Blockchain and cryptocurrency infrastructure provider Binance has shared details of its role in the 16 June 2021 raid on elements of the Cl0p (aka Clop) ransomware crew in Ukraine, revealing how the expansion of its in-house cyber capabilities generated firm evidence that cybercriminals are taking advantage of cryptocurrency exchanges in their work.
While the raid on Cl0p is now widely agreed by observers to have been a takedown of more peripheral elements associated with the gang, with the big guns still suspected to be at large, as evidenced by the recent appearance of new victims on their dark web leak site, the joint raid earlier in June still resulted in the seizure of assets including cash, computing equipment, and luxury cars, as well as several arrests.
The group is suspected of laundering substantial sums of extorted cryptocurrency and is thought to have caused over $500m of damage during its lengthy crime spree.
Binance said that over the past year, it had expanded its in-house anti-money laundering detection and analytics capabilities and, based on its subsequent research and analysis, as well as an existing understanding of cybercriminal cashout tactics, it came to the conclusion that the most prominent security issue in the cryptocurrency industry is money gained in cyber-attacks being laundered via nested services and “parasite” exchanger accounts living inside macro virtual asset service providers (IDPs), including its own Binance.com exchange. This network of money launderers deposits and withdraws to one another to wash the money.
“These criminals enjoy taking advantage of reputable exchanges’ liquidity, diverse digital asset offerings, and well-developed APIs,” said the organization. “In a majority of the cases associated with illicit blockchain flows coming onto exchanges, the exchange is not harbouring the actual criminal group themselves, but rather being used as a middleman to launder stolen profits.”
This understood, Binance is now implementing a two-pronged approach to crack down on it, putting in place a new detection mechanism to identify and offboard suspicious accounts, and providing information to law enforcement to build cases and disrupt criminal networks in the physical world.
It applied this approach to the investigation that took out Cl0p – run by a group dubbed Fancycat – coordinated via an international effort including law enforcement from South Korea, Spain, Switzerland, Ukraine, and the US.
Fancy was running multiple cyber criminal activities, including the distribution of cyber attacks, the operation of high-risk exchangers, and money laundering from dark web operations and high-profile attacks associated with the Cl0p and Petya ransomware.
“Our AML detection and analytics program detected suspicious activity on Binance.com and expanded the suspect cluster,” said Binance. “Once we mapped out the complete suspect network, we worked with private sector chain analytics companies TRM Labs and Crystal (BitFury) to analyse on-chain activity and gain a better understanding of this group and its attribution.
“Based on our analysis, we found that this specific group was not only associated with laundering Cl0p attack funds, but also with Petya and other illegally sourced funds. This led to the identification and eventual arrest of Fancycat.”
The organisation added: “At Binance, we believe that strong controls across exchanges, smart legislation and ongoing education will help immensely with weeding out bad actors. Projects such as our Bulletproof Exchanger and our ongoing partnerships with law enforcement, as well as security and blockchain analytics firms, will be a driving force in improving the cyber security measures across the wider crypto industry.”