How Hackers Launder Their Stolen Cryptocurrency Funds From Cybercrime

by Sunny Hoi

Alexander Vinnik, a former owner of the cryptocurrency exchange BTC-e, was arrested by Greek police in July 2017 at the request of the U.S. Department of Justice on money laundering charges. The total amount thought to have been laundered through the platform exceeds 4 billion USD.

Exchange hacks, ransomware that demands payment from victims in cryptocurrency, and ICO hacks are common incidents in the cryptocurrency domain.

Notably, it is estimated that about 1.1 billion USD in cryptocurrency was stolen by cybercriminals and hackers in the first half of 2018. Cybercriminals are increasingly moving away from Bitcoin as their favored digital currency for ransomware demands and toward other cryptocurrencies such as Monero, Dash and Zcash. Monero, for example, was launched in 2014 and provides enhanced privacy and security features that prevent transactions from being traced back to users and keep transaction histories from being observed. Nevertheless, Bitcoin is still preferred by many cybercriminals due to its popularity.

This article addresses the methods that hackers and cybercriminals use to launder cryptocurrency stolen or extorted through cybercrime so that the proceeds can ultimately be spent as legitimate funds.

Cryptocurrency Tumblers

Cryptocurrency tumblers, also known as cryptocurrency mixing services, are services that let users obfuscate the origin of their digital currency funds.

The expectation behind coin mixing is that tainted coins will eventually come out of the tumbling process clean.

Coin mixing employs an anonymization technique named CoinJoin, which packages various transactions together to conceal the source of the original coins. For instance, John wishes to send $30 in Bitcoin to address B, and Vanessa wishes to send $50 in Bitcoin to address C. CoinJoin operates by combining both of those payments, possibly with thousands of additional payments, into a set of thousands of transactions that ultimately pay out John’s $30 to B and Vanessa’s $50 to C. Because tumblers pool funds from several sources, it is difficult to identify the final address of any given units.
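From an investigator's side, the joint transactions described above leave a recognizable shape on the blockchain. The following is an added example, not code from the original article: a simplified heuristic that flags CoinJoin-like transactions as those with several distinct input addresses and a matching group of identical-value outputs. The transactions, address labels and the `min_participants` threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample transactions (not real chain data); values in satoshis.
# Each input/output is an (address_label, value) pair.
SAMPLE_TXS = {
    "tx_payment": {  # ordinary payment with change
        "inputs": [("addr_john", 150_000)],
        "outputs": [("addr_B", 100_000), ("addr_john_change", 49_000)],
    },
    "tx_join": {  # four participants, four equal outputs plus change
        "inputs": [("addr_p1", 120_000), ("addr_p2", 130_000),
                   ("addr_p3", 105_000), ("addr_p4", 160_000)],
        "outputs": [("addr_o1", 100_000), ("addr_o2", 100_000),
                    ("addr_o3", 100_000), ("addr_o4", 100_000),
                    ("addr_c1", 19_000), ("addr_c2", 29_000),
                    ("addr_c3", 4_000), ("addr_c4", 59_000)],
    },
    "tx_batch_payout": {  # one sender paying equal amounts: not a join
        "inputs": [("addr_service", 500_000)],
        "outputs": [("addr_r1", 100_000), ("addr_r2", 100_000),
                    ("addr_r3", 100_000), ("addr_r4", 100_000),
                    ("addr_service_change", 99_000)],
    },
}

def coinjoin_score(tx, min_participants=3):
    """Return (is_candidate, anonymity_set, denomination) for one transaction."""
    input_addrs = {addr for addr, _ in tx["inputs"]}
    value_counts = Counter(value for _, value in tx["outputs"])
    # The most frequent output value is the candidate mixing denomination.
    denomination, anonymity_set = value_counts.most_common(1)[0]
    is_candidate = (
        len(input_addrs) >= min_participants      # several funding parties
        and anonymity_set >= min_participants     # several identical outputs
        and anonymity_set <= len(input_addrs)     # at most one per participant
    )
    return is_candidate, anonymity_set, denomination

def flag_candidates(txs):
    """Return the sorted ids of transactions matching the heuristic."""
    return sorted(txid for txid, tx in txs.items() if coinjoin_score(tx)[0])

if __name__ == "__main__":
    for txid, tx in SAMPLE_TXS.items():
        print(txid, coinjoin_score(tx))
```

A match only marks a transaction for closer review; the equal-value outputs are exactly what prevents an analyst from pairing a specific input with a specific output.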

After the NotPetya ransomware cyber attack in 2017, investigators traced the Bitcoin wallet addresses that were linked to the hackers. Following a couple of days of inactivity, the cybercriminals started to move the funds, and it became evident that they were using a Bitcoin mixer.

The coins moved through a large number of addresses, including a large-volume address that was possibly the wallet of a lawful exchange. The investigators estimated that the funds moved through over 2,373 wallet addresses. Laundering at this scale matters because it makes it extremely burdensome, if not impracticable, to identify the Bitcoin the hackers were attempting to clean. With cryptocurrency mixing services, the hackers successfully gained access to their unlawfully acquired funds.

Decentralized Exchanges

Cybercriminals and hackers use decentralized exchanges (DEX) to launder their illicit funds. Essentially, decentralized exchanges are cryptocurrency exchanges that permit peer-to-peer trading without a central authority holding investors' funds.

As a result of their design, users do not need to disclose any information to take part in the network. Consequently, hackers may use such platforms to exchange their tainted coins for others. This is a crucial tool for cybercriminals, since centralized exchanges such as Coinbase have been known to refuse coins they deem tainted by unlawful activity. Decentralized exchanges therefore give cybercriminals an alternative.

Anonymous Exchanges

Anonymous exchanges are platforms on which users may buy or sell digital currencies without disclosing their identity. With the onset of regulation and rigorous KYC/AML policies, the majority of conventional exchanges require users to verify their identities before using the platform. Consequently, it is straightforward to trace any spending.

Anonymous exchanges offer an alternative. A user may use these platforms without supplying any personal information. Accordingly, cybercriminals may use such services to exchange their tainted coins for other cryptocurrencies. Even though the outputs from the hackers’ bitcoin wallets will be visible on the blockchain, once the funds are converted into another digital currency, any further investigation becomes increasingly onerous because the trail turns cold.

This is particularly true when the digital assets obtained are privacy-focused cryptocurrencies such as Monero, since these cryptocurrencies have built-in features designed to preserve financial privacy and anonymity. After such an asset trade, the tainted funds can be spent without any problems.

CoinSwitch, Flypme, and MorphToken are anonymous exchanges that permit cryptocurrency trading without disclosing any personal information. Users do not have to sign up. Such exchanges facilitate instant asset trades across different blockchains. This means that you may trade, say, Bitcoin (BTC) for Monero (XMR). This has noticeable benefits for a hacker looking to move their funds. Even without taking privacy-focused cryptocurrencies into account, hackers profit from the additional trail obfuscation that comes with a cross-blockchain asset exchange.


Although it is certainly feasible for hackers and cybercriminals to launder their stolen cryptocurrency funds successfully, the entire process typically takes a long time. This is notably true when the sums are substantial. Furthermore, cybercriminals usually use several methods to cash out the funds.

Additional techniques used by cybercriminals to cash out small sums include Bitcoin Automated Teller Machines (ATMs) and prepaid Bitcoin debit cards, specifically for amounts below the level that demands KYC-compliant registration.

With more choices in privacy-focused tokens, cybercriminals are no longer confined to using Bitcoin. They may choose to adopt another token exclusively or use several tokens.
