Crypto-related hacks have fallen in frequency since the great crypto bust of 2018 – or at the very least, they don’t grab headlines like they once did. They’ve also become an accepted risk of trading in crypto: Gone are the days when a devastating hack like the one that brought down Mt. Gox back in 2014 had serious repercussions for the entire crypto market.
But that hasn’t deterred firms like Chainalysis, the respected crypto forensics firm that has reportedly helped the FBI and other US law enforcement agencies track illicit activity and bust money launderers using crypto, from exploring the methods used by hackers to conceal the provenance of stolen coins on a system that touts transparency as one of its biggest selling points.
During the course of its research, Chainalysis happened upon a surprising finding: Just as there are “whales” who hold concentrated portions of crypto wealth, so there are whale-like hackers who are responsible for much of the thievery that has plagued the ecosystem. According to a Wall Street Journal summary of Chainalysis’ findings, two groups of highly sophisticated criminals appear to have stolen some $1 billion in cryptocurrency, an amount that accounts for the majority of the money lost to hackers. Some $1.7 billion in crypto has been reported stolen over the years, mainly from exchanges (Mt. Gox and Bitfinex being two of the most infamous hacks).
Chainalysis spent about three months tracking the stolen funds in known hacks, and noted that there’s a slight chance that its analysis is incorrect.
The analysts at Chainalysis christened the groups “Alpha” and “Beta”. The MOs of the two groups differ in one important way. While established government-linked groups like the Lazarus Group have been identified as the culprits behind certain hacks (like the hack of South Korea’s Bithumb), Chainalysis said these two groups appear to be independent – and possibly amateur – criminals.
Chainalysis’ digital investigators determined that likely wasn’t the case when they analyzed the transaction flows from known hacks. The firm believes it has connected most of the hacks to two groups, which it labeled Alpha and Beta.
Alpha is “a giant, tightly controlled organization at least partly driven by nonmonetary goals,” Chainalysis said in its report. Beta, the second group, is smaller and less organized, a “heavily sanctioned organization absolutely focused on the money,” according to the report.
Chainalysis said the two hacker groups employed an extensive network of digital wallets to hide their tracks and later converted the money to physical cash through online exchanges and individual transactions. The stolen funds were transferred an average of 5,000 times before they were converted into cash, Chainalysis found.
Alpha tends to immediately begin shuffling the funds around, according to the report. One hack involved 15,000 transfers. The entity converted about three-quarters of its stolen funds into cash within an average of 30 days.
Beta, on the other hand, may sit on the stolen funds for up to 18 months, waiting for any publicity surrounding the hack to fade. “When they feel ready to cash out, they quickly hit one exchange, cashing out over 50% of funds within days,” the report said.
Though thieves prefer unregulated exchanges (as the bust of shadowy exchange BTC-e showed), they will sometimes use regulated exchanges to launder the funds, because by the time the funds have passed through so many transfers, even exchanges with stringent AML controls can’t trace them.