Two Major Hacking Groups Stole A Billion In Crypto – Chainalysis Report

January 29, 2019

In its annual research into crypto crime, Chainalysis discovered two unique signature styles of moving hacked funds. These signatures identify two major groups responsible for stealing $1 billion in cryptocurrency over the last few years, accounting for at least 60% of publicly reported hacked funds.

While that number is daunting, Chainalysis’ platform enables forensic analysis of how the hacked funds move through the cryptocurrency ecosystem. With that capability, researchers found, on average, that the hackers move funds at least 5,000 times before cashing out, often observing quiet periods of 40 or more days before quickly moving to cash out. At least 50% of hacked funds are cashed out within 112 days, and 75% within 168 days.

The research also found the two groups have vastly different exit strategies, and presumably, end goals. These “fingerprints” of hacker styles could be useful to law enforcement analysts who may try and identify these groups:

  • Group Alpha – driven, at least partly, by non-monetary goals, as they sow confusion and havoc through rapid and frequent movement of stolen funds (15k moves in one traced hack), often cashing out up to 75% within 30 days.

  • Group Beta – driven by a need for cash, this group bides its time, waiting 6 to 18 months before efficiently and rapidly exiting over 50% of funds within days of its first move after the wait. In one case, the group cashed out $32 million in a few days.

Following the money of two prominent hacking groups

While several reports have done the job of quantifying the scale of cryptocurrency hacks, at Chainalysis we seek to “decode” hacking: that is, to gain insight into how and when hackers move assets after the initial crime, how long it takes them to cash out via an exchange, and whether this teaches us anything about who they are.

We took a look at hacks that target cryptocurrency organizations such as exchanges. These hacks involve large thefts, often stealing tens or even hundreds of millions of dollars directly from exchanges. Hacking dwarfs all other forms of crypto crime, and it is dominated by two prominent, professional hacking groups. Together, these two groups are responsible for stealing around $1 billion to date, at least 60% of all publicly reported hacked funds. And given the potential rewards, there’s no question hacking will continue; it is the most lucrative of all crypto crimes.

How hacked funds move through the cryptocurrency ecosystem

On average, the hacks we traced from the two prominent hacking groups stole $90 million per hack. The hackers typically move stolen funds through a complex array of wallets and exchanges in an attempt to disguise the funds’ criminal origins. The hackers then often observe a quiet period of 40 or more days in which they don’t move funds, waiting until interest in the theft has died down. Once they feel safe, they move quickly. At least 50% of the hacked funds are cashed out through some conversion service within 112 days.

Both hacking groups seek to evade detection between the hack and their exit, but they use different approaches to achieve these ends. For example, we suspect that one of the prominent hacking groups, which we’ll refer to as group Alpha, is a giant, tightly controlled organization at least partly driven by non-monetary goals. By contrast, the second hacking organization, group Beta, seems to be a less organized and smaller organization absolutely focused on the money. They don’t appear to care very much about evading detection.
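The behavioural “fingerprints” described above and in the bullet list (hop count, a long quiet period, and how quickly a given share of the stolen amount reaches a conversion service) can be computed from a traced transfer trail. The following is an added example written for this page; it is not Chainalysis code and does not use the Chainalysis platform. It assumes the trail has already been traced and that each transfer is labelled with whether its destination is a conversion service (`to_service`), that the first transfer in the trail is the theft itself, and it uses assumed thresholds: 180 to 540 days to approximate the report’s “6 to 18 months”, and 7 days for “within days”. The two trails are constructed sample data, one shaped like each group.

```python
"""Fingerprint a traced hacked-fund trail with the metrics the report describes:
number of moves, longest quiet period, and days until a share of the stolen
amount has reached a conversion service (a cash-out)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Transfer:
    ts: datetime        # when the transfer was observed on-chain
    amount: float       # amount moved, in units of the stolen asset
    to_service: bool    # True when the destination is a conversion service (cash-out)


def longest_quiet_period(trail: List[Transfer]) -> Tuple[int, int]:
    """Return (days, index): the longest gap between consecutive transfers and
    the index of the first transfer after that gap (the 'resume' point)."""
    best_days, best_idx = 0, 0
    for i in range(1, len(trail)):
        gap = (trail[i].ts - trail[i - 1].ts).days
        if gap > best_days:
            best_days, best_idx = gap, i
    return best_days, best_idx


def days_to_cash_out(trail: List[Transfer], stolen_total: float,
                     fraction: float, start_index: int = 0) -> Optional[int]:
    """Days from trail[start_index] until the cumulative amount sent to
    conversion services reaches `fraction` of the stolen total; None if never."""
    start = trail[start_index].ts
    cashed = 0.0
    for t in trail[start_index:]:
        if t.to_service:
            cashed += t.amount
            if cashed >= fraction * stolen_total:
                return (t.ts - start).days
    return None


def fingerprint(trail: List[Transfer], stolen_total: float) -> Dict[str, Optional[int]]:
    """Compute the report's behavioural metrics for one traced trail.
    trail[0] is assumed to be the theft transfer itself, so moves = len - 1."""
    trail = sorted(trail, key=lambda t: t.ts)
    quiet_days, resume_idx = longest_quiet_period(trail)
    return {
        "moves": len(trail) - 1,
        "quiet_days": quiet_days,
        "days_to_50pct": days_to_cash_out(trail, stolen_total, 0.50),
        "days_to_75pct": days_to_cash_out(trail, stolen_total, 0.75),
        # cash-out speed measured from the first move after the longest wait
        "days_to_50pct_after_wait": days_to_cash_out(trail, stolen_total, 0.50, resume_idx),
    }


def classify(fp: Dict[str, Optional[int]]) -> str:
    """Map a fingerprint onto the two styles the report describes."""
    # Alpha: up to 75% cashed out within 30 days of the theft.
    if fp["days_to_75pct"] is not None and fp["days_to_75pct"] <= 30:
        return "alpha-like"
    # Beta: waits 6-18 months (assumed 180-540 days), then moves over 50% out
    # within days (assumed 7) of the first move after the wait.
    after = fp["days_to_50pct_after_wait"]
    if 180 <= fp["quiet_days"] <= 540 and after is not None and after <= 7:
        return "beta-like"
    return "unclassified"


# --- constructed sample trails (not real on-chain data) ---
T0 = datetime(2018, 1, 1)


def day(n: int) -> datetime:
    return T0 + timedelta(days=n)


# Beta-style: theft, two hops, a ~200-day wait, then a rapid exit.
BETA_TRAIL = [
    Transfer(day(0), 1000.0, False),   # theft from the victim exchange
    Transfer(day(1), 1000.0, False),   # hop to a fresh wallet
    Transfer(day(2), 1000.0, False),   # second hop, then silence
    Transfer(day(200), 300.0, True),   # first move after the wait: cash-out
    Transfer(day(201), 200.0, True),   # cumulative 500 = 50% one day later
    Transfer(day(202), 150.0, True),
]

# Alpha-style: 24 hops inside the first day, then 80% cashed out by day 12.
ALPHA_TRAIL = [Transfer(day(0), 1000.0, False)]
ALPHA_TRAIL += [Transfer(day(0) + timedelta(hours=h), 1000.0, False) for h in range(1, 25)]
ALPHA_TRAIL += [Transfer(day(k), 100.0, True) for k in range(5, 13)]

if __name__ == "__main__":
    for name, trail in (("beta", BETA_TRAIL), ("alpha", ALPHA_TRAIL)):
        fp = fingerprint(trail, 1000.0)
        print(name, fp, classify(fp))
```

On real data the trail would come from address clustering and tracing rather than a hand-built list, and the `to_service` label is the hard part: as the report notes, without attribution of destination addresses the funds look like any other deposit. The thresholds are deliberately exposed as plain numbers so an analyst can tune them to the cases they have actually traced.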

Working together to contain the damage

Until now, exchanges and law enforcement have had limited ability to track hacked funds. Furthermore, exchanges are regularly processing the stolen funds, allowing the hackers to convert the funds to traditional currencies or other cryptocurrencies. This is in part because, unless you’re the exchange that was hacked, these funds look like they have come from legitimate owners (that is, the original entities who were hacked); it is hard to tell which funds have been stolen and which haven’t without specialized investigation software.

A working knowledge of how hackers move funds can equip legitimate participants to identify unusual spikes in transactions that may be tied to criminal activity. Cooperation between exchanges also goes a long way to help fight crime in this ecosystem. Neutral intermediaries between exchanges can play an important role in this effort.