through darknet markets typically ranged between $100 million and $180 million a month in 2020, making it a source of stability in an otherwise extremely erratic market.

The success story of the year

Ransomware, as noted, was the cybercrime success story last year. At about $350 million in volume, ransomware as a whole accounts for only 7 percent of all illicit payments, to be sure. But the growth is impressive, and Chainalysis stresses that the figures represent the lower end. Many cases go unreported, and the 2020 numbers are likely to go up as more hackers’ addresses are known, especially for the last two months. With Belgian companies alone reporting paying €100 million a year to the extortionists, the true scale may actually be much higher.

Ransomware is also, Chainalysis explains, “uniquely destructive, as the attacks can knock down governments and businesses for weeks.” Last year in particular, there was something cynical about the fact that many hospitals were affected, which also led to the first fatality. “If we calculate the economic damage that ransomware does, not just in payments, but in institutions and businesses being put out of commission, we end up with $20 billion.” And that, as mentioned, is the lower limit.

The massive growth of ransomware last year, Chainalysis said, was driven by several new incarnations of the software that demanded large sums of money from their victims, as well as increased revenue from existing versions. However, the many strains of ransomware that now exist give a false picture of the diversity of the market.

Ransomware is now an industry with a pronounced division of labor, with some writing the software and others distributing it. Those who distribute the malware use arbitrary variants, which is why a small group of people can be behind the waves of attacks, despite the many families. In addition, security experts suspect that some of the larger ransomware families have the same inventors and administrators.

Chainalysis is trying to get to the bottom of these suspicions. After all, the more centralized the trade, the easier it is to find choke points through which to effectively fight ransomware.

The analyst connects the addresses used for payments to the different versions. Most of the coins that the extortionists capture flow to exchanges, to “high-risk exchanges” (with loose or nonexistent anti-money laundering standards) and mixers. Chainalysis suspects that the core infrastructure that the hackers call into service to launder the money is controlled by just a handful of key players. This is indicated by an overlap of wallets in which payments from various ransomware strains eventually end up.

The majority of balances – 82 percent – flow to just five major crypto exchanges. And the absolute bulk of it – 80 percent of all coins – goes to 199 deposit addresses. An even smaller group of 25 addresses receives 46 percent. So there is a relatively small group that manages nearly half of all ransomware revenue on exchanges.

An example of such an address is an account on a large international exchange. It received more than $63 million in Bitcoin between August 2020 and the end of the year. The majority of the funds originate from legal activities, but a quarter come from sources associated with criminal activities and 10 percent directly from clearly identifiable criminal sources. Attacking such addresses or accounts, Chainalysis concludes, severely hurts the ransomware hackers’ ability to convert their proceeds into fiat money.