Crypto-exchange exploits OpSec mistakes to bust crooks
The Binance cryptocurrency exchange has explained how advances in data analytics helped it track down a group of money launderers involved with various cybercrimes, including the notorious Clop ransomware scam.
Ukrainian police announced the arrest of individuals and the takedown of infrastructure related to the ‘Clop’ ransomware operation earlier this month.
Binance’s statement confirms that those arrested were cashing out and laundering funds, rather than being behind the creation of the ransomware.
The group – also known as FANCYCAT – had their fingers in numerous criminal scams including laundering money for dark web operators as well as ransomware peddlers.
Follow the (digital) money
As with drug money, funds extracted from victims through criminal activity such as ransomware need to be disguised before they can be safely spent in the real world on goods. That’s because any funds tied back to criminal activity can become the target of forfeiture orders.
Even if money is already in digital form there is a need to launder it, with abusing exchanges being one of the main techniques in play.
“Blockchain analysis shows a network of money launderers living inside macro exchanges which deposit and withdraw to each other to wash the money,” according to Binance, the Cayman Islands-domiciled crypto exchange.
Based on this insight, Binance was able to apply detection mechanisms to identify and interdict suspect accounts before working with law enforcement to build cases and take down criminal groups, as it explained in a blog post about the investigation.
We applied the two-pronged approach to the FANCYCAT investigation: our AML detection and analytics program detected suspicious activity on Binance.com and expanded the suspect cluster. Once we mapped out the complete suspect network, we worked with private sector chain analytics companies TRM Labs and Crystal (BitFury) to analyze on-chain activity and gain a better understanding of this group and its attribution.
Based on our analysis we found that this specific group was not only associated with laundering Clop attack funds, but also with Petya and other illegally-sourced funds. This led to the identification and eventual arrest of FANCYCAT.
We are continuing to investigate the FANCYCAT criminal syndicate across multiple jurisdictions and the connections associated with other cyber-attacks.
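The quoted passage describes two analytic steps: expanding a suspect cluster outward from known accounts, and spotting accounts that deposit to and withdraw from each other. The Python below is an added illustration of that logic, not Binance’s code nor anything published by TRM Labs or Crystal. It runs over a constructed ledger of invented account labels, and the hop limit, the pass-through ratio and its threshold are assumptions chosen for the example.

```python
from collections import defaultdict, deque

# Constructed sample ledger of exchange-internal transfers:
# (source_account, destination_account, amount). Account names are invented
# for illustration and are not taken from the investigation described above.
TRANSFERS = [
    ("ransom_payout", "A1", 50.0),
    ("A1", "A2", 49.5),
    ("A2", "A1", 20.0),
    ("A2", "A3", 29.0),
    ("A3", "A2", 10.0),
    ("A3", "A4", 18.5),
    ("A4", "A3", 5.0),
    ("A4", "otc_cashout", 13.0),
    ("shop_customer", "M1", 2.0),  # unrelated, ordinary activity
    ("M1", "M2", 1.5),
]


def build_graph(transfers):
    """Adjacency sets in both directions plus per-account in/out totals."""
    out_edges, in_edges = defaultdict(set), defaultdict(set)
    inflow, outflow = defaultdict(float), defaultdict(float)
    for src, dst, amount in transfers:
        out_edges[src].add(dst)
        in_edges[dst].add(src)
        outflow[src] += amount
        inflow[dst] += amount
    return out_edges, in_edges, inflow, outflow


def expand_cluster(seeds, transfers, max_hops=3):
    """Breadth-first expansion from seed accounts along transfers in either
    direction. The hop limit (an assumed tuning value) keeps one popular
    counterparty from pulling the whole exchange into the cluster."""
    out_edges, in_edges, _, _ = build_graph(transfers)
    seen = set(seeds)
    queue = deque((s, 0) for s in seeds)
    while queue:
        node, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for neighbour in out_edges[node] | in_edges[node]:
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append((neighbour, depth + 1))
    return seen


def reciprocal_pairs(members, transfers):
    """Pairs of cluster members that both send to and receive from each
    other: the 'deposit and withdraw to each other' pattern."""
    out_edges, _, _, _ = build_graph(transfers)
    pairs = set()
    for a in members:
        for b in out_edges[a]:
            if b in members and a in out_edges[b] and a < b:
                pairs.add((a, b))
    return pairs


def pass_through_ratio(account, transfers):
    """Share of funds received that the account forwarded on (0.0 to 1.0)."""
    _, _, inflow, outflow = build_graph(transfers)
    if inflow[account] == 0:
        return 0.0
    return min(outflow[account] / inflow[account], 1.0)


def flag_wash_accounts(seeds, transfers, max_hops=3, min_ratio=0.7):
    """Cluster members that sit in a reciprocal pair and forward most of what
    they receive; these are the candidates an analyst would review first.
    The 0.7 threshold is an assumed value for the example."""
    members = expand_cluster(seeds, transfers, max_hops)
    in_pair = {acct for pair in reciprocal_pairs(members, transfers) for acct in pair}
    return sorted(a for a in in_pair if pass_through_ratio(a, transfers) >= min_ratio)


if __name__ == "__main__":
    print("cluster:", sorted(expand_cluster(["A1"], TRANSFERS)))
    print("flagged:", flag_wash_accounts(["A1"], TRANSFERS))
```

Starting from the single seed account A1, the expansion reaches the four hand-off accounts and the payout address but stops short of the cash-out counterparty at three hops, and the unrelated M1/M2 activity is never touched. Lowering the hop limit or raising the pass-through threshold trades recall for fewer false positives; on a real exchange the thresholds would be tuned against labelled cases rather than fixed as here.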
Earlier this year, Binance released a case study explaining how it worked with the Ukrainian Cyber Police to arrest a major cybercriminal group laundering over $42 million of illicit funds in a separate investigation.
All this work against money laundering has not gone far enough for some regulators, who are also concerned about the role of cryptocurrency exchanges in tax evasion.
Binance was ordered by the UK’s Financial Conduct Authority to stop all regulated activity in the United Kingdom, Reuters reports. Buying and selling cryptocurrencies is not regulated in the UK, but trading in derivatives is, and it seems to be the activities of Binance Markets in this area that have brought the whole company an unwelcome sanction.