In the cryptosphere, no month passes without some large-scale hacks on smart contracts or crypto exchanges, with attackers usually carrying off millions of Dollars after a successful hack. However laundering the crypto assets to the point where they can spend their illicitly gained money is a difficult process.
The first step of getting away with crypto asset theft is to somehow transfer the stolen funds to a clean wallet, or rather a series of wallets whose addresses are not associated with the theft in any way. Hackers are aware that at the very moment they take off with their score, they are wanted, not only by the people they have stolen from, but also by law enforcement authorities, and the crypto community at large.
Of course it is not possible to simply transfer illicit funds to another wallet without tainting that other wallet as well. This is, unless a privacy coin like Monero or ZCash is used, but the vast majority of assets stolen from exchanges or smart contracts are not privacy coins. Converting them into a privacy coin is not possible either since that would require using a centralized exchange.
Centralized exchanges must be avoided at all costs when trying to launder stolen crypto funds, since most exchanges require all users to undergo KYC/AML checks. The ones that don’t require KYC/AML for withdrawals are typically smaller exchanges with a bad reputation and using one to withdraw large amounts can easily raise a red flag for law enforcement.
Also, these exchanges are often not liquid enough to handle conversions of millions of dollars and a sharp drop in trading price for one or multiple assets can also alert the community that something fishy is going on. Decentralized exchanges can be used to convert assets that are held on the same blockchain, such as ERC-20 tokens into Ether, but they cannot be used to convert assets into privacy coins.
In all likelihood, it will become necessary to use an anonymizing service, such as a coin mixer to mask the origins of illicit funds. These services take input transactions and break them down into smaller denominations that are indistinguishable from each other. For example, a hacker could send 14.39 BTC as an input transaction into the coin mixer and would receive one output transaction of 10 BTC, 4 outputs of 1 BTC, 3 outputs of 0.1 BTC, and 9 outputs of 0.09 BTC.
The output transactions are then mixed together with output transactions from legitimate sources that use the same anonymizing service. In result, neither blockchain forensics, nor law enforcement can distinguish which output transactions come from legitimate sources and which don’t.
If done right, hackers end up with a large set of wallets that contain crypto assets whose origins are unknown, besides the fact that they come from a coin mixer. This however does not mean that an attacker can now spend the money freely in the off-chain world. If offramped and deposited into a personal bank account in large quantities, financial authorities will start asking questions.
Even when the origin of the funds are properly anonymized, it is still dirty money and the rules of traditional money laundering apply. When asked by financial or taxation authorities, the hacker must still be able to credibly explain where the money comes from. Next to traditional methods used for money laundering, cryptocurrencies have made some new methods possible, such as online casinos that accept cryptocurrency.
It is also possible to use dirty crypto money to buy luxury items, or common spending items such as gift cards. Smaller amounts can be withdrawn using Bitcoin ATMs. However, this is still not enough to launder millions of Dollars for most ordinary people. The online nature of cryptocurrencies makes it a little bit easier to deposit the money in an offshore bank account or to set up a shell company, or even a legitimate business that helps in laundering larger quantities.
As of lately, art trading has become an increasingly popular vehicle for money laundering and it wouldn’t be surprising if this transfers to digital art and other types of NFTs as well. In fact, it is highly possible that this is already happening and that hackers now use the rising subjective value of NFTs as a means to cash out their stolen funds.
There is a growing number of blockchain analytics firms such as Elliptic and Chainalysis, who specialize in forensics as one of their services. These firms work closely together with law enforcement agencies in order to decrease the risk of on-chain money laundering. So far, they can track crypto transactions and link wallet addresses with their holder’s identity if the wallet contains funds that originate from an illegitimate source.
Analytics companies also work together with exchanges, who have an interest in preventing money laundering as well. As one of the measures, analytics firms can calculate a risk score for addresses that want to deposit funds to an exchange. The risk score might for example increase when the majority of the funds on a wallet comes from a coin mixer.
The victims of exchange or smart contract hacks also can take measures to make it harder for the perpetrator to launder the money, such as publishing a list of the withdrawal addresses. Other exchanges, coin mixers, and other crypto services can then blacklist these addresses and forensics firms can use this information to track down the hacker more easily.