MIT Bitcoin Expo 2021: The New Normal - Cryptocrime

May 19, 2021 04:00

Our final session in the morning is about cryptocrime, and it will be presented by Kim Grauer, Head of Research at Chainalysis.

00:15 - She’s an economist trained at the London School of Economics with previous experience working in the economic development arm of the New York City mayor’s office.

00:27 - Welcome, Kim. Hi. Thank you so much for having me.

00:32 - All right, so I’m going to talk to you all today about cryptocurrency crime.

00:40 - And I’ve prepared a little bit of a presentation.

00:43 - So I’m just going to go ahead and share my screen to help guide this discussion.

00:50 - And ask anything and everything. Feel free to chime in with any questions that you might have.

00:58 - Why am I at Chainalysis here to talk to you all about cryptocrime? Well, the reason is it has to do with what the company that I work for is capable of doing.

01:09 - And it actually comes down to something that’s relatively straightforward, which is our core business model of associating addresses to services.

01:19 - Some people say that we’re kind of like the phone book of crypto, whereas you might go to a blockchain explorer and look at a transaction you made, and it will look like something like this on the left.

01:31 - In our software product, it looks like this on the right.

01:36 - So we’re figuring out the services that are managing a series of addresses, and then associating them together, identifying them, and keeping track of all of that.

01:46 - And that’s kind of our core. It’s actually pretty simple.

01:49 - It’s our core kind of what we’re trying to accomplish.

01:54 - And you can imagine that there’s not just one type of service in crypto, in cryptocurrency.

01:59 - There’s a whole host of different types of services.

02:03 - So we have our exchanges, our merchant service providers, our mining pools, our hosted wallets.

02:08 - These are kind of all the different– examples of the different types of services that we’re working really hard to identify at Chainalysis.

02:19 - And then the reason why I’m here to talk to you about cryptocrime is because a whole lot of those services are actually illegal services.

02:27 - So illicit, they do things that are illegal.

02:30 - And the services that we tend to identify which are carrying out that illegal activity are things you’ve all probably heard of, and maybe even– hopefully not, but potentially even encountered firsthand.

02:45 - So we’ve got our darknet marketplaces, which have been a part of the crypto story for a very long time now and go back to the very beginning of when people started using cryptocurrency.

02:57 - We have the story of the Silk Road. We have ransomware, which is a big problem nowadays, especially something that we’ve seen to be growing quite a bit.

03:06 - We’ll talk a little bit about that, or scams, terrorist financing, hacks, and stolen funds.

03:11 - And what I get to do is I get to sit on top of all of this, what we call attribution, and just ask basic questions around what’s driving activity in cryptocurrency.

03:21 - Because of the fact that we’re sitting on this phone book, and then we can segment the data in all of these different ways and start to ask, what percentage of all activity is going through exchanges? What percentage of all activity is between exchanges and mixers? And segment the data in a lot of different ways.

03:40 - And so for our annual crypto crime report, we focus on this side of things.

03:46 - And we say how much money have these wallets that are controlled by people carrying out these criminal activities, how much money are they actually sitting on and moving? And which types of crime are the biggest using cryptocurrency? And how has that changed over the years? So this chart that we’re seeing is kind of like our high level chart of if we put all of those wallets we’ve identified as illegal or illicit together, and we just sum up the amount that was received and sent by those wallets.

04:26 - And we can see that in 2020, around $10 billion was sent and received by these wallets.

04:33 - And that represents less than 1% of all economic activity associated with that we identified in 2020.

04:41 - And that’s a big decline from the year before when there was over $20 billion in illicit activity.

04:48 - Around 2% of all transactions were associated with illicit.

04:53 - If you follow our research, you might– we put out this report every year.

05:00 - And we’ve now said that in 2019, there is 2% of all transactions were associated with illicit.

05:07 - But last year we said it was around 1%. So I do like to caveat our research by saying that our numbers are constantly changing because of the fact that we have a team of people always finding– looking for new services.

05:23 - Our data is never perfect. We’re always working hard to find new scams, new wallets that are controlled by scammers.

05:30 - Maybe it’s not just the wallet that you sent funds to, but also later wallets that those bad actors are using to move money.

05:39 - So we’re always finding new wallets. And then another caveat that I like to identify is that when we say 1%, or 2%, or less than 1% is associated with illicit activity, this is only speaking about a certain type of crime, like a subset of criminal activity that’s using cryptocurrency.

06:03 - And that is when the source of illegality is on the blockchain, so when funds were sent to a darknet market wallet, a scam wallet.

06:13 - It does not include criminal activity where maybe the person purchased drugs old school in person.

06:22 - Who does that anymore? And then they converted their funds to cryptocurrency in order to engage in a layering, or money laundering comportion.

06:34 - So we wouldn’t capture that because the source of illegality is actually not on the blockchain.

06:40 - So our numbers are probably the best in the biz, but there’s still lots of caveats in what we’re doing.

06:46 - What we’re trying to accomplish here is really tough.

06:48 - And it’s always going to be an uphill effort.

06:52 - So we saw that decline in the amount of funds sent to illicit wallets.

06:58 - But one thing that I’ve learned from tracking this activity over the years is that it actually doesn’t make much sense to think of cryptocurrency crime as one thing.

07:11 - Each of these different types of criminal activity– scams, child abuse materials, darknet markets, ransomware– they’re all impacted by different trends.

07:21 - The criminal actors are motivated by different things.

07:25 - They live in different parts of the world. So it’s not that illicit activity on the whole went down from 2019 to 2020.

07:31 - But when we look at the numbers, it’s actually scamming specifically went down from 2019 to 2020.

07:38 - And when we put this in a longer time series, we can see that it’s actually 2019 was just an outlier year for scamming.

07:45 - And the reason for that was one giant scam called PlusToken.

07:49 - And actually, there was even two other really large scams in 2019.

07:55 - But mostly this is driven by one event called PlusToken, which was a multibillion dollar Ponzi scheme that impacted millions of people.

08:04 - And so when we see that decline in both the share and the amount, it’s really because of that kind of adjustment post-PlusToken.

08:13 - But actually, if we look at some of the other types of scams, we know darknet markets are an all-time high this year.

08:19 - Ransomware, too– oops, yeah. We call it the year of the ransomware because on this chart, what we’re seeing is the year-on-year growth of each of these subtypes of criminal activity.

08:30 - And last year, or the year of this scam, 500% increase between 2018 and 2019 in funds sent to scam accounts.

08:38 - In 2020, 311% increase in funds sent to ransomware.

08:44 - So this chart makes it really easy to see what it’s the year of.

08:47 - So I wonder what next year is going to be. This kind of chart tends to do my– the work of explaining of determining what the biggest problem was in each– in any given year.

08:58 - Ransomware grew for a lot of reasons, which we talk– which a lot of people have different ideas around what happened, but there probably is something to do with the fact that an entire workforce had to go work remotely basically overnight.

09:13 - And there’s a lot of operational security challenges that come from that.

09:17 - And on top of that, we know that we’ve been tracking this ransomware as a service ecosystem.

09:27 - So criminals who are– you can purchase ransomware on a dark web on a darknet market, or purchase an attack.

09:36 - And that is actually a business operation. And we can start to put together the pieces of what ransomware as a business kind of looks like, and see how much that’s scaling because of improvements made to the organizational structures of these ransomware businesses.

09:55 - But that’s just kind of the very tip top surface of what’s going on with ransomware.

10:01 - There’s a lot of research in this report if you are interested in learning more about that.

10:07 - As I said, we also saw that it was an all-time high for funds sent to darknet marketplaces.

10:13 - This is a story that didn’t actually– it wasn’t that big of a story when we put this out, but I still think it is significant that one thing we identify and we’re able to measure by tracking cryptocurrency activity over time is the way that darknet marketplaces kind of organically grow over time.

10:35 - And we can see when we’re able to identify the core infrastructure, the wallet infrastructure of a darknet marketplace, we’re actually able to see how many customers are coming to this darknet marketplace, and what’s the growth curve of that darknet marketplace.

10:53 - And you can learn things about how– what can we expect the growth of a darknet marketplace to be.

11:02 - Does it grow kind of linearly or does it grow exponentially? As more people hear about a really great darknet marketplace that has– it can ship you your product in one to two days, and has great customer service, and all that.

11:17 - But we’re seeing that it was an all-time high in 2020.

11:20 - Over $1.7 billion were received by the darknet markets that we identified.

11:26 - Although, there was a decline in the number of transfers sent.

11:32 - There’s also actually some interesting COVID-related research that comes from analyzing darknet marketplaces.

11:38 - We saw in early– right around the early times of lockdown disruptions in the supply chain.

11:44 - People weren’t receiving their orders, and you can see that in the data as well.

11:48 - And when you’re able to identify a darknet market wallet, you can see also where the funds are going to, so which services are cashing out those darknet market funds.

12:07 - And oftentimes one discovery we’ve made lately is that many services actually tend to serve regionally specific populations.

12:16 - And maybe that’s because of banking requirements.

12:18 - Maybe it’s language. Maybe it’s just there are certain services that are popular for reasons that I’m not able to articulate right now.

12:28 - But that allows us to apply a little bit of a geo footprint, geographic footprint to services used to move darknet market funds.

12:40 - And this is just an estimate– what you see on the screen here– of where the funds are coming from and going to that are leaving darknet marketplaces.

12:47 - And there’s a real global component to this.

12:51 - So we see that Russia was the number one according to this estimate in terms of the share of money received from and sent to darknet marketplaces.

13:05 - But we also see the United States. We see Ukraine.

13:08 - We see Venezuela is number five in its rank among countries sending value to darknet marketplaces.

13:15 - And then China and Vietnam. And increasingly, we’re seeing that actually there is a lot of mirroring of traditional drug trafficking trends using cryptocurrency.

13:31 - And the customers we work with and the people we work with, their interpretation here is that we’re kind of gradually seeing people adding cryptocurrency to their toolkit in order to carry out international payments when it comes to moving drug money.

13:48 - So it’s just a finding that we’re paying attention to.

13:52 - There’s a lot of noise around this, but it’s definitely useful and probably directionally correct.

13:58 - Another thing that we pay attention to is hacking.

14:04 - You probably hear a lot about major hacks, multi-hundred million dollar hacks that happen using cryptocurrency from exchanges.

14:12 - And in 2020 the biggest hack that we identified was KuCoin.

14:19 - Over $200 million stolen in this one hack. And we identified that that hack was actually carried out by North Korean hacking organizations, DPRK, North Korean hacking organizations.

14:34 - And we have been tracking these hacking organizations for a long time.

14:39 - And what this chart is showing is the share of all hacks that we can confidently attribute to these North Korean organizations.

14:50 - And so we see over 200 million was stolen by these groups in 2020.

14:55 - Of course, that’s a decline from a high in 2018 when there was a whole lot of hacks that we were able to identify as carried out by North Korea.

15:05 - Decline in 2019, and that still is representing around 50% of all funds hacked.

15:13 - This is something that we are noticing is a big part of North Korea’s funding strategy for getting money for funding some– well, we can only assume what they’re doing with this money.

15:30 - I mean, my job ends at the blockchain, and then you let other experts take over who might have regional expertise in understanding how North Korea spends their money.

15:40 - But you can assume that hundreds of millions of dollars is a very significant amount of money for anyone.

15:47 - Now, the final section that I wanted to talk to you all about is money laundering.

15:59 - And I think this is a really interesting thing that we’re set up to take on in a really effective way when it comes to cryptocurrency because of just the transparent nature of blockchains.

16:13 - So first of all, I’ll just describe what this chart is showing.

16:15 - When we take all of those illicit wallets and merge them together, we can then ask, where are all those funds in aggregate winding up? Where are they going? And that, the nature of that question is the beginning of you trying to understand the money laundering infrastructure.

16:42 - And this chart is showing on a monthly basis what types of services those funds tend to wind up on.

16:50 - And we can do this because of an algorithm we’ve created called indirect exposure.

16:55 - So it’s not even the direct– where the funds are directly going to.

17:00 - It’s actually traversing the blockchain through many what we call hops until we identify a service that we can positively attribute.

17:11 - And so it’s not– so we’ll take funds that are possessed by a scammer.

17:18 - And we’ll assume that potentially they might be trying to obfuscate detection by moving cryptocurrency through many wallets, and then ultimately sending those funds to a place where they can convert those funds to fiat.

17:35 - And so when we do that at scale and when we take all of the wallets together, we can create this picture, where throughout 2020, we see that exchanges are the biggest destination for illicit funds.

17:51 - And that makes sense. That makes sense for a few reasons, probably most importantly because we know that scamming was the biggest type of crime in 2020, and actually just over the years.

18:05 - And that trend is most likely going to continue.

18:08 - And just a side note. It’s definitely not unique to cryptocurrency.

18:12 - If go to– if you study scamming in whatever region you’re based in, in the US I use this website called ponzitracker.com, which actually shut down, which is unfortunate, but they would track all the major Ponzi schemes by jurisdiction.

18:27 - There’s a ton of scamming. And actually only a few of those are ever using cryptocurrency.

18:35 - But we can see that. So scamming, for a long time, scams appear legitimate.

18:41 - And they look like real services, especially financial investment scams where I give a service money because I think they’re going to double, triple, quadruple, 500x– I mean, we’re in cryptocurrency– my investments.

18:56 - And so that infrastructure for a while will oftentimes just directly work with exchanges.

19:03 - And so what we see here is that the majority of funds leaving illicit wallets tend to wind up on exchanges.

19:13 - But we also have this kind of interesting story right here, which is that there’s a lot of riskier services.

19:20 - So these are your mixers. These are– depending on what jurisdiction you’re in, and also depending on how you approach these problems– also, gambling sites might be considered risky to you if you’re in compliance.

19:34 - Maybe you have a different attitude towards the riskiness of gambling.

19:40 - And so we’re seeing these definitive trends.

19:43 - And we have here, these are unnamed services, things that we have not identified.

19:49 - You can in theory intelligently look at these services, look at their exposure, and try to say, hey, are these risky unnamed services or not risky? That’s not something we do, but you could do it.

20:04 - And one of the more exciting things that we did with the crime report this year is we have this knowledge that funds are winding up on exchanges.

20:15 - And we’re actually able to not only see that, but we’re able to see which deposit addresses on exchanges are those funds winding up on.

20:24 - So you can think of a deposit address as– many of you probably have cryptocurrency on exchanges, where you get a unique address, and you can send funds to and from that address.

20:36 - And so we said, which– how many deposit addresses on these exchanges are receiving those illicit funds? And there’s a really interesting trend that emerges.

20:47 - So on the x-axis we see that these buckets are the amount of money, the total amount of illicit money received by deposit address.

21:00 - So over here, these deposit addresses received between 10 and 100 million in illicit money.

21:06 - And so 25% of all the funds, of illicit funds in 2020 wound up on these really, really large deposit addresses that were receiving tens of millions of dollars in illicit funds.

21:17 - And our main finding was that only 270 deposit addresses were receiving over 55% of all of the illicit money.

21:28 - We’re seeing a concentration of funds moving towards these really large deposit addresses on exchanges.

21:34 - And that is new this year. That is new in 2020.

21:38 - So look at– let’s compare that to 2019, where it’s much flatter.

21:43 - You can see less overall money is going to these large deposit addresses.

21:49 - Now why is that? Well, these are probably– some of these are probably services, nested services.

21:55 - There’s also probably a little bit of some institutional– not institutional, structural money laundering infrastructures that have been solidifying over the years have continued to grow, and kind of take more of a share of those funds as well.

22:16 - But we don’t– a lot of times we don’t know what those deposit addresses are, because like I said early on, we are just able to see blockchain level data.

22:25 - And we don’t really merge it with any offchain data often, unless it’s maybe open source intelligence or something like that.

22:34 - But we can look at the data in different ways.

22:38 - So over here, what this chart is showing is each of those deposit addresses receiving more than $1 million in illicit funds, and then let’s look at what other type of activity are those deposit addresses up to.

22:55 - What share of overall activity is actually illicit? So up here, this deposit address right here received over $2 million in illicit funds.

23:06 - But that was 100% of what that deposit address was doing.

23:10 - These deposit addresses up here are probably in the business of money laundering.

23:17 - But then you have something down here, which is a deposit address right here, moving $7 million in illicit funds, but that’s 1%, less than 1% of what it’s doing overall.

23:30 - Maybe that’s a normal share of risk exposure for a service doing that much volume.

23:38 - So we can start to learn more about these deposit addresses based on other kind of behavioral features that we’re able to glean by looking at the data in certain ways.

23:48 - So I guess some takeaways from this presentation, a lot of data.

23:52 - We put out this report every year. It’s free, because we think it’s important to have this data out there so people can make informed decisions around how risky blockchain actually is.

24:07 - I’m sure you know that people approach this industry with reluctance.

24:12 - And they might think that it’s only used for terrorist financing, or something that we’re able to with data prove is not the case.

24:21 - So of course, we want to make this data public.

24:25 - So some of the other insights are that the transparency of blockchains means that we’re better situated to fight criminal activity than ever before.

24:35 - I like to say there’s not an equivalent data set in fiat where you can kind of go into some blockchain interface and see connections between criminals, and see how they’re moving their money, how their business is organized.

24:49 - And you can imagine that if you pair this with some real investigation chops, you can start to profile criminal rings that have– lots of criminal rings.

25:00 - And so there’s no equivalent data set that allows you to do this in fiat.

25:04 - It’s also never been more important to understand the use of cryptocurrencies and act quickly.

25:10 - Following the money on the blockchain provides important leads in complex investigations.

25:15 - And new techniques for generating leads are emerging.

25:18 - And finally, we are exploring new ways to– we’re always exploring new ways to empower customers and the like to figure out what’s happening with money laundering, because, I think, that’s one of the most exciting places that can be really disrupted effectively with blockchain analytics.

25:41 - So I think I’m going to end right there. And I think we will– I’ll just stop my share.

25:50 - OK. Yeah, a very interesting presentation.

25:54 - Thanks a lot, Kim. So we do have a couple of questions.

25:58 - So the first one, perhaps I will reframe it a little bit.

26:04 - So this analyzing blockchains, it brings a lot of very interesting sides regarding to this illicit activity, perhaps at the cost of some privacy.

26:16 - So what is your personal opinion in regards to the balance between these benefits about identifying this kind of activity and the privacy? Yeah.

26:29 - It’s a really good question. And I definitely understand why people are a little nervous about what we’re doing and are concerned and have privacy questions.

26:39 - And the first thing to say is that we are not personally identifying people and their behaviors and their wallets.

26:53 - And the deposit address research is not identifying people.

26:58 - And so what we do is exploit publicly available information, services, they have websites.

27:06 - They want you to come and do business with them.

27:10 - And we are just making a lot of connections around– we’re making a lot of connections that are basically publicly available, and creating this kind of phone book of cryptocurrency activity.

27:25 - Nothing is personally identifiable. And it’s, like I said, based on companies who have public websites and put their– give you cryptocurrency addresses to transact with.

27:38 - But I do think that it’s something that we need to always be engaging with.

27:44 - What’s the impact of this product feature we want to do on privacy? What are the costs and benefits? Is this important for the industry? It’s really important that people can feel safe interacting with cryptocurrency, and can feel like it’s not– that it is a well-regulated industry that people can safely engage in.

28:08 - I mean, that’s the way towards mass adoption.

28:10 - So you’re constantly weighing these costs and benefits.

28:15 - And I think that at Chainalysis, and I mean, you can ask me personally.

28:19 - I don’t know if– I can’t even disentangle them anymore.

28:22 - But I do think that potentially what we’re doing is required and a bare minimum requirement for getting to where maybe a lot of us want to go with this space, and hope that we can get there.

28:40 - But yeah, I mean it’s a tough question. I don’t have the perfect answer either.

28:48 - That’s fine. So I have another one.

28:51 - How often do your services lead to enforcement actions? And the follow-up question, do governments frequently request tracing for exposure? Sorry.

29:04 - Can you repeat that second one? Do governments frequently request tracing for exposure? Perhaps.

29:14 - So we don’t– I don’t have numbers on what percentage of law enforcement– we sell software to law enforcement.

29:28 - And I wish they would tell us all of the– everything about all the cases, just because I’m interested.

29:33 - But they don’t often tell us. It’s really sensitive what is going on.

29:41 - I mean, a lot of these cases are people have been working on investigations for years.

29:48 - And there’s a lot of really sensitive information specific to the law enforcement investigators.

29:54 - So there’s a reason why we’re not included in that side of things.

30:01 - We do get to learn about cases. Sometimes they release information publicly.

30:06 - And we’ll learn about it in a news announcement, and then kind of try and figure out what allowed them to come to this enforcement action.

30:18 - Was it– did they do all of it using our tool? Or was it they had reason to suspect someone, and then they used our tool to get more evidence so that they could have a more complete case? All of those things are part of the story.

30:38 - But yeah, so I don’t know exactly how much people– and we are hired.

30:45 - In answer to the second question, we do have a professional services arm.

30:48 - So a lot of people who know that cryptocrime is happening in their jurisdiction might not be cryptocurrency experts.

30:55 - So you can hire us. And we have investigators who will kind of either do an investigation, or help you with an investigation.

31:02 - And that is one of the services that are offered at Chainalysis.

31:09 - Yeah. Great. Unfortunately, our time is over.

31:14 - But I would like to say thank you once again.

31:17 - Thank you. A very insightful presentation, conversation.

31:21 - Thank you so much. Well, this concludes our morning schedule.

31:28 - Now we’re going to have the lunch break. And the presentations will resume in about an hour.

31:34 - So please join us on the [INAUDIBLE] and [INAUDIBLE].

31:38 - And we’ll be back at 1:10 PM with the session “Recent Developments in Bitcoin Core.” See you soon.
