The Exfiltration Phase of The Kill Chain of a Cryptocurrency-Based Attack Provides the Greatest Opportunity to Identify Cybercriminals
Cryptocurrency gained through illicit means is less usable than other assets because cryptocurrency systems currently do not fully protect owner identity and allow for only limited liquidity. This incentivizes threat actors to transfer assets out of DeFi platforms and into traditional markets after successfully stealing cryptocurrency. Centralized markets contain strong controls, including Know Your Customer (KYC), Anti-Money Laundering (AML), and other standards specifically designed to strip away anonymity and gather additional information to identify asset owners. A focus on identification and tracing of illicit assets leaving DeFi systems provides key cryptocurrency threat intelligence to analysts trying to determine attribution and deter threat actors. This report looks at some different paths available to threat actors for obfuscating cryptocurrency assets.
Exfiltration is a Multistep Process Aimed at Obfuscating Ownership of Cryptocurrencies
A 2021 report by Europol found laundering was the “main criminal activity associated with the illicit use of cryptocurrencies.” (1) Threat actors use intermediate transfer services that assist in obfuscating transactions between initial wallets and the wallets eventually used to ‘cash out’. Multiple services can be used and chained together to create blockchain asset exfiltration paths that become highly obfuscated.
Most blockchain data is oriented towards public transparency allowing any user to view logged data on the blockchain, including a threat actor’s transactions. Once a DeFi system is hacked or users are defrauded, threat actors risk having stolen assets identified and frozen if kept in wallets within the same blockchain on which the cyberattack occurred. For this reason, threat actors usually consolidate stolen assets and transfer them off the original blockchain(s) quickly. Many mixing services exist to launder funds and maximize anonymity, including formal, registered, and well-organized mixing services alongside informal, direct peer-to-peer services initiated on-demand. If the trail from initial cryptocurrency compromise to centralized markets is significantly obfuscated, threat actors can dodge the security controls and maximize stolen profits on centralized (traditional) markets.
DeFi Immaturity Drives Threat Actors to Convert Cryptocurrency to Centralized Markets
Two main drivers incentivizing the transfer of assets off blockchains are the relatively limited use of cryptocurrency in the physical world and cryptocurrency's high price volatility. Assets can currently be used more easily when converted to traditional currencies or traditional investments. Another primary driver is the ability of decentralized finance platforms to blacklist stolen cryptocurrency assets if they can be identified, which renders them unusable. This special process invalidates the signatures of assets controlled by threat actors, preventing them from interacting further within the DeFi landscape. However, blacklist participation is completely voluntary and varies by DeFi platform.
A Variety of Services Provide Threat Actors With Anonymity When Transferring Crypto Assets
A broad range of options and obfuscation architectures are available to significantly inhibit tracking and analysis of stolen funds. The TTPs described below in the form of various cryptocurrency services are novel, lack regulation, and play key roles enabling threat actors to exfiltrate and transfer stolen cryptocurrencies. Services are ordered from the most basic (informal peer-to-peer (P2P) and over-the-counter (OTC) channels initiated directly between users) to more complex systems (formal, third-party DeFi services, which can be registered, meaning a written agreement exists that reduces risk, or unregistered, and are purposely designed to hide asset ownership). With all exfiltration services, separate channels outside the blockchain are used for communication between the client and the service administrator to complete transactions. Not all obfuscation architectures are discussed here.
Overall cryptocurrency laundering volume currently remains relatively low compared to the volume laundered in traditional centralized markets.
Threat actors are likely to increase cryptocurrency-based cyberattack and laundering activities in the future because of the lack of centralized controls and oversight. While the estimated cryptocurrency launder rate in 2021 rose 30% over 2020, this still represents only 0.05% of all transactions (2). By contrast, traditional currency retains a launder rate of 5% of transactions, or around $2 trillion (3). Historical reports of annual cryptocurrency laundering estimate total rates have possibly fluctuated between 1% and 23%. (1) Before cryptocurrency adoption expands further, opportunities exist for tool development to target movements of large values of cryptocurrency assets that are possibly backed by malicious activity. As cryptocurrency becomes more widely used, greater data and volumes of transactions will help obscure malicious transactions and require further resources.
Tactics, Techniques, and Procedures Used in Cryptocurrency Obfuscation
Swapping Cryptocurrencies is an Effective and Simple Way to Mix Stolen Cryptocurrency Assets
Threat actors split and swap assets between different cryptocurrencies, which may provide convenient obfuscation channels through their privacy design. Swapping is typically leveraged along with other DeFi mixing services to bridge crypto assets and traditional markets, creating a series of steppingstones and vulnerable points before ‘cashing out’. The process can be simple or complex. Threat actors may convert one amount into another, or into many different coins or tokens. New wallets on new platforms with different transaction signatures are used, which creates new IOCs (indicators of compromise) and dilutes the transaction chain-of-custody. This makes it more difficult to trace and connect assets to prove ownership. Some cryptocurrency platforms collect minimal user information, sometimes limited to username and email address. Privacy coins, which contain additional obfuscation features, are also often leveraged through legitimate channels because they require fewer details by design and offer additional privacy functions, such as added encryption, that help to further hide ownership (4).
Coinjoin is One of the Simplest and Highly Effective Implementations of a Cryptocurrency Mixing Protocol
Coinjoin is an example of a simple protocol that works by mixing one or more initial amounts through multiple transactions, each of which continually splits its inputs and outputs throughout a pool of wallets. Changing amounts may or may not repeatedly touch the same wallet address. The process requires at least two people with wallets to participate. The resulting final amount(s), redistributed and possibly reconsolidated either to the original or different addresses (wallets), cannot currently be traced back in a way that legally proves ownership of the funds. This is because each transaction contains a unique digital signature and there is no way to correlate the unique transactions with certainty across large networks of wallets participating in a Coinjoin. Different amounts and wallets keep changing across every transaction to break chain-of-custody. This ability within some cryptocurrencies and blockchains greatly increases privacy by making transactions nearly impossible to track (5). Official and unofficial services or P2P channels may incorporate the Coinjoin protocol using manual or automated services to mix assets.
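A common chain-analysis heuristic for flagging transactions shaped like the Coinjoin described above, shown as an added example that is not part of the original report: several outputs of identical value funded by at least as many distinct input addresses. The transaction records, field names and threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample transactions (not real chain data); values in satoshis.
SAMPLE_TXS = [
    {"txid": "tx-payment",        # ordinary payment: one payer, payment + change
     "inputs": [("addrA", 150_000)],
     "outputs": [("addrB", 100_000), ("addrA2", 49_000)]},
    {"txid": "tx-join",           # Coinjoin-shaped: 3 payers, 3 equal outputs + change
     "inputs": [("addrC", 120_000), ("addrD", 250_000), ("addrE", 100_500)],
     "outputs": [("addrF", 100_000), ("addrG", 100_000), ("addrH", 100_000),
                 ("addrC2", 19_800), ("addrD2", 149_800)]},
    {"txid": "tx-consolidate",    # many inputs, one output: consolidation, not a mix
     "inputs": [("addrI", 50_000), ("addrJ", 60_000), ("addrK", 70_000)],
     "outputs": [("addrL", 179_000)]},
]


def coinjoin_shape(tx, min_participants=2):
    """Return (is_candidate, equal_outputs, denomination) for one transaction.

    Heuristic: several outputs share one value (the mixed denomination) and at
    least that many distinct input addresses funded the transaction, so an
    observer cannot say which input paid which equal output.
    """
    if not tx["outputs"]:
        return False, 0, None
    input_addrs = {addr for addr, _ in tx["inputs"]}
    counts = Counter(value for _, value in tx["outputs"])
    denomination, equal_outputs = counts.most_common(1)[0]
    if equal_outputs >= min_participants and len(input_addrs) >= equal_outputs:
        return True, equal_outputs, denomination
    return False, 0, None


def flag_candidates(txs):
    """Map txid -> (equal_outputs, denomination) for Coinjoin-shaped transactions."""
    flagged = {}
    for tx in txs:
        hit, equal_outputs, denomination = coinjoin_shape(tx)
        if hit:
            flagged[tx["txid"]] = (equal_outputs, denomination)
    return flagged


if __name__ == "__main__":
    for txid, (n, value) in flag_candidates(SAMPLE_TXS).items():
        print(f"{txid}: {n} equal outputs of {value} sat; trace cannot pick one owner")
```

A flagged transaction marks the point where a trace has to branch across every equal output instead of following a single path.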
Managed DeFi Services Cater to Threat Actors Looking to Guarantee Anonymity
Between 2019 and 2022, it is reported over half of illicit cryptocurrency funds tracked were sent to just five services for mixing (6,7). Wallet Mixers (WM, aka CryptoMixers or CryptoTumblers) are legitimate independent services that aid cryptocurrency wallet (account) anonymity. The protocols WMs use are more complex than the Coinjoin swap described above. Services may be small-scale, comprised of individuals or small groups of users that operate pools or lakes of wallets, or the process can be incredibly complex. WMs both exist as legitimate third-party software services and as peer-to-peer networks of self-organized groups of users.
WMs involve taking the assets of a client's wallet, distributing the assets within the mixer’s own pool of wallets and assets using a proprietary algorithm, and redistributing the same value - under the same or a different cryptocurrency - back to the client in different wallets. Through these services, cryptocurrency assets touch many different wallet addresses associated with many different accounts. The resulting tornado-trail of transactions is difficult to trace, hence the term “mixers”. A small fee (1-3%) is retained by the service from each client for each mix. Some WMs are known to have strong working relationships with ransomware syndicates providing specialized channels to obfuscate ransom payments (8).
Informal Peer-to-Peer Channels Carry Increased Risk And Also Increase Obfuscation
In addition to the formal services described above, a variety of less formal channels, often referred to as peer-to-peer (P2P) and over-the-counter (OTC), are also available to threat actors to help obfuscate asset ownership. P2P/OTC vectors involve direct, ad-hoc transactions between individuals without the use of an intermediary. These vectors are more discreet, exist outside of formal or registered DeFi services like DEXs, and have no formal guarantees and contracts, which makes them more attractive for threat actors engaged in fraud. These channels are typically used (in malicious transactions) to circumvent regulation governing transactions on more formal/registered services that might otherwise hold data used to expose threat actors. The channels can involve inter- or intra-cryptocurrency exchanges, either to traditional currency, or to other cryptocurrency mediums such as Non-Fungible Tokens (NFTs). Channels of this type are commonly advertised through social media. Increasingly complex P2P services are comprised of multiple cybercriminal groups working together on disparate channels and through legitimate DeFi services in such a way that the true network of cybercriminal operations is highly obfuscated.
Lightning Networks do Not Require the Same Validation Scheme for Approval as Ordinary Blockchain Transactions
Lightning networks were established as DeFi P2P transaction channels in 2013. Originally designed for Bitcoin, lightning networks circumvent the normal blockchain transaction and validation channels by directing transactions through the users’ wallets using simple smart contracts (9). These channels are attractive because they are usually cheaper, faster, and operate with less infrastructure than the more formal channels described above.
To create a P2P lightning network, the initiator pays a small amount of Bitcoin as a fee that acts as fuel to keep a Lightning Network channel open. The recipient then confirms the lightning channel. Once this channel is established it remains open depending on how much cryptocurrency the initiator wants to commit to complete their transactions. Legitimate lightning network transactions are typically smaller (the price of a cup of coffee). Once the transaction(s) are complete, the channel is closed, and all the transaction information that occurred over the temporary lightning network is then grouped into one transaction and recorded on the blockchain where the cryptocurrencies reside. Lightning networks will work with different types of wallets, but are limited in that they must be funded (opened) using Bitcoin.
Decentralized Exchange Services That Operate Legitimate Pools of Cryptocurrency Assets May Knowingly or Unknowingly Serve as Vehicles To Obfuscate Assets Across Blockchains
Threat actors can obfuscate assets using Decentralized Cryptocurrency Exchanges (DEXs) to take advantage of programmable cryptocurrencies designed to interoperate with other cryptocurrencies and tokens. Some DEXs ask for minimal identifying information. Some implement protocols that purposely align to increased obfuscation for transactions. There are even registered and unregistered DEXs that specialize in asset laundering using fake and stolen identities (10). A December 2021 Europol report found a cybercriminal organization operating a system of at least four registered exchanges aimed largely at enabling illicit activity (1).
APT Groups Involved in Cryptocurrency Attacks Increasingly Favor Legitimate Channels to Exfiltrate Assets
Recent reporting demonstrates APT groups, the most sophisticated threat actors, are significantly increasing their reliance on WMs and DEXs to exfiltrate stolen funds (11). Data since 2019 indicates APTs are likely shifting TTPs away from unofficial and informal third-party services such as P2P vectors in favor of more official and well-established channels that carry lower risk of asset loss. This pattern is very likely due to the expanding DeFi service landscape. As more exchanges are in operation, it becomes easier to find legitimate channels with high fidelity and lower risk or containing loopholes, which APTs and other threat actors can exploit.
Threat Actor Attempts at Cryptocurrency Exfiltration Can Last Years and Include Multiple TTPs
In 2016, threat actors gained access to the Bitfinex DEX to approve their own transactions leading to approximately $4 billion (January 2022 value) in Bitfinex assets stolen (12, 13). In 2017, several months after the Bitfinex attack, the stolen assets began moving in a complex chain of transactions to separate initial accounts allegedly traceable to the defendant. Bitfinex announced an official bounty for the stolen assets in 2020.
By the end of January 2021, investigators noticed the funds began moving again between different wallets in a way that suggests the threat actors were attempting to consolidate the funds from the initial accounts, mentioned above, into even fewer wallets. One of these “fewer” wallet accounts allegedly contained an email address tied to India that investigators were able to pair to the real name of the alleged perpetrator (Ilya Lichtenstein). (19) Separately, investigators were able to pair an IP address to a Walmart gift card purchased with cryptocurrency and sent to Russia. With this information, law enforcement used a subpoena to pivot to cloud infrastructure used by the same individual. Investigators found private keys to the group of consolidated wallets inside files on their cloud account, as well as further personally identifiable information matching the alleged perpetrator and their partner. The staggering delay in moving the funds was likely a deliberate TTP employed to avoid immediate attention in the aftermath of the large Bitfinex hack.
Cryptocurrency-Based Cybercrime Will Almost Certainly Increase Through at Least the Next Two Years as Global Cryptocurrency Adoption Expands
Reporting across the DeFi industry indicates that cryptocurrency adoption is increasing globally. It is likely in the near future that other governments will adopt schemes similar to others already underway, such as tax payments in the Bahamas (mentioned earlier) and adoption in El Salvador (14). Official engagements with cryptocurrency, in addition to current widespread purely public DeFi implementations, will create a larger space within which threat actors can operate (15, 16). Governments will be forced to increase resources against DeFi cybercrime.
Growing Cryptocurrency Usage is Likely to Reduce Cryptocurrency-to-Traditional Market Conversion Incentives and Circumvent Centralized Market Controls
Reporting consistently indicates laundering of cryptocurrency to traditional currency-backed assets remains much more prevalent than fiat-to-cryptocurrency laundering. This is due to the higher utility of traditional currency-backed assets than of cryptocurrency assets. DeFi is designed to avoid centralized intervention and the well-established law enforcement operations now inherent in traditional banking. Expanding cryptocurrency adoption as regular forms of payment, including not only regular business transactions, but also taxes and remittances and other integrations, will very likely create the greatest incentive for threat actors to keep assets within cryptocurrency (17). Exfiltration of stolen cryptocurrency assets out of DeFi is very likely to become less relevant if threat actors are able to use the cryptocurrency more directly. Retaining more assets on-chain will allow threat actors to hide identities and hide assets more easily because they can remain under the privacy-protecting features and protocols of some cryptocurrencies.
A Focus On Tools to Track Malicious Cryptocurrency Exfiltration Is The Best Way to Counter High-Risk Attacks
Although various blockchain architectures underlying cryptocurrencies are similar to each other, the decentralized nature of all of them has produced variations in development and implementation. Threat actors exploit a variety of weaknesses, lack of oversight, and security holes across many DeFi systems for large gain (18). It will almost certainly become more difficult and resource-intensive to correlate IOCs and trace assets from DeFi cyberattacks as further DeFi systems generate increasing transaction data. A strategic bottleneck exists across every large-scale attack: how to obfuscate and transfer cryptocurrency assets to global traditional markets. The goal of tool development should not be to identify users, because cryptocurrencies contain strong privacy protocols that obfuscate real identities by design. Instead, cryptocurrency tools to help trace chain-of-custody will lower risk from the largest cryptocurrency cyberattacks by providing the ability to identify patterns of behavior conducive to threat-actor syndicates or APTs attempting to inject large sums of illicitly gained cryptocurrency.
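One way such a chain-of-custody tool can work, shown as an added example that is not code from the report or from EclecticIQ: proportional ("haircut") taint is propagated forward from the theft, and the tool reports both consolidation points, like those seen in the Bitfinex case, and tainted value reaching exchange deposit addresses. All addresses, amounts and the account-style transfer model are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real chain data). Account-style simplification:
# each transfer is (sender, receiver, amount), listed in chronological order.
STOLEN = {"thief_1": 100.0}              # address that received the stolen funds
EXCHANGE_DEPOSITS = {"exchange_dep_1", "exchange_dep_2"}  # hypothetical KYC venues
TRANSFERS = [
    ("thief_1", "hop_a", 60.0),               # stolen funds are split
    ("thief_1", "hop_b", 40.0),
    ("clean_user", "hop_a", 60.0),            # unrelated funds land on the same hop
    ("hop_a", "consolidate", 120.0),          # later consolidation into fewer wallets
    ("hop_b", "consolidate", 40.0),
    ("consolidate", "exchange_dep_1", 80.0),  # cash-out attempt
    ("clean_user", "exchange_dep_2", 10.0),   # ordinary customer deposit
]


def trace_taint(stolen, transfers, exchange_deposits, fan_in_threshold=2):
    """Propagate haircut taint forward: each outgoing transfer carries the
    sender's current tainted fraction. Returns (tainted value arriving at each
    exchange deposit address, addresses where tainted flows were consolidated)."""
    balance = defaultdict(float, stolen)
    tainted = defaultdict(float, stolen)
    tainted_senders = defaultdict(set)    # receiver -> senders that passed on taint
    arrivals = defaultdict(float)

    for src, dst, amount in transfers:
        # Senders with no recorded history (balance 0) are treated as untainted.
        share = tainted[src] / balance[src] if balance[src] > 0 else 0.0
        moved = min(amount * share, tainted[src])
        balance[src] = max(balance[src] - amount, 0.0)
        tainted[src] -= moved
        balance[dst] += amount
        tainted[dst] += moved
        if moved > 0:
            tainted_senders[dst].add(src)
            if dst in exchange_deposits:
                arrivals[dst] += moved

    consolidation = sorted(addr for addr, senders in tainted_senders.items()
                           if len(senders) >= fan_in_threshold)
    return dict(arrivals), consolidation


if __name__ == "__main__":
    hits, fan_in = trace_taint(STOLEN, TRANSFERS, EXCHANGE_DEPOSITS)
    for addr, value in hits.items():
        print(f"{addr}: {value:.2f} tainted units arrived at a KYC venue")
    print("consolidation points:", fan_in)
```

The output identifies where illicit value meets a KYC-controlled venue without needing to identify any user on-chain.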
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.
- https://bitcoinmagazine.com/technical/a-comprehensive-bitcoin-coinjoin-guide https://en.bitcoin.it/wiki