As ransomware continues to be an increasing threat to the US financial sector, businesses, and the public, the U.S. Treasury’s Crimes Enforcement Network (FInCEN) has identified six money laundering typologies related to ransomware payments:
1. Threat Actors Increasing Request Payments in AECs
Ransomware-related payments are initially requested in Bitcoin, however threat actors may also ask for requests for Anonymity-Enhanced Cryptocurrencies (aka privacy coins) like Monero, which are secure/anonymous and private transactions between two different parties. These types of payments are hard to trace.
2. Threat Actors Avoided Using Wallet Addresses
Threat acts are also laundering payments from each ransomware event separately by not reusing the same wallet addresses after each attack.
3. Centralized CVC Exchanges are Preferred Cash-Out Points
Threat actors are using foreign centralized exchanges for ransomware related deposits, including exchanges incorporated in high-risk jurisdictions that may have opaque ownership structures or that may have inadequate anti-money laundering and countering the financing of terrorism compliance standards.
4. Chain Hopping
Other money laundering tactics include “chain hopping,” a way for actors to disguise the origins of their funds by converting Bitcoin to an AEC. They can then transfer the converted funds to large CVC services and MSBs with lax compliance programs.
5. Mixing Services
FinCEN observed an increased use of mixing services in its suspicious activity reports. “Mixers are websites or software designed to conceal or obfuscate the source or owner of CVC. Mixers may have obligations as money transmitters under the BSA. Mixing is done either as a general privacy measure or for covering up the movement of funds obtained from theft, darknet markets, or other illicit sources,” according to FinCEN.
6. Decentralized Exchanges Likely Used to Convert Illicit Proceeds
FinCEN notes “ransomware-related payments are being converted to other types of CVCs through decentralized exchanges or other DeFi applications. Some DeFi applications allow for automated peer-topeer transactions without the need for an account or custodial relationship. FinCEN analysis of transactions on the BTC blockchain identified ransomware-related funds sent indirectly to addresses associated with open protocols for use on DeFi applications.”