Investigations

How Crystal Investigations Truly Make a Difference

by the Crystal development team

August 4, 2021

Recent cases that highlight the important role of crypto investigations services

Fraud, money laundering, and ransomware crimes using cryptocurrencies are on the rise. This development has made it imperative for businesses to seek help from investigative experts. Firms such as Crystal Blockchain provide specialized investigation services that cover all major aspects of crypto transactions.

In 2021 alone, Crystal has already been instrumental in helping to solve the JBS ransomware payment to REvil, the Pipeline payment to Darkside, the Binance takedown of the cybercriminal ring FANCYCAT, and analysis of the Hamas donations campaign.

1. Beefing Up the Investigation Against REvil

Image Source: Crystal Platform

Brazilian JBS S.A. is the largest meat company in the world by sales. The well-known meat brand serves a wide range of geographies, including Latin America, Europe, North America, and Oceania, with hundreds of industrial plants in different parts of the world.

On May 30, 2021, the company suffered a major cyberattack. The ransomware attack was so severe that all of the company’s beef plants in the US came to a halt. Some of the firm’s plants in Canada and Australia were shut down temporarily.

It was later revealed that the Russian hacker group REvil was behind this attack. The group managed to break into JBS’ IT systems and demanded a ransom in return for preserving critical data. As a result, JBS had to pay $11 million in bitcoin to get back its data.

The Crystal team checked blockchain transactions against the provided information on the paid amounts and found several addresses that fit the requirements.

Shortly afterwards, we were able to label one address as REvil ransomware, since it showed a pattern of laundering funds through mixers, darknet entities and certain exchanges. We hope that this label will help prevent future laundering of REvil funds.

In the aftermath, JBS revealed that it had paid the money to ensure no further attacks take place. The firm is also working to make its security systems more robust to protect its business interests. REvil, which is also known as Sodinokibi, has been particularly active this year.

2. Uncovering the Darkside

Image Source: Crystal Platform

The Colonial Pipeline is an oil pipeline system based in Texas. It supplies jet fuel and gasoline to several parts of the South-Eastern United States. It is considered to be the largest pipeline system for refined oil in the entirety of the US. The pipeline has been active for more than 50 years. The Colonial Pipeline is also responsible for supplying fuel to several major airports.

In May 2021, the Colonial Pipeline suffered a major ransomware attack. This attack was carried out by DarkSide, a group known for deploying ransomware. It is worth noting that this group targets all parts of the world, except for post-Soviet states. As a result of the attack, Colonial shut down all operations and engaged a cybersecurity firm to investigate the incident. The US government also provided support to the company to ensure that its operations are restored.

Crystal’s analysts located the transactions on the blockchain from the known transaction day and the amount that was sent. The team analyzed each potential cluster (of addresses) and found additional evidence in one of them: a transaction of $4.4 million, or 78 BTC, sent by Brenntag, a chemical distribution company. We labeled this cluster on the platform in order to prevent any further laundering of the extorted funds.
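The matching used in this case and in the REvil case above (locate payments from a known USD amount and day, then follow the funds until they reach a labelled mixer, darknet entity or exchange), as an added illustration that is not Crystal's own code; the addresses, dates, ledger and the BTC/USD rate are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Tx:
    txid: str
    day: date
    sender: str
    receiver: str
    btc: float

def find_candidates(txs, usd_paid, btc_usd_rate, pay_day, tol=0.02, window_days=1):
    """Candidate ransom payments: BTC value within +/-tol of the reported USD
    amount converted at that day's rate, dated within window_days of pay_day."""
    target = usd_paid / btc_usd_rate
    lo, hi = target * (1 - tol), target * (1 + tol)
    return [t for t in txs
            if lo <= t.btc <= hi and abs((t.day - pay_day).days) <= window_days]

def laundering_path(txs, start_addr, labels, max_hops=3):
    """Follow outgoing transfers from start_addr, breadth first, and return
    (hop, address, label) for the first hop that lands on a labelled entity
    (mixer, darknet market, exchange); None if nothing is reached in max_hops."""
    frontier, seen = {start_addr}, set()
    for hop in range(1, max_hops + 1):
        nxt = set()
        for t in txs:
            if t.sender in frontier and t.receiver not in seen:
                if t.receiver in labels:
                    return hop, t.receiver, labels[t.receiver]
                nxt.add(t.receiver)
        seen |= frontier
        frontier = nxt
    return None

# Constructed sample ledger and entity labels (hypothetical addresses, not real chain data).
SAMPLE_TXS = [
    Tx("tx1", date(2021, 5, 8), "victim_addr", "addr_A", 78.0),   # matches amount and day
    Tx("tx2", date(2021, 5, 8), "addr_X", "addr_B", 12.0),        # wrong amount
    Tx("tx3", date(2021, 5, 14), "addr_Y", "addr_C", 78.1),       # right amount, wrong day
    Tx("tx4", date(2021, 5, 11), "addr_A", "addr_D", 77.9),       # funds moved on
    Tx("tx5", date(2021, 5, 12), "addr_D", "mixer_1", 77.8),      # ... into a mixer
]
LABELS = {"mixer_1": "mixer", "darknet_1": "darknet market", "exchange_1": "exchange"}

if __name__ == "__main__":
    # $4.4M at an assumed rate of $56,400/BTC is about 78 BTC, the figure quoted in the article.
    for t in find_candidates(SAMPLE_TXS, 4_400_000, 56_400, date(2021, 5, 8)):
        print("candidate:", t.txid, t.receiver, t.btc)
        print("downstream:", laundering_path(SAMPLE_TXS, t.receiver, LABELS))
```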

After the attack, Colonial Pipeline had to pay nearly $5 million in bitcoin to regain access to its resources. However, the US government stepped in and managed to seize as much as $2.3 million worth of ransom. Further, the CEO of Colonial also had to testify in front of the Senate and disclose plans related to the firm’s security arrangements. It was also revealed that DarkSide had partnered with other hackers to execute the attack.

3. Taming the FANCYCAT

Image Source: Binance Blog

Binance is one of the most well-known crypto exchanges in the world. Its operations are not limited to trading cryptos, as the company also devotes resources to taking down cybercriminals. To achieve this goal, Binance has partnered with several agencies, including the Ukrainian Cyber Police, the Spanish Civil Guard, the Cyber Bureau of the Korean National Police Agency, the Swiss Federal Office of Police, and US law enforcement agencies.

In July 2021, Binance announced that it had managed to take down an international ransomware group known as FANCYCAT. This group has been engaged in cybercrimes worth $500 million. FANCYCAT had been operating a high-risk exchanger and was laundering money via the dark web. Further, the group had undertaken the Cl0p and Petya ransomware attacks. Binance managed to nab the group by undertaking Anti-Money Laundering investigations.

Crystal received a request from the investigation group to check some sensitive information. With the Crystal platform, investigators were able to understand the fund flows and managed to catch these criminals and take down a cybercriminal gang.

Once FANCYCAT had been identified as a suspect group, Binance was able to create a comprehensive map of its network. This was achieved by analyzing the on-chain activity and attributing funds to different parties. Following the analysis, the FANCYCAT group was arrested by the authorities and is being prosecuted. Binance continues to partner with investigative agencies to catch other such groups.

4. Frozen Hamas Funds

Image Source: Crystal Platform

Hamas is a militant group based in Palestine. The group is engaged in several illegal activities, such as suicide bombings, money laundering, as well as terrorist financing. The group also sources funds via other illegal acts such as smuggling, copyright infringement, and credit card fraud. Over the years, Hamas has built a network of funding that comes from several sources around the world.

At the beginning of 2021, it was found that Hamas had received nearly $100,000 worth of bitcoin. These funds were then used to fund attacks on Israel. During the conflict, Hamas recorded a spike in crypto donations from different parts of the world. Some of these donations were then cashed out via Binance, which is a leading cryptocurrency exchange. These transactions sparked a deep investigation around the wallets owned and operated by Hamas.

Crystal constantly monitors reports from official authorities in order to blocklist reported criminal addresses promptly. The Hamas wallets had been officially reported by the US Department of Justice. Because of the activity spikes in May 2021, the Crystal team examined the Hamas donors in order to provide information about the VASPs involved to legal authorities.

In July 2021, Israel announced that it had begun seizing cryptocurrency accounts that were associated with Hamas. The country also reported that it had found a vast network of crypto wallets that were being used to fund activities against it. Additionally, the US Department of Justice has also managed to seize millions of dollars from such accounts since 2020. The department reported that these funds were being used to come up with violent plots.

Crystal’s New Investigations Services Unit

Fraud, money laundering, and ransomware crimes using crypto continue to rise, and Crystal is helping to combat this situation via our newly dedicated Investigations Service headed up by specialist Scott Pounder. Scott has over 16 years of experience in law enforcement and has successfully dealt with high-profile and sensitive investigations – specializing in Complex Fraud, AML, Cybercrime, and Financial Investigations. We’re delighted to have his expertise on board.

Looking for cryptocurrency crime investigation services? Contact Crystal Investigations Services to make an inquiry or to request assistance on your case: investigations@crystalblockchain.com.
