Anonymity Services’ Usage of Cryptocurrency and Role in Cybercrime

The term anonymity services refers to a loose category of products and services that allow users to maintain an internet business or presence with greater privacy. These include:

  • Virtual private networks (VPNs)
  • Virtual SIM cards
  • Encrypted communication
  • Anonymous postage
  • Bulletproof hosting

Perhaps unsurprisingly, many of these services allow customers to pay for them using cryptocurrency, adding another layer of privacy. While all the examples of anonymity services we list above are perfectly legal and have plenty of legitimate use cases, the extra privacy they afford makes them attractive tools for cybercriminals. Therefore, it’s important that compliance and law enforcement professionals understand how to find these providers and analyze their transactions on the blockchain. Likewise, we would encourage any anonymity services provider accepting cryptocurrency payments to use a tool like Chainalysis KYT or partner with a merchant services provider who does in order to limit the possibility of accepting payments from a criminal entity.

Below, we’ll examine each type of anonymity service listed above more closely and show you an example of a provider accepting cryptocurrency payments.

VPN services

VPNs allow users to navigate the public internet as if they were connected to a private network, often with encryption for heightened security. Many companies use VPNs to let employees access corporate tools and data while outside of the office. However, many providers now offer VPN services to the masses, allowing users to mask their true IP address with one provided by the service and thereby browse the internet as though they were in a different location of their choosing. It’s worth noting that many of these services don’t meet the technical definition of a true VPN despite marketing themselves this way.

VPNs have several positive applications, especially for people in countries with restrictive internet policies. For instance, many internet users in China rely on VPNs to circumvent the country’s firewall and visit censored websites. However, cybercriminals also use VPNs as an extra layer of security. In cases where such cybercriminals use cryptocurrency to purchase VPN access, law enforcement could have an opportunity to track the transactions and uncover more of the suspect’s cryptocurrency transactions, or even subpoena the VPN provider for more information.

SecureVPN.to is an example of a VPN service that accepted cryptocurrency payments. While no longer active, we can still analyze its prior transactions using Chainalysis Reactor.

While active between September 2014 and December 2016, SecureVPN.to received 131.9 BTC, mostly in small transactions of around 0.02 BTC that appear to be payments from customers. Its largest counterparties by volume are safe, compliant exchanges such as Kraken and Coinbase. However, we also see that SecureVPN.to received funds from mixers like SharedCoin, which, while not illegal, should be considered high-risk. We also see that SecureVPN.to received funds from darknet markets like Abraxas Market, which strongly suggests a darknet market administrator or vendor purchased services from the VPN provider.

Virtual SIM cards

Virtual SIM card providers allow users to get a working phone number for any region whenever they need one. There are several legitimate use cases for virtual SIM cards, such as avoiding roaming charges while travelling, conducting business overseas with a local phone number, and using other devices such as tablets for phone calls.

However, virtual SIM cards have illicit use cases as well. Cybercriminals often use them to communicate more anonymously or to sign up for various online services that require a phone number, such as social media sites or even fintech platforms, with a fake number that can’t be traced back to their real-life identity.

VirtualSim.net is an example of a virtual SIM card provider accepting cryptocurrency payments.

Since its addresses became active in June 2017, VirtualSim.net has received 13.77 BTC from customers. Its counterparties appear mostly safe, but similarly to SecureVPN.to, it has direct exposure to darknet markets, having received over $1,000 worth of Bitcoin from the darknet market Hydra Marketplace.

Encrypted communications

The encrypted communications category covers a wide range of services that use high-grade encryption to enable greater privacy in online communication. In addition to encryption, these services often offer other privacy-enhancing features like self-destructing messages.

Encrypted communications platforms provide a vital service. Many journalists and whistleblowers, for instance, rely on them to exchange sensitive information with lower risk of exposure. However, as with all anonymity services, privacy cuts both ways. Cybercriminals can also take advantage of the increased anonymity offered by encrypted communications services, making it more difficult for law enforcement to track them.

Below, we’ll examine some of the cryptocurrency transactions made by ProtonMail, one of the leading encrypted email platforms.

During these addresses’ period of activity between November 2017 and May 2020, ProtonMail received 206.57 BTC. Most of its receiving volume comes from exchanges and other safe service categories, though we also see exposure to high-risk exchanges, as well as direct transactions with Hydra Marketplace.

Anonymous postage

Anonymous postage is the only anonymity service category we’ll cover here that isn’t directly related to online activity, but is still important to understand because of its role in cybercrime. As the name would suggest, anonymous postage services allow users to buy stamps and shipping labels without submitting any personally identifying information (PII). While anonymous postage isn’t illegal in its own right, darknet market vendors frequently rely on these providers, as they need to buy postage to ship drugs to their customers.

We can see an example of this in analyzing the transactions of Anderson Burgamy, who sold opioids as a darknet vendor under the name NeverPressedRx until his arrest in April of 2020.

On the left, we see NeverPressedRx transacting with addresses hosted at Empire Market, his darknet market of choice. On the right however, we see him sending 0.24 BTC to Bitcoinpostage.info for 19 separate orders of postage in order to run his operation.

Bulletproof hosting

Nearly every website we use relies on a web hosting service to provide server space in order to make the site accessible on the world wide web. Bulletproof hosting providers differentiate themselves in this crowded space by allowing customers to pay for web hosting anonymously and by being generally lenient about the content they’ll allow clients to host.

While many website creators have good reason to remain anonymous, bulletproof hosting providers naturally attract controversial or even criminal users. For instance, darknet markets, sites facilitating prostitution and sex trafficking, and phishing sites set up to steal customers’ information by mimicking legitimate businesses’ websites often rely on bulletproof hosting providers to stay up and running.

Below, we’ll examine some of the cryptocurrency payments received by Black Host, a popular bulletproof hosting provider.

According to Reactor, Black Host has received 12.49 BTC since May 2016. At first glance, its transaction history appears relatively safe, with most of the bitcoin it received coming from safe exchanges and minimal exposure to riskier services like high-risk exchanges and mixers. However, that isn’t the whole story. Earlier this year, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) sanctioned two individuals for their role in helping the North Korea-affiliated cybercriminal syndicate Lazarus Group launder funds stolen in cryptocurrency exchange hacks. Our analysis of those addresses’ activity strongly suggests that Black Host received payment from an address also linked to the North Korean hacking group. You can read the full analysis in our intelligence brief here.

Don’t let cybercriminals abuse these vital services

Anonymity services fill an important role, particularly for those living under authoritarian regimes, and the cryptocurrency transactions they conduct should not be considered suspicious in and of themselves. Nonetheless, these services by their very nature attract cybercriminals. Because of this, it’s crucial that anonymity service providers, compliance professionals, and law enforcement are equipped to work together in analyzing payments to these companies when relevant to criminal investigations.