Investigations | February 23, 2021

Stolen crypto withdrawal and transfer patterns

by the Crystal analytics team

An analysis of Bitcoin transactions made by crypto-criminals after a theft, scam or ransom between 2015 and 2020, looking at how and where the stolen funds were moved.

Key findings:

  • In 2020, crypto-criminals withdrew stolen and scam-sourced assets about 13 times faster than five years earlier.
  • In 2015, exchanges with verification requirements were the most popular destination for stolen funds, receiving 53% of them.
  • By 2020 that share had dropped dramatically: only 8% of stolen funds were transferred through exchanges with verification procedures.
  • Mixers and exchanges without verification requirements were the main withdrawal destinations in 2020.
  • Crypto-criminals usually route stolen funds to known entities through additional transactions with unknown intermediate addresses rather than sending them directly.
  • Between 2015 and 2020, about 81% of all withdrawal transfers from crypto-criminals reached a known entity within 9 hops.
  • Blockchain analytics tools are compelling crypto-criminals to change their withdrawal patterns in order to stay anonymous.

Bitcoin and other cryptocurrencies are becoming more popular and more widely adopted year on year. More and more newcomers are finding their way into the cryptocurrency market, buying, trading and holding assets, and the number of Virtual Asset Service Providers (VASPs) in the sector grows day by day. These are positive signs of a maturing market. As in any financial sector, however, the number of bad actors trying to obtain crypto illegally is growing too.

According to Crystal Blockchain’s Report on Security Breaches and Fraud Involving Crypto 2011-2021, both the volume of stolen funds and the number of security-breach cases reached their highest levels yet in 2019/2020. To bring these numbers down, the industry needs a clearer understanding of how thefts play out after the fact. For this reason, our analytics team has put together this report, which analyzes the withdrawal paths of stolen assets to see how they changed over the last five years and why.

The Crystal team analyzed all entities on the Bitcoin blockchain that have been reportedly connected to ransom, scams and/or theft since 2015; for the purposes of this report these entities are called crypto-criminals. The report looked at the average time taken to transfer stolen funds, and at the share of stolen funds transferred to known entities by year and by “hop”.

Average transfer times of stolen funds to known entities 2015-2020

The graph below shows the average time crypto-criminals needed to move 80% of the stolen funds out of their own addresses.

Analysis parameters for the graph above: the Pareto Principle (the 80/20 rule, after Vilfredo Pareto) holds that roughly 80% of consequences come from 20% of causes. Stolen funds follow it fairly closely: 80% of what a crypto-criminal receives is typically withdrawn as quickly as they judge safe, while the remaining 20% can sit untouched for a much longer period after the illicit activity has ended. For this reason we measured the withdrawal time for 80% of the amount received by each crypto-criminal. (NOTE: these parameters apply only to the graph above. The subsequent graphs were calculated on 100% of the fund flow / transaction volumes.)

The first thing to note is that the average time to withdraw 80% of the stolen funds has fallen steadily over the last five years. In 2015, crypto-criminals held stolen money for around 365 days on average before 80% of it had moved; in 2020 the average time stands at around 28 days. That is a roughly 13X decrease in withdrawal time from 2015 to 2020.
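The “time to withdraw 80%” measure described above can be computed from a transaction list in a few steps: sum everything a flagged entity received from outside its own addresses, then walk its outgoing transfers in time order until 80% of that amount has left. The script below is an added example, not Crystal’s code; the ledger, address names, timestamps and entity clusters are constructed sample data chosen to reproduce a 365-day and a 28-day case, and the “dormant” entity shows the caveat that an entity which has not yet moved 80% has no value and must be reported separately rather than silently dropped from the average.

```python
"""Added example, not Crystal's code: the 'time to withdraw 80%' measure.

For each flagged entity (a cluster of addresses) sum everything it received
from outside, then walk its outgoing transfers in time order until `share`
of that amount has left the cluster. Internal moves between the cluster's
own addresses are ignored. All data below is constructed, not real chain data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed ledger: (ISO timestamp, sender, receiver, amount in BTC).
LEDGER = [
    # "theft-2015": 100 BTC in, 80% out only after a full year.
    ("2015-03-01T00:00", "victim_x", "t15_a", 100.0),
    ("2015-03-02T09:00", "t15_a", "t15_b", 100.0),   # internal move, ignored
    ("2015-06-01T00:00", "t15_b", "unk_1", 30.0),
    ("2015-12-01T00:00", "t15_b", "unk_2", 30.0),
    ("2016-02-29T00:00", "t15_b", "unk_3", 20.0),    # cumulative 80 BTC = 80%
    # "theft-2020": 50 BTC in, 80% gone within four weeks.
    ("2020-05-10T12:00", "exch_hot", "t20_a", 50.0),
    ("2020-05-11T12:00", "t20_a", "unk_4", 25.0),
    ("2020-06-07T12:00", "t20_a", "unk_5", 15.0),    # cumulative 40 BTC = 80%
    ("2020-09-01T00:00", "t20_a", "unk_6", 10.0),
    # "dormant": received 10 BTC and has moved nothing yet.
    ("2020-08-01T00:00", "victim_y", "dorm_a", 10.0),
]

# Hypothetical attribution: the addresses belonging to each flagged entity.
CLUSTERS = {
    "theft-2015": {"t15_a", "t15_b"},
    "theft-2020": {"t20_a"},
    "dormant": {"dorm_a"},
}


def time_to_withdraw_share(ledger, addresses, share=0.8):
    """Return (year of first inflow, timedelta until `share` of the total
    received has left the cluster), or None if that point was never reached."""
    received, first_in, outflows = 0.0, None, []
    for ts, src, dst, amt in sorted(ledger, key=lambda tx: tx[0]):
        src_inside, dst_inside = src in addresses, dst in addresses
        if dst_inside and not src_inside:            # inflow from outside
            received += amt
            if first_in is None:
                first_in = datetime.fromisoformat(ts)
        elif src_inside and not dst_inside:          # outflow to outside
            outflows.append((datetime.fromisoformat(ts), amt))
    if first_in is None or received == 0:
        return None
    moved, threshold = 0.0, share * received
    for when, amt in outflows:
        moved += amt
        if moved >= threshold - 1e-9:                # tolerate float rounding
            return first_in.year, when - first_in
    return None                                      # still below the threshold


def average_days_by_year(ledger, clusters, share=0.8):
    """Average time-to-`share` in days, grouped by the year of the first inflow."""
    by_year = defaultdict(list)
    for addresses in clusters.values():
        result = time_to_withdraw_share(ledger, addresses, share)
        if result is not None:
            year, delta = result
            by_year[year].append(delta.total_seconds() / 86400)
    return {year: round(mean(days), 1) for year, days in sorted(by_year.items())}


def unresolved(ledger, clusters, share=0.8):
    """Entities that have not yet moved `share` of what they received. They drop
    out of the average above, so report them rather than silently ignoring them."""
    return sorted(name for name, addrs in clusters.items()
                  if time_to_withdraw_share(ledger, addrs, share) is None)


if __name__ == "__main__":
    print(average_days_by_year(LEDGER, CLUSTERS))   # {2015: 365.0, 2020: 28.0}
    print(unresolved(LEDGER, CLUSTERS))             # ['dormant']
```

Two design choices matter when running this on real attribution data: the clock starts at the first inflow rather than at the public disclosure of the breach, so the figure measures the criminal’s own pace, and transfers between addresses of the same cluster are not counted as withdrawals, otherwise a simple sweep to a fresh address would look like a cash-out.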

Some of the potential reasons for such changes are:

  1. the development of crypto networks that include various VASPs and law enforcement entities, and
  2. the growing popularity of blockchain analysis tools like Crystal Blockchain.

In the case of security breaches, for example, the combination of the speed at which information is spread amongst crypto-community members in 2020 as compared to 2015, as well as the improved ability to instantly tag addresses as high-risk by blockchain analytics platforms, now forces crypto-criminals to withdraw stolen assets in a much shorter period than they ever had to before.

NOTE: For the purposes of this report and for general analysis on the Crystal platform, “hops” are defined as the number of steps in the withdrawal path of a particular transaction made by a specified entity.

What we have observed, by following the number of hops made by illicit entities after a breach or scam, is that crypto-criminals almost always route funds to known entities (different types of exchanges, for example) over more than one hop. Bad actors tend to add transactions through unknown intermediate addresses before they interact with an exchange, which we read as an attempt to obfuscate the origin of the stolen funds. In the next section we look at the minimum number of hops crypto-criminals use when withdrawing stolen funds.

Share of stolen fund withdrawal transfers to known entities (by hops)

The graph below plots the share of withdrawal transfers that reached known entities against the minimum number of hops through untagged addresses on the way. (Reading example: a point at 3 hops and 40% would mean that 40% of crypto-criminal withdrawals of stolen funds reached a known entity within 3 hops.)

During the period 2015-2020, 81% of all crypto-criminal stolen-fund transfers that reached known entities did so within 9 hops of the breach, and 91% within 14 hops.

The reason for this behaviour (several hops between the illegal withdrawal and the transfer to a known entity) is that a crypto-criminal’s main intention is to tangle the trail of funds and to bury the signals that point back to a tagged risky address. This lets them cash out on exchanges that use low-quality tools or no anti-money-laundering tools at all. (It’s worth noting that detecting such withdrawal patterns and flagging them as risky interactions is not a problem for Crystal; you can follow such a withdrawal pattern step by step and visualize it with our tools.)

Turning to how withdrawal destinations changed over the same 2015-2020 period: indirect withdrawals are counted too, i.e. transactions between criminal entities and other known entities are included even when unknown intermediate addresses (addresses that do not belong to any identified service) sit in between. The indirect connections of any entity can be explored in Crystal using the All Connection feature.

Share of stolen fund withdrawal transfers to known entities (by year)

The graph below shows the share of withdrawals sent by crypto-criminals to known entities, by year, including transfers whose intermediate addresses are untagged.

In 2015, the most popular destinations for crypto-criminal funds were exchanges with verification requirements: 53% of the stolen amounts received were sent through this type of entity. The second-biggest share, 33%, was withdrawn through exchanges without verification requirements. Other types of entity were not popular among crypto-criminals in 2015.

In 2020, however, these statistics changed noticeably: the share of stolen amounts withdrawn through exchanges with verification requirements dropped to just 8%, while the share sent to exchanges without verification requirements grew to 61%. A new destination also appeared: mixers, which received 27% of stolen funds in 2020, compared with just 3% in 2015.
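Both the hop-count graph and the destination-share graph come from the same underlying computation: for every transfer leaving a flagged entity, find the nearest tagged address reachable through untagged intermediates, record how many hops it took and what kind of entity it was, and then aggregate by amount. The script below is an added example, not Crystal’s code; the transfer graph, address names, tags and amounts are constructed sample data. A hop is counted as one transaction on the path, so a withdrawal paid straight into a tagged exchange address is 1 hop and one routed through a single untagged address is 2. The example also covers two edge cases the aggregation has to handle: funds still parked at an untagged address (no hop count, reported separately) and a loop between untagged addresses (the breadth-first search must not revisit them).

```python
"""Added example, not Crystal's code: minimum hops from a flagged entity to a
known (tagged) entity, the cumulative share of withdrawals that reached one
within n hops, and the split of those withdrawals by destination type.
All data below is constructed, not real chain data.
"""
from collections import defaultdict, deque

# Constructed transfers: (sender, receiver, amount in BTC).
EDGES = [
    ("thief", "exch_kyc", 10.0),                  # 1 hop, straight to a verified exchange
    ("thief", "u1", 20.0), ("u1", "u2", 20.0),
    ("u2", "exch_nokyc", 20.0),                   # 3 hops via two untagged addresses
    ("thief", "u3", 30.0), ("u3", "u4", 30.0),
    ("u4", "u5", 30.0), ("u5", "mixer", 30.0),    # 4 hops into a mixer
    ("thief", "u6", 40.0), ("u6", "u7", 40.0),    # dead end: still parked at u7
    ("u7", "u6", 5.0),                            # a loop, to show the search does not spin
]
# Hypothetical address tags, as an analytics platform would attribute them.
TAGS = {"exch_kyc": "exchange (verified)",
        "exch_nokyc": "exchange (unverified)",
        "mixer": "mixer"}
CLUSTER = {"thief"}   # addresses attributed to the flagged entity


def build_graph(edges):
    """Adjacency list: sender -> list of receivers."""
    graph = defaultdict(list)
    for src, dst, _ in edges:
        graph[src].append(dst)
    return graph


def nearest_known(graph, start, tags, cluster):
    """Breadth-first search over untagged addresses from `start`. Returns
    (hops, tagged address) for the nearest tagged address, or (None, None).
    The search stops at the first tagged address on a path, never re-enters
    the flagged cluster, and never revisits an address (loops are harmless)."""
    if start in tags:
        return 0, start
    seen = set(cluster) | {start}
    queue = deque([(start, 0)])
    while queue:
        addr, dist = queue.popleft()
        for nxt in graph.get(addr, ()):
            if nxt in tags:
                return dist + 1, nxt
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None, None


def classify_withdrawals(edges, cluster, tags):
    """One record per transfer leaving the cluster: (amount, hops, destination
    type); hops and type are None when the funds have not reached a tagged entity."""
    graph = build_graph(edges)
    records = []
    for src, dst, amt in edges:
        if src in cluster and dst not in cluster:
            dist, known = nearest_known(graph, dst, tags, cluster)
            records.append((amt, None, None) if dist is None
                           else (amt, dist + 1, tags[known]))
    return records


def share_within_hops(records):
    """Cumulative share (by amount) of resolved withdrawals that reached a known
    entity in at most n hops, for n = 1 .. max hops seen."""
    resolved = [(amt, hops) for amt, hops, _ in records if hops is not None]
    if not resolved:
        return {}
    total = sum(amt for amt, _ in resolved)
    out, moved = {}, 0.0
    for n in range(1, max(hops for _, hops in resolved) + 1):
        moved += sum(amt for amt, hops in resolved if hops == n)
        out[n] = round(100 * moved / total, 1)
    return out


def share_by_destination(records):
    """Split of resolved withdrawals (by amount) across destination types."""
    totals = defaultdict(float)
    for amt, hops, kind in records:
        if hops is not None:
            totals[kind] += amt
    if not totals:
        return {}
    grand = sum(totals.values())
    return {kind: round(100 * amt / grand, 1) for kind, amt in sorted(totals.items())}


def unresolved_amount(records):
    """Amount that left the cluster but has not reached any tagged entity yet."""
    return sum(amt for amt, hops, _ in records if hops is None)


if __name__ == "__main__":
    recs = classify_withdrawals(EDGES, CLUSTER, TAGS)
    print(share_within_hops(recs))      # {1: 16.7, 2: 16.7, 3: 50.0, 4: 100.0}
    print(share_by_destination(recs))   # {'exchange (unverified)': 33.3, 'exchange (verified)': 16.7, 'mixer': 50.0}
    print(unresolved_amount(recs))      # 40.0
```

The cumulative table is what a point such as “81% within 9 hops” summarizes. Note that the shares are computed over withdrawals that have already reached a tagged entity; the parked 40 BTC is reported on its own, because folding it into the denominator would understate the shares for funds that are simply still in transit, and on a live chain that number changes every time an untagged address is later attributed.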

Exchanges with verification requirements are doing the best they can to comply with crypto-asset regulations. Verified exchanges were the first entity type to start using blockchain analysis and anti-money laundering tools, and they are the most active participants in the crypto-community fight against crypto-criminals. This is likely the main reason they’ve become such an unpopular stolen fund destination.

Exchanges without verification requirements have been in less of a rush to comply with crypto-asset regulation, and so see little need for analytics tools. Some exchanges with little or no verification do not want to be regulated or to analyze the sources of their clients’ funds, because they know they would lose a noticeable share of the customers who use their services precisely to stay anonymous.

The growing popularity of mixers among crypto-criminals is not much of a surprise. These services exist to entangle and obscure fund flows, stolen assets included, so that they are harder for compliance officers or investigators to trace, which makes them a very useful tool for anyone who has just breached the security of a crypto exchange, for example.

Conclusions and Predictions:

Blockchain analytics tools are noticeably more popular across the crypto-community network. Crypto-asset regulation and compliance requirements are encouraging more and more law-abiding VASPs to use anti-money-laundering and blockchain analysis tools like Crystal Blockchain. This has changed the behaviour of crypto-criminals, who now have to work even harder to entangle and hide the transaction flows of stolen funds.

The most recent characteristics used by crypto-criminals to cover their tracks are:

  • a reduced time for withdrawing stolen funds from crypto-criminals’ addresses
  • an increased number of intermediate transactions with unknown addresses in stolen fund flows to known entities
  • a preference for mixers and exchanges without verification requirements as stolen fund destinations

As the number of VASPs using analytics tools increases, the fight against theft and other illicit activity keeps improving. It also means, however, that the schemes crypto-criminals use to withdraw stolen funds will become even more complex and concealed, and that they will try to withdraw their assets in an even shorter time than before.

While these schemes will inevitably become more complex, analytics tools like Crystal Blockchain continue to develop their solutions to detect and combat these illicit activities as quickly as possible, fighting fraud at the root and keeping the blockchain and cryptocurrency space as secure as possible for everyone involved.
