Stolen crypto withdrawal and transfer patterns

by the Crystal analytics team

Feb 23, 2021

Key findings:

  • In 2020, crypto-criminals attempted to withdraw stolen and scam-sourced assets 13 times faster than five years ago.
  • At 53%, exchanges with verification requirements were the most popular destinations of stolen funds for crypto-criminals in 2015.
  • This number dropped dramatically in 2020 to just 8% of stolen funds being transferred through exchanges with verification procedures.
  • Mixers and exchanges without verification requirements were the main destinations in 2020 for crypto-criminal fund withdrawals.
  • Crypto-criminals usually attempt to send stolen funds to known entities using additional transactions with unknown intermediate addresses.
  • Between 2015 and 2020, about 81% of all withdrawal transfers from crypto-criminals to known entities were made with 9 hops in between.
  • Blockchain analytics tools are compelling crypto-criminals to change their withdrawal patterns to remain undiscovered (anonymous).

Bitcoin and other cryptocurrencies are becoming ever more popular and more widely adopted, year-on-year. There are more and more "newbies" finding their way into the cryptocurrency market, giving it their best shot in buying, trading, and holding assets. The number of Virtual Asset Service Providers (VASPs) in the sector is also growing day by day. These are some of the positive changes in the growing popularity of cryptocurrencies. As with any financial sector, however, this does mean that the number of bad actors attempting to illegally obtain crypto is also growing.

According to Crystal Blockchain's Report on Security Breaches and Fraud Involving Crypto 2011-2021, the volume of stolen funds and the number of security breaches reached their highest levels yet in 2019/2020. To ensure a decrease in these numbers in the industry, it's important to understand these theft patterns more clearly. For this reason, our analytics team has collated this report, which analyzes the withdrawal paths of stolen assets to understand how they may have changed over the last five-year period and the reasons for those changes.

The Crystal team analyzed all entities on the Bitcoin Blockchain that have been reportedly connected to ransom, scams, and/or theft since 2015. These entities are called crypto-criminals for the purposes of this report. The report looked at the average time it took to make transfers of stolen funds, as well as the share of stolen funds transferred to known entities by year and by "hop".

Average transfer times of stolen funds to known entities 2015-2020

The graph below shows the average time needed to withdraw 80% of the stolen funds by crypto-criminals and to get them out of their addresses.

Analysis parameters for the graph above: according to the Pareto Principle (named after Vilfredo Pareto and also known as the 80/20 rule), most often 80% of the consequences of any action come from 20% of the causes. Following this principle fairly accurately, crypto-criminals are often found to withdraw 80% of the stolen funds they receive as fast as they think best, while the other 20% can lie in the balance for a much longer period after the illicit activity has been completed. For this reason, we chose to analyze the withdrawal time for 80% of all amounts received by each crypto-criminal. (NOTE: These parameters only apply to the graph above. The subsequent graphs below were calculated using 100% of fund flow/transaction volumes.)
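To make the 80% metric concrete, the following is an added example (not Crystal's code or data) that computes, for a constructed ledger of flagged addresses, the number of days until cumulative withdrawals reach 80% of the amount received. Starting the clock at the first receipt and skipping addresses that never reach the threshold are assumptions; the report does not state either choice.

```python
from datetime import datetime

# Constructed ledger for two flagged addresses (placeholder names, not real
# addresses). Amounts are in satoshis so the 80% comparison stays exact.
LEDGER = {
    "flagged-A": {
        "received": [(datetime(2020, 1, 1), 1_000_000_000)],
        "withdrawn": [
            (datetime(2020, 1, 5), 300_000_000),
            (datetime(2020, 1, 20), 400_000_000),
            (datetime(2020, 1, 29), 100_000_000),  # cumulative 80% reached here
            (datetime(2020, 9, 1), 200_000_000),   # the slow remaining 20%
        ],
    },
    "flagged-B": {
        "received": [(datetime(2020, 3, 1), 500_000_000)],
        "withdrawn": [(datetime(2020, 3, 2), 100_000_000)],  # only 20% moved
    },
}


def days_to_withdraw(received, withdrawn, share_pct=80):
    """Days from first receipt until share_pct of all received funds has left.

    received / withdrawn are lists of (datetime, satoshis). Returns None when
    the threshold has not been reached (funds still sitting at the address).
    """
    if not received:
        return None
    total = sum(amount for _, amount in received)
    start = min(when for when, _ in received)  # assumption: clock starts here
    moved = 0
    for when, amount in sorted(withdrawn):
        moved += amount
        if moved * 100 >= total * share_pct:   # integer comparison, no rounding
            return (when - start).total_seconds() / 86400
    return None


def average_days(ledger, share_pct=80):
    """Average the metric over addresses that reached the threshold."""
    times = [
        days_to_withdraw(entry["received"], entry["withdrawn"], share_pct)
        for entry in ledger.values()
    ]
    reached = [t for t in times if t is not None]
    return sum(reached) / len(reached) if reached else None
```

On the constructed data, the 80% threshold is reached far earlier than the 100% threshold for the same address, which is why the report measures the faster 80% portion.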

The first thing to note is that the average withdrawal time, for 80% of the stolen funds, has steadily reduced over the last five years. While in 2015, crypto-criminals could potentially hold stolen money for anything up to 365 days, in 2020 the average time for withdrawals of 80% of the illicitly gained funds stands at around 28 days. This is a 13X decrease in withdrawal times in 2020 compared to 2015.

Some of the potential reasons for such changes are:

  1. the development of crypto networks that include various VASPs and law enforcement entities, and
  2. the growing popularity of blockchain analysis tools like Crystal Blockchain.

In the case of security breaches, for example, the combination of the speed at which information is spread amongst crypto-community members in 2020 as compared to 2015, as well as the improved ability to instantly tag addresses as high-risk by blockchain analytics platforms, now forces crypto-criminals to withdraw stolen assets in a much shorter period than they ever had to before.

NOTE: For the purposes of this report and for general analysis on the Crystal platform, "hops" are defined as the number of steps in the withdrawal path of a particular transaction made by a specified entity.

What we've observed, by following the number of hops made by illicit entities post-breach or scam, is that crypto-criminals will always try to withdraw and send assets to known entities (different types of exchanges, for example) using more than one hop. Bad actors tend to use additional transactions with unknown intermediate addresses before they ever attempt to interact with an exchange, in what we see as an attempt to obfuscate the stolen funds. In the next section, we take a look at the average minimum number of hops crypto-criminals use when withdrawing stolen funds.

Share of stolen fund withdrawal transfers to known entities (by hops)

The graph below shows what share of withdrawal transfers to known entities were made, and the minimum number of hops made with untagged addresses. (For example, 40% of crypto-criminal withdrawals of stolen funds were made to known entities by a minimum of 3 hops in between.)

During the period 2015-2020, 81% of all crypto-criminal stolen fund transfers that were made to known entities were made with 9 hops between breach and entity, and 91% of those transfers were made with 14 hops in between.
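The hop measurement described above can be sketched as a breadth-first search over a transaction graph. This is an added example, not Crystal's implementation: the graph, the tags and the address names are constructed placeholders, a hop is counted as one transfer on the path (so a direct transfer is 1 hop), and each flagged-source-to-known-entity path counts as one withdrawal transfer. Those counting rules are assumptions.

```python
from collections import Counter, deque

# Constructed transaction graph: address -> addresses it sent funds to.
GRAPH = {
    "flagged-1": ["a1", "mixer-1"],
    "a1": ["a2"],
    "a2": ["exchange-unverified"],
    "flagged-2": ["b1"],
    "b1": ["exchange-verified", "b2"],
    "b2": ["b3"],
    "b3": ["exchange-unverified"],
}

# Constructed tags: addresses attributed to a known entity type.
TAGS = {
    "mixer-1": "mixer",
    "exchange-verified": "exchange with verification",
    "exchange-unverified": "exchange without verification",
}


def min_hops_to_known(graph, tags, source, max_hops=20):
    """Return {known_address: minimum hops} reachable from a flagged source.

    Only untagged addresses are expanded, so every path found runs through
    unknown intermediate addresses and stops at the first known entity.
    """
    found, seen = {}, {source}
    queue = deque([(source, 0)])
    while queue:
        addr, hops = queue.popleft()
        if hops == max_hops:          # bound the search depth
            continue
        for nxt in graph.get(addr, ()):
            if nxt in seen:
                continue
            seen.add(nxt)
            if nxt in tags:
                found[nxt] = hops + 1  # BFS order makes this the minimum
            else:
                queue.append((nxt, hops + 1))
    return found


def cumulative_share_by_hops(graph, tags, sources):
    """Share of withdrawal transfers that reach a known entity within h hops."""
    counts = Counter()
    for source in sources:
        counts.update(min_hops_to_known(graph, tags, source).values())
    total = sum(counts.values())
    shares, running = {}, 0
    for hops in sorted(counts):
        running += counts[hops]
        shares[hops] = running / total
    return shares
```

Calling `cumulative_share_by_hops(GRAPH, TAGS, ["flagged-1", "flagged-2"])` gives the cumulative curve for the constructed data; a monitoring rule that only inspects direct counterparties would see just the 1-hop share of it.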

The reason behind this behavior (including several hops between illegal withdrawal and transfer to a known entity) is that a crypto-criminal's main intention is to entangle the trace of funds from withdrawal and to cover the signals that indicate a tagged risky address. This then allows them to withdraw assets on exchanges that use low-quality tools or don't use anti-money laundering tools. (It's worth noting that it's not a problem for Crystal to detect such withdrawal patterns and flag them as risky interactions. In fact, you can go through such a withdrawal pattern step-by-step and visualize it with our tools.)

Next, we look at the withdrawal destination changes during the same analyzed period, 2015-2020. Indirect withdrawals include transactions between criminal entities and other known entities, even if there are unknown intermediate addresses, i.e. addresses that do not belong to any identified services. It is possible to explore the indirect connections of any entity in Crystal using the All Connection feature.

Share of stolen fund withdrawal transfers to known entities (by year)

The graph below shows the withdrawal share sent by crypto-criminals to known entities (by year) even if there are no tagged intermediate addresses.

The most popular crypto-criminal fund destinations in 2015 were exchanges with verification requirements: 53% of received stolen amounts were sent through this type of entity. The second-biggest share of stolen amounts was withdrawn through exchanges without verification requirements; this amounted to 33% of the entities used. Other types of entities weren't popular among crypto-criminals in 2015.

In 2020, however, these statistics changed noticeably. The stolen amounts withdrawn through exchanges with verification requirements had dropped significantly to just 8%, while the share sent to exchanges without verification requirements grew to 61%. There is also a new destination for crypto-criminal withdrawals: mixers, which received 27% of stolen funds in 2020, compared to just 3% in 2015.

Exchanges with verification requirements are doing the best they can to comply with crypto-asset regulations. Verified exchanges were the first entity type to start using blockchain analysis and anti-money laundering tools, and they are the most active participants in the crypto-community fight against crypto-criminals. This is likely the main reason they've become such an unpopular stolen fund destination.

Exchanges without verification requirements haven't been in as much of a rush to come in line with crypto-asset regulations, so they have no need to use analytics tools. Some exchanges that have little to no verification requirements don't want to be regulated or to analyze their clients' funds sources because they know they will lose a noticeable share of customers who use their services to stay anonymous.

The growing popularity of mixers among crypto-criminals is not that much of a surprise. These services were created with the main purpose of entangling and obscuring the fund flows of stolen crypto assets so that they are less traceable by compliance officers or investigators following the flow of funds. Mixers are a very useful tool when you breach the security of a crypto exchange, for example.

Conclusions and Predictions:

There is a noticeable growth in the popularity of blockchain analytics tools used by the crypto-community network. Cryptoasset regulation and compliance requirements are encouraging more and more law-abiding VASPs to use anti-money laundering and blockchain analysis tools like Crystal Blockchain. This has caused changes in the behavior of crypto-criminals, making them work even harder to entangle and hide stolen fund transaction flows much more precisely.

The most recent characteristics used by crypto-criminals to cover their tracks are:

  • a reduced time in the withdrawal of stolen funds from crypto-criminals' addresses
  • an increased number of intermediate transactions with unknown addresses in stolen fund flows to known entities
  • a preference for mixers and exchanges without verification requirements as stolen fund destinations

As the number of VASPs using analytics tools increases, the fight against theft and other illicit activities continues to improve. This does mean, however, that the schemes used by crypto-criminals to withdraw stolen funds will become even more complex and concealed, and they will definitely attempt to withdraw their assets in an even shorter time period than they ever have before.

While these schemes by crypto-criminals will inevitably become more complex, analytics tools like Crystal Blockchain continue to develop their solutions to meet and to ultimately combat these illicit activities as quickly as possible, continuing the work to fight fraud at the root and to continue to make the blockchain and cryptocurrency space as secure as possible for all involved.
