Illicit Crypto Ecosystem Report: Page 1

A Comprehensive Guide to Illicit Finance Risks in Crypto

Illicit Crypto
Ecosystem Report
A Comprehensive Guide to Illicit
Finance Risks in Crypto

June 2023

trmlabs.com
Illicit Crypto Ecosystem Report: Page 2
A Comprehensive Guide to Illicit Finance Risks in Crypto

4 Introduction

Part I

Illicit Crypto
8 Illicit Commerce
22 Exit Scams
8 Illicit Drug Trafficking
9 Vendor Shops
23 Phishing

9 Cybercrime Services 24 Impersonation Scams

10 Bulletproof Hosting 24 Business Email Compromise
10 Credit Card (CC) Checkers 24 Illicit Commerce Scams
11 Illicit Trafficking of Stolen Goods 25 Blackmail Scams
11 Carding and Personally Identifiable Information (PII)
25 Other Scams
11 Intellectual Property Crime
25 Misappropriation of Funds
11 Human Trafficking and Migrant
Smuggling 25 Extortion
26 Ransomware
12 Child Sexual Abuse and Exploitation
Material (CSAM) 27 Blackmail
27 Kidnap for Ransom
13 Murder for Hire
27 Market Manipulation
28 Pump and Dump Schemes
14 Illicit Payments
28 Touting
14 Terrorist Financing 29 Front-Running
15 Bribery and Corruption 29 Insider Trading
16 Espionage 30 Tax Evasion
16 Export Control Evasion
16 Sanctions Evasion 31 Theft
17 Proliferation Financing 31 Hacks and Exploits
32 Smart Contract Attacks

18 Fraud and Scams 32 Code Exploits

32 Protocol Attacks
19 Investment Fraud
33 Infrastructure Attacks
19 Pyramid and Ponzi Schemes
33 Private Key Theft
20 Pig Butchering
33 SIM Swapping
21 Deceptive Smart Contracts
34 Robbery
21 Drainware
22 Spoof Tokens
Illicit Crypto Ecosystem Report: Page 3
A Comprehensive Guide to Illicit Finance Risks in Crypto

Part II

Money
Laundering
36 Placement
45 Darknet Marketplaces
36 Cash-to-Crypto
46 Inter-VASP Layering
37 Parasite VASPs
46 Payment Processors
38 High-Risk VASPs
46 Gambling
38 Darknet Marketplaces
47 Decentralized Finance (DeFi)
39 Payment Processors
47 Mining
39 OTC (Over-the-Counter) Desks
39 P2P Exchanges
48 Integration
48 Crypto-Fiat Value Transfer
40 Layering 48 Cash-to-Crypto
40 Mixers 49 High-Risk VASPs

41 Cash-to-Crypto 49 OTC Desks

49 P2P Exchanges
42 High-Risk Exchanges
49 Spend as Crypto
43 Programmatic Money Laundering
49 Real Estate
44 Chain-Hopping 50 Luxury Goods
44 Privacy Coins 50 Crypto Gift Cards

45 High-Risk and Parasite VASPs

51 Methodology

52 Conclusion and
Recommendations

trmlabs.com
Illicit Crypto Ecosystem Report: Page 4
A Comprehensive Guide to Illicit Finance Risks in Crypto

Introduction
QUICK LINKS

Introduction

Confounding expectations, the collapse in cryptocurrency prices since Part I — Illicit Crypto
2021 had no meaningful impact on the dollar value of crypto-related crime
in 2022. Indeed, TRM data reveals at least USD 7.8 billion paid into Ponzi or
Part II — Money
pyramid schemes, USD 1.5 billion spent on darknet markets specializing in Laundering
illegal drugs, and USD 3.7 billion stolen through hacks and exploits, based
on TRM Labs data.
Methodology
Among the possible reasons behind this resilience is crypto’s qualitative
leap away from Bitcoin domination towards a new multi-chain reality that
Conclusion and
has given rise to novel threats.
Recommendations
For example, in 2022, approximately USD 2 billion was stolen through at-
tacks on cross-chain bridges, which enable cryptocurrency to pass from one
blockchain to another. Criminals also increasingly rely on chain-hopping, or
moving funds through various blockchain networks, as part of their mon-
ey laundering strategies to obscure the source and destination of ill-got-
ten gains.

The multi-chain era has had a sweeping impact on the distribution of illic-
it crypto volume as a whole, where Bitcoin’s share plummeted from 97%
in 2016 to 19% in 2022. In 2016, two thirds of crypto hack volume was on
Bitcoin; in 2022, it accounted for just under 3%, with Ethereum (68%) and
Binance Smart Chain (19%) dominating the field. And while Bitcoin was the
exclusive currency for terrorist financing in 2016, by 2022 it was all but re-
placed by assets on the TRON blockchain, with 92%.

Yet until now, there has been no systematic attempt to create a holistic over-
view of this new illicit crypto ecosystem. In the first guide of its kind, TRM
Labs has identified, studied and classified over 40 types of criminal activity,
from espionage to SIM swapping and pump and dump schemes.
Illicit Crypto Ecosystem Report: Page 5
A Comprehensive Guide to Illicit Finance Risks in Crypto

This landmark report spans over 20 blockchains

and covers all major known forms of crypto-
mediated illicit finance, as well as the use of
cryptocurrency to launder the proceeds of crime.

The first section maps out criminal activities that generate crypto proceeds
of crime including illicit commerce, illicit payments, fraud, and theft. The
second section catalogs the way the crypto ecosystem is used in laundering
proceeds of crime, whether fiat or crypto.

Through original research, case studies and an analysis of specific risks, this
report offers insights into the complex dynamics of the illicit crypto ecosys-
tem and contributes to a better understanding of the challenges faced by
regulators, law enforcement agencies and industry stakeholders.

Understanding these risks is crucial for law enforcement to combat wrong-

doing, for financial institutions and businesses to ensure that their platforms
are not used to launder illicit funds, and for policy makers and regulators to
assess, respond to, mitigate and prevent the full gamut of blockchain-me-
diated illicit activity.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 6
A Comprehensive Guide to Illicit Finance Risks in Crypto

trmlabs.com
Illicit Crypto Ecosystem Report: Page 7
A Comprehensive Guide to Illicit Finance Risks in Crypto

Part I
QUICK LINKS

Illicit Crypto
Part I — Illicit Crypto

1. Illicit Commerce

2. Illicit Payments
This section presents an analysis of criminal activities that may generate
proceeds in cryptocurrency. While fiat currencies, particularly the US dol- 3. Fraud and Scams
lar, dominate illicit transactions, the utilization of crypto in illicit activity of-
fers critical benefits in the fight against financial crime. The transparent and 4. Theft
traceable nature of crypto transactions facilitates two unique benefits: (1)
the systematic measurement of illicit activity, leading to insights into crimi-
nal networks and typologies, (2) an ability to "follow the money" in criminal
investigations that is faster and more effective than following the money in
cash. By leveraging the transparency and traceability of crypto transactions,
we not only gain valuable tools for measuring illicit activity and understand-
ing criminal networks but also contribute to the development of a more re-
silient and secure financial ecosystem.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 8
A Comprehensive Guide to Illicit Finance Risks in Crypto

1. Illicit Commerce
QUICK LINKS

Part I — Illicit Crypto

Illicit commerce involves the trade of illegal goods and services. While the 1. Illicit Commerce
vast majority of illicit commerce continues to use fiat currency such as the
Illicit Drug Trafficking
US dollar, cryptocurrency is the preferred medium of exchange on dark-
net marketplaces, cybercrime forums, and on CSAM sites.Darknet markets
Cybercrime Services
(DNMs), which specialize in selling drugs and also offer personally identifi-
able information (PII), are the biggest drivers of illicit commerce using cryp- Illicit Trafficking of Stolen
tocurrency. A smaller and more elusive subset of illicit commerce concerns Goods
child sexual abuse materials (CSAM).
Human Trafficking and Migrant
Smuggling

Illicit Drug Trafficking

Child Sexual Abuse and
Exploitation Material (CSAM)
The crypto-mediated illicit drugs trade mostly takes place on DNMs - multi-
vendor online illicit global commerce platforms located on the “darknet”, an
Murder for Hire
encrypted section of the internet neither accessible from standard internet
browsers nor indexed by search engines.

An established form of transnational organized crime, DNMs combine an-

onymization networks and cryptocurrencies with encryption technologies.
They are distinct from independent single-vendor shops that also sell illicit
drugs, and from other types of fraud stores.

As much as USD 1.49 billion was spent on DNMs in 2022, according to TRM
Labs research. Over 80% of this was spent on Russian-language DNMs. By con-
trast, the largest Western Bitcoin DNM currently in existence – ASAP Market
– accounted for less than 10% of global DNM market share. Most Russian-
language DNMs only support Bitcoin, with no privacy coin options available.
This may reflect their lower perceived risk of being taken down by the author-
ities. By contrast, Western DNMs employ more on-chain operational security
measures and either offer Monero only or Monero alongside Bitcoin.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 9
A Comprehensive Guide to Illicit Finance Risks in Crypto

Vendor Shops
QUICK LINKS

Also known as single-vendor markets, vendor shops are online platforms Part I — Illicit Crypto
that host illicit drug sales for a particular vendor only. These independent
vendors use a range of online services, from darknet websites such as on- 1. Illicit Commerce
ion sites on the Tor network and eepSites on the I2P network, to automated
Illicit Drug Trafficking
Telegram bots, direct interactions on encrypted communication applica-
tions, and encrypted email services. Many vendor shop owners also trade
Cybercrime Services
simultaneously on DNMs.
Illicit Trafficking of Stolen
Generally offering a limited range of products, sometimes only one or
Goods
two types of drug, vendor shops first gained prominence in the wake of
Operation Onymous in 2014. That international law enforcement action Human Trafficking and Migrant
shut down several large DNMs, leading customers to seek alternative sourc- Smuggling
es of supply. TRM Labs data indicates that in 2022 vendor shops received
more than USD 230 million. Child Sexual Abuse and
Exploitation Material (CSAM)
Engaging directly with vendor shops carries greater risks for customers than
dealing with vendors on DNMs due to the absence of the neutral third-par- Murder for Hire
ty which provides the escrow service, manages transactions and mediates
disputes.

Cybercrime Services
Cybercrime services are illicit services such as bulletproof hosting, DDOS
attacks, exploits-as-a-Service, compromised accounts, credit card (CC)
checkers, botnet-as-a-service, flood attacks, spam attacks and online forums
dedicated to cyber crime activity, typically sold through darknet forums.
These forums play a significant role in connecting and driving cybercrime.
Cybercrime forums derive their income from registration fees, advertise-
ments, escrow services and account status upgrades.

Two prominent examples of such forums studied by TRM Labs are Exploit.in
and Cracked.io. Exploit is a Russian cybercrime forum established in 2005.
Discussions on the forum focus on sharing exploits and vulnerabilities of
various computer systems. Exploit is also a marketplace for initial access-
es, digital goods, malware and so-called zero-day vulnerabilities – security
flaws in a software application or system that are unknown to the vendor or
developer and for which no patch or fix has been released.

Cracked is a well-known English-language hacking forum, with more than

3.5 million users and 22.6 million posts on hacking, cracking, leaks and re-
lated topics. Cracked also includes a marketplace for illicit products. This
platform periodically changes its cryptocurrency wallets.
trmlabs.com
Illicit Crypto Ecosystem Report: Page 10
A Comprehensive Guide to Illicit Finance Risks in Crypto

Bulletproof Hosting
Bulletproof hosting services (BPHS) facilitate illicit threats such as botnets,
malware, CSAM content, cybercrime forums and ransomware while provid-
ing secure anonymous hosting for malicious content and activity. Not all
BPHS are illicit: many DDOS protection services also use the term bullet-
proof in their advertisements. TRM Labs tracks only entities that allow illicit
threats or content to be hosted, and which ignore abuse requests.

Bulletproof hosting providers may ignore abuse requests and other legal
requests because they are often based in countries that lack strict internet
regulations. Additionally, these providers may take steps to protect the ano-
nymity of their customers and prevent their identities from being revealed.
Some bulletproof hosting providers may also require little or no identifying
information from customers, making it difficult for authorities to track down
the owners of illicit websites. These services are also central to illicit actors
layering their identities online to obfuscate their illicit activity.

Most major BPHS entities require manual setup, including, for example, a
mass-scan of a network. Some entities also advertise the offerings on their
websites, allowing users to choose the configurations for their server from
a catalog, and pay in crypto at checkout. BPHS websites such as these often
use payment processors.

Credit Card (CC) Checkers

CC checkers are illicit darknet services used to validate compromised pay-
ment cards by conducting unauthorized micro-transactions at specific on-
line stores. They are also used to check whether a credit card number is
valid according to the rules for that card type, and whether the expiration
date and CVV code match the information held by the issuing bank. Some
CC checkers may also provide additional information about the card, such
as the type of card and the name of the issuing bank.

CC checkers are fully automated in terms of accepting payments. They usually

have their own websites and telegram bots, and can also work as built-in check-
ers within carding shops, by providing their API (application programming in-
terface) to the carding shop. Unlike cybercrime forums or BPHS, CC checkers
incur no fixed overhead expenses, which maximizes their profit margins.

4check, a prominent CC checker, raised USD 2.8 million worth of cryptocur-

rency from 16 Carding/PII (personally identifiable information) shops be-
tween January 2016 and October 2022. An on-chain investigation found
that the carding shops likely used 4check as a built-in CC checker. Two card-
ing shops, Bypass and Ferum, were 4check’s biggest customers, having
paid a total of USD 1.2 million each. trmlabs.com
Illicit Crypto Ecosystem Report: Page 11
A Comprehensive Guide to Illicit Finance Risks in Crypto

Illicit Trafficking of Stolen Goods

QUICK LINKS

Cryptocurrency has long been linked to the receipt and trafficking of sto- Part I — Illicit Crypto
len goods. The darkweb is replete with illicit marketplaces that accept cryp-
tocurrency in exchange for stolen credit card details, personally identifiable 1. Illicit Commerce
information (PII), counterfeit goods and other products. There have also
Illicit Drug Trafficking
been reports of darknet-enabled illicit commerce involving antiquities and
other significant cultural artifacts. Cybercrime Services

Carding and Personally Identifiable Information (PII) Illicit Trafficking of Stolen

Goods

Carding and PII shops are entities associated with buying, selling or distrib-
Human Trafficking and Migrant
uting payment card data and PII using cryptocurrencies. They range from il- Smuggling
licit marketplace platforms that act as brokers connecting buyers and sellers
of the compromised payment cards and PII data, to individual vendor shops Child Sexual Abuse and
that sell payment card and PII data. Exploitation Material (CSAM)

Murder for Hire

Intellectual Property Crime
Counterfeit products account for between 1.5% and 2.5% of all listings on
DNMs, according to Europol estimates. Most of that comprises counterfeit
banknotes and fake IDs. Other products available on the darknet that in-
fringe on intellectual property rights include:
• Clothes, textiles and accessories
• Electronics including mobile phones
• Jewelry
• Pirated software
• Pirated e-books
• Pharmaceutical products (especially lifestyle medicines, steroids and
hormones)
• Subscriptions to TV channels, music platforms and online game accounts
• Watches

Human Trafficking and Migrant Smuggling

Despite claims that crypto is used as a means of payment for human traffick-
ing, TRM research suggests that the most prominent nexus between crypto
and human trafficking is the use of human trafficking to prop up cryptocur-
rency scams and frauds.

For example, human trafficking victims have been found to be working in ille-
gal call centers run by Chinese criminal syndicates operating cryptocurren-
cy pig butchering scams. These scams rely on psychological manipulation
trmlabs.com
Illicit Crypto Ecosystem Report: Page 12
A Comprehensive Guide to Illicit Finance Risks in Crypto

to wipe out victims’ life savings on the promise of making large returns on QUICK LINKS
their investments. According to the FBI, people lured by false job adver-
tisements offering lucrative pay later have their passports confiscated and Part I — Illicit Crypto
are coerced into committing crypto fraud. More recently, authorities in the
Philippines reportedly rescued victims who had allegedly been trafficked to 1. Illicit Commerce
work in a crypto scam call center based in Cambodia.
Illicit Drug Trafficking

Child Sexual Abuse and Exploitation Material Cybercrime Services

(CSAM) Illicit Trafficking of Stolen

Goods
CSAM includes imagery or videos that show a child engaged in or depicted
as being engaged in explicit sexual activity. Human Trafficking and Migrant
Smuggling
TRM has analyzed over USD 3 million sent to cryptocurrency addresses in-
volved in CSAM activities online in 2022. More than two thirds of those pay- Child Sexual Abuse and
ments appear to have been made to CSAM scammers, who attempt to Exploitation Material (CSAM)
convince would-be buyers of CSAM images to pay for images or VIP access
to galleries that turn out not to exist. Murder for Hire

The disproportionate share of funds received by CSAM scammers, who adver-

tise widely on the darknet and deal almost exclusively in cryptocurrency, can
be explained at least in part by the fact that true CSAM vendors seldom pub-
licly promote their activity and continue to favor traditional finance channels.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 13
A Comprehensive Guide to Illicit Finance Risks in Crypto

By studying the properties and behaviors of CSAM actors, blockchain intelli- QUICK LINKS
gence can allow investigators to identify international CSAM networks, profile
persistent CSAM customers, and expose vendors that impersonate scam- Part I — Illicit Crypto
mers in order to evade law enforcement attention by hiding in plain sight.
1. Illicit Commerce

Murder for Hire Illicit Drug Trafficking

The past few years have witnessed a rise in the attempted use of cryptocur- Cybercrime Services
rency to pay for contract killings. It should be noted that there have been no
Illicit Trafficking of Stolen
publicly documented examples of a completed murder-for-hire scheme paid
Goods
for in cryptocurrency at the time of publication. However, there is evidence
of demand for such services, as shown by the prosecution of several indi- Human Trafficking and Migrant
viduals who have attempted to pay for contract killings with cryptocurrency. Smuggling

In 2022, a Los Angeles man pleaded guilty to a federal murder-for-hire

Child Sexual Abuse and
charge after sending USD 13,000 worth of bitcoin to a darknet website to Exploitation Material (CSAM)
hire a hitman to kill a woman who had rebuffed his advances.
Murder for Hire
Other instances of people accused of using cryptocurrency to pay hitmen
have been reported elsewhere. In 2022, a Mississippi resident received a
10-year prison sentence for attempting to have her husband killed for a
USD 10,000 fee in bitcoin.

Such events have not been confined to the US. In 2021, Europol and the
Italian police collaborated to arrest a man suspected of paying EUR 10,000 in
bitcoin to hire an assassin to kill his ex-girlfriend. In that instance, the virtual as-
set service provider (VASP) involved in the transfer of the bitcoin to the would-
be killer cooperated with authorities in providing details of the suspect.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 14
A Comprehensive Guide to Illicit Finance Risks in Crypto

2. Illicit Payments
QUICK LINKS

Part I — Illicit Crypto

Cryptocurrency has been used to evade capital controls and make illic- 2. Illicit Payments
it payments to terrorist groups, corrupt officials or sanctioned jurisdictions
Terrorist Financing
and individuals. “More crypto usage is empirically associated with higher
perceived corruption and more intensive capital controls,” stated a 2022 Bribery and Corruption
working paper from the International Monetary Fund. It found that “coun-
tries with weaker control of corruption (more corruption) and lower degree Espionage
of capital openness (more capital controls) tend to have a larger share of
crypto adoption, suggesting that crypto assets may be used to transfer cor- Export Control Evasion

ruption proceeds or circumvent capital controls.”

Sanctions Evasion

Terrorist Financing
Proliferation Financing

Terrorist financing refers to the provision of financial support to terrorist or-

ganizations and individuals involved in terrorist activities. Cryptocurrency
has been for terrorist financing due in part to its perceived anonymity and
ease of cross-border transfers.

Fundraising campaigns for ISIS families held in internment camps in north-

eastern Syria has been a significant driver of cryptocurrency usage among
ISIS and its supporters. TRM Labs identified dozens of fundraising cam-
paigns that accepted cryptocurrency in 2022, raising between a few dollars
to tens of thousands.

TRM Labs also identified multiple pro-ISIS groups in Pakistan and Tajikistan
raising tens of thousands of dollars in cryptocurrency to spread propaganda
and recruit fighters. Over the course of 2022, TRM Labs has observed a sig-
nificant increase in the use of the TRON blockchain among terrorist groups
and associated fundraising campaigns, with some using it exclusively. The
overwhelming majority of those actors collected donations in the stablecoin
Tether (USDT). Among the terror financing entities tracked by TRM Labs in
2022, there was a 240% year-on-year increase in the use of Tether - against a
mere 78% rise in Bitcoin use.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 15
A Comprehensive Guide to Illicit Finance Risks in Crypto

QUICK LINKS

Part I — Illicit Crypto

2. Illicit Payments

Terrorist Financing

Bribery and Corruption

Espionage

Export Control Evasion

Sanctions Evasion

Proliferation Financing
In 2022, multiple terror financing entities, including Syria-based cryp-
tocurrency exchanges involved in terror financing campaigns, began
experimenting with decentralized exchanges. Decentralized exchang-
es (DEXs) are peer-to-peer marketplaces where individuals can trade
cryptocurrencies in a non-custodial manner.

Bribery and Corruption

There have been several high-profile cases of proven or alleged brib-
ery involving crypto. In 2021, FTX founder Sam Bankman-Fried alleged-
ly gave a USD 40 million cryptocurrency bribe to Chinese officials in
exchange for unfreezing company accounts containing over USD 1 bil-
lion worth of cryptocurrency.

In 2022, the US Department of Justice accused two Chinese intelli-

gence officers of allegedly attempting to bribe a US government em-
ployee with USD 61,000 in bitcoin to steal documents related to an
investigation into Chinese tech giant Huawei.

Cryptocurrencies can also be used to influence voters during election

campaigns. In 2019, a gubernatorial candidate in St Petersburg, Russia,
handed out crypto tokens to voters on the campaign trail.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 16
A Comprehensive Guide to Illicit Finance Risks in Crypto

Espionage
QUICK LINKS

Espionage activities can involve the covert transfer of funds to support intel- Part I — Illicit Crypto
ligence gathering or other covert operations. Cryptocurrencies can provide
a discreet and secure means of transferring funds, making them an attractive 2. Illicit Payments
option for state or non-state actors engaged in espionage.
Terrorist Financing
In November 2022, US nuclear engineer Jonathan Toebbe and his wife
Bribery and Corruption
Diana were sentenced to 18 and 21 years in prison respectively for attempt-
ing to pass secret nuclear propulsion technology to a third country. In their
Espionage
exchanges with FBI agents posing as foreign officials, the couple requested
payment in the Monero privacy coin. Export Control Evasion

The use of privacy-focused cryptocurrencies or mixing services can further Sanctions Evasion
enhance the anonymity of transactions, making it more difficult for authori-
ties to trace the source or destination of the funds. In December 2022, Iran Proliferation Financing
executed four alleged Israeli spies who were accused of receiving payment
in cryptocurrency. That same year, South Korea arrested two of its nation-
als for allegedly accepting cryptocurrency to spy on behalf of North Korea.

Export Control Evasion

Export control evasion involves using cryptocurrencies to bypass state cap-
ital controls and restrictions on the export of certain goods or technolo-
gy. Individuals can use digital assets to facilitate payments for prohibited
items, circumventing traditional financial systems that might flag or block
such transactions. A 2019 study by researchers at the Chinese University
of Hong Kong, Deakin University and the University of Technology Sydney
found that cryptocurrency was being widely used by traders in China to cir-
cumvent capital controls.

Sanctions Evasion
US officials have long warned that North Korea, Iran and Russia could use
cryptocurrency to evade sanctions. The European Union has also taken
steps to prevent crypto from being used by Russia to evade international
sanctions imposed after its invasion of Ukraine in 2022.

On-chain analysis has yet to show this happening to a significant degree to-
day. Experts believe this is likely to be due to crypto’s current lack of liquid-
ity relative to a country’s economy.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 17
A Comprehensive Guide to Illicit Finance Risks in Crypto

Nevertheless, Russia, Iran and North Korea have been observed using QUICK LINKS
crypto to offset the impact of international sanctions by conducting cy-
berattacks and mining bitcoin: both practices generate revenues that Part I — Illicit Crypto
help make up for lost trade and investment. In 2022, the US Treasury
Department’s Office of Foreign Assets Control (OFAC) sanctioned a 2. Illicit Payments
Russian cryptocurrency mining company in order to prevent mining
from becoming a “mechanism for the Putin regime to offset the im- Terrorist Financing
pact of sanctions”.
Bribery and Corruption
OFAC has also sanctioned cryptocurrency addresses related to facil-
itators of North Korean weapons proliferation and Russian paramili- Espionage

tary groups. Additionally, the US Treasury has used sanctions to target

Export Control Evasion
money laundering linked to sanctions evasion. For example, in 2022,
OFAC sanctioned Ethereum-based mixing service Tornado Cash for its Sanctions Evasion
involvement in laundering hacked and stolen funds by North Korea.
Proliferation Financing

Proliferation Financing
Proliferation financing involves the use of cryptocurrencies to fund the
development or acquisition of weapons of mass destruction (WMD) or
related materials. By using digital assets, parties involved in prolifera-
tion activities can avoid the scrutiny of traditional financial systems and
evade international non-proliferation regimes. In April 2023, the US,
Japan and South Korea accused Pyongyang of funding its WMD pro-
gramme using stolen cryptocurrency.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 18
A Comprehensive Guide to Illicit Finance Risks in Crypto

3. Fraud and Scams

QUICK LINKS

Part I — Illicit Crypto

Cryptocurrency fraud and scams include investment fraud such as pyramid 3. Frauds and Scams
schemes, insider trading, phishing attacks geared towards stealing private
Investment Fraud
keys and exchange credentials, pig butchering and impersonation-based
scams such as business email compromise (BEC). Scammers also resort Deceptive Smart Contracts
to attempts at blackmail, in which they claim to possess sensitive or dam-
aging information and demand cryptocurrency payment for its return or Exit Scams
suppression.
Phishing
Although “fraud” and “scam” are often used interchangeably, the cryptocur-
rency community typically refers to “scams” . Generally, the concept refers to Impersonation Scams
people being deceived into sending cryptocurrency and other digital assets
Business Email Compromise
(or clicking on something that enables the transfer) to somewhere that they
would otherwise not have done had they known the truth.
Illicit Commerce Scams

Many types of fraud can coexist within the same scheme. For example, a
Blackmail Scams
pig butchering scheme can involve a romance scam, an investment scam,
an advance fee scam and an asset recovery scam. Equally, an investment Other Scams
scheme operating around a new token can involve market manipulation, a
pyramid scheme and an exit scam. Misappropriation of Funds

TRM Labs identified about USD 9.04 billion being sent to various types of Extortion
fraud schemes in 2022, with the large majority going to apparent Ponzi and/
or pyramid schemes. Market Manipulation

Insider Trading

Tax Evasion

trmlabs.com
Illicit Crypto Ecosystem Report: Page 19
A Comprehensive Guide to Illicit Finance Risks in Crypto

Investment Fraud
QUICK LINKS

Investment fraud centers on the solicitation of funds for fraudulent in- Part I — Illicit Crypto
vestments or projects. In the cryptocurrency space, these often involve
fake initial coin offerings (ICOs), unregistered securities or fraudulent 3. Frauds and Scams
investment platforms. Investment fraud involving cryptocurrency rose
Investment Fraud
by nearly 200% from USD 907 million in 2021 to USD 2.57 billion in
2022, according to the FBI’s annual Internet Crime Report. Deceptive Smart Contracts

Pyramid and Ponzi Schemes Exit Scams

Phishing
Pyramid and Ponzi schemes are fraudulent investment schemes that
rely on the constant recruitment of new investors or investments to Impersonation Scams
generate returns for earlier investors. These schemes often collapse
when it becomes impossible to recruit enough new investors or invest- Business Email Compromise
ments to maintain payouts.
Illicit Commerce Scams
TRM Labs identified at least USD 7.78 billion in incoming volume in
2022 related to these types of schemes. Ten of the largest schemes ac- Blackmail Scams

counted for about 54% of the total amount. Just under 40% of total in-
Other Scams
coming volume for all investment fraud schemes active in 2022 was on
TRON, mostly via USDT, more than double the 17% observed in 2021. Misappropriation of Funds

Extortion

Market Manipulation

Insider Trading

Tax Evasion

Several major cryptocurrency-based Ponzi schemes were prosecut-

ed in 2022. Two of the largest were Forsage and the Trade Coin Club,
while the Bitconnect founder was indicted by the US Department of
Justice (DOJ) following charges from the Securities and Exchange
Commission (SEC) in 2021.
trmlabs.com
Illicit Crypto Ecosystem Report: Page 20
A Comprehensive Guide to Illicit Finance Risks in Crypto

According to the SEC, Forsage was a cryptocurrency-based Ponzi and pyra-

mid scheme that lured investors with promises of high returns through sev-
eral smart contracts on Ethereum and BNB Chain in what TRM Labs calls a
decentralized investment fraud scheme. TRM Labs research found that the
scheme has received nearly USD 400 million since 2020. The apparent suc-
cessor to Forsage, Meta Force, received about USD 574 million in 2022.

The Trade Coin Club was a Ponzi scheme that claimed to offer high returns
through a cryptocurrency trading platform. The platform's operators used
new investors' funds to pay returns to earlier investors, and the scheme ul-
timately collapsed, resulting in significant losses for many participants. The
Trade Coin Club raised more than BTC 82,000 – valued at USD 295 million
at the time – from more than 100,000 investors between 2016 and 2018, ac-
cording to charges filed by the SEC in November 2022.

Pig Butchering
Pig butchering scams rely on psychological manipulation and social engi-
neering to wipe out victims’ life savings on the promise of making large re-
turns on their investments. Such scams often include the widespread use
of Tether by scammers, significant interconnectivity between individual pig
butchering scams, and links to transnational organized criminal groups.
Because scams in general are significantly under-reported by victims, it is
difficult to quantify the scale of pig butchering globally.

Once cryptocurrency reaches a scammer’s wallet, it is typically shuffled from

wallet to wallet in a complex web of transactions between scammers and
money launderers (sometimes the same people), with each wallet accu-
mulating funds from additional victims along the way. Funds often move
circuitously, making it difficult for investigators to follow the money and to
separate victim funds from other tokens.

TRM Labs data indicates that cryptocurrency wallets that receive victim
funds from individual pig butchering scams are also often associated with
other scams. Over half of the pig butchering schemes studied by TRM Labs
up to December 2022 exhibited apparent links to large transnational orga-
nized crime groups.

The graph below, of a pig butchering scheme studied by TRM Labs, shows
multiple interconnected scams operated by the illicit actors either in succes-
sion or simultaneously. In addition, the scammers appear to have relied on
a single money laundering network, with the same addresses appearing in
multiple cases.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 21
A Comprehensive Guide to Illicit Finance Risks in Crypto

QUICK LINKS

Part I — Illicit Crypto

3. Frauds and Scams

Investment Fraud

Deceptive Smart Contracts

Exit Scams

Phishing

Impersonation Scams

Business Email Compromise

Illicit Commerce Scams

Deceptive Smart Contracts

Blackmail Scams

Deceptive smart contracts are intentionally designed to trick users into

Other Scams
transferring funds or granting permissions to them. The most notable ex-
ample of this is drainware – smart contracts that, upon interaction, grant the Misappropriation of Funds
attacker permission to move funds from the victim’s wallet. Spoof tokens are
another form of deceptive smart contracts. Extortion

Market Manipulation
Drainware
Insider Trading
Drainware is a type of malicious smart contract that has been referred to as
“drainers”, “sweepers” and “wallet drainers.” Drainware attacks operate by Tax Evasion
draining cryptocurrency and NFTs (non-fungible tokens) directly from a us-
er’s wallet after they unknowingly sign a transaction to purchase and mint an
NFT, or interact with a phishing website.

Until its creator shut it down in 2023, Monkey Drainer was one of the lat-
est major drainware tools targeting the crypto industry en masse. The mali-
cious contract required users only to approve and sign transactions, making
it simpler than many traditional attack methods. Most of the stolen cryp-
tocurrency from Monkey Drainer was laundered through Tornado Cash. In
some cases the fraudsters used intermediary wallets before attempting to
cash out stolen funds at three centralized exchanges. Since the demise of
Monkey Drainer, others, such as Venom Drainer, have filled the niche.

This dramatic rise in drainware attacks has even led to the emergence of
Drainer Templates as a Service (DTaaS), providing ready-to-launch pre-built
templates and enabling attackers to launch malicious contracts at scale, as trmlabs.com
Illicit Crypto Ecosystem Report: Page 22
A Comprehensive Guide to Illicit Finance Risks in Crypto

seen during the 2021 NFT boom. Some drainers also attempt to scam their QUICK LINKS
criminal users, for example by sending high value NFTs or tokens to the
original creator of the malicious contract and less valuable tokens to the ac- Part I — Illicit Crypto
tor wielding the drainer. This has led to the rise of an entire “scam-as-a-ser-
vice” industry, offering entire malicious packages complete with a phishing 3. Frauds and Scams
website, discord server bot and smart contract.
Investment Fraud

Spoof Tokens Deceptive Smart Contracts

SSpoof tokens are crypto tokens – whether new coins or NFTs – set up by Exit Scams
scammers who manipulate the tokento make it look like they have been
sent from addresses associated with celebrities, high-profile influencers, Phishing

companies, or specific projects.. Believing them to be popular potentially

Impersonation Scams
lucrative, investors are deceived into buying these tokens, when in fact they
have no value. Business Email Compromise

To manufacture spoof tokens, scammers create a new token smart contract

Illicit Commerce Scams
and give it a name related to what they are spoofing. They may also modi-
fy the smart contract code to enable the scammer to send the token on be- Blackmail Scams
half of other addresses, making it appear that those addresses initiated the
transfer. Other Scams

A recent example of a spoof token was the “Peaceful World” token which Misappropriation of Funds
purported to be a token airdropped by the Ukrainian government.
Extortion

Exit Scams Market Manipulation

Insider Trading
Exit scams, also known as rugpulls, occur when the operators of a project
– one often related to investments or a new token – stop developing the Tax Evasion
project and withdraw user funds for themselves. They can either happen
abruptly where project devs and funds suddenly disappear, or they can oc-
cur more slowly, where money is siphoned off a bit at a time and devs get
less and less active. Sometimes, projects are called rugpulls by the commu-
nity when they overpromise and underdeliver, though this is more difficult
to outright label as fraud.

Often they target decentralized finance (DeFi) projects. In a rugpull relat-

ed to a new token, the project creators can withdraw liquidity from the trad-
ing pool, causing the value of the associated tokens to plummet. Investors
are left with worthless tokens and no way to recover their funds. Many pyra-
mid and Ponzi schemes end in exit-scam-like behavior, where payouts stop
being made to investors and the creators of the scheme take the remaining
funds and disappear.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 23
A Comprehensive Guide to Illicit Finance Risks in Crypto

In June 2022 the US Department of Justice charged a Vietnamese nation- QUICK LINKS
al with one count of conspiracy to commit wire fraud and one count of con-
spiracy to commit international money laundering. Le Ahn Tuan had created Part I — Illicit Crypto
an NFT project called Baller Ape Club, which sold NFTs of cartoon monkeys.
According to the indictment, once Tuan and his co-conspirators had collect- 3. Frauds and Scams
ed some USD 2.6 million from investors, they carried out a rugpull, ending
the purported investment project, deleting its website, and stealing the in- Investment Fraud
vestors’ money.
Deceptive Smart Contracts
Frosties NFT was another NFT project that promised exclusive digital art
and collectibles. However, shortly after the project's launch the two 20-year- Exit Scams

old creators shut down its website and Discord servers, removed the liquid-
Phishing
ity from the trading pool and disappeared with USD 1.1 million of investors'
funds. According to the DOJ complaint, the duo transferred the proceeds Impersonation Scams
from the scheme to various cryptocurrency wallets under their control in
multiple transactions designed to obfuscate the original source of funds. Business Email Compromise
They were later arrested and charged with wire fraud and conspiracy to
commit money laundering. Illicit Commerce Scams

Blackmail Scams

Phishing Other Scams

Phishing involves the use of fraudulent emails, websites, or messages to Misappropriation of Funds
trick users into revealing sensitive information, such as private keys or login
credentials. In the cryptocurrency space, phishing attacks may target users Extortion
of digital wallets or exchanges, leading to the theft of funds.
Market Manipulation
Crypto-related phishing attacks grew in prominence during the 2017 Initial
Coin Offering (ICO) boom. Victims targeted in these phishing attacks would Insider Trading

only lose the amount of cryptocurrency they sent to the wrong address in
Tax Evasion
error. As NFTs entered the mainstream, attackers began to target novice
NFT investors by exploiting the “FOMO” – fear of missing out – and hype
surrounding the NFT world.

TRM Labs has observed hundreds of phishing attacks over the last year tar-
geting NFT projects, where real-time messaging across multiple platforms
has enabled attackers to target NFT investors by publishing phishing web-
site links at a rapid pace. Phishing attacks linked to NFT minting scams de-
ployed through compromised Discord accounts grew rapidly in 2022. A
review of more than 15 notable Discord compromises targeting NFT serv-
ers and analysis of on-chain and off-chain data by TRM investigators sug-
gest that dozens of these recent account compromises are likely related.

“Address poisoning”, a relatively new type of phishing, rose to prominence

in 2022. It involves the scammer creating an address that resembles one
to which the intended victim had previously sent funds. The scammer then
trmlabs.com
Illicit Crypto Ecosystem Report: Page 24
A Comprehensive Guide to Illicit Finance Risks in Crypto

sends a small amount of cryptocurrency to the target in the hope that they QUICK LINKS
will unwittingly make a future payment to that scam address in place of their
intended recipient. Part I — Illicit Crypto

3. Frauds and Scams

Impersonation Scams
Investment Fraud
Related to phishing, impersonation scams involve criminals posing as well-
known individuals or organizations to deceive victims into sending funds or Deceptive Smart Contracts
revealing sensitive information. In the cryptocurrency space, impersonation
Exit Scams
scams may involve criminals pretending to be representatives of exchang-
es, wallet providers or celebrities to trick users into sending cryptocurren-
Phishing
cies to fraudulent addresses or divulging sensitive information.
Impersonation Scams
Scammers can create fake websites or social media accounts that resemble
legitimate crypto exchanges or wallet providers. They impersonate custom- Business Email Compromise
er support agents and reach out to unsuspecting users, offering assistance
with technical issues or account problems. The users are persuaded to Illicit Commerce Scams
share their login credentials, private keys, or sensitive information, allowing
the scammers to steal their funds. Blackmail Scams

Similarly, scammers also create fraudulent websites, social media ac- Other Scams
counts, or email campaigns to impersonate legitimate crypto projects.
Misappropriation of Funds
Unsuspecting users send their cryptocurrencies, but the scammers disap-
pear with the funds, leaving investors with nothing.
Extortion

Market Manipulation
Business Email Compromise
Insider Trading
Business email compromise (BEC) is a type of scam where criminals imper-
sonate a legitimate business or organization to trick employees or partners Tax Evasion
into transferring funds or revealing sensitive information.

BEC scams may involve the compromise of email accounts belonging to

employees of exchanges, wallet providers, or other organizations, leading
to the theft of funds or sensitive data. In 2022, BEC accounted for USD 2.7
billion (crypto and fiat) in losses reported by victims to the FBI’s Internet
Crime Complaint Center (IC3).

Illicit Commerce Scams

For almost every type of illicit commerce or activity in the crypto space, there
is a scam version of it, sometimes found on the dark web. TRM Labs has found
scam money laundering services, carding shops, drug vendors, murder-for-
hire providers, weapons dealers, CSAM sellers, hacking services, market ma-
nipulation services, scam-as-a-service providers and ransomware sellers. trmlabs.com
Illicit Crypto Ecosystem Report: Page 25
A Comprehensive Guide to Illicit Finance Risks in Crypto

Blackmail Scams
QUICK LINKS

Blackmail scams typically involve the scammer sending threatening emails Part I — Illicit Crypto
to random recipients, claiming knowledge of infidelity, pornography use
or other potentially embarrassing personal details that would be released 3. Frauds and Scams
publicly unless a cryptocurrency payment was made.
Investment Fraud
In many cases, the scammer does not in fact have the information in ques-
Deceptive Smart Contracts
tion. The most common type appears to be “sextortion”, where the scam-
mer emails hundreds or thousands of people claiming to have installed
Exit Scams
malware on their computer or phone that recorded the recipient viewing
pornographic sites. They then instruct the intended victim to send crypto- Phishing
currency – usually bitcoin – to the scammer in order not to have the videos
sent to their friends and family. Impersonation Scams

Business Email Compromise

Other Scams Illicit Commerce Scams

Scammers are creative and can make a scam version out of nearly any ac-
Blackmail Scams
tivity. As such, there are many other types of scams than those mentioned
in this paper. They include asset recovery scams, overpayment scams, mon- Other Scams
ey mule scams, different variations of the advance-fee scam, and the basic
scam of simply not giving the buyer what they purchased. Misappropriation of Funds

Extortion

Misappropriation of Funds Market Manipulation

Misappropriation of funds often occurs as part of many of the other frauds

Insider Trading
and scams mentioned here, though it can also occur independently. It is re-
lated to, but in some jurisdictions is a separate crime from, embezzlement. Tax Evasion

Misappropriation of funds frequently accompanies investment fraud schemes,

where, instead of investing customer funds as promised, the operator of the
scheme instead diverts them either for personal use – such as to buy luxury
goods – or for other business purposes. For example, the SEC alleges that the
former CEO of Alameda Research “used misappropriated FTX customer
funds for Alameda’s trading activity.”

In 2021, a Microsoft employee was arrested for allegedly misappropriat-

ing USD 10 million in company funds by secretly creating thousands of
official XBox gift card codes that he then sold at a discount online in ex-
change for cryptocurrency.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 26
A Comprehensive Guide to Illicit Finance Risks in Crypto

Extortion
QUICK LINKS

Crypto extortion can take many forms. At its most basic, it involves individ- Part I — Illicit Crypto
uals threatening their victims and demanding payment in cryptocurrency.
It can also involve the use of malicious software known as ransomware. As 3. Frauds and Scams
such, it is often prosecuted in the US under fraud statutes.
Investment Fraud
In May 2023 a former employee of a public New York-based technology
Deceptive Smart Contracts
company was sentenced to six years in prison for stealing company files and
demanding nearly USD 2 million for their return. In 2019, a group of Russian
Exit Scams
secret service agents were reported to have extorted a media mogul in ex-
change for USD 670,000 worth of bitcoin. Phishing

Other variations of extortion begin with the scammer using phishing tech- Impersonation Scams
niques to take control of the victim’s Instagram profile. The criminals then
force the victims into filming videos instructing their followers to participate Business Email Compromise
in fraudulent get-rich-quick Bitcoin schemes.
Illicit Commerce Scams
Yet by far the biggest driver of crypto extortion is ransomware, which has
also increasingly been adopted by groups targeting countries’ national se- Blackmail Scams
curity infrastructure (see below).
Other Scams

Ransomware Misappropriation of Funds

Ransomware is a type of malicious software that encrypts a victim's files or Extortion

data, rendering them inaccessible. The attacker then demands a ransom,

Market Manipulation
usually in cryptocurrency, in exchange for the decryption key. Ransomware
has become a significant threat to individuals, businesses, and even govern- Insider Trading
ments, with high-profile attacks making headlines.
Tax Evasion
Two of the most significant ransomware syndicates in recent years have been
LockBit and Conti. LockBit largely focused on government facilities, health-
care and public health, and the financial services sector. Conti most fre-
quently targeted critical manufacturing, commercial facilities, and the food
and agriculture sectors. Lockbit, the most prolific ransomware group, has re-
ceived at least USD 100 million in payments since its inception, and USD 44
million in 2022 alone, according to TRM Labs analysis of on-chain data.

The Russian invasion of Ukraine led to significant changes in the Russian-

speaking ransomware ecosystem. TRM Labs analysis of on-chain transac-
tions, open source reporting, and proprietary information indicates that
LockBit and Conti restructured, probably to avoid sanctions by Western
countries. Conti shut down its operations and rebranded into at least three
smaller groups – Black Basta, Karakurt, and BlackByte.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 27
A Comprehensive Guide to Illicit Finance Risks in Crypto

Blackmail
QUICK LINKS

Blackmail can be perpetrated by outside hackers or disgruntled employees Part I — Illicit Crypto
with access to corporate information. For example, in 2022 a former work-
er at an internet provider in the UK was sentenced to two years and four 3. Frauds and Scams
months in prison for attempting to blackmail a senior manager whose hard
Investment Fraud
drive he had hacked into, transferring him GBP 40,000 worth of bitcoin.

Scammers can also use the empty threat of blackmail to convince victims Deceptive Smart Contracts

to transfer cryptocurrency to them – that practice is known as crypto black-

Exit Scams
mail scams.
Phishing

Kidnap for Ransom

Impersonation Scams

Kidnap-for-ransom schemes involve the abduction of individuals and the

Business Email Compromise
subsequent demand for a ransom in exchange for a victim's release.
Illicit Commerce Scams
The use of cryptocurrency in kidnappings has been reported all over the
world. In 2020, an armed gang kidnapped a lawyer in Mexico city and de- Blackmail Scams
manded nearly USD 100,000 in bitcoin to secure her freedom, while crimi-
nals in India set a USD 2.3 million ransom for the release of a kidnapped boy. Other Scams
Both incidents followed the 2019 kidnapping of a wealthy Norwegian wom-
an by captors who reportedly sought over USD 10 million in cryptocurrency. Misappropriation of Funds

Extortion

Market Manipulation Market Manipulation

Market manipulation in the cryptocurrency space can involve various schemes Insider Trading
designed to artificially influence the price of a cryptocurrency or token.
These schemes can include pump and dump schemes, scalping, touting, Tax Evasion
and front-running.

One of the most prominent recent examples of this practice took place
in October 2022, when the Solana-based platform Mango Markets lost
around USD 115 million when a group manipulated its price oracle, the au-
thority that determines a token’s value. The hackers’ self-proclaimed leader,
Avraham Eisenberg, later revealed his identity and characterized his team’s
activities as a “highly profitable trading strategy” rather than a hack.

Eisenberg initially reached an agreement with Mango Markets to return

around USD 70 million in exchange for a promise not to pursue crimi-
nal charges against him. Nevertheless, he was arrested by US officials in
December 2022 and charged by the SEC with violating anti-fraud and mar-
ket manipulation provisions of the securities laws. Eisenberg was later also
sued by Mango Markets to return his remaining USD 47 million plus interest.
trmlabs.com
Illicit Crypto Ecosystem Report: Page 28
A Comprehensive Guide to Illicit Finance Risks in Crypto

Also in December 2022, the SEC charged leaders of Alameda Research and
FTX with manipulating the price of FTX’s FTT Token “by purchasing large
quantities on the open market to prop up its price.”

Pump and Dump Schemes

Pump and dump schemes involve the coordinated buying of a cryptocur-
rency or token to inflate its price artificially, followed by a coordinated sell-off
once the price has reached a certain level. This results in the price crashing,
leaving unsuspecting investors with significant losses. These schemes are
often organized through online forums or social media groups and can in-
volve the use of misleading or false information to entice new investors.

Thousands of online chat rooms in the deep and dark web as well as pub-
lic chat channels on Telegram are dedicated to pump and dump schemes,
some with as many as four million subscribers in a single room.

Researchers at the Centre for Blockchain Technologies at University College

London (UCL) studied data from almost five million deep and dark web mes-
sages gathered by Cloudburst Technologies, a crypto market monitoring
company, relating to cryptocurrency price manipulation fraud. The research-
ers found that pump and dump schemes amounted to as much as USD 120
billion in annual crypto volumes. Geolocation-aided analysis found that the
US was the leading source of pump and dump, followed by Iran, Iraq, Yemen,
Pakistan, Egypt, Saudi Arabia, the United Arab Emirates, Turkey and Russia.

Many pump and dump schemes also exhibit the characteristics of scams.
For example, organizers and higher-ranking members of a Telegram group
may provide trading signals to other group members several minutes after
they have already traded. This helps the leaders of the group profit at the
expense of the other members, who are misled to believe that they will prof-
it by buying or selling the relevant token at the organizers’ direction.

Touting
When an individual promotes a cryptocurrency or other digital asset defined
as securities without disclosing that they are being paid by their issuers, that
is known as touting - an illegal practice under US federal securities laws.
Over the past five years, several celebrities have been sanctioned by the
SEC for violating touting laws when promoting Initial Coin Offerings (ICOs).

trmlabs.com
Illicit Crypto Ecosystem Report: Page 29
A Comprehensive Guide to Illicit Finance Risks in Crypto

In one particularly high-profile case, in October 2022, the SEC charged Kim QUICK LINKS
Kardashian West for touting on social media a “crypto asset security” of-
fered and sold by EthereumMax without disclosing that she was paid USD Part I — Illicit Crypto
250,000 to do so. Kardashian paid USD USD 1.26 million in penalties, dis-
gorgement, and interest to settle the charges. 3. Frauds and Scams

In March 2023, the SEC charged eight other celebrities, including Lindsay Investment Fraud
Lohan and YouTube influencer Jake Paul, with touting. Most of the defen-
dants paid to settle the charges. Deceptive Smart Contracts

Exit Scams
Front-Running
Phishing
Front-running involves individuals or groups exploiting their access to in-
formation or trading systems to profit from upcoming trades. This can in- Impersonation Scams
volve using privileged access to exchange order books or exploiting the
Business Email Compromise
latency of decentralized exchanges to execute trades before other users.
Front-running can lead to price manipulation and undermine the integri-
Illicit Commerce Scams
ty of the market. However, unlike insider trading (see below), in the crypto
world front-running may not necessarily be illegal. Blackmail Scams

A 2022 paper by academics at the University of Technology Sydney found Other Scams
that up to a quarter of new crypto listings at a major US exchange between
September 2018 and May 2022 were affected by front-running. Such activi- Misappropriation of Funds
ty generated up to USD 1.5 million in profits for those involved.
Extortion
One example is the popular use of Maximal Extractable Value Bots (MEV
Bots), which operate based on publicly available blockchain information. Market Manipulation
MEV Bots can have extremely high amounts of activity and have played a
Insider Trading
role in several large scale exploits, including Nomad.
Tax Evasion

Insider Trading
Crypto insider trading entails the use of non-public information to purchase
cryptocurrency or other digital assets ahead of exchange listing announce-
ments and profiting from the price surge that follows an announcement. As
much as USD 24 million worth of ERC20 tokens was linked to insider trad-
ing in 2022 alone, generating at least USD 5.5 million in profit for the trad-
ers, according to proprietary research by Argus Inc, a blockchain insider
trading and front-running analytics firm. Many of these wallets have contin-
ued to be active into 2023.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 30
A Comprehensive Guide to Illicit Finance Risks in Crypto

In June 2022 a former employee of an NFT marketplace became the first QUICK LINKS
individual to be charged with wire fraud and money laundering in connec-
tion with a scheme to commit insider trading in NFTs by using confidential Part I — Illicit Crypto
information about what NFTs were going to be featured on the exchange’s
homepage. Others have since faced similar charges. 3. Frauds and Scams

Investment Fraud
Tax Evasion
Deceptive Smart Contracts
Cryptocurrency “poses a significant detection problem by facilitating illegal
Exit Scams
activity broadly including tax evasion”, according to a US Treasury report re-
leased in 2021. High net worth individuals may shift taxable assets into the
Phishing
crypto economy to avoid tax, as governments may not be able to trace cryp-
to income or transactions if they go unreported by exchanges, businesses Impersonation Scams
and other third parties.
Business Email Compromise
A 2022 study found that crypto investors were likely paying less than half
the taxes they owed. In response to these tax evasion concerns, in 2022 Illicit Commerce Scams
the European Commission proposed an amendment to the Directive on
Administrative Cooperation (known as DAC8) that would widen tax report- Blackmail Scams

ing and information sharing requirements relating to holders of crypto and

Other Scams
some NFTs. The new rules are likely to come into force in mid-2023.
Misappropriation of Funds

Extortion

Market Manipulation

Insider Trading

Tax Evasion

trmlabs.com
Illicit Crypto Ecosystem Report: Page 31
A Comprehensive Guide to Illicit Finance Risks in Crypto

4. Theft
QUICK LINKS

Part I — Illicit Crypto

Theft is the biggest driver of crypto crime. It comprises a wide array of mal- 4. Theft
feasance, from hacks and exploits to robbery. In total, nearly USD 4 billion was
Hacks and Exploits
stolen in 2022 through the main types of crypto theft studied by TRM Labs.
Robbery

Hacks and Exploits

The year 2022 was the biggest on record for cryptocurrency hacks and ex-
ploits, with about USD 3.7 billion stolen across over 175 incidents, according
to a review of attacks by TRM Labs. The average hack was over USD 20 mil-
lion per incident.

Hacks and exploits can be divided into smart contract and infrastructure at-
tacks. The former group encompasses code exploits and protocol attacks;
the latter includes private key theft and SIM swapping, among others.

Nearly 90% of the USD 3.7 billion stolen last year was through infrastruc-
ture attacks and code exploits, with most of the remaining value stolen from
protocol attacks. The most common attack type in 2022 were code exploits,
at 57 incidents, followed by infrastructure attacks (52) and protocol attacks
(45). There were nearly 15 attacks per month on average in 2022, roughly
one hack every two days.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 32
A Comprehensive Guide to Illicit Finance Risks in Crypto

Attacks against DeFi projects were more common and damaging than at-
tacks against CeFi targets in 2022, with approximately 80% of all stolen
funds, or USD 3 billion, involving DeFi victims and nine of the ten largest at-
tacks occurring against DeFi projects. Flaws in smart contracts, a key compo-
nent of DeFi that facilitate automation and transparency, provide attackers a
seemingly endless supply of bugs to exploit.

Smart Contract Attacks

Smart contracts are self-executing computer programs that are stored on
a blockchain and are used to automate the execution of transactions. In a
smart contract attack, hackers target bugs or vulnerabilities in smart con-
tracts to steal funds, manipulate data, or disrupt the functionality of the ser-
vice. Code exploits and protocol attacks are types of smart contract attacks.

Code Exploits

Code exploits target a project’s smart contract code and allow an attacker to
remove funds from DeFi protocols without authorization. Code exploits are
facilitated by coding mistakes and errors, such as unchecked external calls,
access control issues, and logic bugs. Of the USD 1.4 billion stolen via code
exploits in 2022, authentication issues, improper validation, and signature
verification issues accounted for about 90% of the amount stolen.

In February 2022, Solana’s Wormhole bridge was targeted in a hack resulting

in over USD 300 million being removed from the DeFi protocol. According
to the Wormhole team, the hacker managed to exploit the Solana VAA ver-
ification and mint tokens. The hacker then utilized the Wormhole bridge to
hop chains to Ethereum.

Protocol Attacks

Protocol attacks target weaknesses in the underlying protocol or business

logic of a cryptocurrency system. Although this was one of the most com-
mon attack types in 2022, the average protocol attack was only half as
damaging as the average hack. Over 50% of the total amount stolen from
protocol attacks came from price manipulation techniques, such as oracle
issues and flash loans. It is common for attackers to combine attack tech-
niques in protocol attacks to achieve the desired result, such as leveraging
flash loans and governance attacks.

In October 2022, Sovryn, allegedly the first DeFi protocol on Bitcoin, was at-
tacked resulting in an approximate loss of USD 1 million. In the attack, the
hacker utilized a vulnerability in pricing and executed a flash loan. Despite a
majority of the funds being returned, the attacker managed to use ThorSwap
to hop chains to Bitcoin. trmlabs.com
Illicit Crypto Ecosystem Report: Page 33
A Comprehensive Guide to Illicit Finance Risks in Crypto

Governance attacks are a type of protocol attack where a hacker manipu-

lates a blockchain project that uses decentralized governance by gaining
enough voting rights to reshape the rules. A DeFi credit-based stable coin
protocol known as Beanstalk was attacked in April 2022 resulting in a loss of
USD 182 million. The attacker utilized a flash loan to exploit the DeFi proto-
col’s governance. With the USD 182 million, the attacker gained controlling
ownership in the protocol providing the ability to influence votes.

Infrastructure Attacks
Infrastructure attacks target the systems, platforms, or services that support
the creation, exchange, or storage of cryptocurrencies. These types of at-
tacks are often facilitated by traditional cyber attacks or exploits. Techniques
include private key or seed phrase theft and SIM swapping.

Private Key Theft

The most damaging type of infrastructure attacks in 2022 were private key
or seed phrase thefts, which allow an attacker to commandeer and drain a
victim’s wallet. Private key or seed phrase compromises accounted for near-
ly USD 1.5 billion in stolen funds, or 85% of all infrastructure attacks, in 2022.
Other types of infrastructure attacks, such as front-end compromises and
DNS hijacking, accounted for about USD 250 million in stolen funds in 2022.

In March 2022, Ronin Bridge was attacked, leading to a loss of over USD 600
million. According to a post mortem from Ronin, the attacker was able to
drain 173,600 Ethereum and USD 25 million USDC by stealing private keys
to forge fake withdrawals. In April 2022, the FBI publicly attributed the at-
tack to Lazarus Group and APT38, cyber actors associated with North Korea.

SIM Swapping

SIM swapping involves the hijacking of a victim’s phone number in order

to fraudulently authenticate the movement of funds out of their account. In
2022 a Florida man was sentenced to 18 months in prison for a 2018 SIM
swap attack that allowed his co-conspirators to hijack the victim’s phone
number and fraudulently transfer over USD 23 million in cryptocurrency
away from his crypto wallet.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 34
A Comprehensive Guide to Illicit Finance Risks in Crypto

Robbery
QUICK LINKS

Cryptocurrency robberies involve the use of force, coercion, or threats to Part I — Illicit Crypto
physically steal cryptocurrencies from victims. Sometimes known as “five
dollar wrench attacks”, such robberies can occur during in-person transac- 4. Theft
tions, such as buying or selling cryptocurrencies, or in more sophisticated
Hacks and Exploits
and organized criminal operations.
Robbery
In 2022, police in Sweden were called to an incident involving an assault on
a couple by armed strangers who broke into their home, tied them up, and
forced them to transfer their cryptocurrency at gunpoint. During the same
year, a Canadian man was held at gunpoint, tied up and assaulted during an
in-person deal to exchange bitcoin for cash.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 35
A Comprehensive Guide to Illicit Finance Risks in Crypto

Part II
QUICK LINKS

Money Laundering
Part II — Money
Laundering

1. Placement

Money laundering amplifies the total amount of illicit activity in the ecosys- 2. Layering
tem because all transactions made to try to launder funds are themselves il-
licit. It involves processing the criminally-derived funds in order to disguise 3. Integration
their illicit origin. This is done largely through the abuse of otherwise le-
gitimate tools, such as privacy coins and cash-to-crypto services. However,
money launderers also leverage darknet markets and cybercrime services,
creating a multiplier effect on total illicit activity.

Cryptocurrency services are attractive to money launderers for many of the

same factors appreciated by regular consumers: fast transfers, pseudo-an-
onymity and convenience. Criminals are interested in collecting funds via a
non-reversible format that is nearly instantaneous.

Money laundering involving cryptocurrency largely follows the same path

as its conventional counterpart, starting with placement, followed by layer-
ing and integration. This section maps the key mechanisms for money laun-
dering within the crypto ecosystem.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 36
A Comprehensive Guide to Illicit Finance Risks in Crypto

1. Placement
QUICK LINKS

Part II — Money
Laundering
During this initial stage of money laundering, criminals can use the prof-
its obtained through illegal activity to purchase cryptocurrencies. In cases 1. Placement
where the initial funds are received in cryptocurrency, for example from theft,
Cash-to-Crypto
extortion or illicit commerce, placement involves obscuring their origins and
converting them into more widely-accepted or less traceable forms. Parasite VASPs

The form that placement takes depends on the type of predicate crime and
High-Risk VASPs
the service used. In cases of fraud, particularly pig butchering and romance
scams, victim funds often enter the crypto ecosystem through cash-to-cryp- Darknet Marketplaces
to services. Ransomware perpetrators, on the other hand, tend to require
victims to use a third-party service or VASP in order to make a payment. Payment Processors

OTC (Over-the-Counter) Desks

Cash-to-Crypto P2P Exchanges

Among the fastest ways to convert fiat currency into cryptocurrency and
vice-versa is through cash-to-crypto services. Of these, crypto ATMs are the
most popular. These kiosks allow customers to insert banknotes, buy cryp-
tocurrency and send it directly to a wallet without needing an exchange or
even a bank account. There are over 30,000 crypto ATMs around the world,
over 90% of which are located in North America.

Crypto ATMs and other cash-to-crypto services are not illegal; however, they
can be an appealing payment method for cybercriminals and other illicit ac-
tors. In 2022, over USD 40 million was sent to known scam addresses via
cash-to-crypto services, according to research by TRM Labs. These address-
es were linked to perpetrators of romance scams, investment scams, imper-
sonation scams and others as neutral platforms enabling payment by victims.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 37
A Comprehensive Guide to Illicit Finance Risks in Crypto

In the case shown above, a single exchange address received funds from 40 QUICK LINKS
different cash-to-crypto services ATMs located all over North America. The
same address was reported in multiple public reports and investigations as Part II — Money
being used by scammers as an aggregator and off-ramp for stolen funds. Laundering
In this case, the significant number of transfers from multiple cash-to-crypto
service locations to the same address served as the trigger for investigators 1. Placement
to identify the suspicious destination address.
Cash-to-Crypto
As a reflection of the use of cash-to-crypto services by illicit actors, state and lo-
cal police departments regularly receive reports of victims being coerced into Parasite VASPs
sending cryptocurrency to fraudsters through crypto ATMs. These victim pay-
High-Risk VASPs
ments are often representative of placement in the money laundering context.

In March 2023, authorities in New York arrested a man accused of helping Darknet Marketplaces

to launder over USD 1 million in fraudulently-obtained small business loans

Payment Processors
which were offered as part of the US government’s COVID-19 relief strategy.
He allegedly converted some of the funds to bitcoin and “used a portion of OTC (Over-the-Counter) Desks
the rest to start his own lucrative cryptocurrency ATM business.”
P2P Exchanges

Parasite VASPs
Parasite VASPs rely on the architecture of a larger exchange to provide digi-
tal assets trading services to users, often without the knowledge or consent
of the host exchange. Criminals and sanctioned individuals may use para-
site VASPs to move their illicit proceeds through the crypto ecosystem to
make the transactions appear legitimate. Parasite exchanges usually have
weak to non-existent Know-Your-Customer (KYC) and AML requirements,
which can make them a preferred vehicle of cybercriminals and money
launderers for moving funds.

Parasite exchanges facilitate as much as 100 times more illicit on-chain activ-
ity than their mainstream counterparts, according to research by TRM Labs.
Funds linked to sanctioned entities account for over half of the illicit volume
processed by parasite exchanges. This is partly because nearly two-thirds of
parasite exchanges appear to be based in Russia and Iran, with the Iranian
exchanges being sanctioned based on their jurisdiction. SUEX, a crypto ex-
change and OTC broker sanctioned by OFAC in 2021, operated as a para-
site exchange and was complicit in laundering millions of dollars for Russian
ransomware groups.

Parasite exchanges were also found to play an important role in the Russian
darknet market ecosystem, resulting in significant exposure to Hydra - the
world’s largest DNM until its sanctioning by OFAC in April 2022. Even con-
trolling for sanctions exposure, TRM Labs research found parasite exchang-
es to carry 45 times more illicit exposure than compliant exchanges, as a
trmlabs.com
percentage of their volume.
Illicit Crypto Ecosystem Report: Page 38
A Comprehensive Guide to Illicit Finance Risks in Crypto

High-Risk VASPs
QUICK LINKS

High-risk exchanges and other VASPs are characterized by lax compliance Part II — Money
Laundering
controls or are located in jurisdictions with weak regulatory oversight, which
makes them attractive channels for money laundering activities. Over the
course of 2022, TRM Labs tracked more than 500 active high-risk exchang- 1. Placement
es that together transferred tens of billions of dollars in value.
Cash-to-Crypto
High-risk VASPs share a combination of the following characteristics:
Parasite VASPs
• Exhibit elevated counterparty risk exposure to darknet marketplaces,
scams, cybercrime services and other incidence of illicit on-chain activity High-Risk VASPs
such as money laundering
Darknet Marketplaces
• Facilitate transactions using accounts of other exchanges without having
a contractual relationship with them
Payment Processors
• Use multiple accounts registered under fake or stolen identities to dis-
tribute their trading activity, making it harder for the host exchange to de- OTC (Over-the-Counter) Desks
tect them
P2P Exchanges
• Have inadequate KYC and AML procedures as well as weak or non-exis-
tent identity verification processes, making it easier for criminals to use
these platforms for illegal activities
• Offer services that allow users to directly convert cryptocurrencies to cash
or vice-versa, which helps to anonymize funds and avoid detection of il-
licit activities by authorities
• Operate from sanctioned jurisdictions or those listed on FATF Black and
Grey lists

Darknet Marketplaces
In addition to their primary role in crypto crime – the sale of illicit drugs –
darknet markets (DNMs) are also involved in the laundering of proceeds
from crime. Over the course of 2022, TRM Labs has witnessed a rise in inter-
national criminals using Russian-language DNMs to launder money.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 39
A Comprehensive Guide to Illicit Finance Risks in Crypto

Payment Processors
QUICK LINKS

Cryptocurrency payment processors are legitimate services that help indi- Part II — Money
Laundering
viduals and businesses accept cryptocurrency as payment. These payment
processors create payment addresses for customers and provide services
that allow them to accept payments directly from their own websites, such 1. Placement
as via an API, in return for a small percentage of the transaction value.
Cash-to-Crypto
Payment processors can be abused by criminals seeking to launder money,
Parasite VASPs
most commonly in placement and layering. Lightly regulated, they often have
little to no KYC. By allowing users to create new addresses for every payment
High-Risk VASPs
– or in some cases, reuse addresses for different actors – payment processors
can make it more difficult for investigators to follow the flow of funds. Darknet Marketplaces

Payment Processors
OTC (Over-the-Counter) Desks
OTC (Over-the-Counter) Desks
OTC desks allow users to exchange crypto for fiat and vice-versa without
P2P Exchanges
a centralized exchange or broker. They tend to specialize in larger sums.
Although some established exchanges have proprietary OTC operations
that are subject to stringent oversight, many private OTC brokers do not
perform KYC or source of wealth checks on their customers. As a result,
such OTC brokers are vulnerable to abuse by criminals seeking to cash out
illegally-derived cryptocurrency.

P2P (Peer-to-Peer) Exchanges

P2P exchanges operate on the same principle as OTC desks: they enable
users to change between cryptocurrencies and fiat. However, unlike OTC
desks that are manned by brokers, P2P exchanges operate as fully auto-
mated DeFi entities. They operate by connecting trading partners seeking
to buy or sell cryptocurrency without a third party intermediary. Some of
these transactions can be arranged using cash or other non-crypto payment
methods via the P2P platform.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 40
A Comprehensive Guide to Illicit Finance Risks in Crypto

2. Layering
QUICK LINKS

Part II — Money
Laundering
Layering is designed to make the tracing of illicit assets more difficult by
putting them through a series of transactions and by using a variety of tools. 2. Layering
Mixers, bridges, swap services, and coin-joins – individual transactions
Mixers
where multiple senders combine funds to obfuscate their source – are com-
monly used for layering as they are designed to enhance privacy and make Cash-to-Crypto
it more difficult for investigators to trace the flow of funds. While some will
simply funnel funds to exchanges in order to cash out quickly, advanced High-Risk Exchanges
launderers may incorporate programmatic money laundering techniques.
Programmatic Money
Data science models that can identify different types of money laundering Laundering
patterns (called Signatures) are an essential toolkit for money laundering in-
vestigators, as is the ability to demix transactions from mixers and automat- Chain-Hopping

ically trace through cross-chain bridges.

Privacy Coins

Mixers
High-Risk and Parasite VASPs

Darknet Marketplaces
Mixers, also known as tumblers, are services that blend multiple crypto-
currency transactions, making it difficult to trace the origin and destination Inter-VASP Layering
of funds. According to the US Treasury’s National Money Laundering Risk
Assessment from 2022, mixers and tumblers “help criminals hide the move- Payment Processors

ment or origin of funds, creating additional obstacles for investigators.”

Gambling
Mixers are not illegal; nor are they used exclusively for illicit activity. For ex-
Decentralized Finance (DeFi)
ample, many mixers advertise themselves as means to increase privacy and
anonymity online. However, mixers are also frequently used by cybercrimi-
Mining
nals as a layering technique to disguise the source of illicit funds. The graph
below shows an illicit actor using the Ethereum-based mixer Tornado Cash
to obfuscate around USD 1 million of proceeds from a hack. After migrat-
ing the funds to the Ethereum blockchain and swapping them from USDC
to ETH, the actor sends them to various wallets before depositing them into
Tornado Cash.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 41
A Comprehensive Guide to Illicit Finance Risks in Crypto

QUICK LINKS

Part II — Money
Laundering

2. Layering

Mixers

Cash-to-Crypto

High-Risk Exchanges

Programmatic Money
Laundering

In August 2022, OFAC sanctioned Tornado Cash, which has been used by Chain-Hopping

North Korean cyber-criminals and other threat actors to launder the pro-
Privacy Coins
ceeds of hacks and other illicit activity. TRM Labs showed that North Korean
cyber actors used Tornado Cash to launder over USD 1 billion of stolen High-Risk and Parasite VASPs
funds in at least ten major cryptocurrency heists.
Darknet Marketplaces
In March 2023, German and US authorities, supported by Europol, an-
nounced the shutdown of ChipMixer, a cryptocurrency mixing service that Inter-VASP Layering
facilitated international money laundering. During the operation, officials
seized four servers and nearly USD 44.2 million in cryptocurrency. Research Payment Processors

by TRM Labs confirms that ChipMixer was widely used by prominent ran-
Gambling
somware syndicates to launder illicit proceeds. Among them were Karakurt,
SunCrypt, REvil, Conti, LockBit, Ragnar Locker, and Royal. TRM Labs re- Decentralized Finance (DeFi)
search also found at least 20 darknet marketplaces (DNMs) that sent funds
to ChipMixer during the mixer’s nearly six years of activity. Mining

Cash-to-Crypto
Cash-to-crypto services can be used for layering through a laundering tech-
nique called money muling or smurfing. This entails the transfer of stolen
funds by individuals unconnected to the original crime.

In the example below, in August 2022 a money laundering group deposited

illicitly-obtained cash from into several crypto ATMs. From there, the funds,
now in bitcoin, were sent to a consolidation wallet before being deposited
at a large exchange.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 42
A Comprehensive Guide to Illicit Finance Risks in Crypto

QUICK LINKS

Part II — Money
Laundering

2. Layering

Mixers

Cash-to-Crypto

High-Risk Exchanges

Programmatic Money
Laundering

Chain-Hopping
In April 2023, a Missouri woman was arrested on charges of assisting with
the movement of stolen funds. The suspect used cashiers checks and cryp- Privacy Coins
tocurrency ATMs to transfer USD 565,000 on behalf of the criminals that
committed fraud in order to steal the victim’s funds. As smurfing can take High-Risk and Parasite VASPs
place by unwitting third parties, it is often difficult to identify as the person
Darknet Marketplaces
committing the layering activity may not be aware of the source or destina-
tion of the funds.
Inter-VASP Layering

High-Risk Exchanges
Payment Processors

Gambling
High-risk exchanges are significantly more exposed to illicit counterparties
than regulated exchanges, according to TRM Labs research. Some high- Decentralized Finance (DeFi)
risk exchanges also operate as parasite exchanges, and usually have lax
Mining
or non-existent KYC and AML processes. This makes them attractive plat-
forms for cybercriminals who want to launder money or fund illicit activities.
Administrators of such exchanges claim to earn 0.5%-1.0% commission on
the transaction volume, depending on the share of revenue allocated to ad-
vertising and affiliate marketing necessary to drive traffic to their exchange.

In the example below, after hopping chains and diverting some of their sto-
len funds to a mixer, a scammer sends the remainder of the ill-gotten pro-
ceeds to a series of accounts at a Russia-based high-risk exchange.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 43
A Comprehensive Guide to Illicit Finance Risks in Crypto

QUICK LINKS

Part II — Money
Laundering

2. Layering

Mixers

Cash-to-Crypto

High-Risk Exchanges

Programmatic Money
Laundering

Chain-Hopping

Programmatic Money Laundering

Privacy Coins

High-Risk and Parasite VASPs

Programmatic money laundering (PML) includes using software to quickly
move funds through hundreds or thousands of transactions, in an attempt Darknet Marketplaces
to obfuscate the illicit origin.
Inter-VASP Layering
In the example below, a criminal sent illicit funds from a mixer through a se-
ries of peel chains to “peel off” small amounts of BTC (represented by the Payment Processors
green nodes) that are then sent to an exchange. One of the most high-pro-
Gambling
file examples of cryptocurrency-based PML involved the North Korean
Military in 2021.
Decentralized Finance (DeFi)

Mining

trmlabs.com
Illicit Crypto Ecosystem Report: Page 44
A Comprehensive Guide to Illicit Finance Risks in Crypto

Chain-Hopping
QUICK LINKS

Chain-hopping refers to the practice of moving cryptocurrency from one Part II — Money
Laundering
blockchain to another.. While chain-hopping is not inherently illicit, it can be
used by money launderers to obfuscate the transaction trail.
2. Layering
For example, Bitfinex, a cryptocurrency exchange, fell victim in 2016 to a
breach that resulted in the theft of nearly BTC 120,000. In 2022, the US Mixers
Department of Justice (DOJ) used on-chain analytics to charge the two sus-
Cash-to-Crypto
pects in the case with fraud and money laundering. The money launder-
ers conducted chain-hopping from Bitcoin to other blockchains, including
High-Risk Exchanges
swaps to anonymity-enhanced cryptocurrencies like Monero, before the
funds were deposited into traditional financial accounts. Programmatic Money
Laundering
TRM Labs research has also found bridge-hopping to be a favored money
laundering methodology used by CSAM actors. Chain-Hopping

Privacy Coins
Privacy Coins
High-Risk and Parasite VASPs
Privacy coins such as Monero, Zcash, and Dash provide enhanced privacy
Darknet Marketplaces
and anonymity features compared to standard cryptocurrencies like Bitcoin.
Although privacy coins are not illegal, their ability to render transactions
Inter-VASP Layering
difficult to trace make them attractive for criminals seeking to launder illic-
it proceeds. Payment Processors

Several countries have cracked down on their use. Australia and South Korea Gambling
have banned exchanges from offering privacy coins, while Japan banned
them entirely in 2018. The use of blockchain intelligence tools to monitor Decentralized Finance (DeFi)
crypto services that offer privacy coins helps law enforcement and regula-
tors to identify on-ramps and off-ramps involving these protocols. Mining

One challenge for such on-chain surveillance is that criminals frequently

cash out using brokers who exchange physical banknotes for privacy coins
deposited to their receiving address. The cash is then smuggled across bor-
ders while the cryptocurrency is traded on exchanges.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 45
A Comprehensive Guide to Illicit Finance Risks in Crypto

High-Risk and Parasite VASPs

QUICK LINKS

Because high-risk VASPs and parasite VASPs usually have weak to non-exis- Part II — Money
Laundering
tent KYC and AML requirements, they are a preferred vehicle of cybercrimi-
nals and money launderers for moving funds as part of the layering process.
These exchanges are sometimes referred to as swap services, because they 2. Layering
allow criminals to pass funds through the service by exchanging one type
Mixers
of cryptocurrency for another, making tracing more difficult. Cybercriminals
can also use these services to cash out into the traditional financial system. Cash-to-Crypto

High-Risk Exchanges
Darknet Marketplaces
Programmatic Money
Darknet markets (DNMs) are also used for layering illicit funds. The below Laundering
example shows a drug vendor cashing out their profits from the DNM (rep-
Chain-Hopping
resented by the red nodes) and sending the funds to addresses controlled
by them at two separate exchanges.
Privacy Coins

High-Risk and Parasite VASPs

Darknet Marketplaces

Inter-VASP Layering

Payment Processors

Gambling

Decentralized Finance (DeFi)

Mining

The collapse in cooperation between Russia and the West on cybercrime

matters since the start of the Ukraine war has created the perception among
criminals that Russian-language DNMs have become a safe-haven from US
and European law enforcement. As such, a wide range of criminals – includ-
ing CSAM threat actors – have been observed depositing cryptocurrency to
DNMs in order to obscure their original source: once crypto funds are with-
drawn from DNM’s escrow accounts, they are no longer the same coins as
those originally deposited.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 46
A Comprehensive Guide to Illicit Finance Risks in Crypto

Inter-VASP Layering
QUICK LINKS

Inter-VASP layering involves the use of several exchanges or other VASPs to Part II — Money
Laundering
break up and move funds during the money laundering process in order to
make it more difficult for investigators to trace. Inter-VASP layering mirrors
traditional money laundering techniques, whereby criminals use multiple 2. Layering
banking services to obfuscate the source of funds; it is particularly difficult
Mixers
to trace funds through VASPs that settle transactions off-chain.
Cash-to-Crypto
Although blockchain forensics tools can assist with identifying the transac-
tions that reach the VASP, investigators are required to apply for legal data
High-Risk Exchanges
access to obtain the necessary transaction data to identify the off-ramps.
Programmatic Money
Laundering
Payment Processors
Chain-Hopping
Payment processors can be abused by a variety of criminals and threat ac-
tors, including extremist and militant groups, to layer their funds. TRM Labs Privacy Coins

has identified numerous investment fraud schemes that have used main-
High-Risk and Parasite VASPs
stream payment processors. Violent extremist groups, including US-based
neo-Nazi actors, have used payment processors to generate dynamic ad- Darknet Marketplaces
dresses, typically for the exchange of goods, services, or subscriptions.
Following seizures by the Israeli government, Hamas and other Gaza-based Inter-VASP Layering
militant groups stopped publicly publishing their cryptocurrency donation
addresses and instead turned to payment processors, typically embedding Payment Processors

them in their websites’ fundraising pages.

Gambling

Gambling
Decentralized Finance (DeFi)

Mining
Although gambling is legal and socially acceptable in many jurisdictions, it
has long been a useful method of laundering funds from illicit activity. The
gambling process involves customers paying money into a casino or book-
makers’ and later cashing out any winnings along with the remaining funds
and an official receipt. This gives money launderers the opportunity to claim
that their illicitly-obtained funds are merely gambling profits.

Cryptocurrency-based gambling platforms make it difficult to trace funds

through the service. However, they are increasingly subject to compliance
regulations. This means that casinos must perform KYC and source of wealth
checks on customers seeking to deposit large amounts. Later, should a sus-
pected criminal claim gambling winnings as the source of their funds, the
online casino in question can be subpoenaed by local law enforcement to
release records relating to that user.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 47
A Comprehensive Guide to Illicit Finance Risks in Crypto

Decentralized Finance (DeFi)

QUICK LINKS

Decentralized finance (DeFi) is at risk of abuse by money launderers. While Part II — Money
Laundering
DeFi has the potential to increase financial inclusivity and provide more ac-
cessible and transparent services, it can also be exploited by those seeking
to engage in illicit activities. 2. Layering

It is important to note that many DeFi platforms are actively implementing Mixers
measures to enhance security, compliance and transparency. Regulatory
Cash-to-Crypto
authorities are also working on frameworks to address money laundering
risks in the context of DeFi.
High-Risk Exchanges

Programmatic Money
Mining Laundering

Cryptocurrency mining has been abused for laundering funds by ransom- Chain-Hopping
ware groups, such as APT43, and other illicit actors. The coins minted on
mining equipment acquired with illicit funds have no apparent ties to crim- Privacy Coins

inal activity, allowing criminals to cash out without leaving a traceable path
High-Risk and Parasite VASPs
on the blockchain.
Darknet Marketplaces
For example, TRM Labs has identified a DNM vendor using illicit funds made
from the sale of drugs to purchase cloud mining accounts. The outputs from
Inter-VASP Layering
the mining transactions were then laundered through a Bitcoin ATM busi-
ness controlled by the vendor, which provided a front for the illicit activity. Payment Processors
From there the funds were withdrawn to a personally-held wallet.
Gambling

Decentralized Finance (DeFi)

Mining

trmlabs.com
Illicit Crypto Ecosystem Report: Page 48
A Comprehensive Guide to Illicit Finance Risks in Crypto

3. Integration
QUICK LINKS

Part II — Money
Laundering
Integration is the final stage of money laundering, during which the laun-
dered proceeds are re-introduced into the legitimate economy. This is done 3. Integration
by funneling the funds to legitimate channels so that the source of funds
Crypto-Fiat Value Transfer
can plausibly be explained.
Send as Crypto
The key purpose of integration is to convert the tainted crypto funds into
fiat currency or stablecoins which are then off-ramped through VASPs such
as payment processors, exchanges, OTC desks, cash-to-crypto services and
peer-to-peer (P2P) services. Criminals may also use their crypto proceeds
directly to purchase goods and services such as NFT artwork, computers,
airline tickets and clothing. Dozens of mainstream retailers already accept
payment in cryptocurrency.

Transaction analysis of declared wallets – incorporating both direct and in-

direct risk exposure – belonging to accused criminals can help investigators
to identify the true source of funds .

Crypto-Fiat Value Transfer

There are numerous options for transforming criminally obtained crypto
into fiat currency. Bitcoin, Ethereum, and a range of other assets can be
used online to buy gift vouchers, prepaid debit cards, or iTunes vouchers
– without undergoing KYC or source of wealth checks. Unscrupulous OTC
(“over the counter”) traders and P2P exchanges also offer cash-changing
services with minimal scrutiny while maintaining client anonymity.

This transaction mechanism is often seen as part of the integration process

for launders. Often they will engage services or peer traders that will not
ask any questions about the source of funds so that the transfer is not sub-
ject to scrutiny.

Cash-to-Crypto
Cash-to-crypto services can be used to cash out the illicit proceeds of crime
during the integration stage. TRM Labs has tracked the use of crypto ATMs
by suspected perpetrators of severe illicit activity, including terrorist financ-
ing and CSAM. It is likely that criminals use such ATM kiosks due to the rela-
tively loose KYC policies implemented by many such services.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 49
A Comprehensive Guide to Illicit Finance Risks in Crypto

High-Risk VASPs
QUICK LINKS

Due to their lack of KYC requirements, unregulated status and domicile in Part II — Money
opaque jurisdictions, high-risk VASPs are frequently used to cash out illicit Laundering
cryptocurrency earnings. The obtained fiat currency can then be spent on a
variety of goods and services. 3. Integration

Crypto-Fiat Value Transfer

OTC Desks
Send as Crypto
OTC services can be used for all three stages of laundering, where criminals
need to place cash into the financial, or wish to transfer funds across bor-
ders quickly without oversight as a method of layering, and finally as a way
of cashing out their funds during the integration process. In 2021, SUEX, a
Russian-language OTC broker, was sanctioned by OFAC for facilitating fi-
nancial transactions for ransomware actors.

P2P Exchanges
Although most P2P exchanges are technically governed by AML rules –
for example, business transactions of over USD 600 involving US persons
must be reported under US informational reporting rules – many flout such
requirements.

Spend as Crypto
It is possible for criminals to integrate their crypto-based wealth without re-
sorting to fiat currency off-ramps. Over the past five years, an increasing ar-
ray of goods and services has become available for purchase directly using
cryptocurrency. This ranges from digital goods such as NFTs and in-game
purchases to luxury goods and even real estate. These purchases may also
be seen as stores of value, depending on how the criminal intends to use
the asset in the future.

Real Estate
In 2022, Portugal became among the first countries to allow the sale of a
house using crypto. Most high-value real-world transactions involving crypto
require KYC and source of wealth checks, which poses challenges for crimi-
nals. However, there remain myriad ways for illicit actors to evade such guard-
rails - often through the use of shell companies and cybercrime services.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 50
A Comprehensive Guide to Illicit Finance Risks in Crypto

Luxury Goods
Luxury goods such as supercars, jewelry, and designer bags are frequent-
ly bought with the proceeds of illicit crypto activities. Some luxury goods
can be purchased directly with cryptocurrency: for example, the German
fashion designer Philipp Plein allows the use of cryptocurrency in his on-
line boutiques.

Luxury goods are often found during police raids on crypto criminals. In
March 2022, a series of raids by Brazilian police on a gang accused of run-
ning a EUR 780 million illegal cryptocurrency scheme. Despite promising in-
vestors healthy returns, the criminals used investor funds to buy real estate,
jewelry, cars, boats, and luxury clothing.

Crypto Gift Cards

As prepaid gift cards can be purchased using cryptocurrency, they can also
be abused by criminals to cash out illicit funds. After buying gift cards from
an online service with proceeds from crime, an illicit actor can then use the
cards to acquire a wide range of consumer goods from mainstream e-com-
merce platforms and physical stores. For example, one of the accused par-
ties behind the Bitfinex hack allegedly spent a portion of the stolen funds on
a USD 500 Walmart gift card.

Gift cards can also be acquired by scammers posing as crypto traders who
convince would-be investors to send them gift cards as sources of value to
make crypto investments on their behalf. The scammers then run off with
the gift cards.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 51
A Comprehensive Guide to Illicit Finance Risks in Crypto

Methodology
QUICK LINKS

Introduction

The taxonomy development process followed a systematic and iterative ap- Part I — Illicit Crypto
proach, incorporating various data sources and expert input to include the
most comprehensive range of predicate offenses.
Part II — Money
Initially, a preliminary list of illicit activities associated with cryptocurrency Laundering
was compiled through a literature review and expert interviews. This includ-
ed analyzing predicate offenses defined by the FATF Recommendations, Methodology
examining criminal investigations involving cryptocurrency, and consulting
with private and public sector partners globally. The activities were catego-
Conclusion and
rized into themes and subcategories, considering the nature of the activi-
Recommendations
ties, the actors involved, and prosecution across jurisdictions. For instance,
ransomware was classified under extortion and fraud due to its frequent
prosecution in the United States under the Computer Fraud and Abuse Act
(CFAA) - 18 U.S.C. § 1030.

To gather data, historical transaction data from 20 public blockchains was

indexed. Open-source intelligence, active intelligence collection, and pat-
tern recognition algorithms were used to collect information on blockchain
addresses and transactions associated with illicit activity.The absolute vol-
ume of a specific category ($X) was measured by aggregating the USD val-
ue of incoming transfers to relevant addresses, considering the USD price
of the asset on the transfer date.

Several limitations should be acknowledged in this report. First, reported

volume for specific categories may be underestimated if TRM lacks attribu-
tion for addresses or transactions within those categories. Certain catego-
ries like darknet marketplaces and investment schemes are more likely to
be comprehensively measured due to their inherent visibility and the pres-
ence of platforms like Chainabuse that facilitate victim reporting. The trans-
parency of the blockchain allows for an estimation of the upper bound of
illicit activity by subtracting known volume associated with legitimate activ-
ity such as trading from total crypto volume. Second, this report does not
measure fiat proceeds of crime converted into crypto. Virtual asset service
providers (VASPs) and financial intelligence units (FIUs) play a critical role in
detecting the conversion of fiat proceeds of crime into cryptocurrency and
digital assets for money laundering.

As TRM continues to collect more data, it is possible that the reported num-
bers may increase over time, improving the accuracy and completeness of
the report. These limitations are essential to consider in interpreting the
findings and recognizing the potential for further refinement and expansion
of the taxonomy in the future. trmlabs.com
Illicit Crypto Ecosystem Report: Page 52
A Comprehensive Guide to Illicit Finance Risks in Crypto

Conclusion and
QUICK LINKS

Recommendations
Introduction

Part I — Illicit Crypto

Despite only existing in mainstream use for around a decade, cryptocurren- Part II — Money
cies have embroidered themselves into every typology of crime, from the Laundering
purely digital theft enabled by hacks to drugs trafficking, extortion, terror-
ist financing and espionage. Crypto did not introduce these criminal forms;
Methodology
nor has it (yet) come to dominate them. Indeed, fiat currencies and even
older forms of finance such as hawala remain the default means by which il-
licit activity is financed and its proceeds are laundered. Conclusion and
Recommendations
The “crypto winter” of 2022 did little to erode the use of
crypto in illicit activity and in money laundering. The year
saw as much as USD 2 trillion worth of cryptocurrency
assets wiped out from investors’ balance sheets,
according to World Economic Forum estimates. Yet the
fall in crypto’s value does not appear to have dissuaded
criminals from using and exploiting crypto.
This has been particularly true regarding DeFi, with hacks on DeFi targets and
cross-chain bridges resulting in USD 3.7 billion stolen – an average of over
USD 20 million per incident. Illicit investment schemes, too, have seen signif-
icant activity, with at least USD 7 billion in volume linked to such addresses.

The continued proliferation of cryptocurrencies and blockchain technology

suggests that they will retain a significant place in the criminal arsenal. The
good news for investigators, law enforcement and regulators is that cryptocur-
rencies can provide granular visibility into the structure, operations and, most
of all, interconnectivity between different criminal actors and enterprises.

As this report shows, the various kinds of crypto crime

and their perpetrators do not operate in silos; rather,
they are highly intertwined.
Seemingly unrelated pig butchering incidents were found to be linked to ma-
jor international crime groups; cryptocurrency ATM scams have been alleged
to fuel people trafficking syndicates; Russian-language DNMs specializing in
drugs are also used by CSAM actors to launder funds; the sanctioned mix-
ing service Chipmixer was facilitating the work of Royal, a notorious ransom-
ware syndicate that targets US national security infrastructure. trmlabs.com
Illicit Crypto Ecosystem Report: Page 53
A Comprehensive Guide to Illicit Finance Risks in Crypto

Over the last two years, the US Treasury Department’s Office of Foreign
Assets Control (OFAC) has sanctioned non-compliant VASPs, darknet mar-
kets and other parts of the illicit crypto ecosystem for facilitating ransom-
ware, sanctions evasion, and other activity.

In January 2023, the US Department of Justice and the US Treasury De-

partment announced a coordinated action against non-compliant Hong
Kong-registered cryptocurrency exchange Bitzlato. Its owner was arrested
for “conducting a money transmitting business that transported and trans-
mitted illicit funds and that failed to meet US regulatory safeguards, includ-
ing anti-money laundering requirements.”

Disrupting these criminal enterprises depends on understanding not just

the ways in which they connect but also on the ability to overcome their
attempts at obscuring the origin and flow of their cryptocurrencies across
blockchains. As the number of blockchains continues to proliferate, tracking
these financial flows becomes ever more technically demanding.

As the first blockchain intelligence platform designed

for the multi-chain era, TRM Labs has pioneered tracing
support for new blockchains, including all assets on
Ethereum (2019), TRON (2019) and Solana (2021).
Today, TRM Labs can trace over 28 blockchains and over
a million assets including all derivative assets, wrapped
assets, stablecoin and NFTs, enabling historical replay of
99% of crypto volume.
TRM Labs was the first to launch state-of-the-art capabilities including au-
tomated cross-chain tracing, automated demixing, NFT tracing, nested en-
tity analytics, and mobile-first forensics. TRM Labs offers one-click tracing
through 50 blockchain pairs and over 10 million cross-chain swaps.

Blockchain intelligence represents a transformative leap forward in the on-

going fight against illicit finance. Previously, law enforcement agencies, reg-
ulators and the broader private sector lacked a real-time understanding of
illicit economies, their size, how their assets are transferred and how they
are overlapping with other illicit networks.

trmlabs.com
Illicit Crypto Ecosystem Report: Page 54
A Comprehensive Guide to Illicit Finance Risks in Crypto

Approaching crypto crime in a systematic way allows for a

holistic view that can inform a broad strategy for dealing with
crypto crime risks. Any such strategy should consider the
following questions:

• How detailed is our understanding of crypto crime and

money laundering, and do we need to adjust our frameworks
to mirror a more granular risk taxonomy?

• Are we overly focused on activity involving bitcoin to the

detriment of other emerging chains showing increased
involvement in illicit activity?

• Have we conducted a coverage assessment against these

risks to better understand our exposure to the various illicit
risk categories?

• Are our resources (both technological and human) well

positioned to identify not just a singular risk and typology
but multiple illicit activities interacting within one connected
scheme?

Such an approach can help equip law enforcement and compliance profes-
sionals with a more comprehensive, granular and targeted view of where to
allocate their surveillance, investigative and technological resources.

TRM provides blockchain intelligence tools to help financial Find out more:
institutions, crypto businesses and governments combat [email protected]
cryptocurrency fraud and financial crime. trmlabs.com

trmlabs.com