Euro Security Watch with Mathew J. Schwartz


Ransomware Proceeds: $400 Million Routed to Russia in 2021

Chainalysis: 74% of Known Ransomware Revenue Flowed to Russians Last Year
Total known cryptocurrency value received by ransomware addresses; information current as of January 2022 and likely to change (Source: Chainalysis)

In case anyone doubts that Russia is the epicenter of ransomware operations, a new report charting 2021 cryptocurrency flows offers clear numerical evidence.


"Overall, roughly 74% of ransomware revenue in 2021 - over $400 million worth of cryptocurrency - went to strains we can say are highly likely to be affiliated with Russia in some way," says blockchain analysis firm Chainalysis. "Blockchain analysis combined with web traffic data also tells us that after ransomware attacks take place, most of the extorted funds are laundered through services primarily catering to Russian users."


How are such Russian affiliations determined? Chainalysis says it identified ransomware operations with a known or likely Russian connection by analyzing:

  • Evil Corp: About 10% of all known 2021 ransomware revenue went to strains operated by the Russian cybercrime group Evil Corp, which is already under U.S. sanctions;
  • Native speakers: About 36% of flows were traced to ransomware operations suspected of having Russian ties because their operators work in Russian on Russian-language cybercrime forums;
  • CIS avoidance: About 26% of flows were tied to ransomware designed to never infect any system in the Commonwealth of Independent States - the bloc formed by former Soviet republics when the Soviet Union dissolved in 1991 - a design choice that strongly implies the operators wish to avoid angering Russian authorities and their allies.

What's left is 27% of known ransomware flows, which have no obvious connection to Russia.

Source: Chainalysis

The vast majority of cryptocurrency use globally isn't illicit. And as a nation, Russia ranks 18th on a national index of the biggest cryptocurrency adopters, Chainalysis says.

Safe Haven

But experts say Russia sees a disproportionate quantity of cryptocurrency tied to crime.

Much of this, Chainalysis says, was routed through businesses based in Moscow known to handle risky funds, including Bitzlato, Buy-bitcoin, Cashbank, Eggchange, Garantex, Suex and Tetchange.

Not coincidentally, Russia has long been seen as a safe haven for criminals who wield ransomware, banking Trojans and other online attack tools against foreigners. Likewise, the country has a reputation for serving the domestic cybercrime community with a number of Russian-language forums and darknet markets - including Hydra, the world's largest - as well as services for laundering criminal proceeds, including bitcoin mixers.

Criminals often look to cryptocurrency to help disguise the illicit flow of funds and make it more difficult for investigators to trace criminal proceeds back to them. Over time, however, more information about cryptocurrency flows inevitably comes to light.

New Intelligence

One measure of this is that blockchain analysis firms such as Chainalysis, which track the flow of illicit funds on an annual basis, often have to revise their running totals of illicit cryptocurrency flows for a given year upward as new intelligence arrives.

For example, the firm says it has now identified more than $692 million in ransom payments made to ransomware operators in 2020, which is nearly double the amount it had identified 12 months ago. So far for 2021, it has identified $602 million known to have been received by ransomware addresses, but that figure is certain to increase.

New intelligence can come to light in a variety of ways, including via law enforcement takedowns of cybercrime markets - such as AlphaBay in 2017 - and bitcoin mixers, which allow investigators to seize records and begin analyzing them to build or bolster cases.

Records of darknet market buyers and sellers and mixing service logs can reveal the identities of individuals tied to specific cryptocurrency wallets. All of this helps investigators follow the money.

Historically, many criminals laundering cryptocurrency relied on exchanges that didn't comply with anti-money laundering regulations or know-your-customer requirements. But U.S. Office of Foreign Assets Control sanctions and other targeted efforts have made it more difficult for noncompliant exchanges to operate.

Furthermore, OFAC now sanctions not just exchanges, but also specific traders - including middlemen - as well as cryptocurrency wallet addresses, including those known to be used by Evil Corp. OFAC also publishes these addresses, which helps blockchain analysis firms refine their intelligence on criminal cryptocurrency flows.

Cash-Out Challenges

Increased intelligence makes life more difficult for anyone who wants to use cryptocurrency for illicit purposes. This is reflected in part by charges unveiled last week by U.S. prosecutors against New York-based married couple Ilya "Dutch" Lichtenstein and Heather Morgan. The pair have been charged with laundering bitcoins now worth $3.6 billion that were stolen from the Bitfinex virtual currency exchange in 2016.

In total, 119,756 bitcoins were stolen from Bitfinex and initially sent to a single wallet, where 79% of them remain, according to blockchain analysis firm Elliptic. So while 21% got cashed out - in part via AlphaBay in 2017 and Hydra starting in 2020 - the rest had yet to be converted to cash, likely because whoever controlled it thought such a move would be too risky.

Number of bitcoins from the Bitfinex hack received each month by the largest destinations (Source: Elliptic)

Of course, this is a case involving Americans, brought by U.S. prosecutors. Whether Russian authorities will truly crack down on domestic cybercrime remains to be seen. Recently, Russian law enforcement authorities arrested 14 suspected affiliates of the REvil, aka Sodinokibi, ransomware operation and shuttered several well-known carding and cybercrime markets.

Whether this is a cynical play by the Russian government to say that it's taking a bite out of cybercrime, not least against the backdrop of President Vladimir Putin potentially ordering an invasion of Ukraine, also remains to be seen.

Source: Chainalysis

Notably, the arrests don't appear to have snared any big fish. But perhaps this shouldn't be a surprise. Security experts have long noted that successful cybercrime kingpins in Russia follow two rules: Never attack Russians, and do the occasional favor for the government.

Take Evil Corp: In 2019, when the U.S. Department of Treasury announced sanctions against the crime group, it noted that "in addition to his involvement in financially motivated cybercrime, the group's leader, Maksim Yakubets, also provides direct assistance to the Russian government's malicious cyber efforts, highlighting the Russian government's enlistment of cybercriminals for its own malicious purposes."

If that pattern holds, get ready to see hundreds of millions of dollars more in known illicit cryptocurrency flows heading Russia's way over the rest of this year.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



