In the world of online crime, anonymous cryptocurrencies are the payment method of choice. But at some point, virtual hauls need to be turned into hard cash. Enter the "Treasure Men".
Finding a Treasure Man is easy if you know where to look. They are listed for hire on Hydra, the largest marketplace on the dark web by revenues, a part of the internet that is not visible to search engines and requires specific software to access.
"They will literally leave bundles of cash somewhere for you to pick up," said Dr Tom Robinson, chief scientist and co-founder of Elliptic, a group that tracks and analyses crypto transactions. "They bury it underground or hide it behind a bush, and they'll tell you the coordinates. There's a whole profession."
The Russian-language Hydra offers plenty of other ways for criminals to cash out of cryptocurrencies, including exchanging bitcoin for gift vouchers, prepaid debit cards or iTunes vouchers, for example.
The ability to hold cryptocurrencies without divulging your identity has made them increasingly attractive to criminals, and particularly to hackers who demand ransoms after breaking into companies.
In 2020, at least US$350m in crypto ransoms was paid out to hacker gangs, such as DarkSide, the group that shut down the Colonial Pipeline earlier this month, according to Chainalysis, a research group.
But at the same time, every transaction in a cryptocurrency is recorded on an immutable blockchain, leaving a visible trail for anyone with the technical knowhow.
Several crypto forensics companies have sprung up to help law enforcement track criminal groups by analysing where the currencies flow to.
These include New York's Chainalysis, which raised US$100m at more than a US$2 billion valuation earlier this year, London-based Elliptic, which boasts Wells Fargo among its investors, and US government-backed CipherTrace.
In total, in 2020 some US$5b in funds were received by illicit entities, and those illicit entities sent US$5b on to other entities, representing less than 1 per cent of the overall cryptocurrency flows, according to Chainalysis.
In the early days of cryptocurrencies, criminals would simply cash out using the major cryptocurrency exchanges. Elliptic estimates that between 2011 and 2019, major exchanges helped cash out between 60 per cent to 80 per cent of bitcoin transactions from known bad actors.
By last year, as exchanges began to worry more about regulation, many of them bolstered their anti-money laundering (AML) and know-your-customer (KYC) processes and the share shrank to 45 per cent.
Stricter rules have pushed some criminals towards unlicensed exchanges, which typically require no KYC information. Many operate out of jurisdictions with less stringent regulatory requirements or lie outside of extradition treaties.
But Michael Phillips, chief claims officer at cyber insurance group Resilience, said such exchanges tend to have lower liquidity, making it harder for criminals to transfer crypto into fiat currencies. "The aim is to impose further costs on the business model," he said.
There are an array of other niche off ramps into fiat currency. Analysis by Chainalysis suggests that over-the-counter brokers in particular help facilitate some of the largest illicit transactions — with some operations clearly set up for that purpose alone.
Meanwhile smaller transactions flow through the more than 11,600 crypto ATMs that have sprung up globally with little to no regulation, or through online gambling sites that accept crypto.
Against this backdrop, the crypto forensics firms use technology that analyses blockchain transactions, together with human intelligence, to work out which crypto wallets belong to which criminal groups, and map out a picture of the wider, interlocking crypto criminal ecosystem.
With an overview of how criminals move their money, their research has shone a light in particular on how hackers are renting out their ransomware software to networks of affiliates, while taking a cut of any proceeds.
Kimberly Grauer, head of research at Chainalysis, added that hackers are increasingly paying for support services from other criminals, such as cloud hosting or paying for the login credentials of their victims, with crypto, giving investigators a more complete picture of the ecosystem.
"There's actually fewer needs to cash out in order to sustain your business models," said Grauer. This means "we can see the ransom paid, and we can see the splitting and going to all the different players in the system".
Losing the trail
But cyber criminals are increasingly wielding their own high-tech tools and techniques in a bid to muddy the crypto trail that they leave behind them.
Some criminals undertake what is known as "chain-hopping" — jumping between different cryptocurrencies, often in rapid succession — to lose trackers, or use particular "privacy coin" cryptocurrencies that have extra anonymity built into them, such as Monero.
Among the most common tools for throwing investigators off the scent are tumblers or mixers — third-party services that mix up illicit funds with clean crypto before redistributing them.
In April, the Department of Justice arrested and charged a dual Russian-Swedish national who operated a prolific mixing service called Bitcoin Fog, moving some US$335m in bitcoin over the past decade.
"It is possible to untumble coins," said Katherine Kirkpatrick, a partner at law firm King & Spalding with expertise in anti-money laundering. "But it's highly technical and takes a lot of processing power and data."
The "preferred obfuscation tool" in 2020 — which helped facilitate 12 per cent of all bitcoin laundering that year — were highly sophisticated "privacy wallets" that have anonymisation techniques including mixing capabilities built into them, according to Elliptic.
"They're basically a trustless version of a mixer and it's all done within software," said Robinson, noting that an open-source project called Wasabi Wallet was the dominant player in the space.
What comes next?
Authorities "need to modernise forfeiture and asset freezes" so that it is easier for law enforcement to seize crypto from exchanges, said Tom Kellermann, head of cyber security strategy for VMware and cyber investigations advisory board member for the US Secret Service.
Individual exchanges can today sign up to services from the forensics firms that will notify them of suspicious activity based on their intelligence.
But experts have in the past touted the idea of having shared blacklists of wallets known to be used by bad actors — a kind of Interpol alert, with exchanges, analytics groups and the government openly sharing information on their investigations in order to make this possible.
"Perhaps now is a better time to reconsider some of those policy initiatives," said Kemba Walden, assistant general counsel at Microsoft's Digital Crimes Unit.