Crypto in the spotlight: ... hacks

Research Mar 10, 2022

Key take-aways
·      Cryptocurrencies are widely perceived to be a safe haven for illegal activity and illicit transactions.
·      The reality is different, as demonstrated by the recent retrieval by the US government of Bitcoins stolen in the 2016 Bitfinex hack.
·      Regulatory oversight, combined with the transparency of the blockchain, provides law enforcement with new ways to trace nefarious activities.
·      Longer-term, the stigma of illegality – one factor that has impeded wider public acceptance of cryptocurrencies – should diminish as legitimate use continues to rise.

On February 8th the US Department of Justice announced it had arrested two people for an alleged conspiracy to launder cryptocurrency related to the 2016 Bitfinex hack and had seized $3.6bn worth of Bitcoin[1]. Unquestionably, this was a big win for the US authorities as it represents the single largest recovery of crypto-assets in history. One might take this as further confirmation that cryptocurrencies are simply a haven for illegal activity and illicit transactions.  

Quantifying Illegal Usage

Such perceptions are certainly common. Indeed, it is almost the default opinion of politicians and policymakers the world over, as illustrated by comments made by former Fed Chair Yellen who, in her US Treasury Secretary confirmation hearing, stated that

“Cryptocurrencies are of particular concern. I think many are used, at least in a transaction sense, mainly for illicit financing. And I think we really need to examine ways in which we can curtail their use, and make sure that anti-money laundering [sic][2] doesn't occur through those channels.”

Previous academic work seeking to measure the use of cryptocurrencies in financing illegal activity lent weight to this viewpoint. One widely quoted paper, Foley et al. (2019)[3], estimated that one-quarter of Bitcoin users are involved in illegal activity and account for just under half of all transactions.

However, more recent research indicates that those estimates are significantly biased upwards. Makarov and Schoar (2021)[4], for example, estimated that just 3% of Bitcoin transactions are associated with illegal activity[5]. That is quite a difference.

Commenting on the earlier paper, Makarov and Schoar attribute the difference largely to two methodological choices. First, Foley et al. exclude exchange-related volumes from their calculations in order to focus on payments for goods and services. Given the size of the excluded volumes, this significantly boosts their estimate by shrinking the denominator. Second, criminals very often try to obscure the origin of their Bitcoins by routing them through a long series of intermediate addresses, peeling off a small amount at each hop while the remainder moves on to a fresh change address, a pattern known as a “peeling chain”. Because of the method Foley et al. use to identify illegal activity, the same coins are counted again at every hop of such a chain, which inflates illegal volumes in their estimate by raising the numerator.

Clearly, quantifying the extent of criminal activity associated with cryptocurrencies is difficult. However, the details of the Bitfinex hack suggest cryptocurrencies are not as criminal-friendly as is often assumed.

The Bitfinex Hack

In 2016 the crypto exchange Bitfinex was hacked and just under 120,000 Bitcoins were stolen. On January 31st 2022, over five years after the incident, US law enforcement agencies finally gained access to the hacker’s wallet[6]. They found 94,636 Bitcoin, spread over 2,000 Bitcoin addresses, still there. These Bitcoins, equating to almost 80% of the original amount, were seized and sent to a US government-controlled address[7].

A full week before the DoJ made its announcement, various on-chain analytics companies flagged that the remaining 94,636 Bitcoins associated with the hack were on the move[8]. At the time the motivation for these transactions was not known, but it was clear something was going on. The reason is simple: the blockchain. Every transaction ever conducted is recorded, published, and visible to all.

Clearly, these were not the first Bitcoins from the Bitfinex hack to be moved. Every time a transaction involving the hacker’s wallet occurred it was analysed and commented on. In May last year, blockchain analytics company Elliptic published a blog article analysing transactions from the hacker’s wallet[9]. They not only tracked the transactions through time but were also able to identify where the funds were subsequently moved. They found that

“[T]hey are in the process of being transferred to a range of third-party services to be laundered or cashed-out, but slowly and in small increments.”

“… the stolen bitcoins are being funneled [sic] to three types of actor: darknet markets (84%), privacy wallets (12%)[10] and exchanges (4%).”

The need to move funds in such a convoluted manner stems from the transparency of the blockchain: the addresses holding the Bitcoins stolen from Bitfinex were readily identifiable, were soon blacklisted, and no reputable exchange would process deposits coming from them.
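To make two of the points above concrete, the peeling-chain double counting that Makarov and Schoar describe and the watchlist monitoring that let analytics firms flag the blacklisted wallet the moment it moved, the following is an added example. It is my own illustration, not code or data from the article, from Makarov and Schoar, or from any analytics vendor. It builds a constructed peeling chain from a single seed address holding 100 BTC, runs a poison-style tracer over it of the kind a watchlist on a blacklisted wallet performs as new transactions arrive, and compares the naive “sum every flagged transaction” volume with the coins that actually left the seed address. All addresses, txids and amounts are invented.

```python
"""Added example (not from the original article): a toy UTXO graph with a
peeling chain, a watchlist tracer, and the over-counting it exposes.
Every txid, address and amount below is constructed for illustration."""
from collections import namedtuple

# Minimal UTXO model: a transaction spends earlier outputs and creates new ones.
Tx = namedtuple("Tx", "txid inputs outputs")   # inputs: [(txid, vout)], outputs: [(address, btc)]


def peeling_chain(stolen_btc, hops, peel_btc):
    """Constructed history (not real Bitfinex data): a seed address peels
    `peel_btc` to a fresh address at every hop and sends the rest on to a new
    change address. The last peel lands on an exchange deposit address."""
    txs = [Tx("tx00", [], [("hack_addr", stolen_btc)])]   # origin of the stolen coins
    remaining = stolen_btc
    for i in range(1, hops + 1):
        dest = "exchange_deposit_1" if i == hops else f"peel_{i:02d}"
        remaining -= peel_btc
        txs.append(Tx(f"tx{i:02d}", [(f"tx{i-1:02d}", 0)],
                      [(f"change_{i:02d}", remaining), (dest, peel_btc)]))
    return txs


def trace(txs, seed_addresses):
    """Poison-style taint tracing: any transaction spending an output owned by a
    tainted address is flagged, and every address it pays becomes tainted.
    This is what a watchlist on a blacklisted wallet does as blocks arrive."""
    by_id = {t.txid: t for t in txs}
    tainted = set(seed_addresses)
    flagged = []
    for t in txs:                                   # transactions assumed in chain order
        spends_tainted = any(by_id[pid].outputs[vout][0] in tainted for pid, vout in t.inputs)
        if spends_tainted:
            flagged.append(t)
            tainted.update(addr for addr, _ in t.outputs)
    return flagged, tainted


def naive_illicit_volume(flagged):
    """Counts the full output value of every flagged transaction, so the same
    coins are counted again at each hop of the chain (numerator inflation)."""
    return sum(btc for t in flagged for _, btc in t.outputs)


def coins_in_play(txs, seed_addresses):
    """Value that actually left the seed addresses: an upper bound on what the
    chain can move, however many hops it takes."""
    by_id = {t.txid: t for t in txs}
    return sum(by_id[pid].outputs[vout][1]
               for t in txs for pid, vout in t.inputs
               if by_id[pid].outputs[vout][0] in seed_addresses)


def exchange_deposits(flagged, exchange_addrs):
    """Where the trail meets an off-ramp: tainted outputs paid to a known exchange cluster."""
    return [(t.txid, addr, btc) for t in flagged for addr, btc in t.outputs if addr in exchange_addrs]


if __name__ == "__main__":
    history = peeling_chain(stolen_btc=100, hops=10, peel_btc=1)
    flagged, tainted = trace(history, {"hack_addr"})
    print(len(flagged), "transactions flagged by the watchlist")
    print("naive illicit volume:", naive_illicit_volume(flagged))      # 955
    print("coins that left the seed:", coins_in_play(history, {"hack_addr"}))  # 100
    print("off-ramp hits:", exchange_deposits(flagged, {"exchange_deposit_1"}))
```

With ten hops and 1 BTC peeled per hop, the naive sum reports 955 BTC of “illicit volume” for a chain that never contained more than the 100 BTC that left the seed address, which is the numerator effect described above. The same tracer is what raises an alert when a long-dormant blacklisted output is finally spent, and its `exchange_deposits` hit marks the point at which an analyst would stop reading the chain and start asking the exchange who owns the deposit address.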

While blockchain analytics are good at tracking the flow of funds in the crypto space, the challenge for law enforcement (and the thing criminals seek to avoid) is connecting crypto wallets to real identities. The Statement of Facts for the Bitfinex case issued last month by the IRS[11] shows how US government agencies traced transactions from the hacker’s wallet to crypto exchange accounts and to other off-ramping methods (conversion back to fiat) used by the alleged perpetrators. Below is a snippet of an illustrative graphic included in the statement.

Source: IRS Statement of Facts

As a first step, funds from the hacker’s wallet reached two virtual currency exchanges (VCE 1 and VCE 4). The funds that reached VCE 1 passed through the dark net market Alpha Bay, which law enforcement shut down in July 2017. The graphic does not make it clear, but the accompanying text states that what VCE 4, an unidentified US exchange, received was not Bitcoin, the asset stolen from Bitfinex, but Monero (XMR), a so-called privacy coin[12]. As the suspects clearly hoped, routing funds through a dark net market and a privacy coin should have obscured their original source, getting around the blacklisting of the hacker’s wallet, and should have made linking them to the suspects’ crypto exchange accounts impossible.

So how did law enforcement connect the dots?

The statement does not make this explicit. One possibility is that law enforcement has found a way, by a currently undisclosed method, to trace the Monero transaction back to the original Bitcoin wallet, an unsettling thought, no doubt, for Monero users[13]. From there, subsequent transactions could be connected to crypto exchange accounts the suspects had opened under their real identities[14]. The second possibility, and the one I personally tend to favour as it is simpler[15], is that when law enforcement took down Alpha Bay in 2017 they seized its server, and the data on that server provided enough information to connect back to the suspects’ identifiable exchange accounts. With that information in hand, tracing back to the earlier Monero transaction would have been well within the known means of law enforcement.

Whatever method was used, the arrest of the suspects in the Bitfinex hack demonstrates that law enforcement has the tools to follow even complex transactions on the blockchain. Also, because every transaction history is stored permanently on the blockchain, later seizures of hardware from illicit sites such as Alpha Bay can provide valuable information for tracking down criminals even years after the fact. Finally, and most importantly, the off-ramp is the criminal’s Achilles heel: whenever fiat currency is involved, governments can impose stringent KYC requirements, as they do on commercial banks. That is where anonymity dissolves.

Dark Net Markets

As mentioned, according to Elliptic’s analysis the bulk of funds moved from the Bitfinex hacker’s wallet went to darknet markets, and of those, the majority went to Hydra, a Russian-language darknet market[16]. That one of the alleged perpetrators has dual US/Russian nationality may in part explain this choice, but it is unlikely to be the only reason.

In their paper, Makarov and Schoar analyzed exchange transactions involving Hydra. They found that the highest transaction volumes were with non-KYC exchanges; volumes with KYC exchanges were, by contrast, considerably lower. Most of this volume passes through centralized exchanges, which are less technically demanding to set up and more cost-effective to run than decentralized exchanges[17]. These typically use custodial trading: customers make on-chain transfers of the cryptocurrency they wish to trade from their own wallet to the exchange’s hot wallet, and trades are then executed against the exchange’s internal database, off-chain. Effectively the exchange acts as a custodian for its clients, with each client’s incoming funds commingled with everyone else’s.

At non-KYC exchanges, where no verified identity is attached to the account, this makes tracking cryptocurrencies on the blockchain almost impossible once they enter the hot wallet. For a criminal this is a very attractive feature, as it allows “tainted” cryptocurrencies to be cleaned without revealing any personal information that could give law enforcement the means to pursue and prosecute suspects, as occurred in the Bitfinex case.
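As an added illustration of the custodial model just described (my own constructed example, not code from Makarov and Schoar or data from any real exchange), the block below models three customers depositing to a custodial exchange that sweeps everything into one hot wallet, trades off-chain, and pays withdrawals from the pool. It propagates taint from a 10 BTC deposit traced to a hack using the value-weighted “haircut” rule, shows that every later withdrawal carries the same diluted taint regardless of who traded what off-chain, and then shows what the exchange’s own deposit ledger yields, which is the KYC question in miniature. Addresses, account ids and balances are invented; `resolve_depositor` is a hypothetical stand-in for what a subpoena to the exchange would return.

```python
"""Added example (not from the original article): haircut taint through a
custodial exchange's commingled hot wallet, and the off-chain ledger that is
the only remaining link to a person. All data below is constructed."""
from collections import namedtuple

Tx = namedtuple("Tx", "txid inputs outputs")   # inputs: [(txid, vout)], outputs: [(address, btc)]


def haircut_taint(txs, seed_taint):
    """Value-weighted ('haircut') taint: every output of a transaction inherits
    the input-value-weighted average taint of the outputs it spends.
    `seed_taint` maps (txid, vout) of known-tainted outputs to a fraction in [0, 1]."""
    by_id = {t.txid: t for t in txs}
    taint = dict(seed_taint)
    for t in txs:                                   # transactions in chain order
        if not t.inputs:                            # origin outputs: taint comes only from the seed
            continue
        spent = [(by_id[pid].outputs[v][1], taint.get((pid, v), 0.0)) for pid, v in t.inputs]
        frac = sum(btc * f for btc, f in spent) / sum(btc for btc, _ in spent)
        for vout in range(len(t.outputs)):
            taint[(t.txid, vout)] = frac
    return taint


def custodial_exchange_history():
    """Constructed on-chain history of a custodial exchange: three customers
    deposit to their own deposit addresses, the exchange sweeps everything into
    one hot wallet, trades happen off-chain, and withdrawals come from the pool."""
    return [
        Tx("src_hack",  [], [("hack_peel", 10)]),        # 10 BTC traced back to a hack
        Tx("src_alice", [], [("alice_wallet", 40)]),
        Tx("src_bob",   [], [("bob_wallet", 50)]),
        Tx("dep1", [("src_hack", 0)],  [("dep_addr_1", 10)]),
        Tx("dep2", [("src_alice", 0)], [("dep_addr_2", 40)]),
        Tx("dep3", [("src_bob", 0)],   [("dep_addr_3", 50)]),
        Tx("sweep", [("dep1", 0), ("dep2", 0), ("dep3", 0)], [("hot_wallet", 100)]),
        Tx("wd1", [("sweep", 0)], [("hot_wallet", 70), ("carol_external", 30)]),
        Tx("wd2", [("wd1", 0)],   [("hot_wallet", 50), ("dave_external", 20)]),
    ]


def withdrawals_taint(txs, taint, hot_wallet):
    """Taint fraction of every payment the hot wallet makes to an outside address."""
    by_id = {t.txid: t for t in txs}
    rows = []
    for t in txs:
        if any(by_id[pid].outputs[v][0] == hot_wallet for pid, v in t.inputs):
            for vout, (addr, btc) in enumerate(t.outputs):
                if addr != hot_wallet:               # skip change back into the pool
                    rows.append((t.txid, addr, btc, round(taint[(t.txid, vout)], 6)))
    return rows


# Off-chain records the exchange keeps. The deposit ledger exists at every
# custodial exchange; whether an identity is attached is exactly the KYC question.
DEPOSIT_LEDGER = {"dep_addr_1": "acct-7", "dep_addr_2": "acct-8", "dep_addr_3": "acct-9"}
KYC_RECORDS = {"acct-7": {"name": "<verified customer>", "id_doc": "<passport scan>"}}  # constructed


def resolve_depositor(address, kyc_enforced):
    """Hypothetical subpoena response for a deposit address: an account id,
    plus an identity only if the exchange actually ran KYC on that account."""
    acct = DEPOSIT_LEDGER.get(address)
    if acct is None:
        return None
    identity = KYC_RECORDS.get(acct) if kyc_enforced else None
    return {"account": acct, "identity": identity}


if __name__ == "__main__":
    history = custodial_exchange_history()
    taint = haircut_taint(history, {("src_hack", 0): 1.0})
    print("hot wallet taint after sweep:", taint[("sweep", 0)])      # 0.1
    for row in withdrawals_taint(history, taint, "hot_wallet"):
        print("withdrawal:", row)                                     # every payout is 10% tainted
    print("KYC exchange:", resolve_depositor("dep_addr_1", kyc_enforced=True))
    print("non-KYC exchange:", resolve_depositor("dep_addr_1", kyc_enforced=False))
```

Once the 10 BTC is swept into the 100 BTC pool, every withdrawal carries a 10% haircut taint whether or not its recipient ever touched the stolen coins, so the on-chain trail ends at `dep_addr_1`. A poison rule would instead mark the whole pool and every payout as fully tainted, and a FIFO rule would assign the taint to whichever withdrawals happen to be ordered first; none of the three can say who received the stolen value, because the trades that moved it happened in the exchange’s database. What remains usable is the deposit ledger, and only a KYC exchange can turn its `acct-7` into a person.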

Given that non-KYC and KYC exchanges can transact with each other, Makarov and Schoar expressed concern that the former could act as a “gateway for money laundering and other gray activities”. However, under pressure from regulators, more exchanges are introducing KYC/AML measures. For example, Binance[18], Huobi and Bybit, some of the largest centralized crypto exchanges, last year all announced transaction caps tied to the level of personal information provided: the more identity information a customer supplies, the higher the cap on permitted transaction volumes.

These are not the only measures being introduced to reduce the attractiveness of cryptocurrencies to criminals. Blockchain monitoring companies offer KYT (Know Your Transaction) services, a cryptocurrency complement to KYC that allows users such as exchanges to identify and flag high-risk transactions and counterparties in order to meet their compliance obligations[19]. Travel Rules requiring the collection, retention and sharing of originator and beneficiary information on cryptocurrency transfers are also under active consideration. In the UK, for example, the government has already consulted on a legislative proposal, likely to be implemented soon, that would require “personally identifiable information” for all cryptocurrency transactions above £1,000[20].

Clearly, global regulators have crypto-assets firmly in their sights. If anything, the pace of crypto regulation is set to accelerate as a direct consequence of Russia’s invasion of Ukraine.

Until next time.

Ryan Shea, crypto economist at Trakx


[1]    See: Two Arrested for Alleged Conspiracy to Launder $4.5 Billion in Stolen Cryptocurrency (The US Department of Justice)

[2]    Yellen meant to say money laundering.

[3]    See: Sex, Drugs, and Bitcoin: How Much Illegal Activity Is Financed Through Cryptocurrencies? (SSRN)

[4]    See: Blockchain Analysis of the Bitcoin Market (NBER)

[5]    Chainalysis, a leading blockchain data platform, estimates that illegal transactions have declined to less than 1% of all transactions – see: Crypto Crime Trends for 2022: Illicit Transaction Activity Reaches All-Time High in Value, All-Time Low in Share of All Cryptocurrency Activity (Chainalysis)

[6]    According to the statement of facts – see footnote 11 below - the alleged perpetrators saved their wallet addresses and private keys on a cloud storage account. Not the smartest approach one would have thought.

[7]    In the process the US government became the world’s fifth largest holder of Bitcoin.

[8]    See: Blockstream Explorer

[9]    See: Elliptic Follows the $7 Billion in Bitcoin stolen from Bitfinex in 2016

[10]  Privacy wallets use CoinJoin transactions, which combine inputs from many unrelated users into a single transaction, to add uncertainty about which output belongs to whom and so impede blockchain tracing – see: Wikipedia

[11]  See:

[12]  See: What Are Privacy Coins and Are They Legal? (Coindesk)

[13]  This does not mean to imply all Monero users are criminals. People may, rightly so in my opinion, want financial privacy for a whole host of non-nefarious reasons.

[14]  The suspects did make transfers to exchange accounts not opened in their real names. However, these accounts were frozen by the crypto exchanges when ID verification (KYC) and source of funds information were not provided.

[15]  Good old Occam’s razor.

[16] Hydra has become an important player in the space, accounting for an estimated 75% of dark web market revenue worldwide. It has been around for a long time (seven years, versus an average estimated life span measured in high-single-digit months) and according to numerous estimates continues to see strong growth in transaction volumes. Its success has raised questions as to whether it has some form of semi-official backing or, less strongly, whether the Russian authorities tolerate its servers operating in their country – see: Dark Markets Can Be a Geopolitical Force Multiplier (Bloomberg)

[17]  The top decentralized exchange – or DEX - according to CoinMarketCap is Uniswap(V3) which had daily volumes of $2.5bn, roughly a tenth the size of the largest centralized exchange Binance – see: Coinmarketcap Top Decentralized Exchanges

[18] Binance made full-compliance KYC mandatory in August 2021. While it did lose some users as a result of the change, it was only 3%. This is a surprisingly low percentage for an asset class supposed to be rife with criminality – see: Binance CEO Advocates for Fundamental Crypto Rights

[19] In effect, it introduces a trusted third party – the monitoring company – into the ecosystem, a feature cryptocurrencies were designed to avoid, making such services contentious within the crypto community.

[20]  See: EU and UK move towards the “travel rule” implementation for crypto-assets (Regulation tomorrow)

Carole Laizet

Senior marketing manager with 15+ years of experience in the Financial Industry (traditional Banking as well as Crypto Assets). Responsible for market research