A cybersecurity analyst has traced part of a $4.5 million Bitcoin ransom paid out by US travel giant CWT. But the hackers chose to launder their money in the place you’d least expect it—in plain sight on large cryptocurrency exchanges.
CWT, which produces annual revenues of $1.5 billion, paid the Bitcoin ransom to the hackers on July 28 to regain access to two terabytes of files and to stop them from exposing the information. The files included employee data, financial documents, and other information.
Tal Be’ery, co-founder of Israeli cyber-security firm ZenGo, found out what happened to the money. In a write-up today, Be’ery found that the hackers, who are still at large, tried to launder their money through some of the largest cryptocurrency exchanges in the world, including Binance, Coinbase and Huobi.
“While most ransomware cases occur behind closed doors, CWT and their attackers inadvertently left the trail of their conversations open to public view, providing a unique glimpse into an otherwise secret world of ransomware-related negotiations,” he said.
Be’ery and his team at ZenGo followed the money to crypto exchanges using information about the correspondence uncovered by a Reuters journalist. Just 20 minutes after CWT paid the hackers their ransom, the hackers started splitting up the funds.
Rich Sanders, CEO of US-based blockchain forensics company CipherBlade, traced the funds for Decrypt and found that they sent about 58% of the funds to exchanges.
Over half of these funds went to one of the largest crypto exchanges in the world, Binance. The hackers cut up the funds into small payments and sent them periodically to the exchange to avoid red flags. The rest of those funds went to several other exchanges, including Huobi, Poloniex and Coinbase.
Why didn’t the hackers use mixers?
So why did the hackers move their money through large crypto exchanges like Binance rather than using so-called cryptocurrency “mixers,” a method of obscuring transactions by jumbling lots of people’s transactions together?
“Attackers are not looking for the best way. They are looking for the easiest way they can get away with, and apparently this method was good enough to get them where they wanted to,” Be’ery told Decrypt.
The reason why they didn’t use a mixer, he said, is time. Mixers involve lots of people joining together anonymously to jumble their funds up together. Then the mixer takes all those funds and sends them to addresses owned by those people, crediting them with the amounts they put in. Because the money has been mixed up, it’s difficult to work out whence they came.
But for a mixer to work, you need a lot of people. And if you’re mixing millions of dollars, you’ll need lots of other rich mixers to remain anonymous. “Simply put, to ‘mix’ you need to have a lot of other money from multiple parties, otherwise it’s not mixing as it is mainly your money. Not too many people want to mix $1.5M fast,” said Be’ery.
Koh Wei Jie, a Singaporean cybersecurity analyst who worked on MicroMix, an Ethereum-based mixer, provided Decrypt with more detail. “It’s not very practical to split up a huge amount into small deposits,” he told Decrypt.
“It’s possible to use a mixer but the bottleneck is the size of the anonymity pool(s) involved.” He added that certain types of analysis can make using mixers even riskier, since “it’s possible to correlate deposits and withdrawals based on timing and pattern.”
Why the hackers used exchanges to launder their money
Rich Sanders, the blockchain forensics analyst, said that sometimes hackers push funds through large exchanges to implement a tactic known as “chain-hopping,” whereby hackers use exchanges to buy small amounts of various cryptocurrencies and send them to different exchanges using different accounts.
Sanders said that hackers will often use exchanges that don’t ask for the identities of their customers or use the identities of people they’ve “offered money to register an account on an exchange and sell their account information.”
Sanders said that it’s likely they’ll have sorted all of this out before laundering the money. “Those executing ransomware already have a ‘war chest’, so spending a bit on some exchange accounts or other laundering help is peanuts.”
Though it’s time-intensive, there’s a benefit, said Sanders. “From an investigative perspective, for each [bundle of, say, $20,000 transactions] that’s… four or five subpoenas. Basically, chain-hopping makes it a resource-intensive nightmare; they do this deliberately to make the ‘juice not worth the squeeze’,” he said.
He thinks going through exchanges is “the smarter play. I think just dumping the BTC into a mixer would be reckless and stupid,” he said—“mixers aren’t always unbreakable.”
So laundering your money in plain sight may not be so dumb after all. Of course, that’s after the dumb decision to hack a billion-dollar company expecting to get away with it.