Criminals Use Cryptocurrencies to Launder, Extort and Steal Money


In January 2015, kidnappers in Costa Rica demanded $500,000 in bitcoin in exchange for the safe return of a Canadian national. In January 2019, the wife of one of Norway’s richest citizens was likely kidnapped and her kidnappers demanded $10 million payable only in the cryptocurrency Monero. In July 2019, a criminal gang operating in India kidnapped and tortured cryptocurrency traders before demanding 80 bitcoin as ransom (the traders were later rescued).

Cryptocurrencies are no longer new nor nascent, but they are still a popular vehicle by which criminals use to extort, launder and steal money. “I remember when ransomware started, they [criminals] used PayPal,” said Costel Ion, CFE, director - principal investigator at Deutsche Bank in his virtual session at the 2020 ACFE Fraud Conference Europe. “Now ransomware criminals are using many forms of cryptocurrencies.”

Ion, a former member of INTERPOL, has years of experience researching and investigating cyrptocurrencies. He said he remembers when he and other investigators in INTERPOL worked on the kidnapping case in Costa Rica. “That was a very demanding case,” he said. “We needed a lot of support on that one.”

Kidnapping, however, is just one of the many ways in which criminals are using cryptocurrencies. Because cryptocurrencies are decentralized and allow anonymity, criminals are using them for kidnapping, ransomware, in darknet marketplaces and for terrorism.

“Ransomware is the No. 1 problem, the No. 1 threat today,” said Ion. But beyond ransomware, money laundering has become the common denominator between all forms of crypto crime. “The most interesting part of cryto crime is these professional laundering services,” said Ion. According to Ion, the crypto-laundering stages mimic regular money laundering stages:

  • Placement: Criminals will convert cash into cryptocurrency.

  • Layering: Cryptocurrencies are transferred between wallets and tumbling or mixing services (more on that below).

  • Integration: Cryptocurrencies are exchanged back to cash or are used to buy goods or services.

Since all cryptocurrency transactions are done on the blockchain, criminals have to break the chain. They do this during the layering stage by using tumbling or mixing services. So, how do these services work? Ion shared his screen with virtual attendees as he explained where criminals find these services and how they’re used.

First, a criminal will access the dark web using the TOR network. Ion took attendees to uncensored “Hidden Wiki,” a popular page that lists services for criminals, including financial services. There he pulled up a mixing service called “Bitcoin Cloak.” The site had two simple options: mix your bitcoin or pay anonymously.

How this works: A criminal will have dirty bitcoin in a regular bitcoin wallet. They will go to one of these tumbling/mixing services and transfer their dirty bitcoin into the service. At this point there’s a trackable transaction of someone moving that dirty bitcoin to another account.

Now here is where the laundering happens. The tumbling/laundering service will break the bitcoin transaction up into smaller transactions. It sends these transactions to a bunch of different new addresses, which then sends them to many other addresses — and over and over again. Once the transactions are scrambled, the service sends the bitcoin back into a clean wallet. Now the link from the dirty wallet to the clean wallet is completely obfuscated by the tumbling service with no direct link. The criminal can then take this clean wallet and move it to an exchange and sell it out for fiat. The service has broken the chain.

Ion said this is just one of the many ways — others include crypto ATMs, gambling websites and decentralized exchanges — that criminals are using to launder their money.

And though the process of hiding and laundering cryptocurrency seems complicated, fraud examiners and investigators can identify bad transactions by using blockchain explorers, tagging by transaction and by address clustering. “You will even see people who tweet about their bitcoin address,” Ion said.