Blockchain analysis firm Chainalysis has reported that criminals have turned to crypto mining for money laundering. This trend extends beyond nation-state actors, including sanctioned countries like Iran, which employ crypto mining to accumulate capital outside traditional financial systems.
The notorious North Korean hacking syndicate Lazarus Group has also used stolen cryptocurrency such as Bitcoin to acquire newly mined coins through hash-rate rental and cloud mining services, as revealed by cybersecurity company Mandiant.
Cybercriminals use stolen cryptocurrencies to actively mine and launder “clean” coins through different services. Chainalysis has identified an undisclosed “mainstream exchange” that has received “substantial funds” from both mining pools and wallets connected to ransomware operations.
A specific deposit address has received a staggering $94.2 million. Of that total, $19.1 million originated from ransomware addresses and $14.1 million came from mining pools.
Chainalysis, however, highlighted that in certain instances, the ransomware wallet in question actively transferred funds to a mining pool, doing so “both directly and via intermediaries.” According to the report, this could indicate a “sophisticated” money laundering strategy.
“This may represent a sophisticated attempt at money laundering, in which the ransomware actor funnels funds to its preferred exchange via the mining pool in order to avoid triggering compliance alarms at the exchange,” the report reads.
Additionally, Chainalysis highlights the growing trend of ransomware actors exploiting mining pools. Based on the data, the firm reports a substantial and consistent rise in the value transferred from ransomware wallets to mining pools since the beginning of 2018.
Chainalysis revealed that mining pools and ransomware addresses had collectively sent cryptocurrency valued at a minimum of $1 million to a total of 372 exchange deposit addresses.
The firm suggested that such instances indicate ransomware actors’ efforts to disguise their illicit funds as proceeds from legitimate crypto-mining activities. Since the beginning of 2018, these exchange deposit addresses have received a total of $158.3 million from ransomware addresses.
In another case involving the exploitation of mining pools, Chainalysis highlighted BitClub, a crypto Ponzi scheme. BitClub deceived numerous investors between 2014 and 2019 by falsely promising lucrative returns from Bitcoin mining operations.
According to the firm, BitClub Network had transferred millions of dollars worth of Bitcoin to wallets associated with “underground money laundering services,” suspected to be located in Russia. These money laundering wallets transferred Bitcoin to deposit addresses at two widely recognized exchanges for three years.
From October 2021 to August 2022, an undisclosed Bitcoin mining operation in Russia actively moved millions of dollars worth of Bitcoin to the same deposit addresses at the exchanges mentioned above.
One of the wallets linked to the money launderers also received funds from BTC-e, a crypto exchange accused by the U.S. government of facilitating money laundering and operating an unlicensed money service business.
BTC-e was allegedly involved in handling funds stolen from Mt. Gox, the largest Bitcoin exchange during the early 2010s.
Consequently, U.S. authorities seized BTC-e in July 2017 and shut down its website. The authorities also apprehended BTC-e founder Alexander Vinnik in Greece during the same month.
Chainalysis said, “We believe it’s possible that the money launderers in this case purposely mingled funds from BitClub and BTC-e with those gained from mining in order to make it look like all of the funds sent to the two exchanges came from mining.”
As per the firm’s findings, “deposit addresses fitting that profile have received just under $1.1 billion worth of cryptocurrency from scam-related addresses since 2018.”
To safeguard the integrity of mining, which is a fundamental aspect of Bitcoin and various other blockchains, Chainalysis stressed the importance of mining pools and hashing services implementing robust wallet screening procedures, including Know Your Customer (KYC) protocols.
Chainalysis also pointed out the importance of blockchain analysis and other tools in validating the origin of funds and rejecting cryptocurrencies from illicit addresses. These screening measures can effectively prevent malicious actors from using mining as a means of money laundering.
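The screening the report calls for comes down to one question a pool, hashing service or exchange can ask of each inbound deposit: does any tagged illicit address sit upstream of it, either directly or through intermediaries such as a mining pool? The following is an added illustration written for this article, not Chainalysis code or any real screening product. It works over a small constructed ledger with placeholder address labels, walks backward from a deposit address for a bounded number of hops, and returns a verdict plus the findings behind it. It also shows the blind spot of a hop limit: the same deposit is "accept" at three hops and "review" at four.

```python
from collections import defaultdict, deque

# Constructed sample ledger (sender, receiver, amount in BTC); the address
# labels are placeholders invented for this example, not real addresses.
SAMPLE_TXS = [
    ("ransom_wallet_A", "exchange_deposit_1", 5.0),   # ransomware -> exchange, direct
    ("ransom_wallet_B", "mining_pool_X", 12.0),       # ransomware -> pool (one intermediary)
    ("mining_pool_X", "exchange_deposit_1", 9.0),     # pool payout to the same exchange deposit
    ("miner_honest_1", "mining_pool_X", 20.0),        # legitimate hash-power contribution
    ("miner_honest_2", "mining_pool_Y", 8.0),
    ("mining_pool_Y", "exchange_deposit_2", 8.0),     # clean pool payout
    ("ransom_wallet_C", "hop_1", 3.0),                # ransomware -> two hops -> pool -> exchange
    ("hop_1", "hop_2", 3.0),
    ("hop_2", "mining_pool_Z", 3.0),
    ("mining_pool_Z", "exchange_deposit_3", 3.0),
]

# Tag sets a screening provider would maintain; constructed for this example.
ILLICIT = {"ransom_wallet_A", "ransom_wallet_B", "ransom_wallet_C"}
MINING_POOLS = {"mining_pool_X", "mining_pool_Y", "mining_pool_Z"}


def build_inbound_index(txs):
    """Map each receiver to the list of (sender, amount) that paid it."""
    inbound = defaultdict(list)
    for sender, receiver, amount in txs:
        inbound[receiver].append((sender, amount))
    return inbound


def trace_illicit_sources(inbound, deposit, illicit, max_hops=3):
    """Breadth-first walk backward from `deposit` over at most `max_hops` transfers.

    Returns {illicit_address: shortest path from that address to the deposit}.
    """
    found = {}
    seen = {deposit}
    queue = deque([(deposit, [deposit], 0)])
    while queue:
        addr, path, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for sender, _amount in inbound.get(addr, []):
            new_path = [sender] + path
            if sender in illicit and sender not in found:
                found[sender] = new_path
            if sender not in seen:
                seen.add(sender)
                queue.append((sender, new_path, hops + 1))
    return found


def screen_deposit(txs, deposit, illicit=ILLICIT, pools=MINING_POOLS, max_hops=3):
    """Return (verdict, findings) for a deposit address.

    reject : paid directly by a tagged illicit address
    review : tagged illicit address within max_hops, i.e. via intermediaries
             (a mining pool on the path is reported as a pool-laundering indicator)
    accept : nothing tagged within the hop limit; this is not proof of clean funds
    """
    inbound = build_inbound_index(txs)
    sources = trace_illicit_sources(inbound, deposit, illicit, max_hops)
    findings = []
    for src, path in sources.items():
        intermediaries = path[1:-1]
        via_pool = any(hop in pools for hop in intermediaries)
        findings.append({"source": src, "hops": len(path) - 1, "via_mining_pool": via_pool})
    if any(f["hops"] == 1 for f in findings):
        return "reject", findings
    if findings:
        return "review", findings
    return "accept", findings


def illicit_inflow_to_pools(txs, illicit=ILLICIT, pools=MINING_POOLS):
    """Total value each mining pool received directly from tagged illicit addresses."""
    totals = defaultdict(float)
    for sender, receiver, amount in txs:
        if sender in illicit and receiver in pools:
            totals[receiver] += amount
    return dict(totals)


if __name__ == "__main__":
    for dep in ("exchange_deposit_1", "exchange_deposit_2", "exchange_deposit_3"):
        print(dep, screen_deposit(SAMPLE_TXS, dep))
    print("deeper trace:", screen_deposit(SAMPLE_TXS, "exchange_deposit_3", max_hops=4))
    print("illicit inflow to pools:", illicit_inflow_to_pools(SAMPLE_TXS))
```

The hop limit is the operational trade-off: a shallow trace is cheap and rarely wrong when it fires, but funds routed through a few intermediaries before reaching a pool pass it untouched, which is exactly the pattern the report describes. Real screening products layer clustering heuristics and exposure-by-value on top of a walk like this; the structure of the decision is the same.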
The Inferno Drainer scam
Last month, scam detection platform Scam Sniffer announced linking a malicious software provider to thousands of scams, resulting in the theft of millions of dollars.
By analyzing off-chain and on-chain data across Ethereum, Arbitrum, BNB Chain and other blockchain networks, the security firm uncovered 4,888 victims who collectively lost over $5.9 million in cryptocurrencies and NFTs.
The investigation revealed that approximately 1,699 ETH had been stolen and dispersed among five different addresses, each containing a balance ranging from 300 to 400 ETH.
The true extent of these scams came to light when an individual suspected of being a member of the Inferno Drainer group, using the alias “Mr Inferno,” appeared in Scam Sniffer’s Telegram group.
This encounter led to the discovery of a website promoting the scammer’s services. Scam Sniffer informed Decrypt that they have a product designed for scanning malicious Web3 websites on various platforms, which allowed them to identify numerous fraudulent websites. “The Telegram channel helped us connect them together,” Scam Sniffer explained.
Scam Sniffer also reported that the scammer demands a 20 percent to 30 percent share of the stolen assets in exchange for their malicious software, which is used to create deceptive websites.
Since March 27, Inferno has reportedly created around 689 phishing websites, although Scam Sniffer suggests that the activity might have started earlier based on on-chain data analyzed by Decrypt.
According to Scam Sniffer, Inferno can be considered a “malware-as-a-service” offering, providing both the software and malicious site hosting while charging based on the stolen amount. One victim alone had assets worth nearly $400,000 stolen. In an attempt to negotiate, the victim proposed allowing the scammer to retain 50 percent of the stolen goods.
Scam Sniffer had previously identified a similar “Scam as a Service” called Venom Drainer, which drained $27 million from 15,000 victims in the past month. The top five victims collectively lost $14 million. A total of 530 phishing sites were created, which targeted approximately 170 brands.
Among the targeted brands in the crypto ecosystem were Pepe, Collab.Land, zkSync, MetaMask and Nakamigos, along with about 220 other brands used for deception.
Despite the ongoing bear market, crypto scams remain prevalent. According to a study by Crystal Blockchain, 2022 witnessed a record high of 120 reported incidents of crypto fraud, representing a 28 percent increase compared to 2021.
Yet, the total value lost across all incidents in 2022 was less than half of the funds lost in 2021. The loss amounted to $4.6 billion, likely influenced by the persisting bear market that began in May 2023.