Crypto Crime Series: Decoding Hacks


As quoted in The Wall Street Journal, this post is the third and final in our “Crypto Crime” series, detailing the recent trends in crypto crime and our predictions for the coming year. Sign up here for access to the complete Chainalysis Crypto Crime Report: Decoding Increasingly Sophisticated Hacks, Darknet Markets, and Scams.


Following the money of two prominent hacking groups

While several reports have quantified the scale of cryptocurrency hacks, at Chainalysis we seek to “decode” hacking: that is, to gain insight into how and when hackers move assets after the initial crime, how long it takes them to cash out via an exchange, and whether this teaches us anything about who they are.

We took a look at hacks that target cryptocurrency organizations such as exchanges. These hacks involve large thefts, often stealing tens or even hundreds of millions of dollars directly from exchanges. Hacking dwarfs all other forms of crypto crime, and it is dominated by two prominent, professional hacking groups. Together, these two groups are responsible for stealing around $1 billion to date, at least 60% of all publicly reported hacks. And given the potential rewards, there’s no question hacking will continue; it is the most lucrative of all crypto crimes.

How hacked funds move through the cryptocurrency ecosystem

On average, the hacks we traced from the two prominent hacking groups stole $90 million per hack. The hackers typically move stolen funds through a complex array of wallets and exchanges in an attempt to disguise the funds’ criminal origins. The hackers then often observe a quiet period of 40 or more days in which they don’t move funds, waiting until interest in the theft has died down. Once they feel safe, they move quickly. At least 50% of the hacked funds are cashed out through some conversion service within 112 days.

Both hacking groups seek to evade detection between the hack and their exit, but they use different approaches to achieve these ends. For example, we suspect that one of the prominent hacking groups, which we’ll refer to as group Alpha, is a giant, tightly controlled organization at least partly driven by non-monetary goals. By contrast, the second hacking organization, group Beta, seems to be a smaller, less organized group absolutely focused on the money. They don’t appear to care very much about evading detection.


Working together to contain the damage

Until now, exchanges and law enforcement have had limited ability to track hacked funds. Furthermore, exchanges are regularly processing the stolen funds, allowing the hackers to convert the funds to traditional currencies or other cryptocurrencies. This is in part because unless you’re the exchange that was hacked, these funds look like they have come from legitimate owners (that is, the original entities who were hacked); it is hard to tell which funds have been stolen and which haven’t without specialized investigation software.

A working knowledge of how hackers move funds can equip legitimate participants to identify unusual spikes in transactions that may be tied to criminal activity. Cooperation between exchanges also goes a long way to help fight crime in this ecosystem. Neutral intermediaries between exchanges can play an important role in this effort.
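An added example (not Chainalysis code or methodology) of how an exchange or analyst could screen transfer records for the pattern described above: an address that holds funds through a quiet period of 40 or more days and then moves most of them out quickly. The 40-day threshold comes from the post; the 3-day burst window, the 50% share, and the ledger rows are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime as D, timedelta

QUIET_DAYS = 40        # quiet period described in the post
BURST_WINDOW_DAYS = 3  # assumption: what "move quickly" means
BURST_SHARE = 0.5      # assumption: share of holdings leaving in that window

# Constructed sample ledger: (time, sender, receiver, amount)
TRANSFERS = [
    (D(2019, 1, 1), "victim_hot_wallet", "addr_A", 900.0),
    (D(2019, 1, 2), "addr_A", "addr_B", 400.0),
    (D(2019, 1, 5), "payroll", "addr_C", 10.0),
    (D(2019, 1, 12), "addr_B", "svc_1", 50.0),
    (D(2019, 1, 22), "addr_B", "svc_1", 50.0),
    (D(2019, 2, 1), "addr_B", "svc_1", 50.0),
    (D(2019, 2, 20), "addr_A", "exchange_deposit", 300.0),
    (D(2019, 2, 21), "addr_A", "exchange_deposit", 150.0),
    (D(2019, 3, 20), "addr_C", "shop", 1.0),
]

def flag_dormant_then_burst(transfers, quiet_days=QUIET_DAYS,
                            window_days=BURST_WINDOW_DAYS, share=BURST_SHARE):
    """Return {address: details} for addresses that sat idle, then drained fast."""
    events = defaultdict(list)  # address -> [(time, signed amount)]
    for ts, src, dst, amount in transfers:
        events[src].append((ts, -amount))
        events[dst].append((ts, amount))
    flagged = {}
    for addr, evs in events.items():
        evs.sort()
        balance, last_ts = 0.0, None
        for i, (ts, delta) in enumerate(evs):
            idle = ts - last_ts if last_ts else timedelta(0)
            # Candidate: an outflow from a funded address after a long silence.
            if delta < 0 and balance > 0 and idle >= timedelta(days=quiet_days):
                end = ts + timedelta(days=window_days)
                out = sum(-d for t, d in evs[i:] if t <= end and d < 0)
                # Dormancy alone is common; require that most funds leave at once.
                if out >= share * balance:
                    flagged[addr] = {"idle_days": idle.days, "burst_start": ts,
                                     "share_moved": round(out / balance, 2)}
                    break
            balance += delta
            last_ts = ts
    return flagged

if __name__ == "__main__":
    for addr, info in flag_dormant_then_burst(TRANSFERS).items():
        print(addr, info)
```

In the sample, `addr_C` is also dormant for more than 40 days but moves only a small share of its balance, so it is not flagged; a hit is a lead for review, not proof of theft.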

Read the Full Report

To see our full research on this topic, sign up to receive access to the complete Chainalysis Crypto Crime Report: Decoding hacks, darknet markets, and scams.


How Transaction Monitoring Works at Chainalysis

One of the reasons Chainalysis KYT is so popular is that it uses global anti-money laundering (AML) standards common across regulatory bodies. We apply these standards when each transaction is screened.

Cryptocurrency businesses also need to understand the aggregate risk profile of each of their users. That’s why Chainalysis KYT provides a view of risk profiles at the user level, which reflects all of a user’s screened transactions. For example, if an organization has a user who receives funds from a darknet market, our software automatically flags that transaction as high risk. If the user sends funds to a regulated exchange, our software marks that transaction as low risk. And so on. Every screened transaction feeds into a user’s risk profile. Chainalysis KYT displays all user profiles, sortable by high, medium or low risk (using traffic light colors) for easy scanning.

We apply our risk methodology in real time to all users within an organization’s user base. This saves compliance teams from laborious, manual screening work. They can instead focus on developing comprehensive compliance programs. Organizations that work with us tell us this has enabled them to meet regulatory expectations and launch or grow their businesses.

Customizable risk level

We’re now giving our customers the ability to adjust the risk level of a category or a service. For example, not all jurisdictions around the world treat gambling the same way. In some countries, gambling is not considered a legitimate business activity and thus online gambling sites would be treated as high risk. In other countries, gambling is not considered illicit, which means properly licensed online gambling sites would be treated as low risk.

The ability to customize the risk level of categories and specific services means our customers can automate even more of their compliance workflows.

Organization-wide dashboard

One of the most useful facets of Chainalysis KYT is having a view of all users and their risk profiles directly accessible upon first logging in. It provides a visual alert of which users have high risk profiles and therefore require the most immediate attention. In keeping with the spirit of simplified visual cues, we have now launched a dashboard that summarizes key indicators at the total organization level. For example, organizations can now see what percentage of their user base is falling under high, medium or low risk. They will soon be able to see things like total exposure by category, or total transaction volume per day. These and other metrics will provide our customers additional understanding of their organization’s total exposure trends over time.

In-app chat

At Chainalysis, we strive to provide as much support to our customers as we can. To make it easier to interact with us, we added in-app chat to Chainalysis KYT. This allows our customers to send us questions or feedback without having to leave the environment. Our team typically responds within minutes.

Looking ahead

We know software is most valuable when it makes the lives of our customers easier and more productive. This means we’ll continue to add intuitive capabilities to our compliance products while increasing versatility for ongoing transaction monitoring. In the coming months, we will improve how transaction information is displayed. We will also boost our monitoring capabilities for other cryptocurrencies beyond Bitcoin. And we will deepen the integration with Chainalysis Reactor, which is used for enhanced due diligence and investigations.

The momentum around cryptocurrency compliance is only just starting and we look forward to continuing to offer software that builds trust in blockchains.


Chainalysis Team
