When an attacker extorts a victim with ransomware and successfully receives a payment in bitcoins, the transaction is recorded on the blockchain, and the receiving wallet is marked as holding dirty money, which cybercriminals will attempt to launder in multiple ways. This is the final stage in obtaining real profit from scams, online thefts, and other cyberattacks.
The laundering of funds from cybercrime operates within a complex web of money transfers. It is a maze of cryptocurrency transactions and conversions between cryptocurrencies and fiat currencies. Thus, investigators tracking the trail of these funds have their work cut out for them. “In the end, this activity has generated a shadow economy, but a global one, incredibly large and complex,” says Raúl Orduna, head of Digital Security at the Basque technological center Vicomtech. “Once someone has carried out a cyberattack, the key is how they manage to access the obtained money.”
For 2023, the laundering of illicit funds linked to cryptocurrencies is estimated at about $22.2 billion, according to calculations in the 2024 Crypto Crime Report prepared by Chainalysis, a company known for investigating threats in blockchain networks. The same report notes that, compared with the previous year, the total value transferred to illicit blockchain addresses—akin to checking accounts for storing cryptocurrencies—was $40.9 billion, although it estimates that the figure could reach $51.3 billion.
Cybercriminals aim to convert this enormous volume of illegally sourced funds into clean money. “Typically, attackers receive the money in Bitcoin or other cryptocurrencies, and then they try to access it without revealing their identities. They use various mechanisms, such as exchanges or mixers, to launder the money. In this process, the money moves to different blockchain addresses, and then some of this money sometimes returns to the real economy,” summarizes George Smaragdakis, a professor of Cybersecurity at Delft University of Technology in the Netherlands.
To untangle this mess, several terms and how they connect must be clarified. This is what both Smaragdakis and Raúl Orduna are attempting to do. They both collaborate on the Horizon Project, a European initiative that involves businesses, public and private research centers, and police from various countries. Its purpose is to improve the EU’s preparedness against cyber threats, and part of this involves understanding how cybercriminals actually make real profits.
In the world of cryptocurrencies, which is key to understanding how laundering is done, a wallet controls multiple blockchain addresses that can receive or send funds. “Transactions on the blockchain are anonymous, but access is open. So, we can analyze money flows and detect money laundering patterns even if we don’t know who they belong to,” highlights Orduna. Investigators look for signals indicating where services akin to banking are being offered, but in the crypto sector and under anonymity.
They focus particularly on certain systems within blockchain networks, such as an escrow or a mixer. The former consists of a smart contract that allows holding the money transferred by one party. The blockchain keeps it as a deposit until the conditions of the contract are fulfilled. Then, it is automatically delivered to the recipient. Mixers, or money mixing services, were developed to increase the anonymity of transactions, and some cybercriminals may use them. “A mixer prevents you from tracking the sources of that money, accelerating exchanges between different cryptocurrencies to lose track of who pays whom,” explains Orduna.
“You might find the origin of the money, because it is probably the victim or someone representing the victim,” points out Smaragdakis. But he adds that after many transactions, the trail is lost. “Let’s say you have thousands or hundreds of bank accounts. If they find something suspicious in one of them, they close it, but you still have all the others. It is not easy to open many bank accounts, but it is easy to open many blockchain addresses.”
With this technical infrastructure, cybercriminals try to sow confusion. “Before, they had a blockchain address where they gathered money from many victims. But now the trend has changed, and they have an address for each victim’s money. Sometimes, for a single victim, many blockchain addresses are used,” elaborates the professor from Delft University of Technology.
Thus, cybercriminals do not have the equivalent of half a million dollars in one blockchain address but rather have many addresses with a balance of 100 dollars, for example. This is much harder to trace. And then comes the next step in laundering. “They can mix the funds with other sources of money or put it into a casino that accepts cryptocurrencies, just as is done with real money. By making many micro-bets with low profit and low risk, they lose money but what they obtain is clean money that they can later cash out as fiat currency,” explains Orduna.
Another way to launder funds would be through exchanges, cryptocurrency trading platforms such as Binance or Coinbase. However, such entities are required to implement anti-money laundering policies, just like financial institutions would. Anyone who has opened an account on one of these exchanges would have had to upload a photograph of their ID and take a selfie, which will be cross-checked with the ID photo. Thus, users are identified, and the police can request information about them with a court order.
So these exchanges are off-limits for cybercriminals. Instead, they turn to other types of entities that allow them to exchange their funds. “Their flow of movement is equal to or similar to that of registered exchanges. So, beware; here is someone who is acting like an exchange but is not on the list of registered entities,” emphasizes Orduna, whose team tries to detect these types of platforms through movement patterns.
Knowing how a legal exchange behaves, investigators can develop a model regarding this type of activity and look for traces of it throughout the blockchain networks. They work with digital behavior models, based on the detected activity of cybercriminals or the tools they might use for laundering. At this point, the Vicomtech team collaborates closely with researchers from the authorities.
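As an added illustration, not code from the article, Vicomtech or the Horizon Project, the toy flow analysis below runs over a constructed ledger that encodes two of the patterns described above: the per-victim fan-out into many small single-use addresses that are drained to one collector, and an unregistered address whose deposit/withdrawal shape resembles that of a registered exchange. Address names, amounts, thresholds and the allow-list are all assumptions.

```python
from collections import defaultdict

# Constructed ledger of (sender, receiver, amount); not real chain data.
TXS = [
    ("victim1", "a1", 100), ("victim1", "a2", 100), ("victim1", "a3", 100),
    ("victim2", "a4", 100), ("victim2", "a5", 100),
    ("a1", "svc", 100), ("a2", "svc", 100), ("a3", "svc", 100),
    ("a4", "svc", 100), ("a5", "svc", 100),
    ("svc", "o1", 95), ("svc", "o2", 95), ("svc", "o3", 95),
    ("svc", "o4", 95), ("svc", "o5", 95),
    ("u1", "reg_hot", 30), ("u2", "reg_hot", 30), ("u3", "reg_hot", 30), ("u4", "reg_hot", 30),
    ("reg_hot", "w1", 28), ("reg_hot", "w2", 28), ("reg_hot", "w3", 28), ("reg_hot", "w4", 28),
]
REGISTERED = {"reg_hot"}  # constructed allow-list of known registered-exchange addresses

def flows(txs):
    """Per-address inbound/outbound counterparties and volumes."""
    f = defaultdict(lambda: {"in": set(), "out": set(), "vin": 0, "vout": 0})
    for src, dst, amt in txs:
        f[src]["out"].add(dst)
        f[src]["vout"] += amt
        f[dst]["in"].add(src)
        f[dst]["vin"] += amt
    return f

def pass_through_fanout(txs, min_addrs=3):
    """Sources funding >= min_addrs single-use addresses that each forward their whole balance to one shared collector."""
    f = flows(txs)
    found = {}
    for src, d in f.items():
        by_sink = defaultdict(list)
        for a in d["out"]:
            fa = f[a]
            # single-use: funded only by src, sends everything to exactly one place
            if fa["in"] == {src} and len(fa["out"]) == 1 and fa["vin"] == fa["vout"]:
                by_sink[next(iter(fa["out"]))].append(a)
        for sink, addrs in by_sink.items():
            if len(addrs) >= min_addrs:
                found[(src, sink)] = sorted(addrs)
    return found

def exchange_like(txs, registered, min_parties=4, tol=0.2):
    """Unregistered addresses with many distinct depositors and withdrawers and roughly balanced volume."""
    hits = []
    for addr, d in flows(txs).items():
        if addr in registered or d["vin"] == 0:
            continue
        balanced = abs(1 - d["vout"] / d["vin"]) <= tol
        if len(d["in"]) >= min_parties and len(d["out"]) >= min_parties and balanced:
            hits.append(addr)
    return sorted(hits)
```

On the constructed ledger, `svc` is flagged as exchange-shaped while the allow-listed `reg_hot` with the same shape is not, and `victim1`'s three pass-through addresses are grouped by their common collector.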
“We gather more or less abstract requirements about what the [State Security Forces] need, what information and relationships they consider useful. We look for examples to identify that activity or generate synthetic data that has that structure to develop intelligent models and test them with this fictional, anonymous data,” explains Orduna. Once it has been verified that the model works, it goes to real investigation, now in the hands of the competent authority.
A large portion of cybersecurity research is dedicated to understanding how attacks occur, improving defenses, anticipating breaches, and mitigating intrusions. But these researchers have another task: to trace the money. And their work is vital to making it difficult for attackers to profit, a way to minimize their economic incentive.