How hackers launder and cash out their stolen crypto funds

by COINS NEWS 141 Views

Cryptocurrency thefts and hacks have become something of a trend, as we’ve seen with the recent Ronin Bridge hack (Axie Infinity), the Horizon Bridge hack, etc. I am no expert in the field of hacking and cybersecurity, but it seems that smart contracts, and bridges in particular, are the most commonly exploited areas of the DeFi world.

Admittedly though, hacking seems to be the “easier” part of the process, with the laundering and cashing out being the real challenge for the exploiters.

There is also a common misconception among non-cryptocurrency users that the blockchain is “anonymous” and that money laundering therefore runs wild in the crypto space. Let’s clear this up: blockchains are not anonymous. They are pseudonymous, which means that wallet addresses – those random strings of letters – represent wallets that can be traced to individuals. Additionally, blockchains are public ledgers where every verified and recorded transaction is visible to anyone, which makes a hacker’s job much more difficult than, say, a cash theft.

So, let’s say a hacker has just managed to exploit a smart contract and got away with millions of dollars’ worth of crypto. What’s the next step?

Going through a big centralized exchange to cash out the stolen funds is the biggest mistake a hacker can make. As you all know, big centralized exchanges such as Coinbase, Binance, etc. require KYC from their customers, which makes it incredibly easy for the authorities to find out the identity of the hacker. This was the mistake the Axie Infinity hacker made back in March, transferring the stolen funds to centralized exchanges such as Huobi, FTX and Crypto.com. After a successful heist, the stolen funds are transferred to various hot wallets, which are quickly tracked and flagged, so exchanges know not to do business with those wallets.

This also makes privacy coins a no-go for hackers, as they usually have to be converted through a centralized exchange as well. Even if a hacker manages to steal a large amount of, let’s say, BTC, in order to move it anonymously they have to exchange it for Monero (XMR) or Zcash, which is impossible to do without moving the funds through a CEX.

So… what are the options?

1. Find a centralized exchange that doesn’t require KYC, or a decentralized exchange.

This seems like an obvious choice. However, it is impractical: small CEXes usually do not have enough funds to be withdrawn to fiat money, not to mention that it will raise a mountain of red flags with the authorities (like we’ve said, wallets are easily tracked). On the same note, DEXes also usually lack the liquidity to execute large orders of pair trades, since most DEXes operate using liquidity pools.

2. The “Peel-Chain” laundering technique.

This is a technique that was made famous by the North Korean hacking group “Lazarus”. Since these guys know that their wallets are being watched, they transfer all the stolen funds to a brand-new wallet and, before it can get flagged as a stolen wallet, they take small chunks of money, maybe $1000 or so, and send them to an exchange to quickly get them cashed out using fake IDs (they bypass KYC with photoshopped pictures). They continue doing this until they’ve cashed out all of what they want, then transfer all the money to a new wallet, peel off a little, send it to an exchange, and keep repeating. This is called the “peel chain laundering technique”. This book goes into depth on how the Lazarus group has stolen huge amounts in cryptocurrencies and how they launder them.
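A defender-side view of the peel chain described above, as an added example that is not part of the original post: a heuristic that walks outgoing transfers from a flagged wallet and reports the small “peel” payments an investigator would take to the receiving exchange. The account-style transfer tuples, the wallet names, the 5% peel threshold and the three-hop minimum are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample transfers (not real chain data): (sender, receiver, amount)
SAMPLE_TRANSFERS = [
    ("flagged_0", "wallet_1", 1000.0),   # stolen funds moved to a fresh wallet
    ("wallet_1", "exch_dep_a", 10.0),    # small peel to an exchange deposit
    ("wallet_1", "wallet_2", 990.0),     # remainder to the next fresh wallet
    ("wallet_2", "exch_dep_b", 12.0),
    ("wallet_2", "wallet_3", 978.0),
    ("wallet_3", "exch_dep_c", 9.0),
    ("wallet_3", "wallet_4", 969.0),
    ("shop_1", "supplier_1", 50.0),      # unrelated ordinary payment
    ("shop_1", "supplier_2", 45.0),
]


def trace_peel_chain(transfers, start, max_peel_ratio=0.05, min_hops=3):
    """Follow funds from `start`; return peel hops if the pattern repeats.

    max_peel_ratio and min_hops are assumed thresholds, not published values.
    """
    outgoing = defaultdict(list)
    for sender, receiver, amount in transfers:
        outgoing[sender].append((receiver, amount))

    hops, current, seen = [], start, {start}
    while True:
        outs = sorted(outgoing.get(current, []), key=lambda o: o[1])
        if len(outs) == 1:                      # plain hop to a new wallet
            nxt = outs[0][0]
        elif len(outs) == 2:                    # candidate peel: small + large
            (peel_to, peel_amt), (nxt, rest) = outs
            if peel_amt / (peel_amt + rest) > max_peel_ratio:
                break                           # split too even to be a peel
            hops.append({"wallet": current, "peel_to": peel_to, "amount": peel_amt})
        else:
            break                               # end of chain, or a fan-out
        if nxt in seen:
            break                               # guard against cycles
        seen.add(nxt)
        current = nxt
    return hops if len(hops) >= min_hops else []


def peel_destinations(hops):
    """Addresses that received peels: candidates for an exchange inquiry."""
    return [h["peel_to"] for h in hops]
```
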

3. Tumblers (Coin Mixers)

Tumblers are Bitcoin and cryptocurrency mixers that will take your cryptocurrency and mix it with other people’s. You put your money in the tumbler, it gets washed with some other people’s, you get your money back and it’s really hard for investigators to trace the money and wallets. For example, a hacker could send 14.39 BTC as an input transaction into the coin mixer and would receive one output transaction of 10 BTC, 4 outputs of 1 BTC, 3 outputs of 0.1 BTC, and 9 outputs of 0.09 BTC. Tornado Cash is the most famous ETH mixer. CoinJoin is a famous BTC mixer.

4. Other common methods

Other common laundering methods used by hackers include leaving the funds in scattered wallets around the internet that can be used at any time, in different countries, to buy goods and services, or even cashed out to vouchers such as iTunes gift cards. Sometimes, funds will be used in online crypto casinos. There are also “experts” that charge a fee to “wash your stolen funds”, but this usually doesn’t go according to plan. There was an old case of a project called "Marine Chain" that tried to launch an ICO in order to launder stolen funds. I'd bet that ICO scams are, more often than not, money laundering schemes.

And here it is. I hope this clears up the misconceptions regarding “blockchain anonymity”, privacy coins and the difficulty of cashing out funds through centralized exchanges. I also hope the FBI doesn’t have my search history over the past couple days, because it makes me look like a 10-year-old who desperately wants to become a hacker…

Leaving you with 2 key lessons:

  1. Smart contracts and bridges are the places hackers most commonly exploit. Be careful when using them and think twice before locking up funds in such protocols.

  2. If a centralized exchange or any other custodian gets hacked, the attackers will certainly have access to all wallets, including yours. Your funds are never safe in such places. Make sure you store funds in your own wallets and safeguard your own keys.

submitted by /u/DerpJungler